Microsoft 365 security: 8 settings to fix today
A fresh Microsoft 365 tenant is configured for convenience, not safety. These eight changes close the gaps attackers check first — most cost nothing but an afternoon.
1. Enforce MFA for every user — no exceptions
Not "enabled", enforced. Password-only accounts are the entry point for the overwhelming majority of tenant compromises. Security defaults give you this in one switch; conditional access does it with more finesse. The account that skips MFA "because the owner finds it annoying" is precisely the account attackers want.
2. Block legacy authentication
Older protocols like IMAP, POP and SMTP basic auth can bypass MFA entirely — attackers use them to password-spray tenants that look protected. Block legacy auth tenant-wide and the side door closes. Check sign-in logs first to catch the ancient scanner or app still using it.
3. Separate admin accounts from daily accounts
The person who administers your tenant should have two identities: a daily account for email and files, and an admin account used only for administration — with the strongest MFA you have. When a phishing email lands, the clicked account shouldn't be able to change tenant settings. And count your global admins: most small businesses need two or three, not seven.
4. Turn on unified audit logging and mailbox auditing
When something goes wrong, the first question is "what happened?" — and without audit logs the answer is a shrug. Verify unified audit logging is on and retained. It costs nothing and turns incident response from guesswork into reading.
5. Tag external email
A one-line banner on messages from outside your organization defeats the most common phishing trick: mail pretending to be the boss. When "the CEO's" urgent wire request carries an external tag, the game is up. Two minutes to configure.
6. Configure anti-phishing and safe link policies
Defender for Office 365 ships with lukewarm defaults. Tighten the anti-phishing policy (impersonation protection for your executives and domain), enable link checking and attachment scanning at the strictest level your license allows, and set the spam filter to quarantine rather than deliver-to-junk for high-confidence phish.
7. Review app consents and inbox rules
Two places attackers hide after a successful phish: OAuth apps granted mailbox access, and inbox rules that silently forward or delete mail. Restrict user app consent to verified publishers, then audit existing consents and rules. Finding a forwarding rule to an outside address is how many businesses discover a months-old breach.
8. Back up Microsoft 365 — it doesn't back up itself
Microsoft guarantees the service stays up, not that your data survives deletion, ransomware or a malicious insider. Retention policies help but aren't backup. Third-party cloud-to-cloud backup of mail, OneDrive, SharePoint and Teams costs a few dollars per user and is the difference between "restore it" and "it's gone". More in our backup & disaster recovery service — and in backup vs. disaster recovery.
How to check where you stand today
Microsoft grades your tenant for you: Secure Score, in the Defender portal, rates your configuration against recommended practice and lists the exact gaps. It's imperfect — some recommendations chase points rather than risk — but it's free, it's specific, and it gives you a number to improve quarter over quarter. A typical unmanaged small-business tenant scores under 40%; the eight settings above move most of that gap. Pull your score before and after the afternoon of fixes, and you'll have a before-and-after you can show the owners.
The takeaway
Attackers don't break Microsoft 365 — they walk through unlocked defaults. One afternoon of configuration closes the doors that matter most. If nobody in your business knows whether these eight are set, that itself is the finding: our Microsoft 365 service includes this hardening as standard, and the free assessment will show you your tenant's current state in writing.
Frequently asked
Won't these changes disrupt our staff?
MFA enrollment and external tagging are the only ones staff notice, and both are a one-time adjustment. The rest work silently. Roll MFA out with a week's notice and a one-page guide and complaints round to zero.
Do we need extra licenses for any of this?
The first seven are available on standard business licenses. Item eight — backup — is a third-party subscription, typically a few dollars per user monthly. Conditional access beyond security defaults needs Entra ID P1, included in Business Premium.
How do we know if we've already been compromised?
Check sign-in logs for impossible travel, review inbox rules you didn't create (attackers hide there), and audit app consents. This is part of what we check in the free assessment — quietly compromised tenants are more common than owners think.
Not sure what your tenant looks like?
The free 45-minute assessment includes a Microsoft 365 configuration review against all eight settings — findings in writing, yours to keep.