How to Secure Microsoft 365 for Small Business: Essential Settings Guide
Microsoft 365 Is Powerful — and Often Misconfigured
Microsoft 365 is the most widely used business productivity platform among small businesses — and one of the most frequently targeted. Attackers know that millions of small businesses use Microsoft 365 with default or minimal security configurations, making it a high-value target. A compromised Microsoft 365 tenant gives attackers access to email, files, contacts, calendars, Teams communications, and potentially the entire business’s digital operations.
The good news: Microsoft includes robust security tools in Microsoft 365 that most small businesses never activate. This guide covers the essential security settings that every Microsoft 365 small business administrator should configure — most of them at no additional cost.
Step 1: Enable Security Defaults or Configure Conditional Access
Security Defaults is Microsoft’s one-click baseline security configuration — a single toggle in the Azure Active Directory admin center that enables MFA for all users, blocks legacy authentication protocols, and requires MFA for privileged operations. For small businesses without a dedicated IT security team, enabling Security Defaults is the single highest-impact security action available.
To enable Security Defaults: Azure Active Directory admin center → Properties → Manage Security Defaults → toggle to Enabled.
Businesses with Microsoft 365 Business Premium can go further with Conditional Access policies — more granular control that enforces MFA based on user, location, device, and application. Conditional Access is more complex to configure but more flexible than Security Defaults for businesses with specific access requirements.
Step 2: Configure Multi-Factor Authentication for All Users
If Security Defaults is enabled, MFA is required automatically. If you are managing MFA manually, ensure every user account — including administrative accounts, service accounts, and shared mailboxes — has MFA registered and enforced. Do not create exemptions for executives or senior staff who claim MFA is inconvenient. Privileged accounts are the highest-value targets and warrant the strongest authentication.
Preferred MFA methods in order of security strength:
- Microsoft Authenticator app (push notification or code)
- FIDO2 hardware security key
- Authenticator app TOTP code
- SMS text message (acceptable but weakest — vulnerable to SIM swapping)
Step 3: Block Legacy Authentication
Legacy authentication protocols — Basic Authentication, SMTP AUTH for older email clients, IMAP, and POP — do not support MFA. Attackers specifically target legacy authentication endpoints because a stolen username and password is all that is needed, with no MFA challenge. Security Defaults blocks legacy authentication automatically. If you are not using Security Defaults, create a Conditional Access policy blocking legacy authentication for all users.
Before blocking legacy authentication, audit which applications and users are currently using it — blocking it without preparation will break older email clients and applications that have not been updated to support modern authentication.
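The audit-then-block sequence described above, as an added example that is not part of the original guide. It uses the Microsoft Graph PowerShell SDK (not a Microsoft-supplied script) and assumes an administrator who can consent to the listed scopes and a Microsoft Entra ID P1 licence for sign-in log access (included in Business Premium, which the guide says Conditional Access needs anyway). The break-glass object ID is a placeholder you must replace; the policy is created in report-only mode so you can watch what it would block before enforcing it.

```powershell
# Added example, not from the original guide: audit legacy-authentication sign-ins for the
# last 30 days, then create a Conditional Access policy that blocks them in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK and consent to the scopes below.
param(
    [string]$BreakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder
)
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# --- 1. Audit: who still signs in with legacy protocols? ---------------------------------
# Entra records the client type in clientAppUsed. 'Browser' and 'Mobile Apps and Desktop
# clients' are modern authentication; every other value (IMAP4, POP3, Authenticated SMTP,
# Exchange ActiveSync, Other clients, ...) is a legacy protocol that cannot complete MFA.
$modern = 'Browser', 'Mobile Apps and Desktop clients'
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern }

Write-Host 'Legacy-auth sign-ins in the last 30 days (update these clients before enforcing):'
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'User / Protocol / App'; e = { $_.Name } } |
    Format-Table -AutoSize

# --- 2. Block: Conditional Access policy, report-only first --------------------------------
# clientAppTypes 'exchangeActiveSync' plus 'other' together cover all legacy clients.
# Report-only surfaces "would have been blocked" results in the sign-in log; change the
# state to 'enabled' once the audit above shows nothing you still depend on.
$policy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($BreakGlassObjectId)   # never lock out the emergency access account
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
```

Run the audit section for a full billing cycle if you have scanners, multifunction printers or line-of-business apps that send mail only occasionally; a 30-day window can miss them, and those are exactly the devices that break when legacy SMTP AUTH is blocked.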
Step 4: Configure Anti-Phishing and Anti-Malware Policies
Microsoft Defender for Office 365 — included in Microsoft 365 Business Premium — provides advanced threat protection for email. Configure these policies in the Microsoft 365 Defender portal:
- Anti-phishing policy: Enable impersonation protection for your domain and key executives. Configure mailbox intelligence to detect spoofed senders. Set the phishing email threshold to aggressive for better catch rates.
- Safe Links: Scans links in emails and Office documents at time of click — protecting against URLs that appear safe at delivery but are weaponized afterward. Enable for all users.
- Safe Attachments: Detonates email attachments in a sandbox environment before delivery to detect malware that evades signature-based scanning. Enable for all users with the Dynamic Delivery option to minimize email delay.
- Anti-malware policy: Blocks common malware file types — executable files, scripts, and macro-enabled Office documents — from being delivered via email unless specifically needed.
Step 5: Enable Unified Audit Logging
Microsoft 365 logs user and administrator activity — but audit logging must be explicitly enabled to retain those logs for investigation. Without audit logging, you have no forensic record of what happened in your tenant during a security incident.
To enable: Microsoft 365 Defender portal → Compliance → Audit → Start recording user and admin activity. Once enabled, logs are retained for 90 days on standard plans and up to 1 year on premium plans. Export and archive logs externally if longer retention is needed for compliance.
Key activities to monitor through audit logs: bulk email forwarding rules created (a common attacker persistence mechanism), mass file downloads or deletions, new admin accounts created, and sign-ins from unusual locations or impossible travel events.
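A way to enable audit logging and hunt for the first three activities listed above from PowerShell, as an added example that is not part of the original guide. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs or View-Only Audit Logs role; the admin UPN, the 7-day window and the 100-file threshold are placeholders to adjust for your tenant. Unusual-location and impossible-travel events are not in this log; they come from the Entra sign-in log and Identity Protection.

```powershell
# Added example, not from the original guide: enable unified audit logging and surface
# forwarding rules, admin role grants and bulk file activity from the last N days.
# Assumes the ExchangeOnlineManagement module; values below are placeholders.
param(
    [string]$AdminUpn = 'admin@example.onmicrosoft.com',   # placeholder
    [int]$Days = 7,
    [int]$BulkFileThreshold = 100
)
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Enable ingestion if it is still off. Logs accumulate only from this point on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host 'Unified audit logging was off; it is now enabled.'
}

$end   = Get-Date
$start = $end.AddDays(-$Days)
# Operations of interest: mailbox/inbox forwarding (persistence), role grants, file activity.
# -ResultSize caps at 5000; larger tenants page with -SessionId/-SessionCommand.
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
       'Add member to role.', 'FileDownloaded', 'FileDeleted'
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Event, $Data, $What, $Detail) {
    $findings.Add([pscustomobject]@{
        When = $Event.CreationDate; Who = $Event.UserIds; What = $What
        Detail = $Detail; ClientIP = $Data.ClientIP
    })
}

foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json   # the interesting fields live in this JSON blob
    switch ($e.Operations) {
        { $_ -in 'New-InboxRule', 'Set-InboxRule' } {
            # Forwarding and redirect actions appear as named rule parameters
            $fwd = @($d.Parameters | Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' })
            if ($fwd) { Add-Finding $e $d 'Inbox rule forwards mail' ($fwd.Value -join '; ') }
        }
        'UpdateInboxRules' {
            # Emitted by Outlook desktop; actions sit in OperationProperties, so review by hand
            Add-Finding $e $d 'Inbox rules changed from Outlook client' 'review OperationProperties'
        }
        'Set-Mailbox' {
            $fwd = @($d.Parameters | Where-Object { $_.Name -in 'ForwardingSmtpAddress', 'ForwardingAddress' })
            if ($fwd) { Add-Finding $e $d 'Mailbox-level forwarding set' ($fwd.Value -join '; ') }
        }
        'Add member to role.' {
            $role = ($d.ModifiedProperties | Where-Object { $_.Name -eq 'Role.DisplayName' }).NewValue
            Add-Finding $e $d 'Directory role membership added' "$role -> $($d.Target.ID -join ' | ')"
        }
    }
}

# Bulk downloads or deletions: count per user and operation over the window
$events | Where-Object { $_.Operations -in 'FileDownloaded', 'FileDeleted' } |
    Group-Object UserIds, Operations |
    Where-Object { $_.Count -ge $BulkFileThreshold } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            When = $end; Who = $_.Group[0].UserIds; What = "Bulk $($_.Group[0].Operations)"
            Detail = "$($_.Count) files in $Days days"; ClientIP = ''
        })
    }

$findings | Sort-Object When | Format-Table -AutoSize
```

Schedule this to run daily and compare the output with the previous run; a new forwarding rule or role grant that nobody on the team recognises is the signal worth paging on, and the ClientIP column is usually the quickest way to tell a travelling employee from a compromise.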
Step 6: Review and Remove Auto-Forwarding Rules
One of the most common post-compromise attacker actions in Microsoft 365 is creating an email auto-forwarding rule — silently copying all incoming email to an external attacker-controlled address. This gives the attacker persistent visibility into your communications long after the initial compromise is remediated.
Audit existing forwarding rules: Exchange admin center → Mail flow → Rules. Review all rules for any forwarding to external addresses that were not intentionally configured. Also check individual mailboxes for Inbox rules set to forward externally.
Block external auto-forwarding organization-wide: Exchange admin center → Remote domains → Default → uncheck “Allow automatic forwarding.” This prevents any user from configuring automatic forwarding to external addresses regardless of intent.
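The full audit of the three places mail can leave the tenant automatically (mailbox forwarding, inbox rules including hidden ones, and mail flow rules), followed by the organisation-wide block, as an added example that is not part of the original guide. It assumes the ExchangeOnlineManagement module and an Exchange administrator; the admin UPN is a placeholder. "External" is defined as any domain outside the tenant's accepted domains.

```powershell
# Added example, not from the original guide: list every mailbox forward, inbox rule and
# transport rule that sends mail outside the tenant, then disable external auto-forwarding
# on the default remote domain. Assumes the ExchangeOnlineManagement module.
param([string]$AdminUpn = 'admin@example.onmicrosoft.com')   # placeholder
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Any domain not in the tenant's accepted domains is treated as external
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget {
    # Recipient strings look like 'smtp:user@contoso.com', '"Name" [SMTP:user@x.com]' or,
    # for internal recipients, '"Name" [EX:/o=ExchangeLabs/...]' (legacy DN, never external).
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        if (-not $t) { continue }
        if ($t -match '(?i)smtp:([^\]\s>]+)')          { $addr = $Matches[1] }
        elseif ($t -match '^[^\s<>\[]+@[^\s<>\]]+$')  { $addr = $t }
        else { continue }
        if (($addr -split '@')[-1] -notin $internalDomains) { return $true }
    }
    return $false
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Scope, $Mailbox, $Rule, $Target) {
    $findings.Add([pscustomobject]@{ Scope = $Scope; Mailbox = $Mailbox; Rule = $Rule; Target = $Target })
}

foreach ($m in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding, set by an admin (Set-Mailbox) or by the user in OWA settings
    if ($m.ForwardingSmtpAddress -and (Test-ExternalTarget $m.ForwardingSmtpAddress)) {
        Add-Finding 'Mailbox' $m.UserPrincipalName 'ForwardingSmtpAddress' $m.ForwardingSmtpAddress
    }
    if ($m.ForwardingAddress) {   # a directory object, which may be a mail contact pointing outside
        Add-Finding 'Mailbox' $m.UserPrincipalName 'ForwardingAddress (verify recipient)' $m.ForwardingAddress
    }
    # 2. Inbox rules, including hidden ones that never appear in Outlook or OWA
    foreach ($r in Get-InboxRule -Mailbox $m.UserPrincipalName -IncludeHidden) {
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo)
        if (Test-ExternalTarget $targets) {
            Add-Finding 'InboxRule' $m.UserPrincipalName "$($r.Name) (enabled=$($r.Enabled))" ($targets -join '; ')
        }
    }
}

# 3. Organisation-wide mail flow (transport) rules that copy or redirect mail
foreach ($t in Get-TransportRule) {
    $targets = @($t.RedirectMessageTo) + @($t.BlindCopyTo) + @($t.CopyTo) + @($t.AddToRecipients)
    if (Test-ExternalTarget $targets) {
        Add-Finding 'TransportRule' '(org-wide)' "$($t.Name) (state=$($t.State))" ($targets -join '; ')
    }
}

$findings | Format-Table -AutoSize

# 4. Close the door: stop automatic forwarding to every remote domain that uses the default entry
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
```

Walk through the findings table with the business owner before deleting anything: a forward to a personal mailbox set up years ago by a former employee is worth removing, but so is confirming which ones a current employee still relies on, since the remote-domain change at the end will silently stop all of them.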
Step 7: Enable Microsoft Secure Score Monitoring
Microsoft Secure Score is a free dashboard in the Microsoft 365 Defender portal that scores your tenant’s current security configuration and provides prioritized recommendations for improvement. Each recommendation includes an explanation of why it matters and step-by-step implementation instructions.
Review your Secure Score monthly. Work through the recommended actions in priority order — the highest-impact, lowest-effort recommendations are surfaced first. A Secure Score above 70 indicates a well-configured tenant. Most small business tenants start significantly below this.
Step 8: Configure Privileged Identity Management for Admin Accounts
Administrative accounts in Microsoft 365 have elevated privileges that make them high-value targets. Best practices for admin account security:
- Create dedicated admin accounts separate from regular user accounts — never use your day-to-day email account for administrative tasks
- Apply MFA to all admin accounts — this is mandatory, not optional
- Assign the minimum necessary admin role — not every IT contact needs Global Administrator. Use Exchange Admin, SharePoint Admin, or User Admin roles where full Global Admin is not required
- Create a break-glass emergency access account with a strong password stored securely offline — for use only if the primary admin account is locked out
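A check for the four practices above (who holds privileged roles, whether each has MFA registered, how many Global Administrators exist, and whether the break-glass account is in place), as an added example that is not part of the original guide. It uses the Microsoft Graph PowerShell SDK, not a Microsoft-supplied script, and assumes an account that can consent to the listed scopes; the break-glass UPN is a placeholder.

```powershell
# Added example, not from the original guide: report privileged role holders and their MFA
# registration so dedicated admin accounts and the break-glass account can be verified.
# Assumes the Microsoft.Graph PowerShell SDK; $BreakGlassUpn is a placeholder.
param([string]$BreakGlassUpn = 'breakglass@example.onmicrosoft.com')   # placeholder
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# The roles the guide names, plus the ones that can grant them
$privilegedRoles = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
                   'Exchange Administrator', 'SharePoint Administrator', 'User Administrator'

# One call for the tenant-wide MFA registration report, indexed by user object id
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $registration[$_.Id] = $_ }

# Get-MgDirectoryRole returns only roles that have been activated in the tenant
$report = foreach ($role in Get-MgDirectoryRole | Where-Object { $_.DisplayName -in $privilegedRoles }) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members can be users, groups or service principals; only users register MFA
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $reg = $registration[$member.Id]
        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $member.AdditionalProperties['userPrincipalName']
            MfaRegistered = [bool]$reg.IsMfaRegistered
            Methods       = ($reg.MethodsRegistered -join ', ')
        }
    }
}

$report | Sort-Object Role, User | Format-Table -AutoSize

# Admins without MFA. The guide keeps the break-glass account on a strong offline password,
# so it is reported separately below rather than mixed into this list.
$noMfa = $report | Where-Object { -not $_.MfaRegistered -and $_.User -ne $BreakGlassUpn }
if ($noMfa) { Write-Warning "Privileged accounts without MFA: $(($noMfa.User | Sort-Object -Unique) -join ', ')" }

# Global Administrator count: Secure Score wants more than one and fewer than five
$globalAdmins = @($report | Where-Object { $_.Role -eq 'Global Administrator' } | Select-Object -ExpandProperty User -Unique)
Write-Host "Global Administrators: $($globalAdmins.Count) -> $($globalAdmins -join ', ')"
if ($globalAdmins.Count -lt 2 -or $globalAdmins.Count -ge 5) { Write-Warning 'Global Administrator count is outside the recommended 2 to 4' }
if ($BreakGlassUpn -notin $globalAdmins) { Write-Warning "Break-glass account $BreakGlassUpn is not a Global Administrator" }
```

Any user in the report whose UPN is also an everyday mailbox (the owner's main address, for example) is the "day-to-day account used for admin tasks" the first bullet warns about; create a separate admin-only account for that person, move the role, and re-run the report until the two lists no longer overlap.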
Microsoft 365 Security Configuration Checklist
- Security Defaults enabled or Conditional Access policies configured
- MFA enforced for all users
- Legacy authentication blocked
- Anti-phishing, Safe Links, and Safe Attachments policies active
- Unified audit logging enabled
- External auto-forwarding blocked
- Existing forwarding rules audited and reviewed
- Microsoft Secure Score reviewed and improvement plan in place
- Dedicated admin accounts with MFA for all administrators
Bottom Line
Microsoft 365 includes enterprise-grade security tools that most small businesses never configure. Enabling Security Defaults takes five minutes and immediately raises your security posture significantly. Working through the remaining steps in this guide — Safe Links, Safe Attachments, audit logging, and blocking auto-forwarding — addresses the most common attack vectors against Microsoft 365 tenants. Most of these configurations are included in your existing subscription at no additional cost. The investment is time, not money.