If your business runs on Microsoft 365 — Outlook, Teams, SharePoint, OneDrive — you already have most of the security tools you need to defend against the attacks SMBs actually face. The problem is that Microsoft optimises the default configuration for ease of use, not security. Several of the most important protections are off out of the box.
The good news: most of these settings take five to ten minutes to enable. The bad news: very few SMBs ever turn them on. We see the same misconfigured tenants every time we run a security health check.
Below are the 10 settings to tackle first — in roughly the order of impact. If you only do the first three, you'll have raised your security posture more than 90% of tenants we audit.
A Quick Note on Licensing
Some of these settings require Microsoft 365 Business Premium or higher (specifically the ones that depend on Defender for Office and Conditional Access). If you're on Business Basic or Business Standard, upgrading to Premium adds roughly $10/user/month and is almost always worth it for the security features alone.
1. Enforce multi-factor authentication for every user
Microsoft says MFA blocks 99.9% of automated account takeover attacks. There is no security setting with a better return on investment.
2. Block legacy authentication protocols
Basic authentication over IMAP, POP3, and SMTP AUTH cannot enforce MFA, so a stolen password alone is enough to get in. If you don't actively need these protocols, turn them off — attackers absolutely use them.
3. Turn on Microsoft 365 Defender for Office (Safe Links + Safe Attachments)
Built-in protection against phishing URLs, weaponised attachments, and impersonation. Requires a plan above Business Basic (see the licensing note above).
4. Enable anti-phishing impersonation protection
Add your CEO, CFO, and finance team to the protected users list in the anti-phishing policy. This catches lookalike-domain BEC attempts before they hit inboxes.
5. Disable external email auto-forwarding
Attackers who compromise an inbox almost always set up an external forwarding rule. Blocking auto-forward to external domains stops the exfiltration.
6. Add a visible 'external sender' email tag
Visual cues help users spot impersonation. Tagging external senders with a banner is one of the highest-impact anti-phishing changes you can make.
7. Configure SPF, DKIM, and DMARC for your domain
Without DMARC, anyone can spoof your domain to send phishing emails to your customers. Start with p=none (monitor only), then move to p=quarantine, then p=reject.
8. Limit who can create Microsoft Teams and SharePoint sites
By default, M365 lets any user create Teams sites, which become shadow data silos. Restricting creation prevents data sprawl and unmanaged file sharing.
9. Set conditional access for risky sign-ins
Microsoft scores every sign-in attempt for risk. Configure a policy that requires a password reset on 'high risk' sign-ins; this catches credential stuffing in flight.
10. Enable mailbox auditing for every user
Without auditing, you can't investigate what happened after a breach. Enable it before you need it — log retention is your friend.
A word of caution
Changes to Conditional Access can lock users out if misconfigured. Always exclude at least one break-glass admin account from your CA policies, and test on a pilot group before rolling out broadly. If you're not confident, get help — a locked-out tenant is a bad day.
How to Verify You're Actually Protected
After enabling these settings, check your Microsoft Secure Score (security.microsoft.com → Secure Score). It's not a perfect measure, but moving from 30% to 70%+ is a strong signal you've closed the worst gaps.
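To make that verification step repeatable, here is an added example (not from the original post, and not Microsoft's own tooling) that reads back several of the settings above through the ExchangeOnlineManagement module and reports PASS/FAIL without changing anything. It assumes you have already run Connect-ExchangeOnline as an Exchange admin, that Resolve-DnsName is available (Windows DnsClient module), and Test-Setting is a small helper defined here, not a built-in cmdlet.

```powershell
# Added example, not from the original post: read-only checks for several of the settings
# above, using the ExchangeOnlineManagement module. Assumes Connect-ExchangeOnline has
# already been run as an Exchange admin; Resolve-DnsName needs the Windows DnsClient module.
# Test-Setting is a helper written for this example, not a built-in cmdlet.
function Test-Setting {
    param([string]$Name, [bool]$Pass, [string]$Fix)
    if ($Pass) { "PASS  $Name" } else { "FAIL  $Name  -> fix: $Fix" }
}

# Setting 2: legacy authentication. SMTP AUTH off tenant-wide, and no mailbox with IMAP/POP still on.
$transport = Get-TransportConfig
Test-Setting 'SMTP AUTH disabled tenant-wide' $transport.SmtpClientAuthenticationDisabled `
    'Set-TransportConfig -SmtpClientAuthenticationDisabled $true'

$legacy = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled })
Test-Setting 'IMAP/POP disabled on every mailbox' ($legacy.Count -eq 0) `
    ('Set-CASMailbox -ImapEnabled $false -PopEnabled $false on: ' + ($legacy.PrimarySmtpAddress -join ', '))

# Setting 5: auto-forwarding to external domains blocked in the default outbound spam policy.
$spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
Test-Setting 'External auto-forwarding blocked' ($spam.AutoForwardingMode -eq 'Off') `
    'Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off'

# Setting 6: external sender tag shown in Outlook.
$tag = @(Get-ExternalInOutlook | Where-Object { $_.Enabled })
Test-Setting 'External sender tag enabled' ($tag.Count -gt 0) 'Set-ExternalInOutlook -Enabled $true'

# Setting 7: DMARC published for the default accepted domain and moved beyond p=none.
$domain = (Get-AcceptedDomain | Where-Object { $_.Default }).DomainName
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
Test-Setting "DMARC record published for $domain" ($dmarc -like 'v=DMARC1*') `
    'Publish a TXT record at _dmarc.<domain> starting with v=DMARC1; p=none'
Test-Setting 'DMARC policy is quarantine or reject' ($dmarc -match '\bp=(quarantine|reject)') `
    'Once aggregate reports look clean, change p=none to p=quarantine, then p=reject'

# Setting 10: mailbox auditing on by default for the whole tenant.
$org = Get-OrganizationConfig
Test-Setting 'Mailbox auditing enabled by default' (-not $org.AuditDisabled) `
    'Set-OrganizationConfig -AuditDisabled $false'
```

Run it before and after making changes; any FAIL line names the cmdlet that sets the corresponding item, and the MFA, Defender for Office, Conditional Access and site-creation settings are not covered because they live outside Exchange Online.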
For a deeper review — including a configuration audit against Microsoft's own security baselines and the CIS Microsoft 365 Benchmark — that's exactly what we cover in our Security Health Checks.
The Bottom Line
Most M365 tenants we look at have between 3 and 6 of these settings still on defaults. Fixing them is not glamorous — it's mostly clicking through admin centres. But it is, hour-for-hour, the highest-impact security work an SMB can do.
Don't wait until after the breach. The audit logs you'll want then only exist if you turned them on now.