Microsoft 365 is the backbone of most small businesses — email, file storage, collaboration, and identity all live there. But out of the box, M365 is configured for convenience, not security. The default settings leave significant gaps that attackers actively exploit.

The good news? You don't need an enterprise security team to fix this. Here are the five most impactful security settings every small business should configure.

1. Enforce Multi-Factor Authentication (MFA) Everywhere

This is the single most effective thing you can do. MFA blocks over 99% of account compromise attacks, according to Microsoft's own data. Without it, a stolen password is all an attacker needs to access your entire organisation's email and files.

What to do: Enable Security Defaults in Azure AD, or better yet, set up Conditional Access policies (available with Business Premium) that require MFA for all users, on all devices, for all cloud apps. Prioritise admin accounts first.

2. Configure Conditional Access Policies

If you're on Microsoft 365 Business Premium (and you should be — it's the sweet spot for SMB security), Conditional Access lets you create rules like "only allow sign-ins from managed devices" or "require MFA when signing in from unusual locations."

Key policies to create:

  • Require MFA for all users on all cloud apps
  • Block legacy authentication protocols (they can't perform MFA, so a password alone is enough for them and the MFA policy is bypassed)
  • Require compliant or Hybrid Azure AD joined devices for access
  • Block sign-ins from countries where you don't operate
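The first, second and fourth policies in the list above, as an added example written with the Microsoft Graph PowerShell SDK (it is not code from the original post). It assumes the `Microsoft.Graph` module is installed, the signed-in account holds the Conditional Access Administrator role, the tenant has the Business Premium (Entra ID P1) licence, and the break-glass object ID and the country list are placeholders you replace with your own. Policies are created in report-only mode so you can check the sign-in log for who would have been blocked before enforcing them.

```powershell
# Added example: Conditional Access policies via Microsoft Graph PowerShell.
# Assumes Microsoft.Graph is installed and the caller can manage CA policies.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your break-glass account, excluded from every policy
$breakGlassObjectId = "00000000-0000-0000-0000-000000000000"
# Placeholder: ISO 3166 country codes where your business actually operates
$allowedCountries   = @("GB", "IE")

# Shared user scope: everyone except the break-glass account
$allUsersExceptBreakGlass = @{
    includeUsers = @("All")
    excludeUsers = @($breakGlassObjectId)
}

# Policy 1: require MFA for all users on all cloud apps
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other"
# cover the basic-auth clients (IMAP, POP, SMTP AUTH, older Office) that
# cannot complete an MFA challenge.
$legacyAuthPolicy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyAuthPolicy

# Policy 3: block sign-ins from outside the countries you operate in.
# First create a named location listing the allowed countries, then block
# every location except that one.
$allowedLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false
}
$geoBlockPolicy = @{
    displayName   = "CA003 - Block sign-ins from outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = $allUsersExceptBreakGlass
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @($allowedLocation.Id)
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlockPolicy

# Verify what was created and in which state
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Security Defaults and Conditional Access are mutually exclusive, so turn Security Defaults off before enabling these policies. Once the report-only results look right, change `state` to `enabled`; the policies can be switched with `Update-MgIdentityConditionalAccessPolicy`.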

3. Implement Least Privilege Access

We regularly find small businesses where half the team has Global Admin rights. This is like giving every employee the master key to your building. If any one of those accounts is compromised, the attacker has full control.

What to do: Audit your admin roles. Most users need no admin access at all. Limit Global Admin to 2-3 break-glass accounts with strong MFA, and use specific roles (Exchange Admin, SharePoint Admin) for people who need them.
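The admin-role audit described above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original post). It assumes the `Microsoft.Graph` module is installed and the caller has directory read permissions; the list of roles and the Global Admin threshold of three are choices you can adjust.

```powershell
# Added example: list who holds privileged directory roles and flag
# Global Administrator sprawl. Assumes Microsoft.Graph is installed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles worth reviewing; the tenant-wide ones first
$privilegedRoles = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "User Administrator"
)

$report = foreach ($roleName in $privilegedRoles) {
    # Get-MgDirectoryRole only returns roles that have been activated in the
    # tenant, so a role nobody has ever been assigned simply does not appear.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
    foreach ($m in $members) {
        # Members come back as generic directory objects; the useful fields
        # live in AdditionalProperties.
        [pscustomobject]@{
            Role        = $roleName
            DisplayName = $m.AdditionalProperties['displayName']
            UPN         = $m.AdditionalProperties['userPrincipalName']
            ObjectType  = ($m.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        }
    }
}

$report | Sort-Object Role, UPN | Format-Table -AutoSize

# Flag anything beyond the 2-3 break-glass accounts the post recommends
$gaHolders = @($report | Where-Object Role -eq "Global Administrator")
if ($gaHolders.Count -gt 3) {
    Write-Warning ("{0} accounts hold Global Administrator; move day-to-day admins " +
                   "to scoped roles such as Exchange Administrator.") -f $gaHolders.Count
}

# Service principals holding admin roles deserve their own review
$report | Where-Object ObjectType -eq "servicePrincipal"
```

Run it before and after the cleanup and keep both outputs: the "after" list is the baseline you compare against in future reviews.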

4. Enable Email Security Features

Email is the number one attack vector for SMBs. Microsoft 365 includes built-in protection, but much of it needs to be explicitly enabled and configured.

  • Anti-phishing policies: Enable impersonation protection for your executives and key partners
  • Safe Attachments: Scans email attachments in a sandbox before delivery
  • Safe Links: Rewrites URLs to check them at click-time
  • SPF, DKIM, and DMARC: Configure these DNS records to prevent email spoofing of your domain
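The four items above, as an added example (not code from the original post) in two parts: a DNS check for SPF, DKIM and DMARC that runs from any Windows machine with the `DnsClient` module, and the Exchange Online PowerShell commands that turn on impersonation protection, Safe Attachments, Safe Links and DKIM signing. It assumes the `ExchangeOnlineManagement` module is installed, a Defender for Office 365 Plan 1 licence (included in Business Premium), and that `contoso.com`, `admin@contoso.com` and the executive name are placeholders for your own values.

```powershell
# ---- Part A: verify the DNS records (no tenant access needed) ----
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=spf1*' }
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    # Microsoft 365 signs with two rotating keys published as CNAMEs selector1/selector2
    $dkim = foreach ($s in 'selector1', 'selector2') {
        Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    }

    $spfText   = if ($spf)   { $spf.Strings -join '' }   else { 'MISSING' }
    $dmarcText = if ($dmarc) { $dmarc.Strings -join '' } else { 'MISSING' }

    [pscustomobject]@{
        Domain         = $Domain
        SPF            = $spfText
        SPFHardFail    = [bool]($spf -and $spfText -match '-all$')          # ~all only softfails
        DKIMSelectors  = @($dkim).Count                                      # expect 2
        DMARC          = $dmarcText
        DMARCEnforcing = [bool]($dmarc -and $dmarcText -match 'p=(quarantine|reject)')  # p=none only reports
    }
}
Test-EmailAuthRecords -Domain 'contoso.com' | Format-List

# ---- Part B: configure the tenant-side protections ----
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Anti-phishing: impersonation protection for named executives and your own domains.
# TargetedUsersToProtect entries are "Display Name;email".
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;jane.doe@contoso.com") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true

# Safe Attachments: detonate attachments in a sandbox and block malicious ones
New-SafeAttachmentPolicy -Name "SMB Safe Attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "SMB Safe Attachments" `
    -SafeAttachmentPolicy "SMB Safe Attachments" -RecipientDomainIs contoso.com

# Safe Links: rewrite URLs and check them at click time, no click-through
New-SafeLinksPolicy -Name "SMB Safe Links" -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true -ScanUrls $true -DeliverMessageAfterScan $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "SMB Safe Links" -SafeLinksPolicy "SMB Safe Links" `
    -RecipientDomainIs contoso.com

# DKIM: create the signing config, then publish the two CNAMEs it reports at
# your DNS host and re-run Test-EmailAuthRecords until DKIMSelectors is 2
New-DkimSigningConfig -DomainName contoso.com -Enabled $true
Get-DkimSigningConfig -Identity contoso.com | Select-Object Selector1CNAME, Selector2CNAME
```

SPF and DMARC are ordinary TXT records you publish yourself; a sensible starting DMARC record is `v=DMARC1; p=quarantine; rua=mailto:dmarc@contoso.com`, moving to `p=reject` once the reports show only legitimate senders.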

5. Turn On Audit Logging

If you don't have audit logging enabled, you won't know when something goes wrong until it's too late. Unified Audit Log captures sign-ins, file access, admin actions, and mailbox activity.

What to do: Enable Unified Audit Log in the Microsoft Purview compliance portal. Set up alerts for suspicious activities like impossible travel, mass file downloads, or new inbox rules (a common post-compromise tactic).
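Enabling the Unified Audit Log and checking it for two of the signals named above (new or changed inbox rules that forward or delete mail, and users downloading unusually many files), as an added example in Exchange Online PowerShell (not code from the original post). It assumes the `ExchangeOnlineManagement` module is installed, `admin@contoso.com` is a placeholder, and the 7-day window and the 200-download threshold are arbitrary values you tune to your own environment.

```powershell
# Added example: turn on Unified Audit Log ingestion and hunt for two
# post-compromise signals. Assumes ExchangeOnlineManagement is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Make sure audit records are actually being collected
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified Audit Log enabled; records start accumulating from now."
}

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# 2. Inbox rules that forward, redirect or silently delete mail
$ruleRecords = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

$riskyParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder'

$ruleFindings = foreach ($r in $ruleRecords) {
    # AuditData is a JSON blob; Exchange admin records carry the cmdlet
    # parameters as an array of {Name, Value} pairs
    $data   = $r.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    $hits = @($riskyParams | Where-Object { $params.ContainsKey($_) })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            When      = $r.CreationDate
            User      = $r.UserIds
            Operation = $r.Operations
            RuleName  = $params['Name']
            ClientIP  = $data.ClientIP
            Flags     = ($hits | ForEach-Object { "$_=$($params[$_])" }) -join '; '
        }
    }
}
"--- Inbox rules that forward, redirect or delete ---"
$ruleFindings | Sort-Object When -Descending | Format-Table -AutoSize

# 3. Mass file downloads: count FileDownloaded events per user and flag
# anyone over the threshold (tune this to what is normal for your team)
$downloadThreshold = 200
$downloads = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations FileDownloaded -ResultSize 5000

"--- Users with more than $downloadThreshold downloads in the window ---"
$downloads | Group-Object UserIds |
    Where-Object Count -gt $downloadThreshold |
    Sort-Object Count -Descending |
    Select-Object @{n='User'; e={$_.Name}}, Count |
    Format-Table -AutoSize
```

`Search-UnifiedAuditLog` returns at most 5,000 records per call, so for a busy tenant narrow the window or page with `-SessionId` and `-SessionCommand ReturnLargeSet`. Run this on a schedule and treat any non-empty result as a ticket to investigate; the Purview alert policies cover the same signals but a script you control is easier to extend.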

What's Next?

These five steps will dramatically improve your security posture, but they're just the foundation. A comprehensive M365 security review covers dozens of additional settings across identity, data loss prevention, device management, and more.

If you'd like help implementing these changes — or want a full security assessment of your Microsoft 365 environment — our Managed Cloud Security service covers exactly this. We'll configure everything, document what we've done, and train your team on the changes.