Microsoft 365 is the backbone of most small and medium businesses — email, file sharing, collaboration, and identity management all run through it. But out of the box, M365's most important security features are either disabled or set to their weakest configuration. Microsoft ships it this way to minimize friction during setup, but leaving these defaults in place leaves your business dangerously exposed.
The good news: enabling the right security settings takes about 30 minutes and dramatically reduces your risk. Here are the 10 settings our security team configures for every client.
1. Enable Multi-Factor Authentication for All Users
This is the single most impactful security setting you can configure. MFA blocks 99.9% of automated account attacks. Yet, shockingly, Microsoft reports that only 38% of M365 business tenants have MFA enabled for all users. Go to Microsoft Entra admin center → Protection → Authentication methods → Policies, and enable MFA for every user account without exception. Use the Microsoft Authenticator app — it's more secure than SMS codes and works even without cell service.
2. Disable Legacy Authentication Protocols
Legacy protocols like POP3, IMAP, and SMTP Auth don't support MFA. They're the primary attack vector for password-spray and brute-force attacks against M365. Microsoft's data shows that 97% of credential stuffing attacks use legacy authentication. In the Microsoft Entra admin center, create a Conditional Access policy that blocks legacy authentication entirely. If you have a legacy application that requires it, scope the policy to exclude only the specific accounts that application uses — not your entire organization.
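The policy described above, written as an added example in Microsoft Graph PowerShell (this is not code from the original post). It assumes the Microsoft.Graph module is installed, that the signed-in admin holds the Policy.ReadWrite.ConditionalAccess scope, and that the two object IDs are placeholders for your emergency-access account and the single service account a legacy application still needs. The policy is created in report-only mode first so you can review what it would have blocked before enforcing it.

```powershell
# Added example: block legacy authentication tenant-wide with Conditional Access.
# Assumed: Microsoft.Graph module installed; placeholder object IDs below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000001"   # placeholder: emergency-access account
$legacyAppId  = "00000000-0000-0000-0000-000000000002"   # placeholder: the ONE account the legacy app uses

$policy = @{
    displayName = "Block legacy authentication (all users)"
    # Report-only first: sign-in logs show what would have been blocked without breaking anyone.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "exchangeActiveSync" plus "other" together match every client that cannot do modern auth
        # (POP3, IMAP, SMTP Auth, older Office clients).
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId, $legacyAppId)   # scope the exception to accounts, never the whole org
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# After reviewing the report-only results, switch the same policy to enforced:
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }

# Confirm the final state
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Run the enforce step only after the report-only period; the exclusion list is the one place this policy can quietly widen over time, so review it whenever the legacy application is retired or its account changes.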
3. Configure Anti-Phishing Policies in Defender
The default anti-phishing protection is minimal. Go to Microsoft 365 Defender → Policies & rules → Threat policies → Anti-phishing, and: add all your executive names and titles to impersonation protection; enable mailbox intelligence to detect impersonation based on communication patterns; enable spoof intelligence; and configure the action for detected phishing to be 'Quarantine' (the default is often just 'Move to Junk').
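The same hardening done in Exchange Online PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed, that the tenant has Defender for Office 365 (the impersonation and mailbox-intelligence settings do nothing without it), and that the executive names and addresses are placeholders you replace with your own.

```powershell
# Added example: harden the default anti-phishing policy in Defender for Office 365.
# Assumed: ExchangeOnlineManagement module; placeholder executive entries below.
Connect-ExchangeOnline

# Format is "Display Name;email" per entry; these are placeholders for your executives.
$executives = @(
    "Jane Doe;jane.doe@contoso.example",   # placeholder CEO
    "John Roe;john.roe@contoso.example"    # placeholder CFO
)

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2 `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# Verify: every *Action should read Quarantine, not MoveToJmf or NoAction.
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableTargetedUserProtection, TargetedUserProtectionAction,
        EnableMailboxIntelligenceProtection, MailboxIntelligenceProtectionAction,
        EnableSpoofIntelligence, AuthenticationFailAction, PhishThresholdLevel
```

PhishThresholdLevel 2 ("Aggressive") is a reasonable starting point for a small business; raise it only after watching the quarantine for a few weeks, because higher levels increase false positives on legitimate mail.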
4. Enable Safe Attachments and Safe Links
Safe Attachments opens every email attachment in a virtual sandbox before delivering it to the user — catching malware that signature-based scanning misses. Safe Links rewrites URLs in emails and checks them in real time when clicked. Both are available in Microsoft Defender for Office 365 (included in Business Premium, available as an add-on for other plans). Configure Safe Attachments with 'Dynamic Delivery' for the best balance of security and email speed, and set Safe Links to scan all URLs in both emails and Teams messages.
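Both policies created from Exchange Online PowerShell, as an added example (not the original post's code). It assumes the ExchangeOnlineManagement module, a Defender for Office 365 license, and that `contoso.example` is a placeholder for your accepted domain. Dynamic Delivery only works for mailboxes hosted in Exchange Online, which is why the rule is scoped by recipient domain rather than by a list of users.

```powershell
# Added example: Safe Attachments (Dynamic Delivery) and Safe Links for all users in a domain.
# Assumed: ExchangeOnlineManagement module; placeholder domain below.
Connect-ExchangeOnline

$domain = "contoso.example"   # placeholder: your accepted domain

# Safe Attachments: deliver the message body immediately, attach the file once the sandbox clears it.
New-SafeAttachmentPolicy -Name "SA-AllUsers" `
    -Enable $true `
    -Action DynamicDelivery
New-SafeAttachmentRule -Name "SA-AllUsers" `
    -SafeAttachmentPolicy "SA-AllUsers" `
    -RecipientDomainIs $domain `
    -Priority 0

# Safe Links: rewrite URLs in mail, Teams and Office clients, scan at click time,
# and do not let users click through a warning page.
New-SafeLinksPolicy -Name "SL-AllUsers" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "SL-AllUsers" `
    -SafeLinksPolicy "SL-AllUsers" `
    -RecipientDomainIs $domain `
    -Priority 0

# Verify both policies landed with the intended settings.
Get-SafeAttachmentPolicy -Identity "SA-AllUsers" |
    Select-Object Name, Enable, Action
Get-SafeLinksPolicy -Identity "SL-AllUsers" |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams,
        EnableSafeLinksForOffice, ScanUrls, TrackClicks, AllowClickThrough
```

`EnableForInternalSenders` matters more than it looks: once an account is compromised, the phishing links arrive from a colleague, and a policy that only scans external mail will pass them straight through.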
5. Set Outbound Spam Policies
If a user account gets compromised, attackers will use it to send spam and phishing emails to your clients, vendors, and contacts — destroying your domain reputation. Go to Threat policies → Anti-spam → Outbound spam filter policy, and set: maximum external recipients per hour to 400 (or lower for very small businesses); enable automatic forwarding blocking; and configure alerts for outbound spam events so your IT team knows immediately when an account is compromised.
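The outbound settings above applied and checked from PowerShell, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and uses the article's 400-recipient figure; the internal and daily limits are assumptions to adjust for your sending volume. The second half lists users Exchange has already restricted for suspicious outbound mail, which is the quickest "is an account compromised right now" check.

```powershell
# Added example: outbound spam limits, forwarding block, and a check for restricted senders.
# Assumed: ExchangeOnlineManagement module; internal/daily limits are illustrative.
Connect-ExchangeOnline

Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -RecipientLimitExternalPerHour 400 `
    -RecipientLimitInternalPerHour 800 `
    -RecipientLimitPerDay 2000 `
    -ActionWhenThresholdReached BlockUser `
    -AutoForwardingMode Off           # blocks client-side auto-forwarding to external addresses

Get-HostedOutboundSpamFilterPolicy -Identity Default |
    Select-Object RecipientLimitExternalPerHour, RecipientLimitInternalPerHour,
        RecipientLimitPerDay, ActionWhenThresholdReached, AutoForwardingMode

# Who has tripped the threshold and been blocked from sending? Empty output is the goal.
Get-BlockedSenderAddress | Select-Object SenderAddress, Reason, CreatedDatetime

# The Security & Compliance side ships alert policies for exactly these events;
# confirm they are still enabled rather than assuming.
Connect-IPPSSession
Get-ProtectionAlert |
    Where-Object { $_.Name -like "*restricted from sending*" -or $_.Name -like "*sending limit*" } |
    Select-Object Name, Disabled, NotifyUser
```

If `Get-BlockedSenderAddress` returns a user, treat it as an incident, not a quota problem: reset the password, revoke sessions, and look for inbox rules and OAuth consents before unblocking with `Remove-BlockedSenderAddress`.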
6. Enable Unified Audit Log and Alert Policies
The unified audit log records user and admin activity across your M365 environment — critical for investigating security incidents. It's not enabled by default. Go to Microsoft Purview compliance portal → Audit → Start recording user and admin activity. Then create alert policies for high-risk events: suspicious email forwarding rules, mass file deletions, password changes for privileged accounts, and unusual login locations.
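An added example (not code from the original post) that turns the audit log on, verifies it, and then uses it for the first alert case the article lists: inbox rules that forward, redirect, or silently delete mail. It assumes the ExchangeOnlineManagement module and that audit ingestion has been on long enough to have data; `Search-UnifiedAuditLog` only returns what was recorded after you enabled it.

```powershell
# Added example: enable the unified audit log and hunt for suspicious inbox rules.
# Assumed: ExchangeOnlineManagement module; a 7-day window is illustrative.
Connect-ExchangeOnline

# Turn ingestion on and confirm it reads True.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
"Audit log enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"

# Inbox-rule events from the last 7 days.
$start  = (Get-Date).AddDays(-7)
$end    = Get-Date
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

# Rule parameters that an attacker uses to hide or exfiltrate mail.
$riskyParams = @("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder")

$findings = foreach ($e in $events) {
    $data   = $e.AuditData | ConvertFrom-Json          # AuditData is a JSON string per record
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    $hits = $params.Keys | Where-Object { $_ -in $riskyParams }
    if ($hits) {
        [pscustomobject]@{
            When     = $e.CreationDate
            User     = $e.UserIds
            Op       = $e.Operations
            RuleName = $params["Name"]
            Flags    = ($hits -join ",")
            ClientIP = $data.ClientIP
        }
    }
}

$findings | Sort-Object When -Descending | Format-Table -AutoSize
```

Run this on a schedule even with alert policies in place: the built-in "Creation of forwarding/redirect rule" alert covers forwarding, but a rule that moves the helpdesk's replies into RSS Feeds and marks them read is just as effective for an attacker and only shows up when you look at `MoveToFolder`.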
7. Restrict External Sharing and Guest Access
By default, users can share SharePoint and OneDrive files with anyone who has the link — no login required. This is convenient but dangerous. Go to SharePoint admin center → Policies → Sharing, and set the default sharing link to 'Specific people' (not 'Anyone with the link'). Limit external sharing to authenticated external users. For Teams, restrict guest access to only what's needed — guests shouldn't be able to delete channels or add apps by default.
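The SharePoint and OneDrive side of this, as an added example in the SharePoint Online management shell (not code from the original post). It assumes the Microsoft.Online.SharePoint.PowerShell module and that the admin URL is a placeholder for your tenant. `ExternalUserSharingOnly` disables "Anyone" links tenant-wide, and `Direct` makes "Specific people" the default link type; the final query finds individual sites whose own setting is still looser than the tenant default.

```powershell
# Added example: tenant-wide sharing defaults plus a sweep for sites still allowing Anyone links.
# Assumed: Microsoft.Online.SharePoint.PowerShell module; placeholder admin URL.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder

Set-SPOTenant `
    -SharingCapability ExternalUserSharingOnly `   # external users must sign in; no anonymous links
    -DefaultSharingLinkType Direct `               # "Specific people" is the default link
    -DefaultLinkPermission View                    # new links grant view, not edit, unless changed

# Optional: only allow sharing with named partner domains (placeholder list).
# Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "partner.example"

Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Site-level settings can be less restrictive than the tenant only if the tenant allows it,
# but sites configured before the change keep their old value; list the ones to fix.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability

# Tighten a single site found above (placeholder URL):
# Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability ExternalUserSharingOnly
```

Existing "Anyone" links that were created before the change stop working once anonymous sharing is disabled at the tenant level, so announce the change before you make it; users whose shared links break will otherwise recreate them with external accounts in ways you did not intend.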
8. Enforce Strong Password Policies
M365's default password expiration policy is actually a bad practice — NIST now recommends against mandatory password rotation because it leads to predictable password patterns. Instead, configure: minimum 14-character passwords; ban common passwords and company-specific terms; enable Azure AD Password Protection to prevent weak passwords; and disable password expiration (rely on MFA and risk-based Conditional Access instead).
9. Configure Data Loss Prevention (DLP) Policies
DLP policies detect and block the sharing of sensitive information — social security numbers, credit card numbers, health information, and custom patterns you define. Start with Microsoft's built-in templates for your industry and customize as needed. At minimum, create a policy that alerts on any sharing of financial data or PII outside your organization.
10. Set Up Self-Service Password Reset with MFA
Without self-service password reset, locked-out users call your IT desk to get back in — wasting time and creating a social engineering vulnerability (attackers impersonate users calling for password resets). Enable SSPR with MFA verification so users can securely reset their own passwords. This requires Microsoft Entra ID P1 or P2 licensing (included in Business Premium).
Don't Wait — Do This Today
If you only do three things from this list, make them MFA, block legacy authentication, and configure anti-phishing policies. Those three steps alone will stop the vast majority of attacks targeting M365 environments. Need help? Litefoot Technology manages M365 security for businesses across the Southeast. We'll audit your current configuration, implement all 10 settings, and keep them maintained so you don't have to think about it.