The Microsoft 365 Security Settings Most Small Businesses Miss
Microsoft 365 is reasonably secure out of the box — but "reasonably secure" and "properly secured" are not the same thing. The default settings are designed to minimize friction for new users, not to protect a business from current threats.
Here are the settings that matter most, and why most businesses haven't configured them.
1. Multi-Factor Authentication Is Still Not Enforced for Everyone
Microsoft now enables Security Defaults in new tenants, which requires MFA for all users. But tenants created before October 2019 don't have this — and many businesses either haven't turned it on or have individual users exempted for convenience.
Every user account should require MFA. Not most users. Not everyone except the owner. Everyone.
If you're on Microsoft 365 Business Premium, Conditional Access policies let you configure this properly — including requiring compliant devices and blocking legacy authentication protocols.
2. Legacy Authentication Protocols Are Still Enabled
Basic authentication — the old protocol used by older email clients — doesn't support MFA. An attacker who gets your password can log in directly, bypassing your MFA entirely.
Microsoft has been disabling legacy authentication in phases since 2021, but many tenants still have it enabled for specific protocols. You should audit this and disable it entirely unless you have a specific legacy system that requires it (and if you do, that system needs to be replaced).
3. Exchange Online Protection Is Under-Configured
Microsoft's built-in email security (EOP) includes anti-phishing, anti-spam, and anti-malware policies. The defaults are not tuned for maximum protection.
Key settings to review:
- Anti-phishing policies: Enable mailbox intelligence, impersonation protection for your domain and key senders
- Safe Links: Enabled for email and Office applications — rewrites URLs to check them at click time
- Safe Attachments: Scan attachments in a sandbox before delivery
- DMARC, DKIM, SPF: All three should be configured for your domain to prevent spoofing
4. Admin Roles Are Over-Assigned
The number of Global Administrator accounts in a typical small business tenant is too high. Global Admins can do anything — reset passwords, disable MFA, access all data. Most businesses have 3–5 Global Admins when one or two would be appropriate.
Audit your admin role assignments. Use the principle of least privilege — give users only the access they need for their job function.
5. No Unified Audit Log Review
Microsoft 365 logs everything: logins, document access, email forwarding rules, admin changes. But the logs don't review themselves.
At minimum, you should know if:
- Any user has set up email forwarding to an external address (a common sign of compromise)
- There are any login attempts from unusual locations
- Any admin changes were made outside of your normal maintenance windows
What This Means for Your Business
None of these settings require enterprise IT expertise to configure — but they do require knowing they exist and taking the time to do them right. Many businesses set up Microsoft 365, get everyone's email working, and move on. The security configuration gets deferred indefinitely.
We handle Microsoft 365 administration as part of managed IT. If you've never had a security configuration review of your tenant, start with a free assessment or call us at 541-359-3111.
Need help protecting your business?
Ask Erik serves small businesses and healthcare practices throughout Lane County.