AEAsk Erik
Computer Services
541-359-3111Book Assessment
Cybersecurity News
cybersecurityJune 28, 20253 min read

The Microsoft 365 Security Settings Most Small Businesses Miss

Microsoft 365 is reasonably secure out of the box — but "reasonably secure" and "properly secured" are not the same thing. The default settings are designed to minimize friction for new users, not to protect a business from current threats.

Here are the settings that matter most, and why most businesses haven't configured them.

1. Multi-Factor Authentication Is Still Not Enforced for Everyone

Microsoft now enables Security Defaults in new tenants, which requires MFA for all users. But tenants created before October 2019 don't have this — and many businesses either haven't turned it on or have individual users exempted for convenience.

Every user account should require MFA. Not most users. Not everyone except the owner. Everyone.

If you're on Microsoft 365 Business Premium, Conditional Access policies let you configure this properly — including requiring compliant devices and blocking legacy authentication protocols.

2. Legacy Authentication Protocols Are Still Enabled

Basic authentication — the old protocol used by older email clients — doesn't support MFA. An attacker who gets your password can log in directly, bypassing your MFA entirely.

Microsoft has been disabling legacy authentication in phases since 2021, but many tenants still have it enabled for specific protocols. You should audit this and disable it entirely unless you have a specific legacy system that requires it (and if you do, that system needs to be replaced).

3. Exchange Online Protection Is Under-Configured

Microsoft's built-in email security (EOP) includes anti-phishing, anti-spam, and anti-malware policies. The defaults are not tuned for maximum protection.

Key settings to review:

  • Anti-phishing policies: Enable mailbox intelligence, impersonation protection for your domain and key senders
  • Safe Links: Enabled for email and Office applications — rewrites URLs to check them at click time
  • Safe Attachments: Scan attachments in a sandbox before delivery
  • DMARC, DKIM, SPF: All three should be configured for your domain to prevent spoofing

4. Admin Roles Are Over-Assigned

The number of Global Administrator accounts in a typical small business tenant is too high. Global Admins can do anything — reset passwords, disable MFA, access all data. Most businesses have 3–5 Global Admins when one or two would be appropriate.

Audit your admin role assignments. Use the principle of least privilege — give users only the access they need for their job function.

5. No Unified Audit Log Review

Microsoft 365 logs everything: logins, document access, email forwarding rules, admin changes. But the logs don't review themselves.

At minimum, you should know if:

  • Any user has set up email forwarding to an external address (a common sign of compromise)
  • There are any login attempts from unusual locations
  • Any admin changes were made outside of your normal maintenance windows

What This Means for Your Business

None of these settings require enterprise IT expertise to configure — but they do require knowing they exist and taking the time to do them right. Many businesses set up Microsoft 365, get everyone's email working, and move on. The security configuration gets deferred indefinitely.

We handle Microsoft 365 administration as part of managed IT. If you've never had a security configuration review of your tenant, start with a free assessment or call us at 541-359-3111.

Need help protecting your business?

Ask Erik serves small businesses and healthcare practices throughout Lane County.

Book a Free Assessment 541-359-3111