AEAsk Erik
Computer Services
541-359-3111Book Assessment
Resources
GuideJune 15, 20254 min read

Microsoft 365 Security Hardening Guide for Small Businesses

Step-by-step guide to securing your Microsoft 365 tenant. Covers MFA setup, Conditional Access, Exchange Online Protection, admin role hygiene, and audit logging.

This guide covers the Microsoft 365 security configuration steps that matter most for small businesses with 10–75 users. It assumes you're on Microsoft 365 Business Premium or Business Standard at minimum.


Step 1: Enable Multi-Factor Authentication for All Users

Using Security Defaults (recommended for most small businesses):

  1. Sign in to the Microsoft Entra admin center as a Global Administrator
  2. Go to Identity → Overview → Properties
  3. Select Manage Security defaults
  4. Set Enable Security defaults to Enabled
  5. Click Save

This enforces MFA for all users and blocks legacy authentication protocols automatically.

Using Conditional Access (Business Premium):

  1. Go to Identity → Protection → Conditional Access
  2. Create a policy: Require MFA for all users
    • Users: All users
    • Cloud apps: All cloud apps
    • Grant: Require multi-factor authentication
  3. Create a second policy: Block legacy authentication

Step 2: Configure Anti-Phishing Policies

  1. Go to the Microsoft Defender portal → Email & Collaboration → Policies & Rules → Threat policies
  2. Select Anti-phishing → edit the Default policy or create a custom policy
  3. Enable:
    • Mailbox intelligence (learns from your users' patterns)
    • Impersonation protection for your domain and key users (owner, finance, HR)
    • Spoof intelligence
  4. Set action for detected impersonation: Quarantine

Step 3: Enable Safe Links and Safe Attachments

Safe Links:

  1. In Defender portal → Threat policies → Safe Links
  2. Create or edit a policy:
    • Enable for email, Microsoft Teams, and Office apps
    • Enable Track user clicks

Safe Attachments:

  1. In Defender portal → Threat policies → Safe Attachments
  2. Create or edit a policy:
    • Action: Block (delivers clean messages, quarantines suspicious)
    • Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams

Step 4: Configure DMARC, DKIM, and SPF

These DNS records tell receiving mail servers how to handle email claiming to be from your domain.

SPF — should already be set if Microsoft 365 was configured correctly. Verify at mxtoolbox.com.

DKIM:

  1. In Defender portal → Email & Collaboration → Policies & Rules → Threat policies → Email authentication settings
  2. Select your domain → Enable DKIM
  3. Add the two CNAME records shown to your DNS provider

DMARC — add a TXT record to your DNS:

Name:  _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

Start with p=quarantine. Move to p=reject after confirming no legitimate email is blocked.


Step 5: Audit and Restrict Admin Roles

  1. Go to Microsoft 365 admin center → Users → Active users
  2. Filter by Global Administrator role
  3. Remove Global Admin from anyone who doesn't need it daily
  4. Assign scoped roles instead: Exchange Admin, User Admin, Helpdesk Admin

Best practice: No more than 2–3 Global Admins. Each should have a dedicated admin account separate from their daily email account.


Step 6: Check for Malicious Email Forwarding Rules

  1. Go to Exchange admin center → Mail flow → Rules
  2. Look for any rules that forward mail externally — especially to free email services (Gmail, Hotmail)
  3. Also check Mailbox → Manage email apps for each user and confirm no unexpected access

This is one of the most common signs of a compromised account — attackers set up forwarding rules to silently copy all incoming email.


Step 7: Enable Unified Audit Logging

  1. Go to Microsoft Purview compliance portal → Audit
  2. If audit logging is not enabled, click Start recording user and admin activity
  3. Set retention to at least 90 days (Business Premium supports up to 1 year)

Review the audit log for:

  • Logins from unusual locations
  • Admin role changes
  • New email forwarding rules
  • Mass file downloads or deletions

Ongoing Maintenance

  • Review admin role assignments quarterly
  • Check Conditional Access policies after any significant tenant changes
  • Review audit log alerts weekly, or set up automated alerts in Microsoft Defender
  • Verify MFA enrollment status monthly — new employees sometimes slip through

Need Help?

Microsoft 365 security configuration is one of the most common gaps we find in small business environments. If you're not sure whether your tenant is configured correctly, book a free IT Assessment or call 541-359-3111. We'll audit your Microsoft 365 tenant and give you a clear picture of what's in place and what needs attention.

Not sure how your environment measures up?

We review small business IT environments throughout Lane County — no cost, no pressure.

Book a Free Assessment 541-359-3111