How to Secure Microsoft 365 for Your Small Business
Part of our guide: Small business security foundations
For most small businesses, Microsoft 365 is the business — email, files, calendars, identities, all in one place. That also makes it the single richest target an attacker can hit. The good news: M365 ships with strong security tools; the catch is that many of them are off or misconfigured by default. Here’s a practical checklist to lock it down.
Here’s why it’s worth the effort: a typical M365 takeover starts with a phishing email that captures one user’s password. The attacker signs in, sets a hidden inbox rule that auto-deletes their tracks, reads months of billing history, and waits to slip a fake “updated banking details” email into a real invoice thread — textbook business email compromise. Most of the controls below would have broken that chain at the first step.
1. Multi-factor authentication on every account — no exceptions
This is the single highest-impact change you can make. A stolen password is useless without the second factor. Turn on MFA for everyone, especially admins, and don’t leave “break-glass” accounts unprotected. Our MFA rollout guide walks through doing it without the helpdesk pain.
2. Block legacy authentication
Old protocols (POP, IMAP, older Office clients) can’t enforce MFA, so attackers deliberately target them to bypass it. Block legacy authentication so every login has to go through the modern, MFA-protected path.
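Steps 1 and 2 are two Conditional Access policies. The script below is an added example, not part of this guide, showing how to create both with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that you sign in with a Conditional Access Administrator or Global Administrator account; both policies are created in report-only mode so you can check the sign-in logs for who would be affected before switching them on.

```powershell
# Added example (not from the original guide). Creates the two Conditional Access
# policies that steps 1 and 2 describe, using the Microsoft Graph PowerShell SDK.
# Assumes: Install-Module Microsoft.Graph has been run, and you sign in as a
# Conditional Access Administrator or Global Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

# Both policies start in report-only mode so the sign-in logs show who *would*
# be blocked before anything is enforced. Change the state to "enabled" once the
# report-only results look right.
$reportOnly = "enabledForReportingButNotEnforced"

# Step 1: require MFA for every user, on every cloud app, from every client type.
$requireMfa = @{
    displayName   = "Require MFA for all users"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Step 2: block legacy authentication. "exchangeActiveSync" and "other" are the
# client-app types covering POP, IMAP, SMTP AUTH and older Office clients, none
# of which can complete an MFA challenge.
$blockLegacy = @{
    displayName   = "Block legacy authentication"
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
    Write-Host "Created (report-only): $($policy.displayName)"
}

# Confirm what the tenant now has.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only mode for a week or two and review the Conditional Access insights in the sign-in logs: every legacy-auth sign-in that shows up there is a printer, scanner or old mail client that will break when you enforce the block, and those are better found now than on a Monday morning.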
3. Lock down admin accounts
- Use a separate admin account that isn’t your day-to-day email.
- Grant the fewest admin roles needed — not everyone needs Global Admin.
- Review who has admin rights regularly and remove what’s stale. This is least privilege, the core of zero trust.
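A regular admin-rights review is easier with a report you can rerun. The script below is an added example, not part of this guide, that lists every member of every activated admin role via the Microsoft Graph PowerShell SDK and applies two least-privilege checks. It assumes the Microsoft.Graph module is installed and, for the second check, that dedicated admin accounts follow a hypothetical "adm-" naming convention.

```powershell
# Added example (not from the original guide). Lists every member of every
# activated admin role in the tenant so stale or over-broad assignments can be
# removed. Assumes the Microsoft Graph PowerShell SDK is installed.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

function Get-AdminRoleReport {
    # Get-MgDirectoryRole returns only roles that have been activated, i.e. the
    # ones that have (or once had) members.
    foreach ($role in Get-MgDirectoryRole) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            # Members come back as generic directory objects; the useful fields
            # live in AdditionalProperties.
            $props = $member.AdditionalProperties
            $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] }
                     else { $props['displayName'] }
            [PSCustomObject]@{
                Role   = $role.DisplayName
                Member = $name
                Type   = ($props['@odata.type'] -replace '#microsoft.graph.', '')
            }
        }
    }
}

$report = Get-AdminRoleReport
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Check 1: how many Global Administrators? Microsoft's own Secure Score
# recommendation is fewer than five.
$globalAdmins = @($report | Where-Object Role -eq 'Global Administrator')
Write-Host "Global Administrators: $($globalAdmins.Count)"

# Check 2: is any admin role held by a day-to-day account rather than a dedicated
# admin account? Heuristic only; this example assumes dedicated admin accounts
# are named 'adm-<something>' (an assumption, adjust to your own convention).
$report | Where-Object { $_.Type -eq 'user' -and $_.Member -notlike 'adm-*' } |
    ForEach-Object { Write-Warning "Admin role '$($_.Role)' held by non-dedicated account $($_.Member)" }
```

Service principals show up in the report too (Type of servicePrincipal); an app holding a privileged role deserves the same scrutiny as a person holding one.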
4. Use Microsoft Secure Score as your to-do list
Secure Score (in the Microsoft 365 Defender portal) scores your tenant against best practices and gives you a prioritized list of fixes. It’s the easiest way to see what you’ve missed — work the high-impact items down the list.
5. Turn on anti-phishing and safe links
If you have Microsoft Defender for Office 365, enable anti-phishing policies, Safe Links, and Safe Attachments. Email is the number-one way in, and these catch a large share of phishing and business email compromise before it reaches an inbox.
6. Control external sharing
By default, SharePoint and OneDrive can share files broadly. Set sharing to the minimum your business actually needs, and review “anyone with the link” files. Misconfigured sharing is a quiet but common way data leaks.
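To make "the minimum your business actually needs" concrete, here is an added example, not part of this guide, using the SharePoint Online Management Shell. It shows the tenant-wide sharing settings before tightening them, lists the sites that were allowing anonymous "anyone" links, and then applies a restrictive baseline. It assumes the Microsoft.Online.SharePoint.PowerShell module and a hypothetical tenant named contoso.

```powershell
# Added example (not from the original guide). Reviews and tightens tenant-wide
# external sharing. Assumes the SharePoint Online Management Shell module and a
# hypothetical tenant named contoso.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Before: see what the tenant currently allows. A weak configuration looks like
#   SharingCapability      : ExternalUserAndGuestSharing  (anonymous links allowed)
#   DefaultSharingLinkType : AnonymousAccess              ("anyone with the link" by default)
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
                              DefaultLinkPermission, RequireAnonymousLinksExpireInDays

# Which sites have their own setting opened up to anonymous links? These are
# where "anyone with the link" files were being created, so review their
# shared content. (Get-SPOSite -Limit All is fine for a small tenant.)
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, Owner

# After: a restrictive baseline. External people must sign in (no anonymous
# links), new sharing links default to people inside the organisation, and the
# default permission on a link is view-only. The tenant setting is a ceiling:
# individual sites can be stricter than this but not looser.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# Confirm.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

If the business genuinely needs anonymous links for one site (a public download area, say), keep the tenant at ExternalUserAndGuestSharing, set RequireAnonymousLinksExpireInDays so they expire, and lock every other site down with Set-SPOSite -SharingCapability instead.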
7. Turn on audit logging — before you need it
Enable unified audit logging so that if something happens, you can reconstruct what the attacker did. Without logs, investigating a business email compromise is guesswork. This is also what an insurer or regulator will ask for.
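The following is an added example, not part of this guide, using the ExchangeOnlineManagement module. It checks whether unified audit logging is on and enables it if not, then shows the query you will actually run on the day: pulling everything one account did over the last 30 days, including the client IP addresses, so the attacker's actions can be reconstructed. It assumes Exchange or compliance admin rights and a hypothetical user finance@contoso.example.

```powershell
# Added example (not from the original guide). Checks and enables unified audit
# logging, then demonstrates the investigation query used to reconstruct what a
# compromised account did. Assumes the ExchangeOnlineManagement module
# (Install-Module ExchangeOnlineManagement) and Exchange/compliance admin rights.
Connect-ExchangeOnline

# Step 1: check, and enable if needed. Newer tenants usually have this on already;
# older ones may not. Ingestion can take some hours to start after enabling.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit logging enabled."
} else {
    Write-Host "Unified audit logging already enabled."
}

# Step 2: the query you will want during an incident. Pull every audited action
# by one user over the last N days, paging through large result sets with a
# session id, and flatten the useful fields out of the AuditData JSON.
function Get-UserAuditTrail {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $Days = 30
    )
    $start     = (Get-Date).AddDays(-$Days)
    $end       = Get-Date
    $sessionId = "trail-" + [guid]::NewGuid().ToString()
    $all       = @()
    do {
        # ReturnLargeSet with the same SessionId returns the next page each call;
        # 5000 is the maximum page size.
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -UserIds $UserPrincipalName -ResultSize 5000 `
                    -SessionCommand ReturnLargeSet -SessionId $sessionId
        $all += $page
    } while ($page.Count -eq 5000)

    $all | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [PSCustomObject]@{
            Time      = $_.CreationDate
            Operation = $_.Operations
            ClientIP  = $d.ClientIP
            Workload  = $_.RecordType
        }
    } | Sort-Object Time
}

# Hypothetical user; keep the raw export for the insurer or investigator.
Get-UserAuditTrail -UserPrincipalName "finance@contoso.example" -Days 30 |
    Export-Csv -Path ".\audit-trail.csv" -NoTypeInformation
```

The first thing to look for in that CSV is a ClientIP the user has never signed in from, followed by operations such as New-InboxRule or UpdateInboxRules from that same address: that pairing is the hidden-rule-after-phishing pattern described at the top of this page.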
8. Back up Microsoft 365 — Microsoft doesn’t
A common and dangerous myth: that Microsoft backs up your data. It doesn’t, beyond limited retention. If ransomware encrypts your files or an employee deletes a mailbox, you need a third-party M365 backup to restore. Treat it as essential, not optional.
9. Manage the devices that connect
Use Conditional Access and basic device management so company data is only reachable from devices you trust and that are up to date. This matters even more with remote and hybrid work.
Warning signs of a compromised account
Even with good settings, know the tells of an account takeover so you can act fast:
- Hidden inbox rules that forward, move, or delete messages — a classic way attackers hide their activity.
- Sign-ins from unexpected locations or impossible travel (logins from two distant places minutes apart).
- Unexpected MFA prompts a user didn’t trigger — a sign someone has the password and is trying to get past MFA.
- Sent messages the user didn’t write, or contacts reporting odd emails from them.
Any of these warrants an immediate password reset, MFA review, and a check for rogue rules. If a click already happened, our guide on what to do after a phishing click covers the first hour.
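The first warning sign on the list, hidden inbox rules, is the one you can sweep for across the whole tenant in a few minutes. The script below is an added example, not part of this guide, using the ExchangeOnlineManagement module: it inspects every user mailbox's rules, including hidden ones, and flags the actions attackers rely on (external forwarding or redirection, deletion, moves into rarely-viewed folders, and rules with blank or punctuation-only names). It assumes a hypothetical accepted domain of contoso.example.

```powershell
# Added example (not from the original guide). Sweeps every user mailbox for
# inbox rules with the actions attackers use to hide their activity. Assumes the
# ExchangeOnlineManagement module and a hypothetical accepted domain.
Connect-ExchangeOnline

$internalDomains = @("contoso.example")   # assumption: your accepted domains

function Test-ExternalRecipient {
    param([string[]] $Recipients)
    foreach ($r in $Recipients) {
        # Recipients appear either as a bare address or as "Name [SMTP:user@domain]".
        $address = if ($r -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { $r }
        if ($address -match '@') {
            $domain = ($address -split '@')[-1]
            if ($domain -notin $internalDomains) { return $true }
        }
    }
    return $false
}

function Find-SuspiciousInboxRules {
    foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
        # -IncludeHidden matters: rules created through MAPI/EWS can be invisible
        # in Outlook's own rules dialog, which is exactly why attackers use them.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
            $reasons = @()
            if ($rule.DeleteMessage)                                { $reasons += "deletes messages" }
            if ($rule.SoftDeleteMessage)                            { $reasons += "soft-deletes messages" }
            if (Test-ExternalRecipient $rule.ForwardTo)             { $reasons += "forwards externally" }
            if (Test-ExternalRecipient $rule.ForwardAsAttachmentTo) { $reasons += "forwards externally (as attachment)" }
            if (Test-ExternalRecipient $rule.RedirectTo)            { $reasons += "redirects externally" }
            if ($rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk') {
                $reasons += "moves to rarely-viewed folder"
            }
            if ($rule.Name -match '^\s*[.,_-]*\s*$')                { $reasons += "blank or punctuation-only name" }

            if ($reasons.Count -gt 0) {
                [PSCustomObject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Why     = ($reasons -join '; ')
                }
            }
        }
    }
}

Find-SuspiciousInboxRules | Format-Table -AutoSize

# A rule confirmed as malicious is removed with, for example:
#   Remove-InboxRule -Mailbox user@contoso.example -Identity "<rule name>"
# after the password reset and MFA review that the text above calls for.
```

Expect a handful of legitimate hits (people really do auto-file newsletters into Archive); the point of the sweep is the rule nobody can explain, on a mailbox whose owner recently reported a suspicious email. Running it on a schedule and diffing the output against last week's is the simplest form of the day-to-day monitoring the closing section describes.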
The honest part
None of these settings is hard on its own. The challenge is doing all of them, keeping them configured as Microsoft changes defaults, and watching the tenant for suspicious sign-ins and mailbox rules day to day. That ongoing monitoring is exactly what a managed security partner provides — turning M365’s built-in tools into an actually-defended environment. If you’d like a hand hardening your tenant, get in touch.