
10 Microsoft 365 Security Settings You Should Enable Today

Most M365 tenants are significantly under-configured. These ten settings take less than a day to enable and make a material difference to your security posture — without breaking anyone's workflow.

By Ryan Balloot, Managing Director · 21 April 2026 · 4 min read

Most Microsoft 365 environments we assess are significantly under-configured. The platform ships with defaults that prioritise ease of adoption over security, and the gap between 'deployed M365' and 'securely configured M365' is where most breaches start. These ten settings take less than a day to implement and make a material difference.

Why M365 defaults are not enough

Microsoft configures M365 for ease of deployment, not security. Legacy authentication protocols are often still enabled. MFA is not enforced out of the box. External sharing is broad by default. Audit logging requires manual activation. None of this is hidden — it is documented — but it requires deliberate action to close.

The consequence is that most tenants we see in incident response work have had months or years of exposure to credential-based attacks that proper MFA and Conditional Access would have blocked entirely.

Ten settings to enable today

Enforce MFA for all users

Go to Microsoft Entra ID → Security → Authentication methods and ensure MFA is enabled for all users, not just admins. Use Conditional Access policies rather than per-user MFA for more granular control and better reporting.

Block legacy authentication

Legacy authentication protocols — IMAP, POP3, SMTP AUTH, and older Exchange ActiveSync — cannot enforce MFA. Attackers use them specifically to bypass it. Block legacy authentication via a Conditional Access policy. Test in report-only mode first and audit existing legacy sign-ins before enforcing.

Enable Microsoft Secure Score tracking

Secure Score is a free dashboard in the Microsoft Defender portal that shows your current security posture and prioritises improvements. Enable it, set a baseline, and review it weekly. It tells you exactly what to fix next.

Configure Conditional Access baselines

Conditional Access is the policy engine for identity security in M365. At a minimum, deploy policies that require MFA for all users on all apps, block legacy authentication, and require compliant devices for access to sensitive data.
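The first, second and fourth settings above are all Conditional Access policies, so here is one way to deploy the two that matter most (require MFA for everyone, block legacy authentication) in report-only mode and then review the sign-in log before enforcing. This is an added example using the Microsoft Graph PowerShell SDK; it is not code from the article or from Microsoft. It assumes the Microsoft.Graph module is installed, the caller holds the Conditional Access Administrator role, the tenant has Entra ID P1 (needed for Conditional Access and the sign-in log), and the break-glass account IDs and policy names are placeholders you replace with your own.

```powershell
# Added example (not from the article): Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph is installed and the caller can write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All"

# Placeholder: object IDs of your emergency-access ("break-glass") accounts, excluded from both policies.
$breakGlass = @("00000000-0000-0000-0000-000000000000")

# Policy 1: require MFA for all users on all apps. Report-only first, as the article advises.
$requireMfa = @{
    displayName    = "CA001 - Require MFA for all users"      # placeholder name
    state          = "enabledForReportingButNotEnforced"
    conditions     = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls  = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the client
# app types that cannot perform MFA (IMAP, POP3, SMTP AUTH, older ActiveSync).
$blockLegacy = @{
    displayName    = "CA002 - Block legacy authentication"    # placeholder name
    state          = "enabledForReportingButNotEnforced"
    conditions     = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls  = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State
}

# Before switching CA002 to "enabled": who has used a legacy protocol in the last 30 days?
# Anything that is not a browser or a modern desktop/mobile client is a legacy sign-in.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser","Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The final query is the audit step the article asks for: each row is a user and the legacy protocol they are still using, so you can migrate or retire those clients, then flip the policy state to `enabled` with `Update-MgIdentityConditionalAccessPolicy`. Excluding break-glass accounts from both policies is deliberate; a tenant-wide MFA or block policy with no excluded emergency account is a lockout risk.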

Enable Microsoft Defender for Office 365

Defender for Office 365 Plan 1, included in Business Premium, provides anti-phishing, safe links, and safe attachments. Enable safe links to scan URLs in email and Office documents, and safe attachments to detonate suspicious files in a sandbox before delivery.

Harden anti-phishing policies

The default anti-phishing policy is not aggressive enough. Create a custom policy that enables impersonation protection for key personnel and your domains, raises the spoof intelligence threshold, and sets quarantine as the action for detected phish — not the junk folder.
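The Defender for Office 365 and anti-phishing settings from the two sections above can be applied together from Exchange Online PowerShell. This is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module, a Defender for Office 365 Plan 1 licence, an account with the Security Administrator role, and placeholder values for the domain, the protected users and the policy names. The "spoof intelligence threshold" the article refers to is set here through the policy's phishing threshold level (`PhishThresholdLevel`, 1 to 4).

```powershell
# Added example (not from the article): Exchange Online PowerShell.
# Assumes ExchangeOnlineManagement is installed and Defender for Office 365 Plan 1 is licensed.
Connect-ExchangeOnline -ShowBanner:$false

$domain = "contoso.com"                                   # placeholder: your accepted domain
$vips   = @("Jane Doe;jane.doe@contoso.com",              # placeholder: "DisplayName;email" pairs
            "John Smith;john.smith@contoso.com")          # for impersonation protection

# Safe Links: scan URLs in email and Office documents; hold delivery until the scan completes.
New-SafeLinksPolicy -Name "Safe Links - Standard" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForOffice $true -EnableSafeLinksForTeams $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -AllowClickThrough $false -TrackClicks $true
New-SafeLinksRule -Name "Safe Links - $domain" -SafeLinksPolicy "Safe Links - Standard" `
    -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox before delivery; block if malicious.
New-SafeAttachmentPolicy -Name "Safe Attachments - Standard" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Safe Attachments - $domain" -SafeAttachmentPolicy "Safe Attachments - Standard" `
    -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for key people and your own domains, mailbox
# intelligence, spoof intelligence, a raised phishing threshold, and quarantine (not junk)
# as the action for everything detected.
New-AntiPhishPolicy -Name "Anti-Phish - Hardened" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $vips `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 3 -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true
New-AntiPhishRule -Name "Anti-Phish - $domain" -AntiPhishPolicy "Anti-Phish - Hardened" `
    -RecipientDomainIs $domain

# Verify the effective policy rather than trusting the portal's summary.
Get-AntiPhishPolicy -Identity "Anti-Phish - Hardened" |
    Select-Object Name, PhishThresholdLevel, TargetedUserProtectionAction,
                  TargetedDomainProtectionAction, AuthenticationFailAction
```

Custom policies take precedence over the built-in default policy, so the hardened settings apply to the domain in the rule without you having to edit the default. Start with `PhishThresholdLevel 3` and review the quarantine for a week before moving to level 4, which will catch more but also hold more legitimate mail for review.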

Confirm unified audit logging is on

Go to the Microsoft Purview compliance portal and confirm unified audit logging is enabled. Without it, you have no forensic record of activity in your tenant. It should be on by default in most tenancies, but confirm it and check that retention meets your requirements.

Restrict SharePoint and OneDrive external sharing

The default sharing settings allow sharing with anyone via a link. Lock this down to authenticated external users at minimum, or to your own organisation if your workflow allows. Overly broad sharing is a common source of unintended data exposure.

Enable self-service password reset with MFA verification

Self-service password reset reduces helpdesk load while maintaining security. Enable it with MFA verification. While you are there, enable passwordless authentication options — Microsoft Authenticator phone sign-in is a practical first step for most SMEs.

Audit and reduce admin role assignments

Go to Microsoft Entra ID → Roles and administrators and review who holds Global Administrator, Exchange Administrator, and SharePoint Administrator roles. Reduce this to the minimum. Global Admin should have no more than two to four holders, those accounts should be cloud-only, and all should have MFA enforced.
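Three of the items above are quick to verify programmatically: that unified audit logging is on, that SharePoint and OneDrive sharing is not set to "Anyone", and who holds Global Administrator and whether those accounts are cloud-only. The following read-only posture check is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules are installed, that the caller has read rights in each service, and that the tenant name is a placeholder you replace. It reports findings and prints the fix, but changes nothing.

```powershell
# Added example (not from the article): read-only posture check across Exchange Online,
# SharePoint Online and Microsoft Graph. Assumes the three modules are installed and the
# caller can read configuration in each service. Nothing here modifies the tenant.
$tenant = "contoso"   # placeholder: your tenant name (admin URL is https://<tenant>-admin.sharepoint.com)

Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

$findings = [System.Collections.Generic.List[string]]::new()

# Unified audit logging: without it there is no forensic record of tenant activity.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log is OFF. Fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true")
}

# SharePoint / OneDrive external sharing: 'Anyone' links are the broad default the article warns about.
$spo = Get-SPOTenant
if ($spo.SharingCapability -eq "ExternalUserAndGuestSharing") {
    $findings.Add("SharePoint sharing allows 'Anyone' links ($($spo.SharingCapability)). " +
                  "Fix: Set-SPOTenant -SharingCapability ExternalUserSharingOnly (or Disabled)")
}

# Global Administrator membership: two to four holders, all cloud-only.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    # Role members can also be service principals; Get-MgUser fails silently on those.
    Get-MgUser -UserId $_.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled -ErrorAction SilentlyContinue
}
if ($members.Count -gt 4) {
    $findings.Add("Global Administrator has $($members.Count) holders; the target is two to four.")
}
foreach ($m in $members) {
    if ($m.OnPremisesSyncEnabled) {
        $findings.Add("Global Admin $($m.UserPrincipalName) is synced from on-premises AD; it should be cloud-only.")
    }
}

"Global Administrator holders: $($members.UserPrincipalName -join ', ')"
if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run this before and after the day's changes and keep the output with your Secure Score baseline; it gives you a plain record of the starting state, which is also what an incident responder will ask for first.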

Enabling MFA and blocking legacy auth closes the door on the majority of M365-based attacks. Everything after that is hardening what is already protected.

What these settings do not cover

These ten settings address the most common misconfigurations. They do not replace a comprehensive M365 security review, which covers email flow, mail routing security (SPF, DKIM, DMARC), device compliance policies, information protection labels, and DLP configurations.

Frequently asked questions

Will blocking legacy authentication break anything?

Possibly. Older email clients and some line-of-business applications that use basic authentication will stop working. Run the Conditional Access policy in report-only mode first and review the legacy authentication sign-in logs before enforcing. Most modern applications support modern authentication and are unaffected.

Does MFA slow down my staff?

Modern MFA — push notification to a phone, biometric on a device — adds a few seconds to sign-in. Most organisations find this a non-issue once users are accustomed to it. Passwordless authentication is actually faster than typing a password.

What licence do I need for these settings?

Many settings are available in Microsoft 365 Business Basic. Conditional Access and Defender for Office 365 require Business Premium or E3/E5. Most SMEs should be running Business Premium — the security features alone justify the price difference over Basic.
