Microsoft 365 Security Hardening: 12 Settings Every Business Should Configure
A Microsoft 365 Business Standard or Business Premium subscription gives you a capable set of collaboration and communication tools. It does not give you a secure configuration out of the box. The default settings in a new Microsoft 365 tenant reflect Microsoft’s priorities around ease of adoption — they are optimised for users to get started quickly, not for organisations to minimise their attack surface.
This matters because Microsoft 365 accounts are one of the most targeted assets in business IT. Business Email Compromise (BEC) attacks — where an attacker gains access to a mailbox and uses it to redirect payments, impersonate executives, or harvest internal information — are among the most financially damaging cyberattacks on small and medium businesses. Most of them begin with a compromised Microsoft 365 account, often one without multi-factor authentication.
The twelve settings below address the most significant gaps in a default Microsoft 365 configuration. None of them require advanced technical expertise to implement, and most can be configured through the Microsoft 365 admin centre without specialised tooling.
1. Enable Multi-Factor Authentication for All Users
This is the single most important security control available in Microsoft 365. MFA prevents the vast majority of account takeover attacks — Microsoft’s own data suggests it blocks over 99% of automated credential-stuffing attacks.
Enable MFA via Security Defaults (suitable for organisations without specific conditional access requirements) or via Conditional Access policies (more granular, available on Business Premium and above). Security Defaults can be enabled in Azure Active Directory → Properties → Manage Security Defaults. For any organisation that hasn’t explicitly configured MFA, this is the first action to take.
2. Protect Admin Accounts with Dedicated Accounts and MFA
Global Administrator accounts should not be the same accounts used for daily email and work. Admin accounts should be separate, licensed only with the permissions they need, named clearly (admin@yourdomain.com rather than firstname.lastname@yourdomain.com), and protected by phishing-resistant MFA — ideally a hardware security key (FIDO2) or the Microsoft Authenticator app with number matching, rather than SMS.
Routine admin tasks should not be performed while signed into an admin account used for email. The risk is that a phishing attack against a person’s regular account escalates to full tenant compromise if that account also holds Global Admin rights.
3. Configure Conditional Access Policies
Available on Microsoft 365 Business Premium and above, Conditional Access lets you define rules for when and how users can access Microsoft 365 resources. The highest-priority policies to implement are: require MFA for all users (if not handled by Security Defaults); block legacy authentication protocols (Basic Auth, which doesn’t support MFA and is still used by some older email clients); and require compliant or hybrid-joined devices for access to sensitive resources.
Legacy authentication is a particularly important target — attacks that bypass MFA by authenticating through legacy protocols, which cannot enforce MFA, are well documented. Blocking legacy auth via Conditional Access eliminates this attack vector entirely.
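The legacy-authentication block described above, as an added example that is not from the original article: it creates the policy through the Microsoft Graph PowerShell module in report-only mode so the sign-in logs show who would be affected before it is enforced. The module, a Conditional Access Administrator account and the break-glass account object id are assumptions.

```powershell
# Added example: Conditional Access policy that blocks legacy authentication for all users.
# Assumes the Microsoft.Graph PowerShell module and an account that can write CA policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Block legacy authentication (all users)'
    # Report-only evaluates and logs the decision without blocking anyone yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # exchangeActiveSync plus 'other' covers every client type that cannot do modern auth.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            # Placeholder: always exclude at least one emergency-access (break-glass) account.
            excludeUsers = @('<break-glass-account-object-id>')
        }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results in the sign-in logs show no legitimate clients affected,
# switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```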
4. Enable Microsoft Defender for Office 365
Defender for Office 365 (Plan 1 is included with Business Premium) provides significantly better email threat protection than Exchange Online Protection alone. The critical features to enable are Safe Attachments (scans email attachments in a sandbox before delivery), Safe Links (rewrites and scans URLs in emails at click time), and anti-phishing policies with impersonation protection for your key senders and domains.
Configure these in Microsoft Defender portal → Email & Collaboration → Policies & Rules → Threat policies. Microsoft provides preset security policies (Standard and Strict) that apply sensible defaults — enabling the Standard policy is a reasonable starting point for most businesses.
5. Configure SPF, DKIM, and DMARC for Your Domain
These three DNS-based email authentication standards prevent attackers from sending emails that impersonate your domain. SPF specifies which mail servers are authorised to send email on your behalf. DKIM adds a cryptographic signature to outbound emails that receiving servers can verify. DMARC builds on SPF and DKIM to define what should happen to emails that fail authentication checks.
Most Microsoft 365 configurations have SPF configured correctly but lack DKIM and DMARC. Enable DKIM in Microsoft Defender portal → Email & Collaboration → Policies & Rules → Threat policies → Email authentication settings. For DMARC, start with a policy of p=none to monitor without enforcing, review the reports for two to four weeks, and then move to p=quarantine or p=reject once you’ve confirmed all legitimate mail streams are authenticated correctly.
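As an added check for the DKIM and DMARC steps above (example code, not from the original article), the script below reports DKIM signing status for each accepted domain and parses the domain's published DMARC record to show which stage of the p=none → quarantine → reject rollout it is at. It assumes the ExchangeOnlineManagement module and the Windows DnsClient module for Resolve-DnsName.

```powershell
# Added example: per-domain DKIM status and DMARC policy stage.
# Assumes ExchangeOnlineManagement (Get-AcceptedDomain, Get-DkimSigningConfig) and DnsClient.
Connect-ExchangeOnline

function Get-DmarcStatus {
    param([Parameter(Mandatory)][string]$Domain)
    # DMARC is a TXT record at _dmarc.<domain>; many tenants have none at all.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Policy = 'missing'; Reporting = $false; Stage = 'no DMARC record' }
    }
    # Tags are key=value pairs separated by semicolons: v=DMARC1; p=quarantine; rua=mailto:...
    $tags = @{}
    foreach ($pair in (($txt.Strings -join '') -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    $stage = switch ($tags['p']) {
        'none'       { 'monitoring only: review rua reports, then move to quarantine/reject' }
        'quarantine' { 'enforcing (quarantine)' }
        'reject'     { 'enforcing (reject)' }
        default      { 'invalid record: p= tag missing' }
    }
    [pscustomobject]@{
        Domain    = $Domain
        Policy    = $tags['p']
        Reporting = [bool]$tags['rua']   # aggregate reports are what you review before enforcing
        Stage     = $stage
    }
}

# The *.onmicrosoft.com domain is signed by default; custom domains are the ones to check.
foreach ($d in (Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' })) {
    $name = $d.DomainName.ToString()
    $dkim = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain      = $name
        DkimEnabled = [bool]($dkim -and $dkim.Enabled)
        # Both selector CNAMEs must exist in public DNS before DKIM can be enabled for the domain.
        DkimCnames  = if ($dkim) { "$($dkim.Selector1CNAME); $($dkim.Selector2CNAME)" } else { 'not created' }
    } | Format-List
    Get-DmarcStatus -Domain $name | Format-List
}
```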
6. Disable or Restrict External Email Forwarding
Automatic email forwarding to external addresses is one of the most commonly exploited techniques in Business Email Compromise. An attacker who gains access to a mailbox will often configure a forwarding rule to silently copy all incoming emails to an external address, allowing them to monitor communications indefinitely even after the initial access is revoked.
Block automatic external forwarding via an outbound spam filter policy in the Defender portal: set Automatic forwarding rules to “Off — Forwarding is disabled.” There is a legitimate business need to forward email in some circumstances — where that need exists, the exception should be explicit and documented, not permitted by default for all users.
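The same change made from Exchange Online PowerShell, as an added example that is not part of the original article, followed by an inventory of forwarding that was already configured before the policy was tightened: mailbox-level forwarding and inbox rules whose targets lie outside the tenant's accepted domains. The ExchangeOnlineManagement module is assumed.

```powershell
# Added example: disable automatic external forwarding, then find existing forwarding.
# Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. The policy setting: 'Off' rejects auto-forwarded mail to external recipients.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Forwarding configured earlier (by a user or by an attacker) still needs review.
$internal  = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

function Test-ExternalAddress([string]$Address) {
    $domain = ($Address -split '@')[-1].ToLower()
    return [bool]($domain -and ($internal -notcontains $domain))
}

# Mailbox-level forwarding (Set-Mailbox or the Outlook settings page). ForwardingSmtpAddress
# is stored as 'smtp:user@example.com'.
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } | ForEach-Object {
    [pscustomobject]@{
        Mailbox  = $_.PrimarySmtpAddress
        Kind     = 'MailboxForwarding'
        Target   = (@($_.ForwardingSmtpAddress, $_.ForwardingAddress) -ne $null) -join ' '
        External = Test-ExternalAddress (($_.ForwardingSmtpAddress -replace '^smtp:', ''))
    }
}

# Inbox rules: ForwardTo/RedirectTo values look like 'Name [SMTP:user@example.com]',
# so pull the address out of the brackets before checking its domain.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule    = $_
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                ForEach-Object { if ("$_" -match 'SMTP:([^\]]+)') { $matches[1] } }
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Kind     = "InboxRule '$($rule.Name)'"
                Target   = $targets -join ', '
                External = [bool]($targets | Where-Object { Test-ExternalAddress $_ })
                Enabled  = $rule.Enabled
            }
        }
}
```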
7. Review and Restrict App Consent Permissions
Microsoft 365 allows third-party applications to request permission to access data in your tenant — email, calendar, contacts, files. By default, users can consent to applications requesting a wide range of permissions without administrator involvement. This is a significant attack vector: phishing campaigns regularly use consent phishing, directing users to legitimate-looking OAuth consent pages that grant attacker-controlled applications access to mailboxes.
Restrict this in Azure Active Directory → Enterprise Applications → User Settings. Set “Users can consent to apps accessing company data on their behalf” to No, and require administrator approval for app consent requests. Review the list of applications that have already been granted consent and revoke any that are not actively used or not recognised.
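The consent restriction and the review of existing grants, as an added example that is not from the original article, done through the Microsoft Graph PowerShell module (an assumption, as are the Graph scopes requested). Grants carrying mail, file or directory scopes are flagged first because those are what consent phishing asks for.

```powershell
# Added example: stop users consenting to apps, then list the delegated grants already present.
# Assumes the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization', 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# An empty list of permission-grant policies means users cannot consent to anything;
# requests then route to an administrator through the admin consent workflow.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# Existing grants: one object per (app, user-or-tenant) pair with the scopes granted.
$spCache = @{}
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    if (-not $spCache.ContainsKey($_.ClientId)) {
        $spCache[$_.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    }
    $sp = $spCache[$_.ClientId]
    # Mailbox, file and directory scopes on an unfamiliar app are the consent-phishing pattern.
    $highRisk = ($_.Scope -split ' ') | Where-Object { $_ -match '^(Mail|Files|Contacts|Calendars|Directory)\.' }
    [pscustomobject]@{
        App         = $sp.DisplayName
        Publisher   = $sp.PublisherName
        ConsentType = $_.ConsentType        # 'AllPrincipals' = tenant-wide admin consent
        GrantedFor  = $_.PrincipalId        # user object id; empty for tenant-wide grants
        Scopes      = $_.Scope
        HighRisk    = [bool]$highRisk
        GrantId     = $_.Id
    }
} | Sort-Object HighRisk -Descending | Format-Table -AutoSize

# Revoke a grant that is not recognised or no longer used by its id from the table above:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```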
8. Enable Unified Audit Logging
Microsoft 365 captures a detailed audit log of user and admin activity — sign-ins, mail access, file operations, configuration changes. This log is invaluable for investigating security incidents, but it is not retained indefinitely and must be actively enabled on some licence tiers.
Verify that audit logging is enabled in Microsoft Purview compliance portal → Audit. Retention periods vary by licence: Business Basic and Business Standard retain logs for 90 days; Business Premium retains them for one year. If your business has compliance or regulatory obligations that require longer retention, this may influence your licence choice or require supplementary log management.
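As an added example of putting the audit log to use (not code from the original article), the script below confirms unified audit ingestion is on and then searches the last 30 days of records for inbox-rule and mailbox changes that set a forwarding target, which is the usual BEC persistence mechanism. It assumes the ExchangeOnlineManagement module and the Name/Value parameter layout of Exchange admin audit records.

```powershell
# Added example: check audit ingestion, then hunt recent records for forwarding changes.
# Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Audit ingestion was off; records accumulate from now, not retroactively.'
}

$forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'ForwardingAddress'

# 5000 is the per-call maximum; use -SessionCommand ReturnLargeSet to page through larger tenants.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000

$records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json   # AuditData is a JSON string on each record
    # Exchange cmdlet audit records carry the cmdlet parameters as Name/Value pairs.
    $hits = @($data.Parameters | Where-Object { $_.Name -in $forwardingParams -and $_.Value })
    if ($hits) {
        [pscustomobject]@{
            When      = $_.CreationDate
            Actor     = $data.UserId
            ClientIP  = $data.ClientIP
            Operation = $data.Operation
            Mailbox   = (($data.Parameters | Where-Object { $_.Name -in 'Mailbox', 'Identity' }).Value) -join ' '
            Target    = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
} | Sort-Object When | Format-Table -AutoSize
```

A forwarding target set by an account's own user from an unfamiliar ClientIP, shortly after a sign-in alert, is the pattern worth escalating; a rule created by an administrator from a known address is usually the documented exception from setting 6.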
9. Configure Azure AD Identity Protection Alerts
Azure AD (now Microsoft Entra ID) includes risk detection that flags unusual sign-in patterns: sign-ins from unfamiliar locations, anonymous IP addresses, malware-linked devices, or credentials found in breach databases. Configuring alert notifications for high-risk sign-ins means you learn about potential account compromises in near real-time rather than weeks after the fact.
Review risk settings in Azure Active Directory → Security → Identity Protection. At minimum, configure email alerts for high-risk sign-ins and user risk events to the Global Administrator mailbox or a monitored security alias.
10. Review External Sharing Settings in SharePoint and OneDrive
SharePoint and OneDrive default sharing settings in a new tenant are more permissive than most businesses need. “Anyone” links — which allow access to a file or folder without sign-in, for anyone who has the link — are enabled by default. These links can be shared beyond your intended recipients and provide no audit trail of access.
Review and tighten these in Microsoft 365 admin centre → SharePoint → Policies → Sharing. For most businesses, the appropriate settings are: restrict external sharing to authenticated guests (not anonymous anyone-links) for SharePoint, and set link expiry for any links shared externally. Review which SharePoint sites are currently shared externally by checking site-level sharing reports.
11. Implement Microsoft Intune Device Management
If your organisation uses Microsoft 365 Business Premium, Intune device management is included. Enrolling company devices — Windows laptops, iPhones, Android phones — into Intune allows you to enforce security baselines, require device encryption, deploy BitLocker, push configuration policies, and remotely wipe devices that are lost or belong to departing employees.
The minimum useful configuration for a small business: enrol all company-owned Windows devices, enforce BitLocker encryption, configure Windows Defender settings via policy, and enable mobile device management for company email access on personal phones. Selective wipe (removing company data without wiping the entire device) is a particularly useful capability for BYOD scenarios.
12. Create and Test a Backup Strategy Outside Microsoft 365
This is not a Microsoft 365 configuration setting — it is a gap in most businesses’ Microsoft 365 deployments that is worth addressing explicitly. Microsoft’s service level agreements cover service availability, not data protection from accidental deletion, ransomware, or malicious insider activity. The native recycle bin and version history features in SharePoint and OneDrive have limited retention windows and are not a substitute for backup.
A third-party Microsoft 365 backup solution (Veeam, Acronis, Spanning, Backupify, and others provide this) takes regular snapshots of mailboxes, SharePoint content, and Teams data to an independent storage location. This ensures that data deleted or encrypted by ransomware can be recovered to a known-good point. For any business that stores meaningful data in Microsoft 365 — which is most of them — this is a gap worth closing.
Where to Start
If your Microsoft 365 tenant is largely unconfigured from a security perspective, the priority sequence is: MFA for all users, then admin account protection, then block external forwarding, then configure email authentication (SPF/DKIM/DMARC). These four changes address the most common attack paths against business Microsoft 365 environments and can typically be implemented in a half-day engagement.
A full Microsoft 365 security review — assessing your current configuration against Microsoft’s Secure Score benchmarks and addressing gaps systematically — is a structured engagement that most businesses can complete in two to three days. The Secure Score dashboard in the Microsoft Defender portal provides a useful starting point for understanding where you stand relative to Microsoft’s own recommended baselines.
