Microsoft 365 comes with powerful security features, but many are disabled by default. Here are the critical settings every business should configure immediately.
1. Enable Multi-Factor Authentication (MFA)
This is non-negotiable. Microsoft's own telemetry puts MFA at blocking more than 99.9% of automated account-compromise attempts, which makes it the highest-value control on this list.
How to Enable (legacy per-user MFA):
1. Go to the Microsoft 365 admin center
2. Navigate to Users > Active users
3. Select "Multi-factor authentication"
4. Enable it for all users, starting with admins
Per-user MFA is the older mechanism. Microsoft now recommends enforcing MFA through Security Defaults or Conditional Access (section 2) instead, which lets you roll it out in report-only mode first and exclude a break-glass account. Whichever route you take, have users register a method before enforcement switches on, or the first sign-in after the change becomes a help-desk call.
Pro Tip: Use the Microsoft Authenticator app (with number matching) rather than SMS. SMS codes can be intercepted by SIM swapping and are trivially phished; for admin accounts go further and use a phishing-resistant method such as a FIDO2 security key or a passkey.
2. Configure Security Defaults or Conditional Access
For smaller organizations, Security Defaults provide essential protection with a single switch (Entra admin center > Identity > Overview > Properties > Manage security defaults):
- Requires every user to register for MFA, and prompts admins on every sign-in and other users when a sign-in looks risky
- Blocks legacy authentication protocols (IMAP, POP, SMTP AUTH, older Office clients) that cannot do MFA
- Protects privileged activities such as access to the Azure portal
Larger organizations should use Conditional Access policies for more granular control (per app, per location, per device state). Conditional Access requires Entra ID P1, which Business Premium includes, and it cannot run alongside Security Defaults: build your policies in report-only mode, review the sign-in logs, enable them, and only then turn Security Defaults off. Always exclude one emergency-access account so a misconfigured policy cannot lock out every admin.
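The two controls above, enforce MFA for everyone and block legacy authentication, implemented as Conditional Access policies with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original page. It assumes the Microsoft.Graph module is installed, the signed-in account holds the Conditional Access Administrator role, and a break-glass account with the placeholder UPN breakglass@contoso.onmicrosoft.com exists; the policy names are made up, while the control names "mfa" and "block" and the client app types are Graph's own.

```powershell
# Added example (not from the original page): enforce MFA and block legacy auth
# with Conditional Access via the Microsoft Graph PowerShell SDK.
# Placeholders: the break-glass UPN and the "EXAMPLE - ..." policy names.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Security Defaults and Conditional Access are mutually exclusive. A small tenant can
# stop here with: Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
# Everyone else leaves Defaults on until the policies below are enforced, then turns them off.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# One emergency-access account is excluded from every policy so a mistake cannot lock out all admins.
$breakGlass  = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"
$commonUsers = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
$allApps     = @{ includeApplications = @("All") }

# Both policies start in report-only mode: the sign-in log records what WOULD have happened
# without blocking anyone. Change state to "enabled" once the log shows no surprises.
$policies = @(
    @{
        displayName   = "EXAMPLE - Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $commonUsers
            applications   = $allApps
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName   = "EXAMPLE - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $commonUsers
            applications   = $allApps
            # Legacy protocols cannot satisfy MFA, so attackers use them to bypass it.
            # Graph groups them under these two client app types.
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# Confirm what is now defined in the tenant.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only mode for at least a week and check Entra ID > Monitoring > Sign-in logs > Report-only tab before enabling them; the legacy-auth policy in particular tends to surface a scanner, a multifunction printer or a line-of-business app still using SMTP AUTH or IMAP that needs to be migrated first.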
3. Set Up Email Authentication (SPF, DKIM, DMARC)
Email spoofing is a major attack vector: an attacker who can send mail that appears to come from your domain has a head start on every phishing and invoice-fraud campaign. These three DNS-published protocols work together to prevent it:
SPF (Sender Policy Framework): A TXT record listing which servers may send email for your domain. SPF alone is weak because it checks the envelope sender, which forwarding changes, and it does nothing unless a receiver is told to act on failures.
DKIM (DomainKeys Identified Mail): Microsoft 365 adds a digital signature to each outgoing message with a private key it holds; receivers verify it against a public key you publish in DNS. Unlike SPF, the signature survives forwarding.
DMARC (Domain-based Message Authentication, Reporting and Conformance): Tells receiving servers what to do with messages that fail both SPF and DKIM alignment (none, quarantine or reject) and where to send aggregate reports. Start at p=none to see who is sending as you, fix every legitimate sender, then move to quarantine and finally reject.
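The records the three protocols need, plus a check that they actually resolve, as an added example that is not code from the original page. It uses the Exchange Online PowerShell module to generate the DKIM CNAME targets, and Resolve-DnsName (Windows DnsClient module) to verify; "contoso.com" and the dmarc-reports mailbox are placeholders, and the record values are the standard ones for a tenant that sends only through Microsoft 365.

```powershell
# Added example (not from the original page): publish and verify SPF, DKIM and DMARC
# for a Microsoft 365 domain. Placeholders: contoso.com, dmarc-reports@contoso.com.
# Assumes the ExchangeOnlineManagement module and Resolve-DnsName (Windows).
$domain = "contoso.com"

# SPF: for a tenant that sends only through Microsoft 365 this is the whole record.
# List every other legitimate sender (marketing platform, ticketing system) before
# moving from ~all (soft fail) to -all (hard fail), or their mail gets rejected.
$expectedSpf = "v=spf1 include:spf.protection.outlook.com -all"

# DMARC: begin with p=none to collect aggregate reports (rua), confirm every sender
# passes, then raise the policy to quarantine and finally reject.
$expectedDmarc = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@$domain; pct=100"

# DKIM: Microsoft 365 holds the signing keys; you publish two CNAMEs that point at them.
Connect-ExchangeOnline
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }

"Records to publish for $domain :"
"  $domain                      TXT    $expectedSpf"
"  _dmarc.$domain               TXT    $expectedDmarc"
"  selector1._domainkey.$domain CNAME  $($dkim.Selector1CNAME)"
"  selector2._domainkey.$domain CNAME  $($dkim.Selector2CNAME)"

# Long TXT records are split into several strings in DNS; join them back into one record each.
function Get-TxtRecords([string]$Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
}

function Test-EmailAuthRecords([string]$Domain, [string]$Selector1, [string]$Selector2) {
    $spf   = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $cname = @{}
    foreach ($s in 'selector1', 'selector2') {
        $cname[$s] = (Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                      Where-Object Type -eq 'CNAME').NameHost
    }
    [pscustomobject]@{
        SpfSingleRecord = $spf.Count -eq 1      # two SPF records is a permanent error at receivers
        SpfHardFail     = $spf.Count -eq 1 -and $spf[0] -match '\s-all$'
        DkimSelector1   = $cname['selector1'] -eq $Selector1
        DkimSelector2   = $cname['selector2'] -eq $Selector2
        DmarcPresent    = [bool]$dmarc
        DmarcEnforcing  = [bool]($dmarc -match 'p=(quarantine|reject)')
        DmarcReporting  = [bool]($dmarc -match 'rua=mailto:')
    }
}

$check = Test-EmailAuthRecords -Domain $domain -Selector1 $dkim.Selector1CNAME -Selector2 $dkim.Selector2CNAME
$check

# Turn signing on only after both CNAMEs resolve; otherwise outbound mail fails DKIM.
if ($check.DkimSelector1 -and $check.DkimSelector2) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
}
```

Run the check again a day after publishing, from a network that does not use your own resolvers, to rule out caching. SpfSingleRecord is the check people most often fail: a second "v=spf1" record left behind by a previous mail provider makes SPF a permanent error at every receiver.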
4. Enable Unified Audit Logging
You can't investigate what you don't log. The unified audit log captures:
- User sign-ins and failures
- File access and sharing
- Admin activities
- Mailbox access
Entries are kept for 180 days by default (longer retention needs an E5 or audit add-on license), so export anything you may need for a later investigation. Auditing has been on by default for new tenants for years, but verify it rather than assume it.
To Enable:
1. Go to the Microsoft Purview portal
2. Navigate to Audit
3. If you see "Start recording user and admin activity", select it; if you don't, auditing is already on
Allow up to an hour before new events appear in searches.
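The same enablement done from Exchange Online PowerShell, followed by a first query that turns the log into something actionable: failed sign-ins over the last week grouped by account, which separates a password spray (many accounts, few failures each) from a brute-force attempt on one account. This is an added example, not code from the original page; it assumes the ExchangeOnlineManagement module and an account that holds the Audit Logs role.

```powershell
# Added example (not from the original page): enable unified audit logging and run a
# first query for failed sign-ins. Assumes the ExchangeOnlineManagement module and an
# account with the Audit Logs role (Global Admin or Compliance Administrator).
Connect-ExchangeOnline

# Enable ingestion if it is off. It can take up to 60 minutes before events flow.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
"Audit log ingestion enabled: $((Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled)"

# Failed sign-ins in the last 7 days. One call returns at most 5000 rows; for busier
# tenants page with -SessionCommand ReturnLargeSet and a -SessionId.
$end    = Get-Date
$start  = $end.AddDays(-7)
$failed = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
              -RecordType AzureActiveDirectoryStsLogon -Operations UserLoginFailed `
              -ResultSize 5000

# AuditData is a JSON string; parse it, then group per account.
# A few accounts with hundreds of failures: brute force. Hundreds of accounts with
# one or two failures from the same IPs: password spray.
$failed |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object UserId |
    Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name,
        @{ n = 'SourceIPs'; e = { ($_.Group.ClientIP | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Search-UnifiedAuditLog is the tool for ad-hoc investigation; for anything you want to look at routinely, forward the log to a SIEM or Microsoft Sentinel so the 180-day retention limit stops mattering.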
5. Configure Safe Attachments and Safe Links
Part of Microsoft Defender for Office 365, these features protect against:
- Malicious email attachments, detonated in a sandbox before delivery instead of being judged by signatures alone
- Phishing links in email, Teams messages and Office documents, checked at click time rather than only at delivery
- Zero-day threats, because both checks happen on behaviour observed at delivery or click time rather than on a known-bad list
Safe Attachments and Safe Links require Defender for Office 365 (Plan 1 or Plan 2). Business Premium includes Plan 1, so if that's your licence you already own them; plans without Defender get only Exchange Online Protection's baseline anti-malware and anti-spam filtering. The quickest way to switch both on with sensible settings is the "Standard" preset security policy in the Defender portal (Email & collaboration > Policies & rules > Threat policies > Preset security policies).
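The same two policies created explicitly and scoped to every recipient in the domain, for tenants that want to set the individual options rather than accept a preset. This is an added example, not code from the original page; the policy and rule names and "contoso.com" are placeholders, and it assumes a Defender for Office 365 Plan 1 or 2 licence and the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original page): create Safe Attachments and Safe Links
# policies with Exchange Online PowerShell. Placeholders: policy/rule names, contoso.com.
# Requires Defender for Office 365 Plan 1 or 2.
Connect-ExchangeOnline
$domain = "contoso.com"

# Safe Attachments: detonate attachments before delivery. "Block" stops the whole
# message; "Replace" delivers the body without the attachment and "DynamicDelivery"
# delivers a placeholder while scanning, both of which are weaker choices.
New-SafeAttachmentPolicy -Name "EXAMPLE Safe Attachments" -Enable $true -Action Block
New-SafeAttachmentRule   -Name "EXAMPLE Safe Attachments rule" `
    -SafeAttachmentPolicy "EXAMPLE Safe Attachments" -RecipientDomainIs $domain

# Safe Links: rewrite and scan URLs at click time in email, Teams and Office apps.
# AllowClickThrough $false removes the "continue anyway" button on the warning page;
# EnableForInternalSenders matters because compromised internal accounts send phish too.
New-SafeLinksPolicy -Name "EXAMPLE Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "EXAMPLE Safe Links rule" `
    -SafeLinksPolicy "EXAMPLE Safe Links" -RecipientDomainIs $domain

# Verify what is actually in force, not what you think you configured.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeLinksPolicy      | Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams,
                                         ScanUrls, AllowClickThrough
```

When several Safe Links rules apply to one recipient the one with the lowest Priority wins, so after adding a custom rule check Get-SafeLinksRule to be sure it is not being shadowed by an older, weaker one.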
6. Set Up Alerts for Suspicious Activity
Create alerts for critical events:
- Multiple failed sign-in attempts against one account
- Sign-ins from unusual locations
- Privilege escalation (a user added to an admin role)
- Mass file downloads
Navigate to: Microsoft Defender portal (security.microsoft.com) > Policies & rules > Alert policy. (The older Security & Compliance Center that used to host this page has been retired.) Several built-in policies already cover the basics; review those and make sure none is disabled before adding custom ones. "Unusual location" detection comes from Entra ID Protection's risk detections (atypical travel, unfamiliar sign-in properties) rather than from a custom activity alert, so if you hold Entra ID P2, pair the alert policies with a sign-in-risk Conditional Access policy.
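Two of the custom alert policies above, privilege escalation and mass downloads, created with Security & Compliance PowerShell, plus a listing that shows which built-in policies are currently disabled. This is an added example, not code from the original page; the policy names, the notification mailbox and the 100-files-per-hour threshold are placeholders to tune for your tenant, and it assumes the ExchangeOnlineManagement module (Connect-IPPSSession opens the compliance endpoint that hosts the alert cmdlets).

```powershell
# Added example (not from the original page): define custom alert policies.
# Placeholders: policy names, soc@contoso.com, the download threshold.
Connect-IPPSSession
$notify = "soc@contoso.com"

# Privilege escalation: fire on every role-membership change. The operation name,
# with its trailing period, is exactly as it appears in the unified audit log.
New-ProtectionAlert -Name "EXAMPLE Admin role membership changed" `
    -Category AccessGovernance -ThreatType Activity -Operation "Add member to role." `
    -AggregationType None -Severity High -NotifyUser $notify `
    -Description "A user was added to a directory role; confirm a change ticket exists"

# Mass download: more than 100 files downloaded by a single user within 60 minutes.
# Thresholds in custom alert policies count matching activities by one user in the window.
New-ProtectionAlert -Name "EXAMPLE Mass file download" `
    -Category ThreatManagement -ThreatType Activity -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser $notify `
    -Description "One user downloaded more than 100 files in an hour; possible exfiltration"

# Built-in and custom policies side by side. Anything with Disabled = True is a gap.
Get-ProtectionAlert |
    Select-Object Name, Category, Severity, Disabled, Operation |
    Sort-Object Disabled, Name |
    Format-Table -AutoSize
```

Test the download alert by having a test user pull a batch of files from a test library; if the alert does not arrive, check that the user is not excluded by a filter and that the notification mailbox is not discarding mail from Microsoft's alert sender.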
7. Review and Restrict External Sharing
OneDrive and SharePoint external sharing is too permissive by default: the tenant ships with "Anyone" links, which work for whoever holds the URL, with no sign-in and no record of who used them.
- Go to the SharePoint admin center
- Select Policies > Sharing
- Set external sharing for SharePoint and OneDrive to "New and existing guests" (or tighter) so every external recipient must sign in; this also disables Anyone links
- Restrict sharing to specific partner domains if possible
- Change the default link type to "People in your organization" so external sharing is a deliberate choice, not the default
- Require guest access to expire (30 days is a common starting point) so forgotten shares close themselves
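The same tenant-wide sharing settings applied with the SharePoint Online Management Shell, recording the previous state first so the change can be reverted. This is an added example, not code from the original page; "contoso" and "partner.example" are placeholders, and it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator account.

```powershell
# Added example (not from the original page): restrict SharePoint/OneDrive external sharing.
# Placeholders: contoso (tenant name), partner.example (allowed guest domain).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current settings before changing anything, so the change is reversible.
$before = Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, SharingDomainRestrictionMode,
    SharingAllowedDomainList, PreventExternalUsersFromResharing,
    ExternalUserExpirationRequired, ExternalUserExpireInDays
$before | Format-List

$sharing = @{
    SharingCapability                 = 'ExternalUserSharingOnly'   # guests must sign in; no "Anyone" links
    OneDriveSharingCapability         = 'ExternalUserSharingOnly'   # OneDrive can be tighter than SharePoint, never looser
    SharingDomainRestrictionMode      = 'AllowList'                 # only the listed domains can be invited
    SharingAllowedDomainList          = 'partner.example'
    DefaultSharingLinkType            = 'Internal'                  # new links default to "people in your organization"
    DefaultLinkPermission             = 'View'                      # and to read-only
    PreventExternalUsersFromResharing = $true                       # guests cannot forward access to others
    ExternalUserExpirationRequired    = $true                       # forgotten shares close themselves
    ExternalUserExpireInDays          = 30
}
Set-SPOTenant @sharing

# Sites keep their own sharing setting; the tenant value caps it but the stored value
# remains, so list any site still configured for Anyone links and fix those explicitly.
Get-SPOSite -Limit All |
    Where-Object SharingCapability -eq 'ExternalUserAndGuestSharing' |
    Select-Object Url, SharingCapability
```

Tightening SharingCapability does not revoke links that already exist. To find them, run a content search or the SharePoint "Anyone links" report in the admin center after the change, and remove the ones nobody can justify.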
Regular Security Review Checklist
Security isn't a one-time setup. Review these monthly:
- [ ] Check Secure Score and recommendations
- [ ] Review sign-in logs for anomalies
- [ ] Verify MFA adoption rate
- [ ] Check for stale guest accounts
- [ ] Review admin role assignments
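Four of the five monthly checks scripted against Microsoft Graph so they take minutes rather than an afternoon of portal clicking (sign-in log review stays a human task). This is an added example, not code from the original page; the 90-day staleness cut-off is a placeholder, and it assumes the Microsoft.Graph module, the delegated scopes listed in the script, and an Entra ID P1 licence for the guest sign-in activity data.

```powershell
# Added example (not from the original page): monthly review with the Microsoft Graph
# PowerShell SDK. Placeholder: the 90-day cut-off. SignInActivity needs Entra ID P1.
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "AuditLog.Read.All", "User.Read.All",
    "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

# 1. Secure Score: latest snapshot against the maximum available for your licences.
$score = Get-MgSecuritySecureScore -Top 1
"Secure Score: {0} / {1}" -f $score.CurrentScore, $score.MaxScore

# 2. MFA adoption: who has registered nothing, with admins flagged.
$reg   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = @($reg | Where-Object { -not $_.IsMfaRegistered })
"MFA registered: {0} of {1} users" -f ($reg.Count - $noMfa.Count), $reg.Count
$noMfa | Select-Object UserPrincipalName, IsAdmin | Sort-Object IsAdmin -Descending

# 3. Stale guests: no sign-in in 90 days, or never signed in and invited over 90 days ago.
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, UserPrincipalName, CreatedDateTime, SignInActivity |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        (-not $last -and $_.CreatedDateTime -lt $cutoff) -or ($last -and $last -lt $cutoff)
    } |
    Select-Object UserPrincipalName, CreatedDateTime,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }

# 4. Admin role assignments: every member of every activated directory role.
Get-MgDirectoryRole -All | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        $p = $_.AdditionalProperties
        $member = if ($p.userPrincipalName) { $p.userPrincipalName } else { $p.displayName }
        [pscustomobject]@{ Role = $role.DisplayName; Member = $member; Type = $p.'@odata.type' }
    }
} | Sort-Object Role, Member | Format-Table -AutoSize
```

The role listing covers standing (active) assignments only; if you use Privileged Identity Management, eligible assignments live in Get-MgRoleManagementDirectoryRoleEligibilitySchedule and should be reviewed the same way. Compare the role output month to month; a new Global Administrator nobody can account for is the single most important thing this script can surface.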
Get Help With Your Security Configuration
Proper Microsoft 365 security configuration can feel overwhelming. Our team specializes in helping businesses secure their Microsoft environment. Contact us for a security assessment.
