Sequentur Blog
Microsoft 365 Security Hardening for Small Business
Microsoft 365 is the backbone of most small businesses. Email, file storage, Teams, SharePoint, identity management: it all runs through M365. The problem is that the default configuration is designed for ease of use, not security. Microsoft ships settings that prioritize getting users up and running quickly, which means many of the most important security controls are either turned off or set to their most permissive option out of the box. Hardening your M365 tenant does not require new products or a large budget. It requires going through the admin center and changing settings that should have been different from the start.
This guide covers the highest-impact security changes you can make to your Microsoft 365 environment. If you have an IT team or provider managing your tenant, send them this list. If you are managing it yourself and are new to the admin center, start with that orientation guide first, then come back here for security hardening. If you just finished an email migration to M365 from Exchange or Google Workspace, the day after cutover is the right time to apply this baseline – see how to migrate email to Microsoft 365 from an old Exchange server or Gmail for why post-migration is the cleanest moment to lock down a fresh tenant. If migration is still in progress, the security work to do during the cutover window itself is covered in how to keep your data safe during a cloud migration – migration credentials, parallel environments, and the destination audit that closes the project.
Enforce Multi-Factor Authentication for Every Account
This is the single most impactful change you can make and it should be done before anything else on this list. Every user account, every admin account, and every service account that supports it should require MFA.
In the Microsoft Entra admin center (formerly Azure AD), go to Protection > Authentication methods and make sure Microsoft Authenticator is enabled for all users. Then go to Protection > Conditional Access and create a policy that requires MFA for all users on all cloud apps. If you are on a Business Premium or higher license, conditional access policies are the right way to enforce this. If you are on Business Basic or Standard, you can use security defaults as a simpler alternative, though it gives you less control.
Do not rely on per-user MFA settings in the legacy MFA portal. That method is being phased out and does not integrate with conditional access. Use conditional access policies or security defaults instead.
Make sure number matching is enabled for push notifications. This prevents MFA fatigue attacks where an attacker bombards a user with push notifications until they accidentally approve one. Number matching requires the user to enter a displayed number into their authenticator app, which makes blind approval impossible.
Block Legacy Authentication Protocols
Legacy authentication protocols, including POP3, IMAP, SMTP AUTH, and older versions of Exchange ActiveSync, do not support MFA. An attacker with stolen credentials can bypass your MFA enforcement entirely by authenticating through a legacy protocol. This is one of the most commonly exploited gaps in M365 environments.
In the Entra admin center, create a conditional access policy that blocks legacy authentication for all users on all cloud apps. Microsoft has been gradually disabling basic authentication across Exchange Online, but some legacy protocols may still be accessible depending on when your tenant was created and how it has been configured.
After enabling the block, monitor sign-in logs for a few weeks to catch any legitimate services that were relying on legacy auth. Some older printers, scanners, or line-of-business applications may need to be reconfigured to use modern authentication. It is better to identify and fix these than to leave a hole in your MFA enforcement.
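The sign-in log review above is easier with a script than with the portal filters. The following is an added example (not from this article) that triages a JSON export of the Entra sign-in log, using the Graph signIn field names (userPrincipalName, clientAppUsed, appDisplayName, ipAddress, status.errorCode); the sample records are constructed.

```python
"""Triage exported Entra sign-in records for legacy authentication.

Added example, not from the original article. It assumes a JSON export of the
Entra sign-in log (Graph signIn resource fields: userPrincipalName, clientAppUsed,
appDisplayName, ipAddress, status.errorCode). The records below are constructed.
"""
import json
from collections import defaultdict

# clientAppUsed values that represent modern authentication in the sign-in log.
# Everything else (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, MAPI,
# "Other clients", ...) is a legacy protocol that cannot satisfy an MFA requirement.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = json.dumps([  # constructed sample export
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:05:40Z", "userPrincipalName": "scanner@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "192.0.2.25", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T09:15:02Z", "userPrincipalName": "scanner@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "192.0.2.25", "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T11:47:19Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},  # non-zero = failed sign-in
    {"createdDateTime": "2024-05-02T07:30:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
])


def is_legacy(record):
    """True when the sign-in used a protocol that bypasses MFA."""
    return record.get("clientAppUsed") not in MODERN_CLIENTS


def legacy_auth_report(signins_json):
    """Map (user, protocol, source IP) -> success/failure counts for legacy sign-ins only."""
    report = defaultdict(lambda: {"successes": 0, "failures": 0})
    for rec in json.loads(signins_json):
        if not is_legacy(rec):
            continue
        key = (rec["userPrincipalName"], rec["clientAppUsed"], rec.get("ipAddress", "?"))
        succeeded = rec.get("status", {}).get("errorCode", -1) == 0
        report[key]["successes" if succeeded else "failures"] += 1
    return dict(report)


def remediation_list(signins_json):
    """Sources that must be reconfigured before the block is enforced:
    legacy protocol AND the sign-in actually succeeded (a working device or app)."""
    return sorted(key for key, counts in legacy_auth_report(signins_json).items()
                  if counts["successes"] > 0)


if __name__ == "__main__":
    for (user, proto, ip), counts in legacy_auth_report(SAMPLE_SIGNINS).items():
        print(f"{user:<22} {proto:<20} {ip:<15} ok={counts['successes']} failed={counts['failures']}")
    print("reconfigure before enforcing:", remediation_list(SAMPLE_SIGNINS))
```

Successful legacy sign-ins (the scanner account here) are the devices and applications to move to modern authentication before the policy goes from report-only to enabled. Failed legacy sign-ins for a user who never uses IMAP are worth a look too: password guessing against legacy protocols shows up in exactly this column, and blocking the protocol removes that surface.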
Set Up Conditional Access Policies
If you are on a Business Premium, E3, or E5 license, conditional access is your most powerful security tool in M365. It lets you define rules for when and how users can access your tenant. For the complete step-by-step setup of every recommended policy including report-only testing and break-glass accounts, see How to configure conditional access in Microsoft 365. Beyond the MFA and legacy auth policies mentioned above, consider these additional policies:
Block sign-ins from countries you do not operate in. If your entire team is in the United States, there is no reason to allow logins from other regions. Create a named location in Entra that includes your operating countries, then create a conditional access policy that blocks access from all other locations. This stops the majority of credential stuffing attacks, which overwhelmingly originate from outside your operating geography.
Require compliant or domain-joined devices for access. If you manage devices through Intune, you can require that only compliant, managed devices can access M365 resources. This prevents an attacker from using stolen credentials on their own machine, even if they have a valid password and pass MFA. The session token is bound to a device that must meet your compliance policies.
Enforce sign-in frequency. By default, M365 sessions can persist for extended periods. Reducing the sign-in frequency for sensitive applications like the admin center or SharePoint forces re-authentication more often, which limits the usefulness of stolen session tokens.
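To check that the MFA and legacy-authentication policies from the earlier sections are actually in place and enforced, a small linter over the tenant's conditional access policies is useful. This is an added example, not code from the article or from Microsoft: it expects policies in the shape Microsoft Graph returns from /identity/conditionalAccess/policies (the field names and enum values such as enabledForReportingButNotEnforced, clientAppTypes and builtInControls are Graph's), and the three sample policies are constructed.

```python
"""Lint conditional access policies against the baseline described in this article.

Added example, not from the original article. Input is the Graph
conditionalAccessPolicy shape (state, conditions.users, conditions.applications,
conditions.clientAppTypes, grantControls.builtInControls). Sample policies are constructed.
"""

MODERN = {"browser", "mobileAppsAndDesktopClients"}
LEGACY = {"exchangeActiveSync", "other"}   # "other" is what Graph calls legacy clients

SAMPLE_POLICIES = [  # constructed sample tenant: one policy is still in report-only mode
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["breakglass-group-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["finance-group-id"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]


def _covers_everyone(policy):
    c = policy["conditions"]
    return ("All" in c["users"].get("includeUsers", [])
            and "All" in c["applications"].get("includeApplications", []))


def _client_types(policy):
    types = set(policy["conditions"].get("clientAppTypes", ["all"]))
    return MODERN | LEGACY if "all" in types else types


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def lint(policies):
    """Return a list of findings; an empty list means the baseline is met."""
    findings = []
    for p in policies:
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"report-only (not enforced): {p['displayName']}")
    enabled = [p for p in policies if p["state"] == "enabled"]

    # 1. An enforced policy that requires MFA for all users on all cloud apps.
    mfa = [p for p in enabled if _covers_everyone(p) and "mfa" in _controls(p)
           and MODERN <= _client_types(p)]
    if not mfa:
        findings.append("no enabled policy requires MFA for all users on all cloud apps")
    for p in mfa:  # an all-users MFA policy with no exclusion can lock out the last admin
        users = p["conditions"]["users"]
        if not (users.get("excludeUsers") or users.get("excludeGroups")):
            findings.append(f"no break-glass exclusion on: {p['displayName']}")

    # 2. An enforced policy that blocks both legacy client types for everyone.
    block = [p for p in enabled if _covers_everyone(p) and _controls(p) == {"block"}
             and LEGACY <= _client_types(p)]
    if not block:
        findings.append("no enabled policy blocks legacy authentication (exchangeActiveSync + other)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICIES) or ["baseline met"]:
        print("-", finding)
```

Run it against the policies you export after each change; a report-only policy counts as a finding on purpose, because report-only is a test phase, not enforcement, and it is easy to forget to switch it on after the monitoring period.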
Separate Admin Accounts from Daily-Use Accounts
This is one of the most overlooked settings in small business M365 tenants. The person who manages your M365 environment should not be using their Global Admin account to read email and join Teams meetings. If that account gets phished, the attacker has full control of your entire tenant.
Create dedicated admin accounts that are only used for administrative tasks. These accounts should have strong, unique passwords, require MFA with a hardware key if possible, and should not have a mailbox or M365 license assigned. The admin logs in with this account only when performing admin tasks in the admin center, and uses their regular user account for daily work.
At minimum, review who has Global Administrator, Exchange Administrator, and SharePoint Administrator roles. Most tenants have far more Global Admins than they need. Reduce the number to two or three at most, and use role-specific admin roles for everyone else. The principle of least privilege applies here: give people only the permissions they need for their specific responsibilities.
Configure Microsoft Defender Settings
Microsoft 365 includes security features through Defender, but the specific capabilities depend on your license tier.
Defender for Office 365 (included in Business Premium, available as an add-on for other plans) provides advanced email protection including Safe Links, Safe Attachments, and anti-phishing policies. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies and configure:
- Safe Links: enable for all users, set to check URLs at time of click (not just time of delivery), and enable for internal emails as well
- Safe Attachments: enable for all users, set to Dynamic Delivery so users get the email immediately while attachments are scanned in the background
- Anti-phishing: enable mailbox intelligence, spoof intelligence, and impersonation protection for your executives and high-value targets
Defender for Business (also in Business Premium) extends protection to endpoints. If your devices are enrolled in Intune, Defender for Business provides EDR-like capabilities including threat detection, automated investigation, and device isolation. This is significantly more protection than the basic Windows Defender antivirus that comes with Windows, and it is included in your license.
If you are on Business Basic or Standard and do not have Defender for Office 365, you are relying on Exchange Online Protection (EOP) only. EOP provides basic anti-malware and anti-spam filtering but lacks the advanced phishing protection and URL/attachment scanning. Our Microsoft 365 licensing guide breaks down exactly what each plan includes and when the upgrade to Business Premium is justified by the security features alone.
Enable and Review Audit Logging
Audit logging in M365 records who did what, when, and from where across your tenant. This data is essential for investigating security incidents and for meeting compliance requirements. In most tenants, audit logging is enabled by default, but it is worth verifying.
In the Microsoft Purview compliance portal, go to Audit and confirm that recording is active. Standard audit logs are retained for 180 days on E5 and Business Premium licenses, and 90 days on lower tiers. If you are in a regulated industry that requires longer retention, you may need to export logs to external storage or upgrade to a plan with longer retention.
Beyond just enabling logging, set up alert policies for critical events. Go to Microsoft 365 Defender > Policies & rules > Alert policy and review the default alerts. Make sure you have alerts configured for:
- New inbox forwarding rules created (a common indicator of email compromise)
- Admin role changes
- Mass file downloads from SharePoint or OneDrive
- Mailbox permission changes
- eDiscovery searches initiated by non-admin users
These alerts are your early warning system. Without them, you are relying on someone manually checking logs to discover that something has gone wrong.
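The built-in alert policies cover these conditions, but it helps to understand what they key on, and to be able to re-run the same checks over an exported audit log during an investigation. The following is an added example, not code from the article or from Microsoft. The record shape follows the AuditData JSON in unified audit log exports (Operation, UserId, Workload, Parameters, ModifiedProperties, ObjectId); the records are constructed, and the tenant domain list and download threshold are assumptions to replace with your own.

```python
"""Evaluate the article's alert conditions over unified audit log records.

Added example, not part of the original article. Record fields follow the
unified audit log AuditData JSON; all records below are constructed. The
tenant domains, the download threshold and the use of ObjectId as the
role-change target are assumptions.
"""
import re
from collections import Counter

TENANT_DOMAINS = {"example.com"}     # assumption: your accepted domains
MASS_DOWNLOAD_THRESHOLD = 50         # assumption: files per user in the exported window
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
ROLE_OPS = ("Add member to role.", "Remove member from role.")
MAILBOX_PERMISSION_OPS = ("Add-MailboxPermission", "Add-RecipientPermission")

SAMPLE_RECORDS = [  # constructed sample records
    {"CreationTime": "2024-05-03T13:01:09", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "alice@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "attacker-mailbox@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-03T13:05:00", "Operation": "New-InboxRule", "Workload": "Exchange",
     "UserId": "bob@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2024-05-03T14:20:31", "Operation": "Add member to role.",
     "Workload": "AzureActiveDirectory", "UserId": "admin-alice@example.com",
     "ObjectId": "bob@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"CreationTime": "2024-05-03T15:00:00", "Operation": "Add-MailboxPermission",
     "Workload": "Exchange", "UserId": "admin-alice@example.com",
     "Parameters": [{"Name": "Identity", "Value": "ceo@example.com"},
                    {"Name": "User", "Value": "bob@example.com"},
                    {"Name": "AccessRights", "Value": "FullAccess"}]},
] + [{"CreationTime": f"2024-05-03T16:{i:02d}:00", "Operation": "FileDownloaded",
      "Workload": "OneDrive", "UserId": "carol@example.com", "ObjectId": f"doc{i}.docx"}
     for i in range(60)]


def _params(rec):
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def inbox_rule_alerts(records):
    """Rules that forward, redirect or silently delete mail; external targets are flagged."""
    out = []
    for r in records:
        if r["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = _params(r)
        targets = [addr for key in FORWARDING_PARAMS if key in p
                   for addr in re.findall(r"[\w.+-]+@[\w.-]+", p[key])]
        deletes = p.get("DeleteMessage") == "True"
        if not targets and not deletes:
            continue  # ordinary folder rule, not an alert
        external = any(a.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS for a in targets)
        out.append({"user": r["UserId"], "rule": p.get("Name"), "targets": targets,
                    "external": external, "deletes": deletes, "ip": r.get("ClientIP")})
    return out


def role_change_alerts(records):
    return [{"actor": r["UserId"], "target": r.get("ObjectId"),
             "role": next((m.get("NewValue") for m in r.get("ModifiedProperties", [])
                           if m.get("Name") == "Role.DisplayName"), None)}
            for r in records if r["Operation"] in ROLE_OPS]


def mailbox_permission_alerts(records):
    return [{"actor": r["UserId"], **{k: _params(r).get(k) for k in ("Identity", "User", "AccessRights")}}
            for r in records if r["Operation"] in MAILBOX_PERMISSION_OPS]


def mass_download_alerts(records, threshold=MASS_DOWNLOAD_THRESHOLD):
    counts = Counter(r["UserId"] for r in records if r["Operation"] == "FileDownloaded")
    return {user: n for user, n in counts.items() if n >= threshold}


def run_alerts(records):
    return {"inbox_rules": inbox_rule_alerts(records), "role_changes": role_change_alerts(records),
            "mailbox_permissions": mailbox_permission_alerts(records),
            "mass_downloads": mass_download_alerts(records)}


if __name__ == "__main__":
    for name, hits in run_alerts(SAMPLE_RECORDS).items():
        print(f"{name}: {hits}")
```

The inbox rule case is the one to internalize: a rule named with a single character, forwarding to an outside domain and deleting the original, is the classic post-compromise pattern, and the alert should carry the source IP so you can compare it with the user's normal sign-in locations.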
Lock Down External Sharing
SharePoint and OneDrive external sharing is often left wide open in small business tenants. By default, users can share files and folders with anyone, including through anonymous links that do not require authentication. This creates a data leak risk that most businesses do not realize they have.
In the SharePoint admin center, go to Policies > Sharing and review your settings. For most small businesses, the appropriate setting is “New and existing guests,” which requires external recipients to authenticate before accessing shared content. Disable anonymous sharing links unless you have a specific, documented business need for them. For the full guest access configuration including Entra policies, guest lifecycle management, and automated access reviews, see Microsoft 365 guest access: how to collaborate securely.
Also review Teams external access settings. By default, Teams may allow communication with external organizations and unmanaged accounts. In the Teams admin center, go to External access and configure it to allow communication only with specific trusted domains rather than all external organizations. For a complete walkthrough of Teams settings including guest access, app permissions, and team creation restrictions, see How to set up Microsoft Teams for a small business.
Configure Email Authentication (SPF, DKIM, DMARC)
Email authentication protects your domain from being spoofed in phishing attacks sent to your customers, partners, and vendors. If an attacker sends a phishing email that appears to come from your domain and you do not have proper email authentication, the recipient’s mail server has no way to verify whether the email is legitimate.
SPF (Sender Policy Framework) defines which mail servers are authorized to send email on behalf of your domain. Microsoft provides the SPF record you need, and it is configured as a TXT record in your domain’s DNS.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound emails that receiving servers can verify. Enable DKIM in the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Threat policies > DKIM.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving servers what to do when an email fails SPF or DKIM checks. Start with a monitoring policy (p=none) to collect reports, then move to quarantine and eventually reject as you confirm your legitimate email sources are properly authenticated.
All three work together. SPF without DKIM leaves gaps. Either without DMARC means spoofed emails may still be delivered even when checks fail. Implementing all three is the standard for any business that takes email security seriously.
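To make the interplay concrete, here is an added example (not from the article) that parses an SPF and a DMARC TXT record and then evaluates DMARC the way a receiving server does: pass if either SPF or DKIM passes with an aligned domain, otherwise apply the published policy. The two records are constructed for example.com so it runs offline; paste in your own domain's TXT records to check them. spf.protection.outlook.com is Microsoft 365's published SPF include. The relaxed-alignment test is a simplified parent-domain match (real receivers use the Public Suffix List), and the pct tag is parsed but not applied.

```python
"""Parse SPF/DMARC records and evaluate DMARC like a receiver.

Added example, not from the original article. Records are constructed for
example.com. Relaxed alignment is approximated as a parent/child domain match.
"""
import re

M365_SPF_INCLUDE = "spf.protection.outlook.com"
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # count toward the 10-lookup limit

SPF_RECORD = "v=spf1 include:spf.protection.outlook.com include:_spf.example.net ~all"    # constructed
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; adkim=r; aspf=r; pct=100"  # constructed


def _mechanism(term):
    """'include:spf.protection.outlook.com' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def check_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False}
    body = [t.lower() for t in terms[1:]]
    all_term = next((t for t in body if _mechanism(t) == "all"), None)
    return {"valid": True,
            "covers_m365": f"include:{M365_SPF_INCLUDE}" in body,
            "lookups": sum(_mechanism(t) in LOOKUP_MECHANISMS for t in body),  # top-level only; RFC 7208 caps at 10
            "all_qualifier": all_term,   # '-all' hard fail, '~all' soft fail, '+all' or missing = no protection
            "hardfail": all_term == "-all"}


def parse_dmarc(record):
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    for key, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100"), ("sp", tags["p"])):
        tags.setdefault(key, default)   # RFC 7489 defaults: relaxed alignment, sp inherits p
    return tags


def aligned(auth_domain, from_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain (approximated)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def evaluate_dmarc(dmarc, policy_domain, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition): 'none' deliver, 'quarantine' spam folder, 'reject' bounce."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, dmarc["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, dmarc["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = dmarc["p"] if from_domain.lower() == policy_domain.lower() else dmarc["sp"]
    return "fail", policy


if __name__ == "__main__":
    print("SPF:", check_spf(SPF_RECORD))
    d = parse_dmarc(DMARC_RECORD)
    # Spoofed mail: the sender's own SPF passes for their domain, no aligned DKIM signature.
    print("spoof under p=none  :", evaluate_dmarc(d, "example.com", "example.com", "pass", "mail.example.net", "fail", None))
    print("spoof under p=reject:", evaluate_dmarc(dict(d, p="reject"), "example.com", "example.com", "pass", "mail.example.net", "fail", None))
```

Two things the evaluation makes visible: a spoofed message can pass SPF for the attacker's own sending domain and still fail DMARC, because the pass is not aligned with your From domain; and under p=none that failure changes nothing about delivery, which is why the monitoring stage has to end in quarantine or reject. The forwarded-mail case (SPF breaks at the forwarder, the aligned DKIM signature survives) is why DKIM matters even with SPF in place.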
Review App Permissions and Consent Settings
Users in your tenant can grant third-party applications access to their M365 data by clicking “Allow” on an OAuth consent prompt. This is how legitimate apps like Zoom and Slack integrate with M365, but it is also how attackers trick users into granting access to malicious applications that can read email, access files, and send messages on their behalf.
In the Entra admin center, go to Enterprise applications > Consent and permissions and change the user consent settings to restrict what users can approve on their own. At minimum, limit user consent to apps from verified publishers. For tighter control, require admin approval for all third-party app consent requests.
Then review existing app permissions. Go to Enterprise applications and sort by permissions granted. Look for applications you do not recognize, apps with broad permissions like “Read all mail” or “Access all files,” and apps that have not been used recently. Revoke access for anything that is not actively needed.
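Sorting the Enterprise applications list by hand works for a handful of apps; past that, it is worth scoring the consent grants. The following is an added example, not code from the article or from Microsoft. Grant and app records follow the Graph oauth2PermissionGrant and servicePrincipal resources (scope, consentType, principalId, verifiedPublisher); the last_used field is an assumption standing in for whatever usage signal you have (for example the application's sign-in activity), all records are constructed, and the broad-scope list and 90-day cutoff are judgement calls to adjust.

```python
"""Score OAuth consent grants for review: broad scopes, tenant-wide consent,
unverified publisher, and no recent use.

Added example, not from the original article. Records are constructed and follow
the Graph oauth2PermissionGrant / servicePrincipal shapes; `last_used` is assumed.
"""
from datetime import date

# Delegated Graph scopes that give an app the "read all mail / access all files"
# level of access the article warns about. Extend for your own tenant.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All",
                "Directory.Read.All", "Directory.ReadWrite.All", "User.Read.All",
                "EWS.AccessAsUser.All"}
STALE_DAYS = 90  # assumption

SAMPLE_APPS = {  # constructed: service principal id -> details (verifiedPublisher is Graph's field)
    "sp-1": {"displayName": "Zoom", "verifiedPublisher": {"displayName": "Zoom Video Communications"},
             "last_used": "2024-05-01"},
    "sp-2": {"displayName": "PDF Convertor Pro", "verifiedPublisher": {}, "last_used": "2024-01-10"},
    "sp-3": {"displayName": "Team Calendar Sync", "verifiedPublisher": {}, "last_used": "2024-04-28"},
}
SAMPLE_GRANTS = [  # constructed oauth2PermissionGrants; principalId is None for tenant-wide consent
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-alice",
     "scope": "User.Read Calendars.Read"},
    {"clientId": "sp-2", "consentType": "Principal", "principalId": "user-bob",
     "scope": "Mail.ReadWrite Files.ReadWrite.All offline_access"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Calendars.ReadWrite Mail.Send"},
]


def review_grants(grants, apps, today):
    """Return findings sorted highest score first; grants with no concerns are omitted."""
    findings = []
    for g in grants:
        app = apps.get(g["clientId"], {})
        reasons, score = [], 0
        broad = sorted(set(g["scope"].split()) & BROAD_SCOPES)
        if broad:
            reasons.append("broad permissions: " + ", ".join(broad))
            score += 2
        if g["consentType"] == "AllPrincipals":
            reasons.append("tenant-wide consent (applies to every user)")
            score += 2
        if not (app.get("verifiedPublisher") or {}).get("displayName"):
            reasons.append("publisher not verified")
            score += 1
        last = app.get("last_used")
        if last and (today - date.fromisoformat(last)).days > STALE_DAYS:
            reasons.append(f"not used in {STALE_DAYS} days")
            score += 1
        if reasons:
            findings.append({"app": app.get("displayName", g["clientId"]),
                             "granted_for": g["principalId"] or "all users",
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, SAMPLE_APPS, date.today()):
        print(f"[{f['score']}] {f['app']} ({f['granted_for']}): {'; '.join(f['reasons'])}")
```

The ordering is the point: an unverified app with tenant-wide consent and a mail-sending scope outranks a stale personal grant, and anything that appears with no reasons at all (a verified publisher, narrow scopes, recent use) drops out of the list so the review stays short.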
What Comes Next
These changes cover the highest-impact hardening steps for a small business M365 tenant. They are not exhaustive. There are deeper settings around data loss prevention, information barriers, sensitivity labels, and advanced compliance features that may be relevant depending on your industry and data handling requirements. This hardening work is also the prerequisite for safely turning on Copilot for Microsoft 365 – Copilot sees everything the user can see, so overpermissioned users become an internal data exposure problem the moment Copilot is enabled. The full Copilot rollout sequence (product family, SharePoint and OneDrive permission audit, sensitivity labels, training, and the 90-day adoption review) is covered in Microsoft Copilot for small business: what it can do and what to watch out for. If staff are already using consumer AI tools while you wait, you are looking at the broader shadow AI problem that most SMBs have not yet realized they have, and the gap between free Copilot and Copilot for Microsoft 365 is one of the most common shadow AI patterns – the what data are you feeding into AI tools breakdown covers what each tier of Copilot actually does with your data.
If you have worked through this list and want a more thorough assessment of your tenant configuration, our Microsoft 365 security audit checklist can help you verify that nothing was missed.
Sequentur manages Microsoft 365 environments for small and mid-sized businesses, including security hardening, ongoing monitoring, and incident response. If you want help locking down your tenant or want a second set of eyes on your current configuration, you can reach us through our contact page to set up a review.