10 Microsoft 365 Security Settings Every Small Business Should Enable

Microsoft 365 has become the backbone of modern business. 

Email, Teams, OneDrive, SharePoint, calendars, document collaboration, and file sharing all live inside a single cloud platform that allows employees to work from virtually anywhere. 

For many businesses, Microsoft 365 is no longer just an email system. It has become the central hub for communication, collaboration, document storage, and day-to-day operations. 

That convenience also makes it one of the most attractive targets for cybercriminals. 

When attackers gain access to a Microsoft 365 account, they often gain access to much more than email. They may be able to read confidential conversations, download company files, monitor communications, impersonate employees, reset passwords, create forwarding rules, and quietly remain inside an organization for weeks before anyone notices. 

The good news is that Microsoft has invested heavily in security. 

The bad news is that many businesses never take advantage of the protections already available. 

At Network Computer Pros, one of the most common findings during our cybersecurity assessments is not outdated software or missing antivirus. 

Instead, we frequently find Microsoft 365 environments that were installed years ago and never properly secured. 

Many organizations simply accepted the default settings, created user accounts, and assumed everything was protected. 

Unfortunately, default settings are designed to help businesses get started—not necessarily to provide the level of protection most organizations actually need. 

For privately owned businesses with approximately 5 to 100 employees, reviewing Microsoft 365 security settings is one of the most effective ways to reduce cybersecurity risk without purchasing additional hardware or replacing existing systems. 

This guide walks through ten Microsoft 365 security settings every small business should review and enable as part of an ongoing cybersecurity strategy. 

Microsoft 365 Security Is Not a One-Time Project

One of the biggest misconceptions we hear is: 

"We're in Microsoft 365 now, so we're secure." 

Unfortunately, cybersecurity doesn't work that way. 

Your Microsoft 365 environment changes constantly. 

New employees are hired. 

Former employees leave. 

Devices are replaced. 

People begin working remotely. 

New software gets connected. 

Third-party applications are added. 

Permissions change. 

Employees accidentally overshare files. 

Cyber threats evolve. 

Simply configuring Microsoft 365 once and forgetting about it can slowly introduce security gaps over time. 

That is why we encourage businesses to treat Microsoft 365 security as an ongoing process instead of a one-time setup. 

Regular reviews help identify problems before they become incidents. 

Click to learn more about our Managed IT Services

1. Enable Multi-Factor Authentication (MFA) for Every User

If there is one security setting every business should prioritize, it is Multi-Factor Authentication. 

Passwords alone are no longer enough. 

Even strong passwords can be stolen through: 

    • Phishing emails  
    • Fake Microsoft login pages  
    • Password reuse  
    • Malware  
    • Browser credential theft  
    • Data breaches  
    • Social engineering  

Once an attacker has a user's password, logging into Microsoft 365 becomes easy unless another layer of protection exists. 

Multi-Factor Authentication requires users to verify their identity using something besides their password. 

Examples include: 

    • Microsoft Authenticator  
    • Authentication apps  
    • Hardware security keys  
    • Phone verification  
    • Passkeys  

This additional verification dramatically reduces unauthorized account access. 

One Mistake We Frequently Find 

During Microsoft 365 assessments, we often see MFA enabled only for administrator accounts. 

While protecting administrators is important, attackers frequently target standard employee accounts first because they tend to have weaker security. 

Once inside a standard mailbox, attackers may: 

    • Read confidential emails  
    • Monitor conversations  
    • Send fraudulent payment requests  
    • Create forwarding rules  
    • Launch Business Email Compromise attacks  
    • Attempt privilege escalation  

Protecting every user—not just administrators—greatly reduces these risks. 

Practical Recommendation 

Every employee should use Multi-Factor Authentication unless there is a documented technical reason not to. 

The slight inconvenience of approving a login is significantly less disruptive than recovering from a compromised Microsoft 365 account. 

Click to learn about:

Cybersecurity Services 

Business Email Compromise Scams Every Small Business Should Recognize 

2. Disable Legacy Authentication

Legacy authentication refers to older login methods that were designed long before today's cybersecurity threats. 

Protocols such as POP, IMAP, and older versions of SMTP authentication may still exist in some Microsoft 365 environments. 

The problem? 

Many of these older protocols do not support modern authentication methods like Multi-Factor Authentication. 

That means an attacker who steals a username and password may still be able to access a mailbox through one of these older protocols—even if MFA has been enabled elsewhere. 

Why Does This Happen? 

Often, no one intentionally enables legacy authentication. 

Instead, it remains active because: 

    • the organization migrated from older email systems  
    • legacy devices were never retired  
    • old software still depends on outdated protocols  
    • default configurations were never reviewed  

In many businesses, no one even realizes these protocols are still active. 

Should Every Business Disable Legacy Authentication? 

In most cases, yes. 

However, some older applications, scanners, printers, or specialized software may still depend on these protocols. 

Before disabling them, your IT provider should verify that no business-critical systems rely on them. 

For most organizations, eliminating legacy authentication significantly reduces the attack surface available to cybercriminals.

3. Limit the Number of Global Administrator Accounts

Administrator accounts deserve special attention. 

Global Administrators have the highest level of access inside Microsoft 365. 

A compromised administrator account can potentially: 

    • create new users  
    • delete accounts  
    • change permissions  
    • disable security settings  
    • access company data  
    • modify email settings  
    • create additional administrators  

Because these accounts are so powerful, they should be treated differently than everyday employee accounts. 

Best Practices 

We generally recommend: 

    • Keeping the number of Global Administrators as low as practical.  
    • Using separate administrator accounts instead of using daily email accounts for administrative work.  
    • Protecting administrator accounts with strong MFA.  
    • Reviewing privileged accounts regularly.  
    • Removing administrator access when it is no longer needed.  

Avoid Shared Administrator Accounts 

Shared administrator accounts may seem convenient, but they reduce accountability. 

If multiple people use the same account, it becomes much harder to determine: 

  • who changed a setting  
  • who approved an action  
  • who created a user  
  • who modified permissions  

Individual administrator accounts provide better visibility and stronger security.

4. Configure Conditional Access Policies

Multi-Factor Authentication is one of the strongest security features available, but Conditional Access takes protection even further. 

Think of Multi-Factor Authentication as checking someone's ID before letting them into the building. 

Conditional Access decides whether they should be allowed in at all. 

Instead of treating every login the same, Conditional Access evaluates factors such as: 

    • Where the user is logging in from  
    • Whether the device is trusted  
    • The application's sensitivity  
    • The user's role  
    • Sign-in risk  
    • Device compliance  
    • Geographic location  

Based on those conditions, Microsoft 365 can: 

    • Allow access  
    • Require Multi-Factor Authentication  
    • Block the login completely  
    • Restrict access to certain applications  
    • Require a compliant company-managed device  

For many businesses, Conditional Access provides one of the biggest improvements in Microsoft 365 security. 

Why It Matters 

Imagine one of your employees normally signs in from Nashville every weekday. 

Suddenly, Microsoft detects a login attempt from Eastern Europe at 3:00 AM. 

Without Conditional Access: 

The attacker may simply receive the normal login prompt. 

With Conditional Access: 

The login can automatically be blocked before the attacker ever reaches the mailbox. 

That single policy may prevent a major cybersecurity incident. 

Start Simple 

Many business owners assume Conditional Access is only for large enterprises. 

It isn't. 

Even basic policies can provide tremendous value. 

Examples include: 

    • Require MFA outside the office  
    • Block sign-ins from countries where your business doesn't operate  
    • Require compliant devices for administrator accounts  
    • Block legacy authentication  
    • Require stronger authentication for financial applications  

The goal isn't to create dozens of complicated rules. 

The goal is to reduce unnecessary risk while keeping employees productive. 

Don't Turn Everything On at Once 

One mistake we occasionally see is businesses enabling every Conditional Access policy they can find. 

That often creates frustration. 

Employees suddenly cannot access email. 

Applications stop working. 

Mobile devices require unexpected setup. 

Instead, Conditional Access should be implemented carefully. 

Review. 

Test. 

Document. 

Deploy. 

That approach avoids unnecessary disruption. 

Click to learn more about our: 

Cybersecurity Services

Managed IT Services 

5. Strengthen Your Email Security

Email continues to be the number one entry point for cyberattacks. 

Not because email is insecure. 

Because people trust email. 

Every day employees receive: 

    • invoices  
    • contracts  
    • resumes  
    • purchase orders  
    • wire instructions  
    • vendor communication  
    • client requests  
    • shipping notifications  

Attackers know this. 

Rather than attacking firewalls, they attack people. 

They create convincing emails designed to look legitimate. 

Sometimes they're fake. 

Sometimes they're sent from compromised Microsoft 365 accounts belonging to real businesses. 

Either way, one successful email attack can lead to: 

    • stolen credentials  
    • ransomware  
    • fraudulent payments  
    • client data exposure  
    • Microsoft 365 compromise  

Microsoft 365 Includes Powerful Email Security Tools 

Many businesses never realize these protections exist. 

Depending on licensing, Microsoft 365 can provide: 

    • Anti-phishing policies  
    • Safe Links  
    • Safe Attachments  
    • Impersonation detection  
    • Malware filtering  
    • Spam protection  
    • Quarantine management  
    • Threat intelligence  

These features work together to identify suspicious emails before employees ever see them. 

Don't Forget SPF, DKIM and DMARC 

One of the most overlooked parts of Microsoft 365 security isn't inside Microsoft 365 at all. 

It's your domain. 

SPF 

DKIM 

DMARC 

These email authentication technologies help receiving mail servers verify that messages claiming to come from your company are actually legitimate. 

Without them: 

Attackers have a much easier time spoofing your domain. 

That increases the likelihood of Business Email Compromise attacks. 

Configuring these records properly improves both security and email deliverability. 

Technology Alone Isn't Enough 

Even the best email security cannot stop every attack. 

Cybercriminals constantly adapt. 

Some attacks contain: 

No malware. 

No suspicious links. 

No attachments. 

Only words. 

These are often the most dangerous. 

That's why employee awareness remains an essential part of Microsoft 365 security. 

Employees should feel comfortable slowing down and verifying unusual requests. 

Especially when money, passwords, payroll or sensitive documents are involved. 

Click to learn more about:

Business Email Compromise Scams Every Small Business Should Recognize

Security Assessment & Employee Training

6. Review OneDrive and SharePoint Sharing Permissions

Microsoft 365 makes collaboration incredibly easy. 

Sometimes... 

Too easy. 

Employees can often share files with: 

Coworkers. 

Clients. 

Vendors. 

Outside consultants. 

Temporary contractors. 

While collaboration improves productivity, excessive sharing creates unnecessary risk. 

One of the Most Common Assessment Findings 

During Microsoft 365 reviews, we frequently discover files that have been shared far more broadly than intended. 

Examples include: 

Entire folders shared externally. 

Old vendor access still active. 

Anonymous sharing links. 

Former employees still having access. 

Departments with permissions they no longer need. 

None of these situations were intentional. 

They simply accumulated over time. 

Follow the Principle of Least Privilege 

A simple rule improves security dramatically. 

Employees should only have access to the information they actually need. 

Not every employee needs: 

HR files. 

Accounting records. 

Executive documents. 

Vendor contracts. 

Client financial information. 

Role-based permissions reduce both accidental exposure and intentional misuse. 

Review External Sharing Regularly 

External collaboration is valuable. 

But it shouldn't become permanent by accident. 

Questions worth asking include: 

    • Who outside the company has access?  
    • Are those links still needed?  
    • Are anonymous links allowed?  
    • Has access been reviewed recently?  
    • Are sensitive libraries protected differently?  

Many organizations are surprised by how much information is still available years after projects have ended. 

Click to learn more about our:

Managed IT Services

Help Desk Support

7. Monitor Sign-In Activity Regularly

One of Microsoft's most valuable security features costs nothing. 

Visibility. 

Microsoft 365 records an incredible amount of sign-in information. 

Yet many businesses never look at it. 

Those logs may reveal: 

Repeated password attacks. 

Impossible travel. 

Unknown countries. 

Suspicious administrator activity. 

Blocked logins. 

New devices. 

Unusual application access. 

Risky sign-ins. 

Often, these warning signs appear long before a full cybersecurity incident occurs. 

Look for Patterns 

One failed login isn't necessarily a problem. 

Hundreds of failed logins every hour deserve attention. 

Likewise: 

An employee logging in from Miami at 9:00 AM and London fifteen minutes later probably isn't traveling that quickly. 

Microsoft identifies many of these situations automatically. 

Someone still needs to review them. 

Administrator Activity Deserves Extra Attention 

Changes involving: 

Security settings. 

Mailbox permissions. 

Forwarding rules. 

Global Administrators. 

Conditional Access. 

Authentication methods. 

Licensing. 

...should all be reviewed carefully. 

Unexpected changes may indicate either human error or unauthorized activity. 

Monitoring Is More Than Alerts 

Many businesses assume monitoring means waiting for Microsoft to send an alert. 

Good monitoring is proactive. 

Someone should regularly review: 

User activity. 

Failed logins. 

Risk events. 

Administrator changes. 

Mailbox forwarding. 

Security recommendations. 

Waiting until employees report suspicious emails often means the attacker has already been inside the environment. 

Click to learn more about our:

Cybersecurity Services

Help Desk Support

Managed IT Services

8. Standardize Employee Onboarding and Offboarding

Most businesses think about cybersecurity in terms of firewalls, antivirus software, and hackers. 

In reality, one of the biggest security risks is much more ordinary: 

Employee account management. 

Every time someone joins or leaves your company, your Microsoft 365 environment changes. 

If those changes aren't handled consistently, security gaps begin to appear. 

New Employees Need More Than an Email Address 

Creating a Microsoft 365 account is only one step in the onboarding process. 

A new employee may also need: 

    • Multi-Factor Authentication enrollment  
    • Microsoft 365 licensing  
    • Group membership  
    • Teams access  
    • OneDrive configuration  
    • SharePoint permissions  
    • Printer access  
    • VPN configuration  
    • Remote access  
    • Device enrollment  
    • Security awareness training  

Without a documented onboarding process, different employees often receive different levels of access. 

Over time, permissions become inconsistent and difficult to manage. 

Offboarding Is Even More Important 

Former employees should never continue accessing company systems. 

Unfortunately, during cybersecurity assessments we occasionally discover: 

    • Active Microsoft 365 accounts for former employees  
    • Shared passwords that were never changed  
    • Active VPN accounts  
    • Mobile devices still connected  
    • Email forwarding rules left behind  
    • OneDrive files that were never transferred  
    • Teams access still active  

None of these situations are intentional. 

They simply happen when no documented process exists. 

Create a Repeatable Checklist 

Every business should have an onboarding and offboarding checklist. 

It should answer questions like: 

    • Who creates new accounts?  
    • Who approves access?  
    • When is MFA enabled?  
    • Who assigns licenses?  
    • How are former accounts disabled?  
    • Who reviews mailbox forwarding?  
    • How are OneDrive files transferred?  
    • How are administrator permissions removed?  

Documenting these processes helps keep Microsoft 365 secure as your business grows. 

Click to learn more about our: 

Help Desk Support

Why Bad Employee Onboarding Creates Cybersecurity and IT Problems Later

Managed IT Services

9. Don't Assume Microsoft 365 Is Fully Backed Up

One of the biggest misconceptions we hear is: 

"Everything is in Microsoft 365, so Microsoft backs it up." 

The reality is more nuanced. 

Microsoft is responsible for keeping its cloud platform available. 

That is different from guaranteeing that every deleted email, Teams message, SharePoint file, or OneDrive document can always be restored exactly how your business expects. 

Recovery expectations vary depending on: 

    • Retention policies  
    • Deleted item settings  
    • Version history  
    • Licensing  
    • Administrative configuration  
    • Business requirements  

For many organizations, that means evaluating whether an additional Microsoft 365 backup solution is appropriate. 

Ask Yourself These Questions 

If an employee accidentally deleted: 

    • six months of email  
    • an important SharePoint library  
    • an entire Teams channel  
    • thousands of OneDrive files  

Could you restore them? 

How long would it take? 

Who would perform the recovery? 

Would everything be restored? 

Many business owners don't know the answers until after an incident occurs. 

Microsoft 365 Backup Should Be Part of Business Continuity 

Backing up Microsoft 365 isn't simply about recovering files. 

It's about keeping the business operating. 

Business continuity planning considers questions like: 

    • How quickly do we need email back?  
    • Which data is most important?  
    • How much downtime can we tolerate?  
    • What happens if ransomware affects Microsoft 365?  
    • What if an employee accidentally deletes critical information?  

Those questions should be answered before an emergency. 

Test Recovery—Don't Just Assume It Works 

Backups that have never been tested provide a false sense of confidence. 

Just because backup jobs complete successfully doesn't necessarily mean recovery will meet your business expectations. 

Periodic testing helps verify: 

    • Restore speed  
    • File integrity  
    • Recovery procedures  
    • Documentation  
    • Staff responsibilities  

Recovery should never be the first time you discover whether your backup strategy works. 

Click to learn more about our: 

Backup & Disaster Recovery

Are Your Tennessee Business Backups Actually Recoverable?

10. Train Employees Continuously

Technology alone will never eliminate cybersecurity risk. 

People remain one of the most important parts of every security program. 

Fortunately... 

They're also one of the strongest defenses when properly trained. 

Cybercriminals Target Employees 

Most modern cyberattacks begin with people. 

Not software. 

Not servers. 

Not firewalls. 

Employees receive emails every day asking them to: 

    • Open documents  
    • Review invoices  
    • Reset passwords  
    • Approve payments  
    • Sign contracts  
    • Download files  
    • Verify login requests  

Attackers simply imitate those normal business activities. 

What Employees Should Learn 

Security awareness training doesn't need to overwhelm employees with technical information. 

Instead, employees should recognize situations that deserve extra attention. 

Topics should include: 

    • Phishing emails  
    • Business Email Compromise  
    • Fake Microsoft login pages  
    • Suspicious MFA requests  
    • Password reuse  
    • Safe file sharing  
    • Wire transfer verification  
    • Vendor payment scams  
    • Social engineering  
    • Reporting suspicious activity  

Small, consistent training sessions are generally more effective than one annual presentation. 

Cybersecurity Culture Matters 

Employees should feel comfortable asking questions. 

If someone pauses before sending a payment... 

Questions an unexpected login... 

Or reports a suspicious email... 

That's a success. 

A strong cybersecurity culture encourages employees to slow down rather than react under pressure. 

The goal isn't perfection. 

The goal is reducing avoidable mistakes. 

Click to learn more about our: 

Security Assessment & Employee Training

Business Email Compromise Scams Every Small Business Should Recognize

Microsoft 365 Security Is an Ongoing Process 

One of the biggest mistakes businesses make is treating Microsoft 365 security like a one-time setup. 

Cyber threats evolve. 

Employees change. 

New applications get installed. 

Devices are replaced. 

Permissions shift. 

Business requirements grow. 

Security should grow with them. 

Regular reviews help identify small issues before they become major problems. 

Even organizations with strong security today should periodically reassess their Microsoft 365 environment. 

Frequently Asked Questions

Is Microsoft 365 secure by default?

Microsoft invests heavily in protecting its platform, but default settings are designed to help businesses get started—not necessarily to provide the highest level of security for every organization. Every business should review its Microsoft 365 configuration based on its users, workflows, and risk tolerance. 

Does every employee really need Multi-Factor Authentication?

For most businesses, yes. 

Cybercriminals rarely target only administrator accounts. Standard user accounts often become the starting point for Business Email Compromise, phishing attacks, and unauthorized access. 

Does Microsoft automatically back up all my business data?

Microsoft provides resiliency and retention capabilities, but businesses should evaluate whether additional backup solutions are appropriate based on their recovery goals and operational needs. 

How often should Microsoft 365 security settings be reviewed?

At minimum, annually. 

Many businesses also review their environment after: 

    • Employee turnover  
    • Office relocations  
    • New software deployments  
    • Cyber insurance renewals  
    • Security incidents  
    • Significant business growth  
Can a small business benefit from Conditional Access?

Absolutely. 

Many Conditional Access policies are appropriate for organizations with only a handful of employees. 

Even simple policies—such as requiring MFA for remote logins or blocking sign-ins from countries where your business does not operate—can significantly reduce risk. 

Should Microsoft 365 security be managed internally or outsourced?

That depends on the size of your business and your available IT resources. 

Many privately owned businesses with 5 to 100 employees choose to work with a managed IT provider because Microsoft 365 security requires ongoing monitoring, updates, user management, documentation, and periodic reviews rather than a one-time setup. 

Final Thoughts

Microsoft 365 is one of the most powerful business platforms available today. 

It enables communication, collaboration, remote work, and productivity for organizations of every size. 

But simply purchasing Microsoft 365 does not automatically make a business secure. 

Strong cybersecurity comes from thoughtful configuration, regular reviews, employee education, and ongoing management. 

The ten settings discussed in this guide represent some of the most important areas every small business should review, but they are only part of a broader cybersecurity strategy. 

Rather than asking, "Is Microsoft 365 secure?" a better question is: 

"Have we configured Microsoft 365 to match the way our business actually operates?" 

For many organizations, a cybersecurity assessment is the easiest way to answer that question. 

It provides an opportunity to review existing settings, identify gaps, verify that key protections are working as expected, and prioritize practical improvements based on the organization's size, workflow, and risk profile. 

Whether your business is in South FloridaMiddle Tennessee, or supports employees across multiple locations, regularly reviewing your Microsoft 365 environment can help reduce cybersecurity risk while keeping your team productive.