Microsoft 365 Security Settings Most SMBs Get Wrong
Most M365 tenants run with weak defaults that leave email, files, and admin accounts exposed. Here are the settings your team should change now.

Most Microsoft 365 tenants are running with default settings that Microsoft designed for convenience, not security. If your organization hasn’t made specific configuration changes since setup, your email, files, and user accounts are more exposed than you realize. This guide covers the most impactful settings you should change, ordered by how much risk each one eliminates.
Default Settings Are Built for Onboarding, Not Protection
Microsoft builds M365 for the broadest possible audience: consumers, schools, startups, and enterprises. That means the out-of-the-box configuration prioritizes ease of use. Features like external file sharing, legacy authentication protocols, and open mailbox forwarding are enabled by default because they reduce friction during onboarding. For a 50-person company handling financial records, client data, or anything subject to regulatory requirements, those defaults create real exposure.
The gap between “we use M365” and “our M365 is properly configured” is wider than most business owners expect. Microsoft publishes a Secure Score dashboard that grades your tenant’s configuration against Microsoft’s own recommended settings. Most SMB tenants score below 40% on their first assessment. That number doesn’t reflect some abstract benchmark. It measures how many known attack vectors you’ve left open in the platform your entire company uses every day.
Your M365 license almost certainly includes the security features needed to close these gaps. The problem isn’t missing tools. It’s that the tools ship turned off.
Enforce MFA and Eliminate Legacy Authentication
Multi-factor authentication is the single most effective control you can apply to your M365 tenant. Microsoft’s own data shows that MFA blocks 99.9% of automated account compromise attempts. Yet plenty of M365 tenants still have users logging in with only a username and password.
Enabling MFA through Security Defaults is the minimum starting point. For more granular control, use Conditional Access policies (available on Business Premium and E3/E5 plans) to enforce MFA based on sign-in risk, location, and device compliance. Conditional Access lets you require MFA for external access while allowing trusted office networks with fewer prompts, which reduces friction for your team without sacrificing protection.
Just as important: disable legacy authentication protocols. POP3, IMAP, and SMTP Basic Auth all bypass MFA entirely. An attacker who obtains a user’s password can authenticate through these older protocols and skip the second factor as if it doesn’t exist. Microsoft has been deprecating these protocols over the past two years, but many tenants still have them enabled for “compatibility” with old email clients, multifunction printers, or shared mailboxes configured years ago.
Check your Entra ID (formerly Azure AD) sign-in logs and filter for legacy authentication events. If you find any, identify the source application and migrate it to modern authentication. Every legacy auth connection is a door that bypasses your MFA investment. For more on why multi-factor authentication matters, we’ve covered the business case in detail.
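To make the sign-in log check concrete, here is an added PowerShell example (not part of the original article) that summarises legacy-authentication sign-ins per user and protocol so each source can be tracked down and migrated. It assumes the Microsoft.Graph.Reports module and a Graph session with the AuditLog.Read.All and Directory.Read.All permissions; the sign-in records inside the script are constructed samples, and the client-type list covers the protocols named above (the Entra portal’s legacy-authentication filter also treats a few others, such as AutoDiscover and Exchange Web Services, as legacy, so extend the list if you see them).

```powershell
# Added example, not from the article. Assumes Microsoft.Graph.Reports and a Graph session
# with AuditLog.Read.All + Directory.Read.All; the sample records below are constructed.

# ClientAppUsed values that authenticate with a password alone and never see the MFA prompt.
$LegacyClients = @('Authenticated SMTP', 'IMAP4', 'POP3', 'Exchange ActiveSync', 'Other clients')

function Select-LegacyAuthSignIn {
    param([Parameter(Mandatory)][object[]]$SignIn)   # Get-MgAuditLogSignIn output (or look-alike objects)
    $SignIn |
        Where-Object { $LegacyClients -contains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User      = $first.UserPrincipalName
                Protocol  = $first.ClientAppUsed
                App       = $first.AppDisplayName
                Attempts  = $_.Count
                Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                SourceIPs = (@($_.Group.IpAddress) | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object Succeeded, Attempts -Descending
}

# Constructed sample standing in for Get-MgAuditLogSignIn output.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; ClientAppUsed = 'Authenticated SMTP'
                       AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '198.51.100.7'
                       Status = [pscustomobject]@{ ErrorCode = 0 } }       # a printer still on SMTP Basic Auth
    [pscustomobject]@{ UserPrincipalName = 'jsmith@contoso.example'; ClientAppUsed = 'IMAP4'
                       AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.44'
                       Status = [pscustomobject]@{ ErrorCode = 50126 } }   # 50126 = wrong password
    [pscustomobject]@{ UserPrincipalName = 'jsmith@contoso.example'; ClientAppUsed = 'IMAP4'
                       AppDisplayName = 'Office 365 Exchange Online'; IpAddress = '203.0.113.45'
                       Status = [pscustomobject]@{ ErrorCode = 50126 } }   # repeated IMAP failures from new IPs
    [pscustomobject]@{ UserPrincipalName = 'jsmith@contoso.example'; ClientAppUsed = 'Browser'
                       AppDisplayName = 'Outlook'; IpAddress = '192.0.2.10'
                       Status = [pscustomobject]@{ ErrorCode = 0 } }       # modern auth, not reported
)
Select-LegacyAuthSignIn -SignIn $sample | Format-Table -AutoSize

# Live query over the last 30 days (the default retention on P1/P2 licensing):
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $since   = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
# Select-LegacyAuthSignIn -SignIn $signIns | Export-Csv .\legacy-auth.csv -NoTypeInformation

# Once every source is migrated, close the protocols in Exchange Online PowerShell:
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -PopEnabled $false -ImapEnabled $false
```

The report sorts successful legacy sign-ins to the top because those are the devices and accounts that will break when you turn the protocols off; the failed IMAP attempts from several IP addresses are the pattern a password-spray against a legacy endpoint leaves, and they disappear from your logs entirely once the protocol is disabled.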
Configure Conditional Access Policies
Conditional Access is the policy engine in Entra ID that controls how and when users can access your M365 resources. If MFA is the lock on your front door, Conditional Access is the security system that decides which doors require which locks, based on who’s trying to enter, where they’re coming from, and what device they’re using. It’s available on Business Premium, E3, and E5 plans, and it’s one of the most underused security features in SMB tenants.
Security Defaults (the free tier) gives you a basic MFA requirement for all users, which is better than nothing. But Conditional Access replaces Security Defaults with granular, context-aware policies that adapt to real-world scenarios your business actually faces. Once you enable any Conditional Access policy, Security Defaults is automatically disabled, so plan your policies before making the switch.
Block sign-ins from countries where you don’t operate. If your company does business in the U.S. and nowhere else, there’s no reason to allow authentication attempts from overseas IP ranges. Create a named location for your operating countries and build a policy that blocks all sign-ins from outside those regions. This single rule eliminates a massive volume of credential-stuffing attacks that originate from foreign IP addresses. Legitimate employees traveling abroad can be handled with a temporary exception or a VPN that routes through a domestic endpoint.
Require compliant or hybrid-joined devices for access. A policy that limits M365 access to devices enrolled in Intune (or hybrid Azure AD joined) means a stolen password alone isn’t enough. The attacker also needs a device your organization manages. This is especially important for accessing SharePoint, OneDrive, and Teams, where your company’s files live. For organizations not yet using Intune, you can start with a policy that requires devices to meet basic conditions, like running a supported operating system with up-to-date patches.
Restrict which apps can access corporate data. Not every app on a user’s personal phone should be able to sync M365 email and files. Conditional Access policies can limit access to approved client applications or apps that support modern authentication. This prevents users from configuring company email on unsecured third-party mail apps that don’t support remote wipe or encryption.
Enforce sign-in risk policies. If your licensing includes Entra ID P2, Conditional Access integrates with Identity Protection to evaluate sign-in risk in real time. A login from a user’s usual device and location passes through normally. The same credentials used from an unfamiliar location, an anonymous proxy, or a device exhibiting suspicious behavior triggers additional verification or gets blocked entirely. These risk-based policies adapt automatically without requiring your team to manually investigate every anomalous login.
Always test in report-only mode first. Conditional Access policies can lock users out of their accounts if misconfigured, and a lockout during business hours is disruptive and expensive. Every policy should run in report-only mode for at least a week before enforcement. Report-only mode logs what the policy would have blocked without actually blocking it, so you can identify legitimate workflows that need exceptions before they become outages.
Start with two or three high-impact policies — geographic blocking, MFA enforcement for risky sign-ins, and device compliance for file access — then expand from there. A Microsoft 365 consulting partner can help you design policies that match your specific workforce patterns without disrupting daily operations.
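To show what the policies above look like when built, here is an added PowerShell example (not part of the original article) that creates the named location, the geographic block, the legacy-authentication block and the managed-device requirement through Microsoft Graph, all in report-only mode. It assumes the Microsoft.Graph.Identity.SignIns module, a session with the Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Application.Read.All scopes, and an existing emergency-access account (its object ID is a placeholder) that every policy excludes so a mistake cannot lock out all administrators; the country list is an assumption.

```powershell
# Added example, not from the article. Assumes Microsoft.Graph.Identity.SignIns and a session with
# Policy.ReadWrite.ConditionalAccess, Policy.Read.All and Application.Read.All.
$BreakGlassId = 'PLACEHOLDER-EMERGENCY-ACCOUNT-OBJECT-ID'   # placeholder: your emergency-access account
$Countries    = @('US')                                      # assumption: countries you operate from
$ReportOnly   = 'enabledForReportingButNotEnforced'          # change to 'enabled' after the report-only week

# 1. Named location listing the countries the business operates from.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Operating countries'
    countriesAndRegions               = $Countries
    includeUnknownCountriesAndRegions = $false
}

# 2. Block every sign-in that does not originate from those countries.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-ins outside operating countries'
    state         = $ReportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Block legacy authentication clients (the protocols that never reach the MFA prompt).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block legacy authentication'
    state         = $ReportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 4. Require an Intune-compliant or hybrid-joined device for Office 365 (SharePoint, OneDrive, Teams, Exchange).
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require managed device for Office 365'
    state         = $ReportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

# 5. After a week, review what each policy would have blocked before switching $ReportOnly to 'enabled':
# $since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
#     ForEach-Object { $_.AppliedConditionalAccessPolicies } |
#     Where-Object { $_.Result -eq 'reportOnlyFailure' } |
#     Group-Object DisplayName | Select-Object Name, Count
```

Keeping the state in one variable makes the switch from report-only to enforcement a single, reviewable change, and the final query is the report-only evidence the article recommends collecting: every row is a sign-in that would have been blocked, so a row for a real employee or a line-of-business app means an exception is needed before enforcement.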
Lock Down Email Forwarding and Transport Rules
One of the first things attackers do after compromising a mailbox is create an auto-forwarding rule to an external email address. From that point forward, they silently receive a copy of every incoming message, including password reset emails, invoices, wire transfer instructions, and internal communications. The legitimate user never notices because the emails still arrive in their inbox normally. This is how business email compromise (BEC) attacks sustain access for weeks or months before detection.
According to the FBI’s Internet Crime Complaint Center, BEC attacks caused over $2.9 billion in reported losses in 2023 alone. The forwarding rule is the mechanism that makes these attacks persistent and profitable.
Block external auto-forwarding at the transport rule level in Exchange Online. This is a single configuration change that prevents any mailbox in your organization from forwarding email to an address outside your domain. Users who legitimately need external forwarding can use shared mailboxes or delegate access, both of which are auditable and controllable.
While you’re reviewing Exchange settings, audit your existing mail flow rules. Attackers also create inbox rules that automatically delete emails from specific senders (like your IT team or security vendor) or move them to obscure folders to avoid detection. A quarterly review of mail flow rules across all mailboxes takes minutes with PowerShell and can uncover compromises that have been running silently. Your email security configuration should include these checks as part of ongoing monitoring.
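The following added PowerShell example (not part of the original article) puts the two steps above together for Exchange Online: the tenant-wide block on external auto-forwarding, and the mailbox-rule audit that flags forwarding, deletion and folder-hiding rules. It assumes the ExchangeOnlineManagement module and a Connect-ExchangeOnline session with Exchange Administrator rights; the accepted-domain list, the “hiding folder” heuristic and the sample rules are constructed for the dry run.

```powershell
# Added example, not from the article. Assumes ExchangeOnlineManagement and a Connect-ExchangeOnline
# session with Exchange Administrator rights. Domains, heuristics and sample rules are constructed.
$InternalDomains = @('contoso.example')   # assumption: replace with your accepted domains

# Prevent external auto-forwarding tenant-wide. Two layers: the outbound spam policy setting,
# and a transport rule that rejects auto-forwarded mail leaving the organization.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# New-TransportRule -Name 'Block external auto-forwarding' -FromScope InOrganization `
#     -SentToScope NotInOrganization -MessageTypeMatches AutoForward `
#     -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.' `
#     -RejectMessageEnhancedStatusCode '5.7.1'

# Audit logic: flag an inbox rule if it forwards or redirects outside your domains, deletes
# messages, or files them into a folder users rarely open (heuristic folder list, an assumption).
$HidingFolders = 'RSS Subscriptions|RSS Feeds|Conversation History|Junk Email|Archive'

function Test-SuspiciousInboxRule {
    param([Parameter(Mandatory)]$Rule)   # one Get-InboxRule result (or a look-alike object)
    $findings = @()
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo) | Where-Object { $_ }
    foreach ($t in $targets) {
        # Recipients are rendered as: "Display Name" [SMTP:user@domain]
        $address = if ("$t" -match 'SMTP:([^\]]+)\]') { $Matches[1] } else { "$t" }
        if ($InternalDomains -notcontains $address.Split('@')[-1]) {
            $findings += "forwards to external address $address"
        }
    }
    if ($Rule.DeleteMessage) { $findings += 'deletes matching messages' }
    if ($Rule.MoveToFolder -and $Rule.MoveToFolder -match $HidingFolders) {
        $findings += "moves messages to $($Rule.MoveToFolder)"
    }
    if ($findings) {
        [pscustomobject]@{
            Mailbox  = $Rule.MailboxOwnerId
            Rule     = $Rule.Name
            Enabled  = $Rule.Enabled
            Findings = $findings -join '; '
        }
    }
}

# Constructed sample rules standing in for Get-InboxRule output.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'ap@contoso.example'; Name = 'Invoices'; Enabled = $true
                       ForwardTo = @('"Collector" [SMTP:collector@external-mail.example]')
                       ForwardAsAttachmentTo = $null; RedirectTo = $null; DeleteMessage = $false; MoveToFolder = $null }
    [pscustomobject]@{ MailboxOwnerId = 'ap@contoso.example'; Name = 'Clean up'; Enabled = $true
                       ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null
                       DeleteMessage = $true; MoveToFolder = $null }     # silently drops mail from IT/security
    [pscustomobject]@{ MailboxOwnerId = 'jsmith@contoso.example'; Name = 'Newsletters'; Enabled = $true
                       ForwardTo = $null; ForwardAsAttachmentTo = $null; RedirectTo = $null
                       DeleteMessage = $false; MoveToFolder = 'jsmith@contoso.example:\Newsletters' }   # benign
)
$sampleRules | ForEach-Object { Test-SuspiciousInboxRule -Rule $_ } | Format-Table -AutoSize

# Live quarterly review across every mailbox, plus mailbox-level forwarding set outside inbox rules:
# Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
#     ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
#     ForEach-Object { Test-SuspiciousInboxRule -Rule $_ } |
#     Export-Csv .\inbox-rule-findings.csv -NoTypeInformation
# Get-Mailbox -ResultSize Unlimited |
#     Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
#     Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

The sample run reports the first two rules and stays quiet on the third. The mailbox-level check at the end matters because forwarding can also be set on the mailbox itself (ForwardingSmtpAddress) rather than through an inbox rule, and a transport rule that rejects auto-forwarded mail does not remove either configuration; it only stops the copies from leaving.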
Clean Up Admin Account Privileges
Global Admin accounts are the keys to your entire M365 environment. A compromised Global Admin can read any mailbox, delete any file, modify security policies, and add new admin accounts. If an attacker gets one, they control everything.
Start with the basics: your Global Admin count should be between two and four. Many SMB tenants accumulate five, eight, or even twelve Global Admins over time because someone needed elevated access to “quickly fix something” and the role was never removed afterward. Every unnecessary admin account is an additional target with maximum blast radius.
Every admin account must have MFA enabled without exception. Better yet, use dedicated admin accounts that are separate from daily-use accounts. Your IT manager should not be reading email, clicking links, and browsing the web with the same credentials they use to manage your entire tenant. If their daily account gets phished, a separate admin account prevents the attacker from escalating to full environment control.
If your licensing includes Entra ID P2 (part of M365 E5 and available as an add-on), enable Privileged Identity Management (PIM). PIM makes admin roles “just-in-time,” meaning administrators activate elevated privileges only when performing admin tasks, and that access expires automatically after a set window. This dramatically reduces the time window during which admin credentials are useful to an attacker.
Set up alerts for high-risk admin activities in the M365 audit log: new admin role assignments, mail transport rule changes, external sharing policy modifications, and Conditional Access policy edits. These alerts cost nothing to configure and can catch unauthorized changes within minutes.
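As an added PowerShell example (not part of the original article), the script below audits the Global Administrator role against the guidance above: it counts the members, flags any without MFA registered, and flags admin roles sitting on daily-use accounts. It assumes the Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users and Microsoft.Graph.Reports modules with the RoleManagement.Read.Directory, User.Read.All and UserAuthenticationMethod.Read.All scopes; the “adm-” naming prefix for dedicated admin accounts is an assumption, and the admin list and registration data in the script are constructed samples.

```powershell
# Added example, not from the article. Assumes the Microsoft.Graph modules named in the lead-in;
# sample admins and registration records below are constructed.

function Get-GlobalAdminReport {
    param(
        [Parameter(Mandatory)][object[]]$Admins,        # Global Admin members: objects with UserPrincipalName
        [Parameter(Mandatory)][object[]]$Registration,  # objects with UserPrincipalName and IsMfaRegistered
        [int]$MaxGlobalAdmins = 4,                      # the two-to-four guideline from the article
        [string]$AdminAccountPrefix = 'adm-'            # assumption: naming convention for dedicated admin accounts
    )
    $regByUpn = @{}
    foreach ($r in $Registration) { $regByUpn[$r.UserPrincipalName] = $r }

    $rows = foreach ($a in $Admins) {
        $reg = $regByUpn[$a.UserPrincipalName]
        [pscustomobject]@{
            Admin            = $a.UserPrincipalName
            MfaRegistered    = [bool]($reg -and $reg.IsMfaRegistered)
            DedicatedAccount = $a.UserPrincipalName -like "$AdminAccountPrefix*"
        }
    }
    [pscustomobject]@{
        GlobalAdminCount = @($Admins).Count
        OverLimit        = @($Admins).Count -gt $MaxGlobalAdmins
        MissingMfa       = @($rows | Where-Object { -not $_.MfaRegistered }).Admin
        SharedWithDaily  = @($rows | Where-Object { -not $_.DedicatedAccount }).Admin
        Details          = $rows
    }
}

# Constructed samples standing in for the Graph results.
$sampleAdmins = @(
    [pscustomobject]@{ UserPrincipalName = 'adm-itmanager@contoso.example' }
    [pscustomobject]@{ UserPrincipalName = 'adm-emergency@contoso.example' }
    [pscustomobject]@{ UserPrincipalName = 'ceo@contoso.example' }             # daily-use account holding Global Admin
    [pscustomobject]@{ UserPrincipalName = 'contractor2019@contoso.example' }  # "quick fix" access never removed
)
$sampleRegistration = @(
    [pscustomobject]@{ UserPrincipalName = 'adm-itmanager@contoso.example'; IsMfaRegistered = $true }
    [pscustomobject]@{ UserPrincipalName = 'adm-emergency@contoso.example'; IsMfaRegistered = $true }
    [pscustomobject]@{ UserPrincipalName = 'ceo@contoso.example'; IsMfaRegistered = $false }
    # contractor2019 has no registration record at all, which the report treats as not registered
)
$report = Get-GlobalAdminReport -Admins $sampleAdmins -Registration $sampleRegistration
$report | Select-Object GlobalAdminCount, OverLimit, MissingMfa, SharedWithDaily | Format-List

# Live data:
# Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'UserAuthenticationMethod.Read.All'
# $role   = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
# $admins = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
#     Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' } |
#     ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName }
# $reg    = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
# Get-GlobalAdminReport -Admins $admins -Registration $reg
```

One caveat for reading the output: IsMfaRegistered tells you a second factor is registered, not that it is enforced. Enforcement comes from Security Defaults or a Conditional Access policy targeting directory roles, so an admin who shows as registered here but is excluded from every policy is still signing in with a password alone.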
Restrict External Sharing and Enable Data Loss Prevention
SharePoint and OneDrive external sharing defaults allow your users to share files and folders with anyone outside your organization, including through “Anyone” links that require no authentication at all. That means a single employee can accidentally (or intentionally) make sensitive documents accessible to the entire internet with two clicks.
At minimum, restrict sharing to authenticated external users who must sign in to access shared content. Disable “Anyone” links entirely. For document libraries containing financial data, HR records, or client information, turn off external sharing at the library level.
Data Loss Prevention (DLP) policies add a second layer by scanning outbound email and shared documents for sensitive information patterns: credit card numbers, Social Security numbers, health record identifiers, and other regulated data types. When a DLP policy detects a match, it can block the message, require the sender to provide a business justification, or notify a compliance officer.
Most SMBs skip DLP because it sounds like an enterprise-only feature. The built-in DLP templates are actually straightforward to deploy. If you process payment card data, enable the PCI DSS template. Healthcare organizations should enable the HIPAA template. These pre-built rules catch the most common data exposure scenarios with minimal setup effort.
Pairing DLP with sensitivity labels takes protection further. A document labeled “Confidential” can be automatically encrypted, blocked from external sharing, and watermarked. Labels can be applied manually by users or automatically based on the document’s content. For businesses subject to HIPAA, PCI DSS, CMMC, or SOC 2 requirements, these controls often satisfy specific compliance mandates.
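Here is an added PowerShell example (not part of the original article) covering the sharing and DLP steps in this section: it checks a tenant’s SharePoint sharing settings for the weak defaults described above, then shows the corrected tenant and site settings and a DLP policy built from the built-in Credit Card Number sensitive information type, piloted in test mode first. It assumes the Microsoft.Online.SharePoint.PowerShell module with a Connect-SPOService session and, for DLP, a Connect-IPPSSession session; TENANT, the finance site URL and the sample tenant object are placeholders or constructed.

```powershell
# Added example, not from the article. Assumes Microsoft.Online.SharePoint.PowerShell (Connect-SPOService)
# and the Security & Compliance cmdlets (Connect-IPPSSession). TENANT and site URLs are placeholders.

# Report which weak sharing defaults are still in place.
function Get-SharingFindings {
    param([Parameter(Mandatory)]$Tenant)   # output of Get-SPOTenant (or a look-alike object)
    $findings = @()
    if ($Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        $findings += 'SharingCapability allows "Anyone" links (no authentication required)'
    }
    if ($Tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
        $findings += 'DefaultSharingLinkType creates an "Anyone" link by default'
    }
    if ($Tenant.DefaultLinkPermission -eq 'Edit') {
        $findings += 'DefaultLinkPermission grants Edit; View is the safer default'
    }
    $findings
}

# Constructed sample mirroring an untouched tenant.
$weakTenant = [pscustomobject]@{
    SharingCapability      = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType = 'AnonymousAccess'
    DefaultLinkPermission  = 'Edit'
}
Get-SharingFindings -Tenant $weakTenant
# Live: Connect-SPOService -Url https://TENANT-admin.sharepoint.com; Get-SharingFindings -Tenant (Get-SPOTenant)

# Corrected tenant defaults: external users must sign in, new links are internal and view-only.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
#               -DefaultSharingLinkType Internal -DefaultLinkPermission View
# Turn external sharing off entirely for sites holding finance, HR or client data
# (Set-SPOSite works per site; the article's library-level setting is applied in the site itself):
# Set-SPOSite -Identity https://TENANT.sharepoint.com/sites/Finance -SharingCapability Disabled

# DLP: block payment card numbers from going to external recipients, starting in test mode so you
# can see matches before anything is blocked (switch -Mode to Enable once the matches look right).
# Connect-IPPSSession
# New-DlpCompliancePolicy -Name 'Payment card data' -Mode TestWithNotifications `
#     -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
# New-DlpComplianceRule -Name 'Block external sharing of card numbers' -Policy 'Payment card data' `
#     -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
#     -AccessScope NotInOrganization -BlockAccess $true -NotifyUser Owner
```

Run against the constructed tenant, the check returns all three findings; against a hardened tenant it returns nothing, which makes it suitable for a scheduled drift check. The DLP rule is scoped with AccessScope NotInOrganization so internal sharing of card numbers still works and only the external path is blocked, which is the PCI exposure the article describes.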
Where to Start This Week
You don’t need to implement everything at once. Prioritize based on risk:
Enable Security Defaults to enforce MFA on every account immediately. This single change blocks the vast majority of credential-based attacks.
Disable legacy authentication by blocking POP, IMAP, and SMTP Basic Auth across your tenant.
Set up Conditional Access policies to replace Security Defaults with context-aware controls — start with geographic blocking and device compliance in report-only mode.
Block external email forwarding with an Exchange Online transport rule.
Audit your admin accounts. Remove Global Admin from anyone who doesn’t need it. Confirm every remaining admin has MFA enforced.
Restrict external sharing in SharePoint and OneDrive. Eliminate “Anyone” links.
Check your Secure Score in the Microsoft 365 Defender portal and work through the top recommendations.
If your internal team doesn’t have the capacity or M365 expertise to make these changes without risking lockouts, a Microsoft 365 consulting partner can audit your tenant configuration and implement these controls properly. Misconfigured Conditional Access policies can lock users out of their accounts, so testing in report-only mode before enforcing is important.
Building a formal data security policy alongside these technical controls ensures your team knows how to handle sensitive information at the process level, not just through technology restrictions.
Your M365 tenant is likely the single most important piece of infrastructure your business operates. Every employee uses it daily for email, documents, file sharing, and collaboration. The security controls described here are included in licenses most SMBs already pay for. The only real cost is the time to configure them correctly.
If you want a second set of eyes on your current setup or need help prioritizing which changes to tackle first, Infonaligy’s managed security team works with M365 environments daily and can identify the specific gaps that matter most for your business and compliance requirements.