Authored by Alan Specchio Jr, Founder, Aspect IT

Microsoft 365 Security Basics for Small Businesses

Most small businesses use Microsoft 365 but skip the security settings that matter most. Here's what to turn on before something goes wrong.

Microsoft 365 is the backbone of most small business operations — email, documents, Teams, and more. The problem is that most businesses buy the licenses, migrate their data, and then treat security as someone else's job. It isn't. The default Microsoft 365 configuration is not secure for most businesses, and attackers know it.

This article covers the specific settings that matter most. Not all of them require higher-tier licenses. Most of them take less than an hour to configure if you know where to look.

Start Here: Multi-Factor Authentication

If you do nothing else on this list, turn on MFA. Full stop.

Business email compromise — where an attacker gains access to your email account and impersonates you to wire money, redirect payments, or harvest sensitive information — is the most common and costly attack against small businesses. A stolen password alone is not enough to log in when MFA is enabled.

Microsoft 365 supports several MFA methods. In order of preference:

  1. Microsoft Authenticator app (push notification or code)
  2. Any other TOTP-compatible authenticator app (Authy, Google Authenticator)
  3. SMS text message — better than nothing, but SIM swapping is a real attack; phase this method out if possible

Enable MFA via the Microsoft Entra admin center (formerly Azure AD). Under Security > Authentication methods, enable the authenticator app for all users. Set MFA as required, not optional — optional means some percentage of your team won't use it.

Security Defaults (available free on all M365 plans) enable MFA for all users automatically. If you don't have time to configure this properly, enabling Security Defaults is a meaningful step in the right direction.

Use Separate Admin Accounts

Your Global Administrator account should never be your day-to-day email account. If your email gets compromised, the attacker also has full admin access to your entire Microsoft 365 tenant — every mailbox, every file, every setting.

Create a dedicated admin account (e.g., admin@yourdomain.com or an .onmicrosoft.com address) that is used only for admin tasks. It should have MFA enabled. It should not have email active. Log into it only when you need to make admin changes, then log out.

This is one of the highest-impact, lowest-cost changes you can make.

Conditional Access: Block High-Risk Logins

Conditional Access is a Microsoft Entra (Azure AD) feature that lets you define rules for when and how users can log in. It requires at least Microsoft 365 Business Premium or an add-on license, but it's powerful.

The most impactful policies for small businesses:

  • Require MFA for all users — enforces MFA at the policy level rather than relying on per-user settings
  • Block legacy authentication — prevents older protocols (POP3, IMAP, SMTP AUTH) that don't support MFA from being used (more on this below)
  • Block logins from high-risk locations — you can restrict logins to specific countries if your team is US-only
  • Require compliant devices — ensures only managed, enrolled devices can access company data

Start with requiring MFA for all users and blocking legacy authentication. Those two alone eliminate a large percentage of the attack surface.

Disable Legacy Authentication Protocols

This one is critically important and frequently skipped. Legacy authentication protocols — SMTP AUTH, POP3, IMAP — do not support modern MFA. If these are enabled, an attacker with a valid password can log into your email regardless of your MFA settings.

In the Microsoft 365 Admin Center, go to Settings > Org Settings > Modern Authentication. Make sure legacy authentication is disabled.

If any of your users or systems (e.g., printers scanning to email, old CRM systems) depend on legacy auth, this requires some transition planning. But it's worth doing. Work through those use cases one by one rather than leaving legacy auth open for everyone.
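Finding out who still depends on legacy auth before you turn it off is the part most people skip. The following is an added example (not from the article) using the Exchange Online PowerShell module. It assumes the ExchangeOnlineManagement module is installed and that you connect with an Exchange administrator account; the scanner mailbox address is a placeholder.

```powershell
# Added example: inventory and disable legacy protocols in Exchange Online.
# Not code from the original article. Assumes the ExchangeOnlineManagement module
# is installed and the signed-in account holds an Exchange admin role.

Connect-ExchangeOnline

# 1. Tenant-wide SMTP AUTH setting. $true means SMTP AUTH is disabled for everyone
#    unless a mailbox explicitly overrides it.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# 2. Inventory: which mailboxes still have POP, IMAP or a per-mailbox SMTP AUTH override?
#    SmtpClientAuthenticationDisabled on a mailbox is $null (inherit tenant setting),
#    $true (disabled) or $false (explicitly enabled, overriding the tenant).
$legacyEnabled = Get-CASMailbox -ResultSize Unlimited |
    Where-Object {
        $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false)
    } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

$legacyEnabled | Format-Table -AutoSize
$legacyEnabled | Export-Csv -Path .\legacy-auth-inventory.csv -NoTypeInformation

# 3. Work through the exceptions in the CSV one by one. Once the list contains only
#    mailboxes you have confirmed do not need these protocols, turn them off:
foreach ($mbx in $legacyEnabled) {
    Set-CASMailbox -Identity $mbx.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false
}

# 4. Disable SMTP AUTH tenant-wide...
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

#    ...and re-enable it only on the one mailbox a device genuinely needs (placeholder
#    address), so the exception is visible in the inventory above rather than global.
Set-CASMailbox -Identity "scanner@yourdomain.com" -SmtpClientAuthenticationDisabled $false
```

The order matters: run the inventory first, fix or migrate each dependent system, and keep the per-mailbox override for anything that genuinely cannot use modern auth. That way the exception is a single, auditable mailbox instead of the whole tenant.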

Microsoft Defender for Business

If you're on Microsoft 365 Business Premium, Defender for Business is included. If you're on a lower tier, it's available as an add-on at around $3/user/month.

Defender for Business provides:

  • Endpoint detection and response (EDR) for Windows and Mac
  • Threat and vulnerability management — shows you what's unpatched and at risk across your devices
  • Attack surface reduction rules — blocks common attacker techniques at the OS level
  • Automated investigation and remediation

It's not a replacement for a dedicated EDR solution in every case, but for most small businesses it's the right level of protection and it's already part of your Microsoft subscription.

Enable it via the Microsoft Defender portal (security.microsoft.com) and deploy the onboarding package to your devices.

Audit Mailbox Rules Periodically

When attackers compromise a mailbox, one of the first things they do is create a rule to forward copies of all incoming email to an external address — so they can keep reading your email even after you change your password. These rules are often hidden or named something innocuous.

Log into the Microsoft 365 admin center and periodically review inbox rules for all users. Look for:

  • Rules that forward to external email addresses
  • Rules that delete messages matching certain keywords
  • Rules that move messages to obscure folders

The Exchange Online PowerShell module makes it easier to audit this across all mailboxes at once. If you're not comfortable doing this yourself, it's worth having your IT provider run through it quarterly.
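Here is what that quarterly audit looks like in practice. The following is an added example (not the article's own script) using the Exchange Online PowerShell module. It assumes the ExchangeOnlineManagement module is installed and that you connect with an Exchange administrator account; the list of folder names treated as suspicious is a starting heuristic, not a standard.

```powershell
# Added example: audit inbox rules and mailbox-level forwarding across every mailbox.
# Not code from the original article. Assumes the ExchangeOnlineManagement module is
# installed and the signed-in account holds an Exchange admin role.

Connect-ExchangeOnline

# Domains the tenant owns; any other recipient domain is treated as external.
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLowerInvariant() }

function Test-ExternalRecipient {
    # Rule recipients render as "Name [SMTP:user@example.com]" for external addresses
    # and "Name [EX:/o=ExchangeLabs/...]" for objects in the directory.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match 'SMTP:([^\]\s]+)') {
            $domain = $Matches[1].Split('@')[-1].ToLowerInvariant()
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

# Folders attackers commonly use to hide mail the victim is unlikely to open.
$hidingFolders = 'RSS|Archive|Conversation History|Junk'

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress) {
    # Mailbox-level forwarding is set by an admin, not through inbox rules, so check it separately.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Rule    = '(mailbox forwarding)'
            Reason  = 'mailbox-level forwarding is set'
            Detail  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        }
    }

    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $reasons = @()
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if (Test-ExternalRecipient $targets)                 { $reasons += 'forwards or redirects to an external address' }
        if ($rule.DeleteMessage)                             { $reasons += 'deletes matching messages' }
        if ($rule.MoveToFolder -match $hidingFolders)        { $reasons += "moves messages to '$($rule.MoveToFolder)'" }
        if ($rule.Name -match '^[\s.]*$')                    { $reasons += 'rule name is blank or only dots' }
        if ($reasons) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Reason  = ($reasons -join '; ')
                Detail  = $rule.Description
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\inbox-rule-audit.csv -NoTypeInformation
```

Every line in the report needs a human decision: a rule that forwards invoices to an accountant's external address may be legitimate, but it should be known and documented, not discovered during an incident. Keep each quarter's CSV so that new rules stand out against the previous run.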

License Level Matters

Not everything on this list is available on every M365 plan. Here's a rough breakdown:

Microsoft 365 Business Basic ($6/user/month): Email, Teams, web apps, OneDrive. No Conditional Access, no Defender for Business, limited security features.

Microsoft 365 Business Standard ($12.50/user/month): Adds desktop Office apps and additional services, but still limited on security features.

Microsoft 365 Business Premium ($22/user/month): Adds Conditional Access, Defender for Business, Intune (device management), Azure AD Premium P1, and Azure Information Protection. This is the right tier for most businesses that handle sensitive data.

If you're on Business Basic or Standard and handling sensitive client data, financial records, or protected health information, upgrading to Business Premium is worth a serious look. The security tools included are substantially better than what you can bolt on separately.


Getting Microsoft 365 security right isn't complicated once you know where to focus. If you'd like help reviewing your current tenant configuration, Aspect offers a security assessment that covers M365 specifically along with your broader environment. We'll tell you what's at risk and what to fix first.

Tags: Microsoft 365, cybersecurity, MFA, small business IT
