Most Microsoft 365 breaches at small businesses come down to a handful of missed settings. Fix these and you close the doors attackers actually use.
1. Enforce multi-factor authentication (MFA) for everyone
This is the single most important change. Enable MFA for every user — not just admins — using Security Defaults or a Conditional Access policy. It stops the vast majority of account-takeover attacks even when a password is stolen or phished.
2. Protect and limit admin accounts
- Use separate accounts for admin work; don't run daily email from a Global Admin account.
- Keep the number of Global Admins small (ideally two to four).
- Require phishing-resistant MFA for all admins.
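The following script is an added example and is not part of the original article. It assumes the Microsoft Graph PowerShell SDK is installed and that you sign in with a role that can read directory roles and users; the four-admin ceiling is taken from the article's guidance, and the "licensed means probably a daily-use mailbox" heuristic is an assumption of this example, not a Microsoft rule.

```powershell
# Added example: inventory Global Administrators and flag deviations from items 2a-2b.
# Assumes: Microsoft.Graph module installed; signed-in account can read roles/users.
Connect-MgGraph -Scopes "Directory.Read.All","User.Read.All" -NoWelcome

# The Global Administrator directory role object exists once the role has ever been assigned.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role not found in this tenant." }

# Members come back as generic directory objects; user fields live in AdditionalProperties.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$admins = foreach ($m in $members) {
    [pscustomobject]@{
        Id   = $m.Id
        Type = $m.AdditionalProperties['@odata.type']        # #microsoft.graph.user, group, servicePrincipal
        Upn  = $m.AdditionalProperties['userPrincipalName']  # empty for groups / service principals
    }
}
$admins = @($admins)
$admins | Format-Table -AutoSize

# Check 1: keep the count small (article: ideally two to four).
$MaxGlobalAdmins = 4   # assumed threshold from the article's guidance
if ($admins.Count -gt $MaxGlobalAdmins) {
    Write-Warning "Tenant has $($admins.Count) Global Admins; target is $MaxGlobalAdmins or fewer."
}

# Check 2: anything that is not a named user account needs a justification on file.
$admins | Where-Object { -not $_.Upn } |
    ForEach-Object { Write-Warning "Non-user principal holds Global Admin: $($_.Id) ($($_.Type))" }

# Check 3 (heuristic): a licensed Global Admin is often someone's everyday mailbox.
foreach ($a in ($admins | Where-Object { $_.Upn })) {
    $u = Get-MgUser -UserId $a.Id -Property "userPrincipalName","assignedLicenses"
    if (@($u.AssignedLicenses).Count -gt 0) {
        Write-Warning "$($u.UserPrincipalName) is a licensed Global Admin; confirm it is a dedicated admin account, not a daily-use mailbox."
    }
}
```

Run it read-only first; it changes nothing. The warnings give you the list of accounts to split into a separate, unlicensed admin identity plus a normal licensed user.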
3. Turn on anti-phishing and Safe Links / Safe Attachments
If your plan includes Microsoft Defender for Office 365, enable anti-phishing policies, Safe Links, and Safe Attachments. These scan links and files at click-time and catch threats that slip past basic filtering.
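An added example (not code from the article) that builds the three protections in Exchange Online PowerShell, applied to every accepted domain in the tenant. It assumes Defender for Office 365 Plan 1 or higher, the ExchangeOnlineManagement module, and an Exchange Administrator or Security Administrator role; the policy names and the choice of Quarantine actions are this example's assumptions.

```powershell
# Added example: anti-phishing + Safe Links + Safe Attachments for all users.
# Assumes: Defender for Office 365 licence; ExchangeOnlineManagement module installed.
Connect-ExchangeOnline -ShowBanner:$false

$domains = (Get-AcceptedDomain).DomainName   # every domain this tenant owns

# 1. Anti-phishing: tighten the built-in default policy (applies to everyone).
#    Quarantine is chosen so users cannot open impersonation/spoof hits themselves.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true -PhishThresholdLevel 2   # 2 = Aggressive

# 2. Safe Links: URLs are rewritten and re-checked when the user actually clicks.
$slName = "SafeLinks-AllUsers"   # assumed policy name
if (-not (Get-SafeLinksPolicy -Identity $slName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $slName `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false | Out-Null
    New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs $domains | Out-Null
}

# 3. Safe Attachments: files are detonated in a sandbox before delivery; Block drops the message.
$saName = "SafeAttachments-AllUsers"   # assumed policy name
if (-not (Get-SafeAttachmentPolicy -Identity $saName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $saName -Enable $true -Action Block | Out-Null
    New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName -RecipientDomainIs $domains | Out-Null
}

# Extend attachment scanning to files already sitting in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify what is now in force.
Get-SafeLinksRule | Select-Object Name, State, RecipientDomainIs
Get-SafeAttachmentRule | Select-Object Name, State, RecipientDomainIs
```

Both `New-*Rule` calls scope the policy by recipient domain, so a user in a domain added later is not covered until you re-run the script or add the domain to the rule.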
4. Block legacy authentication
Old protocols (POP, IMAP, SMTP AUTH, legacy Exchange) bypass MFA entirely and are a favorite of password-spraying bots. Block legacy authentication with a Conditional Access policy unless a specific system genuinely needs it.
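The script below is an added example rather than anything from the article, covering item 1 (MFA for everyone), the phishing-resistant requirement for admins from item 2, and item 4 (block legacy authentication) as three Conditional Access policies created through Microsoft Graph PowerShell. It assumes the Microsoft.Graph module, a Conditional Access Administrator or Global Administrator, licensing for Conditional Access (Microsoft Entra ID P1), and a break-glass account whose object id you paste in; policy names are this example's own. Policies are created in report-only mode so you can inspect what would be blocked before enforcing.

```powershell
# Added example: three Conditional Access policies (report-only first).
# Assumes: Microsoft.Graph module; Entra ID P1; a break-glass account to exclude.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","RoleManagement.Read.Directory" -NoWelcome

$breakGlassUserId = "<object-id-of-emergency-access-account>"   # placeholder; never lock this account out

# Resolve built-in ids dynamically rather than hard-coding them.
$gaTemplate = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
$strength   = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'
if (-not $gaTemplate -or -not $strength) { throw "Could not resolve role template or authentication strength." }

$reportOnly = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing sign-in logs

$policies = @(
    @{  # Item 1: every user, every cloud app, must satisfy MFA.
        displayName   = "CA001 - Require MFA for all users"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Item 2: Global Admins must use a phishing-resistant method (FIDO2, passkey, CBA).
        displayName   = "CA002 - Phishing-resistant MFA for Global Admins"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeRoles = @($gaTemplate.Id); excludeUsers = @($breakGlassUserId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $strength.Id } }
    },
    @{  # Item 4: legacy clients cannot do MFA, so they are simply blocked.
        displayName   = "CA003 - Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassUserId) }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")   # "other" = POP/IMAP/SMTP AUTH and similar
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $policies) {
    if ($existing | Where-Object DisplayName -eq $p.displayName) {
        Write-Host "Already present: $($p.displayName)"; continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Out-Null
    Write-Host "Created in report-only mode: $($p.displayName)"
}
```

Leave CA003 in report-only for a week and look at sign-in logs for the accounts it would have blocked; a scanner, multifunction printer or line-of-business app still using SMTP AUTH shows up there, and you handle it with a narrow exclusion rather than by leaving legacy authentication open for everyone.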
5. Watch for mailbox rules and forwarding
A classic attacker move after compromising a mailbox is to create hidden inbox rules or auto-forwarding to an external address. Disable automatic external forwarding, and review mailbox rules if you suspect compromise.
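An added example (not from the article) that does both halves of item 5 in Exchange Online PowerShell: it turns off automatic external forwarding at the tenant level, then sweeps every mailbox for forwarding settings and for inbox rules that send mail outside your accepted domains, delete messages, or carry the near-empty names that hidden rules tend to have. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; the "suspicious" heuristics are this example's choices and will need review against your own tenant.

```powershell
# Added example: block auto-forwarding and hunt for forwarding/hidden inbox rules.
# Assumes: ExchangeOnlineManagement module; Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Stop automatic external forwarding at two layers.
#    Outbound spam policy: Off means auto-forwarded mail to external recipients is rejected.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#    Default remote domain (*): also disable client-side auto-forward.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Mailbox-level forwarding set by an admin or via Set-Mailbox.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules. Recipient strings look like '"Name" [SMTP:user@example.com]' for SMTP targets.
$ownDomains = (Get-AcceptedDomain).DomainName
$findings = foreach ($mbx in $mailboxes) {
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = foreach ($t in $targets) {
            if ("$t" -match '\[SMTP:([^\]]+)\]') {
                $addr = $Matches[1]
                if (($addr -split '@')[-1] -notin $ownDomains) { $addr }
            }
        }
        $shortName = ($rule.Name.Trim().Length -le 2)   # e.g. ".", "..", "a": common for hidden rules
        if ($external -or $rule.DeleteMessage -or $shortName) {
            [pscustomobject]@{
                Mailbox         = $mbx.UserPrincipalName
                Rule            = $rule.Name
                Enabled         = $rule.Enabled
                ExternalTargets = ($external -join ';')
                Deletes         = $rule.DeleteMessage
                MoveTo          = $rule.MoveToFolder
            }
        }
    }
}
$findings | Format-Table -AutoSize
```

Treat every row as a lead, not a verdict: a rule forwarding to a personal address may be a user's own convenience, but a rule with a one-character name that deletes or redirects mail is the pattern worth escalating to an incident.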
6. Control external sharing in SharePoint and OneDrive
Default sharing can be more open than you expect. Set sharing to the least-permissive level your business can work with, and prefer sharing with specific people over "anyone with the link."
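An added example (not the article's code) using the SharePoint Online Management Shell to make "least permissive" a concrete comparison: it lists the sites currently configured more openly than your chosen ceiling, then sets the tenant ceiling and the default link type. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint Administrator role, a placeholder admin URL, and that `ExternalUserSharingOnly` (named, signed-in guests; no anonymous links) is the level your business can work with.

```powershell
# Added example: audit and tighten external sharing in SharePoint/OneDrive.
# Assumes: Microsoft.Online.SharePoint.PowerShell module; SharePoint Administrator role.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder tenant name

# Rank the sharing levels so "more open than target" is a simple comparison.
$rank = @{
    "ExternalUserAndGuestSharing"     = 3   # anyone with the link (anonymous)
    "ExternalUserSharingOnly"         = 2   # new and existing guests, must sign in
    "ExistingExternalUserSharingOnly" = 1   # only guests already in the directory
    "Disabled"                        = 0   # internal only
}
$target = "ExternalUserSharingOnly"   # assumed business choice

# Audit first: sites cannot be more open than the tenant, so this is the list that
# will be affected (and whose owners you should tell) before the ceiling is lowered.
Get-SPOSite -Limit All |
    Where-Object { $rank[[string]$_.SharingCapability] -gt $rank[$target] } |
    Select-Object Url, SharingCapability, Owner

# Tenant ceiling, only lowered if it is currently above the target.
$tenant = Get-SPOTenant
if ($rank[[string]$tenant.SharingCapability] -gt $rank[$target]) {
    Set-SPOTenant -SharingCapability $target
}

# New share links default to "specific people" with view-only permission, not "anyone".
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```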
7. Keep an eye on the audit log and alerts
Make sure unified audit logging is on, and configure alerts for risky sign-ins, unusual admin actions, and mass file downloads. You cannot respond to what you cannot see.
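The following added example (not from the article) checks that unified audit logging is on and then pulls one week of the operations that map to the earlier items: inbox rule and forwarding changes, role membership changes, sharing events and file downloads, finishing with a simple mass-download count per user. It assumes the ExchangeOnlineManagement module and an Exchange or Compliance role with audit read access; the operation list and the download threshold are this example's assumptions.

```powershell
# Added example: verify unified audit logging and review one week of risky operations.
# Assumes: ExchangeOnlineManagement module; a role permitted to run Search-UnifiedAuditLog.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Audit log must be ingesting, or there is nothing to search later.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit log was off and has been enabled; history only accumulates from now."
}

# 2. Operations worth a weekly look (assumed list, tied to the article's items).
$ops = @(
    "New-InboxRule", "Set-InboxRule", "Set-Mailbox",   # item 5: rules and forwarding
    "Add member to role.", "Update user.",             # item 2: admin changes (note trailing periods)
    "Update policy.",                                  # Conditional Access / policy edits
    "SharingSet", "AnonymousLinkCreated",              # item 6: external sharing
    "FileDownloaded"                                   # item 7: mass downloads
)
$end   = Get-Date
$start = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

# 3. Flatten the JSON AuditData payload into a table a human can review.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $e.CreationDate
        Who       = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP
        Target    = $d.ObjectId
        # Exchange admin events carry the cmdlet parameters, e.g. ForwardingSmtpAddress=...
        Params    = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
}
$rows | Where-Object Operation -ne 'FileDownloaded' | Sort-Object When -Descending | Format-Table -AutoSize

# 4. Mass-download heuristic: one user pulling an unusual number of files in the window.
$downloadThreshold = 500   # assumed; tune to what is normal for your tenant
$rows | Where-Object Operation -eq 'FileDownloaded' | Group-Object Who |
    Where-Object Count -gt $downloadThreshold |
    ForEach-Object { Write-Warning "$($_.Name) downloaded $($_.Count) files in the last 7 days." }
```

`Search-UnifiedAuditLog` returns at most 5000 records per call; if a busy tenant hits that ceiling, shorten the window or query the download operation separately so the admin events are not crowded out.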
Do these three first: enforce MFA for all users, block legacy authentication, and disable automatic external email forwarding. Together they shut down the most common Microsoft 365 attacks.
Not sure how your tenant is configured?
A security assessment includes a review of your Microsoft 365 configuration against these and other best practices — and a prioritized list of what to fix first.