
10 Security Settings in Microsoft 365 Every Business Should Enable Today

Aws
June 16, 2026

Secure Your Microsoft 365 Tenant. Protect Your Business. Start Today.

Most businesses already pay for the security tools they need — they just haven't turned them on. Microsoft 365 includes enterprise-grade protections built directly into your subscription, yet the majority of organizations run with default settings that leave critical gaps wide open.

✔ Block 99.9% of account compromise attacks with one setting  

✔ Stop phishing emails before they reach your users  

✔ Prevent data leaks from personal devices and unsecured apps  

✔ Maintain HIPAA, CMMC, and regulatory compliance posture

Introduction

Microsoft 365 is the backbone of the modern workplace — email, Teams, SharePoint, OneDrive, and cloud storage all running under one roof. For businesses in Washington, D.C., Virginia, Maryland, and across the country, it is also one of the most targeted platforms by cybercriminals.

The hard truth: a Microsoft 365 tenant with default settings is not a secure tenant. It is a liability.

According to Microsoft's 2025 Digital Defense Report, over 99% of compromised accounts did not have multi-factor authentication enabled. The same report found that Microsoft 365 services block approximately 156,000 business email compromise attempts every single day — a scale that underscores just how relentlessly attackers are targeting the platform. Yet most of the tools needed to stop these attacks are already included in your Microsoft 365 subscription — sitting inactive, waiting to be switched on.

This guide covers the 10 most impactful Microsoft 365 security settings every business should enable immediately, regardless of whether you are running Microsoft 365 Business Basic, Business Premium, E3, or E5. For organizations evaluating their license tier and whether they are paying for the right level of security coverage, our Microsoft 365 License Right-Sizing guide is a critical companion read.

The security posture gap is real. The good news: closing it does not require new software purchases. It requires activating what you already own.

Why Microsoft 365 Security Configuration Matters More Than the License Tier

Before diving into the settings themselves, it is worth addressing a common misconception: that buying a higher Microsoft 365 license tier automatically makes your organization more secure.

It does not.

Microsoft 365 E5 includes Defender for Office 365 Plan 2, advanced Purview compliance tools, and Microsoft Sentinel integration — but those features protect you only if they are configured correctly. An E5 tenant with weak Conditional Access policies and no MFA enforcement is less secure than a well-configured Business Premium environment.

As we covered in Why Your "IT Guy" Is Now a Business Liability, the gap between owning enterprise-grade tools and operationalizing them is exactly where most SMBs are exposed. The 10 settings below close the most critical gaps — most of them in under an hour.

The 10 Microsoft 365 Security Settings to Enable Now

1. Multi-Factor Authentication (MFA) — The Non-Negotiable First Step

Where to configure: Microsoft Entra ID (formerly Azure AD) > Security > Authentication Methods

Available in: All Microsoft 365 plans

Multi-factor authentication is the single highest-impact security control available in Microsoft 365. Microsoft's data shows MFA blocks over 99.9% of automated account compromise attacks. Despite this, many organizations — particularly SMBs — still rely on passwords alone.

There are two paths to enabling MFA in Microsoft 365:

  • Security Defaults — A one-click setting in Entra ID that enforces MFA for all users and blocks legacy authentication protocols. Ideal for organizations without existing Conditional Access policies. Enable under Microsoft Entra ID > Properties > Manage Security Defaults.
  • Conditional Access Policies — A more granular approach available in Microsoft 365 Business Premium and E3/E5. Allows MFA requirements to be scoped by user, group, application, location, and device compliance state. This is the enterprise-grade path recommended for organizations with remote workers, contractors, or compliance requirements.

The Microsoft Authenticator app provides the most phishing-resistant MFA experience. Push notifications combined with number matching (enabled by default in newer tenants) prevent MFA fatigue attacks — a technique where attackers spam approval requests hoping users accidentally approve them.

Action: If your organization has not enabled MFA across all accounts — including shared mailboxes and service accounts — treat this as a P0 priority today.

2. Conditional Access Policies — Zero Trust Authentication in Practice

Where to configure: Microsoft Entra ID > Security > Conditional Access

Available in: Microsoft 365 Business Premium, E3, E5

Conditional Access is the policy engine that enforces Zero Trust principles at the identity layer. Rather than trusting any user who provides the correct credentials, Conditional Access evaluates every sign-in attempt against a set of conditions — device compliance, location, user risk score, application sensitivity — before granting access.

Key Conditional Access policies every organization should implement:

  • Require MFA for all users — Baseline policy covering all sign-ins
  • Require MFA for Azure Portal and Admin Portals — Elevated protection for administrative access
  • Block legacy authentication — Legacy protocols like SMTP AUTH and IMAP do not support MFA and are a primary attack vector. Block them entirely for user accounts.
  • Require compliant or hybrid-joined devices — Ensures only managed, policy-compliant devices can access corporate resources
  • Block sign-ins from high-risk locations — Country-level blocks for regions with no legitimate business activity

For organizations subject to HIPAA, CMMC, or FedRAMP, Conditional Access is not optional — it is a foundational compliance control. PSI's Managed Services team helps clients deploy and maintain Conditional Access policy frameworks tailored to their specific compliance obligations.
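The baseline "Require MFA for all users" policy above, built with the Microsoft Graph PowerShell SDK, as an added example that is not code from the original post. It first checks that Security Defaults (the one-click path from setting 1) is switched off, because Security Defaults and Conditional Access policies cannot be used together, and it creates the policy in report-only mode so sign-in impact can be reviewed before enforcement. The module, the permission scope and the break-glass account are assumptions; the account object ID is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph.Identity.SignIns module
# and an account holding Policy.ReadWrite.ConditionalAccess; the break-glass ID is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Security Defaults and Conditional Access are mutually exclusive: confirm Security Defaults
# is off before creating policies (setting 1 describes the Entra ID > Properties page).
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    throw "Security Defaults is enabled. Disable it under Entra ID > Properties before using Conditional Access."
}

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: emergency-access account object ID

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"    # report-only first; set to "enabled" after review
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)              # never lock out the emergency account
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

Leave the policy in report-only state for at least a week and review the Conditional Access insights in the sign-in logs; once no legitimate workflow is flagged, change state to "enabled".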

3. Microsoft Defender for Office 365 — Anti-Phishing and Safe Links

Where to configure: Microsoft 365 Defender Portal (security.microsoft.com) > Policies & Rules > Threat Policies

Available in: Microsoft 365 Business Premium (Plan 1), E5 (Plan 2); add-on for E3

Phishing attacks targeting Microsoft 365 users are the leading cause of credential compromise and business email compromise (BEC) fraud. The FBI's 2025 Internet Crime Report identified BEC as the second-most financially devastating cybercrime category, with losses reaching $3.046 billion — trailing only investment fraud.

Microsoft Defender for Office 365 adds three critical layers of protection not present in standard Exchange Online Protection:

  • Safe Links — Rewrites and time-of-click verifies all URLs in emails and Office documents. If a link points to a known malicious domain — or is weaponized after delivery — Safe Links blocks it at the moment of click.
  • Safe Attachments — Detonates email attachments in a sandbox environment before delivery. Malicious payloads are blocked before reaching the user's inbox. Enable the "Dynamic Delivery" option to minimize delivery delays.
  • Anti-Phishing Policies with Impersonation Protection — Detects attempts to impersonate your executives, brand, and custom domains. Configure protected senders (CEO, CFO, key vendors) and enable mailbox intelligence to improve detection accuracy.

Enable these policies under Threat Policies in the Microsoft 365 Defender portal. Apply them to all users, not just executives — attackers target finance teams, HR, and IT staff with equal frequency.

4. Microsoft Secure Score — Your Security Posture Baseline

Where to configure: Microsoft 365 Defender Portal > Secure Score

Available in: All Microsoft 365 plans

Microsoft Secure Score is a quantified measurement of your organization's security posture within Microsoft 365 and Azure. It evaluates your current configuration against hundreds of best-practice controls and assigns a numerical score with prioritized improvement actions.

Secure Score serves three functions:

  • Baseline measurement — Know where you stand today before making any changes
  • Prioritized action list — Microsoft ranks improvement actions by impact and difficulty, so you focus effort where it reduces the most risk
  • Compliance mapping — Actions are mapped to frameworks including NIST, ISO 27001, CMMC, and others — valuable for audit preparation

A well-configured Microsoft 365 tenant should target a Secure Score above 60–70%. Organizations with scores below 40% have significant exposure that should be addressed immediately.

Use Secure Score as your weekly security operations dashboard. Any score decrease signals a configuration drift that warrants investigation.

5. Microsoft Purview — Data Loss Prevention (DLP) Policies

Where to configure: Microsoft Purview Compliance Portal > Data Loss Prevention

Available in: Microsoft 365 Business Premium, E3, E5

Data Loss Prevention policies prevent sensitive information from leaving your organization through email, Teams, SharePoint, OneDrive, and devices. For businesses in regulated industries — healthcare, financial services, government contracting — DLP is a compliance requirement, not just a best practice.

Start with Microsoft's built-in DLP templates for your relevant regulations:

  • HIPAA — Detects Protected Health Information (PHI) including Social Security Numbers, medical record identifiers, and health plan numbers
  • PCI-DSS — Flags credit card numbers and financial account data in transit or at rest
  • CMMC / ITAR — Identifies Controlled Unclassified Information (CUI) categories for defense contractors

Configure DLP policies in "Audit" mode first. This allows you to assess the volume and nature of sensitive data movement before applying blocking rules — preventing business disruption while building visibility. After a 30-day baseline, move high-risk scenarios to block mode.

Key DLP actions to configure:

  • Block external sharing of documents containing SSNs, PHI, or financial account data
  • Require business justification for sharing sensitive files outside the organization
  • Alert the compliance team when DLP policy violations occur
  • Apply sensitivity labels to automatically classify and protect documents
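The audit-first rollout described above (policy in audit mode for a 30-day baseline, then switched to block) in Security & Compliance PowerShell, as an added example that is not code from the original post. It uses the ExchangeOnlineManagement module and Microsoft's built-in "U.S. Social Security Number (SSN)" sensitive information type; the policy and rule names, the compliance mailbox and the domain are constructed placeholders.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module and
# Compliance Administrator rights; names, addresses and domains are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                      # Security & Compliance PowerShell endpoint

$policyName = "HIPAA - PHI leaving the organization"

# Mode TestWithNotifications is the "Audit" stage: matches are logged and users see a policy tip,
# but nothing is blocked. This is where the 30-day baseline is collected.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Audit-first rollout; enforce after 30-day baseline review" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: content shared outside the organization that contains an SSN is blocked (once enforced),
# the owner is notified, an override requires a business justification, and the compliance
# mailbox receives an incident report.
New-DlpComplianceRule -Name "Block external share of SSN" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "compliance@contoso.example" `
    -IncidentReportContent Detections, Severity, RulesMatched `
    -ReportSeverityLevel High

# After the baseline review, flip the same policy to enforcement; the rule's block action now applies.
function Enable-DlpEnforcement {
    param([Parameter(Mandatory)] [string] $Policy)
    Set-DlpCompliancePolicy -Identity $Policy -Mode Enable
    Get-DlpCompliancePolicy -Identity $Policy | Select-Object Name, Mode, Workload
}
# Enable-DlpEnforcement -Policy $policyName   # run on day 31, after reviewing the audit matches
```

Review the DLP activity in the Purview portal during the audit window; a high match count on an internal distribution list usually means the rule needs a narrower scope, not that users are leaking data.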

6. Microsoft Entra ID Protection — Risk-Based Sign-In Policies

Where to configure: Microsoft Entra ID > Security > Identity Protection

Available in: Microsoft 365 E3 with Entra ID P2 add-on; Microsoft 365 E5 (included)

Microsoft Entra ID Protection uses machine learning to detect anomalous sign-in behaviors in real time — impossible travel (login from New York and London within 30 minutes), unfamiliar sign-in properties, credential exposure in breach databases, and more.

Two critical policies to enable:

  • Sign-in Risk Policy — Triggers step-up authentication (additional MFA challenge) or blocks sign-in entirely when risk signals indicate potential compromise. Set the threshold to "Medium and above" to balance security with usability.
  • User Risk Policy — Identifies user accounts flagged as potentially compromised based on leaked credentials or behavioral anomalies. Automatically requires a secure password reset for high-risk users.

For organizations managing Microsoft 365 licensing across large user populations, Entra ID Protection provides automated response to credential-based attacks that would otherwise require manual intervention — a capability that directly reduces dwell time when accounts are targeted.
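The two risk policies above are implemented today as Conditional Access policies with risk conditions. The following is an added example, not code from the original post, using the Microsoft Graph PowerShell SDK. It assumes Entra ID P2 licensing (risk conditions require it), the Policy.ReadWrite.ConditionalAccess scope, and a placeholder break-glass account ID. Both policies start in report-only mode.

```powershell
# Added example, not from the original post. Assumes Microsoft.Graph.Identity.SignIns, Entra ID P2
# licences, and a placeholder break-glass account ID.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # PLACEHOLDER: emergency-access account object ID

# Common scope: all users except the emergency account, all cloud apps, all client types
$scope = @{
    clientAppTypes = @("all")
    applications   = @{ includeApplications = @("All") }
    users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
}

# Re-prompt on every sign-in while the risk condition holds, so a risky session is not cached
$everyTime = @{
    signInFrequency = @{
        isEnabled          = $true
        frequencyInterval  = "everyTime"
        authenticationType = "primaryAndSecondaryAuthentication"
    }
}

# Sign-in risk policy: medium or high sign-in risk -> step-up MFA ("Medium and above" threshold)
$signInRiskPolicy = @{
    displayName     = "CA010 - Sign-in risk medium and above requires MFA"
    state           = "enabledForReportingButNotEnforced"   # review, then set to "enabled"
    conditions      = $scope + @{ signInRiskLevels = @("medium", "high") }
    grantControls   = @{ operator = "OR"; builtInControls = @("mfa") }
    sessionControls = $everyTime
}

# User risk policy: high user risk -> MFA AND a secure password change
# (passwordChange must be combined with mfa using the AND operator)
$userRiskPolicy = @{
    displayName     = "CA011 - User risk high requires password change"
    state           = "enabledForReportingButNotEnforced"
    conditions      = $scope + @{ userRiskLevels = @("high") }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
    sessionControls = $everyTime
}

foreach ($p in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0} -> {1} ({2})" -f $created.DisplayName, $created.Id, $created.State
}
```

The password-change control only works for users who are registered for self-service password reset, so confirm SSPR registration coverage before moving the user risk policy out of report-only mode.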

7. Microsoft Intune — Mobile Device and Application Management

Where to configure: Microsoft Intune Admin Center (intune.microsoft.com)

Available in: Microsoft 365 Business Premium, E3, E5

The proliferation of personal devices accessing corporate email and data is one of the most significant unmanaged risk vectors in the modern workplace. When an employee accesses Microsoft 365 from a personal phone or an unmanaged laptop, your organization has no visibility or control over what happens to that data if the device is lost, stolen, or compromised.

Microsoft Intune provides device and application management across Windows, macOS, iOS, and Android. Key configurations to enable:

  • Compliance Policies — Define minimum security requirements for devices accessing corporate resources (PIN/password, OS version, encryption, no jailbreak). Non-compliant devices are blocked by Conditional Access.
  • App Protection Policies (MAM) — For personal devices (BYOD), App Protection Policies wrap Microsoft 365 apps in a managed container without enrolling the entire device. Corporate data in Outlook, Teams, and OneDrive can be wiped remotely without touching personal data.
  • Windows Autopilot — Automates the provisioning of new Windows devices with corporate security policies, removing the need for manual setup and ensuring every device is configured consistently from day one.
  • Endpoint security policies — Deploy Microsoft Defender for Endpoint configuration, disk encryption (BitLocker/FileVault), and firewall policies from Intune to all managed endpoints.

For organizations that have not yet deployed Intune, PSI's System and Infrastructure Modernization services include full Intune deployment and enrollment workflows.

8. Exchange Online — Block Legacy Authentication Protocols

Where to configure: Exchange Admin Center > Settings > Modern Authentication / Entra ID Conditional Access

Available in: All Microsoft 365 plans

Legacy authentication protocols — SMTP AUTH, POP3, IMAP, and basic authentication — are a primary attack vector in Microsoft 365 compromises. These protocols do not support multi-factor authentication, meaning that even with MFA enforced, an attacker who obtains a user's password can authenticate via IMAP and bypass your MFA entirely.

Microsoft has deprecated basic authentication for Exchange Online, but many tenants still have legacy protocols enabled for individual users or third-party applications that have not been updated.

Steps to eliminate legacy authentication:

  • Audit legacy authentication usage — Run sign-in log reports in Entra ID filtered by "Legacy Authentication Client" to identify users or apps currently authenticating via legacy protocols.
  • Migrate dependent applications — Identify printers, scanners, line-of-business applications, and shared mailboxes using SMTP AUTH and migrate them to OAuth 2.0 or certificate-based authentication.
  • Block via Conditional Access — Create a Conditional Access policy targeting "Other clients" (the designation for legacy auth clients) and set the action to Block. This closes the MFA bypass gap entirely.

This is one of the most commonly overlooked configurations in Microsoft 365 security audits. If your tenant has legacy authentication active, attackers likely know it too.
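The three steps above, carried out in PowerShell, as an added example that is not code from the original post: step 1 pulls the legacy-protocol sign-ins from the Entra ID sign-in log to build a migration worklist, step 2 (migrating printers and applications) is manual, and step 3 blocks at both the Exchange Online layer and the identity layer. It assumes the Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement modules and an account with AuditLog.Read.All, Policy.ReadWrite.ConditionalAccess and Exchange administrator rights.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph.Reports,
# Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement modules.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module ExchangeOnlineManagement
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"
Connect-ExchangeOnline

# --- Step 1: audit. clientAppUsed values the sign-in log reports for legacy (basic auth) protocols
$legacyClients = @("Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync", "Exchange Online PowerShell",
                   "Exchange Web Services", "IMAP4", "MAPI Over HTTP", "Offline Address Book",
                   "Other clients", "POP3", "Reporting Web Services")

$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$clause = ($legacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join " or "
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and ($clause)" -All

# One row per user/protocol pair: this is the worklist for step 2 (migrate each dependency to OAuth 2.0)
$worklist = $legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object { [pscustomobject]@{ User = $_.Values[0]; Protocol = $_.Values[1]; SignIns = $_.Count } } |
    Sort-Object SignIns -Descending
$worklist | Format-Table -AutoSize

# --- Step 3a: block at the Exchange layer. SMTP AUTH off tenant-wide, then POP3/IMAP4/SMTP AUTH
# off on every user mailbox (a migrated device that truly needs SMTP AUTH gets a per-mailbox exception).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Set-CASMailbox -Identity $_.UserPrincipalName -PopEnabled $false -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled $true
}

# A new authentication policy with no AllowBasicAuth* switches set blocks Basic auth for every
# protocol; making it the organization default also covers mailboxes created later.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# --- Step 3b: block at the identity layer. The "Other clients" and ActiveSync client types are
# the legacy auth designations in Conditional Access; this closes the MFA bypass for all apps.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # enable once the worklist above is empty
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Run the step 1 query again a week after enforcement: any remaining rows are devices or applications that were missed in step 2, and their failed sign-ins will now appear as blocked by the Conditional Access policy.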

9. Microsoft 365 Audit Logging and Unified Audit Log

Where to configure: Microsoft Purview Compliance Portal > Audit

Available in: All Microsoft 365 plans (retention duration varies by license)

You cannot investigate what you cannot see. Microsoft 365 Unified Audit Logging captures user activity, administrator actions, mailbox access events, file operations in SharePoint and OneDrive, Teams messages, and login events — all in a centralized, searchable log.

Critical audit log configurations:

  • Enable Unified Audit Logging — Confirm it is active in the Compliance Portal. In newer tenants it is on by default, but older tenants may have it disabled.
  • Extend retention periods — Default retention is 90 days for most plans. Microsoft 365 E5 includes one-year retention natively. Organizations subject to compliance frameworks like CMMC, HIPAA, or SEC regulations typically require 1–7 years of log retention. Consider Microsoft Purview Audit (Premium) or a third-party SIEM for extended retention.
  • Set up audit alerts — Configure automated alerts for high-risk events: admin role elevation, bulk mailbox access (indicating potential email exfiltration), mass file deletion in SharePoint, and external forwarding rules created on user mailboxes.
  • Monitor for mailbox forwarding rules — Attackers frequently configure auto-forwarding rules to exfiltrate email to external addresses after compromising an account. Alert on any new external forwarding rule creation.

Audit logs are also the primary evidence source during a security incident investigation. Without them, breach scope, attacker dwell time, and data exfiltration volume are impossible to determine — significantly increasing remediation costs and regulatory exposure.
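A detection for the external forwarding rules described above, written as an added example that is not code from the original post. The function takes records in the shape returned by Search-UnifiedAuditLog (each carrying an AuditData JSON string), pulls the ForwardTo, ForwardAsAttachmentTo and RedirectTo parameters out of New-InboxRule and Set-InboxRule events, and reports any target whose domain is not in your internal domain list. The two sample records, the domains and the IP addresses are constructed for illustration; the live calls at the end assume the ExchangeOnlineManagement module.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module for the
# live calls; the sample audit records, domains and IP addresses below are constructed.
Import-Module ExchangeOnlineManagement

function Find-ExternalForwardingRules {
    param(
        # Records shaped like Search-UnifiedAuditLog output: each has an AuditData JSON string
        [Parameter(Mandatory)] [object[]] $AuditRecords,
        # Domains that count as internal; any other forwarding target is reported
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    $forwardingParams = @("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
    foreach ($record in $AuditRecords) {
        $data = $record.AuditData | ConvertFrom-Json
        if ($data.Operation -notin @("New-InboxRule", "Set-InboxRule")) { continue }
        $hits = $data.Parameters | Where-Object { $_.Name -in $forwardingParams }
        foreach ($param in $hits) {
            foreach ($target in ($param.Value -split ";")) {
                # Values look like "Display Name" [SMTP:user@domain] or a bare address
                $address = if ($target -match '\[SMTP:([^\]]+)\]') { $Matches[1] } else { $target.Trim().Trim('"') }
                $domain  = ($address -split "@")[-1].ToLowerInvariant()
                if ($domain -and ($domain -notin $InternalDomains)) {
                    [pscustomobject]@{
                        When     = $data.CreationTime
                        Mailbox  = $data.UserId
                        RuleName = ($data.Parameters | Where-Object Name -eq "Name").Value
                        Action   = $param.Name
                        Target   = $address
                        ClientIP = $data.ClientIP
                    }
                }
            }
        }
    }
}

# Constructed sample records (same shape as Search-UnifiedAuditLog output; not real tenant data).
# The first forwards internally and is ignored; the second forwards externally and is reported.
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-02T09:14:33","Operation":"New-InboxRule","UserId":"jdoe@contoso.example","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"\"Archive\" [SMTP:archive@contoso.example]"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-02T09:21:07","Operation":"New-InboxRule","UserId":"jdoe@contoso.example","ClientIP":"198.51.100.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardAsAttachmentTo","Value":"\"mail\" [SMTP:mail@external-example.test]"},{"Name":"DeleteMessage","Value":"True"}]}' }
)
$findings = Find-ExternalForwardingRules -AuditRecords $sampleRecords -InternalDomains @("contoso.example")
$findings | Format-Table -AutoSize

# Live usage, after Connect-ExchangeOnline:
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true        # confirm the unified log is on
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#             -Operations "New-InboxRule", "Set-InboxRule" -ResultSize 5000
# Find-ExternalForwardingRules -AuditRecords $live -InternalDomains @("contoso.example")
# Mailbox-level forwarding set by an admin is a separate property, not an inbox rule:
# Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingSmtpAddress } |
#     Select-Object UserPrincipalName, ForwardingSmtpAddress
```

Schedule the live query daily and route its output to the same channel as your other alerts; the ClientIP column is the first pivot for the investigation, since a rule created from an address the user has never signed in from is the typical post-compromise pattern this section warns about.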

10. External Sharing Controls — Govern Collaboration Without Exposing Data

Where to configure: SharePoint Admin Center > Policies > Sharing; Microsoft 365 Admin Center > Settings > Org Settings > Microsoft 365 Groups

Available in: All Microsoft 365 plans

SharePoint Online, OneDrive, and Microsoft Teams enable seamless collaboration — including with external partners, vendors, and clients. Without properly configured sharing controls, however, that same openness becomes a data leakage vector.

Microsoft 365 external sharing operates on a spectrum from "Anyone with the link" (maximum exposure) to "Only people in your organization" (maximum restriction). Most organizations need a middle path: enabling controlled collaboration with verified external partners while blocking anonymous link sharing.

Recommended external sharing configuration:

  • SharePoint and OneDrive sharing level — Set to "New and existing guests" (requires guest accounts) rather than "Anyone" (anonymous access). This ensures all external sharing is tied to authenticated identities.
  • Guest access expiration — Configure guest accounts to expire after 90–180 days and require periodic access review. Unused guest accounts accumulate silently and expand your attack surface.
  • Sensitivity labels on Teams and SharePoint sites — Apply Microsoft Purview sensitivity labels to classify sites and Teams as Internal, Confidential, or Highly Confidential. Labels automatically enforce appropriate sharing restrictions.
  • Restrict external sharing by domain — In SharePoint Admin Center, configure an allowlist of approved partner domains. Sharing with unapproved external domains is blocked, preventing accidental or malicious data exposure.
  • Link expiration for "Anyone" links — If your business model requires anonymous sharing for specific use cases, set mandatory expiration dates (7–30 days) and password requirements for all "Anyone" links.
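The recommended tenant-level configuration above, applied with the SharePoint Online Management Shell, as an added example that is not code from the original post. The script snapshots the current settings, applies the hardened values (authenticated guests only, a partner-domain allowlist, guest expiration, and a mandatory expiry for any "Anyone" link that a specific case later re-enables), then runs a small posture check you can reuse against any tenant. The tenant admin URL and the partner domains are placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint Administrator; the admin URL and partner domains are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # PLACEHOLDER tenant admin URL

$watched = @("SharingCapability", "SharingDomainRestrictionMode", "SharingAllowedDomainList",
             "DefaultSharingLinkType", "ExternalUserExpirationRequired", "ExternalUserExpireInDays",
             "RequireAnonymousLinksExpireInDays")

# Snapshot first so the change can be reviewed and rolled back
$before = Get-SPOTenant | Select-Object $watched

# Hardened values matching the recommendations above
$hardened = @{
    SharingCapability                 = "ExternalUserSharingOnly"   # "New and existing guests": no anonymous links
    SharingDomainRestrictionMode      = "AllowList"
    SharingAllowedDomainList          = "partner-one.example partner-two.example"   # PLACEHOLDER, space-separated
    DefaultSharingLinkType            = "Internal"                  # new links default to people in the organization
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 90                          # guest access expires unless renewed
    RequireAnonymousLinksExpireInDays = 30                          # applies only if "Anyone" links are re-enabled
}
Set-SPOTenant @hardened

# Sites holding regulated data can be locked down further than the tenant default
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled   # PLACEHOLDER site

function Test-SharingPosture {
    # Returns the findings for a Get-SPOTenant result; an empty result means the checklist passes
    param([Parameter(Mandatory)] $Tenant)
    $findings = @()
    if ($Tenant.SharingCapability -eq "ExternalUserAndGuestSharing") {
        $findings += "Anonymous 'Anyone' links are allowed tenant-wide"
    }
    if ($Tenant.SharingDomainRestrictionMode -ne "AllowList") {
        $findings += "No partner-domain allowlist; sharing to any external domain is possible"
    }
    if (-not $Tenant.ExternalUserExpirationRequired) {
        $findings += "Guest access never expires"
    }
    if ($Tenant.RequireAnonymousLinksExpireInDays -le 0) {
        $findings += "'Anyone' links have no mandatory expiry"
    }
    return $findings
}

$after = Get-SPOTenant | Select-Object $watched
"Before:"; $before | Format-List
"After:";  $after  | Format-List
"Remaining findings:"; Test-SharingPosture -Tenant (Get-SPOTenant)
```

Run Test-SharingPosture as part of the weekly Secure Score review from setting 4; a new finding after a clean run means someone changed the tenant setting, which is exactly the configuration drift that review is meant to catch.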

The Security Configuration Reality Check: Are You Protected?

Here is a quick self-assessment to benchmark your current Microsoft 365 security posture:

Security Control                                                    Status
MFA enforced for all users including admins                         ✅ / ❌
Conditional Access policies blocking legacy auth                    ✅ / ❌
Defender for Office 365 Safe Links and Safe Attachments active      ✅ / ❌
Microsoft Secure Score above 60%                                    ✅ / ❌
DLP policies active for regulated data types                        ✅ / ❌
Entra ID Protection risk policies enabled                           ✅ / ❌
Intune device compliance policies deployed                          ✅ / ❌
Legacy authentication protocols blocked                             ✅ / ❌
Unified Audit Logging enabled with alert rules                      ✅ / ❌
External sharing restricted to authenticated guests only            ✅ / ❌

If you checked fewer than 7 of these, your Microsoft 365 environment has exploitable security gaps that require immediate attention.

Microsoft Licensing and Security: Getting the Right Coverage

Several of the controls above — Conditional Access, Defender for Office 365, Intune, and Entra ID Protection — require specific Microsoft 365 license tiers to access. Before investing in configuration work, it is worth confirming your current license tier includes the tools you need.

Here is a brief mapping:

Security Feature Business Basic Business Premium E3 E5
MFA / Security Defaults
Conditional Access
Defender for Office 365 P1 Add-on
Microsoft Intune
Entra ID Protection Add-on
Microsoft Purview DLP Limited
Advanced Audit (1-year retention)

If you are running Business Basic or E1 and expecting enterprise-grade security coverage, there is a significant capability gap. Conversely, if you are paying for E5 but have not configured these features, you are funding tools you are not using.

PSI's Microsoft licensing team helps organizations align their license tier to their actual security requirements — neither overpaying for unused features nor underpaying and leaving critical protections off the table. Explore our Microsoft 365 licensing solutions to see how we can help right-size your subscription.

Frequently Asked Questions

Most of these settings can be configured in 4–8 hours by an experienced Microsoft 365 administrator. MFA, Security Defaults, and audit logging can be enabled in under 30 minutes each. More complex deployments — Intune device enrollment, Conditional Access policy frameworks, and DLP policy design — typically require 1–3 days of focused effort depending on organizational complexity.

Not necessarily. Microsoft 365 Business Premium provides most of the critical security controls — Defender for Office 365 Plan 1, Intune, Conditional Access, and Entra ID P1 — at a price point well below E5. As of 2026, Business Premium is listed at approximately $22/user/month (check Microsoft's current pricing page for the latest rates, as pricing is subject to change). E5 adds advanced threat hunting, Defender for Office 365 Plan 2, and extended audit retention. For most SMBs, Business Premium is the right security baseline. E5 is appropriate for organizations with dedicated security operations teams or stringent compliance requirements.

Security Defaults are a simplified, one-click MFA enforcement setting designed for organizations without dedicated IT staff. Conditional Access provides granular, policy-based control over every authentication decision. For organizations with more than 10 users, contractors, remote workers, or compliance requirements, Conditional Access is the recommended approach — it provides the flexibility Security Defaults lack while enforcing a true Zero Trust posture.

Yes. PSI's Managed Services and Cybersecurity teams provide Microsoft 365 security configuration, Conditional Access policy design, Intune deployment, and ongoing security monitoring for organizations in Washington D.C., Virginia, Maryland, and nationwide. We begin with a Microsoft Secure Score baseline assessment and prioritize configurations by risk reduction impact.

Many of these 10 controls directly satisfy CMMC Level 2 and HIPAA Security Rule requirements. MFA and Conditional Access address access control requirements. DLP and sensitivity labels address data protection obligations. Audit logging addresses audit and accountability controls. For defense contractors pursuing CMMC certification or healthcare organizations maintaining HIPAA compliance, a properly configured Microsoft 365 tenant is foundational — not supplemental — to your compliance posture.

Conclusion: Security You Already Own, Waiting to Be Activated

The 10 security settings covered in this guide represent the highest-impact, lowest-cost security investments available to any Microsoft 365 organization. Most of them are already included in your subscription. None of them require additional software purchases. All of them meaningfully reduce your exposure to the credential attacks, phishing campaigns, data leaks, and compliance failures that are targeting businesses of every size in 2026.

The organizations that get breached are not always the ones with the smallest security budgets. They are frequently the ones who owned the right tools and never turned them on.

Your Microsoft 365 tenant contains a security arsenal. This guide is your activation checklist.

Ready to Secure your Microsoft 365 Environment?

Contact PSI to schedule a Microsoft Secure Score baseline assessment and security configuration review. Our team works directly with senior engineers — not account managers — to deliver configurations that protect your data, satisfy your compliance requirements, and align with your actual Microsoft 365 licensing investment.

Schedule Your Microsoft 365 Security Assessment
