
Securing Microsoft 365 for Small Business

November 20, 2025

Microsoft 365 (formerly Office 365) is powerful, but its default configuration leaves significant security gaps. Most small businesses don't realize they're vulnerable until after a breach. These essential configurations dramatically improve your security posture.

The Problem with Default Settings

Out of the box, Microsoft 365 prioritizes ease of use over security:

  • Multi-factor authentication is optional (not enforced)
  • Legacy authentication protocols remain enabled
  • Users can share files externally with anyone
  • Audit logging isn't enabled for many activities
  • Advanced threat protection features aren't activated
  • Email forwarding rules aren't restricted

These defaults make sense for Microsoft—they reduce support calls from frustrated users. But they create opportunities for attackers.

Essential Security Configurations

1. Enforce Multi-Factor Authentication (MFA)

Priority: CRITICAL

Enable MFA for all users, especially administrators. This single change blocks 99.9% of account compromise attacks.

How to enable:

  • Admin center → Azure Active Directory → Security → Conditional Access
  • Create policy requiring MFA for all users
  • Use authentication app (not SMS) for best security
  • Configure trusted locations if needed (e.g., office IP address)

Pro tip: Start with administrators and executives, then roll out to all users within 30 days.

2. Block Legacy Authentication

Priority: HIGH

Legacy authentication (basic username/password authentication used by older clients over protocols such as POP3, IMAP, and SMTP) doesn't support MFA. Attackers love these protocols because a stolen password works without the second factor ever being requested.

How to disable:

  • Azure AD → Security → Conditional Access
  • Create policy blocking legacy authentication
  • First identify apps using legacy auth (may require updates)
  • Modern authentication works with Outlook, mobile apps, etc.
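To check whether these two controls (MFA required for everyone, legacy authentication blocked) are actually enforced rather than sitting in report-only mode, the following Python script is an added example and not code from the original article. It evaluates Conditional Access policies in the JSON shape returned by Microsoft Graph (GET /identity/conditionalAccess/policies: displayName, state, conditions, grantControls); the two sample policies embedded in it are constructed, and the script does not call the API itself.

```python
"""Audit exported Conditional Access policies for MFA-for-all and a legacy-auth block.

Added example. Input is a list of policy objects in Microsoft Graph's
conditionalAccessPolicy shape; SAMPLE_POLICIES below is constructed data.
"""

# Constructed sample export: the MFA policy is still in report-only mode.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",   # report-only, not enforced
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [],
                      "excludeGroups": ["break-glass-group-id"]},   # constructed group id
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            # Graph's two client app types that represent legacy authentication
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}


def _enforced(policy):
    # Only "enabled" counts; report-only and disabled policies change nothing.
    return policy.get("state") == "enabled"


def _targets_all_users(policy):
    users = policy.get("conditions", {}).get("users", {})
    return "All" in users.get("includeUsers", [])


def _targets_all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def requires_mfa_for_all(policy):
    """True if an enforced policy requires MFA for all users on all cloud apps."""
    return (_enforced(policy) and _targets_all_users(policy)
            and _targets_all_apps(policy) and "mfa" in _controls(policy))


def blocks_legacy_auth(policy):
    """True if an enforced policy blocks both legacy client app types for all users."""
    client_types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return (_enforced(policy) and _targets_all_users(policy)
            and LEGACY_CLIENT_TYPES <= client_types and "block" in _controls(policy))


def audit_conditional_access(policies):
    """Return gaps, report-only policies, and exclusions that deserve a review."""
    gaps = []
    if not any(requires_mfa_for_all(p) for p in policies):
        gaps.append("no enforced policy requires MFA for all users")
    if not any(blocks_legacy_auth(p) for p in policies):
        gaps.append("no enforced policy blocks legacy authentication")
    report_only = [p["displayName"] for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"]
    exclusions = {}
    for p in policies:
        users = p.get("conditions", {}).get("users", {})
        excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if excluded:
            exclusions[p["displayName"]] = excluded
    return {"gaps": gaps, "report_only": report_only, "exclusions": exclusions}


if __name__ == "__main__":
    for line in audit_conditional_access(SAMPLE_POLICIES)["gaps"]:
        print("GAP:", line)
```

Run it against a real export (for example, the JSON saved from the Graph Explorer or the Microsoft Graph PowerShell module) and treat every entry under "gaps" as a finding; the "exclusions" map is there because excluded groups are the usual way MFA silently stops applying to someone.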

3. Enable Advanced Threat Protection (ATP/Defender)

Priority: HIGH

Microsoft Defender for Office 365 (formerly ATP) provides critical email security features.

Key features to enable:

  • Safe Links: Scans URLs at click time for malicious content
  • Safe Attachments: Opens attachments in a sandbox before delivery
  • Anti-phishing policies: Protects against impersonation and spoofing
  • Anti-malware: Enhanced detection beyond basic filtering

Note: Requires Microsoft 365 Business Premium or E3/E5 license.

4. Configure Data Loss Prevention (DLP)

Priority: MEDIUM-HIGH

Prevent sensitive information from being shared inappropriately.

Common DLP policies for small business:

  • Block emails containing Social Security numbers externally
  • Prevent sharing files containing credit card numbers
  • Restrict forwarding of emails marked confidential
  • Alert when sensitive documents are shared publicly

For aerospace/defense contractors: Create policies for ITAR and CUI data.
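The first two policies above come down to content matching, and the difference between a useful DLP rule and a noisy one is the validity check behind the pattern. The following Python script is an added example, not code from the original article or from Microsoft's DLP engine: it detects Social Security numbers and payment card numbers with the same kind of checks a built-in sensitive information type applies (SSN area/group/serial rules, Luhn checksum for card numbers) and decides whether a message bound for an external domain should be blocked. The sample message and domain names are constructed.

```python
"""Minimal DLP content classifier for SSNs and payment card numbers (added example)."""
import re

# Candidate patterns; each match is validated before it is reported.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators


def ssn_plausible(area, group, serial):
    """Reject SSNs that can never be issued: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text):
    """Return findings with the sensitive value masked (never log the full value)."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append({"type": "ssn", "masked": "***-**-" + m.group(3)})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({"type": "credit_card",
                             "masked": "*" * (len(digits) - 4) + digits[-4:]})
    return findings


def dlp_decision(text, recipient_domain, internal_domains):
    """'block' when sensitive content would leave the organization, else 'allow'."""
    if recipient_domain.lower() in internal_domains:
        return "allow"                      # internal mail is not in scope of this rule
    return "block" if scan_message(text) else "allow"


# Constructed sample message: one real-looking SSN, one test card number that
# passes Luhn, one number that fails Luhn, and one SSN with an invalid area.
SAMPLE_EMAIL = ("Hi, my SSN is 123-45-6789 and the card is 4111 1111 1111 1111. "
                "Order ref 1234-5678-9012-3456, old file 000-12-3456.")

if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))
    print(dlp_decision(SAMPLE_EMAIL, "partner.example", {"corp.example"}))
```

The order reference and the 000- number are deliberately present to show why the checks matter: a plain digit pattern would flag both, which is exactly the kind of false positive that makes users ask for a DLP policy to be switched off.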

5. Restrict External Sharing

Priority: MEDIUM

By default, users can share SharePoint and OneDrive files with anyone, including anonymous links.

Recommended settings:

  • Limit external sharing to specific domains (e.g., trusted partners)
  • Require authentication for external access
  • Disable anonymous links or set expiration (e.g., 30 days)
  • Block downloads from unmanaged devices
  • Enable audit logging for external sharing activities

6. Enable Audit Logging

Priority: MEDIUM

Audit logs track user activities and are essential for investigating security incidents.

What to log:

  • User sign-ins and sign-in failures
  • File access and downloads
  • Permission changes
  • Mailbox access by non-owners
  • Email forwarding rule creation
  • Admin activities

Retention: Keep logs for at least 90 days (365 days for compliance)

7. Configure Email Forwarding Controls

Priority: MEDIUM

Attackers often create forwarding rules to exfiltrate data or monitor communications.

Best practices:

  • Disable automatic forwarding to external addresses
  • Alert administrators when forwarding rules are created
  • Periodically review existing forwarding rules
  • Use transport rules to block or redirect external forwarding
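Audit logging (section 6) and forwarding controls (section 7) meet in the unified audit log: every New-InboxRule, Set-InboxRule and Set-Mailbox operation is recorded there with its parameters, so the "alert administrators when forwarding rules are created" bullet can be implemented as a check over those records. The following Python script is an added example, not code from the original article: it reads audit records in the AuditData JSON shape that Search-UnifiedAuditLog returns for Exchange admin operations (CreationTime, Operation, UserId, Parameters as Name/Value pairs), extracts every address named in a forwarding-related parameter, and raises an alert when the address is outside the tenant's accepted domains. The four records and the domain names are constructed for the demonstration.

```python
"""Detect inbox rules and mailbox settings that forward mail externally (added example)."""
import json
import re

# Constructed tenant facts: replace with your accepted domains.
INTERNAL_DOMAINS = {"contoso-example.com"}

# Exchange admin operations whose parameters can turn a mailbox into a forwarder.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample records, one JSON object per line, in the AuditData shape
# of ExchangeAdmin entries from the unified audit log.
SAMPLE_AUDIT_LINES = [
    json.dumps({"CreationTime": "2025-11-18T08:12:03", "Operation": "New-InboxRule",
                "UserId": "alice@contoso-example.com", "Workload": "Exchange",
                "Parameters": [{"Name": "Name", "Value": "Backup"},
                               {"Name": "ForwardTo", "Value": "smtp:a.backup@webmail-example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2025-11-18T09:40:21", "Operation": "Set-InboxRule",
                "UserId": "bob@contoso-example.com", "Workload": "Exchange",
                "Parameters": [{"Name": "Identity", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"CreationTime": "2025-11-18T10:02:55", "Operation": "Set-Mailbox",
                "UserId": "admin@contoso-example.com", "Workload": "Exchange",
                "Parameters": [{"Name": "Identity", "Value": "bob"},
                               {"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:carol@contoso-example.com"}]}),
    json.dumps({"CreationTime": "2025-11-18T11:15:40", "Operation": "New-InboxRule",
                "UserId": "dave@contoso-example.com", "Workload": "Exchange",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "RedirectTo", "Value": "smtp:billing@partner-example.org"}]}),
]


def parse_audit_lines(lines):
    """Parse one JSON audit record per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def forwarding_targets(record):
    """Collect every e-mail address named in a forwarding-related parameter."""
    targets = []
    for param in record.get("Parameters", []):
        if param.get("Name") in FORWARDING_PARAMS:
            targets.extend(EMAIL_RE.findall(param.get("Value", "")))
    return targets


def detect_external_forwarding(records, internal_domains=INTERNAL_DOMAINS):
    """Return one alert per record that forwards or redirects mail outside the tenant."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        external = [t for t in forwarding_targets(rec)
                    if t.rsplit("@", 1)[1].lower() not in internal_domains]
        if not external:
            continue
        # A rule that also deletes the original hides the forwarding from the mailbox owner.
        deletes = any(p.get("Name") == "DeleteMessage" and p.get("Value") == "True"
                      for p in rec.get("Parameters", []))
        alerts.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                       "operation": rec["Operation"], "external_targets": external,
                       "deletes_original": deletes,
                       "severity": "high" if deletes else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_external_forwarding(parse_audit_lines(SAMPLE_AUDIT_LINES)):
        print(alert)
```

Internal forwarding (the Set-Mailbox record) is left alone on purpose; what matters for exfiltration is the destination domain, and reviewing the medium and high alerts is the "periodically review existing forwarding rules" step in practice. Note that this only works if auditing was enabled before the rule was created, which is why section 6 comes first.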

8. Implement Retention Policies

Priority: MEDIUM (Higher for regulated industries)

Retention policies ensure emails and documents are kept or deleted according to legal/compliance requirements.

Common retention schedules:

  • Email: 7 years (general business)
  • Contracts: 7-10 years after expiration
  • Financial records: 7 years
  • Quality records (aerospace): Per AS9100 requirements
  • Employee records: 7 years after termination

9. Configure Mobile Device Management (MDM)

Priority: MEDIUM

Control how company data is accessed from mobile devices.

Key policies:

  • Require device encryption
  • Enforce PIN/password on mobile devices
  • Enable remote wipe capability
  • Block rooted or jailbroken devices
  • Require updated operating systems

10. Review Administrator Roles

Priority: HIGH

Too many admin accounts increase risk. Follow the principle of least privilege.

Best practices:

  • Limit Global Administrators to 2-5 people maximum
  • Use specific role assignments (Exchange Admin, SharePoint Admin, etc.)
  • Require separate admin accounts (don't use daily accounts for admin tasks)
  • Enable Privileged Identity Management for just-in-time admin access
  • Review and remove unnecessary admin rights quarterly
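The quarterly review in the last bullet is easiest when it is a script run over an export rather than a manual walk through the admin center. The following Python script is an added example, not code from the original article: it applies the rules above (2-5 Global Administrators, separate admin accounts, just-in-time rather than permanent Global Administrator assignments) to a flattened list of role assignments. The assignment records, the set of daily-use accounts and the break-glass account are constructed; a real run would build them from Microsoft Graph directory role membership and PIM eligibility data.

```python
"""Quarterly admin role review against the least-privilege rules above (added example)."""

MAX_GLOBAL_ADMINS = 5   # upper bound from the recommendation above
MIN_GLOBAL_ADMINS = 2   # at least two so one lockout cannot strand the tenant

# Constructed sample: role assignments flattened to the fields this check needs.
# "type" is "permanent" for a standing assignment, "eligible" for a PIM-activated one.
SAMPLE_ASSIGNMENTS = [
    {"upn": "ga-jane@contoso-example.com", "role": "Global Administrator", "type": "permanent"},
    {"upn": "breakglass@contoso-example.com", "role": "Global Administrator", "type": "permanent"},
    {"upn": "bob@contoso-example.com", "role": "Global Administrator", "type": "permanent"},
    {"upn": "ga-sam@contoso-example.com", "role": "Global Administrator", "type": "eligible"},
    {"upn": "exadmin-lee@contoso-example.com", "role": "Exchange Administrator", "type": "eligible"},
]
# Constructed: UPNs that are also licensed, daily-use mailboxes.
DAILY_USE_ACCOUNTS = {"bob@contoso-example.com", "alice@contoso-example.com"}
# Constructed: the emergency-access account that is allowed a standing assignment.
BREAK_GLASS_ACCOUNTS = {"breakglass@contoso-example.com"}


def review_admin_roles(assignments, daily_use_accounts, break_glass_accounts):
    """Return a list of human-readable findings; an empty list means no deviations."""
    findings = []
    global_admins = {a["upn"] for a in assignments if a["role"] == "Global Administrator"}
    if len(global_admins) > MAX_GLOBAL_ADMINS:
        findings.append(f"{len(global_admins)} Global Administrators exceeds "
                        f"the limit of {MAX_GLOBAL_ADMINS}")
    if len(global_admins) < MIN_GLOBAL_ADMINS:
        findings.append(f"fewer than {MIN_GLOBAL_ADMINS} Global Administrators: "
                        "no backup account for lockout recovery")
    for a in assignments:
        # Admin rights on the account used for mail and browsing: one phish away from the tenant.
        if a["upn"] in daily_use_accounts:
            findings.append(f"{a['upn']} holds {a['role']} on a daily-use account; "
                            "use a separate admin account")
        # Standing Global Administrator should be the break-glass account only.
        if (a["role"] == "Global Administrator" and a["type"] == "permanent"
                and a["upn"] not in break_glass_accounts):
            findings.append(f"{a['upn']} has permanent Global Administrator; "
                            "make it PIM-eligible (just-in-time)")
    return findings


if __name__ == "__main__":
    for finding in review_admin_roles(SAMPLE_ASSIGNMENTS, DAILY_USE_ACCOUNTS, BREAK_GLASS_ACCOUNTS):
        print("FINDING:", finding)
```

The break-glass exemption is deliberate: the emergency-access account needs a standing assignment precisely because PIM, Conditional Access or MFA may be what has broken, so it is excluded from the just-in-time rule and should instead be covered by a sign-in alert.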

Additional Recommendations

Enable Microsoft Secure Score

Microsoft Secure Score provides a dashboard showing your security posture and recommendations for improvement.

How to access: Microsoft 365 Security Center → Secure Score

Goal: Aim for a Secure Score above 70% (most small businesses start around 30-40%)

Configure External Email Warnings

Add warning banners to emails from external senders to reduce phishing success.

Example banner: "⚠️ EXTERNAL: This email originated outside your organization. Exercise caution with links and attachments."

Enable Alert Policies

Configure alerts for suspicious activities:

  • Unusual number of files downloaded
  • User sends email to a large number of recipients
  • Elevation of user permissions
  • Malware detection
  • Forwarding rule creation

License Considerations

Security features vary by Microsoft 365 license tier:

Business Basic ($6/user/month):

  • Basic email security
  • Basic MFA
  • SharePoint/OneDrive

Business Standard ($12.50/user/month):

  • Everything in Basic
  • Desktop Office apps
  • Better email security

Business Premium ($22/user/month) - RECOMMENDED:

  • Everything in Standard
  • Microsoft Defender for Office 365
  • Advanced Threat Protection
  • Conditional Access policies
  • Intune device management

For most small businesses, Business Premium provides the best security-to-cost ratio.

Implementation Timeline

Week 1: Enable MFA for admins and executives
Week 2: Roll out MFA to all users
Week 3: Block legacy authentication
Week 4: Enable Advanced Threat Protection features
Week 5-6: Configure DLP, external sharing, and audit logging
Week 7-8: Implement mobile device policies and review admin roles
Ongoing: Monitor Secure Score and alerts, adjust policies as needed

The Bottom Line

Microsoft 365 is a powerful productivity platform, but it requires proper security configuration. Don't rely on defaults—they prioritize convenience over security. By implementing these configurations, you'll dramatically reduce your risk of account compromise, data loss, and compliance violations.

For aerospace and defense contractors subject to CMMC or NIST 800-171, many of these configurations are required, not optional. Start securing your Microsoft 365 environment today.

Need Help Securing Microsoft 365?

We can audit your current Microsoft 365 configuration, implement security best practices, and provide ongoing monitoring.
