Microsoft 365 is the dominant business productivity platform for UK small and medium-sized businesses. The majority of small organisations with up to 100 staff use it for email, document storage, collaboration, and increasingly for core business applications. For most of these organisations, the security of Microsoft 365 is the security of their most critical business data.
Microsoft provides a feature called Security Defaults — a set of baseline security settings that can be applied to a 365 tenancy in a single click. Security Defaults are better than nothing. They are considerably less than sufficient. This guide explains what Security Defaults cover, what they leave exposed, and what a properly hardened Microsoft 365 configuration looks like for a small business.
What Microsoft 365 Security Defaults Actually Do
Security Defaults, when enabled, apply four core changes to a Microsoft 365 tenancy:
- Require every user to register for MFA (users get 14 days from their next interactive sign-in to complete it; registration is not the same as being challenged on every sign-in)
- Enforce MFA for administrator accounts
- Block legacy authentication protocols, that is, clients that use basic authentication and therefore cannot complete an MFA challenge
- Prompt users for MFA when Microsoft judges it necessary, for example on a sign-in from a new device or application, and for privileged tasks such as access to the Azure portal
These are meaningful controls. Blocking legacy authentication alone closes a significant attack vector: attackers actively look for tenancies where basic authentication over protocols such as IMAP, POP3 and SMTP AUTH still works, because a client using basic authentication presents a username and password and is never asked for a second factor, which is exactly what a password-spray or credential-stuffing tool needs. Enforcing MFA for administrator accounts protects the accounts that, if compromised, provide complete control of the tenancy.
But Security Defaults are a starting point, not a security posture. Here is what they leave uncovered.
MFA Is Required at Registration, Not Enforced for All Logins
Under Security Defaults, users are required to register for MFA, not to pass an MFA challenge on every sign-in. A user has 14 days from the first prompt to complete registration and can keep working without MFA during that window; after it, sign-in is blocked until registration is done. Once registered, the user is challenged only when Microsoft decides a sign-in needs it, such as from a new device or application. Two gaps follow. Accounts that have not signed in interactively since Security Defaults were enabled, such as dormant accounts or shared accounts that are still used with a password, may never have registered at all. And because the "when necessary" decision is Microsoft's rather than yours, you cannot see or tune when a registered user is actually challenged. An organisation that enabled Security Defaults six months ago and has never checked the registration report may have both problems.
Properly enforced MFA, via Conditional Access policies, which require at least an Entra ID P1 licence, applies to every sign-in in scope with no grace period and with only the exclusions you define yourself, typically a single break-glass account. Security Defaults and Conditional Access are mutually exclusive: you disable Security Defaults when you switch to Conditional Access, so the policies that replace them should be built and tested in report-only mode first. The difference between "prompted to register" and "cannot sign in without MFA" is significant in a credential phishing scenario.
No Conditional Access Controls
Security Defaults don't provide Conditional Access, the ability to set authentication requirements based on context. Conditional Access lets you block authentication entirely from countries you do not operate in, require a compliant or hybrid-joined device for access to sensitive data, require phishing-resistant methods (an authentication strength) for administrators, and apply stronger requirements to administrator accounts than to standard users.
Without Conditional Access, your MFA policy is binary: it applies the same way regardless of whether a user is on your office network or authenticating from a residential IP in an unfamiliar country. Context-aware policies let you add controls where the risk is higher. Use them to add, not to subtract: exempting the office network from MFA is a common configuration and a weak one, because an attacker who gets onto that network, or onto a device that is already on it, inherits the exemption.
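The two steps above, finding who has actually registered and then replacing Security Defaults with enforced policies, as an added example in Microsoft Graph PowerShell. This is not code from the original article or from Microsoft; the break-glass account name, the policy names and the assumption that the tenancy holds Entra ID P1 are all illustrative and should be replaced with your own.

```powershell
# Added example, not part of the original article. Requires the Microsoft.Graph
# PowerShell SDK and an account that can consent to the scopes below. Assumptions:
# a break-glass account breakglass@contoso.onmicrosoft.com exists, and the tenancy
# has Entra ID P1 (included in Business Premium) so Conditional Access is available.
Connect-MgGraph -Scopes "Reports.Read.All", "User.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. The registration gap. Anyone listed here cannot satisfy an MFA challenge today,
#    whatever policy you enforce; they must register before the policy goes live.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All -Filter "isMfaRegistered eq false" |
    Select-Object UserPrincipalName, IsMfaCapable, DefaultMfaMethod
Write-Host "$(@($unregistered).Count) user(s) have not registered for MFA:"
$unregistered | Format-Table -AutoSize

# 2. The one account the policies must never lock out.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw "Create the break-glass account before enabling an all-users MFA policy." }

# 3. Policy A: MFA for every user and every app. Report-only first, so the sign-in
#    logs show who would have been blocked without blocking anyone yet.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$mfaPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# 4. Policy B: block legacy authentication clients. Security Defaults did this for you;
#    once they are off, nothing does unless you have this policy.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$legacyPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
Write-Host "Created $($mfaPolicy.DisplayName) and $($legacyPolicy.DisplayName) in report-only mode."

# 5. Only after the report-only results have been reviewed, and in one sitting:
#    switch Security Defaults off (the two cannot be enforced together) and enforce both policies.
# Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $mfaPolicy.Id    -State "enabled"
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $legacyPolicy.Id -State "enabled"
```

Do step 5 in a single session: between Security Defaults being turned off and the policies being enforced, administrators are not required to use MFA and legacy clients are not blocked. Review the report-only results in the Entra sign-in logs (the "Report-only" tab on each sign-in) before that switch, and store the break-glass credentials offline.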
Audit Logging Is Limited Without a Higher Licence
Microsoft 365's unified audit log, the record of admin actions, file access, mailbox activity and configuration changes, is a critical forensic resource when something goes wrong. Business Basic, Standard and Premium all come with Audit (Standard), whose retention is measured in months (Microsoft raised the default from 90 to 180 days in late 2023); retention of a year or more needs Audit (Premium) or a retention add-on. Entra ID sign-in logs are shorter still: 7 days without a premium licence and 30 days with Entra ID P1 or P2. For an investigation into a breach that began several months before discovery, which is common, that is often not enough, and the practical answer for a small business is to export the logs to a SIEM or log platform you control.
More critically, events are only captured if the relevant auditing is actually on. Mailbox access by a non-owner, the event that would reveal a compromised account or a rogue delegate reading your CEO's email, depends on mailbox auditing. Exchange Online turns it on by default, but it can be switched off at organisation level, disabled on individual mailboxes, or bypassed for a particular account, and the event that records a message being read (MailItemsAccessed) was an E5-only event until Microsoft widened Audit (Standard) in late 2023. Verify rather than assume.
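The checks that paragraph calls for, as an added example in Exchange Online PowerShell (not code from the original article): each place where mailbox auditing can be switched off is inspected and corrected, then a query confirms that non-owner access events are really arriving in the unified audit log.

```powershell
# Added example, not part of the original article. Requires the ExchangeOnlineManagement
# module and an Exchange administrator role. Nothing here is specific to one tenancy.
Connect-ExchangeOnline

# Level 1: the organisation-wide switch. If this is $true, every per-mailbox setting is ignored.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at organisation level; re-enabling."
    Set-OrganizationConfig -AuditDisabled $false
}

# Level 2: per-mailbox. AuditEnabled can be turned off on individual mailboxes, and
# AuditLogAgeLimit (default 90 days) caps how long the mailbox keeps its own records.
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled, AuditLogAgeLimit
foreach ($mbx in ($mailboxes | Where-Object { -not $_.AuditEnabled })) {
    Write-Warning "Auditing was off for $($mbx.UserPrincipalName); enabling."
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true
}
$mailboxes | Where-Object { $_.AuditLogAgeLimit.Days -lt 90 } |
    ForEach-Object { Write-Warning "$($_.UserPrincipalName) keeps mailbox audit records for only $($_.AuditLogAgeLimit.Days) days" }

# Level 3: bypass associations. An account on this list generates no mailbox audit
# records when it touches any mailbox, which is exactly what an attacker with admin
# rights, or an insider, would want.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    ForEach-Object { Write-Warning "Audit bypass is enabled for $($_.Name)" }

# Confirm the events are flowing. MailItemsAccessed with LogonType 1 (admin) or
# 2 (delegate) is the record of someone other than the owner reading a mailbox.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations MailItemsAccessed -ResultSize 5000
$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.LogonType -ne 0 } |
    Select-Object CreationTime, UserId, MailboxOwnerUPN, LogonType, ClientIPAddress |
    Sort-Object CreationTime -Descending |
    Format-Table -AutoSize
```

If the last query returns nothing at all in a busy tenancy, treat that as a finding in itself: either the events are not being generated for your licence, or auditing was only just enabled and the log has not caught up. Search-UnifiedAuditLog returns at most 5000 records per call; for a longer window, page with the -SessionId and -SessionCommand parameters or narrow the date range.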
No Advanced Threat Protection Without Business Premium
Microsoft Defender for Office 365 Plan 1, the advanced email security layer that provides Safe Links, Safe Attachments and configurable anti-phishing policies, is included in Business Premium but not in Business Basic or Business Standard, where it is only available as a paid add-on. Organisations without it have Exchange Online Protection's standard spam and malware filtering but not the sandboxed attachment analysis and time-of-click link checking that Defender for Office 365 provides.
Safe Attachments analyses email attachments in a sandboxed environment before delivering them to the recipient — catching malicious attachments that have been crafted to evade signature-based detection. Safe Links rewrites URLs in emails and documents and checks them at the point of click — catching malicious links that were safe at delivery time but were subsequently pointed at malicious content.
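Both features have to be switched on and scoped before they protect anyone. As an added example (not code from the original article), this Exchange Online PowerShell creates explicit Safe Attachments and Safe Links policies and applies them to every recipient in the organisation's domain; the domain and the policy names are placeholders.

```powershell
# Added example, not part of the original article. Requires Defender for Office 365
# (Business Premium or the add-on) and the ExchangeOnlineManagement module.
# contoso.com and the policy names are placeholders; substitute your own.
Connect-ExchangeOnline
$domain = "contoso.com"

# Safe Attachments: detonate attachments in a sandbox and block the message if the
# attachment is malicious. "Block" rather than "Replace" so the recipient never sees a
# stripped message and cannot be talked into asking the sender for "the original".
New-SafeAttachmentPolicy -Name "Safe Attachments - all users" `
    -Enable $true `
    -Action Block `
    -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name "Safe Attachments - all users" `
    -SafeAttachmentPolicy "Safe Attachments - all users" `
    -RecipientDomainIs $domain

# Extend the same detonation to files already sitting in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links: rewrite URLs and check them at click time in email, Teams and Office
# clients. AllowClickThrough $false stops users overriding a block page; TrackClicks
# keeps the click record you will want during an investigation; EnableForInternalSenders
# matters because a compromised colleague's mailbox is a common phishing source.
New-SafeLinksPolicy -Name "Safe Links - all users" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -EnableForInternalSenders $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links - all users" `
    -SafeLinksPolicy "Safe Links - all users" `
    -RecipientDomainIs $domain

# Verify what is now in force.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
```

Defender for Office 365 also ships "Standard" and "Strict" preset security policies that bundle equivalent settings; the explicit policies above are for tenancies that want to see and control each setting, and the verification cmdlets at the end work either way.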
The Configuration Settings That Make the Biggest Difference
Beyond Security Defaults, the following Microsoft 365 configuration changes provide the most significant security improvement for a small organisation, in approximate priority order:
- Enforce MFA for all users via Conditional Access (requires Entra ID P1, included in Business Premium)
- Enable and review audit log settings — ensure mailbox auditing is enabled for all mailboxes, confirm log retention settings
- Confirm basic authentication is off. Microsoft has disabled it in Exchange Online for most protocols, but SMTP AUTH can still be enabled per tenant and per mailbox, and once you replace Security Defaults with Conditional Access you need your own policy that blocks legacy authentication clients
- Configure anti-phishing policies in Defender for Office 365 — enable impersonation protection for senior staff and your domain
- Review external sharing settings in SharePoint and OneDrive — default settings in many tenancies allow unauthenticated sharing with anyone who has a link
- Review and restrict admin roles: identify which accounts hold Global Administrator, keep that to the minimum (Microsoft's guidance is fewer than five), use dedicated cloud-only admin accounts rather than someone's daily mailbox, and keep one break-glass account excluded from Conditional Access with its credentials stored offline
- Enable sign-in risk and user risk policies via Entra ID Identity Protection, which automatically block or step up sign-ins Microsoft's machine learning flags as risky. This needs Entra ID P2, which Business Premium does not include; on P1 you can still block legacy clients and block sign-ins from countries you do not operate in, which closes part of the same gap
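Four of the items in that list, worked through as an added PowerShell example (not code from the original article): the anti-phishing impersonation policy, the Global Administrator inventory, SharePoint and OneDrive external sharing, and SMTP AUTH, the one Exchange Online protocol that can still accept basic authentication. The tenancy name, domain and the named executives are placeholders.

```powershell
# Added example, not part of the original article. Needs the ExchangeOnlineManagement,
# Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules. "contoso" and the
# executives in $execs are placeholders; the MFA and Conditional Access items in the
# list are covered elsewhere and are not repeated here.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Anti-phishing (Defender for Office 365): protect named senior staff and your own
#    domains from display-name and look-alike impersonation, and let mailbox intelligence
#    learn who each user normally corresponds with. Entries are "Display Name;address".
$execs = @("Jane Doe;jane.doe@contoso.com", "Sam Patel;sam.patel@contoso.com")
New-AntiPhishPolicy -Name "Impersonation protection" -Enabled $true `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $execs -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableFirstContactSafetyTips $true -EnableSpoofIntelligence $true `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name "Impersonation protection" -AntiPhishPolicy "Impersonation protection" -RecipientDomainIs "contoso.com"

# 2. Who is Global Administrator? Microsoft's guidance is fewer than five, each a
#    dedicated cloud-only admin account. The GUID is the fixed role template id for
#    Global Administrator, which is the same in every tenancy.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$admins = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
$admins | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
if ($admins.Count -ge 5) { Write-Warning "$($admins.Count) Global Administrators; reduce to fewer than five." }

# 3. External sharing. ExternalUserAndGuestSharing permits anonymous "anyone" links;
#    ExternalUserSharingOnly requires the recipient to authenticate. Also make the
#    default link an internal one so users have to choose to share outside.
$spo = Get-SPOTenant
$spo | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
if ($spo.SharingCapability -eq "ExternalUserAndGuestSharing") {
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal
}

# 4. SMTP AUTH. $true on the transport config means it is off tenant-wide; a per-mailbox
#    value of $false re-enables it for that mailbox, which is how printers and scripts
#    usually creep back in. List the overrides before turning it off for everyone.
(Get-TransportConfig).SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Name, SmtpClientAuthenticationDisabled
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true   # once every legitimate sender has moved off it
```

Get-MgDirectoryRoleMember lists active assignments only; if the tenancy uses Privileged Identity Management, eligible Global Administrators will not appear and need to be reviewed separately in the PIM blade.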
Monitoring 365 Is Not the Same as Securing 365
Even a well-configured Microsoft 365 tenancy benefits from continuous monitoring of its sign-in logs and activity. Configuration is static; threats are dynamic. An attacker who compromises a user account via a technique that bypasses your current controls, such as a real-time phishing proxy, session cookie theft or a compromised device, will leave traces in the sign-in and audit logs: a sign-in from an unfamiliar location or client, a new inbox rule, an unexpected admin action. Those traces only matter if someone is watching. The configuration determines your exposure. The monitoring determines how quickly a successful attack is detected and contained.
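What "watching the logs" looks like in practice, as an added example (not code from the original article or from any product): three hunts over the last seven days for the traces just described. The sign-in log API needs Entra ID P1; "GB" as the only expected country is an assumption for a UK-only business.

```powershell
# Added example, not part of the original article. Needs the Microsoft.Graph and
# ExchangeOnlineManagement modules and Entra ID P1 (the sign-in log API is a premium
# feature). $expectedCountries = @("GB") is an assumption; adjust it to where you operate.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
Connect-ExchangeOnline

$expectedCountries = @("GB")
$since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"

# Hunt 1: successful interactive sign-ins from countries you do not operate in, by user.
# ErrorCode 0 is success; failed attempts are noise for this hunt (but useful for spray detection).
$signIns |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -notin $expectedCountries } |
    Group-Object UserPrincipalName, { $_.Location.CountryOrRegion } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Hunt 2: anything that is not a modern client. "IMAP4", "POP3", "Authenticated SMTP"
# and "Other clients" here mean a legacy protocol is still in use, or being attempted.
$signIns |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Hunt 3: inbox rules created or changed in the period. Attackers add rules that forward
# mail outside the organisation or delete replies so the victim never sees the thread.
$suspect = @("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder")
$ruleEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000
foreach ($e in $ruleEvents) {
    $d = $e.AuditData | ConvertFrom-Json
    $flagged = @($d.Parameters | Where-Object { $_.Name -in $suspect })
    if ($flagged.Count -gt 0) {
        $detail = ($flagged | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        Write-Warning "$($d.CreationTime) $($d.UserId) from $($d.ClientIP): $($d.Operation) $detail"
    }
}
```

Get-MgAuditLogSignIn returns interactive user sign-ins by default; a replayed session token often appears only in the non-interactive sign-in log, so an investigation should also pull those (the signInEventTypes filter on the same endpoint) rather than stopping at this query.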
Further Reading
Microsoft 365 Monitoring. Included.
SOC in a Box integrates with Microsoft 365 via the Management Activity API, ingesting sign-in logs, audit events, and security alerts into the SOC365 detection engine. Your named analyst monitors your tenancy alongside your network — authentication anomalies, suspicious mailbox rules, unusual admin activity — all in real time.
Book your scoping call