
Microsoft 365 Security Settings for Small Businesses

Microsoft 365 is the productivity backbone of most UK small businesses. But is Microsoft 365 secure enough for business out of the box? The short answer is no — not without the right configuration, monitoring, and additional controls. This guide covers the Microsoft 365 security settings that every small business should have in place, explains what Microsoft 365 Security Defaults actually do, and identifies the gaps that leave organisations exposed.

Are Microsoft 365 Security Defaults Enough?

Microsoft 365 Security Defaults are a set of baseline identity settings that Microsoft makes available to every tenancy at no extra cost (they are switched on automatically in tenancies created since October 2019). When enabled, they apply five core protections:

  • Require all users to register for multi-factor authentication (MFA) within 14 days of their first sign-in
  • Require MFA for administrator accounts on every sign-in
  • Require MFA from any other user when Microsoft judges it necessary, for example a sign-in from a new device or application
  • Block legacy authentication protocols, which cannot complete an MFA challenge
  • Require MFA for privileged activity such as access to the Azure portal, the Entra admin centre, Azure PowerShell and the Azure CLI

These defaults are a meaningful starting point. Blocking legacy authentication alone closes a significant attack vector: clients using Basic authentication over IMAP, POP3 or SMTP AUTH present only a username and password and cannot complete an MFA challenge, so a leaked or guessed password is enough on its own. (Microsoft has itself retired Basic authentication for most Exchange Online protocols; SMTP AUTH is the remaining exception and still needs to be disabled per mailbox unless a device genuinely depends on it.) Enforcing MFA for admin accounts protects the accounts that, if compromised, grant complete control of the tenancy.

But Security Defaults are exactly that: defaults. They are the minimum baseline, not a security posture. For a small business that depends on Microsoft 365 for email, document storage, and collaboration, relying solely on Security Defaults leaves critical gaps.

The Gaps That Microsoft 365 Security Defaults Leave Open

MFA Registration Is Not MFA Enforcement

Security Defaults prompt users to register for MFA but allow password-only sign-in during a 14-day registration window, and a user who has registered is still only challenged when Microsoft judges it necessary (a new device or application, for example) rather than on every sign-in. Security Defaults also apply to every account with no exclusions, so they cannot be tuned around a shared device or a service account. An organisation that enabled Security Defaults months ago may therefore still have staff accounts that have never completed registration, or that routinely sign in with a password alone. The difference between "prompted to register" and "cannot sign in without MFA" is the difference between a policy and a control.

No Conditional Access Policies

Security Defaults apply MFA uniformly. They cannot distinguish between a sign-in from the office network and a sign-in from an unfamiliar IP address in another country. Conditional Access, available with Entra ID P1 licences (included in Business Premium), lets you require MFA on every sign-in from outside named locations, block sign-ins from countries you never operate in, require a compliant or Entra-joined device for access to sensitive data, and exclude a single monitored break-glass account so a mistake in a policy cannot lock every administrator out. Two practical caveats: Conditional Access and Security Defaults cannot be enabled together (Security Defaults must be switched off before the first policy is enabled, so the replacement policies need to exist first), and every new policy should run in report-only mode against the sign-in log before it is enforced. Context-aware authentication is significantly more effective than flat MFA requirements.
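As an added example (not code from the original article), the script below creates the two policies that replace what Security Defaults provided, a "require MFA for everyone" rule and a "block legacy authentication" rule, using the Microsoft Graph PowerShell SDK. Both start in report-only mode and both exclude a break-glass account. It assumes the Microsoft.Graph module is installed, the signed-in administrator can manage Conditional Access, Security Defaults have already been switched off, and that breakglass@contoso.onmicrosoft.com is a placeholder for your own emergency-access account.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph PowerShell SDK
# is installed, the caller holds a role that can manage Conditional Access, and Security
# Defaults are already off (they cannot coexist with Conditional Access policies).
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Hypothetical emergency-access account (placeholder name). It is excluded from every policy so
# a mistake cannot lock all administrators out; its sign-ins should be alerted on separately.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"
if (-not $breakGlass) { throw 'Create and test a break-glass account before creating these policies.' }

# Report-only: the policy is evaluated and recorded in the sign-in log but not enforced.
$reportOnly = 'enabledForReportingButNotEnforced'

# Policy 1: MFA on every sign-in, for every user, to every application.
$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: replaces the legacy-authentication block from Security Defaults. 'exchangeActiveSync'
# and 'other' are the client types that cannot present an MFA claim.
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}

# After reviewing the report-only results (sign-in log, Conditional Access tab), enforce each one:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State 'enabled'
```

Leave the policies in report-only mode for at least a week of normal working, then look in the sign-in log for any "would have failed" results from shared devices, multifunction printers or service accounts before switching the state to enabled; those are the accounts Security Defaults could not exclude and Conditional Access can.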

Limited Audit Logging

Every Business plan (Basic, Standard and Premium) includes Audit (Standard), which retains unified audit log records for 180 days; Microsoft extended that default from 90 days in October 2023, and longer retention requires Audit (Premium), which none of the Business plans include. Entra sign-in logs are shorter still: 30 days with a P1 licence and 7 days without one. Investigations into breaches that started months before discovery, which is common, may find that the evidence has already been purged unless logs are exported somewhere with longer retention. Mailbox auditing is on by default in current tenancies, but the default action set is limited. MailItemsAccessed, the event that shows which messages an intruder actually read, is only recorded for mailboxes covered by Audit (Premium), not the Business plans. Non-owner (delegate and admin) actions such as SendAs and SendOnBehalf are captured by default, but only if nobody has disabled auditing at organisation level or set an audit bypass on the mailbox.

No Advanced Threat Protection on Lower Licence Tiers

Microsoft Defender for Office 365 Plan 1, which provides Safe Links (time-of-click URL checking), Safe Attachments (sandbox detonation of attachments before delivery) and impersonation-aware anti-phishing policies, is included in Business Premium but not in Business Basic or Standard. Organisations on those tiers have Exchange Online Protection's spam and malware filtering, which is signature and reputation based, but no attachment sandboxing, no time-of-click link checks and no user or domain impersonation protection.

SharePoint and OneDrive Sharing Defaults

The organisation-level sharing setting for SharePoint and OneDrive is "Anyone" unless it has been changed, which permits "Anyone with the link" links: no sign-in is required, the link can be forwarded to anyone, and the audit log records that the link was used but not by whom. Unless these defaults are reviewed and tightened (at minimum, set the organisation level to "New and existing guests", make "Specific people" the default link type, and put an expiry on any Anyone links you decide to keep), staff can inadvertently share sensitive documents with anyone on the internet.

The Microsoft 365 Security Settings That Matter Most

Beyond Security Defaults, the following configuration changes provide the most significant security improvement for a small business, in priority order:

  1. Enforce MFA for all users via Conditional Access: replace the registration window and the "when necessary" prompts with a policy that requires MFA on every sign-in, exclude one monitored break-glass account, and run it in report-only mode before enforcing it
  2. Review and restrict admin roles: list the accounts holding Global Administrator, reduce them to the minimum (Microsoft recommends fewer than five), give day-to-day administrators a narrower role such as Exchange Administrator, and keep admin accounts separate from the mailbox the person uses every day
  3. Configure anti-phishing policies: enable user impersonation protection for senior staff and domain impersonation protection for your own domains in Defender for Office 365 (Business Premium)
  4. Review external sharing settings: restrict SharePoint and OneDrive sharing to authenticated recipients only and make "Specific people" the default link type
  5. Confirm mailbox auditing: check that auditing is not disabled at organisation level and that no mailbox has an audit bypass set, so non-owner access and inbox-rule changes are captured for every mailbox
  6. Enable sign-in risk policies: automatically block or require additional verification for sign-ins flagged as high risk by Entra ID Identity Protection (this needs Entra ID P2, which Business Premium does not include; without it, use named-location and country conditions in Conditional Access instead)
  7. Disable unused legacy protocols: confirm that IMAP, POP3 and SMTP AUTH are disabled for every mailbox (SMTP AUTH both at organisation level and per mailbox), re-enabling SMTP AUTH only for the specific device or application that genuinely needs it
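The following script is an added example (not code from the original article) that makes a read-only pass over items 1, 2, 3, 4, 5 and 7 of the list above and prints a finding for each gap. It assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed and that the caller holds read roles in the tenancy; contoso is a placeholder tenant name. Item 6 (sign-in risk policies) needs Entra ID P2 and is reviewed in the Entra admin centre instead.

```powershell
# Added example, not from the original article. Read-only; nothing here changes a setting.
# Assumes the Microsoft.Graph, ExchangeOnlineManagement and SharePoint Online modules are
# installed and the caller has read roles. 'contoso' is a placeholder tenant name.
Import-Module Microsoft.Graph.Reports, Microsoft.Graph.Identity.DirectoryManagement, ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'Directory.Read.All'
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$findings = [System.Collections.Generic.List[string]]::new()

# 1. MFA registration: the registration report lists users with no MFA method registered at all
$regs = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
foreach ($u in ($regs | Where-Object { -not $_.IsMfaRegistered })) {
    $findings.Add("MFA not registered: $($u.UserPrincipalName)")
}

# 2. Global Administrators: the role template ID is the same in every tenancy
$gaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
if ($gaMembers.Count -ge 5) { $findings.Add("$($gaMembers.Count) Global Administrators (keep it below five)") }
foreach ($m in $gaMembers) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    $reg = $regs | Where-Object { $_.UserPrincipalName -eq $upn }
    if ($upn -and -not $reg.IsMfaRegistered) { $findings.Add("Global Administrator without MFA: $upn") }
}

# 3. Anti-phishing: impersonation protection in the default policy (Defender for Office 365 only)
$phish = Get-AntiPhishPolicy | Where-Object { $_.IsDefault }
if (-not $phish.EnableTargetedUserProtection -or -not $phish.EnableOrganizationDomainsProtection) {
    $findings.Add('Default anti-phishing policy lacks user and/or domain impersonation protection')
}

# 4. External sharing: 'Anyone' links permitted at organisation level, or used as the default link
$spo = Get-SPOTenant
if ($spo.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $findings.Add("SharePoint/OneDrive permit 'Anyone' links (SharingCapability=$($spo.SharingCapability))")
}
if ($spo.DefaultSharingLinkType -eq 'AnonymousAccess') { $findings.Add("Default sharing link type is 'Anyone'") }

# 5. Mailbox auditing: organisation-level switch, then any mailbox with a bypass set
if ((Get-OrganizationConfig).AuditDisabled) { $findings.Add('Mailbox auditing is disabled at organisation level') }
foreach ($b in (Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled })) {
    $findings.Add("Mailbox audit bypassed: $($b.Name)")
}

# 7. Legacy protocols: SMTP AUTH at organisation level, then IMAP/POP/SMTP AUTH per mailbox.
# A per-mailbox SmtpClientAuthenticationDisabled of $null means 'inherit the organisation setting'.
$orgSmtpAuthOff = (Get-TransportConfig).SmtpClientAuthenticationDisabled
if (-not $orgSmtpAuthOff) { $findings.Add('SMTP AUTH is enabled at organisation level') }
foreach ($cas in Get-CASMailbox -ResultSize Unlimited) {
    $smtpOff = if ($null -eq $cas.SmtpClientAuthenticationDisabled) { $orgSmtpAuthOff } else { $cas.SmtpClientAuthenticationDisabled }
    if ($cas.ImapEnabled -or $cas.PopEnabled -or -not $smtpOff) {
        $findings.Add("Legacy protocol on $($cas.PrimarySmtpAddress): IMAP=$($cas.ImapEnabled) POP=$($cas.PopEnabled) SMTPAUTH=$(-not $smtpOff)")
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Run it once before any remediation and keep the output; running it again after each change, and then monthly, turns the list above from a one-off project into a check that catches settings drifting back (a mailbox re-enabled for SMTP AUTH by a printer installer, or a new Global Administrator added during a support call).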

Is Microsoft 365 Secure Enough for Business?

Microsoft 365 can be secure enough for a small business — but not in its default configuration. The platform provides the tools, but the configuration, monitoring, and ongoing management are the responsibility of the organisation. Most small businesses do not have the internal expertise to harden a Microsoft 365 tenancy to the level required, and most managed IT providers configure the basics but do not provide continuous security monitoring of sign-in logs, admin activity, and suspicious mailbox behaviour.

The most common scenario we see is a small business with Microsoft 365 where:

  • Security Defaults are enabled but not all users have completed MFA registration
  • No Conditional Access policies are in place
  • External sharing in SharePoint and OneDrive is unrestricted
  • No one is monitoring sign-in logs or audit activity
  • Admin accounts are shared or not properly segregated

This is not a secure configuration. It is a configuration that has not yet been tested by an attacker.

What Continuous Monitoring Adds

Even a properly configured Microsoft 365 tenancy benefits from continuous security monitoring. Configuration is static; threats are dynamic. An attacker who compromises a user account via a technique that bypasses your controls, such as an adversary-in-the-middle phishing proxy that relays the MFA prompt, a stolen session token replayed from another network, or malware on an enrolled device, still leaves traces in the sign-in and audit logs: a new IP address and device for a familiar user, or an inbox rule created minutes after an unusual sign-in. Those traces are only useful if someone is watching for them.

Effective Microsoft 365 monitoring covers:

  • Authentication anomalies — sign-ins from unusual locations, impossible travel, or unfamiliar devices
  • Suspicious mailbox rules — auto-forwarding rules that divert email to external addresses, a hallmark of business email compromise
  • Admin activity — new admin role assignments, configuration changes, or the creation of new accounts
  • Data exfiltration indicators — unusual download volumes, sharing activity, or access patterns in SharePoint and OneDrive
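As an added example (not code from the original article or the monitoring product it describes), the function below implements the "suspicious mailbox rules" check: it reads unified audit log records for inbox-rule and mailbox-forwarding changes and flags any destination outside the organisation's own domains. The three records are constructed for the example and follow the shape of Exchange mailbox audit events; the users, domains and IP addresses are invented. The commented lines at the end show how the same function is fed from a live tenancy with the Exchange Online module.

```powershell
# Added example, not from the original article. Detects inbox rules and mailbox forwarding that
# send mail to an address outside the organisation's accepted domains.
function Find-ExternalForwarding {
    param(
        [Parameter(Mandatory)] [string[]] $AuditDataJson,   # one AuditData JSON string per audit record
        [Parameter(Mandatory)] [string[]] $AcceptedDomains   # domains you own, e.g. from Get-AcceptedDomain
    )
    # Cmdlet parameters that carry a forwarding destination, across the three operations of interest
    $forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'ForwardingAddress'
    # Extracts bare addresses whether the value is 'user@x', 'smtp:user@x' or '"Name" [SMTP:user@x]'
    $emailRegex = '[\w.+-]+@[\w-]+(\.[\w-]+)+'
    $accepted = $AcceptedDomains | ForEach-Object { $_.ToLowerInvariant() }

    foreach ($json in $AuditDataJson) {
        $rec = $json | ConvertFrom-Json
        if ($rec.Operation -notin 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox') { continue }
        foreach ($p in $rec.Parameters) {
            if ($p.Name -notin $forwardParams) { continue }
            foreach ($m in [regex]::Matches([string]$p.Value, $emailRegex)) {
                $domain = $m.Value.Split('@')[1].ToLowerInvariant()
                if ($domain -notin $accepted) {
                    # One finding per external destination; internal destinations are ignored
                    [pscustomobject]@{
                        Time        = $rec.CreationTime
                        Actor       = $rec.UserId
                        Mailbox     = $rec.ObjectId
                        Operation   = $rec.Operation
                        Parameter   = $p.Name
                        Destination = $m.Value
                        ClientIP    = $rec.ClientIP
                    }
                }
            }
        }
    }
}

# Constructed sample records (invented values). Record 1 is the classic BEC pattern: a rule named '.'
# that forwards to a look-alike domain and deletes the message; record 2 is benign internal
# forwarding; record 3 sets mailbox-level forwarding outside the organisation.
$samples = @(
    '{"CreationTime":"2024-05-02T07:41:12","Operation":"New-InboxRule","UserId":"jane@contoso.com","ObjectId":"jane@contoso.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"[SMTP:invoices@contoso-payments.example]"},{"Name":"DeleteMessage","Value":"True"}]}',
    '{"CreationTime":"2024-05-02T09:15:40","Operation":"New-InboxRule","UserId":"bob@contoso.com","ObjectId":"bob@contoso.com","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"ForwardTo","Value":"[SMTP:team@contoso.com]"}]}',
    '{"CreationTime":"2024-05-03T22:03:05","Operation":"Set-Mailbox","UserId":"jane@contoso.com","ObjectId":"jane@contoso.com","ClientIP":"203.0.113.7","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:jane.backup@mail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}'
)

Find-ExternalForwarding -AuditDataJson $samples -AcceptedDomains @('contoso.com') | Format-Table

# Against a live tenancy (Exchange Online module; the caller needs the Audit Logs role):
# Connect-ExchangeOnline
# $domains = (Get-AcceptedDomain).DomainName
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#             -Operations New-InboxRule,Set-InboxRule,Set-Mailbox -ResultSize 5000
# Find-ExternalForwarding -AuditDataJson $live.AuditData -AcceptedDomains $domains
```

On the sample data the function returns two findings, both for jane@contoso.com from the same client IP (the rule to contoso-payments.example and the mailbox forward to mail.example), and nothing for Bob's internal rule. Rules created from Outlook desktop arrive as an UpdateInboxRules event with a different parameter layout, so a production detection also needs to handle that operation; the function is deliberately limited to the three operations whose parameters it parses.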

Further Reading

Microsoft 365 Monitoring. Included.

SOC in a Box integrates with Microsoft 365 via the Management Activity API, ingesting sign-in logs, audit events, and security alerts into the SOC365 detection engine. Your named analyst monitors your tenancy alongside your network — authentication anomalies, suspicious mailbox rules, unusual admin activity — all in real time. Five working days from scoping call to live monitoring.

Book a scoping call