
Microsoft 365 Security Checklist for Small Business


Most small businesses pay for Microsoft 365 but only scratch the surface of its security features. The default settings leave gaps that attackers know how to exploit. A misconfigured M365 tenant is one of the most common entry points for business email compromise in Australia.

Here are 20 security settings you should check in your Microsoft 365 tenant. We have grouped them by difficulty so you can start making progress today.

Do today (5 minutes each)

These are quick wins. You can do them right now from the Microsoft 365 admin centre.

1. Enable MFA for all users

Multi-factor authentication is the single most effective security control you can enable. Go to Entra ID > Security > MFA and enforce it for every account. No exceptions.

2. Block legacy authentication

Legacy (basic) authentication used by older email protocols (POP3, IMAP, SMTP AUTH) has no way to prompt for MFA, so a stolen password alone is enough to sign in. Block it with a Conditional Access policy under Entra ID > Security > Conditional Access. If no one is still using Outlook 2013 or older, there is no reason to leave it open.
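As an added example (not from the original post), this Microsoft Graph PowerShell snippet creates the legacy-authentication block as a Conditional Access policy in report-only mode, so the sign-in logs show what it would have blocked before you enforce it. It assumes the Microsoft.Graph module is installed and that you substitute the placeholder emergency-access account ID.

```powershell
# Added example, not the original post's code. Creates a report-only Conditional Access
# policy that blocks legacy (basic) authentication clients. Review the sign-in logs,
# then change state to "enabled" once no legitimate client is affected.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your break-glass account (assumption, replace before running)
$breakGlassUserId = "<object-id-of-emergency-access-account>"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"   # "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)   # never lock the emergency account out
        }
        applications = @{ includeApplications = @("All") }
        # "other" is the client app type Entra uses for POP3, IMAP, SMTP AUTH and
        # other basic-auth clients; Exchange ActiveSync is listed separately
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```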

3. Set passwords to never expire

This sounds counterintuitive, but Microsoft and the ASD both recommend it. Password expiration policies lead to weaker passwords. Combine non-expiring passwords with MFA for better security.

4. Disable user consent to apps

By default, users can grant third-party apps access to their M365 data. Turn this off in Entra ID > Enterprise Applications > Consent and permissions. Require admin approval for all app access.

5. Enable unified audit log

Go to the Microsoft Purview compliance portal and ensure the unified audit log is turned on. This records all user and admin activity. You will need these logs if you ever investigate an incident.

6. Set audit log retention to 180 days

The default retention is 90 days. Extend it to at least 180 days. Many breaches are not discovered for weeks or months. If the logs are gone, you cannot investigate.

7. Enable mailbox auditing

Mailbox auditing tracks who accessed which mailboxes and what they did. It should be on by default in newer tenants, but it is worth confirming. Your IT provider can verify this is enabled for you.

This week (need some planning)

These settings require a bit more thought or testing before you roll them out.

8. Configure safe attachments

In the Microsoft 365 Defender portal, enable Safe Attachments policies. These scan email attachments in a sandbox before delivering them. Set the action to "Block" for detected malware.

9. Configure safe links

Enable Safe Links to rewrite and check URLs in emails at the time of click. This catches links that were clean when the email arrived but became malicious later.

10. Set up anti-phishing policies

Configure anti-phishing policies in Defender to protect against impersonation attacks. Add your executives and key contacts to the impersonation protection list.

11. Restrict external sharing in SharePoint

Review your SharePoint external sharing settings. The default is often too permissive. Limit external sharing to specific domains or require approval for each share.

12. Configure data loss prevention (DLP)

Set up basic DLP policies to prevent sensitive data (credit card numbers, tax file numbers, health records) from being shared externally via email or SharePoint.

13. Enable self-service password reset

Configure SSPR in Entra ID so users can reset their own passwords securely. This reduces helpdesk load and eliminates the "just tell me the password over the phone" risk.

14. Review and clean up admin roles

Check who has Global Administrator access. Most tenants have too many global admins. Follow the principle of least privilege. Use specific admin roles (Exchange Admin, SharePoint Admin) instead.

15. Set up alerts for suspicious activity

In the Defender portal, configure alert policies for:

  • Impossible travel (logins from two countries within an hour)
  • Mass file downloads
  • Email forwarding rule creation
  • New admin role assignments
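The following read-only script is an added example (not the original post's code) that verifies items 1, 5, 7 and 14 from a PowerShell session and surfaces the mailbox forwarding that the alert policies above are meant to catch. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the signed-in account has read access to the tenant; it changes nothing.

```powershell
# Added example, not the original post's code. Read-only tenant checks for items
# 1, 5, 7, 14 and the forwarding part of item 15. Nothing here modifies a setting.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "Directory.Read.All", "UserAuthenticationMethod.Read.All"

# 5. Unified audit log: if ingestion is off, Purview has nothing to search later
$auditCfg = Get-AdminAuditLogConfig
"Unified audit log enabled: $($auditCfg.UnifiedAuditLogIngestionEnabled)"

# 7. Mailbox auditing: AuditDisabled = True at org level switches it off tenant-wide
$orgCfg = Get-OrganizationConfig
"Mailbox auditing disabled tenant-wide: $($orgCfg.AuditDisabled)"

# 14. Global Administrators: list them so the count can be cut to the minimum
$gaRole    = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
"Global Administrators: $(@($gaMembers).Count)"
$gaMembers | ForEach-Object { "  " + $_.AdditionalProperties['userPrincipalName'] }

# 15. Forwarding: mailbox-level forwarding plus inbox rules that forward or redirect.
# Attacker-created forwarding rules are a classic sign of business email compromise.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        "Mailbox forwarding: $($_.UserPrincipalName) -> $($_.ForwardingSmtpAddress) $($_.ForwardingAddress)"
    }
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { "Forwarding rule: $($mbx.UserPrincipalName) rule '$($_.Name)'" }
}

# 1. MFA: flag enabled users whose only registered authentication method is a password
Get-MgUser -All -Filter "accountEnabled eq true" -Property Id, UserPrincipalName | ForEach-Object {
    $methods = Get-MgUserAuthenticationMethod -UserId $_.Id
    $strong  = $methods | Where-Object {
        $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
    }
    if (-not $strong) { "No MFA method registered: $($_.UserPrincipalName)" }
}
```

Registered methods are not the same as enforced MFA; pair this list with the Conditional Access or per-user MFA settings from item 1 to confirm every account is actually challenged.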

Get expert help (complex to implement correctly)

These settings are powerful but can cause disruption if configured incorrectly. We recommend working with an experienced M365 partner.

16. Conditional access policies

Create policies that restrict access based on location, device, and risk level. For example: block sign-ins from countries where you have no staff, or require compliant devices for access.

17. Intune device management

Enrol company devices in Intune to enforce security policies: encryption, PIN requirements, app restrictions, and remote wipe capability. This is essential if staff use laptops outside the office.

18. Sensitivity labels

Apply sensitivity labels to documents and emails (Confidential, Internal Only, Public). Labels can enforce encryption and restrict sharing based on classification.

19. Attack simulation training

Use the built-in attack simulator in Defender to send test phishing emails to your staff. Track who clicks and provide targeted training. This is the most effective way to reduce phishing risk.

20. Privileged Identity Management (PIM)

Enable PIM to provide just-in-time admin access. Instead of permanent admin roles, users request elevated access for a limited time. This reduces the attack surface if an admin account is compromised.

How to check your score

Microsoft provides a free security assessment called Secure Score. Go to security.microsoft.com > Secure Score to see your current rating and recommended improvements.

Most small business tenants score between 30% and 50% when we first assess them. After implementing the checklist above, you should be above 70%.

Need a hand?

Want us to review your M365 tenant? Our free IT health check includes a full security configuration audit. We will show you what is configured correctly, what is missing, and what to prioritise.
