Microsoft 365 is how most small businesses handle email, documents, Teams calls and file sharing. It is also one of the most common targets for credential phishing. The default settings when you first set up Microsoft 365 are not as secure as they should be. Getting the basics right significantly reduces your exposure to the most common attacks.

This guide covers the key settings in plain English. None of them require technical expertise to understand, though some require admin access to apply.

1. Enable MFA on Every Account

Multi-factor authentication is the single most effective control you can apply to Microsoft 365. It means a stolen password alone cannot be used to log into an account. The attacker also needs the second factor, usually a code from an authenticator app or a phone prompt.

In the Microsoft 365 admin centre, go to Users, then Active users, then Multi-factor authentication. Enforce it for every account, including admin accounts. Microsoft also offers Security Defaults (available under Azure Active Directory), which enforces MFA as a baseline for all users with minimal configuration.

If MFA is not enabled on your Microsoft 365 accounts, this is the first thing to fix. Everything else is less important by comparison.

2. Use a Separate, Dedicated Admin Account

Admin accounts in Microsoft 365 have the ability to change settings for every user, access all mailboxes, and alter security policies. They should not be used for day-to-day email and work.

Create a dedicated admin account that is used only for admin tasks. Give it a strong, unique password and enforce MFA. Your regular work account should have only the permissions it needs for normal tasks. If a phishing attack compromises your regular account, the attacker does not automatically get admin access.

3. Disable Legacy Authentication Protocols

Legacy authentication protocols (such as basic authentication used by older mail clients) do not support MFA. If legacy auth is enabled, an attacker with a valid password can bypass MFA entirely by using a legacy authentication method to log in.

Microsoft has been disabling legacy authentication globally, but it is worth verifying it is disabled in your tenant. In the Azure portal, this is done via Conditional Access policies or Security Defaults. If you have any older mail clients that use basic authentication (Outlook 2013 or earlier, some older iOS mail apps), they will stop working when legacy auth is disabled and will need updating.
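
If you would rather check this from a script than click through the portal, the following is an added example (it is not part of the original post) that lists what Exchange Online currently allows. It assumes the ExchangeOnlineManagement PowerShell module is installed and that you sign in with an account that has Exchange admin rights. Every AllowBasicAuth* value you see should be False.

```powershell
# Added example: report whether basic authentication is still permitted
# in Exchange Online. Assumes the ExchangeOnlineManagement module and an
# account with Exchange admin rights (both are assumptions, not from the post).
Connect-ExchangeOnline

# Authentication policies in the tenant. Each AllowBasicAuth* flag
# should be False; a True value means that protocol accepts a bare password.
Get-AuthenticationPolicy |
    Format-List Name, AllowBasicAuth*

# The policy that applies to users who have no policy explicitly assigned.
# If this is blank, users without an assigned policy fall back to defaults.
Get-OrganizationConfig |
    Select-Object DefaultAuthenticationPolicy

# SMTP AUTH is handled separately from the other basic-auth protocols.
# It should be disabled at the organisation level (True = disabled)...
Get-TransportConfig |
    Select-Object SmtpClientAuthenticationDisabled

# ...and only switched back on for individual mailboxes that genuinely
# need it, such as a scanner or printer that emails scans. This lists
# mailboxes where it has been explicitly re-enabled.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, SmtpClientAuthenticationDisabled
```

The last query only returns mailboxes where the setting was set to False by hand; a blank value means the mailbox inherits the organisation-wide setting, which is what you want for ordinary users.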

4. Block External Email Forwarding

After a successful phishing attack, one of the first things attackers do is set up a forwarding rule that silently copies all incoming email to an external address they control. This means they continue to receive your emails even after you change your password.

Block automatic external forwarding at the tenant level via the outbound spam filter policy in the Microsoft 365 Security and Compliance centre. Set the automatic forwarding option to "Automatic" or "Off" rather than "On". Users should not be able to forward their entire inbox to an external Gmail or similar address without explicit approval.

Also check existing mailboxes for any forwarding rules already in place, particularly on accounts that have been compromised in the past.
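
Checking every mailbox by hand is slow, so here is an added example (not from the original post) that pulls the three places forwarding can hide into one report. It assumes the ExchangeOnlineManagement module and an account with Exchange admin rights; the output file name is our own choice.

```powershell
# Added example: find tenant-level forwarding settings, mailbox-level
# forwarding, and inbox rules that forward or redirect mail.
# Assumes the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline

# 1. Tenant-level control. AutoForwardingMode should read Automatic or Off,
#    never On.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode

# 2. Forwarding set on the mailbox itself (by an admin, or by the user in
#    Outlook on the web settings). Either property being set is worth a look.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect. These are the rules usually left
#    behind after a phishing compromise, so review each one with the user.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

$findings | Format-Table -AutoSize -Wrap
# Keep a copy so you can compare against the next run.
$findings | Export-Csv -Path .\forwarding-rules.csv -NoTypeInformation
```

Step 3 calls Get-InboxRule once per mailbox, so on a larger tenant it takes a few minutes; run it out of hours or narrow the first Get-Mailbox with a filter if you only want to check a handful of accounts.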

5. Review Spam and Anti-Phishing Policies

Microsoft 365 includes spam and phishing filters. The default settings are reasonable, but the more aggressive protection levels are not enabled by default. In the Microsoft Defender portal, review the anti-phishing policies and consider enabling:

  • Impersonation protection for key users (your name, your supplier names)
  • Mailbox intelligence, which learns from your typical email patterns
  • Spoof intelligence to flag emails from domains that fail authentication

These settings reduce the volume of convincing phishing emails that reach inboxes.

6. Enable Audit Logging

Audit logging records admin actions and user activity across Microsoft 365. If an account is compromised and an attacker makes changes (creates forwarding rules, accesses files, changes settings), audit logs let you see what happened and when.

In the Microsoft Purview compliance portal, confirm that audit logging is enabled. For most Microsoft 365 Business plans it can be turned on without additional cost. Logs are retained for 90 days on standard plans.
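
As an added example (not part of the original post), the script below confirms the unified audit log is switched on and then pulls the last 30 days of the admin operations that show up when someone tampers with a mailbox. It assumes the ExchangeOnlineManagement module and an account permitted to search the audit log; the list of operations and the 30-day window are our choices.

```powershell
# Added example: confirm audit logging is on, then review recent
# mailbox-tampering events. Assumes the ExchangeOnlineManagement module
# and an account with rights to search the unified audit log.
Connect-ExchangeOnline

# Turn the unified audit log on if it is not already.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF - enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Operations worth reviewing: new or changed inbox rules, mailbox changes
# (which include forwarding) and someone being granted access to a mailbox.
$ops = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'Add-MailboxPermission'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) `
    -EndDate (Get-Date) -Operations $ops -ResultSize 5000

# AuditData is a JSON string; unpack it into something readable.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Details   = $params
    }
}

# Set-Mailbox is noisy, so only keep those entries that touch forwarding.
$rows |
    Where-Object { $_.Operation -ne 'Set-Mailbox' -or $_.Details -match 'Forward' } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

Look at the ClientIP and the time of day for each row: a rule created at 3am from an address in a country you do not do business with is the kind of entry this report exists to surface.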

7. Configure SPF, DKIM and DMARC for Your Domain

These three DNS records authenticate your outbound email and tell other mail servers what to do with emails that fail authentication. They do not prevent all phishing, but they make it harder for attackers to send convincing emails that appear to come from your domain.

  • SPF: specifies which mail servers are authorised to send email from your domain. Microsoft provides the SPF record value when you set up a custom domain.
  • DKIM: adds a cryptographic signature to outbound email. Enable it in Microsoft 365 admin under DomainKeys Identified Mail.
  • DMARC: the policy record that ties SPF and DKIM together. Start with p=none to receive reports without blocking anything, then move to p=quarantine and eventually p=reject once you have confirmed all legitimate sending sources are covered.
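
To see where your own domain stands, here is an added example (not from the original post) that looks up all three records. It runs on any Windows machine with the built-in Resolve-DnsName cmdlet, needs no admin rights, and uses example.com as a placeholder for your domain; the selector1 and selector2 names are the two DKIM selectors Microsoft 365 uses.

```powershell
# Added example: look up the SPF, DKIM and DMARC records for a domain.
# 'example.com' is a placeholder; replace it with your own domain.
$domain = 'example.com'

# SPF is a TXT record at the domain itself, starting with v=spf1.
$spf = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.Strings -join '') } |
    Where-Object { $_ -like 'v=spf1*' }
if ($spf) { "SPF:   $spf" } else { "SPF:   MISSING" }
if ($spf -and $spf -notmatch '(~all|-all)\s*$') {
    "       Warning: SPF does not end in ~all or -all, so it asks receivers to reject nothing."
}

# Microsoft 365 DKIM uses two CNAME records, selector1 and selector2,
# pointing at Microsoft's signing keys for your tenant.
foreach ($sel in 'selector1', 'selector2') {
    $dkim = Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($dkim) { "DKIM:  $sel -> $($dkim.NameHost)" } else { "DKIM:  $sel MISSING" }
}

# DMARC is a TXT record at _dmarc.<domain>; the p= tag is the policy.
$dmarc = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
    ForEach-Object { ($_.Strings -join '') } |
    Where-Object { $_ -like 'v=DMARC1*' }
if ($dmarc) {
    "DMARC: $dmarc"
    if ($dmarc -match 'p=none') {
        "       Policy is p=none: you receive reports but nothing is quarantined or rejected yet."
    }
} else {
    "DMARC: MISSING"
}
```

The DKIM CNAMEs existing in DNS is only half the job; signing also has to be switched on in Microsoft 365. If you have the ExchangeOnlineManagement module, `Get-DkimSigningConfig | Select-Object Domain, Enabled` shows whether it is actually on for each domain.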

What This Does Not Cover

These settings reduce the most common Microsoft 365 risks significantly. They do not replace staff training, DNS filtering at the network level, endpoint security on devices, or proper monitoring. Security is layered. Microsoft 365 configuration is one important layer.

Get Your Microsoft 365 Settings Checked

We review Microsoft 365 security settings as part of our managed IT and cyber security packages. Ring us and we will tell you what your current configuration looks like and where the gaps are.

Get in Touch 02890 184 600
