Microsoft 365 Security Settings Every Small Business Should Turn On
The default Microsoft 365 settings are not enough to protect your business — here are the key security controls Australian SMBs should enable right now.
Microsoft 365 is the backbone of most Australian small businesses — email, documents, Teams, cloud storage, all in one subscription. But out of the box, a Microsoft 365 tenant is not as secure as it could be. Microsoft makes sensible default choices, but "sensible" is not the same as "sufficient". The settings below can make a significant difference to your security posture, and many of them cost nothing beyond the time to configure them.
Enable Multi-Factor Authentication for All Users
This is the single highest-impact action you can take. MFA prevents attackers from accessing accounts even when they have a valid username and password — which they increasingly do, thanks to data breaches and phishing campaigns.
There are two ways to enable MFA across your organisation:
- Security Defaults (free, all plans): A one-click option that enforces MFA for all users and blocks legacy authentication. Go to the Azure Active Directory admin centre, select Properties, then Manage Security Defaults. This is the fastest and easiest path for businesses without complex requirements.
- Conditional Access (requires Business Premium or Azure AD P1): Provides more control — for example, requiring MFA only when users are outside your office network, or applying different rules to admin accounts. More complex to configure but more flexible.
If you do nothing else on this list, do this.
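An added example, not from the article, of checking MFA coverage and then switching on Security Defaults with the Microsoft.Graph PowerShell module. It assumes the registration report needs an Azure AD P1 licence (included with Business Premium); the Security Defaults toggle itself works on any plan.

```powershell
# Added example (not from the article): find users who have not registered MFA,
# then turn on Security Defaults. Requires the Microsoft.Graph PowerShell module.
# The registration report is assumed to need an Azure AD P1 licence.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Who is not yet MFA-capable? Admin accounts without MFA are the ones to chase first.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, @{n='Methods'; e={ $_.MethodsRegistered -join ',' }} |
    Sort-Object IsAdmin -Descending |
    Format-Table -AutoSize
"$($notRegistered.Count) user(s) have no MFA method registered."

# 2. Check the current state of Security Defaults, then enable it.
#    (Enabling fails if the tenant already uses Conditional Access policies;
#    in that case enforce MFA through those policies instead.)
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    "Security Defaults are already enabled."
} else {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    "Security Defaults enabled: users will be prompted to register MFA at their next sign-in."
}
```

Re-run step 1 a week or two later to confirm the registration count is falling, and follow up with anyone still listed.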
Block Legacy Authentication
Legacy authentication protocols — older connection methods used by some email clients and applications — do not support MFA. Attackers specifically target these protocols because they allow credential-based access that bypasses your MFA controls entirely. Enabling Security Defaults blocks legacy authentication automatically. If you are using Conditional Access instead, create a policy that blocks all legacy authentication clients. Check first whether any of your business applications rely on legacy protocols — most modern apps do not — and migrate away from anything that does before blocking.
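The check-then-block sequence described above, as an added example (not the article's own code) using the Microsoft.Graph PowerShell module. It assumes the tenant has Azure AD P1 (Business Premium) for Conditional Access and 30 days of sign-in logs; the break-glass account ID is a placeholder you must replace.

```powershell
# Added example (not from the article): list recent legacy-auth sign-ins, then
# create a Conditional Access policy that blocks them, starting in report-only mode.
# Assumes Azure AD P1 and the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Check first: which users and apps still authenticate with legacy protocols?
#    Anything other than "Browser" or "Mobile Apps and Desktop clients" is legacy
#    (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...).
$modern = @("Browser", "Mobile Apps and Desktop clients")
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Create the block policy in report-only mode. Once the list above is empty
#    (or every remaining client has been migrated), change State to "enabled".
$breakGlassId = "<object-id-of-your-emergency-access-account>"   # placeholder
$policy = @{
    DisplayName = "Block legacy authentication"
    State       = "enabledForReportingButNotEnforced"
    Conditions  = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlassId) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")   # the legacy client types
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

While the policy is in report-only mode, the sign-in log shows which sign-ins it would have blocked, so you can confirm nothing business-critical is affected before enforcing it.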
Turn On Audit Logging
Audit logging records what happens in your Microsoft 365 environment — who logged in, from where, what emails were sent, what files were accessed or deleted. This information is invaluable if you ever need to investigate an incident. In some Microsoft 365 plans, audit logging must be manually enabled.
Go to the Microsoft Purview compliance portal (compliance.microsoft.com), navigate to Audit, and confirm that auditing is turned on. Logs are retained for 90 days on most plans (one year on Business Premium and above). Enable it now — you cannot go back and recover logs from before you turned it on.
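As an added example (not from the article), the same check done from Exchange Online PowerShell, followed by a sample search of the log so you can confirm events are actually being recorded. It assumes the ExchangeOnlineManagement module and a Global Administrator or equivalent role.

```powershell
# Added example (not from the article): verify unified audit logging is on,
# enable it if not, and run a quick sample search. Requires the
# ExchangeOnlineManagement module and an admin role that can manage audit settings.
Connect-ExchangeOnline

# Is ingestion into the unified audit log switched on?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF - enabling now (it can take up to an hour to take effect)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    "Unified audit log is already enabled."
}

# Sample search: which files were deleted or downloaded in the last 7 days, by whom,
# and from which IP address? This is the kind of question you will ask during an incident.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations "FileDeleted", "FileDownloaded" -ResultSize 500 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json     # event details are a JSON string
        [pscustomobject]@{
            When   = $_.CreationDate
            Who    = $_.UserIds
            What   = $_.Operations
            File   = $d.ObjectId
            FromIP = $d.ClientIP
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

If the search returns nothing on a busy tenant, auditing was probably only just enabled; events can take some time to appear after the setting is turned on.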
Configure Safe Links and Safe Attachments
These features require Microsoft 365 Business Premium or Defender for Office 365 Plan 1.
Safe Links checks URLs in emails and Office documents against Microsoft's threat intelligence database at the time of click — not just at the time of delivery. This catches attacks where a link is benign when the email arrives but is later redirected to a malicious site.
Safe Attachments opens email attachments in a sandboxed environment before delivering them to your inbox, detecting malware that has not yet been identified by standard antivirus signatures.
Both are configured in the Microsoft Defender portal (security.microsoft.com) under Email and Collaboration policies. Enable both with at minimum the Standard preset security policy, which Microsoft maintains with current threat intelligence.
Set Up Anti-Phishing and Anti-Spam Policies
Microsoft 365 includes anti-phishing protection that can be tuned to provide stronger defences than the default. In the Defender portal, review your anti-phishing policy and consider enabling:
- Impersonation protection: Add your key executives and domain names so that emails impersonating them are flagged or quarantined.
- Spoof intelligence: Review and manage which external senders are allowed to spoof your domain.
- Mailbox intelligence: Uses your contacts and email history to identify unusual sender behaviour.
Review your anti-spam policy settings and ensure that high-confidence spam and phishing messages are quarantined rather than delivered to junk folders.
Review Mailbox Forwarding Rules
One of the most common indicators of a business email compromise (BEC) attack is a hidden forwarding rule that silently copies all incoming email to an external address controlled by the attacker. These rules are often set up within minutes of an account being compromised and can go undetected for months.
Check your forwarding rules regularly. In the Exchange admin centre (admin.exchange.microsoft.com), review Transport Rules and individual mailbox forwarding settings. Consider blocking automatic external forwarding at the organisation level — most small businesses have no legitimate need for employees to auto-forward company email to external addresses.
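The review and the organisation-level block described above, as an added example (not the article's own code) in Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example (not from the article): list every forwarding path out of the tenant
# (mailbox settings, inbox rules and transport rules), then block automatic external
# forwarding tenant-wide. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin, or by an attacker with admin access)
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect: the hidden rules typical of BEC.
#    DeleteMessage = True alongside a forward is a strong sign of tampering.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

# 3. Transport (mail flow) rules that redirect or silently copy mail elsewhere
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, AddToRecipients

# 4. Block automatic external forwarding at the organisation level.
#    Two settings are involved: the outbound spam policy governs auto-forwarding
#    by inbox rules and mailbox settings ...
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#    ... and the default remote domain covers client-side auto-forward.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Schedule steps 1 to 3 to run regularly (monthly at least) and treat any new forwarding entry you did not create as a potential compromise until explained.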
Enable Mobile Device Management
Basic MDM is available on all Microsoft 365 plans; Intune (full MDM) requires Business Premium.
If staff access Microsoft 365 on their phones or tablets, Mobile Device Management lets you enforce basic security requirements — PIN locks, encryption, remote wipe capability if a device is lost or stolen. Basic MDM is built into Microsoft 365 and can be activated through the admin centre. For more comprehensive device management, including managing Windows PCs, Microsoft Intune is included with Business Premium.
Set Up Microsoft Secure Score
Microsoft Secure Score (security.microsoft.com/securescore) gives your tenant a security score and provides a prioritised list of recommended actions with step-by-step guidance. It is a useful dashboard for understanding where your gaps are and tracking improvements over time. Review it monthly and work through the recommendations in order of impact.
Data Retention and Basic DLP
Requires Microsoft 365 Business Premium or Microsoft 365 compliance add-ons for full functionality.
Data Loss Prevention (DLP) policies can automatically detect and block sharing of sensitive information — such as tax file numbers, credit card numbers, or medical records — via email or in documents. Even basic DLP policies configured through the Purview compliance portal can significantly reduce the risk of accidental data exposure. Retention policies ensure that important business records are preserved for the appropriate period and that data you no longer need is disposed of appropriately.
Configuring all of these settings in one sitting is ambitious — start with MFA, blocking legacy authentication, and reviewing mailbox forwarding rules. These three changes alone will address the most common attack vectors targeting Microsoft 365 tenants. Work through the rest over time, using Secure Score as your guide.
Frequently asked questions
Is Microsoft 365 secure out of the box for small businesses?
Not as secure as it could be. Microsoft ships Microsoft 365 with a set of default configurations designed to balance security with ease of setup, but several important protections are either disabled or not configured by default. Multi-factor authentication, for example, is not enforced by default for all users in older tenants. Advanced anti-phishing policies, audit logging, and controls on mailbox forwarding rules all require deliberate configuration. The good news is that most of the high-value settings described in this guide are available at no additional cost on standard plans.
Do I need Microsoft 365 Business Premium or will Business Basic do?
Business Basic gives you the core apps, email, and Teams, but lacks several important security features. Microsoft 365 Business Premium adds Microsoft Defender for Business (endpoint protection), Defender for Office 365 Plan 1 (Safe Links, Safe Attachments, advanced anti-phishing), Intune for device management, and Azure AD Premium P1 for Conditional Access policies. For businesses handling sensitive client data, financial information, or operating under any regulatory obligation, Business Premium is strongly recommended. If budget is a constraint, at minimum enable Security Defaults (free on all plans) and use the Secure Score dashboard to prioritise improvements.
How do I turn on MFA for all Microsoft 365 users?
The simplest approach is to enable Security Defaults, which enforces MFA for all users and is available on every Microsoft 365 plan at no extra cost. Go to the Azure Active Directory admin centre (aad.portal.azure.com), navigate to Properties, then Manage Security Defaults, and toggle it on. If you are on Business Premium and want more granular control — such as excluding specific scenarios or using number matching — you can configure Conditional Access policies instead. Microsoft has a step-by-step guide in their documentation, and your IT provider can assist if needed.