Microsoft 365 Security
If your business uses Microsoft 365, you already have access to powerful security features — many of which are free or included in your existing subscription. Most small businesses use only a fraction of what's available.
Enable multi-factor authentication for everyone
MFA is the single most important step you can take in Microsoft 365. It prevents the majority of account takeover attacks — even when passwords are compromised.
- Turn on Security Defaults in Microsoft Entra ID (formerly Azure Active Directory). It costs nothing, makes every user register for MFA within 14 days, always challenges administrators, prompts other users when a sign-in looks risky, and blocks legacy authentication protocols (IMAP, POP, SMTP AUTH) that cannot do MFA at all. Business Premium tenants can instead use Conditional Access to require MFA on every sign-in; the two cannot be used together.
- Use the Microsoft Authenticator app, or a FIDO2 security key or passkey, rather than SMS or voice codes where possible: a phone number can be hijacked by SIM swap, and Authenticator's number matching makes MFA prompt-bombing far less effective.
- Make sure every human account has MFA, including people who sign in only occasionally. Shared mailboxes should never be signed into directly, so block sign-in on them rather than relying on MFA, and replace service accounts that use a password with an app registration or managed identity, or at least restrict them with Conditional Access.
- Check coverage in the User registration details report under Authentication methods in the Entra admin centre, and use Secure Score in the Microsoft Defender portal (security.microsoft.com) to track the remaining MFA-related recommendations.
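The checks above can be scripted so you are not reading the coverage off a dashboard once a quarter. The following is an added example, not code from the original page or from Microsoft: it uses the Microsoft Graph PowerShell SDK to confirm whether Security Defaults is on and to list members who have not registered MFA, admins first. It assumes the SDK is installed, that your account can read policies and audit logs, and that the tenant has Entra ID P1 (included in Business Premium), which the registration-details report relies on.

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph PowerShell SDK is installed,
# the signed-in account may read policies and audit logs, and the tenant has Entra ID P1 or P2.
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Is Security Defaults switched on? A tenant using Conditional Access instead shows False,
#    which is acceptable only if a CA policy requires MFA for every user.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Registration coverage for members (guests are a separate conversation).
$members    = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All | Where-Object UserType -eq 'member')
$registered = @($members | Where-Object IsMfaRegistered)
$missing    = @($members | Where-Object { -not $_.IsMfaRegistered })
"MFA registered: $($registered.Count) of $($members.Count) member accounts"

# 3. Who is missing, admins first. These are the accounts to chase this week.
$missing | Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# 4. Registered, but only with a phone number (SMS/voice). 'mobilePhone' is the method name the
#    report uses for that; these users should move to Authenticator or a passkey.
$members |
    Where-Object { $_.IsMfaRegistered -and (($_.MethodsRegistered -join ',') -eq 'mobilePhone') } |
    Select-Object UserPrincipalName, IsAdmin |
    Format-Table -AutoSize
```

Run it before and after an MFA rollout; the admin rows in step 3 should be empty on day one, and the step 4 list is the backlog for moving people off SMS.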
Protect administrator accounts
Global administrator accounts in Microsoft 365 have the highest level of access. If an admin account is compromised, an attacker can lock you out of your entire Microsoft 365 environment.
- Use dedicated admin accounts — don't use your regular email account for administration.
- Give admin accounts no Microsoft 365 licence and therefore no mailbox: an account that cannot receive email cannot be phished through it. Use them only for admin tasks and do everyday work from a normal account.
- Require MFA on every admin account, preferably a phishing-resistant method such as a FIDO2 key or passkey. If you have Entra ID P2, use Privileged Identity Management so that Global Admin is activated just in time for a task rather than held permanently; PIM is an addition to MFA, not a substitute for it.
- Keep at least two Global Admin accounts so that one lockout does not lose the tenant, but fewer than five in total. Make one of them a cloud-only emergency access ("break-glass") account that is excluded from Conditional Access, has a long password stored offline, and raises an alert on any sign-in.
- Never share admin credentials — each admin should have their own account.
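A quick way to verify the rules in this section is to enumerate the Global Administrator role and check each member against them. This is an added example, not code from the original page or from Microsoft: it uses the Microsoft Graph PowerShell SDK and assumes the SDK is installed, that the signed-in account can read directory roles and licence details, and that your dedicated admin accounts follow an `adm-` naming prefix (an assumption; substitute your own convention).

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph PowerShell SDK and a reader
# of directory roles and user licences; the 'adm-' prefix is an assumed naming convention.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'Directory.Read.All' -NoWelcome

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Role members are returned as generic directory objects; skip groups and service principals.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $upn      = $m.AdditionalProperties['userPrincipalName']
    $licences = @(Get-MgUserLicenseDetail -UserId $m.Id)
    [pscustomobject]@{
        User      = $upn
        Licensed  = $licences.Count -gt 0      # a licensed admin has a mailbox, i.e. a phishing target
        Dedicated = $upn -like 'adm-*'         # assumed convention for admin-only accounts
        Licences  = ($licences.SkuPartNumber -join ',')
    }
}
$report | Format-Table -AutoSize

# Count check: too few and one lockout loses the tenant; too many and the blast radius grows.
$n = @($report).Count
if     ($n -lt 2) { Write-Warning "Only $n Global Admin account(s); add an emergency access account." }
elseif ($n -gt 4) { Write-Warning "$n Global Admins; Microsoft recommends fewer than five." }

# Anything licensed or not on a dedicated account needs a follow-up.
$report | Where-Object { $_.Licensed -or -not $_.Dedicated } |
    ForEach-Object { Write-Warning "Review: $($_.User) (licensed=$($_.Licensed), dedicated=$($_.Dedicated))" }
```

The emergency access account will appear in this list as unlicensed and, depending on your naming, possibly as not dedicated; document it as a known exception rather than renaming it to fit the check.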
External email warnings and anti-phishing
Microsoft 365 includes email security features that can significantly reduce the risk of phishing and business email compromise.
- Enable external email warnings so staff can see when an email comes from outside your organisation.
- Configure anti-phishing policies in the Microsoft Defender portal. Even the settings available on every plan (spoof intelligence, tagging of unauthenticated senders, first-contact safety tips) catch a large proportion of attacks; impersonation protection for named executives and your own domains needs Defender for Office 365.
- Enable Safe Links and Safe Attachments if you have Microsoft Defender for Office 365 (included in Business Premium).
- Publish SPF, DKIM and DMARC records in DNS for every domain you send from. SPF and DKIM let receiving mail servers verify that a message really came from your tenant; DMARC tells them what to do when it did not. Start with p=none to collect reports, then move to p=quarantine and finally p=reject once all your legitimate senders pass.
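The four items above are all tenant or DNS settings, so they can be applied from Exchange Online PowerShell in one sitting. This is an added example, not code from the original page or from Microsoft: it needs the ExchangeOnlineManagement module and an Exchange administrator, and `contoso.com` stands in for your own sending domain. Safe Links and Safe Attachments are left to the Defender portal's preset security policies because they depend on your licence.

```powershell
# Added example, not from the original page. Needs the ExchangeOnlineManagement module and an
# Exchange administrator; contoso.com is a placeholder for your sending domain (assumption).
Connect-ExchangeOnline -ShowBanner:$false
$domain = 'contoso.com'

# 1. Tag mail from outside the organisation with the "External" label in Outlook clients.
Set-ExternalInOutlook -Enabled $true

# 2. Harden the built-in anti-phishing policy using settings that exist on every plan (EOP).
#    Defender for Office 365 tenants can additionally switch on impersonation protection here.
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -EnableUnauthenticatedSender $true `
    -EnableViaTag $true `
    -EnableFirstContactSafetyTips $true `
    -AuthenticationFailAction Quarantine

# 3. DKIM: create the signing config, publish the two CNAMEs it reports, then enable signing.
#    Enabling before the CNAMEs resolve fails, so it is a separate step.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
Get-DkimSigningConfig -Identity $domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME | Format-List
# Once selector1._domainkey.$domain and selector2._domainkey.$domain resolve:
# Set-DkimSigningConfig -Identity $domain -Enabled $true

# 4. SPF and DMARC are TXT records at your DNS host. These values suit a tenant that sends only
#    through Microsoft 365; add other senders (newsletter tools, CRM) to the SPF include list.
$spf   = 'v=spf1 include:spf.protection.outlook.com -all'
$dmarc = "v=DMARC1; p=none; rua=mailto:dmarc-reports@$domain"   # step up to quarantine, then reject
"TXT $domain          $spf"
"TXT _dmarc.$domain   $dmarc"

# 5. Verify what is actually published (Resolve-DnsName is available on Windows).
foreach ($name in $domain, "_dmarc.$domain") {
    Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings -match '^v=(spf1|DMARC1)' } |
        ForEach-Object { "$name -> $($_.Strings -join '')" }
}
```

Keep DMARC at p=none for a few weeks and read the aggregate reports sent to the rua address before tightening; an early p=reject quietly drops mail from any legitimate system you forgot to add to SPF or DKIM.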
Secure email and file sharing
OneDrive, SharePoint, and Teams can be configured to prevent accidental or unauthorised sharing of sensitive business data.
- Review sharing settings in SharePoint and OneDrive and turn off the "Anyone with the link" option unless your business genuinely needs anonymous links; if you keep it, make the links view-only by default and give them an expiry.
- Enable sensitivity labels to classify and protect confidential documents.
- Audit who has access to shared drives and team sites — remove access for anyone who no longer needs it.
- Review external sharing settings: restrict sharing to named partner domains or block consumer mail domains so staff can't share confidential data to personal email addresses, and stop external users from re-sharing what they receive.
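The sharing controls in this section live on the SharePoint tenant object and can be read, set and audited from SharePoint Online PowerShell. This is an added example, not code from the original page or from Microsoft: it needs the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator, `contoso` stands in for your tenant name, and the Finance site URL and the list of blocked consumer domains are placeholders to adapt.

```powershell
# Added example, not from the original page. Needs the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint administrator; "contoso" and the Finance site are placeholders (assumptions).
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Current tenant-wide settings. OneDrive follows these unless configured more strictly.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, PreventExternalUsersFromResharing,
    SharingDomainRestrictionMode, SharingBlockedDomainList

# Hardened baseline: no "Anyone" links, view-only internal links by default, no guest re-sharing,
# and consumer mail domains blocked so files cannot be shared to personal addresses.
$baseline = @{
    SharingCapability                 = 'ExternalUserSharingOnly'   # external recipients must sign in
    DefaultSharingLinkType            = 'Internal'                  # "People in your organisation"
    DefaultLinkPermission             = 'View'
    PreventExternalUsersFromResharing = $true
    SharingDomainRestrictionMode      = 'BlockList'
    SharingBlockedDomainList          = 'gmail.com outlook.com hotmail.com yahoo.com icloud.com'
}
Set-SPOTenant @baseline

# A site holding confidential data can be locked down further than the tenant default.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Finance' -SharingCapability Disabled

# Access audit: every site that still allows external sharing, with a count of guest accounts
# (guest logins carry the #ext# marker in their login name).
Get-SPOSite -Limit All | Where-Object SharingCapability -ne 'Disabled' | ForEach-Object {
    $guests = @(Get-SPOUser -Site $_.Url -Limit All | Where-Object LoginName -like '*#ext#*')
    [pscustomobject]@{ Site = $_.Url; Sharing = $_.SharingCapability; Guests = $guests.Count }
} | Format-Table -AutoSize
```

A block list is the pragmatic choice for a small business that shares with many different customers; if you work with a fixed set of partners, `SharingDomainRestrictionMode = 'AllowList'` with `SharingAllowedDomainList` is the tighter option.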
Regular access reviews
People join and leave businesses, and their access requirements change. Regular access reviews ensure you're not accumulating unnecessary privileges over time.
- Conduct a quarterly review of which accounts are active and what they have access to.
- Disable accounts on the day staff leave (from the admin centre or PowerShell), then revoke their sign-in sessions and reset the password so that tokens cached on personal devices stop working before you remove the licence or convert the mailbox.
- Review any accounts with Global Admin or other privileged roles — remove permissions that are no longer needed.
- Check for inactive accounts: an enabled account with no sign-in for 90 days is either a leaver who was missed or a standing credential nobody is watching, and either way it is worth investigating.
- Use the Microsoft 365 Secure Score as a benchmark and track your improvement over time.
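The quarterly review and the offboarding step above are the two pieces most worth automating. This is an added example, not code from the original page or from Microsoft: it uses the Microsoft Graph PowerShell SDK to list enabled member accounts with no sign-in in 90 days (interactive or non-interactive), and wraps the offboarding sequence in a function. It assumes the SDK is installed, the signed-in account can read audit logs and update users, and the tenant has Entra ID P1 (included in Business Premium), which the sign-in activity data requires; `Disable-LeaverAccount` and the sample UPN are names chosen for this example.

```powershell
# Added example, not from the original page. Assumes the Microsoft.Graph PowerShell SDK, an account
# that can read audit logs and update users, and Entra ID P1/P2 for signInActivity data.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All', 'User.RevokeSessions.All' -NoWelcome

$cutoff = (Get-Date).AddDays(-90)
$users  = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, UserType,
                                   AccountEnabled, CreatedDateTime, SignInActivity

# Enabled members whose most recent sign-in of either kind is older than the cutoff.
# Accounts created inside the window are skipped: they have not had 90 days to sign in yet.
$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled -or $u.UserType -ne 'Member') { continue }
    if ($u.CreatedDateTime -gt $cutoff) { continue }
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if (-not $last -or $last -lt $cutoff) {
        [pscustomobject]@{ User = $u.UserPrincipalName; Name = $u.DisplayName; LastSignIn = $last; Created = $u.CreatedDateTime }
    }
}
$stale | Sort-Object LastSignIn | Format-Table -AutoSize

# Offboarding: disable first, then revoke sessions so refresh tokens on personal devices die too.
# Licence removal and mailbox conversion come afterwards, once the account can no longer sign in.
function Disable-LeaverAccount {
    param([Parameter(Mandatory)][string]$UserPrincipalName)   # example helper, not a Microsoft cmdlet
    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    "Disabled and signed out: $UserPrincipalName"
}

# Example call with a placeholder address:
# Disable-LeaverAccount -UserPrincipalName 'leaver@contoso.com'
```

Treat the stale list as a worksheet, not an auto-disable feed: seasonal staff, long-term leave and the emergency access account all legitimately show no recent sign-in, and the point of the review is to make someone confirm each one.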