Microsoft 365 settings every business should turn on.
Microsoft 365 ships with insecure defaults. Five settings take under an hour and shut the door on the most common cloud attacks.
Microsoft 365 is the most common attack surface for small businesses because everyone uses it and most people leave the default settings in place. The defaults are convenient. They are not secure. Five changes inside the admin center take under an hour and remove the most common attack paths we see.
Why defaults aren't safe
Microsoft has to ship a product that works for a one-person consultancy and a Fortune 500 out of the same installer. The defaults lean toward usability so nothing breaks. You as a business owner have to decide to turn on the security posture you actually need — nobody else will do it for you.
What attackers exploit in real M365 tenants
“A small marketing firm left ‘legacy authentication’ enabled, which allows password-only logins for old protocols.”
Red flag: Attackers brute-forced their way into a senior account using leaked passwords from unrelated breaches. MFA didn't apply to legacy auth.
“An accounting firm's email was compromised and the attacker set up an auto-forward rule to send all messages to an outside Gmail address.”
Red flag: External forwarding was allowed by default. The attacker read every client email for three weeks before anyone noticed.
The five to flip
- Turn on MFA for every account through a Conditional Access policy.
- Disable legacy authentication (block basic auth protocols like IMAP/POP/SMTP with passwords).
- Block external email auto-forwarding by default.
- Enable the unified audit log — it's off by default in older tenants.
- Set up alert policies for suspicious sign-ins, impossible travel, and mail forwarding rule changes.
Want us to tune your tenant?
An M365 security baseline takes us a morning. We'll hand back a report of what we changed and why.
1. Log into admin.microsoft.com and check whether MFA is enforced. If not, fix it this week.
2. Disable legacy authentication in Entra ID Conditional Access.
3. Block external auto-forwarding in the Exchange transport rules.
4. Verify the audit log is enabled — look for the toggle in the compliance portal.
5. Turn on the built-in alert policies and send the alerts to an inbox someone actually monitors.
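A read-only PowerShell audit of the five settings above, added here as an example and not the original post's code. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the signed-in account has read rights to the tenant, and that the outbound spam policy and remote domain carry their standard name, Default.

```powershell
# Added read-only audit of the five settings (not the original post's code).
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed
# and the signed-in account has read rights (Global Reader or equivalent).
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                      # Security & Compliance session for alert policies
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Setting, [bool]$Ok, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Setting = $Setting; Status = $(if ($Ok) { 'OK' } else { 'FIX' }); Detail = $Detail })
}

# 1 and 2. Conditional Access: an enabled policy requiring MFA for all users, and an
# enabled policy blocking legacy clients (client app type 'other' covers basic auth).
$ca = Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled'
$mfa = $ca | Where-Object { $_.Conditions.Users.IncludeUsers -contains 'All' -and $_.GrantControls.BuiltInControls -contains 'mfa' }
Add-Finding 'MFA required for all users' ([bool]$mfa) "$(@($mfa).Count) enabled policy(ies) require MFA for All users"
$legacy = $ca | Where-Object { $_.Conditions.ClientAppTypes -contains 'other' -and $_.GrantControls.BuiltInControls -contains 'block' }
Add-Finding 'Legacy authentication blocked' ([bool]$legacy) "$(@($legacy).Count) enabled policy(ies) block legacy clients"

# 3. External auto-forwarding: the default outbound spam policy and remote domain,
#    plus any mailbox already forwarding to an outside SMTP address.
$spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
Add-Finding 'Auto-forwarding off (outbound spam policy)' ($spam.AutoForwardingMode -eq 'Off') "AutoForwardingMode = $($spam.AutoForwardingMode)"
$rd = Get-RemoteDomain -Identity Default
Add-Finding 'Auto-forwarding off (default remote domain)' (-not $rd.AutoForwardEnabled) "AutoForwardEnabled = $($rd.AutoForwardEnabled)"
$fwd = Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingSmtpAddress }
Add-Finding 'No mailbox forwards externally' (-not $fwd) "$(@($fwd).Count) mailbox(es) with ForwardingSmtpAddress set"

# 4. Unified audit log ingestion.
$audit = Get-AdminAuditLogConfig
Add-Finding 'Unified audit log enabled' ([bool]$audit.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled = $($audit.UnifiedAuditLogIngestionEnabled)"

# 5. Alert policies: flag any that have been switched off.
$off = Get-ProtectionAlert | Where-Object { $_.Disabled }
Add-Finding 'Alert policies enabled' (-not $off) "$(@($off).Count) alert policy(ies) disabled"

$findings | Format-Table -AutoSize
```

Every row marked FIX maps to one of the five steps above; the script changes nothing, so it is safe to re-run after each fix to confirm the setting took.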
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.