Is your Microsoft 365 tenant secure? 8 settings most admins miss

Nick Stafford

Chief Revenue Officer


Microsoft 365 ships with powerful security features. Most of them are turned off by default. A brand-new tenant with default settings is missing conditional access, anti-phishing protection, data loss prevention, audit logging, and dozens of other controls that Microsoft built but left for administrators to enable. Most small business admins never find them.

Here are the 8 Microsoft 365 security settings that make the biggest difference and that most tenants are missing.

Microsoft 365 security settings to configure now

1. Security defaults or conditional access

Security defaults is a single toggle that enforces MFA for all users and blocks legacy authentication. It is the absolute minimum. Conditional access policies go further: requiring MFA only from untrusted networks, blocking sign-ins from risky locations, and requiring compliant devices for access to sensitive data. If neither is enabled, your tenant accepts password-only logins from anywhere on Earth.

2. Anti-phishing policies

Microsoft 365 includes anti-phishing protection that detects impersonation of your executives and trusted domains. It ships in a permissive state. Tightening the policy to quarantine messages that impersonate your CEO, CFO, and domain catches the business email compromise attacks that cause the most financial damage.

3. Safe attachments and safe links

Safe attachments detonates email attachments in a sandbox before delivery, catching malware that signature-based scanning misses. Safe links rewrites URLs in email and Office documents to route through Microsoft’s reputation checking at click time, not just delivery time. Both features exist in Business Premium and E5 licenses but require policy configuration to activate.

4. Unified audit logging

Audit logging records who accessed what, when, and from where across Exchange, SharePoint, OneDrive, Teams, and Azure AD. It is essential for breach investigation and compliance evidence. By default, retention is 90 days. Organizations with compliance requirements should extend this and configure alert policies for suspicious activity patterns.

5. Data loss prevention (DLP)

DLP policies detect and prevent sensitive information from leaving your organization through email, Teams messages, and file sharing. Pre-built templates cover credit card numbers, social security numbers, health records, and financial data. Without DLP, an employee can email a spreadsheet containing 10,000 customer SSNs to their personal Gmail without anyone noticing.

6. External sharing restrictions in SharePoint and OneDrive

Default settings allow users to share files and folders with anyone, including anonymous links that require no authentication. Tightening external sharing to require authentication, restricting anonymous links, and enabling expiration dates on shared links prevents the accidental data exposure that is the most common cause of cloud data breaches.

7. Multi-factor authentication for all admins

Global administrator accounts without MFA are the highest-risk credentials in your organization. A compromised admin account gives an attacker full control over your entire tenant: every mailbox, every file, every user. MFA on admin accounts is non-negotiable. Extend it to all users for complete protection.

8. Mailbox audit logging for all users

Mailbox auditing tracks actions like message access, deletion, and forwarding rule creation. It is on by default for new tenants since 2019, but older tenants may have it disabled. More importantly, the default audit actions miss some critical events. Configuring additional audit actions for delegate access, mailbox login, and send-as operations provides complete visibility.
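The following PowerShell is an added example, not code from the article: it checks settings 4 and 8 from an Exchange Online session, reporting whether unified audit log ingestion and organization-level mailbox auditing are on and which mailboxes lack the mailbox-login, delegate-access and send-as audit actions. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with an admin account; the action lists are the ones named in the article and can be extended.

```powershell
# Added example: audit (and optionally fix) M365 audit-logging settings 4 and 8.
# Assumes ExchangeOnlineManagement is loaded and Connect-ExchangeOnline has run.
param(
    [switch]$Fix   # omit to report only; pass -Fix to apply the changes
)

# Setting 4: unified audit log ingestion must be on or nothing below is searchable
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF for this tenant"
    if ($Fix) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}

# Setting 8: organization-level mailbox auditing (AuditDisabled = $true means off)
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organization level"
    if ($Fix) { Set-OrganizationConfig -AuditDisabled $false }
}

# Audit actions the article calls out: owner logins, delegate access, send-as
$wantOwner    = @('MailboxLogin', 'UpdateInboxRules')
$wantDelegate = @('FolderBind', 'SendAs', 'SendOnBehalf', 'UpdateInboxRules')

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $missingOwner    = @($wantOwner    | Where-Object { $mbx.AuditOwner    -notcontains $_ })
    $missingDelegate = @($wantDelegate | Where-Object { $mbx.AuditDelegate -notcontains $_ })

    if (-not $mbx.AuditEnabled -or $missingOwner.Count -or $missingDelegate.Count) {
        if ($Fix) {
            # Only add the actions that are actually missing; keep existing ones intact
            $params = @{ Identity = $mbx.Identity; AuditEnabled = $true }
            if ($missingOwner.Count)    { $params.AuditOwner    = @{ Add = $missingOwner } }
            if ($missingDelegate.Count) { $params.AuditDelegate = @{ Add = $missingDelegate } }
            Set-Mailbox @params
        }
        [pscustomobject]@{
            Mailbox         = $mbx.UserPrincipalName
            AuditEnabled    = $mbx.AuditEnabled
            MissingOwner    = ($missingOwner -join ',')
            MissingDelegate = ($missingDelegate -join ',')
        }
    }
}

# Mailboxes with gaps; an empty table means every mailbox already logs these actions
$report | Format-Table -AutoSize
```

Run it without -Fix first and keep the output as evidence of the pre-change state; a second run after -Fix should return an empty table.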

Why these settings are not enabled by default

Microsoft builds for the broadest possible audience. Security settings that could disrupt user workflows or break legacy applications ship disabled to avoid support tickets from the millions of organizations that would not understand why something stopped working. The settings exist. Enabling them is your responsibility or your managed IT provider’s responsibility.

A properly configured Microsoft 365 tenant is one of the most secure productivity platforms available. A default-configured tenant is one of the most commonly breached. The difference is not licensing. It is configuration.

If you are unsure which of these settings are enabled in your tenant, our M365 management team can run a security audit and show you exactly where the gaps are.
