The Microsoft 365 Security Settings Most Businesses Have Never Turned On

Microsoft 365 is one of the most powerful security platforms available to small and medium businesses. It also comes with the vast majority of its security controls switched off by default. You are paying for a feature set that, in most cases, has never been configured.

Here are the settings that make the biggest difference, and why they are turned off in the first place.

Why Are They Off By Default?

Microsoft ships 365 with conservative defaults to avoid breaking existing workflows during migration. The assumption is that your IT provider or internal team will configure the security controls post-deployment. In practice, many businesses go live and never revisit it.

If your Microsoft 365 environment was set up more than 12 months ago and has not been audited since, there is a very good chance critical controls are still off.

1. Multi-Factor Authentication (MFA)

MFA is the single most impactful control you can enable. Microsoft's own data shows that MFA blocks over 99% of automated account compromise attacks. And yet a significant number of Microsoft 365 tenants still have it disabled or only partially enforced.

The key is enforcement via Conditional Access, not just the "Security Defaults" toggle. Conditional Access lets you require MFA based on user role, location, device compliance, and risk level. It is a far more flexible and robust implementation.

What to check: Go to Azure Active Directory, then Security, then Conditional Access. If no enabled policies are listed there, MFA is not being enforced through Conditional Access, whatever the Security Defaults toggle says.

2. Defender for Office 365 Anti-Phishing Policies

Microsoft 365 Business Premium includes Defender for Office 365, which adds anti-phishing, safe links, and safe attachments. The problem is that the default policy is weak, and many businesses never configure the enhanced protection settings.

Specifically, you want to enable impersonation protection for your key users and domains, and set safe attachments to block or replace suspicious files rather than just scanning them. These settings alone will catch a significant percentage of targeted phishing attempts that would otherwise land in inboxes.

3. Audit Logging

Unified Audit Logging needs to be explicitly enabled in Microsoft 365. Without it, you have no record of who accessed what, when files were downloaded, or when configuration changes were made. In the event of a security incident, this is the difference between being able to investigate and being completely in the dark.

Go to the Microsoft Purview compliance portal, select Audit, and check whether logging is on. If you have never done this, it is probably off.

4. External Sharing Controls in SharePoint and OneDrive

By default, Microsoft 365 allows your users to share files with anyone using a link, including unauthenticated external users. For most businesses, this is far too permissive.

At minimum, external sharing should require recipients to authenticate with a Microsoft account. For businesses handling sensitive data, sharing should be restricted to specific domains or disabled entirely for certain libraries.

5. Admin Role Hygiene

It is common to find Microsoft 365 tenants where every IT contact has been given Global Administrator rights, or where former staff accounts still hold admin roles. Global Admin is the highest-privilege role in the tenant. It should be used only when absolutely necessary and protected with privileged identity management (PIM) if your licence allows.

Run an audit of your admin roles. Remove any accounts that do not need elevated access. Ensure Global Admin accounts are separate from day-to-day user accounts.

6. Legacy Authentication Protocols

Older email clients and some line-of-business applications connect using legacy authentication (basic authentication over protocols such as IMAP and POP3), which does not support MFA. Attackers specifically target these protocols because they bypass modern authentication controls entirely.

Unless you have a specific business requirement for legacy protocols, they should be blocked via Conditional Access. Microsoft has been deprecating basic authentication progressively, but the block is not applied automatically to all tenants.
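The checks in sections 1, 2, 3, 5 and 6 can be scripted rather than clicked through. The following is an added example, not part of the original article, written against the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module; it assumes both modules are installed and that the signed-in account has read access to Entra ID and Exchange Online. It reports findings only and changes nothing in the tenant.

```powershell
# Added read-only audit of the controls discussed above. Assumes the Microsoft.Graph
# and ExchangeOnlineManagement modules are installed and the account can read both.
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()

# 1. MFA: is there at least one enabled Conditional Access policy that requires MFA?
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All
$mfaPolicies = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $mfaPolicies) { $findings += "No enabled Conditional Access policy requires MFA" }

# 6. Legacy authentication: look for an enabled policy that blocks the 'other' client app type
$legacyBlock = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}
if (-not $legacyBlock) { $findings += "No Conditional Access policy blocks legacy authentication" }

# 2. Defender for Office 365: impersonation protection and the Safe Attachments action
Get-AntiPhishPolicy | ForEach-Object {
    if (-not ($_.EnableTargetedUserProtection -and $_.EnableTargetedDomainsProtection)) {
        $findings += "Anti-phish policy '$($_.Name)' lacks user/domain impersonation protection"
    }
}
Get-SafeAttachmentPolicy | Where-Object { $_.Action -notin 'Block','Replace' } | ForEach-Object {
    $findings += "Safe Attachments policy '$($_.Name)' action is '$($_.Action)', not Block/Replace"
}

# 3. Unified Audit Log ingestion must be switched on explicitly
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings += "Unified Audit Logging is not enabled"
}

# 5. Admin role hygiene: list who currently holds Global Administrator for review
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$findings += "Global Administrator holders ($($gaMembers.Count)): " +
    (($gaMembers | ForEach-Object { $_.AdditionalProperties.userPrincipalName }) -join ', ')

$findings
```

SharePoint and OneDrive sharing (section 4) is not covered here because it needs the separate SharePoint Online Management Shell and your tenant's admin URL.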

What to Do Next

Running through these settings manually is possible, but time-consuming and easy to get wrong. A Microsoft 365 security review will cover these controls and more, giving you a clear picture of your configuration gaps and a prioritised remediation plan.

Most of the fixes above are configuration changes, not additional cost. If you are already paying for Microsoft 365 Business Premium, the tools are there. They just need to be turned on.

Want a Microsoft 365 security review? We can assess your tenant configuration and close the gaps.