Microsoft 365 is secure. Your Microsoft 365 tenant probably is not. The platform ships with reasonable defaults and a lot of switches that nobody has ever flipped. Below are the ten we find switched off most weeks in the tenants we inherit.
1. Phishing-resistant MFA for everyone
Not “most people”. Everyone. Including the CFO who keeps complaining. If you are not even on Microsoft Authenticator with number matching yet, start there: it is free, fast, and kills push-fatigue attacks. But be clear about what it does not do. The adversary-in-the-middle phishing kits that are now mainstream proxy the whole sign-in, including the push approval, and walk off with the session cookie; number matching does nothing against them. Phishing-resistant in Microsoft’s sense means passkeys (FIDO2 keys or Authenticator passkeys), Windows Hello for Business or certificate-based authentication, enforced with the built-in “Phishing-resistant MFA” authentication strength in conditional access. Admins first, then everyone.
2. Conditional access baselines
If you have Business Premium, you have Entra ID P1, which means you have conditional access. At minimum: block legacy authentication, require compliant or hybrid-joined devices for admins, and require MFA for everyone, not only from unknown locations. Create every policy in report-only mode first, exclude a break-glass account from all of them, and check the sign-in logs before you flip to enforced. That is a 90-minute configuration on a quiet Tuesday.
3. Sign-in risk policies
Identity Protection flags sign-ins with atypical travel or unfamiliar sign-in properties, and flags users whose credentials turn up in a leak. Two risk-based conditional access policies cover it: sign-in risk medium or high requires MFA, and user risk high requires MFA plus a secure password change. Both catch compromise before the attacker gets useful access. Caveat: risk-based policies need Entra ID P2, which Business Premium does not include, so budget for the P2 add-on or an E5 SKU.
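The policies from items 1 to 3, written out as an added example for this post (not the author’s own script) in Microsoft Graph PowerShell. It assumes the Microsoft.Graph module, a Conditional Access Administrator role, a placeholder break-glass account object ID, and the built-in ID of the “Phishing-resistant MFA” authentication strength, which you should confirm in your own tenant as the comment says. Everything is created in report-only mode.

```powershell
# Added example (not from the original post): the conditional access baselines
# from items 1 to 3, created through Microsoft Graph PowerShell in report-only mode.
# Assumptions: Microsoft.Graph module installed; you hold Conditional Access Administrator;
# $breakGlass is your emergency-access account's object ID (placeholder GUID here).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlass        = "11111111-2222-3333-4444-555555555555"  # placeholder: your break-glass account
$globalAdminRole   = "62e90394-69f5-4237-9190-012177145e10"  # Global Administrator role template ID
# Built-in "Phishing-resistant MFA" authentication strength. Confirm the ID in your
# tenant with: Get-MgPolicyAuthenticationStrengthPolicy | Select-Object DisplayName, Id
$phishingResistant = "00000000-0000-0000-0000-000000000004"

$allApps  = @{ includeApplications = @("All") }
$allUsers = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
$admins   = @{ includeRoles = @($globalAdminRole); excludeUsers = @($breakGlass) }
$report   = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing sign-in logs

$policies = @(
  @{  # Item 2: kill basic-auth protocols that cannot do MFA at all
    displayName   = "CA001 Block legacy authentication"
    state         = $report
    conditions    = @{ clientAppTypes = @("exchangeActiveSync", "other"); applications = $allApps; users = $allUsers }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
  },
  @{  # Item 1: admins must satisfy the phishing-resistant strength (passkey/FIDO2/WHfB/CBA)
    displayName   = "CA002 Admins require phishing-resistant MFA"
    state         = $report
    conditions    = @{ clientAppTypes = @("all"); applications = $allApps; users = $admins }
    grantControls = @{ operator = "OR"; authenticationStrength = @{ id = $phishingResistant } }
  },
  @{  # Item 2: admins from managed devices. Kept as its own policy because a policy has
      # one operator: "strength AND (compliant OR hybrid-joined)" needs two policies.
    displayName   = "CA003 Admins require compliant or hybrid-joined device"
    state         = $report
    conditions    = @{ clientAppTypes = @("all"); applications = $allApps; users = $admins }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
  },
  @{  # Item 1: everyone gets MFA everywhere, not only from "unknown locations"
    displayName   = "CA004 All users require MFA"
    state         = $report
    conditions    = @{ clientAppTypes = @("all"); applications = $allApps; users = $allUsers }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{  # Item 3: risky sign-in must re-prove with MFA (needs Entra ID P2)
    displayName   = "CA005 Sign-in risk medium or high requires MFA"
    state         = $report
    conditions    = @{ clientAppTypes = @("all"); applications = $allApps; users = $allUsers; signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
  },
  @{  # Item 3: risky user gets MFA then a secure password change (passwordChange requires mfa with AND)
    displayName   = "CA006 User risk high requires secure password change"
    state         = $report
    conditions    = @{ clientAppTypes = @("all"); applications = $allApps; users = $allUsers; userRiskLevels = @("high") }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
  }
)

foreach ($p in $policies) {
  $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
  "{0,-55} {1}" -f $created.DisplayName, $created.State
}

# Review before enforcing: report-only outcomes appear in the sign-in logs under "Report-only".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Two things worth noticing in the script. The admin device requirement is a separate policy from the phishing-resistant requirement because a single conditional access policy has one grant operator, so “strong auth AND (compliant OR hybrid-joined)” cannot be expressed in one. And the break-glass exclusion is on every policy, including the block: a tenant where the only Global Admin is locked out by its own conditional access is a support ticket nobody enjoys.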
4. External sender banner
Two layers. Set-ExternalInOutlook -Enabled $true turns on the native “External” tag that Outlook clients render on the sender, which an attacker cannot remove from their message. On top of that, a transport rule prepends a yellow banner to every message from outside your tenant. Users start spotting the “looks internal but is not” phishing emails immediately. Biggest bang for no buck.
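Both layers in Exchange Online PowerShell, as an added example (not code from the original post). It assumes the ExchangeOnlineManagement module, an Exchange Administrator role, and “contoso.com” as a stand-in for your own domain; the banner HTML and header name are ours to illustrate.

```powershell
# Added example: external sender marking in Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed; Exchange Administrator role;
# "contoso.com" is a placeholder for your own domain.
Connect-ExchangeOnline

# Layer 1: the native "External" tag Outlook renders on the sender. This one is
# computed by the service, so a phisher cannot suppress it from inside the message.
Set-ExternalInOutlook -Enabled $true
Get-ExternalInOutlook | Format-List Enabled, AllowList

# Layer 2: a visible banner prepended to messages from outside the tenant.
$bannerPhrase = "This message came from outside contoso.com"
$banner = @"
<div style="background:#fff4ce;border:1px solid #f0c36d;padding:6px;font-family:sans-serif;font-size:12px">
<b>EXTERNAL:</b> $bannerPhrase. Check the sender before opening links or attachments.
</div>
"@

# The exception stops a long external reply chain collecting one banner per hop:
# once the phrase is in the quoted body, the rule leaves the message alone.
New-TransportRule -Name "External sender banner" `
  -FromScope NotInOrganization `
  -SentToScope InOrganization `
  -ExceptIfSubjectOrBodyContainsWords $bannerPhrase `
  -ApplyHtmlDisclaimerLocation Prepend `
  -ApplyHtmlDisclaimerText $banner `
  -ApplyHtmlDisclaimerFallbackAction Wrap `
  -Priority 0

Get-TransportRule "External sender banner" | Format-List Name, State, Priority
```

Note the trade-off the exception creates: an attacker who knows your banner phrase can include it in hidden text and the transport rule will skip their message. That is why the native tag from Set-ExternalInOutlook goes on as well; the banner is for the humans, the tag is the one the attacker cannot switch off.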
5. Defender for Office 365 impersonation protection
Add your board, your finance team, and any name-brand suppliers to the impersonation protection lists (user impersonation takes up to 350 named senders; domain impersonation covers the supplier domains). Messages that look like them but are not get a safety tip, the junk folder or quarantine, your choice. Stops the “urgent invoice” class dead. This needs Defender for Office 365 Plan 1, which Business Premium includes.
6. Anti-phishing and safe links
Default policies leave a lot on the table. Tighten the phishing email threshold from Standard to Aggressive for everyone and higher still for the high-risk users, enable Safe Links URL rewriting and time-of-click scanning, and enable Safe Attachments with dynamic delivery. If you would rather not hand-tune, the Standard and Strict preset security policies get you most of the way. Users will not notice anything except fewer bad clicks.
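Items 5 and 6 together in Exchange Online PowerShell, as an added example rather than the post’s own configuration. It assumes Defender for Office 365 Plan 1 or 2, the ExchangeOnlineManagement module, and placeholder people, domains and policy names; it tightens the default anti-phish policy and adds Safe Links and Safe Attachments policies scoped to your domain.

```powershell
# Added example: Defender for Office 365 impersonation, anti-phish threshold,
# Safe Links and Safe Attachments. Assumptions: Defender for Office 365 Plan 1 or 2;
# ExchangeOnlineManagement module; contoso.com, supplier-example.com and the
# protected names below are placeholders.
Connect-ExchangeOnline

# Format for each protected sender is "Display Name;email".
$protectedUsers = @(
  "Jane Doe;jane.doe@contoso.com",       # board chair (placeholder)
  "Sam Finance;sam.finance@contoso.com"  # head of finance (placeholder)
)

# Item 5 + the threshold from item 6, applied to the default policy that covers everyone.
# PhishThresholdLevel: 1 Standard, 2 Aggressive, 3 More aggressive, 4 Most aggressive.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
  -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
  -TargetedUserProtectionAction Quarantine `
  -EnableOrganizationDomainsProtection $true `
  -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @("supplier-example.com") `
  -TargetedDomainProtectionAction Quarantine `
  -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
  -MailboxIntelligenceProtectionAction MoveToJmf `
  -EnableSpoofIntelligence $true -AuthenticationFailAction MoveToJmf `
  -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
  -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true `
  -PhishThresholdLevel 2

# Item 6: Safe Links (rewrite + time-of-click scan, no click-through) for the whole domain.
New-SafeLinksPolicy -Name "Standard Safe Links" `
  -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
  -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
  -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Standard Safe Links" -SafeLinksPolicy "Standard Safe Links" `
  -RecipientDomainIs "contoso.com"

# Item 6: Safe Attachments with dynamic delivery (body arrives now, attachment after detonation).
New-SafeAttachmentPolicy -Name "Standard Safe Attachments" -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name "Standard Safe Attachments" -SafeAttachmentPolicy "Standard Safe Attachments" `
  -RecipientDomainIs "contoso.com"

# Also detonate files already sitting in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify what actually landed.
Get-AntiPhishPolicy "Office365 AntiPhish Default" |
  Format-List PhishThresholdLevel, TargetedUsersToProtect, TargetedDomainsToProtect, MailboxIntelligenceProtectionAction
```

For the “aggressive on the high-risk users” part, create a second policy with New-AntiPhishPolicy at threshold 3 and bind it with New-AntiPhishRule -SentToMemberOf to a finance or executive group; custom anti-phish policies take priority over the default.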
7. Data loss prevention
DLP is the one most teams put off. Start small: a rule that shows a policy tip when users share documents containing credit card numbers or national insurance numbers externally, run in test mode with notifications so you see the volume before anything is blocked. Build from there. The library of built-in sensitive information types and policy templates covers 80 percent of use cases out of the box.
8. Retention and litigation hold
Without a retention policy, email lives forever until someone deletes it, and then it is only recoverable from Deleted Items for 14 days by default (30 at most). That is neither a retention policy nor a defensible position. Pick a retention period by department, put shared mailboxes under a retention policy or hold (litigation hold needs an Exchange Online Plan 2 or Archiving licence on the mailbox, which an unlicensed shared mailbox does not have), and let Purview do the rest.
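Items 7 and 8 share the Security &amp; Compliance PowerShell session, so here they are in one added example (not the post’s own script). It assumes the ExchangeOnlineManagement module, a Compliance Administrator role, placeholder mailboxes at contoso.com, and the two built-in sensitive information type names, which the script lists first so you can check them against your tenant.

```powershell
# Added example: a warn-first DLP policy (item 7) and retention policies (item 8)
# in Microsoft Purview. Assumptions: ExchangeOnlineManagement module (Connect-IPPSSession
# ships with it); Compliance Administrator role; contoso.com mailboxes are placeholders.
Connect-IPPSSession

# Check the built-in sensitive information type names before referencing them;
# a misspelt name does not match anything and the rule silently never fires.
Get-DlpSensitiveInformationType | Where-Object Name -match "Credit Card|National Insurance" |
  Select-Object Name, Publisher

# Item 7: policy in test mode with policy tips. Nothing is blocked; you get the
# tips and the incident reports, and you learn the false-positive rate first.
New-DlpCompliancePolicy -Name "Financial identifiers - external sharing" `
  -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
  -Mode TestWithNotifications

New-DlpComplianceRule -Name "Warn on card or NINO shared externally" `
  -Policy "Financial identifiers - external sharing" `
  -ContentContainsSensitiveInformation @(
    @{ Name = "Credit Card Number"; minCount = "1" },
    @{ Name = "U.K. National Insurance Number (NINO)"; minCount = "1" }
  ) `
  -AccessScope NotInOrganization `
  -NotifyUser Owner, LastModifier `
  -NotifyPolicyTipCustomText "This item contains payment card or National Insurance data and is being shared outside contoso.com." `
  -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Medium

# Item 8: keep finance mail seven years, then delete (2555 days from creation).
New-RetentionCompliancePolicy -Name "Finance mail 7y" `
  -ExchangeLocation "finance@contoso.com" -Enabled $true
New-RetentionComplianceRule -Name "Finance mail 7y rule" -Policy "Finance mail 7y" `
  -RetentionDuration 2555 -RetentionComplianceAction KeepAndDelete -ExpirationDateOption CreationAgeInDays

# Item 8: shared mailboxes kept indefinitely. A retention policy with Keep works on
# unlicensed shared mailboxes; litigation hold would need an Exchange Plan 2 / Archiving licence.
New-RetentionCompliancePolicy -Name "Shared mailboxes keep" `
  -ExchangeLocation "accounts@contoso.com", "support@contoso.com" -Enabled $true
New-RetentionComplianceRule -Name "Shared mailboxes keep rule" -Policy "Shared mailboxes keep" `
  -RetentionDuration Unlimited -RetentionComplianceAction Keep

# Distribution to workloads is asynchronous; check it finished before relying on it.
Get-RetentionCompliancePolicy -DistributionDetail | Select-Object Name, Enabled, DistributionStatus
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled
```

When the test-mode numbers look sane, switch the DLP policy with Set-DlpCompliancePolicy -Mode Enable and, if you want a real stop, add -BlockAccess $true with -NotifyAllowOverride WithJustification to the rule so users can still get work done on a false positive.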
9. SharePoint sharing defaults
In a lot of tenants the default link type is still “anyone with the link”. For most businesses that is wrong. Change the default to “specific people” at tenant level, make the default permission view rather than edit, put an expiry on any anonymous links you do allow, and let users upgrade to wider sharing explicitly. Cuts the accidental overshare by a large margin.
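The tenant-level change from the SharePoint Online Management Shell, as an added example (not from the post). It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint Administrator role, and “contoso” as a placeholder tenant name; the before/after dump is there so you have a record of what you changed.

```powershell
# Added example: tighten SharePoint/OneDrive sharing defaults at tenant level.
# Assumptions: Microsoft.Online.SharePoint.PowerShell module; SharePoint Administrator;
# "contoso" is a placeholder for your tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Before: record what the tenant does today (keep this output with your change record).
$settings = "SharingCapability", "DefaultSharingLinkType", "DefaultLinkPermission",
            "RequireAnonymousLinksExpireInDays", "FileAnonymousLinkType",
            "FolderAnonymousLinkType", "PreventExternalUsersFromResharing"
Get-SPOTenant | Select-Object $settings

# After: "Specific people" (Direct) links by default, view-only by default, anonymous
# links still possible where a site allows them but view-only and expiring after 14 days,
# and guests cannot re-share what they were given.
Set-SPOTenant -DefaultSharingLinkType Direct `
  -DefaultLinkPermission View `
  -RequireAnonymousLinksExpireInDays 14 `
  -FileAnonymousLinkType View -FolderAnonymousLinkType View `
  -PreventExternalUsersFromResharing $true

# A site can only be as permissive as the tenant, never more, so keep the tenant
# setting that the most open site genuinely needs and lock down the sensitive ones per site.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance" -SharingCapability Disabled
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/hr" -SharingCapability ExistingExternalUserSharingOnly

Get-SPOTenant | Select-Object $settings
Get-SPOSite -Limit All | Where-Object SharingCapability -ne Disabled |
  Select-Object Url, SharingCapability
```

The last query is the audit step: it lists every site that still allows any external sharing, which is the list you walk through with the business owners.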
10. Audit log retention
Check that unified audit logging is on (it is enabled by default in most tenants, but verify rather than assume), then look at how long you actually keep the logs. Audit (Standard) retains 180 days; a year or more needs Audit (Premium), which comes with E5 or the add-on, plus an audit retention policy, and that policy only covers records generated after you create it. When something does happen, you need the logs. Discovering you have 180 days of audit and the intrusion started 200 days ago is a painful lesson.
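The check and the retention policy, as an added example rather than the post’s own procedure. It assumes the ExchangeOnlineManagement module, Exchange and Compliance Administrator roles, and Audit (Premium) licensing for the 12-month policy; the policy name and record-type selection are ours.

```powershell
# Added example: confirm unified auditing is on and extend retention to 12 months.
# Assumptions: ExchangeOnlineManagement module; Exchange Administrator and
# Compliance Administrator roles; Audit (Premium) for retention beyond 180 days.
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
  # Can take a few hours before records start appearing after enabling.
  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Sanity check: is anything actually being recorded right now?
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5 |
  Select-Object CreationDate, UserIds, Operations, RecordType

# Retention policies live in Security & Compliance PowerShell, not Exchange Online.
Connect-IPPSSession

# Keep the record types you would need in an incident for a year. Applies to records
# created after the policy exists; it does not reach back into the 180-day window.
New-UnifiedAuditLogRetentionPolicy -Name "Keep core audit 12 months" `
  -Description "Entra sign-ins and directory changes, Exchange, SharePoint and Teams activity kept for one year" `
  -RecordTypes AzureActiveDirectoryStsLogon, AzureActiveDirectory, ExchangeAdmin, ExchangeItem, `
               SharePoint, SharePointFileOperation, MicrosoftTeams `
  -RetentionDuration TwelveMonths `
  -Priority 1

Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RecordTypes, RetentionDuration, Priority
```

If Search-UnifiedAuditLog returns nothing for the last day in a tenant with active users, stop and fix that before anything else on this list; every detection and forensic step downstream depends on it.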
And one bonus
Backup. Under the shared responsibility model, Microsoft keeps the service running; getting your data back after deletion, ransomware or a bad sync is on you. Retention policies and recycle bins are not backup. Keepit, Druva or AvePoint will all cover you for £4 to £6 per user per month, and Microsoft’s own Microsoft 365 Backup service is now an option if you prefer to stay first-party.
None of the above is exotic. None of it requires a consultancy engagement. It does require someone to sit down with the tenant for a day. We tune M365 tenants for clients weekly. If yours has never had the treatment, it is probably overdue.