Getting your Microsoft 365 security settings right is one of the most important steps a small business can take. Most companies in Chattanooga already use M365 for email, cloud storage, and Teams — but many run it with default settings, which is not the same as secure.
Microsoft ships M365 with a balance of usability and security. Several critical protections are available but not turned on, or are turned on for some users and not others. Attackers know this. A misconfigured M365 tenant is one of the most common entry points for business email compromise, ransomware, and data theft, and the victims are disproportionately small and mid-size businesses that assumed the platform was secure out of the box.
This guide walks through ten specific Microsoft 365 security settings every administrator should check — why each one matters, and what to do if it’s not configured correctly.
—
Microsoft 365 gives you the tools for a genuinely secure environment. The challenge is flexibility: the platform serves organizations of every size, so protections are included but not always on by default. A Fortune 500 company has a dedicated security team to tune every setting. Most Chattanooga businesses have an office manager, a part-time IT person, or a managed IT provider handling the whole stack. This checklist helps you or your IT partner lock down the fundamentals.
> Key Takeaways
> – Microsoft 365 does not ship fully secured by default. Critical protections require manual configuration.
> – Multi-factor authentication and Conditional Access are the two highest-impact settings you can enable today.
> – Legacy authentication protocols are a major, often overlooked attack vector that attackers exploit specifically because they bypass MFA.
> – External sharing, admin role assignments, and third-party app permissions are common blind spots even for organizations that believe they’ve handled M365 security.
> – Microsoft Secure Score gives you a real-time snapshot of your tenant’s security posture with prioritized recommendations.
—

Setting 1: Enforce Multi-Factor Authentication for All Users
MFA is the single most effective control you can add to Microsoft 365. Microsoft’s own data shows MFA blocks over 99.9% of account compromise attacks. Despite this, a significant share of small business M365 tenants have MFA either disabled entirely or enabled only for a handful of accounts.
To check per-user MFA state, go to the Microsoft 365 admin center, navigate to Users > Active users, and open the Multi-factor authentication option in the top menu. You’ll see each user and their per-user MFA status. One caveat: that page reflects only the legacy per-user MFA setting. Users who are protected by Security Defaults or a Conditional Access policy still show as “Disabled” there, so the better question is whether each user has actually registered a second factor. Microsoft Entra ID > Protection > Authentication methods > User registration details lists every user with an “MFA registered” column. Any account that is not registered, especially one with admin privileges, is one leaked password away from a full breach.
The fastest way to enforce MFA across your organization is Security Defaults, a free baseline Microsoft built for organizations that haven’t configured Conditional Access yet. Find it in Microsoft Entra ID (formerly Azure Active Directory) > Overview > Properties > Manage security defaults; tenants created after October 2019 have it on already. Security Defaults requires every user to register for MFA within 14 days of first sign-in, always requires MFA for administrators, and blocks legacy authentication. It is all-or-nothing, though, and it cannot coexist with Conditional Access: to write Conditional Access policies (Microsoft Entra ID P1, included in Business Premium) you turn Security Defaults off and replace it with policies that require MFA for all users and block legacy authentication. Do not turn it off until those policies exist.
One important note: MFA only works if users actually complete enrollment. After you turn it on, users will be prompted to set up their second factor the next time they sign in. Communicate this to your team before you flip the switch. Surprise MFA prompts at 8 AM on a Monday create help desk calls and workarounds.
—
Setting 2: Block Legacy Authentication
This is the setting most often overlooked, and one that attackers exploit specifically because most people don’t know about it. Legacy authentication means basic authentication (a username and password sent with every request) over older protocols: IMAP, POP3, SMTP AUTH, Exchange ActiveSync, and the connection path used by Outlook 2010 and earlier. These protocols have no way to carry an MFA challenge, so an attacker who has a valid password can sign in through them and bypass your MFA enforcement entirely. Microsoft turned off basic authentication for most Exchange Online protocols in 2022 and 2023, but SMTP AUTH can still be enabled per tenant and per mailbox, and the retirement is no substitute for a policy that blocks legacy sign-ins across the tenant and records the attempts in your logs.
To check your exposure, go to Microsoft Entra ID > Monitoring & health > Sign-in logs, add the Client app filter, and select the legacy authentication clients (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients, and so on). Any sign-ins there, successful or failed, mean you have active exposure: a failed legacy sign-in is an attacker probing a door that a policy would close.
Blocking legacy authentication is done with a Conditional Access policy in Microsoft Entra ID (P1, included in Business Premium; if you are still on Security Defaults, legacy authentication is already blocked). Create a policy that includes all users and all cloud apps, sets the Client apps condition to Exchange ActiveSync clients and Other clients, and uses the Block grant control. Turn it on in report-only mode first and watch the sign-in logs for a week: that shows you which line-of-business applications, scanners, or multifunction printers still rely on legacy auth before you break them. Update those where possible. Where you cannot, exclude the specific service account they use and protect it some other way (restricting it to your office IP range, for example) rather than excluding whole groups of people or skipping the policy altogether.
This single change can dramatically reduce your attack surface, particularly for credential stuffing attacks where attackers try lists of leaked username-password pairs against M365 tenants at scale.
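The check-then-block procedure above, as an added example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK and assumes the signed-in admin can read sign-in logs and manage Conditional Access; the 30-day window, the policy name and the empty exclusion list are assumptions to adjust for your tenant.

```powershell
# Added example, not the article's own code. Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Exposure check. Entra treats "Browser" and "Mobile Apps and Desktop clients"
#    as modern authentication; every other clientAppUsed value (IMAP4, POP3,
#    Authenticated SMTP, Exchange ActiveSync, Other clients, ...) is a legacy client.
#    Failed attempts are reported too: they show who is already knocking.
$modern = @("Browser", "Mobile Apps and Desktop clients")
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($modern -notcontains $_.ClientAppUsed) }

$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        $ok = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            ClientApp = $_.Group[0].ClientAppUsed
            Attempts  = $_.Count
            Succeeded = $ok      # > 0 means a password alone got in with no MFA
        }
    } | Sort-Object Succeeded -Descending | Format-Table -AutoSize

# 2. The block policy, created in report-only mode so the sign-in logs show what
#    it *would* have blocked before you enforce it. Exclude only named service or
#    break-glass accounts (object IDs), never broad groups.
$excluded = @()   # assumption: fill with object IDs of accounts you must exempt
$policy = @{
    DisplayName   = "Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"   # change to "enabled" when ready
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = $excluded }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")  # the two legacy client types
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After a week in report-only mode, open the sign-in logs, filter on the policy under Report-only, and every "Failure" row is something the enforced policy will break; fix or explicitly exclude those first, then flip the state to enabled.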
—
Setting 3: Review and Limit Global Administrator Accounts
Global Administrator is the most powerful role in a Microsoft 365 tenant. A user with this role can add users, reset passwords (including other admins), access all data, change billing, and modify any security setting. Most small businesses have either too many Global Admins or are running day-to-day operations from a Global Admin account rather than a standard user account.
Microsoft’s guidance is to have at least two and fewer than five dedicated Global Admin accounts, used only when a task actually requires the role. Daily work, including checking email and attending Teams meetings, should happen from a standard user account. This is the principle of least privilege: don’t give an account more access than the task requires. The second account is not a formality; an admin who reads phishing email from the Global Admin account hands the attacker the tenant.
To review your current admin assignments, go to Microsoft 365 admin center > Roles > Role assignments, then select Global Administrator. Users whose full-time job is not IT administration should be moved to a role that matches their actual responsibilities. Microsoft Entra ID has dozens of built-in roles; most day-to-day tasks can be handled with Exchange Administrator, SharePoint Administrator, or User Administrator without ever needing Global Admin.
For your actual Global Admin accounts, enforce MFA (phishing-resistant methods such as FIDO2 keys or passkeys where the license allows) and consider Privileged Identity Management (PIM), which requires Microsoft Entra ID P2 and is not included in Business Premium. PIM makes admins explicitly activate their elevated privileges for a limited window instead of holding them permanently. Whatever you do, keep one cloud-only emergency access (break-glass) account with a long random password stored offline, excluded from Conditional Access, and alerted on every sign-in, so a broken policy cannot lock you out of your own tenant.
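An added example, not from the original article, that serves both Setting 1 and Setting 3: it lists every active Global Administrator and checks whether each has actually registered an MFA method, which is the combination that matters most. It uses the Microsoft Graph PowerShell SDK; the role template ID is the fixed one Microsoft assigns to Global Administrator, and eligible (PIM) assignments are out of scope for this listing.

```powershell
# Added example, not the article's own code. Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "UserAuthenticationMethod.Read.All", "AuditLog.Read.All"

# Match the role by its fixed template ID, not its display name (display names can
# be localized). 62e90394-... is Global Administrator in every tenant.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$role = Get-MgDirectoryRole -All | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
if (-not $role) { throw "Global Administrator role is not activated in this tenant; nothing to list." }

# Active members only. PIM-eligible assignments (Entra ID P2) do not appear here.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # A group or service principal holding Global Admin needs its own review.
        [pscustomobject]@{ Principal = $m.Id; Type = $type; MfaRegistered = 'n/a'; Methods = ''; Note = 'non-user assignment, review' }
        continue
    }
    # The registration report is the authoritative "has a second factor" answer;
    # per-user MFA status in the admin center ignores Conditional Access.
    $reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id
    $note = if ($reg.IsMfaRegistered) { '' } else { 'NO MFA REGISTERED - fix today' }
    [pscustomobject]@{
        Principal     = $reg.UserPrincipalName
        Type          = 'user'
        MfaRegistered = $reg.IsMfaRegistered
        Methods       = ($reg.MethodsRegistered -join ',')
        Note          = $note
    }
}

$report | Format-Table -AutoSize
$count = @($report).Count
"Global Administrators: $count. Microsoft recommends at least two and fewer than five, including one cloud-only break-glass account."
```

Run this monthly and after every staffing change; an admin account that was created for a one-off migration and never removed is exactly the kind of thing it surfaces.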
—
Setting 4: Enable and Review Audit Logging
Microsoft 365 audit logging records sign-ins, file access, email activity, permission changes, and hundreds of other events across your tenant. When something goes wrong, and at some point something will, audit logs are the difference between having a clear picture of what happened and guessing.
Audit logging is on by default for tenants created in recent years, but it can be turned off, and some older tenants never had it enabled. To check, go to the Microsoft Purview portal (formerly the Microsoft 365 Compliance Center), navigate to Audit, and look for the message at the top of the page. If it says “Start recording user and admin activity,” logging is off and you need to enable it immediately. Keep in mind that enabling it is not retroactive: nothing that happened before you turned it on was recorded.
Once enabled, Microsoft 365 retains audit records for 180 days on Audit (Standard), which comes with Business Premium and E3 (Microsoft raised this from 90 days in late 2023), and for one year on Audit (Premium), included with E5, with a paid add-on for retention up to ten years. For most small businesses, 180 days is adequate for incident response, though compromises are often discovered months after they begin, so longer retention is worth considering if your plan allows it. If you operate in a regulated industry like healthcare, finance, or legal, talk to your IT provider about retention requirements.
Audit logs are also your first line of defense for detecting unauthorized access after the fact. If an employee’s account is compromised and an attacker quietly reads email or exfiltrates documents over two weeks, audit logs are how you reconstruct what they accessed and when.
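An added example, not part of the original article, that covers this setting and the “has my tenant been compromised?” question in the FAQ: it confirms unified audit logging is on and then hunts the audit log for the single most common post-compromise artifact, inbox rules and forwarding changes that hide an attacker’s activity. It assumes the ExchangeOnlineManagement module (v3) and an account with the View-Only Audit Logs or Audit Logs role; the 14-day window is an assumption.

```powershell
# Added example, not the article's own code. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Is the unified audit log ingesting? This is the PowerShell equivalent of the
#    "Start recording user and admin activity" banner in the Purview portal.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit logging was OFF and is now on. Events before this moment were never recorded."
}

# 2. Hunt for mailbox rules and forwarding changes. OWA and PowerShell rule changes
#    log as New-InboxRule / Set-InboxRule, mailbox-level forwarding as Set-Mailbox,
#    and Outlook desktop rule edits as UpdateInboxRules.
$ops    = "New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) `
                                 -Operations $ops -ResultSize 5000

$suspicious = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Cmdlet events carry a Parameters array of {Name, Value}; flatten it for lookup.
    $p = @{}
    foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }
    $flags = @()
    foreach ($k in "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress", "ForwardingAddress") {
        if ($p[$k]) { $flags += "$k=$($p[$k])" }
    }
    # Rules that delete or mark-as-read are how attackers hide bounce messages and
    # security alerts from the real owner.
    if ($p["DeleteMessage"] -eq "True" -or $p["MarkAsRead"] -eq "True") { $flags += "hide-rule" }
    if ($d.Operation -eq "UpdateInboxRules") { $flags += "rule changed from Outlook client, inspect" }
    if ($flags.Count -gt 0) {
        [pscustomobject]@{
            When      = $d.CreationTime
            Actor     = $d.UserId
            Operation = $d.Operation
            ClientIP  = $d.ClientIP
            Details   = $flags -join '; '
        }
    }
}
$suspicious | Sort-Object When | Format-Table -AutoSize
```

Every row with an external ForwardTo or a hide-rule deserves a phone call to the mailbox owner; legitimate ones are rare and the owner will know immediately.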
—
Setting 5: Configure Safe Links and Safe Attachments
Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection) includes two controls that dramatically reduce phishing and malware risk: Safe Links and Safe Attachments. Microsoft 365 Business Premium includes them (Plan 1) and Microsoft 365 E5 includes Plan 2; Microsoft 365 E3, Office 365 E3, and Business Standard do not include them and need the Defender for Office 365 add-on.
Safe Links rewrites URLs in email, Teams messages, and Office documents so that when a user clicks a link, Microsoft first checks the destination against its threat intelligence in real time. If the link points to a known malicious site or a newly flagged phishing page, the user is blocked and warned before reaching it. Because the check happens at click time rather than at delivery, it also defeats the common trick of sending a link that points somewhere harmless when the mail arrives and is switched to a phishing page hours later. Without Safe Links, a phishing email carrying a URL that no reputation feed has seen yet can pass through your mail filters untouched.
Safe Attachments routes email attachments through a sandboxed environment before delivery. The attachment is detonated in isolation, its behavior is analyzed, and only clean attachments are delivered to the user’s inbox. This adds a delay of a few minutes for some attachments, but it catches malware that signature-based antivirus alone would miss.
To configure these, go to the Microsoft Defender portal (security.microsoft.com) > Email & collaboration > Policies & rules > Threat policies. Licensing alone does not decide who is protected; policies and the rules that scope them do. Since late 2021 Microsoft has applied a “Built-in protection” preset that gives every licensed user a baseline Safe Links and Safe Attachments configuration, but it sits at the lowest priority and anyone a previous admin excluded from it is unprotected. Confirm that a policy covers all of your accepted domains, either by turning on the Standard preset security policy or by creating your own Safe Links and Safe Attachments policies with rules that target every domain, and check that users cannot click through a block page and that Teams and Office documents are included.
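An added example, not from the original article, showing the coverage check and a baseline policy pair created in PowerShell. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 license; the policy names are assumptions, and the Block action for Safe Attachments is a choice explained in the comments.

```powershell
# Added example, not the article's own code. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Who is covered today? A policy with no enabled rule protects nobody, and a rule
# scoped to one domain leaves every other domain on Built-in protection only.
Get-SafeLinksRule      | Select-Object Name, State, Priority, SafeLinksPolicy, RecipientDomainIs, SentTo, SentToMemberOf
Get-SafeAttachmentRule | Select-Object Name, State, Priority, SafeAttachmentPolicy, RecipientDomainIs, SentTo, SentToMemberOf

# Scope the new rules to every accepted domain so new mailboxes are covered automatically.
$domains = (Get-AcceptedDomain).DomainName
$slName  = "SMB Baseline Safe Links"
$saName  = "SMB Baseline Safe Attachments"

if (-not (Get-SafeLinksPolicy | Where-Object { $_.Name -eq $slName })) {
    New-SafeLinksPolicy -Name $slName `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false        # users cannot override a block page
    New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName -RecipientDomainIs $domains
}

if (-not (Get-SafeAttachmentPolicy | Where-Object { $_.Name -eq $saName })) {
    # Block quarantines the message until an admin releases it. DynamicDelivery is the
    # alternative if the few-minute delay is a business problem: the body is delivered
    # at once and the attachment follows when the sandbox finishes.
    New-SafeAttachmentPolicy -Name $saName -Enable $true -Action Block -Redirect $false
    New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName -RecipientDomainIs $domains
}

# Re-run the coverage check to confirm both rules are Enabled and list every domain.
Get-SafeLinksRule      | Select-Object Name, State, RecipientDomainIs
Get-SafeAttachmentRule | Select-Object Name, State, RecipientDomainIs
```

If you prefer Microsoft’s preset policies, turn on the Standard preset in the portal instead; the point of the check at the top is the same either way, a rule that names every domain and is in the Enabled state.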
—
Setting 6: Control External Sharing in SharePoint and OneDrive
By default, SharePoint and OneDrive allow sharing with anyone who has a link, including people outside your organization who don’t have a Microsoft account. This setting is convenient for collaboration, but it means an employee can accidentally or intentionally share a client contract, financial records, or employee files with the entire internet by copying a link.
To review your current sharing settings, go to the SharePoint admin center > Policies > Sharing. You’ll see a slider that controls sharing at the tenant level. The options range from “Anyone” (most permissive) to “Only people in your organization” (most restrictive). For most small businesses, the right setting is “New and existing guests”; external sharing is allowed, but only with people who authenticate with a Microsoft account or a one-time passcode.
Beyond the tenant-wide setting, you can also lock down sharing at the site collection level, which is useful if you have SharePoint sites containing sensitive data like HR records or financial documents. Those sites should be restricted to organization-only access regardless of the tenant default.
Audit your existing sharing links regularly. The tenant setting only governs links created from now on; links that already exist keep working. The unified audit log records every “Anyone” link creation and use (the AnonymousLinkCreated and AnonymousLinkUsed operations), and the SharePoint admin center’s reports can surface externally shared content you didn’t know about.
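The tenant and site settings above plus the audit of existing links, as an added example that is not part of the original article. It assumes the SharePoint Online Management Shell and the ExchangeOnlineManagement module; the admin URL, the HR site URL, and the 30-day window are placeholders to replace with your own.

```powershell
# Added example, not the article's own code. Requires Microsoft.Online.SharePoint.PowerShell
# and ExchangeOnlineManagement. The contoso URLs are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current tenant posture. ExternalUserAndGuestSharing is the "Anyone" slider position.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays

# "New and existing guests": outsiders must authenticate (Microsoft account or one-time
# passcode). Also make the default link type "people in your organization" with view-only
# rights, so a careless click does not produce an edit link for the world.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# Sites holding HR or finance data: organization-only regardless of the tenant default.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/HR" -SharingCapability Disabled

# Find "Anyone" links that already exist and are still being used.
Connect-ExchangeOnline
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "AnonymousLinkCreated", "AnonymousLinkUsed", "SharingInvitationCreated" -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $d.CreationTime
            Who       = $d.UserId          # "anonymous" on AnonymousLinkUsed events
            Operation = $d.Operation
            Site      = $d.SiteUrl
            Object    = $d.ObjectId
        }
    } | Sort-Object When | Format-Table -AutoSize
```

AnonymousLinkUsed rows show a link being opened by someone who never signed in; if the object is a contract or a payroll file, remove the link from the file’s Manage access pane and ask the owner who it was meant for.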
—
Setting 7: Review Microsoft Secure Score
Microsoft Secure Score is a built-in dashboard in the Microsoft Defender portal that measures your tenant’s security posture on a numeric scale and provides a prioritized list of actions to improve it. It is on for every tenant and there is nothing to enable; the work is reading it. Think of it as a continuous security audit running in the background of your M365 environment.
To access it, go to security.microsoft.com > Secure Score. Your score is shown as a number out of a maximum possible score based on your licensed features. Below the score you’ll see recommended actions grouped by category: Identity, Devices, Apps, Data, and Infrastructure. Each action shows the points it would add to your score, the level of effort required, and step-by-step implementation instructions.
Secure Score doesn’t just tell you what’s wrong — it tells you why it matters and how to fix it. For a small business without a dedicated security team, this is a genuinely useful tool. You don’t need a perfect score. Focus on high-impact, low-effort items first: MFA, legacy auth blocking, Safe Links, and disabling unused services. Those four changes move your score significantly and close the most common attack vectors.
Review your Secure Score at least quarterly and after any significant changes to your environment, like adding new users, enabling new Microsoft services, or migrating applications.
—
Setting 8: Review Third-Party App Permissions
When employees connect third-party apps to Microsoft 365 (calendar tools, project management apps, file sync utilities), those apps request permissions to read email, access files, or manage contacts, and most employees click “Accept” without reading the list. Some of those apps are legitimate and well-secured; others are not, and some exist only to get that click.
To see what third-party apps have been granted access to your tenant, go to Microsoft Entra ID > Enterprise applications. The default “Enterprise Applications” filter already hides Microsoft’s own first-party apps. Open each application and its Permissions page to see the admin-consented and user-consented grants it holds and which users granted them.
The risk here is real. An app with read access to all email in your tenant, a permission that sounds routine, can exfiltrate years of sensitive correspondence. An app with write access to SharePoint can overwrite or delete files. Attackers also run consent phishing: a malicious OAuth app that impersonates a legitimate tool and asks the user to grant it access to mail and files. Once the user clicks Accept, the attacker works through the app with the user’s own permissions. MFA never fires, because the user did sign in, and the consent grant survives a password reset, so resetting the password does not remove the app; you have to revoke the grant.
Review this list and remove any apps that are no longer in use or that hold permissions disproportionate to their function. You can also turn off user consent entirely (Enterprise applications > Consent and permissions > User consent settings) and route new requests through the admin consent workflow, so an administrator approves every new third-party connection. For a small tenant this is the recommended configuration: a handful of approval requests a year is a small price for closing consent phishing.
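An added example, not from the original article, that does the review in PowerShell: it lists every delegated consent grant held by a non-Microsoft app that includes a high-risk permission, then turns off user consent. It uses the Microsoft Graph PowerShell SDK; the “risky scopes” list is this example’s own judgment rather than a Microsoft list, and the Microsoft Services tenant ID is the well-known owner tenant of Microsoft’s first-party applications.

```powershell
# Added example, not the article's own code. Requires the Microsoft.Graph modules.
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "Policy.ReadWrite.Authorization"

# Permissions that let an app read or move your data wholesale (this list is a judgment
# call for this example; extend it to suit your tenant).
$risky = "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
         "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
         "Contacts.ReadWrite", "Directory.ReadWrite.All", "offline_access"

# Apps owned by this tenant are Microsoft first-party apps; skip them to reduce noise.
$microsoftServicesTenant = "f8cdef31-a31e-4b4a-93e4-5f571e91255a"

$spCache = @{}
$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    if (-not $spCache.ContainsKey($_.ClientId)) {
        $spCache[$_.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    }
    $sp     = $spCache[$_.ClientId]
    $scopes = $_.Scope -split ' ' | Where-Object { $_ }
    $hits   = @($scopes | Where-Object { $risky -contains $_ })
    if ($hits.Count -gt 0 -and $sp.AppOwnerOrganizationId -ne $microsoftServicesTenant) {
        [pscustomobject]@{
            App         = $sp.DisplayName
            Publisher   = $sp.PublisherName
            Verified    = [bool]$sp.VerifiedPublisher.DisplayName
            ConsentType = $_.ConsentType      # AllPrincipals = admin consented for everyone
            Principal   = $_.PrincipalId      # the user who consented (null for AllPrincipals)
            Risky       = $hits -join ' '
            GrantId     = $_.Id
        }
    }
}
$grants | Sort-Object Verified, App | Format-Table -AutoSize

# Revoke a grant you do not recognise; the app can no longer obtain tokens for that scope.
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId from the table>

# Stop users consenting on their own. An empty grant-policy list means "no user consent";
# new apps then go through the admin consent workflow you enable in the portal.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
```

An unverified publisher holding Mail.ReadWrite plus offline_access, consented by a single user, is the textbook consent-phishing footprint; revoke it first and then look at that user’s sign-ins.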
—
Setting 9: Configure Mailbox Auditing
Separate from the tenant-wide audit logging covered earlier, Exchange Online includes per-mailbox auditing that logs specific actions taken on individual mailboxes, including owner actions, delegate actions, and admin actions. This covers things like reading a message, copying an item to another folder, sending mail as another user, and modifying folder permissions.
Mailbox auditing has been on by default for all tenants since early 2019, but it can be switched off at the organization level, and the default set of audited actions has grown over time and is not identical across license tiers, so “on by default” does not mean every action relevant to an investigation is being recorded.
To verify mailbox auditing, run the check in PowerShell; the Exchange admin center does not expose these per-mailbox settings. You should also confirm that the “Owner” audit actions include “MailItemsAccessed”, the action that records when someone reads messages in the mailbox, including an attacker signed in with the owner’s credentials. It historically required Audit (Premium), which comes with E5; Microsoft announced in 2023 that it would be included in Audit (Standard) as well, so check whether the operation actually appears in your tenant’s audit log rather than assuming. Without it, you can prove an attacker signed in but not what they read, and in a breach that is the first question clients and regulators ask.
For businesses in healthcare or finance, where understanding the exact scope of a breach is both legally required and operationally critical, mailbox auditing is not optional.
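An added example, not from the original article, that performs the verification described above and then proves MailItemsAccessed is being recorded by reading it back from the audit log. It assumes the ExchangeOnlineManagement module and a tenant whose audit tier includes MailItemsAccessed; if yours does not, the Set-Mailbox call may be rejected or the action silently not logged, and the search at the end is what tells you which.

```powershell
# Added example, not the article's own code. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Org-level kill switch: AuditDisabled = $true turns mailbox auditing off tenant-wide.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }

$boxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

# Report mailboxes that are not audited or whose owner action set lacks MailItemsAccessed.
$boxes |
    Select-Object UserPrincipalName, AuditEnabled, DefaultAuditSet,
        @{ n = 'OwnerHasMailItemsAccessed'; e = { $_.AuditOwner -contains 'MailItemsAccessed' } } |
    Where-Object { -not $_.AuditEnabled -or -not $_.OwnerHasMailItemsAccessed } |
    Format-Table -AutoSize

# Enforce. Setting the action lists explicitly removes the mailbox from Microsoft's managed
# default set (DefaultAuditSet), so future default additions will not apply to it; that is
# the trade-off for knowing exactly what is logged.
$boxes |
    Where-Object { -not $_.AuditEnabled -or $_.AuditOwner -notcontains 'MailItemsAccessed' } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true `
            -AuditOwner    @{ Add = 'MailItemsAccessed' } `
            -AuditDelegate @{ Add = 'MailItemsAccessed' } `
            -AuditAdmin    @{ Add = 'MailItemsAccessed' } `
            -ErrorAction Continue   # an unlicensed mailbox may reject the action; keep going
    }

# Prove it works: who read mail in the last day, from which client and IP. An empty result
# on a busy tenant means the action is not being logged, whatever the settings say.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
                       -Operations MailItemsAccessed -ResultSize 1000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $d.CreationTime
            Mailbox  = $d.MailboxOwnerUPN
            Actor    = $d.UserId
            LogonType = $d.LogonType          # Owner, Delegate or Admin
            ClientIP = $d.ClientIPAddress
            Client   = $d.ClientInfoString    # e.g. an IMAP client or Graph app reading mail
        }
    } | Format-Table -AutoSize
```

During an investigation the same search, scoped to the compromised mailbox and the attacker’s IP, is how you build the list of messages that were actually read.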
—
Setting 10: Disable Unused Microsoft 365 Services
Every feature that’s turned on but not actively managed is an additional attack surface. Microsoft 365 subscriptions include dozens of services that many small businesses never use but that remain enabled. Unused services can be abused by attackers to bypass controls, exfiltrate data, or maintain persistence after a breach.
Common examples include:
PowerApps and Power Automate: These no-code tools can be used to build data exfiltration flows or bypass email restrictions. If your organization doesn’t use them intentionally, restrict access.
Microsoft Forms: External-facing forms can be used by attackers to phish your users or collect sensitive data. Disable external sharing of Forms if you don’t need it.
Sway and other rarely used apps: content published through them is hosted on Microsoft’s domains, which lends an attacker Microsoft’s reputation when a compromised account is used to publish a phishing page.
SMTP AUTH, SMTP relay, and connectors: SMTP AUTH is a legacy-authentication path that stays available per mailbox even after Microsoft’s basic-auth retirement, and mail flow connectors nobody remembers creating can be abused to send phishing email that appears to come from inside your organization.
Review your active Microsoft 365 services in the admin center under Settings > Org settings, remove the service plans for unused apps from your users’ licenses, and disable any service your organization has no active use for. The principle applies here too: the smaller your attack surface, the less there is for attackers to exploit.
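An added example, not from the original article, covering the three cuts a small tenant can make safely from PowerShell: turning off SMTP AUTH tenant-wide with a per-mailbox exception, inventorying mail flow connectors, and removing unused service plans from licenses. It assumes the ExchangeOnlineManagement module and the Microsoft Graph PowerShell SDK; the choice of Sway and Forms as the unused plans is an assumption for illustration, and Power Platform access is restricted in the Power Platform admin center, which is not shown here.

```powershell
# Added example, not the article's own code. Requires ExchangeOnlineManagement and Microsoft.Graph.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

# 1. SMTP AUTH off for the tenant, then back on only for the mailboxes (a scanner, a
#    line-of-business app) that genuinely need it. The per-mailbox setting wins.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity scanner@contoso.com -SmtpClientAuthenticationDisabled $false   # exception

# 2. Connectors you did not create are a persistence and spoofing mechanism; list them all.
Get-InboundConnector  | Select-Object Name, Enabled, ConnectorType, SenderIPAddresses, SenderDomains, RequireTls, WhenCreated
Get-OutboundConnector | Select-Object Name, Enabled, ConnectorType, SmartHosts, RecipientDomains, WhenCreated

# 3. Remove unused service plans from every licensed user, matched by plan name so the
#    same code works whichever SKU (Business Premium, E3, ...) the tenant holds.
$unwanted = "SWAY", "FORMS_PLAN_*"          # assumption: plans this org never uses
foreach ($sku in Get-MgSubscribedSku) {
    $disable = @($sku.ServicePlans |
        Where-Object { $name = $_.ServicePlanName; @($unwanted | Where-Object { $name -like $_ }).Count -gt 0 } |
        Select-Object -ExpandProperty ServicePlanId)
    if ($disable.Count -eq 0) { continue }

    $users = Get-MgUser -All -Filter "assignedLicenses/any(x:x/skuId eq $($sku.SkuId))" `
                        -Property Id, UserPrincipalName, AssignedLicenses
    foreach ($u in $users) {
        # Merge with plans already disabled for this user so nothing is accidentally re-enabled.
        $current = ($u.AssignedLicenses | Where-Object { $_.SkuId -eq $sku.SkuId }).DisabledPlans
        $merged  = @(@($current) + $disable | Select-Object -Unique)
        Set-MgUserLicense -UserId $u.Id `
            -AddLicenses @(@{ SkuId = $sku.SkuId; DisabledPlans = $merged }) `
            -RemoveLicenses @()
        "$($u.UserPrincipalName): disabled $($disable.Count) plan(s) in $($sku.SkuPartNumber)"
    }
}
```

Disabling a plan removes the app from the user’s launcher and the service from the tenant’s attack surface; if a user later needs Forms, re-enabling the single plan is a one-line change.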
—
Microsoft 365 Security Settings: Quick-Reference Checklist
| Setting | Impact | Effort | Plan |
|---|---|---|---|
| 1. Enforce MFA for all users | High | Low | All plans |
| 2. Block legacy authentication | High | Medium | All plans via Security Defaults; Business Premium for Conditional Access |
| 3. Limit Global Admin accounts | High | Low | All plans |
| 4. Enable audit logging | High | Low | All plans |
| 5. Configure Safe Links & Attachments | High | Medium | Business Premium, E5, or Defender for Office 365 add-on |
| 6. Control external sharing | Med | Low | All plans |
| 7. Review Secure Score | Med | Low | All plans |
| 8. Review third-party app permissions | High | Medium | All plans |
| 9. Configure mailbox auditing | Med | Medium | All plans |
| 10. Disable unused services | Med | Low | All plans |
Frequently Asked Questions
How do I know if my Microsoft 365 tenant has already been compromised?
Check the Microsoft Entra sign-in logs for sign-ins from unfamiliar countries, unfamiliar device types, legacy protocols, or times outside your normal business hours. Review the unified audit log in Microsoft Purview for new inbox rules and forwarding changes, unexpected file access or bulk downloads, new third-party app consents, newly registered MFA methods, and new admin role assignments. An attacker who wants to stay in a mailbox typically adds a rule that deletes or hides security warnings and registers their own authenticator so the account keeps working after a password reset. If anything looks suspicious, contact your IT provider immediately; don’t wait.
Do I need Microsoft 365 Business Premium to apply these settings?
Several of these settings, including MFA enforcement and audit logging, are available on all M365 plans. Others, like Safe Links, Safe Attachments, and Conditional Access, require Business Premium or higher. If you’re on a lower-tier plan like Business Basic or Apps for Business, upgrading to Business Premium is often one of the highest-ROI security investments a small business can make.
How often should I review these settings?
At a minimum, quarterly. Also review after: adding or removing users, making significant software or infrastructure changes, or any suspected or confirmed security incident. Your IT provider should include an M365 security posture review in their regular cadence.
Can I do all this myself, or do I need an IT provider?
Technically savvy business owners can work through most of these settings using Microsoft’s documentation and the Secure Score recommendations. The practical challenge is time: most SMB owners don’t have 10-15 hours to work through this, stay current as the platform evolves, and monitor for issues. A managed IT provider handles this as part of ongoing service, which is why most small businesses with 20 or more employees find it cost-effective.
What’s the biggest mistake small businesses make with Microsoft 365 security?
Assuming the default settings are good enough. Microsoft ships M365 with a balance of security and usability out of the box. The default settings are not designed for organizations handling sensitive data or operating in regulated industries. Treating M365 as “secure by default” is the single most common mistake we see when we do tenant reviews for new clients.
—
What to Do Next
Securing your Microsoft 365 tenant doesn’t require a full IT department. It requires the right configuration and someone who knows where to look. The settings in this guide are the most impactful controls available — and the ones we find misconfigured or missing most often when we audit a new client’s environment.
ETTC offers Microsoft 365 tenant security reviews for small and mid-size businesses in Chattanooga and throughout Hamilton County. We’ll check every setting on this list, identify gaps, and give you a plain-English report on what needs to change and why.
Schedule a free consultation and we’ll take a look at your M365 environment together. No jargon, no pressure, just a clear picture of where you stand and a realistic plan to close any gaps.
East Tennessee Technical Consultants
📞 (423) 779-8196 | ✉️ Helpdesk@etntech.com | etntech.com
—