The Short Version
Microsoft 365 ships with security settings tuned for usability, not protection. Most tenants go live with default configurations that leave significant gaps: no multi-factor authentication enforcement, legacy authentication protocols still active, admin accounts without dedicated privileged access, and Defender features switched off. This guide covers the 20 settings that matter most and explains why the defaults exist the way they do.
Why M365 Ships Insecure by Default
Microsoft makes business decisions. Enabling strong security controls by default would generate enormous helpdesk volume for Microsoft and for IT partners — users locked out of accounts, legacy applications suddenly broken, mail clients that stop syncing. So the defaults are permissive. Security defaults (a Microsoft feature that enables basic MFA for all users) weren’t even introduced until 2019, and they’re still not enabled in most tenants that were created before then.
The assumption is that organizations will configure their own security posture based on their risk tolerance and compliance requirements. In practice, most small and mid-sized businesses don’t have the internal expertise to know what needs to be configured, and the Microsoft 365 admin center spans hundreds of settings across a dozen portals.

The 5 Categories That Matter
When evaluating an M365 tenant, we organize settings into five categories: identity and access management, admin account hygiene, Defender and threat protection, data loss prevention, and legacy protocol controls. A weakness in any one of these categories can be the entry point for a breach.
MFA and Conditional Access
Multi-factor authentication (MFA) is the single highest-impact control available in M365. Microsoft reports that MFA blocks more than 99.9% of automated account compromise attacks. Despite this, a significant percentage of M365 tenants still don’t enforce MFA for all users.
There are three ways MFA is implemented in M365, and they are not equivalent:
- Per-user MFA (legacy): Applied per account. No central enforcement. Easy to miss newly added users. Does not support modern Conditional Access policies.
- Security Defaults: Enforces MFA for all users using Microsoft’s baseline policies. Better than nothing, but blunt — no ability to create exceptions or apply context-aware rules.
- Conditional Access (P1 or higher): The correct implementation. Allows you to require MFA based on user risk, sign-in location, device compliance state, and application sensitivity. Can require phishing-resistant authentication (FIDO2/Windows Hello) for admin accounts.
Conditional Access also enables blocking sign-ins from high-risk countries, requiring compliant devices for access to sensitive data, and automatically revoking sessions when a user’s risk score changes. These capabilities require Azure AD P1 licensing (included in Microsoft 365 Business Premium).
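As an added example (not part of the original guide), a Python check over a tenant's Conditional Access policies in the Microsoft Graph conditionalAccessPolicy schema, showing two places the "MFA for all users" control quietly fails: a policy left in report-only state after a pilot, and accounts excluded from an enforced policy. The sample policies are constructed and the GUIDs are placeholders.

```python
"""Check Conditional Access policies (Graph conditionalAccessPolicy schema) for
MFA-for-all and list exclusions. Sample policies below are constructed."""


def _enforced_for_everyone(policy):
    # Report-only and disabled policies enforce nothing; require 'enabled'
    # plus All users and All cloud apps in scope. A role-scoped policy
    # (includeRoles) protects admins but does not satisfy "all users".
    cond = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))


def requires_mfa_for_all(policies):
    # Grant control 'mfa' (or an authentication strength, which implies MFA).
    for p in policies:
        grant = p.get("grantControls") or {}
        if _enforced_for_everyone(p) and ("mfa" in grant.get("builtInControls", [])
                                          or grant.get("authenticationStrength")):
            return True
    return False


def excluded_users(policies):
    # Every account excluded from an enforced policy is a gap to review;
    # break-glass and service accounts usually live here.
    return sorted({u for p in policies if p.get("state") == "enabled"
                   for u in p.get("conditions", {}).get("users", {}).get("excludeUsers", [])})


# Constructed sample (GUIDs are placeholders): an MFA policy left in
# report-only after a pilot, plus an enforced policy scoped to admin roles.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-guid"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for admins", "state": "enabled",
     "conditions": {"users": {"includeRoles": ["global-admin-role-template-guid"],
                              "excludeUsers": ["svc-backup-guid"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    print("MFA required for all users:", requires_mfa_for_all(SAMPLE_POLICIES))
    print("Excluded accounts to review:", excluded_users(SAMPLE_POLICIES))
```

Against a real tenant, the policy list comes from `GET /identity/conditionalAccess/policies`; the checks above run unchanged over that response.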
Admin Account Hygiene
Global Administrator accounts are the highest-value target in any M365 tenant. A compromised Global Admin can create new accounts, disable MFA for existing accounts, exfiltrate all mailboxes, destroy all data, and grant themselves persistent access. The following controls are non-negotiable:
- No licensed mailboxes on admin accounts: Admin accounts should not receive email. Email is an attack surface. Use a separate, unlicensed account for administrative tasks.
- Minimum admin count: Microsoft recommends 2–4 Global Admins (enough for redundancy, few enough to manage). Every additional Global Admin is an additional attack surface.
- Privileged Identity Management (PIM): Requires Azure AD P2. Admins are not permanently assigned to privileged roles — they request elevation when needed, provide justification, and the role expires after a set time window. This limits the blast radius of any compromise.
- Phishing-resistant MFA for admins: Regular TOTP MFA (the six-digit code from an authenticator app) is vulnerable to real-time phishing. Admin accounts should use FIDO2 security keys or Windows Hello for Business — methods that can’t be intercepted and replayed.
Defender and Threat Protection
Microsoft Defender for Office 365 (Plan 1 is included in Business Premium) provides several protection layers that are not enabled by default:
Safe Links rewrites URLs in emails and Teams messages and checks them in real time when the user clicks, rather than at delivery time. This closes the gap where a URL was clean at delivery but became malicious later — a technique called “time-of-click” phishing.
Safe Attachments detonates email attachments in a sandboxed environment before delivering them to the user. This catches novel malware that hasn’t yet been added to signature databases.
Anti-phishing policies include impersonation protection, which flags emails that appear to be from your executives or key contacts but arrive from external domains. It also enables mailbox intelligence — learning each user’s communication patterns to detect anomalous senders.
Attack Simulation Training, also included with Defender for Office 365, lets you run simulated phishing campaigns against your own users and deliver training to those who click.
Data Loss Prevention
Data Loss Prevention (DLP) policies scan content in email, SharePoint, Teams, and OneDrive for sensitive data patterns — Social Security numbers, credit card numbers, health information, and custom patterns you define. When a match is found, the policy can block the transfer, notify the user, alert an administrator, or log the event.
Microsoft ships several built-in DLP templates for common compliance frameworks (HIPAA, PCI-DSS, Massachusetts 201 CMR 17). These templates are a starting point, not a finished implementation — they require tuning to reduce false positives and extend coverage to your specific data types.
Legacy Authentication
Legacy authentication refers to older email protocols — POP3, IMAP, SMTP AUTH, and basic authentication — that don’t support modern MFA. When legacy authentication is enabled, an attacker with a stolen password can connect directly to mailboxes using these protocols, completely bypassing MFA.
Microsoft began blocking legacy authentication by default in 2023, but many tenants that existed before this change still have it enabled — either globally or for specific accounts that were exempted to avoid breaking older email clients or applications.
Disabling legacy authentication requires inventorying all applications and devices that connect to M365. Shared mailboxes accessed by older mail clients, printers that scan to email, and legacy line-of-business applications that authenticate via SMTP are common culprits that need to be migrated to modern authentication before legacy protocols can be disabled.
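An added example, not from the original guide, of the inventory step described above: a Python script that reads a line-delimited export of Entra sign-in records (Microsoft Graph signIn schema) and lists which accounts and protocols are still succeeding over legacy authentication. The records are constructed, and the assumption that only "Browser" and "Mobile Apps and Desktop clients" are modern-auth clients is mine.

```python
"""Inventory legacy-auth sign-ins from a line-delimited export of Entra
sign-in records (Microsoft Graph signIn schema) to find what must be
migrated before legacy protocols are disabled. Records are constructed."""
import json
from collections import defaultdict

# Assumption: these two clientAppUsed values are the modern-auth clients;
# everything else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync,
# Other clients, ...) arrived over legacy authentication.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_LOG = """
{"userPrincipalName": "mfp-printer@contoso.example", "clientAppUsed": "Authenticated SMTP", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "jdoe@contoso.example", "clientAppUsed": "Browser", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"userPrincipalName": "shared-ap@contoso.example", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "jdoe@contoso.example", "clientAppUsed": "IMAP4", "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}}
{"userPrincipalName": "shared-ap@contoso.example", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
"""


def legacy_auth_inventory(log_text):
    """Map (upn, client) -> success/failure counts and source IPs, for
    legacy-auth sign-ins only. errorCode 0 is a successful sign-in."""
    inventory = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("clientAppUsed") in MODERN_CLIENTS:
            continue
        entry = inventory[(rec["userPrincipalName"], rec["clientAppUsed"])]
        ok = rec.get("status", {}).get("errorCode", 0) == 0
        entry["success" if ok else "failure"] += 1
        entry["ips"].add(rec.get("ipAddress"))
    return dict(inventory)


def migration_list(inventory):
    """Accounts and protocols with successful legacy sign-ins: these break
    the day legacy auth is turned off, so migrate them first. Failures with
    no successes (like the IMAP4 attempt on jdoe) deserve a look too, since
    they are often password guessing against a protocol that skips MFA."""
    return sorted(k for k, v in inventory.items() if v["success"] > 0)


if __name__ == "__main__":
    inv = legacy_auth_inventory(SAMPLE_LOG)
    for (upn, client), v in sorted(inv.items()):
        print(f"{upn:30} {client:20} ok={v['success']} fail={v['failure']} ips={sorted(v['ips'])}")
    print("migrate first:", migration_list(inv))
```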
How We Score Your Tenant
Our M365 Security Scorecard evaluates your tenant against 20 specific controls across the five categories above. Each control is weighted by its actual security impact — MFA enforcement carries more weight than audit log retention, for example, because the breach scenarios it prevents are more severe and more common.
The scorecard generates a letter grade and a prioritized remediation list. Items are ranked by impact-to-effort ratio, so you can start with the controls that provide the most protection for the least disruption.
Check M365 Security Scorecard — Free
Connect your Microsoft 365 tenant and get an instant security audit across 20 key controls. The scorecard grades your MFA configuration, admin hygiene, Defender policies, DLP setup, and legacy authentication exposure — with a prioritized remediation plan.
Nicholas Salem is the CEO of Boston Managed IT, a managed services provider serving professional services firms and small businesses across Greater Boston. BMIT helps clients build and operate security programs that meet Massachusetts compliance requirements.