Why Default M365 Settings Are Not Enough
Microsoft 365 is the productivity backbone of millions of businesses worldwide, and that ubiquity makes it a prime target for cybercriminals. According to Microsoft's own Digital Defense Report, more than 99% of compromised accounts did not have MFA enabled. The attackers do not need sophisticated exploits — they just need your users to click a phishing link and hand over their credentials.
The good news is that Microsoft has built an enormous security toolkit into every M365 subscription — from basic Business Premium all the way up to E5. The bad news is that most of it requires manual configuration. Here are the 12 settings every Colorado business should enable immediately.
1. Enable Multi-Factor Authentication for All Users
This is non-negotiable. Enable MFA using Security Defaults (free, included with every tenant) or, preferably, deploy Conditional Access policies (requires Entra ID P1, included in Business Premium). Conditional Access gives you fine-grained control over when MFA is required, which apps it applies to, and what happens when a sign-in looks suspicious.
2. Enable the Microsoft Authenticator App and Disable SMS MFA
SMS-based MFA is vulnerable to SIM-swapping attacks. Push notification MFA via the Microsoft Authenticator app is significantly stronger. Even better: enable Passwordless Phone Sign-In or FIDO2 security keys for your highest-privilege users to eliminate passwords entirely from the authentication flow.
3. Configure Conditional Access — Require Compliant Devices
Require that devices accessing corporate data are enrolled in Microsoft Intune and meet your compliance policies (e.g., encryption enabled, OS patched, antivirus active). This prevents a stolen laptop or a personal device from accessing sensitive data even with valid credentials.
4. Enable Microsoft Defender for Office 365 — Safe Links and Safe Attachments
Microsoft Defender for Office 365 (included in Business Premium) scans every email attachment in a sandboxed environment before delivery and rewrites every URL in an email so that it is scanned at the time of click. This catches malware that was not yet known at the time the email arrived. Enable both Safe Links and Safe Attachments for all users, all domains.
5. Block Legacy Authentication Protocols
Older email clients authenticate over POP3, IMAP, and SMTP with basic authentication (a username and password alone), which cannot enforce MFA. Attackers target these legacy protocols specifically because they bypass your MFA controls. Create a Conditional Access policy that blocks all legacy authentication across your tenant. This single change shuts out an enormous category of credential-stuffing attacks.
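The two Conditional Access policies from settings 1 and 5, created with Microsoft Graph PowerShell. This is an added example, not the article's own script; it assumes the Microsoft.Graph module, Entra ID P1 licensing, and an emergency-access account (placeholder breakglass@contoso.com) that is excluded so a bad policy cannot lock every admin out.

```powershell
# Added example (not from the original article). Assumes Microsoft.Graph is installed
# and that breakglass@contoso.com is a placeholder for your emergency-access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# Exclude the emergency-access account from both policies.
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.com").Id

# Both policies start in report-only mode: review the sign-in log impact for a
# week, then change state to "enabled".
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Basic-auth clients show up as "exchangeActiveSync" or "other"; they can never
# satisfy the MFA policy above, so block them outright.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0} -> {1} ({2})" -f $created.DisplayName, $created.Id, $created.State
}
```

Report-only policies are evaluated and logged in the sign-in log without being enforced, which is how you find the service accounts and printers still on basic auth before the block goes live.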
6. Enable and Review the Unified Audit Log
The Microsoft 365 Unified Audit Log records user and admin activity across your tenant — logins, email sends, file access, admin changes, and more. Make sure it is enabled (it is on by default for most tenants, but verify) and configure log retention appropriate to your compliance requirements. Microsoft Purview Audit Standard retains logs for 180 days; Premium extends this to one year.
7. Configure Anti-Phishing Policies
Enable impersonation protection for your key executives and domains. Microsoft can detect when an attacker is sending email that impersonates your CEO but comes from an external domain. Also enable mailbox intelligence, which learns your users' communication patterns and flags unusual messages from people they have not corresponded with before.
8. Enable DKIM and DMARC for Your Domain
DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC) prevent attackers from spoofing your email domain. DKIM adds a cryptographic signature to your outbound mail that receivers verify against a public key in your DNS; DMARC tells receivers what to do with messages that fail that check. Without these records, a criminal can send an email that appears to come from yourcompany.com — tricking your vendors, customers, and partners. Configure DKIM signing in the Microsoft Defender portal and publish a DMARC record starting with p=none (monitoring only), then advance to p=quarantine and ultimately p=reject.
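A quick external check of where a domain sits on that p=none to p=reject progression, and whether the two DKIM selector CNAMEs that Microsoft 365 uses are published. This is an added example, not part of the article; it needs the DnsClient module (Windows), and 'contoso.com' is a placeholder for your own domain.

```powershell
# Added example (not from the original article). Uses Resolve-DnsName from the
# Windows DnsClient module; 'contoso.com' below is a placeholder domain.
function Test-M365MailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    # DMARC is a TXT record at _dmarc.<domain>; a long record may be split into several strings.
    $record = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' } | Select-Object -First 1
    $dmarc = if ($record) { $record.Strings -join '' } else { '' }

    # Split "tag=value; tag=value" into a lookup: p= domain policy, sp= subdomains, rua= report address.
    $tags = @{}
    foreach ($pair in ($dmarc -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }

    # Microsoft 365 signs with keys published under selector1 and selector2; both CNAMEs must resolve.
    $dkim = foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'CNAME' | Select-Object -First 1
        "$selector -> " + $(if ($cname) { $cname.NameHost } else { 'MISSING' })
    }

    [pscustomobject]@{
        Domain           = $Domain
        DmarcPresent     = ($dmarc -ne '')
        # Progression is p=none -> p=quarantine -> p=reject; only reject stops spoofed mail outright.
        DmarcPolicy      = if ($tags.ContainsKey('p')) { $tags['p'] } else { 'no record' }
        PolicyIsReject   = ($tags['p'] -eq 'reject')
        SubdomainPolicy  = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { 'inherits p' }
        AggregateReports = if ($tags.ContainsKey('rua')) { $tags['rua'] } else { 'not configured' }
        DkimSelectors    = $dkim -join '; '
    }
}

Test-M365MailAuth -Domain 'contoso.com' | Format-List
```

A missing rua= address means nobody receives the aggregate reports that tell you whether you are safe to move from p=none to p=quarantine.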
9. Restrict External Sharing in SharePoint and OneDrive
By default, SharePoint and OneDrive allow users to share files and folders with anyone via an anonymous link — no account required. Review your sharing settings and restrict external sharing to only authenticated external users at a minimum, or limit it to specific domains if your business only collaborates with known partners.
10. Enable Microsoft Secure Score Monitoring
Microsoft Secure Score (found in the Microsoft Defender portal) is a live dashboard that scores your tenant's security posture and surfaces recommended actions with an impact score. Make reviewing Secure Score a monthly operational task. Assign ownership of Secure Score improvement to a specific person or team.
11. Configure Alert Policies for High-Risk Events
Set up alert policies that notify your IT team immediately when high-risk events occur: impossible travel sign-ins, mass file deletion, mass file download, inbox rule creation, or elevation of admin privileges. These are early indicators of an account compromise or an insider threat. Microsoft Defender XDR includes built-in alert rules for all of these.
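Alert policies tell you when these events fire; the Unified Audit Log from setting 6 lets you go back and look for them yourself. The hunt below is an added example, not the article's code: it uses Exchange Online PowerShell to pull the last 24 hours of inbox-rule changes, directory role additions, and bulk deletions. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, and the common audit record field names (Parameters, Target, ModifiedProperties); the 100-deletion threshold is an assumed starting point.

```powershell
# Added example (not from the original article). Requires ExchangeOnlineManagement
# and an account with the Audit Logs role; thresholds and field names are assumptions.
Connect-ExchangeOnline -ShowBanner:$false
$end   = Get-Date
$start = $end.AddHours(-24)

# Inbox rules that forward, redirect, delete or hide mail are a classic post-compromise move.
$suspiciousParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder'
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -RecordType ExchangeAdmin -Operations 'New-InboxRule', 'Set-InboxRule' |
    ForEach-Object {
        $data  = $_.AuditData | ConvertFrom-Json
        $flags = $data.Parameters | Where-Object { $_.Name -in $suspiciousParams }
        if ($flags) {
            [pscustomobject]@{
                Time      = $data.CreationTime
                User      = $data.UserId
                ClientIP  = $data.ClientIP
                Operation = $data.Operation
                Rule      = ($flags | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            }
        }
    }

# Privilege elevation: any new directory role member outside a change window deserves a look.
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -RecordType AzureActiveDirectory -Operations 'Add member to role.' |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId,
        @{ n = 'Target'; e = { $_.Target[0].ID } },
        @{ n = 'Role';   e = { ($_.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue } }

# Mass deletion: more than 100 delete events by a single user in the window (assumed threshold).
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -RecordType SharePointFileOperation -Operations 'FileDeleted', 'FileRecycled' |
    Group-Object UserIds | Where-Object Count -gt 100 |
    Select-Object @{ n = 'User'; e = 'Name' }, Count
```

Search-UnifiedAuditLog returns at most 5000 records per call; for a busy tenant, narrow the window or page with -SessionCommand ReturnLargeSet.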
12. Enable Privileged Identity Management (PIM)
Global Administrator and other privileged roles in your tenant should never be assigned permanently. Microsoft Entra Privileged Identity Management (PIM) enables just-in-time (JIT) role activation — admins request elevation when they need it, it is time-limited, and every activation is logged. This dramatically reduces the blast radius of a compromised admin account.
"Most M365 breaches we investigate were entirely preventable. The controls existed, they were just never turned on. Hardening your Microsoft 365 tenant is not a complex project — it's a configuration exercise that any competent IT partner can complete in a single engagement."
Getting Started
If you are not sure where your Microsoft 365 tenant stands today, Axiom IT Group offers a comprehensive M365 Security Assessment. We review your tenant configuration against the CIS Microsoft 365 Foundations Benchmark and deliver a prioritized remediation plan. For most of our Denver-area clients, we can complete the critical hardening steps in a single four-to-eight hour engagement.
Reach out to schedule your assessment — and stop leaving the door unlocked.