Microsoft 365 Security Checklist for Small Businesses
Eleven practical Microsoft 365 controls that close the gaps we find most often in SMB tenants - most of them free, all of them worth deploying this quarter.
Microsoft 365 is the operating system of most Canadian SMBs. It is also where most of the security gaps we find live - not because Microsoft 365 is insecure, but because it is secure-by-configuration, not secure-by-default. The tenants we audit in Ottawa and Toronto are usually missing the same handful of controls. Almost all of them are free with the licenses you already own.
This is the working checklist we use during a Microsoft 365 security baseline review. It is not theoretical. Every item has stopped a real incident for a real SMB.
1. Enforce MFA for every user, including service accounts
Enable multifactor authentication for 100% of your users via Conditional Access, not the legacy per-user MFA toggle. Service accounts and shared mailboxes cannot answer an MFA prompt, so they need a plan too: block sign-in on shared mailboxes outright (nobody needs to log in to them directly), and move scripts and integrations off user accounts onto workload identities - an app registration with a certificate credential, or a managed identity for workloads hosted in Azure. App passwords are a last resort, not a control: they exist only to keep legacy protocols working, and those protocols are exactly the MFA bypass the next item closes.
Roll Conditional Access policies in report-only mode for a week before enforcing. That gives you a real picture of who is using what, and prevents a Monday-morning lockout.
2. Block legacy authentication
Legacy auth protocols (basic authentication over IMAP, POP, SMTP AUTH, Exchange ActiveSync and older Office clients) cannot carry an MFA claim, so a sprayed or stolen password is enough on its own. Blocking them removes the path that lets password-spray and brute-force attacks succeed even in tenants that already enforce MFA. Exchange Online retired basic authentication for most protocols between October 2022 and early 2023, but SMTP AUTH can still be enabled per mailbox and third-party integrations may still depend on it. Audit the sign-in logs for legacy client traffic first, then create a Conditional Access policy that blocks it, and disable SMTP AUTH tenant-wide unless a specific mailbox needs it.
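The audit-then-block procedure from items 1 and 2, as an added example using the Microsoft Graph PowerShell SDK (this is not code from the original article). It assumes the Microsoft.Graph module is installed, the signed-in admin can consent to the listed scopes, the tenant has Entra ID P1 (sign-in logs are kept for 30 days), and a break-glass account exists at the placeholder UPN shown. It lists who still signs in with a legacy client over the last 30 days, then stages both a "require MFA" and a "block legacy auth" policy in report-only mode so nothing is enforced until the logs have been reviewed.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'User.Read.All', 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'   # assumption: your emergency-access account
$breakGlassId  = (Get-MgUser -UserId $breakGlassUpn -Property Id).Id   # CA exclusions take object IDs, not UPNs

# 1. Who still uses legacy protocols? Anything other than the browser or a modern
#    desktop/mobile client is a legacy client that cannot satisfy an MFA requirement.
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and $modern -notcontains $_.ClientAppUsed }

$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Group[0].UserPrincipalName
            Protocol   = $_.Group[0].ClientAppUsed
            SignIns    = $_.Count
            Successful = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count   # 0 = sign-in succeeded
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize

# 2. Stage both policies in report-only mode. After a week of clean sign-in logs,
#    change 'state' to 'enabled'. The break-glass account stays excluded from both.
$reportOnly = 'enabledForReportingButNotEnforced'

$requireMfa = @{
    displayName   = 'BASELINE-01 Require MFA for all users'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$blockLegacy = @{
    displayName   = 'BASELINE-02 Block legacy authentication'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        # exchangeActiveSync + other = every client type that cannot do modern authentication
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requireMfa, $blockLegacy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

The same hashtable pattern creates the rest of a Conditional Access baseline (for example a policy whose conditions reference a country Named Location and whose grant control is block). Report-only results appear in the sign-in log under each sign-in's Conditional Access tab, which is where the week of review happens. To close the remaining SMTP AUTH path in Exchange Online, `Set-TransportConfig -SmtpClientAuthenticationDisabled $true` turns it off tenant-wide, and `Set-CASMailbox -SmtpClientAuthenticationDisabled $false` re-enables it for a single mailbox that genuinely needs it.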
3. Protect admin accounts properly
- Separate admin accounts from day-to-day user accounts - no admin role on the account you use for email.
- Require phishing-resistant MFA (FIDO2 keys or certificate-based) for Global Admin and Privileged Role Admin.
- Limit Global Admins to the absolute minimum - two is plenty for most SMBs. Keep one or two break-glass accounts on top: cloud-only, excluded from every Conditional Access policy, with a long random password stored offline and an alert on any sign-in, so an MFA or Conditional Access mistake cannot lock you out of your own tenant.
- Enable Privileged Identity Management (PIM) if your license includes it (it needs Entra ID P2, which is not part of Business Premium), so admin rights are eligible rather than standing and are activated for a bounded time with a justification.
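An added example of how to check the admin-account rules above against a real tenant (not code from the original article). It uses the Microsoft Graph PowerShell SDK and assumes the admin can consent to the listed scopes. It lists every active Global Administrator, flags members that look like someone's day-to-day account (licensed or mailbox-enabled, which is a heuristic, not a rule), and reports whether each has a phishing-resistant method registered. Eligible PIM assignments are not active role members, so they are covered separately in the note below.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'UserAuthenticationMethod.Read.All'

# Role template IDs are fixed across all tenants; this one is Global Administrator.
$globalAdminTemplate = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplate'"

# Method types that count as phishing-resistant (FIDO2, Windows Hello for Business, certificate-based).
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
    '#microsoft.graph.x509CertificateAuthenticationMethod'
)

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -ne '#microsoft.graph.user') {
        # Groups and service principals holding Global Admin deserve their own review.
        [pscustomobject]@{
            Principal = $m.Id; Type = ($type -replace '^#microsoft\.graph\.', ''); Enabled = $null
            LooksLikeDailyUse = $null; PhishingResistant = $null; Methods = 'n/a - review manually'
        }
        continue
    }
    $u       = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled, AssignedLicenses, Mail
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    [pscustomobject]@{
        Principal         = $u.UserPrincipalName
        Type              = 'user'
        Enabled           = $u.AccountEnabled
        # Heuristic: a licensed admin with a mailbox is almost always a day-to-day account.
        LooksLikeDailyUse = ($u.AssignedLicenses.Count -gt 0) -or [bool]$u.Mail
        PhishingResistant = [bool]($methods | Where-Object { $phishingResistant -contains $_ })
        Methods           = ($methods -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', '') -join ', '
    }
}

$report | Format-Table -AutoSize

$activeAdmins = ($report | Where-Object { $_.Type -eq 'user' -and $_.Enabled }).Count
if ($activeAdmins -gt 2) { Write-Warning "$activeAdmins enabled Global Admins - the article's target for an SMB is two plus break-glass." }
$report | Where-Object { $_.Type -eq 'user' -and -not $_.PhishingResistant } |
    ForEach-Object { Write-Warning "$($_.Principal) has no phishing-resistant method registered." }
```

The `password` entry in the Methods column is expected; the finding is a Global Admin whose only other method is SMS or voice. In a tenant using PIM, `Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty Principal -All` lists eligible assignments that this active-member query will not show, and those accounts need the same checks.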
4. Configure Conditional Access baselines
At minimum: require MFA for all users on all cloud apps, block sign-in from countries you do not operate in (a Named Location holding those countries, with your break-glass accounts excluded from the block), and require a compliant (Intune-managed) device for admin roles. Conditional Access needs Entra ID P1, which Business Premium includes. If you are not licensed for it, Microsoft's security defaults are a reasonable starting point; the two cannot run together, so once you have Conditional Access, turn security defaults off and use it.
5. Deploy Intune for device compliance
Even at a minimum: enroll Windows and macOS devices, and require disk encryption, a screen lock and a current OS version in a compliance policy. Conditional Access can then require a compliant device for sensitive resources - SharePoint, finance, payroll - so a stolen password used from an unmanaged machine gets no further than the sign-in page.
6. Turn on Defender for Office 365 anti-phishing
If your license includes Defender for Office 365 (Plan 1 is part of Business Premium), enable Safe Links, Safe Attachments and an anti-phishing policy with impersonation protection for your top ten most-impersonated mailboxes (typically execs and finance) and for your own domains. Wire fraud against SMBs almost always starts with email impersonation; this single control blocks the majority of it.
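An added example of the three policies above created with Exchange Online PowerShell (this is not the article's own code). It assumes the ExchangeOnlineManagement module, a Defender for Office 365 Plan 1 license, and that `contoso.com` and the two protected users are placeholders for your accepted domain and your real executives and finance staff. The display name in each protected-user entry matters: impersonation detection compares the display name of inbound senders against it.

```powershell
# Added example, not from the original article. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$domain = 'contoso.com'   # assumption: your accepted domain
# Format is "DisplayName;SMTP address". Names are placeholders; list execs and anyone who moves money.
$protectedUsers = @(
    'Jane Doe;jane.doe@contoso.com',   # CEO
    'Sam Lee;sam.lee@contoso.com'      # Controller / accounts payable
)

# Anti-phishing: impersonation protection for named users and your own domains, spoof
# intelligence on, aggressiveness 2 of 4, and safety tips so users see the warning too.
New-AntiPhishPolicy -Name 'Baseline Anti-Phish' `
    -Enabled $true `
    -PhishThresholdLevel 2 `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true -AuthenticationFailAction MoveToJmf `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true -EnableUnusualCharactersSafetyTips $true
New-AntiPhishRule -Name 'Baseline Anti-Phish' -AntiPhishPolicy 'Baseline Anti-Phish' -RecipientDomainIs $domain

# Safe Links: rewrite and scan URLs at click time in mail, Teams and Office, including
# internal mail (a compromised colleague is the usual phishing sender), with no click-through.
New-SafeLinksPolicy -Name 'Baseline Safe Links' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'Baseline Safe Links' -SafeLinksPolicy 'Baseline Safe Links' -RecipientDomainIs $domain

# Safe Attachments: detonate attachments and block the whole message when one is malicious.
New-SafeAttachmentPolicy -Name 'Baseline Safe Attachments' -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name 'Baseline Safe Attachments' -SafeAttachmentPolicy 'Baseline Safe Attachments' -RecipientDomainIs $domain

# Tenant-wide switch: scan files landing in SharePoint, OneDrive and Teams as well.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true
```

If you would rather not maintain custom policies, the Standard preset security policy in the Defender portal applies equivalent settings with one toggle and still lets you enter the protected users and domains; the custom route above is for when you need to tune thresholds or scope a policy to one group.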
7. Configure SPF, DKIM and DMARC
These three DNS records make it dramatically harder for attackers to spoof your domain in phishing campaigns against your customers and partners. SPF lists who may send for the domain (for Microsoft 365, include:spf.protection.outlook.com, ending in -all or at least ~all); DKIM signs your outbound mail once you enable it in Exchange Online and publish the two selector CNAMEs; DMARC tells receivers what to do with mail that fails both and where to send reports. Publish DMARC first at p=none with a rua= reporting address, monitor the aggregate reports for two to four weeks to find legitimate senders you forgot (billing platforms, CRMs, multifunction printers), then move to p=quarantine and finally p=reject, using pct= to ramp up gradually. Most SMBs never get past p=none and leave the door open.
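An added example that checks where a domain stands on the SPF/DKIM/DMARC path described above (not code from the original article). It uses `Resolve-DnsName` from the Windows DnsClient module, so it runs from any Windows workstation without tenant access; `contoso.com` is a placeholder. It expects the Microsoft 365 layout specifically: an SPF record that includes Exchange Online, two DKIM selector CNAMEs pointing into your onmicrosoft.com tenant, and a DMARC record whose p= and pct= tags decide the next step.

```powershell
# Added example, not from the original article. Windows PowerShell / PowerShell 7 on Windows.
function Get-TxtRecord {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object Type -eq 'TXT' |
            ForEach-Object { $_.Strings -join '' }   # long TXT values arrive as 255-byte chunks
    } catch { @() }
}

function Test-MailAuthPosture {
    param([string]$Domain)

    # SPF: exactly one v=spf1 record, Exchange Online included, hard (-all) or soft (~all) fail at the end.
    $spf   = @(Get-TxtRecord $Domain | Where-Object { $_ -match '^v=spf1\b' })
    $spfOk = $spf.Count -eq 1 -and
             $spf[0] -match 'include:spf\.protection\.outlook\.com' -and
             $spf[0] -match '\s[-~]all$'

    # DKIM: Microsoft 365 uses selector1/selector2 CNAMEs to <selector>-<domain>._domainkey.<tenant>.onmicrosoft.com
    $dkim = foreach ($s in 'selector1', 'selector2') {
        try {
            (Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction Stop |
                Where-Object Type -eq 'CNAME').NameHost
        } catch { $null }
    }
    $dkimOk = @($dkim | Where-Object { $_ -match '_domainkey\..+\.onmicrosoft\.com$' }).Count -eq 2

    # DMARC: parse "tag=value;" pairs. p= is the enforcement level, rua= is where aggregate reports go.
    $dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    $tags  = @{}
    if ($dmarc) {
        foreach ($pair in $dmarc -split ';') {
            $kv = $pair.Trim() -split '=', 2
            if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
        }
    }
    $policy = if ($tags['p']) { $tags['p'].ToLower() } else { 'missing' }
    $pct    = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }   # pct defaults to 100 when absent

    $nextStep = switch ($policy) {
        'missing'    { 'publish "v=DMARC1; p=none; rua=mailto:<reports address>" and start collecting reports' }
        'none'       { 'after 2-4 weeks of clean reports move to p=quarantine (start with pct=25)' }
        'quarantine' { if ($pct -lt 100) { 'raise pct to 100, then move to p=reject' } else { 'move to p=reject' } }
        'reject'     { 'done - keep reading rua reports for new legitimate senders' }
        default      { "unexpected p=$policy - fix the record" }
    }

    [pscustomobject]@{
        Domain      = $Domain
        SPF         = if ($spfOk) { 'ok' } else { "review: $($spf -join ' | ')" }
        DKIM        = if ($dkimOk) { 'ok' } else { "missing/incomplete: $(($dkim | Where-Object { $_ }) -join ', ')" }
        DmarcPolicy = $policy
        DmarcPct    = $pct
        Reporting   = [bool]$tags['rua']
        NextStep    = $nextStep
    }
}

Test-MailAuthPosture -Domain 'contoso.com' | Format-List
```

A DMARC record with p=none and no rua= tag is the worst of both worlds: no enforcement and no reports to learn from, which is why the check reports them separately. On the tenant side, `Get-DkimSigningConfig` shows whether signing is actually enabled for each domain; publishing the CNAMEs alone does nothing until it is.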
8. Back up Microsoft 365 with a third party
Microsoft replicates the service. They do not protect you from a user deleting a SharePoint library, an attacker encrypting OneDrive, or a retention policy mistake. A third-party Microsoft 365 backup (Veeam, Datto, AvePoint, Keepit) is essential - and tested restores are the only proof it works.
9. Audit and clean up licensing
Most SMBs we audit have 10 to 25 percent of M365 spend going to dormant accounts, duplicate licenses or oversized SKUs. Run a quarterly licence audit. The savings often pay for the security work above.
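An added example of the quarterly licence audit described above, using the Microsoft Graph PowerShell SDK (not the article's code). It assumes the module is installed, the admin can consent to the listed scopes, and the tenant has Entra ID P1 (the signInActivity property depends on it). It lists licensed accounts that are disabled, have never signed in, or have not signed in for 90 days, then shows purchased versus assigned seats for each SKU.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph PowerShell SDK and Entra ID P1.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Organization.Read.All'

$staleDays = 90
$cutoff    = (Get-Date).AddDays(-$staleDays)

# Map SKU GUIDs to part numbers (e.g. SPB = Microsoft 365 Business Premium) from your own tenant.
$skus    = Get-MgSubscribedSku -All
$skuName = @{}
foreach ($s in $skus) { $skuName[$s.SkuId] = $s.SkuPartNumber }

$licensed = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName, AccountEnabled, AssignedLicenses, SignInActivity, UserType |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

$dormant = foreach ($u in $licensed) {
    $last   = $u.SignInActivity.LastSignInDateTime   # interactive sign-ins only; $null if never
    $reason = if (-not $u.AccountEnabled) { 'account disabled' }
              elseif (-not $last)         { 'never signed in' }
              elseif ($last -lt $cutoff)  { "no sign-in for $([int]((Get-Date) - $last).TotalDays) days" }
    if ($reason) {
        [pscustomobject]@{
            User     = $u.UserPrincipalName
            Reason   = $reason
            Licenses = ($u.AssignedLicenses | ForEach-Object { $skuName[$_.SkuId] }) -join ', '
        }
    }
}

# Shared mailboxes under 50 GB and left-the-company accounts typically appear here; neither needs a licence.
$dormant | Sort-Object Reason | Format-Table -AutoSize

# Seats you pay for versus seats actually assigned, per SKU.
$skus | Select-Object SkuPartNumber,
    @{ n = 'Purchased';  e = { $_.PrepaidUnits.Enabled } },
    @{ n = 'Assigned';   e = { $_.ConsumedUnits } },
    @{ n = 'Unassigned'; e = { $_.PrepaidUnits.Enabled - $_.ConsumedUnits } } |
    Format-Table -AutoSize
```

Treat "never signed in" with care: a mailbox converted to shared after an employee left legitimately never signs in, but it also keeps any licence that was on it until someone removes it, which is the most common leak this report finds.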
10. Turn on unified audit logging
Audit logging is on by default for newer tenants but often disabled in older ones. Without it you have no forensic trail when something goes wrong, and nothing that happened before you switch it on can ever be recovered. Verify it is on and know your retention: Microsoft Purview Audit (Standard), which Business Premium includes, keeps 180 days; keeping logs longer needs Audit (Premium) with an audit retention policy, or exporting them to a SIEM or storage you control.
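An added example, not from the original article, that does the verification above with Exchange Online PowerShell and then proves the trail is usable by running the first search an incident responder makes after a suspected mailbox compromise: inbox rules created or changed in the last 30 days. It assumes the ExchangeOnlineManagement module and an admin with the View-Only Audit Logs role or higher.

```powershell
# Added example, not from the original article. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Unified audit log ingestion: verify, and enable if an older tenant has it off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion was OFF - enabling now. Events before this point are gone.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Mailbox auditing is on by default, but confirm nobody switched it off at the organization level.
if ((Get-OrganizationConfig).AuditDisabled) { Write-Warning 'Mailbox auditing is disabled organization-wide.' }

# Forensic smoke test: inbox-rule changes. Attackers create rules that forward, redirect or
# delete mail so the victim never sees the fraud conversation they are conducting.
$end    = Get-Date
$start  = $end.AddDays(-30)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules' -ResultSize 5000

# Rule actions that indicate exfiltration or hiding, per the classic BEC pattern.
$riskyActions = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder')

$events | ForEach-Object {
    # Each record carries its detail as JSON in AuditData; cmdlet-style records list Parameters as Name/Value pairs.
    $d      = $_.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }
    [pscustomobject]@{
        When       = $_.CreationDate
        Mailbox    = $d.UserId
        Operation  = $_.Operations
        ClientIP   = $d.ClientIP
        RuleName   = $params['Name']
        Suspicious = [bool]($params.Keys | Where-Object { $_ -in $riskyActions })
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

`UpdateInboxRules` is the operation Outlook records when a user (or an attacker in their session) edits rules through the client, and its AuditData is shaped differently from the cmdlet records, so it appears here with an empty RuleName; the mailbox, time and client IP are still the lead. Export this to CSV and keep it beyond the tenant's retention window, since a compromise is often discovered months after the rule was planted.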
11. Document everything and review quarterly
Conditional Access policies, admin role assignments, sharing settings, DLP rules and Intune compliance baselines all drift over time. A quarterly review by a named owner catches drift before it becomes an incident. If the answer to "who owns M365 security at your company" is silence, that is the first thing to fix.
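An added example of catching the drift described above for one of the listed surfaces, Conditional Access (not code from the original article). It uses the Microsoft Graph PowerShell SDK, assumes the admin can consent to the listed scope, and assumes the approved baseline is kept at the placeholder path shown. The first run writes the baseline; each quarterly run after that reports policies that were added, removed or changed, with timestamps stripped so that only a real configuration change counts as drift.

```powershell
# Added example, not from the original article. Requires Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Policy.Read.All'

$baselinePath = Join-Path $HOME 'm365-ca-baseline.json'   # assumption: where the approved baseline lives

function Get-CaSnapshot {
    # Capture only the fields that define behaviour. Created/modified timestamps are left out
    # so a cosmetic save does not look like drift.
    Get-MgIdentityConditionalAccessPolicy -All | ForEach-Object {
        [pscustomobject]@{
            Id   = $_.Id
            Name = $_.DisplayName
            Body = ($_ | Select-Object State, Conditions, GrantControls, SessionControls |
                        ConvertTo-Json -Depth 20 -Compress)
        }
    }
}

$current = @(Get-CaSnapshot)

if (-not (Test-Path $baselinePath)) {
    $current | ConvertTo-Json -Depth 5 | Set-Content -Path $baselinePath
    "Baseline written with $($current.Count) policies to $baselinePath. Re-run next quarter."
    return
}

$baseline = @(Get-Content -Path $baselinePath -Raw | ConvertFrom-Json)
$byId = @{}
foreach ($b in $baseline) { $byId[$b.Id] = $b }

$findings = foreach ($p in $current) {
    if (-not $byId.ContainsKey($p.Id)) {
        "ADDED    $($p.Name)"
    } elseif ($byId[$p.Id].Body -ne $p.Body) {
        "CHANGED  $($p.Name)"
    }
    $byId.Remove($p.Id)
}
$findings += foreach ($gone in $byId.Values) { "REMOVED  $($gone.Name)" }

if ($findings) { $findings } else { "No Conditional Access drift against baseline of $($baseline.Count) policies." }
```

Commit the baseline file to the same repository as the written policy documentation, and re-write it deliberately after an approved change; a "CHANGED" line that nobody can tie to a ticket is the incident the quarterly review exists to find. The same snapshot-and-compare shape works for admin role assignments, SharePoint sharing settings and Intune compliance policies, each with its own Get- cmdlet.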
Bottom line
None of this is exotic. Most of it is included in the Business Premium SKU most SMBs already pay for. The work is in deploying it carefully, documenting it, and reviewing it every quarter. If you want a written baseline review of your tenant before you start, we run one as part of our free IT assessment.