
Microsoft 365 Security: 10 Essential Steps

Your Business Runs on Microsoft 365. Is It Actually Secure?

Microsoft 365 is brilliant. Your team can work from anywhere, collaborate in real time, store files in the cloud, and communicate without thinking twice. Most UK businesses with 10 to 200 employees are using it every single day.

But here’s the problem: most of them are using it with the default settings. And the default settings are not secure.

Out of the box, Microsoft 365 doesn’t enforce multi-factor authentication, doesn’t protect against email spoofing, doesn’t back up your data, and doesn’t restrict who can access what from where. That’s not a criticism of Microsoft – it’s simply how the platform is designed. It gives you the tools. It doesn’t set them up for you.

This guide walks you through ten settings and features that every business should have in place. None of them require specialist knowledge to understand. All of them make a measurable difference.

The 10 Steps

Step 1: Turn On Multi-Factor Authentication for Every User
Why it matters?

Your password is not enough. Stolen passwords are sold on the dark web for pennies. If someone gets hold of a password and there’s no second factor, they’re straight into your email, your files, and your contacts.

Enable MFA for every Microsoft 365 account in your organisation – no exceptions. The most common method is a push notification to the Microsoft Authenticator app on your phone. It takes 3 seconds each time you sign in. That’s 3 seconds to stop an account takeover.

Microsoft’s own data shows that MFA blocks over 99% of automated account compromise attacks. For even stronger protection, use phishing-resistant methods like the Microsoft Authenticator app with number matching.

"MFA is the single most effective thing you can do to protect your business accounts. It takes 3 seconds. It stops 99% of automated attacks."

Step 2: Set Up Conditional Access Policies
Why it matters?

Even with MFA, you should control where and how people access your business data. Conditional Access lets you set rules: only allow access from managed devices, block sign-ins from countries you don’t operate in, and require extra verification for sensitive actions.

Work with your IT provider to define policies that match how your team works. For example: allow mobile access but only from company-registered devices. Block logins from outside the UK unless someone is travelling.

It reduces your exposure without getting in the way of your team’s productivity.
Step 3: Protect Your Domain with SPF, DKIM and DMARC
Why it matters?

If anyone can send an email that looks like it came from your domain, your customers, suppliers, and staff are all vulnerable. Attackers use this to send fake invoices, request bank transfers, and steal login credentials – all from what appears to be a trusted internal email address.

Set up three email authentication records on your domain: SPF, DKIM, and DMARC. These are technical settings that tell the world “if an email claims to be from our domain, here’s how to verify it’s genuine.” If you’re not sure whether yours are configured, try our free DMARC Generator tool.

Your emails are more likely to reach inboxes (better deliverability), and criminals cannot impersonate your brand via email.
Step 4: Turn On Unified Audit Logging
Why it matters?

If something goes wrong – a data breach, a compromised account, an accidental deletion – you need to know what happened, when, and who was involved. Without audit logging enabled, you’re flying blind.

Make sure unified audit logging is turned on in your Microsoft 365 admin centre. This records all user activity: file access, email actions, admin changes, and sign-in events.

It gives you a clear trail if you ever need to investigate an incident, prove compliance, or understand what went wrong.
Step 5: Back Up Your Microsoft 365 Data
Why it matters?

This is the one that catches most businesses off guard. Microsoft 365 does not back up your data. If an employee deletes files, if ransomware encrypts your mailbox, or if an admin accidentally wipes a SharePoint site – Microsoft’s retention policies are limited and time-bound.

Use a dedicated third-party backup solution that creates independent copies of your email, OneDrive, SharePoint, and Teams data. Make sure your backups are stored separately from your Microsoft 365 environment.

You can recover anything – a single email, a deleted folder, an entire mailbox – whenever you need to. Without it, deleted means gone.

"Microsoft guarantees platform uptime. It does not guarantee your data. That distinction matters more than most businesses realise."

Step 6: Block Legacy Authentication
Why it matters?

Older email protocols (POP3, IMAP, and SMTP) using Basic Authentication don’t support MFA. Attackers target these because they bypass the extra security layer you’ve just set up. If legacy authentication is still enabled, your MFA is incomplete.

Block legacy authentication methods through your Microsoft 365 settings or Conditional Access policies. You may need to check first that no older devices or applications rely on these protocols.

This closes one of the most common backdoors that attackers exploit.
Step 7: Lock Down Global Admin Accounts
Why it matters?

Global admin accounts are the keys to the kingdom. If one is compromised, an attacker has complete control over your Microsoft 365 environment – every user, every file, every setting.

Limit the number of global admin accounts to the absolute minimum (ideally two or three). Use separate admin accounts that are not used for day-to-day work. Apply MFA and Conditional Access policies specifically to these accounts.

If a regular user account is compromised, the blast radius is contained. Admin accounts should be the hardest thing in your organisation to break into.
Step 8: Set Up Alerts for Suspicious Activity
Why it matters?

You can’t respond to something you don’t know about. Microsoft 365 can send automatic alerts when something unusual happens – a login from an unexpected location, a mass file download, or a forwarding rule being created on a mailbox.

Configure alert policies in the Microsoft Defender portal. Set notifications for high-risk events and make sure they go to someone who can act on them.

Early detection is everything. The faster you spot suspicious activity, the less damage it can cause.
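The forwarding-rule alert mentioned above is only possible because the audit log from Step 4 records the admin cmdlet behind the change. As an added example (not from the original article), the script below scans constructed audit records shaped like Exchange admin entries (Operation, UserId, Parameters) and raises an alert when a rule or mailbox setting forwards mail to an address outside your own domains; `ORG_DOMAINS` and the record contents are assumptions, and real records would come from the unified audit log export.

```python
"""Detect mailbox forwarding to external addresses in audit log records.
Added example; the records are constructed samples, not real log data."""
import json

ORG_DOMAINS = {"example.co.uk"}  # assumed: your own accepted email domains

# Cmdlets whose parameters can redirect a user's mail elsewhere.
FORWARDING_OPS = {
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress", "ForwardingAddress"),
}

def is_external(address: str) -> bool:
    """True if the address is not on one of our own domains."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in ORG_DOMAINS

def find_external_forwarding(records: list[dict]) -> list[dict]:
    """Return one alert per record that forwards mail to an external address."""
    alerts = []
    for rec in records:
        watched = FORWARDING_OPS.get(rec.get("Operation"))
        if not watched:
            continue  # not a forwarding-capable operation
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        targets = [v for name in watched if (v := params.get(name)) and is_external(v)]
        if targets:
            alerts.append({"time": rec["CreationTime"], "user": rec["UserId"],
                           "operation": rec["Operation"], "targets": targets})
    return alerts

# Constructed samples: an internal rule (benign), an external forward, an unrelated event.
SAMPLE_LOG = json.dumps([
    {"CreationTime": "2024-03-04T08:12:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.co.uk",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "finance@example.co.uk"}]},
    {"CreationTime": "2024-03-04T02:47:00", "Operation": "Set-Mailbox",
     "UserId": "alice@example.co.uk",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:mailbox@external.example"}]},
    {"CreationTime": "2024-03-04T09:00:00", "Operation": "FileAccessed",
     "UserId": "bob@example.co.uk", "Parameters": []},
])

def scan_sample() -> list[dict]:
    """Run the detection over the constructed sample log."""
    return find_external_forwarding(json.loads(SAMPLE_LOG))

if __name__ == "__main__":
    for alert in scan_sample():
        print(alert)
```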
Step 9: Configure Data Loss Prevention Policies
Why it matters?

Employees share sensitive information every day – financial data, customer records, personal details. Sometimes by accident. Data Loss Prevention (DLP) policies automatically detect and protect sensitive content before it leaves your organisation.

Define policies that flag or block the sharing of sensitive information – such as National Insurance numbers, credit card details, or financial documents – through email, Teams, or SharePoint.

It reduces the risk of accidental data leaks and helps you demonstrate compliance with GDPR and industry regulations.
Step 10: Tighten Sharing Settings
Why it matters?

One of the most common security gaps in Microsoft 365 is oversharing. Employees create “anyone with the link” sharing permissions, and suddenly sensitive files are accessible to anyone who stumbles across the URL.

Change the default sharing setting to “people in your organisation” rather than “anyone.” Review existing shared links and revoke unnecessary access. Make external sharing require approval for sensitive sites.

Your files stay inside your business unless you’ve deliberately chosen to share them.

How to Know Where You Stand?

Not Sure Which of These You've Got in Place? We Can Check.

If reading through this list made you uncomfortable – or if you’re honestly not sure how many of these steps are in place for your business – you’re not alone. Most businesses we work with have two or three of these covered. Very few have all ten.

The good news is that most of these changes can be implemented quickly, with minimal disruption. The first step is knowing where you are.

Let Us Check Your Microsoft 365 Security – for Free

Our free IT Health Check includes a full review of your Microsoft 365 environment. We’ll check every one of these ten steps, identify any gaps, and give you a clear report – in plain English – of what needs attention.

No obligation. No sales pressure. Just the facts about your current setup.


"We didn't realise our Microsoft 365 wasn't backed up until Cyber Kaizen checked. That was a wake-up call."

Operations Director

45-employee professional services firm
