Securing Microsoft 365: A Checklist for Small Business


Microsoft 365 is probably your most critical business system. Email, documents, collaboration - it’s all in there. And yet I regularly see small businesses running with the default settings, which aren’t as secure as you’d think.

Here’s a practical checklist to lock down your M365 environment. You don’t need an IT department to do most of this.

The Basics (Do These Today)

Enable Multi-Factor Authentication for Everyone

This is the single most important thing you can do. Go to the Microsoft 365 admin centre > Users > Active users > Multi-factor authentication and enable it for all accounts.

Better yet, use Security Defaults or Conditional Access policies to enforce it automatically.

How to check: Sign out and sign back in. Are you prompted for a second factor? If not, it’s not working.

Check Admin Account Security

Admin accounts are the crown jewels. If an attacker gets one, they control everything.

  • Use a separate admin account from your daily account
  • Never use admin accounts for regular email or web browsing
  • Enable MFA specifically on all admin accounts (consider hardware keys for these)
  • Review who has admin roles and remove anyone who doesn’t need them

Where to check: Admin centre > Users > Active users > Filter by “Admin”

Set Up Secure Password Policies

Microsoft 365 has default password policies, but you might want to tighten them:

  • Minimum 14 characters (length matters more than complexity)
  • Banned password list (prevents “Company2025!” type passwords)
  • Self-service password reset (reduces IT burden and locked accounts)

Where to configure: Azure Active Directory > Security > Authentication methods

Email Security (Do These This Week)

Enable Anti-Phishing Policies

Microsoft 365 includes anti-phishing, but it’s not always configured aggressively.

  • Go to Security & Compliance centre > Threat Management > Policy
  • Enable impersonation protection (protects against spoofed executive emails)
  • Configure safe links and safe attachments
  • Enable first contact safety tips (warns when receiving email from new senders)

Configure DMARC, DKIM, and SPF

These email authentication protocols prevent attackers from spoofing your domain. They’re free to set up but require DNS changes.

  • SPF: Specifies which mail servers can send email as your domain
  • DKIM: Adds a digital signature to outgoing emails
  • DMARC: Tells receiving servers what to do with emails that fail SPF/DKIM

Microsoft publishes guides for setting these up. If you’re not confident with DNS, ask your IT support.

How to check: Use a tool like MXToolbox to test your domain’s email authentication.
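If you'd rather check from PowerShell than a website, here's an added example (my own script, not something from Microsoft or the original checklist) that resolves a domain's SPF, DKIM and DMARC records and reports what's missing. It assumes a Windows machine (Resolve-DnsName ships with the DnsClient module) and that DKIM was set up the Microsoft 365 way, with selector1 and selector2 CNAMEs; `example.com` is a placeholder.

```powershell
# Added example (not from the original post): checks a domain's SPF, DKIM and DMARC
# records. Assumes a Windows host (Resolve-DnsName comes with the DnsClient module)
# and that DKIM was enabled the Microsoft 365 way, i.e. selector1/selector2 CNAMEs.
function Test-M365EmailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ Domain = $Domain }

    # SPF is a TXT record at the domain apex; more than one v=spf1 record is a permanent error
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=spf1*' })
    switch ($spf.Count) {
        0       { $result.SPF = 'MISSING' }
        1       { $result.SPF = $spf[0] }
        default { $result.SPF = 'MULTIPLE (invalid)' }
    }
    # '-all' (hard fail) is the goal once every legitimate sender is listed; '~all' only soft-fails
    $result.SpfHardFail = ($spf.Count -eq 1 -and $spf[0] -like '*-all')

    # Microsoft 365 publishes two DKIM keys; both CNAMEs must exist for key rotation to work
    foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $result["DKIM_$selector"] = if ($cname) { $cname.NameHost } else { 'MISSING' }
    }

    # DMARC is a TXT record at _dmarc.<domain>; p=none only reports, it stops nothing
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like 'v=DMARC1*' })
    $result.DMARC = if ($dmarc.Count -ge 1) { $dmarc[0] } else { 'MISSING' }
    $result.DmarcPolicy = if ($dmarc.Count -ge 1 -and $dmarc[0] -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'n/a' }

    [pscustomobject]$result
}

# Replace the placeholder domain with your own
Test-M365EmailAuth -Domain 'example.com' | Format-List
```

A DMARC policy of `p=none` means you're only collecting reports; move to `quarantine` and then `reject` once the reports show your legitimate mail is passing.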

Block Auto-Forwarding

Attackers often set up mailbox rules to forward emails to external addresses. Block this:

  • Exchange admin centre > Mail flow > Rules
  • Create a rule to block auto-forward to external recipients

You can whitelist specific addresses if you have legitimate forwarding needs.
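The same two controls from PowerShell, as an added example that isn't part of the original post. It assumes the ExchangeOnlineManagement module is installed and you hold an Exchange admin role; the approved external address is a constructed placeholder for your own whitelist.

```powershell
# Added example (not from the original post): blocks automatic forwarding to external
# recipients in Exchange Online. Assumes the ExchangeOnlineManagement module and an
# Exchange admin role. The allow-list is a constructed placeholder; fill in the external
# addresses you have agreed may receive forwarded mail.
Connect-ExchangeOnline

$approvedExternal = @('accounts@partner.example')   # constructed placeholder

# 1. Tenant-wide: tell the outbound spam filter policy to refuse auto-forwarded mail.
#    'Automatic' (the default) leaves the decision to Microsoft; 'Off' makes it explicit.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Mail flow rule: reject auto-forwards (inbox rules and mailbox-level forwarding alike)
#    that leave the organisation, except to the approved addresses.
$ruleName = 'Block external auto-forward'
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -ExceptIfSentTo $approvedExternal `
        -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.' `
        -RejectMessageEnhancedStatusCode '5.7.1'
}

# 3. Verify that both controls are in place
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object Name, AutoForwardingMode
Get-TransportRule -Identity $ruleName | Select-Object Name, State, Priority
```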

Check for Suspicious Mailbox Rules

Accounts that have already been compromised may have forwarding rules in place before you block anything.

How to check: Run the Get-InboxRule cmdlet in PowerShell for each user, or use the Microsoft 365 admin centre to review rules.

Look for rules that forward, redirect, or delete emails - especially if the user doesn’t remember creating them.
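Running Get-InboxRule by hand for every user gets old fast, so here's an added example (my own script, not from the original post) that walks every user mailbox and reports rules that forward or redirect outside your domains, delete mail, or have the blank or dot-only names that tampered rules often carry. It assumes the ExchangeOnlineManagement module and an Exchange admin role; `example.com` is a placeholder for your accepted domains.

```powershell
# Added example (not from the original post): audits every user mailbox for inbox rules
# that forward, redirect or delete mail. Assumes the ExchangeOnlineManagement module and
# an Exchange admin role. $internalDomains is a constructed placeholder.
Connect-ExchangeOnline

$internalDomains = @('example.com')   # constructed placeholder: your accepted domains

function Get-SuspiciousInboxRules {
    param([string[]]$InternalDomains)

    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox -Properties UserPrincipalName
    foreach ($mbx in $mailboxes) {
        $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            # A rule can send mail onward in three ways; gather every destination
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ }
            # External recipients appear as '"Name" [SMTP:addr]'; internal ones use an EX: legacy DN
            $external = foreach ($t in $targets) {
                if ($t -match '\[SMTP:([^\]]+)\]') {
                    $addr = $Matches[1]
                    if ($InternalDomains -notcontains ($addr -split '@')[-1]) { $addr }
                }
            }
            $reasons = @()
            if ($external)           { $reasons += "forwards to external: $($external -join ', ')" }
            if ($rule.DeleteMessage) { $reasons += 'deletes messages' }
            # Rules named with a single dot, or nothing at all, are a common sign of tampering
            if ([string]::IsNullOrWhiteSpace($rule.Name) -or $rule.Name -match '^[.\s]+$') {
                $reasons += 'blank or dot-only name'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Rule    = $rule.Name
                    Enabled = $rule.Enabled
                    Reason  = $reasons -join '; '
                }
            }
        }
    }
}

Get-SuspiciousInboxRules -InternalDomains $internalDomains | Format-Table -AutoSize
```

Every hit still needs a human decision: a rule that moves mail to a folder and deletes it might be the user's own tidying, so confirm with them before removing it.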

Data Protection (Do These This Month)

Enable Audit Logging

You can’t investigate what you don’t log. Turn on unified audit logging:

  • Security & Compliance centre > Search > Audit log search
  • Click “Start recording user and admin activity”

This should be on by default, but verify it.

Configure Retention Policies

Decide how long emails and documents should be kept, then enforce it:

  • How long do you legally need to retain records?
  • When should data be automatically deleted?
  • Are there holds needed for legal or compliance reasons?

Where to configure: Security & Compliance centre > Information governance > Retention

Set Up Data Loss Prevention (DLP)

DLP policies can prevent sensitive information from leaving your organisation:

  • Block emails containing credit card numbers to external recipients
  • Warn before sharing documents containing sensitive data
  • Flag bulk downloads of customer information

Start with Microsoft’s built-in sensitive information types (credit cards, tax file numbers, Medicare numbers).

Where to configure: Security & Compliance centre > Data loss prevention

Review External Sharing Settings

Who can share files and folders externally? By default, it might be everyone.

  • SharePoint admin centre > Policies > Sharing
  • Consider limiting external sharing to specific users or requiring approval
  • At minimum, disable anonymous sharing links

Device and Access Controls (Do These)

Configure Conditional Access

Conditional Access lets you require MFA, block access, or limit capabilities based on conditions:

  • Require MFA for admin access
  • Block access from risky locations
  • Require compliant devices for sensitive data
  • Force MFA when sign-in risk is detected

Where to configure: Azure Active Directory > Security > Conditional Access

Note: Some Conditional Access features require Azure AD Premium licensing.

Enable Mobile Device Management

If people access M365 from phones, consider basic MDM:

  • Require a device PIN
  • Enable remote wipe for lost devices
  • Block access from jailbroken devices

Microsoft Intune is included in Business Premium and provides these controls.

Review Third-Party App Permissions

Users might have granted access to third-party apps. Some are legitimate; others are phishing vectors.

Where to check: Azure Active Directory > Enterprise applications > All applications

Review the list. For each app, check what permissions it has. Remove anything you don’t recognise or no longer use.
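Clicking through every app in the portal is tedious, so as an added example (my own script, not from the original post) here's a Microsoft Graph PowerShell report of every delegated consent grant in the tenant, flagging scopes that give an app your mail or files. It assumes the Microsoft.Graph PowerShell SDK is installed and you can consent to the read-only scopes it requests; the "risky scope" list is my own starting point, not a Microsoft category.

```powershell
# Added example (not from the original post): reports every delegated OAuth consent grant
# and flags scopes that expose mail or files. Assumes the Microsoft.Graph PowerShell SDK.
# $riskyScopes is my own starting list; extend it to suit your environment.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All'

$riskyScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                 'Files.Read.All', 'Files.ReadWrite.All', 'Sites.ReadWrite.All',
                 'Directory.AccessAsUser.All')

function Get-ConsentedAppReport {
    # Each grant ties one app (ClientId) to a space-separated scope list and a consent type:
    # 'AllPrincipals' means an admin consented for everyone, 'Principal' means one user did
    $grants  = Get-MgOauth2PermissionGrant -All
    $spCache = @{}
    foreach ($g in $grants) {
        if (-not $spCache.ContainsKey($g.ClientId)) {
            $spCache[$g.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
        }
        $sp      = $spCache[$g.ClientId]
        $scopes  = ($g.Scope -split ' ') | Where-Object { $_ }
        $flagged = $scopes | Where-Object { $riskyScopes -contains $_ }
        [pscustomobject]@{
            App         = $sp.DisplayName
            Publisher   = $sp.PublisherName
            Verified    = [bool]$sp.VerifiedPublisher.DisplayName   # unverified publisher = look harder
            ConsentType = $g.ConsentType
            RiskyScopes = $flagged -join ' '
            AllScopes   = $scopes -join ' '
        }
    }
}

# Show the apps with risky scopes first; anything unrecognised in that list gets removed
Get-ConsentedAppReport | Sort-Object { $_.RiskyScopes.Length } -Descending | Format-Table -AutoSize
```

Pay particular attention to rows where Verified is False and ConsentType is Principal: that's a single user granting an unknown publisher access to their own mailbox, which is exactly what consent phishing looks like.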

Ongoing Maintenance

Review the Secure Score

Microsoft provides a security score with specific recommendations:

  • Security centre > Secure score
  • Review each recommendation
  • Implement what makes sense for your business

Don’t aim for 100% - some recommendations might not apply to you. But if you’re below 50%, you’ve got work to do.

Enable Alerts

Set up alerts for suspicious activity:

  • Security & Compliance centre > Alerts > Alert policies
  • Enable notifications for impossible travel, suspicious inbox rules, malware detection

Decide who receives alerts and how quickly they’ll respond.

Schedule Quarterly Reviews

Every three months, review:

  • Who has admin access (still needed?)
  • Which third-party apps have permissions
  • Any unusual activity in audit logs
  • Updated recommendations in Secure Score

If You Need Help

This checklist covers the essentials, but Microsoft 365 security can go deeper. If you need help:

  • Microsoft publishes excellent documentation at docs.microsoft.com
  • Consider a Microsoft 365 security assessment from a qualified partner
  • For complex environments, working with AI consultants Sydney or similar specialists can help automate monitoring and response

The defaults are a starting point, not a finish line. Every setting you tighten makes an attacker’s job harder.

Your business runs on Microsoft 365. Secure it like it matters.