
    Microsoft 365 Security Checklist for Small Businesses

    Venterprise MSP · Published June 19, 2026 · 8 min read

    Microsoft 365 ships with many security features that are not enabled by default. This checklist covers the settings that matter most for small businesses — starting with multi-factor authentication and working through email security, device management, audit logging, and regular review tasks.

    A Microsoft 365 subscription gives your business access to a substantial set of security controls — but most of them require deliberate configuration to activate. The default settings in a new M365 tenant are designed for accessibility, not security. That means a business that activates M365 and starts using it without configuring security settings is more exposed than the product's reputation might suggest.

    This checklist covers the settings with the highest practical impact for small businesses. It is organized from most critical to least critical. If you are starting from scratch, work through the sections in order.

    Start Here: Multi-Factor Authentication

    If you implement nothing else on this checklist, implement multi-factor authentication. The majority of account compromise incidents in M365 environments involve stolen or guessed passwords. MFA makes a stolen password insufficient on its own — the attacker also needs access to the second factor, which is typically a phone-based authentication app.

    • Enable MFA for all users — not just administrators. User accounts are regularly targeted because they tend to have weaker passwords and less scrutiny than admin accounts.
    • Use an authenticator app (such as Microsoft Authenticator) rather than SMS codes where possible. SMS-based MFA is better than no MFA, but it is vulnerable to SIM-swapping and, like a plain "approve" push prompt, can be phished in real time; Microsoft Authenticator's number matching on push prompts blunts the approve-everything habit attackers rely on. Phishing-resistant methods (FIDO2 security keys or passkeys) are the strongest choice for admin accounts.
    • Disable the option for users to skip MFA enrollment — set an enrollment deadline and enforce it.
    • Review which users have not registered an MFA method. The legacy per-user MFA page in the Microsoft 365 admin center (Users > Active users > Multi-factor authentication) shows "Disabled" for anyone whose MFA is enforced through Security Defaults or Conditional Access, so it understates coverage; use the User registration details report under Authentication methods in the Entra admin center instead, and confirm the list of unregistered users is empty or limited to documented exceptions.
    • Enable Security Defaults in the Entra ID admin center if you are not using Conditional Access policies. Security Defaults require every user to register for MFA, always enforce it for administrators, and block legacy authentication protocols. Security Defaults and Conditional Access cannot both be on; M365 Business Premium includes Entra ID P1, so Conditional Access is available if you want finer control, but then Security Defaults must be turned off and its protections (MFA for all, legacy-auth block) rebuilt as policies.

    Secure Your Admin Accounts

    Administrator accounts have the ability to change security settings, read all email, and delete data across your tenant. They require additional controls beyond standard user accounts.

    • Create dedicated admin accounts that are separate from day-to-day user accounts. Do not use the same account for email and for administrative tasks.
    • Ensure all admin accounts have MFA enforced — check this under Roles > Role Assignments in the admin center.
    • Confirm that your Global Administrator role has no more users assigned than necessary. For most small businesses, one to two Global Admin accounts is sufficient.
    • Enable Privileged Identity Management (PIM) if your subscription includes it. PIM requires Entra ID P2 (included in M365 E5, not in Business Premium). With PIM, admin roles are held as eligible and activated just in time for a limited window rather than as standing access.
    • Review the full list of admin role assignments quarterly and remove any that are no longer needed.
    • Ensure your break-glass emergency access account exists, is cloud-only (not federated or synced), is excluded from Conditional Access policies so an MFA or identity-provider outage cannot lock you out of the tenant, has a long random password stored securely offline, and is tested annually. Because it bypasses your normal MFA controls, treat any sign-in to it as an incident: alert on it and review it immediately.
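    The MFA and admin-account checks above can be scripted against Microsoft Graph instead of being clicked through in the portals. The following is an added example (not part of the original article) using the Microsoft Graph PowerShell SDK; it assumes the module is installed and that you sign in with a role able to read the authentication methods report and directory roles (Global Reader is enough). The role template ID used for Global Administrator is Microsoft's well-known value.

```powershell
# Added example: identity posture check for a small M365 tenant.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# Sign in as a user who can read reports and directory roles (e.g. Global Reader).
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All',
                        'UserAuthenticationMethod.Read.All',
                        'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

# 1. Security Defaults state. Only relevant when you are not using
#    Conditional Access; the two cannot be enabled at the same time.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($sd.IsEnabled)"

# 2. Registration report for every user, indexed by user object ID. This
#    reflects what each user has actually registered, unlike the legacy
#    per-user MFA page, which shows 'Disabled' for users enforced through
#    Security Defaults or Conditional Access.
$report = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $report[$_.Id] = $_ }

Write-Host "`nMember accounts with no MFA method registered:"
$report.Values |
    Where-Object { $_.UserType -eq 'member' -and -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object UserPrincipalName | Format-Table -AutoSize

# 3. Who holds Global Administrator, and is each of them MFA-registered?
#    62e90394-69f5-4237-9190-012177145e10 is the Global Administrator role
#    template ID. Get-MgDirectoryRole lists only active assignments; PIM
#    'eligible' assignments do not appear here.
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
Write-Host "`nGlobal Administrator members:"
Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    $upn = $_.AdditionalProperties['userPrincipalName']
    $reg = $report[$_.Id]
    [pscustomobject]@{
        UserPrincipalName = if ($upn) { $upn } else { "<non-user object $($_.Id)>" }
        MfaRegistered     = if ($reg) { $reg.IsMfaRegistered } else { 'n/a' }
        Methods           = if ($reg) { $reg.MethodsRegistered -join ',' } else { '' }
    }
} | Format-Table -AutoSize
```

    Expect the break-glass account to appear in the "no MFA registered" list; that is the one documented exception the checklist allows. Any other entry, and any Global Administrator row with MfaRegistered equal to False, is a finding to fix before moving on.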

    Email Security Settings

    Email is the most common entry point for phishing, business email compromise, and malware delivery. The following settings are available in Microsoft Defender for Office 365 (included in M365 Business Premium and available as an add-on for other plans).

    • Enable anti-phishing policies — configure impersonation protection for your domain and key personnel (CEO, finance, HR).
    • Enable Safe Attachments — this routes attachments through a sandbox environment before delivery to the recipient.
    • Enable Safe Links — this rewrites URLs in emails and documents and checks them at click time against Microsoft's threat intelligence.
    • Review your anti-spam policies and confirm that the quarantine is monitored — messages held in quarantine that go unreviewed can cause missed communications.
    • Enable DKIM signing for your domain — this cryptographically signs outbound emails and improves deliverability and spoofing resistance.
    • Verify DMARC is configured for your domain — a DMARC policy tells receiving mail servers how to handle emails that fail SPF and DKIM checks.
    • Disable automatic email forwarding to external addresses at the tenant level: in the Defender portal, set the default anti-spam outbound policy's automatic forwarding option to Off. Many business email compromise attacks configure automatic forwarding rules once an account is compromised, so that the attacker keeps receiving mail even after the password is reset.
    • Review external email forwarding rules on individual accounts periodically — these are sometimes configured by attackers after an account compromise.
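    The forwarding controls and the forwarding review above, plus a quick DKIM/DMARC status check, can be done from the Exchange Online PowerShell module. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, that you hold an Exchange administrator role, and that you are running on Windows (Resolve-DnsName is part of the Windows DnsClient module). The two Set-* lines change tenant configuration; the rest is read-only.

```powershell
# Added example: tenant-wide forwarding controls and a forwarding audit.
# Requires: Install-Module ExchangeOnlineManagement -Scope CurrentUser
Connect-ExchangeOnline -ShowBanner:$false

# --- Block automatic forwarding to external addresses at the tenant level ---
# The outbound spam filter policy is the supported control; 'Off' blocks
# auto-forwarding from both mailbox settings and inbox rules.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# Older control on the default remote domain; set it too for consistency.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# --- Audit: mailbox-level forwarding (set by admins or via OWA settings) ---
Write-Host "Mailboxes with forwarding configured:"
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward | Format-Table -AutoSize

# --- Audit: inbox rules that forward or redirect outside the tenant ---
# Rule targets are strings of the form '"Jane" [SMTP:jane@example.net]';
# extract the address and compare its domain with the accepted domains.
$accepted = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLower() }
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $external = foreach ($t in $targets) {
                if ("$t" -match 'SMTP:([^\]\s]+)') {
                    $addr = $Matches[1]
                    if ($accepted -notcontains $addr.Split('@')[-1].ToLower()) { $addr }
                }
            }
            if ($external) {
                [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Rule     = $_.Name
                    Enabled  = $_.Enabled
                    External = $external -join ';'
                }
            }
        }
}
Write-Host "Inbox rules forwarding externally:"
$findings | Format-Table -AutoSize

# --- DKIM and DMARC ---
# Get-DkimSigningConfig shows which domains sign outbound mail. Enabling a
# domain requires its two selector CNAMEs to be published in DNS first.
Get-DkimSigningConfig | Select-Object Domain, Enabled, Status | Format-Table -AutoSize
# DMARC lives in DNS, not in the tenant; the onmicrosoft.com domain is skipped.
foreach ($d in ($accepted | Where-Object { $_ -notlike '*.onmicrosoft.com' })) {
    $txt = Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object Strings | ForEach-Object { $_.Strings -join '' }
    Write-Host ("DMARC for {0}: {1}" -f $d, $(if ($txt) { $txt } else { 'MISSING' }))
}
```

    A rule that forwards to a personal address of the same employee is still a finding: it leaks company mail to an account you do not control, and it is indistinguishable from an attacker's rule until you ask. Disabling the rule (Disable-InboxRule) rather than deleting it preserves evidence if the account turns out to be compromised.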

    Data and File Storage

    • Review SharePoint site external sharing settings — confirm that external sharing is limited to known domains or disabled unless your business requires it.
    • Review OneDrive external sharing settings for individual users.
    • Disable anonymous sharing links by default — require authenticated access for any shared content.
    • Configure a retention policy for email and documents if your business has legal, regulatory, or operational requirements for data preservation.
    • Review the list of Microsoft 365 Groups and Teams to confirm there are no unmanaged external guests with access to company data.
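    The SharePoint and OneDrive sharing settings above map directly onto the SharePoint Online Management Shell. The block below is an added example (not from the original article); it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that "contoso" stands in for your tenant name, and that "partner.example" is a placeholder for a domain you actually share with. The Set-SPOTenant line changes tenant configuration.

```powershell
# Added example: review and tighten SharePoint/OneDrive external sharing.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell
# Replace 'contoso' with your tenant name.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Current tenant-wide posture.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission,
    SharingDomainRestrictionMode, SharingAllowedDomainList,
    RequireAnonymousLinksExpireInDays | Format-List

# Tighten: no anonymous 'Anyone' links, new links default to people inside
# the organisation with view permission, and external sharing limited to an
# allow list of partner domains. 'partner.example' is a placeholder.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example'

# A site can be more restrictive than the tenant setting but never more
# permissive. List every site that still allows external sharing at all.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Template | Format-Table -AutoSize

# OneDrive personal sites are not returned by default; ask for them explicitly.
Get-SPOSite -IncludePersonalSite $true -Template 'SPSPERS' -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Owner, SharingCapability | Format-Table -AutoSize
```

    Switching SharingCapability away from anonymous access invalidates existing "Anyone" links, so tell users before you flip it; the ones who relied on such links will otherwise report broken shares the next morning.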

    Device Management

    Microsoft Intune is included in M365 Business Premium and provides device management and compliance policy enforcement. Even basic Intune configuration significantly improves your security posture.

    • Enroll company-owned Windows devices in Intune for centralized management and policy enforcement.
    • Configure a baseline compliance policy — at minimum, require a PIN or password, encryption, and a current OS version.
    • Configure conditional access to require a compliant device for access to M365 services.
    • Enable Windows Autopilot for new device provisioning if you are deploying multiple devices.
    • Configure mobile device management for iOS and Android devices if employees use personal phones for work email or Teams.
    • Review device compliance status in the Intune admin center and remediate non-compliant devices.

    Monitoring and Audit Logs

    • Confirm that audit logging is enabled in the Microsoft Purview compliance portal. Audit logging is not enabled by default in all configurations.
    • Review the audit log retention period. Audit (Standard), which Business Premium includes, retains 180 days (it was 90 days until late 2023); Audit (Premium), included in E5, retains one year by default. If your business requires longer retention, export the logs to external storage or a SIEM rather than relying on the portal.
    • Set up alerts for high-risk activities: impossible travel, bulk mail deletion, admin role assignment changes, and external email forwarding rule creation.
    • Review the sign-in logs in the Entra ID admin center periodically to identify unusual locations or failed login patterns.
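    Two of the checks above, confirming that the unified audit log is on and looking for forwarding-rule creation and admin role changes, can be run from Exchange Online PowerShell against the unified audit log itself. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module and an account permitted to search the audit log (a role carrying View-Only Audit Logs). The operation names are the ones the unified audit log records for those events.

```powershell
# Added example: confirm audit ingestion and hunt for the activities listed
# above in the unified audit log. Requires ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log is OFF; enabling. Events start flowing after a delay.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$end   = Get-Date
$start = $end.AddDays(-7)
# Operations of interest: inbox-rule creation/changes (forwarding lives here),
# mailbox forwarding set via Set-Mailbox, and directory role membership changes.
$ops = 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox',
       'Add member to role.', 'Remove member from role.'

# ReturnLargeSet with ResultSize 5000 fetches the first page; for busier
# tenants loop on -SessionId until no more records are returned.
$raw = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
           -ResultSize 5000 -SessionCommand ReturnLargeSet

$raw | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    # Exchange cmdlet events carry their parameters as Name/Value pairs.
    $params = if ($d.Parameters) {
        ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    } else { '' }
    # Set-Mailbox is noisy; keep it only when it touched forwarding.
    if ($d.Operation -eq 'Set-Mailbox' -and $params -notmatch 'Forwarding') { return }
    [pscustomobject]@{
        Time      = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId      # who performed the action
        Target    = $d.ObjectId    # mailbox or user acted upon
        ClientIP  = $d.ClientIP
        Detail    = $params
    }
} | Sort-Object Time | Format-Table -AutoSize -Wrap
```

    The useful question for each row is whether the actor, the target and the client IP make sense together: a user creating a rule on their own mailbox from an unfamiliar country, or an admin role granted by an account that should not hold Global Administrator, is exactly the pattern the alerts in this section are meant to catch.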

    Third-Party App Permissions

    Third-party applications that connect to Microsoft 365 through OAuth are granted permissions to read or modify data. Over time, many organizations accumulate app permissions that are no longer needed or were granted by individual users without IT oversight.

    • Review the list of enterprise applications with access to your tenant under Entra ID > Enterprise Applications.
    • Remove any applications that are no longer in use or that have excessive permissions for their stated purpose.
    • Configure a user consent policy that requires admin approval for new OAuth applications before users can grant them access.
    • Document which third-party applications have access to company data and what permissions they hold.
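    The application inventory and the consent policy above can be handled in one pass with the Microsoft Graph PowerShell SDK. The block below is an added example, not code from the original article; it assumes the module is installed, a Global Administrator sign-in for the two policy changes, and that the "risky scope" list and the reviewer object ID are placeholders you adapt to your tenant. It covers delegated (OAuth2) grants; application-permission assignments are listed separately with Get-MgServicePrincipalAppRoleAssignment.

```powershell
# Added example: inventory OAuth grants and require admin approval for new ones.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All',
                        'Policy.ReadWrite.Authorization',
                        'Policy.ReadWrite.ConsentRequest' -NoWelcome

# Index service principals so grants can be resolved to an app name/publisher.
$sp = @{}
Get-MgServicePrincipal -All -Property Id, DisplayName, PublisherName, AppId |
    ForEach-Object { $sp[$_.Id] = $_ }

# Delegated permission grants. ConsentType 'AllPrincipals' means an admin
# consented for everyone; 'Principal' means one user consented for themselves.
$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $app = $sp[$_.ClientId]
    [pscustomobject]@{
        App         = $app.DisplayName
        Publisher   = $app.PublisherName   # empty for unverified publishers
        ConsentType = $_.ConsentType
        Scope       = $_.Scope.Trim()
        GrantId     = $_.Id
    }
}
$grants | Sort-Object App | Format-Table -AutoSize -Wrap

# Flag grants carrying high-impact delegated scopes (illustrative list).
$risky = 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
         'Files.ReadWrite.All', 'Sites.ReadWrite.All', 'Directory.ReadWrite.All'
$grants |
    Where-Object { @($_.Scope -split ' ' | Where-Object { $risky -contains $_ }).Count -gt 0 } |
    Format-Table App, Publisher, ConsentType, Scope -AutoSize -Wrap

# Revoke one grant flagged above (the app stays registered; its access goes):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId>'

# Turn off end-user consent so every new app needs an admin ...
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}
# ... and enable the admin consent request workflow so users can ask instead
# of being silently blocked. '<reviewer-object-id>' is a placeholder for the
# object ID of the admin who reviews requests.
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -NotifyReviewers:$true `
    -RemindersEnabled:$true -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = '/users/<reviewer-object-id>'; QueryType = 'MicrosoftGraph' })
```

    If blocking all user consent is too disruptive, the middle ground is to set PermissionGrantPoliciesAssigned to "ManagePermissionGrantsForSelf.microsoft-user-default-low", which lets users self-consent only to low-risk scopes from verified publishers and routes everything else through the approval workflow.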

    Regular Review Tasks

    Security configuration is not a one-time task. The following should be reviewed on a regular schedule:

    1. Monthly: Review the list of active users and disable any accounts for departed employees.
    2. Monthly: Review admin role assignments and remove any that are no longer needed.
    3. Quarterly: Review external sharing settings and guest access in Teams and SharePoint.
    4. Quarterly: Review third-party application permissions.
    5. Quarterly: Review conditional access policies and confirm they are functioning as intended.
    6. Annually: Test your backup and recovery procedures for M365 data (note that Microsoft does not guarantee recovery of deleted data beyond the recycle bin retention period; a third-party backup is recommended for full protection).
    7. Annually: Conduct a full review of all security settings against Microsoft's Secure Score recommendations.

    Microsoft Secure Score (available in the Microsoft Defender portal) gives your tenant a score based on implemented security controls and recommends specific improvements. It is a useful starting point for identifying gaps and tracking progress.

    Venterprise MSP provides Microsoft 365 administration as part of managed IT services for businesses in Florida, Alabama, and Georgia. If you want a review of your current M365 security configuration or help implementing any of the settings in this checklist, we can walk through your tenant without a long-term commitment.

    Ready to Talk Through Your IT Environment?

    Venterprise MSP serves businesses throughout Florida, Alabama, and Georgia. Schedule a 15-minute call — no commitment required.