
Microsoft 365 security settings every small firm should turn on today

Microsoft 365 Business Premium ships with serious security tools turned off by default. This prioritized checklist covers the highest-impact configuration changes an office manager can make today—no enterprise license required.

Elevate Solutions
June 27, 2026 · 4 min read

Most small firms in regulated industries are running Microsoft 365 Business Premium on the settings it shipped with. Those defaults are built for quick setup, not security. No one has enabled MFA. No one has touched the email filtering policies. The Windows laptops are running antivirus software, not managed endpoint protection.

Business Premium includes identity, email, and device protections that most small firms never activate after initial setup. Enabling security defaults, applying Defender for Office 365 preset policies, activating Defender for Business, and enrolling Windows devices in basic management closes the most common attack paths without requiring a dedicated IT team or an enterprise license.

The steps below are ordered by impact. Complete them in sequence. Each one builds on the last.

What your default configuration leaves exposed

Out of the box, Business Premium does not require multi-factor authentication, does not block legacy authentication protocols, does not apply endpoint protection policies to Windows devices, and does not enforce Safe Links or Safe Attachments on email. An attacker who obtains a single password faces almost no additional friction. That is the gap this checklist closes.

Step 1: Enable security defaults

Security defaults are a single toggle in the Microsoft Entra admin center. When enabled, they require every user to register for multi-factor authentication, enforce MFA at sign-in when suspicious activity is detected, and block older authentication protocols—such as basic SMTP auth—that cannot process MFA challenges at all.

This single change eliminates the majority of credential-based attacks. It is included in every Business Premium subscription. Enable it before making any other configuration change.

Where: Microsoft Entra admin center → Identity → Properties → Manage security defaults.

When should I use Conditional Access instead of security defaults?

Security defaults and Conditional Access policies cannot run simultaneously. Security defaults are the right choice for firms without IT support because they require no ongoing management and no policy design. Conditional Access is appropriate when you need more control—requiring MFA only outside the office network, blocking sign-ins from specific countries, or applying different rules to different user groups.

If you move to Conditional Access, disable security defaults first, then create at minimum a policy requiring MFA for all users on all cloud apps. Business Premium includes the Azure Active Directory P1 license Conditional Access requires.
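The toggle described in Step 1, and the migration order described just above, can be checked and carried out from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original article or from Microsoft: it reads the current security-defaults state and, only when you have decided to move to Conditional Access, switches defaults off and then creates the tenant-wide MFA policy the article calls for. It assumes the Microsoft.Graph module is installed, and the break-glass account object ID is a placeholder you must replace; excluding an emergency-access account from the policy is what keeps one mistake in a new policy from locking every admin out.

```powershell
# Added example, not from the original article: read the security-defaults state and,
# if migrating, follow the article's order (disable defaults, then create the MFA policy).
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# PLACEHOLDER: object ID of your emergency-access ("break-glass") account, excluded from
# the policy so a misconfigured rule cannot lock every administrator out.
$BreakGlassObjectId = '00000000-0000-0000-0000-000000000000'
$MigrateToConditionalAccess = $false   # flip to $true only once you have decided to migrate

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome

# Step 1 check: is the single security-defaults toggle on?
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

if ($MigrateToConditionalAccess) {
    $policyName = 'Baseline: Require MFA for all users'
    $policy = @{
        displayName   = $policyName
        # 'enabledForReportingButNotEnforced' only previews impact in the sign-in logs;
        # it enforces nothing, so the baseline goes straight to 'enabled'.
        state         = 'enabled'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassObjectId) }
            applications = @{ includeApplications = @('All') }   # all cloud apps
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }

    # Security defaults and Conditional Access are mutually exclusive, so defaults are
    # switched off first and the policy is created immediately afterwards to keep the
    # window without MFA as short as possible.
    if ($defaults.IsEnabled) {
        Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false
        'Security defaults disabled.'
    }
    if (-not (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'")) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null
        "Created Conditional Access policy '$policyName' (enforced)."
    }
}
```

Run it once with `$MigrateToConditionalAccess` left at `$false` to confirm the defaults toggle is on; that is the whole of Step 1. Sign in to the break-glass account and store its credentials offline before flipping the switch, since it is the one account the new policy does not cover.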

Step 2: Apply Defender for Office 365 preset security policies

Defender for Office 365 Plan 1 is bundled with Business Premium. Its two most important controls are Safe Links, which re-checks URLs in emails and documents at click time, and Safe Attachments, which detonates suspicious files in an isolated environment before the message is delivered to the inbox.

Rather than building custom policies, apply Microsoft's Standard preset security policy. It activates recommended settings across both controls in a single step and requires no ongoing tuning to provide meaningful protection.

Where: Microsoft 365 Defender portal → Email & collaboration → Policies & rules → Threat policies → Preset security policies.
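Applying the preset in the portal is one click, but it is worth confirming afterwards that both halves of it are enabled and cover everyone. The script below is an added example, not from the original article, written for the ExchangeOnlineManagement module: it checks the two rules the Standard preset creates, lists the Safe Links and Safe Attachments policies, and, as a follow-up to the legacy-authentication point in Step 1, reports whether SMTP AUTH is switched off tenant-wide. It assumes the module is installed and that you sign in as an Exchange administrator.

```powershell
# Added example, not from the original article: verify the Standard preset security policy
# and the tenant-wide SMTP AUTH setting from Exchange Online PowerShell.
# Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

function Test-PresetRule {
    # The preset is implemented as two rules: one for the EOP layer (anti-spam,
    # anti-phishing, anti-malware) and one for the Defender for Office 365 layer
    # (Safe Links, Safe Attachments). Both must exist and be enabled.
    param([string]$Layer, $Rule)
    if (-not $Rule) { return "$Layer : Standard preset NOT applied" }
    # A rule with no recipient conditions applies to everyone in the tenant.
    $scoped = $Rule.SentTo -or $Rule.SentToMemberOf -or $Rule.RecipientDomainIs
    $who = if ($scoped) { 'only a subset of recipients' } else { 'all recipients' }
    "$Layer : $($Rule.State), covers $who"
}

$name = 'Standard Preset Security Policy'
Test-PresetRule 'EOP layer     ' (Get-EOPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue)
Test-PresetRule 'Defender layer' (Get-ATPProtectionPolicyRule -Identity $name -ErrorAction SilentlyContinue)

# Policies the preset manages; any custom policies show up here as well.
Get-SafeLinksPolicy      | Format-Table Name, EnableSafeLinksForEmail, EnableSafeLinksForOffice, TrackClicks -AutoSize
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action -AutoSize

# Step 1 follow-up: security defaults block legacy protocols at sign-in, but SMTP AUTH can
# also be turned off for the whole tenant so no mailbox accepts basic authentication.
$smtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled
"Tenant-wide SMTP AUTH disabled: $smtpAuthDisabled"
if (-not $smtpAuthDisabled) { 'To close it: Set-TransportConfig -SmtpClientAuthenticationDisabled $true' }
```

If either preset rule reports "Disabled" or "only a subset of recipients", the portal applied the preset to a pilot group or it was paused; reopen the preset and set it to all recipients. A multifunction printer or line-of-business app that still relays mail over SMTP AUTH will stop working when the tenant-wide switch is flipped, so inventory those senders first.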

Step 3: Activate Defender for Business on Windows endpoints

Defender for Business is a managed endpoint security product included in Business Premium. It is meaningfully different from the Windows Defender that runs on an unmanaged device: it adds threat and vulnerability management, automated investigation and remediation, and a unified console where you can see the security posture of every enrolled device from one screen.

Most Windows devices can be onboarded by running a single script downloaded from the admin portal. The portal includes a step-by-step onboarding wizard.

Where: Microsoft 365 Defender portal → Assets → Devices → Onboard devices.

Step 4: Enroll Windows devices in basic Intune management

Microsoft Intune is included in Business Premium. It lets you push security baselines to Windows devices—disk encryption, screen-lock requirements, firewall configuration—from a browser-based console without touching each machine individually. The Microsoft 365 admin center includes a simplified device setup wizard designed for firms without dedicated IT staff.

Completing basic enrollment for a small team typically takes under two hours and immediately adds control over lost or stolen hardware.

Where: Microsoft 365 admin center → Devices → Windows devices.
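Once devices are enrolled, the value of Intune for lost or stolen hardware depends on each device actually being encrypted, compliant, and still checking in. The script below is an added example, not from the original article: it pulls every Windows device Intune manages through the Microsoft Graph PowerShell SDK and flags the ones that fall short. It assumes the Microsoft.Graph module is installed and that the signed-in account can read managed devices; the 14-day staleness threshold is an assumption you can tune.

```powershell
# Added example, not from the original article: audit Intune-enrolled Windows devices for
# missing disk encryption, non-compliance and stale check-ins.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

$staleAfterDays = 14                         # assumption: a laptop silent this long needs a look
$staleBefore    = (Get-Date).AddDays(-$staleAfterDays)

$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All

$report = foreach ($d in $devices) {
    $issues = @()
    if (-not $d.IsEncrypted)                { $issues += 'disk not encrypted' }
    if ($d.ComplianceState -ne 'compliant') { $issues += "compliance=$($d.ComplianceState)" }
    if ($d.LastSyncDateTime -lt $staleBefore) { $issues += "no check-in for $staleAfterDays+ days" }
    [pscustomobject]@{
        Device   = $d.DeviceName
        User     = $d.UserPrincipalName
        OS       = $d.OSVersion
        LastSync = $d.LastSyncDateTime
        Issues   = ($issues -join '; ')
    }
}

# Devices with problems sort to the top; an empty Issues column means nothing to do.
$report | Sort-Object Issues -Descending | Format-Table -AutoSize
$needAttention = @($report | Where-Object { $_.Issues }).Count
"$(@($devices).Count) Windows devices enrolled; $needAttention need attention."
```

A device that is "not compliant" for an encryption reason is the one to chase first: until BitLocker finishes, a remote wipe is the only protection the data on that laptop has. A device that has not checked in for weeks may simply be a spare in a drawer, but it may also be one that has already walked out the door.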

Step 5: Review your Secure Score weekly

Microsoft Secure Score, available in the Microsoft 365 Defender portal, measures your tenant configuration against Microsoft's recommended controls and assigns a numeric score. Every open item includes a plain-language description, an impact estimate, and step-by-step remediation instructions. A ten-minute review each week surfaces gaps before they reach a client, a regulator, or a courtroom.

Where: Microsoft 365 Defender portal → Secure score.
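The weekly review can be scripted so that it shows the same three things each time: the current score, the controls worth the most points that are still open, and how the score moved since last week. The script below is an added example, not from the original article: it reads the latest Secure Score snapshot and the control profiles from Microsoft Graph and keeps a small local history file between runs. It assumes the Microsoft.Graph module is installed; the history file name is an assumption.

```powershell
# Added example, not from the original article: weekly Secure Score review from PowerShell.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# The newest daily snapshot of the tenant's score.
$latest = Get-MgSecuritySecureScore -Top 1
"Secure Score: $($latest.CurrentScore) / $($latest.MaxScore) (snapshot $($latest.CreatedDateTime))"

# Control profiles carry the title, maximum points and remediation link for each control.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

# Open items: any control scoring below its maximum, ranked by points still available.
$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p) { continue }
    $missing = [double]$p.MaxScore - [double]$c.Score
    if ($missing -gt 0) {
        [pscustomobject]@{
            Control         = $p.Title
            Category        = $c.ControlCategory
            PointsAvailable = $missing
            Fix             = $p.ActionUrl
        }
    }
}
$gaps | Sort-Object PointsAvailable -Descending | Select-Object -First 10 | Format-Table -AutoSize -Wrap

# Week-over-week trend, kept in a local file between reviews (assumed file name).
$history = Join-Path $HOME 'securescore-history.json'
if (Test-Path $history) {
    $prev = Get-Content $history | ConvertFrom-Json
    "Change since last review ($($prev.Date)): $($latest.CurrentScore - $prev.CurrentScore) points"
}
[pscustomobject]@{
    Date         = $latest.CreatedDateTime
    CurrentScore = $latest.CurrentScore
    MaxScore     = $latest.MaxScore
} | ConvertTo-Json | Set-Content $history
```

The top of the gap list is normally the identity controls this article already covers (MFA for all users, blocking legacy authentication), so a score that is not moving after Steps 1 through 4 usually means one of them did not take effect and is worth re-checking before anything new is added.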

If you can only do one thing today

Enable security defaults. Everything else on this list matters, but no other control compensates for unprotected credentials. A firm that enforces MFA and does nothing else is substantially harder to compromise than one that has deployed every other control without it.

Once the steps above are in place, a dedicated team that knows your environment can work through the remaining Secure Score items and add controls appropriate to your specific regulatory obligations—HIPAA, state privacy law, or client security requirements.

Elevate Solutions' security and IT advisory team delivers managed cybersecurity (MDR/MXDR), managed IT, and compliance guidance (HIPAA, SOC 2, PCI DSS) for regulated mid-market firms across Los Angeles.

Reviewed by David Faramarzi · Founder, Elevate Solutions