7 Microsoft 365 Security Settings Every Business Should Enable Today
Microsoft 365 is the backbone of most Canadian businesses: email, file storage, collaboration, and identity management all run through M365. The problem is that most businesses run it with the default settings, which leaves significant security gaps.
We audit Microsoft 365 environments every week at ClayGen, and these are the settings we find disabled or misconfigured most often.
1. Multi-Factor Authentication (MFA)
This is number one for a reason. MFA prevents over 99% of account compromise attacks according to Microsoft's own data. Yet we still find businesses where MFA is only enabled for admins, or not enabled at all.
What to do:
- Enable MFA for all users, not just admins
- Use the Microsoft Authenticator app (not SMS, as SIM swapping is real)
- Consider conditional access policies for extra control
- Set up number matching to prevent MFA fatigue attacks
MFA is now a baseline expectation for cyber insurance underwriting in Canada. Without it, most insurers will decline coverage.
2. Security Defaults (or Conditional Access)
Microsoft offers "Security Defaults," a free, one-click setting that enables a baseline set of security measures. For businesses on Business Premium or E3/E5, Conditional Access policies give you more granular control.
What to do:
- At minimum, enable Security Defaults (Azure AD → Properties → Security Defaults)
- If you have Business Premium or higher, create Conditional Access policies instead
- Block legacy authentication protocols that bypass MFA
3. Mailbox Audit Logging
If someone accesses a mailbox they shouldn't, you need to know about it. Mailbox auditing records who accessed what and when. Microsoft enabled this by default in 2019, but some older tenants still have it turned off.
What to do:
- Verify auditing is enabled at the organization level by running the following in Exchange Online PowerShell (AuditDisabled should be False):
  Get-OrganizationConfig | Select AuditDisabled
- Review audit logs periodically for suspicious access patterns
- Set up alerts for unusual mailbox access
4. Anti-Phishing Policies
Microsoft 365 includes built-in anti-phishing protection, but the default policies are often too permissive. Tightening these policies catches more phishing emails before they reach your users.
What to do:
- Enable impersonation protection for executives and key staff
- Configure mailbox intelligence to detect unusual sending patterns
- Set actions to quarantine (not just add a safety tip) for detected phishing
- Add your domain to the spoof intelligence allow/block list
5. Data Loss Prevention (DLP) Policies
DLP policies prevent sensitive data from leaving your organization via email, Teams, or SharePoint. If you handle credit card numbers, SIN numbers, health records, or financial data, DLP is essential for PIPEDA compliance.
What to do:
- Enable built-in DLP templates for Canadian personal information
- Create policies for credit card numbers, SINs, and health data
- Start with "audit only" mode to avoid blocking legitimate emails
- Review DLP reports monthly and adjust policies
6. External Email Tagging
A simple but effective measure: tag emails from outside your organization so users can immediately see when an email is external. This makes it much harder for attackers to impersonate internal colleagues.
What to do:
- Enable external email tagging in Exchange admin center
- Consider adding a visual banner to external emails
- Train users to be extra cautious with tagged external messages
7. Admin Account Protection
Global admin accounts are the keys to the kingdom. If an attacker compromises a global admin, they own your entire M365 environment.
What to do:
- Create dedicated admin accounts (don't use them for daily email)
- Enable MFA with hardware security keys for admin accounts
- Limit the number of global admins (2-3 maximum)
- Use Privileged Identity Management (PIM) if available on your plan
- Review admin audit logs weekly
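The following read-only PowerShell script is an added example, not part of the original article or ClayGen's tooling. It checks the tenant against several of the items above (mailbox auditing from section 3, Security Defaults, Conditional Access and legacy authentication from section 2, the default anti-phishing policy from section 4, external tagging from section 6, and the global admin count from section 7). It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that you are already connected with Connect-ExchangeOnline and Connect-MgGraph with read-only scopes; the policy name 'Office365 AntiPhish Default' is Microsoft's built-in default policy.

```powershell
# Added example: read-only posture check for the settings discussed in this article.
# Assumes you have already run:
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes "Policy.Read.All","RoleManagement.Read.Directory","Directory.Read.All"
# Nothing here changes configuration; it only reports what needs attention.

$findings = New-Object System.Collections.Generic.List[string]

# 3. Mailbox audit logging: the org-wide switch must not be disabled
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    $findings.Add("Mailbox auditing is disabled org-wide (fix: Set-OrganizationConfig -AuditDisabled `$false)")
}

# 2. Security Defaults or Conditional Access: at least one should be enforcing MFA
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caEnforced  = @(Get-MgIdentityConditionalAccessPolicy | Where-Object State -eq 'enabled')
if (-not $secDefaults.IsEnabled -and $caEnforced.Count -eq 0) {
    $findings.Add("Neither Security Defaults nor any enabled Conditional Access policy is in place")
}

# 2. Legacy authentication: the default authentication policy should block all Basic auth
if (-not $org.DefaultAuthenticationPolicy) {
    $findings.Add("No default authentication policy set; legacy (Basic) auth is not blocked tenant-wide")
} else {
    $authPol = Get-AuthenticationPolicy -Identity $org.DefaultAuthenticationPolicy
    # Collect every AllowBasicAuth* property that is still $true (objects from EXO are deserialized, so use Properties)
    $basicAllowed = ($authPol | Get-Member -MemberType Properties -Name 'AllowBasicAuth*' |
        Where-Object { $authPol.($_.Name) -eq $true }).Name
    if ($basicAllowed) { $findings.Add("Basic auth still allowed for: $($basicAllowed -join ', ')") }
}

# 4. Anti-phishing: default policy should use mailbox intelligence and quarantine impersonation
$phish = Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default'
if (-not $phish.EnableMailboxIntelligence) { $findings.Add("Mailbox intelligence is off in the default anti-phish policy") }
if ($phish.TargetedUserProtectionAction -ne 'Quarantine') {
    $findings.Add("Targeted user impersonation action is '$($phish.TargetedUserProtectionAction)', not Quarantine")
}

# 6. External email tagging in Outlook
$ext = Get-ExternalInOutlook
if (-not ($ext | Where-Object Enabled)) {
    $findings.Add("External sender tagging is not enabled (fix: Set-ExternalInOutlook -Enabled `$true)")
}

# 7. Global admin count: the article recommends 2-3 at most
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
if ($members.Count -gt 3) { $findings.Add("$($members.Count) Global Administrators assigned (target: 2-3)") }

if ($findings.Count -eq 0) { "No gaps found for the checks in this script." }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each finding names the cmdlet that would remediate it, but the script itself only reads configuration, so it is safe to run against a production tenant before a change window.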
How to Check Your Score
Microsoft provides a free tool called Secure Score that grades your M365 security configuration. You can find it in the Microsoft 365 Defender portal. Most businesses we audit score between 30% and 50% on their first check. After implementing these seven settings, that score typically jumps to 70-80%.
Need Help?
Configuring these settings correctly matters. Misconfigured MFA or overly aggressive DLP policies can lock out users or block legitimate business email. At ClayGen, we configure and manage Microsoft 365 security for Ontario businesses as part of our managed IT services. Contact us for a free M365 security review.
For the broader view of this topic, see our complete Microsoft 365 management guide.