Microsoft 365 does not arrive locked down. The subscription hands you strong security tools, and most of them sit switched off or half-configured until someone turns them on. The seven settings below close the gaps attackers use most, and almost all of them cost nothing beyond the license you already pay for. Work through them in order. The first two stop the majority of account break-ins on their own.
1. Turn on MFA for every user, not just admins
Microsoft now requires multi-factor authentication to reach the admin center, with full enforcement live as of February 9, 2026. No administrator signs in without it. That is only the floor. Attackers do not stop at administrators, and a single standard mailbox is enough to send invoice fraud under a name your customers trust. Turn MFA on for everyone. The fastest route for a small team is Security Defaults in the Microsoft Entra admin center, which switches on app-based MFA for all users in a few clicks. If you need exceptions or finer control, Conditional Access policies do the same job with more precision. Either way, give staff a couple of weeks to register the Microsoft Authenticator app before you enforce, and set aside two emergency admin accounts so nobody gets locked out.
2. Block legacy authentication
MFA only helps if attackers cannot walk around it. Old email protocols like POP3, IMAP, and SMTP AUTH predate modern sign-in and cannot prompt for a second factor. Someone with a stolen password can connect through one of them from anywhere in the world and never see an MFA screen. Security Defaults blocks legacy authentication for you. If you run Conditional Access instead, add a policy that blocks it and disable the unused protocols in Exchange Online. Check your sign-in logs first for anything still speaking the old protocols, usually a copier that scans to email or an aging line-of-business app, and update it before you flip the switch.
3. Cut down your Global Admin accounts
Every Global Administrator account is a master key to your tenant: users, licenses, security settings, and data. The more keys you hand out, the bigger your target. Keep the count small, a handful at most, and give each administrator a separate account for admin work. Do your daily email and browsing from a standard account, and save the admin login for admin tasks. If one of those everyday accounts gets phished, the attacker lands on a standard mailbox instead of the controls for your whole company.
4. Turn on Safe Links and Safe Attachments
Business Premium and the standalone Defender for Office 365 include two filters that many tenants never switch on. Safe Attachments opens incoming files in an isolated sandbox and checks them for malware before they reach a mailbox. Safe Links rewrites the URLs in email and Office documents so each link is scanned at the moment someone clicks, which catches sites that looked clean when the message first arrived. Both stop threats the standard spam filter waves through. If your plan includes them, open the Defender portal and turn them on.
5. Lock down external file sharing
Out of the box, SharePoint and OneDrive let people share files with anyone, sometimes through links that need no sign-in at all. That feels convenient, and it is how sensitive documents quietly end up public. Set sharing to require a sign-in, limit or turn off anonymous "anyone" links, and review who your team has already shared with. You can still work with outside partners. You just do it through links tied to a real identity you can revoke later.
6. Stop spoofing with SPF, DKIM, and DMARC
These three DNS records tell the rest of the internet which servers are allowed to send email using your domain. Without them, a scammer can forge messages that look like they came from your company, and receiving systems have no clean way to reject the fakes. SPF lists your legitimate senders, DKIM signs your outgoing mail, and DMARC tells other providers what to do with anything that fails the first two. Set all three, confirm your real mail still passes, then move DMARC to an enforcement policy. It protects your customers and your reputation as much as your own inbox.
7. Turn on audit logging and watch for sneaky inbox rules
When an account is compromised, one of the first moves is a hidden mailbox rule that forwards or deletes incoming mail so the real owner never sees the fraud in progress. Turn on audit logging so those actions get recorded, and set alerts for new forwarding rules and unusual sign-ins. Then actually read the alerts. Microsoft Secure Score, in the same admin area, grades your tenant against these controls and gives you a running checklist of what is still open, which makes a useful monthly review for whoever owns your IT.
None of this needs new software or a bigger plan. It needs someone to sit down, work through each setting, confirm it holds, and check it again as Microsoft keeps changing the defaults underneath you. That last part is the catch. The defaults move, and a setting that was safe last year can quietly reopen.
Want your Microsoft 365 locked down properly?
Book a free 30-minute assessment with a local Collin County engineer. We'll review your tenant settings and show you exactly where the gaps are, whether or not you hire us.
Book an assessment →