Multi-factor authentication
If a setting deserves your attention today, this is the one. A password alone gives an attacker everything once they guess it or buy it from a breach dump. Multi-factor authentication adds a second layer of security, usually a tap on your phone, so a stolen password becomes close to useless. You can turn it on through security defaults in a few minutes or control it more precisely with Conditional Access. Either way, leaving it off is the single biggest mistake I see.
Legacy authentication
Older mail protocols predate modern sign-in protections and cannot enforce multi-factor authentication at all. Attackers love them for exactly that reason: a password stolen from a breach dump works on these old paths even when you have turned MFA on everywhere else, so they slip past the protection you think you have. Blocking legacy authentication closes that side door, and most businesses have nothing left that still relies on it.
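As an added example (not part of the original article and not Microsoft's own documentation), here is how blocking legacy authentication looks as a Conditional Access policy created with the Microsoft Graph PowerShell module. It creates the policy in report-only mode, so you can check the sign-in log for anything that would have been blocked before switching it to enforced. The policy name and the emergency-access account exclusion are placeholders you would replace; the policy itself requires a licence that includes Conditional Access, such as Microsoft 365 Business Premium.

```powershell
# Added example, not code from the article. Creates a Conditional Access policy
# that blocks legacy authentication clients for all users, in report-only mode.
# Assumes the Microsoft.Graph PowerShell module is installed and you can consent
# to the Policy.ReadWrite.ConditionalAccess scope.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block legacy authentication (report-only)"   # placeholder name
    state       = "enabledForReportingButNotEnforced"           # change to "enabled" after reviewing the sign-in log
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Keep at least one break-glass account out of every blocking policy so a
            # mistake cannot lock everybody out. Placeholder: use the account's object id.
            excludeUsers = @("<object-id-of-emergency-access-account>")
        }
        applications = @{ includeApplications = @("All") }
        # These two client app types are the legacy sign-in paths: Exchange ActiveSync
        # and "other clients" (older POP, IMAP and SMTP AUTH clients that cannot do MFA).
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

Disconnect-MgGraph
```

Leave the policy in report-only mode for a week or two, review the Conditional Access report-only results in the sign-in log, and only then set the state to "enabled". If your tenant uses security defaults instead of Conditional Access, legacy authentication is already blocked and this policy is not needed.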
Mailbox auditing
When something goes wrong, you want a record of who did what and when. Mailbox auditing keeps that log. Without it, you are guessing after an incident instead of reading the facts. Confirm it is running across your accounts, because assuming it is on has burned plenty of owners during an investigation.
Restrict external forwarding
One of the quietest tricks in a compromised account is a hidden forwarding rule. The attacker sets your mail to send itself to an outside address, then watches everything you send and receive. You may never notice on your own. The better fix is to block automatic external forwarding through your outbound spam filter policy, so an attacker who gets into an account cannot set up that forwarding rule in the first place. Keep alerts on as a backstop for any forwarding you do choose to allow, and you get a warning the moment something slips through.
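The two checks above, mailbox auditing and external forwarding, can both be confirmed from Exchange Online PowerShell. The script below is an added example, not code from the article and not a Microsoft tool; it assumes the ExchangeOnlineManagement module is installed and that your account can read these settings. It changes nothing, it only reports what is on and where forwarding already exists.

```powershell
# Added example, not code from the article. Read-only checks for mailbox auditing
# and external forwarding in Exchange Online. Assumes the ExchangeOnlineManagement
# module is installed; nothing here changes a setting.

Connect-ExchangeOnline -ShowBanner:$false

# 1. Mailbox auditing.
# The tenant-wide switch is what matters: while auditing is on by default for the
# organisation, the per-mailbox AuditEnabled value is ignored. The per-mailbox
# value only counts if someone has turned the default off.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is DISABLED for the whole tenant."
} else {
    Write-Host "Tenant-level mailbox auditing is on."
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$unaudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
Write-Host ("{0} of {1} user mailboxes have AuditEnabled = False (only relevant if the tenant default is off)." -f $unaudited.Count, $mailboxes.Count)

# 2. Outbound spam filter policy: this is the setting that blocks automatic
# external forwarding tenant-wide. "Off" blocks it, "On" allows it, and
# "Automatic" follows Microsoft's default, which is documented as behaving like Off.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# 3. Forwarding that already exists, set at the mailbox level...
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# ...and inbox rules that forward or redirect mail. A hidden rule in a compromised
# account shows up here even when the user has never seen it in Outlook.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it before and after you change the outbound spam filter policy: the first run tells you whether any forwarding is legitimate and needs to be kept, the second confirms the policy now reads "Off". The inbox rule loop is the slow part on a large tenant, so expect it to take a few minutes per few hundred mailboxes.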
Self-service password reset
This one sounds like a convenience feature, and it is, but it also tightens security when you set it up correctly. Users reset their own passwords through verified methods instead of calling around or reusing an old one. Pair it with strong verification and you cut both your help desk load and a common weak point at the same time.
Why Microsoft 365 Business Standard is not the finish line
Here is the part many owners miss. Microsoft 365 Business Standard gives you the apps and the mailboxes, but it does not include the deeper security controls. Conditional Access, the tool that lets you set real rules around who signs in and from where, requires Microsoft 365 Business Premium. Business Standard leaves you with blunt, all-or-nothing options. Premium gives you the precision to protect a real business. If security matters to you, and it should, the license tier matters too.
Turning these settings on takes a little time, and most of them cost nothing beyond that time. If you want to see where your own tenant stands right now, run our Microsoft 365 security self-check and find the gaps before someone else does.