Five Microsoft 365 security settings most businesses leave turned off

Many small businesses buy Microsoft 365, set up email, and assume the security is good to go. The platform is very capable, but almost none of the protection turns on by itself. The defaults are designed to get you working fast, not to keep you safe. Here are five settings that sit quietly in the admin center, switched off, waiting for someone to flip them on.
[Image: Business owner approving a multi-factor authentication prompt on her phone while checking Microsoft 365 email on a laptop]

Multi-factor authentication

If a setting deserves your attention today, this is the one. A password alone gives an attacker everything once they guess it or buy it from a breach dump. Multi-factor authentication adds a second layer of security, usually a tap on your phone, so a stolen password becomes close to useless. You can turn it on through security defaults in a few minutes or control it more precisely with Conditional Access. Either way, leaving it off is the single biggest mistake I see.

Legacy authentication

Older mail protocols predate modern security, and they also ignore multi-factor authentication completely. Attackers love them for exactly that reason. They use these old paths to slip past the protection you think you have. Blocking legacy authentication closes that side door, and most businesses never touch a single thing that relies on it.
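The two sections above, MFA and legacy authentication, are usually handled together, so here is one added example that is not part of the original post and not Microsoft's own material. It assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the signed-in account holds the Security Administrator or Global Administrator role; the break-glass object ID is a placeholder. It first checks the sign-in log for anything still using legacy protocols, then shows both paths the post mentions: security defaults for a Business Standard tenant, or two report-only Conditional Access policies for Business Premium.

```powershell
# Added example, not the post's own material. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules and an account with the Security Administrator
# or Global Administrator role. Replace the placeholder with the object ID of
# your own emergency-access (break-glass) account before running.
$breakGlassId = '<object-id-of-your-emergency-access-account>'   # placeholder

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

# Step 1: see who, if anyone, still signs in over legacy protocols before blocking them.
$legacyClients = @('Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'Authenticated SMTP')
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name

# Step 2a (Business Standard, no Conditional Access): security defaults require MFA
# for every user and block legacy authentication, with no per-user exceptions.
# Security defaults and Conditional Access cannot both be on, so pick one path.
# Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true

# Step 2b (Business Premium): the same two controls as scoped Conditional Access
# policies. Both start in report-only mode; change 'state' to 'enabled' once the
# sign-in log shows no unexpected failures.
$requireMfa = @{
    displayName   = 'Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

$blockLegacy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        # 'exchangeActiveSync' and 'other' are the client types that cannot do MFA.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Step 3: the Exchange side. SMTP AUTH is the one basic-auth protocol Exchange
# Online still leaves available per tenant; turn it off unless a scanner or
# printer genuinely needs it, then confirm the setting took.
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
```

Reading sign-in logs through Graph needs an Entra ID P1 license, which Business Premium includes; on Standard, the same check is available in the sign-in logs blade of the Entra admin center. Leave the policies in report-only mode for a week or two and review the report-only results before enforcing, and never remove the break-glass exclusion, since a misconfigured MFA policy can otherwise lock every administrator out.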

Mailbox auditing

When something goes wrong, you want a record of who did what and when. Mailbox auditing keeps that log. Without it, you are guessing after an incident instead of reading the facts. Confirm it is running across your accounts, because assuming it is on has burned plenty of owners during an investigation.
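The following is an added example, not code from the original post, showing what "confirm it is running" looks like in practice and what the log gives you afterwards. It assumes the ExchangeOnlineManagement module and an account with the Exchange Administrator or Global Administrator role. It checks the tenant-wide switch, the per-mailbox setting, and the bypass list, then pulls the last 30 days of inbox-rule and mailbox changes from the unified audit log.

```powershell
# Added example, not the post's own material. Assumes the ExchangeOnlineManagement
# module and an account with the Exchange Administrator or Global Administrator role.
Connect-ExchangeOnline

# The tenant-wide switch comes first: if AuditDisabled is $true, no mailbox is
# audited no matter what the per-mailbox setting says.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# Per-mailbox: auditing is on by default for most license types, but it can be
# switched off per mailbox. Report every mailbox where it is off, then turn it on.
$mailboxes  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
$notAudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
$notAudited | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit
foreach ($mbx in $notAudited) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
}

# A bypass association silences a specific account entirely; expect this list to be empty.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# What the log buys you after an incident: the last 30 days of inbox-rule changes
# and Set-Mailbox changes (mailbox forwarding lives there), with actor and source IP.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000

$events | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $_.CreationDate
        Actor      = $_.UserIds
        Operation  = $_.Operations
        ClientIP   = $data.ClientIP
        Parameters = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

The Parameters column is where a forwarding rule's target address or a new ForwardingSmtpAddress shows up, and ClientIP tells you whether the change came from the office or from somewhere it should not have. Note that the log only contains events recorded after auditing was on, which is the whole reason to confirm it today rather than during an investigation.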

Restrict external forwarding

One of the quietest tricks in a compromised account is a hidden forwarding rule. The attacker sets your mail to send itself to an outside address, then watches everything you send and receive. You may never notice on your own. The better fix is to block automatic external forwarding through your outbound spam filter policy, so an attacker who gets into an account cannot set up that forwarding rule in the first place. Keep alerts on as a backstop for any forwarding you do choose to allow, and you get a warning the moment something slips through.
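As an added example, not code from the original post, here is the hunt-then-block sequence the section above describes. It assumes the ExchangeOnlineManagement module and an account with the Exchange Administrator or Global Administrator role; the approved forwarding address at the end is a placeholder. It checks the three places forwarding can hide, turns off automatic external forwarding in the default outbound spam policy, and shows how to carve out a single approved exception without loosening the default for everyone.

```powershell
# Added example, not the post's own material. Assumes the ExchangeOnlineManagement
# module and an account with the Exchange Administrator or Global Administrator role.
Connect-ExchangeOnline

# Step 1: find forwarding that is already in place. There are three places it can
# live, so check all three.
$mailboxes = Get-Mailbox -ResultSize Unlimited

# (a) Mailbox-level forwarding, set through admin tools or Set-Mailbox.
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# (b) Inbox rules, including ones flagged hidden so they do not appear in Outlook.
$forwardingRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$forwardingRules | Format-Table -AutoSize

# (c) Mail flow (transport) rules that redirect or blind-copy mail tenant-wide.
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo

# Step 2: block automatic external forwarding in the default outbound spam policy.
# 'Automatic' is the shipped value and currently behaves like Off, but Microsoft
# controls what it means; set 'Off' explicitly so the block does not depend on that.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Step 3: for the rare mailbox that genuinely must forward externally, give it a
# dedicated policy and rule rather than loosening the default for everyone.
New-HostedOutboundSpamFilterPolicy -Name 'Approved external forwarding' -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name 'Approved external forwarding' `
    -HostedOutboundSpamFilterPolicy 'Approved external forwarding' `
    -From 'approved.user@example.com'   # placeholder: the one approved sender
```

With AutoForwardingMode set to Off, a rule that tries to forward outside the tenant is rejected with a non-delivery report, which is exactly the noise you want. The alert backstop the section mentions is the built-in "Creation of forwarding/redirect rule" alert policy in the Defender portal; after Connect-IPPSSession you can confirm it is still enabled with Get-ProtectionAlert.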

Self-service password reset

This one sounds like a convenience feature, and it is, but it also tightens security when you set it up correctly. Users reset their own passwords through verified methods instead of calling around or reusing an old one. Pair it with strong verification and you cut both your help desk load and a common weak point at the same time.

Why Microsoft 365 Business Standard is not the finish line

Here is the part many owners miss. Microsoft 365 Business Standard gives you the apps and the mailboxes, but it does not include the deeper security controls. Conditional Access, the tool that lets you set real rules around who signs in and from where, requires Microsoft 365 Business Premium. Business Standard leaves you with blunt, all-or-nothing options. Premium gives you the precision to protect a real business. If security matters to you, and it should, the license tier matters too.

Turning these settings on takes a little time, and most of them cost nothing beyond that time. If you want to see where your own tenant stands right now, run our Microsoft 365 security self-check and find the gaps before someone else does.
