10 Microsoft 365 Security Settings You're Probably Missing
Microsoft 365 is the backbone of most Australian businesses. But here's the problem: the default configuration prioritises ease of use over security. Out of the box, many critical security features are turned off.
After managing Microsoft 365 environments for hundreds of businesses, here are the ten settings we configure for every single client.
1. Enable Security Defaults or Conditional Access
At minimum, enable Security Defaults — this enforces MFA for all users and blocks legacy authentication protocols. For businesses with Microsoft 365 Business Premium or higher, Conditional Access policies give you much more granular control.
2. Block Legacy Authentication
Older email protocols like POP3, IMAP, and SMTP, when used with basic (legacy) authentication, don't support MFA. Attackers specifically target them because a username and password alone are enough to gain access. Block legacy authentication unless you have a genuine business need for it.
3. Configure Anti-Phishing Policies
Microsoft Defender includes anti-phishing capabilities that detect impersonation attempts. Configure these to protect your executives and key staff — attackers commonly impersonate CEOs, CFOs, and finance staff.
4. Enable Audit Logging
Unified audit logging records user and admin activity across your Microsoft 365 environment. This is essential for investigating security incidents and is often required for compliance. Enable it and set appropriate retention periods.
5. Configure Data Loss Prevention (DLP)
DLP policies prevent sensitive information — credit card numbers, tax file numbers, medical records — from being shared externally via email or SharePoint. Set up policies for the types of sensitive data your business handles.
6. Disable Auto-Forwarding to External Addresses
One of the first things an attacker does after compromising an email account is set up auto-forwarding to an external address. This lets them silently monitor all incoming email. Create a transport rule to block external auto-forwarding.
7. Enable Safe Attachments and Safe Links
These Defender features scan email attachments in a sandbox environment and check URLs at the time of click. They catch threats that slip past initial email filtering.
8. Configure SharePoint and OneDrive Sharing
Review your external sharing settings. By default, users can share files and folders with anyone. Restrict sharing to authenticated external users and set expiration dates on shared links.
9. Set Up Alerts for Suspicious Activity
Configure alert policies for events like impossible travel (logins from two distant locations in a short time), mass file downloads, and new inbox rules. These are early warning signs of a compromised account.
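Items 6 and 9 both come down to auto-forwarding and inbox rules. The following Exchange Online PowerShell, added here as an example and not part of the original article, blocks external auto-forwarding at the tenant level and then lists the mailbox forwards and inbox rules already in place so they can be reviewed. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange Administrator role; the rule name and rejection text are our own choices.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and an Exchange Administrator account; rule name and text are our own choices.
Connect-ExchangeOnline

# 1. Tenant-wide: stop Exchange from honouring auto-forward to any remote domain.
#    'Default' is the catch-all remote domain that covers every external domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Belt and braces: a transport rule that rejects auto-forwarded mail leaving the
#    organisation, so the sender gets an explicit NDR rather than a silent drop.
$ruleName = 'Block external auto-forwarding'
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.' `
        -Priority 0 -Mode Enforce
}

# 3. Find forwarding that already exists. A new forward or redirect rule on a mailbox
#    that never had one is the post-compromise behaviour described in item 6.
$allMailboxes = Get-Mailbox -ResultSize Unlimited

$mailboxForwards = $allMailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$ruleForwards = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Review both lists: anything forwarding outside your accepted domains needs a business justification.
$mailboxForwards | Format-Table -AutoSize
$ruleForwards    | Format-Table -AutoSize
```

Run the review section on a schedule, or feed its output into the alert policies from item 9, so a newly created forwarding rule is noticed rather than discovered months later.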
10. Review and Restrict App Permissions
Users can grant third-party apps access to their Microsoft 365 data through OAuth consent. Without controls, this creates a significant data leakage risk. Restrict app consent to admin-approved apps only.
These ten settings form the baseline of our Microsoft 365 security hardening service. If you'd like us to review your current configuration, reach out for a free security assessment.