How to Set Up Microsoft 365 Security the Right Way
Out of the box, Microsoft 365 is not fully secured. Here's the step-by-step configuration every business should apply immediately after setting up their tenant.
Microsoft 365 ships with sensible defaults — but not the strongest possible security configuration. Many businesses set up M365, migrate their email, and never revisit the security settings. That's a mistake. Here's what to configure immediately after setup.
Step 1: Enable MFA for All Users
This is the single most impactful security change you can make. Go to the Microsoft 365 admin center, navigate to Users > Active users, and enable multi-factor authentication. Require all users — including admins — to register an authentication method before their next login.
Step 2: Configure Security Defaults or Conditional Access
Microsoft's Security Defaults enforce MFA for all users, block legacy authentication protocols, and require MFA for admin actions. For businesses on Business Premium or higher, Conditional Access policies offer even more granular control — blocking access from unmanaged devices or unfamiliar locations.
Step 3: Enable Microsoft Defender for Office 365
Defender for Office 365 provides safe links (checks every URL before you click), safe attachments (sandboxes email attachments before delivery), and anti-phishing protection. Even basic M365 plans include some Defender features — make sure they're turned on.
Additional Steps
- Review admin accounts — minimize the number of global administrators
- Enable audit logging — required for incident response and compliance
- Block legacy authentication protocols (IMAP, POP3, basic SMTP auth)
- Configure email authentication: SPF, DKIM, and DMARC records for your domain
- Review external sharing settings in SharePoint and OneDrive