The Microsoft 365 Security Settings Most Small Businesses Miss
When Microsoft 365 went mainstream for small businesses, it came with a promise: enterprise-grade productivity at a price SMBs could afford.
What it did not come with: enterprise-grade security configuration by default.
Every week we onboard a new client in the Las Vegas valley whose Microsoft 365 tenant has been running for years — and whose security posture reflects exactly what happens when you set up M365 using the default wizard and never look at it again. Business email compromise, compromised accounts, accidental data exposure. We see all of it, and almost all of it was preventable.
Here are the security settings that most small businesses miss, and what to do about them.
- MULTI-FACTOR AUTHENTICATION IS STILL NOT ON FOR EVERYONE
This is the most important security control in Microsoft 365, and it's still not enabled by default for every account in most small business tenants.
Microsoft added Security Defaults in recent years, which enables MFA for all users. But many businesses have legacy configurations that predate Security Defaults, or they turned off Security Defaults to enable Conditional Access — and then never configured it properly. The result: user accounts with no MFA protection.
An account without MFA can be compromised with a single stolen password. It takes about 30 seconds for an attacker to log into your Microsoft 365 email, browse your files, set up forwarding rules to copy every email you receive, and log out without leaving a trace.
Fix: Go to the Microsoft 365 admin center, check your MFA status for every user, and enforce it with no exceptions. Every account — including shared mailboxes, admin accounts, and the one belonging to the owner who keeps saying they'll do it later.
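The admin center shows MFA status one page at a time; for a tenant audit it is faster to pull the registration report from Microsoft Graph and check whether Security Defaults is actually enforcing anything. The script below is an added example, not part of the original post, and assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin can consent to the listed scopes.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph) and an admin who can consent to these scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Policy.Read.All"

# Is Security Defaults on? If not, MFA is only enforced where a Conditional
# Access policy says so, so "registered" does not mean "required".
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# The registration report covers every user and flags who has no MFA method
# registered at all. Admins and shared-mailbox accounts are included.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa  = $report | Where-Object { -not $_.IsMfaRegistered }

# Admin accounts without MFA are the highest-priority findings, so list them first.
$noMfa |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
        @{ Name = 'MethodsRegistered'; Expression = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

"{0} of {1} users have no MFA method registered ({2} of them are admins)" -f `
    $noMfa.Count, $report.Count, @($noMfa | Where-Object IsAdmin).Count
```

Treat every row in the output as an open finding: a user who is MFA-capable but not registered will be prompted on next sign-in only if Security Defaults or a Conditional Access policy requires it, so fix enforcement first and registration will follow.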
- EMAIL FORWARDING RULES ARE GOING UNCHECKED
Business email compromise attacks frequently work like this: an attacker gains access to an employee's email account, sets up a silent forwarding rule that copies every email to an external address, and then logs out. The employee never notices. The attacker monitors emails for weeks, learning the business's financial patterns, client relationships, and vocabulary — then uses that information to impersonate the employee in a wire fraud or invoice scam.
The terrifying part: automatic forwarding to external domains is enabled by default in most M365 tenants.
Fix: In the Exchange admin center, set an outbound spam policy that blocks or flags automatic external forwarding. Then audit existing inbox rules across all user accounts for forwarding rules you didn't create.
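Both halves of that fix can be done from Exchange Online PowerShell, and scripting the audit is the only practical way to cover every mailbox, including shared ones. This is an added example, not the original post's or Microsoft's code; it assumes the ExchangeOnlineManagement module and an account with Exchange admin rights.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has Exchange administrator rights.
Connect-ExchangeOnline

# 1. Tenant-wide policy: turn automatic external forwarding off. The outbound
#    spam policy named "Default" applies wherever no custom policy matches.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# 2. Mailbox-level forwarding (set by an admin or through Outlook settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect. This is where a silent copy usually
#    hides, often under an innocuous rule name with "stop processing" set.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
            Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

"--- Mailbox-level forwarding ---"
$mailboxForwarding | Format-Table -AutoSize
"--- Inbox rules that forward or redirect ---"
$ruleForwarding | Format-Table -AutoSize
```

Step 3 calls Get-InboxRule once per mailbox, so it takes a few minutes on larger tenants; run it on a schedule and diff the output, because a rule that appears between two runs and was not created by you is exactly the signal you want. Disabling forwarding in the policy does not delete existing rules, so the audit is still required after the policy change.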
- SHAREPOINT AND ONEDRIVE PERMISSIONS ARE TOO PERMISSIVE
The default sharing settings for SharePoint and OneDrive allow users to share files and folders with "Anyone with the link" — no login required. A user who accidentally pastes a sharing link into a Slack message or a BCC field has just made that document publicly accessible to anyone who gets the URL.
For most businesses, there is no legitimate reason to share documents with unauthenticated anonymous users.
Fix: In the SharePoint admin center, set the default sharing link type to "Only people in your organization" and the external sharing level to "Existing guests" or "Only people in your organization" depending on your business needs. This is a five-minute change that eliminates a significant data exposure risk.
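The same change, made from the SharePoint Online Management Shell so it can be recorded and repeated, as an added example that is not part of the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin; the tenant name "contoso" is a placeholder.

```powershell
# Added example (not from the original post). Assumes the
# Microsoft.Online.SharePoint.PowerShell module; "contoso" is a placeholder tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current values first so the change can be explained and reverted.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays

# Tenant level: no anonymous "Anyone" links, and new links default to internal,
# view-only. ExistingExternalUserSharingOnly is "Existing guests" in the admin
# center; use Disabled for "Only people in your organization".
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# Site level: a site can never be more open than the tenant, but sites that were
# explicitly set to allow anonymous links will reopen if the tenant setting is
# ever relaxed, so tighten them explicitly too.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    ForEach-Object {
        "Tightening sharing on $($_.Url)"
        Set-SPOSite -Identity $_.Url -SharingCapability ExistingExternalUserSharingOnly
    }
```

Get-SPOSite does not return OneDrive sites unless you add -IncludePersonalSite $true, so run the site loop a second time with that switch if users have been sharing from OneDrive. Existing "Anyone" links stop working once the tenant setting is tightened, which is the intended effect, but warn users before you make the change.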
- LEGACY AUTHENTICATION IS STILL ENABLED
Legacy authentication protocols — think older Outlook versions, IMAP/POP mail clients, and certain third-party apps — don't support multi-factor authentication. If you have any accounts that can authenticate via legacy protocols, an attacker can use those protocols to bypass MFA entirely.
Microsoft has been pushing to block legacy authentication for years, and it's now blocked in new tenants by default. But older tenants often still have it enabled.
Fix: In Conditional Access (or via Security Defaults), block legacy authentication protocols. Before you do, audit which apps and devices in your environment rely on them, because some line-of-business applications and older printers and scanners use these protocols and will break.
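The audit-then-block sequence above maps onto two Graph calls: read the sign-in log for anything that is not a browser or modern client, then create the blocking policy in report-only mode so it logs what it would have blocked without breaking anything. This is an added example, not code from the original post; it assumes Microsoft Graph PowerShell, an Entra ID P1 license (required for Conditional Access and for 30 days of sign-in log retention), and that you substitute the object ID of your break-glass account for the placeholder.

```powershell
# Added example (not from the original post). Assumes Microsoft Graph PowerShell,
# Entra ID P1, and an admin who can read sign-in logs and manage Conditional Access.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Step 1: who still signs in with legacy protocols? Anything other than the
# browser and modern desktop/mobile clients counts as legacy (IMAP4, POP3,
# Authenticated SMTP, Exchange ActiveSync, "Other clients", and so on).
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin $modern }

# One row per user/protocol/app combination: this is the list of things that
# will break, so every row needs an owner before the block is enforced.
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Step 2: a Conditional Access policy that blocks legacy auth, created in
# report-only mode. Change state to "enabled" once step 1 shows no hits you care
# about. The break-glass account is excluded so a mistake cannot lock you out.
$breakGlassObjectId = "<PLACEHOLDER-break-glass-account-object-id>"
$policy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassObjectId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode for a week or two and check the sign-in log's report-only results before switching it on; a scanner that sends scan-to-email once a month will not show up in a two-day window. If a device genuinely cannot be replaced, the usual answer is a dedicated mailbox with a strong unique password and an exclusion scoped to that single account, not leaving legacy auth open tenant-wide.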
- ADMIN ACCOUNTS ARE BEING USED FOR DAILY WORK
In most small business M365 tenants, the same account that has Global Administrator privileges is the one the owner uses to read email and browse the internet every day.
Admin accounts need elevated privileges to manage the tenant. But those same privileges mean that if the account is compromised — through a phishing email, a malware infection, or a credential stuffing attack — the attacker has complete control over your entire Microsoft 365 environment. They can create new accounts, delete users, access all mailboxes, and disable security features.
Fix: Create a separate admin account used only for administrative tasks. Your day-to-day work account should have a standard user license. The admin account should have no email, no Microsoft 365 apps, and MFA with a hardware key or authentication app — not SMS.
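A quick way to find the "owner reads email from the Global Admin account" pattern is to list every Global Administrator and check whether the account is licensed like a normal user. This is an added example, not code from the original post; it assumes Microsoft Graph PowerShell with Directory.Read.All. The role template ID is the fixed, well-known value Microsoft assigns to the Global Administrator role.

```powershell
# Added example (not from the original post). Assumes Microsoft Graph PowerShell
# and an account granted Directory.Read.All.
Connect-MgGraph -Scopes "Directory.Read.All"

# Well-known, fixed template ID for the Global Administrator role.
$globalAdminTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$role = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $globalAdminTemplateId }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$findings = foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users matter here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $upn   = $m.AdditionalProperties['userPrincipalName']
    $lic   = Get-MgUserLicenseDetail -UserId $m.Id
    $plans = $lic.ServicePlans

    # An Exchange service plan means the admin account has a mailbox, which is
    # the clearest sign it is also being used for day-to-day work.
    $hasMailbox = [bool]($plans | Where-Object {
        $_.ServicePlanName -like 'EXCHANGE_S_*' -and $_.ProvisioningStatus -eq 'Success'
    })

    $finding = if ($hasMailbox) { 'Has a mailbox: likely a daily-use account with GA rights' }
               else             { 'OK: no mailbox on this admin account' }

    [pscustomobject]@{
        GlobalAdmin  = $upn
        LicensedSkus = ($lic.SkuPartNumber -join ',')
        HasMailbox   = $hasMailbox
        Finding      = $finding
    }
}

$findings | Format-Table -AutoSize
"Global Administrators: $(@($findings).Count)"
```

Two or three Global Administrators is a reasonable number for a small business; one of them should be a break-glass account that is never used interactively. Any Global Admin that has a mailbox or Office apps licensed is a candidate for the split described above: create a new admin-only account, move the role to it, and drop the original back to a standard user.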
- THE MICROSOFT SECURE SCORE ISN'T BEING MONITORED
Microsoft 365 has a built-in security measurement tool called Secure Score that evaluates your tenant configuration across dozens of security controls and gives you a score. It also provides specific, prioritized recommendations for improving your security posture.
Most small businesses have never looked at it.
Fix: Go to security.microsoft.com, navigate to Secure Score, and look at your score. Run through the recommended actions and implement the ones appropriate for your business. A well-managed small business tenant should score 60-70%+. If you're below 40%, you have significant security gaps.
WHERE TO START
If this list is overwhelming, start with MFA. Then block legacy authentication. Then check your sharing settings. Those three changes address the majority of the risk in a misconfigured M365 tenant and can be done in an afternoon.
If you want a complete M365 security audit — a systematic review of your tenant configuration, permissions, security settings, and user accounts — 702MSP does these regularly for Las Vegas businesses. We'll tell you exactly where you stand and what to fix. Call (702) 333-2001 or visit 702msp.com.