The Microsoft 365 Security Baseline Every Business Should Run

Microsoft 365 ships with sensible defaults for collaboration and fairly permissive defaults for security. Newer tenants get Security Defaults, which at least push MFA, but the settings that stop the common attacks (mailbox forwarding, legacy protocols, DKIM and DMARC, device compliance) are still left to the administrator. A handful of tenant-level changes meaningfully reduces the risk of compromise without disrupting your users.
Identity
- Enforce MFA for every user account, admins first. Shared mailboxes should never be signed into directly, so block sign-in on their backing accounts rather than trying to enrol them in MFA
- Block legacy authentication with a Conditional Access policy. Basic authentication is already retired for most Exchange Online protocols, but SMTP AUTH is still on by default, so disable it tenant-wide and re-enable it per mailbox only for the few devices that need it; a leaked password alone should never be enough to read mail
- Restrict admin role assignments and use Privileged Identity Management where licensed
Email
- Enable anti-phishing and impersonation protection in Defender for Office 365
- Publish SPF, DKIM, and DMARC records for every sending domain, then move DMARC from p=none to quarantine or reject once the aggregate reports look clean
- Disable auto-forwarding to external recipients at the tenant level and review existing mailbox forwarding rules; adding a forward is one of the first things an attacker does after taking over a mailbox
Devices
- Enroll endpoints in Intune and require disk encryption
- Require a compliant device (enrolled, encrypted, up to date) for access to Exchange Online and SharePoint through Conditional Access
- Enable Defender for Endpoint where licensing supports it
Visibility
The unified audit log is on by default in newer tenants, but verify that it is actually ingesting events, how long your licence retains them, and that alerts reach a person. Entra ID sign-in logs are kept for at most 30 days by default, so export both to a SIEM or Log Analytics workspace if you need to look further back. When something does go wrong, the audit log is how you reconstruct what happened, and how your insurer or regulator evaluates your response.
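A read-only script that checks a tenant against the baseline above, added here as a worked example; it is not NerdTeck's engagement tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the caller holds Global Reader or equivalent, and that it runs on Windows (Resolve-DnsName). Nothing in it changes the tenant; remediation cmdlets appear only in the finding text.

```powershell
# Read-only Microsoft 365 baseline audit (example added here; not NerdTeck tooling).
# Assumes: ExchangeOnlineManagement and Microsoft.Graph modules installed, caller has
# Global Reader or equivalent, Windows (Resolve-DnsName). Nothing below modifies the tenant.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Policy.Read.All', 'User.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()
function Add-Finding([string]$Area, [string]$Message) { $findings.Add("[$Area] $Message") }

function Get-TxtRecords([string]$Name) {
    # Join multi-string TXT answers so long SPF/DMARC values are evaluated whole.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' }
}

# ---- Identity ---------------------------------------------------------------
# SMTP AUTH is the last basic-auth protocol still on by default; per-mailbox
# overrides can re-enable it even when the tenant switch is off.
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    Add-Finding 'Identity' 'SMTP AUTH enabled tenant-wide (fix: Set-TransportConfig -SmtpClientAuthenticationDisabled $true)'
}
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    ForEach-Object { Add-Finding 'Identity' "POP/IMAP still enabled on $($_.PrimarySmtpAddress)" }

$enabled = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }
# Legacy clients appear as client app type 'other'; a block policy must include it (or 'all').
if (-not ($enabled | Where-Object { $_.GrantControls.BuiltInControls -contains 'block' -and
        ($_.Conditions.ClientAppTypes -contains 'other' -or $_.Conditions.ClientAppTypes -contains 'all') })) {
    Add-Finding 'Identity' 'No enabled Conditional Access policy blocks legacy authentication'
}
if (-not ($enabled | Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' })) {
    Add-Finding 'Identity' 'No enabled Conditional Access policy requires MFA'
}
# Shared mailboxes are used through delegated users; their own account should be disabled.
foreach ($sm in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $u = Get-MgUser -UserId $sm.UserPrincipalName -Property AccountEnabled -ErrorAction SilentlyContinue
    if ($u -and $u.AccountEnabled) { Add-Finding 'Identity' "Shared mailbox $($sm.UserPrincipalName) allows direct sign-in" }
}

# ---- Email ------------------------------------------------------------------
Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' } |
    ForEach-Object { Add-Finding 'Email' "Outbound spam policy '$($_.Name)' is not explicitly Off (AutoForwardingMode=$($_.AutoForwardingMode))" }
if ((Get-RemoteDomain Default).AutoForwardEnabled) {
    Add-Finding 'Email' 'Remote domain Default permits auto-forwarding (fix: Set-RemoteDomain Default -AutoForwardEnabled $false)'
}
# Mailbox-level forwarding is a classic post-compromise persistence step.
Get-Mailbox -ResultSize Unlimited | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object { Add-Finding 'Email' "Forwarding configured on $($_.PrimarySmtpAddress)" }

foreach ($d in (Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' })) {
    $name = $d.DomainName.ToString()
    $dkim = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    if (-not ($dkim -and $dkim.Enabled)) { Add-Finding 'Email' "DKIM signing not enabled for $name" }

    $spf = @(Get-TxtRecords $name | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0)     { Add-Finding 'Email' "No SPF record for $name" }
    elseif ($spf.Count -gt 1) { Add-Finding 'Email' "Multiple SPF records for $name (receivers treat this as a permanent error)" }
    elseif ($spf[0] -notmatch '\s-all$') { Add-Finding 'Email' "SPF for $name does not end in -all: $($spf[0])" }

    $dmarc = @(Get-TxtRecords "_dmarc.$name" | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -eq 0) { Add-Finding 'Email' "No DMARC record for $name" }
    elseif ($dmarc[0] -match '(^|;)\s*p=none') { Add-Finding 'Email' "DMARC for $name is monitor-only (p=none)" }
}

# ---- Devices ----------------------------------------------------------------
# Only checks that some enabled policy demands a compliant device; confirm by hand
# that it actually targets Exchange Online and SharePoint Online.
if (-not ($enabled | Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' })) {
    Add-Finding 'Devices' 'No enabled Conditional Access policy requires a compliant device'
}

# ---- Visibility -------------------------------------------------------------
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Add-Finding 'Visibility' 'Unified audit log ingestion is disabled'
}

if ($findings.Count -eq 0) { 'All baseline checks passed.' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

Run it before and after the baseline engagement and diff the two finding lists. The Conditional Access checks are deliberately coarse: they confirm that a policy with the right grant control exists and is enabled, not that its user and application scoping is correct, so open each matching policy and read it rather than trusting an empty findings list.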
Don't try to do this alone
Most of these settings are a single toggle. The hard part is sequencing them so users aren't surprised. If you'd like a hand, we run a fixed-scope baseline engagement that gets a typical tenant from default to hardened in a couple of weeks.
About NerdTeck
NerdTeck is a Miami-based managed service provider delivering IT support, cybersecurity, Microsoft 365, connectivity, and low-voltage security to small and midsize businesses across South Florida since 2009. We work with companies of 10–250 employees on flat per-user monthly pricing, with most tickets answered in under 15 minutes during business hours. Talk to our team.