The security you already paid for is mostly switched off
If you run a growing company on Microsoft 365, you probably already own more security than you've turned on. The settings that block the attacks you actually face are sitting in your admin portal right now, included in the license you probably already pay for, switched off or only half configured.
That isn't carelessness on your part. Microsoft built Microsoft 365 to work on day one for every kind of organization, including the ones with a decade-old printer, an IMAP email client, and no IT staff at all. So the defaults favor "it works" over "it's locked down." That's a reasonable call for Microsoft and a quiet liability for you.
This post walks the controls that matter most. For each one, the same three questions: what it stops, whether it's already on, and the one thing to check. Most of these are included in Microsoft 365 Business Premium, which is what most companies your size are already running, so the work starts with what you own. Turning these on is step one of the hardening we do for the companies we manage, and it tells us exactly where the next gaps are. Where you want an extra pair of hands to take it further, that's where we come in.
Why these settings ship turned off
It helps to assume good faith here, because the reasons are mostly sensible. This is design, not negligence.
First, compatibility comes first at launch. Blocking older sign-in methods on day one would break the legacy mail clients and custom apps that some new customers still depend on, so Microsoft left those doors open by default.
Second, some controls can't be set without knowing your business. Microsoft doesn't know which of your people are high-value targets, which devices are yours, or who needs an exception. It can't safely guess, so those settings wait for an admin to fill them in.
Third, Microsoft has been tightening defaults in waves since 2024. It has made multi-factor authentication mandatory for admin portals, started blocking file access over older sign-in protocols by default as of July 2025, and restricted third-party app consent. Those are real improvements. But they mostly protect admin access and the worst-case gaps. The controls that protect every ordinary user account are still on you.
One number frames why this is worth doing. Business email compromise, where an attacker tricks a company into sending money or data, accounted for $3.046 billion in reported losses in the FBI's 2025 internet crime report, one of the largest categories by dollar loss. Most of the settings below are the ones that stop it.
Turn on multi-factor authentication for every user
Multi-factor authentication, or MFA, means a password alone isn't enough to sign in. You add a second proof, usually a tap on your phone. Per Microsoft's own research, MFA blocks more than 99.2% of account-compromise attacks. It is the single highest-value thing on this list.
You have two ways to turn it on. The free baseline is called security defaults, and on tenants created on or after October 22, 2019 it's usually already on. It requires MFA for every user and blocks the old protocols that skip it. The more capable option is Conditional Access, which lets you set rules per app, per user, and by risk. That requires Entra ID P1, which is included in Business Premium, but it stays off until someone builds the policies. (The exact click-through changes often, so this stays high level; follow Microsoft's current docs when you set it up.)
The check: confirm whether you're running on security defaults or Conditional Access, and confirm that MFA actually applies to every user, not just admins.
Block legacy authentication
Legacy authentication is the set of older sign-in methods, things like Basic Auth, IMAP, POP, and SMTP Auth, that predate MFA and simply can't enforce it. If an attacker can reach one of those doors, your second factor never gets a chance to do its job. Per Microsoft, more than 99% of password-spray attacks, where someone tries common passwords against many accounts, use these older protocols.
The good news is this is partly handled already. Security defaults block legacy authentication, and since July 2025 Microsoft blocks file access over these protocols by default for SharePoint and OneDrive across all tenants.
The check: confirm legacy authentication is blocked tenant-wide, either through security defaults or a Conditional Access policy. If something old in your environment breaks when you do, that's the point. You've just found a door that was open.
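Both checks above (is MFA enforced for every user, and is legacy authentication blocked tenant-wide) can be answered from one Microsoft Graph PowerShell session. The script below is an added example written for this post, not Microsoft's own tooling; it assumes the Microsoft.Graph module is installed and that the admin running it can consent to the read-only scopes it requests. The classification rules for "requires MFA for all" and "blocks legacy auth" are this example's own heuristics, based on the same conditions Microsoft's policy templates use.

```powershell
# Added example: report security defaults, Conditional Access coverage, and MFA registration.
# Read-only; nothing here changes tenant configuration.
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Security defaults: the free baseline that enforces MFA and blocks legacy auth.
#    If this is $true, Conditional Access policies cannot also be enabled.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 2. Conditional Access: which enabled policies cover every user, and what they do.
#    A legacy-auth block targets the 'exchangeActiveSync' and 'other' client app types
#    with a 'block' grant; an MFA policy targets all users and all apps with an 'mfa' grant.
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
    $enabled  = $p.State -eq 'enabled'
    $allUsers = $p.Conditions.Users.IncludeUsers -contains 'All'
    $allApps  = $p.Conditions.Applications.IncludeApplications -contains 'All'
    $controls = $p.GrantControls.BuiltInControls
    $clients  = $p.Conditions.ClientAppTypes

    [pscustomobject]@{
        Policy            = $p.DisplayName
        State             = $p.State
        RequiresMfaForAll = $enabled -and $allUsers -and $allApps -and ($controls -contains 'mfa')
        BlocksLegacyAuth  = $enabled -and $allUsers -and ($controls -contains 'block') -and
                            (($clients -contains 'exchangeActiveSync') -or ($clients -contains 'other'))
        ExcludedUsers     = ($p.Conditions.Users.ExcludeUsers).Count   # exceptions are where MFA gaps hide
    }
}
$report | Format-Table -AutoSize

# 3. Registration: a policy that requires MFA is only as good as the users who have enrolled.
$notRegistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered }
"Users with no MFA method registered: $($notRegistered.Count)"
$notRegistered | Select-Object UserPrincipalName, IsAdmin | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
```

If security defaults reads `True`, you are covered on both counts and the Conditional Access table will be empty. If it reads `False`, you want at least one row with `RequiresMfaForAll` and one with `BlocksLegacyAuth` set to `True`; an `ExcludedUsers` count above zero on those rows is the list of accounts to justify one by one. The last section is the part most tenants skip: an admin-only MFA rollout shows up here as a long list of ordinary users who have never enrolled.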
Impersonation protection: the email that fools people
Impersonation protection is the anti-phishing feature that catches an attacker pretending to be a specific person, usually one of your executives or a vendor you pay. This is what stops CEO fraud ("hey, can you wire this today?") and vendor-impersonation scams where a fake invoice arrives from a real-looking address. These are the social-engineering attacks that sail past ordinary spam filters, because nothing about the message is technically malicious.
Impersonation protection is completely off by default, for every tenant. It needs Defender for Office 365 Plan 1, which is included in Business Premium, and it needs you to name the people and vendors worth protecting. Microsoft can't guess who your CFO is or which suppliers you pay, so it can't pre-fill the list for you.
The check: open your anti-phishing policy and confirm impersonation protection is turned on, with your VIPs and key vendors added by name. This is one of the few settings that does almost nothing until you tell it who matters.
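Here is what "turned on, with your VIPs and key vendors added by name" looks like in Exchange Online PowerShell. This is an added example for this post, not Microsoft's or any vendor's code; the people, addresses and domains are constructed placeholders, and it assumes Defender for Office 365 Plan 1 is licensed so that the default anti-phishing policy, `Office365 AntiPhish Default`, exposes the impersonation settings.

```powershell
# Added example: populate impersonation protection in the default anti-phishing policy.
Connect-ExchangeOnline -ShowBanner:$false

# Entries use the "DisplayName;smtpaddress" format the cmdlet expects. Constructed placeholders.
$vips = @(
    'Jane Example;jane.example@contoso.example',   # CEO
    'Sam Example;sam.example@contoso.example'      # CFO, the one who gets the wire requests
)
# Vendors you pay: the domains a fake invoice would try to look like. Constructed placeholders.
$vendorDomains = @('supplier-one.example', 'payroll-vendor.example')

Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableTargetedUserProtection        $true `
    -TargetedUsersToProtect              $vips `
    -TargetedUserProtectionAction        Quarantine `
    -EnableTargetedDomainsProtection     $true `
    -TargetedDomainsToProtect            $vendorDomains `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction      Quarantine `
    -EnableMailboxIntelligence           $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips        $true `
    -EnableSimilarDomainsSafetyTips      $true `
    -EnableUnusualCharactersSafetyTips   $true

# Read back what is actually protected; this is the "check" from the post.
Get-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                  EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection |
    Format-List
```

Two design choices worth noting. Impersonation of a named user or vendor domain goes to quarantine, because a message that claims to be your CFO and is not is never wanted; mailbox-intelligence hits, which are inferred from who each user normally talks to, go to Junk instead, because that signal is softer and a quarantine there creates support tickets. Run the read-back on its own, without the `Set-` call, whenever someone joins or leaves the leadership team; a protected-users list that still names last year's CFO is exactly the stale configuration the post warns about.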
Safe Links and Safe Attachments: on, but probably minimal
Safe Links checks a link at the moment someone clicks it, so a page that looked clean when the email arrived but turned malicious later still gets caught. Safe Attachments opens attachments in an isolated environment first, so a weaponized file is detonated away from your people. Together they cover the two ways most phishing payloads land.
Calling these "off by default" isn't quite right. The Built-in protection preset gives every licensed user some baseline coverage automatically. The honest word is "under-configured," because that baseline is minimal compared to the Standard and Strict presets, which add stronger URL detonation and attachment scanning but have to be applied by an admin.
While we're here, one thing is already working: anti-spoofing, or spoof intelligence, is on by default in the default anti-phishing policy for every mailbox. It catches someone forging your own domain.
The check: find out whether your users are on Built-in protection only, or whether the Standard or Strict preset has been applied. Both Safe Links and Safe Attachments are part of Defender for Office 365 Plan 1, included in Business Premium. Moving from "minimal" to "standard" is a few clicks, not a project.
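This is how the Built-in / Standard / Strict question is answered from Exchange Online PowerShell, as an added example for this post rather than Microsoft's own script. It assumes the Standard preset has been saved at least once in the Defender portal (the portal creates the rule objects; PowerShell can then enable them), and that Defender for Office 365 Plan 1 is licensed so the ATP-side cmdlets are available.

```powershell
# Added example: find out which preset covers your users, and turn on Standard if nothing does.
Connect-ExchangeOnline -ShowBanner:$false

# Built-in protection is always present and cannot be disabled; it is the "minimal" baseline.
Get-ATPBuiltInProtectionRule | Select-Object Name, State

# The Standard and Strict presets have two rule objects each:
#   ATP side  = Safe Links, Safe Attachments, anti-phishing (Defender for Office 365)
#   EOP side  = anti-spam, anti-malware (Exchange Online Protection)
# A rule with no SentTo / SentToMemberOf / RecipientDomainIs conditions applies to everyone.
Get-ATPProtectionPolicyRule | Select-Object Name, State, SentTo, SentToMemberOf, RecipientDomainIs
Get-EOPProtectionPolicyRule | Select-Object Name, State, SentTo, SentToMemberOf, RecipientDomainIs

$std = Get-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy' -ErrorAction SilentlyContinue
if ($null -eq $std) {
    Write-Warning 'Standard preset has never been saved in the Defender portal; save it there once, then rerun.'
}
elseif ($std.State -ne 'Enabled') {
    # Enable both halves; the names match by default.
    Enable-ATPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
    Enable-EOPProtectionPolicyRule -Identity 'Standard Preset Security Policy'
    'Standard preset enabled.'
}
else {
    'Standard preset already enabled.'
}
```

If the two `Get-*ProtectionPolicyRule` calls return nothing at all, the tenant is on Built-in protection only, which is the "under-configured" state the post describes. If a Standard rule exists but carries a `SentTo` or `RecipientDomainIs` value, only those recipients are covered; everyone else is still on the baseline, which is easy to miss when the portal shows the preset as "on".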
Close the email-forwarding back door
When an attacker gets into a mailbox, one of the first things they do is set up a quiet way to keep seeing the mail, or to redirect a payment thread to themselves. Forwarding rules are how they exfiltrate mail in a business email compromise.
The good news: external auto-forwarding is now off by default, through the outbound spam policy's "Automatic - System-controlled" setting, which is now functionally the same as "Off." That used to mean something looser, so it's worth confirming it's in place.
The real risk that remains is rule-based forwarding: an inbox rule an attacker creates to quietly move mail along. One thing here works in your favor and most people miss it. Mailbox auditing logs when inbox rules are added, changed, or removed, and it's on by default for every Microsoft 365 organization, including Business Premium. So the footprint is being recorded even if you've never touched the setting.
The check: confirm the outbound forwarding block is on, then review your tenant for suspicious inbox rules that nobody on your team remembers making. That last step often finds something.
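The forwarding review reads as three separate questions, because forwarding can be configured in three places: the tenant-wide outbound policy, the mailbox itself, and the user's inbox rules. The script below is an added example for this post, not a Microsoft or vendor tool; it assumes Exchange Online PowerShell with a role that can read every mailbox's rules, and its notion of "suspicious" (a rule that forwards, redirects, deletes, or files mail into the RSS Feeds folder) is a heuristic you should read as a starting list, not a verdict.

```powershell
# Added example: audit the three places mail can be forwarded out of a tenant.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-wide: AutoForwardingMode should read Off or Automatic (Automatic now behaves as Off).
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode

# 2. Mailbox-level forwarding, set through the admin center or PowerShell rather than by the user.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules: the kind an attacker creates after a compromise to keep reading, or to hide replies.
$suspect = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
            $_.DeleteMessage -or ($_.MoveToFolder -like '*RSS*')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox   = $mbx.UserPrincipalName
                Rule      = $_.Name
                Enabled   = $_.Enabled
                SendsTo   = (@($_.ForwardTo; $_.ForwardAsAttachmentTo; $_.RedirectTo) | Where-Object { $_ }) -join ';'
                Deletes   = $_.DeleteMessage
                MovesTo   = $_.MoveToFolder
                Triggers  = (@($_.SubjectContainsWords; $_.BodyContainsWords) | Where-Object { $_ }) -join ';'
            }
        }
}
$suspect | Sort-Object Mailbox | Format-Table -AutoSize
```

The `Triggers` column is the one to read first. A rule whose condition is a word like "invoice", "payment" or "wire" and whose action is delete or move-to-RSS is the classic business email compromise pattern: the attacker keeps the payment thread alive with the counterparty while the real mailbox owner never sees it. A rule with a blank `Rule` name, or a name that is a single character, is another common tell. Step 3 enumerates every mailbox one at a time, so on a tenant of a few hundred users expect it to take a few minutes.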
Turn on the audit log
If an account is ever compromised, the difference between a clean recovery and a guessing game is whether the activity was logged. And this is the one most people get wrong.
The Unified Audit Log captures activity across email, files, Teams, and sign-ins. It's the record investigators actually need to reconstruct an incident. Microsoft's own Purview documentation states plainly that "auditing isn't enabled by default for Small and Medium Business (SMB) licenses, including Microsoft 365 Business Basic, Business Standard, and Business Premium." An admin has to turn it on. No log means no forensic record after an incident, full stop.
The check: in Exchange Online PowerShell, run Get-AdminAuditLogConfig. If UnifiedAuditLogIngestionEnabled reads True, you're covered. If it reads False, the log is off and nothing is being recorded. Turn it on, and know that nothing before that moment exists in the log. Once it's on, retention is 180 days. That's the runway you'd have to investigate, and a forensics gap is invisible right up until the day you need it.
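Since the post's own check is a single cmdlet, the added example below goes one step further: it runs that check, turns ingestion on if it is off, and then pulls the inbox-rule events that mailbox auditing records, so you can see the kind of evidence the log holds. This is example code written for this post, not Microsoft's; it assumes Exchange Online PowerShell with the Audit Logs role, and the 30-day window is an arbitrary choice.

```powershell
# Added example: verify the Unified Audit Log, enable it if needed, and query inbox-rule activity.
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    'Unified audit log is now on. Nothing before this moment exists in it.'
}
else {
    'Unified audit log already on.'
}

# Inbox-rule operations from the last 30 days. The first three come from PowerShell/admin paths,
# UpdateInboxRules is what Outlook clients generate when a user (or an attacker in their session) edits rules.
$end   = Get-Date
$start = $end.AddDays(-30)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations 'New-InboxRule','Set-InboxRule','Remove-InboxRule','UpdateInboxRules'

$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json            # per-event detail is a JSON blob
    [pscustomobject]@{
        When       = $_.CreationDate
        User       = $_.UserIds
        Operation  = $_.Operations
        ClientIP   = $d.ClientIP
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize -Wrap
```

Two things to read from the output. `ClientIP` against a user who has never logged in from that country or provider is the single strongest signal in this dataset; `Parameters` shows what the rule actually does, so a `ForwardTo` or `DeleteMessage` value created at an odd hour deserves a call to the user. A query that returns nothing on a tenant that has been running for years is not reassurance: it usually means ingestion was only just enabled, which is the gap the post is describing.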
Rein in third-party app consent
Consent phishing is a quieter attack. Instead of stealing a password, the attacker tricks a user into approving a third-party app that then has standing access to read all their mail. No password changes hands, so it can sit there unnoticed.
Microsoft tightened this in mid-2025, so by default most users can no longer approve these apps on their own. That's a meaningful improvement. But it shifts the request to you, and the admin consent workflow that lets users ask for an app and an admin review it still needs to be set up. Without it, requests either pile up or get rubber-stamped.
The check: confirm user consent is restricted, and confirm the admin consent request workflow is actually configured. The goal is a real decision each time, not a blanket yes and not a silent no.
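Both halves of that check, what users may consent to and whether the admin consent request workflow exists, live in two Entra policies that Microsoft Graph PowerShell can read in a few lines. The script below is an added example for this post, not Microsoft's own; it assumes the Microsoft.Graph module, and the reviewer object ID in the optional enable step is a placeholder you would replace with a real user's ID.

```powershell
# Added example: read the user-consent setting and the admin consent request workflow.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConsentRequest' -NoWelcome

# 1. What can an ordinary user grant to a third-party app on their own?
#    Empty                                                       -> users cannot consent to any app
#    ManagePermissionGrantsForSelf.microsoft-user-default-low    -> low-impact permissions from verified publishers only
#    ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users may consent to anything (the old default)
$authz  = Get-MgPolicyAuthorizationPolicy
$grants = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"User consent policies assigned: $(if ($grants) { $grants -join ', ' } else { '(none: users cannot self-consent)' })"

# 2. Is there a route for users to ask, and for an admin to decide?
$acr = Get-MgPolicyAdminConsentRequestPolicy
[pscustomobject]@{
    WorkflowEnabled     = $acr.IsEnabled
    NotifyReviewers     = $acr.NotifyReviewers
    RemindersEnabled    = $acr.RemindersEnabled
    RequestDurationDays = $acr.RequestDurationInDays
    Reviewers           = ($acr.Reviewers | ForEach-Object { $_.Query }) -join '; '
} | Format-List

# 3. Optional: switch the workflow on with one named reviewer.
#    '00000000-0000-0000-0000-000000000000' is a placeholder; use the object ID of the admin who will review.
if (-not $acr.IsEnabled) {
    Update-MgPolicyAdminConsentRequestPolicy `
        -IsEnabled $true -NotifyReviewers $true -RemindersEnabled $true -RequestDurationInDays 30 `
        -Reviewers @(@{ query = '/users/00000000-0000-0000-0000-000000000000'; queryType = 'MicrosoftGraph' })
    'Admin consent request workflow enabled.'
}
```

The combination you want is a restricted grant policy in step 1 (either empty or the `-low` policy) together with `WorkflowEnabled` reading `True` and at least one reviewer in step 2. Restricted consent with no workflow is the "silent no" the post warns about: users hit a wall, nobody hears about it, and the shadow-IT workaround follows. The legacy grant policy with a workflow is the opposite failure, since users never need to ask.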
A few quick wins
Two more worth a mention.
External sender warning tags. Microsoft 365 can add an informational banner to inbound mail from outside your organization, a small "this came from an external sender" nudge that makes impersonation attempts easier for your people to spot. It doesn't block anything, but it costs nothing and helps.
One note on licensing, because it just changed. As of July 2026, Microsoft 365 E3 now includes Defender for Office 365 Plan 1. So if you're on E3 rather than Business Premium, the email controls above, impersonation protection, Safe Links, and Safe Attachments, now apply to you too.
Turning it on is step one, not the finish line
Turning these settings on closes the easy doors, and that's most of the value. But a setting doesn't watch itself.
Impersonation protection only helps if someone keeps the VIP list current. The audit log only matters if someone reads it. And when an inbox-rule change is logged at 2am, the control that recorded it can't disable the account, pull the device off the network, or stop the wire from going out. These controls generate signals. Someone still has to watch them and act. That's the line between configuration and response, and it's where a lot of well-configured companies quietly get stuck.
Getting the configuration right is exactly what our Collaboration Security work covers: hardening the Microsoft 365 setup you probably already pay for. Watching it afterward, and acting when something fires, is what Managed Detection and Response adds. The settings keep the easy attempts out. The watching is what catches the one that gets through.
Where this starts
Collaboration Security & Management
Security and management for Microsoft 365 or Google Workspace. We set security baselines, review sharing and access controls, and either work alongside your IT team or handle day-to-day administration.
Where it goes next
Managed Detection & Response
24/7 detection and response across endpoints, email, cloud systems, collaboration tools, and SaaS apps. The same engineers who investigate alerts also improve detections and coordinate response.
If you'd like us to walk your Microsoft 365 setup and Secure Score with you and tell you straight which of these are worth doing first, book a discovery call.