Microsoft 365 is the backbone of most small business IT. From email and file storage to video conferencing and team collaboration, M365 handles the daily operations that keep Bergen County businesses running. But many organizations deploy Microsoft 365 with default settings and never revisit them, leaving significant security gaps that attackers actively exploit. Here are the essential security features you should enable and configure to protect your business.
Why Microsoft 365 Security Matters
Microsoft 365 is not just email. It contains your organization's most sensitive data and serves as the identity platform that controls access to everything else. A compromised M365 account gives attackers access to:
- All emails and attachments: Including confidential client communications, financial documents, contracts, and internal discussions.
- Files in OneDrive and SharePoint: Every document your team has stored in the cloud becomes accessible to the attacker.
- Teams conversations and files: Private team discussions, shared files, and recorded meetings are all exposed.
- The ability to impersonate the user: An attacker with access to an email account can send emails as that person, potentially tricking clients, vendors, and coworkers into transferring funds, sharing additional credentials, or opening malicious attachments.
- Potential access to connected applications: Many businesses use Microsoft 365 as their single sign-on platform. A compromised M365 account can provide access to CRM systems, accounting software, project management tools, and other connected applications.
For Bergen County businesses in industries like healthcare, legal, financial services, and accounting, a Microsoft 365 breach can also trigger regulatory reporting requirements and result in significant fines and liability. Taking the time to properly configure M365 security is one of the highest-impact investments a small business can make.
Essential Security Settings
1. Multi-Factor Authentication (MFA)
This is non-negotiable. Multi-factor authentication should be enabled for every user in your organization, with no exceptions. MFA requires users to verify their identity with a second factor beyond their password, which means that even if a password is stolen through phishing or a data breach, the attacker still cannot access the account. Microsoft provides several MFA options:
- Microsoft Authenticator app (recommended): Push notifications with number matching, or time-based codes, on the user's smartphone. Number matching is now mandatory for Authenticator push prompts, and it matters because it defeats the "MFA fatigue" trick of spamming a user with approval prompts until one is accepted. This is the best balance of security and convenience for most businesses, although a push or code can still be phished by a proxy site that relays the login in real time.
- SMS codes: Better than nothing, but SMS can be intercepted through SIM swapping and a texted code is just as easy to phish as a password. Use app-based authentication instead whenever possible.
- Hardware security keys (FIDO2): Physical USB or NFC keys that provide phishing-resistant authentication: the key only signs for the site it was registered with, so a look-alike login page gets nothing useful. Recommended for administrator accounts and users who handle particularly sensitive data. Passkeys stored in the Microsoft Authenticator app offer the same phishing resistance without a separate device.
Use Security Defaults (free with every Microsoft 365 tenant) or Conditional Access policies (requires Microsoft Entra ID P1, formerly Azure AD Premium P1, which is included in Microsoft 365 Business Premium) to enforce MFA organization-wide. The two are mutually exclusive: Security Defaults must be switched off before Conditional Access policies can be used, so plan the cutover rather than leaving a window with neither. Do not leave MFA as optional, because users who are not required to use it typically will not enable it on their own. The only accounts that should be handled differently are one or two emergency access ("break-glass") accounts excluded from Conditional Access; give those a long randomly generated password stored offline or a FIDO2 key, and alert on every sign-in they make.
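The checks below are an added example, not code from the original article: they show how to confirm from PowerShell that something is actually enforcing MFA and who has not registered a method yet. They assume the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and an account with at least Global Reader; the method names filtered in the last step are the values Graph reports in the user registration details report.

```powershell
# Added example: audit MFA enforcement and registration coverage.
Connect-MgGraph -Scopes "Policy.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Is Security Defaults on? Only meaningful if you are NOT using Conditional Access;
#    the two cannot both be active.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Is any enabled Conditional Access policy requiring MFA? (Entra ID P1 tenants.)
#    Policies that use an authentication strength instead of the plain "mfa" control
#    carry it in GrantControls.AuthenticationStrength rather than BuiltInControls.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' -and
                   ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength) }
"Enabled Conditional Access policies requiring MFA: $(@($mfaPolicies).Count)"
if (-not $sd.IsEnabled -and @($mfaPolicies).Count -eq 0) {
    Write-Warning "Nothing is enforcing MFA tenant-wide."
}

# 3. Who has not registered an MFA method? These users are one leaked password away
#    from compromise today, and will be locked out the day enforcement starts.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$details | Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending | Format-Table -AutoSize

# 4. Who still relies on SMS/voice only? Candidates for the Authenticator app or a FIDO2 key.
$details | Where-Object {
    $_.IsMfaRegistered -and
    -not ($_.MethodsRegistered | Where-Object { $_ -notin 'mobilePhone','alternateMobilePhone','officePhone' })
} | Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }
```

Run it before and after a rollout: step 3 is the list to chase down, and step 2 returning zero with Security Defaults off is the configuration gap the section warns about.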
2. Conditional Access Policies
Conditional Access takes security beyond simple MFA by letting you create access rules that evaluate several signals before granting access. Available with Microsoft Entra ID P1 (formerly Azure AD Premium P1, included in Microsoft 365 Business Premium), Conditional Access policies let you:
- Require MFA for risky sign-ins: When Microsoft detects a login from an unusual location, an unfamiliar device, or other risk indicators, the user is challenged with additional verification. Note that the sign-in risk and user risk signals come from Entra ID Protection, which requires Entra ID P2; Business Premium includes only P1. Without P2 you can still approximate this with device, location, and application conditions.
- Block access from certain countries: If your business only operates in the United States, there is no reason to allow logins from countries where you have no employees or clients. Geo-blocking removes a large volume of automated attacks, but treat it as noise reduction rather than a real control: a targeted attacker will simply route through a US-based VPN or proxy, and travelling staff will need an exception process.
- Require compliant devices for access: Ensure that only devices meeting your security requirements (encryption enabled, antivirus running, up-to-date patches) can access company resources. This depends on the devices being enrolled in Intune (included in Business Premium) with compliance policies defined there.
- Block legacy authentication protocols: Automatically prevent connections using outdated protocols that cannot support modern security controls, via the "Exchange ActiveSync clients" and "Other clients" client app conditions.
- Require stronger authentication for sensitive applications: Apply additional requirements when users access high-value applications like financial systems or HR platforms. Conditional Access authentication strengths let you demand phishing-resistant MFA (FIDO2 keys, passkeys, or certificates) for specific apps or for everyone holding an admin role.
3. Block Legacy Authentication
"Legacy authentication" means basic authentication: a client sending a username and password with every connection over protocols such as POP3, IMAP, SMTP AUTH, and older Exchange ActiveSync clients. Basic authentication has no way to carry a second factor, so a password alone is enough, which turns these endpoints into a backdoor around your MFA requirements. Attackers routinely probe them with passwords harvested from phishing and breach dumps, precisely because MFA is enforced everywhere else. The protocols themselves are not the problem; IMAP, POP, and SMTP all work with modern (OAuth 2.0) authentication in Exchange Online.
Microsoft has already turned off basic authentication for most Exchange Online protocols in all tenants. The notable remaining exception is SMTP AUTH, which should be disabled at the tenant level and re-enabled only for the specific mailboxes that need it. Block legacy authentication with a Conditional Access policy for all users as well, so that nothing can re-enable it quietly. Most modern email clients, mobile devices, and applications use modern authentication and are not affected. If you have devices or applications that still require it, such as older multifunction printers that scan to email, work with your IT provider on alternatives: Microsoft's direct send or an SMTP relay connector for devices on your network, or, as a last resort, SMTP AUTH enabled on a single dedicated, unprivileged mailbox.
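The following is an added example, not the article's own code, that creates the two Conditional Access policies discussed in sections 2 and 3 (block legacy authentication, require MFA for all users) in report-only mode, then disables SMTP AUTH in Exchange Online and lists mailboxes that override that setting. It assumes Entra ID P1, the Microsoft Graph PowerShell SDK, the ExchangeOnlineManagement module, and that you have already created an emergency access account whose object ID replaces the placeholder GUID.

```powershell
# Added example: Conditional Access policies in report-only mode plus SMTP AUTH lockdown.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All" -NoWelcome
$breakGlass = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of your break-glass account

# Policy 1: block legacy (basic) authentication for everyone.
# clientAppTypes "other" is how Conditional Access represents basic-auth clients.
$blockLegacy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # review sign-in logs, then change to "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require MFA for every user on every application.
$requireMfa = @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Exchange Online: SMTP AUTH is the last basic-auth protocol Microsoft still allows by default.
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Mailboxes with an explicit per-mailbox override keep SMTP AUTH on despite the tenant setting.
# Each one here should be a known, unprivileged service mailbox (e.g. a scan-to-email printer).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

Leave both policies in report-only mode for a week or two and review the sign-in logs for what they would have blocked; that is where the scan-to-email printer and the forgotten line-of-business app show up before they become a helpdesk ticket.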
4. Configure Email Security
Email remains the primary attack vector for most businesses. Microsoft 365 includes several email protection features that should be properly configured, not left at default settings:
- Anti-phishing policies: Configure impersonation protection to detect emails that attempt to impersonate your executives, your domain, or trusted external partners. This is especially important for Bergen County businesses that regularly communicate with clients via email about financial matters.
- Safe Attachments: This feature opens suspicious attachments in a secure sandbox environment to test for malicious behavior before delivering them to the user. Enable it for all users.
- Safe Links: Rewrites URLs in emails to scan them at click-time rather than just at delivery time. This catches malicious links that were clean when the email arrived but were weaponized afterward.
- Anti-spam policies: Tune spam filtering sensitivity to match your business needs. Too aggressive, and legitimate emails get blocked. Too lenient, and phishing emails reach your users' inboxes.
These features are part of Microsoft Defender for Office 365. Plan 1 is included in Microsoft 365 Business Premium and can be bought as an add-on for Business Basic or Standard; Plan 2 adds attack simulation training, threat hunting, and automated investigation. If you are on a lower-tier plan without it, consider upgrading to gain these protections. Whichever plan you have, the fastest way to get Microsoft's recommended settings is to turn on the "Standard" or "Strict" preset security policy in the Defender portal and then layer your own impersonation lists and exceptions on top.
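Here is an added example, not taken from the article, of configuring the four protections above from Exchange Online PowerShell rather than the portal, so the settings can be reviewed and reapplied. It assumes Defender for Office 365 Plan 1, the ExchangeOnlineManagement module, and that the domain, executive name, and partner domain shown are placeholders for your own.

```powershell
# Added example: Defender for Office 365 baseline for every mailbox in the tenant.
Connect-ExchangeOnline
$domain = "contoso.com"   # placeholder: your accepted domain

# Safe Attachments: detonate attachments in a sandbox and block the message if anything fires.
New-SafeAttachmentPolicy -Name "Safe Attachments - all users" -Enable $true -Action Block
New-SafeAttachmentRule -Name "Safe Attachments - all users" `
    -SafeAttachmentPolicy "Safe Attachments - all users" -RecipientDomainIs $domain

# Safe Links: rewrite URLs and scan at click time in mail, Teams and Office apps,
# including internal senders, and do not let users click through a warning.
New-SafeLinksPolicy -Name "Safe Links - all users" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links - all users" `
    -SafeLinksPolicy "Safe Links - all users" -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for named executives ("Display Name;address"),
# all of your own domains, and the partners you exchange money-related mail with.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect @("Jane Doe;jane.doe@$domain") `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @("trusted-partner.example") `
    -TargetedUserProtectionAction Quarantine -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSpoofIntelligence $true -PhishThresholdLevel 2

# Outbound spam policy: stop automatic forwarding to external addresses, a favourite
# persistence trick after a mailbox compromise. Users who need forwarding get an exception here.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

The impersonation lists are the part that needs maintenance: add every executive, bookkeeper, and partner domain that can plausibly be named in a wire-transfer request, and review the list when people join or leave.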
5. Enable Audit Logging
The Unified Audit Log records user and administrator activity across Microsoft 365 services. Microsoft now turns it on by default for most tenants, but verify it rather than assume it, especially in older tenants or where an administrator may once have turned it off, and check that mailbox auditing is on as well. Just as important is retention: the default for Audit (Standard) is measured in months (180 days at the time of writing, up from the earlier 90), and keeping logs longer requires Audit (Premium) or exporting them to a SIEM or log archive. Audit logging is critical for:
- Investigating security incidents: When an account is compromised, audit logs show which mailboxes were accessed and from which IP addresses, which inbox rules and forwarding addresses were created, what was shared, and what files were downloaded. Without them you are guessing at the scope of the breach, which usually means a broader and more expensive notification.
- Compliance requirements: Many regulations require organizations to maintain audit trails of access to sensitive data. Healthcare practices in Bergen County, for example, need these logs for HIPAA compliance.
- Detecting unauthorized access: Regular review of audit logs can reveal suspicious patterns such as logins from unusual locations, bulk file downloads, or mailbox rule changes that indicate a compromise.
- Understanding what happened when something goes wrong: Beyond security, audit logs help troubleshoot issues, track changes, and answer questions about who did what and when.
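The script below is an added example, not part of the article, showing the two halves of this section in practice: confirming the audit switches are on, then running the kind of review the "Detecting unauthorized access" bullet describes, a hunt through the last 14 days of the Unified Audit Log for inbox rules or mailbox settings that forward mail outside the organization or hide it. It assumes the ExchangeOnlineManagement module, an account holding the Audit Logs role, and that the internal domain list is replaced with your own.

```powershell
# Added example: verify auditing, then hunt for forwarding and hiding inbox rules.
Connect-ExchangeOnline
$internalDomains = @("contoso.com", "contoso.onmicrosoft.com")   # placeholder: your domains, lower-case

# 1. Audit switches: expect True for the first line and False for the second.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
(Get-OrganizationConfig).AuditDisabled

# 2. Pull rule- and forwarding-related operations. 5000 is the per-call ceiling;
#    larger windows need -SessionCommand ReturnLargeSet and paging.
$end   = Get-Date
$start = $end.AddDays(-14)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox

# 3. Parse each record's AuditData JSON. Exchange cmdlet audits carry a Parameters array
#    of Name/Value pairs; forwarding targets appear as strings containing SMTP addresses.
$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = [string]$p.Value }

    $targets = @($params['ForwardTo'], $params['ForwardAsAttachmentTo'],
                 $params['RedirectTo'], $params['ForwardingSmtpAddress']) | Where-Object { $_ }
    $addresses = foreach ($t in $targets) {
        [regex]::Matches($t, '[\w.+-]+@[\w.-]+\.\w+') | ForEach-Object { $_.Value.ToLower() }
    }
    $external = $addresses | Where-Object { ($_ -split '@')[-1] -notin $internalDomains }

    # Rules that delete or bury mail are used to hide replies to the attacker's fraud emails.
    $hides = [bool]($params['DeleteMessage'] -eq 'True' -or
                    $params['MoveToFolder'] -match 'RSS|Archive|Deleted|Junk')

    if ($external -or $hides) {
        [pscustomobject]@{
            When      = $r.CreationDate
            User      = $r.UserIds
            Operation = $r.Operations
            ClientIP  = $d.ClientIP
            External  = ($external -join ';')
            Hides     = $hides
        }
    }
}
$findings | Sort-Object When -Descending | Format-Table -AutoSize
```

Rules created from Outlook desktop are logged as UpdateInboxRules mailbox-audit events with a different JSON layout, so extend the parser if your users mostly work in Outlook. An empty result on a compromised tenant usually means auditing was off or retention already expired, which is the argument for checking step 1 now rather than during an incident.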
6. Configure Data Loss Prevention (DLP)
Data Loss Prevention policies help prevent sensitive information from leaving your organization through email, Teams, SharePoint, or OneDrive. Properly configured DLP can:
- Detect sensitive data types: Automatically identify credit card numbers, Social Security numbers, health records, financial account numbers, and other regulated data types in emails and documents.
- Block or warn when sensitive data is shared externally: You can configure policies to block the transmission of sensitive data, display a warning to the user asking them to confirm the action, or simply log the event for review.
- Create custom policies for your specific data types: Every business has unique types of sensitive information. Build custom DLP policies that recognize your specific data patterns, such as client account numbers, case file identifiers, or internal classification labels.
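As an added illustration (not the article's code) of the three bullets above, this builds one DLP policy spanning mail, Teams, SharePoint, and OneDrive that warns on a small number of US Social Security or card numbers sent outside the organization and blocks bulk disclosures outright. It assumes Security & Compliance PowerShell (Connect-IPPSSession from the ExchangeOnlineManagement module), a licence that includes Purview DLP such as Business Premium, and that the compliance mailbox and policy names are placeholders.

```powershell
# Added example: tiered DLP policy, started in test mode with policy tips.
Connect-IPPSSession
$policy = "Regulated identifiers - external"

New-DlpCompliancePolicy -Name $policy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications   # watch false positives for a few weeks, then -Mode Enable

# Tier 1: a handful of identifiers. Let the user proceed, but show a policy tip and log it.
# The array of sensitive information types matches when ANY of them is found.
New-DlpComplianceRule -Name "Warn - few identifiers" -Policy $policy `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; maxCount = "4" },
        @{ Name = "Credit Card Number";                minCount = "1"; maxCount = "4" }) `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This item contains regulated personal data. Confirm the recipient before sending." `
    -GenerateIncidentReport "compliance@contoso.com" -IncidentReportContent All

# Tier 2: five or more identifiers in one item looks like a bulk export. Block it.
New-DlpComplianceRule -Name "Block - bulk identifiers" -Policy $policy `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "5" },
        @{ Name = "Credit Card Number";                minCount = "5" }) `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport "compliance@contoso.com" -IncidentReportContent All

# Your own identifiers (client account numbers, case file IDs) become a custom sensitive
# information type created with New-DlpSensitiveInformationType, referenced here by Name.
```

Starting in test mode matters: a policy that blocks on day one will block an invoice with a card number in it and be switched off by Friday; a policy that first shows you what it would have blocked survives.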
7. Manage External Sharing
Microsoft 365 makes it easy to share files and folders with people outside your organization, which is great for collaboration but dangerous if not controlled. Without proper sharing controls, an employee can accidentally share an entire SharePoint library with an "Anyone" link that works for whoever ends up holding it, forwarded or not:
- Limit who can share externally: Restrict external sharing to specific users or groups rather than allowing everyone in the organization to share content outside the company, and consider an allow-list of partner domains.
- Require guests to authenticate: Do not allow "Anyone" (anonymous) links, which are bearer links that grant access to whoever has the URL. Require external recipients to sign in, either with their own Microsoft account or a one-time passcode, before accessing shared content, so that access is tied to a person who can be audited and removed.
- Set expiration dates for sharing links: Sharing links should not remain active indefinitely. Set automatic expiration dates so that access is revoked when it is no longer needed.
- Review and audit external sharing regularly: Periodically review what content is being shared externally and with whom. Revoke access that is no longer necessary.
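This added example, not code from the article, applies the four controls above to the SharePoint and OneDrive tenant settings and then lists the sites still open to external sharing for the periodic review. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint Administrator account, and that the tenant name, partner domain, and day counts are placeholders. Restricting sharing to a named security group is done in the SharePoint admin center rather than here.

```powershell
# Added example: tenant-wide SharePoint/OneDrive external sharing hardening.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$watch = 'SharingCapability', 'DefaultSharingLinkType', 'DefaultLinkPermission',
         'ExternalUserExpirationRequired', 'ExternalUserExpireInDays',
         'PreventExternalUsersFromResharing', 'RequireAnonymousLinksExpireInDays',
         'SharingDomainRestrictionMode', 'SharingAllowedDomainList'
"Before:"; Get-SPOTenant | Select-Object $watch | Format-List

# Guests must sign in; "Anyone" links are no longer offered at all.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
# New sharing links default to "people in your organization", view only.
Set-SPOTenant -DefaultSharingLinkType Internal -DefaultLinkPermission View
# Guest access lapses after 60 days unless the site owner renews it.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60
# Guests cannot re-share what they were given.
Set-SPOTenant -PreventExternalUsersFromResharing $true
# Defence in depth: if someone later re-enables Anyone links, they still expire.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 14
# Optional allow-list: external sharing only with named partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "trusted-partner.example"

"After:"; Get-SPOTenant | Select-Object $watch | Format-List

# Periodic review: which sites still permit external sharing, and who owns them.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object SharingCapability, Url | Format-Table -AutoSize
```

Tenant settings cap what sites can do but do not touch links that already exist, so pair this with a review of existing guests and links on the sites that hold client data.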
Admin Account Security
Administrator accounts have the highest privileges in your Microsoft 365 environment and are the most valuable targets for attackers. These accounts need extra protection beyond what you provide to regular users:
- Use dedicated admin accounts: Administrators should have a separate account for administrative tasks that is never used for daily email, web browsing, or other routine activities. This limits the exposure of admin credentials.
- Require hardware security keys for admin MFA: Admin accounts should use the strongest available authentication method. Hardware security keys (FIDO2) are the gold standard for administrative accounts, and a Conditional Access policy with a phishing-resistant authentication strength, targeted at directory roles, enforces it instead of relying on each admin to remember.
- Minimize the number of global administrators: The fewer accounts with global admin privileges, the smaller your attack surface. Most organizations need no more than two to four global admins (plus the break-glass accounts). Use Microsoft's scoped roles, such as Exchange Administrator, User Administrator, or Helpdesk Administrator, for day-to-day tasks.
- Use Privileged Identity Management (PIM): PIM provides just-in-time administrative access, meaning admins must explicitly activate their privileges for a limited time window rather than having permanent standing access. PIM requires Entra ID P2, which is not part of Business Premium; without it, keep standing global admins to the minimum above and rely on scoped roles.
- Review admin activity regularly: Monitor administrative actions through audit logs to ensure that changes are authorized and expected.
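The inventory below is an added example, not from the article, that checks the current Global Administrators against the practices above: how many there are, whether each has registered MFA and a phishing-resistant method, and whether the account looks like a dedicated admin account (an unlicensed account with no mailbox is the usual sign). It assumes the Microsoft Graph PowerShell SDK and a Global Reader; the limit of four and the "unlicensed means dedicated" heuristic are assumptions taken from the guidance above.

```powershell
# Added example: Global Administrator inventory and hygiene check.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Well-known role template ID for Global Administrator (same in every tenant).
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $role) { throw "Global Administrator role is not activated in this tenant." }

# Active assignments only; PIM-eligible assignments are not returned here.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$report = foreach ($m in $members) {
    # Groups and service principals holding the role deserve their own review; skip them here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u   = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AssignedLicenses, AccountEnabled
    $reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $u.Id
    [pscustomobject]@{
        UPN            = $u.UserPrincipalName
        Enabled        = $u.AccountEnabled
        MfaRegistered  = $reg.IsMfaRegistered
        Methods        = ($reg.MethodsRegistered -join ',')
        PhishResistant = [bool]($reg.MethodsRegistered | Where-Object { $_ -match 'fido2|windowsHelloForBusiness|passKey|certificate' })
        Licensed       = (@($u.AssignedLicenses).Count -gt 0)   # a dedicated admin account normally has no licence
    }
}
$report | Format-Table -AutoSize

if (@($report).Count -gt 4) {
    Write-Warning "$(@($report).Count) Global Administrators; aim for 2-4 and move the rest to scoped roles."
}
$report | Where-Object { -not $_.MfaRegistered -or -not $_.PhishResistant } |
    ForEach-Object { Write-Warning "$($_.UPN) has no phishing-resistant MFA registered." }
$report | Where-Object { $_.Licensed } |
    ForEach-Object { Write-Warning "$($_.UPN) is licensed; is this a daily-use account holding Global Admin?" }
```

Run it quarterly and after staff changes; the licensed-account warning is the one that usually finds the owner's everyday mailbox still holding Global Administrator.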
Security Monitoring
Microsoft includes several built-in security monitoring tools that every business should take advantage of. These tools provide visibility into your security posture and alert you to potential threats:
- Secure Score: Provides a numerical score representing your organization's security posture, along with specific recommendations for improvement. Work through the recommendations systematically to improve your score over time.
- Security Dashboard: An overview of current threats, active alerts, and security trends across your M365 environment. Review it regularly to stay aware of emerging risks.
- Alert Policies: Configure automatic notifications for suspicious activity such as unusual login patterns, bulk file deletions, mail forwarding rule changes, and other indicators of compromise. Send alerts to a monitored mailbox or distribution list rather than only to a single administrator's inbox, since that account may be the one compromised, and make sure the recipient will actually act on them.
Getting Your Microsoft 365 Security Right
Configuring Microsoft 365 security properly requires both technical knowledge and an understanding of your business needs. At Bergen Computer Solutions, we help businesses throughout Bergen County conduct Microsoft 365 security assessments, implement the essential controls described above, and provide ongoing monitoring to ensure your environment stays secure. Whether you are setting up Microsoft 365 for the first time or want to review the security of an existing deployment, contact us for a free consultation. A few hours of proper configuration can prevent months of recovery from a preventable breach.
Need Help With Your IT?
Bergen Computer Solutions provides expert IT support for businesses and home users throughout Bergen County.
Contact Us Today (201) 669-3107