Microsoft 365 Security: 10 Best Practices Every Business Should Enable
A concrete Microsoft 365 hardening checklist — MFA, conditional access, DKIM/DMARC, alerts and the exact settings to flip today.
Why default Microsoft 365 is not secure enough
A fresh M365 tenant ships with weak defaults: legacy authentication is often allowed, MFA is optional, and there is no automatic quarantine of suspicious sign-ins. Attackers know this.
The 10-point hardening checklist
- Enforce MFA for every user via Security Defaults or Conditional Access.
- Block legacy authentication (POP, IMAP, SMTP basic auth).
- Enable Conditional Access to require compliant devices and block risky sign-ins.
- Set up DKIM, SPF, and DMARC on every sending domain (p=quarantine minimum).
- Enable Safe Links and Safe Attachments (Defender for Office 365).
- Turn on mailbox auditing for every user.
- Restrict tenant-wide external sharing in SharePoint and OneDrive.
- Alert on impossible-travel sign-ins.
- Enforce password-less or FIDO2 keys for admins.
- Enable retention policies on Exchange and Teams (7-year default is common).
Common mistakes we see
- Global admin accounts used for daily email
- Break-glass account with no monitoring
- Users self-inviting external guests to sensitive Teams
- No offboarding checklist when someone leaves
Free M365 security review
The Network Guy 209 offers a free M365 tenant assessment for California businesses — we score your tenant against the CIS Microsoft 365 Benchmark and hand you the report.
Frequently Asked Questions
Is Microsoft 365 Business Premium enough?
Yes for most SMBs — it includes Defender, Intune and Conditional Access. But the license alone doesn't configure anything; a technician has to enable and tune the policies.
What is Conditional Access?
A policy engine that lets you require MFA, compliant devices, or block sign-ins from specific countries, IPs, or risk levels. It's the single most powerful security lever in M365.
Need reliable IT support for your business?
The Network Guy 209 provides Managed IT Services, Cybersecurity, Cloud Solutions, Microsoft 365, Network Installation, Server Management, Data Backup, Disaster Recovery, and Website Development for businesses throughout Manteca, Stockton, Tracy, Lathrop, Ripon, Modesto, Lodi, Sacramento, the Bay Area, and across California.
Managed IT & cybersecurity experts serving Manteca, Stockton, Modesto, Tracy and the Central Valley.
Get more IT insights like this
Monthly tips on cybersecurity, Microsoft 365, and small-business IT — written for Central Valley owners.
