
Top 10 Microsoft 365 Security Settings Every Business Should Enable

Why Default M365 Settings Are Not Enough

Microsoft 365 ships with reasonable defaults, but "reasonable" is not the same as "secure." Out of the box, a tenant is missing several protections that attackers actively look for: no enforced MFA for ordinary users, legacy protocols still reachable, users free to grant OAuth apps access to their mailbox, and auto-forwarding to outside addresses allowed. Most of the ten settings below are included in the plans small businesses already pay for (Conditional Access needs Microsoft Entra ID P1 and Safe Links/Safe Attachments need Defender for Office 365, both of which are bundled in Microsoft 365 Business Premium), and enabling them can dramatically reduce your risk of account takeover and data theft.

1. Enable Multi-Factor Authentication (MFA) for All Users

MFA is the single most effective control against account takeover. In Microsoft 365, navigate to Microsoft Entra ID (formerly Azure Active Directory) > Security > Conditional Access and create a policy that requires MFA for all users on all cloud apps. Exclude at least one emergency-access ("break-glass") account so a misconfigured policy cannot lock every admin out, and start the policy in report-only mode to review the sign-in log before enforcing it. If you do not have Entra ID P1 (included in Business Premium), enable Security Defaults instead: it requires every user to register for MFA, always challenges administrators, and blocks legacy authentication. Security Defaults and Conditional Access cannot be used at the same time, so pick one.

2. Turn On Microsoft Defender for Office 365 Safe Links

Safe Links rewrites URLs in email, Teams messages and Office documents and checks them at click time, so a link that was clean at delivery but later weaponised is still blocked. Go to Microsoft 365 Defender > Policies & Rules > Threat Policies > Safe Links and create a policy covering all recipients. Set the policy to wait for URL scanning before delivering the message and do not allow users to click through to the original URL.

3. Enable Safe Attachments

Safe Attachments detonates email attachments in a sandbox before they reach the inbox. Under the same Threat Policies menu, create a Safe Attachments policy covering all recipients and set the action to Dynamic Delivery: users receive the message body immediately with a placeholder attachment, and the real file is swapped in once the scan completes. While you are there, also turn on Safe Attachments for SharePoint, OneDrive and Microsoft Teams so files shared internally are scanned as well.
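The Safe Links and Safe Attachments policies from sections 2 and 3 can be created in one sitting from Exchange Online PowerShell. The following is an added example, not configuration from the original article; it assumes the ExchangeOnlineManagement module is installed, that you hold the Security Administrator role, and that `contoso.com` stands in for your own accepted domain.

```powershell
# Added example: create Safe Links and Safe Attachments policies for all recipients.
# Assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence.
Connect-ExchangeOnline

# Assumption: replace with your own accepted domain(s)
$domain = "contoso.com"

# --- Section 2: Safe Links -------------------------------------------------
# Rewrite and scan URLs in mail, Teams and Office clients; hold the message
# until the scan finishes; do not let users click through a warning page.
New-SafeLinksPolicy -Name "SafeLinks-AllUsers" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false

New-SafeLinksRule -Name "SafeLinks-AllUsers" `
    -SafeLinksPolicy "SafeLinks-AllUsers" `
    -RecipientDomainIs $domain

# --- Section 3: Safe Attachments ------------------------------------------
# DynamicDelivery delivers the body at once and swaps the attachment in
# after detonation; blocked files go to an admin-only quarantine.
New-SafeAttachmentPolicy -Name "SafeAttachments-AllUsers" `
    -Enable $true `
    -Action DynamicDelivery `
    -QuarantineTag AdminOnlyAccessPolicy

New-SafeAttachmentRule -Name "SafeAttachments-AllUsers" `
    -SafeAttachmentPolicy "SafeAttachments-AllUsers" `
    -RecipientDomainIs $domain

# Also scan files in SharePoint Online, OneDrive and Teams
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# --- Verify ---------------------------------------------------------------
Get-SafeLinksPolicy |
    Format-List Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, ScanUrls, AllowClickThrough
Get-SafeAttachmentPolicy |
    Format-List Name, Enable, Action, QuarantineTag
Get-AtpPolicyForO365 |
    Format-List EnableATPForSPOTeamsODB
```

The rule is what scopes the policy to recipients; a policy with no rule attached does nothing. If your tenant already has Microsoft's preset security policies (Standard or Strict) applied to all users, those take precedence over a custom policy of the same type, so check `Get-EOPProtectionPolicyRule` and `Get-ATPProtectionPolicyRule` before adding more.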

4. Block Legacy Authentication Protocols

Protocols like POP3, IMAP and SMTP AUTH use basic authentication, which cannot prompt for a second factor. Attackers use them specifically to replay a stolen password around your MFA policy. Microsoft has now retired basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per tenant or per mailbox and third-party apps may still attempt legacy sign-ins, so create a Conditional Access policy that blocks the "Exchange ActiveSync clients" and "Other clients" client app types, and disable SMTP AUTH in Exchange Online unless a specific device genuinely needs it. Check the sign-in log for legacy authentication attempts first so you know which printers or line-of-business apps will break.
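Sections 1 and 4 are both Conditional Access policies, so here is one added example (not code from the original article) that creates both with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the account running it holds Conditional Access Administrator rights, and that `$breakGlassId` is the object ID of your emergency-access account; the policies are created in report-only mode and should be switched to `enabled` only after you have reviewed the sign-in log.

```powershell
# Added example: create the MFA-for-all and block-legacy-auth policies
# from sections 1 and 4 via Microsoft Graph PowerShell.
# Assumes Microsoft Entra ID P1 (bundled with Business Premium).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumption: object ID of your break-glass account. Always exclude it so a
# bad policy cannot lock every administrator out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Helper: build the common skeleton (all users except break-glass, all apps)
function New-CaPolicyBody {
    param(
        [string]$Name,
        [hashtable]$ExtraConditions = @{},
        [string[]]$GrantControls
    )
    $conditions = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
    }
    foreach ($k in $ExtraConditions.Keys) { $conditions[$k] = $ExtraConditions[$k] }
    return @{
        displayName   = $Name
        # Report-only first; change to "enabled" once the sign-in log looks right
        state         = "enabledForReportingButNotEnforced"
        conditions    = $conditions
        grantControls = @{
            operator        = "OR"
            builtInControls = $GrantControls
        }
    }
}

# Section 1: require MFA for every user on every cloud app
$mfaPolicy = New-CaPolicyBody -Name "CA001 - Require MFA for all users" `
    -GrantControls @("mfa")
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Section 4: block legacy authentication. "exchangeActiveSync" and "other"
# are the client app types that cover EAS, POP3, IMAP, SMTP AUTH and old Office.
$legacyPolicy = New-CaPolicyBody -Name "CA002 - Block legacy authentication" `
    -ExtraConditions @{ clientAppTypes = @("exchangeActiveSync", "other") } `
    -GrantControls @("block")
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Confirm both exist and are in report-only mode
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.DisplayName -like "CA00*" } |
    Select-Object DisplayName, State, Id

# Section 4, belt and braces: SMTP AUTH is the one basic-auth protocol still
# switchable per tenant, so turn it off at the Exchange Online level too.
# (Re-enable per mailbox with Set-CASMailbox -SmtpClientAuthenticationDisabled $false
#  only for a device that genuinely needs it.)
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

Before flipping either policy to `enabled`, filter the Entra sign-in log on Client app = "Other clients" or "Exchange ActiveSync" for the last few weeks; anything still appearing there is what the block will break.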

5. Work Through Microsoft Secure Score Recommendations

Visit security.microsoft.com > Secure Score. The score lists which recommended protections are missing in your tenant and ranks them by points, which roughly track impact. Work through the recommended actions from highest to lowest impact, and re-check monthly: Microsoft adds new recommendations regularly, so a score that was good last quarter drifts downward on its own.

6. Enable Unified Audit Logging

The unified audit log records admin and user activity across Exchange, SharePoint, OneDrive, Teams and Entra ID: mailbox logins, inbox rule changes, file downloads, permission grants and more. Without it, investigating a breach is guesswork. Go to the Microsoft Purview compliance portal (formerly Compliance Center) > Audit and confirm that auditing is turned on. Retention on standard licensing is limited to a few months, so if you need a longer investigation window, export the log to a SIEM or enable extended retention.
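Confirming the setting from PowerShell, and then actually using the log, looks like the following. This is an added example rather than the article's own procedure; it assumes the ExchangeOnlineManagement module, and the query it runs (inbox rule creation over the last seven days, a staple of business email compromise triage) is one a practitioner would want ready before an incident rather than during one.

```powershell
# Added example: verify/enable unified audit logging, then run a triage query
# for inbox rule changes, which attackers use to hide or forward mail.
# Assumes the ExchangeOnlineManagement module and an audit-capable role.
Connect-ExchangeOnline

# 1. Confirm ingestion is on; switch it on if not
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit log ingestion enabled (can take hours to take effect)."
} else {
    Write-Host "Unified audit log ingestion already enabled."
}

# 2. Who created or changed inbox rules in the last 7 days, and from where?
#    New-InboxRule/Set-InboxRule come from PowerShell/OWA; UpdateInboxRules
#    comes from Outlook desktop and stores details in OperationProperties.
$results = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules `
    -ResultSize 5000

$interesting = 'Name', 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
               'DeleteMessage', 'MoveToFolder', 'MarkAsRead'

$results | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    # Both record shapes expose Name/Value pairs; merge whichever is present
    $props = @($d.Parameters) + @($d.OperationProperties) | Where-Object { $_ }
    [pscustomobject]@{
        When     = $_.CreationDate
        User     = $_.UserIds
        Op       = $_.Operations
        ClientIP = $d.ClientIP
        Details  = ($props | Where-Object { $_.Name -in $interesting } |
                    ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

A rule named with a single character or a blank space, one that deletes or moves mail matching "password", "invoice" or "bank", or one created from an IP address in a country the user has never worked from, is worth a phone call to that user the same day.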

7. Configure External Email Warning Tags

Add a visual warning to every email that originates from outside your organisation. It will not stop a well-crafted attack on its own, but it makes it much harder to pass off a lookalike or display-name-spoofed external address as a colleague, because the message a "colleague" supposedly sent from inside now carries an external banner. Exchange Online has a built-in option that adds an "External" tag in Outlook clients (enabled with the `Set-ExternalInOutlook` cmdlet); if you want a full banner in the message body, or need it in clients that do not render the tag, create a mail flow rule under Exchange Admin Center > Mail Flow > Rules that prepends a disclaimer when the sender is outside the organisation.
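Both approaches from section 7, as an added example that is not from the original article. It assumes the ExchangeOnlineManagement module; the banner wording and colours are placeholders to replace with your own, and the allow-list domain is hypothetical.

```powershell
# Added example: tag or banner external mail in Exchange Online.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.
Connect-ExchangeOnline

# Option A: native "External" tag rendered by Outlook, OWA and mobile clients.
# Optional allow list keeps a trusted partner's mail untagged (hypothetical domain).
Set-ExternalInOutlook -Enabled $true -AllowList "partner.example"

# Option B: mail flow (transport) rule that prepends an HTML banner to any
# message arriving from outside the organisation to an internal recipient.
# Priority 0 puts it ahead of other rules so the banner is always applied.
$banner = @'
<div style="background:#fff4ce;border:1px solid #f0c36d;padding:6px;font-family:sans-serif;font-size:12px">
<b>CAUTION:</b> This email came from outside the organisation.
Do not click links or open attachments unless you recognise the sender and were expecting this message.
</div>
'@

New-TransportRule -Name "External sender warning banner" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Verify
Get-ExternalInOutlook | Format-List Enabled, AllowList
Get-TransportRule "External sender warning banner" |
    Format-List Name, State, Priority, FromScope, SentToScope
```

Keep the banner short: a long boilerplate block at the top of every external email trains people to scroll past it, which defeats the purpose.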

8. Restrict Mailbox Delegation and Auto-Forwarding

Attackers who compromise an account routinely set up silent auto-forwarding or a forwarding inbox rule to an external address so they keep receiving the victim's mail even after the password is reset. Block outbound auto-forwarding tenant-wide by editing the outbound spam filter policy (Microsoft 365 Defender > Policies & Rules > Threat Policies > Anti-spam > Anti-spam outbound policy) and setting Automatic forwarding rules to Off. That blocks future forwarding; you should also hunt for forwarding that is already in place, both at mailbox level and in inbox rules, and review who holds Full Access or Send As delegation on mailboxes other than their own, since unexplained delegation is another way an attacker keeps persistent access.
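The following is an added example (not the article's own code) that applies the section 8 setting from Exchange Online PowerShell and then hunts for forwarding and delegation that already exist. It assumes the ExchangeOnlineManagement module; on a large tenant the inbox-rule loop is slow, so run it out of hours.

```powershell
# Added example: block auto-forwarding, then find existing forwarding and
# delegation. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# 1. Block automatic forwarding to external addresses tenant-wide
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 2. Mailbox-level forwarding (set by admins or via compromised admin accounts)
Write-Host "`n== Mailbox-level forwarding =="
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Inbox rules that forward or redirect (the attacker's usual choice,
#    because the user can create them without any admin involvement)
Write-Host "`n== Inbox rules that forward or redirect =="
$mailboxes | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
} | Format-Table -AutoSize

# 4. Delegation: explicit Full Access granted to someone other than the owner
Write-Host "`n== Full Access delegation =="
$mailboxes |
    Get-MailboxPermission |
    Where-Object {
        $_.User -notlike 'NT AUTHORITY\SELF' -and
        -not $_.IsInherited -and
        $_.AccessRights -contains 'FullAccess'
    } |
    Select-Object Identity, User, AccessRights |
    Format-Table -AutoSize

# 5. Send As rights granted to other users
Write-Host "`n== Send As delegation =="
$mailboxes |
    Get-RecipientPermission |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' -and $_.AccessRights -contains 'SendAs' } |
    Select-Object Identity, Trustee, AccessRights |
    Format-Table -AutoSize
```

Anything that turns up in steps 2 and 3 pointing at a consumer mail domain (gmail.com, outlook.com and the like) deserves the same treatment as a confirmed compromise: remove the rule, reset the password, revoke sessions, and check the audit log for when and from where it was created.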

9. Enable Azure AD Password Protection

This feature rejects passwords that appear on Microsoft's global list of commonly used and easily guessed passwords, and lets you add a custom banned list (your company name, product names, local sports teams) that attackers routinely try in password sprays. The global list is applied to all cloud accounts automatically; the custom list, and extending the check to on-premises Active Directory, require Microsoft Entra ID P1. The on-premises mode also needs the password protection proxy service and a DC agent deployed on each domain controller, and should be run in audit mode first so you can see what would be rejected. Configure it under Microsoft Entra ID > Security > Authentication Methods > Password Protection.

10. Review and Restrict App Consent Permissions

OAuth consent phishing tricks users into granting a third-party app persistent access to their mail, files and contacts through a legitimate-looking Microsoft consent prompt. Because the attacker holds an OAuth token rather than a password, MFA does not help and a password reset does not revoke the access. Under Microsoft Entra ID > Enterprise Applications > Consent and permissions > User consent settings, either disable user consent entirely or restrict it to low-impact permissions from verified publishers, and turn on the admin consent workflow so legitimate requests are routed to an administrator instead of failing silently. Then review the grants that already exist in your tenant and revoke any app you do not recognise.
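Section 10 in Microsoft Graph PowerShell, as an added example that is not from the original article. It assumes the Microsoft.Graph module, Global Administrator or Privileged Role Administrator rights, and that `$reviewerId` is the object ID of the admin who should receive consent requests.

```powershell
# Added example: lock down user consent, enable the admin consent workflow,
# and list existing user consents so they can be reviewed and revoked.
# Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization",
                        "Policy.ReadWrite.ConsentRequest",
                        "Directory.Read.All",
                        "DelegatedPermissionGrant.ReadWrite.All"

# 1. Disable user consent: an empty permission-grant policy list means users
#    cannot consent to any application themselves.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}
# Less strict alternative (low-impact permissions from verified publishers only):
#   PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")

# 2. Admin consent workflow: blocked requests go to a reviewer with reminders.
#    Assumption: $reviewerId is an administrator's object ID.
$reviewerId = "00000000-0000-0000-0000-000000000000"
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled -NotifyReviewers -RemindersEnabled `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ query = "/users/$reviewerId"; queryType = "MicrosoftGraph" })

# 3. Review what users have already consented to. ConsentType "Principal" means
#    a single user granted it; "AllPrincipals" means an admin consented for everyone.
$grants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "Principal" } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            GrantId   = $_.Id
            App       = $sp.DisplayName
            AppId     = $sp.AppId
            Publisher = $sp.PublisherName
            UserId    = $_.PrincipalId
            Scopes    = $_.Scope
        }
    }

# Flag the scopes consent-phishing campaigns typically ask for
$risky = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All',
         'Files.ReadWrite.All', 'Contacts.Read', 'offline_access'
$grants |
    Where-Object { $g = $_; $risky | Where-Object { $g.Scopes -match "\b$_\b" } } |
    Sort-Object App |
    Format-Table App, Publisher, UserId, Scopes -AutoSize

# 4. Revoke a grant that should not exist (uncomment with a GrantId from above)
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<GrantId>"
```

Revoking the grant removes the app's ability to obtain new tokens; tokens already issued live until they expire, so for a confirmed malicious app also revoke the user's sessions (`Revoke-MgUserSignInSession`) and check the audit log for what the app read while it had access.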

Need Help Securing Your Microsoft 365 Tenant?

Decoding IT provides Microsoft 365 security reviews and managed configuration for businesses across India and the UAE. Contact us to schedule a free 30-minute assessment.


Not sure if your Microsoft 365 tenant is configured correctly? We offer a free 30-minute Microsoft 365 health check — we'll look at your security settings, licensing, and user setup and tell you exactly what needs attention. No sales pitch, no obligation. Book your free check here.