Microsoft 365 has become the backbone of daily operations for businesses across North Carolina. Email, file storage, collaboration, video meetings, and productivity tools all run through a single platform. That concentration makes M365 an incredibly attractive target for attackers. A compromised Microsoft 365 account gives an attacker access to email, OneDrive files, SharePoint documents, Teams conversations, and potentially the entire organization's data. Despite this, the majority of small and mid-sized businesses are running M365 with default security settings that leave significant gaps. This guide covers the configurations that matter most.
Enable Multi-Factor Authentication for Every Account
This is the single most important security step you can take in Microsoft 365, and it should be implemented on day one. MFA requires users to verify their identity with a second factor, typically a code from the Microsoft Authenticator app, in addition to their password. Microsoft's own data shows that MFA blocks more than 99.9% of account compromise attacks. Despite this, a staggering number of businesses still have MFA disabled or only enabled for administrator accounts. Enable MFA for every user, including shared mailboxes and service accounts where possible. Use the Microsoft Authenticator app rather than SMS codes, because SIM-swapping attacks can intercept text messages. Configure MFA through Conditional Access policies if you have Azure AD Premium licensing, which gives you granular control over when and where MFA is required.
Configure Conditional Access Policies
Conditional Access is the traffic control system for your M365 environment. It evaluates every login attempt against a set of conditions you define and then grants, limits, or blocks access accordingly. At minimum, configure policies that block sign-ins from countries where your business has no operations, require MFA for all external network access, block legacy authentication protocols that cannot support MFA, require compliant devices for access to sensitive data, and force password changes when a user's risk level is elevated. These policies work together to create multiple layers of defense around your accounts and data. Without Conditional Access, any valid username and password combination works from anywhere in the world, which is exactly what attackers exploit.
Harden Email Security Settings
Email is the primary attack vector for business compromise, and Microsoft 365 includes powerful email security features that most businesses never configure. Start with Exchange Online Protection baseline settings, then layer on advanced anti-phishing policies that use mailbox intelligence to detect impersonation attempts targeting your executives and finance team. Enable Safe Attachments to detonate suspicious files in a sandbox before delivering them to inboxes. Configure Safe Links to rewrite and scan URLs at time of click rather than time of delivery, catching links that are weaponized after the initial email passes through filters. Set up DMARC, DKIM, and SPF records for your domain to prevent attackers from spoofing your email address when targeting your customers, vendors, and partners.
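A check for the SPF and DMARC records just described, as an added example that is not part of the original article: it flags the weak settings that still leave a domain spoofable, using constructed record strings for a placeholder domain.

```powershell
# Added example (not from the original article): checks SPF and DMARC TXT record values
# for the weak settings that leave a domain spoofable. The record strings are constructed
# samples; for a real domain, feed in the TXT values from
#   Resolve-DnsName -Name example.com -Type TXT  and  Resolve-DnsName -Name _dmarc.example.com -Type TXT
# DKIM is not parsed here: for Exchange Online it is two CNAMEs (selector1/selector2._domainkey)
# that you publish and then enable per domain in the Defender portal.
function Test-MailAuthRecords {
    param([string]$Spf, [string]$Dmarc)
    $findings = @()

    # SPF: the terminal "all" mechanism decides what receivers do with unlisted senders.
    if ($Spf -notmatch '^v=spf1\b') { $findings += "SPF: record missing or malformed" }
    elseif ($Spf -match '\+all')     { $findings += "SPF: '+all' authorizes every sender" }
    elseif ($Spf -match '\?all')     { $findings += "SPF: '?all' is neutral, nothing is enforced" }
    elseif ($Spf -match '~all')      { $findings += "SPF: '~all' is softfail; use '-all' once DMARC is at reject" }
    if ($Spf -notmatch 'include:spf\.protection\.outlook\.com') {
        $findings += "SPF: Exchange Online (spf.protection.outlook.com) is not an authorized sender"
    }

    # DMARC: p=none only produces reports; quarantine or reject is what stops spoofed mail.
    $tags = @{}
    foreach ($part in ($Dmarc -split ';')) {
        if ($part -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    if ($tags['v'] -ne 'DMARC1') { $findings += "DMARC: record missing or malformed" }
    elseif ($tags['p'] -eq 'none') { $findings += "DMARC: p=none monitors only; move to quarantine, then reject" }
    elseif ($tags['p'] -notin @('quarantine', 'reject')) { $findings += "DMARC: unknown policy '$($tags['p'])'" }
    if (-not $tags['rua']) { $findings += "DMARC: no rua= address, so aggregate reports are never received" }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings += "DMARC: pct=$($tags['pct']) leaves some mail unenforced" }
    return $findings
}

# Constructed sample 1: a common starting point (softfail SPF, monitor-only DMARC, no reporting)
$weak = Test-MailAuthRecords -Spf 'v=spf1 include:spf.protection.outlook.com ~all' `
                             -Dmarc 'v=DMARC1; p=none'
# Constructed sample 2: the hardened target state
$strong = Test-MailAuthRecords -Spf 'v=spf1 include:spf.protection.outlook.com -all' `
                               -Dmarc 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100'

"Weak records:"; $weak | ForEach-Object { "  $_" }
"Hardened records: $(@($strong).Count) findings"
```

The first sample produces three findings (softfail SPF, p=none, no rua address); the hardened sample produces none.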
Lock Down SharePoint and OneDrive Sharing
Default sharing settings in SharePoint and OneDrive are often far more permissive than businesses realize. By default, users may be able to share files and folders with anyone, including people outside your organization, using anonymous links that require no authentication. Review and tighten these settings. Restrict external sharing to specific partner domains if possible, or at minimum require external recipients to authenticate before accessing shared content. Disable anonymous sharing links entirely unless there is a specific business need. Set expiration dates on sharing links so that temporary access does not become permanent. Enable auditing on sensitive document libraries so you can track who accesses what and when. These controls prevent both accidental data exposure and intentional exfiltration.
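The tenant-level version of these sharing controls, as an added example using the SharePoint Online Management Shell rather than code from the article; "contoso" and "partner.example" are placeholders for your tenant and an approved partner domain.

```powershell
# Added example (not from the original article): tightens tenant-wide sharing in
# SharePoint Online and OneDrive with the SharePoint Online Management Shell.
# "contoso" and "partner.example" are placeholders for your tenant and partner domain.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Anonymous ("Anyone") links off; external recipients must sign in, and only from
# approved partner domains. ExistingExternalUserSharingOnly is stricter still.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example" `
              -RequireAcceptingAccountMatchInvitedAccount $true `
              -PreventExternalUsersFromResharing $true

# The default link is internal and view-only, so the permissive option is never the
# one-click choice; if anonymous links are ever re-enabled they expire in 30 days.
Set-SPOTenant -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30

# Guest access itself expires, so temporary access does not become permanent.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# Sites can only be as permissive as the tenant, but ones configured wider than the
# new baseline are worth knowing about: report them for review.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```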
Set Up Data Loss Prevention Policies
Data Loss Prevention (DLP) policies automatically detect and protect sensitive information across Exchange, SharePoint, OneDrive, and Teams. Configure policies to identify sensitive data types relevant to your business, such as Social Security numbers, credit card numbers, HIPAA-protected health information, or financial account numbers. When DLP detects sensitive data being shared inappropriately, it can warn the user, block the action, or notify an administrator. For regulated businesses, DLP is often a compliance requirement, but even non-regulated companies benefit from preventing employees from accidentally emailing spreadsheets full of customer data to the wrong recipient. Start with Microsoft's built-in sensitive information types and customize from there based on your specific data protection needs.
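A policy and rule built from two of the built-in sensitive information types mentioned above, as an added example (not the article's own code) in Security & Compliance PowerShell; the policy and rule names are placeholders and a compliance-administrator session is assumed.

```powershell
# Added example (not from the original article): a DLP policy scoped to the four workloads
# named above, with one rule built from two of Microsoft's built-in sensitive information
# types. Runs in Security & Compliance PowerShell (Exchange Online Management module) as a
# compliance administrator; policy and rule names are placeholders.
Connect-IPPSSession

# The policy sets scope. TestWithNotifications shows users the policy tip without blocking,
# so false positives surface before enforcement.
New-DlpCompliancePolicy -Name "Protect customer PII" `
    -Comment "SSN and payment card numbers must not leave the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types, matched when at least one instance is present.
$sensitiveTypes = @(
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
    @{ Name = "Credit Card Number";               minCount = "1" }
)

# The rule defines the match and the response: block sharing outside the organization,
# tell the file owner why, and raise a high-severity incident report for the admins.
New-DlpComplianceRule -Name "Block external sharing of SSN or card numbers" `
    -Policy "Protect customer PII" `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText "This item contains customer PII and cannot be shared outside the company." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent All -ReportSeverityLevel High

# After the test period, enforce; the rule settings carry over unchanged.
# Set-DlpCompliancePolicy -Identity "Protect customer PII" -Mode Enable
```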
Enable Comprehensive Audit Logging
Unified Audit Logging records user and administrator activity across all M365 services. This data is essential for detecting suspicious behavior, investigating incidents, and demonstrating compliance. Verify that unified audit logging is enabled in your tenant, because it is not always on by default. Configure retention policies to keep logs for at least 12 months, longer if your industry regulations require it. Set up alerts for high-risk activities such as mail forwarding rule creation, mass file downloads, administrator role changes, and login attempts from unusual locations. When a security incident does occur, detailed audit logs are often the only way to determine what happened, what was accessed, and how the attacker got in.
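Detection logic for the first of the high-risk activities listed above, mail forwarding rule creation, as an added example that is not from the original article: it runs over constructed audit records in the shape Search-UnifiedAuditLog returns in its AuditData field, and the users, addresses and IPs are placeholders.

```powershell
# Added example (not from the original article): detection logic for one of the
# high-risk activities above, mail forwarding rule creation. It runs over constructed
# records in the shape Search-UnifiedAuditLog returns in its AuditData JSON field;
# the users, IPs and addresses are placeholders.
$sampleAuditData = @'
[
 {"CreationTime":"2024-05-01T13:02:11","Operation":"New-InboxRule","Workload":"Exchange",
  "UserId":"ap@contoso.example","ClientIP":"203.0.113.10",
  "Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"drop@outside.example"},
                {"Name":"DeleteMessage","Value":"True"}]},
 {"CreationTime":"2024-05-01T13:05:40","Operation":"New-InboxRule","Workload":"Exchange",
  "UserId":"jo@contoso.example","ClientIP":"198.51.100.7",
  "Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"News"}]},
 {"CreationTime":"2024-05-01T14:10:02","Operation":"Set-Mailbox","Workload":"Exchange",
  "UserId":"admin@contoso.example","ClientIP":"198.51.100.7",
  "Parameters":[{"Name":"Identity","Value":"cfo"},{"Name":"ForwardingSmtpAddress","Value":"smtp:cfo@outside.example"}]}
]
'@

function Find-ForwardingRules {
    param([Parameter(Mandatory)][object[]]$Records)
    # Any of these parameters sends a copy of mail outside the mailbox, whichever cmdlet set it
    $forwardParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'ForwardingAddress'
    foreach ($r in $Records) {
        $hits = @($r.Parameters | Where-Object { $_.Name -in $forwardParams })
        if ($hits.Count -eq 0) { continue }
        $params = @{}
        foreach ($p in $r.Parameters) { $params[$p.Name] = $p.Value }
        [pscustomobject]@{
            Time        = $r.CreationTime
            User        = $r.UserId
            ClientIP    = $r.ClientIP
            Operation   = $r.Operation
            RuleName    = $params['Name']
            Destination = ($hits.Value -join ', ')
            # Forward-and-delete, often under a one-character rule name, is the pattern
            # that hides a mailbox compromise from its owner; alert on it with priority.
            DeletesMail = [bool]($params['DeleteMessage'] -eq 'True')
        }
    }
}

$records = $sampleAuditData | ConvertFrom-Json
Find-ForwardingRules -Records $records | Format-Table -AutoSize

# Against a live tenant after Connect-ExchangeOnline, replace the sample with:
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations New-InboxRule,Set-InboxRule,Set-Mailbox -ResultSize 5000 |
#     ForEach-Object { $_.AuditData | ConvertFrom-Json }
```

On the sample data the first and third records are reported (the second only moves mail to a folder), and the first is marked DeletesMail.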
Manage Mobile Devices and Applications
With employees accessing M365 from personal phones, tablets, and laptops, mobile device management is critical. At minimum, use Microsoft Intune or Basic Mobility and Security to enforce device-level protections such as requiring a passcode, encrypting device storage, and enabling remote wipe for lost or stolen devices. Application protection policies add another layer by controlling how corporate data flows between apps on a device. For example, you can prevent users from copying data from Outlook or Teams into personal apps or from saving corporate files to unmanaged cloud storage. These policies protect your data without requiring employees to surrender their personal devices for full management.
Partner with an M365 Security Specialist
Microsoft 365 has hundreds of security settings spread across multiple admin centers. Configuring them correctly requires deep knowledge of both the platform and the threat landscape. Misconfigurations are common and often invisible until an incident exposes them. PCG manages Microsoft 365 environments for businesses across North Carolina, handling everything from initial secure setup to ongoing monitoring and optimization. If your M365 tenant was set up with default settings, or if you are not sure whether your current configuration meets security best practices, our team can conduct a thorough security assessment and bring your environment up to the standard your business requires.