You bought Microsoft 365 licenses. Your users have their passwords. You think you’re secure. But the default configuration of Microsoft 365 is not secure. Microsoft gives you the tools, but you have to turn them on. Here are five security settings every US business should enable immediately.

Number one: Security defaults. This is a one-click setting that enforces multi-factor authentication for all users, blocks legacy authentication (like old Outlook clients that don’t support MFA), and automatically protects privileged actions. Go to Azure AD portal, Properties, and turn on Security defaults. It takes thirty seconds and stops about 99 percent of password spray attacks.

Number two: Conditional Access policies. Security defaults are great for small businesses. For anything larger, you need Conditional Access. The most important policy: require MFA for all cloud apps except when users are on the corporate trusted IP range. This means your employees only get a second login challenge when they work from home or Starbucks. It balances security and convenience.

Number three: Block legacy authentication. Legacy (basic) authentication for protocols like POP3, IMAP4, and SMTP does not support MFA. Attackers love these protocols. You should block them entirely unless you have a specific legacy device, like an old scanner or a manufacturing machine that can’t be updated. In Conditional Access, create a policy that blocks all clients using legacy authentication. You’ll see the number of failed login attempts drop to nearly zero overnight.
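Here is what the two Conditional Access policies above (MFA outside the trusted IP range, and blocking legacy authentication) look like when created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, that your corporate IP range is already defined as a trusted named location, and that the two object IDs below are placeholders you replace with your own.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# module is installed and your account holds the Conditional Access Administrator
# role. Both policies start in report-only mode; flip 'state' to "enabled" after
# reviewing the sign-in logs for unexpected blocks.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# PLACEHOLDER: object ID of your emergency-access ("break glass") account.
# Excluding it keeps a mis-scoped policy from locking every admin out.
$breakGlass = "00000000-0000-0000-0000-000000000000"
# PLACEHOLDER: object IDs of the rare devices that genuinely cannot use modern
# auth (the old scanner from the article). Use @() if you have none.
$legacyDeviceExceptions = @("11111111-1111-1111-1111-111111111111")

# Policy 1: require MFA for all cloud apps unless the sign-in originates from a
# trusted named location (your corporate IP range marked "trusted" in Entra).
$requireMfa = @{
    displayName   = "CA01 - Require MFA outside trusted locations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications = @{ includeApplications = @("All") }
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types that cover basic-auth POP3/IMAP4/SMTP and old Office clients.
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass) + $legacyDeviceExceptions
        }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

While the policies sit in report-only mode, the sign-in logs show which users and devices would have been blocked, which is how you find the legacy devices that still need an exception before enforcement.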

Number four: Turn on audit logging. Microsoft 365 does not record every action unless you enable it. Go to the Purview compliance portal, turn on the unified audit log, and set retention to at least 180 days for the standard logs and longer for critical events. If you ever get breached or audited, you need to know who accessed what and when. Without logs, you’re blind.

Number five: Set up Data Loss Prevention policies. DLP prevents users from accidentally sending sensitive data like Social Security numbers or credit card information via email or Teams. Create a simple policy that detects patterns like SSNs or driver’s license numbers and warns the user before they send. It doesn’t block productivity; it prevents mistakes, the kind that can cost you a compliance fine or a client relationship.

These five settings will take you from a default, vulnerable Microsoft 365 tenant to one that is secure enough for most regulated industries. Of course, if you need help configuring them — or if you want a full security assessment — we do that every day for US businesses.
