Microsoft 365 is the backbone of most businesses. Email, files, collaboration, identity — it all runs through M365. But most tenants are running with default settings that leave critical gaps in security. We audit M365 environments for new clients every month, and the same problems appear in nearly every one. No MFA on admin accounts. Default sharing permissions. No backup. No email authentication.
This guide covers the security configurations every business should have in place. These aren't advanced enterprise controls — they're the baseline. If your Microsoft 365 tenant doesn't have these configured, you have gaps that attackers are actively exploiting.
1. Enforce Multi-Factor Authentication for Every User
This is the single most important security control in your M365 tenant. MFA requires users to verify their identity with a second factor — typically a phone notification or authenticator app — in addition to their password. Without MFA, a stolen password gives an attacker full access to email, files, Teams, and everything else in your tenant.
The mistake most businesses make is leaving MFA optional or enforcing it only for admin accounts. MFA must be enforced for every user, every time. The only sanctioned exception is one or two emergency-access (break-glass) accounts that are excluded from every policy, protected by long credentials kept offline, and alerted on whenever they sign in. Security defaults can enforce basic MFA for the whole tenant, but they allow no conditions and no exclusions; for proper control use Conditional Access policies (requires Microsoft Entra ID P1, formerly Azure AD P1, which is included in Microsoft 365 Business Premium).
What we configure: Conditional Access policies that require MFA for all users, block legacy authentication protocols (which never prompt for MFA), and limit sign-in frequency so sessions on unmanaged devices and from new locations are re-verified. Admin accounts get additional restrictions, including an authentication strength that accepts only phishing-resistant methods (FIDO2 security keys, Windows Hello for Business, or certificate-based authentication). Roll every new policy out in report-only mode first and check the sign-in logs for what it would have blocked before switching it to enabled.
2. Configure Conditional Access Policies
MFA alone isn't enough. Conditional Access evaluates the context of every login — where the user is, what device they're using, what application they're accessing, and whether the login looks risky — and applies the appropriate level of verification or blocks the attempt entirely.
Key Conditional Access policies every business should have:
- Require MFA for all users, all cloud apps — the foundation policy, excluding only the break-glass accounts
- Block legacy authentication — older protocols such as POP3, IMAP, and SMTP basic auth never prompt for MFA, so a password alone is enough, which makes them a favourite target for password spraying. Exchange Online has retired basic auth for most protocols, but SMTP AUTH can still be enabled per tenant and per mailbox, so block the "other clients" app type in Conditional Access and disable SMTP AUTH in Exchange as well
- Require compliant devices — only allow access from devices managed by your organization (requires Intune)
- Block sign-ins from countries where your business has no operations — using named locations; this cuts noise rather than stopping a determined attacker, who can sign in through a VPN or residential proxy in your own country
- Risk-based policies — require a password change for users Microsoft Entra flags as high risk and MFA for high-risk sign-ins (requires Microsoft Entra ID P2; Business Premium includes only P1)
- Sign-in frequency and session policies — force re-authentication after a defined period and disable persistent browser sessions, especially for admin roles and sensitive applications
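The policies above, as an added example that is not code from the original article: the foundation policies (require MFA for all users, block legacy authentication, phishing-resistant MFA plus sign-in frequency for admin roles) created with the Microsoft Graph PowerShell SDK, and SMTP AUTH switched off in Exchange Online. The policy names, the break-glass account object IDs, and the four-hour sign-in frequency are assumptions to replace with your own; the role template IDs and the built-in phishing-resistant authentication strength ID are fixed values. Everything is created in report-only mode.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph.Identity.SignIns
# and ExchangeOnlineManagement modules and an account holding the Conditional Access
# Administrator and Exchange Administrator roles.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

# Emergency-access accounts are excluded from every policy. Placeholder object IDs.
$breakGlass = @("00000000-0000-0000-0000-0000000000aa", "00000000-0000-0000-0000-0000000000bb")

# Role template IDs are identical in every tenant.
$adminRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814",  # Privileged Role Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de",  # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",  # SharePoint Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "b1be1c3e-b65d-4f19-8427-f6fa0d97feb9"   # Conditional Access Administrator
)

$policies = @(
    @{
        displayName = "CA001 - Require MFA for all users"
        state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName = "CA002 - Block legacy authentication"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client types
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName = "CA003 - Phishing-resistant MFA for admin roles"
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users          = @{ includeRoles = $adminRoles; excludeUsers = $breakGlass }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{
            operator = "OR"
            # Built-in "Phishing-resistant MFA" strength: FIDO2, Windows Hello for Business, certificates
            authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
        }
        sessionControls = @{
            signInFrequency   = @{ value = 4; type = "hours"; frequencyInterval = "timeBased"; isEnabled = $true }
            persistentBrowser = @{ mode = "never"; isEnabled = $true }
        }
    }
)

foreach ($p in $policies) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Host "Skipping, already exists: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($created.DisplayName) [$($created.Id)] state=$($created.State)"
}

# Belt and braces: the CA "other clients" block stops legacy sign-ins at the identity
# layer; disabling SMTP AUTH tenant-wide stops the protocol accepting passwords at all.
Connect-ExchangeOnline -ShowBanner:$false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

Leave the three policies in report-only for a week or two, then review the "Report-only" tab of the sign-in logs: any legitimate service account still using basic auth, or any admin without a phishing-resistant credential registered, shows up there before anyone is locked out.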
3. Eliminate Shared Admin Accounts
This is one of the most common and most dangerous configurations we find. Multiple people sharing a single Global Administrator account, often with a password written on a sticky note or saved in a shared document. If that account is compromised, the attacker has unrestricted access to your entire tenant — they can delete data, create backdoor accounts, export your entire mailbox, and disable every security control you have.
Every person who needs admin access should have their own dedicated admin account, separate from their daily-use account: cloud-only, unlicensed, and without a mailbox, so it cannot be phished through email or synced from a compromised on-premises directory. Admin accounts should have the strongest MFA requirements, be excluded from any policies that relax security controls, and be audited regularly. Use role-based access control (RBAC) to give each admin only the specific permissions they need (Exchange Administrator, SharePoint Administrator, and so on), not Global Admin for everyone, and keep the number of permanent Global Admins to a handful. If you have Entra ID P2, make admin roles eligible rather than permanent with Privileged Identity Management so they are activated only when needed and every activation is logged.
4. Configure Email Authentication: SPF, DKIM, and DMARC
Email authentication prevents attackers from sending emails that appear to come from your domain. Without it, anyone can send an email that looks like it came from your CEO's address. These three protocols work together:
- SPF (Sender Policy Framework) — a DNS record that tells receiving servers which mail servers are authorized to send email on behalf of your domain
- DKIM (DomainKeys Identified Mail) — adds a cryptographic signature to outgoing email using a private key held by your mail service; receiving servers fetch the matching public key from your DNS to confirm the message was signed by a server authorized for your domain and that the signed headers and body were not modified in transit
- DMARC (Domain-based Message Authentication, Reporting and Conformance) — tells receiving servers what to do when an email fails SPF or DKIM checks — and sends you reports about who's sending email using your domain
The goal is to get your DMARC policy to p=reject, which tells receiving servers to discard any email claiming to be from your domain that doesn't pass authentication and align with it. Most businesses start with p=none (monitoring only) plus a rua= reporting address, use the aggregate reports to find every legitimate sender (payroll, CRM, ticketing, marketing tools), fix their SPF or DKIM, then step through p=quarantine (optionally ramping with pct=) to p=reject.
Why this matters: Without DMARC at p=reject, an attacker can send a phishing email to your finance team that appears to come from your CEO's exact email address. SPF/DKIM/DMARC at a reject policy stops that exact-domain spoofing at every receiver that enforces DMARC, and the major providers do. It does not stop lookalike domains or display-name tricks, so keep the user training and the out-of-band payment verification in place. This is especially critical for Calgary businesses handling financial transactions, legal documents, or sensitive client data.
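Setting this up in Exchange Online PowerShell, as an added example that is not code from the original article: it creates the DKIM signing configuration, prints the two CNAME records you must publish, checks the SPF, DMARC and DKIM records in DNS, and only then enables signing. The domain contoso.com, the reporting mailbox, and the staged DMARC records in the comments are assumptions; the SPF include for Microsoft 365 is the real one.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module, an Exchange Administrator account, and the placeholder domain contoso.com.
#
# Target DNS records for a tenant that sends only through Microsoft 365:
#   contoso.com         TXT  "v=spf1 include:spf.protection.outlook.com -all"
#   _dmarc.contoso.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@contoso.com"                 (step 1: monitor)
#   _dmarc.contoso.com  TXT  "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@contoso.com"   (step 2: tighten)
#   _dmarc.contoso.com  TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@contoso.com"               (step 3: goal)
Connect-ExchangeOnline -ShowBanner:$false
$domain = "contoso.com"

# 1. Create the DKIM signing config (disabled) so Exchange generates the selector targets.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain
Write-Host "Publish these CNAME records before enabling signing:"
Write-Host "  selector1._domainkey.$domain  CNAME  $($dkim.Selector1CNAME)"
Write-Host "  selector2._domainkey.$domain  CNAME  $($dkim.Selector2CNAME)"

# 2. Check what DNS actually says. Resolve-DnsName ships with Windows (DnsClient module).
function Test-EmailAuthRecords {
    param([string]$Domain)
    $spf   = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like "v=spf1*" } | Select-Object -First 1
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
    $sel1  = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $policy = if ($dmarc -match '(?:^|;\s*)p=(\w+)') { $Matches[1] } else { "missing" }
    [pscustomobject]@{
        Domain       = $Domain
        SPF          = $spf
        SPFHardFail  = [bool]($spf -match '\s-all$')   # "~all" soft-fail still lets spoofed mail through at many receivers
        DMARCPolicy  = $policy                          # none / quarantine / reject / missing
        DMARCReports = [bool]($dmarc -match 'rua=')     # no rua= means no visibility into who is sending as you
        DKIMCNAME    = [bool]$sel1
    }
}
$status = Test-EmailAuthRecords -Domain $domain
$status | Format-List

# 3. Enable DKIM signing only once the selector CNAME resolves; enabling earlier fails.
if ($status.DKIMCNAME) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Write-Host "DKIM signing enabled for $domain"
}
```

Run the check function against every domain the tenant sends from, including subdomains used by line-of-business systems; an unprotected subdomain inherits the parent's DMARC policy only if one exists, so a domain with no DMARC record at all is the common gap.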
5. Lock Down SharePoint and OneDrive Sharing
Default M365 sharing settings are dangerously permissive. Out of the box, users can share files and folders with anyone — including people outside your organization — with a single click. No approval required. No expiration date. No audit trail that anyone actually reviews.
We typically configure:
- External sharing restricted — limit sharing to authenticated external users only (no anonymous links)
- Default link type set to "People in your organization" — so accidental sharing doesn't go external
- Expiration on external sharing links — 30-day maximum, with re-authentication required
- Site-level permissions — not everything should be accessible to everyone in the company
- Sensitivity labels — classify documents (Confidential, Internal Only, Public) and enforce sharing restrictions based on classification
- DLP policies — prevent accidental sharing of sensitive data like credit card numbers, SIN numbers, or health information
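The tenant-wide sharing settings from the list above, applied with the SharePoint Online Management Shell, as an added example that is not code from the original article. The tenant name contoso, the Finance site URL, and the partner domain are assumptions; the parameter names are the real Set-SPOTenant and Set-SPOSite parameters. Sensitivity labels and DLP are configured in the Purview portal rather than here.

```powershell
# Added example, not from the original article. Assumes the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator account.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the starting point. Out of the box this usually shows
# SharingCapability = ExternalUserAndGuestSharing (anonymous "Anyone" links allowed)
# and DefaultSharingLinkType = AnonymousAccess.
$fields = "SharingCapability", "OneDriveSharingCapability", "DefaultSharingLinkType",
          "DefaultLinkPermission", "ExternalUserExpirationRequired", "ExternalUserExpireInDays",
          "EmailAttestationRequired", "EmailAttestationReAuthDays", "PreventExternalUsersFromResharing"
Write-Host "Before:"; Get-SPOTenant | Select-Object $fields | Format-List

# Splatting keeps each setting next to its reason.
$hardened = @{
    SharingCapability                 = "ExternalUserSharingOnly"   # guests must sign in; no anonymous links
    OneDriveSharingCapability         = "ExternalUserSharingOnly"   # same rule for OneDrive
    DefaultSharingLinkType            = "Internal"                  # new links default to "People in your organization"
    DefaultLinkPermission             = "View"                      # and to read-only
    RequireAnonymousLinksExpireInDays = 30                          # harmless now, matters if anonymous links are ever re-enabled
    ExternalUserExpirationRequired    = $true                       # guest access to a site or OneDrive expires...
    ExternalUserExpireInDays          = 30                          # ...after 30 days unless an owner renews it
    EmailAttestationRequired          = $true                       # one-time-code guests must re-verify their email...
    EmailAttestationReAuthDays        = 30                          # ...every 30 days
    PreventExternalUsersFromResharing = $true                       # guests cannot pass their access on to others
    SharingDomainRestrictionMode      = "AllowList"                 # only these partner domains can be invited at all
    SharingAllowedDomainList          = "partner.example"
}
Set-SPOTenant @hardened

# Site-level: sites holding sensitive data get no external sharing regardless of the tenant setting.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

Write-Host "After:"; Get-SPOTenant | Select-Object $fields | Format-List
```

Tightening SharingCapability does not revoke links that already exist; run a sharing report (SharePoint admin center, or Get-SPOSite with the site's external users) for the sites that matter and remove stale guests by hand.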
6. Govern Microsoft Teams
Teams is often the least governed part of an M365 tenant. Users create teams freely, add external guests without oversight, share files across channels with no retention policy, and nobody is reviewing who has access to what. Over time, this creates a sprawling mess of teams, channels, and files with no clear ownership or access control.
Governance doesn't mean locking Teams down so people can't use it. It means setting boundaries:
- Control who can create Teams — limit team creation to specific roles or require approval
- Guest access policies — define who can invite external guests and what guests can access
- Naming conventions — enforce consistent team naming so people can find what they need
- Expiration policies — automatically archive inactive teams after a defined period
- Retention policies — ensure chat and file data is retained according to your compliance requirements
- Channel moderation — for sensitive channels, require message approval from owners
7. Back Up Your Microsoft 365 Data
This is the one that surprises most business owners: Microsoft does not back up your data as part of the subscription. Microsoft guarantees platform availability (the service will be running) and gives you recycle bins, versioning, and retention windows, which are not a backup: a deleted SharePoint or OneDrive item sits in the recycle bin for 93 days, and a deleted user's mailbox and OneDrive are kept for 30 days by default, after which the data is gone. If a user deletes a critical SharePoint site, an admin account is compromised and data is exported, or ransomware encrypts your OneDrive files, those built-in windows are often not sufficient for recovery.
You need a backup solution, whether a third-party product or Microsoft's separately licensed Microsoft 365 Backup add-on, that covers:
- Exchange Online — mailboxes, calendars, contacts
- SharePoint Online — sites, document libraries, lists
- OneDrive for Business — individual user files
- Microsoft Teams — conversations, files, settings
Backups should run at least daily, with point-in-time recovery capability going back at least 30 days. Monthly recovery testing is essential — a backup you've never tested is a backup you can't trust.
Common misconception: "We have Office 365, so our data is in the cloud and safe." Being in the cloud protects against hardware failure at Microsoft's data centres. It does not protect against accidental deletion, malicious insiders, ransomware, or account compromise. Those are your responsibility.
8. Enable and Monitor the Secure Score
Microsoft 365 includes a built-in security assessment tool called Secure Score. It analyzes your tenant configuration and gives you a percentage score based on how many recommended security controls you've implemented. It also provides a prioritized list of actions you can take to improve your score.
Most tenants we audit for Calgary and Airdrie businesses start around 30-40% on their first assessment. After implementing the configurations in this guide, scores typically climb to 70-80%. The goal isn't necessarily 100% — some recommendations may not apply to your business — but anything below 60% indicates significant gaps.
Review your Secure Score monthly. New recommendations appear as Microsoft adds features and as the threat landscape evolves. It's the single best dashboard for understanding your tenant's security posture at a glance.
9. Configure Audit Logging and Alerts
Even with strong preventive controls, you need visibility into what's happening in your tenant. Unified Audit Logging is on by default in most tenants, but it can be turned off and sometimes has been, so verify it rather than assume it. Remember that the log is kept only for a limited window (180 days on the standard audit tier), so anything you may need for an investigation later must be exported to a SIEM or log store. You should have alerts configured for high-risk activities:
- New inbox forwarding, redirect, or delete rules (a sign of account compromise)
- Mailbox forwarding settings changed or mailbox permissions added
- Mass file downloads or deletions
- Admin role assignments
- Sign-ins flagged as atypical travel or from anonymous IP addresses
- External sharing of sensitive documents
- Repeated failed or denied MFA prompts (password spray or MFA fatigue indicators)
- Consent granted to a new OAuth application, especially one requesting mail or file access
- Changes to Conditional Access policies
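Verifying audit logging and hunting for the first two items on that list (external forwarding and mail-hiding inbox rules), as an added example that is not code from the original article. The forwarding heuristics, the folder names treated as hiding places, and the seven-day lookback are assumptions; the cmdlets and properties are the real Exchange Online ones. It also closes the automatic-forwarding door at the tenant edge, which stops most forwarding rules from working even if one is created.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module and an account with the Exchange Administrator and Audit Logs roles.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified audit logging must be on, or there is nothing to alert from.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit logging was OFF; enabled it (allow up to an hour to take effect)."
}

# 2. Block automatic forwarding to external recipients at the tenant level.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Hunt for mailbox forwarding and inbox rules that leak or hide mail.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    param([string[]]$Addresses)
    foreach ($a in $Addresses) {
        # Rule recipients look like '"Name" [SMTP:user@example.com]'; the mailbox
        # ForwardingSmtpAddress looks like 'smtp:user@example.com'.
        if ($a -match '(?i)smtp:([^\]\s]+)') {
            $domain = ($Matches[1] -split '@')[-1].ToLower()
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$hidingFolders = 'RSS|Archive|Conversation History|Junk'   # assumption: folders users rarely look in
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = "MailboxForwarding"; Detail = $mbx.ForwardingSmtpAddress }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $leaks    = Test-ExternalAddress $targets
        $hides    = $rule.DeleteMessage -or ($rule.MoveToFolder -match $hidingFolders)
        if ($leaks -or $hides) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Kind    = if ($leaks) { "InboxRule-ExternalForward" } else { "InboxRule-HidesMail" }
                Detail  = "$($rule.Name): to=$($targets -join ',') delete=$($rule.DeleteMessage) move=$($rule.MoveToFolder)"
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 4. Who created or changed rules or forwarding in the last 7 days (from the unified audit log).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

A rule that forwards internally to a colleague is normal; one that forwards to a free webmail domain, or that deletes or buries anything containing words like "invoice" or "password", is the classic post-compromise signature. Schedule the hunt daily until the alert policies for these events are confirmed to be firing.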
These alerts should go to your IT team or managed security provider — not to a shared inbox that nobody checks. Real-time alerting on high-risk events is what allows you to catch a compromise in minutes rather than discovering it weeks later.
10. Implement Sensitivity Labels and Data Loss Prevention
Sensitivity labels let you classify documents and emails based on their content — Public, Internal, Confidential, Highly Confidential. Once a label is applied, it travels with the document. A file labeled "Confidential" can be automatically encrypted, restricted from external sharing, and watermarked. This works across Word, Excel, PowerPoint, Outlook, SharePoint, and Teams.
Data Loss Prevention (DLP) policies automatically detect sensitive content — credit card numbers, Social Insurance Numbers, health records, financial data — and prevent it from being shared inappropriately. When a user tries to email a spreadsheet containing client SIN numbers to an external address, DLP blocks the send and notifies the user and the admin.
For Alberta businesses operating under PIPEDA and PIPA, sensitivity labels and DLP are practical tools for meeting your data protection obligations.
The Configuration Checklist
Here's a summary of everything covered in this guide. If you can't confidently check off every item, your M365 tenant has gaps:
MFA enforced for all users via Conditional Access
Not security defaults — proper Conditional Access policies, rolled out in report-only first, with only the break-glass accounts excluded.
Legacy authentication blocked
POP3, IMAP, SMTP basic auth — all blocked via Conditional Access, with SMTP AUTH also disabled in Exchange Online.
No shared admin accounts
Individual admin accounts with role-based permissions and enhanced MFA.
SPF, DKIM, and DMARC configured
DMARC at p=reject (or on a clear path to reject from p=quarantine).
SharePoint/OneDrive sharing restricted
No anonymous links. External sharing requires authentication. Expiration enforced.
Teams governed
Creation controlled, guest policies defined, retention configured.
Third-party M365 backup in place
Exchange, SharePoint, OneDrive, Teams backed up daily. Recovery tested monthly.
Secure Score above 60%
Reviewed monthly with action items tracked.
Audit logging enabled with active alerts
High-risk events generate real-time notifications to your IT team.
Sensitivity labels and DLP configured
Sensitive data classified and protected from accidental or malicious sharing.
The Bottom Line
Microsoft 365 is powerful, but its default settings are designed for ease of use — not security. Every business running M365 needs to actively configure security controls rather than assuming the defaults are sufficient. The configurations in this guide are not premium add-ons or enterprise-only features — most are included in Microsoft 365 Business Premium, which is the licensing tier most SMBs should be on.
If you're not sure where your tenant stands, start with the Secure Score. It will tell you which of Microsoft's recommended controls are configured and which are missing (it does not cover backup or your DNS records, so check those separately). Or bring in someone who configures M365 tenants professionally — the gaps are often invisible to the people using the system every day.
Get a free M365 security review.
We audit your Microsoft 365 tenant — identity controls, email authentication, sharing permissions, backup, and governance — and give you a clear report on what's configured, what's missing, and what to prioritize. No obligation.
Book a Free IT Assessment · Learn more about our Microsoft 365 services · Managed IT in Calgary