The Microsoft 365 Security Baseline We Apply to Every Client - North Star IT Insights

The Microsoft 365 Security Baseline We Apply to Every Client

Out of the box, Microsoft 365 is wide open. Here's the security baseline we apply to every client in the first 30 days. None of it requires the top SKU.

Why this matters

A fresh Microsoft 365 tenant is permissive by default: legacy authentication enabled, no MFA enforcement, external sharing wide open, no conditional access, no device management. Newer tenants may have Microsoft's security defaults switched on, which require MFA and block legacy authentication but cover nothing else on this list. We see new clients in this state every month.

Block legacy authentication

Legacy authentication (basic auth as used by IMAP, POP, SMTP AUTH, EWS, ActiveSync and older Office clients) cannot complete an MFA challenge, so a leaked password alone is enough to sign in. Block it on day one with a conditional access policy that targets the Exchange ActiveSync and "Other clients" app types. Run the policy in report-only mode for a week first: the sign-in log shows which accounts still use legacy protocols, usually multifunction printers scanning to email and line-of-business apps on SMTP AUTH. Fix them, then enforce. Exchange Online has already retired basic authentication for most protocols, but SMTP AUTH can still be enabled per tenant or per mailbox, so the platform-side retirement is not a reason to skip the policy. Don't leave legacy enabled.

Mandate MFA for everyone

MFA on every account, no exceptions, and no "except for the CEO" carve-outs; executives are the most targeted accounts, not the least. Service accounts should not be signing in interactively at all: move them to workload identities where the application supports it, and where a user-style account is unavoidable give it a phishing-resistant method (FIDO2 security key or certificate-based authentication) and restrict it by conditional access to the locations it actually needs. Break-glass admin accounts (two cloud-only Global Administrators) get long random passwords or FIDO2 keys kept under physical control, are excluded from the conditional access policies that could lock them out, and raise an alert on every sign-in.

Conditional access tier 1

Block legacy auth. Require MFA. Block sign-ins from countries you don't do business in (a named location plus a block policy). Require a compliant device for sensitive admin roles. Create every policy in report-only mode, review what it would have blocked, then enable it. Exclude the break-glass accounts from each one. Most SMBs are fine with five to seven well-tuned policies.
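The first three tier-1 policies above, plus the pre-flight check for legacy authentication, as an added Microsoft Graph PowerShell example. This is our illustration, not code from the original article; the policy names, the 'BreakGlass-Admins' group and the 'Allowed countries' named location are assumptions, and every policy is created in report-only mode so nothing is enforced until you have read the results.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph.Identity.SignIns,
# Microsoft.Graph.Groups and Microsoft.Graph.Reports modules. Group and named-location names are assumed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All', 'AuditLog.Read.All'

# Break-glass accounts are excluded from every policy so a mistake cannot lock every admin out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Admins'"
if (-not $breakGlass) { throw 'Create the break-glass group (and its two accounts) before applying CA policies.' }

$reportOnly = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing the report-only results
$everyone   = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
$allApps    = @{ includeApplications = @('All') }

# CA001: legacy protocols cannot satisfy an MFA challenge, so the only sane grant control is Block.
# 'exchangeActiveSync' and 'other' are the client app types that carry basic auth.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA001 - Block legacy authentication'
    state         = $reportOnly
    conditions    = @{ users = $everyone; applications = $allApps; clientAppTypes = @('exchangeActiveSync', 'other') }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# CA002: MFA for every user on every cloud app.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA002 - Require MFA for all users'
    state         = $reportOnly
    conditions    = @{ users = $everyone; applications = $allApps; clientAppTypes = @('all') }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# CA003: block sign-ins from everywhere except the countries in the named location.
$allowed = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Allowed countries'"
if ($allowed) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = 'CA003 - Block sign-ins outside allowed countries'
        state         = $reportOnly
        conditions    = @{
            users        = $everyone
            applications = $allApps
            locations    = @{ includeLocations = @('All'); excludeLocations = @($allowed.Id) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
}

# Pre-flight for CA001: who still signs in with legacy protocols? Anything other than the two
# modern ClientAppUsed values ('Browser', 'Mobile Apps and Desktop Clients') is legacy auth.
$modern = @('Browser', 'Mobile Apps and Desktop Clients')
$since  = (Get-Date).AddDays(-14).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Each row of the final table is an account and protocol pair that CA001 will break once enforced; the usual suspects are a scanner's SMTP AUTH login and a line-of-business connector on IMAP. Fix those, re-run the query until it is empty, then flip the state to 'enabled'.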

Sharing settings

Default external sharing should not be "anyone with the link." The tenant-level sharing setting is a ceiling that no individual site can exceed, so set it deliberately: make the default link type organization-only, set SharePoint and OneDrive to authenticated guests, and if a few sites genuinely need anonymous links, leave the tenant ceiling at "anyone" with a mandatory link expiry and tighten every other site to authenticated guests. If no site needs anonymous links, drop the ceiling itself to authenticated guests.
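The sharing settings above in the SharePoint Online Management Shell, as an added example that is not from the original article. The admin URL, the allow-list of sites that may use anonymous links and the 30-day expiry are assumptions; the script only ever tightens a site, so a site that is already set to "Disabled" is left alone.

```powershell
# Added example (not from the original article). Requires Microsoft.Online.SharePoint.PowerShell.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# Sites that genuinely need 'Anyone' links (assumed allow-list; empty if none do).
$anonymousAllowed = @('https://contoso.sharepoint.com/sites/PublicDownloads')

# Tenant ceiling: a site can never be more permissive than this. Only keep 'Anyone' at the
# tenant level if something on the allow-list needs it; otherwise authenticated guests is the ceiling.
$ceiling = if ($anonymousAllowed.Count -gt 0) { 'ExternalUserAndGuestSharing' } else { 'ExternalUserSharingOnly' }

Set-SPOTenant -SharingCapability $ceiling `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View

# Tighten: any site allowing 'Anyone' links that is not on the allow-list drops to authenticated guests.
# Sites already at Disabled or ExternalUserSharingOnly are not touched (never loosen by script).
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' -and $_.Url -notin $anonymousAllowed } |
    ForEach-Object {
        Write-Host "Tightening $($_.Url)"
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
    }

# Quarterly check: this should return nothing. Anything it lists was loosened by a site owner.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' -and $_.Url -notin $anonymousAllowed } |
    Select-Object Url, SharingCapability
```

The default link type is the setting users actually feel: with it at Internal, the Share button produces an organization-only link unless someone deliberately changes it, which is the behaviour you want even on a site that allows anonymous links.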

Device management and compliance

Every laptop and phone enrolled in Intune (or whichever MDM you run). Compliance policies require disk encryption, screen lock, a minimum OS version, and EDR running. Tie compliance to conditional access with the "require compliant device" grant control so a non-compliant or unmanaged device can't reach company data. Start with the admin roles, then widen to everyone once enrolment is complete, so the first rollout doesn't lock out the whole company.
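An Intune Windows compliance policy that encodes those four requirements, assigned to all devices, plus the conditional access policy that makes compliance mandatory for admin roles. This is an added Graph PowerShell example, not code from the original article; the policy names, the OS floor, the role list and the 'BreakGlass-Admins' group are assumptions.

```powershell
# Added example (not from the original article). Requires Microsoft.Graph.DeviceManagement,
# Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Identity.DirectoryManagement and Microsoft.Graph.Groups.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess', 'Directory.Read.All', 'Group.Read.All'

# Windows compliance: encryption (BitLocker + Secure Boot), screen lock, OS floor, Defender running.
# scheduledActionsForRule is required by the API; gracePeriodHours 0 means non-compliant immediately.
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter @{
    '@odata.type'                         = '#microsoft.graph.windows10CompliancePolicy'
    displayName                           = 'Baseline - Windows compliance'
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    osMinimumVersion                      = '10.0.19045'      # assumed floor; raise it as builds retire
    passwordRequired                      = $true
    passwordMinimumLength                 = 12
    passwordMinutesOfInactivityBeforeLock = 15
    defenderEnabled                       = $true
    rtpEnabled                            = $true             # real-time protection on
    activeFirewallRequired                = $true
    scheduledActionsForRule               = @(@{
        ruleName                      = 'PasswordRequired'
        scheduledActionConfigurations = @(@{ actionType = 'block'; gracePeriodHours = 0; notificationTemplateId = ''; notificationMessageCCList = @() })
    })
}

# Assign to all managed devices via the policy's /assign action.
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body @{ assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } }) }

# Conditional access: admin roles need MFA AND a compliant device. Roles are referenced by template id.
$adminRoles = @('Global Administrator', 'Exchange Administrator', 'SharePoint Administrator', 'Security Administrator', 'User Administrator')
$adminRoleIds = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -in $adminRoles } | Select-Object -ExpandProperty Id
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Admins'"

New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA004 - Admin roles require compliant device'
    state         = 'enabledForReportingButNotEnforced'   # report-only first, as with every CA policy
    conditions    = @{
        users        = @{ includeRoles = @($adminRoleIds); excludeGroups = @($breakGlass.Id) }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}
```

The grant operator is AND on purpose: with OR, an admin on an unenrolled laptop could satisfy the policy with MFA alone, which is exactly the case the device requirement exists to stop.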

Mailbox rules audit

Auto-forward rules to external addresses are a common compromise indicator: an attacker who has a mailbox sets a rule to copy invoices or password resets out, often named with a single character and paired with a rule that deletes the originals or moves them to an obscure folder. Disable automatic external forwarding by policy (the outbound spam filter and the default remote domain). Audit existing inbox rules, including hidden ones, and mailbox-level forwarding quarterly.
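The policy settings and the audit in Exchange Online PowerShell, as an added example that is not from the original article. The internal domain list and the constructed sample rule at the end are assumptions; the sample exists only to show what the parser flags without touching a real tenant.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Policy: the outbound spam filter rejects automatic forwards, and the default remote domain
# stops auto-forward at the transport layer as a second, independent control.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Returns the SMTP addresses in a rule's ForwardTo / ForwardAsAttachmentTo / RedirectTo fields that
# are outside the organization's domains. Rule recipients are strings like '"Name" [SMTP:user@example.com]',
# so the address is pulled out with a regex; anything without the SMTP: prefix is used as-is.
function Get-ExternalRuleTarget {
    param(
        [Parameter(Mandatory)] $Rule,
        [Parameter(Mandatory)] [string[]] $InternalDomains
    )
    $targets = @($Rule.ForwardTo) + @($Rule.ForwardAsAttachmentTo) + @($Rule.RedirectTo)
    foreach ($t in $targets) {
        if (-not $t) { continue }
        $m = [regex]::Match([string]$t, 'SMTP:([^\]\s]+)', 'IgnoreCase')
        $addr = if ($m.Success) { $m.Groups[1].Value } else { [string]$t }
        $domain = ($addr -split '@')[-1].ToLower()
        if ($domain -and ($InternalDomains -notcontains $domain)) { $addr }
    }
}

# Audit every mailbox. -IncludeHidden returns rules created via MAPI/EWS that Outlook does not show.
# Rules that delete or move mail into RSS/Deleted/Junk/Archive are flagged too: that is how an
# attacker hides the victim's replies and bounce messages.
function Find-SuspiciousInboxRule {
    param([Parameter(Mandatory)] [string[]] $InternalDomains)
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
            $external = @(Get-ExternalRuleTarget -Rule $rule -InternalDomains $InternalDomains)
            $hides = [bool]($rule.DeleteMessage -or ($rule.MoveToFolder -match 'RSS|Deleted|Junk|Archive'))
            if ($external.Count -gt 0 -or $hides) {
                [pscustomobject]@{
                    Mailbox        = $mbx.UserPrincipalName
                    Rule           = $rule.Name
                    Enabled        = $rule.Enabled
                    ExternalTarget = $external -join ';'
                    DeletesOrMoves = $hides
                }
            }
        }
    }
}

# Mailbox-level forwarding (set in OWA options or by an admin) is separate from inbox rules.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

Find-SuspiciousInboxRule -InternalDomains @('contoso.com', 'contoso.ca') | Format-Table -AutoSize

# Constructed sample rule (not from any tenant) showing what the parser flags: a one-character
# rule name, an external forward, and mail shuffled into RSS Feeds.
$sample = [pscustomobject]@{
    Name = '.'; Enabled = $true; DeleteMessage = $false; MoveToFolder = 'RSS Feeds'
    ForwardTo = @('"Payroll" [SMTP:payroll.ops@gmail.example]'); ForwardAsAttachmentTo = $null; RedirectTo = $null
}
Get-ExternalRuleTarget -Rule $sample -InternalDomains @('contoso.com')   # payroll.ops@gmail.example
```

Treat any hit as an incident until proven otherwise: check the user's sign-in log for the rule's creation time, and remember that removing the rule does not evict the attacker, who still holds the session or password that created it.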

Privileged identity

Use Privileged Identity Management (Entra ID P2) or its equivalent. Standing admin access is high risk: a phished standing Global Administrator is a tenant takeover. Move admins to just-in-time elevation with approval, MFA on activation, a time limit, and an audit trail. Admin accounts should be separate, cloud-only and unlicensed for mail, and the only permanent Global Administrators left standing should be the break-glass accounts. Without P2, at minimum review role assignments quarterly and remove what isn't needed.
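The quarterly check that goes with this: list every standing (permanent, non-PIM) assignment to the sensitive directory roles. Added Graph PowerShell example, not code from the original article; the role list is our choice and the schedule-instance data requires Entra ID P2.

```powershell
# Added example (not from the original article). Requires Microsoft.Graph.Identity.Governance.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All'

# Roles where standing access should be limited to the break-glass accounts (our list, extend as needed).
$privilegedRoles = @(
    'Global Administrator', 'Privileged Role Administrator', 'Privileged Authentication Administrator',
    'Exchange Administrator', 'SharePoint Administrator', 'Security Administrator',
    'User Administrator', 'Conditional Access Administrator'
)

function Get-StandingPrivilegedAssignment {
    param([Parameter(Mandatory)] [string[]] $RoleNames)
    foreach ($name in $RoleNames) {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$name'"
        if (-not $def) { continue }
        # AssignmentType 'Assigned' is a direct assignment; 'Activated' is a PIM-eligible member who
        # elevated just-in-time and will drop out automatically. Standing access is 'Assigned' with no end date.
        Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
            -Filter "roleDefinitionId eq '$($def.Id)'" -ExpandProperty Principal |
            Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime } |
            ForEach-Object {
                $p = $_.Principal.AdditionalProperties
                [pscustomobject]@{
                    Role      = $name
                    Principal = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
                    Type      = $p['@odata.type']        # #microsoft.graph.user, group or servicePrincipal
                    Scope     = $_.DirectoryScopeId      # '/' means tenant-wide
                }
            }
    }
}

Get-StandingPrivilegedAssignment -RoleNames $privilegedRoles | Format-Table -AutoSize
```

The expected output in a finished tenant is the two break-glass accounts under Global Administrator and nothing else; every other admin should be eligible instead (visible with Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance). A group or service principal in this list deserves a second look, since group membership is a quiet way to hand out standing admin rights.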

Data loss prevention

Turn on DLP policies for at least credit card numbers, Canadian Social Insurance Numbers, and personal health information. Start in test mode with user notifications so you see the true and false positives, tune the match counts and exclusions, then promote to block where appropriate.
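The test-then-block flow in Security & Compliance PowerShell, as an added example that is not from the original article. Policy and rule names are our choice; the health-information lookup is shown as a query because the exact built-in type depends on the province.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module.
Connect-IPPSSession

$policyName = 'Baseline - Financial and personal identifiers'

# Confirm the exact built-in sensitive information type names before using them; the Canadian
# health identifiers vary by province, so pick the ones that apply from this list.
Get-DlpSensitiveInformationType | Where-Object { $_.Name -match 'Credit Card|Canada' } | Select-Object Name

$sits = @(
    @{ Name = 'Credit Card Number';             minCount = '1' },
    @{ Name = 'Canada Social Insurance Number'; minCount = '1' }
)

# Phase 1: TestWithNotifications. The rule evaluates, users are notified and incident reports are
# generated, but the BlockAccess action is not applied while the policy is in test mode.
New-DlpCompliancePolicy -Name $policyName -Mode TestWithNotifications `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All

New-DlpComplianceRule -Name "$policyName - shared outside the organization" -Policy $policyName `
    -ContentContainsSensitiveInformation $sits `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel Medium `
    -BlockAccess $true -BlockAccessScope All

# Phase 2, after a few weeks of reviewing incident reports and tuning minCount and exclusions:
# switch the policy to Enable and the same rule starts blocking.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Scoping the rule to NotInOrganization is what keeps the false-positive rate tolerable: finance staff emailing each other card numbers is normal, the same content leaving the tenant is not.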

Review cadence

Microsoft adds and changes security controls continually. Review your Secure Score and conditional access policies quarterly, re-run the sharing, mailbox-rule and privileged-role audits at the same time, and document what changed and why.
