Out of the box, Microsoft 365 is configured for convenience, not security. Legacy authentication is enabled. MFA is not enforced. External sharing is unrestricted. There are no Conditional Access policies. No device management requirements. We see new clients with this exact default state every month. Here is the baseline we apply in the first 30 days of every engagement, in order of priority, with no fluff.
Why Default M365 Configuration Is a Problem
Microsoft makes M365 permissive by default because restrictive defaults break things for new customers who haven't planned their configuration. That's a reasonable product decision. It creates a real security problem for businesses that onboard and never tighten the settings.
The default configuration allows:
- Legacy authentication protocols (IMAP, POP3, basic SMTP) that bypass MFA entirely
- Any user to share files externally with a link anyone can access, no account required
- External email forwarding rules set by users without admin visibility
- Devices to access company data regardless of compliance status
- Admin roles without MFA enforcement
Every one of these is actively exploited. This isn't theoretical.
1. Block Legacy Authentication, Day One
Legacy authentication protocols bypass MFA. Block them on day one with a Conditional Access policy targeting all users and all apps, with the Legacy Authentication client apps condition selected. This will break some line-of-business applications that use basic auth. Fix those applications; don't leave legacy auth enabled to accommodate them.
Check what broke by monitoring the Conditional Access sign-in logs for a week after the policy goes to enforcement. Applications that fail will appear in the logs. Each one needs to be assessed: modernise the app, replace it, or document a risk-accepted exception.
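The two steps above in Microsoft Graph PowerShell, as an added example that is not from the original article: the policy is created in report-only mode so the week of log review happens before anything is blocked, and the sign-in query lists which users and applications are still on legacy clients. The policy name and the break-glass group id are assumptions.

```powershell
# Added example, not from the original article: stage the legacy-auth block in
# report-only mode, then pull a week of sign-ins that used legacy protocols.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

$policy = @{
    displayName = "CA001 - Block legacy authentication"        # assumed naming convention
    state       = "enabledForReportingButNotEnforced"           # report-only first; set to "enabled" after the review week
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @("<break-glass-group-object-id>") }  # placeholder id
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")       # "other" = basic-auth clients: IMAP, POP3, SMTP AUTH, older Office
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object Id, DisplayName, State

# Sign-ins from the last 7 days that used a legacy client; each row is an app or
# mailbox to modernise, replace, or document as a risk-accepted exception.
$legacyClients = "IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object ClientAppUsed, UserPrincipalName, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Re-run the query each day of the review week; when the list is empty or every remaining row has a documented exception, change the policy state to "enabled".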
2. Enforce MFA for All Users, No Exceptions
MFA enforced via Conditional Access on every user account, every sign-in. No carve-outs for the CEO, the bookkeeper, or service accounts. Each exception is an attack surface.
For admin accounts: require phishing-resistant MFA (FIDO2 keys or Microsoft Authenticator with FIDO2). Enable Microsoft Authenticator number matching for all users to prevent MFA fatigue attacks. Block SMS-based MFA for any privileged role.
3. Configure Conditional Access Tier 1
Five to seven well-tuned Conditional Access policies cover most SMBs:
- Block legacy authentication (as above)
- Require MFA for all users
- Block sign-ins from countries where you have no business
- Require MFA always (no trusted locations that bypass it)
- Require compliant device for access to sensitive data and admin portals
- Block access for high-risk sign-ins (requires Entra ID P2, included in M365 Business Premium)
Don't create dozens of policies. Overlapping policies generate unexpected conflicts and blocks. Start minimal and add only when there's a specific requirement.
4. Restrict External Sharing
Default SharePoint and OneDrive sharing allows "Anyone with the link": anonymous sharing with no account required. Set the tenant-wide default to "New and existing guests" (authenticated external access only). Allow per-site anonymous sharing overrides only where it's genuinely required for a specific workflow.
Review existing sharing links. Run the SharePoint sharing report to identify what has been shared externally and to whom. Revoke anonymous links that have no ongoing business purpose.
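The tenant-level change in SharePoint Online PowerShell, as an added example that is not from the original article. Because a site's sharing level cannot exceed the tenant's, the site report runs first so you know which workflows currently depend on anonymous links before the default is lowered; `<tenant>` is a placeholder.

```powershell
# Added example, not from the original article: review sites relying on anonymous
# links, then step the tenant default down to authenticated guests only.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder tenant name

# Current (default) state: ExternalUserAndGuestSharing means "Anyone with the link" works with no sign-in
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, PreventExternalUsersFromResharing

# Sites whose own setting allows anonymous links today. Lowering the tenant default below
# caps every site at the new level and existing "Anyone" links stop resolving, so review
# these sites' workflows with their owners before making the change.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability

# Hardened default: external access only for authenticated guests ("New and existing guests"),
# new links default to people inside the organisation, and guests cannot re-share.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true

# Confirm the change took effect
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, PreventExternalUsersFromResharing
```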
5. Enable Device Compliance via Intune
Enrol every company device in Microsoft Intune. Set compliance policies requiring:
- Disk encryption (BitLocker)
- Screen lock with PIN or biometric
- Current OS version (within the last major release)
- EDR (Defender for Business) running and reporting healthy
Tie compliance to Conditional Access: non-compliant devices cannot access company data. This ensures that unmanaged or compromised devices don't maintain access even if credentials are valid.
6. Audit and Block Mailbox Rules
Auto-forwarding rules to external addresses are one of the most common post-compromise indicators. An attacker who gains access to an email account often sets an auto-forward rule to exfiltrate email silently, then comes back later for data they've accumulated.
Run the Exchange admin centre report for auto-forwarding rules. Block all auto-forwarding to external domains via transport rule, with a documented exception process for specific legitimate use cases (rare). Review inbox rules on high-risk accounts (executives, finance, admin) for unusual redirect rules.
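The audit and the transport rule in Exchange Online PowerShell, as an added example that is not from the original article. It treats the tenant's accepted domains as internal and flags both mailbox-level forwarding and inbox rules (including hidden ones) that send mail anywhere else; the exception group address is an assumption.

```powershell
# Added example, not from the original article: report mailbox-level forwarding and
# inbox rules that send mail outside the accepted domains, then add the transport rule.
Connect-ExchangeOnline

# Accepted domains are "internal"; any other destination counts as external
$internalDomains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })

function Test-ExternalTarget([string]$target) {
    # Rule recipients look like 'Name [SMTP:user@example.org]'; ForwardingSmtpAddress looks like 'smtp:user@example.org'
    if ($target -match 'smtp:([^\]]+)') { $target = $Matches[1] }
    if ($target -notmatch '@') { return $false }     # internal recipient stored as a directory object, not an address
    return $internalDomains -notcontains ($target -split '@')[-1]
}

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress) {
    # Mailbox-level forwarding (set via Outlook settings or by whoever holds the session)
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalTarget "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding'; Rule = '-'; Target = "$($mbx.ForwardingSmtpAddress)" }
    }
    # -IncludeHidden also returns rules created through MAPI/EWS that Outlook does not display
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalTarget "$t") {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'; Rule = $rule.Name; Target = "$t" }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Reject auto-forwarded mail leaving the organisation; approved exceptions go in a group
# (assumed address) rather than by switching the rule off.
New-TransportRule -Name "Block auto-forward to external domains" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFromMemberOf "approved-autoforward@<your-domain>" `
    -RejectMessageReasonText "Automatic forwarding to external addresses is blocked. Contact IT for an exception."
```

Any row in the report for a mailbox that has not asked for forwarding is an incident lead, not a cleanup item: check that account's sign-in history before deleting the rule.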
7. Privileged Identity Management
Admin accounts should not have standing admin access. Use Microsoft PIM (Privileged Identity Management, included in Entra ID P2 / Business Premium) to implement just-in-time admin access: admin roles must be activated explicitly, are time-limited, and require MFA and a justification.
At minimum: no permanent Global Administrator assignments except for break-glass accounts. Day-to-day admin work done via role-eligible activation, not standing admin sessions. Break-glass accounts stored in a physical safe with monitored access logging.
8. Review and Harden Sharing Settings for Microsoft Teams
Teams external access and guest access controls are separate from SharePoint. Review:
- External access (federation with other M365 tenants): restrict to specific trusted domains if possible
- Guest access: ensure guests cannot enumerate other guests or access channels they haven't been explicitly added to
- Meeting settings: anonymous join for external meetings should require a lobby hold for non-guests
Frequently Asked Questions
Do we need M365 Business Premium to implement this baseline? Most of it. Conditional Access, Intune, and Defender for Business are all in Business Premium. Business Basic and Standard users can implement Security Defaults and some Exchange controls, but the full baseline requires Business Premium or higher. For SMBs with any cyber insurance requirements, Business Premium is the right tier.
How often should we review M365 security settings? At minimum annually, and after any significant change (new staff in admin roles, new SaaS tool connected to M365, M365 feature updates). North Star includes a quarterly M365 security review in managed IT plans.
Talk to a Prince George-based IT team about implementing this baseline: call 672-983-1174 or book a free assessment at northstarit.ca.