The Microsoft 365 security checklist every SMB should review
A practical overview of MFA, admin roles, mailbox security, sharing permissions, and account recovery controls.
Microsoft 365 is the backbone of most Israeli SMB operations – email, file storage, and collaboration all in one platform. But the default configuration is optimized for ease of use, not security. Here are the key controls every small business should review before assuming their environment is protected.
1. Enable Multi-Factor Authentication for Every User
MFA is the single most effective protection against account takeover. Microsoft reports that MFA blocks over 99% of automated credential attacks. For Microsoft 365, MFA should be mandatory for all users – not just admins. Without it, a stolen or guessed password gives an attacker full access to your email, files, and business data.
Start by enabling Security Defaults in the Microsoft 365 admin center. This requires MFA for all users and blocks legacy authentication protocols that bypass MFA. For more granular control, use Conditional Access policies if your plan includes them.
2. Audit Your Admin Accounts
Too many admin accounts is a common mistake. Each global admin account is a high-value target – if compromised, an attacker can modify your entire Microsoft 365 environment. Best practice for most SMBs: fewer than five global admin accounts, each a dedicated admin-only account separate from the person's daily email account.
Regular users who occasionally need elevated access should have it granted temporarily through Privileged Identity Management, not permanently assigned. Review your admin role assignments at least quarterly.
3. Review External Sharing Settings in SharePoint and OneDrive
By default, SharePoint and OneDrive may allow broad external sharing. Check the sharing settings in the SharePoint admin center and restrict to 'Existing guests' or 'Specific people' rather than 'Anyone with the link.' This prevents accidental data exposure when employees share files with clients or vendors.
4. Configure Anti-Phishing and Email Security Policies
Microsoft Defender for Office 365 provides anti-phishing, Safe Links, and Safe Attachments. Review your default anti-phishing policies and enable: impersonation protection for key executives and your domain; mailbox intelligence for context-aware detection; and Safe Links scanning for URLs in emails and documents.
Phishing is the most common entry point for ransomware and business email compromise attacks against Israeli SMBs. A properly configured Defender policy catches a significant share of these attempts before they reach inboxes.
5. Enable the Unified Audit Log
The Unified Audit Log records sign-ins, admin activities, file access, and configuration changes. It must be manually enabled and is sometimes off by default. Without it, you have no visibility into what happened during or after a security incident. Enable it immediately in the Microsoft Purview compliance portal.
6. Review Active Accounts and Licenses Monthly
Deactivated employees who still have active accounts are a quiet security risk – their accounts can be compromised without anyone noticing. Establish a process to immediately deactivate accounts on an employee's last working day. Conduct a monthly review of all active users and remove any that no longer belong.
7. Use Conditional Access (Microsoft 365 Business Premium and above)
Conditional Access lets you require MFA based on location, block sign-ins from non-compliant devices, and restrict access using risk signals. At minimum, configure a baseline policy that requires MFA for all users from all locations. If your employees work from multiple devices or locations, Conditional Access is one of the highest-value security controls available.
Where to start with your Microsoft 365 review
This checklist is a starting point, not a complete security program. If you are not sure where your Microsoft 365 environment stands, ask NetFortress for a configuration review. We check M365 security settings for Israeli SMBs and hand back a prioritised action list in plain language – no jargon.
Frequently asked questions
Is Microsoft 365 secure by default?
No. Microsoft 365's default settings prioritise ease of use over security, so most new tenants ship without enforced MFA, with broad external sharing, and with the audit log switched off. Microsoft secures the underlying platform, but configuring your tenant securely – and keeping it that way – is your responsibility.
What is the single most important Microsoft 365 security setting?
Multi-factor authentication (MFA) for every user. Microsoft reports MFA blocks over 99% of automated account-takeover attacks, and a stolen password is far less useful to an attacker once MFA is enforced. Enable it for all users, not just admins.
How many global admin accounts should we have?
As few as possible – for most SMBs, fewer than five. Each global admin is a high-value target, so keep admin accounts separate from everyday email accounts and grant elevated access only when it is needed rather than permanently.
How often should we review our Microsoft 365 security?
Review admin roles and active accounts at least quarterly, and deactivate departing employees on their last day. Sharing settings, anti-phishing policies, and Conditional Access should be revisited whenever your team or way of working changes.
Do we need extra backup for Microsoft 365?
Yes. Microsoft operates a shared-responsibility model: it keeps the service running, but retaining and recovering your data is up to you. A dedicated backup for Exchange, SharePoint, OneDrive, and Teams protects you from accidental deletion, departing staff, and ransomware.
Related articles
Microsoft 365 Business Premium: the security you already pay for but probably do not use
Business Premium bundles enterprise-grade security most small businesses never switch on: Defender for Business EDR, Conditional Access, Intune, data loss prevention, and advanced email defence. Here is what is included and how to turn it into real protection.
Read articleSPF, DKIM, and DMARC: stop attackers spoofing your business email
Three DNS records decide whether a stranger can send email that looks exactly like it came from your company. Most small businesses have them half-configured or missing. Here is what SPF, DKIM, and DMARC do, in plain language, and how to roll them out without breaking your email.
Read articleA practical cybersecurity checklist for Israeli SMBs with no in-house IT team
Plenty of small businesses run without anyone whose job is IT. This is a plain checklist you can work through yourself, grouped by how much difference each item makes, so an owner or office manager can see where they stand.
Read articleRelated services
Cloud Services / Microsoft 365
Microsoft 365 setup, identity security, permissions review, and secure configuration for the cloud environment your business runs on.
Learn moreManaged Cybersecurity
Security controls, risk reduction, and practical protection against the attack paths that affect Israeli SMBs most.
Learn moreReady to secure your business without building an internal IT team?
Book a free consultation and get a practical first look at your IT and Microsoft 365 security posture.