Microsoft 3653 min read

The Microsoft 365 security checklist every SMB should review

A practical overview of MFA, admin roles, mailbox security, sharing permissions, and account recovery controls.

#Microsoft 365#MFA#Email Security#SMB

Microsoft 365 is the backbone of most Israeli SMB operations – email, file storage, and collaboration all in one platform. But the default configuration is optimized for ease of use, not security. Here are the key controls every small business should review before assuming their environment is protected.

1. Enable Multi-Factor Authentication for Every User

MFA is the single most effective protection against account takeover. Microsoft reports that MFA blocks over 99% of automated credential attacks. For Microsoft 365, MFA should be mandatory for all users – not just admins. Without it, a stolen or guessed password gives an attacker full access to your email, files, and business data.

Start by enabling Security Defaults in the Microsoft 365 admin center. This requires MFA for all users and blocks legacy authentication protocols that bypass MFA. For more granular control, use Conditional Access policies if your plan includes them.

2. Audit Your Admin Accounts

Too many admin accounts is a common mistake. Each global admin account is a high-value target – if compromised, an attacker can modify your entire Microsoft 365 environment. Best practice for most SMBs: fewer than five global admin accounts, each a dedicated admin-only account separate from the person's daily email account.

Regular users who occasionally need elevated access should have it granted temporarily through Privileged Identity Management, not permanently assigned. Review your admin role assignments at least quarterly.

3. Review External Sharing Settings in SharePoint and OneDrive

By default, SharePoint and OneDrive may allow broad external sharing. Check the sharing settings in the SharePoint admin center and restrict to 'Existing guests' or 'Specific people' rather than 'Anyone with the link.' This prevents accidental data exposure when employees share files with clients or vendors.

4. Configure Anti-Phishing and Email Security Policies

Microsoft Defender for Office 365 provides anti-phishing, Safe Links, and Safe Attachments. Review your default anti-phishing policies and enable: impersonation protection for key executives and your domain; mailbox intelligence for context-aware detection; and Safe Links scanning for URLs in emails and documents.

Phishing is the most common entry point for ransomware and business email compromise attacks against Israeli SMBs. A properly configured Defender policy catches a significant share of these attempts before they reach inboxes.

5. Enable the Unified Audit Log

The Unified Audit Log records sign-ins, admin activities, file access, and configuration changes. It must be manually enabled and is sometimes off by default. Without it, you have no visibility into what happened during or after a security incident. Enable it immediately in the Microsoft Purview compliance portal.

6. Review Active Accounts and Licenses Monthly

Deactivated employees who still have active accounts are a quiet security risk – their accounts can be compromised without anyone noticing. Establish a process to immediately deactivate accounts on an employee's last working day. Conduct a monthly review of all active users and remove any that no longer belong.

7. Use Conditional Access (Microsoft 365 Business Premium and above)

Conditional Access lets you require MFA based on location, block sign-ins from non-compliant devices, and restrict access using risk signals. At minimum, configure a baseline policy that requires MFA for all users from all locations. If your employees work from multiple devices or locations, Conditional Access is one of the highest-value security controls available.

Where to start with your Microsoft 365 review

This checklist is a starting point, not a complete security program. If you are not sure where your Microsoft 365 environment stands, ask NetFortress for a configuration review. We check M365 security settings for Israeli SMBs and hand back a prioritised action list in plain language – no jargon.

Frequently asked questions

Is Microsoft 365 secure by default?

No. Microsoft 365's default settings prioritise ease of use over security, so most new tenants ship without enforced MFA, with broad external sharing, and with the audit log switched off. Microsoft secures the underlying platform, but configuring your tenant securely – and keeping it that way – is your responsibility.

What is the single most important Microsoft 365 security setting?

Multi-factor authentication (MFA) for every user. Microsoft reports MFA blocks over 99% of automated account-takeover attacks, and a stolen password is far less useful to an attacker once MFA is enforced. Enable it for all users, not just admins.

How many global admin accounts should we have?

As few as possible – for most SMBs, fewer than five. Each global admin is a high-value target, so keep admin accounts separate from everyday email accounts and grant elevated access only when it is needed rather than permanently.

How often should we review our Microsoft 365 security?

Review admin roles and active accounts at least quarterly, and deactivate departing employees on their last day. Sharing settings, anti-phishing policies, and Conditional Access should be revisited whenever your team or way of working changes.

Do we need extra backup for Microsoft 365?

Yes. Microsoft operates a shared-responsibility model: it keeps the service running, but retaining and recovering your data is up to you. A dedicated backup for Exchange, SharePoint, OneDrive, and Teams protects you from accidental deletion, departing staff, and ransomware.

Ready to secure your business without building an internal IT team?

Book a free consultation and get a practical first look at your IT and Microsoft 365 security posture.