For most small and mid-sized businesses, Microsoft 365 is the business: email, files, Teams, calendars and the identities that tie them together. That also makes it the single most valuable target an attacker can hit, and the default settings are not as locked down as most owners assume. The good news is that the controls to secure it are usually already included in the plans you own. This checklist walks through the highest-impact steps, in order, to protect your accounts, email, data and devices.
Why Microsoft 365 is attackers' favorite target
When an attacker gets into one Microsoft 365 account, they often get the keys to the business: the inbox, the files in OneDrive and SharePoint, the contacts, and a trusted identity to attack everyone else from. That's why credential theft and business email compromise consistently cause the most financial damage to small businesses.
A single reused or phished password can be enough. From inside a mailbox, attackers quietly read messages, set up forwarding rules, and wait for a real invoice or wire request to hijack. Securing Microsoft 365 is less about exotic threats and more about closing the doors that get tried first.
Lock down accounts first
Identity is the new perimeter. Before anything else, make a stolen password useless on its own by requiring multi-factor authentication, and reduce the ways an attacker can get in at all.
Administrator accounts are the highest-value targets, so they need the strongest protection and should be used sparingly. Day-to-day work should never happen from a global admin account.
- Require multi-factor authentication for every user, no exceptions
- Use Conditional Access to block risky sign-ins and legacy authentication
- Protect and minimize admin accounts; use separate accounts for admin tasks
- Disable legacy protocols (POP, IMAP, basic auth) that bypass MFA
- Enforce strong, unique passwords and alert on impossible-travel sign-ins
Secure email, the number-one attack vector
Most breaches start in the inbox. Microsoft 365 includes layered email protection, but key pieces are often left off or unconfigured. Turning them on dramatically cuts phishing and impersonation.
Email authentication records (SPF, DKIM and DMARC) are easy to overlook and quietly critical: they stop attackers from spoofing your domain and help your legitimate mail land. Pair them with anti-phishing policies and link and attachment scanning.
- Enable anti-phishing, Safe Links and Safe Attachments policies
- Configure SPF, DKIM and DMARC so your domain can't be spoofed
- Tag external email so staff can spot impersonation at a glance
- Alert on suspicious mailbox forwarding rules, a classic compromise sign
- Make reporting phishing a single click, and train staff to use it
Protect your data and devices
Once accounts and email are secure, control where your data can go and what happens on the devices that touch it. Oversharing in SharePoint and OneDrive, and unmanaged personal devices, are common quiet risks.
One thing many owners get wrong: Microsoft does not back up your data for you. Under Microsoft's shared-responsibility model, you are responsible for retaining and recovering your own content, so a separate, tested Microsoft 365 backup is essential to recover from accidental deletion, ransomware or a departing employee.
- Add a third-party Microsoft 365 backup; Microsoft does not back up your data for you
- Review external sharing settings in SharePoint and OneDrive
- Use data-loss-prevention rules to stop sensitive data from leaving
- Manage devices (Intune) so only healthy, encrypted devices get access
- Set retention policies appropriate to your industry
Turn on the security you already pay for, including Copilot
Microsoft gives you a built-in scorecard called Secure Score that measures your configuration and recommends prioritized improvements. It's the fastest way to see where you stand and what to fix next.
If you're adding Microsoft 365 Copilot, governance matters: Copilot can surface any content a user already has access to, so messy SharePoint permissions become a data-exposure risk. Tighten access and turn on audit logging before rolling it out broadly. Note that the strongest controls, like Conditional Access, data-loss prevention and Intune, typically require Microsoft 365 Business Premium or higher, which is well worth it for most businesses.
- Check Microsoft Secure Score and work the prioritized recommendations
- Turn on unified audit logging so you can investigate incidents
- Right-size SharePoint and OneDrive permissions before deploying Copilot
- Confirm your licensing (Business Premium) includes the controls you need
- Review security settings on a schedule; defaults and threats both change
Key Takeaways
- One compromised Microsoft 365 account can expose your whole business; identity comes first.
- MFA, Conditional Access and disabling legacy auth stop the most common attacks.
- Email is the top attack vector: enable anti-phishing and set SPF, DKIM and DMARC.
- Microsoft does not back up your data; a separate, tested backup is essential.
- Use Secure Score, and fix SharePoint permissions before rolling out Copilot.



