What Small Businesses Should Check in Microsoft 365 Before There Is a Problem

Microsoft 365 is configured by default for ease of access, not for security. Most small businesses set it up, get email working, and never revisit the settings. That approach works fine until it does not — and when it does not, the consequences can range from a compromised account to a business-wide email breach.

This checklist covers the areas that matter most. It is not a comprehensive security audit — that requires hands-on access to your tenant — but it is an honest starting point for a business owner or office manager who wants to understand what to look for and why it matters.

1. Multi-Factor Authentication (MFA)

MFA is the single most impactful security control you can implement in Microsoft 365. A leaked or phished password alone is not enough to access an MFA-protected account. Without MFA, a leaked password is a fully compromised account.

What to check:

  • Is MFA enabled for all users, or just some? Partial MFA enforcement creates gaps — the weakest account becomes the easiest target.
  • Are admin accounts protected by MFA? Admin accounts are the highest-value targets in any M365 tenant and should have MFA enforced without exceptions.
  • Are users using the Microsoft Authenticator app, or are they relying on SMS codes? SMS-based MFA is better than nothing but is more vulnerable to SIM-swapping attacks than app-based authentication.

What good looks like: MFA required for all users via Conditional Access policy, with admin accounts requiring the strongest available MFA method.

2. Conditional Access Policies

Conditional Access is the policy engine that controls who can access M365 resources, from where, on what devices, and under what conditions. Without Conditional Access policies, MFA enforcement is often inconsistent and legacy authentication protocols can bypass it entirely.

What to check:

  • Does your tenant have any Conditional Access policies configured? (Requires Azure AD P1 license or higher, included in Microsoft 365 Business Premium)
  • Is legacy authentication blocked? Legacy protocols like IMAP, POP, and older ActiveSync clients cannot perform MFA, so unless a Conditional Access policy explicitly blocks them, a password alone is enough to sign in through them, which makes them a significant risk.
  • Is there a policy requiring MFA for all users, or are there gaps?

What good looks like: At minimum, two policies — one requiring MFA for all users, one blocking legacy authentication protocols.
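The two baseline policies above (and the "MFA via Conditional Access" goal in section 1) can be checked from PowerShell. This is an added example, not part of the original checklist; it assumes the Microsoft.Graph module is installed and that the tenant has the Entra ID P1 licensing the section mentions.

```powershell
# Added example (not from the original checklist): look for the two baseline
# Conditional Access policies the checklist asks for. Assumes the Microsoft.Graph
# PowerShell module and a tenant licensed for Conditional Access.
Connect-MgGraph -Scopes "Policy.Read.All" | Out-Null

function Test-BaselineConditionalAccess {
    $policies = @(Get-MgIdentityConditionalAccessPolicy -All)
    $enabled  = @($policies | Where-Object State -eq 'enabled')

    # Legacy authentication shows up as the 'exchangeActiveSync' and 'other'
    # client app types. A blocking policy must target those for all users.
    $legacyBlock = @($enabled | Where-Object {
        $_.GrantControls.BuiltInControls -contains 'block' -and
        $_.Conditions.ClientAppTypes -contains 'other' -and
        $_.Conditions.Users.IncludeUsers -contains 'All' })

    # MFA for everyone: grant control 'mfa' (or an authentication strength),
    # scoped to all users and all cloud apps. Exclusions are listed separately
    # because every excluded account is a gap the checklist warns about.
    $mfaAll = @($enabled | Where-Object {
        ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength) -and
        $_.Conditions.Users.IncludeUsers -contains 'All' -and
        $_.Conditions.Applications.IncludeApplications -contains 'All' })

    [pscustomobject]@{
        TotalPolicies      = $policies.Count
        EnabledPolicies    = $enabled.Count
        ReportOnlyPolicies = @($policies | Where-Object State -eq 'enabledForReportingButNotEnforced').Count
        LegacyAuthBlocked  = $legacyBlock.Count -gt 0
        LegacyBlockPolicy  = ($legacyBlock.DisplayName -join ', ')
        MfaForAllUsers     = $mfaAll.Count -gt 0
        MfaPolicy          = ($mfaAll.DisplayName -join ', ')
        MfaExcludedUsers   = (@($mfaAll.Conditions.Users.ExcludeUsers) -join ', ')
    }
}

Test-BaselineConditionalAccess | Format-List
```

A policy left in report-only mode counts toward ReportOnlyPolicies but not toward either baseline, since it enforces nothing.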

3. Admin Role Assignments

Global Administrator is the most powerful role in Microsoft 365. Users with this role can access everything, change anything, and add new accounts with equivalent access. Most small businesses have more Global Admins than they need — often including departed employees and vendor accounts that were never cleaned up.

What to check:

  • Who has Global Administrator? List them. Does the list match who should have it?
  • Are there accounts assigned Global Admin that are not actively used by current staff?
  • Are vendor or contractor accounts still active after the engagement ended?
  • Are any admin roles assigned to shared or generic accounts rather than named individuals?

What good looks like: Two to three named Global Admin accounts maximum for a small business. All admins protected by MFA. No vendor accounts with active admin access after project completion.
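The "who has Global Administrator" review can be produced as a list rather than clicked through. This is an added example, not the checklist's own procedure; it assumes the Microsoft.Graph module, and the last-sign-in column needs the AuditLog.Read.All scope and an Entra ID P1 tenant, otherwise it stays empty. The "generic-looking name" pattern is a heuristic of this example.

```powershell
# Added example (not from the original checklist): list every Global Administrator
# with account status and last sign-in so stale, departed or vendor accounts stand
# out. Assumes the Microsoft.Graph module; sign-in activity needs AuditLog.Read.All.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All" | Out-Null

function Get-GlobalAdminReport {
    # Directory roles are filtered by display name; the role exists once activated.
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw "Global Administrator role not found in this tenant" }

    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties.'@odata.type'
        if ($type -ne '#microsoft.graph.user') {
            # Groups or service principals holding the role deserve a look as well.
            [pscustomobject]@{ Principal = $m.Id; Type = $type; Enabled = $null; LastSignIn = $null; Note = 'non-user member' }
            continue
        }
        $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
        $last = $u.SignInActivity.LastSignInDateTime
        $note = @()
        if (-not $u.AccountEnabled) { $note += 'disabled account still holds the role' }
        if (-not $last) { $note += 'no recorded sign-in (or no P1 licence)' }
        elseif ($last -lt (Get-Date).AddDays(-90)) { $note += 'no sign-in in 90+ days' }
        # Heuristic only: shared or generic admin mailboxes rather than named people.
        if ($u.UserPrincipalName -match '^(admin|shared|it|office|support)@') { $note += 'generic-looking name' }
        [pscustomobject]@{
            Principal  = $u.UserPrincipalName
            Type       = 'user'
            Enabled    = $u.AccountEnabled
            LastSignIn = $last
            Note       = ($note -join '; ')
        }
    }
}

$report = @(Get-GlobalAdminReport)
$report | Sort-Object LastSignIn | Format-Table -AutoSize
if ($report.Count -gt 3) { Write-Warning "$($report.Count) Global Admins; the checklist suggests two to three named accounts." }
```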

4. Email Forwarding Rules

One of the first things attackers do after compromising an email account is create a forwarding rule — silently sending copies of all incoming email to an external address. These rules often persist for months or years, undetected, because nobody is looking for them.

What to check:

  • Review inbox rules for all user accounts, particularly executives and finance staff.
  • Check tenant-level external forwarding settings in Exchange Admin Center — Microsoft now provides options to block or restrict automatic forwarding.
  • Are there any forwarding rules pointing to personal email addresses (Gmail, Yahoo, etc.)?

What good looks like: No automatic external forwarding rules in place. Tenant-level setting configured to restrict or block automatic forwarding to external domains.
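Reviewing inbox rules mailbox by mailbox does not scale even in a small tenant, so this added example (not from the original checklist) walks every mailbox for rules and mailbox-level forwarding that point outside the tenant's accepted domains, then reads the tenant-wide forwarding setting. It assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example (not from the original checklist): find inbox rules and
# mailbox-level forwarding that deliver mail outside the tenant, then show the
# tenant-wide auto-forwarding setting. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

function Get-ExternalForwardingReport {
    # Any domain not in the tenant's accepted domains is treated as external.
    $internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() })

    $isExternal = { param($entry)
        # Rule targets look like '"Name" [SMTP:user@example.com]' for external
        # recipients and '... [EX:/o=...]' for directory objects; only SMTP
        # entries (and plain addresses) can leave the tenant.
        if ("$entry" -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] }
        elseif ("$entry" -match '^[^@\s]+@[^@\s]+$') { $addr = "$entry" }
        else { return $false }
        return ($internal -notcontains $addr.Split('@')[-1].ToLower()) }

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailbox-level forwarding, usually set by an admin or via PowerShell.
        if ($mbx.ForwardingSmtpAddress -and (& $isExternal $mbx.ForwardingSmtpAddress)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = 'MailboxForwarding'
                               Rule = '(n/a)'; Target = "$($mbx.ForwardingSmtpAddress)" }
        }
        # User-created inbox rules: forward, forward-as-attachment and redirect all count,
        # and disabled rules are reported too because they can be re-enabled silently.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                       Where-Object { $_ } | ForEach-Object { "$_" }
            foreach ($t in $targets) {
                if (& $isExternal $t) {
                    [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Kind = 'InboxRule'
                                       Rule = "$($rule.Name) (enabled=$($rule.Enabled))"; Target = $t }
                }
            }
        }
    }
}

$findings = @(Get-ExternalForwardingReport)
if ($findings.Count -eq 0) { Write-Host "No external forwarding found." } else { $findings | Format-Table -AutoSize }

# Tenant-level control: 'Off' blocks automatic forwarding outright; 'Automatic'
# is the Microsoft-managed default, which also blocks it at the time of writing.
(Get-HostedOutboundSpamFilterPolicy -Identity Default).AutoForwardingMode
```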

5. Email Authentication Records (DMARC, DKIM, SPF)

These DNS records let receiving mail servers verify which senders are allowed to use your domain and whether a message was really signed by your mail system. Without them, your domain is easier to spoof — attackers can send email that appears to come from your domain and receivers have no record to check it against.

What to check:

  • Does your domain have an SPF record? You can verify using a free online SPF lookup tool.
  • Is DKIM enabled for your domain in Microsoft 365? (Exchange Admin Center → Email authentication)
  • Does your domain have a DMARC record? Start with a monitoring-only policy (p=none) before enforcement.

What good looks like: All three records configured, with DMARC at minimum at p=quarantine for established domains.
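The three lookups above can be scripted and graded against that "what good looks like" line. This is an added example, not from the original checklist; it uses Resolve-DnsName from the Windows DnsClient module, and example.com is a placeholder for your own domain. A present DKIM CNAME is necessary but not sufficient: signing still has to be turned on in the Exchange Admin Center as the section describes.

```powershell
# Added example (not from the original checklist): query SPF, the two Microsoft 365
# DKIM selector CNAMEs and DMARC for a domain and grade each one. Assumes
# Resolve-DnsName (Windows DnsClient module); 'example.com' is a placeholder.
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    $txt = { param($name)
        try { Resolve-DnsName -Name $name -Type TXT -ErrorAction Stop |
              Where-Object { $_.Strings } | ForEach-Object { $_.Strings -join '' } }
        catch { @() } }

    # SPF: exactly one v=spf1 record, ending in -all (hard fail) or ~all (soft fail).
    $spf = @(& $txt $Domain | Where-Object { $_ -like 'v=spf1*' })
    $spfStatus = switch ($spf.Count) {
        0       { 'MISSING' }
        1       { if ($spf[0] -match '\s(-|~)all$') { 'OK' } else { 'WEAK: no -all/~all terminator' } }
        default { 'INVALID: multiple SPF records' } }

    # DKIM in Microsoft 365 is published as two CNAMEs, selector1 and selector2.
    $dkim = foreach ($s in 'selector1', 'selector2') {
        try { $r = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction Stop
              "$s -> $($r.NameHost -join ',')" }
        catch { "$s MISSING" } }

    # DMARC: TXT at _dmarc.<domain>; p=none only monitors, quarantine/reject enforce.
    $dmarc = @(& $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    $policy = if ($dmarc.Count -gt 0 -and $dmarc[0] -match ';\s*p=(none|quarantine|reject)') { $Matches[1].ToLower() }
    $dmarcStatus = if (-not $policy) { 'MISSING or unparseable' }
                   elseif ($policy -eq 'none') { 'MONITOR ONLY (p=none): fine to start, not the end state' }
                   else { "ENFORCING (p=$policy)" }

    [pscustomobject]@{
        Domain = $Domain; SPF = $spfStatus; SPFRecord = ($spf -join ' | ')
        DKIM = ($dkim -join '; '); DMARC = $dmarcStatus; DMARCRecord = ($dmarc -join ' | ')
    }
}

Test-EmailAuthRecords -Domain 'example.com' | Format-List
```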

6. SharePoint and OneDrive Sharing Settings

Default M365 sharing settings are permissive. "Anyone with the link" sharing is enabled in many tenants, which means documents can be shared publicly without any authentication. For businesses handling client information, this is a significant risk.

What to check:

  • What is your tenant-level sharing setting? (SharePoint Admin Center → Policies → Sharing)
  • Are "Anyone" links allowed, or is sharing restricted to specific people?
  • Are guest access permissions appropriate for your business type?

What good looks like: Sharing restricted to "New and existing guests" at minimum. "Anyone" links disabled for businesses handling client or confidential data.

7. Microsoft Secure Score

Microsoft Secure Score is a built-in tool in the Microsoft 365 Defender portal that provides a numerical score of your security posture based on your current settings. It also provides a prioritized list of improvement actions with estimated impact on your score.

What to check:

  • Visit security.microsoft.com and review your current Secure Score.
  • Review the recommended actions list — what are the top five highest-impact improvements?
  • Note which recommendations require additional licensing vs. which are configuration changes only.

Secure Score is not a comprehensive security measure — it reflects Microsoft's view of your tenant settings, not a holistic security assessment — but it is a useful starting point for identifying obvious gaps.

Putting This Into Practice

If you work through this checklist and find significant gaps — particularly around MFA enforcement or admin access — those should be addressed before anything else. The most common attack path against small business M365 tenants is a phished password on an account without MFA, often belonging to someone with more access than they need.

If you want a more thorough review than a checklist can provide — one that involves direct access to your tenant settings and produces a written findings report — that is what a Microsoft 365 security review involves. The checklist tells you what to look for. A review tells you exactly what you have.

Want a Formal M365 Security Review?

Morse Technology Group conducts structured Microsoft 365 security reviews for Florida small businesses. Written findings, prioritized action list, no obligation for further engagement.
