Microsoft 365 security baselines, the 10 settings that matter most

The 10 Microsoft 365 security configuration changes that reduce risk most at the mid-market level, with honest notes on which require E5 and which work on E3 or Business Premium.

· Atticus Rowan

Microsoft 365 ships with sane defaults for functionality and permissive defaults for security. The product works out of the box for email, files, meetings and identity, but almost every mid-market tenant has 15 to 30 discoverable security gaps in its default configuration that a modest configuration pass would close.

The good news: Microsoft publishes documented security baselines (the CIS Microsoft 365 Benchmarks, the Microsoft 365 Apps security baseline) that codify good practice. The bad news: those baselines are long, and a 300-setting configuration checklist produces configuration theater without proportional security improvement. Most of the risk reduction comes from a narrow set of high-leverage settings.

Here are the 10 settings we implement first at every mid-market Microsoft 365 tenant, with honest notes on which license tier each requires.

1, multi-factor authentication on every account

License required: E3, Business Premium or higher for Conditional Access-driven MFA. Any tier has baseline MFA enforcement.

The single most impactful control in any identity-driven environment. Settings:

  • Enforce MFA for all users via Conditional Access policy (not via legacy per-user MFA)
  • Require MFA for all external access to M365 services
  • Block legacy authentication protocols (IMAP, POP, SMTP auth, EWS for older clients)
  • Enforce phishing-resistant factors (FIDO2 keys or passkeys) for administrative accounts

The most common mid-market failure mode: MFA enforced for most users but with exceptions for “just this one service account” or “the founder” that remove the protection for the accounts attackers target hardest.

2, Conditional Access blocking legacy authentication

License required: E3, Business Premium or higher.

Legacy authentication protocols (IMAP, POP, SMTP auth) cannot enforce MFA. Any account accessed via legacy protocols bypasses MFA entirely. The Conditional Access policy “Block legacy authentication” is one of the highest-leverage changes available in M365 and takes roughly 10 minutes to configure.

Common deployment obstacle: a single legacy application or integration using basic auth. The remediation is almost always “upgrade or replace that application.” Occasionally a narrow exception is needed, but the exception should be scoped to the specific application, not to all legacy auth.
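Settings 1 and 2 as two Conditional Access policies created with the Microsoft Graph PowerShell SDK, added here as an example rather than the author's own deployment script. It assumes the Microsoft.Graph modules are installed, the signed-in admin can consent to the scopes requested, and that `$breakGlassId` (a placeholder) is the object ID of the tenant's emergency-access account; the policy names are constructed.

```powershell
# Added example: create the two Conditional Access policies from settings 1 and 2
# with the Microsoft Graph PowerShell SDK. Both start in report-only mode so the
# sign-in log can be checked for unexpected matches before enforcement.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: object ID of the emergency-access (break-glass) account. Keep the
# exclusion list to that account only; every further exclusion is an MFA bypass.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Setting 1: require MFA for every user on every cloud app.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Setting 2: block the client app types that cannot perform MFA
# (Exchange ActiveSync plus "other", which covers IMAP, POP, SMTP AUTH and older EWS clients).
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Check before enforcing: sign-ins from anything other than a browser or modern
# client in the last 7 days identify the basic-auth integrations CA002 will break.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Select-Object Count, Name
```

Flip `state` to `enabled` only after the report-only results in the sign-in log show no legitimate traffic matching CA002 that has not been migrated or scoped to its own narrow exception.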

3, administrative account segregation

License required: Any tier, with E3+ for full capability.

Administrative accounts (Global Administrator, Privileged Role Administrator, others) should be distinct from daily-use accounts.

Settings:

  • Named admin accounts separate from mailbox accounts
  • Admin accounts have no mailbox (eliminates email-based phishing risk)
  • MFA with phishing-resistant factors on all admin accounts
  • Conditional Access policy requiring admin access only from compliant devices
  • Privileged Identity Management (P1+) for just-in-time privileged access where the tier supports it

The most common failure: one admin does every task from their daily-use account. A single phishing success compromises both identity and admin rights.

4, external sharing controls on SharePoint and OneDrive

License required: Any tier.

SharePoint and OneDrive default to permissive external sharing. Review and tighten:

  • Set organization-level external sharing to “New and existing guests” (not anonymous)
  • Disable anonymous links for SharePoint document libraries unless a specific business use case requires them
  • Enable external user verification (guests re-verify every 60 to 90 days)
  • Restrict external sharing in any site holding material confidential content

The permissive default frequently exposes material confidential data to the open internet. A single misconfigured share link can result in a privacy incident.
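The review-then-tighten pass for setting 4 in the SharePoint Online Management Shell, added as an example and not the author's own runbook. It assumes the tenant name is `contoso` and that the two site URLs in `$confidentialSites` are placeholders for the sites your data inventory flags as confidential.

```powershell
# Added example: audit and tighten SharePoint/OneDrive external sharing (setting 4).
# Replace "contoso" with the tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Check first: the tenant default and every site that still allows anonymous (Anyone) links.
$tenant = Get-SPOTenant
Write-Host "Tenant default sharing: $($tenant.SharingCapability)"
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability, Owner

# Tenant-wide: "New and existing guests" only (no anonymous links), and guests
# must re-verify every 60 days.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# Default new share links to people inside the organization, so sharing outward
# is a deliberate choice rather than the path of least resistance.
Set-SPOTenant -DefaultSharingLinkType Internal

# Sites holding confidential material: no external sharing at all.
# Placeholder list; the real set comes from the data inventory.
$confidentialSites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Legal"
)
foreach ($url in $confidentialSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# Verify: nothing should remain at the anonymous-link level.
$remaining = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" }
Write-Host "Sites still allowing anonymous links: $(@($remaining).Count)"
```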

5, Microsoft Defender for Office 365

License required: E5 or Defender for Office 365 add-on. Business Premium has a subset.

Microsoft Defender for Office 365 (formerly Advanced Threat Protection) provides:

  • URL rewriting with click-time protection (Safe Links)
  • Attachment sandboxing (Safe Attachments)
  • Impersonation detection
  • Anti-phishing policies with configurable strictness

Enabling Defender for Office 365 is one of the largest email-security upgrades available in M365. The add-on runs $2 to $5 per user per month on top of E3. Business Premium includes limited Defender features.

6, DMARC in enforcement mode

License required: None (DNS-level setting).

Domain-based Message Authentication, Reporting and Conformance (DMARC) prevents spoofing of the firm’s email domain. Most mid-market firms have DMARC configured in “monitor” mode (p=none) where violations are logged but not blocked.

Moving to enforcement:

  • Start with p=none to collect data
  • Review reports to identify legitimate senders (marketing platforms, payroll, etc.)
  • Configure SPF and DKIM for all legitimate senders
  • Move to p=quarantine when reports show clean alignment
  • Progress to p=reject for full enforcement

Enforcement mode is what actually prevents brand-spoofing attacks. Monitor mode provides intelligence but no protection.
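A check for where a domain sits on the monitor-to-reject progression above, added as an example rather than anything from the author. It assumes Windows PowerShell with the DnsClient module (for `Resolve-DnsName`) and uses `example.com` and `dmarc@example.com` as placeholders.

```powershell
# Added example: read a domain's DMARC record and report whether it is actually
# enforcing (setting 6). Uses Resolve-DnsName from the Windows DnsClient module.
function Get-DmarcPosture {
    param([Parameter(Mandatory)][string]$Domain)

    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join "") -like "v=DMARC1*" }
    if (-not $txt) {
        return [pscustomobject]@{
            Domain = $Domain; Record = $null; Policy = "(no record)"; Enforced = $false
            Notes  = "No DMARC record published; publish p=none to start collecting reports."
        }
    }

    # A long record may be split across several TXT strings; join before parsing.
    $record = ($txt.Strings -join "")
    $tags = @{}
    foreach ($part in $record.Split(";")) {
        $kv = $part.Trim().Split("=", 2)
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }

    $policy = $tags["p"]
    $pct    = if ($tags.ContainsKey("pct")) { [int]$tags["pct"] } else { 100 }
    $notes  = @()
    if ($policy -eq "none")       { $notes += "Monitor mode only: spoofed mail is reported, not blocked." }
    if ($policy -eq "quarantine") { $notes += "Partial enforcement: move to p=reject once reports stay clean." }
    if ($pct -lt 100)             { $notes += "pct=$pct applies the policy to only $pct% of failing mail." }
    if (-not $tags.ContainsKey("rua")) { $notes += "No rua= address: aggregate reports are not being collected." }
    if ($tags["sp"] -eq "none")   { $notes += "sp=none leaves subdomains unprotected." }

    [pscustomobject]@{
        Domain   = $Domain
        Record   = $record
        Policy   = $policy
        Enforced = ($policy -in @("quarantine", "reject")) -and ($pct -eq 100)
        Notes    = $notes -join " "
    }
}

# The record published at each stage of the progression (reporting mailbox is a placeholder):
#   stage 1  v=DMARC1; p=none; rua=mailto:dmarc@example.com
#   stage 2  v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com
#   stage 3  v=DMARC1; p=reject; rua=mailto:dmarc@example.com
Get-DmarcPosture -Domain "example.com" | Format-List
```

Run it against every domain the firm sends mail from, not just the primary one; a forgotten marketing or vanity domain left at p=none is the usual spoofing target.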

7, audit log retention extended to 12 months

License required: E5 for 12-month retention by default. E3 gets 90 days, which can be extended via add-ons.

The default Microsoft 365 unified audit log retention is 90 days on E3. For incident investigation, compliance evidence and customer security questionnaire responses, 12-month retention is the working minimum.

Settings:

  • Verify audit logging is enabled (it is by default in most tenants now)
  • Configure retention policies for longer retention where required
  • Verify audit log collection is flowing to SIEM or MDR provider if one exists
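The verify-and-extend steps for setting 7 from Exchange Online and Security & Compliance PowerShell, added as an example and not the author's own script. It assumes the ExchangeOnlineManagement module, a tenant licensed for retention beyond 90 days (E5 or the audit add-on), and a constructed policy name.

```powershell
# Added example: confirm unified audit logging is on, then create a 12-month
# retention policy (setting 7). Retention cmdlets live in the Security & Compliance
# session; the ingestion check and search live in the Exchange Online session.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Connect-IPPSSession

# Check: ingestion must be enabled before any retention policy means anything.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Retention: keep the identity, mail and file record types an investigation
# relies on for twelve months. Priority 1 wins over any overlapping policy.
$policyName  = "Baseline 12-month retention"   # constructed name
$recordTypes = @(
    "AzureActiveDirectory", "AzureActiveDirectoryStsLogon",
    "ExchangeAdmin", "ExchangeItem", "ExchangeItemGroup",
    "SharePoint", "SharePointFileOperation", "SharePointSharingOperation",
    "OneDrive"
)
if (-not (Get-UnifiedAuditLogRetentionPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-UnifiedAuditLogRetentionPolicy -Name $policyName `
        -Description "Setting 7: 12-month retention for investigation and questionnaire evidence" `
        -RecordTypes $recordTypes `
        -RetentionDuration TwelveMonths `
        -Priority 1
}

# Verify: list the policies, then probe for a record older than the 90-day default.
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority
$probe = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-120) `
                                -EndDate (Get-Date).AddDays(-119) -ResultSize 1
if ($probe) { "Audit data older than 90 days is retrievable." }
else        { "Nothing beyond 90 days yet: the policy is new, or the tenant lacks the license." }
```

The probe only proves retention once the policy has been in place long enough; on the day it is created there is nothing older than 90 days to find.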

8, Microsoft Defender for Endpoint or equivalent EDR

License required: E5 or Defender for Endpoint add-on ($5/user/month).

Microsoft Defender for Endpoint (formerly Defender ATP) provides EDR on Windows (and now macOS and Linux) endpoints with tight integration with the broader M365 security stack.

For mid-market firms already on M365, Defender for Endpoint is often the simplest EDR deployment because management, telemetry and licensing live in the same admin console.

Alternative: third-party EDR (CrowdStrike, SentinelOne, Huntress) that integrates into M365 via Defender XDR connectors. Decision depends on operational preference and existing vendor relationships.

9, Conditional Access risk-based policies

License required: E5 (Identity Protection) or Entra ID P2.

Conditional Access can evaluate sign-in risk (unusual location, anonymous IP, leaked credentials) and user risk (compromised account indicators) in real time, and require additional verification or block sign-in when risk is elevated.

Settings:

  • Sign-in risk: require MFA at “medium” or higher
  • User risk: require password change at “high”
  • Block sign-in at “high” risk when feasible

This layer catches account compromise attempts in progress, even after credentials are phished.

Firms on E3 can implement a simplified version with baseline Conditional Access policies (location-based, device-based) but without the risk-evaluation layer.

10, Intune device compliance and baseline

License required: E3 (Intune included) or Business Premium.

Managing endpoints with Intune provides:

  • Enforced disk encryption (BitLocker/FileVault)
  • Enforced firewall and antivirus configuration
  • Compliance-based Conditional Access (block non-compliant devices from accessing corporate data)
  • Deployment of security configuration baselines

The Conditional Access integration is the highest-leverage part. “Allow access to M365 only from Intune-compliant devices” converts identity-based access into device-verified access, closing a common gap where personal or unmanaged devices authenticate successfully to corporate resources.

The license-tier reality

Honest summary of what each common tier enables:

  • Business Basic / Business Standard: Baseline MFA and SharePoint sharing controls. No Conditional Access, limited Defender.
  • Business Premium: Conditional Access, basic Intune, Defender for Business (lighter than Defender for Endpoint). The best mid-market value for firms under 300 users.
  • E3: Full Conditional Access, Intune, longer retention. Needs add-ons for Defender for Endpoint and Defender for Office 365.
  • E5: Everything. Defender for Endpoint, Defender for Office 365, Identity Protection, eDiscovery, compliance tools, audit log retention.

For mid-market firms, Business Premium is usually the right fit up to 300 employees. E3 + specific add-ons becomes justifiable above that. E5 makes sense for firms in regulated industries or with heavy compliance requirements.

The implementation sequence

For a typical 100-employee firm on Business Premium or E3, the 10 settings above take roughly 2 to 4 weeks to deploy well:

  • Week 1: MFA enforcement (settings 1 and 2), administrative account segregation (setting 3)
  • Week 2: SharePoint external sharing review (setting 4), Defender for Office 365 (setting 5 if licensed)
  • Week 3: DMARC enforcement progression (setting 6), audit log retention (setting 7)
  • Week 4: EDR deployment (setting 8), Conditional Access risk policies (setting 9 if licensed), Intune baseline (setting 10)

User impact is usually low if communicated in advance. MFA rollout produces the most help desk tickets; the other settings are mostly invisible to users.

Where we fit

Atticus Rowan implements these 10 baseline settings as a standard element of every M365-anchored managed engagement. The configuration is documented, tested and maintained. Drift detection catches when a setting is changed without authorization.

Beyond the 10 baselines, there are another 20 to 40 settings worth implementing depending on the firm’s tier, risk profile and regulatory requirements. The 10 above are the universal floor.

If your M365 tenant has not been reviewed against a security baseline in the past 12 months, or you are sizing up which license tier to buy for your next renewal, schedule a discovery call. We can walk through the current configuration and scope the gap-closure work.