Microsoft 365 Security Checklist for Small Businesses (Free) — 2026 Hardening Guide

Cyberlords Editorial Team

Microsoft 365 is the default operating system for small businesses. Email, file storage, collaboration, identity — everything runs through it. That makes it the single highest-value target in your organization, and attackers know it.

Phishing attacks targeting Microsoft 365 tenants increased 58% in 2024. Microsoft is now the most impersonated brand in credential phishing campaigns, with 45% of phishing emails masquerading as Microsoft notifications. Meanwhile, 64% of businesses experienced a Business Email Compromise (BEC) attack in 2024, with average losses of $150,000 per incident.

The problem is not Microsoft 365 itself — it is that 99% of cloud breaches result from preventable misconfigurations (Gartner). Most security features exist but are not turned on by default. This Microsoft 365 security checklist walks you through 40+ hardening steps aligned with CISA SCuBA baselines and CIS Benchmarks that you can implement today — many of them at no additional cost.

Quick Summary

  • MFA blocks 99%+ of credential attacks — enable it for every user, not just admins.
  • 58% increase in phishing attacks targeting M365 tenants in 2024.
  • 64% of businesses experienced BEC attacks in 2024 (avg. $150K loss).
  • 99% of cloud breaches are from preventable misconfigurations (Gartner).
  • Microsoft is the #1 impersonated brand in phishing (45% of credential phishing emails).
  • This checklist covers 40+ hardening steps across Entra ID, Exchange, Teams, SharePoint, and Defender.
  • Aligned with CISA SCuBA baselines, CIS M365 Foundations Benchmark, and Microsoft best practices.

Why Your Microsoft 365 Tenant Is a High-Value Target

The Threat Landscape

Statistic | Source
--- | ---
MFA blocks over 99% of credential-based attacks | Microsoft
58% increase in phishing attacks targeting M365 tenants (2024) | Hoxhunt / AI-Techpark
64% of businesses experienced BEC attacks in 2024; avg. $150K loss per incident | Hoxhunt 2024
Microsoft is the #1 impersonated brand in phishing (45% of credential emails) | Multiple sources 2024
99%+ of cloud breaches from preventable misconfigurations | Gartner 2025
40% of BEC emails are now AI-generated | Hoxhunt 2025
Phishing is the attack method in 33.3% of all email attacks analyzed | Hornetsecurity 2024
43.3% of healthcare email breaches involved Microsoft 365 | BusinessWire 2025
Microsoft Teams phishing attacks surged since April 2024 | Microsoft / SCWorld
CISA mandated SCuBA compliance for federal M365 tenants by June 2025 | CISA BOD 25-01

Your M365 tenant is not just email — it is your identity provider (Entra ID), your file storage (OneDrive/SharePoint), your collaboration platform (Teams), and often your security stack (Defender). A single compromised admin account can give an attacker access to everything.


The Microsoft 365 Security Checklist

Section 1: Identity and Access — Entra ID (Azure AD)

This is the most critical category. If an attacker owns your identity, they own your company.

  • Enable MFA for all users — Turn on Security Defaults (free) or configure Conditional Access MFA policies. MFA blocks 99%+ of credential attacks.
  • Block legacy authentication — Disable POP3, IMAP, SMTP AUTH, and older Office client protocols. They bypass MFA entirely.
  • Enforce Microsoft Authenticator or FIDO2 — Discourage SMS-based MFA (SIM swap risk). Push notification or hardware keys are preferred.
  • Limit Global Administrator accounts — Maintain no more than 2-4 Global Admins. Use least-privilege roles for daily operations.
  • Enable Privileged Identity Management (PIM) — Require just-in-time activation for admin roles (Business Premium / Azure AD P2).
  • Create emergency access (break-glass) accounts — At least 2 cloud-only accounts excluded from Conditional Access, with strong passwords stored securely offline.
  • Implement Conditional Access policies — Start with: require MFA for all users, block legacy auth, require compliant devices for sensitive apps, block risky sign-ins.
  • Enable sign-in risk and user risk policies — Use Identity Protection to automatically block or challenge risky logins.
  • Disable user consent to third-party apps — Prevent OAuth consent phishing by requiring admin approval for all app registrations.
  • Review and remove stale guest accounts — Audit external (B2B) guest accounts quarterly and remove any that are no longer needed.
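To make the first items above concrete (an MFA policy covering every user, a block on legacy authentication, and a Global Administrator count within 2-4), here is an added example that audits an exported set of Conditional Access policies. It is not code from the original checklist or from Cyberlords. It assumes the export uses the Microsoft Graph conditionalAccessPolicy field names (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls.builtInControls); the policies, GUIDs and admin list below are constructed sample data, not a real tenant.

```python
import json

# Constructed sample export. Field names follow the Microsoft Graph
# conditionalAccessPolicy shape as assumed here; the GUIDs are made up.
BREAK_GLASS = {
    "11111111-1111-1111-1111-111111111111",  # break-glass account 1 (constructed)
    "22222222-2222-2222-2222-222222222222",  # break-glass account 2 (constructed)
}

SAMPLE_POLICIES = json.loads("""[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {
     "users": {"includeUsers": ["All"],
               "excludeUsers": ["11111111-1111-1111-1111-111111111111",
                                "22222222-2222-2222-2222-222222222222",
                                "33333333-3333-3333-3333-333333333333"]},
     "applications": {"includeApplications": ["All"]},
     "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
   "conditions": {
     "users": {"includeUsers": ["All"], "excludeUsers": []},
     "applications": {"includeApplications": ["All"]},
     "clientAppTypes": ["exchangeActiveSync", "other"]},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")

# Constructed list of Global Administrator role members (UPNs are made up).
SAMPLE_GLOBAL_ADMINS = ["alice@example.com", "bob@example.com", "carol@example.com",
                        "dave@example.com", "erin@example.com", "svc-backup@example.com"]


def is_enforced(policy):
    # Report-only policies log what they would do but enforce nothing.
    return policy.get("state") == "enabled"


def covers_all_users_and_apps(policy):
    cond = policy["conditions"]
    return ("All" in cond["users"].get("includeUsers", [])
            and "All" in cond["applications"].get("includeApplications", []))


def controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def audit_policies(policies, break_glass=BREAK_GLASS):
    findings = []
    mfa = [p for p in policies
           if is_enforced(p) and covers_all_users_and_apps(p) and "mfa" in controls(p)]
    if not mfa:
        findings.append("No enabled policy requires MFA for all users on all cloud apps")
    for p in mfa:
        # Only the break-glass accounts should be excluded from the MFA policy.
        extra = set(p["conditions"]["users"].get("excludeUsers", [])) - set(break_glass)
        if extra:
            findings.append(f"'{p['displayName']}' excludes {len(extra)} user(s) "
                            "beyond the break-glass accounts")
    legacy = [p for p in policies
              if is_enforced(p) and covers_all_users_and_apps(p) and "block" in controls(p)
              and {"exchangeActiveSync", "other"} <= set(p["conditions"].get("clientAppTypes", []))]
    if not legacy:
        msg = ("No enabled policy blocks legacy authentication "
               "(client app types exchangeActiveSync and other)")
        report_only = [p["displayName"] for p in policies
                       if p.get("state") == "enabledForReportingButNotEnforced"
                       and "block" in controls(p)]
        if report_only:
            msg += "; report-only candidates: " + ", ".join(report_only)
        findings.append(msg)
    return findings


def audit_global_admins(members, max_allowed=4):
    findings = []
    if len(members) > max_allowed:
        findings.append(f"{len(members)} Global Administrators; keep it to 2-4")
    if len(members) < 2:
        findings.append("Fewer than 2 Global Administrators; one lost account leaves no admin")
    return findings


if __name__ == "__main__":
    for line in audit_policies(SAMPLE_POLICIES) + audit_global_admins(SAMPLE_GLOBAL_ADMINS):
        print("FINDING:", line)
```

Against a real tenant, feed the JSON returned by the Graph conditional access policies endpoint into audit_policies and the Global Administrator role members into audit_global_admins. A policy left in report-only mode is reported as a gap on purpose: it logs what it would have done, but it blocks nothing.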

Section 2: Email Security — Exchange Online

Email is the #1 attack vector. Harden it aggressively.

  • Configure SPF records — Publish an SPF TXT record that includes all authorized sending sources. Use -all (hard fail).
  • Enable DKIM signing — Generate and publish DKIM keys for all custom domains.
  • Implement DMARC — Set up a DMARC record starting with p=quarantine and move to p=reject after monitoring. Do not leave DMARC in p=none permanently.
  • Enable anti-phishing policies — Configure impersonation protection for executives and high-value targets. Enable mailbox intelligence.
  • Enable Safe Links — Rewrite and scan URLs in emails at time of click (Defender for Office 365).
  • Enable Safe Attachments — Detonate attachments in a sandbox before delivery (Defender for Office 365).
  • Block external email forwarding — Create a transport rule or use anti-spam outbound policy to block automatic forwarding to external addresses.
  • Enable audit logging for mailboxes — Ensure mailbox audit logging is on (enabled by default since 2019, but verify).
  • Add external sender warnings — Configure a mail flow rule to prepend "[EXTERNAL]" to subjects or add a banner to emails from outside your organization.
  • Restrict who can create distribution groups — Prevent users from creating unrestricted distribution groups that external senders can use.
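The SPF, DKIM and DMARC items above can be verified from the records a domain actually publishes. The following is an added example, not part of the original post or of Cyberlords' tooling, that inspects TXT records for the weak settings the checklist warns about: ~all or +all in SPF, more than ten DNS-lookup mechanisms, p=none or a partial pct in DMARC, a missing rua= address, and an absent or revoked DKIM selector. The domain example.com and its records are constructed sample data, and the lookup callable stands in for a DNS query.

```python
import re

# Constructed TXT records for a hypothetical domain; nothing here is live DNS data.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERPUBLICKEYBASE64"],
}

# SPF mechanisms/modifiers that cost a DNS lookup (ip4/ip6 do not).
LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?::|=|/|$)", re.I)


def parse_tags(record):
    # Both DKIM and DMARC records are 'tag=value;' lists.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(records):
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat this as a permanent error")
    terms = spf[0].split()[1:]
    # The 'all' mechanism decides the fate of any source not matched before it.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes any host on the internet")
        elif qualifier in "~?":
            findings.append(f"SPF: '{all_terms[-1]}' is a soft or neutral fail; use '-all'")
    # RFC 7208 caps DNS-querying mechanisms at 10 per evaluation.
    lookups = sum(1 for t in terms if LOOKUP_MECHANISM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceed the limit of 10")
    return findings


def check_dkim(records, selector):
    dkim = [r for r in records if r.lower().startswith("v=dkim1")]
    if not dkim:
        return [f"DKIM: no record at {selector}._domainkey"]
    if not parse_tags(dkim[0]).get("p"):
        return [f"DKIM: selector {selector} publishes an empty key (revoked)"]
    return []


def check_dmarc(records):
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of your mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    return findings


def assess_domain(domain, lookup, selectors=("selector1", "selector2")):
    # lookup(name) returns the list of TXT strings at name; SAMPLE_RECORDS stands in for DNS.
    result = {
        "spf": check_spf(lookup(domain)),
        "dmarc": check_dmarc(lookup(f"_dmarc.{domain}")),
        "dkim": [],
    }
    for sel in selectors:
        result["dkim"] += check_dkim(lookup(f"{sel}._domainkey.{domain}"), sel)
    return result


if __name__ == "__main__":
    report = assess_domain("example.com", lambda name: SAMPLE_RECORDS.get(name, []))
    for area, notes in report.items():
        print(area.upper(), notes or ["OK"])
```

For a live check, replace the lookup callable with one built on a DNS library (for instance dnspython's dns.resolver.resolve(name, "TXT"), joining each answer's character strings into one record). Microsoft 365 DKIM is published through the selector1 and selector2 CNAMEs, which is why those two selectors are the defaults.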

Section 3: Device and Endpoint Security

  • Enroll devices in Microsoft Intune — Require device enrollment for accessing company data (Business Premium).
  • Require device compliance — Create Conditional Access policies that block non-compliant devices from accessing M365 resources.
  • Enable BitLocker encryption — Require full-disk encryption on all Windows devices via Intune compliance policy.
  • Enforce application protection policies — Use Intune App Protection to containerize corporate data on mobile devices (prevent copy/paste to personal apps).
  • Require automatic OS updates — Configure update rings to enforce timely patching on managed devices.

Section 4: Microsoft Teams Security

Teams is now an active phishing and social engineering vector.

  • Restrict external access — Allow external communication only with an explicit allow list of approved domains, not open federation with every tenant.
  • Disable anonymous meeting join — Require authentication for all meeting participants.
  • Block file uploads from external users — Prevent guests from sharing files in Teams channels.
  • Disable third-party app installation by users — Require admin approval for all Teams apps.
  • Restrict who can create teams — Limit team creation to specific security groups to prevent sprawl.
  • Train employees on Teams-based phishing — Attackers impersonate IT help desks in Teams chats to deploy ransomware via remote access tools.

Section 5: SharePoint and OneDrive Security

  • Set default sharing to "Specific people" — Change from "Anyone with the link" to "Specific people" to prevent accidental public sharing.
  • Disable anonymous sharing links — Or set expiration dates (7-30 days max) on any anonymous links.
  • Block sync from unmanaged devices — Allow OneDrive sync only from Intune-managed or domain-joined devices.
  • Enable sensitivity labels — Classify documents as Public, Internal, Confidential, or Restricted and apply encryption automatically.
  • Audit external sharing activity — Review SharePoint Admin Center sharing reports monthly.

Section 6: Monitoring, Logging, and Response

  • Review Microsoft Secure Score weekly — Access at security.microsoft.com. Prioritize high-impact improvement actions.
  • Enable unified audit log — Verify that the unified audit log is enabled in the Microsoft Purview compliance portal.
  • Set up alert policies — Create alerts for: unusual mail forwarding rules, mass file downloads, admin role changes, impossible travel sign-ins.
  • Run CISA SCuBAGear assessment — Download the free SCuBAGear tool from CISA and scan your tenant against SCuBA baselines.
  • Enable Microsoft Defender for Office 365 attack simulation — Run monthly phishing simulations to test employee awareness (Business Premium).
  • Create an incident response procedure for M365 — Document who to call, how to disable compromised accounts, and how to review audit logs during an incident.
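The alert policies item above names the events worth watching. As an added example (not from the original post or any Cyberlords tooling), this script runs three of those detections over constructed audit records shaped like unified audit log AuditData: inbox rules that forward or redirect mail outside the organization, additions to the Global Administrator role, and an unusually high download count per user. The record field names are assumed, every value is constructed, and the download threshold is set deliberately low so the sample triggers it.

```python
from collections import Counter

INTERNAL_DOMAINS = {"example.com"}   # constructed; your own accepted domains go here
MASS_DOWNLOAD_THRESHOLD = 3          # deliberately low for the sample; tune for production

# Constructed sample records shaped like unified audit log AuditData JSON
# (field names are assumed here; none of this is a real tenant's data).
SAMPLE_RECORDS = [
    {"CreationTime": "2025-01-06T08:12:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "collector@external-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-01-06T09:30:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2025-01-06T10:02:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "admin@example.com",
     "ObjectId": "carol@example.com",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
] + [
    {"CreationTime": f"2025-01-06T11:{m:02d}:00", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "dave@example.com",
     "SourceFileName": f"client-{m}.xlsx"} for m in range(4)
] + [
    {"CreationTime": "2025-01-06T12:00:00", "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "erin@example.com", "SourceFileName": "agenda.docx"},
]


def params(record):
    # Exchange cmdlet audit records carry their arguments as Name/Value pairs.
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_forward_rules(records, internal_domains=INTERNAL_DOMAINS):
    """Inbox rules created or changed to send mail to an address outside the tenant."""
    hits = []
    for r in records:
        if r.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = params(r)
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if key not in p:
                continue
            targets = [t.strip() for t in p[key].split(";") if t.strip()]
            external = [t for t in targets
                        if t.rsplit("@", 1)[-1].lower() not in internal_domains]
            if external:
                hits.append({"user": r["UserId"], "rule": p.get("Name"), "targets": external,
                             # A rule that also deletes the message hides the forwarding from the owner.
                             "deletes": p.get("DeleteMessage") == "True"})
    return hits


def privileged_role_grants(records, roles=("Global Administrator",)):
    """Members added to the listed directory roles."""
    hits = []
    for r in records:
        if r.get("Operation") != "Add member to role.":
            continue
        for prop in r.get("ModifiedProperties", []):
            if prop.get("Name") == "Role.DisplayName" and prop.get("NewValue") in roles:
                hits.append({"actor": r["UserId"], "member": r.get("ObjectId"),
                             "role": prop["NewValue"]})
    return hits


def mass_downloads(records, threshold=MASS_DOWNLOAD_THRESHOLD):
    """Users whose FileDownloaded count in the batch reaches the threshold."""
    counts = Counter(r["UserId"] for r in records if r.get("Operation") == "FileDownloaded")
    return {user: n for user, n in counts.items() if n >= threshold}


def run_detections(records):
    return {
        "external_forwarding": external_forward_rules(records),
        "privileged_role_grants": privileged_role_grants(records),
        "mass_downloads": mass_downloads(records),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_RECORDS).items():
        print(name, hits)
```

In production, feed it the AuditData JSON returned by Search-UnifiedAuditLog or the Office 365 Management Activity API, and set the download threshold against a per-hour or per-day baseline for your tenant. The forwarding-address format in real records can differ from the plain address used in the sample, so check a genuine New-InboxRule record before relying on the parsing.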

Prioritization Guide: What to Do First

If you cannot implement everything immediately, follow this priority order:

Priority | Action | Cost | Impact
--- | --- | --- | ---
🔴 P0 — Today | Enable MFA for all users (Security Defaults) | Free | Blocks 99%+ credential attacks
🔴 P0 — Today | Block legacy authentication | Free | Closes MFA bypass
🔴 P0 — Today | Configure SPF + DKIM + DMARC | Free | Prevents email spoofing
🟠 P1 — This Week | Limit Global Admin accounts to 2-4 | Free | Reduces admin attack surface
🟠 P1 — This Week | Block external email forwarding | Free | Prevents data exfiltration
🟠 P1 — This Week | Set SharePoint sharing to "Specific people" | Free | Prevents accidental data exposure
🟡 P2 — This Month | Enable anti-phishing policies | Business Premium | Stops impersonation attacks
🟡 P2 — This Month | Restrict Teams external access | Free | Blocks Teams-based phishing
🟡 P2 — This Month | Enable Safe Links + Safe Attachments | Business Premium | Sandboxes malicious content
🟢 P3 — This Quarter | Deploy Intune + device compliance | Business Premium | Enforces endpoint security
🟢 P3 — This Quarter | Enable sensitivity labels | Business Premium | Automates data classification
🟢 P3 — This Quarter | Run SCuBAGear assessment | Free | Validates against CISA baselines

Common Mistakes When Securing Microsoft 365

  • Enabling MFA for admins only — Attackers target regular user accounts and escalate from there. MFA must cover every user, every account.
  • Ignoring email authentication — Without SPF, DKIM, and DMARC at p=reject, anyone can send email that appears to come from your domain. This is the most common phishing enabler.
  • Leaving legacy auth enabled — Even one legacy protocol left open creates a backdoor that bypasses all your MFA investment.
  • Over-provisioning admin roles — Ten people do not need Global Admin. Use dedicated roles (Exchange Admin, SharePoint Admin, User Admin) with minimum scope.
  • Treating SharePoint as a private file system — Default sharing settings often allow "Anyone with a link" access. One misconfigured link can expose your entire client database to the internet.
  • Ignoring Microsoft Secure Score — It is a free, always-updated dashboard that tells you exactly what to fix. Review it weekly, not annually.
  • No backup strategy for M365 — Microsoft's retention policies are not a backup solution. Use a third-party backup tool for Exchange, OneDrive, and SharePoint.

Frameworks and Standards Referenced

Framework | Relevance
--- | ---
CISA SCuBA (BOD 25-01) | Secure Configuration Baselines for M365 services — mandatory for federal agencies, recommended for all organizations
CIS Microsoft 365 Foundations Benchmark | Consensus-based hardening guide for Entra ID, Exchange, Teams, SharePoint, OneDrive
Microsoft Security Defaults | Free baseline: enforces MFA, blocks legacy auth, protects privileged roles
NIST SP 800-63B-4 | Authentication and MFA guidelines
Zero Trust Architecture | Verify explicitly, least privilege access, assume breach — core to Conditional Access design

Citations and References

  1. Microsoft — MFA blocks over 99% of credential-based attacks. MFA required for all M365 admin center sign-ins by February 2026.
  2. Hoxhunt / AI-Techpark 2024 — 58% increase in phishing targeting M365 tenants. Microsoft is the #1 impersonated brand.
  3. Hoxhunt 2025 — 64% of businesses experienced BEC attacks in 2024; avg. loss $150K. 40% of BEC emails are AI-generated.
  4. Gartner 2025 — Over 99% of cloud breaches result from preventable misconfigurations or user errors.
  5. Hornetsecurity 2024 — Analysis of 55.6 billion emails: phishing is the top attack (33.3%), malicious URLs second (22.7%).
  6. CISA BOD 25-01 — Mandated SCuBA compliance for federal M365 tenants. SCuBAGear assessment tool available for free.
  7. CIS (Center for Internet Security) — M365 Foundations Benchmark covering Entra ID, Exchange, Teams, SharePoint, Power Platform.
  8. Microsoft / SCWorld 2024 — Teams phishing attacks surged since April 2024; attackers impersonate IT help desks and deploy ransomware via RMM tools.

How Cyberlords Can Help

Your Microsoft 365 tenant is only as secure as its configuration — and most tenants are configured for convenience, not security.

At Cyberlords, we help small businesses:

  • Conduct a full Microsoft 365 security audit — We scan your tenant against CISA SCuBA baselines, CIS Benchmarks, and Microsoft best practices, then deliver a prioritized remediation report.
  • Implement hardening from this checklist — We configure MFA, Conditional Access, email authentication, Defender policies, and Intune enrollment so your team does not have to.
  • Run phishing simulations — We use Defender for Office 365 Attack Simulation to test your employees and provide targeted training.
  • Monitor and respond — Our managed security services provide continuous monitoring of your M365 environment with incident response support.

If you need help securing your Microsoft 365 environment, contact the Cyberlords team today.


Frequently Asked Questions

What is the most important Microsoft 365 security setting?

Multi-Factor Authentication (MFA). Microsoft confirms that MFA blocks over 99% of credential-based attacks, making it the single most effective control you can implement. Enable it for every user — not just administrators. At minimum, turn on Security Defaults, a free feature that enforces MFA across your entire tenant. For more granular control, upgrade to Conditional Access policies (Business Premium) which allow you to require MFA based on user, location, device, and risk level.

Is Microsoft 365 secure by default?

No. Microsoft 365 provides an extensive suite of security features, but most are not enabled by default. Gartner estimates that over 99% of cloud breaches result from preventable misconfigurations — not product vulnerabilities. You must proactively configure MFA, Conditional Access, anti-phishing policies, email authentication (SPF/DKIM/DMARC), audit logging, data loss prevention, and sharing restrictions. This checklist guides you through the essential configurations.

What is CISA SCuBA and why does it matter?

CISA SCuBA (Secure Cloud Business Applications) is a program that provides security configuration baselines for Microsoft 365 services including Entra ID, Exchange Online, Teams, SharePoint, and OneDrive. Under Binding Operational Directive 25-01, federal agencies were required to implement all SCuBA baselines by June 2025. While not mandatory for private businesses, CISA strongly recommends all organizations adopt these baselines. The free SCuBAGear assessment tool automatically checks your tenant against SCuBA configurations.

Do I need Microsoft 365 Business Premium for security?

Business Premium provides advanced features including Conditional Access, Defender for Office 365 Plan 1, Intune device management, and Azure Information Protection. For comprehensive security, it is strongly recommended. However, even on Business Basic or Standard, you can enable Security Defaults (free MFA for all users), configure email authentication (SPF/DKIM/DMARC), block legacy authentication, restrict SharePoint sharing, limit admin roles, and implement many other checklist items at no extra cost.

How do I protect Microsoft 365 from phishing attacks?

Layer multiple defenses: enable anti-phishing policies in Defender for Office 365 with impersonation protection for executives, configure DMARC/DKIM/SPF for email authentication to prevent domain spoofing, block legacy authentication protocols, train employees with Defender's attack simulation tool, enable Safe Links (URL scanning at click time) and Safe Attachments (sandbox detonation), restrict external email forwarding, and add external sender banners. Phishing attacks targeting M365 tenants increased 58% in 2024, so defense-in-depth is essential.

Should I block legacy authentication in Microsoft 365?

Yes, immediately. Legacy authentication protocols (POP3, IMAP, SMTP AUTH, older Office clients) do not support MFA, creating a direct bypass of your most important security control. Attackers routinely target legacy protocols specifically because they circumvent MFA. Microsoft Security Defaults block legacy authentication automatically. If you use Conditional Access instead of Security Defaults, create a dedicated policy to block legacy auth for all users, all cloud apps.

How do I secure Microsoft Teams against attacks?

Restrict external access so only approved, whitelisted domains can send messages to your users — do not allow open federation with the entire internet. Disable anonymous meeting join to require authentication. Block file uploads from external participants. Disable user installation of third-party Teams apps without admin approval. Most importantly, train employees on Teams-based phishing: since April 2024, attackers have impersonated IT help desks in Teams chats, using remote access tools to deploy ransomware.

What is Microsoft Secure Score and how do I use it?

Microsoft Secure Score is a free security posture measurement available at security.microsoft.com. It analyzes your tenant configuration and provides a percentage score along with specific improvement actions ranked by impact. Each action includes step-by-step instructions. Review your Secure Score weekly, prioritize high-impact and easy-to-implement actions first, and track your score over time. It is one of the best free tools available for improving M365 security and provides a measurable way to demonstrate security progress to leadership.
