Microsoft 365 Security Hardening for SMBs: What Default Settings Leave Exposed
· by Dmitry Ivakin
Most small businesses set up Microsoft 365, create their user accounts, and assume the job is done. It is not. Microsoft ships every new tenant with default settings that are deliberately permissive — low friction for new users, but low security for your business data. The company responsible for your email, files, and internal communications has decided, by default, that convenience matters more than protection.
That is not a criticism. It is a design choice for mass adoption. But it means that every small business running Microsoft 365 without deliberate security hardening has the same predictable gaps — and attackers know exactly where to look.
This article walks through what a Microsoft 365 security assessment actually examines, which default settings create the most serious exposure, and what a properly hardened tenant looks like.
What is Microsoft Secure Score — and why it matters
Microsoft Secure Score is a built-in measurement of your tenant's security posture, expressed as a percentage. A score of 100% would mean every available security recommendation has been implemented. A score of 25% — which is common in new or unmanaged tenants — means three quarters of the recommended controls are missing.
Secure Score is useful not because the number itself matters, but because it gives you a concrete, prioritised list of what is missing. Each recommendation shows the potential score improvement, the estimated implementation effort, and a direct link to the configuration screen where you fix it.
In our experience assessing small business tenants, the starting Secure Score typically falls between 20% and 40%. That range represents a tenant where:
- Multi-Factor Authentication is not enforced for most or all users
- Admin accounts have no additional protection beyond a password
- Email threat filters are running at permissive default thresholds
- Devices connecting to company data have no compliance checks applied
- Audit logging may not even be enabled
Getting a typical small business tenant from 30% to 70%+ is achievable in a single focused engagement. The controls required are well-documented, Microsoft provides the tools, and the changes do not require expensive third-party software.
The six most common security gaps in small business M365 tenants
1. Multi-Factor Authentication Not Enforced
This is the single highest-impact gap in most tenants. When MFA is not enforced, a stolen or guessed password is all an attacker needs to access email, SharePoint, Teams, and every file your business has stored in the cloud.
Microsoft offers several ways to enforce MFA. Security Defaults enable basic MFA for all users and are free with every Microsoft 365 subscription. Conditional Access policies — available on most Business Premium and above plans — give you more granular control, requiring MFA based on user risk level, device compliance status, and sign-in location. If you are unsure which plan includes these controls, see our Microsoft 365 Business Standard vs Premium comparison.
The most common objection is user friction. In practice, with modern authentication apps like Microsoft Authenticator, MFA adds five seconds to a sign-in. Most users stop noticing it within a week. The protection it provides against credential-based attacks is not comparable to any other single control.
2. Admin Accounts With No Additional Protection
Global administrator accounts have unlimited access to your entire Microsoft 365 environment — every mailbox, every file, every configuration. In most unmanaged tenants, these accounts are protected only by a password, used for day-to-day tasks, and sometimes shared between multiple people.
Proper admin account hygiene requires: dedicated admin accounts that are separate from daily-use accounts, MFA enforced without exception, and a break-glass emergency access account. The break-glass account is a permanent global admin account used only when all other admin access is lost — locked out due to a misconfigured Conditional Access policy, for example. It should have a strong password stored securely offline, cloud-only identity (no sync from on-premise Active Directory), and an alert configured to fire any time it is used.
Most small business tenants have none of this. The global admin account is the owner's personal Microsoft 365 account, used daily, with no MFA, and no emergency access plan.
3. Email Security Running at Default Thresholds
Microsoft 365 includes Microsoft Defender for Office 365 in Business Premium and several Enterprise plans. The question is not whether you have it, but whether it is configured. Out of the box, anti-phishing policies run at their lowest protection thresholds. Safe Links — which rewrites URLs in emails and scans them in real time — may not be enabled. Safe Attachments — which detonates suspicious files in a sandbox before delivering them — often is not configured.
The practical consequence: a phishing email that imitates your CEO asking for an urgent bank transfer, or a PDF attachment carrying a malware payload, passes through default filters more easily than it should. Anti-phishing policies with impersonation protection, tuned to your specific domain and executive names, catch these attacks that default settings miss.
DMARC, DKIM, and SPF records are the external side of email security — they tell receiving mail servers that email claiming to come from your domain is legitimate. Without them, anyone can send email that appears to come from your address. Many small businesses have SPF configured but are missing DKIM and DMARC, leaving the door open for domain spoofing.
4. No Conditional Access Policies
Conditional Access is the policy engine that sits between a user trying to sign in and the resources they are trying to access. Without it, a valid username and password — or even just a valid MFA token — grants full access from anywhere, on any device, including personal phones with no security controls, coffee shop computers, or locations that should never have access to company data.
At minimum, Conditional Access should require compliant devices for access to sensitive applications, block legacy authentication protocols that bypass MFA entirely, and apply stricter requirements for admin sign-ins. More sophisticated configurations use sign-in risk scores from Microsoft Entra ID Identity Protection to require step-up authentication when unusual patterns are detected — impossible travel, unfamiliar locations, credential exposure on the dark web.
5. Devices Not Enrolled in Intune
If your users access Microsoft 365 from devices that are not enrolled in Microsoft Intune, you have no visibility into whether those devices are patched, encrypted, or running security software. You cannot remotely wipe a device if it is lost or stolen. You cannot enforce a PIN or screen lock. You have no way to apply consistent security baselines across your fleet.
Intune enrollment is included in Microsoft 365 Business Premium at no additional cost. Enrolling devices gives you device compliance policies that Conditional Access can check at sign-in, automatic encryption enforcement via BitLocker, Windows Update rings that ensure patches are deployed promptly, and the ability to remotely wipe company data from a device without affecting personal data.
6. No Security Alerts Configured
If an attacker gains access to a user account and sets up a silent forwarding rule to copy all incoming email to an external address, how long would it take you to notice? In most unmanaged tenants, the answer is months — or never, until a client reports receiving fraudulent emails.
Microsoft 365 has built-in alert policies that can notify you immediately when high-risk events occur: mailbox forwarding rules created, bulk file downloads from SharePoint, suspicious sign-in activity, admin privilege changes. These alerts are not enabled by default. Configuring them takes under an hour and gives you visibility into activity that would otherwise be invisible until damage is done. That gap — between what Microsoft provides by default and what actually protects you — is where most incidents begin.
What happens during a security assessment
A Microsoft 365 security assessment is a structured review of your tenant against a defined security baseline, followed by hands-on remediation of every gap found. It is not a report of recommendations that you then implement yourself — it is configuration work done directly in your tenant, with documentation of every change made.
The process follows a consistent sequence:
- Baseline measurement: Current Secure Score is recorded. Every active policy, admin role assignment, email security configuration, and device management setting is reviewed and documented.
- Gap analysis report: Every missing control is listed with its risk rating and a plain-language explanation of what an attacker could do if the gap is exploited. This report is shared with you before any changes are made.
- Remediation: Gaps are fixed in priority order — MFA and admin account protection first, then email security, then endpoint management, then monitoring and alerting.
- Final report: Secure Score after remediation is recorded. A before-and-after comparison documents every control implemented, with screenshots of key configurations for your records.
The final report serves as compliance evidence — useful if you are subject to GDPR requirements for technical security measures, if your cyber insurance policy requires documented security controls, or if an enterprise client asks for your security posture as part of vendor due diligence.
Realistic Secure Score targets
Not every Secure Score recommendation makes sense for every organisation. Some controls require specific licence tiers. Others involve trade-offs between security and user experience that depend on your business context. A realistic target for a well-hardened small business tenant — without requiring the most advanced licence tiers — is 65% to 80%.
| Secure Score Range | What It Typically Means |
|---|---|
| 0% – 30% | Default or near-default settings. MFA likely missing. Significant exposure. |
| 31% – 55% | Some controls in place — possibly Security Defaults enabled — but major gaps remain in email security, endpoint, or monitoring. |
| 56% – 75% | Solid baseline. MFA enforced, key email policies configured, Intune in use. Remaining gaps are advanced controls. |
| 76% – 100% | Advanced posture. Privileged Identity Management, Defender for Endpoint, and full compliance frameworks in place. |
Moving from the 20–40% range to 65–75% is the highest-value work. The controls in that range — MFA, Conditional Access, email threat protection, device management, alerting — address the attacks most likely to affect a small business. Going from 75% to 95% involves more advanced controls that add incremental protection but require significantly more configuration effort and often a higher licence tier.
Get a Microsoft 365 Security Assessment
If you have been running Microsoft 365 without deliberate security hardening, a security assessment is the most practical starting point. It gives you a clear picture of where you stand, fixes the gaps that matter most, and produces documentation you can use for compliance and insurance purposes.
We work with small businesses that have no in-house IT security expertise — the assessment is designed to be understandable, not just technically thorough. Every change is explained before it is made, and the final report is written for a business owner, not a security engineer.