Microsoft 365 has become the de facto productivity platform for small businesses across the East Valley. But the default configuration is built for a hypothetical generic customer that doesn’t really exist. Out of the box, M365 leaves several security gaps that ransomware operators and phishing scammers exploit constantly.
Here are the seven Microsoft 365 settings every small business should review and update — most of which can be changed in under an hour.
1. External Sharing on SharePoint and OneDrive
By default, any user in your organization can create “Anyone with the link” sharing links from SharePoint or OneDrive, including links to entire folders. Those links never expire unless you configure an expiry, so they end up pasted into emails, vendor portals and personal devices, and short of digging through the audit log nobody has a view of what was shared with whom.
The fix is to limit external sharing to guests who must sign in, make “Specific people” the default link type, and, for the rare site that genuinely needs anonymous links, make them view-only with an expiry and require guests to re-authenticate periodically.
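The tenant-level version of that fix, as an added example that is not part of the original post. It assumes the SharePoint Online Management Shell module and a hypothetical tenant named contoso; the site URL in the commented-out exception is also hypothetical.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# Management Shell module and a hypothetical tenant named "contoso".
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state before touching anything. The weak default is
# SharingCapability = ExternalUserAndGuestSharing ("Anyone" links) with no expiry.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, EmailAttestationRequired

# 1. External sharing only with guests who authenticate. This removes "Anyone"
#    links from the tenant and from every OneDrive; a site cannot be looser
#    than the tenant, so this caps every site at once.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly

# 2. New links default to "Specific people" and are read-only.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# 3. Guests invited by e-mail must re-prove the address every 30 days.
Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 30

# 4. If one site truly needs "Anyone" links, the tenant has to allow them, so
#    constrain them (view-only, 14-day expiry) and tighten every other site.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View `
#               -RequireAnonymousLinksExpireInDays 14
# Get-SPOSite -Limit All |
#     Where-Object Url -ne "https://contoso.sharepoint.com/sites/PublicDocs" |
#     ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly }

# Sites still set looser than the new baseline show up here; it should be empty.
Get-SPOSite -Limit All |
    Where-Object SharingCapability -eq "ExternalUserAndGuestSharing" |
    Select-Object Url, SharingCapability
```

Run the Get-SPOTenant line first and keep its output; it is the only record of what the tenant looked like before the change.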
2. MFA Not Enforced for Every User
“We have MFA” usually means “we have MFA for the admins.” Standard users, and especially shared mailboxes and service accounts, are often still on password-only access. That’s exactly where attackers focus, because they know the admins are watched. Shared mailboxes should not be signed into directly at all: block sign-in on those accounts rather than exempting them from MFA.
Conditional Access policies should require MFA for every user, with break-glass exceptions documented and audited. Security Defaults give you a basic version of this; a real Conditional Access deployment (Entra ID P1, which M365 Business Premium includes) is significantly stronger, and Security Defaults must be switched off before Conditional Access policies will apply.
3. Mailbox Auto-Forwarding to External Addresses
This is the single most common business-email-compromise pattern we see. An attacker phishes a credential, logs in, sets up a silent inbox rule that forwards every inbound email to an external address, and then patiently watches your communications for weeks looking for invoice-redirect opportunities.
External auto-forwarding should be disabled tenant-wide, with any exceptions allowlisted explicitly. The default outbound spam filter policy now blocks automatic forwarding, but verify it rather than assume it: older tenants where that policy was customized years ago are often still wide open. And because blocking only stops new forwarding, look for the rules and mailbox forwarding that already exist.
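The hunt-then-block version of this, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and an Exchange Administrator account; the accounting@contoso.com exception at the end is hypothetical. The external-address test relies on how Exchange renders rule recipients (external addresses carry an SMTP: tag, internal ones a legacy EX: distinguished name), which is stated as an assumption in the code.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an account with Exchange Administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$internalDomains = (Get-AcceptedDomain).DomainName

# Inbox-rule recipients render as "Jane Doe [SMTP:jane@example.net]" for external
# addresses and as an EX: legacy DN for internal ones (assumption). Any SMTP
# target whose domain is not an accepted domain is treated as external.
function Test-ExternalTarget {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        if ($t -match 'SMTP:([^\]\s]+)') {
            $domain = $Matches[1].Split('@')[-1]
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

# 1. Mailbox-level forwarding: a property on the mailbox, not a rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect externally: the thing a phished
#    session is typically used to create.
$suspect = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object {
            (Test-ExternalTarget $_.ForwardTo) -or
            (Test-ExternalTarget $_.ForwardAsAttachmentTo) -or
            (Test-ExternalTarget $_.RedirectTo)
        } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo
}
$suspect | Format-Table -AutoSize
# Remove a rule once confirmed malicious (and then reset that user's sessions):
# Remove-InboxRule -Mailbox $suspect[0].MailboxOwnerId -Identity $suspect[0].Name -Confirm:$false

# 3. Block external auto-forwarding at both enforcement points.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. A genuine exception gets its own outbound policy scoped to one sender,
#    instead of re-opening the default for everyone.
# New-HostedOutboundSpamFilterPolicy -Name "Allow forwarding - accounting" -AutoForwardingMode On
# New-HostedOutboundSpamFilterRule -Name "Allow forwarding - accounting" `
#     -HostedOutboundSpamFilterPolicy "Allow forwarding - accounting" -From accounting@contoso.com
```

Step 2 is the one worth scheduling: a rule named something like “.” that moves mail to RSS Feeds and forwards it out is invisible to the user and survives the block in step 3 if it was created before it.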
4. Audit Logging Off (or Retention Too Short)
If you have a security event and need to investigate what happened, your audit logs are the difference between “we know exactly what they did” and “we have no idea what they touched.” On many tenants we audit, logging is either disabled or left at the short default retention (180 days on Audit (Standard)), which is often less than the time between initial compromise and discovery.
Turn unified audit logging on. Extend retention to at least one year if your license includes Audit (Premium); if it doesn’t, export the log on a schedule so you hold your own copy. Six months is the floor we’d accept for any client.
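The enable, verify and retain steps together, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module; the retention policy in step 3 assumes the tenant is licensed for Audit (Premium), and step 4 is the fallback when it is not. The export path is hypothetical.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Is unified audit logging on at all? Turn it on if not.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 2. Prove it records something useful: the operations a BEC investigation
#    starts from (new or changed inbox rules, mailbox changes, logins).
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox, UserLoggedIn `
    -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize

# 3. Retention beyond the default requires Audit (Premium) licensing (assumed
#    here). Retention policies are managed from Security & Compliance PowerShell.
Connect-IPPSSession
New-UnifiedAuditLogRetentionPolicy -Name "Keep identity and mail audit 1 year" `
    -Description "Sign-in, mailbox and rule activity retained 12 months" `
    -RecordTypes AzureActiveDirectoryStsLogon, ExchangeItem, ExchangeAdmin `
    -RetentionDuration TwelveMonths -Priority 1
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority

# 4. Without Audit (Premium), keep your own copy: export the last day on a
#    schedule. -SessionCommand ReturnLargeSet pages past the 5,000-row limit.
$day = (Get-Date).Date
Search-UnifiedAuditLog -StartDate $day.AddDays(-1) -EndDate $day `
    -SessionId "export-$($day.ToString('yyyyMMdd'))" -SessionCommand ReturnLargeSet `
    -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path "C:\AuditExport\ual-$($day.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

Step 2 is the real test: a tenant where the flag is on but a week of searching returns nothing for UserLoggedIn has a problem worth chasing before the day you need the log.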
5. Application Consent Wide Open
By default, any user in your tenant can grant a third-party application access to their own mailbox, files, and calendar. Attackers exploit this with consent-grant phishing: they trick a user into “logging in” to a malicious app, and now that app holds its own tokens, with persistent access that survives password changes and MFA.
Lock down user consent to apps from verified publishers requesting low-impact permissions, route everything else through the admin consent workflow, and review the grants users have already made, because changing the setting does not revoke them.
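The consent lockdown and the review of existing grants, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK and a hypothetical reviewer account secadmin@contoso.com; the grant-policy name microsoft-user-default-low is Microsoft’s built-in “verified publisher, low-impact permissions” policy.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK
# and a hypothetical reviewer account secadmin@contoso.com.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest",
                        "Directory.Read.All", "User.Read.All"

# 1. Current user-consent setting. The wide-open value is
#    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy".
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 2. Restrict self-service consent to verified publishers asking for low-impact
#    permissions, using the built-in microsoft-user-default-low grant policy.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# 3. Everything else becomes an admin consent request to a named reviewer.
$reviewer = Get-MgUser -UserId "secadmin@contoso.com"
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled $true -NotifyReviewers $true `
    -RemindersEnabled $true -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/$($reviewer.Id)"; QueryType = "MicrosoftGraph" })

# 4. Locking the door does not evict anyone already inside. List every
#    delegated grant a user gave themselves, with the publisher's verification
#    status and the scopes, so unverified apps with mail or file scopes stand out.
Get-MgOauth2PermissionGrant -All |
    Where-Object ConsentType -eq "Principal" |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App       = $sp.DisplayName
            Publisher = $sp.PublisherName
            Verified  = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
            Scope     = $_.Scope
            GrantId   = $_.Id
        }
    } |
    Sort-Object Verified, App |
    Format-Table -AutoSize
# Revoke a grant that should not exist (needs DelegatedPermissionGrant.ReadWrite.All):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

In the step 4 output, an unverified publisher combined with Mail.Read, Mail.ReadWrite or Files.ReadWrite.All is the signature of the consent-grant phish described above.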
6. DKIM and DMARC Not Configured
Your domain’s email authentication records (SPF, DKIM, DMARC) are what stops other people from spoofing mail from your domain. M365 tells you the SPF record to publish, but you have to put it in DNS yourself unless Microsoft hosts your DNS; outbound mail is DKIM-signed with your tenant’s onmicrosoft.com key, not your custom domain’s, until you enable DKIM for that domain and publish its two CNAMEs; and DMARC you write and publish entirely on your own.
Without DMARC in enforcement mode (p=quarantine or p=reject), an attacker can send “from” yourdomain.com to your customers and partners with a high delivery rate. We see this used in vendor-impersonation fraud constantly. Publishing the records costs nothing; getting DMARC to p=reject is a short project of reading the aggregate reports until every legitimate sender (payroll, CRM, the copier) passes, and after that it pays off forever.
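Enabling DKIM and then checking all three records the way a receiving server sees them, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module, Resolve-DnsName from Windows PowerShell’s DnsClient module, and a hypothetical domain contoso.com; the report mailbox in the DMARC records is hypothetical too.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module, Windows PowerShell's Resolve-DnsName, and a hypothetical domain contoso.com.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
$domain = "contoso.com"

# 1. DKIM: create the signing config if missing and print the CNAMEs to publish.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
"selector1._domainkey.$domain  CNAME  $($dkim.Selector1CNAME)"
"selector2._domainkey.$domain  CNAME  $($dkim.Selector2CNAME)"

# 2. Once both CNAMEs resolve, turn signing on (errors clearly if they do not).
Set-DkimSigningConfig -Identity $domain -Enabled $true

# 3. Check SPF, DKIM and DMARC from public DNS. TXT records can arrive as several
#    255-byte strings, so they are joined before matching.
function Get-DomainAuthStatus {
    param([string]$Domain)
    $spf   = ((Resolve-DnsName $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
              Where-Object { $_ -like 'v=spf1*' }) -join ''
    $dkim1 = (Resolve-DnsName "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
    $dmarc = ((Resolve-DnsName "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
              Where-Object { $_ -like 'v=DMARC1*' }) -join ''
    # "p=" is the domain policy; "sp=" (subdomain policy) must not match here.
    $policy = if ($dmarc -match '(^|;\s*)p=(\w+)') { $Matches[2] } else { 'missing' }
    [pscustomobject]@{
        Domain        = $Domain
        SPF           = $spf
        SPFHardFail   = [bool]($spf -match '-all$')    # "~all" is softfail, weaker
        DKIMSelector1 = $dkim1                          # empty = CNAME not published
        DMARCPolicy   = $policy                         # none / quarantine / reject / missing
        Enforcing     = $policy -in 'quarantine', 'reject'
    }
}
Get-DomainAuthStatus $domain

# 4. DMARC rollout, published as TXT at _dmarc.contoso.com. Start at p=none and
#    read the rua reports; tighten only when every legitimate sender passes.
$dmarcStages = @(
    'v=DMARC1; p=none; rua=mailto:dmarc-reports@contoso.com',
    'v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@contoso.com',
    'v=DMARC1; p=reject; rua=mailto:dmarc-reports@contoso.com'
)
$dmarcStages
```

Get-DomainAuthStatus is also the right thing to run against a vendor’s domain before trusting a payment-detail change from them: a missing or p=none DMARC record means the “from” address proves nothing.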
7. No Conditional Access for Risky Sign-Ins
If you have Microsoft Entra ID P1, which M365 Business Premium includes, you can block sign-ins by country or IP range using named locations. Blocking or stepping up authentication on risk signals (anonymous IPs, unfamiliar sign-in properties, impossible travel) is Identity Protection, which needs Entra ID P2. Most tenants we audit aren’t using either.
Even a basic policy that blocks sign-ins from outside the United States, with the break-glass accounts excluded and a documented process for staff who travel, will stop a meaningful percentage of the credential-stuffing attempts your tenant is seeing every day; with P2, add MFA on anything Microsoft flags as medium or high risk. Roll every new policy out in report-only mode first and read the sign-in log before enforcing it.
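The Conditional Access policies from setting 2 (MFA for everyone) and setting 7 (geo-block, and risk step-up where P2 exists), built with a shared break-glass exclusion and created in report-only state, as an added example that is not part of the original post. It assumes the Microsoft.Graph PowerShell SDK, Entra ID P1, and a pre-created group named CA-Exclude-BreakGlass holding the emergency-access accounts; the policy names are hypothetical, and the third policy assumes P2.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell SDK,
# Entra ID P1, and a hypothetical group "CA-Exclude-BreakGlass" of emergency-access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Conditional Access and Security Defaults are mutually exclusive; turn the latter off.
Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$false

$breakGlass = (Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'").Id

# Shared scope: all users except break-glass, all apps, all client types.
# Every policy is created report-only; flip state to "enabled" after reviewing
# the sign-in log's "Report-only" tab.
$common = @{
    users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass) }
    applications   = @{ includeApplications = @("All") }
    clientAppTypes = @("all")
}

# Policy 1 (setting 2, P1): MFA for every user.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2 (setting 7, P1): block sign-ins from outside the allowed countries.
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("US")
    includeUnknownCountriesAndRegions = $false   # unresolvable IPs are not "allowed"
}
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA002 - Block sign-in outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common + @{
        locations = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 3 (setting 7, needs P2 / Identity Protection): MFA on risky sign-ins.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA003 - Require MFA on medium or high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = $common + @{ signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Sanity check: every policy listed, all in report-only until reviewed.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

The break-glass group must be excluded from every policy, not just the block, and its members should be monitored for any sign-in at all; a block policy that catches the only admin who can disable it is the classic lockout.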
The Pattern
None of these are advanced configurations. Apart from risk-based sign-in policies (Entra ID P2) and audit retention beyond the default (Audit (Premium)), they need no licenses beyond M365 Business Premium. They’re the difference between a tenant that’s “set up” and one that’s actually configured for a specific business with specific risk.
If you’re not sure which of these are in place on your own tenant, that’s exactly the kind of audit we run during onboarding. Most clients are surprised at how much default exposure they’ve been carrying.