Serving Plant City, Tampa & Central Florida 📞 (508) 243-7410 ✉ brendan@beardedbytes.com

5 Microsoft 365 Settings That Dramatically Improve Security

Most small businesses leave critical Microsoft 365 security settings at their defaults. Here are the 5 changes every Florida business owner should make today.

Microsoft 365 security shield illustration with lock icons on a navy gradient background

I’ve set up Microsoft 365 for dozens of small businesses across Plant City, Tampa, and the surrounding area. And I’ll tell you something that surprised me when I first started doing this work: almost every account I walk into has the same security gaps. Same defaults, same risks, same low-hanging fruit that attackers love.

Microsoft gives you a solid security foundation in 365 — but most of it is turned off by default. The out-of-the-box settings prioritize ease of setup over protection, which makes sense for getting people productive fast. What doesn’t make sense is leaving those settings untouched for the next three years.

Here are the five changes I make at every client, in order of impact. Most of these take under 15 minutes to configure. A few require navigating Microsoft’s admin portal, which I’ll walk you through. If you’d rather have someone handle it for you, reach out for a free consultation — this is exactly the kind of thing we do in an afternoon.


1. Turn On Multi-Factor Authentication for Every User

This one isn’t optional anymore. If you only do one thing on this list, do this.

Multi-factor authentication (MFA) means that logging into Microsoft 365 requires two things: your password and a second verification step — usually a prompt on your phone or a six-digit code from an app. Even if an attacker gets someone’s password (through phishing, a data breach, or a lucky guess), they still can’t log in without that second factor.

Microsoft’s own data says MFA blocks over 99% of account compromise attacks. That number is staggering, and it explains why it’s the first thing every cybersecurity framework recommends.

How to enable it:

  1. Go to the Microsoft 365 admin center
  2. Navigate to Users > Active users
  3. Click Multi-factor authentication in the top menu
  4. Select all your users and click Enable

I’d also recommend enabling Security Defaults if you’re not using a more advanced policy setup. It’s under Azure Active Directory > Properties > Manage Security Defaults. This turns on MFA organization-wide and disables legacy authentication protocols — which brings me to the next item.


2. Block Legacy Authentication

This is the one that trips up a lot of businesses. Legacy authentication refers to older login protocols — things like basic auth over IMAP, SMTP, or POP3 — that don’t support MFA. They’re relics from the early days of email, and Microsoft kept them around for compatibility.

Here’s the problem: attackers know these protocols can’t be protected by MFA. So they specifically target them. I’ve seen accounts where MFA was turned on, but attackers still got in because legacy auth was still active on an old shared mailbox.

If you don’t have any employees using 15-year-old email clients or legacy devices that require these protocols, block them entirely.

How to block legacy auth:

  1. In the admin center, go to Azure Active Directory > Security > Conditional Access
  2. Create a new policy that blocks legacy authentication clients
  3. Scope it to all users, and set it to block access when the authentication type is “Exchange ActiveSync clients” and “Other clients”

If you enabled Security Defaults in step 1, this is already handled for you. Double-check by going to Azure AD > Sign-in logs and filtering by “Legacy authentication” to confirm you’re not seeing active connections.


This one requires Microsoft 365 Business Premium or a Defender for Office 365 add-on — it’s not in the base Business Basic plan. If you’re paying for it, though, and it’s not configured, you’re leaving serious protection on the table.

Safe Links rewrites every URL in your emails through Microsoft’s scanning service. When someone clicks a link, it checks in real time whether that destination is malicious. If it is, the user gets a warning instead of landing on the phishing page.

Safe Attachments opens every email attachment in a sandboxed virtual environment before it reaches your inbox. If the attachment tries to do something malicious — like run PowerShell, call out to an external server, or drop a file in a temp folder — it gets blocked before your employee ever sees it.

I can’t tell you how many times I’ve watched these policies catch something that would have otherwise compromised an account. Phishing emails in the Tampa Bay area are increasingly sophisticated — I’ve seen fakes that look indistinguishable from real DocuSign, QuickBooks, and Microsoft notifications.

How to enable them:

  1. Go to the Microsoft Defender portal
  2. Under Email & Collaboration > Policies & Rules > Threat Policies
  3. Click Safe Attachments → create a new policy, apply it to your domain, and set action to Block
  4. Click Safe Links → create a policy, apply to your domain, enable “Track user clicks” and “Let users click through to original URL” as appropriate

Set it and leave it running. You’ll get periodic reports showing what it blocked.


4. Configure an External Email Warning Banner

This one is simple, takes two minutes, and has saved clients from phishing attacks more than once.

When an email comes from outside your organization, your employees often can’t tell at a glance. The display name might say “IT Support” or “Your Bank” and look completely legitimate. By adding an external sender warning banner — a small yellow notice at the top of the email that says “This email came from outside your organization” — you give your team an instant visual cue to slow down.

It doesn’t block anything. It just creates a moment of friction before someone clicks a suspicious link.

How to enable it:

  1. In the Microsoft Defender portal, go to Policies & Rules > Threat Policies > Anti-phishing
  2. Edit the default policy (or create a new one)
  3. Under Safety tips & indicators, enable Show first contact safety tip and Show user impersonation safety tip

You can also configure this via a mail flow rule in the Exchange admin center if you want more control over the banner text.


5. Set Up Audit Logging and Admin Alerts

Most small businesses have no idea when something suspicious happens in their Microsoft 365 tenant. Audit logging is how you change that.

When audit logging is enabled, Microsoft records every meaningful action in your environment: logins, file accesses, admin changes, mail forwarding rules, password resets. If something goes wrong — an account is compromised, someone exports your contacts list, a forwarding rule gets created that silently copies all your email to an outside address — you’ll have a record of it.

That last one is worth calling out specifically. One of the most common things I see after a business email compromise is a hidden inbox forwarding rule. An attacker gets into an account, sets up a rule that forwards all email to an external address, then changes the password back. The legitimate user doesn’t notice anything wrong. The attacker sits there reading your email for weeks or months, waiting for invoices to intercept or sensitive information to harvest.

Audit logging catches this. Admin alerts notify you immediately when it happens.

How to enable audit logging:

  1. In the Microsoft Defender portal, go to Audit
  2. If auditing is off, click Start recording user and admin activity

Set up critical alerts:

  1. Go to Policies & Rules > Alert policy
  2. Review the default alerts — make sure these are active: “Email forwarding rules,” “Suspicious email sending patterns,” and “Admin privilege elevation”
  3. Set notification email to whoever manages your IT (or to my team, if we’re managing your account)

Pair this with a monthly log review and you’ve got basic visibility into what’s happening in your environment.


Where to Start If You’re Overwhelmed

I’ll be honest — the Microsoft admin portal is not friendly to non-technical users. It’s a maze of nested menus, and Microsoft keeps reorganizing it. If you’ve read through this list and thought “I have no idea where to start,” that’s completely normal.

Here’s my suggested order of operations for a small business just getting started:

  1. Enable MFA immediately — this is the single highest-impact change you can make
  2. Turn on Security Defaults — it covers several of these items automatically
  3. Enable audit logging — so you have a record of what’s happening
  4. Add the external email banner — easy win, visible to your whole team
  5. Configure Safe Links and Safe Attachments if you have Business Premium

If you’re on a lower-tier Microsoft 365 plan, items 1, 3, and 4 are available to you without any upgrade. Items 2 and 5 may require a plan change — it’s worth the conversation.

We work with small businesses across Plant City, Tampa, Lakeland, and Hillsborough County to make sure their Microsoft 365 environments are set up securely from day one — not audited after an incident. If you want someone to walk through your current settings and identify gaps, schedule a free consultation. We’ll tell you exactly where you stand and what it would take to fix it.

And if you’re wondering about your broader security posture beyond email — things like endpoint protection, network security, or password management — take a look at our cybersecurity services for a full picture of what we offer.

Tags: #microsoft 365#cybersecurity#small business#florida#mfa#email security

Need help with this in your business?

Bearded Bytes provides on-site IT support, cybersecurity, and managed services across Plant City and the Tampa Bay area. Book a free consultation.

Talk to Brendan →