Insights • February 2026

Microsoft 365 & Entra ID Security: Best Practice for Small Businesses

Practical configuration steps that significantly reduce the risk of account compromise and data loss

Why Microsoft 365 Security Is Worth Your Attention

Microsoft 365 is the most widely deployed productivity platform in the world, which makes it the most targeted. Threat actors know that a compromised Microsoft account often provides access to email, SharePoint files, OneDrive storage, Teams conversations, and potentially the entire Azure or Entra ID directory.

The good news is that Microsoft provides powerful security tooling — much of it included in the licences most businesses already hold. The challenge is that it often isn't configured out of the box. Default settings are designed for usability, not security.

This guide covers the security controls that every organisation should have in place, regardless of size.

Multi-Factor Authentication (MFA): Non-Negotiable

MFA requires users to verify their identity with a second factor — typically an authentication app — in addition to their password. Even if an attacker obtains a user's password, they cannot access the account without the second factor.

In Microsoft 365, MFA can be enforced in one of two ways:

Security Defaults

A baseline configuration from Microsoft that enables MFA for all users and blocks legacy authentication. Free with all Microsoft 365 subscriptions. Suitable for smaller organisations that don't need per-user control. Enables MFA using the Microsoft Authenticator app, SMS, or a phone call.

Conditional Access Policies (Entra ID P1/P2)

The enterprise-grade approach. Conditional Access lets you define rules such as 'require MFA when signing in from outside the UK', 'block legacy authentication protocols', or 'require a compliant device for access to SharePoint'. Available with Microsoft 365 Business Premium, E3 with the Entra ID P1 add-on, or E5.

For most small businesses, Conditional Access is the right choice — the additional licence cost is modest and the control it provides is significantly superior to Security Defaults.

At minimum, the following Conditional Access policies should be in place:

Require MFA for all users for all cloud apps.

Block legacy authentication (SMTP AUTH, POP3, IMAP, basic auth) — these protocols cannot support MFA and are a primary attack vector.

Require MFA for all administrator roles.

Block sign-in from countries you have no business presence in.
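The first two of these policies, created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, and breakglass@contoso.example is a placeholder for your own emergency-access account.

```powershell
# Added example (not from the original article): baseline Conditional Access
# policies via Microsoft Graph PowerShell. Assumes the Microsoft.Graph module;
# breakglass@contoso.example is a placeholder you must replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "User.Read.All"

# Always exclude an emergency-access account, so a mistake in a policy
# cannot lock every administrator out of the tenant.
$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.example").Id

# Start in report-only mode, review the impact in the sign-in log, then set "enabled".
$state = "enabledForReportingButNotEnforced"

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName   = "CA01 - Require MFA for all users"
    state         = $state
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: block legacy authentication. The "exchangeActiveSync" and "other"
# client types are the ones that cannot complete MFA (SMTP AUTH, POP3, IMAP, basic auth).
$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = $state
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Confirm both policies exist and check their state before enforcing.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```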

Administrator Accounts: Separate, Privileged, and Rarely Used

Global Administrator is the most powerful role in Microsoft 365. Accounts holding this role can do anything — including deleting all your data, modifying billing, or granting access to a third party. The rules for admin accounts are simple:

Never use a Global Admin account for day-to-day work. Create a separate admin account used only for administrative tasks.

Global Admin accounts should not have email associated with them — they should be cloud-only, licensed-only accounts with no mailbox.

Require phishing-resistant MFA (FIDO2 security keys or Windows Hello for Business) for all admin accounts. Password + authenticator app is not sufficient for these accounts.

Apply the principle of least privilege. Assign the minimum necessary role — use Exchange Administrator for email tasks, SharePoint Administrator for SharePoint, and so on. Reserve Global Admin for genuine necessity.

If you have Entra ID P2 (included in Microsoft 365 E5 or available as an add-on), enable Privileged Identity Management (PIM) — which means admin roles are activated on-demand with justification and approval, rather than permanently assigned.
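A way to check who currently holds Global Administrator and to enforce phishing-resistant MFA for the privileged roles with a Conditional Access authentication strength. Added example, not code from the original article; it assumes the Microsoft.Graph module, uses Microsoft's fixed role template IDs and built-in authentication strength ID, and leaves the break-glass account ID as a placeholder.

```powershell
# Added example (not from the original article): Global Admin inventory plus a
# Conditional Access policy requiring phishing-resistant MFA for admin roles.
# Assumes the Microsoft.Graph module; replace the break-glass placeholder.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$globalAdminTemplate = "62e90394-69f5-4237-9190-012177145e10"

# Who holds Global Admin today? Aim for a small number of dedicated, mailbox-less accounts.
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminTemplate'"
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName }

# Roles to protect (role template IDs are the same in every tenant).
$privilegedRoles = @(
    $globalAdminTemplate,
    "29232cdf-9323-42fd-ade2-1d097af3e4de",   # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c",   # SharePoint Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",   # Security Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814"    # Privileged Role Administrator
)

# Built-in "Phishing-resistant MFA" strength: FIDO2 keys, Windows Hello for
# Business, certificate-based auth. Password + Authenticator app does not satisfy it.
$phishingResistant = "00000000-0000-0000-0000-000000000004"

$adminPolicy = @{
    displayName   = "CA03 - Phishing-resistant MFA for administrators"
    state         = "enabledForReportingButNotEnforced"   # enforce once every admin has a key enrolled
    conditions    = @{
        users        = @{ includeRoles = $privilegedRoles; excludeUsers = @("<break-glass-account-object-id>") }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistant }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy
```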

Entra ID (Azure AD): Identity Security

Entra ID is Microsoft's identity platform — the directory that manages your users, devices, and access policies. Securing it is synonymous with securing Microsoft 365.

Self-Service Password Reset (SSPR)

Enable SSPR with multiple verification methods. This reduces helpdesk load but also ensures users don't fall back to insecure channels when locked out.

Password Protection

Entra ID can enforce a banned password list — blocking common passwords and variations of your organisation name. Enable this under Authentication Methods. Microsoft's global banned list is supplemented by your own custom additions.

Identity Protection (Entra ID P2)

Detects suspicious sign-in events using machine learning — things like sign-ins from anonymous IPs, atypical travel, leaked credentials, or password spray patterns. Configure risk-based Conditional Access policies to automatically require MFA or block sign-in when risk is detected.

Audit Logs and Sign-In Logs

Review these regularly. In Entra ID, sign-in logs show every authentication event — who signed in, from where, using which device and client. Setting up log retention (default is 30 days for P1 and 90 days for P2) and forwarding to a SIEM or Azure Monitor is good practice. At minimum, alert on admin sign-ins, failed sign-ins above a threshold, and sign-ins from outside expected geographies.
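The three minimum alerts above, written as a small triage function and run over constructed sign-in records shaped like Entra ID sign-in log entries. Added example, not code from the original article; the UPNs, the UK-only country list and the threshold are assumptions, and for a real tenant you would feed it the output of Get-MgAuditLogSignIn (AuditLog.Read.All scope) instead of the sample array.

```powershell
# Added example (not from the original article): alerting logic over a
# constructed sign-in log. Replace $signIns with Get-MgAuditLogSignIn output
# to run it for real; UPNs, countries and threshold below are assumptions.
$expectedCountries = @("GB")                          # a UK-only business
$adminUpns         = @("admin-jo@contoso.example")    # dedicated admin accounts
$failureThreshold  = 5

function New-SignIn([string]$Upn, [int]$ErrorCode, [string]$Country, [string]$When) {
    [pscustomobject]@{
        UserPrincipalName = $Upn
        Status            = @{ ErrorCode = $ErrorCode }       # 0 = success, 50126 = bad password
        Location          = @{ CountryOrRegion = $Country }
        CreatedDateTime   = $When
    }
}

# Constructed sample log: one admin sign-in, one foreign sign-in, six failures for one user.
$signIns = @(
    New-SignIn "jo@contoso.example"       0 "GB" "2026-02-03T08:01:00Z"
    New-SignIn "admin-jo@contoso.example" 0 "GB" "2026-02-03T09:15:00Z"
    New-SignIn "sam@contoso.example"      0 "RU" "2026-02-03T02:40:00Z"
)
foreach ($i in 1..6) { $signIns += New-SignIn "pat@contoso.example" 50126 "GB" "2026-02-03T03:0${i}:00Z" }

function Get-SignInAlerts($Events, [string[]]$ExpectedCountries, [string[]]$AdminUpns, [int]$FailureThreshold) {
    $alerts = @()
    foreach ($e in $Events) {
        # 1. Every successful administrator sign-in is worth a notification.
        if ($e.UserPrincipalName -in $AdminUpns -and $e.Status.ErrorCode -eq 0) {
            $alerts += "ADMIN-SIGNIN  $($e.UserPrincipalName) at $($e.CreatedDateTime)"
        }
        # 2. Successful sign-ins from outside the expected geographies.
        if ($e.Status.ErrorCode -eq 0 -and $e.Location.CountryOrRegion -notin $ExpectedCountries) {
            $alerts += "GEO-ANOMALY   $($e.UserPrincipalName) from $($e.Location.CountryOrRegion)"
        }
    }
    # 3. Failed sign-ins per user at or above the threshold (password spray or brute force).
    $failures = $Events | Where-Object { $_.Status.ErrorCode -ne 0 } | Group-Object UserPrincipalName
    foreach ($g in $failures) {
        if ($g.Count -ge $FailureThreshold) { $alerts += "FAILED-BURST  $($g.Name): $($g.Count) failures" }
    }
    return $alerts
}

Get-SignInAlerts $signIns $expectedCountries $adminUpns $failureThreshold
```

Against the sample data this returns one ADMIN-SIGNIN, one GEO-ANOMALY and one FAILED-BURST line; the same three checks translate directly into SIEM or Azure Monitor alert rules once the logs are forwarded.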

Secure Score: Your Ongoing Security Benchmark

Microsoft Secure Score is available in the Microsoft 365 Defender portal (security.microsoft.com). It rates your current configuration against Microsoft's recommendations as a score out of the maximum achievable for your tenant, broken down by category: Identity, Devices, Apps, and Data.

It's useful not just as a benchmark but as a prioritised to-do list. Each recommendation shows estimated impact, implementation effort, and a direct link to make the change. Reviewing and acting on Secure Score improvements is one of the highest-return uses of IT security time.

Exchange Online: Protecting Your Email

Email is the primary attack vector for most organisations. The following controls should be in place:

Defender for Office 365 (Plan 1 included in Business Premium): Enables Safe Links (URL rewriting and scanning), Safe Attachments (sandboxing of email attachments), and Anti-Phishing policies. These add significant protection over baseline Exchange Online Protection.

DKIM and DMARC: Domain-based authentication that prevents attackers from spoofing your domain. DKIM signs outgoing email with a cryptographic signature; DMARC tells receiving servers what to do with mail that fails authentication. Misconfigured or absent DMARC is a major contributor to business email compromise impersonating legitimate senders.

SPF: Specifies which mail servers are authorised to send email on your domain's behalf. Must be present and accurate.

Block auto-forwarding: Attackers who compromise an account frequently set up a forwarding rule to an external address. A mail flow rule or Outbound Spam Policy blocking external auto-forwarding should be standard.

Audit mailbox access: Enable mailbox auditing (on by default since 2019) and review the audit logs if you suspect compromise.
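An Exchange Online PowerShell pass that applies the auto-forwarding block and verifies the other controls in this list. Added example, not code from the original article; it assumes the ExchangeOnlineManagement module, an Exchange Administrator role, and a placeholder domain name for the DNS checks.

```powershell
# Added example (not from the original article): Exchange Online hardening
# checks. Assumes the ExchangeOnlineManagement module; contoso.example is a placeholder.
Connect-ExchangeOnline

# Block external auto-forwarding tenant-wide via the default outbound spam policy.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Mailbox-level forwarding that is already in place (set by a user or by an attacker).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect are the other common post-compromise persistence.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, ForwardTo, RedirectTo
}

# DKIM must be enabled for every custom domain, not only the onmicrosoft.com one.
Get-DkimSigningConfig | Select-Object Domain, Enabled, Status

# Mailbox auditing is on by default; confirm nobody has switched it off at tenant level.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# SPF and DMARC are public DNS records, so their presence can be checked from anywhere.
$domain = "contoso.example"
(Resolve-DnsName -Name $domain -Type TXT).Strings           | Where-Object { $_ -like "v=spf1*" }
(Resolve-DnsName -Name "_dmarc.$domain" -Type TXT).Strings  | Where-Object { $_ -like "v=DMARC1*" }
```

If the last two commands print nothing, SPF or DMARC is missing for that domain; a DMARC record with p=none is present but tells receivers to take no action on failures.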

SharePoint and OneDrive: Data Governance

Oversharing is the silent data risk in Microsoft 365. It's easy for staff to share a SharePoint link externally with 'Anyone with the link' — providing unauthenticated access to documents with no expiry. Sensible defaults to set:

Set the default sharing level to 'Specific people' rather than 'Anyone'.

Restrict external sharing to verified domains where possible.

Apply expiry dates to external sharing links.

Use Microsoft Purview (previously Compliance Centre) to apply sensitivity labels to confidential documents — restricting access, preventing forwarding, and applying encryption.
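The sharing defaults above, set tenant-wide with the SharePoint Online Management Shell. Added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint Administrator role, and placeholder tenant and partner domain names.

```powershell
# Added example (not from the original article): SharePoint/OneDrive tenant
# sharing defaults. Assumes the SharePoint Online Management Shell; the
# tenant admin URL and partner domain are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$sharing = @{
    DefaultSharingLinkType           = "Direct"                    # 'Specific people' rather than 'Anyone'
    DefaultLinkPermission            = "View"                      # new links default to read-only
    SharingCapability                = "ExternalUserSharingOnly"   # guests must sign in; no anonymous links
    SharingDomainRestrictionMode     = "AllowList"                 # external sharing only to listed domains
    SharingAllowedDomainList         = "partner.example"           # placeholder
    ExternalUserExpirationRequired   = $true                       # guest access expires ...
    ExternalUserExpireInDays         = 60                          # ... unless renewed
    RequireAnonymousLinksExpireInDays = 30                         # applies if 'Anyone' links are ever re-enabled
}
Set-SPOTenant @sharing

# Confirm the tenant-level result; individual sites can still be more restrictive.
Get-SPOTenant | Select-Object DefaultSharingLinkType, DefaultLinkPermission, SharingCapability,
    SharingDomainRestrictionMode, SharingAllowedDomainList, ExternalUserExpireInDays
```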

Device Management: Intune and Conditional Access

A Conditional Access policy requiring a 'compliant device' means that only devices enrolled in Microsoft Intune and meeting your defined compliance standards can access Microsoft 365 resources. Compliance standards might include:

BitLocker encryption enabled.

Antivirus active and up to date.

OS version within supported range.

Screen lock with PIN or biometric.

This means a personal device — or a company device that hasn't been enrolled and configured — can be blocked from accessing corporate data entirely, or directed to a limited-access view. For organisations handling sensitive data, this is a significant risk reduction.
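A Windows compliance policy covering the four standards listed above, followed by the Conditional Access policy that admits only compliant devices to SharePoint and OneDrive, both via Microsoft Graph PowerShell. Added example, not code from the original article; it assumes the Microsoft.Graph module, uses a placeholder minimum OS build and break-glass account ID, and relies on Microsoft's fixed application ID for SharePoint Online.

```powershell
# Added example (not from the original article): Intune compliance policy plus
# a compliant-device Conditional Access policy. Assumes the Microsoft.Graph
# module; the OS build and break-glass ID are placeholders.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$compliance = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Windows baseline compliance"
    bitLockerEnabled                      = $true            # BitLocker encryption enabled
    antivirusRequired                     = $true            # antivirus active ...
    defenderEnabled                       = $true
    rtpEnabled                            = $true            # ... with real-time protection on
    signatureOutOfDate                    = $true            # ... and signatures required to be current
    osMinimumVersion                      = "10.0.19045.0"   # placeholder: lowest supported build
    passwordRequired                      = $true            # screen lock with PIN or biometric
    passwordMinutesOfInactivityBeforeLock = 15
    # Graph-created policies need an explicit action; the portal adds this for you.
    scheduledActionsForRule = @(@{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
# Assign $policy.Id to a device group afterwards (Intune admin centre or the policy's assign action).

# Conditional Access: SharePoint Online (this first-party app also fronts OneDrive)
# is reachable only from Intune-compliant devices.
$requireCompliant = @{
    displayName   = "CA04 - Require compliant device for SharePoint and OneDrive"
    state         = "enabledForReportingButNotEnforced"      # enforce once enrolment is complete
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-account-object-id>") }
        applications = @{ includeApplications = @("00000003-0000-0ff1-ce00-000000000000") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireCompliant
```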
