Microsoft 365 comes with powerful security controls out of the box — but most small and medium businesses in New Jersey and New York City never turn them on. The default settings prioritize ease of use over protection, which leaves organizations exposed to phishing attacks, credential theft, ransomware, and accidental data leaks. This guide walks you through the eight most important security configurations in M365, with step-by-step navigation paths so your team can follow along without needing a dedicated IT department. At Minuswires, we help NJ and NYC businesses implement and maintain these settings as part of our managed IT security offering.
1. Enable Multi-Factor Authentication (MFA) for Every Account
MFA is the single highest-impact security control you can enable. Microsoft reports that MFA blocks over 99.9% of automated credential-stuffing attacks. Without it, a stolen password is all an attacker needs to access your email, files, and business applications.
Where to go:Microsoft 365 Admin Center → Users → Active users → Multi-factor authentication (top menu bar).
- Select all users in the list (check the box in the header row).
- Click Enable in the right-hand panel. Users will be prompted to register an MFA method on next sign-in.
- For stronger control, navigate to Azure Active Directory (Entra ID) → Security → Conditional Access and create a policy requiring MFA for all users and all cloud apps. This approach lets you set exceptions (e.g., company devices on the office network) and is preferred over the legacy per-user MFA toggle.
- Recommend that all users install the Microsoft Authenticator app and register it as their primary MFA method. Avoid SMS codes where possible — they are vulnerable to SIM-swapping attacks.
2. Configure Conditional Access Policies
Conditional Access policies act as the gatekeeper for every sign-in to your Microsoft 365 environment. They evaluate signals — user identity, device compliance, location, and sign-in risk — and decide whether to allow, block, or challenge access with MFA.
Where to go:Microsoft Entra admin center (entra.microsoft.com) → Protection → Conditional Access → Policies.
Recommended baseline policies for NJ/NYC small businesses:
- Require MFA for all users: Applies to all cloud apps, all users (exclude a break-glass emergency admin account from this policy).
- Block legacy authentication:Older protocols like IMAP, POP3, and basic auth cannot enforce MFA and are a common attack vector. Set conditions to “Client apps: Exchange ActiveSync clients and Other clients” and block access.
- Require compliant device for sensitive apps: Require that devices accessing SharePoint or the Azure portal are enrolled in Intune and marked compliant (patched, encrypted, antivirus active).
- Sign-in risk policy: If you have Azure AD Premium P2, enable Identity Protection and create a policy that requires MFA when sign-in risk is medium or high, and blocks sign-in when risk is high.
3. Enable Anti-Phishing Protection with Defender for Office 365
Microsoft Defender for Office 365 (included in Microsoft 365 Business Premium) provides anti-phishing, anti-malware, Safe Links, and Safe Attachments policies that go well beyond the basic Exchange Online Protection every tenant gets by default.
Where to go:Microsoft 365 Defender portal (security.microsoft.com) → Email & Collaboration → Policies & Rules → Threat policies.
- Anti-phishing policy: Click Anti-phishing→ Edit the default policy. Enable impersonation protection and add your executives and domain as protected senders. Set the action for impersonated users to “Quarantine the message.” Enable mailbox intelligence and spoof intelligence.
- Safe Attachments: Create a Safe Attachments policy covering all recipients. Set the action to Block — this sandboxes attachments before delivery and removes any that are found to be malicious.
- Safe Links:Create a Safe Links policy for email and Office apps. Enable “Track when users click Safe Links” and “Do not allow users to click through to the original URL” for high-risk destinations.
- Use the Configuration Analyzer: In the Threat policies page, clickConfiguration analyzerto compare your current settings against Microsoft's Standard and Strict preset security profiles and see exactly what needs to change.
4. Set Up Data Loss Prevention (DLP) Policies
DLP policies automatically detect sensitive information — Social Security numbers, credit card numbers, medical record identifiers — and prevent it from leaving your organization via email, Teams, SharePoint, or OneDrive. For New Jersey businesses that handle customer or employee personal data, DLP is a key part of meeting the state's data privacy obligations.
Where to go:Microsoft Purview compliance portal (compliance.microsoft.com) → Data loss prevention → Policies → Create policy.
- Choose a template — Microsoft provides pre-built templates for U.S. PII, financial data, HIPAA, and PCI-DSS. Start with the U.S. Personally Identifiable Information (PII) Data template.
- Apply the policy to Exchange email, SharePoint sites, OneDrive accounts, and Teams chat and channel messages.
- For your first policy, set the action to Audit only for two weeks to understand what content would be flagged before switching to blocking.
- Add business justification overrides where needed — for example, allow HR to share SSNs internally with a documented reason and manager approval workflow.
- Configure DLP alerts to notify your security admin when high-volume incidents occur (e.g., more than 10 sensitive items shared externally within an hour).
5. Configure Secure Email: SPF, DKIM, and DMARC
Email authentication records published in your domain's DNS tell receiving mail servers how to verify that messages from your domain are legitimate. Without these records, anyone can send an email that appears to come from your business. Gmail and Microsoft now reject unauthenticated bulk email, making these records essential for deliverability as well as security.
- SPF: Add a TXT record to your DNS:
v=spf1 include:spf.protection.outlook.com -all. The-allflag (hard fail) rejects mail from unauthorized senders. - DKIM:In the Microsoft 365 Defender portal → Email & Collaboration → Policies & Rules → Threat policies → Email authentication settings, select your domain and click Enable under DKIM. Microsoft will display two CNAME records to add to your DNS; add them, then enable.
- DMARC: After SPF and DKIM are passing, publish a DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100. Start withp=quarantineand graduate top=rejectonce you have reviewed aggregate reports and confirmed no legitimate senders are failing.
6. Enable and Configure Audit Logging
Audit logging records user and admin activity across Exchange Online, SharePoint, OneDrive, Teams, and Azure AD. Without it, you cannot investigate a security incident after the fact — you will have no record of who accessed what, when files were deleted, or when an admin changed a security policy.
Where to go:Microsoft Purview compliance portal → Audit → Start recording user and admin activity.
- Audit logging is on by default in most M365 plans, but verify it is active by running a test search in the Audit log search interface.
- Retention is 90 days on standard plans and 1 year on Microsoft 365 E3/Business Premium. If your compliance requirements need longer retention, add an Audit (Premium) license.
- Set up alert policies for high-risk events: admin privilege escalation, mass file downloads, forwarding rules created on mailboxes, and failed login spikes.
- Export audit logs monthly to a secure storage location (Azure Blob Storage or a SIEM tool) so records are available beyond the tenant retention window.
7. Control Guest Access in Teams and SharePoint
By default, Microsoft 365 allows internal users to invite external guests into Teams channels and SharePoint sites. Without governance controls, sensitive business data can be shared with personal email accounts outside your organization with no visibility or oversight.
Teams guest access settings:Microsoft Teams admin center (admin.teams.microsoft.com) → Users → Guest access.
- Disable guest access capabilities you do not need: private channel creation, IP video, screen sharing, and file sharing for guests can all be restricted independently.
- SharePoint sharing settings:SharePoint admin center → Policies → Sharing. Change the external sharing level from Anyone to New and existing guests or Only people in your organization if guest access is not required.
- Enable guest access expiration in Azure AD: go to Microsoft Entra ID → External Identities → External collaboration settings and set guest access reviews to run every 90 days.
- Require guests to use MFA via a Conditional Access policy scoped to guest users — this ensures external collaborators are held to the same authentication standards as internal staff.
8. Harden Teams and SharePoint Security Settings
Beyond guest access, Teams and SharePoint have additional security knobs that are worth reviewing for any NJ or NYC business that stores client files, contracts, or internal documentation in Microsoft 365.
- Sensitivity labels:In Microsoft Purview → Information protection, create sensitivity labels (e.g., Confidential, Internal, Public) and apply them to Teams and SharePoint sites to control who can access and share content within each classification.
- Disable “Anyone” links globally: In the SharePoint admin center, set the default link type to Specific people so that sharing a file requires explicitly naming recipients rather than generating an anonymous link.
- Block downloading on unmanaged devices:In the SharePoint admin center → Access control → Unmanaged devices, set access to Allow limited, web-only access. This prevents users from downloading files to personal devices.
- Teams app governance:In the Teams admin center → Teams apps → Manage apps, review which third-party apps are allowed. Block all apps by default and maintain an approved allowlist for applications your business actually uses.
- Private channel controls:Restrict who can create private channels in Teams to prevent shadow IT — set this in Teams admin center → Teams policies.
Implementing all eight of these configuration areas puts a Microsoft 365 tenant significantly ahead of the default out-of-the-box posture. For most small businesses in New Jersey and New York City, this baseline is sufficient to satisfy cyber liability insurance requirements, reduce phishing risk, and protect client data. The configurations described here should be reviewed at least quarterly — Microsoft updates the Defender and Entra platforms regularly, and new threat policies become available over time.
Minuswires works with businesses across NJ and NYC to implement, audit, and maintain Microsoft 365 security configurations as part of our managed IT security engagements. If you need help getting these settings right — or want a security audit of your current M365 environment — reach out for a free consultation.
Frequently Asked Questions
How do I enable MFA for all users in Microsoft 365?
In the Microsoft 365 admin center, go to Users > Active users, then select Multi-factor authentication from the top menu. Select all users, then click Enable. For a more robust approach, use Conditional Access policies in the Azure AD admin center (Microsoft Entra ID) to require MFA based on conditions like sign-in risk or device compliance status.
What is Conditional Access in Microsoft 365 and why does it matter?
Conditional Access is a Microsoft Entra ID (formerly Azure AD) feature that enforces access policies based on conditions such as user location, device health, and sign-in risk level. For example, you can require MFA only when a user signs in from outside the office network, or block access entirely from countries you do not do business with. It is one of the most effective identity security controls available in Microsoft 365.
What is the difference between SPF, DKIM, and DMARC for email security?
SPF (Sender Policy Framework) lists the IP addresses authorized to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound messages so recipients can verify they were not altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving mail servers what to do when a message fails SPF or DKIM checks — either quarantine it or reject it outright. All three work together to prevent email spoofing and phishing that impersonates your domain.
Does my small business really need Data Loss Prevention (DLP) policies?
Yes — especially if you handle customer financial data, medical records, Social Security numbers, or any personally identifiable information (PII). DLP policies in Microsoft 365 automatically detect and block sensitive content from being emailed outside your organization or shared via OneDrive and SharePoint with unauthorized recipients. Many compliance frameworks, including HIPAA and PCI-DSS, either require or strongly recommend DLP controls, and New Jersey's data breach notification law (NJSA 56:8-163) creates liability when sensitive data is improperly disclosed.
Need help securing your Microsoft 365 environment?
Minuswires helps NJ and NYC businesses configure, audit, and maintain Microsoft 365 security settings. Book a free consultation to review your current setup.
Get a Free Consultation