
Microsoft 365 security hardening for UK SMEs: a practical guide

Written by Daniel J Glover

Published 25 May 2026

12 minute read

Microsoft 365 is the productivity backbone for the majority of UK small and medium businesses. Email, documents, video calls, and collaboration all flow through a single Microsoft tenant — which makes that tenant one of the most valuable targets an attacker can access. Microsoft 365 security hardening for UK SMEs is not about buying additional software. It is about correctly configuring what you already pay for. Most SMEs have not done this.

Default Microsoft 365 settings prioritise ease of access. That is a reasonable choice for a product aimed at millions of organisations with different needs, but it is the wrong posture for your business once you understand what default settings leave exposed.

Why attackers target Microsoft 365 tenants

Microsoft 365 is attractive to attackers precisely because it is so widely used and so often misconfigured. A compromised Microsoft 365 account gives an attacker access to email — for reading sensitive communications, intercepting invoices, and launching further phishing attacks from a trusted address — as well as SharePoint files, Teams conversations, and often the single sign-on credentials that unlock other business systems.

The NCSC's 2024 Cyber Security Breaches Survey identified phishing as the most common attack vector against UK businesses, and the majority of successful phishing attacks target Microsoft 365 credentials. Business email compromise (BEC) — where attackers use access to an email account to redirect supplier payments or request urgent wire transfers — cost UK businesses hundreds of millions of pounds last year.

The good news is that the most impactful attacks are preventable with configuration changes that cost nothing beyond the time to make them.

Start with Microsoft Secure Score

Before making any changes, open the Microsoft 365 Defender portal (security.microsoft.com) and navigate to Secure Score. This tool gives your tenant a score out of 100 and lists specific recommended actions ranked by the improvement they would generate.

Secure Score is your baseline and your roadmap. Screenshot it before you start hardening so you can demonstrate progress. Share the score quarterly with your leadership team — it is one of the clearest ways to show that security investment is producing measurable improvement.

A newly created tenant with default settings typically scores in the 30-45 range. A well-hardened SME tenant should reach 70-80. Scores above 85 require controls (such as Microsoft Defender for Identity) that are usually only cost-justified in enterprise environments.

Work through the recommended actions in order of score gain versus implementation effort. Some high-value changes take five minutes. Others require planning around user experience.

Enforce multi-factor authentication for all users

If you implement only one change from this guide, make it this one. Multi-factor authentication (MFA) blocks over 99% of password-based account compromise attacks, according to Microsoft's own telemetry. It is the single most impactful security control available to UK SMEs.

How you enforce MFA depends on your Microsoft 365 licence tier.

Security Defaults (all licences): The simplest option. Security Defaults is a pre-configured set of baseline policies that Microsoft maintains. Enabling it requires no configuration knowledge and forces MFA for all users using the Microsoft Authenticator app or SMS. It also blocks legacy authentication protocols that cannot support MFA. For very small businesses with no dedicated IT resource, Security Defaults is the right starting point.

Conditional Access (Business Premium / E3 / E5): More powerful and more flexible than Security Defaults. Conditional Access lets you enforce MFA based on conditions — requiring MFA from all locations, or only from outside the office network, or with a lower friction experience for trusted managed devices. You cannot use both Security Defaults and Conditional Access simultaneously — if you have Business Premium or above, disable Security Defaults and implement Conditional Access policies directly.

Do not use per-user MFA (the legacy method). It is inconsistent, does not block legacy authentication, and is harder to manage than either Security Defaults or Conditional Access.

When rolling out MFA to an existing user base, communicate in advance. Explain why MFA is being added, which app users need to install, and when the requirement takes effect. A phased rollout — admins first, then department by department — reduces helpdesk load and resistance.

Protect admin accounts with dedicated credentials

Every Microsoft 365 tenant has Global Administrator accounts. These accounts can do anything in the tenant: reset passwords, change security settings, add users, and access all data. They are also the highest-value target for attackers.

Several hardening steps apply specifically to admin accounts.

Separate admin credentials from regular user accounts. Your IT administrator should have a day-to-day user account for email and productivity, and a separate admin account, named under a convention that clearly marks it as administrative, used only for administrative tasks. The admin account should not have a mailbox. This separation means that a phishing attack against the day-to-day account does not immediately yield admin-level access.

Require phishing-resistant MFA for admins. For admin accounts, go beyond standard MFA. Use FIDO2 hardware security keys (such as YubiKey) or the certificate-based authentication options available in Microsoft Entra ID. These are not phishable in the way that push notifications are — an attacker who has stolen your admin password cannot complete authentication without the physical key.

Minimise the number of Global Administrators. Many SME tenants have multiple people assigned as Global Administrator because it was the easiest way to give them access to something. Audit your Global Admins and reduce to the minimum needed — typically two accounts for redundancy. Assign narrower roles (Exchange Administrator, SharePoint Administrator, etc.) where full global access is not required.

Enable Privileged Identity Management (PIM) if you have Azure AD P2. PIM makes admin access just-in-time: admins activate elevated permissions for a defined time window when needed, rather than holding them permanently. This dramatically reduces the window of exposure if an admin account is compromised.

Block legacy authentication protocols

Legacy authentication refers to older protocols like SMTP AUTH, IMAP, POP3, and basic authentication that do not support MFA. Attackers use these protocols to bypass MFA entirely — if your tenant allows legacy authentication, an attacker with a stolen password can authenticate through POP3 even if MFA is enabled.

If you have enabled Security Defaults, legacy authentication is already blocked. If you are using Conditional Access, create a policy that blocks all legacy authentication protocols for all users and all applications. The only exception is if you have line-of-business applications that require legacy protocols — audit these carefully, and plan to replace or update them.
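The two Conditional Access policies this section and the previous one call for, "require MFA for all users" and "block legacy authentication", can be expressed as Microsoft Graph request bodies and checked for the mistakes that most often bite SMEs (no break-glass exclusion, policy left in report-only mode, not scoped to all users or all apps). This is an added example, not code from the article: the JSON shape is the real Graph `conditionalAccessPolicy` resource, but the function names, the lint rules and the break-glass object ID are constructed for illustration.

```python
"""Conditional Access policy bodies for 'require MFA for all users' and
'block legacy authentication', plus a lint pass for common mistakes.

Added example, not from the article. The JSON shape follows the Microsoft
Graph conditionalAccessPolicy resource (POST /identity/conditionalAccess/policies);
the function names, lint rules and the break-glass object ID are constructed.
"""
import json

# Constructed placeholder for an emergency-access ("break-glass") account's object ID.
# Every tenant-wide policy excludes it so a policy mistake cannot lock every admin out.
BREAK_GLASS_ACCOUNT_ID = "00000000-0000-0000-0000-000000000001"

REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph's name for report-only mode


def require_mfa_for_all_users(break_glass_ids, state=REPORT_ONLY):
    """Every user, every cloud app: grant access only after MFA."""
    return {
        "displayName": "Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def block_legacy_authentication(break_glass_ids, state=REPORT_ONLY):
    """Every user, every cloud app: block sign-ins from legacy clients.

    Entra reports IMAP, POP3, SMTP AUTH and other basic-auth clients under the
    'other' client app type; Exchange ActiveSync has its own type.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Findings for a tenant-wide policy; an empty list means it looks right."""
    findings = []
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    if users.get("includeUsers") != ["All"]:
        findings.append("does not target all users")
    if not users.get("excludeUsers"):
        findings.append("no break-glass account excluded")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not enforced")
    if conditions.get("applications", {}).get("includeApplications") != ["All"]:
        findings.append("does not cover all cloud apps")
    return findings


def as_graph_json(policy):
    """Serialise the body ready for POST /identity/conditionalAccess/policies."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Start every new policy in report-only mode, read the sign-in log impact,
    # then switch state to "enabled" once the exclusions are right.
    for policy in (require_mfa_for_all_users([BREAK_GLASS_ACCOUNT_ID]),
                   block_legacy_authentication([BREAK_GLASS_ACCOUNT_ID])):
        print(as_graph_json(policy))
        print("findings:", lint_policy(policy) or "none")
```

The bodies are posted to `/identity/conditionalAccess/policies` with the `Policy.ReadWrite.ConditionalAccess` permission. Creating them in report-only mode first, then reading the sign-in log for what they would have blocked, is the safe way to find the line-of-business application or scanner that still depends on a legacy protocol before the policy is enforced.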

You can check whether legacy authentication is actively being used in your tenant before blocking it. In the Microsoft Entra portal, navigate to Sign-in logs and filter by client app. Look for entries showing "Exchange ActiveSync", "IMAP", "POP3", or "SMTP". If you see regular traffic from these protocols, identify the source before blocking so you can manage the transition.

Configure Defender for Office 365 anti-phishing policies

Microsoft 365 includes Defender for Office 365 with anti-phishing, anti-malware, and safe links capabilities. The default policies provide basic protection but leave several important settings unconfigured.

In the Microsoft 365 Defender portal under Email & Collaboration > Policies & Rules > Threat Policies, review and strengthen each policy.

Anti-phishing: Enable impersonation protection for your key executives and domain. This detects emails that appear to come from your CEO or your own domain but are actually external. Set the action to quarantine (not just junk folder). Enable mailbox intelligence to improve detection accuracy.

Safe Links: Ensure Safe Links rewrites URLs in emails and checks them at click time. This protects against time-of-click attacks where a link is clean when delivered but malicious by the time someone clicks it. Enable Safe Links for Teams as well as email.

Safe Attachments: Enable Safe Attachments with Dynamic Delivery if your licence includes it. This detonates attachments in a sandbox before delivering them, with minimal delay to the user experience. Configure it for SharePoint and OneDrive as well.

DMARC, DKIM, and SPF: These three DNS-based email authentication standards are not Microsoft 365 settings per se, but they are critical to the overall email security picture. SPF and DKIM are configured in your DNS and tell receiving servers that your Microsoft 365 tenant is authorised to send on behalf of your domain. DMARC tells receiving servers what to do if SPF and DKIM checks fail — ideally, quarantine or reject the message. The NCSC provides clear guidance on configuring all three for UK organisations. If these are not in place, your domain can be spoofed by attackers to send phishing emails that appear to come from your address.
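The three records above can be verified with a short script rather than by eye. The following is an added example, not code from the article: it checks that a domain's SPF record includes Microsoft 365's sender host and ends in a hard fail, that both DKIM selector CNAMEs point at the tenant's `_domainkey` host, and that DMARC is enforcing rather than merely monitoring. The DNS answers come from a constructed in-memory table (the domains `good-sme.example` and `weak-sme.example` are invented) so it runs offline; the `lookup` function is the only thing to swap for a real resolver.

```python
"""Assess a domain's SPF, DKIM and DMARC records for a Microsoft 365 tenant.

Added example, not code from the article. DNS answers come from a constructed
in-memory table so the script runs offline; replace `lookup` with a real
resolver to check a live domain.
"""
import re

# Constructed sample zone data: one well-configured domain, one weak one.
CONSTRUCTED_DNS = {
    ("good-sme.example", "TXT"): ["v=spf1 include:spf.protection.outlook.com -all"],
    ("_dmarc.good-sme.example", "TXT"): [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@good-sme.example; pct=100"
    ],
    ("selector1._domainkey.good-sme.example", "CNAME"): [
        "selector1-good-sme-example._domainkey.goodsme.onmicrosoft.com"
    ],
    ("selector2._domainkey.good-sme.example", "CNAME"): [
        "selector2-good-sme-example._domainkey.goodsme.onmicrosoft.com"
    ],
    # Weak domain: SPF soft-fails, only one DKIM selector, DMARC in monitor mode.
    ("weak-sme.example", "TXT"): ["v=spf1 include:spf.protection.outlook.com ~all"],
    ("_dmarc.weak-sme.example", "TXT"): ["v=DMARC1; p=none"],
    ("selector1._domainkey.weak-sme.example", "CNAME"): [
        "selector1-weak-sme-example._domainkey.weaksme.onmicrosoft.com"
    ],
}


def lookup(name, rtype):
    """Stand-in resolver: returns record strings, or [] when nothing exists."""
    return CONSTRUCTED_DNS.get((name, rtype), [])


def parse_tags(record):
    """Turn 'v=DMARC1; p=quarantine' into {'v': 'DMARC1', 'p': 'quarantine'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(domain, resolver=lookup):
    findings = []
    spf = [r for r in resolver(domain, "TXT") if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # two SPF records is a permanent error for receivers
        return [f"SPF: expected exactly one v=spf1 record, found {len(spf)}"]
    record = spf[0]
    if "include:spf.protection.outlook.com" not in record:
        findings.append("SPF: does not include spf.protection.outlook.com")
    terminal = record.split()[-1]
    if terminal == "~all":
        findings.append("SPF: soft fail (~all); prefer -all once all senders are listed")
    elif terminal != "-all":
        findings.append(f"SPF: weak or missing 'all' mechanism ({terminal})")
    return findings


def assess_dkim(domain, resolver=lookup):
    """Microsoft 365 rotates between selector1 and selector2, so both CNAMEs are needed."""
    findings = []
    for selector in ("selector1", "selector2"):
        targets = resolver(f"{selector}._domainkey.{domain}", "CNAME")
        if not targets:
            findings.append(f"DKIM: {selector} CNAME missing")
        elif not re.search(r"\._domainkey\.[\w-]+\.onmicrosoft\.com$", targets[0]):
            findings.append(f"DKIM: {selector} does not point at the Microsoft 365 DKIM host")
    return findings


def assess_dmarc(domain, resolver=lookup):
    records = resolver(f"_dmarc.{domain}", "TXT")
    if not records:
        return ["DMARC: no record; the domain can be spoofed freely"]
    tags = parse_tags(records[0])
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: record does not start with v=DMARC1")
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy} only monitors; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def assess_domain(domain, resolver=lookup):
    """All findings for a domain; an empty list means the three records look right."""
    return assess_spf(domain, resolver) + assess_dkim(domain, resolver) + assess_dmarc(domain, resolver)


if __name__ == "__main__":
    for domain in ("good-sme.example", "weak-sme.example"):
        print(domain, assess_domain(domain) or ["no findings"])
```

To run it against a live domain, pass a resolver that returns the record strings for a name and type, for example a thin wrapper around dnspython's `dns.resolver.resolve(name, rtype)`. Moving DMARC from `p=none` to `p=quarantine` is best done after a few weeks of reading the aggregate reports sent to the `rua=` address, so that a legitimate third-party sender missing from SPF is found before its mail starts being quarantined.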

Enforce device compliance with Intune

If your Microsoft 365 licence includes Intune (included in Business Premium), you can require that only compliant, managed devices access company data. This closes a significant gap that MFA alone cannot address: a user authenticated on a malware-infected personal device.

Enrol company-owned devices into Intune. This gives you visibility into device health and lets you push security configurations (disk encryption, screen lock, OS patching requirements) centrally.

Create Conditional Access policies requiring compliant devices for access to sensitive applications like email and SharePoint. Users on unmanaged devices are either blocked or directed to a limited access experience.

Configure compliance policies to require: BitLocker encryption, a minimum OS version (to ensure devices are patched), a PIN or password, and antivirus running and up to date.

For organisations where BYOD (bring your own device) is unavoidable, Intune App Protection Policies (MAM without enrollment) let you enforce data handling rules on managed apps on personal devices without requiring full device management. This is a practical middle ground for many UK SMEs.

Control external sharing and guest access

Default Microsoft 365 settings allow broad external sharing. Users can share SharePoint files with anyone via link, and Teams can invite external guests from any organisation. For most SMEs, this level of openness creates unnecessary risk.

Review your external sharing settings in the SharePoint admin centre and Teams admin centre. Apply the principle of least privilege: allow only what the business genuinely needs.

For SharePoint and OneDrive: Change the default sharing type from "Anyone (anonymous links)" to "New and existing guests" or "Existing guests only". Set default link expiry dates for external links (30 days is a reasonable starting point). Restrict external sharing to specific domains where you have established supplier relationships.

For Teams: Review whether external access (federation with other organisations) and guest access are both required. Guest access is typically needed for collaboration with suppliers; external access for one-on-one calls and chats. Both can be restricted to specific domains.

Review existing sharing: Run a SharePoint report on shared files to understand what is currently shared externally and with whom. Many organisations discover files shared via anonymous links that have been sitting accessible for years.

Monitor with audit logs and alerts

You cannot defend what you cannot see. Microsoft 365 includes unified audit logging and alert policies that are underused by most SMEs.

Ensure unified audit logging is enabled in the Microsoft Purview compliance portal. Audit logs capture user and admin activity across Exchange, SharePoint, Teams, and Azure AD. For most licences, logs are retained for 90 days; E5 and Microsoft 365 Business Premium with add-ons can extend this.

Create alert policies for high-risk activities: mass file download or deletion (potential data exfiltration or ransomware), inbox rule creation (a common attacker technique to forward email to external addresses), admin role changes, and new risky sign-in patterns.
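The inbox-rule alert described above is simple enough to reproduce over an audit log export, which is useful both for tuning the built-in alert policy and for a retrospective look after an incident. The following is an added example, not code from the article: it reads Exchange records in the unified audit log's `AuditData` shape (`Operation`, `UserId`, and `Parameters` as Name/Value pairs that mirror the `New-InboxRule` cmdlet parameters) and flags rules that forward or redirect mail outside the tenant, delete messages, hide behind a punctuation-only name, or key on payment-related subject words. The sample records and the internal domain list are constructed.

```python
"""Flag suspicious inbox rules in unified audit log records.

Added example, not code from the article. The record layout follows the
Exchange entries in the unified audit log (Operation, UserId, Parameters as
Name/Value pairs mirroring the New-InboxRule cmdlet parameters); the sample
records and the internal domain list are constructed.
"""
import json

INTERNAL_DOMAINS = {"example-sme.co.uk"}  # constructed: the tenant's own accepted domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
PAYMENT_WORDS = ("invoice", "payment", "bank", "password")

# Constructed sample records, shaped like the AuditData JSON of Exchange entries.
CONSTRUCTED_AUDIT_RECORDS = [
    {   # The BEC pattern: hide the rule, forward invoices out, delete the originals.
        "CreationTime": "2026-05-20T07:12:44", "Operation": "New-InboxRule",
        "UserId": "finance@example-sme.co.uk", "Workload": "Exchange",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "collector@mail-drop.invalid"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
        ],
    },
    {   # Ordinary housekeeping rule.
        "CreationTime": "2026-05-20T09:30:01", "Operation": "New-InboxRule",
        "UserId": "alice@example-sme.co.uk", "Workload": "Exchange",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "newsletter"},
        ],
    },
    {   # Redirect, but to an internal colleague: not flagged.
        "CreationTime": "2026-05-21T16:05:10", "Operation": "Set-InboxRule",
        "UserId": "bob@example-sme.co.uk", "Workload": "Exchange",
        "Parameters": [
            {"Name": "Identity", "Value": "Delegate copy"},
            {"Name": "RedirectTo", "Value": "assistant@example-sme.co.uk"},
        ],
    },
]


def load_audit_data(json_lines):
    """Parse one AuditData JSON document per line, as exported from the audit log."""
    return [json.loads(line) for line in json_lines if line.strip()]


def parameters(record):
    """Flatten the Name/Value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True when the recipient's domain is not ours (handles 'Name <a@b>' forms)."""
    domain = address.rsplit("@", 1)[-1].strip("> ").lower()
    return domain not in INTERNAL_DOMAINS


def analyse_rule(record):
    """Reasons this rule deserves a human look; [] when nothing stands out."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = parameters(record)
    reasons = []
    for name in FORWARDING_PARAMS:
        if name in params and is_external(params[name]):
            reasons.append(f"{name} sends mail to external address {params[name]}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes messages, hiding them from the mailbox owner")
    rule_name = params.get("Name", "")
    if rule_name and not any(ch.isalnum() for ch in rule_name):
        reasons.append(f"rule name {rule_name!r} is punctuation only, easy to overlook in Outlook")
    subject_words = params.get("SubjectContainsWords", "").lower()
    if any(word in subject_words for word in PAYMENT_WORDS):
        reasons.append("rule keys on payment or credential related subject words")
    return reasons


def find_suspicious_rules(records):
    """One finding per suspicious rule: who created it, when, and why it was flagged."""
    hits = []
    for record in records:
        reasons = analyse_rule(record)
        if reasons:
            hits.append({"time": record["CreationTime"], "user": record["UserId"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rules(CONSTRUCTED_AUDIT_RECORDS):
        print(hit["time"], hit["user"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

In practice the records come from `Search-UnifiedAuditLog` in Exchange Online PowerShell (its `AuditData` property holds the JSON this script parses) or from the Purview audit search export. A hit on the finance mailbox with forwarding, deletion and invoice keywords together is the classic business email compromise footprint and should trigger an immediate password reset, session revocation and rule removal.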

Review sign-in logs monthly in the Microsoft Entra portal. Look for sign-ins from unexpected geographies, sign-in attempts outside business hours for administrative accounts, and risky sign-ins flagged by Azure AD Identity Protection.
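Both the pre-blocking legacy authentication check from the earlier section and the monthly sign-in review described here can be run over a sign-in log export with one script. The following is an added example, not code from the article: the field names follow the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `clientAppUsed`, `location.countryOrRegion`, `status.errorCode`), while the sample events, the expected-country list, the business-hours window and the `admin-` naming convention are constructed assumptions. It produces the inventory of accounts still using legacy protocols, successful sign-ins from unexpected countries, and admin sign-ins outside business hours.

```python
"""Triage an Entra sign-in log export: legacy protocols, unexpected countries,
and admin sign-ins outside business hours.

Added example, not from the article. Field names follow the Microsoft Graph
signIn resource (createdDateTime, userPrincipalName, clientAppUsed,
location.countryOrRegion, status.errorCode); the events, expected countries,
business-hours window and admin naming convention are constructed assumptions.
"""
from collections import Counter
from datetime import datetime, timezone

# clientAppUsed values Entra reports for protocols that cannot complete MFA.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
EXPECTED_COUNTRIES = {"GB"}        # assumption: staff only sign in from the UK
BUSINESS_HOURS_UTC = range(7, 19)  # assumption: 07:00-18:59 UTC, ignoring BST for brevity
ADMIN_PREFIX = "admin-"            # assumption: dedicated admin accounts are named admin-<user>


def event(when, upn, client, ip, country, error_code=0):
    """Build one sign-in record in the Graph signIn shape (constructed sample data)."""
    return {"createdDateTime": when, "userPrincipalName": upn, "clientAppUsed": client,
            "ipAddress": ip, "location": {"countryOrRegion": country},
            "status": {"errorCode": error_code}}


CONSTRUCTED_SIGNINS = [
    event("2026-05-18T09:14:02Z", "alice@example-sme.co.uk", "Browser", "203.0.113.10", "GB"),
    # A multifunction printer still relaying via SMTP AUTH: find and fix before blocking.
    event("2026-05-18T09:20:45Z", "scanner@example-sme.co.uk", "Authenticated SMTP", "203.0.113.20", "GB"),
    event("2026-05-18T09:21:00Z", "scanner@example-sme.co.uk", "Authenticated SMTP", "203.0.113.20", "GB"),
    # IMAP from an unexpected country at night: the MFA bypass the article describes.
    event("2026-05-18T22:41:17Z", "bob@example-sme.co.uk", "IMAP4", "198.51.100.7", "NG"),
    # Admin account used in the small hours.
    event("2026-05-19T02:03:55Z", "admin-dan@example-sme.co.uk", "Browser", "203.0.113.30", "GB"),
    # Failed password attempt from abroad (50126): not a successful sign-in, so not listed.
    event("2026-05-19T02:04:10Z", "carol@example-sme.co.uk", "Browser", "198.51.100.9", "US", 50126),
]


def succeeded(e):
    return e.get("status", {}).get("errorCode", 0) == 0


def legacy_auth_inventory(events):
    """Successful legacy-protocol sign-ins per (protocol, account): the list to migrate."""
    counts = Counter()
    for e in events:
        if succeeded(e) and e.get("clientAppUsed") in LEGACY_CLIENT_APPS:
            counts[(e["clientAppUsed"], e["userPrincipalName"])] += 1
    return counts


def unexpected_country_signins(events):
    """Successful sign-ins from outside the expected countries."""
    return [e for e in events
            if succeeded(e) and e.get("location", {}).get("countryOrRegion") not in EXPECTED_COUNTRIES]


def parse_time(stamp):
    """Graph timestamps are ISO 8601 with a trailing Z; normalise to aware UTC."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def admin_signins_out_of_hours(events):
    """Successful admin sign-ins at weekends or outside the business-hours window."""
    hits = []
    for e in events:
        if not (succeeded(e) and e["userPrincipalName"].startswith(ADMIN_PREFIX)):
            continue
        when = parse_time(e["createdDateTime"])
        if when.weekday() >= 5 or when.hour not in BUSINESS_HOURS_UTC:
            hits.append(e)
    return hits


if __name__ == "__main__":
    for (client, upn), n in sorted(legacy_auth_inventory(CONSTRUCTED_SIGNINS).items()):
        print(f"legacy auth: {client:<20} {upn} ({n} sign-ins)")
    for e in unexpected_country_signins(CONSTRUCTED_SIGNINS):
        print(f"unexpected country: {e['userPrincipalName']} from {e['location']['countryOrRegion']}")
    for e in admin_signins_out_of_hours(CONSTRUCTED_SIGNINS):
        print(f"admin out of hours: {e['userPrincipalName']} at {e['createdDateTime']}")
```

The events can be downloaded from the Sign-in logs blade as JSON or pulled with `GET /auditLogs/signIns` in Graph. The inventory is the useful output before the legacy-authentication block goes live: every (protocol, account) pair in it is a device or application that needs reconfiguring or replacing, and the scanner example above is the typical SME case.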

For SMEs without a dedicated security operations function, integrating Microsoft 365 alerts into a simple email-based notification process — where security alerts go to a monitored mailbox — is a low-cost way to maintain visibility without a SIEM.

Align with Cyber Essentials

The UK government's Cyber Essentials certification scheme covers five technical controls, and a correctly hardened Microsoft 365 tenant contributes directly to three of them: secure configuration, user access control, and malware protection. If Cyber Essentials is on your roadmap — and for most UK SMEs working with public sector clients, it should be — treating Microsoft 365 hardening as the foundation of your compliance programme is efficient use of effort.

If you work with public sector organisations or hold personal data at any scale, the GDPR compliance requirements for data security also align directly with the controls described here. A hardened tenant, with data loss prevention policies and audit logging enabled, substantially reduces your exposure to ICO enforcement under the UK GDPR.

A practical hardening sequence for UK SMEs

You do not need to implement every control simultaneously. A pragmatic sequence:

Week 1: Enable MFA for all users (Security Defaults if under Business Premium; Conditional Access otherwise). Block legacy authentication. Change admin accounts to separate credentials.

Week 2: Review and strengthen Defender for Office 365 policies — anti-phishing impersonation protection, Safe Links, Safe Attachments. Verify SPF, DKIM, and DMARC records in DNS.

Week 3: Review and restrict external sharing settings in SharePoint and Teams. Enable unified audit logging if not already active.

Month 2: Begin Intune device enrolment for company-owned devices. Create Conditional Access policy requiring compliant devices for email access.

Ongoing: Review Secure Score monthly. Check sign-in logs for anomalies. Update Conditional Access policies as your device estate changes.

Getting help with Microsoft 365 security hardening

For most UK SMEs, the controls described here are implementable without external help if you have someone internally with the time and confidence to work through them systematically. Microsoft's documentation is thorough, and the Secure Score recommended actions include direct links to configuration steps.

If your organisation lacks internal IT resource, or if you want independent assurance that your configuration is correct, security consulting support can accelerate this process significantly and provide documentation suitable for Cyber Essentials or ISO 27001 audit purposes.

The IT compliance services required for certifications like Cyber Essentials Plus or ISO 27001 begin with evidence of technical controls — and a hardened Microsoft 365 tenant is a strong foundation for that evidence base.

A well-configured Microsoft 365 tenant is not a guarantee against all attacks. It is a substantial reduction in the probability of the most common ones — credential compromise, phishing, and business email compromise — that represent the majority of cyber incidents affecting UK SMEs today.

Frequently Asked Questions

Is Microsoft 365 secure out of the box for UK SMEs?

No. Microsoft 365 ships with default settings designed for accessibility, not maximum security. Features like multi-factor authentication, Conditional Access, and advanced threat protection must be explicitly configured. Without hardening, your tenant is at material risk from credential attacks and phishing.

What is Microsoft Secure Score and how should UK SMEs use it?

Microsoft Secure Score is a dashboard in the Microsoft 365 Defender portal that quantifies your security posture on a 0-100 scale and lists recommended actions with estimated score improvements. UK SMEs should review it monthly, prioritise actions by score gain versus implementation effort, and use it as a board-level reporting tool to track security progress over time.

Does Microsoft 365 Business Premium include everything needed for UK SME security?

Microsoft 365 Business Premium provides the strongest security feature set for SMEs under 300 seats, including Defender for Business, Intune device management, Azure AD P1 for Conditional Access, and Defender for Office 365 Plan 1. It does not replace a security strategy — the features must be configured correctly — but it removes the need for most third-party security tools at that scale.

How does Microsoft 365 hardening help with Cyber Essentials certification?

Cyber Essentials requires five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. Microsoft 365 Business Premium, correctly configured, can satisfy the secure configuration, user access control, and malware protection controls. MFA is now mandatory for Cyber Essentials Plus. A hardened Microsoft 365 tenant significantly accelerates your Cyber Essentials assessment.

About the author

Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
