If you’re paying for Microsoft 365 Business Standard or Premium, you’re already paying for security features that most small businesses have never turned on. They’re not hidden - they’re just not configured by default, and the setup isn’t obvious if you’re not digging around in the admin portal.

Here’s what matters most, in order of impact.

Multi-factor authentication (MFA) - enforce it, don’t just offer it

Microsoft 365 has always let users register MFA. Whether anything actually requires it at sign-in depends on your tenant: tenants created since late 2019 get Security Defaults switched on, which forces everyone to register and use MFA, while older tenants, or ones where an admin turned Security Defaults off, leave MFA as an opt-in. Offering it is not the same as requiring it, and the people who skip it are usually the ones attackers want.

Go to the Microsoft Entra admin center (entra.microsoft.com; this is what the older Azure Active Directory blade in the Azure portal became) → Identity → Overview → Properties → Manage security defaults, and turn Security Defaults on. Better yet, on Business Premium, use Conditional Access (Protection → Conditional Access; more on that below) to require MFA for all users. The two are mutually exclusive: Security Defaults has to be off before Conditional Access policies can be enabled, so switch it off only once your policies are in place. One compromised Microsoft 365 account with no MFA is enough to expose your entire business - email, files, contacts, everything that user could reach.

Password spray attacks against Microsoft 365 accounts are common and mostly automated: a few common passwords tried against every account in your domain, slowly enough to stay under lockout thresholds. MFA stops the vast majority of them cold, because a guessed password alone no longer gets a session. Two caveats: older protocols that still use basic authentication (legacy auth) never show an MFA prompt, so block them as well (Security Defaults does this; with Conditional Access you add a policy for it), and SMS or voice codes are weaker against phishing than the Authenticator app or a FIDO2 security key, so steer users toward those.

Conditional Access: smarter than a blanket policy

If you’re on Microsoft 365 Business Premium (which includes Microsoft Entra ID P1), you have access to Conditional Access policies. These let you get more specific: require MFA only when signing in from outside the office, block sign-ins from countries you never do business with, or require an Intune-enrolled, compliant device before allowing access to sensitive data. Business Standard does not include Entra ID P1, so there Security Defaults is as far as you can go without an add-on licence.

The most useful starting set for most small businesses: require MFA for all users on all cloud apps, require MFA for admin roles with no exceptions, and block legacy authentication. If you want to spare the team a prompt on a known machine in the office, you can exclude a named trusted location from the all-users policy (never from the admin policy), but understand what that buys an attacker: anyone who gets onto the office network, or who shares the same public IP as your guest Wi-Fi, signs in without MFA. Two habits save a lot of grief: exclude one emergency-access (break-glass) account from every policy so a mistake can’t lock every admin out, and create each policy in report-only mode first, watch the sign-in logs for a few days, then switch it to enforced.
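The MFA enforcement and Conditional Access sections above describe one procedure, so here is the whole thing in Microsoft Graph PowerShell as an added example (not code from the original post or from Microsoft): list who has no MFA method registered, then create the three baseline policies in report-only mode. It assumes the Microsoft.Graph PowerShell SDK is installed, that you sign in as a Global or Conditional Access Administrator, that the tenant has Entra ID P1 (Business Premium), and that Security Defaults is already off. The break-glass account name and the policy names are hypothetical.

```powershell
# Added example, not from the original post. Assumes: Install-Module Microsoft.Graph,
# an Entra ID P1 tenant (Business Premium), and Security Defaults already OFF
# (Conditional Access policies cannot be enabled while it is on).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
    'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All', 'User.Read.All', 'Directory.Read.All'

# 1. Who has no MFA method registered? These users get the registration prompt the
#    first time a policy below applies to them, so warn them before you enforce.
$noMfa = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered
$noMfa | Format-Table -AutoSize

# 2. Emergency-access (break-glass) account, excluded from every policy.
#    Hypothetical name: use a cloud-only account with a long random password kept
#    offline, and alert on any sign-in by it.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id

# Directory role template IDs for the admin roles that must always get MFA.
# Looked up by name so the IDs are not hard-coded.
$adminRoleNames = 'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Conditional Access Administrator', 'Exchange Administrator', 'User Administrator',
    'Application Administrator'
$adminRoles = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id

# 3. Three policies, all created in report-only mode first.
$policies = @(
    @{
        displayName   = 'CA001 - Require MFA for all users'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
            applications = @{ includeApplications = @('All') }
            # Office exemption discussed in the text. Delete this 'locations' block to
            # require MFA everywhere, which is the stronger choice.
            locations    = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'CA002 - Require MFA for admins everywhere'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeRoles = @($adminRoles); excludeUsers = @($breakGlass) }
            applications = @{ includeApplications = @('All') }
            # Deliberately no locations condition: admins get MFA even in the office.
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'CA003 - Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            # 'other' covers basic-auth clients (IMAP, POP, SMTP AUTH, older Office)
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

After a few days of report-only results in the Entra sign-in logs (each sign-in shows which policy would have applied and what it would have done), flip a policy to enforced with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`. The `AllTrusted` exclusion only means something once you have defined a named location marked as trusted under Protection → Conditional Access → Named locations; without one it falls back to the legacy MFA trusted-IP list.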

Safe Links and Safe Attachments: real-time scanning of links and files

These are in Microsoft Defender for Office 365 Plan 1, which is included in Business Premium and available as an add-on for Business Standard. They add real-time scanning of links and attachments in email:

Safe Links rewrites URLs in email so that clicks go through Microsoft first. When someone clicks, the destination is checked in real time against Microsoft’s threat intelligence, not just once at delivery. If the link has been flagged as malicious since the email was sent - even minutes before the click - the click gets blocked. Since late 2021 the Built-in protection preset applies a baseline Safe Links and Safe Attachments configuration to every licensed user; the Standard or Strict preset security policy, or a policy you write yourself, tightens those settings. Check which policy actually covers your users rather than assuming.

Safe Attachments opens email attachments in a sandbox before delivery. If the file behaves maliciously when opened there, the message is blocked or quarantined before it ever reaches your user. It adds a short delivery delay for messages with attachments, and a separate setting extends the same scanning to files uploaded to SharePoint, OneDrive and Teams.

Neither of these is a substitute for training and awareness, and neither catches everything. But they’re good catches for the times someone clicks before thinking.
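The Safe Links and Safe Attachments setup described above, done explicitly in Exchange Online PowerShell so you can see and verify every setting, as an added example (not code from the original post or from Microsoft). It assumes the ExchangeOnlineManagement module is installed and that the tenant has a Defender for Office 365 Plan 1 licence; the policy names are hypothetical.

```powershell
# Added example, not from the original post. Assumes Install-Module ExchangeOnlineManagement
# and a Defender for Office 365 Plan 1 licence (Business Premium). Policy names are made up.
Connect-ExchangeOnline

# Apply the policies to every domain the tenant accepts mail for.
$domains = (Get-AcceptedDomain).DomainName

# Safe Links: rewrite URLs and check them at click time in email, Teams and Office apps.
# Scan internal mail too (a compromised colleague is a common phishing source),
# do not let users click through to a blocked URL, and keep click records for investigations.
New-SafeLinksPolicy -Name 'SafeLinks-AllUsers' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false -DisableUrlRewrite $false
New-SafeLinksRule -Name 'SafeLinks-AllUsers' -SafeLinksPolicy 'SafeLinks-AllUsers' `
    -RecipientDomainIs $domains -Priority 0

# Safe Attachments: detonate in the sandbox and block the whole message if the file
# misbehaves. Blocked mail lands in quarantine that only admins can release.
New-SafeAttachmentPolicy -Name 'SafeAttachments-AllUsers' -Enable $true -Action Block `
    -QuarantineTag 'AdminOnlyAccessPolicy'
New-SafeAttachmentRule -Name 'SafeAttachments-AllUsers' -SafeAttachmentPolicy 'SafeAttachments-AllUsers' `
    -RecipientDomainIs $domains -Priority 0

# Extend Safe Attachments to files already sitting in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify who is actually covered. A rule with State = Disabled protects nobody.
Get-SafeLinksRule       | Format-Table Name, State, Priority, RecipientDomainIs
Get-SafeAttachmentRule  | Format-Table Name, State, Priority, RecipientDomainIs
Get-AtpPolicyForO365    | Format-Table EnableATPForSPOTeamsODB
```

The shorter route is to turn on the Standard preset from Defender portal → Policies → Preset security policies, which creates equivalent Safe Links and Safe Attachments rules for you; the explicit version above is useful when you want to know exactly what is on, or when the preset rules already exist and you just want to confirm them with `Get-ATPProtectionPolicyRule`.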

Audit logging: know what’s happening

Microsoft 365 logs most user and admin activity to the unified audit log. For most tenants it has been on by default since 2019, but older tenants and anyone who once turned it off need to check: go to the Microsoft Purview portal → Audit (this is what the Compliance Center became) and, if you see a banner offering to start recording user and admin activity, click it. Business Premium includes Audit (Standard), which keeps events for 180 days; Entra sign-in logs are a separate store kept for 30 days on P1. If you need history beyond that, export it somewhere.

Why it matters: if you ever have a security incident - unauthorized access, a data breach, an account compromise - audit logs are often the difference between understanding what happened and guessing. They show you sign-in history with source IPs, file access, inbox rule and forwarding changes, admin changes. Without them, forensics after an incident is largely blind.

Turn it on now, before you need it.
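To show what the audit log gives you once it is on, here is an added example (not code from the original post or from Microsoft) that confirms ingestion is enabled and then summarises one account’s sign-ins over the last week by source IP, which is the first question in any compromise investigation. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role; the user principal name is hypothetical.

```powershell
# Added example, not from the original post. Assumes Install-Module ExchangeOnlineManagement
# and a role that includes Audit Logs (Organization Management or Compliance Management).
Connect-ExchangeOnline

# 1. Is the unified audit log actually recording? If this is False, the history
#    below simply does not exist, so turn it on now rather than during an incident.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Audit logging was off; it can take some hours before events appear.'
}

# 2. Sign-in history for one user (hypothetical UPN), last 7 days.
$user  = 'jane.doe@contoso.com'
$end   = Get-Date
$start = $end.AddDays(-7)

# AzureActiveDirectoryStsLogon covers both UserLoggedIn and UserLoginFailed.
# Search-UnifiedAuditLog returns at most 5000 rows per call; use -SessionCommand
# ReturnLargeSet and -SessionId for bigger windows.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user `
    -RecordType AzureActiveDirectoryStsLogon -ResultSize 5000

# The interesting fields live in the AuditData JSON blob, not in the top-level columns.
$parsed = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = [datetime]$d.CreationTime
        Op       = $d.Operation        # UserLoggedIn / UserLoginFailed
        ClientIP = $d.ClientIP
        Result   = $d.ResultStatus
        App      = $d.ApplicationId
    }
}

# One row per (IP, outcome): a burst of UserLoginFailed from one address is a spray;
# a single UserLoggedIn from an address you have never seen is the thing to chase.
$parsed |
    Group-Object ClientIP, Op |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group.Time | Sort-Object)[0] } },
        @{ n = 'Last';  e = { ($_.Group.Time | Sort-Object)[-1] } } |
    Format-Table -AutoSize
```

The same search with `-Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox` instead of `-RecordType` shows who created or changed mailbox rules and when, which is how you tie a forwarding rule (next section) back to the session that planted it.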

Email forwarding rules: the quiet threat

This one gets missed constantly. A common attack pattern: an attacker compromises a Microsoft 365 account, sets up an auto-forwarding rule to send all incoming email (or just mail matching words like "invoice" or "payment") to an external address, then covers their tracks, often with a second rule that deletes the forwarded copies or moves them to an obscure folder such as RSS Feeds. The rule runs silently in the background, potentially for weeks, and it survives a password reset.

Forwarding can live in three places, and you need to check all of them: mailbox-level forwarding (Microsoft 365 admin center → Users → Active users → select the user → Mail → Email forwarding), inbox rules created from Outlook, which only show up per mailbox, and org-wide mail flow rules under the Exchange admin center → Mail flow → Rules. Look specifically for anything that sends to an external address and that nobody set up intentionally. The Defender portal’s auto-forwarded messages report and the default "Suspicious email forwarding activity" alert policy help you spot these too. If you find one you didn’t create, treat it as a serious incident: reset the password, revoke the user’s sessions, remove the rule, and then read the audit log to see what else that account did.

You can also block automatic external forwarding for the whole tenant in the outbound spam filter policy (Defender portal → Policies & rules → Threat policies → Anti-spam → Anti-spam outbound policy → Automatic forwarding rules → Off). Exchange Online has treated the default "Automatic" setting as blocked since 2020, but set it to Off explicitly so nobody has to guess, and create a separate outbound policy for the few mailboxes that genuinely need to forward. This closes the forwarding route; it does not stop an attacker with a live session from reading or downloading mail directly, which is what MFA and session revocation are for.
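The hunt-then-block procedure from this section in Exchange Online PowerShell, as an added example (not code from the original post or from Microsoft): it enumerates all three forwarding locations, flags external targets and rules that also hide the evidence, and then sets the tenant-wide block. It assumes the ExchangeOnlineManagement module and Exchange Administrator rights; `Test-External` is a helper written for this example.

```powershell
# Added example, not from the original post. Assumes Install-Module ExchangeOnlineManagement
# and Exchange Administrator rights. Test-External is a helper made up for this example.
Connect-ExchangeOnline

$internal = (Get-AcceptedDomain).DomainName

function Test-External([string]$addr) {
    # Rule targets look like:  "Jane Doe" [SMTP:jane@example.org]   or   smtp:jane@example.org
    if ($addr -match '[\w.+-]+@([\w.-]+)') { return $Matches[1] -notin $internal }
    return $false   # legacy DN / unresolved entries are internal directory objects
}

$findings = @()

# 1. Mailbox-level forwarding (what the admin centre shows under Mail > Email forwarding).
#    ForwardingAddress points at a directory object; a mail contact with an external
#    address would hide there, so review those by hand.
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Type = 'MailboxForwarding'; Mailbox = $_.UserPrincipalName
            Target = (@($_.ForwardingSmtpAddress, $_.ForwardingAddress) -join ' ')
            External = (Test-External $_.ForwardingSmtpAddress); Hidden = $false }
    }

# 2. Inbox rules (the usual attacker choice). Hidden = the rule also deletes, moves
#    or marks as read, i.e. the "covering tracks" step from the text.
foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            $findings += [pscustomobject]@{
                Type = 'InboxRule'; Mailbox = $mbx.UserPrincipalName
                Target = "$($_.Name): $($targets -join ', ')"
                External = [bool]($targets | Where-Object { Test-External $_ })
                Hidden = [bool]($_.DeleteMessage -or $_.MoveToFolder -or $_.MarkAsRead) }
        }
}

# 3. Org-wide mail flow (transport) rules that copy or redirect messages.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    ForEach-Object {
        $targets = @($_.RedirectMessageTo) + @($_.BlindCopyTo) + @($_.CopyTo) + @($_.AddToRecipients) | Where-Object { $_ }
        $findings += [pscustomobject]@{
            Type = 'TransportRule'; Mailbox = '(org-wide)'
            Target = "$($_.Name): $($targets -join ', ')"
            External = [bool]($targets | Where-Object { Test-External $_ }); Hidden = $false }
    }

# External = True that nobody can account for is an incident, not a cleanup item.
$findings | Sort-Object External, Hidden -Descending | Format-Table -AutoSize

# 4. Block automatic external forwarding for everyone. "Automatic" has meant blocked
#    since 2020; setting Off makes the intent explicit. Put genuine exceptions in a
#    separate outbound policy scoped to those users rather than loosening Default.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
```

Run the hunt part on a schedule, not just once: the block in step 4 stops the forwarded mail from leaving, but the rule itself still gets created and is your earliest signal that an account has been taken over.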

Where to go from here

Start with MFA enforcement - this week, not eventually. Then confirm audit logging and block external forwarding (both take minutes), then Safe Links/Attachments if you’re on Business Premium. Conditional Access policies are worth setting up but take a bit more configuration work and a report-only trial before you enforce them.

If you want someone to walk through your Microsoft 365 security posture and tell you what’s actually configured versus what should be, reach out to DarkHorse IT. We do this for businesses around Fargo-Moorhead regularly and it usually takes less than a day.