KOM CLOUDSERVICE
All Insights

Microsoft 365 Security Checklist for Small Business

Twelve Microsoft 365 security settings every small business should have on, written as plain questions you can ask your IT person. No jargon needed.

Microsoft 365 ships with most of its security features turned off by default. That’s not an accident (Microsoft leaves the choices to you), but it means a brand-new tenant is not a secure one. The good news: you don’t need to understand the settings yourself. You just need to know what to ask for.

Here are twelve concrete checks, written as plain questions you can put to whoever manages your Microsoft 365. If the answer to any of them is “no” or “not sure,” you’ve found something worth fixing.

The checklist

  1. Is multi-factor authentication (MFA) on for every single account? MFA (the second step, usually a code or app approval on top of your password) is the single most effective control there is. “For most people” isn’t good enough; the one account without it is the one attackers find. Ask specifically about admin accounts, which are the biggest prize.

  2. Is legacy authentication blocked? Old email protocols from before MFA existed can be used to log in without it, a side door that makes your MFA pointless. Turning these off closes the door. Almost no modern business still needs them.

  3. Are Conditional Access policies in place? These are rules that decide when a login is allowed. For example, you can block sign-ins from countries you don’t operate in, or require extra verification from an unrecognized device. They turn “correct password” into “correct password, from a reasonable place, on a known device.”

  4. Are admin accounts separate from everyday accounts? The account someone uses to read email and browse the web should not also be the one that can reconfigure your whole tenant. Separate admin accounts mean a phished day-to-day login can’t hand an attacker the keys to everything.

  5. Are mail-forwarding rules and inbox rules audited? One of the first things an attacker does after breaking into a mailbox is set a quiet rule that forwards copies of your email to them, or auto-deletes their own messages so you don’t notice. Someone should be periodically reviewing every account for rules nobody set on purpose.

  6. Are anti-phishing and anti-malware policies configured? Microsoft 365 can screen incoming mail for impersonation, malicious links, and dangerous attachments, but the stronger protections have to be switched on and tuned. Default-on is not the same as configured-well.

  7. Is audit logging turned on? If something goes wrong, audit logs are how you find out what happened: who logged in, from where, what changed. Turn this on before an incident. After the fact, if it wasn’t already recording, the history you need simply doesn’t exist.

  8. Do you have real backup, beyond the recycle bin? This is the one most businesses get wrong. Microsoft keeps deleted items for a limited window, but that is retention, not backup. It won’t save you from ransomware, a rogue employee, or a deletion you discover months later. Ask whether you have separate, tested backup of email and files, and when it was last verified by actually restoring something.

  9. Are the devices accessing your data managed? Laptops and phones that touch company email should be enrolled in device management so a lost or stolen one can be locked or wiped remotely, and so only devices meeting your standards get in. An unmanaged personal laptop is an invisible gap.

  10. Is guest and external sharing reviewed? Over time, files and folders get shared with outside people, contractors come and go, and “anyone with the link” access piles up. Someone should periodically review who outside your company can reach your data, and revoke what’s stale.

  11. Is there an offboarding process when someone leaves? When an employee departs, their access should be revoked the same day and their sign-in sessions ended. Dormant accounts with live passwords are a favorite way back in. They’re easy to forget.

  12. Has anyone looked at your Microsoft Secure Score? Microsoft gives every tenant a running security score with specific, prioritized recommendations. It’s a free, built-in report card. If no one has opened it, that’s the fastest way to see where you stand.

What to do with this list

You don’t have to act on all twelve at once, and you don’t have to become an expert. Print this, hand it to your IT person or provider, and ask them to walk you through each one. A good answer sounds like “yes, here’s how,” not “we’ll look into it.” Getting a Microsoft 365 tenant configured this way, and keeping it that way as people and devices change, is exactly the ongoing work KOM Cloud Service handles for clients, alongside the managed detection and response that watches for the break-ins these settings are meant to prevent.

If you’d rather have a certified engineer just check your setup against this list for you, book a free 15-minute consult and we’ll tell you honestly where you stand.

Talk to the person who'll actually run your IT.

Book a free 15-minute consult. No sales pitch from a stranger, just a straight conversation about what your business needs.

Book your free consult

Or call (732) 701-7012

Monthly agreements, not multi-year lock-ins  ·  No call centers, ever