Security · IT Support
Secure Microsoft 365 for Small Business: 6-Step Guide
7 July 2026

Reviewed by Blake Smith, Head of Service at LBT, who leads the team that configures and secures Microsoft 365 environments for LBT's managed clients. Last updated July 2026. Microsoft changes its admin centre navigation and licensing tiers periodically, so exact menu labels may shift — the underlying settings described here remain the right ones to look for.
If your business runs on Microsoft 365 and nobody owns security full-time, you're not alone — and you're not stuck. Most small businesses buy M365 for email, Teams and Office apps, flick on the default settings, and never go back. That's the gap attackers are counting on.
This is a practical, hands-on guide for whoever configures Microsoft 365 day to day. If you're after the leadership-level case for why this matters — licensing tiers, real risk, and what to ask before signing off — see our executive guide to M365 business security.
Here's the reality: 43% of UK businesses reported a cyber breach or attack in the last 12 months, and phishing is the most common attack vector, hitting 38% of them (GOV.UK Cyber Security Breaches Survey 2025). Meanwhile, Microsoft's own VP for Identity Security disclosed that as of early 2024, MFA protected only around 38% of Microsoft Entra ID accounts globally — despite Microsoft's own research showing MFA blocks more than 99.2% of account compromise attempts (Microsoft Learn). That gap between "available" and "actually configured" is where small businesses get hit.
The good news: you don't need an IT department to start closing it. This guide walks you through six practical, sequential steps to lock down Microsoft 365 — no jargon, no consultants required to get started, just concrete actions you can complete this week. Grab admin access to your M365 tenant and let's get into it.
Before you change anything: document and secure at least one "break-glass" emergency admin account — a credential kept outside your normal MFA and Conditional Access rules, with its password stored securely offline. Tightening MFA and Conditional Access is exactly the kind of change that can lock everyone (including you) out if something's misconfigured, and a break-glass account is your safety net while you work through the steps below.
Step 1: Lock Down Every Admin Account First
Before you touch anything else, secure the accounts with the keys to the kingdom. A compromised admin account isn't just one mailbox lost — it's every mailbox, every file, every user in your business.
Reduce who has admin rights
Most small businesses over-assign admin roles because it's easier at setup time and nobody revisits it. Go to the Microsoft 365 admin centre, open Active users, and check who holds Global Administrator status.
- Aim for no more than two Global Admins.
- Move everyone else to a role that matches what they actually do (e.g., User Administrator, Billing Administrator) using role-based access control.
- Remove admin rights entirely from any account that's a normal daily-use mailbox.
Set up a dedicated admin account
Nobody should use their everyday email account to perform admin tasks. Create a separate admin account (e.g., admin-jane@yourbusiness.com) with no mailbox attached, used only for administrative work. This limits the blast radius if a phishing email lands in a day-to-day inbox.
Enable MFA on admin accounts — no exceptions
This is non-negotiable. Every account with elevated privileges must have multi-factor authentication enforced with zero exceptions, including for the owner or MD. Attackers specifically hunt for privileged accounts because one login unlocks everything.
Step 2: Turn On Multi-Factor Authentication for Every User
MFA is the single highest-impact step in this entire guide. As referenced above, Microsoft's own numbers show a large share of accounts still don't have it switched on at all — and small businesses without a dedicated IT function are the most likely to be in that gap, simply because nobody's gone back to turn it on since the tenant was first set up. Fix that today.
How to enable it
- In the Microsoft Entra admin centre, go to the Protection or Security section to find MFA and sign-in security settings (Microsoft renames and reorganises this navigation periodically, so search "MFA" or "Security defaults" in-portal if the exact menu path has moved).
- If you're on Business Premium or above, use Security Defaults or, better, Conditional Access policies (covered in Step 3) rather than the legacy per-user MFA toggle — it's more flexible and easier to manage as you grow.
- Choose an authenticator app (Microsoft Authenticator is free and built for this) over SMS codes — SMS can be intercepted via SIM-swap attacks, while app-based and phishing-resistant methods are far more robust.
- Set a rollout date, tell your team why it matters in one sentence ("this stops someone logging in as you from anywhere in the world"), and give them a 48-hour window to register their device.
Table: MFA methods, ranked
| Method | Security level | Recommended use |
|---|---|---|
| Passkey / FIDO2 security key | Highest | Admins, finance, owners |
| Microsoft Authenticator app (push/passwordless) | High | All staff |
| Authenticator app (time-based code) | High | All staff |
| SMS text code | Moderate | Fallback only |
| Voice call code | Moderate | Fallback only |
Once everyone is enrolled, disable legacy authentication protocols (like POP and IMAP) that don't support MFA at all — they're a well-known backdoor around it.
Step 3: Set Up Basic Conditional Access Rules
Conditional Access is where Microsoft 365 security stops being all-or-nothing and starts being smart. Instead of asking for MFA every single time (which trains people to click "approve" without thinking — a tactic called MFA fatigue), you set rules based on risk.
You'll need Microsoft 365 Business Premium or an Entra ID P1 licence for full Conditional Access. If you're on a lower tier, this is a strong reason to upgrade — the cost is minor compared to the cost of a single business email compromise incident.
Three conditional access policies to create first
- Block legacy authentication — stops old protocols bypassing MFA entirely.
- Require MFA for unfamiliar or higher-risk situations — such as sign-ins from new locations, unmanaged devices, or outside your trusted networks. This is available on Business Premium (Entra ID P1). Full automated risk-based sign-in detection — where Microsoft's own risk engine scores each login and responds dynamically — is a Microsoft Entra ID P2 feature and sits on top of what Business Premium includes, so check which licence you're on before assuming it's already covered.
- Require compliant or managed devices for admin access — only allow admin tasks from devices you recognise and trust, not any laptop, anywhere.
Start with these three. You can layer in more granular rules (blocking sign-ins from specific countries, restricting access by time of day, or upgrading to full risk-based Conditional Access with Entra ID P2) once the basics are bedded in and your team is used to the new normal.
find out your organisation's Technology Resilience Score
Step 4: Harden Email Against Phishing and Business Email Compromise
Email is still the number one way attackers get in — phishing is the most common attack vector against UK businesses, cited in the Cyber Security Breaches Survey 2025 as affecting 38% of them in the past year. Business email compromise built on top of a successful phish is increasingly automated, too — stolen inboxes and credentials are bought and sold, then used for invoice fraud and payment redirection scams.
Configure these settings in Microsoft Defender
- Turn on Safe Links and Safe Attachments (Microsoft 365 Business Premium or Defender for Office 365) — this scans links and files in real time before your team can click them.
- Set up anti-phishing policies to flag domain impersonation — this catches lookalike domains (e.g., "yourcompany-invoices.com") trying to impersonate you or your suppliers.
- Enable impersonation protection for your most-targeted people — typically the MD, finance lead and anyone who authorises payments.
- Turn on mailbox auditing so you can see if rules have been secretly added to forward or delete emails — a classic sign of a compromised inbox.
- Set up an external sender warning banner so staff instantly see when an email originates outside your organisation.
Train your team on the two-minute check
Technology catches most threats, but not all. Before anyone actions a payment or urgent request by email, they should check: does the sender's actual email address match who it claims to be, and would this person normally ask for this by email at all? Make this a standing rule, not a one-off training session.
Step 5: Manage and Protect Mobile Devices
Your data doesn't stay on desks anymore — it's on phones, tablets and laptops that leave the building every day. If a device is lost, stolen, or simply unmanaged, that's an open door into your business data.
Basic mobile device management with Microsoft Intune
Microsoft 365 Business Premium includes Intune, which gives you control without needing a full IT team to run it.
- Set up Conditional Access to require enrolled devices — this means only devices you've registered can access company email and files.
- Enforce a device passcode/PIN and encryption as a baseline requirement before any device can connect.
- Create an app protection policy so company data inside Outlook, Teams and OneDrive can be wiped remotely without touching someone's personal photos and apps — essential for BYOD (bring your own device) setups.
- Enable remote wipe for lost or stolen devices, and document who's responsible for triggering it.
- Block unmanaged personal devices from downloading company email if you can't guarantee they meet a minimum security bar.
This step matters just as much for a five-person business as a fifty-person one — a lost phone with an unlocked mail app is exactly the same risk regardless of headcount.
Step 6: Confirm Your Backup and Recovery Position
Here's a fact that catches small businesses out constantly: Microsoft 365 does not fully back up your data the way most people assume. Deleted items, retention policies and version history are not the same as a proper, independent backup — and ransomware or accidental deletion can still cause permanent loss.
What to check and set up
- Confirm your retention policies in the Microsoft 365 compliance centre — know exactly how long deleted mail and files are recoverable before they're gone for good.
- Turn on versioning in SharePoint and OneDrive so you can roll back files to an earlier point if they're corrupted or encrypted.
- Implement a genuine third-party backup solution for Exchange Online, SharePoint, OneDrive and Teams data — this is the single biggest gap in most small business M365 setups.
- Test a restore, not just a backup — schedule a trial recovery of a file or mailbox every quarter so you know it actually works when you need it.
- Document who is responsible for backup checks — assign a name, not just a task, so nothing quietly stops working unnoticed.
This checklist gets you configured. It doesn't, on its own, make you compliant — for the fuller picture on UK GDPR obligations and what's actually your responsibility versus Microsoft's, see our Microsoft 365 security and UK GDPR compliance guide.
Your Microsoft 365 Security Checklist, at a Glance
| # | Action | Effort | Priority |
|---|---|---|---|
| 1 | Reduce and secure admin accounts | Low | Critical |
| 2 | Enable MFA for all users | Medium | Critical |
| 3 | Set up core Conditional Access policies | Medium | High |
| 4 | Configure anti-phishing and email protection | Medium | High |
| 5 | Roll out basic mobile device management | Medium | Medium |
| 6 | Verify and test backup/recovery | Low | High |
Work through these in order. Each step builds on the last — there's little point locking down email if your admin accounts are still wide open.
Frequently Asked Questions
Do I need Microsoft 365 Business Premium to do all of this?
Some steps — Conditional Access, Intune device management, and Defender for Office 365 anti-phishing tools — require Business Premium or an added security licence. Basic MFA and admin account hygiene can be done on any M365 plan starting today.
How long does it take to secure Microsoft 365 properly?
A small business with 5–20 users can realistically complete Steps 1, 2 and 6 in a single afternoon. Conditional Access and mobile device management typically take a few days to configure and roll out properly across a team.
Will enabling MFA annoy my staff?
There's a short adjustment period, but modern MFA (via the Microsoft Authenticator app) takes seconds once set up, and Conditional Access rules mean most people won't be prompted repeatedly for trusted devices. The disruption of a business email compromise incident is far greater.
Does Microsoft 365 back up my data automatically?
No. Microsoft operates on a shared responsibility model — it keeps the infrastructure running, but protecting against data loss, accidental deletion and ransomware recovery is your responsibility. A dedicated backup solution is essential.
What's the single most important step if I can only do one thing this week?
Enable MFA on every account, starting with admins. Microsoft's own research shows it blocks more than 99.2% of account compromise attempts (Microsoft Learn), and it takes under an hour to roll out.
Check Whether Your Microsoft 365 Setup Is Actually Secure
Working through this checklist puts you well ahead of most small businesses — but ticking off six steps yourself is different from having someone independently confirm nothing's been missed. That's what our Technology Resilience Score™ is built for: it measures your organisation's ability to prevent, withstand, and recover from technology and cyber risks, scored from 1.0 to 5.0, so you know precisely where you stand and what to prioritise next.
Don't guess whether your Microsoft 365 environment is actually secure. get an independent check on your Microsoft 365 security and get a clear, actionable picture of your current score — plus the fastest path to strengthening it and freeing your business to grow with confidence.
Is your business's technology environment resilient?
Find out how prepared you really are to keep operating and recover quickly if disruption hits — with a free Technology Resilience Score™.