
How to Lock Down Your Microsoft 365 Tenant (A Practical Security Checklist)

January 12, 2026
7 min read

Your Microsoft 365 tenant holds your email, your files, your contacts, and your business communications. For most small businesses, it is the most valuable and most exposed part of their IT setup. A misconfigured tenant is one of the most common ways small businesses get compromised. Here is how to lock yours down.

1. Turn On Multi-Factor Authentication for Every Account

If there is one thing on this list to do today, it is this. MFA requires a second verification step when someone logs in, so a stolen password alone is not enough to access your tenant.

Go to the Microsoft 365 admin center, open Users, then Active users, and enable MFA for every account. Pay special attention to admin accounts. A compromised admin account gives an attacker full control over your tenant and everything in it.

2. Enable Security Defaults

Microsoft 365 includes Security Defaults, a free set of baseline protections built by Microsoft. They enforce MFA, block legacy authentication protocols, and protect privileged actions.

If you have not set up custom Conditional Access policies, turn on Security Defaults now. They cover the most common attack patterns and require no ongoing management. For most small businesses, this is the right starting point.

3. Audit Your Admin Accounts

Most small businesses have more global admin accounts than they need. Every admin account is a high-value target for attackers. Reduce global admins to the minimum required, ideally one or two people.

Use dedicated admin accounts that are only used for administrative tasks. Do not use your regular day-to-day email account as an admin account. Every admin account should have MFA enforced without exception.

4. Review Third-Party App Permissions

Every app your team connects to Microsoft 365 is granted permissions in your tenant. Over time, these permissions accumulate, and some apps ask for more access than they actually need.

In the admin center, go to Settings, then Org settings, then Integrated apps. Review what apps have been granted access and remove anything that is no longer in use or that you do not recognize. This is a commonly overlooked risk.

5. Set Up Email Authentication Records

SPF, DKIM, and DMARC are DNS records that protect your domain from being used to send phishing emails. Without them, attackers can send emails that appear to come from your domain and use your name to deceive your clients.

These records tell receiving mail servers that only your authorized mail servers can send on your behalf. Setup requires access to your DNS provider and about thirty minutes. If you are not sure how to do this, your IT provider should handle it for you.
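A quick way to confirm the records are not just present but actually strict enough is to check the SPF and DMARC TXT records for the weak settings that leave a domain spoofable (a soft-fail `~all`, a DMARC policy of `p=none`, no reporting address). The following is an added example, not code from the original article; it runs over constructed sample records for the fictional domain example.com, and the function names `check_domain` and `parse_dmarc` are assumptions of this example. DKIM is not checked here because its selector records vary per tenant.

```python
# Added example (not from the original article): flag weak SPF/DMARC settings.
# Records are constructed sample data so the check runs offline; in practice
# you would look up the TXT records for yourdomain.com and _dmarc.yourdomain.com.

# Constructed sample TXT records for a fictional tenant domain.
SAMPLE_RECORDS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_domain(domain: str, records: dict) -> list:
    """Return findings for the domain's SPF and DMARC records (empty = sound)."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record; nothing stops a forged sender")
    elif len(spf) > 1:
        findings.append("SPF: multiple v=spf1 records; receivers treat this as a permanent error")
    else:
        mechanisms = [m.lower() for m in spf[0].split()]
        if mechanisms[-1] != "-all":
            findings.append(f"SPF: ends with '{mechanisms[-1]}', not '-all'; unauthorized senders are not hard-failed")
        if "include:spf.protection.outlook.com" not in mechanisms:
            findings.append("SPF: Microsoft 365 outbound servers (spf.protection.outlook.com) are not listed")
    dmarc = [r for r in records.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no _dmarc record; SPF/DKIM failures are never acted on")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'}; spoofed mail is only monitored, not blocked")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address; you will not receive aggregate reports")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']}; policy applies to only part of the mail")
    return findings
```

Running `check_domain("example.com", SAMPLE_RECORDS)` on the sample records reports the soft-fail SPF and the monitor-only DMARC policy; once both are tightened to `-all` and `p=reject`, the list comes back empty.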

6. Tighten SharePoint and OneDrive Sharing Settings

By default, Microsoft 365 allows users to share files externally with anyone who has the link. For most small businesses, this is too permissive.

In the SharePoint admin center, review your sharing settings. Set external sharing to 'Existing guests only' or 'Only people in your organization' unless you have a specific business reason for broader sharing. Audit who currently has access to shared files.

7. Verify That Audit Logging Is Active

Microsoft 365 audit logging records user and admin activity across your tenant. If a breach happens, audit logs tell you what was accessed, when, and from where.

Audit logging is turned on by default in most plans, but it is worth verifying. In the Microsoft Purview compliance portal, confirm that audit logging is active and that logs are retained for at least 90 days.

None of this requires an enterprise IT team. It requires time and attention. If you want help reviewing your Microsoft 365 tenant security, we offer free tenant security reviews for businesses in the Chicago area. We will go through your configuration and tell you exactly what needs attention.

ITM Consulting
