Hardening guide: securing Microsoft 365 for small businesses
After auditing 20+ small business M365 tenants this year, here's my hardening checklist:
Identity
- Enable Security Defaults (or Conditional Access if P1+)
- Block legacy authentication protocols
- Require MFA for all users (not just admins)
- Configure break-glass emergency access accounts
Email
- Configure SPF, DKIM, and DMARC (p=reject target)
- Enable Safe Attachments and Safe Links
- Block auto-forwarding to external domains
- Audit mailbox delegation and permissions
Data
- Enable audit logging (Unified Audit Log)
- Configure DLP policies for PII/PHI
- Restrict external sharing in SharePoint/OneDrive
- Enable sensitivity labels
Device
- Enroll devices in Intune
- Require device compliance for Conditional Access
- Configure BitLocker encryption
What am I missing?
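As an added example (not part of the original post or any Microsoft tooling), a read-only PowerShell pass over several items in the checklist above: IMAP/POP on mailboxes, auto-forwarding settings, audit logging, and the published DMARC policy. It assumes the ExchangeOnlineManagement module with Exchange Online read rights, Windows PowerShell for Resolve-DnsName, and uses a placeholder domain name.

```powershell
# Added example: read-only audit of several checklist items in an M365 tenant.
# Assumes ExchangeOnlineManagement is installed and the caller has Exchange Online
# read permissions. $domain below is a placeholder, not a real tenant domain.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# Legacy protocols: any mailbox with IMAP or POP still enabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    ForEach-Object {
        $findings.Add("Legacy protocol enabled: $($_.PrimarySmtpAddress) IMAP=$($_.ImapEnabled) POP=$($_.PopEnabled)")
    }

# Auto-forwarding: the hardened state is an explicit 'Off' on every outbound spam
# policy ('Automatic' is system-controlled) and AutoForwardEnabled=$false on the
# default remote domain
Get-HostedOutboundSpamFilterPolicy |
    Where-Object { $_.AutoForwardingMode -ne 'Off' } |
    ForEach-Object { $findings.Add("Outbound spam policy '$($_.Name)' AutoForwardingMode=$($_.AutoForwardingMode)") }
if ((Get-RemoteDomain Default).AutoForwardEnabled) {
    $findings.Add("Remote domain 'Default' allows auto-forwarding to external domains")
}

# Audit logging: unified audit log ingestion, org-level and per-mailbox auditing
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified Audit Log ingestion is disabled")
}
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add("Mailbox auditing is disabled at the organization level")
}
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object { $findings.Add("Mailbox auditing off: $($_.PrimarySmtpAddress)") }

# DMARC: look up the published policy and flag anything weaker than quarantine/reject
$domain = 'contoso.example'   # placeholder: replace with the tenant's primary domain
$dmarc = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
    Where-Object { ($_.Strings -join '') -match '^v=DMARC1' }
if (-not $dmarc) {
    $findings.Add("No DMARC record published for $domain")
} elseif (($dmarc.Strings -join '') -notmatch 'p=(quarantine|reject)') {
    $findings.Add("DMARC policy for $domain is not quarantine/reject: $($dmarc.Strings -join '')")
}

if ($findings.Count -eq 0) { 'No findings for the checked items.' } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

The script changes nothing in the tenant; each line of output is one checklist item that still needs attention.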
Add mailbox auditing for owner actions. Microsoft disabled it by default and then re-enabled it, but some older tenants still have gaps. Verify with Get-Mailbox -ResultSize Unlimited | FL Name,AuditEnabled.
Missing: disable IMAP/POP on all mailboxes. Legacy protocols bypass MFA. This is the #1 thing I find in M365 audits.
For DMARC, start with p=none and monitor for 30 days before going to p=reject. I've seen orgs lock out legitimate senders (marketing platforms, CRM systems) by going straight to reject.
For the external sharing restriction — be careful with SharePoint. Some business processes depend on external sharing. Whitelist specific partner domains instead of blocking entirely.
Great list. I'd add: configure Privileged Identity Management (PIM) if you have AAD P2. Just-in-time admin access is a game changer for reducing standing privilege risk.