
Five Microsoft 365 settings every BC business should turn on

A fresh Microsoft 365 tenant ships convenient, not secure — and the five settings that close that gap don't cost a cent extra.

Microsoft 365 is the backbone of most BC offices, and out of the box it's tuned to get people working with the fewest obstacles. That's great for onboarding and terrible for security. The good news: the highest-impact hardening is included in the licences you already pay for. Here are five changes — plus a bonus — that we apply as standard, and why each one matters.

1. Enforce MFA and switch off legacy authentication

Stolen passwords are the front door to most account takeovers, and the single most effective lock is multi-factor authentication. Just as important: turn off legacy authentication, meaning the older protocols (POP3, IMAP, SMTP AUTH, Exchange ActiveSync using basic authentication) that cannot do MFA and that attackers specifically hunt for because they bypass it entirely. Microsoft has already retired basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per tenant or per mailbox, so check it rather than assume.

For a small tenant, Security Defaults turns both on with one switch: it requires every user to register for MFA and blocks legacy authentication protocols. As you grow, Conditional Access (which needs Entra ID P1 or higher, included in Business Premium) gives you finer control, for example requiring MFA from unfamiliar locations while easing it on trusted, compliant devices. The two are mutually exclusive, so build Conditional Access policies in report-only mode, confirm nothing important would be blocked, and only then switch Security Defaults off. On methods: SMS codes are the weakest option. An authenticator app with number matching is a solid upgrade but can still be relayed by a phishing proxy that captures the signed-in session; the genuinely phishing-resistant methods are passkeys (FIDO2 security keys) and Windows Hello for Business, so move administrators to those first.
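As an added example (not from the original post), this is how the check and the policy look in the Microsoft Graph PowerShell SDK: confirm Security Defaults, find out who is still signing in with legacy clients, then create the block policy in report-only mode. The break-glass account ID is a placeholder, and the sign-in log query and Conditional Access both assume Entra ID P1.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph PowerShell SDK
# and an account with Conditional Access Administrator (or higher) rights.
# Placeholder: <break-glass-object-id> is the object ID of your emergency-access account.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", `
                        "AuditLog.Read.All", "Directory.Read.All"

# Step 1: is Security Defaults on? (the one-switch option; it also blocks legacy auth)
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# Step 2: before blocking legacy auth with Conditional Access, find out who still uses it.
# Anything other than "Browser" / "Mobile Apps and Desktop clients" (for example
# "Authenticated SMTP", "IMAP4", "Other clients") is a legacy client.
Get-MgAuditLogSignIn -Top 2000 |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name | Sort-Object Count -Descending

# Step 3: create the block policy in report-only mode (Entra ID P1 needed).
# Change State to "enabled" once the report-only results show nothing you care about.
# Security Defaults must be switched off before any CA policy is enforced; the two do not coexist.
$policy = @{
    DisplayName   = "Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @("<break-glass-object-id>") }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client categories
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Always exclude a break-glass account from block policies; a mistake in a tenant-wide block with no excluded account can lock every administrator out.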

2. Lock down external sharing in SharePoint and OneDrive

By default the organisation-wide setting allows "Anyone" links: whoever holds the URL can open the file with no sign-in. Convenient, and a steady source of accidental data exposure. In the SharePoint admin centre, set the organisation-wide external-sharing level to the minimum your business actually needs, frequently "new and existing guests" (external people must sign in, so they show up by name in the audit log) rather than "anyone". That setting is a ceiling: individual sites and OneDrive can be tighter than it but never looser, so it is the place to fix first. Disable or expire anonymous links, make the default link "people in your organisation" with view-only permission, and review which sites are sharing externally. You're not banning collaboration; you're making sure a careless link doesn't quietly publish a client file to the open internet.
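The same change from the SharePoint Online Management Shell, as an added example that is not part of the original post. "contoso" is a placeholder tenant name.

```powershell
# Added example, not from the original post. Uses the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell). "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current organisation-wide ceiling. Values, most to least open:
#   ExternalUserAndGuestSharing ("Anyone" links) > ExternalUserSharingOnly (new and existing guests)
#   > ExistingExternalUserSharingOnly > Disabled
(Get-SPOTenant).SharingCapability

# Tighten to "new and existing guests", which removes Anyone links, and make the default
# sharing link an organisation-only, view-only link so a careless click stays internal.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# If the business insists on keeping Anyone links, at least cap them (only takes effect
# while SharingCapability is ExternalUserAndGuestSharing):
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 14 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Review: sites whose own setting still permits external sharing. A site can be tighter
# than the tenant but never looser, so anything listed here is within the ceiling above.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object Url | Format-Table -AutoSize
```

Run the review before and after the change: the list of externally-sharing sites is a useful conversation starter with the people who own them.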

3. Turn on unified audit logging and mailbox auditing

If something does go wrong, the difference between a quick answer and an expensive guess is whether you kept the logs. Unified audit logging records sign-ins, file access, sharing and admin changes across the tenant; mailbox auditing tracks who read, moved or deleted mail, and who created inbox rules or granted mailbox access, which is typically the first thing an intruder does. Both are on by default in tenants created in recent years, but confirm it, and check for mailboxes where auditing has been bypassed, since that is a quiet way to hide activity. Know your retention window too: Audit (Standard) currently keeps records for 180 days, and Audit (Premium) extends that to a year or longer with add-ons, so an incident discovered late can run past the end of your evidence. When investigating a suspected compromise, this is the evidence that tells you what the intruder actually touched.

You can't investigate what you didn't log. Turning on auditing costs nothing today and saves a fortune on the worst day.
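As an added example (not from the original post), the checks in Exchange Online PowerShell, followed by the kind of search you would run on a suspected-compromised account. The admin and user addresses are placeholders.

```powershell
# Added example, not from the original post. Uses the ExchangeOnlineManagement module.
# admin@contoso.com and alice@contoso.com are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Unified audit log: confirm ingestion is on; if it returns False, enable it.
(Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # may need Enable-OrganizationCustomization first

# Mailbox auditing: on by default tenant-wide unless someone disabled it at the org level...
(Get-OrganizationConfig).AuditDisabled            # want: False
# ...or bypassed it for individual accounts, which hides everything that account does:
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } | Select-Object Name

# Worked investigation: what did a suspected-compromised account do in the last 7 days?
# Inbox rules, mailbox delegation and sharing changes are the classic post-compromise actions.
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds "alice@contoso.com" `
    -Operations "UserLoggedIn", "New-InboxRule", "Set-InboxRule", "Add-MailboxPermission", `
                "FileDownloaded", "SharingSet", "AnonymousLinkCreated" -ResultSize 5000

# AuditData is a JSON string per record; expand it into a timeline.
$records | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, ObjectId |
    Sort-Object CreationTime | Format-Table -AutoSize
```

A result set that hits the 5000-record ceiling means you need to page (Search-UnifiedAuditLog's -SessionId and -SessionCommand parameters) or narrow the window; a result set that is empty for a user you know was active means auditing was off, and that finding belongs in the incident report.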

4. Strengthen anti-phishing, Safe Links and Safe Attachments

Email is still how most attacks arrive. Exchange Online Protection gives every tenant baseline anti-spam and anti-malware, but the defaults are lenient. Tighten the anti-spam and anti-impersonation settings so that messages spoofing your executives or your domain are caught. Where your plan includes Microsoft Defender for Office 365 (Business Premium does), switch on Safe Links (which rewrites URLs and checks them again at click time, after the email passed the initial scan) and Safe Attachments (which detonates attachments in a sandbox before delivery). Microsoft's preset security policies, Standard or Strict, are a sensible, supported way to apply all of this consistently; Standard is the right starting point for most offices. One caveat: the presets turn impersonation protection on, but the list of people and domains to protect starts empty, so add your executives and your own domains yourself or that part does nothing.
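As an added example (not from the original post), applying and verifying the Standard preset from Exchange Online PowerShell, and filling in the impersonation list the preset leaves empty. The domain and executive names are placeholders.

```powershell
# Added example, not from the original post. Uses the ExchangeOnlineManagement module;
# contoso.com and the executive names are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Which presets exist and are enabled? The EOP rule applies to every tenant; the ATP (Defender
# for Office 365) rule only where that licence is present. If these return nothing, the presets
# have never been turned on: enable Standard once in the Defender portal (Threat policies >
# Preset security policies), which creates the rules these cmdlets manage.
Get-EOPProtectionPolicyRule | Select-Object Name, State, Priority, RecipientDomainIs
Get-ATPProtectionPolicyRule | Select-Object Name, State, Priority, RecipientDomainIs

# Scope Standard to all recipients in your domain and make sure it is on.
Set-EOPProtectionPolicyRule    -Identity "Standard Preset Security Policy" -RecipientDomainIs "contoso.com"
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Set-ATPProtectionPolicyRule    -Identity "Standard Preset Security Policy" -RecipientDomainIs "contoso.com"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

# The preset enables impersonation protection, but the list of people to protect starts empty.
# Add the executives most likely to be spoofed (entry format "DisplayName;email").
$std = Get-AntiPhishPolicy | Where-Object { $_.RecommendedPolicyType -eq "Standard" }
Set-AntiPhishPolicy -Identity $std.Identity `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;jane.doe@contoso.com", "Sam Lee;sam.lee@contoso.com") `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligenceProtection $true

# Confirm it took.
Get-AntiPhishPolicy -Identity $std.Identity |
    Select-Object Name, EnableTargetedUserProtection, TargetedUsersToProtect, EnableOrganizationDomainsProtection
```

Keep the protected-user list short and current: it is matched on display name, so a list of fifty names generates false positives, and a departed CEO left on it protects nobody.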

5. Restrict app consent and third-party app registration

One of the quieter modern attacks isn't a stolen password at all: it's tricking a user into granting a malicious app permission to their mailbox and files through a legitimate-looking Microsoft consent prompt. The app then keeps that access even after the password changes, because it holds its own tokens rather than the user's credentials. In Entra ID, turn off the ability for ordinary users to consent to third-party apps on their own (or limit it to verified publishers and low-impact permissions), and route consent requests through an admin approval workflow so people can still ask. While you're there, restrict who can register new applications. Blocking future consent does not undo grants already made, so also review what users have already approved and revoke anything you don't recognise. It closes a door most organisations don't even know is open.
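As an added example (not from the original post), the consent lockdown, the approval workflow and the review of existing grants in the Microsoft Graph PowerShell SDK. The reviewer object ID is a placeholder.

```powershell
# Added example, not from the original post. Microsoft.Graph PowerShell SDK; the reviewer
# object ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", `
                        "DelegatedPermissionGrant.Read.All", "Application.Read.All"

# Where do we stand? An empty PermissionGrantPoliciesAssigned means users cannot consent at all.
$auth = Get-MgPolicyAuthorizationPolicy
$auth.DefaultUserRolePermissions | Select-Object AllowedToCreateApps, PermissionGrantPoliciesAssigned

# Stop ordinary users consenting to any app, and stop them registering new apps.
# Middle ground, if you need it: consent only to verified publishers for low-impact permissions,
#   PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @()
}

# Let users ask instead: the admin consent request workflow, reviewed by a named admin.
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled:$true -NotifyReviewers:$true -RemindersEnabled:$true `
    -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/<reviewer-object-id>"; QueryType = "MicrosoftGraph" })

# Blocking future consent does not undo existing grants. List what individual users have
# already handed to apps (ConsentType "Principal" = one user consented for themselves).
Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq "Principal" } | ForEach-Object {
    $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    [pscustomobject]@{
        App       = $sp.DisplayName
        Publisher = $sp.VerifiedPublisher.DisplayName   # blank = unverified publisher
        Scopes    = $_.Scope
        GrantId   = $_.Id
    }
} | Sort-Object App | Format-Table -AutoSize
# Unrecognised app with Mail.Read or Files.ReadWrite? Remove it:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

In the review output, an unverified publisher holding mail or files scopes is the pattern to chase first; those are exactly the permissions consent-phishing campaigns ask for.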

Bonus: offboarding and licensing hygiene

Security isn't only settings, it's housekeeping. When someone leaves, their account is a live key that nobody is watching. A clean offboarding process should block sign-in, revoke active sessions, reset the password, remove the account from groups and admin roles, and reclaim or reassign the licence the same day. Two details people miss: revoking sessions invalidates refresh tokens but already-issued access tokens keep working until they expire (about an hour), so disable the account first and do both; and if the business needs the mailbox, convert it to a shared mailbox before the licence is removed, otherwise it is deleted 30 days later. Reclaiming unused licences also trims your monthly bill, so this is one of the rare jobs that's good for both security and the budget.
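As an added example (not from the original post), the same-day offboarding sequence in the Microsoft Graph PowerShell SDK and Exchange Online PowerShell, in the order that matters. The leaver's and admin's addresses are placeholders.

```powershell
# Added example, not from the original post. Microsoft.Graph PowerShell SDK plus
# ExchangeOnlineManagement; leaver@contoso.com and admin@contoso.com are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "User.RevokeSessions.All"
$upn  = "leaver@contoso.com"
$user = Get-MgUser -UserId $upn -Property Id, AssignedLicenses, DisplayName

# 1. Block sign-in and kill existing sessions. Disabling the account stops new sign-ins;
#    revoking sessions invalidates refresh tokens, but already-issued access tokens keep
#    working until they expire (about an hour), so do both and do them first.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Reset the password to a random value nobody knows.
$chars = [char[]]((48..57) + (65..90) + (97..122) + (33..47))
$newPw = -join (1..32 | ForEach-Object { $chars | Get-Random })
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPw; ForceChangePasswordNextSignIn = $true }

# 3. Keep the mailbox if the business needs it: convert to shared BEFORE removing the licence.
#    A shared mailbox under 50 GB needs no licence; an unlicensed user mailbox is deleted after 30 days.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com
Set-Mailbox -Identity $upn -Type Shared

# 4. Reclaim every licence.
$skus = @($user.AssignedLicenses | ForEach-Object { $_.SkuId })
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
}
"Offboarded $($user.DisplayName): sign-in blocked, sessions revoked, $($skus.Count) licence(s) removed."
```

Group and role membership, registered devices and MFA methods still need clearing; they are left out here because the right steps depend on how the tenant is set up, but the four above are the ones that must happen the same day.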

Bottom line: None of these five is exotic, and none requires buying a new product; everything above is either available on every tenant or already inside the Business Premium licence most BC offices run. They're table stakes for any business running Microsoft 365 in 2026. The only real question is whether someone has actually turned them on in your tenant.

At FirstLayerIT we apply this baseline as standard on every Microsoft 365 tenant we manage, then keep it under review as Microsoft changes the defaults. If you'd like us to check what's actually switched on in your tenant, book a free assessment and we'll walk you through exactly where you stand.

Want to know what's switched on in your tenant?

Book a free assessment and we'll review your Microsoft 365 security settings against this baseline — and show you the gaps in plain English.

Book a free IT assessment