Microsoft 365 Security Checklist for Small Businesses (2026)

A technical, actionable checklist for Canadian small businesses running Microsoft 365 Business Standard or Business Premium — built by the managed IT team at CtrlShift IT Services.

Estimated reading time
15 minutes
Who this guide is for
Business owners, office managers, and IT decision-makers at small businesses with 5–50 employees on Microsoft 365 Business Standard or Business Premium.
Last reviewed: April 2026

Why Most Microsoft 365 Tenants Are Misconfigured

Microsoft 365 ships in a permissive default state. Legacy authentication protocols are often still active. Multi-factor authentication is available but not enforced. SharePoint external sharing may be open to anyone with a link. Admin accounts frequently share credentials with daily work accounts. These defaults simplify initial setup — but in a live business tenant they represent real, exploitable gaps.

Small businesses with 5–50 employees are a primary target precisely because they carry valuable data and are easier to exploit than enterprises. A misconfigured Microsoft 365 tenant is the most common entry point we see in SMB breach cases.

This checklist is the anchor guide in our Microsoft 365 Security hub. Use it as the baseline, then branch into the live phishing protection guide and the upcoming deep dives linked throughout the page.

How a typical SMB breach unfolds
  • Phishing email: delivered to inbox
  • Credential stolen: password captured
  • Tenant access: email & SharePoint
  • Lateral movement: spreads across tenant
  • Ransomware / BEC: encryption or fraud
Every node in this chain has a control in this checklist that breaks it.

What Secure Score Should a Small Business Target?

Microsoft Secure Score is a built-in dashboard in the Microsoft 365 Defender portal that measures how well your tenant is configured. It gives you a number — and more usefully — a prioritized list of exactly what to fix next. Access it at security.microsoft.com → Secure Score.

  • Under 30%: High risk — critical controls missing
  • 30–60%: Typical unmanaged tenant — significant gaps likely
  • 60–80%: Strong baseline — target range for most SMBs
  • 80%+: Well-secured — suitable for regulated industries

Review your Secure Score monthly. Use the Improvement Actions tab to see a prioritized list — each action shows the point value, implementation difficulty, and exact portal location.

Your Defense Stack — Four Protection Layers

Every control in this checklist belongs to one of four protection layers. No single layer stops everything — all four working together is what creates a defensible posture.

  • Identity Layer (highest impact): MFA · Conditional Access · Legacy Auth Block · Admin Protection
  • Endpoint Layer (stops lateral spread): EDR · BitLocker · Intune · Patch Management · BYOD Policy
  • Data & Recovery Layer (recovery capability): Third-party Backup · Audit Logging · Alert Policies · Incident Response

Multi-Factor Authentication (MFA)

99.9%
of automated account takeover attacks are blocked by MFA, according to Microsoft telemetry

Enforcing MFA across every Microsoft 365 account is the single highest-impact control available to a small business. Passwords alone are routinely stolen through phishing, credential stuffing, and info-stealer malware. MFA blocks the overwhelming majority of automated account takeover attempts — and its absence is the most common reason cyber insurance claims are denied after a breach.

Enforce MFA on all user accounts

Why it matters: Without MFA, a stolen password alone gives access to email, SharePoint, Teams, and every connected app.
Risk if skipped: Account takeover, business email compromise, full mailbox access. Insurers frequently deny claims when MFA was not enforced.
Where to configure: Entra admin centre → Identity → Authentication methods. Or enable Security Defaults (Entra → Properties → Manage Security Defaults).
License: All plans. Conditional Access-enforced MFA requires Business Premium or Entra ID P1.

Prefer authenticator apps over SMS codes

Why it matters: SMS-based MFA is vulnerable to SIM swapping. Authenticator app codes are generated locally and cannot be intercepted remotely.
Risk if skipped: A SIM swap allows an attacker to receive the SMS code and bypass MFA entirely — a documented pattern in Canadian business email compromise cases.
Where to configure: Entra admin centre → Authentication methods → Policies. Enable Microsoft Authenticator, disable SMS sign-in where possible.
License: All plans. Microsoft Authenticator is free.

Audit service accounts and shared mailboxes for MFA gaps

Why it matters: Service accounts and shared mailboxes frequently slip through MFA enforcement. Attackers scan specifically for these exclusions.
Where to configure: Entra admin centre → Sign-in logs → Filter by Client App for Basic Auth, IMAP, POP entries. Review any account excluded from Conditional Access scope.

Disable Legacy Authentication

99%+
of password spray attacks against Microsoft 365 exploit legacy authentication protocols, per Microsoft's own telemetry

Legacy authentication protocols — IMAP, POP3, basic SMTP auth, and older Exchange ActiveSync — cannot enforce MFA. A stolen password alone grants mailbox access through these protocols regardless of what MFA policies are set elsewhere in the tenant.

Block legacy authentication tenant-wide

Why it matters: Legacy protocols bypass MFA completely. This is the highest-impact, lowest-effort change you can make.
Risk if skipped: Password-spray attacks succeed reliably. Your MFA policies offer zero protection through these endpoints.
Where to configure: Entra admin centre → Security → Conditional Access → block "Other clients". Security Defaults (free) block legacy auth automatically.
License: Security Defaults — all plans, free. Conditional Access — Business Premium or Entra ID P1.

Audit for active legacy connections before disabling

Why it matters: Older printers, accounting software, or third-party integrations may use legacy auth. Disabling without auditing can break these.
Where to configure: Entra admin centre → Sign-in logs → filter by Client App → look for Basic Authentication, IMAP, POP, SMTP entries. Modernize before blocking.
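The same audit done from the command line, as an added example that is not part of the original checklist: it pulls legacy-auth sign-ins from the Entra sign-in log through the Microsoft Graph PowerShell SDK and groups them by user and protocol, so you can tell a working printer (successful sign-ins from one office IP) from a password spray (many failures from unfamiliar IPs) before enabling the block. It assumes the Microsoft.Graph module is installed and an admin can consent to the two read scopes.

```powershell
# Added example: summarise legacy-authentication sign-ins over the last N days.
# Assumes the Microsoft.Graph PowerShell SDK and consent to the scopes below.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

# Client app names that the Entra sign-in log "Client app" filter groups under
# legacy authentication. Modern-auth sign-ins appear as "Browser" or
# "Mobile Apps and Desktop clients" instead.
$legacyClientApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services',
    'Universal Outlook'
)

function Get-LegacyAuthSignInSummary {
    param([int]$Days = 30)   # sign-in log retention is 30 days on Entra ID P1

    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')

    $rows = foreach ($app in $legacyClientApps) {
        # Filter server-side per protocol: one round trip per client app type.
        Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$app'" |
            Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
            ForEach-Object {
                $first = $_.Group[0]
                [pscustomobject]@{
                    User        = $first.UserPrincipalName
                    ClientApp   = $first.ClientAppUsed
                    Application = $first.AppDisplayName
                    Attempts    = $_.Count
                    # ErrorCode 0 = successful sign-in. A device or integration that shows
                    # successes here needs modernising before the block goes live.
                    Successes   = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                    LastSeen    = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
                    SourceIPs   = ($_.Group.IPAddress | Sort-Object -Unique) -join ', '
                }
            }
    }
    # Many failures from unfamiliar IPs against one protocol is the password-spray pattern
    # the section describes; many successes from one office IP is a device to migrate.
    $rows | Sort-Object Successes, Attempts -Descending
}

# Usage: review on screen, then keep the CSV as the change record for the block.
$summary = Get-LegacyAuthSignInSummary -Days 30
$summary | Format-Table -AutoSize
$summary | Export-Csv -NoTypeInformation -Path '.\legacy-auth-signins.csv'
```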

Conditional Access Policies

Conditional Access is the policy engine that controls how, from where, and from what devices your team can sign into Microsoft 365. A small set of well-configured policies delivers significant protection beyond Security Defaults alone.

License required: Microsoft 365 Business Premium or Entra ID P1. Business Standard users should consider Security Defaults as a free alternative.

Require MFA for all users

Why it matters: Applies MFA consistently to every sign-in including new accounts and app connections — no per-user configuration.
Where to configure: Entra admin centre → Protection → Conditional Access → New policy. All users, all cloud apps, grant requiring MFA. Exclude break-glass accounts.
License: Business Premium or Entra ID P1.

Require compliant devices for admin actions

Why it matters: Admin actions from unmanaged personal devices are high risk. Requiring an Intune-enrolled device adds a hardware-level gate.
Where to configure: Conditional Access → New policy → Admin roles → Grant: Require "Compliant device" or "Hybrid Azure AD joined".
License: Business Premium. Intune enrollment required.

Block sign-ins from countries you don't operate in

Why it matters: Most automated attacks against SMB tenants originate overseas. Geo-blocking eliminates a large category of opportunistic attacks instantly.
Where to configure: Conditional Access → Named Locations → Create allowed countries list → Block all other locations.
License: Business Premium or Entra ID P1.
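The "require MFA for all users", "block legacy authentication" and "block other countries" policies from this section and the previous one, created as code through the Microsoft Graph PowerShell SDK. This is an added example, not the checklist's own procedure; it assumes Business Premium or Entra ID P1, that Security Defaults have been turned off (Conditional Access cannot be enabled while they are on), and a break-glass account whose UPN you substitute for the placeholder. Every policy is created in report-only mode so its effect can be read from the sign-in log before it is enforced.

```powershell
# Added example: create the three Conditional Access policies in report-only mode.
# Assumes Microsoft.Graph SDK, Entra ID P1, and Security Defaults already disabled.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All' -NoWelcome

$breakGlassUpn = 'breakglass@example.com'          # placeholder: your emergency-access account
$breakGlass    = Get-MgUser -UserId $breakGlassUpn -Property Id

# Report-only: the policy is evaluated and logged ("Report-only" tab of each sign-in)
# but never blocks anyone. Switch state to 'enabled' after one or two weeks of review.
$reportOnly = 'enabledForReportingButNotEnforced'

$requireMfa = @{
    displayName = 'CA001 - Require MFA for all users'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

$blockLegacy = @{
    displayName = 'CA002 - Block legacy authentication'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        # exchangeActiveSync + other = the portal's "Other clients" (IMAP, POP, SMTP, etc.)
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# Geo-blocking needs a named location first (ISO 3166-1 alpha-2 country codes).
# includeUnknownCountriesAndRegions = $false means IPs that cannot be mapped to a
# country fall outside the allowed list and are blocked; the report-only run shows
# whether that catches any legitimate traffic.
$allowedCountries = @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = @('CA', 'US')          # placeholder list
    includeUnknownCountriesAndRegions = $false
}
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter $allowedCountries

$geoBlock = @{
    displayName = 'CA003 - Block sign-ins outside allowed countries'
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        locations      = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requireMfa, $blockLegacy, $geoBlock) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0}  id={1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

To enforce a policy after review: `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`, one policy at a time, with the break-glass account tested first.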

Admin Role Protection

Global administrators have unrestricted access to your entire Microsoft 365 environment — including the ability to reset any password, delete data, remove audit logs, and disable security policies. Compromise of a single global admin account is effectively a complete tenant takeover.

Create dedicated admin accounts for admin tasks only

Why it matters: Using your daily work email for admin tasks means a successful phishing attack simultaneously captures global admin credentials.
Risk if skipped: An attacker who compromises your email account immediately has global admin access with no additional steps.
Where to configure: Entra admin centre → Users → New user. Admin accounts should have no mailbox and not be used for daily work.
License: All plans.

Protect global admin accounts with hardware security keys

Why it matters: Standard MFA (push, TOTP) can be bypassed by adversary-in-the-middle phishing kits. FIDO2 hardware keys are phishing-resistant — they cannot be intercepted remotely.
Risk if skipped: AiTM phishing kits routinely bypass push-notification MFA for admin accounts. A hardware key stops this attack class entirely.
Where to configure: Entra admin centre → Security → Authentication methods → FIDO2 security keys. Register at least two keys per admin account.
License: All plans for FIDO2 enablement. Conditional Access enforcement requires Business Premium.

Replace Global Admin with scoped roles where possible

Why it matters: Most IT staff don't need global admin for day-to-day tasks. Limiting roles limits the blast radius of any account compromise.
Where to configure: Entra admin centre → Roles and admins. Replace Global Admin with Exchange Admin, SharePoint Admin, or Helpdesk Admin as appropriate.
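An audit of the three admin controls above in one pass, as an added example that is not from the original checklist: it lists every Global Administrator, shows whether the account looks like a daily-work account (licensed or mailbox-enabled) and which MFA methods it has registered, and flags admins with no phishing-resistant method. It assumes the Microsoft.Graph SDK and consent to the three read scopes named in the script; PIM-eligible assignments (Entra ID P2) are out of scope.

```powershell
# Added example: Global Administrator inventory with authentication-method findings.
# Assumes Microsoft.Graph SDK and consent to the scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'UserAuthenticationMethod.Read.All', 'User.Read.All' -NoWelcome

function Get-GlobalAdminReport {
    $role = Get-MgDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
    # Active assignments only; PIM-eligible assignments need Entra ID P2, which
    # Business Premium does not include.
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    foreach ($member in $members) {
        $kind = $member.AdditionalProperties['@odata.type']
        if ($kind -ne '#microsoft.graph.user') {
            # A group or service principal holding Global Admin needs its own review.
            [pscustomobject]@{ Principal = $member.Id; Kind = $kind; Enabled = $null; Methods = $null
                               Finding = 'non-user member: review separately' }
            continue
        }

        $user = Get-MgUser -UserId $member.Id -Property id, userPrincipalName, accountEnabled, mail, assignedLicenses

        # Each registered method is typed, e.g. #microsoft.graph.fido2AuthenticationMethod;
        # reduce that to a short name such as fido2, microsoftAuthenticator, phone, password.
        $methods = @(Get-MgUserAuthenticationMethod -UserId $member.Id | ForEach-Object {
            $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' -replace 'AuthenticationMethod$', ''
        } | Sort-Object -Unique)

        $findings = @()
        if (-not ($methods -contains 'fido2' -or $methods -contains 'windowsHelloForBusiness')) {
            $findings += 'no phishing-resistant method (FIDO2 key or Windows Hello for Business)'
        }
        if ($methods -contains 'phone') { $findings += 'SMS/voice method still registered' }
        if (@($user.AssignedLicenses).Count -gt 0 -or $user.Mail) {
            $findings += 'licensed or mailbox-enabled: likely a daily-work account, not a dedicated admin'
        }

        [pscustomobject]@{
            Principal = $user.UserPrincipalName
            Kind      = 'user'
            Enabled   = $user.AccountEnabled
            Methods   = $methods -join ', '
            Finding   = if ($findings) { $findings -join '; ' } else { 'ok' }
        }
    }
}

$admins = Get-GlobalAdminReport
$admins | Format-Table -AutoSize
# A handful of admins is typical for a 5-50 seat tenant; a long list is a scoping finding in itself.
"Global Administrators: $(@($admins).Count)"
```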

Anti-Phishing Policies

License required: Enhanced anti-phishing is part of Defender for Office 365 Plan 1, included in Business Premium. Not available in Business Standard without an add-on.

Phishing is the leading cause of Microsoft 365 account compromise in small businesses. Defender anti-phishing capabilities go well beyond basic spam filtering — but require configuration to be effective. A default tenant has minimal protection. A configured tenant has impersonation detection, mailbox intelligence, and first-contact safety tips active.

Configure anti-phishing policies in Microsoft Defender

Why it matters: Default policies are conservative. Custom policies enable impersonation protection for your executives and domain, plus spoof detection tuned to your sending patterns.
Risk if skipped: CEO impersonation, vendor fraud, and Microsoft login spoofs bypass standard spam filters — they contain no malware, only a convincing sender address.
Where to configure: security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Anti-phishing. Enable impersonation protection, set action to Quarantine, enable first-contact safety tips.
License: Business Premium (Defender for Office 365 Plan 1).

DKIM and DMARC Configuration

SPF, DKIM, and DMARC are DNS-level email authentication standards. Together they prove email from your domain is genuine — and instruct receiving servers what to do with messages that fail the check. Without all three, anyone can send convincing spoofed email appearing to come from your domain.

Configure DKIM for your domain

Why it matters: DKIM cryptographically signs every outbound message. Receiving servers verify the signature, confirming the email originated from your domain and was not altered in transit.
Risk if skipped: Spoofed emails appearing to come from your domain pass authentication checks. Your domain becomes usable for phishing campaigns against your own clients.
Where to configure: security.microsoft.com → Email & collaboration → Policies & rules → Threat policies → Email authentication → DKIM tab. Enable for each custom domain, then add the two CNAME records to your DNS registrar.
License: All plans. DKIM signing is a standard Exchange Online feature.

Publish and enforce a DMARC policy

Why it matters: DMARC tells receiving servers what to do when email fails SPF/DKIM: ignore it (p=none), quarantine it, or reject it. p=reject is the strongest protection.
Risk if skipped: Spoofed emails pretending to be from your company are delivered to clients with no authentication warnings. Invoice fraud and BEC attacks exploit domains with no DMARC policy.
Where to configure: Add a DMARC TXT record at your DNS registrar. Use the progression below: start monitoring, then enforce.
License: No Microsoft license required — configured at your DNS registrar.
DMARC rollout progression
  • p=none: Monitor only — no action taken. Review reports for 2–4 weeks.
  • p=quarantine: Failing messages go to spam. Confirm no legitimate sources are failing.
  • p=reject: Spoofed emails are outright rejected. Full protection achieved.
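A checker for the SPF, DKIM and DMARC records described in this section, as an added example that is not part of the original checklist: it reads the domain's public DNS, confirms the two Exchange Online DKIM selector CNAMEs exist, parses the DMARC tags and reports where the domain sits in the rollout progression, including the pct tag that can silently weaken a p=reject. It uses the Resolve-DnsName cmdlet from the Windows DnsClient module; example.com is a placeholder for your own sending domain.

```powershell
# Added example: SPF / DKIM / DMARC posture check for one domain from public DNS.
# Uses Resolve-DnsName (Windows DnsClient module); the domain below is a placeholder.

function Get-TxtRecord {
    param([string]$Name)
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'TXT' |
        ForEach-Object { -join $_.Strings }   # long records arrive split into 255-byte chunks
}

function Test-EmailAuthentication {
    param([Parameter(Mandatory)][string]$Domain)

    $spf   = Get-TxtRecord $Domain          | Where-Object { $_ -like 'v=spf1*' }   | Select-Object -First 1
    $dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1

    # Exchange Online DKIM: selector1/selector2._domainkey.<domain> must be CNAMEs pointing
    # at the tenant's key records (the "two CNAME records" the DKIM control refers to).
    $dkim = foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'CNAME' | Select-Object -First 1
        [pscustomobject]@{ Selector = $selector; Target = $cname.NameHost }
    }

    # DMARC syntax is "tag=value; tag=value"; collect the tags into a hashtable.
    $tags = @{}
    foreach ($pair in ("$dmarc" -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim() }
    }
    $pct = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }

    $stage = switch ("$($tags['p'])") {
        'reject'     { 'p=reject: spoofed mail is rejected' }
        'quarantine' { 'p=quarantine: failing mail goes to spam' }
        'none'       { 'p=none: monitor only, spoofed mail is still delivered' }
        default      { 'no DMARC policy published' }
    }
    # pct below 100 applies the policy to only that share of failing mail: not full protection.
    if ($pct -lt 100 -and $tags['p'] -in 'quarantine', 'reject') { $stage += " (pct=$pct, partial enforcement)" }

    [pscustomobject]@{
        Domain          = $Domain
        SpfRecord       = $spf
        SpfIncludesM365 = [bool]($spf -match 'include:spf\.protection\.outlook\.com')
        SpfAllQualifier = if ($spf -match '([-~?+]all)\s*$') { $Matches[1] } else { $null }   # -all = hard fail
        DkimSelector1   = $dkim[0].Target
        DkimSelector2   = $dkim[1].Target
        DkimConfigured  = -not ($dkim | Where-Object { -not $_.Target })
        DmarcRecord     = $dmarc
        DmarcPolicy     = $tags['p']
        SubdomainPolicy = $tags['sp']
        ReportsTo       = $tags['rua']   # aggregate-report address; needed during the p=none review window
        Assessment      = $stage
    }
}

Test-EmailAuthentication -Domain 'example.com' | Format-List
```

Run it once per sending domain and again after each DNS change; a missing rua tag during the p=none stage means the monitoring period is producing no reports to review.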

Mailbox Auditing

Mailbox auditing records a log of every action in each user's mailbox — who accessed it, what was read, what was deleted, and whether forwarding rules were added. Without it, a post-breach investigation has nothing to work with.

Verify mailbox auditing is enabled tenant-wide

Why it matters: Auditing is on by default for accounts created after January 2019 — but older accounts and service accounts may not have it active.
Risk if skipped: After a compromise, there are no logs to determine what data was accessed, what was forwarded, or when the attacker first gained entry.
Where to configure: Exchange admin centre → Mailboxes → verify AuditEnabled. PowerShell: Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled | Select-Object UserPrincipalName, AuditEnabled (AuditEnabled is not in Get-EXOMailbox's default property set, so it must be requested with -Properties or the column comes back empty).
License: All plans. Exchange Online Audit is included.

Review all mailboxes for unauthorized forwarding rules

Why it matters: After compromise, attackers add inbox rules that silently forward all incoming email to an external address. These persist even after the password is reset.
Risk if skipped: Undetected forwarding rules can exfiltrate months of correspondence after the "resolved" breach. This is one of the most common persistence mechanisms we encounter.
Where to configure: Microsoft 365 Defender portal → Explorer → search inbox rules with external forwarding. Review quarterly.
License: All plans.
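One report that covers both mailbox-auditing controls above, as an added example that is not from the original checklist: for every user and shared mailbox it records the auditing state (the org-level default and the per-mailbox flag) and any forwarding that leaves the tenant, whether set on the mailbox itself or hidden in an inbox rule. It uses the ExchangeOnlineManagement module and assumes an account holding the Exchange Administrator role; the accepted domains of the tenant define what counts as external.

```powershell
# Added example: mailbox auditing state plus external forwarding, tenant-wide.
# Uses the ExchangeOnlineManagement module; assumes the Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = (Get-AcceptedDomain).DomainName   # anything else counts as external

function Test-ExternalAddress {
    param([string]$Address)
    # Rule targets look like '"Bob" [SMTP:bob@partner.example]' for external recipients and
    # '"Alice" [EX:/o=ExchangeLabs/...]' (no @) for resolved internal ones; mailbox-level
    # forwarding looks like 'smtp:bob@partner.example'. Extract the domain after the @.
    if ($Address -match '@([A-Za-z0-9.-]+)') { return ($Matches[1] -notin $internalDomains) }
    return $false
}

function Get-MailboxSecurityReport {
    # When the org-level default is on, every mailbox is audited regardless of its own flag;
    # when it is off, only mailboxes with AuditEnabled = True are.
    $orgAuditDefaultOn = -not (Get-OrganizationConfig).AuditDisabled

    # AuditEnabled and the forwarding attributes are outside Get-EXOMailbox's default
    # property set and must be requested explicitly.
    $mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox `
        -Properties AuditEnabled, AuditLogAgeLimit, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

    foreach ($mbx in $mailboxes) {
        # One remote call per mailbox: fine for a 5-50 seat tenant on a quarterly schedule.
        $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }

        $externalRules = foreach ($rule in $rules) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
            if ($targets | Where-Object { Test-ExternalAddress "$_" }) {
                # DeleteMessage = True is the classic "forward and hide" persistence rule.
                '{0} (enabled={1}, deletes={2}) -> {3}' -f $rule.Name, $rule.Enabled, $rule.DeleteMessage, ($targets -join '; ')
            }
        }

        [pscustomobject]@{
            Mailbox             = $mbx.UserPrincipalName
            Type                = $mbx.RecipientTypeDetails
            OrgAuditDefaultOn   = $orgAuditDefaultOn
            MailboxAuditEnabled = $mbx.AuditEnabled
            AuditLogAgeLimit    = $mbx.AuditLogAgeLimit
            MailboxForwarding   = $mbx.ForwardingSmtpAddress
            ForwardsExternally  = [bool]($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)"))
            ExternalInboxRules  = $externalRules -join ' | '
        }
    }
}

$report = Get-MailboxSecurityReport
# Findings to act on: no effective auditing, or any forwarding that leaves the tenant.
$report | Where-Object { -not ($_.OrgAuditDefaultOn -or $_.MailboxAuditEnabled) -or $_.ForwardsExternally -or $_.ExternalInboxRules } |
    Format-Table Mailbox, MailboxAuditEnabled, MailboxForwarding, ExternalInboxRules -AutoSize
# Remediation once a rule is confirmed unwanted (confirm with the mailbox owner first):
#   Remove-InboxRule -Mailbox <upn> -Identity '<rule name>'
#   Set-Mailbox -Identity <upn> -ForwardingSmtpAddress $null -AuditEnabled $true
```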

External Sharing and Guest Access Controls

By default, Microsoft 365 allows users to share any file with anyone via a link requiring no sign-in. Guest accounts added for contractors often persist long after the engagement ends. These two defaults represent a quiet but significant data exposure risk.

Restrict SharePoint and OneDrive external sharing

Why it matters: "Anyone with the link" sharing means publicly accessible: no authentication, no audit trail, no expiry. A single careless share exposes confidential documents.
Where to configure: Microsoft 365 admin centre → SharePoint admin centre → Policies → Sharing. Set to "New and existing guests" (requires sign-in) or "Only people in your organization".
License: All plans.

Review and expire guest accounts quarterly

Why it matters: Former contractors with active guest accounts have access to Teams channels and SharePoint libraries containing current client data.
Risk if skipped: Departed guests are both a data leak risk and an entry point — especially if their personal email accounts are later compromised.
Where to configure: Entra admin centre → External identities → All guests. Review and remove stale accounts quarterly.
License: Manual review — all plans. Automated access reviews — Business Premium or Entra ID P2.
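The quarterly guest review and the sharing-setting check from this section as a script, added here as an example that is not from the original checklist: it lists every guest with invitation state and last sign-in, flags the stale ones, and reads the tenant-wide SharePoint sharing level. It assumes the Microsoft.Graph SDK (the signInActivity property needs Entra ID P1, which Business Premium includes) and the SharePoint Online Management Shell; the admin-centre URL is a placeholder for your tenant.

```powershell
# Added example: stale guest report plus the tenant-wide SharePoint sharing setting.
# Assumes Microsoft.Graph SDK (User.Read.All, AuditLog.Read.All; signInActivity needs
# Entra ID P1) and the Microsoft.Online.SharePoint.PowerShell module.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

function Get-StaleGuestReport {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    $guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
        -Property id, displayName, mail, createdDateTime, externalUserState, accountEnabled, signInActivity

    foreach ($g in $guests) {
        $lastSignIn = $g.SignInActivity.LastSignInDateTime   # $null if the guest never signed in
        [pscustomobject]@{
            Guest       = $g.Mail
            DisplayName = $g.DisplayName
            Id          = $g.Id
            Created     = $g.CreatedDateTime
            InviteState = $g.ExternalUserState        # PendingAcceptance = invitation never redeemed
            LastSignIn  = $lastSignIn
            Enabled     = $g.AccountEnabled
            # Stale: never signed in and invited before the cutoff, or last seen before the cutoff.
            Stale       = (-not $lastSignIn -and $g.CreatedDateTime -lt $cutoff) -or
                          ($lastSignIn -and $lastSignIn -lt $cutoff)
        }
    }
}

$stale = Get-StaleGuestReport -InactiveDays 90 | Where-Object Stale
$stale | Format-Table Guest, InviteState, Created, LastSignIn -AutoSize
# Removal after confirming with the sponsor of the engagement:
#   $stale | ForEach-Object { Remove-MgUser -UserId $_.Id }

# Tenant-wide sharing level (SharePoint Online Management Shell):
#   ExternalUserAndGuestSharing = "Anyone" links allowed (the permissive default)
#   ExternalUserSharingOnly     = "New and existing guests" (sign-in required)
#   Disabled                    = "Only people in your organization"
Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'   # placeholder tenant name
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, RequireAnonymousLinksExpireInDays
# Hardening step matching the control above:
#   Set-SPOTenant -SharingCapability ExternalUserSharingOnly
```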

Audit Logging and Alert Policies

Unified audit logging captures activity across Exchange, SharePoint, Teams, and Entra ID. Alert policies trigger notifications on high-risk events. Together they are the foundation of any incident detection capability — and increasingly expected by cyber insurers as evidence of monitoring.

Enable unified audit logging

Why it matters: Audit logs are the primary evidence source in any incident investigation. Without them, forensic response is blind.
Where to configure: Microsoft Purview compliance portal → Audit → Verify "Recording user and admin activity" is On. Default retention is 90 days; Business Premium extends to 1 year.
License: All plans. 1-year retention requires Business Premium or M365 E3.

Configure alert policies for high-risk events

Why it matters: Breaches persist for weeks or months in tenants without active alerting. Attackers slowly exfiltrate data through channels that generate no default notifications.
Where to configure: Microsoft 365 Defender portal → Alerts → Alert policies. Create custom policies for: mass file download, mailbox forwarding rule creation, admin role elevation, multiple failed sign-ins.
License: Default policies — all plans. Custom alert policies — Business Premium or M365 E3.

Staff Phishing Awareness Training

Technical controls reduce the attack surface — but a convincing phishing email still reaches inboxes. Staff training is the last line of defence. The goal is not to eliminate all clicks; it is to make suspicious emails reportable, normalize asking for help, and ensure staff know what to do in the first 15 minutes after clicking something suspicious.

  • Run short monthly phishing simulations (Microsoft Attack Simulator, included in Business Premium) — frequency beats length
  • Install the Microsoft "Report Message" Outlook add-in — reporting should be one click
  • Make it explicitly safe to report a click without fear of blame — reported incidents are easier to contain than hidden ones
  • Train staff to recognize: invoice fraud, Microsoft 365 login spoofs, CEO impersonation
  • Document what to do immediately after clicking: who to call, whether to close the browser, whether to shut down the device

Endpoint Security for Business Devices

Endpoints — laptops, desktops, phones, tablets, including personal BYOD devices — are the second primary attack surface alongside email. Built-in Windows Defender provides a baseline but is not sufficient for businesses with remote workers, BYOD devices, or active cyber insurance obligations. Microsoft Defender for Business (included in Business Premium) provides EDR-level protection managed through Intune.

Deploy endpoint detection and response (EDR) on all devices

Why it matters: EDR watches device behaviour and detects suspicious patterns. Traditional antivirus only matches known signatures — it misses novel and fileless malware.
Where to configure: Microsoft Defender for Business is included in Business Premium and deploys through Intune. Also available as a standalone SMB product.
License: Included in Business Premium. Standalone add-on for Business Standard tenants.

Enforce disk encryption and automatic OS updates via Intune

Why it matters: An unencrypted laptop lost or stolen exposes all locally cached files and credentials. An unpatched OS is the primary exploitation target for opportunistic attacks.
Where to configure: Intune (Endpoint Manager) → Devices → Configuration profiles. Enforce BitLocker, require Windows Update for Business, configure update deferral windows.
License: Intune included in Business Premium.

Pair this guide with our managed security and firewall service for hands-on EDR deployment and tenant hardening.

Microsoft 365 Backup — Retention Is Not a Backup

Microsoft's responsibility
  • Platform uptime & availability
  • Infrastructure security
  • Application functionality
  • Global data replication
Your responsibility
  • Emails, files, and Teams data
  • Recovering from ransomware
  • Recovering from admin deletion
  • Departed employee data

The Recycle Bin, OneDrive version history, and SharePoint retention policies are convenience recovery features — not backups. They have short windows, can be wiped by a compromised admin account, and do not protect against ransomware encryption.

Deploy a third-party Microsoft 365 backup solution

Why it matters: A real backup is an independent, immutable copy of Exchange, SharePoint, OneDrive, and Teams data — stored outside the production tenant and restorable to any point in time.
Risk if skipped: Ransomware encryption of a Microsoft 365 tenant leaves no recovery path beyond Microsoft's short-window retention — which is frequently not enough.
Where to configure: Third-party solutions (Veeam, Acronis, Datto, Dropsuite) integrate via the Graph API and store encrypted backups in a separate cloud tenancy with configurable retention.
License: Not included in any Microsoft 365 plan. Third-party backup is a separate service.

Test backup restores quarterly and document results

Why it matters: An untested backup is not a backup. Backup software can fail silently, API permissions can expire, and retention policies may not capture what you believe they do.
How to test: Restore a sample mailbox and a SharePoint library to a test location. Verify completeness and restore time. Document results for your cyber insurance renewal.

Ransomware Protection and Incident Response

Ransomware attacks almost always follow the same path: a phishing email compromises a credential, the attacker moves laterally, then deploys encryption. Every stage of that chain is breakable — MFA stops credential-only attacks, endpoint protection detects lateral movement, Safe Attachments blocks malicious payloads, and backup provides the recovery path.

  • Enforce least-privilege on both user and admin accounts — limit the blast radius of any compromised identity
  • Apply the 3-2-1 rule: three copies of data, two media types, one copy outside the production tenant
  • Test restores quarterly and document results — an untested backup is not a backup
  • Write down who makes decisions in the first 60 minutes of an incident, before you need it
  • Confirm your cyber insurance policy's position on ransom payment in advance

Common Microsoft 365 Security Gaps We Find in Small Business Tenants

These are the issues we encounter most frequently when auditing a new client's tenant. None require expensive tools to fix — they require configuration and attention.

  • Shared admin credentials: Multiple staff using one global admin account. No accountability, no individual audit trail, no clean MFA.
  • MFA gaps on service accounts: MFA enforced for regular users but service accounts and shared mailboxes were excluded. Attackers scan specifically for these exclusions.
  • Legacy auth still active: An old printer or accounting integration was never modernized. Legacy auth bypasses MFA entirely for those connections.
  • SharePoint sharing open to anyone: Default sharing settings mean files can be shared with no sign-in required. Confidential docs end up with publicly accessible URLs.
  • No mailbox audit review: Auditing was never verified on older accounts. After a compromise, there are no logs to reconstruct what happened.
  • DKIM and DMARC missing: SPF exists but DKIM and DMARC were never configured. The domain is used in invoice fraud attacks against the company's own clients.
  • No third-party backup: The business assumes Microsoft backs up their data. Version history is the assumed recovery tool — until ransomware makes that irrelevant.
  • Guest accounts never reviewed: Contractors from 12–18 months ago still have active guest access to Teams channels with current client data.

Frequently Asked Questions

What is Microsoft Secure Score and what should a small business target?
Microsoft Secure Score is a built-in dashboard in the Microsoft 365 Defender portal that measures how well your tenant is configured against Microsoft's security recommendations. For a small business running Microsoft 365 Business Standard or Business Premium, a score between 60% and 80% represents a strong, defensible baseline. Under 30% indicates high risk and missing critical controls. Access it at security.microsoft.com → Secure Score.
Do I need Microsoft 365 Business Premium for Conditional Access?
Yes. Conditional Access requires Microsoft 365 Business Premium or an Entra ID P1 licence. If you are on Business Standard, you can use Security Defaults (free, included in all plans) to enforce MFA and block legacy authentication — but you lose the granular control Conditional Access provides. For most 5–50 employee businesses, the Business Premium upgrade is worth the cost given the security controls it unlocks.
Is Microsoft 365 secure out of the box?
Microsoft 365 provides a secure platform but ships in a permissive default state. Multi-factor authentication is available but not enforced. Legacy authentication protocols remain active. SharePoint external sharing may allow anonymous access. Admin accounts have no separation from daily work accounts. These defaults simplify initial setup but represent real, exploitable gaps in a live business tenant.
What does DKIM protect against and how is it different from SPF?
SPF specifies which mail servers are authorized to send email on behalf of your domain. DKIM adds a cryptographic signature to each outbound message, allowing receiving servers to verify the email was not tampered with in transit and genuinely originated from your domain. DMARC builds on both — it tells receiving servers what to do when a message fails SPF or DKIM checks. All three are needed for complete email authentication.
What does cyber insurance require from a small business?
Canadian cyber insurers increasingly require enforced MFA on all users, endpoint detection and response (EDR), documented backups tested quarterly, a tested incident response plan, and evidence that legacy authentication is disabled. Insurers may also check for Conditional Access policies, DKIM/DMARC on sending domains, and audit logging. Missing controls can trigger coverage exclusions or denied claims after an incident.
Does Microsoft back up my emails and files in 365?
No — not in the sense a business recovery plan requires. Microsoft protects the platform and provides limited retention features (Recycle Bin, version history, litigation hold), but under the shared responsibility model, your data is your responsibility. These convenience features cannot restore your tenant after ransomware encryption, an admin deletion, a departed employee, or a misconfiguration that wipes data. A dedicated third-party backup is required for genuine recovery capability.
What is legacy authentication and why is it dangerous?
Legacy authentication refers to older Microsoft 365 sign-in protocols — IMAP, POP3, basic SMTP auth, and older ActiveSync connections — that cannot enforce MFA. Regardless of your MFA policies, a stolen password alone grants mailbox access through these protocols. Microsoft's telemetry links legacy authentication to over 99% of password spray incidents. Disabling legacy auth is one of the highest-impact, lowest-effort controls you can enable.
Do we really need MFA if we use strong passwords?
Yes. Strong passwords are routinely stolen through phishing, credential stuffing, and info-stealer malware that captures keystrokes or browser-saved credentials. MFA blocks the overwhelming majority of automated account takeover attempts even after a password is compromised. It is now considered a baseline control by Canadian cyber insurers and regulators, not a premium add-on.
What is the difference between antivirus and endpoint detection and response (EDR)?
Traditional antivirus matches files against a database of known malware signatures. Endpoint detection and response (EDR) monitors device behaviour continuously — identifying suspicious activity patterns, isolating compromised devices, and supporting human-led investigation after an incident. Most cyber insurance policies now expect EDR-level protection rather than basic antivirus, which misses novel and fileless malware variants.
How much should a small business spend on cybersecurity?
Most Canadian small businesses we work with spend between 3% and 8% of their IT budget on security controls — MFA, endpoint protection, email filtering, and third-party backup. The exact number depends on regulated data, cyber insurance requirements, and remote-work footprint. Microsoft 365 Business Premium consolidates many of these controls into a single licence, often reducing the per-control cost compared to purchasing them separately.
What should we do immediately if we suspect a Microsoft 365 breach?
Preserve evidence first — do not delete logs or reimage machines. Isolate affected accounts by revoking active sessions in Entra ID (Revoke sign-in sessions). Reset credentials for impacted users. Check for malicious inbox forwarding rules and newly created email filters. Notify leadership and contact your managed IT or incident response provider before making further changes to the environment. If you have cyber insurance, notify your insurer early — most policies have reporting windows.
How often should we run phishing awareness training for staff?
Short monthly phishing simulations plus quarterly micro-training consistently outperform a single annual session for small teams. Phishing tactics evolve quickly — monthly simulations keep recognition skills current without requiring long training blocks. Pair simulations with easy one-click reporting using the Microsoft "Report Message" Outlook add-in.

Want Us to Review Your Microsoft 365 Tenant Security?

We offer a structured Microsoft 365 tenant security review for small businesses. It is not a sales call — it is a technical audit of your tenant configuration against the controls in this checklist, delivered as a written report you can act on with or without our ongoing involvement.

  • MFA enforcement and authentication method audit
  • Legacy authentication and Conditional Access policy review
  • Admin role and least-privilege assessment
  • SPF, DKIM, DMARC check for all sending domains
  • Anti-phishing, Safe Links, Safe Attachments configuration review
  • SharePoint and OneDrive external sharing posture
  • Mailbox forwarding rule check and audit logging verification
  • Backup coverage check and Secure Score baseline
  • Written findings report with prioritized remediation steps and licensing notes
1. Day 1 — Read-only tenant access granted. Technical review begins.
2. Day 2–3 — Written findings report delivered. Gaps ranked by severity.
3. Day 4 — Optional 30-minute walkthrough of findings. No configuration changes without your authorization.

Next Steps

Start with the CRITICAL-tagged controls at the top of the checklist — MFA enforcement, legacy authentication blocking, admin account separation, and backup. These deliver the highest impact and are most frequently checked by cyber insurers. Then work through HIGH-rated email security and endpoint controls. Schedule a quarterly Secure Score review to catch drift.

Security is a posture, not a one-time project. The practical goal for a 5–50 person business is a documented, maintainable Microsoft 365 security baseline — not perfection.