Most Microsoft 365 security problems aren’t caused by one “big” mistake. They come from a handful of small defaults that never got revisited after you set up email and got everyone working.
If you only have an hour this week, you can still make meaningful improvements. The trick is to start with the settings that reduce the two most common business headaches: account takeovers and dangerous email getting through.
Start with identity, because every other setting depends on it
If someone gets into an account, they usually don’t need “hacking” skills. They need a password, plus a second factor that either isn’t enforced, isn’t set up properly, or is easy to approve by accident.
Your first wins live in Microsoft Entra ID (the identity layer behind Microsoft 365).
- Turn on Security Defaults (if you don’t have Conditional Access). Security defaults are Microsoft’s baseline protections for sign-ins. They’re designed for organisations that aren’t ready to build custom Conditional Access policies yet. If you have Entra ID Premium and you are using Conditional Access, you typically leave security defaults off and enforce the equivalent controls with your own policies.
- Require MFA for admins, and don’t use your day-to-day account as an admin. Admin accounts are the keys to the kingdom. Keep admin access separate from normal email and Teams use, so you’re not constantly elevating risk every time someone checks their inbox.
- Use number matching for Authenticator push prompts. Simple “Approve” prompts can be abused with MFA fatigue (lots of repeated prompts until someone taps yes). Number matching forces the user to prove they’re looking at the same sign-in attempt.
Practical tip: before you flip anything on, confirm you have at least one working admin account with MFA registered, and a safe way back in if someone’s phone is lost.
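A quick way to do that pre-flight check from a terminal, as an added example (this is not from the original post or from Microsoft, and it assumes the Microsoft Graph PowerShell SDK is installed and the account running it has at least Global Reader plus the read scopes requested):

```powershell
# Added example: pre-flight check before enabling security defaults or
# Conditional Access. Reads the current security-defaults state and reports
# which admin accounts have MFA registered.
# Assumptions: Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and an account allowed to consent to the delegated scopes below.

Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# 1. Is security defaults on? (If you already run Conditional Access, expect False.)
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 2. Which admins can actually satisfy an MFA prompt?
#    isAdmin is set by Microsoft for users holding a privileged directory role.
$admins = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All

$ready    = @($admins | Where-Object { $_.IsMfaRegistered })
$notReady = @($admins | Where-Object { -not $_.IsMfaRegistered })

"Admins with MFA registered: $($ready.Count) / $(@($admins).Count)"
"Admins still to fix:"
$notReady | Select-Object UserPrincipalName, IsMfaCapable, MethodsRegistered | Format-Table -AutoSize

# Stop here until at least one admin is ready: turning on enforcement with zero
# MFA-capable admins is how tenants lock themselves out.
if ($ready.Count -eq 0) {
    throw "No admin account has MFA registered. Fix that before enforcing anything."
}
```

Run it once before Week 1 and keep the output; the list of admins without MFA is also your to-do list for separating day-to-day accounts from admin accounts.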
Build two Conditional Access policies you can explain in one sentence
Conditional Access is where Microsoft 365 security stops being generic and starts matching how your business actually works. You’re basically saying: “Only allow sign-ins that meet these conditions.”
Two policies usually come first because they’re easy to justify to the business.
- Require MFA for all users (with a small set of exclusions). Most businesses start by requiring MFA for everyone, then excluding service accounts that truly can’t do MFA (and replacing those accounts over time). Do not exclude executives “because it’s annoying”. They’re often the most targeted.
- Block legacy authentication. Legacy sign-in methods don’t support modern controls like MFA. Blocking them removes a whole class of low-effort attacks, such as password spraying against older protocols.
Keep it simple at first. The more conditions you stack on day one, the more likely you’ll break a workflow you forgot existed.
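Here is what those two policies look like when created from PowerShell, as an added example (not from the original post or from Microsoft’s documentation). It assumes the Microsoft Graph PowerShell SDK, an account with the Policy.ReadWrite.ConditionalAccess scope, and an existing emergency-access (“break glass”) group whose object ID replaces the placeholder in $breakGlassGroupId. Both policies start in report-only mode so you can see what would have been affected before anything is enforced.

```powershell
# Added example: create the two starter Conditional Access policies in
# report-only mode with the Microsoft Graph PowerShell SDK.
# Assumptions: $breakGlassGroupId is a placeholder for your emergency-access
# group, and security defaults are already off (Conditional Access policies
# cannot be enabled while security defaults are on).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access group object ID

# Policy 1: require MFA for all users, excluding only the emergency-access group.
# Service accounts that truly cannot do MFA go in a separate exclusion group
# later, with a note on when they will be replaced.
$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first, then "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types that cannot do modern auth, and therefore cannot do MFA.
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Leave both in report-only for a week, review the sign-in logs for what *would*
# have been blocked, then change state to "enabled" with
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id>.
```

The point of the exclusion group is the one-sentence explanation the heading asks for: “Everyone does MFA, and legacy protocols are blocked, except the two emergency accounts kept in a safe.”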
Use preset policies in Defender for Office 365 before you customise anything
Email is still the main delivery mechanism for phishing. Microsoft gives you a lot of knobs to turn, but you don’t have to start by inventing your own policy set from scratch.
If you have Microsoft Defender for Office 365, preset security policies are a fast way to apply Microsoft-recommended settings across anti-phishing and other protections.
- Enable the Standard preset for most users. This gets you to a sensible baseline quickly.
- Use the Strict preset for high-risk roles. Finance, executives, and anyone who can move money should be in your highest protection bucket.
- Understand “Built-in protection”. Even if you haven’t set up custom Safe Links or Safe Attachments policies, Microsoft applies a lowest-priority built-in protection profile to users who aren’t covered by any other policy. Presets let you control that scope more intentionally.
This approach also makes ongoing operations easier. When you hire, you’re assigning someone to a protection level, not reinventing email security each time.
Make links and attachments safer, without asking users to become analysts
Your team should not have to inspect every URL like a detective. The point of Microsoft 365 security settings is to catch the obvious traps automatically.
Two Defender for Office 365 features are worth prioritising because they target what people actually do all day: click links and open files.
- Safe Links. This helps protect users from malicious links by rewriting URLs so they’re checked at the time of the click, not only when the message was delivered. It can also cover places beyond email, like Teams, depending on your licensing and configuration.
- Safe Attachments. This adds protection against malicious attachments by detonating or scanning content in a controlled way before it reaches the user.
Also spend five minutes on quarantine behaviour. The goal is that truly dangerous messages stay locked down, and your staff have a clear, safe process for reporting false positives.
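The preset rollout from the previous section and the Safe Links, Safe Attachments and quarantine checks from this one can be done in one sitting from Exchange Online PowerShell. The following is an added example (not the post’s own or Microsoft’s code); it assumes the ExchangeOnlineManagement module, Defender for Office 365 licensing, that the preset rules already exist (they are created the first time the presets are opened in the Defender portal), and that the domain and group names are placeholders for your own.

```powershell
# Added example: turn on the Standard preset for everyone, scope Strict to a
# high-risk group, then report Safe Links / Safe Attachments / quarantine coverage.
# Assumptions: ExchangeOnlineManagement module; preset rules already exist;
# $domain and $highRiskGroup are placeholders.

Connect-ExchangeOnline -ShowBanner:$false

$domain        = "contoso.example"                   # placeholder: an accepted domain in your tenant
$highRiskGroup = "high-risk-roles@contoso.example"   # placeholder: finance, execs, anyone who moves money

# Each preset is two rules with the same name: the EOP rule (anti-spam,
# anti-malware, anti-phishing) and the ATP rule (Safe Links, Safe Attachments).
# Standard: whole domain, minus the high-risk group, which Strict will take.
Set-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs $domain -ExceptIfSentToMemberOf $highRiskGroup
Set-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy" -RecipientDomainIs $domain -ExceptIfSentToMemberOf $highRiskGroup
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

# Strict: only the high-risk group.
Set-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf $highRiskGroup
Set-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy" -SentToMemberOf $highRiskGroup
Enable-EOPProtectionPolicyRule -Identity "Strict Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Strict Preset Security Policy"

# Coverage check 1: preset scoping as it now stands.
"== Preset rules (Safe Links / Safe Attachments side) =="
Get-ATPProtectionPolicyRule | Select-Object Name, State, Priority, RecipientDomainIs, SentToMemberOf, ExceptIfSentToMemberOf | Format-Table -AutoSize

# Coverage check 2: any custom Safe Links / Safe Attachments rules and who they hit.
"== Custom Safe Links rules =="
Get-SafeLinksRule | Select-Object Name, State, Priority, RecipientDomainIs, SentToMemberOf | Format-Table -AutoSize
"== Custom Safe Attachments rules =="
Get-SafeAttachmentRule | Select-Object Name, State, Priority, RecipientDomainIs, SentToMemberOf | Format-Table -AutoSize

# What each Safe Attachments policy actually does with a detonated file:
# "Block" holds the whole message; "DynamicDelivery" delivers the body with a
# placeholder while the attachment is scanned. Anything on "Allow" only monitors.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, QuarantineTag | Format-Table -AutoSize

# Quarantine policies decide what users may do with held mail (preview, release,
# request release). AdminOnlyAccessPolicy is the locked-down built-in; look hard at
# anything attached to malware or high-confidence phishing that allows self-release.
Get-QuarantinePolicy | Select-Object Name, EndUserQuarantinePermissions | Format-Table -AutoSize
```

The two “Set” lines before each “Enable” matter: enabling a preset rule with no recipients scoped to it turns on nothing, and the portal will show it as on but applying to no one.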
Fix the “quiet” settings that cause real-world data leaks
Not every incident looks like ransomware. Sometimes it’s a terminated employee whose OneDrive still contains critical files, or a laptop that dies with the only copy of a spreadsheet living on the Desktop.
Two settings help reduce those everyday risks.
- Move Desktop and Documents into OneDrive (Known Folder Move). This reduces the chance that important work lives only on one device. It also makes device replacement and onboarding less painful.
- Review who can do what by default in Entra ID. Microsoft gives users a set of default permissions. Tightening these (carefully) can reduce accidental exposure and limit what a compromised account can do.
This is where security and operations overlap. You’re not “locking things down”. You’re making sure important work is stored in a place your business can actually manage.
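Both of those settings can be checked rather than assumed. The script below is an added example (not from the original post or from Microsoft): part 1 runs on a Windows device and sets then verifies the Known Folder Move policy values, part 2 reads the Entra ID default user permissions through the Microsoft Graph PowerShell SDK. It assumes $tenantId is a placeholder for your tenant ID, that part 1 runs with local admin rights (it writes to HKLM, the same values Intune or Group Policy would set), and that part 2 has the Policy.Read.All scope.

```powershell
# Added example: audit the two "quiet" settings.
# Part 1 (Windows device, run as admin): set and verify Known Folder Move (KFM).
# Part 2 (Microsoft Graph SDK): read Entra ID default user permissions.
# Assumptions: $tenantId is a placeholder; OneDrive client is installed.

# ---- Part 1: Known Folder Move -------------------------------------------------
$tenantId  = "00000000-0000-0000-0000-000000000000"   # placeholder: your Entra tenant ID
$policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"

# Desired state: silently move Desktop/Documents/Pictures into OneDrive, tell the
# user it happened, and don't let them redirect the folders back to local disk.
$desired = @{
    KFMSilentOptIn                 = $tenantId   # REG_SZ: tenant the folders are moved into
    KFMSilentOptInWithNotification = 1           # DWORD: show a notification after the move
    KFMBlockOptOut                 = 1           # DWORD: users cannot stop KFM
}

function Set-KfmPolicy {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    foreach ($name in $desired.Keys) {
        $type = if ($desired[$name] -is [int]) { "DWord" } else { "String" }
        Set-ItemProperty -Path $policyKey -Name $name -Value $desired[$name] -Type $type
    }
}

function Get-KfmStatus {
    # Explorer stores the real location of each known folder here; the OneDrive
    # client rewrites these paths once a folder has been moved.
    $shell   = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
    $folders = @{ Desktop = "Desktop"; Documents = "Personal"; Pictures = "My Pictures" }
    foreach ($f in $folders.GetEnumerator()) {
        $path = [Environment]::ExpandEnvironmentVariables($shell.($f.Value))
        [pscustomobject]@{ Folder = $f.Key; Path = $path; InOneDrive = ($path -like "*OneDrive*") }
    }
}

Set-KfmPolicy
Get-KfmStatus | Format-Table -AutoSize
# A folder still showing InOneDrive = False after the OneDrive client restarts
# means the move did not complete; check the OneDrive client for the reason
# before assuming the user's files are protected.

# ---- Part 2: Entra ID default user permissions ---------------------------------
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome
$perm = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
[pscustomobject]@{
    UsersCanRegisterApps         = $perm.AllowedToCreateApps            # usually worth turning off
    UsersCanCreateSecurityGroups = $perm.AllowedToCreateSecurityGroups
    UsersCanReadOtherUsers       = $perm.AllowedToReadOtherUsers
} | Format-List
```

Part 2 is deliberately read-only: the review is the point, and tightening any of those defaults is a change to announce first, because some line-of-business apps rely on users being able to register them.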
A simple rollout plan that won’t wreck your week
Most Microsoft 365 security settings fail because they’re turned on without a plan for the human parts: communication, exceptions, and support.
Here’s a practical order that works for many growing businesses:
- Week 1: identity basics. Confirm admin accounts, enable security defaults or your first Conditional Access policies, and roll out MFA with number matching.
- Week 2: email protections. Turn on Defender presets (Standard, then Strict for key roles), confirm Safe Links and Safe Attachments coverage, and set quarantine rules.
- Week 3: data hygiene. Roll out Known Folder Move, confirm you can recover files, and review default permissions and admin roles.
If you would like help choosing the right “first” settings for your licensing, risk level, and workflows, the Flexnet Networks team can review your Microsoft 365 tenant and implement them with you.
Sources
- Security defaults in Microsoft Entra ID, Microsoft Learn
- Block legacy authentication with Conditional Access, Microsoft Learn
- Preset security policies, Microsoft Learn
- Safe Links in Microsoft Defender for Office 365, Microsoft Learn
- Redirect and move Windows known folders to OneDrive, Microsoft Learn