Almost every small business we meet is already paying for Microsoft 365, and almost none of them have it set up the way it should be. That's not a criticism — it's how the product ships. You buy it, the email works, the files sync, and there's no flashing light telling you that half of the security and productivity features you're paying for are switched off or set to their most permissive defaults. "It works" and "it's configured" are two very different things.
The good news is that closing the gap mostly costs time, not money. The settings below are included in plans you already own, and turning them on is the highest-return afternoon of IT work most owners can do. Here are the nine I'd enable first, in order, with what each one actually does.
1. Turn on MFA for every single user
If you do nothing else on this list, do this. Multi-factor authentication (MFA) means a stolen password isn't enough to get into an account — the attacker also needs the second factor on the user's phone. The large majority of Microsoft 365 break-ins start with a password that was phished, reused, or guessed, and MFA is the one setting that reliably stops that.
Newer tenants enable a baseline called security defaults that switches MFA on for everyone, which is great. But plenty of older tenants still have it off, and some have it half-on for a few users. Confirm it's on for everyone, including you. Prefer the Microsoft Authenticator app over text-message codes, and know that attackers now try to trick people into approving prompts — the MFA fatigue tactic we wrote about. As you grow, Conditional Access (on Business Premium) lets you do this more precisely, but plain MFA-for-all is the non-negotiable starting point.
2. Protect and separate your admin accounts
The Global Administrator account is the master key to your entire tenant — every mailbox, every file, every setting. If it's compromised, everything is. Two rules: first, don't use a Global Admin account for daily email and work; create a separate admin account used only for administration, and do your normal work from a standard account. Second, make sure admin accounts have the strongest MFA. Limiting how many people hold the keys, and keeping those keys off the account that reads email all day, dramatically shrinks your risk. This is identity hardening applied right at the top.
3. Turn on (and keep) audit logging
If you're ever breached, the first question is "what did they touch?" — and you can only answer it if logging was on before the incident. Microsoft 365's audit log records sign-ins, file access, mailbox changes, and admin actions. On many tenants it is available but not necessarily switched on, so confirm that it is enabled and that retention is set as long as your plan allows. You hope to never need it, but the day you do, having months of history instead of nothing is the difference between a clear answer and a guess. It's a quiet setting that pays off only once — and that once really matters.
4. Tune anti-spam and anti-phishing
Microsoft 365 includes solid email protection, but the default policies are deliberately gentle so they don't block legitimate mail out of the box. It's worth tightening them: enable the anti-phishing policy (including impersonation and spoof protection), turn on Safe Links and Safe Attachments if your plan includes Defender for Office 365, and review the anti-spam thresholds. Email is the number-one way attacks arrive — from fake invoices to the help-desk impersonation scams we covered — so hardening the inbox is high-leverage.
5. Enable DKIM (and check SPF and DMARC)
These three email-authentication records prove that mail claiming to come from your domain actually did. SPF lists who can send for you, DKIM cryptographically signs your outbound mail, and DMARC tells the world what to do with messages that fail. Microsoft 365 makes DKIM a quick toggle once your domain is verified. Turning these on makes it much harder for criminals to send convincing fake email as you — a favorite trick for invoice fraud and CEO-impersonation aimed at your staff, customers, and vendors. It also helps your legitimate email land in inboxes instead of spam folders.
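As an added example (not code from the original article), here is a PowerShell check of the three records for your own domain, useful before and after flipping the DKIM toggle. It assumes Windows PowerShell's Resolve-DnsName, Microsoft 365's default DKIM selectors selector1 and selector2, and "example.com" as a placeholder domain.

```powershell
# Checks a domain's SPF, DKIM and DMARC records the way a defender would before and after
# enabling DKIM in Microsoft 365. Assumes Windows PowerShell (Resolve-DnsName) and Microsoft 365's
# default DKIM selectors selector1 and selector2; "example.com" is a placeholder domain.
param([string]$Domain = "example.com")

function Get-TxtStrings([string]$Name) {
    # Resolve-DnsName follows CNAMEs (Microsoft 365 publishes DKIM via CNAME), so keep only TXT answers;
    # long records are split into 255-byte chunks, so join the chunks back together.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object Type -eq "TXT" | ForEach-Object { $_.Strings -join "" }
}

function Report([bool]$ok, [string]$text) {
    if ($ok) { "[OK]  $text" } else { "[FIX] $text" }
}

# SPF: exactly one v=spf1 record, ending in -all (fail) or ~all (softfail); +all or ?all gives no protection
$spf = @(Get-TxtStrings $Domain | Where-Object { $_ -like "v=spf1*" })
Report ($spf.Count -eq 1) "SPF: found $($spf.Count) record(s) (must be exactly one)"
if ($spf.Count -eq 1) {
    Report ($spf[0] -match "\s[-~]all$") "SPF: ends with -all or ~all (record: $($spf[0]))"
}

# DKIM: both Microsoft 365 selectors must resolve to a key record containing a public key (p=...)
foreach ($selector in "selector1", "selector2") {
    $key = @(Get-TxtStrings "$selector._domainkey.$Domain" | Where-Object { $_ -match "p=[A-Za-z0-9+/]+" })
    Report ($key.Count -ge 1) "DKIM: $selector._domainkey.$Domain publishes a signing key"
}

# DMARC: one v=DMARC1 record whose policy is quarantine or reject; p=none only monitors
$dmarc = @(Get-TxtStrings "_dmarc.$Domain" | Where-Object { $_ -like "v=DMARC1*" })
Report ($dmarc.Count -eq 1) "DMARC: found $($dmarc.Count) record(s) (must be exactly one)"
if ($dmarc.Count -eq 1) {
    $policy = if ($dmarc[0] -match "(^|;)\s*p=(\w+)") { $Matches[2] } else { "missing" }
    Report ($policy -in "quarantine", "reject") "DMARC: policy is '$policy' (quarantine or reject enforces; none only reports)"
    Report ($dmarc[0] -match "rua=") "DMARC: aggregate reports (rua=) are requested, so you can see who is spoofing you"
}
```

Run it as `.\Check-EmailAuth.ps1 -Domain yourdomain.com`; every [FIX] line is a record to add or tighten in your DNS.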
6. Lock down external sharing in SharePoint and OneDrive
By default, Microsoft 365 is fairly generous about letting files be shared outside your organization, sometimes via "anyone with the link" URLs that need no sign-in. That's convenient and risky — those links get forwarded, pasted, and indexed. Set a sensible external sharing policy: prefer sharing that requires sign-in, set links to expire, and default to "specific people" rather than "anyone." You're not banning collaboration — you're making sure a quick share doesn't quietly expose client data to the open internet. (For the bigger picture on where files should live, see OneDrive vs SharePoint vs Teams.)
7. Set retention — and add a real backup
Here's a costly misunderstanding: Microsoft keeps your data available, but that is not the same as backing it up for you. The built-in recycle bins and version history give you limited recovery windows, and those windows may not cover a compromised account that deletes mail, a departing employee who wipes files, or ransomware that encrypts synced documents. Two moves: configure retention policies appropriate to your business and any compliance rules, and for real protection add a third-party Microsoft 365 backup with longer retention, stored separately from your tenant. Our backup and disaster recovery guide explains why "it's in the cloud" isn't a backup strategy.
8. Turn on self-service password reset
Not every setting is about security alone — some just make the business run smoother. Self-service password reset (SSPR) lets employees securely reset their own forgotten passwords using their verified MFA methods, instead of waiting on whoever does IT. It cuts the single most common help-desk request to near zero, reduces downtime, and, because resets are tied to MFA, it's done securely. It's a small toggle that pays for itself in saved interruptions almost immediately.
9. Restrict app installs and third-party consent
By default, users can often grant third-party apps access to their Microsoft 365 data with a single "Accept" click — which attackers abuse with fake apps that request sweeping permissions (a technique called consent phishing). Tighten this so that admin approval is required before a third-party app can access company data, and review which apps already have access. The same goes for who can install add-ins. It's a setting most businesses never look at, and it quietly closes a door that attackers increasingly knock on.
How to approach this
Don't try to do all nine blindly in one sitting. Work in two passes. Today, confirm the safe, high-impact basics: MFA for everyone (1), protected admin accounts (2), audit logging (3), DKIM (5), and self-service password reset (8). This week, tune the policy-based ones that need a little judgment: anti-phishing (4), external sharing (6), retention and backup (7), and app-consent restrictions (9).
The one to handle carefully is anything that can lock people out — Conditional Access rules and aggressive sharing or sign-in restrictions can block legitimate work if they're set wrong. If you're not fully confident, turn on the safe basics yourself and get a second set of eyes on the rest. This is exactly the kind of setup-and-verify work our managed IT and cloud services handle: configure each setting correctly once, document it, and make sure nothing important was missed.
Underneath all nine is one idea: you've already paid for a capable, secure platform — you just have to turn it on. Most small-business Microsoft 365 incidents we see trace back to a setting that was available the whole time and simply never enabled. An afternoon now is a lot cheaper than the cleanup later.
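One way to see where a tenant stands before starting the two passes, as an added example that is not part of the original article or Microsoft's own tooling, is a read-only PowerShell report over the settings above. It assumes the Microsoft Graph, Exchange Online and SharePoint Online PowerShell modules are installed, an admin sign-in, and "contoso" as a placeholder tenant name; items 7 and 8 are left out because retention, backup and SSPR are policy decisions rather than a single flag to read.

```powershell
# Read-only posture report for the settings above: nothing is changed, it only prints what is on and off.
# Assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell
# modules are installed and you sign in as an admin; "contoso" is a placeholder tenant name.
$Tenant = "contoso"
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All","AuditLog.Read.All" | Out-Null
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

function Check([bool]$ok, [string]$what) {
    if ($ok) { "[OK]  $what" } else { "[FIX] $what" }
}

# 1. MFA: security defaults on, and no user left without a registered MFA method
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Check $sd.IsEnabled "Security defaults (baseline MFA for everyone) are enabled"
# The registration-details report may need an Entra ID P1 licence; skip this check if the call is refused
$noMfa = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isMfaRegistered eq false" -All)
Check ($noMfa.Count -eq 0) "Users with no MFA method registered: $($noMfa.Count)"

# 2. Admin accounts: few Global Administrators, each on an admin-only account
$ga = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All)
Check ($gaMembers.Count -le 4) "Global Administrators: $($gaMembers.Count) (review each; none should be a daily-use mailbox)"

# 3. Audit logging
Check (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled "Unified audit log ingestion is enabled"

# 4. Anti-phishing: spoof intelligence on in every policy
foreach ($p in Get-AntiPhishPolicy) {
    Check $p.EnableSpoofIntelligence "Anti-phish policy '$($p.Name)': spoof intelligence on"
}

# 5. DKIM signing enabled for every custom domain
foreach ($d in Get-DkimSigningConfig | Where-Object { $_.Domain -notlike "*.onmicrosoft.com" }) {
    Check $d.Enabled "DKIM signing enabled for $($d.Domain)"
}

# 6. External sharing: no anonymous "anyone" links, and expiring links where they are still allowed
$spo = Get-SPOTenant
Check ($spo.SharingCapability -ne "ExternalUserAndGuestSharing") "SharePoint: 'anyone' links disabled (now: $($spo.SharingCapability))"
Check ($spo.DefaultSharingLinkType -ne "AnonymousAccess") "SharePoint: default link type is not 'anyone' (now: $($spo.DefaultSharingLinkType))"
Check ($spo.RequireAnonymousLinksExpireInDays -gt 0) "SharePoint: anonymous links expire (now: $($spo.RequireAnonymousLinksExpireInDays) days; 0 or -1 = never)"

# 9. App consent: users cannot grant third-party apps access to company data on their own
$consent = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
Check (-not ($consent -like "*user-default-legacy")) "Users cannot freely consent to third-party apps (policy: $($consent -join ', '))"
```

Each [FIX] line maps to one of the numbered items above, so the output doubles as the to-do list for the two passes.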
Frequently asked questions
Does Microsoft 365 come secure by default?
Partly. Newer tenants enable "security defaults," which enforces MFA — a real improvement. But many high-value protections (audit depth, anti-phishing tuning, DKIM, retention, external-sharing controls) are off or permissive until configured. Out of the box you get a usable email and file system, not a hardened one; this guide closes that gap.
What is the single most important Microsoft 365 setting to enable?
MFA for every user, via security defaults or, better, Conditional Access. Most account takeovers start with a stolen or guessed password, and MFA most reliably stops a working password from becoming a full breach. If you enable nothing else, enable MFA for everyone including admins, and prefer an authenticator app over text-message codes.
Do I need the more expensive Business Premium plan to be secure?
Not for the basics. MFA via security defaults, audit logging, DKIM, anti-spam and basic anti-phishing, retention, and external-sharing controls are on common small-business plans. Business Premium adds stronger tools (Conditional Access, Defender for Office 365 advanced anti-phishing, Intune, richer reporting) that are worth it as you grow. Configure what your current plan includes first, then upgrade specific users where the extra protection matters.
Does Microsoft 365 back up my email and files automatically?
Not the way most owners assume. Microsoft keeps data highly available and offers limited recovery windows, but that's retention, not backup. A compromised account, malicious insider, or ransomware on synced files can exceed those windows. Most businesses with real compliance or continuity needs add a dedicated third-party Microsoft 365 backup with longer retention, separate from the tenant.
Can I turn these settings on myself, or do I need help?
A confident admin can enable the basics from the admin center: security defaults for MFA, audit logging, DKIM, anti-spam and anti-phishing, retention, and external-sharing limits. The ones needing care are Conditional Access and anything that can lock users out. Many businesses turn on the safe basics themselves and bring in a managed IT provider to configure Conditional Access, verify nothing was missed, and document it.
Want us to check which of these nine are actually on in your tenant?
30 minutes with a DoD-cleared engineer. We'll review your Microsoft 365 setup, show you plainly which protections are off, and hand you a prioritized list — starting with the free, high-impact ones. No jargon, no obligation.
Book your free assessment. Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.