1 min read · By Phillip Waite

Microsoft 365 Hardening: 12 Settings Every St. Louis SMB Should Change Today

Twelve free Microsoft 365 tenant settings that close the gaps attackers actually exploit against small and mid-sized businesses.

Tags: Microsoft 365 · Cybersecurity · Cloud

The good news about Microsoft 365 is that the controls you need to be reasonably secure are already in your tenant. The bad news is the defaults aren't them.

Here are the twelve settings we change on every new client tenant — none of them require an extra license beyond Business Premium.

  1. Disable legacy authentication. Block Basic auth across the board. This single change kills the majority of password-spray attacks.
  2. Enforce MFA via Conditional Access, not per-user MFA. Per-user is a maintenance nightmare and breaks app passwords in weird ways.
  3. Block sign-in from countries you don't operate in. Unless someone genuinely travels, geo-block.
  4. Require compliant or Hybrid-joined devices for access to email and SharePoint.
  5. Disable self-service Teams, group, and app creation unless governance is in place.
  6. Turn on Safe Links and Safe Attachments with the strict preset.
  7. Configure DKIM for every accepted domain (it ships off by default).
  8. Set DMARC to p=quarantine, then move to p=reject after monitoring.
  9. Enable Unified Audit Log and retain it for at least a year.
  10. Disable mailbox auto-forwarding to external addresses at the transport rule level.
  11. Restrict OAuth app consent to admin-approved apps.
  12. Turn on Microsoft Defender for Office 365 Plan 1 alerts and route them somewhere a human reads.
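For the Entra ID side of the list (items 1 through 4 and item 11), here is an added example of how those controls can be created with the Microsoft Graph PowerShell SDK. It is not code from the original post or from the author's practice. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the requested scopes, and a break-glass (emergency access) account exists; the object ID, country list, and policy names are placeholders. Every policy is created in report-only mode so sign-in logs can be reviewed before switching the state to `enabled`.

```powershell
# Added example: Conditional Access policies for items 1-4 and user app-consent
# lockdown for item 11, via Microsoft Graph PowerShell (assumed installed).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Policy.ReadWrite.Authorization'

# PLACEHOLDER: object ID of the break-glass account excluded from every policy.
$BreakGlassId = '00000000-0000-0000-0000-000000000000'
$users = @{ includeUsers = @('All'); excludeUsers = @($BreakGlassId) }

# Report-only first; change to 'enabled' after reviewing the sign-in log impact.
$state = 'enabledForReportingButNotEnforced'

# 1. Block legacy (Basic) authentication: ActiveSync and "other clients".
$blockLegacyAuth = @{
    displayName   = 'CA01 - Block legacy authentication'
    state         = $state
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 2. Require MFA for all users on all cloud apps (modern clients only,
#    since legacy clients are already blocked above).
$requireMfa = @{
    displayName   = 'CA02 - Require MFA for all users'
    state         = $state
    conditions    = @{
        users          = $users
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 3. Geo-block: allow only the countries the business operates in.
#    PLACEHOLDER country list (ISO 3166-1 alpha-2): United States only.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed countries'
    countriesAndRegions               = @('US')
    includeUnknownCountriesAndRegions = $false
}
$geoBlock = @{
    displayName   = 'CA03 - Block sign-in from outside allowed countries'
    state         = $state
    conditions    = @{
        users        = $users
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($allowedCountries.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 4. Require a compliant or Hybrid-joined device for Exchange Online and
#    SharePoint Online (well-known first-party application IDs).
$requireDevice = @{
    displayName   = 'CA04 - Require compliant or hybrid-joined device for mail and files'
    state         = $state
    conditions    = @{
        users        = $users
        applications = @{ includeApplications = @(
            '00000002-0000-0ff1-ce00-000000000000',   # Exchange Online
            '00000003-0000-0ff1-ce00-000000000000'    # SharePoint Online
        ) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
}

foreach ($policy in @($blockLegacyAuth, $requireMfa, $geoBlock, $requireDevice)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}

# 11. Remove users' ability to consent to OAuth apps themselves. An empty
#     permission-grant policy list means every consent goes to an admin.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ permissionGrantPoliciesAssigned = @() }

# Verification: the list should now be empty.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```

Keep the break-glass exclusion on every blocking policy; a geo-block or device policy that also catches the emergency account is how tenants get locked out. Report-only mode surfaces which users and apps would have been blocked in the sign-in logs before anyone is affected.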
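For the mail-flow side (items 7 through 10), here is an added example using Exchange Online PowerShell. It is not code from the original post. It assumes the ExchangeOnlineManagement module is installed, the admin has the Exchange Administrator role, and the machine is Windows (the `Resolve-DnsName` check comes from the built-in DnsClient module); the DMARC reporting address and rule name are placeholders.

```powershell
# Added example: DKIM, audit log, and external auto-forward controls for items
# 7, 9 and 10, with the DMARC record for item 8 shown as the DNS text to publish.
Connect-ExchangeOnline

# 7. DKIM for every custom accepted domain. Signing can only be enabled once the
#    two selector CNAMEs are published in public DNS, so this prints the records
#    it needs and enables signing only where selector1 already resolves.
$customDomains = Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' }
foreach ($domain in $customDomains) {
    $name = $domain.DomainName
    $cfg  = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    if (-not $cfg) {
        # Creating the config disabled generates the key pair and CNAME targets.
        $cfg = New-DkimSigningConfig -DomainName $name -Enabled $false
    }
    Write-Host "$name : CNAME selector1._domainkey -> $($cfg.Selector1CNAME)"
    Write-Host "$name : CNAME selector2._domainkey -> $($cfg.Selector2CNAME)"

    $published = Resolve-DnsName -Name "selector1._domainkey.$name" -Type CNAME -ErrorAction SilentlyContinue
    if ($published -and -not $cfg.Enabled) {
        Set-DkimSigningConfig -Identity $name -Enabled $true
        Write-Host "$name : DKIM signing enabled"
    }
}

# 8. DMARC is a public DNS record, not a tenant setting. PLACEHOLDER record to
#    publish as a TXT at _dmarc.<domain>; move p=quarantine to p=reject after
#    the aggregate (rua) reports show only legitimate senders:
#    v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100

# 9. Unified Audit Log ingestion.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 10. Block auto-forwarding to external recipients at two layers: the outbound
#     spam policy and an explicit transport rule that rejects with an NDR.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

$ruleName = 'Block external auto-forwarding'   # placeholder name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'
}

# Detection check: mailboxes that already have forwarding configured. Any
# unexpected external address here is worth investigating as a possible
# account compromise before the rule silently starts rejecting it.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

The forwarding check at the end is the part worth running first: attackers who get into a mailbox commonly add an external forward to keep reading mail after the password is reset, and an existing forward is evidence, not just a setting to clean up.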

Each one takes minutes. Together they close most of the cloud attack surface that small businesses get hit on. If you'd rather we just do it for you, reach out — it's a half-day engagement for most tenants.