Microsoft 365 for Small Businesses: The 6 Settings Most Companies Never Configure (But Should)

Microsoft 365 is the productivity platform most Miami small businesses are already paying for. But out of the box, it’s not configured for security — it’s configured to be easy to set up quickly. Most of the settings that actually protect your business, your email, and your data are buried in admin panels that most users never open.

Here are six settings that are almost always misconfigured or missing entirely — and how to fix them.

1. Enable MFA for all users

This one comes first because it’s the most impactful and the most frequently skipped. Multi-factor authentication means that even if a hacker has a user’s password, they can’t access the account without also having their phone.

In Microsoft 365, MFA is configured through the Entra ID (formerly Azure AD) admin center under Security > Authentication methods. Enable it organization-wide and require the Microsoft Authenticator app, not just SMS codes. SMS codes are better than nothing, but they’re susceptible to SIM-swapping attacks. The Authenticator app is significantly more secure.

2. Configure email archiving policy

By default, email in Microsoft 365 is retained only as long as it’s in a mailbox. When someone deletes an email — intentionally or accidentally — it’s gone after 30 days. For most businesses, that’s a compliance problem and a liability.

Microsoft Purview includes an archiving feature that automatically copies email to a separate archive mailbox and holds it according to a retention policy you define. For law firms, six years is the Florida Bar minimum. For medical offices, HIPAA requires six years from the date of creation or last use. Set this up before you need it — you can’t retroactively archive email that’s already been deleted.
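As an added example (this is not code from the original post or from Microsoft), the following PowerShell turns the above into a repeatable check: it lists user mailboxes that still have no archive, enables the archive for them, and creates a Purview retention policy that keeps all Exchange mail for six years. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds Exchange and Compliance administrator roles; the policy name is our own.

```powershell
# Added example for section 2: archive mailboxes plus a six-year retention policy.
# Requires: Install-Module ExchangeOnlineManagement -Scope CurrentUser
# Assumption: the signed-in account has Exchange Administrator and
# Compliance Administrator rights.
Connect-ExchangeOnline

# 1. Find user mailboxes that have no archive mailbox yet.
$noArchive = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ArchiveStatus -ne "Active" }

$noArchive | Select-Object DisplayName, UserPrincipalName, ArchiveStatus

# 2. Enable the archive for each of them.
foreach ($mbx in $noArchive) {
    Enable-Mailbox -Identity $mbx.UserPrincipalName -Archive | Out-Null
}

# 3. Create a Purview retention policy that keeps all Exchange mail for six
#    years (the Florida Bar / HIPAA figure the article cites). RetentionDuration
#    is expressed in days: 6 x 365 = 2190. "Keep" retains without forcing deletion.
Connect-IPPSSession

$policyName = "Keep email 6 years"   # our name for the policy, adjust as needed
New-RetentionCompliancePolicy -Name $policyName -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -RetentionDuration 2190 -RetentionComplianceAction Keep

# 4. Verify the policy exists and is enabled.
Get-RetentionCompliancePolicy -Identity $policyName |
    Select-Object Name, Enabled, ExchangeLocation
```

Run the first two steps on their own first; the retention policy applies to mail going forward, so, as the article notes, anything already purged is not recovered by it.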

3. Block legacy authentication protocols

Legacy authentication protocols — things like Basic Auth, IMAP, and POP3 — don’t support MFA. That means even if you’ve enabled MFA for your organization, an attacker who has a user’s password can bypass it entirely by connecting to the mailbox with one of those legacy protocols instead of a modern client.

Microsoft has been phasing out legacy auth for years, but it’s still enabled on many older tenants. Block it using a Conditional Access policy in Entra ID: create a policy that blocks all legacy authentication protocols for all users. If you have older email clients that don’t support modern authentication, this is the time to upgrade them.
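Sections 1 and 3 both come down to Conditional Access policies in Entra ID, so here is one added example (not from the original post or from Microsoft) that creates both with the Microsoft Graph PowerShell SDK: one policy requiring MFA for all users, and one blocking legacy authentication. Both are created in report-only mode so the sign-in logs show what would have been blocked before anything is enforced. The break-glass account object ID is a placeholder you must replace, and the final read of the authentication methods policy assumes the tenant manages methods through that policy.

```powershell
# Added example: Conditional Access policies for sections 1 and 3.
# Requires: Install-Module Microsoft.Graph -Scope CurrentUser
# Assumption: the signed-in account can manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) account that is
# excluded so an MFA or policy problem cannot lock every administrator out.
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Policy 1 (section 1): require MFA for every user on every cloud app.
$requireMfa = @{
    displayName = "Require MFA for all users"
    # Report-only first; change to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2 (section 3): block legacy authentication. In Conditional Access the
# legacy clients are represented by the client app types "exchangeActiveSync"
# and "other" (Basic Auth over IMAP, POP3, SMTP AUTH and similar).
$blockLegacy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}

# Check which authentication methods the tenant allows. If "Sms" is still
# enabled alongside "MicrosoftAuthenticator", plan to phase it out as the
# article recommends.
(Get-MgPolicyAuthenticationMethodPolicy).AuthenticationMethodConfigurations |
    Select-Object Id, State
```

After a week or so in report-only mode, review the Conditional Access sign-in report for the legacy-auth policy: every "would have blocked" entry is a client that needs to be upgraded before you flip the state to "enabled".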

4. Enable Safe Links and Safe Attachments (Defender for Office 365)

Standard Microsoft 365 business plans include basic spam filtering, but they don’t include Safe Links or Safe Attachments — those require a Defender for Office 365 Plan 1 add-on (about $2/user/month, or included in Microsoft 365 Business Premium).

Safe Attachments scans every email attachment in a sandboxed environment before delivering it to the user. Safe Links rewrites URLs in emails and checks them in real time when clicked — if a link goes to a known malicious site, it’s blocked. For businesses in targeted industries like law and healthcare, these features are essential.
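As an added example that is not part of the original post or Microsoft's documentation, the following PowerShell checks whether an enabled Safe Attachments policy and Safe Links policy already exist and creates them if not, applying each to one accepted domain. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 Plan 1 (or Business Premium) license; `contoso.example` and the policy names are placeholders.

```powershell
# Added example for section 4: Safe Attachments and Safe Links, check-then-create.
# Requires: Install-Module ExchangeOnlineManagement -Scope CurrentUser
# Assumption: the tenant is licensed for Defender for Office 365 Plan 1.
Connect-ExchangeOnline

$domain = "contoso.example"   # placeholder, replace with your accepted domain

# --- Safe Attachments: detonate every attachment in a sandbox, block if malicious ---
$saName = "Safe Attachments - all users"
if (-not (Get-SafeAttachmentPolicy -ErrorAction SilentlyContinue |
          Where-Object { $_.Enable })) {
    New-SafeAttachmentPolicy -Name $saName -Enable $true -Action Block
    New-SafeAttachmentRule -Name $saName -SafeAttachmentPolicy $saName `
        -RecipientDomainIs $domain
}

# --- Safe Links: rewrite URLs and check them at click time, no click-through ---
$slName = "Safe Links - all users"
if (-not (Get-SafeLinksPolicy -ErrorAction SilentlyContinue |
          Where-Object { $_.EnableSafeLinksForEmail })) {
    New-SafeLinksPolicy -Name $slName `
        -EnableSafeLinksForEmail $true `
        -EnableSafeLinksForTeams $true `
        -EnableSafeLinksForOffice $true `
        -ScanUrls $true `
        -DeliverMessageAfterScan $true `
        -TrackClicks $true `
        -AllowClickThrough $false
    New-SafeLinksRule -Name $slName -SafeLinksPolicy $slName `
        -RecipientDomainIs $domain
}

# Report what is now in place so the result can be pasted into a change record.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action
Get-SafeLinksPolicy |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
```

`-AllowClickThrough $false` is the setting worth double-checking in an existing tenant: with click-through allowed, a user can still proceed to a page the scan has flagged, which undoes most of the protection.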

5. Set up OneDrive version history and recycle bin retention

OneDrive keeps version history by default, but the retention period and number of versions are often set to defaults that are too short to be useful in a ransomware scenario. If ransomware encrypts files synced to OneDrive, you need to be able to roll back to a clean version — and that requires enough version history to get past the encryption event.

In the SharePoint admin center, configure site collection storage to retain versions for at least 180 days and set the recycle bin to the maximum retention period. Also ensure the second-stage recycle bin is enabled so that deleted files have a second recovery window.

6. Enable and retain the unified audit log

The Microsoft 365 unified audit log records sign-ins, file access, email activity, admin changes, and much more. It’s invaluable for investigating a security incident, complying with a regulatory inquiry, or understanding what happened to a file that’s gone missing.

Audit logging is enabled by default in most tenants now, but the retention period depends on your license. Microsoft 365 Business plans retain audit logs for 180 days. If you need longer (and regulated industries usually do), you’ll need a Microsoft 365 E3 or E5 license, or you can export logs to an external SIEM. At minimum, verify that auditing is active and know how long your logs are retained.
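To make the "verify that auditing is active" step concrete, here is an added example (not from the original post or from Microsoft) that confirms unified audit log ingestion is on, enables it if not, and then runs a sample search for the mailbox changes an investigator most often needs to see after an account compromise: new or changed inbox rules and mailbox permission changes. It assumes the ExchangeOnlineManagement module; the 7-day window and the operation list are our choices.

```powershell
# Added example for section 6: confirm unified audit logging and run a sample query.
# Requires: Install-Module ExchangeOnlineManagement -Scope CurrentUser
# Assumption: the signed-in account can read the unified audit log.
Connect-ExchangeOnline

# 1. Is unified audit log ingestion enabled? Turn it on if it is not.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit logging was OFF and has been enabled; ingestion takes time to start."
} else {
    "Unified audit logging is enabled."
}

# 2. Sample search: inbox-rule and mailbox-permission changes in the last 7 days.
#    The operation names are the Exchange cmdlets as recorded in the log.
$ops = @("New-InboxRule", "Set-InboxRule", "Add-MailboxPermission",
         "Set-Mailbox", "Add-MailboxFolderPermission")
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) -RecordType ExchangeAdmin -Operations $ops `
    -ResultSize 1000

# 3. Flatten the JSON in the AuditData column into a readable table.
$results | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        Who       = $d.UserId
        Operation = $_.Operations
        Target    = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

If step 1 had to enable ingestion, nothing before that moment was recorded, which is exactly why the article says to check this before an incident. Exporting the flattened table on a schedule to your SIEM is the simplest way to get past the 180-day retention limit on Business plans.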

How long does this take vs. the cost of not doing it?

For an experienced IT administrator, configuring all six of these settings takes two to four hours. The cost of a single email account compromise — lost data, business disruption, legal exposure, notification costs — routinely runs into tens of thousands of dollars for small businesses. The math isn’t complicated.


Want us to audit your Microsoft 365 tenant? We offer a free M365 health check for Miami businesses — we’ll review your security settings and send you a written report showing exactly what’s configured, what’s missing, and what to fix first. Get in touch with SKALS IT to schedule yours.
