Microsoft 365 Security Basics For Small Businesses
Microsoft 365 security does not need to start with a complex project. Small businesses should first make core account, admin, device, sharing, and leaver controls visible.
Quick answer
Microsoft 365 security basics for small businesses include MFA, careful admin access, secure email and anti-phishing settings, controlled sharing, device and update visibility, leaver access removal, and regular review of users, groups, and privileged accounts.
Key takeaways
- MFA is important, but it does not replace access review or leaver processes.
- Admin accounts should be named, limited, and reviewed.
- Sharing, mailboxes, groups, and third-party app access need periodic checks.
Start with accounts and MFA
Microsoft highlights MFA as a key protection for business accounts because it can help prevent account takeover when a password is already known to someone else. For SMEs, the practical question is not only whether MFA is on, but whether users can complete setup and whether admin accounts are protected more strongly than standard user accounts.
Make sure the business knows who owns Microsoft 365 administration, how admin accounts are protected, and what happens if an admin is unavailable.
Baseline checklist
- Require MFA for users, with extra attention to admins and sensitive roles.
- Keep a small, named list of admin accounts and review it regularly.
- Review shared mailboxes, groups, forwarding rules, and external sharing.
- Check phishing, spam, and malware protections are understood and monitored.
- Review third-party apps connected to Microsoft 365 accounts.
- Keep devices and core applications updated.
- Use a documented joiner and leaver process.
- Keep recovery and emergency access arrangements documented.
What MFA does not solve
Old access
MFA does not decide whether an ex-employee, contractor, or old shared mailbox should still have access.
Excessive privileges
An account can have MFA and still have more admin access than it needs.
Data sharing
MFA helps protect sign-in, but it does not automatically clean up external file sharing or mailbox delegation.
Monthly review
| Area | What to check | Why it matters |
|---|---|---|
| Users | Active accounts, leavers, guests, contractors | Reduces stale access |
| Admins | Privileged roles and emergency access | Keeps powerful accounts controlled |
| Mail and files | Forwarding, shared mailboxes, external sharing | Keeps business data ownership visible |
| Devices | Update and management status where available | Supports security hygiene and troubleshooting |
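The review above can be turned into a repeatable report. The script below is an added example, not part of the original article or any Microsoft tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the signed-in account may read directory roles, users and mailboxes. It covers the Users, Admins and Mail rows of the table (devices depend on which management tooling the business has).

```powershell
# Added example: monthly Microsoft 365 access review. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules and a signed-in account with read access.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$report = [ordered]@{}

# Admins: every member of every activated directory role. Compare against the
# small, named admin list the business keeps; anything unexpected needs a reason.
$report.Admins = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role = $role.DisplayName
            Upn  = $m.AdditionalProperties['userPrincipalName']   # empty for groups/apps
            Name = $m.AdditionalProperties['displayName']
        }
    }
}

# Users: guest accounts (contractors, partners). Old guests are a common form of stale access.
$report.Guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property DisplayName,Mail,CreatedDateTime |
    Select-Object DisplayName, Mail, CreatedDateTime

# Mail: mailbox-level forwarding, whether set by an admin or by the user.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$report.MailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# Mail: inbox rules that forward or redirect messages. Review any rule nobody remembers creating;
# unexpected forwarding rules are a classic sign of a compromised mailbox.
$report.ForwardingRules = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mbx.UserPrincipalName}}, Name, Enabled, ForwardTo, RedirectTo
}

# Mail: shared mailboxes and who holds Full Access to them, so ownership stays visible.
$report.SharedMailboxAccess = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    ForEach-Object {
        $name = $_.UserPrincipalName
        Get-MailboxPermission -Identity $name |
            Where-Object { $_.User -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'FullAccess' } |
            Select-Object @{n='SharedMailbox';e={$name}}, User, AccessRights
    }

# One CSV per area, named by month, so the output can be kept as the review record.
$stamp = Get-Date -Format 'yyyy-MM'
foreach ($area in $report.Keys) {
    "{0}: {1} item(s)" -f $area, @($report[$area]).Count
    if ($report[$area]) { $report[$area] | Export-Csv -NoTypeInformation -Path "M365-review-$stamp-$area.csv" }
}
```

Run it under a dedicated admin account at the same point each month and file the CSVs with the sign-off; a diff against the previous month shows exactly what changed.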