Microsoft 365: 5 settings most companies skip
24 June 2026 · 6 min read
Microsoft 365 starts working the moment you buy the licenses, so most companies never open the admin center. The problem is that the defaults aren't tuned to be the safest for you — they're tuned to work for everyone. The five settings below are the ones most often skipped, and they're exactly what separates a company that's secure from one that only looks secure.
1. MFA on all accounts, not just admins
The biggest gap between "we have M365" and "we're secure" is right here. A username and password alone are no longer enough — a stolen password is a matter of time, not luck. Turn on multi-factor login for all accounts and, if you can, move to phishing-resistant methods. Admin accounts are priority number one, but an attacker is just as happy to come in through an ordinary user.
2. Conditional Access instead of "everyone, from anywhere"
By default, a user can log in from any device, any location, at any time. That's convenient, but risky. Basic policies worth setting:
- Require MFA when logging in from unknown devices or networks.
- Block or add extra verification for logins from countries where you don't operate.
- Restrict access to sensitive data to known, managed devices.
It doesn't have to be complicated — even a few basic rules dramatically shrink the attack surface.
3. Email protection above the default
The built-in filters catch obvious junk, but targeted phishing gets through. It's worth strengthening protection against fake links and attachments, turning on sender verification, and adding warnings for external mail. Add correctly configured SPF, DKIM and DMARC records for your domain; without them, your domain is easy to spoof and fraudulent mail goes out in your name.
4. Backup for Microsoft 365 (Microsoft doesn't do it for you)
A common and expensive misconception: "the data is in the cloud, so it's safe." Microsoft guarantees the availability of its service, but it doesn't protect your data from yourself — a deleted email, encrypted SharePoint, or a departed employee can take data permanently once a short retention window passes. An independent backup for M365 (email, OneDrive, SharePoint, Teams) is the company's responsibility, not the provider's.
5. Audit trail and sharing control
Two quiet settings that get discovered too late:
- Enable and retain the audit log so that, if something happens, you have anything at all to look at.
- Review the default sharing rules in OneDrive and SharePoint — "anyone with the link" is often on, which means a sensitive document can leak through a single forwarded link.
This isn't glamorous, but it's the difference between "we know what happened" and "we have no idea."
Where to start
You don't have to do everything at once. The order that gives the most protection: MFA everywhere first, then M365 backup, then basic access policies, then email protection, and finally auditing and sharing. Most of this is included in the licenses you're probably already paying for — it just isn't on by default.
Microsoft 365 is a powerful tool that runs without you. But "runs" and "protects you" aren't the same thing. These five settings cost mostly time, and they give back exactly what made you move to the cloud in the first place — data and access that are secure, not just available.