Microsoft 365 is often the center of a small business: email, files, calendars, Teams, identity, and access to other apps. That makes it one of the first places to harden.
Start with identity
Require MFA for every user, then apply extra scrutiny to administrators. Admin accounts should be named, limited, and used only when needed. Avoid shared administrator accounts whenever possible.
Review mailbox rules and forwarding
Attackers often create forwarding rules after mailbox compromise. Review external forwarding, suspicious inbox rules, delegated mailbox access, and sign-in activity for unusual patterns.
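The review above can be scripted. The following is an added example, not from the original page, written against the Exchange Online PowerShell module (ExchangeOnlineManagement); it assumes you hold a role that can read mailbox and rule settings and it only reports, changing nothing. The address format matched by the regex (`[SMTP:user@domain]` for external recipients) and the per-mailbox loop are assumptions about how the cmdlets return data.

```powershell
# Added example (not from the original page): audit mailbox forwarding and inbox
# rules in Exchange Online. Read-only: it reports, it does not modify anything.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-level control: is automatic forwarding to external domains allowed at all?
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode, IsDefault | Format-Table -AutoSize

# Domains the tenant owns; any other domain counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalAddress {
    param([string]$Address)
    # Rule recipients look like '"Name" [SMTP:user@domain]' for SMTP targets and
    # '[EX:/o=...]' for internal directory objects (assumed format); treat non-SMTP as internal.
    if ($Address -notmatch 'SMTP:([^\]]+)') { return $false }
    $domain = ($Matches[1] -split '@')[-1]
    return $internalDomains -notcontains $domain
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# 2. Mailbox-level forwarding (set by an admin, or by an attacker with admin access).
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. User-level inbox rules that forward or redirect externally, or silently delete mail.
$findings = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) |
                    Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalAddress $_ }
        if ($external -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = ($external -join '; ')
                Deletes  = $rule.DeleteMessage
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize
```

Step 3 calls Get-InboxRule once per mailbox, so it is slow on large tenants; run it during a scheduled review rather than interactively, and treat any external target or delete rule the user cannot explain as a reason to check that mailbox's sign-in history.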
Control file sharing
Check whether anyone can create anonymous links, whether sensitive folders are overshared, and whether former employees still have access to SharePoint or OneDrive content.
Protect devices
Decide which devices can access company mail and files. At minimum, require screen locks, supported operating systems, encryption where practical, and a process for lost or replaced devices.
Do not confuse sync with backup
OneDrive and SharePoint sync are not the same as an independent backup. Decide how long deleted or encrypted files can be recovered and how a restore would work during a ransomware event.
Document ownership
Microsoft 365 security is not a one-time setup. Assign ownership for new users, terminated users, license changes, admin reviews, mailbox investigations, and backup checks.
Baseline checklist
- MFA enabled for all users and enforced for admins.
- Admin roles reviewed and limited.
- External forwarding and suspicious mailbox rules reviewed.
- Guest and external sharing settings documented.
- Device access expectations defined.
- Independent backup and restore expectations confirmed.
