Most North Carolina businesses using Microsoft 365 have critical security settings left at default, leaving them vulnerable to account takeover, data theft, and business email compromise. According to Verizon's 2025 DBIR, 82% of breaches involve identity compromise, yet nearly 60% of enterprises lack basic identity hygiene like enforcing MFA.
Key takeaway: Microsoft 365 is a powerful productivity platform, but its default configuration prioritizes ease-of-use over security. According to CoreView's M365 security research, 51% of organizations have more than 250 applications with dangerous read-write permissions in their Microsoft Entra tenant - representing thousands of unmonitored access points.
Need help securing your Microsoft 365 tenant? Preferred Data Corporation configures and manages Microsoft 365 security for North Carolina businesses. BBB A+ rated since 1987. Call (336) 886-3282 or schedule a security review.
Why Default M365 Settings Are Not Enough
Microsoft 365 is the most targeted cloud platform for business attacks because of its ubiquity. When attackers compromise a single M365 account, they gain access to email, files (OneDrive/SharePoint), Teams conversations, and potentially your entire organization's data.
Default settings allow:
- Sign-in from any location or device without additional verification
- Unlimited external sharing of files and folders
- No visibility into admin activities or login anomalies
- Legacy authentication protocols that bypass MFA
- Unchecked third-party app permissions
The following 10 settings address the most exploited weaknesses in business M365 tenants.
Setting 1: Enforce Multi-Factor Authentication (MFA)
Risk level if not enabled: Critical
MFA is the single most impactful security control. According to Microsoft's own research, MFA prevents 99.9% of automated account compromise attacks.
How to implement:
- Navigate to Microsoft Entra admin center (entra.microsoft.com)
- Go to Protection, then Authentication methods
- Enable Security defaults (basic) or Conditional Access policies (advanced)
- Require MFA for all users, especially administrators
- Block legacy authentication protocols (they bypass MFA)
Priority actions:
- Enable for all admin accounts immediately
- Roll out to all users within 30 days
- Use Microsoft Authenticator app (more secure than SMS)
- Block legacy authentication (IMAP, POP3, SMTP) in Conditional Access
Key takeaway: According to CISA's Microsoft 365 security advisory, disabling legacy authentication and enforcing MFA are the two most critical actions organizations can take to secure their M365 environment.
Setting 2: Configure Conditional Access Policies
Risk level if not enabled: High
Conditional Access provides context-aware security decisions. Rather than simply requiring MFA everywhere, it evaluates risk signals (location, device health, user behavior) to make intelligent access decisions.
Essential policies for NC businesses:
- Block legacy authentication: Prevents bypass of MFA via outdated protocols
- Require MFA for admin roles: All global, Exchange, and SharePoint admins
- Block sign-ins from high-risk locations: Countries where you have no business
- Require compliant devices: Only allow managed, updated devices for sensitive access
- Block risky sign-ins: Leverage Microsoft's threat intelligence to block anomalous logins
Implementation tip: Start in "Report Only" mode for 2 weeks to assess impact before enforcing policies. This prevents accidentally locking out users.
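The "block legacy authentication" policy from Settings 1 and 2, created in report-only mode first as the tip above recommends. This is an added example written for this page with the Microsoft Graph PowerShell SDK, not code from the original article; the break-glass account ID is a placeholder you must replace.

```powershell
# Added example (not from the original article): create the Conditional
# Access policy that blocks legacy authentication, starting in report-only
# mode so its impact shows up in sign-in logs without locking anyone out.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# account holds a role allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "CA001 - Block legacy authentication (report-only)"
    # Evaluated and logged, but not enforced. Change to "enabled" after the
    # two-week review period once no legitimate clients are affected.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            # Placeholder: always exclude at least one emergency-access
            # (break-glass) account from a blocking policy.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{ includeApplications = @("All") }
        # "other" covers IMAP, POP3, SMTP AUTH and older Office clients that
        # cannot do modern auth; "exchangeActiveSync" covers basic-auth EAS.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Verify: list every policy still sitting in report-only mode, so none is
# forgotten after the assessment window.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object State -eq "enabledForReportingButNotEnforced" |
    Select-Object DisplayName, Id
```

Review the "Report-only" results in the Entra sign-in logs before flipping the state to "enabled".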
Setting 3: Enable Unified Audit Logging
Risk level if not enabled: High
Without audit logging, you cannot detect or investigate security incidents. Many NC businesses discover breaches months later because no logs existed to trigger alerts.
How to enable:
- Go to Microsoft Purview compliance portal
- Navigate to Audit
- Enable audit logging (may already be on for newer tenants)
- Set log retention to maximum (90 days default, 365 with E5)
What to monitor:
- Admin role changes
- Mailbox forwarding rules (common BEC indicator)
- External file sharing
- Failed login attempts
- eDiscovery searches
- Permission changes on SharePoint/OneDrive
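A detection query for the mailbox-forwarding indicator listed above, run against the unified audit log with Exchange Online PowerShell. This is an added example written for this page, not the article's own procedure; it assumes the ExchangeOnlineManagement module and an account holding the View-Only Audit Logs (or Audit Logs) role.

```powershell
# Added example (not from the original article): hunt the unified audit log
# for inbox rules or mailbox settings that forward, redirect or silently
# delete mail, the classic business email compromise persistence step.
# Assumes the ExchangeOnlineManagement module is installed and audit logging
# (Setting 3) has been on long enough to cover the search window.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-30)
$end   = Get-Date

# ResultSize caps at 5000; add -SessionCommand ReturnLargeSet for larger tenants.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations "New-InboxRule", "Set-InboxRule", "Set-Mailbox" `
    -ResultSize 5000

# Parameters that mean mail is leaving the mailbox or being hidden from the user.
$suspicious = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
              "ForwardingSmtpAddress", "ForwardingAddress", "DeleteMessage"

$findings = foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    # Skip parameters that are empty or explicitly "False" (e.g. clearing forwarding).
    $hits = $data.Parameters | Where-Object {
        $_.Name -in $suspicious -and $_.Value -and $_.Value -ne "False"
    }
    if ($hits) {
        [pscustomobject]@{
            When      = $data.CreationTime
            Actor     = $data.UserId
            Operation = $data.Operation
            ClientIP  = $data.ClientIP
            Details   = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        }
    }
}
$findings | Sort-Object When -Descending | Format-Table -AutoSize

# Independent check that does not rely on the log: mailbox-level forwarding
# currently in effect, which survives deletion of the inbox rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward
```

Any hit whose ClientIP is unfamiliar or whose forwarding target is an external domain warrants an immediate look at that user's sign-in history.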
Setting 4: Configure Anti-Phishing Policies
Risk level if not enabled: High
Default Exchange Online Protection (EOP) blocks known spam and malware, but sophisticated phishing requires advanced configuration. According to Microsoft Learn's security recommendations, organizations should configure strict anti-phishing policies.
Key configurations:
- Impersonation protection: Flag emails impersonating executives and partners
- Mailbox intelligence: Learn communication patterns to detect anomalies
- Spoof intelligence: Block domains attempting to impersonate your organization
- First contact safety tips: Warn users when they receive email from a new sender
- Quarantine policies: Route suspected phishing to quarantine, not junk folder
For NC manufacturers and construction companies: Configure impersonation protection for your C-suite, finance team, and key vendors. Business Email Compromise (BEC) attacks often impersonate executives requesting wire transfers.
Setting 5: Control External Sharing
Risk level if not enabled: Medium-High
Default SharePoint and OneDrive settings allow users to share files with anyone using anonymous links. This creates data exposure risks and compliance violations.
Recommended settings:
- SharePoint external sharing: Set to "Existing guests" or "New and existing guests" (not "Anyone")
- Disable anonymous links: Require recipients to authenticate
- Set link expiration: External sharing links expire after 7-30 days
- Restrict sharing by domain: Allow sharing only with approved partner domains
- Require re-authentication: External users must verify identity periodically
For CMMC-bound defense contractors in North Carolina: External sharing of CUI-containing documents must be restricted to approved channels. Consider disabling external sharing entirely for sensitive document libraries.
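The tenant-level sharing settings recommended above, applied with the SharePoint Online Management Shell. This is an added example written for this page rather than the article's own steps; "contoso" and "partner.example" are placeholders for your tenant name and an approved partner domain.

```powershell
# Added example (not from the original article): apply the external-sharing
# controls from Setting 5 at the tenant level, then lock down a sensitive
# library entirely as suggested for CUI. Assumes the Microsoft.Online.SharePoint.PowerShell
# module is installed and the account is a SharePoint Administrator.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record current values first so the change can be reviewed or rolled back.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode,
    SharingAllowedDomainList

# "Existing guests" only. ExternalUserSharingOnly corresponds to "New and
# existing guests"; ExternalUserAndGuestSharing is the "Anyone" default the
# article warns against; Disabled turns external sharing off.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# New sharing links default to people inside the organization, so a user has
# to deliberately choose a broader link.
Set-SPOTenant -DefaultSharingLinkType Internal

# If anonymous links are ever re-enabled, force them to expire within 30 days.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

# Restrict guest sharing to approved partner domains (space-separated list).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# Site-level override for a library holding controlled information:
# disable external sharing on that site regardless of the tenant setting.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/cui-projects" `
            -SharingCapability Disabled

# Verify the end state.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode,
    SharingAllowedDomainList
```

A site's sharing setting can only be as permissive as the tenant's, so tightening the tenant first and then relaxing individual partner sites is the safer order.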
Setting 6: Enable Data Loss Prevention (DLP)
Risk level if not enabled: Medium-High
DLP policies prevent sensitive data from leaving your organization via email, Teams, or file sharing. This is critical for NC businesses handling financial data, employee records, or controlled information.
Key DLP policies to create:
- Financial data: Block external sharing of credit card numbers, bank accounts
- Personal information: Alert on SSNs, driver's license numbers leaving the org
- Health information: Prevent HIPAA-protected data from being shared externally
- Confidential markings: Block documents marked "Confidential" from external sharing
Implementation approach:
- Start with policies in "Test" mode (detection only, no blocking)
- Review alerts for false positives over 2-4 weeks
- Tune policies to reduce noise
- Switch to "Enforce" mode with user notifications
Setting 7: Configure Safe Attachments and Safe Links
Risk level if not enabled: Medium-High
Safe Attachments opens email attachments in a virtual sandbox to detect malicious payloads. Safe Links rewrites URLs to check them at time-of-click (not just when the email arrives).
Configuration recommendations per Microsoft's security guidelines:
- Safe Attachments: Enable for Exchange, SharePoint, OneDrive, and Teams
- Dynamic delivery: Deliver emails immediately while scanning attachments
- Safe Links: Enable for all users
- Track user clicks: Monitor who clicks on flagged URLs
- Do not allow click-through: Block access to confirmed malicious URLs
Note: These features require Microsoft 365 Business Premium or Microsoft Defender for Office 365. For NC businesses on Business Basic or Standard, consider upgrading key users (finance, executives) to Premium licenses.
Setting 8: Manage Third-Party App Permissions
Risk level if not enabled: Medium
Users can grant third-party applications access to your M365 data through OAuth consent. According to CoreView's research, the average enterprise has hundreds of apps with excessive permissions.
Recommended controls:
- Restrict user consent: Require admin approval for new app permissions
- Review existing consents: Audit which apps have access and revoke unnecessary ones
- Block risky permissions: Prevent apps requesting mail read/write or full directory access
- Create an allowed list: Pre-approve common business apps (Zoom, Adobe, etc.)
How to configure:
- Go to Microsoft Entra, then Enterprise Applications
- Under Consent and permissions, set "Users can consent to apps" to "No"
- Configure the admin consent workflow for user requests
- Review existing granted permissions and revoke unused apps
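A review script for the "audit which apps have access" step, flagging delegated OAuth grants that carry the high-impact scopes this section warns about. This is an added example written for this page with the Microsoft Graph PowerShell SDK, not the article's own tooling; the list of scopes treated as risky is an assumption you should adjust to your tenant.

```powershell
# Added example (not from the original article): enumerate existing OAuth2
# delegated permission grants and report apps holding mailbox or directory
# write access. Assumes the Microsoft Graph PowerShell SDK and a Global
# Reader (or higher) role; revoking requires DelegatedPermissionGrant.ReadWrite.All.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Assumed set of scopes worth a second look; extend to suit your tenant.
$risky = "Mail.ReadWrite", "Mail.Read", "Mail.Send", "MailboxSettings.ReadWrite",
         "Directory.ReadWrite.All", "Directory.AccessAsUser.All", "Files.ReadWrite.All"

# Cache service principals so each grant resolves to a readable app name.
$spNames = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spNames[$_.Id] = $_.DisplayName }

$report = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant  = $_
    $scopes = $grant.Scope -split " " | Where-Object { $_ }
    $hits   = $scopes | Where-Object { $_ -in $risky }
    if ($hits) {
        [pscustomobject]@{
            App         = $spNames[$grant.ClientId]
            ClientId    = $grant.ClientId
            # AllPrincipals = admin consented for every user; Principal = one user consented
            ConsentType = $grant.ConsentType
            GrantedFor  = if ($grant.PrincipalId) { $grant.PrincipalId } else { "all users" }
            RiskyScopes = $hits -join ", "
            GrantId     = $grant.Id
        }
    }
}
$report | Sort-Object App | Format-Table -AutoSize

# After review, a grant judged unnecessary can be revoked by its GrantId:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

Application (app-only) permissions are granted as app role assignments rather than OAuth2 grants, so review those separately with Get-MgServicePrincipalAppRoleAssignment.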
Setting 9: Implement Mobile Device Management (MDM)
Risk level if not enabled: Medium
Employees accessing M365 from personal phones and tablets create data leakage risks. Basic MDM is included with Microsoft 365 Business plans.
Minimum MDM policies:
- Require device PIN/biometric: Prevent unauthorized access to lost devices
- Block access from jailbroken devices: Compromised devices cannot access data
- Remote wipe capability: Erase corporate data from lost/stolen devices
- App protection policies: Prevent copy/paste from M365 apps to personal apps
- Encryption requirement: Ensure devices encrypt stored data
For NC manufacturing and construction companies with field workers and shared devices: Consider Microsoft Intune for more granular control, including kiosk mode for shared tablets and conditional access based on device compliance.
Setting 10: Enable Privileged Identity Management (PIM)
Risk level if not enabled: Medium
Permanent admin access is a high-value target. According to Blumira's 2026 M365 security guide, organizations that deploy PIM experience 64% fewer security incidents.
How PIM works:
- Admin roles are assigned as "eligible" rather than permanent
- Users must "activate" their admin role when needed
- Activation requires MFA and justification
- Access expires after a set period (1-8 hours)
- All activations are logged and auditable
Priority roles for PIM:
- Global Administrator
- Exchange Administrator
- SharePoint Administrator
- Security Administrator
- User Administrator
Note: PIM requires Microsoft Entra ID P2 or Microsoft 365 E5 licensing. For smaller NC businesses, at minimum ensure admin accounts are separate from daily-use accounts and protected with strong MFA.
Microsoft Baseline Security Mode (New in 2026)
Microsoft announced the general availability of Baseline Security Mode in December 2025, rolling out to commercial tenants through January 2026.
Baseline Security Mode is a collection of Microsoft-recommended security configurations that can be managed from the Microsoft 365 admin center. It provides a starting point for organizations that have not yet configured individual security settings.
What it includes:
- Recommended authentication policies
- Standard email protection settings
- Default sharing configurations
- Basic compliance settings
Limitation: BSM provides a foundation but does not replace the need for customized security policies based on your specific industry, size, and risk profile.
Learn about Preferred Data's cloud security services
Implementation Priority for NC Small Businesses
If you are tackling these 10 settings from scratch, here is the recommended order:
Week 1 (Critical):
1. Enable MFA for all admin accounts
2. Block legacy authentication
3. Enable audit logging
Week 2 (High Priority):
4. Configure anti-phishing policies
5. Set up Conditional Access basics
6. Control external sharing settings
Week 3 (Important):
7. Enable Safe Attachments and Safe Links
8. Restrict third-party app consent
9. Deploy basic MDM policies
Week 4 (Maturation):
10. Implement DLP policies
11. Configure PIM (if licensed)
12. Set up monitoring alerts
Key takeaway: According to Microsoft's M365 security documentation, the top three actions - enforcing MFA, blocking legacy auth, and training users - prevent the vast majority of identity-based attacks. Start there and build outward.
Licensing Considerations
Not all security features are available on all M365 plans:
| Feature | Business Basic | Business Standard | Business Premium | E3/E5 |
|---|---|---|---|---|
| MFA | Yes | Yes | Yes | Yes |
| Conditional Access | Limited | Limited | Yes | Yes |
| Safe Attachments/Links | No | No | Yes | Yes (E5) |
| DLP | No | No | Yes | Yes |
| PIM | No | No | No | E5/P2 |
| Intune MDM | Basic | Basic | Full | Full |
For most NC small businesses, Microsoft 365 Business Premium offers the best security value. At approximately $22/user/month, it includes Defender for Office 365, Intune, Conditional Access, and DLP.
Get Professional Help
Configuring Microsoft 365 security properly requires understanding your business context, compliance requirements, and user workflows. A misconfigured Conditional Access policy can lock out your entire workforce. An overly aggressive DLP policy can block legitimate business communications.
Preferred Data Corporation has configured and managed Microsoft 365 environments for North Carolina businesses since Microsoft's cloud platform launched. Our team understands the unique needs of manufacturing, construction, and professional services companies across the Piedmont Triad, Charlotte, Greensboro, and Raleigh areas.
Start with a free M365 security review:
- Call (336) 886-3282
- Visit pdcsoftware.com/contact
- Email [email protected]
Frequently Asked Questions
Is Microsoft 365 secure by default?
No. Microsoft 365's default configuration prioritizes ease of use over security. Critical settings like MFA enforcement, legacy authentication blocking, external sharing controls, and advanced threat protection must be manually configured. Most breaches involving M365 exploit default settings.
Which Microsoft 365 plan do I need for good security?
Microsoft 365 Business Premium ($22/user/month) provides the best security-to-cost ratio for small businesses. It includes Defender for Office 365, Conditional Access, Intune device management, and DLP - features not available in Basic or Standard plans.
How long does it take to properly secure Microsoft 365?
A thorough M365 security configuration takes 2-4 weeks when done properly, with a phased rollout to avoid disrupting users. This includes assessment, policy design, testing in report-only mode, and gradual enforcement. Ongoing monitoring and tuning continues indefinitely.
Can I configure M365 security myself, or do I need help?
While individual settings can be enabled by any admin, properly designing and implementing security policies requires understanding of identity management, email flow, compliance requirements, and user impact. Misconfigured policies can lock out users or create security gaps. Professional configuration is recommended.
Does M365 security meet CMMC requirements?
Microsoft 365 can support CMMC compliance, but not on commercial plans. Defense contractors handling CUI need Microsoft 365 GCC High, which meets FedRAMP High authorization requirements. Standard commercial M365, even with all security settings enabled, does not meet CMMC Level 2 requirements for CUI storage.