Microsoft 365 ships with strong defaults, but your tenant is only as safe as the identity hygiene, admin discipline, and monitoring you actually turn on. This baseline targets SMEs moving off consumer tools and weak passwords.
Priority 1 — Identity
| Control | Why |
|---|---|
| MFA for everyone | Stops most password-spray and phishing reuse |
| No daily admin work in Global Administrator accounts | Limits blast radius |
| Block legacy authentication | Closes POP/IMAP/basic auth holes |
| Named locations & risk policies | Optional step-up for unusual sign-ins |
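The "block legacy authentication" row is usually implemented as a Conditional Access policy. The snippet below is an added example (not from the original article) that creates such a policy in report-only mode with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess scope, and that you replace the placeholder break-glass object ID with your own emergency-access account.

```powershell
# Added example: report-only Conditional Access policy that blocks legacy-auth clients.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Block legacy authentication (report-only)"
    # Report-only first: review the sign-in log for what would have been blocked,
    # then change the state to "enabled" once no business-critical client depends on basic auth.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Placeholder: always exclude at least one emergency-access (break-glass) account.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" are the client types that cannot do modern auth
        # (POP, IMAP, SMTP AUTH, older Office clients); browsers and modern clients are untouched.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode for a week or two and check the sign-in log's report-only results before enforcing; a scanner or line-of-business app still using basic auth will show up there rather than breaking in production.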
Priority 2 — Email and collaboration
- Enable anti-phishing policies (Defender for Office 365 on eligible plans).
- Train users to use the report-phishing button rather than forwarding suspicious mail.
- Restrict mailbox forwarding to external addresses unless required.
- Review Teams guest and SharePoint external sharing defaults.
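Restricting external mailbox forwarding is a two-step job: switch off automatic forwarding tenant-wide, then audit the forwarding that is already in place so legitimate exceptions can be re-approved. The following is an added example (not the article's own code) using Exchange Online PowerShell; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role.

```powershell
# Added example: block automatic external forwarding and list existing forwarding for review.
# Assumes the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

# Turn off automatic forwarding to external recipients for the default outbound spam policy.
# This covers SMTP forwarding, inbox rules and Outlook client rules that forward outside the tenant.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Mailboxes with mailbox-level forwarding configured (SMTP forwarding or forwarding to a recipient).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward, forward as attachment, or redirect mail; attackers commonly plant these
# after a phishing compromise, so anything unexpected here deserves an incident-response look.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.PrimarySmtpAddress |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } }, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Run the two audit queries on a schedule as well as once: a forwarding rule appearing on a mailbox after the baseline was set is one of the cheapest signals of a compromised account you can get.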
Priority 3 — Devices and data
- Enroll laptops and phones in Intune when your plan includes it (Business Premium or Enterprise).
- Use BitLocker or FileVault via policy on managed PCs.
- Apply sensitivity labels when you handle personal data or contracts.
Priority 4 — Monitoring
- Forward unified audit log to a SIEM or partner monitoring if required by customers.
- Alert on impossible travel and mass download patterns.
- Review admin role assignments quarterly.
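Even without a SIEM, the unified audit log can be queried directly for the mass-download pattern mentioned above. This is an added example (not code from the article) that runs a sliding-window count of FileDownloaded events per user; the audit records in it are constructed to mimic the AuditData JSON that Search-UnifiedAuditLog returns, so the script runs offline. In a real tenant you would replace `$records` with the AuditData field of live results. Impossible-travel detection is left out because it needs IP geolocation, which Entra ID Protection and Defender for Cloud Apps already provide as built-in detections.

```powershell
# Added example: flag users with an unusual burst of SharePoint/OneDrive downloads.
# Live data would come from, for example:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-24) -EndDate (Get-Date) `
#       -Operations FileDownloaded -ResultSize 5000 | Select-Object -ExpandProperty AuditData

function Find-MassDownload {
    param(
        [string[]]$AuditData,          # array of AuditData JSON strings
        [int]$Threshold = 50,          # downloads within the window that trigger an alert
        [int]$WindowMinutes = 10
    )
    $events = $AuditData | ForEach-Object { $_ | ConvertFrom-Json } |
        Where-Object { $_.Operation -eq 'FileDownloaded' }

    foreach ($group in ($events | Group-Object UserId)) {
        $times = @($group.Group | ForEach-Object { [datetime]$_.CreationTime } | Sort-Object)
        # Sliding window: from each event, count downloads in the next WindowMinutes.
        for ($i = 0; $i -lt $times.Count; $i++) {
            $end   = $times[$i].AddMinutes($WindowMinutes)
            $count = @($times | Where-Object { $_ -ge $times[$i] -and $_ -lt $end }).Count
            if ($count -ge $Threshold) {
                [pscustomobject]@{ UserId = $group.Name; WindowStart = $times[$i]; Downloads = $count }
                break   # one alert per user is enough; the analyst pulls the full record set
            }
        }
    }
}

# Constructed sample records (not real tenant data).
$records = @()
$base = Get-Date '2024-05-01T09:00:00'
# alice pulls 60 files in five minutes: the pattern a departing employee or a hijacked token produces.
for ($n = 0; $n -lt 60; $n++) {
    $t = $base.AddSeconds($n * 5).ToString('s')
    $records += "{""CreationTime"":""$t"",""Operation"":""FileDownloaded"",""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.10"",""ObjectId"":""https://contoso.example/sites/hr/doc${n}.docx""}"
}
# bob downloads three files across an hour: normal working behaviour.
foreach ($m in 0, 25, 55) {
    $t = $base.AddMinutes($m).ToString('s')
    $records += "{""CreationTime"":""$t"",""Operation"":""FileDownloaded"",""UserId"":""bob@example.com"",""ClientIP"":""198.51.100.7"",""ObjectId"":""https://contoso.example/sites/sales/deck${m}.pptx""}"
}

# Only alice should be reported: 60 downloads inside a 10-minute window.
Find-MassDownload -AuditData $records -Threshold 50 -WindowMinutes 10 | Format-Table
```

Tune the threshold per tenant: a design studio moving large project folders will have a higher normal baseline than an accounting firm, and the alert should fire on deviation from that baseline rather than on an absolute number copied from a blog post.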
What Defender adds
Higher plans add Microsoft Defender for Office 365, Defender for Endpoint, and advanced hunting. A 30-person firm might start with MFA and anti-phish; a regulated supplier may need E5-class tooling.
Partner baseline packs
CSP partners often deploy starter conditional access and branding. For a checklist tied to your SKU, see M365 Deals or contact.