Most small businesses turn on Microsoft 365, set a password policy, maybe add MFA for a few admins, and then move on. Work gets done, email flows, Teams meetings happen, files land in SharePoint. It feels “secured.”
The trouble is that Microsoft 365 rewards follow-through. The biggest risks for SMBs are rarely exotic zero-days. They are the quiet gaps between defaults and a real security baseline: a legacy protocol left on for “one old scanner,” an admin account using push-based MFA, anonymous sharing links that never expire, a Teams Room account that can access files.
What a “security baseline” means for an SMB
A baseline is the minimum set of controls you can count on being present everywhere: identities, endpoints, email, and data. It is not a one-time project. It is the standard you return to after growth, staff changes, acquisitions, or a busy quarter that pushes IT hygiene to the bottom of the list.
Microsoft gives you multiple ways to anchor that baseline, including Secure Score, security defaults, Conditional Access, and (where available) baseline-driven settings across Microsoft 365 workloads. The point is consistency: fewer exceptions, fewer surprises, fewer paths attackers can use.
After you read the list below, you may recognize a pattern: the settings most SMBs miss are the ones that require one extra decision.
You can sanity-check your tenant with a few quick signals:
- Password spray alerts that mention IMAP or SMTP
- “Anyone with the link” sharing that’s older than 30 days
- Room or resource accounts that look like regular users
- Admin roles assigned “just in case”
- Users completing MFA registration only when prompted during an incident
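The five signals above can be pulled from a tenant in one sitting. The script below is an added example, not part of the original article; it assumes the Microsoft.Graph and ExchangeOnlineManagement PowerShell modules are installed and that the signed-in admin can read sign-in logs, registration reports, directory roles and mailboxes. The "Anyone link" signal is a SharePoint tenant setting and is not covered here.

```powershell
# Added example (not from the original article): pull four of the quick
# tenant signals from live data. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules and an admin who can read sign-in logs,
# the registration report, directory roles and mailboxes.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Signal 1: sign-ins over legacy protocols in the last 7 days. Every hit is a
# client that keeps working on password alone for as long as basic auth stays on.
$legacyApps = @('IMAP4', 'POP3', 'Authenticated SMTP', 'Exchange ActiveSync',
                'Exchange Web Services', 'Other clients')
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacySignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyApps }
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Signal 2: resource accounts that can sign in like a person. A room mailbox
# whose Entra account is enabled should be a known Teams Rooms device with its
# own Conditional Access policy; anything else is an unmonitored shadow user.
Get-Mailbox -RecipientTypeDetails RoomMailbox, EquipmentMailbox -ResultSize Unlimited |
    ForEach-Object {
        $user = Get-MgUser -UserId $_.UserPrincipalName -Property AccountEnabled, UserPrincipalName
        [pscustomobject]@{
            Account   = $_.UserPrincipalName
            Type      = $_.RecipientTypeDetails
            CanSignIn = $user.AccountEnabled
        }
    } | Where-Object CanSignIn | Format-Table -AutoSize

# Signal 3: who actually holds admin roles. Roles assigned "just in case" show
# up as members nobody can explain; groups and service principals appear blank.
Get-MgDirectoryRole | ForEach-Object {
    $role = $_
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All | ForEach-Object {
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $_.AdditionalProperties['userPrincipalName']
        }
    }
} | Sort-Object Role | Format-Table -AutoSize

# Signal 4: users with no MFA method registered yet. These are the people who
# will see the registration prompt for the first time in the middle of an incident.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaCapable, IsAdmin |
    Format-Table -AutoSize
```

Run it before touching any setting and keep the output: the legacy sign-in list tells you which "one old scanner" accounts need a migration path before you block basic auth, and the unregistered-MFA list is the pilot group for the enforcement rollout.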
The 15 Microsoft 365 baseline settings that get overlooked
The table is intentionally practical. It focuses on what to set, where it usually lives, and why it slips through.
| # | Setting | What it does | Where you typically configure it | Why SMBs miss it |
|---|---|---|---|---|
| 1 | Phishing-resistant MFA for admins | Requires FIDO2 or certificate-based MFA for privileged roles | Entra ID Conditional Access and Authentication Methods | “MFA is on” feels like the finish line |
| 2 | Block legacy authentication | Stops POP/IMAP/EWS/SMTP basic auth sign-ins that bypass MFA | Entra ID Conditional Access, Exchange auth settings | Old clients and devices “still work,” so it stays |
| 3 | Ancient Office formats in Protected View (no editing) | Forces high-risk legacy file types into read-only mode | Microsoft 365 security baseline settings / Office policy | Few teams audit file-type attack paths |
| 4 | Old Office formats in Protected View (prompt before editing) | Adds friction before editing older formats | Office policy / baseline settings | Hidden in policy tooling, not day-to-day admin |
| 5 | Block ActiveX in Office | Prevents a long-lived document exploit route | Office policy / baseline settings | Feels irrelevant until it is not |
| 6 | Prevent Teams resource accounts from file access | Stops room accounts from accessing SharePoint/OneDrive | Baseline settings / account configuration | Resource accounts get treated like people |
| 7 | Require compliant devices for Teams Rooms sign-in | Ensures room devices are managed and meet standards | Intune compliance + Conditional Access | Specialty devices get skipped in MDM rollouts |
| 8 | Block Teams resource accounts from Microsoft 365 client sign-in | Prevents room creds from being used in Outlook/Teams desktop | Conditional Access / sign-in restrictions | “It’s just a room account” logic |
| 9 | Enforce MFA for all users | Removes password-only access as a normal state | Security defaults or Conditional Access | Concern about user friction |
| 10 | Go beyond defaults with Conditional Access | Adds device, location, and risk-based controls | Entra ID Conditional Access | Perceived complexity, fear of lockouts |
| 11 | Least privilege and separate admin accounts | Reduces blast radius of any one compromise | Entra roles + PIM (if licensed) | Convenience wins, roles accumulate |
| 12 | Disable “Anyone” links (or force expiration) | Reduces anonymous sharing exposure | SharePoint admin center + OneDrive settings | “Anyone links” are fast and sticky |
| 13 | Turn on DLP policies | Detects and blocks risky sharing of regulated data | Microsoft Purview compliance portal | Licensing uncertainty and tuning effort |
| 14 | Configure Purview Message Encryption | Applies encryption rules for sensitive outbound email | Purview + Exchange mail flow rules | TLS is mistaken for end-to-end protection |
| 15 | Enable Safe Links and Safe Attachments | Rewrites URLs and detonates attachments in a sandbox | Microsoft Defender for Office 365 | Licensed but not configured, or left at defaults |
Identity comes first because it sets the ceiling on everything else
If you only fix one area this quarter, fix identity. Microsoft 365 is identity-driven. Once an attacker owns an account, they can use “normal” features to do abnormal things: OAuth consent tricks, inbox rules, SharePoint downloads, Teams chat lures, internal phishing, and admin privilege escalation.
A baseline identity posture for most SMBs centers on these themes:
- Admin sign-ins: Use phishing-resistant MFA for privileged roles, keep separate admin accounts, and protect break-glass accounts with strong controls and monitoring.
- User sign-ins: Enforce MFA for every user, then add Conditional Access that requires compliant devices for access to sensitive workloads.
- Legacy auth: Remove it aggressively. It is a repeat offender in password spray campaigns because it often bypasses MFA and other modern controls.
A useful mindset is “make the safe path the easy path.” If the baseline is clear, exceptions become obvious, time-boxed, and measurable.
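The legacy-auth theme is the one most often left half-done, so here is the full change as an added example (not the article's own code). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, a Conditional Access Administrator role or higher, and an existing break-glass exclusion group; the group name is a placeholder. The Conditional Access policy starts in report-only mode so the sign-in log shows what it would have blocked before anything is enforced.

```powershell
# Added example (not from the original article): block legacy authentication
# with a report-only Conditional Access policy plus an Exchange Online
# authentication policy that refuses basic auth regardless of client.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules and a
# Conditional Access Administrator (or higher) role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# Exclude the emergency-access accounts so a mistake here cannot lock out every admin.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"   # placeholder group name
if (-not $breakGlass) { throw "Create the break-glass exclusion group before deploying this policy." }

# "exchangeActiveSync" and "other" are the client app types that cover
# legacy (basic auth) protocols; modern clients are "browser" and
# "mobileAppsAndDesktopClients", which this policy does not touch.
$policy = @{
    displayName = "Baseline: block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Belt and braces: an Exchange authentication policy. A newly created policy
# blocks basic auth for every protocol unless you enable them one by one, so
# making it the tenant default closes the password-only path even for clients
# Conditional Access never sees. SMTP AUTH is the basic-auth path most often
# still enabled for scanners and line-of-business apps, so it is switched off
# tenant-wide as well.
if (-not (Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Verify: list mailboxes carrying a per-mailbox override that re-enables SMTP
# AUTH (blank means "inherit the tenant setting", which is what we want).
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled
```

Leave the policy in report-only mode for at least one business cycle, review the sign-ins it flags, give each affected device or app a time-boxed exception or a migration to modern auth, and only then flip the state to enabled. The Exchange authentication policy is the backstop for anything that authenticates without passing through Conditional Access.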
Office client hardening is still worth your attention
It is easy to assume that cloud-first work eliminates document-based risk. Yet attackers still rely on users opening content. The baseline settings around Protected View and ActiveX exist because old formats remain a reliable delivery mechanism.
Teams that handle long-lived archives tend to get hit here: legal templates from a decade ago, finance spreadsheets passed down across controllers, engineering files stored for reference. The baseline does not require you to delete your history. It asks you to open it safely.
Teams Rooms and “resource accounts” are a quiet security boundary
Conference rooms feel physical, so the accounts behind them get treated as harmless. In Microsoft 365 they are identities with access paths.
If a room account can sign into a desktop client, access files, or authenticate from unmanaged hardware, you have created a shadow user that is rarely monitored and often excluded from normal controls.
After you secure user identities, securing room identities is one of the highest-return moves you can make because the fix is usually straightforward: restrict sign-in context, remove file access, and require device compliance.
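The "require device compliance" part of that fix, as an added example rather than code from the article: a Conditional Access policy that lets Teams Rooms resource accounts sign in only from an Intune-compliant device. It assumes the Microsoft.Graph module, a Conditional Access Administrator role, and that the room accounts are members of a group whose name is a placeholder. It starts in report-only mode so a room that is not yet enrolled shows up in the sign-in log instead of going dark in the middle of a meeting.

```powershell
# Added example (not from the original article): Conditional Access policy
# requiring a compliant device for Teams Rooms resource accounts, then a
# report-only impact check. Assumes the Microsoft.Graph module and a
# Conditional Access Administrator role; the group name is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "AuditLog.Read.All" -NoWelcome

$rooms = Get-MgGroup -Filter "displayName eq 'Teams-Rooms-Resource-Accounts'"   # placeholder group name
if (-not $rooms) { throw "Put the room resource accounts in a group first, then rerun." }

$policy = @{
    displayName = "Baseline: Teams Rooms require compliant device"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" once every room reports as compliant
    conditions  = @{
        users        = @{ includeGroups = @($rooms.Id) }
        applications = @{ includeApplications = @("Office365") }
        platforms    = @{ includePlatforms = @("windows", "android") }   # the two platforms Teams Rooms devices run on
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("compliantDevice")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created $($created.DisplayName) ($($created.Id)) in state $($created.State)"

# Before enforcing, see which room sign-ins the policy would have blocked.
# Report-only outcomes are recorded on each sign-in's applied-policy list.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.AppliedConditionalAccessPolicies.Id -contains $created.Id } |
    ForEach-Object {
        $hit = $_.AppliedConditionalAccessPolicies | Where-Object Id -eq $created.Id
        [pscustomobject]@{
            User      = $_.UserPrincipalName
            Device    = $_.DeviceDetail.DisplayName
            Compliant = $_.DeviceDetail.IsCompliant
            Result    = $hit.Result
        }
    } | Format-Table -AutoSize
```

A result of reportOnlyFailure against a room you recognise means that device needs Intune enrollment before the policy is enforced; a room you do not recognise is exactly the shadow user the section above describes.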
Email and collaboration controls stop the most common business-impact events
For many SMBs, the painful incidents look like one of these: business email compromise, invoice fraud, ransomware delivered through email, accidental sharing of sensitive files, or a former vendor retaining access to a shared folder.
The baseline settings map neatly to those outcomes:
- Safe Links and Safe Attachments reduce the odds that a single click turns into a security event.
- Sharing controls reduce the odds that sensitive documents become “public by link.”
- DLP and Message Encryption reduce the odds that regulated data leaves your tenant in clear text or without policy enforcement.
If you operate under HIPAA, FTC Safeguards, NIST guidance, or client-driven security requirements, these controls also support audit readiness because they convert good intentions into enforceable technical policy.
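Two of the three controls above (sharing links and Safe Links/Safe Attachments) are tenant-wide settings that can be applied in one pass. The script below is an added example, not the article's own; it assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, SharePoint Administrator and Security Administrator roles, and a Defender for Office 365 licence. "contoso" is a placeholder tenant and domain name. DLP and Message Encryption depend on what regulated data you hold and are not included.

```powershell
# Added example (not from the original article): disable "Anyone" links (or
# force their expiry) and turn on Safe Links / Safe Attachments with a verify
# step. Assumes the SharePoint Online and ExchangeOnlineManagement modules and
# a Defender for Office 365 licence; "contoso" is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

# --- Sharing: record the current state, then remove anonymous links ---
$before = Get-SPOTenant | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType
"Before:`n$($before | Out-String)"

# Option 1 (preferred): no Anyone links at all. External people sign in as
# guests, so every share has an identity behind it.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal

# Option 2: if a workflow truly needs Anyone links, keep them view-only and
# force expiry so a link pasted into an email a year ago is dead today.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#     -RequireAnonymousLinksExpireInDays 30 `
#     -FileAnonymousLinkType View -FolderAnonymousLinkType View `
#     -DefaultSharingLinkType Internal

# --- Safe Links: rewrite and scan URLs in mail, Teams and Office, no click-through ---
if (-not (Get-SafeLinksPolicy -Identity "Baseline Safe Links" -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name "Baseline Safe Links" `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
        -TrackClicks $true -AllowClickThrough $false | Out-Null
    New-SafeLinksRule -Name "Baseline Safe Links" -SafeLinksPolicy "Baseline Safe Links" `
        -RecipientDomainIs "contoso.com" | Out-Null   # placeholder domain
}

# --- Safe Attachments: detonate attachments and block the message if they misbehave ---
if (-not (Get-SafeAttachmentPolicy -Identity "Baseline Safe Attachments" -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name "Baseline Safe Attachments" -Enable $true -Action Block -Redirect $false | Out-Null
    New-SafeAttachmentRule -Name "Baseline Safe Attachments" -SafeAttachmentPolicy "Baseline Safe Attachments" `
        -RecipientDomainIs "contoso.com" | Out-Null   # placeholder domain
}
# Extend Safe Attachments scanning to files already sitting in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# --- Verify: rules exist and are enabled, policies carry the settings we asked for ---
Get-SPOTenant | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays, DefaultSharingLinkType
Get-SafeLinksRule | Select-Object Name, State, SafeLinksPolicy
Get-SafeLinksPolicy -Identity "Baseline Safe Links" | Select-Object Name, ScanUrls, AllowClickThrough, EnableSafeLinksForTeams
Get-SafeAttachmentRule | Select-Object Name, State, SafeAttachmentPolicy
Get-SafeAttachmentPolicy -Identity "Baseline Safe Attachments" | Select-Object Name, Enable, Action
```

The "Before" output is worth keeping with the change ticket: it is the evidence an auditor asks for, and it is what you roll back to if a line-of-business process turns out to depend on anonymous links.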
Licensing reality: know what you own before you design the baseline
Microsoft 365 security features are not evenly distributed across plans, and SMBs feel that quickly. Many organizations can cover a strong baseline with the right mix of Business Premium, Defender capabilities, and Conditional Access. Others need extra layers for advanced DLP or email protections.
Treat licensing like architecture, not purchasing. When you map controls to licenses, you reduce rework and avoid partial implementations that leave you exposed while still consuming staff time.
A rollout plan that avoids lockouts and user revolt
A baseline succeeds when it ships in phases, with impact checks and a clear exception process. The fastest way to lose momentum is to push everything at once, break a line-of-business workflow, and roll back key controls under pressure.
A practical rollout sequence looks like this:
- Start with Secure Score and sign-in logs: Identify high-risk gaps, then confirm what is actually being used (legacy auth, external sharing, guest access).
- Lock down admins first: Separate admin accounts, apply phishing-resistant MFA, and reduce standing privileges.
- Enforce MFA for all users: Use security defaults if you need speed, Conditional Access if you need precision.
- Block legacy auth and risky clients: Remove basic authentication paths, then verify you did not strand a device or app.
- Tighten sharing and data controls: Disable anonymous links or force expiration, then add DLP and encryption rules where your data requires it.
- Turn on advanced email protections: Enable Safe Links/Safe Attachments and tune anti-phish policies to match your business patterns.
That sequence keeps the business running while you raise the floor.
What strong baselining looks like in day-to-day operations
Once the settings are in place, the operational win is that “security” stops being a constant debate. The baseline becomes a standard.
A few practices help keep it stable:
- Policy owners: Assign someone to each control area (identity, email, endpoints, data). Ownership beats good intentions.
- Exception expirations: Every exception should have a reason, an owner, and a date when it gets removed or reviewed.
- Quarterly access review: Admin roles and guest access deserve routine review, even in a 25-person firm.
If you want a simple way to structure the work, think in three baseline layers:
- Identity baseline: MFA everywhere, strong admin protections, no legacy auth.
- Device baseline: Managed endpoints, compliance gating, EDR coverage.
- Data baseline: Sharing rules, encryption, DLP where it matches your risk.
Where a managed IT and security partner fits
Many SMBs can design a solid baseline internally, yet struggle to maintain it while handling tickets, onboarding, vendor requests, and day-to-day operations. That is where a partner model can be useful: ongoing monitoring, policy upkeep, incident response readiness, and steady improvements without spinning up a full internal security team.
SRS Networks works with organizations in the SMB range that depend on Microsoft 365, secure remote access, and predictable IT outcomes, with managed IT services and cybersecurity support designed to keep baseline controls consistent as the business changes.
If you want the fastest internal win, pick three settings from the table you know you have not touched, validate impact in a pilot group, then schedule the enforcement date. That rhythm, repeated, is how a baseline turns into a real security posture.