If your business uses Microsoft 365, you already have one of the world’s most secure cloud platforms. But here’s the catch: many of its best defences are quietly turned off until you switch them on. Learn how to use five underrated Microsoft 365 security settings.
Most small and medium-sized businesses assume Microsoft 365 is “secure by default.” In reality, the default configuration is designed for convenience, not complete protection. That means the security tools you’re already paying for might not be working to their full potential.
At Commercial Networks, we help clients unlock those hidden layers of protection, tightening settings, closing gaps, and turning “good enough” into true Office 365 protection.
Here are five underrated Microsoft 365 security settings that every SMB should review today.
Microsoft 365 Security Settings Every SMB Should Check
Even without premium licences, Microsoft 365 includes dozens of built-in safeguards; the trick is knowing where to find them and how to configure them properly.
Below are five simple but powerful features that make a real difference to your SMB cyber defence.
1. Conditional Access – Lock Out the Unexpected
Conditional Access lets you control how and where users sign in. For example, you can block logins from outside the UK, enforce MFA on untrusted devices, or require compliant hardware for sensitive data.
It’s like a smart bouncer for your Microsoft 365 account, verifying context before allowing entry.
Many SMBs don’t realise this feature is included with Microsoft 365 Business Premium or Enterprise licences. Configured properly, it stops most unauthorised access attempts before they start.
2. Safe Links and Safe Attachments – Stop Phishing in Its Tracks
Phishing is still the number one entry point for ransomware. Microsoft Defender for Office 365 includes Safe Links and Safe Attachments, two quietly brilliant features that filter malicious content automatically.
- Safe Links rewrites URLs in emails and documents, scanning them in real time when clicked.
- Safe Attachments detonates attachments in a virtual sandbox before delivery, blocking suspicious files.
Together, they protect employees from the most common attacks, even when someone clicks the wrong link.
If you’re unsure whether these protections are active, it’s worth checking. They can be enabled through Security & Compliance settings or managed centrally by your MSP.
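As an added example (not code from the original article or from Commercial Networks), the following Exchange Online PowerShell session checks whether Safe Links and Safe Attachments policies exist and, if not, creates a tenant-wide pair. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds the Security Administrator role, the tenant has a Microsoft Defender for Office 365 licence, and that `contoso.com` is a placeholder for your own accepted domain.

```powershell
# Added example, not from the original article. Assumes the
# ExchangeOnlineManagement module and a Defender for Office 365 licence.
Connect-ExchangeOnline

$domain = "contoso.com"   # placeholder: replace with your accepted domain

# --- Safe Links: rewrite and scan URLs in mail, Teams and Office clients ---
$linksPolicy = "Safe Links - All users"
if (-not (Get-SafeLinksPolicy -Identity $linksPolicy -ErrorAction SilentlyContinue)) {
    $linksSettings = @{
        Name                     = $linksPolicy
        EnableSafeLinksForEmail  = $true
        EnableSafeLinksForTeams  = $true
        EnableSafeLinksForOffice = $true
        ScanUrls                 = $true    # scan at time of click, not only at delivery
        DeliverMessageAfterScan  = $true    # hold the message until the URL scan finishes
        EnableForInternalSenders = $true    # a compromised colleague's mailbox is still a phishing source
        TrackClicks              = $true    # keep click telemetry for later investigation
        AllowClickThrough        = $false   # users cannot bypass the warning page
    }
    New-SafeLinksPolicy @linksSettings
    # The rule decides who the policy applies to; without it the policy does nothing.
    New-SafeLinksRule -Name $linksPolicy -SafeLinksPolicy $linksPolicy -RecipientDomainIs $domain
}

# --- Safe Attachments: detonate attachments in a sandbox before delivery ---
$attachPolicy = "Safe Attachments - All users"
if (-not (Get-SafeAttachmentPolicy -Identity $attachPolicy -ErrorAction SilentlyContinue)) {
    $attachSettings = @{
        Name   = $attachPolicy
        Enable = $true
        Action = "Block"    # drop the message when the sandbox flags the attachment
    }
    New-SafeAttachmentPolicy @attachSettings
    New-SafeAttachmentRule -Name $attachPolicy -SafeAttachmentPolicy $attachPolicy -RecipientDomainIs $domain
}

# Extend Safe Attachments scanning to files in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# --- Verification: the settings that matter most, in one view each ---
Get-SafeLinksPolicy | Format-Table Name, ScanUrls, DeliverMessageAfterScan, AllowClickThrough
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action
```

The two `Get-*Policy` calls at the end are the quick audit a practitioner actually wants: a policy that exists but has `AllowClickThrough` set to true, or `Enable` set to false, gives the appearance of protection without the substance. Tenants with the Standard or Strict preset security policies applied already have equivalent settings; in that case the custom policies above are redundant rather than harmful.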
3. Admin MFA Enforcement – Protect the Gatekeepers
It’s one thing to enforce Multi-Factor Authentication (MFA) for employees; it’s another to make sure administrators are included.
Admin accounts hold the keys to your entire Microsoft 365 tenant: email, SharePoint, Teams, and more. Yet we still see companies where admin MFA is disabled “temporarily” for convenience and never turned back on.
Microsoft reports that enabling MFA blocks 99% of credential-based attacks. If nothing else, make sure your global admin accounts have it enforced. At Commercial Networks, we make MFA mandatory across all privileged accounts as part of our baseline security setup.
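The following added example (not code from the original article or from Commercial Networks) puts sections 1 and 3 together with the Microsoft Graph PowerShell SDK: a Conditional Access policy that requires MFA for every Global Administrator, a second policy that blocks sign-ins from outside the UK, and a final check for administrators who have never registered an MFA method. It assumes the Microsoft.Graph module is installed, the tenant has Entra ID P1 (included in Business Premium), and that `breakglass@contoso.com` is a placeholder for your emergency-access account. Both policies are created in report-only mode so their effect can be reviewed in the sign-in logs before anything is enforced.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# module, Entra ID P1, and a placeholder break-glass account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "AuditLog.Read.All"

# Placeholder: an emergency-access ("break-glass") account excluded from every
# policy, so a misconfigured policy cannot lock all administrators out.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.com"

# Well-known directory role template ID for Global Administrator.
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"

# --- Policy 1: every Global Administrator must pass MFA for every application ---
$adminMfa = @{
    displayName   = "Require MFA for Global Administrators"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users        = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa

# --- Policy 2: block sign-ins that do not originate in the UK ---
# A named location defines "UK"; the policy then targets every location except it.
$ukLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "United Kingdom"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false   # unknown geo-IP is treated as outside the UK
}

$geoBlock = @{
    displayName   = "Block sign-ins from outside the UK"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{
            includeLocations = @("All")
            excludeLocations = @($ukLocation.Id)
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlock

# --- Check: which policies exist and whether they are enforced or report-only ---
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# --- Check: administrators with no MFA method registered at all ---
# A policy can only require MFA; it cannot register a method on the admin's behalf.
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true and isMfaRegistered eq false" |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered
```

Leaving the policies in `enabledForReportingButNotEnforced` for a week and reviewing the "Report-only" tab of the sign-in logs is the safe way to confirm that the only sign-ins they would have blocked are the ones you expect. The last query is the one to run first: an admin who has never registered an authenticator will be locked out the moment Policy 1 is enforced, which is exactly the situation that leads to MFA being switched off "temporarily".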
4. OneDrive Ransomware Detection – Your Silent Safety Net
OneDrive isn’t just for storage; it’s a hidden hero for ransomware recovery.
If files in OneDrive or SharePoint are encrypted or deleted in bulk (a tell-tale ransomware sign), Microsoft automatically detects it and alerts the user. You can then restore files to an earlier version with just a few clicks.
It’s not a replacement for offline backups, but it’s a fast, built-in recovery tool that saves hours of downtime. Many SMBs don’t even realise it’s active or haven’t configured retention policies that make it truly effective.
5. Unusual Sign-in Alerts – Spot Intruders Early
Microsoft 365 can alert you when a login happens from an unfamiliar location, device, or IP address. These unusual sign-in alerts are simple but powerful: they provide an early warning if an account’s credentials have been stolen.
In small organisations without a full SOC (Security Operations Centre), these alerts are often the first sign that something’s wrong.
You can enable them in the Azure Active Directory Sign-in Risk Policy, or have your MSP monitor them automatically as part of ongoing Office 365 protection.
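As an added example (not code from the original article or from Commercial Networks), this Microsoft Graph PowerShell session shows the two halves of working with sign-in risk: pulling the last seven days of medium and high risk detections for triage, and creating the sign-in risk policy as a Conditional Access policy. It assumes the Microsoft.Graph module, a placeholder break-glass account `breakglass@contoso.com`, and, for the risk detections and the risk-based policy, Entra ID P2 (the P1 included in Business Premium gives only limited risk detail).

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# module and Entra ID P2 for full Identity Protection risk data.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All", "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# --- Triage: medium/high risk detections from the last 7 days ---
# riskLevel is filtered server-side; the date window is applied locally.
$since = (Get-Date).AddDays(-7)
Get-MgRiskDetection -Filter "riskLevel eq 'medium' or riskLevel eq 'high'" -All |
    Where-Object { $_.ActivityDateTime -ge $since } |
    Sort-Object ActivityDateTime -Descending |
    Select-Object ActivityDateTime, UserPrincipalName, RiskEventType, RiskLevel, RiskState, IPAddress,
                  @{ Name = "Country"; Expression = { $_.Location.CountryOrRegion } } |
    Format-Table -AutoSize

# --- Users whose risk has not been remediated or dismissed ---
# These are the accounts to confirm a password reset and MFA re-registration for.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime

# --- The sign-in risk policy itself, expressed as Conditional Access ---
$breakGlass = Get-MgUser -UserId "breakglass@contoso.com"   # placeholder emergency-access account

$riskPolicy = @{
    displayName   = "Require MFA on medium or high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users            = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")   # low-risk sign-ins pass untouched
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy
```

Requiring MFA on a risky sign-in, rather than blocking it outright, is the usual choice: a genuine user on holiday passes the challenge and carries on, while a stolen password alone is not enough. The triage query is worth scheduling weekly even if no policy is enforced, because a detection with `RiskState` still `atRisk` days later is the "first sign that something’s wrong" the section describes.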
Office 365 Protection – Beyond the Basics
Switching these features on is only the start. Real protection comes from monitoring and maintenance.
At Commercial Networks, we build layered defences for SMBs:
- Policy configuration – ensuring MFA, Conditional Access, and alerting are properly set up.
- User training – turning phishing awareness into second nature.
- Ongoing monitoring – catching anomalies before they become breaches.
It’s a proactive approach that transforms Microsoft 365 from “a productivity suite” into a secure business platform.
Why These Settings Matter
Cybercriminals love targeting small businesses because they assume the basics are enough. But as Microsoft’s Security Intelligence Report notes, 71% of SMB incidents come from misconfigured cloud services — not sophisticated hacking.
That’s why your SMB cyber defence needs regular review. A few clicks in your admin centre could prevent a data breach, save you thousands, and keep your team working securely.
Use What You’ve Already Paid For
The best part? Every feature above is already included in most Microsoft 365 Business Premium plans. You don’t need a huge security budget, just the right configuration.
We help clients unlock the full potential of their Microsoft 365 security. From Managed IT Services to Microsoft 365 optimisation, we ensure your investment works as hard, and as securely, as you do.
Book a call to check your configuration and activate the defences that might already be waiting for you.
Further Reading
- Microsoft 365 Security Overview
- NCSC: Securing Office 365 Guidance
- Microsoft Defender for Office 365
- Gartner: Best Practices for Cloud Security 2025