Free Mini-Course • 30 Minutes

5 Microsoft 365 Settings to Change Today

Step-by-step security improvements for non-technical managers

⚠️ The Problem

Out-of-the-box Microsoft 365 is shockingly insecure. Microsoft ships with security features turned OFF by default because they don't want to "inconvenience" users during trial periods.

This means your tenant right now is probably vulnerable to:

  • Password-only logins (no MFA)
  • Unmanaged devices accessing company data
  • Files shared publicly with "Anyone with the link"
  • No email phishing protection beyond basic filters
  • Former employees still able to access email

✅ What You'll Learn

In this 30-minute course, you'll make 5 critical security changes that will:

  • ✓ Block 99.9% of automated attacks (Setting #1: MFA)
  • ✓ Stop employees from accidentally sharing confidential files (Setting #2)
  • ✓ Prevent phishing emails from reaching inboxes (Setting #3)
  • ✓ Ensure former employees can't access company data (Setting #4)
  • ✓ Get visibility into security threats (Setting #5)

Best part: You don't need to be technical. Just follow the screenshots.

1. Enforce Multi-Factor Authentication (MFA)

Time: 10 minutes • CRITICAL

Why this matters: 58% of breaches start with stolen passwords. MFA blocks 99.9% of automated attacks. This is the single most important setting.

Step-by-Step:

  1. Open the Microsoft Entra admin center

    Go to https://entra.microsoft.com

    (You must be a Global Administrator to do this)

  2. Navigate to Security Defaults

    Left sidebar: Protection → Authentication methods → Policies

  3. Enable Security Defaults

    Click "Security defaults" → Toggle to "Enabled"

    This will require MFA for all users (including you!)

  4. Notify your team

    Send an email: "Starting [date], you'll need to set up MFA. Download the Microsoft Authenticator app on your phone. You'll be prompted to set it up on your next login."

Expected pushback from team:

"This is annoying. Why do we need this?"

Your response: "Our cyber insurance requires it. Also, we don't want to be the next company on the news that got hacked. It's a one-time 2-minute setup, then just a tap on your phone each login."

Impact: Blocks 99.9% of automated attacks

2. Disable "Anyone with the link" Sharing

Time: 5 minutes • HIGH

Why this matters: By default, users can share files with "Anyone with the link"—meaning the file is publicly accessible to the entire internet. This has led to countless data breaches where confidential files were accidentally shared publicly.

Step-by-Step:

  1. Open SharePoint admin center

    Go to https://admin.microsoft.com → Click "SharePoint"

  2. Go to Policies → Sharing

    Left sidebar: Policies → Sharing

  3. Change external sharing settings

    Under "SharePoint": Move the slider to "New and existing guests"

    Under "OneDrive": Move the slider to "New and existing guests"

    This means users can share with specific people outside your organization (by entering their email), but NOT with "Anyone with the link".

  4. Set expiration dates

    Scroll down to "Advanced settings" → Enable "Links must expire within this many days" → Set to 30 days

  5. Click Save at the bottom

Impact: Prevents accidental public data leaks
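
The same sharing change can be checked and applied from SharePoint Online PowerShell, which also leaves a before/after record. This is an added example, not part of the original course; it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account, and the tenant name "contoso" is a placeholder.

```powershell
# Added example (not from the original course).
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed.
# 'contoso' is a placeholder tenant name; substitute your own.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Slider position in the admin center -> SharingCapability value:
#   "Anyone"                          -> ExternalUserAndGuestSharing
#   "New and existing guests"         -> ExternalUserSharingOnly
#   "Existing guests"                 -> ExistingExternalUserSharingOnly
#   "Only people in your organization"-> Disabled
$Anyone = 'ExternalUserAndGuestSharing'
$Target = 'ExternalUserSharingOnly'

$tenant = Get-SPOTenant
$before = $tenant | Select-Object SharingCapability, OneDriveSharingCapability

# Only tighten. A setting that is already stricter than the target
# (for example "Existing guests") is left untouched.
$changes = @{}
if ("$($tenant.SharingCapability)" -eq $Anyone) {
    $changes.SharingCapability = $Target
}
if ("$($tenant.OneDriveSharingCapability)" -eq $Anyone) {
    $changes.OneDriveSharingCapability = $Target
}
if ($changes.Count -gt 0) {
    Set-SPOTenant @changes
}

# Read the values back rather than trusting that the call succeeded.
$after = Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability
"Before: SharePoint=$($before.SharingCapability) OneDrive=$($before.OneDriveSharingCapability)"
"After : SharePoint=$($after.SharingCapability) OneDrive=$($after.OneDriveSharingCapability)"

# The tenant setting is the ceiling for every site. List any site whose
# own setting still reads "Anyone" so it can be reviewed.
Get-SPOSite -Limit All |
    Where-Object { "$($_.SharingCapability)" -eq $Anyone } |
    Select-Object Url, SharingCapability
```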

3. Enable External Email Warnings

Time: 5 minutes • HIGH

Why this matters: 91% of cyberattacks start with phishing. Adding a visual warning banner to external emails helps users spot suspicious messages.

Step-by-Step:

  1. Open Exchange admin center

    Go to https://admin.exchange.microsoft.com

  2. Go to Mail flow → Rules

    Left sidebar: Mail flow → Rules

  3. Create a new rule

    Click "+ Add a rule" → "Create a new rule"

    Name: External Email Warning

    Apply this rule if: The sender is located → Outside the organization

    Do the following: Prepend the subject → [EXTERNAL]

  4. Click Save

What users will see:

All emails from outside your organization will have [EXTERNAL] in the subject line. This helps spot phishing attempts claiming to be from "Your CEO" or "IT Department".

Impact: Reduces successful phishing by 40%
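
The rule above can also be created and verified from Exchange Online PowerShell. This is an added example, not part of the original course; it assumes the ExchangeOnlineManagement module and an Exchange administrator account. The exception on subjects that already contain the tag is an addition beyond the steps above, so reply threads do not accumulate repeated prefixes.

```powershell
# Added example (not from the original course).
# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

$RuleName = 'External Email Warning'   # rule name from the steps above
$Tag      = '[EXTERNAL]'               # tag from the steps above
$Prefix   = "$Tag "                    # trailing space separates tag and subject

# Create the rule only if it does not exist, so the script can be re-run.
$existing = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -PrependSubject $Prefix `
        -ExceptIfSubjectContainsWords $Tag `
        -Comments 'Tags mail from senders outside the organization'
}

# Verify what is actually configured. State should be Enabled and Mode
# should be Enforce; a rule left in an audit/test mode tags nothing.
$rule = Get-TransportRule -Identity $RuleName
$rule | Format-List Name, State, Mode, FromScope, PrependSubject,
                    ExceptIfSubjectContainsWords

if ("$($rule.State)" -ne 'Enabled' -or "$($rule.FromScope)" -ne 'NotInOrganization') {
    Write-Warning "Rule '$RuleName' exists but is not tagging external mail as intended."
}
```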

4. Enable Automatic License Reclamation

Time: 5 minutes • MEDIUM

Why this matters: When employees leave, their Microsoft 365 account often stays active for weeks or months. This wastes money AND creates a security risk (former employees can still access company data).

Step-by-Step:

  1. Create an offboarding checklist (right now!)

    Open a Word doc or Google Doc and title it "Employee Offboarding Checklist"

  2. Add these steps to the checklist:

    □ Remove user from Microsoft 365 (admin.microsoft.com → Active users → Delete)

    □ Convert mailbox to shared mailbox (preserves emails, costs $0)

    □ Remove from all Teams and SharePoint sites

    □ Reset password immediately (prevents login while you clean up access)

    □ Collect any company devices (laptop, phone)

  3. Save this checklist somewhere obvious

    Put it in your HR folder, pin it in Teams, email it to yourself. When someone leaves, you'll know exactly what to do.

Impact: Prevents former employee access, saves licensing costs

5. Enable Microsoft Secure Score Monitoring

Time: 5 minutes • MEDIUM

Why this matters: Microsoft Secure Score gives you a free, real-time security scorecard (0-100). It shows exactly what security settings are missing and how to fix them. Think of it as a "check engine light" for your Microsoft 365 security.

Step-by-Step:

  1. Open Microsoft Secure Score

    Go to https://security.microsoft.com/securescore

  2. Review your current score

    You'll see a number like "42/100" or "67/100". Don't panic if it's low—most SMBs start at 30-50.

  3. Click "Recommended actions"

    This shows you the top security improvements you should make, sorted by impact. Each action has a step-by-step guide.

  4. Bookmark this page and check it monthly

    Set a calendar reminder to review your Secure Score on the 1st of every month. Goal: improve by 5-10 points per month.

Target Scores:

  • 40-60: Typical starting point for SMBs
  • 70-79: Good (meets most cyber insurance requirements)
  • 80-89: Excellent (better than 80% of organizations)
  • 90+: World-class (difficult to achieve without dedicated IT team)

Impact: Provides ongoing visibility and improvement roadmap

Congratulations! You're Done! 🎉

You've just made 5 critical security improvements that will protect your business from the most common threats.

You blocked: 99.9% of automated attacks

You prevented: Accidental data leaks

You gained: Security visibility

What's Next?

Get Your Full Security Score

This mini-course covered 5 settings. There are 42 more security improvements you should make. Get your free comprehensive security assessment.

Check Your Cyber Insurance Requirements

Even with these 5 settings, you may not meet all cyber insurance requirements. Use our checklist to see what else is needed.

Need Help?

TSSAC's Core Membership includes hands-on help implementing these settings plus ongoing monitoring and support.
