Microsoft 365 is convenient, but it still needs the right security settings
Microsoft 365 is a great fit for small businesses. It keeps your email, files, calendar, Teams chats and business apps in one place, which makes daily work easier.
But because so much of your business sits inside Microsoft 365, it is also a common target for criminals. If someone gets into one account, they may be able to read emails, send fake invoices, access files or reset passwords for other services that send their reset links to that mailbox.
The good news is that a few sensible settings can make a big difference. This checklist is written for business owners who want practical protection without getting buried in technical detail.
1. Turn on multi-factor authentication for everyone
Multi-factor authentication, often called MFA, means staff need more than just a password to sign in. Usually, they also approve a sign-in on their phone or enter a one-time code.
This is one of the most important Microsoft 365 security steps you can take. Passwords can be guessed, stolen or reused from other websites. MFA adds another barrier.
What to do
- Turn on MFA for all staff, not just managers.
- Use an authenticator app where possible, rather than text messages, which can be intercepted or redirected by SIM-swap fraud.
- Make sure owners and admin accounts have MFA turned on first.
2. Use separate admin accounts
An admin account is like a master key for your Microsoft 365 environment. It can add users, change settings and access sensitive areas.
Business owners often use the same account for everyday email and admin tasks. That is risky. If that account is compromised, the attacker may get full control.
What to do
- Use a normal account for daily email and work.
- Create a separate admin account for admin tasks only.
- Limit admin access to the smallest number of trusted people.
- Review admin accounts regularly and remove access when it is no longer needed.
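Sections 1 and 2 together come down to two questions: who holds admin roles, and do all of them have MFA? The script below answers both from Microsoft Graph. It is an added example written for this checklist, not code from Microsoft or from the original article. It assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph) and that you sign in with an account that can consent to the read-only permissions it asks for; the list of roles is an assumption you should edit for your own tenant.

```powershell
# Added example (not from the original article): list who holds privileged roles in
# your tenant and whether each of them has registered for MFA.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph -Scope CurrentUser)
# and an account able to consent to the read-only scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Roles worth reviewing in a small business; edit to suit your tenant (assumed list).
$privilegedRoles = @("Global Administrator", "Exchange Administrator",
                     "SharePoint Administrator", "User Administrator", "Security Administrator")

# The registration report covers every user; index it by UPN for quick lookup.
# If the report is not available on your licence, the admin list still prints.
$registration = @{}
try {
    Get-MgReportAuthenticationMethodUserRegistrationDetail -All -ErrorAction Stop |
        ForEach-Object { $registration[$_.UserPrincipalName.ToLower()] = $_ }
} catch {
    Write-Warning "MFA registration report unavailable: $($_.Exception.Message)"
}

# A role only appears here once it has been activated in the tenant;
# a role missing from this list has no members yet.
$activeRoles = Get-MgDirectoryRole

$report = foreach ($roleName in $privilegedRoles) {
    $role = $activeRoles | Where-Object DisplayName -eq $roleName
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members can be users, groups or service principals; only users register MFA.
        if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }
        $upn = $member.AdditionalProperties.userPrincipalName
        $reg = $registration[$upn.ToLower()]
        [pscustomobject]@{
            Role          = $roleName
            User          = $upn
            MfaRegistered = if ($reg) { $reg.IsMfaRegistered } else { $null }
            Methods       = if ($reg) { $reg.MethodsRegistered -join ', ' } else { '(no data)' }
        }
    }
}

# Two things to act on: more admins than you expected, and any admin without MFA.
$report | Sort-Object Role, User | Format-Table -AutoSize
$report | Where-Object { $_.MfaRegistered -eq $false } |
    ForEach-Object { Write-Warning "Admin without MFA: $($_.User) ($($_.Role))" }
```

Run it every few months and keep the output. If the same everyday mailbox shows up under Global Administrator, that is the shared-account problem from section 2; if any row warns about missing MFA, fix that before anything else on this list.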
3. Check your password rules
Complicated password rules can frustrate staff and often lead to bad habits, like writing passwords down or changing one character each time.
A better approach is to use strong passphrases, such as a few random words, and combine them with MFA. Password managers can also help staff keep unique passwords for each service.
What to do
- Encourage long passphrases instead of short, complex passwords.
- Do not allow staff to share passwords.
- Use a password manager for business accounts.
- Change passwords immediately if an account may have been exposed.
4. Protect email from scams and fake invoices
Email is still one of the most common ways criminals target small businesses. They may pretend to be a supplier, a staff member, Microsoft, a bank or even the business owner.
The aim is usually to steal passwords, trick someone into paying a fake invoice or get staff to open a harmful attachment.
What to do
- Make sure Microsoft 365 spam and phishing protection is enabled.
- Publish SPF, DKIM and DMARC records for your domain. These are the checks other mail systems use to tell real email from your business apart from forgeries.
- Warn staff to confirm bank account changes by phone using a known number.
- Use clear internal rules for payments and invoice approvals.
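The three domain records mentioned above can be checked and, for DKIM, switched on from PowerShell. The script below is an added example written for this checklist, not code from the original article or from Microsoft. It assumes Windows PowerShell (Resolve-DnsName is a Windows cmdlet) and the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement); "example.com.au" is a placeholder for your own domain.

```powershell
# Added example (not from the original article): check SPF and DMARC in DNS, then set up
# DKIM signing in Exchange Online. Assumes Windows PowerShell and the ExchangeOnlineManagement
# module. The domain name is a placeholder; replace it with your own.
$domain = "example.com.au"

function Get-TxtRecord([string]$Name) {
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }   # no record, or DNS lookup failed
}

# SPF: exactly one TXT record starting with v=spf1, ending in -all (fail) or ~all (softfail).
$spf = @(Get-TxtRecord $domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0       { Write-Warning "No SPF record for $domain" }
    1       { if ($spf[0] -notmatch '(-|~)all$') { Write-Warning "SPF for $domain does not end in -all or ~all: $($spf[0])" }
              else { "SPF OK: $($spf[0])" } }
    default { Write-Warning "More than one SPF record for $domain; receivers treat this as an SPF failure" }
}

# DMARC: tells receivers what to do when SPF/DKIM fail and where to send reports.
# p=none is the normal starting point, but it only reports; p=quarantine or p=reject blocks forgeries.
$dmarc = @(Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0)             { Write-Warning "No DMARC record at _dmarc.$domain" }
elseif ($dmarc[0] -match 'p=none')  { Write-Warning "DMARC is monitor-only (p=none): $($dmarc[0])" }
else                                { "DMARC OK: $($dmarc[0])" }

# DKIM: Exchange Online signs outbound mail once two selector CNAMEs exist in your DNS.
Connect-ExchangeOnline -ShowBanner:$false
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    # Creating the config (disabled) gives you the CNAME targets to publish at your DNS host.
    $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false
}
"DKIM CNAMEs required at your DNS host:"
"  selector1._domainkey.$domain -> $($dkim.Selector1CNAME)"
"  selector2._domainkey.$domain -> $($dkim.Selector2CNAME)"

$cnamesPublished = (Resolve-DnsName "selector1._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue) -and
                   (Resolve-DnsName "selector2._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue)
if ($dkim.Enabled) {
    "DKIM signing already enabled for $domain"
} elseif ($cnamesPublished) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    "DKIM signing enabled for $domain"
} else {
    Write-Warning "Publish the two CNAMEs above, wait for DNS to update, then re-run to enable DKIM"
}
```

Expect the first run to stop at the DKIM step: you have to add the two CNAME records at whoever hosts your DNS, wait for them to propagate, then run the script again. Leave DMARC at p=none until the reports show that all your legitimate senders (Microsoft 365, your accounting package, any newsletter tool) pass SPF or DKIM; only then move to quarantine or reject.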
5. Keep an eye on sign-in activity
Microsoft 365 records sign-in activity, including failed login attempts and sign-ins from unusual locations. These records can help spot suspicious behaviour early.
For example, if a staff member in Brisbane appears to sign in from another country at 2 am, that should be checked.
What to do
- Review sign-in activity for owners, managers and finance staff.
- Look for sign-ins from unusual places or devices.
- Set up alerts for risky or suspicious sign-ins if your licence supports it.
- Investigate repeated failed login attempts.
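The checks in this section can be automated against the Entra ID sign-in log. The script below is an added example written for this checklist, not code from the original article. It assumes the Microsoft Graph PowerShell SDK and that your tenant holds at least one Entra ID P1 licence, which is what the sign-in log API requires (the "if your licence supports it" caveat above). The country list is an assumption; set it to wherever your staff actually work.

```powershell
# Added example (not from the original article): pull the last 7 days of sign-ins from
# Entra ID and surface the patterns the section describes. Assumes the Microsoft Graph
# PowerShell SDK and an Entra ID P1 licence on the tenant (needed for the sign-in log API).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Where your staff normally sign in from (assumed; edit for your business).
$expectedCountries = @("AU")
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# 1. Successful sign-ins from countries you do not operate in (the "Brisbane user at 2 am
#    from overseas" case). Location comes from IP geolocation, so a travelling staff member
#    or a VPN will show up here too; each row needs a human to confirm it.
"--- Successful sign-ins from unexpected countries ---"
$signIns |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -and
                   $_.Location.CountryOrRegion -notin $expectedCountries } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
                  @{n='Country'; e={ $_.Location.CountryOrRegion }},
                  @{n='City';    e={ $_.Location.City }}, AppDisplayName |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

# 2. Repeated failures per account. 50126 = wrong username or password,
#    50053 = account locked after too many attempts. Many failures across many
#    accounts from the same IP is password spraying.
"--- Accounts with 10+ failed sign-ins ---"
$signIns |
    Where-Object { $_.Status.ErrorCode -in 50126, 50053 } |
    Group-Object UserPrincipalName |
    Where-Object { $_.Count -ge 10 } |
    Select-Object @{n='User'; e={ $_.Name }}, Count,
                  @{n='SourceIPs'; e={ ($_.Group.IpAddress | Sort-Object -Unique) -join ', ' }} |
    Sort-Object Count -Descending | Format-Table -AutoSize

# 3. Sign-ins Entra ID itself rated as risky. Populated only with Identity Protection (P2);
#    on lower plans this table is simply empty.
"--- Sign-ins Entra ID rated medium or high risk ---"
$signIns |
    Where-Object { $_.RiskLevelDuringSignIn -in 'medium', 'high' } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress, RiskLevelDuringSignIn, RiskState |
    Format-Table -AutoSize
```

A weekly run of this over the owner, manager and finance accounts covers most of the list above. For a small business the first table is usually short enough to check by phone in a few minutes, which is exactly the point: the goal is to notice a compromised account before the fake invoice goes out, not to build a security operations centre.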
6. Control file sharing in OneDrive and SharePoint
OneDrive and SharePoint make it easy to share files with staff, clients and suppliers. That convenience can become a problem if files are shared too widely.
Common issues include public links, old sharing links that were never removed, and sensitive folders available to people who no longer need them.
What to do
- Limit "Anyone" links (links that work without signing in) where possible.
- Use expiry dates on external sharing links.
- Review who has access to important folders.
- Remove access for past staff, contractors and suppliers.
- Keep sensitive files in controlled locations, not scattered across personal accounts.
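The tenant-wide sharing settings behind the first two points, and a list of every outside account that still has access, can be handled from the SharePoint Online module. The script below is an added example written for this checklist, not code from the original article or from Microsoft. It assumes Install-Module Microsoft.Online.SharePoint.PowerShell has been run and that "contoso" stands in for your tenant name; the 30- and 90-day figures are reasonable defaults, not Microsoft recommendations.

```powershell
# Added example (not from the original article): record, then tighten, tenant-wide sharing
# for SharePoint and OneDrive, and list external accounts that still have access.
# Assumes the SharePoint Online module; "contoso" is a placeholder for your tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current settings before changing anything, so you can explain or undo a change.
"--- Current sharing settings ---"
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType,
    ExternalUserExpirationRequired, ExternalUserExpireInDays | Format-List

# Tighten the defaults (values are assumptions; adjust to how your business works):
#  - external sharing only with named guests who sign in, so no "Anyone" links;
#  - new links default to "people in your organisation" rather than "Anyone";
#  - if "Anyone" links are ever re-enabled, they expire after 30 days and are view-only;
#  - guests lose access after 90 days unless the site owner renews it.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 90

# Who from outside the business can still get in? Get-SPOExternalUser returns at most
# 50 per call; -Position pages through larger lists.
"--- External users with access ---"
$external = @()
$position = 0
do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize 50)
    $external += $page
    $position += 50
} while ($page.Count -eq 50)
$external | Select-Object DisplayName, Email, WhenCreated, AcceptedAs, InvitedBy | Format-Table -AutoSize

# Review the list with the site owners, then remove anyone who no longer needs access.
# Example (uncomment after checking): everyone from a supplier you stopped using.
# $gone = $external | Where-Object { $_.Email -like '*@old-supplier.example' }
# if ($gone) { Remove-SPOExternalUser -UniqueIDs $gone.UniqueId }
```

Changing SharingCapability to ExternalUserSharingOnly disables existing "Anyone" links immediately, so tell staff before you flip it and give them a day to re-share anything a client genuinely needs as a named guest. Settings on individual sites can be stricter than the tenant but not looser, so this one change caps what any site can do.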
7. Back up Microsoft 365 data
Many business owners assume Microsoft automatically backs up everything in a way that is easy to restore. Microsoft keeps the service running and keeps deleted items in a recycle bin for a limited time, but that does not always protect you from accidental deletion discovered months later, staff mistakes, ransomware or a compromised account that empties a mailbox on purpose.
A separate Microsoft 365 backup gives you another way to recover emails, files and important business information.
What to do
- Use a dedicated backup service for Microsoft 365.
- Back up email, OneDrive, SharePoint and Teams data.
- Test restores so you know the backup works.
- Keep backups protected from normal user accounts.
8. Remove old users and unused accounts
Old accounts are easy to forget, especially when staff leave or contractors finish a job. Unfortunately, criminals like forgotten accounts because they may have weak passwords, no MFA and no one watching them.
Every account should have a clear owner and purpose. If it is no longer needed, it should be disabled or removed properly.
What to do
- Disable accounts as soon as someone leaves the business, and sign the user out of all sessions. Disabling stops new sign-ins, but apps already signed in on a phone or laptop can keep working for a short while.
- Transfer important email and files before deleting accounts.
- Remove unused shared mailboxes and test accounts.
- Review your user list at least every few months.
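The regular review in the last point is easy to skip when it is a manual job, so here it is as a script: it lists enabled staff accounts that have not signed in for 90 days and, only when you ask it to, disables them and ends their sessions. It is an added example written for this checklist, not code from the original article. It assumes the Microsoft Graph PowerShell SDK and an Entra ID P1 licence on the tenant, which is what reading last-sign-in dates requires; the 90-day threshold is an assumption.

```powershell
# Added example (not from the original article): find enabled accounts with no sign-in for
# 90 days and, when run with -Apply, disable them and end their open sessions.
# Assumes the Microsoft Graph PowerShell SDK; reading signInActivity needs an Entra ID P1
# licence on the tenant. Run without -Apply first and check the list.
param([switch]$Apply, [int]$InactiveDays = 90)

Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)

$stale = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property "id,displayName,userPrincipalName,userType,createdDateTime,signInActivity" |
    Where-Object {
        # Guests are handled under file sharing; this pass is for staff accounts.
        if ($_.UserType -ne 'Member') { return $false }
        $last = $_.SignInActivity.LastSignInDateTime
        # No sign-in on record at all: fall back to the creation date, so a brand-new
        # account is left alone but one created a year ago and never used is caught.
        if (-not $last) { $last = $_.CreatedDateTime }
        $last -and $last -lt $cutoff
    }

"--- Enabled accounts with no sign-in since $($cutoff.ToString('yyyy-MM-dd')) ---"
$stale | Select-Object DisplayName, UserPrincipalName,
    @{n='LastSignIn'; e={ $_.SignInActivity.LastSignInDateTime }}, CreatedDateTime |
    Sort-Object LastSignIn | Format-Table -AutoSize

if (-not $Apply) {
    "Dry run: $(@($stale).Count) account(s) would be disabled. Re-run with -Apply to act."
    return
}

foreach ($u in $stale) {
    # Disabling stops new sign-ins; revoking sessions invalidates the refresh tokens that
    # mail clients and mobile apps already hold, so existing access ends as well.
    Update-MgUser -UserId $u.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $u.Id | Out-Null
    "Disabled and signed out: $($u.UserPrincipalName)"
}
```

Shared mailboxes, meeting-room accounts and the like never sign in interactively, so they will appear in the dry-run list; that is useful (it is the "remove unused shared mailboxes and test accounts" point), but confirm each one before applying. Disabling keeps the mailbox and files for the handover described above; delete the account only after that is done.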
9. Secure phones, laptops and tablets
Microsoft 365 is often accessed from mobiles, home computers and laptops used on the road. If a device is lost or stolen, business data may be exposed.
You do not need to make work difficult for staff, but you do need basic rules for devices that access company email and files.
What to do
- Require a screen lock on all devices.
- Keep devices updated.
- Use antivirus protection on computers.
- Have a process to remove company data from lost or stolen devices.
- Avoid letting staff access business files from unmanaged shared computers.
10. Train staff on what to watch for
Security settings are important, but people still play a major role. A well-trained staff member can stop a scam before it causes damage.
Training does not need to be complicated. Short, regular reminders are often better than one long session that everyone forgets.
What to do
- Teach staff how to spot fake Microsoft login pages.
- Explain the risks of unexpected attachments and links.
- Use a simple reporting process for suspicious emails.
- Make it safe for staff to ask questions without feeling embarrassed.
11. Review your Microsoft 365 licences
Different Microsoft 365 plans include different security features. Some businesses are paying for tools they do not use, while others are missing important protections because they are on the wrong plan.
A licence review can help you understand what you already have and what may be worth changing.
What to do
- Check which Microsoft 365 plan each user has.
- Remove licences for old users.
- Confirm whether your plan includes the security features your business needs.
- Get advice before upgrading, so you do not pay for features you will not use.
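Two parts of a licence review are easy to automate: seats you are paying for but not using, and licences still assigned to disabled accounts. The script below is an added example written for this checklist, not code from the original article. It assumes the Microsoft Graph PowerShell SDK; the one address in the comment at the end is a placeholder.

```powershell
# Added example (not from the original article): show unused seats per plan and licences
# still assigned to disabled accounts. Assumes the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "Organization.Read.All", "User.Read.All" -NoWelcome

# 1. Purchased vs used seats per plan. SkuPartNumber is Microsoft's internal plan name
#    (e.g. O365_BUSINESS_PREMIUM is Microsoft 365 Business Standard, SPB is Business Premium).
$skus = Get-MgSubscribedSku
"--- Seats purchased vs used ---"
$skus | Select-Object SkuPartNumber,
    @{n='Purchased'; e={ $_.PrepaidUnits.Enabled }},
    @{n='Used';      e={ $_.ConsumedUnits }},
    @{n='Unused';    e={ $_.PrepaidUnits.Enabled - $_.ConsumedUnits }} |
    Sort-Object Unused -Descending | Format-Table -AutoSize

# 2. Licences on disabled accounts: people who have left but are still being paid for.
$skuName = @{}
foreach ($s in $skus) { $skuName[$s.SkuId] = $s.SkuPartNumber }

"--- Disabled accounts that still hold licences ---"
$disabledLicensed = Get-MgUser -All -Filter "accountEnabled eq false" `
    -Property "id,displayName,userPrincipalName,assignedLicenses" |
    Where-Object { @($_.AssignedLicenses).Count -gt 0 }
$disabledLicensed | Select-Object DisplayName, UserPrincipalName,
    @{n='Licences'; e={ ($_.AssignedLicenses | ForEach-Object { $skuName[$_.SkuId] }) -join ', ' }} |
    Format-Table -AutoSize

# 3. Freeing a licence. Do the handover first: converting the mailbox to a shared mailbox
#    keeps the mail readable without a licence (shared mailboxes under 50 GB need none).
#    Then remove every SKU the account holds. Uncomment after checking the list above.
# foreach ($u in $disabledLicensed) {
#     $remove = @($u.AssignedLicenses | ForEach-Object { $_.SkuId })
#     Set-MgUserLicense -UserId $u.Id -RemoveLicenses $remove -AddLicenses @()
#     "Removed $($remove.Count) licence(s) from $($u.UserPrincipalName)"
# }
```

Run the first table before your renewal date: the Unused column is money you can stop spending, or seats you could put towards a plan that includes the protections sections 5 and 6 rely on. The second table is the hidden cost of skipping section 8.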
A simple checklist is better than no plan
You do not need to fix everything in one day. Start with the biggest risks: turn on MFA, secure admin accounts, remove old users and back up your Microsoft 365 data.
From there, work through email protection, file sharing, device security and staff training. Small improvements made consistently can greatly reduce your risk of a costly incident.
Need help checking your Microsoft 365 security?
If you are not sure whether your Microsoft 365 setup is secure, JCPIT Support can help. We work with small Australian businesses and explain the risks in plain English, without the scare tactics.
Book a free security check with JCPIT Support and we will review the key areas of your Microsoft 365 environment, highlight practical improvements and help you understand what to do next.