Increase threat protection for Microsoft 365 for business

Check out all of our small business content on Small business help & learning.

Applies to

  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium

Check out Microsoft 365 small business help on YouTube.

This article is for small businesses that have a Microsoft 365 subscription and suggests top tasks to increase protection against phishing, malware, and other threats. These recommendations are also appropriate for organizations with an increased need for security, like law offices and health care clinics.

Before you begin, note your current Microsoft Secure Score. The goal isn't to achieve the maximum score, but to be aware of opportunities to protect your small organization that don't negatively affect productivity for your users. Microsoft Secure Score analyzes your organization's security based on your regular activities and security settings, and assigns a score. To increase your score, complete the actions recommended in this article.

For more information, see Microsoft Secure Score.

For additional details about securing data and managed devices in Microsoft 365 Business Premium, see Microsoft 365 for business security best practices.

Top tasks to make sure your subscription is secure

| Step | Task | Description |
|---|---|---|
| 1 | Use multifactor authentication | Multifactor authentication (MFA), also known as two-step verification, requires members of your organization to use a code or authentication app on their phone to sign into Microsoft 365. It's a critical first step to protecting your business data. Using MFA can prevent hackers who learn your password from taking over. See Turn on multifactor authentication. |
| 2 | Protect your administrator accounts | Administrator accounts (used by people called "admins") have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the appropriate number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs. See Protect your administrator accounts. |
| 3 | Use preset security policies | Your subscription includes preset security policies that use recommended settings for anti-spam, anti-malware, and anti-phishing protection. Set your policies in the Microsoft Defender portal to at least Standard protection. See Protect against malware and other cyberthreats. |
| 4 | Protect all devices | Every device is a possible attack avenue into your network and must be configured properly, even devices that are owned personally but also used for work. See these articles: Help users set up MFA; Protect unmanaged Windows and Mac devices; Secure managed devices (requires Microsoft 365 Business Premium or Microsoft Defender for Business). |
| 5 | Adjust sharing settings for SharePoint and OneDrive files and folders | Default sharing settings for SharePoint and OneDrive are set to the most permissive level, which might be a more permissive level than you should use. We recommend reviewing, and if necessary changing, the settings to better protect your business. Grant members of your organization only the access they need to do their jobs. See Adjust sharing settings for SharePoint and OneDrive files and folders. |
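
An added example, not part of the original article and not Microsoft's own code: a PowerShell check for step 5 that flags tenant-wide SharePoint and OneDrive sharing settings more permissive than a chosen ceiling. The function name `Test-SharingPosture`, the `MaxAllowed` ceiling, and the sample object are assumptions; the property names and values are the ones `Get-SPOTenant` returns in the SharePoint Online Management Shell.

```powershell
# Rank of SharingCapability values, least to most permissive.
$SharingRank = @{
    'Disabled'                        = 0   # no external sharing
    'ExistingExternalUserSharingOnly' = 1   # only guests already in the directory
    'ExternalUserSharingOnly'         = 2   # new guests, sign-in required
    'ExternalUserAndGuestSharing'     = 3   # "Anyone" links, no sign-in required
}

function Test-SharingPosture {
    param(
        [Parameter(Mandatory)] $Tenant,
        # Hypothetical policy ceiling; pick the level your business needs.
        [string] $MaxAllowed = 'ExternalUserSharingOnly'
    )
    $findings = @()
    foreach ($prop in 'SharingCapability', 'OneDriveSharingCapability') {
        $value = [string]$Tenant.$prop
        if (-not $SharingRank.ContainsKey($value)) {
            $findings += "${prop}: unrecognized value '$value', review manually"
        } elseif ($SharingRank[$value] -gt $SharingRank[$MaxAllowed]) {
            $findings += "${prop} is '$value', more permissive than '$MaxAllowed'"
        }
    }
    # A default link type of AnonymousAccess makes every new link an Anyone link.
    if ([string]$Tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
        $findings += "DefaultSharingLinkType is 'AnonymousAccess'; prefer 'Internal' or 'Direct'"
    }
    $findings
}

# Constructed sample standing in for Get-SPOTenant output (not real tenant data).
$sample = [pscustomobject]@{
    SharingCapability         = 'ExternalUserAndGuestSharing'
    OneDriveSharingCapability = 'ExternalUserSharingOnly'
    DefaultSharingLinkType    = 'AnonymousAccess'
}
@(Test-SharingPosture -Tenant $sample) | ForEach-Object { "FINDING: $_" }

# Against a live tenant (SharePoint Online Management Shell, admin role required):
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   Test-SharingPosture -Tenant (Get-SPOTenant)
```

An empty result means every checked setting is at or below the ceiling. Site-level sharing can be stricter than the tenant setting, so this covers only the organization-wide values.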

Top 10 ways to secure your business data