In January 2024, Microsoft itself disclosed that the Russian state group Midnight Blizzard had been reading executive mailboxes for weeks. The entry point wasn't a zero-day. It was a forgotten non-production tenant where a test account had no MFA, paired with a legacy OAuth application that had been granted far more access than it needed. Two settings. The same two settings most small businesses also miss.
You don't run a nation-state target, but you run the same software they do. Microsoft blocks roughly 7,000 password attacks per second, and more than 99% of identity attacks the company sees are still password-based (Microsoft Digital Defense Report 2024). Phishing-resistant MFA stops over 99% of those attacks even when the attacker already has the correct password. The fix is not complex; it is an easy configuration change.
If one or more of these controls had been in place, Midnight Blizzard would have failed at the front door. The same is true of almost every small-business tenant compromise we see.
Below are twelve settings to change in your Microsoft 365 tenant this week. Each one has a path, a recommended state, and a sentence or two of why it matters. Together they cover roughly the same ground as the CISA SCuBA M365 baselines and the CIS Microsoft 365 Foundations Benchmark.
Identity and access
Identity is the perimeter. If a stolen password from a 2019 LinkedIn breach can sign into your tenant tonight, nothing else on this list matters very much. The first four settings shut that door.
1. Block legacy authentication
In Entra, go to Protection, then Conditional Access, and either enable Security Defaults or create a policy that explicitly blocks legacy authentication clients. Many older tenants still have SMTP AUTH enabled per-tenant. Legacy protocols (POP, IMAP, SMTP AUTH, basic Exchange ActiveSync) cannot enforce MFA at all, so a leaked password is a valid login. Midnight Blizzard's first foothold was a password spray against exactly this kind of legacy account.
2. Enforce MFA on every user
For Business Standard, the simplest path is Entra, then Identity, then Properties, then Manage Security Defaults, and confirm it's on. For Business Premium, replace Security Defaults with a Conditional Access policy that requires MFA for all users. Tenants created after late 2019 usually have Security Defaults on, but tenants migrated from older licenses often have it off. As of February 2026, Microsoft enforces mandatory MFA on admin center sign-ins for every tenant. The rest of your users should be there years ahead of any future deadline. Full details for the configuration are available here.
3. Require phishing-resistant MFA for admins
Warning: make sure you read the full details before enabling this to prevent account lockouts.
In Entra, open Entra ID, then Authentication methods, then Policies, and enable FIDO2 / passkey methods. Then create a Conditional Access policy with authentication strength set to "Phishing-resistant MFA," scoped to all directory roles. By default, any MFA method is accepted, including SMS and app push. Adversary-in-the-middle phishing kits routinely steal app push tokens through a reverse proxy. A hardware security key or platform passkey cannot be replayed, because the credential is bound to the legitimate domain. More details at Microsoft.
4. Restrict user consent to apps
In Entra, go to Entra ID, then Enterprise apps, then Consent and permissions. Microsoft has been tightening defaults toward "verified publishers and low-impact permissions only," but older tenants are often still wide open — don't assume yours has been migrated. Set it explicitly. A single phishing email asking a user to "allow this app to read your mail" can grant the attacker permanent OAuth access to mailbox, files, and Teams, without ever needing the password. That's how Midnight Blizzard turned its initial foothold into months of mail access.
Email security
Email is still the entry point for nearly every business compromise we respond to. The next four settings cover the high-leverage email controls that small businesses most often leave at default.
5. Block automatic external email forwarding
In the Microsoft Defender (Security) portal, go to Email and Collaboration, Policies & Rules, Threat policies, then Anti-spam, then the Outbound spam policy, and set "Automatic forwarding rules" to Off. The default is "Automatic - System-controlled," which does not guarantee that forwarding is blocked. Setting it to Off enforces the block. The standard business email compromise playbook is to take over a mailbox, create a hidden inbox rule that forwards anything containing "invoice" or "wire" to an outside address, and wait quietly for a vendor payment (Microsoft Learn). This single change closes the exfil path.
6. Set DMARC to quarantine or reject
This one lives in DNS, not in the admin center. Add a TXT record on _dmarc.yourdomain.com. Most small business tenants have no record at all, or p=none, which only monitors. Move to p=quarantine after a short monitoring period, then to p=reject. SPF and DKIM are prerequisites; DMARC is what tells receiving servers to actually enforce them. Without it, anyone on the internet can spoof your domain to your customers, your suppliers, and your own employees. More information on DMARC here.
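The DMARC check described above, written out as an added PowerShell example (not code from the original post). It uses the built-in Resolve-DnsName cmdlet from the Windows DnsClient module to fetch the _dmarc TXT record, parses the tags, and reports whether the policy actually enforces (p=quarantine or p=reject at pct=100) or only monitors. The domain name and the report address in the suggested record are placeholders.

```powershell
# Added example: assess a domain's DMARC record. Domain and report address are placeholders.

function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    # DMARC is published as a TXT record at _dmarc.<domain>
    $answers = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    # A TXT record may be split into several strings on the wire; join them back together
    $txt = $answers | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { -join $_.Strings }
    return ($txt | Where-Object { $_ -match '^\s*v=DMARC1' } | Select-Object -First 1)
}

function ConvertFrom-DmarcRecord {
    param([string]$Record)
    # Tags are "key=value" pairs separated by semicolons, e.g. "v=DMARC1; p=reject; rua=mailto:..."
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        if ($part -match '^\s*([a-z]+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    return $tags
}

function Test-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    $record = Get-DmarcRecord -Domain $Domain
    if (-not $record) {
        return [pscustomobject]@{ Domain = $Domain; Policy = '(none)'; Percent = 0; Enforcing = $false
                                  Finding = 'No DMARC record: receivers will not enforce SPF/DKIM for this domain' }
    }
    $tags = ConvertFrom-DmarcRecord -Record $record
    $p   = if ($tags.ContainsKey('p'))   { $tags['p'] }        else { 'missing' }
    $pct = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }   # pct defaults to 100
    $enforcing = ($p -in 'quarantine','reject') -and ($pct -eq 100)
    $finding = switch ($p) {
        'none'       { 'p=none only monitors; move to quarantine, then reject' }
        'quarantine' { if ($pct -lt 100) { "pct=$pct: only part of failing mail is filtered" } else { 'Good; plan the move to p=reject' } }
        'reject'     { if ($pct -lt 100) { "pct=$pct: only part of failing mail is rejected" } else { 'Enforcing' } }
        default      { "Unrecognised or missing policy tag '$p'" }
    }
    if (-not $tags.ContainsKey('rua')) { $finding += '; no rua= address, so you receive no aggregate reports' }
    [pscustomobject]@{ Domain = $Domain; Policy = $p; Percent = $pct; Enforcing = $enforcing; Finding = $finding }
}

# Usage: check your own domain. The end state to publish at _dmarc.yourdomain.com once SPF and
# DKIM pass for all legitimate senders (placeholder report address):
#   v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Test-DmarcPolicy -Domain 'yourdomain.com' | Format-List
```

Run it against your own domain first, then against the domains of the vendors who send you invoices; a supplier with no DMARC record is the one whose name will be spoofed in the next payment-diversion email.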
7. Turn on the Defender Standard preset
In the Defender (Security) portal, go to Email and Collaboration, Policies & Rules, Threat policies, then Preset security policies, and enable Standard protection for all users. By default, only "Built-in protection" is on, which is a passive scan. The Standard preset bundles Safe Links, Safe Attachments, and impersonation protection together. It detonates attachments in a sandbox before delivery and rewrites every URL so that links weaponized after the email lands are still checked at the moment the user clicks. That click-time check is the part that matters. Full details on Preset Security policies.
8. Configure anti-phishing impersonation protection for execs
In the Defender portal, go to Email and Collaboration, Policies & Rules, Threat policies, then Anti-phishing, and edit the Default policy. Spoof intelligence is on by default; just verify that it is. Per-user impersonation protection is off, so click on the Tenant Allow/Block List Spoofing Page link and add the CEO, the CFO, and anyone in finance or accounts payable as protected users. Confirm mailbox intelligence and spoof intelligence are both enabled. This is the control that catches the "Hi, this is the CEO, can you grab some gift cards before the board meeting?" message before it reaches the inbox at all. Full details on the configuration options at Microsoft.
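Settings 5 and 8 applied from Exchange Online PowerShell, as an added example that is not part of the original post. It sets the outbound spam policy to block automatic forwarding, enables targeted-user impersonation protection in the default anti-phishing policy, and then hunts for forwarding that was configured before the policy was tightened, because a policy change stops new forwarding but does not remove rules an attacker already left behind. The ExchangeOnlineManagement module is assumed; the admin UPN, protected names and addresses are placeholders.

```powershell
# Added example: apply settings 5 and 8 and hunt for pre-existing forwarding. Placeholders throughout.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@yourdomain.com'

# --- 5. Block automatic external forwarding. Default is 'Automatic'; 'Off' is the enforced state ---
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off

# --- 8. Protect named people and your own domain from impersonation in the default policy ---
# TargetedUsersToProtect entries use the form "DisplayName;EmailAddress"
$protected = @(
    'Jane Doe;jane.doe@yourdomain.com',   # CEO (placeholder)
    'John Roe;john.roe@yourdomain.com',   # CFO (placeholder)
    'AP Team;ap@yourdomain.com'           # accounts payable shared mailbox (placeholder)
)
Set-AntiPhishPolicy -Identity 'Office365 AntiPhish Default' `
    -EnableSpoofIntelligence $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protected `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect 'yourdomain.com'

# --- Hunt: forwarding that already exists survives the policy change and must be reviewed by hand ---
function Get-SuspiciousForwarding {
    $findings  = [System.Collections.Generic.List[object]]::new()
    $mailboxes = Get-Mailbox -ResultSize Unlimited
    foreach ($mbx in $mailboxes) {
        # Mailbox-level forwarding (Set-Mailbox -ForwardingSmtpAddress), usually set with admin rights
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Kind = 'MailboxForwarding'
                Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"; Rule = '(mailbox property)'
            })
        }
        # Inbox rules that forward or redirect; BEC rules typically filter on invoice/payment/wire
        $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
        foreach ($r in $rules) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Kind = 'InboxRule'
                Target  = (@($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }) -join ', '
                Rule    = "$($r.Name) [enabled=$($r.Enabled)] words: $($r.SubjectOrBodyContainsWords -join ',')"
            })
        }
    }
    return $findings
}

Get-SuspiciousForwarding | Format-Table -AutoSize
```

Treat every InboxRule finding whose target is outside your domain as an incident until a human confirms it; a rule named with a single space or a dot, or one that also deletes or marks messages as read, is the classic BEC signature.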
Data and visibility
The first eight settings keep attackers out. The last four limit the blast radius if one slips through, and make sure you can see what happened.
9. Restrict SharePoint and OneDrive external sharing
In the SharePoint admin center, go to Policies, then Sharing. The default for SharePoint is "Anyone," which produces unauthenticated links that anyone with the URL can open. Move it to "New and existing guests" or stricter, set the default link type to "Specific people," and set the default permission to "View." "Anyone" links are public URLs. They get indexed, screenshotted, and forwarded, and once a copy of the link is in the wild you cannot revoke it. See this Microsoft document on configuring the sharing settings.
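The same change made from the SharePoint Online Management Shell, as an added example rather than code from the original post. It reads the current tenant-wide values, warns if "Anyone" links are allowed, applies the recommended state, and then lists any sites that are still individually set to "Anyone". The Microsoft.Online.SharePoint.PowerShell module is assumed and 'yourtenant' is a placeholder.

```powershell
# Added example: tighten tenant-wide sharing to the state described in setting 9. Placeholder tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://yourtenant-admin.sharepoint.com'

# Current state, for the change record
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
$before

# SharingCapability values, loosest to strictest:
#   ExternalUserAndGuestSharing     = "Anyone" (unauthenticated links)
#   ExternalUserSharingOnly         = "New and existing guests"
#   ExistingExternalUserSharingOnly = "Existing guests"
#   Disabled                        = "Only people in your organization"
if ($before.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning "Tenant currently allows 'Anyone' links; existing links stay valid until the change lands"
}

# DefaultSharingLinkType Direct = "Specific people"; DefaultLinkPermission View = read-only by default
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# Confirm
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Site-level settings can be stricter than the tenant but not looser; list sites still configured for 'Anyone'
# so you know where public links were being minted before today
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```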
10. Verify mailbox audit logging is on
In PowerShell, run Get-OrganizationConfig and confirm AuditDisabled is False. Next, go to Purview, navigate to Solutions, then Audit. You should land on the Audit search page; if the audit search loads normally, then Unified audit logging is enabled. If you see a banner or message asking you to turn on auditing, it is not enabled. If you have the ability to do so, upgrade to Microsoft 365 E5, which will come with Audit (Premium). That will increase your log retention out to 365 days from the standard 90 days. If you don't have logs, you can't answer the only question that matters after an incident: what did the attacker read or download? Your cyber-insurance carrier will ask, and "we don't know" is an expensive answer. More information on audit logging here.
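The verification above, plus the two audit-log searches you will actually run after an incident, as an added Exchange Online PowerShell example (not code from the original post). It checks the org-wide audit switch, the unified audit log ingestion flag that the Purview banner reflects, any mailboxes with auditing switched off, and then queries the unified audit log for what a given mailbox read or downloaded and for persistence left behind (inbox rules, forwarding, app consent). The admin and victim UPNs and the date window are placeholders; which operations are recorded depends on your audit licence.

```powershell
# Added example: verify audit logging and run the two post-incident searches. Placeholder UPNs and dates.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@yourdomain.com'

# Org-wide switch from the section above: AuditDisabled must be False
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled org-wide (AuditDisabled = True)'
} else {
    'Mailbox auditing is on by default (AuditDisabled = False)'
}

# Unified audit log ingestion: the same flag the Purview Audit page banner is reporting on
$ual = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
"Unified audit log ingestion enabled: $ual"

# Mailboxes that have auditing explicitly switched off, and how long their entries are kept
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

$start = (Get-Date).AddDays(-30)   # search window (placeholder); stay inside your retention period
$end   = Get-Date

# Question 1 after an incident: what did the attacker read or download from this mailbox and OneDrive?
# MailItemsAccessed is the mailbox-read event; FileDownloaded / FileSyncDownloadedFull cover files.
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds 'victim@yourdomain.com' `
    -Operations MailItemsAccessed, FileDownloaded, FileSyncDownloadedFull -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, ObjectId |
    Sort-Object CreationTime

# Question 2: what persistence was left behind across the whole tenant?
# 'Consent to application.' (with the trailing period) is the Entra audit event for OAuth consent grants.
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox, 'Consent to application.' |
    Select-Object CreationDate, UserIds, Operations, @{ n = 'Detail'; e = { ($_.AuditData | ConvertFrom-Json).ObjectId } }
```

The value of running the first search today, before anything has happened, is that it tells you whether your licence actually records MailItemsAccessed; an empty result for an active mailbox means the question "what did they read?" will be unanswerable later.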
11. Restrict the number of Global Admins
This one is a quick and easy win. In Entra, go to Roles and audit the Global Administrator role; aim for one to two named accounts and move everyone else to lower-privilege roles. Don't use your daily-driver account for Global Administrator; instead create a new account and name it something like yourname-admin, or anything else you can easily identify. Every Global Admin is another phishing target who holds the keys to the kingdom, so having dedicated (and named) Global Admin accounts that don't read email is a great way to reduce your exposure to attacks and to audit Global Admin usage easily.
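A review of the Global Administrator role from Microsoft Graph PowerShell, added here as an example and not part of the original post. It lists the user members of the role, counts them against the one-to-two target above, and flags accounts that are licensed (and so most likely have a mailbox that reads email) or do not follow the dedicated "-admin" naming convention the section suggests. The Graph module names and scopes are real; the licence heuristic and the "-admin@" pattern are assumptions.

```powershell
# Added example: inventory Global Administrators and flag accounts that look like daily-driver users.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'Directory.Read.All'

function Get-GlobalAdminReview {
    # The activated directory role, looked up by name rather than by a hard-coded template id
    $role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    $accounts = foreach ($m in $members) {
        # Members can be users, groups or service principals; only user accounts are reviewed here
        if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $user = Get-MgUser -UserId $m.Id -Property 'userPrincipalName', 'displayName', 'accountEnabled', 'assignedLicenses'
        [pscustomobject]@{
            UserPrincipalName  = $user.UserPrincipalName
            Enabled            = $user.AccountEnabled
            # Heuristic (assumption): a licensed admin account usually has a mailbox, i.e. it reads email
            Licensed           = (@($user.AssignedLicenses).Count -gt 0)
            # Naming convention from the section above (assumption that it ends in -admin@)
            DedicatedAdminName = ($user.UserPrincipalName -match '-admin@')
        }
    }

    [pscustomobject]@{
        Count    = @($accounts).Count
        TooMany  = (@($accounts).Count -gt 2)
        Accounts = @($accounts)
    }
}

$review = Get-GlobalAdminReview
$review.Accounts | Format-Table -AutoSize
if ($review.TooMany) { Write-Warning "$($review.Count) Global Administrators; aim for one or two" }
$review.Accounts |
    Where-Object { $_.Licensed -or -not $_.DedicatedAdminName } |
    ForEach-Object { Write-Warning "$($_.UserPrincipalName): licensed or not a dedicated admin account" }
```

Keep the output with the date; when the number goes back up three months later because someone "just needed it for a migration", the earlier report is what shows the drift.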
12. Build a Conditional Access baseline
In Entra, open Identity Protection, then Conditional Access. Most small business tenants run on Microsoft-managed templates and nothing else. On Business Premium, build at minimum three policies: block legacy authentication, require MFA for sign-ins from outside trusted locations, and require a compliant or hybrid Entra-joined device for access to SharePoint and Exchange. Conditional Access is the policy engine that turns "I have the password" into "and I'm on a known device, in a known place, at a sane hour." It is what stops a correct password, used from a brand-new device in a brand-new country at 3 a.m., from being a successful login. More information on these settings at Microsoft.
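The Conditional Access baseline from settings 1, 2, 3 and 12 built with Microsoft Graph PowerShell, as an added example that is not code from the original post. Every policy is created in report-only mode so sign-in logs can be reviewed before anything is enforced, a break-glass account is excluded from all of them, and the phishing-resistant authentication strength and admin role ids are looked up by name rather than hard-coded. The break-glass UPN, policy names, the list of admin roles, and the use of the Office 365 app group to cover Exchange and SharePoint are assumptions; the trusted-locations MFA policy from setting 12 is omitted because it needs a named location defined first.

```powershell
# Added example: create the CA baseline in report-only mode. Break-glass UPN and role list are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'Directory.Read.All'

$breakGlass = (Get-MgUser -UserId 'breakglass@yourdomain.com').Id   # emergency account, excluded from every policy
$reportOnly = 'enabledForReportingButNotEnforced'                    # change to 'enabled' after reviewing sign-in logs

# Built-in "Phishing-resistant MFA" authentication strength, found by name
$phishResistant = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq 'Phishing-resistant MFA'

# Directory roles covered by setting 3 (starting list; extend to every privileged role you use)
$adminRoleIds = Get-MgDirectoryRoleTemplate | Where-Object {
    $_.DisplayName -in 'Global Administrator', 'Privileged Role Administrator', 'Exchange Administrator',
                       'SharePoint Administrator', 'Security Administrator', 'Conditional Access Administrator'
} | Select-Object -ExpandProperty Id

$policies = @(
    @{  # 1. Block legacy authentication: client types that cannot perform MFA at all
        displayName   = 'BASE-01 Block legacy authentication'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{  # 2. Require MFA for every user on every application
        displayName   = 'BASE-02 Require MFA for all users'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{  # 3. Phishing-resistant MFA for admin roles (FIDO2/passkey methods must already be enabled)
        displayName   = 'BASE-03 Phishing-resistant MFA for admins'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeRoles = @($adminRoleIds); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; authenticationStrength = @{ id = $phishResistant.Id } }
    },
    @{  # 12. Compliant or hybrid-joined device for Office 365 (the app group that includes Exchange and SharePoint)
        displayName   = 'BASE-12 Require managed device for Exchange and SharePoint'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
            applications   = @{ includeApplications = @('Office365') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0,-60} {1}' -f $created.DisplayName, $created.State
}
```

Leave the policies in report-only for a week, check the Conditional Access insights for who would have been blocked, then flip state to enabled one policy at a time; the break-glass exclusion is what keeps a mistake in BASE-03 from locking every admin out of the tenant that holds the fix.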
What we'd actually do this week
If you only have a few hours before next Monday, do these four things, in this order:
- Turn on Security Defaults if you don't already have a Conditional Access policy in place. If you do have CA policies, audit them and confirm legacy auth is blocked and MFA is required for everyone.
- Reduce the number of admin accounts and move to dedicated named Global Admin accounts.
- Move every admin onto a hardware security key or passkey within seven days. Order YubiKeys this afternoon. Hand them out tomorrow. Admin accounts are the highest-leverage target in your tenant; SMS and app-push MFA are no longer enough.
- Block automatic external forwarding in the outbound spam policy. Five minutes in the Defender portal. It eliminates the single most common business email compromise exfil path.
The other eight settings matter, and most of them take less than ten minutes each. But if a ransomware crew or a BEC operator picks your tenant tomorrow morning, those four are what we want already in place.
If you'd rather have someone else run through all twelve on your tenant and hand you a concise report with screenshots and a remediation plan, we can help you with that. No obligation, no long sales cycle. Drop us a line and we'll set up a short call. Happy to talk it through.