Microsoft 365 – Securing your firm checklist

We were at our industry conference the other week, and story after story about small businesses getting hacked through Business Email Compromise (BEC) was the lunchtime chatter. Most of the conversations revolved around small business owners still thinking ‘We’re too small for hackers.’

If you’re running on Outlook, Teams, and OneDrive, you’re a target, and the good news is that you already have powerful security tools built in. Christo IT has standardized our clients on Microsoft 365 Business Premium because of the security features bundled into it: Microsoft Entra ID P1 (which unlocks Conditional Access), Intune for device management, and Microsoft Defender for Office 365 Plan 1 for mail and link protection.

I’ve been saying for years, “We can be safer online…together.” With that in mind, here is a checklist you can use to make your firm a little more secure today. IF YOU DON’T FEEL COMFORTABLE WITH THESE STEPS, PLEASE CONTACT AN IT PROFESSIONAL. (📞 Call Christo IT at (215) 256-7901)

1. Multi-Factor Authentication (MFA)

Why it matters: Microsoft’s own data shows MFA blocks more than 99.9% of automated account-compromise attacks, because a second verification step is required beyond the password. Without it, a stolen or phished password is all an attacker needs. It is not a silver bullet: attacker-in-the-middle phishing kits and “MFA fatigue” push spam can still get through, which is why number matching in the Authenticator app and, where you can, phishing-resistant methods (Windows Hello for Business, FIDO2 keys) matter.
Action Steps:
  • Quickest route: turn on Security defaults (Microsoft Entra admin center → Identity → Overview → Properties → Manage security defaults). This forces MFA registration for every user and blocks legacy authentication, but it cannot be combined with Conditional Access.
  • Better on Business Premium: leave Security defaults off and require MFA through a Conditional Access policy (step 2), so you can phase the rollout and exclude a break-glass account. The older per-user MFA page (Microsoft 365 admin center → Users → Active users → Multi-factor authentication) still works but is harder to manage.
  • Enable MFA for all users, not just admins.
  • Use the Microsoft Authenticator app (push notification with number matching) rather than SMS or voice calls, which can be defeated by SIM swapping.
  • Communicate the change to staff before rollout to avoid confusion, and keep one emergency “break-glass” admin account with a long, vaulted password excluded from the policy so you cannot lock yourself out.
2. Conditional Access Policies
Why it matters: Conditional Access evaluates every sign-in against conditions (which user, which device, which location, which app) and then requires MFA, requires a managed device, or blocks the sign-in outright. It’s like a bouncer for your Microsoft 365 environment. Business Premium includes Microsoft Entra ID P1, the licence Conditional Access needs.
Action Steps:
  • In the Microsoft Entra admin center → Protection → Conditional Access, create policies that:
    • Require MFA for all users on all cloud apps. A blanket policy is simpler and safer than only requiring MFA from outside your country, because a location rule is trivially dodged with a VPN; blocking countries you never operate from (via Named locations) is a useful extra layer, not a replacement.
    • Block access from devices that aren’t Intune-compliant or Entra-registered. Business Premium includes Intune; enroll the devices first or this policy locks everyone out.
  • Apply policies to all users, especially admins, but exclude the break-glass account.
  • Create each policy in Report-only mode first, review the sign-in log for what would have been blocked, then switch it to On.
3. Microsoft Defender for Office 365 (Safe Links & Safe Attachments)
Why it matters: Phishing emails and malicious attachments are the most common way attackers get in. Defender for Office 365 (Plan 1 is included in Business Premium) rewrites links and checks them again at click time, and detonates attachments in a sandbox before they reach the inbox.
Action Steps:
  • Go to the Microsoft Defender portal (security.microsoft.com) → Email & collaboration → Policies & rules → Threat policies. (The old Security & Compliance Center → Threat Management path has been retired.)
  • Easiest option: under Preset security policies, turn on the Standard (or Strict) policy for all users; it configures Safe Links and Safe Attachments with Microsoft’s recommended settings.
  • If you configure them by hand instead: turn on Safe Links for email, Teams messages, and Office apps, and disable “let users click through to the original URL.”
  • Enable Safe Attachments with the Block action so suspicious files are detonated in a sandbox before delivery, and also turn on Safe Attachments for SharePoint, OneDrive, and Teams.
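The same Safe Links and Safe Attachments settings can be applied from Exchange Online PowerShell, which is handy when you manage several tenants. The script below is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module, a Defender for Office 365 licence, and uses “contoso.com” as a placeholder for your verified domain. Parameter names follow the current cmdlet documentation; confirm them with Get-Help before running, since Microsoft revises these cmdlets.

```powershell
# Added example: configure Safe Links and Safe Attachments with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and a Defender for Office 365 Plan 1/2 licence.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # sign in with an account that holds the Security Administrator role

$Domain = "contoso.com"   # placeholder: replace with your verified tenant domain

# --- Safe Links ------------------------------------------------------------
$safeLinks = @{
    Name                     = "Firm Safe Links"
    EnableSafeLinksForEmail  = $true    # rewrite links in mail and re-check them at click time
    EnableSafeLinksForTeams  = $true    # links pasted into Teams chats and channels
    EnableSafeLinksForOffice = $true    # links opened from Word/Excel/PowerPoint
    ScanUrls                 = $true    # scan URLs at delivery...
    DeliverMessageAfterScan  = $true    # ...and hold the message until that scan completes
    EnableForInternalSenders = $true    # internal mail too: a compromised mailbox sends "internal" phish
    TrackClicks              = $true    # keep click telemetry for incident response
    AllowClickThrough        = $false   # users cannot bypass the warning page
}
if (-not (Get-SafeLinksPolicy -Identity $safeLinks.Name -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy @safeLinks
    # A policy applies to nobody until a rule scopes it to recipients.
    New-SafeLinksRule -Name "Firm Safe Links rule" -SafeLinksPolicy $safeLinks.Name -RecipientDomainIs $Domain
}

# --- Safe Attachments ------------------------------------------------------
$safeAttach = @{
    Name          = "Firm Safe Attachments"
    Enable        = $true
    Action        = "Block"                  # quarantine the message if detonation finds malware
    Redirect      = $false                   # do not forward detected malware anywhere
    QuarantineTag = "AdminOnlyAccessPolicy"  # users cannot release malware themselves
}
if (-not (Get-SafeAttachmentPolicy -Identity $safeAttach.Name -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy @safeAttach
    New-SafeAttachmentRule -Name "Firm Safe Attachments rule" -SafeAttachmentPolicy $safeAttach.Name -RecipientDomainIs $Domain
}

# Files uploaded to SharePoint, OneDrive and Teams get detonated as well.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# --- Verify ----------------------------------------------------------------
Get-SafeLinksPolicy      | Format-List Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice, AllowClickThrough
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action, QuarantineTag
Get-SafeLinksRule        | Format-Table Name, State, SafeLinksPolicy, RecipientDomainIs -AutoSize
Get-SafeAttachmentRule   | Format-Table Name, State, SafeAttachmentPolicy, RecipientDomainIs -AutoSize
```

The existence checks make the script safe to re-run, and the final four lines are the evidence you keep for the file: a policy that exists but has no rule, or a rule whose State is Disabled, protects nobody.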
4. Disable Legacy Authentication
Why it matters: Basic authentication (username and password only) as used by old protocols like POP, IMAP, SMTP AUTH and older ActiveSync clients can’t prompt for MFA, so password-spray and credential-stuffing attacks walk straight past everything you set up in steps 1 and 2. Microsoft has switched basic authentication off for most Exchange Online protocols, but SMTP AUTH can still be enabled per tenant or per mailbox, and attackers look for it.
Action Steps:
  • Check first: in the Microsoft Entra admin center → Monitoring & health → Sign-in logs, filter Client app to “Other clients” and “Exchange ActiveSync” to see which users and apps still sign in with legacy protocols.
  • Confirm that all apps your team uses (scanners and printers that send mail, line-of-business apps, older mail clients) support modern authentication before disabling.
  • Block it with a Conditional Access policy: all users, all cloud apps, Client apps condition set to Exchange ActiveSync clients and Other clients, Grant set to Block. (Security defaults do this automatically if you chose them in step 1.)
  • Disable SMTP AUTH tenant-wide in the Exchange admin center → Settings → Mail flow, and re-enable it only on the specific mailboxes that truly need it.
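Steps 2 and 4 are the same mechanism, so here they are together: an added example (not code from the original post or from Microsoft) that creates the “require MFA for everyone” and “block legacy authentication” Conditional Access policies in report-only mode with Microsoft Graph PowerShell, pulls the last 30 days of sign-ins that used a legacy protocol, and then turns SMTP AUTH off at the Exchange layer. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an Entra ID P1 licence, and placeholder names for the break-glass account and the one scanner mailbox that still needs SMTP AUTH.

```powershell
# Added example: Conditional Access for MFA and legacy auth, plus a legacy-protocol check.
# Assumes Microsoft.Graph PowerShell, Entra ID P1 (in Business Premium) and placeholder UPNs.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All", "User.Read.All"

# Placeholder: your emergency-access account, excluded from every policy.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"

# Policy 1: require MFA for everyone, on every cloud app.
$requireMfa = @{
    DisplayName   = "CA001 - Require MFA for all users"
    State         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    Conditions    = @{
        Users        = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass.Id) }
        Applications = @{ IncludeApplications = @("All") }
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}

# Policy 2: block legacy authentication. Basic-auth clients never prompt for MFA,
# so without this policy they would silently bypass policy 1.
$blockLegacy = @{
    DisplayName   = "CA002 - Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass.Id) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")   # "other" = every non-modern-auth client
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}

foreach ($p in @($requireMfa, $blockLegacy)) {
    if (-not (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.DisplayName)'")) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
    }
}

# Who would CA002 break? Pull 30 days of sign-ins and keep the ones that did not
# come from a browser or a modern desktop/mobile app (IMAP4, POP3, Authenticated SMTP,
# Exchange ActiveSync, Other clients, ...). Filtering by date server-side keeps it fast.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
# Fix or migrate every line in that list before changing CA002's State to "enabled".

# Defence in depth: also switch SMTP AUTH off at the Exchange layer, then re-enable it
# only on the one mailbox (placeholder below) that a scanner or printer genuinely uses.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
Set-CASMailbox -Identity "scanner@contoso.com" -SmtpClientAuthenticationDisabled $false
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress   # the exception list you should be able to justify
```

Both policies are created in report-only mode on purpose: the Entra sign-in log then shows, per sign-in, what each policy would have done, and the grouped output above tells you exactly which user or device still speaks a legacy protocol. Only after that list is empty (or every entry is a known exception) should you flip the State to “enabled.”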
5. Secure Sharing Defaults in OneDrive & SharePoint
Why it matters: Default sharing settings often allow “Anyone with the link” access, meaning anyone who obtains the link (including the person it was forwarded to) can open the file without signing in. That’s a recipe for accidental data leaks.
Action Steps:
  • Go to the SharePoint admin center → Policies → Sharing (the Microsoft 365 Admin Center → Settings → Org Settings → SharePoint page links to the same place). OneDrive and SharePoint are governed together here.
  • Set the organization-level external sharing to “New and existing guests” (or “Existing guests”); this removes the “Anyone” option entirely.
  • Change the default link type to Specific people or People in your organization, and the default permission to View.
  • If you must keep “Anyone” links, make them expire (for example after 30 days) and limit them to View.
  • Train staff to avoid public links unless absolutely necessary.
  • BONUS: Christo IT likes to create one dedicated SharePoint site for external sharing and allow guest sharing only there, with every other site internal-only. It makes external sharing very “deliberate.”
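The tenant-wide defaults and the “one deliberate external site” pattern from the bonus tip can be set from the SharePoint Online Management Shell. This is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Online.SharePoint.PowerShell module and uses “contoso” as a placeholder tenant name and “/sites/ExternalSharing” as a placeholder site.

```powershell
# Added example: lock down sharing defaults, then allow guests on one site only.
# Assumes Microsoft.Online.SharePoint.PowerShell and placeholder tenant/site names.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Before: record the current state so you can roll back.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays

# Tenant-wide: guests must sign in (no "Anyone" links), new links default to
# "Specific people" and to read-only. The tenant setting is the ceiling: a site can
# only be as permissive as this, never more.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Set-SPOTenant -OneDriveSharingCapability ExternalUserSharingOnly
Set-SPOTenant -DefaultSharingLinkType Direct
Set-SPOTenant -DefaultLinkPermission View

# If the business insists on keeping Anyone links, at least make them short-lived and
# read-only (this requires SharingCapability ExternalUserAndGuestSharing instead):
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Deliberate external sharing: one site allows guests, every other site is internal-only.
# Warning: sites that already have guest members lose that access when set to Disabled,
# so review Get-SPOExternalUser output first.
$externalSite = "https://contoso.sharepoint.com/sites/ExternalSharing"   # placeholder
Set-SPOSite -Identity $externalSite -SharingCapability ExternalUserSharingOnly
Get-SPOSite -Limit All |
    Where-Object { $_.Url -ne $externalSite } |
    ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability Disabled }

# After: the only site that should read ExternalUserSharingOnly is the external one.
Get-SPOSite -Limit All | Select-Object Url, SharingCapability | Format-Table -AutoSize
```

Get-SPOSite without -IncludePersonalSite leaves users’ OneDrive libraries out of the loop; those are governed by the OneDriveSharingCapability line above. Run the “before” block and the Get-SPOExternalUser check in a change window, because switching existing sites to Disabled is immediate and the guests will notice.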
6. Admin Account Cleanup
Why it matters: Forgotten admin accounts with high privileges are a hacker’s dream: nobody watches them, they often have old or reused passwords, and one of them is enough to take over the whole tenant. If they’re not in use, they’re a risk.
Action Steps:
  • In the Microsoft Entra admin center → Roles & admins → Global Administrator, review every assignment. Microsoft recommends fewer than five Global Admins; most small firms need two, plus the break-glass account.
  • Remove old accounts, downgrade the rest to a least-privilege role (Exchange Administrator, User Administrator, Helpdesk Administrator) or convert them to standard users.
  • Give each remaining admin a separate, cloud-only admin account that is never used for email or daily work, and require MFA for all of them.
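Steps 1 and 6 both come down to “who is in the tenant, who is an admin, and who can actually answer an MFA prompt,” so one report covers both. The script below is an added example, not code from the original post or from Microsoft; it assumes the Microsoft.Graph module and an Entra ID P1 licence (the last-sign-in data needs it), and flags users with no MFA method, users whose only methods are phishable SMS/voice, and Global Administrators who have not signed in for 90 days.

```powershell
# Added example: identity hygiene report covering MFA registration (step 1) and Global
# Administrator review (step 6). Assumes Microsoft.Graph PowerShell and Entra ID P1.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "RoleManagement.Read.Directory", "User.Read.All"

# --- Step 1: who cannot satisfy an MFA prompt yet? --------------------------
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$notRegistered = @($reg | Where-Object { -not $_.IsMfaRegistered })
"{0} of {1} users have no MFA method registered" -f $notRegistered.Count, $reg.Count
$notRegistered |
    Sort-Object IsAdmin -Descending |        # admins without MFA float to the top
    Select-Object UserPrincipalName, IsAdmin, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# Registered, but only with SMS or voice: MFA-capable, yet vulnerable to SIM swapping.
$strong = 'microsoftAuthenticator|fido2|windowsHelloForBusiness|passKey'
$reg | Where-Object { $_.IsMfaRegistered -and -not ($_.MethodsRegistered -match $strong) } |
    Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# --- Step 6: who is a Global Administrator, and is the account still alive? --
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"   # fixed role template ID for Global Administrator
$gaRole  = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
$staleBefore = (Get-Date).AddDays(-90)

$report = foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users are expanded here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
        [pscustomobject]@{ UserPrincipalName = "(non-user member $($m.Id))"; Enabled = ''; LastSignIn = ''; MfaRegistered = ''; Flag = 'REVIEW: group or app holds Global Admin' }
        continue
    }
    $u    = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled, SignInActivity
    $last = $u.SignInActivity.LastSignInDateTime
    $mfa  = ($reg | Where-Object Id -eq $u.Id).IsMfaRegistered
    $flag = if (-not $last -or $last -lt $staleBefore) { 'STALE: remove or downgrade' }
            elseif (-not $mfa) { 'NO MFA' }
            else { '' }
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        LastSignIn        = $last
        MfaRegistered     = $mfa
        Flag              = $flag
    }
}
$report | Format-Table -AutoSize
"{0} Global Administrators (Microsoft recommends fewer than 5, each with MFA)" -f $members.Count
```

A break-glass account will show up as STALE by design, because it should never be used; note it as a known exception rather than removing it. Any non-user member of Global Administrator (a group or an app registration) deserves a closer look, since that is a path to tenant takeover that does not appear in the Users list at all.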
7. Enable Audit Logging
Why it matters: If something goes wrong, audit logs are how you trace what happened (which mailbox was accessed, which inbox rule was created, which files were downloaded) and respond fast. Without them, a BEC investigation is guesswork.
Action Steps:
  • Go to the Microsoft Purview portal → Audit. (The old Compliance Center → Audit Log Search page has moved here.)
  • Turn on auditing for your organization if the page prompts you to; most tenants created since 2019 already have it on. Business Premium includes Audit (Standard), which keeps 180 days of history.
  • Review logs regularly, and turn on the built-in alert policies in the Defender portal (Email & collaboration → Policies & rules → Alert policy) such as “Creation of forwarding/redirect rule” and “Suspicious email forwarding activity,” which are classic BEC signatures.
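To show what the audit log is actually for, here is the search an incident responder runs first in a BEC case: every new or changed inbox rule and forwarding setting in the last 30 days, with the ones that forward, redirect, delete or hide mail pulled out. This is an added example, not code from the original post or from Microsoft; it assumes the ExchangeOnlineManagement module and an account holding the Audit Logs (or View-Only Audit Logs) role.

```powershell
# Added example: confirm unified audit logging is on, then hunt for BEC-style inbox rules
# and forwarding changes. Assumes ExchangeOnlineManagement and the Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Is ingestion enabled? Most tenants created since 2019 already return True.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit log enabled; allow up to an hour before new events appear."
}

# 2. Pull 30 days of mailbox-rule and mailbox-setting changes.
$end   = Get-Date
$start = $end.AddDays(-30)
$ops   = @("New-InboxRule", "Set-InboxRule", "Set-Mailbox", "New-TransportRule", "Set-TransportRule")

# A single call returns at most 5000 records; a session ID pages through the rest.
$sessionId = "bec-hunt-" + [guid]::NewGuid().ToString()
$events = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeAdmin `
        -Operations $ops -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $events += $page
} while ($page.Count -eq 5000)

# 3. Keep the changes an attacker would make: forward or redirect mail out, delete it,
#    or bury it in RSS/Archive/"Read" so the victim never sees the replies.
$pattern = 'ForwardTo|ForwardAsAttachmentTo|RedirectTo|ForwardingSmtpAddress|ForwardingAddress|DeleteMessage|MoveToFolder|MarkAsRead|SubjectContainsWords'
$suspicious = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Parameters is an array of {Name, Value}; flatten it into one string for matching.
    $params = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    if ($params -match $pattern) {
        [pscustomobject]@{
            When      = [datetime]$d.CreationTime
            Actor     = $d.UserId       # who made the change
            Mailbox   = $d.ObjectId     # whose mailbox or rule it affects
            Operation = $d.Operation
            ClientIP  = $d.ClientIP     # an unfamiliar country here is the tell
            Params    = $params
        }
    }
}
$suspicious | Sort-Object When -Descending | Format-Table -AutoSize -Wrap
"{0} rule/forwarding changes in the last 30 days; {1} match BEC patterns" -f $events.Count, @($suspicious).Count
```

Actor, Mailbox and ClientIP are the three columns that matter: a rule created in one user’s mailbox by a sign-in from a country the firm never operates in is the textbook sign that the password was phished before MFA went on. Because Audit (Standard) keeps 180 days, you can widen the window from 30 days to six months when you need to establish when a compromise started.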
Closing Thoughts
Your business already pays for these protections, but they only work if you turn them on. This checklist is your starting point. No scare tactics, just practical steps you can hand to an IT partner (like Christo IT) or work through yourself. There is also a handy overview from Microsoft itself here: Microsoft 365 for business security best practices – Microsoft 365 admin | Microsoft Learn

📞 Call Christo IT at (215) 256-7901 to schedule a free Microsoft 365 Security Review today.