Increase threat protection for Microsoft 365 for business

Applies to

  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium

This article suggests top tasks for small businesses to strengthen protection against phishing, malware, and other threats with a Microsoft 365 subscription. These recommendations are also appropriate for organizations with an increased need for security, like law offices and health care clinics.

Before you begin, note your current Microsoft Secure Score. The goal isn't to achieve the maximum score, but to be aware of opportunities to protect your small organization that don't negatively affect productivity for your users. Microsoft Secure Score analyzes your organization's security based on your regular activities and security settings, and assigns a score. To increase your score, complete the actions recommended in this article.

For more information, see Microsoft Secure Score.

For additional details about securing data and managed devices in Microsoft 365 Business Premium, see How to secure your business data with Microsoft 365 for business.

Top tasks to make sure your subscription is secure

| Step | Task | Description |
|------|------|-------------|
| 1 | Use multi-factor authentication. | Multi-factor authentication (MFA), also known as two-step verification, requires members of your organization to use a code or authentication app on their phone to sign in to Microsoft 365. It's a critical first step to protecting your business data. Using MFA can prevent hackers who learn your password from taking over. See Security defaults and MFA. |
| 2 | Protect your administrator accounts. | Administrator accounts (also called admins) have elevated privileges, making these accounts more susceptible to cyberattacks. You'll need to set up and manage the right number of admin and user accounts for your business. We also recommend adhering to the information security principle of least privilege, which means that users and applications should be granted access only to the data and operations they require to perform their jobs. See Protect your administrator accounts. |
| 3 | Use preset security policies. | Your subscription includes preset security policies that use recommended settings for anti-spam, anti-malware, and anti-phishing protection. Set your policies in the Microsoft Defender portal to at least Standard protection. See Protect against malware and other cyberthreats. |
| 4 | Protect all devices. | Every device is a possible attack avenue into your network and must be configured properly, even devices that are owned personally but also used for work. See these articles: Help users set up MFA on their devices; Protect unmanaged Windows and Mac computers; Set up managed devices (requires Microsoft 365 Business Premium or Microsoft Defender for Business). |
| 5 | Adjust sharing settings for SharePoint and OneDrive files and folders. | Default sharing settings for SharePoint and OneDrive are set to the most permissive level, which might be a more permissive level than you should use. We recommend reviewing, and if necessary changing, the settings to better protect your business. Grant members of your organization only the access they need to do their jobs. See Set sharing settings for SharePoint and OneDrive files and folders. |
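
For step 5, the following PowerShell sketch reviews tenant-wide SharePoint and OneDrive sharing settings against a baseline. It is an added example, not part of the original article or Microsoft's own guidance. The function name `Test-SharingBaseline`, the baseline values, and the `<tenant>` URL placeholder are assumptions; the property names are those returned by `Get-SPOTenant` in the SharePoint Online Management Shell.

```powershell
# Sharing levels as reported by Get-SPOTenant, ordered least to most permissive.
$SharingRank = @{
    Disabled                        = 0   # no external sharing
    ExistingExternalUserSharingOnly = 1   # guests already in the directory
    ExternalUserSharingOnly         = 2   # new and existing guests, sign-in required
    ExternalUserAndGuestSharing     = 3   # "Anyone" links, no sign-in
}

function Test-SharingBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Tenant,
        [string] $MaxSharing = 'ExternalUserSharingOnly',  # assumed baseline, adjust to your policy
        [int]    $MaxAnonymousLinkDays = 30                 # assumed baseline, adjust to your policy
    )
    process {
        $findings = @()
        foreach ($prop in 'SharingCapability', 'OneDriveSharingCapability') {
            $value = [string]$Tenant.$prop
            if (-not $SharingRank.ContainsKey($value)) {
                $findings += "${prop}: unrecognized value '$value', review manually"
            } elseif ($SharingRank[$value] -gt $SharingRank[$MaxSharing]) {
                $findings += "${prop}: '$value' is more permissive than '$MaxSharing'"
            }
        }
        if ([string]$Tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
            $findings += "DefaultSharingLinkType: new links default to anonymous access"
        }
        $days = [int]$Tenant.RequireAnonymousLinksExpireInDays
        $anyoneAllowed = [string]$Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing'
        if ($anyoneAllowed -and ($days -le 0 -or $days -gt $MaxAnonymousLinkDays)) {
            $findings += "RequireAnonymousLinksExpireInDays: $days (no expiry, or longer than $MaxAnonymousLinkDays days)"
        }
        $findings   # empty output means the tenant meets the baseline
    }
}

# Constructed sample that mimics a tenant left at permissive settings.
$sample = [pscustomobject]@{
    SharingCapability                 = 'ExternalUserAndGuestSharing'
    OneDriveSharingCapability         = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType            = 'AnonymousAccess'
    RequireAnonymousLinksExpireInDays = -1
}
$sample | Test-SharingBaseline

# Against a live tenant (placeholder admin URL):
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   Get-SPOTenant | Test-SharingBaseline
```

The constructed sample produces four findings. Once a baseline is agreed, `Set-SPOTenant` accepts the same property names as parameters to apply it.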
