Secure Microsoft 365 for SMBs: Baseline Setup

·

A Microsoft 365 tenant is not secure just because MFA is switched on for a few people. The minimum baseline combines protected identities, separate admin accounts, Security Defaults or Conditional Access, blocked legacy authentication, managed devices, mail protection, sharing permissions, auditing, recovery and backups aligned with the business.

Initial inventory

Review inactive accounts and existing privileges before adding new controls.

MFA and conditional access

Microsoft recommends keeping Security Defaults enabled unless it is replaced by Conditional Access policies. Both should never be switched off at the same time.

Priority order:

  1. MFA for everyone.
  2. Phishing-resistant methods for admins and high-risk profiles.
  3. Block legacy authentication.
  4. Policies based on risk, location and device.
  5. Controlled emergency accounts.

Break-glass accounts are monitored and tested, not used day to day.

Admins

An admin account is never shared with a provider.

Onboarding, changes and offboarding

The cycle must involve HR:

Offboarding does not end with just blocking sign-in.

Email

Main threats: phishing, BEC, malware and malicious mailbox rules.

Controls:

IBAN changes are always verified through an independent channel.

OAuth applications

Review application consent, its permissions and the publisher. Broad user consent can be blocked, or an approval workflow can be put in place.

Service principals, secrets, certificates and their use need to be inventoried, and applications without an owner should be revoked.

SharePoint, OneDrive and Teams

Ease of sharing does not justify indefinite access.

Devices

With Intune or another management tool:

BYOD requires separating corporate data from personal data.

Data protection and retention

What must be kept or deleted needs to be defined. Retention policies serve compliance and information lifecycle needs; they should not be confused with a full recovery strategy.

Labels, eDiscovery and auditing are applied according to need and the available license.

Backup and recovery

Microsoft 365 Backup provides protection for SharePoint, OneDrive and Exchange, and third-party partner solutions also exist. The organization must define:

The recycle bin or versioning does not necessarily replace a backup built for ransomware scenarios and accidental deletion.

Secure Score

Secure Score helps measure security posture and prioritize recommendations. It is not a certification and does not guarantee security. Each action is assessed against the business, and accepted risk is documented.

Treat it as a trend to track, not a target of hitting 100%.

Auditing and alerts

Worth monitoring:

Alerts must have an owner and an associated procedure.

Providers

If an MSP administers the tenant:

The provider must not operate with shared client credentials.

30-day plan

Week 1

Inventory, admins, MFA and legacy authentication.

Week 2

Email, OAuth, guests and sharing.

Week 3

Devices, retention, backups and alerts.

Week 4

Testing, incidents, documentation and training.

Common mistakes

  1. Turning off Security Defaults without implementing Conditional Access.
  2. Administering with the daily-use account.
  3. SMS-only MFA for admins.
  4. External auto-forwarding left enabled.
  5. OAuth applications left unreviewed.
  6. Anonymous links with no expiration.
  7. Permanent guest accounts.
  8. Confusing retention with backup.
  9. Never testing restores.
  10. MSP using a shared account.

Checklist

FAQ

Security Defaults or Conditional Access?

Security Defaults is a simple baseline; Conditional Access enables advanced policies. One should not be switched off without implementing the other.

Does Secure Score prove compliance?

No. It helps prioritize security posture, but additional analysis and evidence are still required.

Does Microsoft handle backups?

Microsoft 365 Backup exists, along with other partner solutions. The organization must configure coverage and test recovery.

Summum Sistemas can audit and apply a baseline proportionate to each organization's licenses and risk.