The M365 Security Baseline Most SMEs Skip

If your business runs on Microsoft 365 — and in the UK, that covers the vast majority of SMEs, law firms, and healthcare practices — there is a reasonable chance your tenant is less secure than you think.

Not because Microsoft has failed. Not because your IT provider has been negligent. But because the default configuration of an M365 tenant is designed to get you up and running, not to protect a regulated business handling sensitive client data.

Most organisations I work with assume that because Microsoft provides the platform, Microsoft secures it. That assumption is wrong, and it is the single most common gap I find when reviewing an SME's security posture.

The Shared Responsibility Model, Explained Simply

Microsoft operates what is called a shared responsibility model. Microsoft secures the platform: the physical data centres, the hypervisor, the network infrastructure, the availability of the service. That part is genuinely well handled.

What Microsoft does not do is secure your tenant. Your tenant is your configuration: who can log in, from where, with what level of verification. What happens to data when it leaves your mailbox. Who has access to your SharePoint sites. Whether a former contractor's guest account is still active three years after they left.

These are your decisions. Microsoft gives you the controls. It is up to you to turn them on and configure them correctly.

The problem is that most SMEs never have this conversation. The tenant was set up when the business migrated to M365, the defaults were accepted, and no one with security expertise has reviewed the configuration since.

The Seven Controls Most SMEs Skip

When I conduct a baseline M365 security review, the same gaps appear with striking consistency. Here are the seven controls that are most commonly missing or misconfigured.

1. MFA enforcement for all users. Multi-factor authentication is the single most effective control against credential-based attacks. It is also the one most likely to be partially deployed. I regularly find tenants where MFA is "enabled" but not "enforced" — a distinction that means users who have not completed MFA registration can still sign in without it. Every account should have MFA enforced, without exception.

2. Conditional access policies. MFA alone is not enough if it can be triggered from any device, on any network. Conditional access lets you require compliant devices, block legacy authentication, restrict access by location, and require step-up authentication for sensitive applications. Most SMEs I review have no conditional access policies configured at all.

3. Mailbox auditing. M365 includes mailbox auditing as a standard feature, but it is not always enabled by default on older tenants. Without it, you have no record of who accessed a mailbox, what they did, and when. If a compromised account is used to exfiltrate email, you will not know. For law firms and healthcare organisations, this is a basic compliance requirement.

4. DLP labels and policies. Data loss prevention lets you define sensitivity labels and apply policies that prevent data from leaving the organisation — for example, detecting when someone emails a document containing a National Insurance number or bank account details to an external address. Most SMEs have no DLP policies. Those that do often run them in "test mode", which generates alerts but takes no action.

5. Guest access controls. By default, M365 allows users to invite external guests to SharePoint sites, Teams channels, and shared folders. Without controls, a member of staff can share a folder containing sensitive client documents with an external address, and that access persists until someone manually revokes it. Guest access should be restricted by domain and subject to regular review.

6. Retention policies. Without retention policies, everything stays in the tenant indefinitely — including data the business no longer needs, data it is not legally permitted to retain, and data that would be damaging in a breach or subject access request. Retention policies should reflect the organisation's actual data retention schedule.

7. Admin role hygiene. The Global Administrator role grants full access to every service and every piece of data in the tenant. Most SMEs I review have between four and eight global administrators. The correct number is two or three, used exclusively for administration. Every additional global admin is an additional high-value target. Role-based access control should be used for everything else.
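The legacy-authentication block from item 2 is the kind of conditional access policy worth creating first. The script below is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account can write conditional access policies, and that the group id is a placeholder you replace with the object id of your own emergency-access group so administrators are never locked out.

```powershell
# Added example (not from the original post): create the conditional access
# policy described in item 2 with Microsoft Graph PowerShell.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All' -NoWelcome

# Placeholder: object id of your emergency-access (break-glass) group. Replace it.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Block legacy authentication for all users'
    # 'enabledForReportingButNotEnforced' only logs matches. Use it briefly to
    # confirm no business-critical client still needs a legacy protocol, then
    # switch to 'enabled'. A policy left in report-only mode blocks nothing.
    state       = 'enabled'
    conditions  = @{
        # exchangeActiveSync plus 'other' covers every client that cannot use
        # modern authentication, which is where password-only sign-ins land.
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' (id $($created.Id), state $($created.State))"
```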

Why This Matters: The Blast Radius of One Compromised Account

The business risk here is not theoretical. A single compromised M365 account — obtained through phishing, credential stuffing, or a brute-force attack against an account without MFA — gives an attacker access to that user's email, their OneDrive files, the SharePoint sites they can reach, the Teams channels they belong to, and every third-party application connected to the tenant.

For a law firm, that could mean access to client matter files, privileged correspondence, and case strategy documents. For a healthcare practice, it could mean patient records and clinical communications. For any business, it could mean the ability to send convincing phishing emails from a trusted internal address to every contact in the organisation.

The attacker does not need to breach your firewall. They do not need to exploit a vulnerability in your infrastructure. They need one set of credentials, and the default M365 configuration hands them the keys to everything.

The Baseline Checklist

If you want to assess where your organisation stands, here is a practical checklist. You can work through this with your IT team or your IT provider. Every item should be a yes or a concrete plan — not a "we think so" or "it should be on".

  • [ ] MFA is enforced for every user account, without exceptions
  • [ ] Legacy authentication protocols are blocked via conditional access
  • [ ] Conditional access policies restrict access by device compliance and location
  • [ ] Mailbox auditing is enabled and logs are retained for at least 90 days
  • [ ] DLP policies are configured for sensitive data types and set to enforce, not just test
  • [ ] Guest access is restricted by domain and subject to regular access reviews
  • [ ] Retention policies are configured and aligned with the organisation's data retention schedule
  • [ ] Global administrator roles are limited to two or three accounts, used only for administration
  • [ ] Role-based access control is used for all other administrative functions
  • [ ] A regular access review process is in place for both internal and external users
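Several of these boxes can be checked from a console rather than by asking. The script below is an added example, not the post's or Microsoft's own tooling; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the signed-in account has read access to policies, roles, users and mailboxes, and that `$AllowedGuestDomains` is a constructed placeholder you replace with your approved partner domains.

```powershell
# Added example (not from the original post): a read-only spot check of four
# checklist items using Microsoft Graph PowerShell and Exchange Online PowerShell.
# Assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed.
$AllowedGuestDomains = @('partner.example')   # constructed placeholder; replace

Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
$findings = [System.Collections.Generic.List[string]]::new()

# Check 1: Global Administrator count (the post's target is two or three)
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
$gaNames   = $gaMembers | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
if ($gaMembers.Count -gt 3) {
    $findings.Add("Global Administrators: $($gaMembers.Count) [$($gaNames -join ', ')]; target is 2-3")
}

# Check 2: an enabled (not report-only) conditional access policy that blocks
# legacy authentication (client app types exchangeActiveSync + other) for all users
$legacyBlock = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.Users.IncludeUsers -contains 'All'
}
if (-not $legacyBlock) {
    $findings.Add('No enabled conditional access policy blocks legacy authentication for all users')
}

# Check 3: mailbox auditing, both the tenant-wide switch and each user mailbox
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing is disabled at the organisation level')
}
$unaudited = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled })
if ($unaudited.Count -gt 0) {
    $findings.Add("User mailboxes with auditing off: $($unaudited.Count)")
}

# Check 4: guest accounts whose external email domain is outside the allow-list
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Mail, CreatedDateTime
foreach ($g in ($guests | Where-Object { $_.Mail })) {
    $domain = $g.Mail.Split('@')[-1].ToLower()
    if ($domain -notin $AllowedGuestDomains) {
        $findings.Add("Guest outside approved domains: $($g.Mail) (created $($g.CreatedDateTime))")
    }
}
if ($findings.Count -eq 0) { 'No findings for these four checks.' } else { $findings }
```

The remaining items (MFA enforcement, DLP enforcement mode, retention schedules) need a review of the relevant admin centres rather than a single query.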

If you can tick every box, your baseline is in good shape. If you cannot, you have a clear picture of where to start.

Where to Start

You do not need to fix everything at once. The highest-impact changes — MFA enforcement, blocking legacy authentication, and reducing global administrator count — can be implemented in a single afternoon and will meaningfully reduce your exposure.

The rest can be prioritised based on your risk profile. A law firm handling privileged client data will prioritise DLP and mailbox auditing differently from a professional services firm with a smaller client base. The point is to make deliberate decisions about your configuration, not to accept the defaults and hope they are enough.

If your organisation runs on M365 and you are not confident that your tenant is configured to a standard that would withstand scrutiny — from a regulator, a client, or an attacker — a structured security baseline review is the right first step. The Security & Compliance Strategy service covers M365 tenant configuration as part of the broader risk framework. Or get in touch for a 30-minute conversation about where your organisation stands.