5 Microsoft 365 Settings Every SMB Should Change Today
Default settings leave your business exposed, unproductive, and overpaying. Here are the fixes — and none of them require a consultant.
Here's an uncomfortable truth: most small businesses running Microsoft 365 have never changed a single admin setting beyond adding users and assigning licenses.
That means you're running a platform that handles your email, files, communications, and (increasingly) your business processes — on factory defaults. It's like buying a new car and never adjusting the mirrors.
The good news: fixing the five biggest gaps takes less than 30 minutes total. You don't need a consultant for any of them. You just need an admin account and this article.
1. Enforce Multi-Factor Authentication (MFA) — Yes, for Everyone
This is the single most impactful security change you can make. Full stop.
The default: MFA is available but not enforced. Individual users can opt in, but most don't. Your admin accounts — the keys to your entire organization — might be running on password-only authentication right now.
Why it matters: Microsoft reports that MFA blocks 99.9% of account compromise attacks. That's not marketing fluff — it's data from billions of authentications per day. Without MFA, a single phished password gives an attacker full access to your email, files, Teams conversations, and every system connected to that identity.
What to do:
- Go to Microsoft Entra admin center → Protection → Conditional Access
- Create a policy that requires MFA for all users, for all cloud apps
- Exclude a single break-glass admin account (documented and secured separately)
- Enable the policy in Report-only mode for one week to check for issues, then switch to On
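The same four steps as an added example, not code from the article or from Fireside Cloud Solutions: it creates the Conditional Access policy with Microsoft Graph PowerShell in report-only mode, excludes one emergency-access account, and leaves the one-line switch to enforcement commented out for after the review week. It assumes the Microsoft.Graph module is installed and that `breakglass@contoso.example` is a placeholder for your documented break-glass account.

```powershell
# Added example (not from the article): create the "MFA for all users" Conditional
# Access policy with Microsoft Graph PowerShell, starting in report-only mode.
# Assumptions: Microsoft.Graph module installed; $BreakGlassUpn is a placeholder UPN.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$BreakGlassUpn = "breakglass@contoso.example"   # placeholder: your documented emergency-access account
$breakGlass = Get-MgUser -UserId $BreakGlassUpn

$policyBody = @{
    displayName = "Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # Report-only; change to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)            # the single exclusion the article allows
        }
        applications = @{
            includeApplications = @("All")             # all cloud apps
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $policyBody
"Created policy '$($policy.DisplayName)' ($($policy.Id)) in state $($policy.State)"

# After a week of reviewing report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -State "enabled"

# Verification: list every policy that is not enforced, so report-only policies
# don't quietly stay that way.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne "enabled" } |
    Select-Object DisplayName, State
```

Report-only results show up per sign-in in the Entra sign-in logs under the policy name; a policy that would have blocked the CEO's old mail client is the kind of thing you want to find during that week rather than on Monday morning.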
Time to implement: 10 minutes. Time to save your company from a breach: priceless.
Note: As of February 2026, Microsoft has begun enforcing MFA for all admin accounts automatically. If you haven't set this up yourself, you may have already been enrolled. Check your Conditional Access policies to make sure coverage extends to all users, not just admins.
2. Restrict External Sharing in SharePoint and OneDrive
The default: SharePoint and OneDrive allow users to share files and folders with anyone — including people outside your organization — via anonymous "Anyone" links. No sign-in required.
Why it matters: One employee shares a folder with a client. The link gets forwarded. Now someone you've never met has access to your internal documents. There's no audit trail for anonymous links. You won't know it happened until it's too late.
What to do:
- Go to SharePoint admin center → Policies → Sharing
- Set the external sharing level to "New and existing guests" (not "Anyone")
- This still allows external sharing — but recipients must sign in. You get an audit trail, and you can revoke access.
- Set link expiration to 30 days for external links
- Set the default link type to "People in your organization"
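An added example (not the article's own procedure) that does the same review with the SharePoint Online Management Shell: it reports which tenant settings differ from the target state before changing anything, applies the fix in one call, and then checks for individual sites that are still set to "Anyone". It assumes the Microsoft.Online.SharePoint.PowerShell module and a placeholder tenant named `contoso`; the two `ExternalUser*Expire*` parameters are the ones I understand to map to the guest-expiry setting in the admin center, so confirm them against your module version.

```powershell
# Added example (not from the article): audit and set tenant-wide sharing with the
# SharePoint Online Management Shell. Assumes the Microsoft.Online.SharePoint.PowerShell
# module and a placeholder tenant name "contoso".
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Target state from the article. SharingCapability values map to the admin-center labels:
#   ExternalUserAndGuestSharing      = "Anyone" (the default; anonymous links allowed)
#   ExternalUserSharingOnly          = "New and existing guests"
#   ExistingExternalUserSharingOnly  = "Existing guests"
#   Disabled                         = "Only people in your organization"
$desired = @{
    SharingCapability              = "ExternalUserSharingOnly"
    DefaultSharingLinkType         = "Internal"     # "People in your organization"
    ExternalUserExpirationRequired = $true          # guest access expires ...
    ExternalUserExpireInDays       = 30             # ... after 30 days (assumed parameter mapping)
}

# Report drift before touching anything.
$tenant = Get-SPOTenant
foreach ($name in $desired.Keys) {
    $current = $tenant.$name
    $status  = if ("$current" -eq "$($desired[$name])") { "OK " } else { "FIX" }
    "{0} {1,-32} current={2,-30} desired={3}" -f $status, $name, $current, $desired[$name]
}

# Apply the corrected settings in one call (hashtable keys match parameter names).
Set-SPOTenant @desired

# Re-read and confirm.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    ExternalUserExpirationRequired, ExternalUserExpireInDays

# Site-level settings can be stricter than the tenant but never looser, so any site
# still reporting "Anyone" is worth a look once the tenant setting has propagated.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

Existing "Anyone" links that were created before the change stop working once the tenant no longer allows them, so tell the people who rely on them before you flip the setting.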
Time to implement: 5 minutes. Your legal team will thank you.
3. Turn On Unified Audit Logging
The default: Audit logging is enabled in most tenants now, but many organizations have never verified it or reviewed the logs.
Why it matters: If something goes wrong — a data breach, an accidental deletion, an insider threat — audit logs are the only way to understand what happened, when, and by whom. Without them, you're flying blind. And in regulated industries (healthcare, finance, government), you may be violating compliance requirements right now.
What to do:
- Go to Microsoft Purview compliance portal → Audit
- Verify that auditing is turned On
- Run a sample search to confirm data is flowing (search your own activity from the past 24 hours)
- Bookmark this page. Check it monthly. Set a reminder.
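As an added example (not from the article), the verification and the sample search done from Exchange Online PowerShell, which is where the unified audit log cmdlets live. It assumes the ExchangeOnlineManagement module and uses `admin@contoso.example` as a placeholder for your own account; the search is deliberately scoped to that one account and the last 24 hours, exactly as the article suggests.

```powershell
# Added example (not from the article): confirm unified audit logging is on and run
# the "search your own activity" check with Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module; $MyUpn is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$MyUpn = "admin@contoso.example"   # placeholder: the account you are signed in with

# 1. Is ingestion into the unified audit log enabled?
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    "Unified audit log ingestion is OFF - enabling it now"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    "Unified audit log ingestion: enabled"
}

# 2. Sample search: your own activity in the past 24 hours.
$end     = Get-Date
$start   = $end.AddDays(-1)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $MyUpn -ResultSize 100

if (-not $records) {
    "No records for $MyUpn in the last 24h. If logging was just enabled, events can take a while to appear; retry later."
} else {
    # AuditData is a JSON string; pull out the fields worth eyeballing.
    $records |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                When      = $_.CreationDate
                Workload  = $_.RecordType
                Operation = $_.Operations
                ClientIP  = $d.ClientIP
                Result    = $d.ResultStatus
            }
        } |
        Sort-Object When -Descending |
        Format-Table -AutoSize
}
```

Seeing your own sign-in and the PowerShell session itself in the results is the confirmation you are after: if those are there, the pipeline works end to end, and the monthly check becomes a matter of re-running the search with a wider scope.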
Time to implement: 3 minutes. And if you ever need these logs, you'll be incredibly glad you verified this.
4. Set Up a Shared Company Calendar (Not the One You're Thinking Of)
The default: Every user has a personal calendar. There's no centralized company calendar for PTO, deadlines, company events, or project milestones. People email around asking "who's out next week?"
Why it matters: This isn't a security setting — it's a productivity one. But it's the single most requested "I didn't know M365 could do that" feature we show clients. A shared calendar in a Teams channel or a SharePoint site gives the entire organization visibility into what's happening, without cluttering anyone's personal calendar.
What to do:
- Create a Microsoft 365 Group called "Company Calendar" (or add a calendar tab to your main Teams channel)
- Add recurring events: all-hands meetings, holidays, quarterly deadlines
- Encourage departments to add PTO and major project milestones
- Pin the calendar in your most active Teams channel so it's always visible
Time to implement: 10 minutes to set up. Save hours of "who's out?" emails every week.
5. Review Your Microsoft Secure Score
The default: You have a Secure Score. You've probably never looked at it.
Why it matters: Microsoft Secure Score is a free, built-in security assessment that grades your M365 environment and tells you exactly what to fix, in priority order. It's like a credit score for your security posture. The average SMB scores around 30-40%. That means 60-70% of available security controls are sitting there, ready to be turned on, and nobody has.
What to do:
- Go to Microsoft Defender portal → Secure Score
- Look at your current score. Don't panic.
- Click Recommended actions and sort by impact
- Pick the top 3 recommendations and implement them this week
- Set a monthly reminder to review and improve your score
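The "look, then sort by impact, then pick the top 3" steps as an added example, not code from the article or from Fireside Cloud Solutions, using Microsoft Graph PowerShell. It assumes the Microsoft.Graph.Security module and that the `ControlName` on each control score matches the `Id` of the corresponding control profile, which is how I understand the two Graph resources line up; treat that join as an assumption to confirm in your tenant.

```powershell
# Added example (not from the article): read the latest Secure Score and rank the
# recommendations by points still available, with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Security module; controlScores.ControlName joins to
# the control profile Id (verify in your tenant).
Import-Module Microsoft.Graph.Security
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# Most recent daily snapshot (Graph returns newest first).
$score = Get-MgSecuritySecureScore -Top 1 | Select-Object -First 1
$pct   = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
"Secure Score: {0} / {1} ({2}%) as of {3}" -f $score.CurrentScore, $score.MaxScore, $pct, $score.CreatedDateTime

# Control profiles carry the title, max points and remediation text; index them by Id.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

# "Sort by impact": points still on the table for each control.
$recommendations = foreach ($c in $score.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p -or $p.Deprecated) { continue }      # skip retired controls
    $gap = $p.MaxScore - $c.Score
    if ($gap -le 0) { continue }                     # already fully implemented
    [pscustomobject]@{
        PointsAvailable = $gap
        Control         = $p.Title
        Category        = $c.ControlCategory
        UserImpact      = $p.UserImpact
        Cost            = $p.ImplementationCost
        Status          = $c.ImplementationStatus
    }
}

# The article's "top 3 this week".
$recommendations |
    Sort-Object PointsAvailable -Descending |
    Select-Object -First 3 |
    Format-Table -AutoSize

# For the monthly review: keep a dated record so the trend is visible, not just the number.
$snapshot = "{0:yyyy-MM-dd},{1},{2},{3}" -f (Get-Date), $score.CurrentScore, $score.MaxScore, $pct
Add-Content -Path ".\securescore-history.csv" -Value $snapshot
```

Points available is a reasonable first sort key, but glance at the UserImpact and Cost columns before committing to the top three: a high-point control that changes how every user signs in deserves the same report-only style rollout the MFA policy got.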
Time to implement: 2 minutes to check your score. Then tackle 2-3 improvements per month. Your score will climb steadily, and each point represents real security improvement.
The Bigger Picture
These five changes won't turn you into an enterprise security operation overnight. But they close the most dangerous gaps that we see in virtually every SMB M365 environment we assess.
Here's the pattern: most small businesses buy Microsoft 365, set up email, and stop. They never open the admin center again. They never review sharing settings, never check audit logs, never look at their Secure Score. The platform is capable of so much more — but nobody configured it.
That's what we do at Fireside Cloud Solutions. We help businesses unlock the full value of the Microsoft 365 licenses they're already paying for — security, automation, apps, dashboards, and everything in between.
If you've made all five changes and want to know what's next, let's talk. We offer a quick M365 environment assessment that goes deeper than Secure Score and gives you a roadmap tailored to your business.
No pitch. Just a clear picture of where you stand and what's possible.