8 Microsoft 365 Security Settings San Antonio Businesses Need

By Jordan Polasek · July 14, 2026

Microsoft 365 is powerful, but it ships with a lot of security features turned off or set to their weakest option. That's a problem, because attackers know exactly which defaults to exploit. The good news: most of the settings that stop the common attacks take minutes to enable and cost nothing extra. Here's a punchy, no-nonsense list of what to turn on.

The 8 settings to lock down now

  1. Turn on multi-factor authentication (MFA) for everyone. A stolen password is useless if the attacker can't pass the second check. Enforce MFA for every account — including the ones you think are low-risk. Use an authenticator app, not text messages, which can be intercepted.
  2. Enable Security Defaults or set up Conditional Access. If you're on a basic plan, flip on Security Defaults in the Entra admin center. If you have Business Premium, build Conditional Access rules so logins from unexpected countries or unmanaged devices get blocked or challenged.
  3. Block legacy authentication. Old protocols like POP, IMAP, and SMTP basic auth bypass MFA entirely. Attackers love them. Turn legacy auth off unless you have a specific device that truly needs it — and then lock that exception down tight.
  4. Set up anti-phishing and safe links in Defender. Microsoft Defender for Office 365 scans links and attachments after the message arrives, catching threats that slip past the initial filter. Enable impersonation protection so emails pretending to be your CEO or vendors get flagged.
  5. Restrict external forwarding. One of the first things a hacker does after breaking into a mailbox is set up an auto-forward rule to quietly copy your email. Block automatic forwarding to external addresses across the organization.
  6. Turn on audit logging and alerts. You can't investigate what you didn't record. Make sure unified audit logging is on, and create alerts for suspicious activity — mass file downloads, new forwarding rules, or logins from strange locations.
  7. Limit who has admin rights. Global Admin should be a small, deliberate list. Give people the least access they need to do their jobs, and use separate accounts for admin tasks so a compromised everyday login can't change your whole tenant.
  8. Configure OneDrive and SharePoint sharing controls. By default, users can share files with anyone via public links. Set sharing to "existing external users" or require sign-in, and add expiration dates on shared links so access doesn't live forever.

Why the defaults aren't enough

Microsoft designs 365 to work for millions of organizations, from solo consultants to global enterprises. That means the defaults lean toward convenience and compatibility, not maximum protection. It's your job — or your IT partner's — to tighten the screws for how your business actually operates. Skipping this step is like buying a great front door and never locking it.

Don't forget the human side

Settings stop a lot of attacks, but people are still the target. Pair your technical controls with short, regular training so staff can spot a phishing email or a fake invoice. Combine that with a habit of reviewing your security settings quarterly, since Microsoft adds and changes features often. Good cybersecurity is a routine, not a one-time project.

Quick checklist to run this week

Most of these changes take an afternoon to implement and pay for themselves the first time they stop an attack. If you'd rather have it done right — and monitored so it stays that way — that's exactly what managed IT services are for. BVTech helps small businesses across San Antonio configure Microsoft 365 the secure way and keep an eye on it around the clock. Reach out to our team for a straightforward review of your current setup, no jargon required.