Cybersecurity · April 8, 2026 · 5 min read

The 5-Minute Microsoft 365 Security Checklist Every Small Business Should Do Today

We're a managed IT services Milwaukee company, and at this point we've onboarded enough small businesses across Southeast Wisconsin to know the pattern. Same problems, different office. The Microsoft 365 tenant has been running for a couple years. Somebody set it up, probably in a rush, and nobody's gone back to check the defaults since.

What follows is the short version of what we'd tell you over coffee. Five things. All of them free to fix. Most of them take a few clicks.

Key Takeaways

  • MFA on every account stops over 99% of automated compromises — use an authenticator app, not SMS.
  • Your owner's daily email should never be a Global Admin — one phished account can take down the whole tenant.
  • Shared mailbox permissions accumulate like junk drawers — audit them twice a year and pull access from former employees.
  • Legacy auth protocols (POP3, IMAP, SMTP AUTH) bypass MFA entirely — block them or your MFA is a front door with an open side entrance.
  • All five fixes are free and take minutes. Put a 90-day reminder to run through this list again.

1. Turn on MFA, on every account, no exceptions

You've probably heard this one before. You may have even started rolling it out and then paused because someone complained it was annoying. We get it. But Microsoft's own numbers say MFA stops over 99% of automated account compromises, and we've never seen a stat in this industry that clear-cut.

  • Enable it for all users. Not just admins. All of them.
  • Use an authenticator app (Microsoft Authenticator, Google Authenticator) instead of SMS codes. SIM-swap attacks are real, they're cheap, and they make text message codes the weakest MFA option out there. One caveat: app codes and push approvals beat SIM swapping, but a fake login page can still relay them in real time, so turn on number matching in Microsoft Authenticator and, for admins at least, look at passkeys or FIDO2 security keys, which are the phishing-resistant option.
  • Small tenant, nothing complicated? Security Defaults is free on every tenant and is a single toggle in the Entra admin center (Identity > Overview > Properties > Manage security defaults). It makes everyone register for MFA, always prompts admins, and blocks legacy authentication.
  • Got remote workers, personal devices, or compliance boxes to check? Conditional Access policies give you more control, but they need an Entra ID P1 license, which is the piece Business Premium (and E3/E5) includes.

One thing we want to be honest about: Security Defaults vs. Conditional Access confuses people. Security Defaults is the light switch. Conditional Access is the dimmer, the timer, and the motion sensor. If you're not sure which one you need, Security Defaults is the right starting point. You can graduate later, but note that the tenant will not run both at once: you turn Security Defaults off when you build your first Conditional Access policies, so have the replacement policies ready (MFA for everyone, block legacy auth) before you flip the switch.

2. Clean up your admin accounts

Here's a scenario we walk into all the time during small business cybersecurity assessments. The owner's daily email account — the one they use for newsletters, Teams chats, random vendor emails — is also a Global Admin. That means the account most exposed to phishing is the same one that can reset every password in the company, wipe devices, and modify security policies.

If that account gets popped, it's not one mailbox. It's the whole tenant.

  • Make separate admin accounts. No mailbox on them, no Teams, no Outlook. They exist to do admin work and nothing else.
  • Two Global Admins, maybe three, never more than five. One of those should be a break-glass account that lives in a safe (figuratively or literally) and only comes out in emergencies: cloud-only, a long random password or a FIDO2 key, excluded from every Conditional Access policy so a bad policy can't lock you out of your own tenant, and with an alert on any sign-in to it.
  • Everyone else gets a scoped role. The person who handles onboarding? User Administrator. The person who manages Exchange? Exchange Administrator. Microsoft built dozens of these roles so you don't have to hand out the master key.
  • And close your admin sessions when you're done. Don't leave the admin center open in a tab all day next to your Gmail and YouTube.

We call this least privilege. The idea is simple: if an account gets compromised, the attacker can only do what that account was allowed to do. A User Administrator can't touch security policies (though it can still reset most non-admin passwords, so it is not a throwaway role). An Exchange Admin can't wipe devices. The blast radius shrinks.

Most IT companies in Milwaukee, ours included, run it the same way for clients. MFA on every admin account, admin roles never on daily-driver accounts, Global Admin credentials stored separately. It's boring. It works.
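To make sections 1 and 2 something you can check rather than remember, here is an added example (ours, written for this page, not code from the original article) in Microsoft Graph PowerShell. It reports whether Security Defaults is on, lists every active Global Administrator with a note on whether that account also carries a mailbox, and pulls MFA registration status for every admin in the tenant. It assumes the Microsoft.Graph module is installed and that you have signed in with Connect-MgGraph using the read scopes in the comment; the five-admin threshold follows Microsoft's published guidance, and the "has a mailbox" test is a heuristic we chose, not a Microsoft flag.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph module and an
# existing session opened with:
#   Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All'

function Get-M365AdminHygieneReport {
    [CmdletBinding()]
    param([int]$MaxGlobalAdmins = 5)   # Microsoft's guidance: fewer than five Global Admins

    # Section 1: is Security Defaults on? (False is expected if you run Conditional Access instead.)
    $sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
    Write-Host "Security Defaults enabled: $($sd.IsEnabled)"

    # Section 2: active Global Administrator assignments. PIM-eligible assignments are not
    # active roles and do not show up here; review those in the PIM blade separately.
    $role = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
    if (-not $role) { throw 'The Global Administrator role has never been activated in this tenant.' }
    $members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

    # MFA registration for every admin in one call; isAdmin covers all privileged roles, not only GA
    $mfa = @{}
    Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter 'isAdmin eq true' -All |
        ForEach-Object { $mfa[$_.Id] = $_ }

    $rows = foreach ($m in $members) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            Write-Warning "GA member $($m.Id) is $type, review it separately"
            continue
        }
        $u   = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled,Mail
        $reg = $mfa[$u.Id]
        $mfaState = 'unknown'; $methods = ''
        if ($reg) { $mfaState = $reg.IsMfaRegistered; $methods = ($reg.MethodsRegistered -join ',') }
        [pscustomobject]@{
            UPN           = $u.UserPrincipalName
            Enabled       = $u.AccountEnabled
            # Heuristic (our assumption): a populated Mail attribute means this admin account
            # also receives email, i.e. it is probably somebody's daily-driver account
            HasMailbox    = -not [string]::IsNullOrEmpty($u.Mail)
            MfaRegistered = $mfaState
            Methods       = $methods
        }
    }

    if (@($rows).Count -gt $MaxGlobalAdmins) {
        Write-Warning "$(@($rows).Count) Global Admins; aim for $MaxGlobalAdmins or fewer, two of them break-glass."
    }
    # Any admin, in any role, who has not registered MFA
    $mfa.Values | Where-Object { -not $_.IsMfaRegistered } |
        ForEach-Object { Write-Warning "Admin without MFA registered: $($_.UserPrincipalName)" }

    $rows
}

Get-M365AdminHygieneReport | Format-Table -AutoSize
```

Rows with HasMailbox set to True are the "owner's daily email is a Global Admin" pattern from the scenario above; the fix is a separate admin account, not a license change. The warnings list admins in any role who have never registered MFA, which is exactly the group Security Defaults or your Conditional Access MFA policy should have caught.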

3. Audit shared mailbox permissions

This one doesn't get enough attention, and it probably should.

Shared mailboxes (info@, sales@, accounting@, whatever you've got) accumulate permissions like a junk drawer accumulates batteries. Somebody leaves the company, HR disables their personal mailbox, and everyone forgets they still have Full Access to three shared mailboxes. A contractor gets added for a project in March and still has access in December. We've seen former employees with active shared mailbox access at companies that fired them two years prior.

Three permission types to know:

  • Full Access — they can open the mailbox, read everything, delete stuff, basically live in it
  • Send As — they can send email that looks like it came from the shared address. The recipient has no idea.
  • Send on Behalf — similar, but the recipient sees “John Smith on behalf of info@yourcompany.com”

Full Access is the dangerous one. A shared mailbox has no password of its own, so access rides on each delegate's credentials. If a departed employee's account was only stripped of its license instead of disabled, or somebody set a password on the shared mailbox itself so a copier could use it, one password from a breach dump (and passwords end up in breaches constantly) is enough for someone to open your shared mailbox and read your company's email. No alerts. No notifications. Just quiet access.

Open the Exchange admin center, go to Recipients > Mailboxes, filter to shared mailboxes, and open the Delegation tab on each one to see every name with Full Access, Send As or Send on Behalf. If someone doesn't need access, pull it. Do this twice a year at minimum. PowerShell makes it faster if you want to script it, and it is the only way to see the whole tenant in one table.
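The one-table version, as an added example written for this page (not code from the original article), in Exchange Online PowerShell. It walks every shared mailbox, lists the three permission types described above, and flags two things the admin center does not make obvious: trustees whose accounts are disabled (the former-employee case) and shared mailboxes that have sign-in enabled. It assumes the ExchangeOnlineManagement module and a session opened with Connect-ExchangeOnline; the removal commands in the note below use placeholder addresses.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement module and an
# admin session opened with Connect-ExchangeOnline.

function Get-SharedMailboxAccessReport {
    [CmdletBinding()]
    param()

    # Resolve a trustee string to an account state so ex-employees stand out in the report
    function Resolve-TrusteeState([string]$Trustee) {
        $u = @(Get-User -Identity $Trustee -ErrorAction SilentlyContinue)
        if ($u.Count -eq 0) { return 'unresolved (group, orphaned SID or external?)' }
        if ($u.Count -gt 1) { return 'ambiguous name, check manually' }
        if ($u[0].AccountDisabled) { return 'DISABLED account still holds access' }
        return 'enabled'
    }
    function New-Row($Mailbox, $Trustee, $Right) {
        [pscustomobject]@{
            Mailbox = $Mailbox; Trustee = $Trustee; Right = $Right
            TrusteeState = Resolve-TrusteeState $Trustee
        }
    }

    foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
        $addr = $mbx.PrimarySmtpAddress.ToString()

        # A shared mailbox should be sign-in blocked. If someone enabled it and set a password
        # (usually so a copier could use it), it is a normal account with no MFA in front of it.
        $self = Get-User -Identity $mbx.Identity
        if (-not $self.AccountDisabled) {
            [pscustomobject]@{ Mailbox = $addr; Trustee = '(the shared mailbox itself)'
                               Right = 'SIGN-IN ENABLED'; TrusteeState = 'fix: block sign-in' }
        }

        # Full Access: drop the mailbox's own SELF entry, inherited defaults, Deny entries and raw SIDs
        Get-MailboxPermission -Identity $mbx.Identity |
            Where-Object {
                $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and -not $_.Deny -and
                $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
            } | ForEach-Object { New-Row $addr $_.User.ToString() 'FullAccess' }

        # Send As is a recipient permission, not a mailbox permission
        Get-RecipientPermission -Identity $mbx.Identity |
            Where-Object {
                $_.AccessRights -contains 'SendAs' -and $_.AccessControlType -eq 'Allow' -and
                $_.Trustee -notlike 'NT AUTHORITY\*' -and $_.Trustee -notlike 'S-1-5-*'
            } | ForEach-Object { New-Row $addr $_.Trustee.ToString() 'SendAs' }

        # Send on Behalf is just an attribute on the mailbox
        foreach ($t in @($mbx.GrantSendOnBehalfTo)) { New-Row $addr $t.ToString() 'SendOnBehalf' }
    }
}

Get-SharedMailboxAccessReport | Sort-Object Mailbox, Right | Format-Table -AutoSize
```

Anything whose TrusteeState is not "enabled" needs a decision. To pull access, the matching cmdlets are Remove-MailboxPermission (with -AccessRights FullAccess), Remove-RecipientPermission (with -AccessRights SendAs) and Set-Mailbox with -GrantSendOnBehalfTo @{Remove='name'}; a shared mailbox that shows up as sign-in enabled should get sign-in blocked again in the Microsoft 365 admin center.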

4. Disable legacy authentication

This is the one that catches people. POP3, IMAP, SMTP AUTH, older ActiveSync, anything that signs in with Basic authentication: these protocols predate MFA. They don't support it at all. So if your tenant still allows legacy auth, an attacker with a stolen password can connect through IMAP and get into a mailbox without MFA ever being asked for. It just... doesn't fire. Microsoft started turning Basic authentication off in Exchange Online for POP, IMAP, EWS and ActiveSync in late 2022, but SMTP AUTH was left alone for tenants that needed it, and a tenant-level block is still the control that closes the door for good.

We've talked to business owners who enabled MFA and assumed they were done. They weren't. Legacy auth was still wide open, and it's basically a side door that skips the lock you just installed on the front.

  • Already using Security Defaults? Legacy auth is blocked. You're fine.
  • Using Conditional Access? You need a separate policy that blocks legacy auth clients. Microsoft ships a "Block legacy authentication" policy template, and you can run it in report-only mode first to see who would be blocked. It's not included by default, which is annoying.
  • Before you block anything, figure out if something in your office still uses these old protocols. The most common offender we see? Copiers. The ones that scan-to-email through SMTP AUTH. Also old Thunderbird or Outlook 2010 installations that never got updated.
  • Move those devices to modern auth (most current copiers can do OAuth scan-to-email) or to an SMTP relay connector, then block legacy auth across the board.
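The "find the holdouts, then block" sequence from the bullets above, as an added example written for this page (not code from the original article), in Microsoft Graph PowerShell. The first function summarizes recent sign-ins that did not come from a browser or a modern desktop/mobile app, which is where the copier and the old Thunderbird show up. The second creates the Conditional Access policy in report-only mode, excluding your break-glass accounts, and flips to enforced only when you pass -Enforce. It assumes the Microsoft.Graph module, the scopes in the comment, that Security Defaults is already off (a tenant cannot have both), and the break-glass address in the usage lines is a placeholder.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph module and a session:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All','Policy.Read.All','Policy.ReadWrite.ConditionalAccess'
# Security Defaults must be off before a Conditional Access policy can be created.

# Step 1: who is still using legacy auth? Entra ID Free keeps 7 days of sign-in logs, P1 keeps 30.
function Get-LegacyAuthSignIns {
    param([int]$Days = 7)
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $modern = @('Browser', 'Mobile Apps and Desktop clients')

    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
        Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern } |
        Group-Object ClientAppUsed, UserPrincipalName |
        ForEach-Object {
            $last = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                ClientApp = $last.ClientAppUsed   # e.g. IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync
                User      = $last.UserPrincipalName
                Attempts  = $_.Count
                Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                LastSeen  = $last.CreatedDateTime
                LastIP    = $last.IPAddress
            }
        }
}

# Step 2: the Conditional Access policy, created in report-only mode first.
function New-LegacyAuthBlockPolicy {
    param(
        [Parameter(Mandatory)][string[]]$BreakGlassUserIds,   # object IDs of your emergency access accounts
        [switch]$Enforce                                      # omit on the first run: report-only
    )
    $state = 'enabledForReportingButNotEnforced'
    if ($Enforce) { $state = 'enabled' }

    $policy = @{
        displayName = 'Block legacy authentication'
        state       = $state
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeUsers = $BreakGlassUserIds }
            applications   = @{ includeApplications = @('All') }
            # 'other' is Microsoft's bucket for POP, IMAP, SMTP AUTH and any other basic-auth client;
            # exchangeActiveSync covers old EAS devices that cannot do modern auth
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
}

# Usage (the break-glass UPN is a placeholder for your own emergency account):
Get-LegacyAuthSignIns -Days 7 | Format-Table -AutoSize
$bg = (Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com').Id
New-LegacyAuthBlockPolicy -BreakGlassUserIds @($bg)          # report-only
# ...watch the Report-only results in the sign-in log for a week or two, then:
# New-LegacyAuthBlockPolicy -BreakGlassUserIds @($bg) -Enforce
```

A row in the first report with Succeeded greater than zero is a working legacy-auth login, and it is either your copier or someone else's password. Fix or migrate every such row before you run the second function with -Enforce; running it without -Enforce first costs nothing and shows you, in the sign-in log's Report-only tab, exactly who would have been blocked.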

5. Bonus quick wins

A few more things any IT support Milwaukee team would tell you to check. None of these take long.

Entra ID sign-in logs. Pull them up in the Entra admin center. Filter for failed sign-ins or logins from countries where you don't have employees. If you see a wall of failed attempts from overseas IPs, someone's running stolen credentials against your accounts. MFA should catch it. But you want to know it's happening, because it tells you your email addresses are out there. The Client app column is worth a look too: it tells you whether a sign-in came through a browser, a modern desktop app, or IMAP/POP/SMTP, which is how you find the last legacy-auth holdouts. Keep in mind the free tier keeps only seven days of sign-in history (P1 keeps 30), so check it regularly rather than once.

The Unified Audit Log. It's in Microsoft Purview, under Audit. Some tenants, especially older ones, have it off, which means you have zero record of who did what and when. Turn it on. When something eventually goes sideways (and something always does), the audit log is the first place anyone will look. If it's empty, you're starting from nothing. It only records from the moment you enable it (and the standard tier keeps 180 days), so switching it on after an incident tells you nothing about that incident.

Mail forwarding rules. After an attacker gets into a mailbox, one of the first things they do is set up a rule that silently forwards all incoming email to an external address. The person using the mailbox has no idea because their inbox looks totally normal. Check three places: the inbox rules on each mailbox, the mailbox-level forwarding setting in the Exchange admin center (the one an admin, or an attacker with admin rights, can set without touching the user's rules), and the outbound spam filter policy, which is the tenant-wide switch for automatic forwarding to external addresses and should be Off. Or run a quick PowerShell command to surface any rules that redirect mail externally. If you find one that nobody remembers creating, treat that mailbox as compromised: reset the password, revoke sessions, and go back to the sign-in log.
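Here is the quick PowerShell version, as an added example written for this page (not code from the original article), in Exchange Online PowerShell. It first checks that the Unified Audit Log is on, then hunts external forwarding in all three places named above: mailbox-level ForwardingSmtpAddress, inbox rules that forward, forward-as-attachment or redirect, and the tenant-wide AutoForwardingMode. "External" is defined as any domain that is not one of the tenant's accepted domains. It assumes the ExchangeOnlineManagement module and a session opened with Connect-ExchangeOnline.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement module and an
# admin session opened with Connect-ExchangeOnline.

# Audit log first; it only records from the day you switch it on.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified Audit Log is OFF. Enable it with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

function Get-ExternalForwardingReport {
    [CmdletBinding()]
    param()

    # Anything that is not one of the tenant's own accepted domains counts as external
    $internal = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLowerInvariant() })
    function Test-External([string]$Address) {
        $domain = ($Address -split '@')[-1].ToLowerInvariant()
        return ($internal -notcontains $domain)
    }
    # Inbox rule recipients look like:  "Display Name" [SMTP:someone@example.com]  or  Name [EX:/o=...]
    function Get-SmtpTargets($Entries) {
        foreach ($e in @($Entries)) { if ("$e" -match 'SMTP:([^\]\s]+)') { $Matches[1] } }
    }

    $mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
    foreach ($mbx in $mailboxes) {
        $owner = $mbx.PrimarySmtpAddress.ToString()

        # 1. Mailbox-level forwarding (the setting an attacker can flip with one Set-Mailbox call)
        if ($mbx.ForwardingSmtpAddress) {
            $target = "$($mbx.ForwardingSmtpAddress)" -replace '^smtp:', ''
            if (Test-External $target) {
                [pscustomobject]@{ Mailbox = $owner; Source = 'ForwardingSmtpAddress'; Rule = ''; Target = $target
                                   KeepsCopy = $mbx.DeliverToMailboxAndForward; Enabled = $true }
            }
        }

        # 2. Inbox rules: forward, forward-as-attachment and redirect all count; note if it also deletes
        foreach ($rule in @(Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue)) {
            $targets = Get-SmtpTargets (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
            foreach ($t in @($targets | Where-Object { Test-External $_ })) {
                [pscustomobject]@{ Mailbox = $owner; Source = 'InboxRule'; Rule = $rule.Name; Target = $t
                                   KeepsCopy = -not $rule.DeleteMessage; Enabled = $rule.Enabled }
            }
        }
    }
}

Get-ExternalForwardingReport | Format-Table -AutoSize

# 3. Tenant-wide switch: Off means no automatic external forwarding regardless of per-mailbox settings
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode
```

Get-InboxRule is one call per mailbox, so this takes a few minutes on a larger tenant; that is still faster than clicking through each one. A rule with KeepsCopy set to False is the classic attacker pattern (forward, then delete so the owner never sees the message), and a rule with a one-character name or a name like "." is worth a second look even if its target is internal.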

What this adds up to

None of this costs money. None of it requires special tools or an IT company (though having one helps). An M365 security checklist like this, revisited every quarter, puts you ahead of most companies your size. The people going after small businesses in Southeast Wisconsin and everywhere else aren't deploying fancy exploits. They're trying stolen passwords against default configurations. They're counting on the fact that nobody went back and tightened anything after the initial setup.

Put a reminder on your calendar. Ninety days from now, run through this list again. That's really all it takes.

Nazar Loshniv, Founder & CEO of Powerful IT Systems

Powerful IT Systems · Sussex, WI

Master's degree in Computer Science with 15+ years of hands-on IT experience serving Milwaukee-area businesses.

Need Help Locking Down Microsoft 365?

We help Milwaukee-area small businesses secure their M365 tenants — MFA, admin cleanup, legacy auth, and ongoing monitoring at a flat monthly rate. No contracts.