WHY MICROSOFT 365 SECURITY MATTERS FOR SMALL BUSINESS.
Microsoft 365 has quietly become the operating system of the small-business economy. Email, calendars, Teams chat, document storage in OneDrive and SharePoint, the Office applications, and increasingly the identity layer (Entra ID) that signs users into every other SaaS product the business uses — all of it runs through a single Microsoft 365 tenant. The credentials to that tenant are, for most small businesses, the most valuable keys in the building.
The threat actors know this. Microsoft's own Digital Defense Report consistently shows that small and mid-sized businesses are the primary target for business email compromise (BEC), credential phishing, and ransomware deployed via stolen Microsoft 365 credentials. The economics are simple: a single phished M365 admin password gives an attacker the ability to read every email, exfiltrate every document, impersonate the owner in wire-fraud schemes, and deploy ransomware to every endpoint joined to the tenant. The attack works the same way at a 200-person manufacturer and a 5-person dental office, and attackers run it at industrial scale against both.
The default Microsoft 365 configuration is not secure. It is functional — designed to let a small business get email working on day one without an IT department — but it leaves legacy authentication protocols enabled, MFA not enforced, audit log retention short, Defender for Business un-onboarded, and Conditional Access undeployed even on the SKUs that include it. Hardening the tenant from the defaults is the highest-leverage security work a small business can do in 2026. The rest of this guide is how.
MICROSOFT 365 SKU MAP: BASIC VS STANDARD VS PREMIUM VS E3/E5.
Microsoft sells Microsoft 365 to small businesses under three SKUs (Basic, Standard, Premium) and to larger organizations under the Enterprise SKUs (E3, E5). The pricing is straightforward, but the security feature differences between tiers are not — and most small businesses end up on the wrong tier for what they actually need.
Business Basic — $7.50/user/mo commercial, FREE nonprofit
Web and mobile versions of the Office apps, Exchange Online (50 GB mailbox), OneDrive (1 TB), SharePoint, Teams. No desktop Office install. From a security perspective: MFA support, basic Exchange Online Protection (the anti-spam layer), and the unified audit log. No EDR, no Conditional Access, no Intune, no Information Protection labels. Appropriate for very small businesses that don't handle regulated data and live entirely in the browser.
Business Standard — $15/user/mo commercial, FREE nonprofit
Everything in Basic plus desktop Office installs (Word, Excel, PowerPoint, Outlook) on up to five PCs/Macs per user, plus Microsoft Bookings, Loop, and Clipchamp. Security-wise: same as Basic. No EDR, no Conditional Access, no Intune. Standard is the “productivity” SKU, not the “security” SKU. For any business handling PHI, PII, financial records, or carrying cyber insurance, Standard is below the operational floor.
Business Premium — $27/user/mo commercial, $6/user/mo nonprofit
Everything in Standard, plus the four security capabilities that distinguish a hardened SMB tenant from a soft one: Defender for Business (EDR for endpoints), Conditional Access (policy-based access control beyond MFA, provided by the Entra ID P1 license bundled into Premium), Intune (device management and mobile app protection), and Microsoft Purview Information Protection, formerly Azure Information Protection (sensitivity labels and basic DLP). Also includes Defender for Office 365 Plan 1 (Safe Attachments, Safe Links, anti-phishing). For any small business that takes security seriously, Premium is the floor.
Enterprise E3 / E5
The Enterprise SKUs are licensed without the 300-seat cap of the Business tier and add features, most of them in E5 rather than E3: advanced compliance (eDiscovery Premium, Audit Premium with one-year log retention), Microsoft Defender for Identity (on-premises AD threat detection), Defender for Office 365 Plan 2 (attack simulation training, threat investigation and automated response), and Power BI Pro. Most small businesses do not need E3/E5; Business Premium covers the security bases for sub-300-seat organizations. Mid-market organizations and those with on-premises Active Directory benefit from the Enterprise tier.
IDENTITY HARDENING: MFA, CONDITIONAL ACCESS, AND BREAK-GLASS ACCOUNTS.
Identity is the new perimeter. The single highest-leverage security control on a Microsoft 365 tenant is Multi-Factor Authentication enforced on every account, every time, with no exceptions for convenience. Microsoft's own published data shows MFA blocks 99.9% of automated credential attacks. Tenants without 100% MFA enforcement get compromised at a rate that's an order of magnitude higher than tenants with it.
MFA alone is necessary but not sufficient. Three follow-on controls close the practical gaps. First, block legacy authentication tenant-wide: protocols like POP, IMAP, basic-auth SMTP, and Exchange ActiveSync with basic authentication bypass MFA entirely. They're used by old desktop email clients and rarely needed in 2026. Block them via Conditional Access or the “security defaults” toggle (the two are mutually exclusive; Premium tenants should use Conditional Access, which gives you report-only mode and break-glass exclusions). Second, deploy Conditional Access policies (Business Premium and above) to require a compliant or hybrid-joined device for sensitive resources, restrict sign-in to expected geographies (most SMBs can geo-restrict to the U.S. with rare exceptions), and require admin reauthentication after short session timeouts. Third, address session token theft. Conditional Access sign-in frequency policies shorten the window in which a stolen token is useful; phishing-resistant authentication (FIDO2 hardware security keys or passkeys) stops adversary-in-the-middle phishing kits from capturing a session in the first place and should be mandatory for admin accounts on higher-value tenants.
One last identity control most small businesses miss: break-glass emergency accounts. Create two cloud-only global administrator accounts, both excluded from every Conditional Access policy, both with long randomized passwords stored offline (a sealed envelope in the practice safe, or a paper printout in a locked drawer), and neither used for day-to-day administration. These accounts exist only to recover from a Conditional Access misconfiguration that locks out every other admin. Alert on sign-ins to break-glass accounts from the Entra sign-in logs; any login to one outside a scheduled test is an incident. Without break-glass accounts, an overly aggressive Conditional Access policy can lock the organization out of its own tenant, and recovery requires a Microsoft support escalation that may take days.
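As an added example (not from the original guide, and not Simply IT's own tooling), the Microsoft Graph PowerShell below creates the block-legacy-authentication policy with the two break-glass accounts excluded, in report-only mode so you can review what it would have blocked before enforcing it, and then checks the Entra sign-in logs for any break-glass activity. It assumes the Microsoft.Graph module is installed and that the two placeholder break-glass UPNs exist in your tenant; change them to your own.

```powershell
# Added example (not from the original guide): block legacy authentication with
# Conditional Access, excluding two break-glass accounts, then check whether
# those accounts have signed in. Placeholder UPNs below; replace with your own.
#Requires -Modules Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users, Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "AuditLog.Read.All"

# Placeholder break-glass accounts (assumption: these exist and are cloud-only).
$breakGlassUpns = @("bg-admin-01@contoso.onmicrosoft.com", "bg-admin-02@contoso.onmicrosoft.com")
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) { (Get-MgUser -UserId $upn -Property Id).Id })

# "exchangeActiveSync" and "other" are the client app types that cannot do modern
# (MFA-capable) authentication: POP, IMAP, SMTP AUTH, legacy ActiveSync, old Office.
$policy = @{
    displayName = "CA001 - Block legacy authentication (all users)"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds     # never lock the break-glass accounts out
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} in state {1}" -f $created.Id, $created.State

# Break-glass accounts should never sign in outside a drill. Any hit here is an incident.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
foreach ($upn in $breakGlassUpns) {
    $signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since" -All
    if ($signIns) {
        $ips = ($signIns | ForEach-Object IpAddress | Sort-Object -Unique) -join ", "
        Write-Warning ("{0}: {1} sign-in(s) in the last 7 days from {2}" -f $upn, @($signIns).Count, $ips)
    } else {
        "{0}: no sign-ins in the last 7 days (expected)" -f $upn
    }
}
```

Leave the policy in report-only for a few days and read the Conditional Access insights before flipping it to enabled; the report-only results show exactly which old clients and scanners-to-email devices will break, which is the list you need to fix first.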
DEFENDER FOR BUSINESS: EDR THAT COMES WITH PREMIUM.
Microsoft Defender for Business is the SMB version of Microsoft Defender for Endpoint, the same EDR engine that protects Microsoft's enterprise customers, packaged with a simplified management UI and licensed for organizations up to 300 seats. It's included with Microsoft 365 Business Premium at no additional cost. It builds on the Defender Antivirus engine already in Windows (the free antivirus does not go away; it becomes the prevention layer under the EDR sensor) and replaces third-party legacy antivirus (Norton, McAfee, Webroot) with a behaviorally-driven EDR posture that's appropriate for modern threats.
What Defender for Business actually does: behavior-based threat detection (it watches what processes do, not just what files match a signature), automated investigation and response (it triages alerts and remediates known-bad activity without waiting for an analyst), attack surface reduction rules (blocking common ransomware techniques such as Office applications spawning child processes and credential theft from LSASS), endpoint detection across Windows, macOS, iOS, and Android, and centralized visibility through the Microsoft Defender portal (formerly Microsoft 365 Defender). It onboards endpoints either through Intune (the clean path) or via local Group Policy / scripted enrollment.
The thing to understand: Defender for Business does not protect endpoints until it is onboarded to them. The license is included with Business Premium, but the onboarding step (deploying the Defender configuration package to every workstation) is a separate action. Tenants we audit routinely have Defender for Business licensed but with zero or near-zero endpoints actually onboarded — meaning the EDR is fully paid for and providing zero protection. Onboarding takes about 30 minutes for a typical small business via Intune and should be a Day-One configuration step on every new Premium tenant.
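The portal's device list is the authoritative view, but the quickest way to settle the question for a single workstation is on the machine itself. The script below is an added example, not from the original guide: run it as administrator on a Windows endpoint and it reports the Sense (EDR) service state, the onboarding flag the onboarding package writes, Defender Antivirus health, and whether two of the attack surface reduction rules mentioned above are actually enforced. The function name and output fields are my own choices.

```powershell
# Added example (not from the original guide): confirm Defender for Business is
# onboarded on this Windows endpoint, not just licensed. Run as administrator.

function Test-DefenderOnboarding {
    $result = [ordered]@{}

    # The EDR sensor runs as the "Sense" service; it is absent or stopped on an un-onboarded machine.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status.ToString() } else { "NotInstalled" }

    # The onboarding package sets OnboardingState = 1 here; 0 or a missing value means not onboarded.
    $statusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.OnboardingState = if ($null -eq $state) { "Missing" } else { $state }

    # Defender Antivirus health: real-time protection on and signatures fresh.
    $mp = Get-MpComputerStatus
    $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
    $result.SignatureAgeDays   = $mp.AntivirusSignatureAge

    # ASR rules come back as two parallel arrays: rule GUID and action
    # (0 = off, 1 = block, 2 = audit, 6 = warn). Pair them up.
    $pref = Get-MpPreference
    $asr = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asr[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }
    # Two rules worth checking by GUID: block credential stealing from LSASS, and
    # block Office applications from creating child processes (macro launches payload).
    $result.Asr_BlockLsassCredentialTheft = $asr["9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"]
    $result.Asr_BlockOfficeChildProcess   = $asr["d4f940ab-401b-4efc-aadc-ad5f3c50688a"]

    # Onboarded means: sensor running AND the onboarding flag set. Missing ASR values mean "never configured".
    $result.Onboarded = ($result.SenseService -eq "Running" -and $result.OnboardingState -eq 1)
    [pscustomobject]$result
}

Test-DefenderOnboarding | Format-List
```

An endpoint that shows Onboarded = True but blank ASR values is the common half-finished state: the sensor reports in, but the ransomware-technique blocking the paragraph above describes has never been turned on. Push the ASR rules through Intune's endpoint security policies rather than per machine.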
EXCHANGE ONLINE + DEFENDER FOR OFFICE 365: EMAIL SECURITY LAYERED.
Email is still the #1 attack vector against small businesses. Microsoft 365 ships with Exchange Online Protection (EOP) on every SKU — the anti-spam and anti-malware layer that handles known-bad content. EOP is competent at the basics but is not sufficient on its own against modern phishing, business email compromise, or credential harvesting attacks. The premium layer is Microsoft Defender for Office 365, which is included with Business Premium and adds the controls that actually matter against targeted attacks.
The four Defender for Office 365 controls to configure on every tenant: Safe Attachments (every attachment is detonated in a Microsoft sandbox before delivery; suspicious files are quarantined), Safe Links (every URL in email is rewrapped to point through a Microsoft proxy and re-evaluated at click time, catching links that were clean at delivery but weaponized later), Anti-Phishing impersonation protection (display-name spoofing alerts and protected-user lists for the CEO/CFO/owner accounts that get impersonated in wire fraud), and Microsoft's Report Message / Report Phishing add-in, deployed tenant-wide, that lets users one-click report suspicious email to admins for analysis.
Outside Microsoft's product set, deploy SPF, DKIM, and DMARC records on the business domain. SPF declares which servers can send mail as your domain (for Microsoft 365, include:spf.protection.outlook.com). DKIM cryptographically signs outbound mail; in Microsoft 365 it must be enabled per custom domain (two CNAME records plus a toggle in the Defender portal), otherwise outbound mail is signed only with the tenant's onmicrosoft.com domain and does not align with your domain. DMARC tells receiving servers what to do with mail that fails SPF or DKIM alignment, and where to send aggregate reports. Together they prevent attackers from spoofing your domain to your customers (a common vector for wire-fraud attacks against your clients). Start DMARC at “p=none” with a reporting address to confirm every legitimate sender aligns, then move to “p=quarantine” at minimum and ideally “p=reject.” The configuration is free; the protection is significant.
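To make the alignment check concrete, here is an added example (not from the original guide) that grades a domain's SPF, DKIM and DMARC records against the targets above. The grader works on record strings, so the constructed sample records at the bottom let it run offline; Get-MailAuthPosture looks the real records up with Resolve-DnsName (Windows only). It assumes Microsoft 365's default DKIM selector name (selector1) and uses example.com / contoso.onmicrosoft.com as placeholders.

```powershell
# Added example (not from the original guide): grade SPF/DKIM/DMARC records.
# Sample records below are constructed, not real DNS data.

function Test-MailAuthRecords {
    param(
        [string]$Spf,     # TXT record at the domain apex
        [string]$Dkim,    # CNAME target (Microsoft 365) or TXT at selector1._domainkey
        [string]$Dmarc    # TXT record at _dmarc
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # SPF: must exist, end in -all (hard fail), and stay under the 10-lookup limit
    # (rough count of the mechanisms that cost a DNS lookup).
    if (-not $Spf -or $Spf -notmatch '^v=spf1\b') { $findings.Add("SPF: no v=spf1 record") }
    elseif ($Spf -match '\+all') { $findings.Add("SPF: +all permits any sender") }
    elseif ($Spf -notmatch '-all\s*$') { $findings.Add("SPF: soft fail (~all); use -all once DKIM/DMARC are verified") }
    $lookups = if ($Spf) { ([regex]::Matches($Spf, '\b(include:|a:|mx\b|redirect=|exists:)')).Count } else { 0 }
    if ($lookups -gt 10) { $findings.Add("SPF: $lookups DNS lookups exceeds the limit of 10") }

    # DKIM: Microsoft 365 publishes the key via a CNAME into *.onmicrosoft.com; a v=DKIM1 TXT is also valid.
    if (-not $Dkim -or ($Dkim -notmatch 'v=DKIM1' -and $Dkim -notmatch '_domainkey\.[^ ]+\.onmicrosoft\.com')) {
        $findings.Add("DKIM: selector1 not published for this domain")
    }

    # DMARC: must exist; p=none only monitors; quarantine is the floor, reject the goal.
    if (-not $Dmarc -or $Dmarc -notmatch '^v=DMARC1') { $findings.Add("DMARC: no record") }
    else {
        $p = if ($Dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { "missing" }
        if ($p -ne 'reject' -and $p -ne 'quarantine') { $findings.Add("DMARC: policy p=$p does not quarantine or reject") }
        if ($Dmarc -notmatch 'rua=') { $findings.Add("DMARC: no rua= address, so you receive no aggregate reports") }
        if ($Dmarc -match 'pct=(\d+)' -and [int]$Matches[1] -lt 100) { $findings.Add("DMARC: pct=$($Matches[1]) applies the policy only partially") }
    }
    [pscustomobject]@{ Pass = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

function Get-MailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = { param($n) Resolve-DnsName -Name $n -Type TXT -ErrorAction SilentlyContinue | Where-Object Strings | ForEach-Object { $_.Strings -join '' } }
    $spf   = & $txt $Domain | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = & $txt "_dmarc.$Domain" | Select-Object -First 1
    # Microsoft 365 DKIM: selector1._domainkey.<domain> is a CNAME to selector1-<domain>._domainkey.<tenant>.onmicrosoft.com
    $dkim  = (Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
    Test-MailAuthRecords -Spf $spf -Dkim $dkim -Dmarc $dmarc
}

# Constructed sample: a typical "day one" tenant. Expect three findings
# (SPF soft fail, DKIM not published, DMARC p=none).
$weak = Test-MailAuthRecords `
    -Spf   'v=spf1 include:spf.protection.outlook.com ~all' `
    -Dkim  $null `
    -Dmarc 'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
$weak.Findings

# Constructed sample: the hardened target once alignment is verified. Expect Pass = True.
$good = Test-MailAuthRecords `
    -Spf   'v=spf1 include:spf.protection.outlook.com -all' `
    -Dkim  'selector1-example-com._domainkey.contoso.onmicrosoft.com' `
    -Dmarc 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s'
$good.Pass
```

Run Get-MailAuthPosture against your own domain before and after the change; the soft-fail and p=none findings are the ones that let a spoofed invoice through to your clients' inboxes.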
INTUNE DEVICE MANAGEMENT FOR SMBS WITHOUT AN IT TEAM.
Microsoft Intune is the device management product included with Microsoft 365 Business Premium. It handles the things a corporate IT team would handle in a larger organization: ensuring company laptops are encrypted, enforcing screen lock and password requirements, deploying software, separating personal data from company data on BYOD phones, and tying device compliance to access via Conditional Access. For a small business without dedicated IT staff, Intune is often the difference between “we have laptops” and “we have a managed fleet.”
The core Intune configurations every SMB Premium tenant should deploy: device enrollment (auto-enroll every Windows and Mac workstation when a user signs in with their work account), compliance policies (BitLocker enforced on every laptop, screen lock at 15 minutes, Defender for Business antimalware running and up to date, OS version current), app protection policies for BYOD (containerize Outlook/Teams/OneDrive on personal phones — company data can be remotely wiped without touching the user's photos), and Conditional Access tied to compliance (a non-compliant device cannot access company resources).
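As an added example (not from the original guide), this Microsoft Graph PowerShell creates the Windows compliance policy just described and assigns it to all devices. It posts to the beta endpoint because the Defender-related compliance settings are only exposed there; the policy name and the minimum OS build are placeholders, and it assumes the Microsoft.Graph module and an Intune license.

```powershell
# Added example (not from the original guide): Windows compliance policy via Graph.
# Assumptions: Microsoft.Graph module installed; beta endpoint used for the
# Defender settings; placeholder policy name and OS build.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "DeviceManagementManagedDevices.Read.All"

$compliance = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Win - SMB baseline compliance"
    description                           = "BitLocker, 15-minute lock, Defender running, current OS"
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    passwordRequired                      = $true
    passwordMinutesOfInactivityBeforeLock = 15
    osMinimumVersion                      = "10.0.19045"   # placeholder: the oldest build you support
    defenderEnabled                       = $true          # Defender Antivirus present and on
    rtpEnabled                            = $true          # real-time protection on
    antivirusRequired                     = $true
    antiSpywareRequired                   = $true
    activeFirewallRequired                = $true
    # Graph requires at least one scheduled action. "block" with no grace period marks the
    # device non-compliant immediately, which is the state Conditional Access keys off.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" -Body $compliance
"Created compliance policy $($policy.id) ($($policy.displayName))"

# Assign to every enrolled device.
$assignment = @{ assignments = @( @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } } ) }
Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($policy.id)/assign" -Body $assignment | Out-Null

# Verify: per-device compliance state, i.e. who a "require compliant device" CA policy will cut off.
$devices = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?`$select=deviceName,complianceState,osVersion"
$devices.value | ForEach-Object { [pscustomobject]@{ Device = $_.deviceName; Compliance = $_.complianceState; OS = $_.osVersion } } |
    Format-Table -AutoSize
```

Deploy the compliance policy and let every device evaluate it before you create the Conditional Access rule that requires compliance; the device list at the end shows the noncompliant machines you would otherwise lock out on day one.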
What Intune is not: a perfect replacement for a dedicated RMM (remote monitoring and management) tool. Intune handles policy and compliance well; it's less mature for patch reporting at scale, remote support sessions, and detailed inventory than purpose-built RMM products. At Simply IT, we run Intune for policy and a dedicated RMM (Datto, NinjaOne) for operations — the two complement each other rather than overlap. For a sub-25-person business without an MSP, Intune alone is workable; for managed clients, the layered approach is the cleaner architecture.
INFORMATION PROTECTION: LABELS, DLP, AND PHI/PII HANDLING.
Microsoft Purview Information Protection (formerly Azure Information Protection) is the data-classification layer in Microsoft 365 Business Premium. It lets the organization define sensitivity labels — Public, Internal, Confidential, Highly Confidential, and custom labels like “PHI” or “Financial-NPI” — that users apply to documents and emails. Labels can be configured to automatically apply encryption, header/footer markings, watermarks, and access restrictions to labeled content, so a “Confidential” spreadsheet remains encrypted and access-controlled even after it leaves the tenant.
Paired with labels is Data Loss Prevention (DLP): policies that scan outbound email, SharePoint sites, and OneDrive for patterns matching sensitive data (Social Security numbers, credit card numbers, ICD-10 codes for healthcare, defined regex patterns for industry-specific identifiers). DLP can warn the sender, require justification, encrypt the message automatically, or block the send entirely. For a healthcare practice, a basic DLP policy that catches U.S. SSNs and tax ID numbers in outbound email closes a meaningful class of accidental-disclosure incidents at almost no operational cost.
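The SSN/tax-ID policy above, as an added example (not from the original guide) in Security & Compliance PowerShell from the ExchangeOnlineManagement module. It starts in test mode with policy tips, so users see the warning for a week before anything is blocked; the policy and rule names are placeholders, and the sensitive information type names are Microsoft's built-in ones.

```powershell
# Added example (not from the original guide): DLP policy that catches U.S. SSN,
# ITIN and card numbers leaving the organization. Placeholder policy/rule names.

Connect-IPPSSession   # Security & Compliance PowerShell (MFA prompt)

$policyName = "DLP - US identifiers outbound"

# Scope: all mailboxes, SharePoint sites and OneDrive accounts. TestWithNotifications
# shows policy tips and logs matches without blocking; switch to Enable after review.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Catches SSN, ITIN and card numbers leaving the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types; minCount 1 means a single SSN is enough.
$sits = @(
    @{ Name = "U.S. Social Security Number (SSN)";                     minCount = "1" }
    @{ Name = "U.S. Individual Taxpayer Identification Number (ITIN)"; minCount = "1" }
    @{ Name = "Credit Card Number";                                    minCount = "1" }
)

# AccessScope NotInOrganization: fire only when a recipient is outside the tenant, so internal
# PHI workflows keep working. BlockAccess stops the send; the policy tip tells the user why.
New-DlpComplianceRule -Name "Block US identifiers to external recipients" -Policy $policyName `
    -ContentContainsSensitiveInformation $sits `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This message appears to contain an SSN, ITIN or card number. Remove it or send it encrypted." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent DocumentAuthor, Detections, RulesMatched `
    -ReportSeverityLevel High

# Verify what was created.
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Disabled, BlockAccess, AccessScope
```

Read the DLP activity report after the test week; a rule that fires on every billing export is a rule users will learn to route around, and the fix is usually an exception for the approved encrypted channel rather than a looser pattern.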
Behind labels and DLP is the underlying encryption posture: Microsoft 365 encrypts data at rest on Microsoft's servers (BitLocker on the storage tier, plus per-customer keys for Customer Key tenants) and in transit via TLS for every connection. Email between Microsoft 365 tenants is TLS-encrypted automatically; email to external recipients uses opportunistic TLS and can be force-encrypted via Microsoft Purview Message Encryption (formerly Office 365 Message Encryption) when the content warrants it. None of this is automatic from the user's perspective; the labels and DLP rules are what surface the encryption to the workflow.
BACKUP IS YOUR RESPONSIBILITY — MICROSOFT WON'T RESTORE YOUR DATA.
This is the single most misunderstood point about Microsoft 365. Microsoft operates under a shared responsibility model: Microsoft is responsible for keeping the service running — uptime, infrastructure, redundancy, physical security of data centers, the platform itself. The customer is responsible for the data in the service: who has access to it, how it's classified, and — critically — backing it up.
Microsoft 365's built-in retention is not backup. Items a user removes from Deleted Items are recoverable for 14 days by default (raisable to a maximum of 30 days per mailbox; beyond that only a litigation hold or retention policy preserves them, with a real operational cost). SharePoint and OneDrive keep prior versions of a file (500 by default) and give deleted files 93 days across the two recycle bins. After that, deleted data is gone, whether it was deleted by user error, a departing employee, a compromised account that exfiltrated and wiped mailboxes, or a ransomware actor that encrypted SharePoint document libraries through a compromised user session. Microsoft will not restore it. There is no support ticket that recovers data past retention.
The fix is a third-party Microsoft 365 SaaS backup: Datto SaaS Protection, Dropsuite, Veeam Backup for Microsoft 365, Acronis, or similar. These products connect to your tenant via the Microsoft Graph API, take daily incremental backups of mailboxes, OneDrive, SharePoint, and Teams to a separate cloud (typically AWS or Azure under the vendor's account), and allow point-in-time restore at the item, mailbox, or full-tenant level. Pricing is typically $3-$8 per user per month, included in Simply IT's Simply Secure and Simply Compliant tiers.
Apply the 3-2-1 strategy to the SaaS backup: 3 copies of the data (production in M365, primary backup in the third-party SaaS cloud, secondary copy ideally in a different cloud or geographic region), 2 different storage media types where possible, 1 off-site. For SaaS data the “off-site” is implicit, but the “different vendor” part, getting the backup out of Microsoft's control, is the entire point. A ransomware actor with global admin doesn't have access to your Datto backup, provided the backup console uses its own credentials and MFA rather than single sign-on through the same tenant (a backup portal that federates to the compromised tenant is inside the blast radius). That separation is what makes recovery possible.
AUDIT LOGGING, ALERTS, AND THE SECURE SCORE.
The Microsoft 365 unified audit log records administrative and user activity across Exchange, SharePoint, OneDrive, Teams, Entra ID, and the security stack: sign-ins, file accesses, mailbox rule changes, permission grants, admin actions. It is the forensic record that determines whether you can answer the question “what did the attacker actually do?” after an incident. In tenants we audit, the log is often turned off entirely (it used to be off by default; Microsoft changed that for new tenants, but older tenants still need to be verified) or retained for only the default 180 days when an investigation needs 12 months of history.
Extend audit log retention as far as the license allows: Business Premium and E3 carry Audit (Standard) with 180 days of retention; one-year and ten-year retention require Audit (Premium), which comes with E5 or as an add-on license. If you can't license it, export the log on a schedule to storage you control. Set up alert policies for the high-signal events: unusual volume of file deletions or downloads, mailbox forwarding rule creation (a classic BEC indicator; attackers create a rule that forwards every email to an external address), admin role assignments, sign-in from an unfamiliar geography, password spray patterns. Microsoft Defender ships with a useful default alert set; tune it to the organization's actual operations rather than letting alerts fire and be ignored.
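An added example (not from the original guide) of the two checks a practitioner runs first in Exchange Online PowerShell: is the unified audit log actually ingesting, and is anyone forwarding mail outside the organization, either through mailbox settings or through an inbox rule. It finishes by pulling the last 30 days of inbox-rule changes from the audit log itself. It assumes the ExchangeOnlineManagement module and a placeholder list of your own accepted domains.

```powershell
# Added example (not from the original guide): audit log health check and
# external-forwarding hunt. $internalDomains is a placeholder; list your accepted domains.

Connect-ExchangeOnline

# 1. Is the unified audit log on? If not, nothing else in this section has data to work with.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Hunt for forwarding to external addresses at both the mailbox and inbox-rule level.
$internalDomains = @("example.com", "contoso.onmicrosoft.com")   # placeholder: your accepted domains

function Test-ExternalAddress([string]$Address) {
    # Internal recipients appear as "Name [EX:/o=...]"; those are never external.
    if ($Address -match '(?i)\[EX:') { return $false }
    # Rule targets look like "Display Name [SMTP:user@domain]"; ForwardingSmtpAddress is "smtp:user@domain".
    if ($Address -match '(?i)smtp:([^\]\s>]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1].ToLowerInvariant()
    return ($domain -and ($internalDomains -notcontains $domain))
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = "MailboxForwarding"; Target = "$($mbx.ForwardingSmtpAddress)" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress "$t") {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = "InboxRule:$($rule.Name)"; Target = "$t" }
            }
        }
    }
}
# Every row is a question for the mailbox owner, and an incident until answered.
$findings | Format-Table -AutoSize

# 3. Who created or changed inbox rules in the last 30 days, with the client IP the change came from.
$ruleEvents = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000
$ruleEvents | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{ When = $d.CreationTime; User = $d.UserId; Operation = $d.Operation; ClientIP = $d.ClientIP }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

The third query is the one that catches what the first two miss: a rule that deletes or moves mail to RSS Feeds rather than forwarding it, which is the other common BEC pattern, shows up here as a rule change from an IP that is not the user's.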
The Microsoft Secure Score is the running self-assessment Microsoft maintains on the tenant — a numeric score (out of a per-tenant maximum) summarizing how many of Microsoft's recommended security configurations are enabled. A new untouched tenant typically scores 15-25 out of 100+. A hardened SMB tenant on Business Premium with the configuration in Section 11 of this guide should land in the 70-85 range. We don't treat Secure Score as a target in itself — it's easy to game by enabling low-impact controls — but we review it monthly with clients as a directional indicator of drift. Score declines mean something changed; investigate why.
COMPLIANCE OVERLAY: HIPAA BAA, FTC SAFEGUARDS, FINRA, GCC VS COMMERCIAL.
Microsoft 365 Commercial, the standard public-cloud version, is appropriate for the vast majority of regulated small businesses, including healthcare practices, law firms, CPAs, and financial advisors. It is not appropriate for U.S. government bodies, DoD contractors handling Controlled Unclassified Information under DFARS, or ITAR-regulated organizations. Those scenarios require GCC (Government Community Cloud) for federal, state and local government, or GCC High for DFARS/CUI and ITAR workloads: separate environments with stricter data-residency and personnel-screening requirements, and significantly higher pricing.
For healthcare practices: Microsoft 365 Business Premium Commercial is HIPAA-eligible, but only when the Business Associate Agreement (BAA) is explicitly activated in the admin center. Microsoft includes the BAA in its standard Online Services Terms, but activating it is a documented administrative step that practices buying M365 from a reseller often skip. The BAA-activated tenant supports the technical safeguards 45 CFR 164.312 requires; without it, the practice is a covered entity storing PHI in a service with no documented BAA, a documentation gap that becomes a settlement headline. (Our HIPAA guide covers this in detail.)
For financial services and CPAs: Microsoft 365 Business Premium aligns cleanly with the FTC Safeguards Rule (16 CFR 314) requirements for financial institutions, including the access control, encryption, multi-factor authentication, and incident response posture the Rule enumerates. FINRA member firms use Microsoft 365 Commercial routinely, with the addition of FINRA-aware archival (Smarsh, Global Relay, or equivalent) layered on top for the books-and-records requirements that exceed Microsoft's default retention.
The decision tree most small businesses face is simpler than the marketing makes it sound: a commercial tenant on the Business Premium SKU, the BAA activated where applicable, and the hardened configuration in this guide together cover HIPAA, FTC Safeguards, FINRA, PCI scoping for merchants that don't store card data, and most state-level data protection laws. GCC and GCC High are reserved for the specific contractual triggers that name them.
THE PRACTICAL M365 SECURITY CONFIGURATION CHECKLIST.
The ordered list below is the actual configuration sequence Simply IT runs on every new Microsoft 365 tenant during onboarding. It assumes a Business Premium SKU; items that require Premium are marked. Run them in order — identity first, then endpoints, then data, then monitoring.
- Enforce MFA on 100% of users. No exceptions, no “we'll get to it.” Microsoft Authenticator or hardware key preferred over SMS.
- Block legacy authentication tenant-wide. Via Conditional Access (Premium) or Security Defaults.
- Create two break-glass global admin accounts. Long random passwords, stored offline, excluded from Conditional Access, sign-in alerted.
- Deploy Conditional Access policies (Premium). Require compliant device for admin, geo-restrict to expected countries, session timeouts for sensitive apps.
- Activate the Business Associate Agreement if you handle PHI. Admin center → Org Settings.
- Onboard every endpoint to Defender for Business (Premium). Via Intune. Verify endpoints show “onboarded” in the Defender portal.
- Enroll every workstation to Intune (Premium). Auto-enrollment when users sign in with their work account.
- Deploy Intune compliance policies (Premium). BitLocker enforced, screen lock at 15 minutes, Defender required, OS version current.
- Configure Safe Attachments and Safe Links policies (Premium). All recipients, all attachments, all URLs.
- Configure Anti-Phishing impersonation protection. Add the CEO/owner/CFO to the protected-user list.
- Deploy DMARC, DKIM, SPF on the domain. SPF and DKIM first, DMARC at p=quarantine after alignment verified.
- Deploy the user phishing reporter add-in. One-click suspicious-email reporting from Outlook.
- Define sensitivity labels (Premium). At minimum: Public, Internal, Confidential. Add industry-specific labels (PHI, Financial-NPI) as applicable.
- Configure DLP policies. Catch SSN, credit card, and industry-specific patterns in outbound email and SharePoint.
- Enable the unified audit log and set retention to the maximum the license allows (180 days on Business Premium/E3; one year needs Audit Premium/E5). Verify it's actually capturing events.
- Configure alert policies. Mailbox forwarding rule creation, unusual file deletion volume, admin role changes, geographic anomaly sign-ins.
- Deploy a third-party SaaS backup. Datto, Dropsuite, Veeam Backup for M365. Daily incrementals, monthly restore drill.
- Review Secure Score and document baseline. Target 70+ on Business Premium after configuration.
- Deploy security awareness training. KnowBe4 or equivalent. Annual training plus monthly phishing simulations.
- Document the configuration. A 1-2 page tenant configuration record kept with the practice administrator — for insurance applications, auditor requests, and the next IT provider.
Twenty items. A focused day or two of admin work for a small business with an experienced operator, or a week of fits-and-starts for a business doing it themselves the first time. Either way, the resulting posture is the operational floor we'd defend at any insurance renewal or compliance audit.