iKON

Microsoft 365 Setup Gaps for Small Business

Microsoft 365M365MFAmailbox auditingTeamsconditional accessmanaged IT

Getting Microsoft 365 running takes about an hour. Getting it configured to a reasonable security baseline takes considerably longer — and most setup walkthroughs don't cover the security decisions at all. The defaults Microsoft ships are designed to get you started fast. They're not designed to be left alone.

Four areas consistently show up when we work through a tenant for the first time.

MFA enforcement

Microsoft 365 doesn't require multi-factor authentication by default. For new tenants created after October 2019, Security Defaults are enabled — but they can be turned off during initial setup, and frequently are. Accounts on older tenants or tenants where Security Defaults were disabled often have MFA set to "Disabled" for every regular user.

The practical check: go to the Entra admin center, select Users, then Per-user MFA. If most users show "Disabled," MFA isn't enforced regardless of what else is configured.

Security Defaults is Microsoft's simplified approach — it requires MFA for all users and blocks legacy authentication, but it doesn't give you control over conditions, exceptions, or trusted locations. Conditional Access is the more complete tool. It's available in Microsoft 365 Business Premium or with an Entra ID P1 add-on. If you're on Business Basic or Standard, Security Defaults is what you have — it's better than nothing, but you can't write custom policies.

The first policy worth writing: require MFA for all users on all logins. After that: block legacy authentication protocols (IMAP, POP3, ActiveSync) that don't support MFA and are actively exploited as a bypass route.

Mailbox auditing

Exchange Online has audit logging built in, but what it captures depends on your license tier.

The baseline: unified audit logging is on by default for new Microsoft 365 tenants, and it covers standard mailbox actions (email sent, folders accessed, permissions changed). That's functional as far as it goes.

The gap: the most useful audit event for incident response is MailItemsAccessed — which tells you exactly which emails were opened during a period of unauthorized access. That event requires an E3 or E5 license (or the corresponding add-on). Business Basic and Business Standard don't include it.

Retention is the other variable. The default audit log retention is 90 days for Business plans, 180 days for E3, and one year for E5. Most breaches aren't discovered on day one. If you find out 60 days later that an account was compromised, you want more than 30 days of log remaining.

The practical check: pull audit events for a recent period on a key mailbox using PowerShell (Search-UnifiedAuditLog) and compare what shows up against what your license tier covers. If you're running Business Basic and you haven't confirmed what's actually logged, assume the gaps exist.

Teams external access

Teams has two distinct settings that control outside contact: External Access (federation with other Teams tenants) and Guest Access (users you explicitly invite into your tenant).

External Access is the one that gets skipped. It's enabled by default for all external Teams and Skype for Business domains, meaning any user at any other organization can initiate a chat with your staff without any prior relationship. Your users see a banner noting the message is from outside the organization, but there's no block unless you configure one.

This is a social engineering surface. An attacker doesn't need to spoof your email domain — they can message your people directly through Microsoft's own messaging platform from a nominally legitimate account at a shell organization. The message arrives in Teams with no spam filtering applied.

The configuration options:

  • Restrict External Access to specific trusted domains only — keeps federation with partner organizations while blocking the open firehose.
  • Turn it off entirely if your team doesn't do cross-org Teams collaboration.
  • Allow all external domains but invest heavily in staff awareness about unsolicited messages.

Guest Access is a separate toggle and is generally appropriate to leave enabled — guests require an explicit invitation to enter your tenant and can't initiate unsolicited contact.

Check your setting at: Teams admin center → External access.

Conditional Access policies

Conditional Access is where you define what must be true before someone gets access — what network they're on, what device they're using, what risk level Microsoft's sign-in evaluation has assigned. By default, none of that exists. A valid username and password gets in from anywhere.

The highest-value policies to put in first:

  1. Require MFA for all users — covers the majority of credential-based attacks.
  2. Block legacy authentication — closes the bypass route that MFA doesn't protect when older protocols are enabled.
  3. Require MFA for all admins on all logins — admin accounts are the highest-value targets; they need tighter controls than user accounts.

Optional but valuable once the basics are in place: require compliant devices (Intune-managed) before accessing email, block sign-ins from high-risk countries your business has no reason to access from, or use Microsoft's sign-in risk evaluation to step up authentication requirements for anomalous logins.

Conditional Access requires Business Premium or an Entra ID P1 add-on. If you're on a lower tier and can't access Conditional Access policies, make sure Security Defaults are enabled and haven't been disabled.

What "configured" actually means

The four gaps above aren't bugs and they aren't oversights. Microsoft makes deliberate choices about defaults for a product with an enormous range of customers — from a two-person startup to a 50,000-person enterprise. The defaults get you running. The configuration decisions belong to whoever is administering the tenant.

When no one is actively administering the tenant — which is common in small businesses that don't have dedicated IT — those decisions don't get made. The out-of-the-box settings persist for years.

None of this requires an enterprise security program or a compliance team. It requires going through a checklist once and making four decisions.


We configure Microsoft 365 for the organizations we manage — authentication policies, audit settings, Teams access controls, and the Conditional Access layer that most initial setups skip. If you want a straight read on where your tenant stands, book a call →

Ready to talk about your IT setup?

Book a free 30-minute call. No pitch — just a look at where you are and what would actually help.