Microsoft 365 Security for Small Business: Why Default Settings Are Not Enough

Updated: Apr 17



[Image: Microsoft 365 security for small business showing default settings are not secure or compliant]

It Started With One Compromised Email

A defense contractor reached out to me after one of his email accounts got compromised.

At first, it sounded simple. Reset the password. Secure the account. Move on.

It was not simple.


Five hours later, after multiple calls with his email provider's support line, the issue was resolved. The bill for that single incident came out to over one thousand dollars.

And the scariest part? That was not even the real problem.


The Real Problem Was What Was Missing

Once we started looking under the hood, it became clear fast. This business was running Microsoft 365 through a third-party reseller. On the surface that sounds fine. Microsoft product. Cloud-based. Should be handled, right?

It was not.

Because the reseller manages a stripped-down version of the Microsoft 365 admin portal, we could not:

  • Enforce advanced security policies

  • Access detailed audit logs

  • Investigate the incident properly

  • Configure the controls needed for compliance

This is not unique to one reseller. It is what happens when Microsoft 365 is sold and managed through a third party. You lose access to the tools that actually let you manage and prove security.


That gap between what you think you have and what is actually in place is exactly where risk lives.


Why This Hits Different for Government Contractors

This particular client needs to meet CMMC Level 2 requirements. That is not a checkbox situation. A third-party assessor is going to come in and want to see documentation, policies, audit logs, and proof that controls are actually being enforced.

With a reseller-managed Microsoft 365 tenant, I cannot produce any of that.


I cannot show a conditional access policy enforcing MFA. I cannot pull a clean audit log. I cannot document security configurations at the level a CMMC assessment requires.

A standard per-user MFA setup through a reseller can also be bypassed. That alone is a gap an assessor will flag.


For a business that handles Controlled Unclassified Information and is on the path to CMMC Level 2 certification, this needs to be fixed before the assessment. Not during it.


This Is Not Just a Government Contractor Problem

You do not need to be chasing a government contract for this to matter to you.

I see the same setup all the time across small businesses in Columbia, MD, Northern Virginia, Maryland, Pennsylvania, and the broader DMV area. Businesses that bought Microsoft 365 through a reseller, through whoever set up their website years ago, or through a bundle deal that nobody fully explained. Nobody ever told them what was actually missing.

The result is the same pattern every time:

  • No Microsoft Defender configured

  • No DKIM or DMARC on the domain

  • MFA turned on but not policy-enforced

  • No audit logs available

  • No visibility into what is actually happening inside the tenant

And the business has no idea. Because on the surface, email works. Logins work. Everything feels fine.

Until it isn't.


Microsoft 365 Is Not Secure by Default

This is the part that catches most business owners off guard. Microsoft gives you the tools. But nobody turns them on for you.

Whether you are on a direct Microsoft tenancy or a reseller plan, the security features inside Microsoft 365 have to be configured manually. The expectation is that your IT provider will do that work.


If your Microsoft 365 was set up by a generalist, a web designer, or a reseller who just got you access and walked away, there is a real chance these protections are sitting there unused.

Here is what actually needs to be configured for Microsoft 365 security for small business environments to be effective:

Microsoft Defender for Office 365: Activates phishing protection, Safe Links scanning, malware detection, and impersonation alerts. Not enabled by default.

DKIM and DMARC: Email authentication records that verify your outgoing mail and prevent spoofing. Most small businesses do not have these properly configured.

Conditional Access Policies: Policy-enforced MFA that cannot be bypassed. Per-user MFA alone is not enough for compliance or real protection.

Audit Logging: Without this, you have no record of what happened, who logged in, or what was accessed. Critical for incident response and compliance.

Login Restrictions: Limiting account access by country blocks a huge percentage of unauthorized login attempts before they even start.

Impersonation Protection: Policies that protect your key mailboxes and use AI to detect when someone is pretending to be a person inside your organization.

None of these are turned on when you first get Microsoft 365. Every single one requires manual configuration.


The Assessment vs. Implementation Gap

Here is where a lot of small businesses get stuck, especially those pursuing compliance.

They work with a compliance consultant who performs a full assessment. They receive a detailed report. They understand what needs to be fixed.

But then what?

They do not have someone to actually go in and implement the changes inside Microsoft 365 and the broader IT environment.


That gap between knowing what needs to be done and actually getting it done is where the risk continues to sit.


This is exactly the work I do. I take the findings from a compliance assessment and implement the required technical changes, whether that is configuring Microsoft Defender, migrating a tenant off a reseller platform, setting up audit logging, or building out the documentation an assessor needs to see.


What GRC Actually Looks Like for a Small Business

Governance, Risk, and Compliance gets thrown around a lot. In a small business context it is simpler than it sounds.

It means:

  • Knowing what risks exist in your Microsoft 365 environment

  • Understanding where your controls fall short

  • Aligning your systems with whatever compliance requirements apply to your business

  • Implementing the technical changes that close the gaps

  • Documenting everything so you can prove it

GRC only works if it is actually implemented. A report sitting in a folder does not protect your business. The configuration changes do.


Would Your Microsoft 365 Environment Pass an Audit Today?

If someone asked to review your Microsoft 365 security setup right now, could you show them:

  • That MFA is policy-enforced, not just turned on per-user

  • That your domain has DKIM and DMARC configured

  • That Microsoft Defender is active and configured

  • Audit logs going back at least 90 days

  • Documentation of your security controls

If the answer to any of those is "no" or "I am not sure", that is worth looking at before it becomes a bigger issue.
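As an added example (not from the post), here is a read-only PowerShell check that answers the questions above and the configuration list earlier in the post from the tenant itself: unified audit logging, a tenant-wide MFA Conditional Access policy, DKIM/SPF/DMARC, and Defender Safe Links and impersonation protection. It assumes the Exchange Online and Microsoft Graph PowerShell modules are installed, that you have already run Connect-ExchangeOnline and Connect-MgGraph -Scopes "Policy.Read.All", and that the domain name is a placeholder you replace with your own.

```powershell
# Added example: read-only posture checks for a Microsoft 365 tenant.
# Nothing here changes configuration; it only reports what an assessor would ask to see.
$Domain = "contoso.example"   # placeholder, replace with your verified domain

# 1. Unified audit log: if ingestion is off, there is no 90-day history to produce.
$auditOn = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
"Unified audit log enabled: $auditOn"

# 2. Conditional Access: an enabled policy scoped to all users that requires MFA.
#    Per-user MFA alone will not show up here, which is exactly the gap the post describes.
$caMfa = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq "enabled" -and
    $_.Conditions.Users.IncludeUsers -contains "All" -and
    $_.GrantControls.BuiltInControls -contains "mfa"
}
"Tenant-wide MFA Conditional Access policy present: $([bool]$caMfa)"

# 3. Email authentication: DKIM signing in the tenant plus the public SPF and DMARC records.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
"DKIM signing enabled for ${Domain}: $($dkim.Enabled -eq $true)"
$spf = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like "v=spf1*" }
$dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like "v=DMARC1*" }
"SPF record:   $(if ($spf)   { $spf }   else { 'MISSING' })"
"DMARC record: $(if ($dmarc) { $dmarc } else { 'MISSING' })"
if ($dmarc -and $dmarc -match "p=none") {
    "DMARC policy is p=none: reporting only, spoofed mail is still delivered"
}

# 4. Defender for Office 365: Safe Links exists, and an enabled anti-phish policy
#    with targeted user (impersonation) protection turned on.
$safeLinks = Get-SafeLinksPolicy -ErrorAction SilentlyContinue
"Safe Links policies defined: $(@($safeLinks).Count)"
$phish = Get-AntiPhishPolicy | Where-Object { $_.Enabled -and $_.EnableTargetedUserProtection }
"Anti-phish policy with impersonation protection: $([bool]$phish)"
```

On a reseller-managed tenant with a restricted admin role, several of these calls will fail or return nothing, which is itself the finding: you cannot prove the control because you cannot read it.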


I Work With Small Businesses Across the Mid-Atlantic

If you are a small business in Columbia, MD, Northern Virginia, Washington DC, Maryland, Pennsylvania, West Virginia, or Delaware, this is something I can help you get ahead of.

Whether you are running a standard Microsoft 365 Business setup, pursuing CMMC compliance, or just want to know where your environment actually stands, I can walk through it with you and build a plan that makes sense for your business.


My Microsoft 365 security services for small businesses include:

  • Full Microsoft 365 security assessment

  • Defender configuration and policy management

  • DKIM, DMARC, and SPF setup

  • Tenant migration from reseller to direct Microsoft management

  • Conditional access and MFA enforcement

  • Audit logging setup and documentation

  • CMMC Level 2 technical implementation support


Frequently Asked Questions: Microsoft 365 Security for Small Business

Is Microsoft 365 secure when you first buy it?

No. Microsoft provides powerful security tools, but they are not turned on by default. Every small business using Microsoft 365 needs to have those features configured by someone who knows what they are doing.


What is the difference between per-user MFA and conditional access MFA?

Per-user MFA can be turned on and off at the account level and can be bypassed in certain scenarios. Conditional access MFA is policy-enforced at the tenant level and cannot be bypassed. For compliance purposes, conditional access is what assessors want to see.

Does it matter if my Microsoft 365 is through a reseller?

Yes, it can. Reseller-managed tenants often give you a restricted admin portal, which limits your ability to configure advanced security features, pull audit logs, and document your security posture. For businesses pursuing compliance, this is often a significant gap.


What is CMMC and do I need it?

CMMC stands for Cybersecurity Maturity Model Certification. If your business works with the Department of Defense as a contractor or subcontractor and handles Controlled Unclassified Information, you will likely need to meet CMMC requirements. Level 2 requires a third-party assessment.


Can I get compliant without migrating off my current reseller?

It depends on the reseller and the compliance level you need. For CMMC Level 2, a direct Microsoft tenancy with full admin access is almost always required. For general security improvements, it depends on what your reseller gives you access to.


How do I know if my Microsoft 365 is properly set up?

The honest answer is you probably do not know unless someone specifically audited it. Most security gaps in Microsoft 365 are invisible in day-to-day use. A security assessment will show you exactly where things stand.


What does a Microsoft 365 security assessment involve?

I review your tenant configuration, check which security features are enabled or missing, look at your email authentication setup, audit log availability, MFA policies, and admin access controls. From there I give you a clear picture of what is in place and what needs to change.


Do you help with CMMC implementation, not just assessment?

Yes. My role is on the implementation side. I take the findings from a compliance assessment and do the actual technical work inside your Microsoft 365 environment and broader IT infrastructure to close the gaps.


Ready to Find Out Where Your Environment Actually Stands?

Most small businesses do not find out their Microsoft 365 was never properly configured until something goes wrong. A compromised account. A failed audit. A compliance gap that costs real money to fix under pressure.


Getting ahead of it is always easier than cleaning it up after the fact.

Based in Columbia, MD, serving small businesses and government contractors across the DMV, Northern Virginia, Maryland, Pennsylvania, West Virginia, and Delaware.

