Microsoft 365 Security: The Five Settings Every Texas Small Business Should Turn On
Across the Texas environments I take over from another IT provider (or from businesses still running things themselves) there is a remarkably consistent pattern with Microsoft 365: the tenant is provisioned, the licenses are paid, and the security settings are sitting exactly where Microsoft left them. That means roughly 80% of the attacks I actually see in the field are attacks Microsoft already gives you the tools to block, for free, in the plan the business already pays for.
This is the short list. Five settings. Each one is free at the Microsoft 365 Business Basic / Business Standard / Business Premium tier. Each one takes ten minutes or less to enable. Each one matters.
1. Enforce multi-factor authentication for every user, no exceptions
If you do nothing else on this list, do this. Multi-factor authentication is the single biggest reduction in account-compromise risk available to a small business. Microsoft's own published numbers put it at roughly a 99% reduction in account compromise. My own field experience over the last several years is consistent with that: every M365 account compromise I've responded to where MFA was actually enforced was a phishing-of-the-MFA-token attack, not a basic credential-stuffing attack. Without MFA, the attacks I see are trivially successful.
Where to turn it on
In the Microsoft Entra admin center (formerly Azure AD): Identity > Protection > Conditional Access > Policies. Create a policy that requires MFA for all users, all cloud apps, with a sensible exclusion only for emergency break-glass accounts (and those break-glass accounts should have a 30-character random password stored in your password vault).
If you're on Business Basic or Business Standard and don't have Conditional Access available, use Security defaults instead: Entra admin center > Identity > Overview > Properties > Manage security defaults. It's not as flexible, but it gets you 90% of the way there. (The two are mutually exclusive: when you later move to Conditional Access, security defaults get turned off.)
What it means for users
Every user will be prompted to re-register MFA the next time they sign in from a new device. Almost everyone will choose the Microsoft Authenticator app, and a small number of stubborn holdouts will choose SMS. Both are better than the status quo of password-only. The Authenticator app is meaningfully stronger and is what I recommend for every Texas business I onboard.
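The same "require MFA for everyone, exclude only break-glass" policy built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, the signed-in admin can write Conditional Access policies (Entra ID P1, which Business Premium includes), and that the placeholder object ID is replaced with your break-glass account's.

```powershell
# Added example (not from the original post): create the step 1 Conditional
# Access policy from PowerShell instead of clicking through the Entra portal.
# Assumptions: Microsoft.Graph module installed; admin can write CA policies;
# $BreakGlassObjectId is a placeholder for your break-glass account's object ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassObjectId = "00000000-0000-0000-0000-000000000000"  # placeholder, replace

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabled"   # use "enabledForReportingButNotEnforced" to pilot first
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($BreakGlassObjectId)   # the only exclusion
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the shape that matters: all users, all apps,
# MFA required, exactly one excluded account.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name          = $check.DisplayName
    State         = $check.State
    IncludeUsers  = $check.Conditions.Users.IncludeUsers -join ","
    ExcludedCount = @($check.Conditions.Users.ExcludeUsers).Count
    Controls      = $check.GrantControls.BuiltInControls -join ","
}
```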
2. Block legacy authentication protocols
Legacy authentication (POP3, IMAP4, SMTP AUTH, older Outlook clients, and the like) predates MFA and cannot enforce it. Every credential-stuffing attack I have personally cleaned up in a Texas environment got in through legacy auth, not modern auth. If your users have already moved to modern Outlook clients and the Microsoft Authenticator app (which they have, even if no one told them), you can almost certainly block legacy auth and nothing will break.
Where to turn it off
In the Microsoft Entra admin center: Identity > Protection > Conditional Access > Policies > New policy > Block legacy authentication. Microsoft publishes a baseline template for this; use it. Apply to all users, exclude break-glass accounts, set the access control to Block access.
Before you hit Save, set the policy to Report-only mode for a week. The sign-in logs will show you which accounts are still using legacy protocols. Fix or migrate those accounts. Then flip the policy to On.
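The check behind that report-only week, as an added example that is not part of the original post: it pulls the last seven days of interactive sign-ins from the Entra sign-in log through Microsoft Graph, lists every account still authenticating with a legacy protocol, and flips the block policy to On only when that list is empty. It assumes the Microsoft.Graph module, an account that can read sign-in logs (Entra ID P1, included in Business Premium), and that $PolicyName is the display name you gave the block-legacy-auth policy (placeholder).

```powershell
# Added example (not from the original post): review the sign-in log during the
# report-only week from step 2, then enforce the policy once nothing is left.
# Assumptions: Microsoft.Graph module installed; reader access to sign-in logs;
# $PolicyName is a placeholder for your block-legacy-auth policy's display name.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.ReadWrite.ConditionalAccess"

$PolicyName = "CA002 - Block legacy authentication"   # placeholder
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

# Modern auth shows up as one of these two client types; everything else
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, "Other clients", ...)
# is legacy and will be blocked once the policy is enforced.
$modern = @("Browser", "Mobile Apps and Desktop clients")

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern }

$report = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            Protocol  = $_.Group[0].ClientAppUsed
            SignIns   = $_.Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        }
    } | Sort-Object SignIns -Descending

$report | Format-Table -AutoSize

# Only when the report is empty (or every remaining row is an account you have
# deliberately migrated or excluded) flip the policy from report-only to On.
if (-not $report) {
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$PolicyName'"
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
        -BodyParameter @{ state = "enabled" }
}
```

A successful legacy sign-in (Succeeded greater than zero) with a password-only account is exactly the path the post describes, so migrate those accounts first.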
3. Turn on the anti-phishing policy with impersonation protection
Microsoft's default anti-phishing policy in Microsoft 365 is okay. The anti-phishing policy with impersonation protection enabled, which is included in Microsoft 365 Business Premium and Defender for Office 365 plans, is meaningfully better. The most common targeted attack on small Texas businesses I see in 2026 is what people call "CEO fraud" or "vendor invoice fraud": a sender that looks like your boss or your bookkeeper, asking for a wire transfer or a gift-card purchase. Impersonation protection is specifically designed to catch this.
Where to turn it on
In the Microsoft Defender portal (security.microsoft.com): Email & collaboration > Policies & rules > Threat policies > Anti-phishing. Edit the default policy. Under Impersonation, add your owner, your bookkeeper, and your top vendor email domains. Set the action for impersonated users to Quarantine the message and for impersonated domains to Move to Junk.
This single setting has prevented at least three wire-fraud attempts at BVTech client environments in the last twelve months alone. It is worth the ten minutes.
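The same edit to the default anti-phishing policy done in Exchange Online PowerShell, as an added example that is not part of the original post. It goes slightly beyond the steps above by also protecting your own tenant domains and turning on mailbox intelligence. It assumes the ExchangeOnlineManagement module, a tenant with Defender for Office 365 (included in Business Premium), and that the names, addresses and domains shown are placeholders for your owner, bookkeeper and top vendors.

```powershell
# Added example (not from the original post): apply step 3's impersonation
# protection to the default anti-phishing policy, then read it back.
# Assumptions: ExchangeOnlineManagement module installed; Defender for Office 365
# licensed; all names, addresses and domains below are placeholders.
Connect-ExchangeOnline

# "Display Name;email" is the format Set-AntiPhishPolicy expects for users.
$ProtectedUsers = @(
    "Jane Owner;jane@example.com",        # placeholder
    "Sam Bookkeeper;sam@example.com"      # placeholder
)
$ProtectedDomains = @("vendor-one.example", "vendor-two.example")  # placeholders

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $ProtectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $ProtectedDomains `
    -TargetedDomainProtectionAction MoveToJmf `
    -EnableOrganizationDomainsProtection $true `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true

# Verify the settings a lookalike "CEO" or "vendor" sender would run into.
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableTargetedUserProtection, TargetedUserProtectionAction,
                  EnableTargetedDomainsProtection, TargetedDomainProtectionAction,
                  EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection |
    Format-List
```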
4. Enable unified audit logging, before you need it
If something does go wrong (an account is compromised, a mailbox forwarding rule is mysteriously created, files are exfiltrated from SharePoint) the first question an investigator or insurance carrier will ask is: do you have the audit logs?
Microsoft 365 ships with unified audit logging available, but it is not always turned on by default in older tenants. In every tenant I touch, the first thing I do is verify it's on, and verify it's been on for long enough to be useful.
Where to turn it on
In the Microsoft Purview portal: Audit > Start recording user and admin activity. If the button is missing, it's already on; verify by running a quick search for any activity in the last 24 hours.
Audit retention varies by license. Business Basic and Business Standard get 90 days. Business Premium gets a year. If you handle regulated data, longer retention is available as an add-on and is usually worth it.
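The same verification from Exchange Online PowerShell, as an added example that is not part of the original post: it confirms unified audit logging is on (and enables it if not), proves the log is recording, and then runs the search an investigator asks for first, new or changed inbox rules in the last 30 days, flagging any that forward or redirect mail. It assumes the ExchangeOnlineManagement module and an Exchange or Global admin account.

```powershell
# Added example (not from the original post): step 4's audit-log check plus a
# forwarding-rule hunt over the unified audit log.
# Assumptions: ExchangeOnlineManagement module installed; Exchange or Global
# admin; a 30-day window fits your retention (90 days Basic/Standard, a year Premium).
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit logging was OFF; now enabled. Nothing before this moment was recorded."
}

# Sanity check: any activity at all in the last 24 hours.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 10
"Audit events in the last 24h (sample of up to 10): $(@($recent).Count)"

# Inbox-rule hunt: a forwarding rule is the classic sign of a compromised mailbox.
$rules = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "New-InboxRule", "Set-InboxRule", "UpdateInboxRules" -ResultSize 5000

$rules | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    # ExchangeAdmin records carry the cmdlet parameters; other record types may not.
    $params = @($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
    [pscustomobject]@{
        When      = $d.CreationTime
        Actor     = $d.UserId
        Operation = $d.Operation
        Forwards  = [bool]($params -match "ForwardTo|ForwardAsAttachmentTo|RedirectTo")
        ClientIP  = $d.ClientIP
        Params    = $params
    }
} | Sort-Object Forwards -Descending | Format-Table -AutoSize
```

Any row with Forwards set to True that nobody in the business recognizes is worth a same-day look at that mailbox.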
5. Read your Secure Score, then act on the top five recommendations
Microsoft Secure Score is built into the Defender portal and gives your tenant a quantified security posture rating from 0 to whatever the maximum is for your license set. More importantly, it gives you a ranked, prioritized list of specific recommendations, most of which are one-click fixes.
Where to read it
In the Microsoft Defender portal: Exposure management > Secure Score. Microsoft will show you your current score, the score of comparable organizations, and a list of recommended actions sorted by impact-to-effort ratio.
I tell every client this: don't try to chase a perfect score. Most Texas small businesses can comfortably sit at 60-75% and be operating in a very strong security posture for their size. What matters is the top five recommendations the score lists for you: go through them, implement what makes sense for your environment, and revisit quarterly.
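Pulling that top five through Microsoft Graph instead of re-reading the portal each quarter, as an added example that is not part of the original post: it reads the latest score snapshot and lists the five controls with the most points still unearned, with Microsoft's effort and user-impact ratings beside each. It assumes the Microsoft.Graph module, an account that can read security data, and property names as defined by the Graph secureScore and secureScoreControlProfile resources.

```powershell
# Added example (not from the original post): step 5's "top five" from the
# Secure Score API, ranked by points still on the table.
# Assumptions: Microsoft.Graph module installed; account can read security data;
# property names follow Graph's secureScore / secureScoreControlProfile resources.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# The newest score snapshot is returned first.
$score = Get-MgSecuritySecureScore -Top 1
"Current score: $($score.CurrentScore) of $($score.MaxScore) ({0:P0})" -f ($score.CurrentScore / $score.MaxScore)

# Control profiles carry each control's maximum points, title and effort/impact.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All |
    Where-Object { -not $_.Deprecated } |
    ForEach-Object { $profiles[$_.Id] = $_ }

$top5 = $score.ControlScores |
    ForEach-Object {
        $p = $profiles[$_.ControlName]
        if ($null -ne $p) {
            [pscustomobject]@{
                Control    = $p.Title
                Earned     = [math]::Round($_.Score, 1)
                Max        = $p.MaxScore
                Remaining  = [math]::Round($p.MaxScore - $_.Score, 1)
                Effort     = $p.ImplementationCost
                UserImpact = $p.UserImpact
                Category   = $_.ControlCategory
            }
        }
    } |
    Where-Object { $_.Remaining -gt 0 } |
    Sort-Object Remaining -Descending |
    Select-Object -First 5

$top5 | Format-Table -AutoSize
```

Controls that are already covered by steps 1 through 4 above (MFA for all users, blocking legacy auth, audit logging) normally drop off this list once those policies have been in place for a day or two.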
What this gets you
The five settings above, applied together, will block the overwhelming majority of opportunistic attacks against your Microsoft 365 tenant. They will not protect you from targeted attacks by a determined attacker, and they will not substitute for layered endpoint protection, a tested backup, user training, and a documented incident response plan. But they will block the kind of low-effort, automated, credential-stuffing-and-phishing attacks that account for almost every Texas small business compromise I see in the field.
None of it costs extra. Most of it takes under an hour. If you'd like help implementing it, or if you want a second pair of eyes on what's already turned on in your tenant, that's exactly the kind of work BVTech does for Texas businesses every week.