Security defaults & key settings in Microsoft 365
The baseline security settings every Microsoft 365 business account should have — including security defaults, admin account protection, and app permissions.
Microsoft 365 includes a range of security features. Many of them are not turned on by default. This guide covers the most important settings to review and enable — even if you have no IT background.
Quick summary
The most important security steps for Microsoft 365 are: turn on security defaults (which enables MFA for everyone), limit the number of global admins, review which apps have access to your account, and make sure your admin accounts have strong passwords. Most of these take five minutes each.
1. Turn on security defaults
Security defaults is a free Microsoft feature that automatically turns on multi-factor authentication (MFA) and blocks risky sign-ins for your whole organization. It's designed for small businesses that don't have a dedicated IT team.
If you haven't already, enable this first. See the full guide: Turning on multi-factor authentication.
2. Limit global admin accounts
A global admin has unlimited access to everything in your Microsoft 365 account. The fewer global admin accounts you have, the smaller the target for attackers.
Best practice:
- Have two global admin accounts — one for everyday use, one as a backup in case the first is ever locked out.
- Everyone else should have more limited admin roles (or no admin role at all).
To review your admins:
- Sign in to the admin center at admin.microsoft.com.
- Go to Users → Active users.
- Filter by role: look for the Roles filter or column. Check who has the Global administrator role.
- Remove the global admin role from anyone who doesn't need full access. Assign a more specific role instead (like User admin or Billing admin).
3. Use a dedicated admin account
Many admins use their regular work email account for admin tasks. This is a risk — if that email is compromised through a phishing attack, the attacker immediately has admin access.
Best practice: Create a separate account just for admin tasks (for example, admin@yourcompany.com) that is not used for day-to-day email. Protect it with MFA and a strong, unique password.
Use the dedicated admin account only for admin tasks
Don't use your admin account to read email, browse the web, or do everyday work. It should only be used when you need to make changes in the admin center.
4. Review app permissions
Third-party apps can request access to your Microsoft 365 data — this happens when you or your team install apps or authorize services. It's worth reviewing what has been granted access.
- Go to the Microsoft 365 admin center and navigate to Settings → Org settings → Services.
- Look for Integrated apps or visit the Azure Active Directory portal for a full list of app permissions.
- Review any unfamiliar apps and revoke access to anything you don't recognize or no longer use.
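If you prefer to check these settings from a script rather than clicking through the portals, the following read-only check covers sections 1, 2 and 4 above. It is an added example, not part of this guide or of Microsoft's documentation, and it assumes the Microsoft Graph PowerShell SDK is installed (Install-Module Microsoft.Graph) and that you sign in with an account allowed to read directory and policy data; the "two admins" threshold is the best practice stated in section 2.

```powershell
# Added example (not from the original guide): read-only audit of security
# defaults, global admin count and tenant-wide app consents via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed; nothing here changes settings.
Connect-MgGraph -Scopes "Policy.Read.All", "RoleManagement.Read.Directory", "Directory.Read.All"

# Section 1: security defaults should report IsEnabled = True
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# Section 2: who holds the Global Administrator role (filtered client-side,
# since the directory role list is short)
$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
"Global administrators: $($members.Count)"
foreach ($m in $members) {
    # Members are returned as generic directory objects; the UPN lives in AdditionalProperties
    "  " + $m.AdditionalProperties["userPrincipalName"]
}
if ($members.Count -gt 2) {
    Write-Warning "More than two global admins - review who really needs full access (section 2)."
}

# Section 4: delegated permissions that an admin consented to for the whole
# organisation (ConsentType AllPrincipals); review any app you don't recognise
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "AllPrincipals" } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{ App = $sp.DisplayName; Scopes = $_.Scope }
    } | Format-Table -AutoSize
```

The script only reads; revoking an app or removing a role is still done in the admin center as described above.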
5. Enable audit logging
Audit logs record who did what in your Microsoft 365 environment — sign-ins, file access, permission changes, and more. This is important for spotting suspicious activity and responding to security incidents.
Audit logging may need to be turned on explicitly:
- Go to the Microsoft Purview compliance portal (accessible from the admin center under Compliance).
- Search for Audit in the left navigation.
- Turn on auditing if it isn't already enabled. Microsoft will start recording activity from this point forward.
6. Check password policies
Review your password policy to make sure it's sensible. Go to Settings → Org settings → Security & privacy → Password expiration policy.
Microsoft's current guidance: do not force frequent password changes unless you also have MFA enabled. Instead, focus on strong initial passwords and MFA. See Resetting a user's password for more.
7. Check the Secure Score
Microsoft provides a Secure Score — a measure of how secure your Microsoft 365 setup is, with specific recommendations to improve it.
Find it by searching "Secure Score" in the admin center, or go to the Microsoft 365 Defender portal. Each recommendation comes with step-by-step instructions.