Secure your Microsoft 365 environment with these essential settings. A practical guide for Canadian SMBs to prevent breaches and meet compliance.
Microsoft 365 is the backbone of most Canadian small and medium-sized businesses. Email, file storage, collaboration, calendars, video calls — it all runs through Microsoft's cloud ecosystem. Over 80% of Canadian SMBs rely on some combination of Outlook, Teams, SharePoint, and OneDrive for daily operations.
Here's the problem: most businesses deploy Microsoft 365 with its default settings and never look back. Those defaults prioritize convenience over security. They leave doors open that attackers know exactly how to exploit — and they do, relentlessly. Compromised Microsoft 365 accounts are one of the most common entry points in business email compromise attacks, which cost organizations billions globally every year.
The good news? Microsoft 365 includes powerful security features at every subscription tier. Most of them just need to be turned on. This guide walks Canadian SMB owners and IT managers through the most impactful security settings you should enable today — no enterprise budget or dedicated security team required.
If you do nothing else after reading this article, enable Multi-Factor Authentication (MFA) for every user in your organization. MFA requires users to verify their identity with a second factor — typically a code from the Microsoft Authenticator app or a text message — in addition to their password.
Microsoft's own security research confirms that MFA blocks over 99.9% of automated account compromise attacks. Without it, a single stolen or guessed password gives an attacker full access to email, files, and everything connected to that account.
Navigate to the Microsoft 365 admin centre, then go to Users > Active Users > Multi-factor authentication. From there you can enable MFA for individual users or in bulk. For the strongest protection, use Security Defaults (found under Azure Active Directory > Properties > Manage Security Defaults), which enforces MFA for all users and blocks legacy authentication protocols simultaneously.
For businesses on Microsoft 365 Business Premium or higher, Conditional Access policies offer more granular control — requiring MFA only from untrusted locations or unfamiliar devices, for example. But Security Defaults is the right starting point for most SMBs and costs nothing extra.
One critical note: require the Microsoft Authenticator app rather than SMS codes. SIM-swapping attacks can intercept text messages, but app-based authentication is significantly more resistant to interception.
Legacy authentication protocols — POP3, IMAP, and older versions of Exchange ActiveSync — don't support MFA. Attackers know this. They specifically target these protocols to bypass your MFA enforcement entirely.
If you enabled Security Defaults in the previous step, legacy authentication is already blocked. If you're using Conditional Access instead, create a policy that explicitly blocks legacy authentication for all users. You can verify whether legacy protocols are being used in your tenant by checking the Azure AD Sign-in Logs and filtering by client app type.
Some older email clients and devices may stop working after this change. That's actually the point — those clients are security liabilities. Migrate any holdout users to Outlook desktop, Outlook mobile, or Outlook on the web before flipping the switch.
Email spoofing — where attackers send emails that appear to come from your domain — is a cornerstone of phishing and business email compromise. Three complementary DNS records protect your domain from being impersonated:
SPF (Sender Policy Framework) tells receiving mail servers which servers are authorized to send email on behalf of your domain. Microsoft 365 provides a specific SPF record to add to your DNS settings. Without SPF, anyone can send emails that appear to come from your domain.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails, proving they haven't been tampered with in transit. Enable DKIM in the Microsoft 365 Defender portal under Email & collaboration > Policies & rules > Threat policies > DKIM.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication — quarantine them, reject them, or just monitor. Start with a monitoring policy (p=none), review the reports, and progressively tighten to p=quarantine and eventually p=reject.
Together, these three records dramatically reduce the chance that someone can impersonate your business via email — protecting your clients, your reputation, and your team from inbound spoofed messages. If your domain doesn't have all three configured, this should be a priority this week.
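The following is an added example, not code from the article or from Sonark: a read-only PowerShell check that resolves the three records for one domain and grades each against the guidance above. It assumes Windows with the DnsClient module (Resolve-DnsName) and uses contoso.ca as a placeholder domain.

```powershell
# Added example (not from the article). Read-only DNS check of SPF, DKIM and DMARC for one domain,
# using Resolve-DnsName from the Windows DnsClient module. 'contoso.ca' is a placeholder domain.
function Test-M365MailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    # A long TXT record may be split into several strings; join each record back together
    $txtOf = { param($name) @(Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
                  Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }) }

    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one v=spf1 record, including Microsoft's senders, and never a permissive +all
    $spf = @(& $txtOf $Domain | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0) { $result.SPF = 'MISSING' }
    elseif ($spf.Count -gt 1) { $result.SPF = 'INVALID: more than one SPF record published' }
    elseif ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') { $result.SPF = "WEAK: Microsoft 365 not included ($($spf[0]))" }
    elseif ($spf[0] -match '\+all') { $result.SPF = "WEAK: +all authorises every sender ($($spf[0]))" }
    else { $result.SPF = "OK: $($spf[0])" }

    # DKIM: Microsoft 365 signs with selector1 and selector2; each must be a CNAME to the
    # <selector>-<domain-with-dashes>._domainkey.<tenant>.onmicrosoft.com name shown in the Defender portal
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                     Where-Object Type -eq 'CNAME'
        $result["DKIM_$sel"] = if ($cname) { "OK: $($cname.NameHost)" } else { 'MISSING' }
    }

    # DMARC: p= is the policy (none -> quarantine -> reject); rua= is where the aggregate reports go,
    # and without it there is nothing to review before tightening the policy
    $dmarc = @(& $txtOf "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    if ($dmarc.Count -eq 1 -and $dmarc[0] -match 'p=(none|quarantine|reject)') {
        $result.DMARC        = "OK: $($dmarc[0])"
        $result.DMARCPolicy  = $Matches[1]
        $result.DMARCReports = if ($dmarc[0] -match 'rua=') { 'aggregate reports configured' } else { 'no rua= tag: reports will not be delivered' }
    } else {
        $result.DMARC = 'MISSING'
    }
    [pscustomobject]$result
}

Test-M365MailAuth -Domain 'contoso.ca' | Format-List
```

A DMARCPolicy of none means the domain is still in monitoring mode; the article's progression is to quarantine and then reject once the reports look clean.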
Mailbox audit logging tracks who accesses each mailbox and what actions they take — reading emails, deleting messages, forwarding rules being created, and more. This data is invaluable during incident investigation and is often required by cyber insurance underwriters and compliance auditors.
Microsoft has enabled audit logging by default for most tenants since 2019, but it's worth verifying. In the Microsoft Purview compliance portal, navigate to Audit and confirm that auditing is active for your organization. For individual mailboxes, you can verify with PowerShell using Get-Mailbox -Identity user@domain.com | Format-List AuditEnabled.
Under PIPEDA and provincial privacy legislation in Canada, maintaining audit trails of access to personal information isn't just a best practice — it supports your ability to investigate and report breaches within the mandatory notification timelines. Canada Breaches tracks incidents where inadequate logging delayed breach detection and response, compounding the damage.
One of the first things attackers do after compromising a Microsoft 365 account is create an inbox forwarding rule. This silently copies all incoming email to an external address, giving the attacker persistent access to sensitive communications even after the password is changed.
To prevent this, disable automatic external forwarding at the tenant level. In the Exchange admin centre, go to Mail flow > Remote domains > Default and set Automatic forwarding to Off. This prevents any user — or any attacker controlling a user's account — from setting up external forwarding rules.
Additionally, audit existing forwarding rules across all mailboxes. In Exchange Online PowerShell, run Get-Mailbox -ResultSize Unlimited | Get-InboxRule | Where-Object {$_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo} | Format-Table MailboxOwnerId, Name, ForwardTo. Any unexpected forwarding rules should be investigated immediately — they may indicate a compromised account.
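As an added example (not the article's own one-liner, and not Sonark code), the function below extends that audit to the two layers the inbox-rule query cannot see: the tenant-level remote-domain switch and mailbox-level forwarding set through mailbox properties. It assumes a session opened with Connect-ExchangeOnline from the ExchangeOnlineManagement module and is read-only.

```powershell
# Added example (not from the article). Assumes a connected Exchange Online PowerShell session
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module). Read-only: it reports
# forwarding at every layer but changes nothing.
function Get-ForwardingExposure {
    # 1. The tenant-level switch the article describes (Mail flow > Remote domains > Default)
    $remote = Get-RemoteDomain -Identity Default
    if ($remote.AutoForwardEnabled) {
        Write-Warning 'Default remote domain still allows automatic forwarding to external addresses.'
    }

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # 2. Mailbox-level forwarding (set by an admin, or by whoever controls an admin account),
        #    which a Get-InboxRule audit never sees
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox        = $mbx.UserPrincipalName
                Source         = 'MailboxProperty'
                Rule           = $null
                Target         = (@($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }) -join ', '
                KeepsLocalCopy = $mbx.DeliverToMailboxAndForward
            }
        }
        # 3. Inbox rules that forward or redirect; disabled rules are included because they can be re-enabled
        Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox        = $mbx.UserPrincipalName
                    Source         = "InboxRule (enabled=$($_.Enabled))"
                    Rule           = $_.Name
                    Target         = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }) -join ', '
                    KeepsLocalCopy = -not $_.RedirectTo   # a redirect removes the copy from the owner's inbox
                }
            }
    }
}

# Anything pointing outside your own domain is the first thing to investigate.
Get-ForwardingExposure | Sort-Object Mailbox | Format-Table -AutoSize
```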
Microsoft 365 Business Premium and E5 subscriptions include Microsoft Defender for Office 365, which offers advanced anti-phishing capabilities beyond basic spam filtering.
In the Microsoft 365 Defender portal, navigate to Email & collaboration > Policies & rules > Threat policies > Anti-phishing. Configure the following:
Even with strong technical controls, phishing emails will occasionally reach inboxes. That's why pairing these settings with ongoing security awareness training and phishing simulations is essential — technology and trained employees together form a much stronger defense than either alone.
Also part of Microsoft Defender for Office 365, Safe Attachments opens email attachments in a sandboxed environment before delivering them, detonating any malicious payloads before they reach the user. Safe Links rewrites URLs in emails and Office documents, checking them at click time against Microsoft's threat intelligence database.
Enable both in the Threat policies section of the Defender portal. For Safe Attachments, select Dynamic Delivery mode, which delivers the email body immediately while scanning the attachment — minimizing workflow disruption while maintaining protection.
These features are particularly important for Canadian businesses handling sensitive financial or personal data. A single malicious attachment can deploy ransomware across your network in minutes, and Canada Breaches regularly documents incidents that began with exactly this vector.
How many Global Administrators does your Microsoft 365 tenant have? If the answer is more than two or three, you have a problem. Every Global Admin account is a high-value target for attackers — compromising one gives complete control over your entire environment.
Audit your admin roles in the Microsoft 365 admin centre under Roles > Role assignments. Apply the principle of least privilege: users should have only the permissions they need to do their job. Someone who manages SharePoint doesn't need Global Admin rights. Someone who resets passwords can be a Helpdesk Administrator instead.
For the Global Admin accounts you do maintain, ensure they have MFA enabled, use strong unique passwords, and are not used for daily email or browsing. Ideally, create dedicated admin accounts separate from regular user accounts — so your administrator logs in with admin@yourdomain.com only when performing admin tasks, not with their everyday mailbox.
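One way to put numbers on that audit, as an added example rather than anything from the article or Sonark: list the current Global Administrator members through Microsoft Graph PowerShell and warn when the count exceeds the guideline above. It assumes the Microsoft.Graph module with a session opened by Connect-MgGraph using the RoleManagement.Read.Directory and User.Read.All scopes; the admin-prefix heuristic is an assumption, not a Microsoft convention.

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph PowerShell module and a session
# opened with Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'. Lists who
# holds Global Administrator and warns when the count exceeds the article's guideline.
function Get-GlobalAdminReport {
    param([int]$MaxRecommended = 3)
    # A directory role is only visible once activated in the tenant; Global Administrator always is
    $role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
    if (-not $role) { throw 'Global Administrator role not found in this tenant.' }

    $report = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $props = $m.AdditionalProperties          # members are generic directoryObjects; details live here
        $upn   = $props['userPrincipalName']
        $kind  = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''   # user, group or servicePrincipal
        $principal = if ($upn) { $upn } else { $props['displayName'] }
        # Heuristic only (assumption): a prefix such as adm- or admin. suggests a dedicated admin
        # account rather than someone's everyday mailbox, which the article recommends separating
        $dedicated = [bool]($upn -match '^(adm|admin)[-._]')
        [pscustomobject]@{
            Kind                    = $kind
            Principal               = $principal
            Id                      = $m.Id
            LooksLikeDedicatedAdmin = $dedicated
        }
    }
    $count = @($report).Count
    if ($count -gt $MaxRecommended) {
        Write-Warning "$count Global Administrator assignments; the target is $MaxRecommended or fewer."
    }
    $report
}

Get-GlobalAdminReport | Format-Table -AutoSize
```

Eligible (not yet activated) assignments made through Privileged Identity Management are not directory role members and will not appear here; review those in PIM separately.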
The Unified Audit Log captures activity across Exchange, SharePoint, OneDrive, Teams, and Azure AD in a single searchable location. This is your forensic evidence in the event of an incident and your compliance trail for regulatory purposes.
Verify it's enabled in the Microsoft Purview compliance portal under Audit. Then configure Alert policies (under Policies > Alert policies) to notify you of suspicious activity automatically. Key alerts to enable include unusual volume of file deletions, external sharing of sensitive documents, mailbox forwarding rule creation, elevation of admin privileges, and sign-ins from unusual locations or impossible travel patterns.
These alerts transform your Microsoft 365 environment from a passive system into an active monitoring platform that flags potential compromises in real time — without requiring a dedicated security operations centre.
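Alert policies notify you going forward; the Unified Audit Log also lets you look back. As an added example (not from the article or Sonark), the function below searches it for two of the conditions just listed, inbox-rule creation and admin-role elevation, and grades each hit. It assumes a Connect-ExchangeOnline session whose account holds the Audit Logs role, and the AuditData field layout described in the comments is taken from the log's own JSON.

```powershell
# Added example (not from the article). Assumes a connected Exchange Online PowerShell session
# (Connect-ExchangeOnline) whose account holds the Audit Logs role. Searches the Unified Audit
# Log for two of the alert conditions the article lists: inbox-rule creation and admin elevation.
function Find-SuspiciousAuditEvents {
    param([int]$Days = 7)
    # Exact operation names as they appear in the log ('Add member to role.' includes the period)
    $ops = 'New-InboxRule', 'Set-InboxRule', 'Add member to role.'
    $events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                  -Operations $ops -ResultSize 5000

    foreach ($e in $events) {
        $d = $e.AuditData | ConvertFrom-Json      # the per-event detail is a JSON string
        switch -Wildcard ($e.Operations) {
            '*-InboxRule' {
                # Parameters is a list of Name/Value pairs; pull the rule name and any forwarding targets
                $p = @{}
                foreach ($kv in $d.Parameters) { $p[$kv.Name] = $kv.Value }
                $target = @($p['ForwardTo'], $p['ForwardAsAttachmentTo'], $p['RedirectTo'] | Where-Object { $_ }) -join ', '
                $risk = if ($target) { 'HIGH: rule forwards or redirects mail' } else { 'review' }
                [pscustomobject]@{
                    Time = $e.CreationDate; Actor = $e.UserIds; Operation = $e.Operations
                    Detail = "rule '$($p['Name'])' -> $target"; ClientIP = $d.ClientIP; Risk = $risk
                }
            }
            'Add member to role.' {
                # ModifiedProperties carries the role name; Target carries the account that was added
                $role = ($d.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue
                $risk = if ($role -like '*Global Administrator*') { 'HIGH: Global Admin granted' } else { 'review' }
                [pscustomobject]@{
                    Time = $e.CreationDate; Actor = $e.UserIds; Operation = $e.Operations
                    Detail = "$($d.Target[0].ID) added to $role"; ClientIP = $d.ActorIpAddress; Risk = $risk
                }
            }
        }
    }
}

Find-SuspiciousAuditEvents -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Search-UnifiedAuditLog returns at most 5000 rows per call; on a busy tenant shorten the window or page through results with -SessionCommand ReturnLargeSet.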
Default sharing settings in SharePoint and OneDrive are often far too permissive. Review and tighten them in the SharePoint admin centre under Policies > Sharing.
Set external sharing to the most restrictive level your business can tolerate. For most SMBs, "New and existing guests" (requiring sign-in) is the right balance between collaboration and security. Disable "Anyone" links — these create unauthenticated access links that can be forwarded to anyone.
Set link expiration policies so shared links automatically expire after a defined period. Enable access requests so users must request sharing permissions rather than granting them unilaterally. And review existing shared links periodically to identify and revoke stale or unnecessary access.
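The tenant-wide version of those settings can be checked from PowerShell. The following is an added example (not the article's or Sonark's code) that compares the current SharePoint Online tenant settings with the recommendations above; it assumes the Microsoft.Online.SharePoint.PowerShell module and a session opened with Connect-SPOService against your tenant's admin URL (placeholder below), and the 30-day link lifetime is an assumed value.

```powershell
# Added example (not from the article). Assumes the Microsoft.Online.SharePoint.PowerShell module and
# Connect-SPOService -Url https://<tenant>-admin.sharepoint.com (placeholder URL). Compares the
# tenant-wide sharing settings with the article's recommendations; the Set-SPOTenant remediation
# is commented out so the check itself stays read-only.
function Test-SPOSharingPosture {
    param([int]$MaxLinkLifetimeDays = 30)   # assumed value; choose the lifetime your business can tolerate
    $t = Get-SPOTenant
    $checks = @(
        [pscustomobject]@{
            Setting  = 'SharingCapability'
            Current  = $t.SharingCapability
            Expected = 'ExternalUserSharingOnly (new and existing guests, sign-in required)'
            # ExternalUserAndGuestSharing is the level that permits unauthenticated "Anyone" links
            Pass     = $t.SharingCapability -ne 'ExternalUserAndGuestSharing'
        }
        [pscustomobject]@{
            Setting  = 'RequireAnonymousLinksExpireInDays'
            Current  = $t.RequireAnonymousLinksExpireInDays
            Expected = "1..$MaxLinkLifetimeDays (0 or -1 means anonymous links never expire)"
            Pass     = ($t.RequireAnonymousLinksExpireInDays -ge 1) -and ($t.RequireAnonymousLinksExpireInDays -le $MaxLinkLifetimeDays)
        }
        [pscustomobject]@{
            Setting  = 'ExternalUserExpirationRequired'
            Current  = $t.ExternalUserExpirationRequired
            Expected = 'True, so guest access to a site is re-validated after ExternalUserExpireInDays'
            Pass     = [bool]$t.ExternalUserExpirationRequired
        }
    )
    $checks
}

Test-SPOSharingPosture | Format-Table -AutoSize

# Remediation matching the article's recommendations; run deliberately, after reviewing the report:
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly -RequireAnonymousLinksExpireInDays 30 `
#               -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60
```

Access requests are a per-site setting rather than a tenant one, so they are not covered by this check.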
Data shared externally without controls is data you've lost visibility over. For Canadian businesses with obligations under PIPEDA to protect personal information, uncontrolled sharing is a compliance risk as much as a security risk.
Microsoft provides Secure Score — a built-in security posture assessment tool accessible in the Microsoft 365 Defender portal. Secure Score evaluates your current configuration against Microsoft's security recommendations and provides a numerical score with prioritized improvement actions.
Check your Secure Score today and document it as your baseline. Then commit to reviewing it quarterly, implementing the highest-impact recommendations each cycle. Most businesses can improve their Secure Score by 30-50% in the first quarter simply by enabling the settings described in this article.
Secure Score is also increasingly referenced by Canadian cyber insurance providers during underwriting. A documented history of improving security posture strengthens your negotiating position for better coverage terms and premiums. Many Sonark plans complement these technical settings with the human layer — training your team to recognize threats that bypass even well-configured systems.
Configuring Microsoft 365 security settings is essential, but it's only half the equation. The most secure tenant in the world can still be compromised if an employee enters their credentials on a phishing page or shares sensitive files with the wrong person.
Technical controls and human awareness work together. MFA stops automated attacks; trained employees stop sophisticated social engineering. Safe Links blocks known malicious URLs; awareness training helps people recognize the suspicious ones that haven't been catalogued yet.
Sonark's security awareness platform is built specifically for Canadian SMBs and integrates seamlessly alongside your Microsoft 365 environment — providing phishing simulations, bite-sized training modules, dark web monitoring, and compliance reporting in a single platform.
Every setting described in this guide can be implemented within a few hours. You don't need a consultant. You don't need an enterprise budget. You need someone with admin access, this guide, and a commitment to protecting your business and your clients' data.
Start with MFA. Then disable legacy authentication. Configure SPF, DKIM, and DMARC. Restrict forwarding rules. Review admin access. Check your Secure Score. Each step meaningfully reduces your attack surface.
Ready to pair these technical hardening measures with a security awareness program that trains your team to recognize what technology misses? Contact Sonark today to discuss a complete security strategy for your Canadian SMB — because the strongest Microsoft 365 security configuration is one backed by employees who know what to look for.