Most Canadian small businesses with 10–50 employees run on Microsoft 365 — Outlook, Teams, SharePoint, OneDrive, Word, Excel. It's familiar, it's everywhere, and Microsoft does a reasonable job keeping the platform itself secure.
But here's the part nobody tells you: when you signed up for Microsoft 365, Microsoft handed you a sturdy front door and a set of locks. They did not install the locks. That is your job, or your IT person's job.
In 2026, the difference between a Microsoft 365 tenant with the locks installed and one without is the difference between a routine Tuesday and a $200,000 ransomware incident. Carriers know this. That's why nearly every cyber-insurance questionnaire now asks specifically about M365 configuration.
Here are the eight settings every small business should have, in priority order, with plain-language explanations of what each one does and why it matters.
1. Multi-Factor Authentication enforced on every user
This is the single most important setting in your tenant. With MFA enforced, an attacker who steals or guesses an employee's password still can't log in without also stealing the second factor (typically the phone-based Authenticator app).
Microsoft published in 2024 that MFA blocks more than 99.9% of credential-based attacks. That number hasn't changed in 2026. It is the highest-leverage thirty minutes you will spend on cybersecurity, full stop.
If your IT person tells you MFA "would be too disruptive" or "the staff don't like it," push back. Modern MFA — using Microsoft Authenticator with the device-trust feature — prompts users only when they sign in from a new device or location. After the first setup week, most employees see a prompt once every few weeks. Not daily. Not even weekly.
How to check: In the Microsoft 365 admin centre, go to Users → Active Users → Multi-factor authentication. Every account should be "Enforced."
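For a tenant larger than a dozen people, clicking through the per-user list is slow and easy to get wrong. This added example (not from the original article) pulls the same answer from the Microsoft Graph authentication-method registration report. It assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account has a role that can read that report (Global Reader is enough).

```powershell
# Added example: report every user who has no MFA method registered, admins first.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "AuditLog.Read.All" -NoWelcome

# One row per user: whether MFA is registered, which methods, and whether the user holds an admin role.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$noMfa = $details | Where-Object { -not $_.IsMfaRegistered }

"{0} of {1} users have no MFA method registered" -f @($noMfa).Count, @($details).Count

# Admins without MFA are the most urgent fixes, so they sort to the top.
$noMfa |
    Sort-Object -Property IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize
```

A user can show IsMfaRegistered as true and still never be prompted if no Conditional Access policy requires MFA, which is why the registration report and the policies in point 2 are checked together.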
2. Conditional Access policies
Conditional Access is Microsoft's rule engine for who can access what, from where, on what device. It's where MFA enforcement actually gets configured properly, along with rules like "block sign-ins from countries we don't operate in" and "require MFA when accessing email from a personal device."
The recommended baseline policies for a small business:
- Require MFA for all users when accessing any cloud app
- Block legacy authentication (an old, weak way of connecting that's responsible for huge numbers of credential attacks)
- Require MFA for risky sign-ins (Microsoft's algorithm flags unusual sign-ins automatically)
- Block sign-ins from countries where your business has no presence
These four policies, properly configured, eliminate roughly 99% of practical credential attacks. They take an hour to set up correctly.
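The four baseline policies above can be created from PowerShell so that they are documented and repeatable. This is an added example, not code from the article or from Microsoft; it uses the Microsoft Graph PowerShell SDK and assumes the object ID of an emergency-access ("break-glass") admin account, shown as a placeholder, and that Canada is the only country the business operates from. Policy 3 (sign-in risk) needs Entra ID P2 licensing; the others work on the licensing included with most business plans. Everything is created in report-only mode so a week of sign-in logs can be reviewed before switching the state to enabled.

```powershell
# Added example: create the four baseline Conditional Access policies in report-only mode.
# Assumes the Microsoft Graph PowerShell SDK and a Conditional Access Administrator (or Global Admin) sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassId     = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of your emergency-access account
$allowedCountries = @("CA")                                  # assumption: the business only operates in Canada

# Report-only lets you see what WOULD be blocked without locking anyone out yet.
$reportOnly = "enabledForReportingButNotEnforced"

# Common scope: all users except the emergency-access account, all cloud apps.
$scope = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    applications = @{ includeApplications = @("All") }
}

# Policy 1: require MFA for all users on all cloud apps.
$p1 = @{
    displayName   = "Baseline 1 - Require MFA for all users"
    state         = $reportOnly
    conditions    = $scope + @{ clientAppTypes = @("all") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication (the client types that cannot complete MFA).
$p2 = @{
    displayName   = "Baseline 2 - Block legacy authentication"
    state         = $reportOnly
    conditions    = $scope + @{ clientAppTypes = @("exchangeActiveSync", "other") }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 3: require MFA when Identity Protection rates the sign-in medium or high risk (needs Entra ID P2).
$p3 = @{
    displayName   = "Baseline 3 - Require MFA for risky sign-ins"
    state         = $reportOnly
    conditions    = $scope + @{ clientAppTypes = @("all"); signInRiskLevels = @("medium", "high") }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 4 needs a named location listing the countries you DO operate in; it is then excluded from a block-all rule.
$loc = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Operating countries"
    countriesAndRegions               = $allowedCountries
    includeUnknownCountriesAndRegions = $false   # sign-ins with no resolvable country are treated as outside
}
$p4 = @{
    displayName   = "Baseline 4 - Block sign-ins from outside operating countries"
    state         = $reportOnly
    conditions    = $scope + @{
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($loc.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($p1, $p2, $p3, $p4)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0} -> {1} ({2})" -f $created.DisplayName, $created.State, $created.Id
}
```

The exclusion of the emergency-access account is deliberate: a policy that blocks every admin, including the one trying to fix it, is the most common way small tenants lock themselves out. That account should be protected by a long random password and a hardware key, and its sign-ins should be alerted on.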
3. Disable mailbox forwarding to external addresses
This sounds obscure. It's not. A common attack pattern: attacker phishes an employee, gets their credentials, then sets up an Outlook rule that quietly forwards every incoming email to an external address. The attacker leaves quietly with months of access to the inbox — invoices, banking confirmations, sensitive conversations — without the employee ever noticing.
Disabling external auto-forwarding in your Exchange Online configuration takes thirty seconds and eliminates this entire attack class. There is no legitimate small-business reason to allow automatic external forwarding from individual mailboxes.
How to check: Exchange admin centre → Mail flow → Remote domains → Default → set "Allow automatic forwarding" to No.
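Turning the setting off stops future forwarding; it does not remove rules that are already in place. The following added example (not from the article) applies the remote-domain setting from the admin-centre path above, sets the second switch in the outbound spam policy that also governs auto-forwarding, and then lists every mailbox-level forward and every inbox rule that forwards or redirects mail. It assumes the ExchangeOnlineManagement module and an Exchange Administrator sign-in.

```powershell
# Added example: disable external auto-forwarding tenant-wide and hunt for forwarding already configured.
# Assumes the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline -ShowBanner:$false

# 1. The remote-domain setting from the article: auto-forwarded mail may not leave the tenant.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. The outbound spam filter policy has its own switch; "Automatic" defers to the remote-domain setting,
#    "Off" makes the block explicit regardless of what remote domains say.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Mailbox-level forwarding (set by an admin, or by an attacker who obtained admin rights).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 4. Inbox rules that forward or redirect: the exact pattern the article describes.
$suspect = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$suspect | Format-Table -AutoSize

# A rule in $suspect that the mailbox owner did not create is an incident, not a cleanup item:
# capture the audit-log entry that created it (see point 4) before removing it with Remove-InboxRule.
```

Expect a handful of legitimate hits (an owner forwarding to their own internal shared mailbox, for instance). What you are looking for is an external address the owner does not recognise, often paired with a rule that also deletes or marks the message as read.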
4. Audit logging enabled and retained
If something does happen — a phishing breach, a malicious internal action, anything you need to reconstruct after the fact — you need a log of what happened, who logged in from where, what was downloaded, what was forwarded. By default, Microsoft 365 turns audit logging on for new tenants, but many older tenants have it disabled, and the default retention is 90 days, which is rarely enough.
Turn on audit logging, then enable advanced audit if your license supports it, and configure retention to at least one year. Your insurance carrier may require this — read your policy.
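This added example (not from the article) checks whether the unified audit log is switched on, enables it if not, and then runs the kind of search you would need in the forwarding scenario from point 3: who created or changed inbox rules or mailbox forwarding in the last 30 days, and from which IP address. It assumes the ExchangeOnlineManagement module and a role permitted to search the audit log. Retention beyond the default is configured separately, as an audit retention policy in the Microsoft Purview portal, and is not covered by this script.

```powershell
# Added example: confirm unified audit logging is on, then search it for forwarding-related changes.
# Assumes the ExchangeOnlineManagement module and the Audit Logs (or Compliance) role.
Connect-ExchangeOnline -ShowBanner:$false

# Is ingestion into the unified audit log enabled? Older tenants may still have it off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit logging was off; it is now enabled. Events take up to an hour to start appearing."
}

# Sample search: admin cmdlets that create or change inbox rules or mailbox forwarding, last 30 days.
$ops    = "New-InboxRule", "Set-InboxRule", "Set-Mailbox"
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
                                 -Operations $ops -ResultSize 5000

foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Exchange admin audit records carry the cmdlet parameters as a Name/Value list;
    # keep only events that touched a forwarding or redirect parameter.
    $fwd = $d.Parameters | Where-Object { $_.Name -match 'Forward|Redirect' }
    if ($fwd) {
        [pscustomobject]@{
            When    = $e.CreationDate
            Who     = $e.UserIds
            FromIP  = $d.ClientIP
            Op      = $e.Operations
            Target  = $d.ObjectId
            Forward = ($fwd | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}
```

Run this once when you enable logging so that you know what "normal" looks like in your tenant; a forwarding change made from an IP address in a country where you have no staff is the signal the whole point-3 discussion is about.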
5. Block sign-ins from unsupported clients
There's a small set of older programs and apps that still try to connect to Microsoft 365 using the obsolete "basic authentication" protocol. This protocol does not support MFA. Attackers love it precisely because of this.
Microsoft retired basic auth in stages between 2022 and 2024, but a surprising number of small business tenants have exceptions in place that never got cleaned up. The Conditional Access policy that "blocks legacy authentication" should sweep this up — verify that it's actually enabled and not just configured in report-only mode.
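Because a policy that is only in report-only mode looks identical in the portal list at a glance, it is worth checking the state programmatically. This added example (not from the article) finds every Conditional Access policy that blocks legacy client types and reports whether it is actually enforced, then lists the sign-ins from the last seven days that used a non-modern client, which are the connections the block will stop. It assumes the Microsoft Graph PowerShell SDK and treats "Browser" and "Mobile Apps and Desktop clients" as the only modern client-app labels, which matches how the sign-in log names them.

```powershell
# Added example: verify the legacy-auth block is enforced and see which clients it would catch.
# Assumes the Microsoft Graph PowerShell SDK and a Security Reader (or higher) sign-in.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All" -NoWelcome

# A legacy-auth block is any policy that includes the "other" client type and grants "block".
$legacyPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.Conditions.ClientAppTypes -contains "other" -and
    $_.GrantControls.BuiltInControls -contains "block"
}

if (-not $legacyPolicies) { "No Conditional Access policy blocks legacy authentication." }
foreach ($p in $legacyPolicies) {
    # "enabled" is enforced; "enabledForReportingButNotEnforced" only logs; "disabled" does nothing.
    $verdict = if ($p.State -eq "enabled") { "OK (enforced)" } else { "NOT ENFORCED: state is $($p.State)" }
    "{0}: {1}" -f $p.DisplayName, $verdict
}

# Sign-ins in the last 7 days whose client app is not a modern one.
$modern = "Browser", "Mobile Apps and Desktop clients"
$since  = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and ($modern -notcontains $_.ClientAppUsed) }

# Group by protocol and user so the leftover exceptions (a scanner, an old accounting add-in) stand out.
$legacySignIns |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If the second table is empty, enabling the block costs nothing. If it lists a multifunction printer or an old line-of-business app, that device needs a modern-auth configuration (or a dedicated, tightly scoped mailbox) before the policy is switched from report-only to enabled, not a permanent exception.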
6. Restrict admin role assignments
How many people in your business have "Global Administrator" rights to your Microsoft 365 tenant? In most small businesses we assess, the answer is "everyone in the office, just in case." The correct answer is "two people — the owner, and one backup person who only logs in when needed."
Excessive admin rights mean that a single phished employee can hand your attacker the keys to the entire tenant. Reduce the admin count to two. Have those two admins use separate admin accounts (not their daily-driver accounts) for admin work — see point 7.
7. Separate admin accounts
If your IT person uses the same account for reading their daily email and for changing your Conditional Access policies, you have a problem. If that account is phished, the attacker can not only read email but reconfigure the entire tenant.
Best practice: create a second account for admin work. Daily-driver account (john@yourbiz.ca) for email and Teams; admin account (john.admin@yourbiz.ca) used only for admin actions. The admin account has Global Admin rights; the daily-driver account does not. Both accounts require MFA. The admin account should have additional protection such as a FIDO2 hardware key or Authenticator with number matching.
Carriers explicitly ask about this in 2026 questionnaires.
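Points 6 and 7 can be checked together. This added example (not from the article) lists the members of the Global Administrator role, counts them against the target of two, and for each user flags two things: whether the account looks like a daily-driver (the heuristic assumed here is that an account with licenses assigned also has a mailbox and Teams, so it is someone's everyday identity), and whether a FIDO2 key or the Authenticator app is registered. It assumes the Microsoft Graph PowerShell SDK; if your tenant uses Privileged Identity Management, eligible (not yet activated) assignments will not appear in this list.

```powershell
# Added example: enumerate Global Administrators and flag daily-driver accounts and weak MFA methods.
# Assumes the Microsoft Graph PowerShell SDK and a Global Reader (or higher) sign-in.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "The Global Administrator role is not activated in this tenant, so it has no members." }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
"Global Administrators: {0} (the article's target is 2)" -f @($members).Count

foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users have authentication methods.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
        "{0}: not a user object, review separately" -f $m.Id
        continue
    }

    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AssignedLicenses, AccountEnabled

    # Registered methods come back as directory objects; the concrete type is in @odata.type.
    $methodTypes = Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }

    [pscustomobject]@{
        Admin            = $u.UserPrincipalName
        Enabled          = $u.AccountEnabled
        LooksDailyDriver = (@($u.AssignedLicenses).Count -gt 0)   # assumption: licensed = everyday mailbox account
        Fido2Key         = ($methodTypes -contains '#microsoft.graph.fido2AuthenticationMethod')
        AuthenticatorApp = ($methodTypes -contains '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod')
    }
}
```

The result you want is two rows, both with LooksDailyDriver false and Fido2Key (or at least AuthenticatorApp) true. A row where the admin is licensed and has only a phone number registered is exactly the "one phish hands over the tenant" situation the article describes.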
8. Microsoft Secure Score baseline review
Microsoft 365 includes a "Secure Score" feature that grades your tenant configuration against best practices. It's not perfect — it weights some recommendations strangely — but it's a useful starting point. A score below 50% indicates significant gaps. A small-business target is 65–80%; a business that takes security seriously should aim for 80%+.
The Secure Score dashboard tells you exactly which settings would improve your score and how much. Spend an afternoon working through the top ten recommendations and you'll see meaningful improvement.
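The same numbers the dashboard shows are available through Microsoft Graph, which is handy for recording the score quarter by quarter or putting it in a report for your carrier. This added example (not from the article) reads the latest score, expresses it as a percentage against the 65% target above, and lists the ten controls with the most unearned points. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.Security module) and that each control profile's Id matches the control name in the per-control scores, which is how the Secure Score resources are keyed.

```powershell
# Added example: read Secure Score as a percentage and list the controls with the most points still available.
# Assumes the Microsoft Graph PowerShell SDK and a Security Reader (or higher) sign-in.
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# Scores are stored as one record per day, newest first; take the latest.
$score = Get-MgSecuritySecureScore -Top 1
$pct   = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
"Secure Score: {0} of {1} points = {2}% (small-business target 65%)" -f $score.CurrentScore, $score.MaxScore, $pct

# Maximum points per control live in the control profiles; index them by Id for the join below.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

$score.ControlScores |
    ForEach-Object {
        $prof = $profiles[$_.ControlName]   # assumption: profile Id == controlName
        [pscustomobject]@{
            Control  = $_.ControlName
            Category = $_.ControlCategory
            Earned   = $_.Score
            Max      = if ($prof) { $prof.MaxScore } else { $null }
            Missing  = if ($prof) { $prof.MaxScore - $_.Score } else { $null }
            Title    = if ($prof) { $prof.Title } else { $_.Description }
        }
    } |
    Sort-Object Missing -Descending |
    Select-Object -First 10 |
    Format-Table Control, Category, Earned, Max, Missing, Title -AutoSize
```

Controls whose Max is blank have no matching profile in the current catalogue (retired or licence-gated items); the rest of the table is the "top ten recommendations" the paragraph above suggests working through.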
What "good" looks like in 2026
A properly configured small-business Microsoft 365 tenant has:
- MFA on every account, enforced via Conditional Access
- Legacy authentication blocked
- External auto-forwarding disabled
- Audit logging enabled with at least 1-year retention
- Two admin accounts maximum, with separated daily/admin accounts
- Secure Score above 65%
- Defender for Office 365 with anti-phishing and safe-attachments policies (if licensed)
- Quarterly review of guest accounts and stale users
If your IT person hasn't done these eight things, the answer to "are we secure?" is no, regardless of what else they've done.
How to get there
If you're inside Microsoft 365 right now, you can work through this list yourself in an evening. Microsoft's documentation for each setting is good. Search "Microsoft 365 secure baseline" and you'll find Microsoft's official guidance, which tracks closely to what we've described.
If you'd rather have someone else handle this — and have it documented, monitored, and maintained alongside your other security needs — that's what Peace Country Cyber's Cyber Essentials tier is built for. We deploy this baseline plus managed EDR, phishing simulation, and quarterly vulnerability scans starting at $95 per user per month.
Either way: get the locks installed. The front door is already there.
Peace Country Cyber is northern Alberta's local cybersecurity partner. We help businesses in Mackenzie County and the broader Peace River region stay safe online.