Microsoft 365 Security: 12 Protections 90% of Schools and Businesses Haven’t Enabled

          If your school or business relies on Microsoft 365 every day, this guide highlights 12 essential security protections that most tenants are still missing – and how to close those gaps.


          Microsoft 365 is at the heart of how most schools and businesses work. Email, files, Teams, OneDrive and SharePoint all live there – which makes it one of your biggest security risks if it isn’t configured properly.

          Out of the box, Microsoft 365 is not fully locked down. There are dozens of powerful security features that are either switched off, misconfigured or only partially used. At Remedian IT Solutions, we regularly audit tenants for schools and SMEs across the North West and consistently find the same gaps.

          This guide walks you through 12 essential Microsoft 365 security protections that most organisations haven’t fully enabled – and why you should address them before the next phishing email or account breach hits.

          1. Strong Identity and Access Controls

          Your users’ identities are the front door into Microsoft 365. If accounts are not properly protected, everything else is at risk.

          Multi-Factor Authentication (MFA) for All Staff

          MFA is one of the most effective ways to stop account compromise, yet many organisations only enable it for admins or the senior leadership team (SLT), leaving the ordinary staff accounts that receive the most phishing unprotected.

          MFA should be enabled for:

          • All staff and admin accounts
          • Anyone with access to sensitive data (finance, HR, safeguarding, SLT)
          • Remote access and third-party integrations where supported

          Conditional Access Policies

          Conditional Access allows you to control how and where people sign in. For example, you can:

          • Block risky sign-ins from unusual countries
          • Require MFA for off-site access
          • Restrict access to certain apps to managed devices only

          Blocking Legacy Authentication

          "Legacy authentication" means sign-in methods that only accept a username and password (basic authentication): POP3, IMAP4, SMTP AUTH, older Exchange ActiveSync clients and old Office builds. Because they cannot complete an MFA prompt, attackers use them for password spraying and to turn a single stolen password into a mailbox logon that MFA never sees. Microsoft has retired basic authentication for most Exchange Online protocols, but SMTP AUTH can still be enabled per mailbox and other apps can still accept legacy sign-ins, so block it tenant-wide with a Conditional Access policy and enable SMTP AUTH only for the specific mailboxes (a photocopier or MIS system, for example) that genuinely need it.
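The two policies this section describes, written with the Microsoft Graph PowerShell SDK as an added example (this is not code from the original article). It creates a "require MFA for all users" policy and a "block legacy authentication" policy in report-only mode, then lists the accounts that still sign in with legacy protocols so you know who would be affected before enforcing. The policy names, the placeholder break-glass group ID and the 30-day window are assumptions; the cmdlets and the policy property names are those of the Microsoft.Graph module.

```powershell
# Added example (not from the original article). Creates the two Conditional
# Access policies described above with the Microsoft Graph PowerShell SDK,
# in report-only mode first, then lists who is still using legacy protocols.
# Assumptions: the Microsoft.Graph module is installed, you hold the
# Conditional Access Administrator role, and $breakGlassGroupId is the object
# ID of your emergency-access (break-glass) group (replace the placeholder).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder (assumption)

# Policy 1: MFA for everyone, on every cloud app, from any client type.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only; set to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other"
# cover Exchange ActiveSync, POP3, IMAP4, SMTP AUTH and older Office clients,
# none of which can complete an MFA prompt, so a stolen password is enough.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Before switching CA002 to "enabled", see who would be blocked: any successful
# sign-in whose client is not one of the two modern categories is a legacy sign-in.
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$modern = @("Browser", "Mobile Apps and Desktop clients")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin $modern -and $_.Status.ErrorCode -eq 0 } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Conditional Access and the sign-in log need an Entra ID P1 licence, which Microsoft 365 Business Premium and the A3/A5 and E3/E5 bundles include. Leave both policies in report-only mode for a week or two and review the report before enforcing. The break-glass exclusion matters: a policy that requires MFA for every account, including your emergency-access accounts, can lock you out of your own tenant if the MFA service or a phone is unavailable.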

          2. Email and Anti-Phishing Protection

          Most cyber attacks still start with email. Microsoft 365 includes advanced tools to reduce this risk, but they must be configured correctly.

          Defender for Office 365, formerly Advanced Threat Protection (Safe Links and Safe Attachments)

          These features need a Defender for Office 365 licence (included in Microsoft 365 Business Premium and the A5/E5 bundles, an add-on for other plans) and do nothing until a policy actually covers every recipient; a tenant that has the licence but only the default policies is a common finding. They provide:

          • Time-of-click scanning for malicious links
          • Detonation of suspicious attachments
          • Protection across email, Teams and Office apps

          Anti-Phishing Policies

          Essential for detecting and blocking:

          • Display-name impersonation
          • Look-alike domains
          • Internal phishing sent from hijacked accounts
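How the Safe Links, Safe Attachments and anti-phishing settings above are applied from Exchange Online PowerShell, as an added example that is not part of the original article and covers both of the preceding subsections. The domain, policy names and the two VIP entries are placeholders; the cmdlets and parameter names belong to the ExchangeOnlineManagement module and need a Defender for Office 365 licence in the tenant.

```powershell
# Added example (not from the original article): configuring Defender for
# Office 365 from Exchange Online PowerShell. Assumptions: the
# ExchangeOnlineManagement module is installed, the tenant has a Defender for
# Office 365 licence, and the domain, names and addresses below are placeholders.

Connect-ExchangeOnline

$domain = "contoso.example"                       # assumption: your accepted domain
$vips   = @(                                      # assumption: "DisplayName;email" entries
    "Jane Head;j.head@contoso.example",
    "Bob Bursar;b.bursar@contoso.example"
)

# Safe Links: rewrite and scan URLs at click time in mail, Teams and Office
# apps, scan before delivery, and do not let users click through the warning.
New-SafeLinksPolicy -Name "SafeLinks-AllStaff" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "SafeLinks-AllStaff" -SafeLinksPolicy "SafeLinks-AllStaff" -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox and block the message
# if malicious; also scan files already sitting in SharePoint, OneDrive and Teams.
New-SafeAttachmentPolicy -Name "SafeAttach-AllStaff" -Enable $true -Action Block
New-SafeAttachmentRule -Name "SafeAttach-AllStaff" -SafeAttachmentPolicy "SafeAttach-AllStaff" -RecipientDomainIs $domain
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Anti-phishing: impersonation protection for named VIPs and for your own
# domains, mailbox intelligence (who normally emails whom), spoof intelligence,
# safety tips and a stricter phishing threshold than the default of 1.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $vips -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true `
    -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2

# Confirm what is now in force.
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Format-List EnableTargetedUserProtection, TargetedUsersToProtect, EnableOrganizationDomainsProtection,
        EnableMailboxIntelligenceProtection, PhishThresholdLevel
Get-SafeLinksRule      | Format-Table Name, State, RecipientDomainIs
Get-SafeAttachmentRule | Format-Table Name, State, RecipientDomainIs
```

The "recipient domain" rules scope each policy to every mailbox in the domain, which is what closes the usual gap of a policy that only covers a pilot group. Quarantine actions mean users do not see impersonation attempts at all; if that is too aggressive for a school office at first, MoveToJmf (deliver to Junk) is the softer alternative for each action parameter.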

          Email Authentication: SPF, DKIM and DMARC

          SPF lists which servers may send mail for your domain, DKIM signs outbound mail so receivers can tell it was not tampered with or forged, and DMARC tells receivers what to do when a message fails both checks and where to send reports. Correctly configured, the three stop criminals spoofing your domain to your own staff, parents and suppliers, and improve the deliverability of your legitimate mail. The usual finding in a Microsoft 365 tenant is SPF present, DKIM never enabled for the custom domain, and DMARC missing or left at p=none, which still lets spoofed mail through.
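Enabling DKIM for a domain in Exchange Online and then checking what the public DNS actually says for SPF, DKIM and DMARC, as an added example (not from the original article). It assumes Connect-ExchangeOnline has already been run, that the domain is a placeholder to replace with your own, and that Resolve-DnsName from the Windows DnsClient module is available; the record values in the comment are illustrative, and the real CNAME targets come from Get-DkimSigningConfig.

```powershell
# Added example (not from the original article). Enables DKIM signing for a
# domain in Exchange Online and then reads the public DNS for SPF, DKIM and
# DMARC and grades what it finds. Assumptions: Connect-ExchangeOnline already
# run; $domain is a placeholder; Resolve-DnsName (Windows DnsClient) available.

$domain = "contoso.example"   # assumption: replace with your accepted domain

# Records a Microsoft 365 tenant normally needs (values are illustrative):
#   contoso.example                       TXT   "v=spf1 include:spf.protection.outlook.com -all"
#   selector1._domainkey.contoso.example  CNAME <Selector1CNAME from Get-DkimSigningConfig>
#   selector2._domainkey.contoso.example  CNAME <Selector2CNAME from Get-DkimSigningConfig>
#   _dmarc.contoso.example                TXT   "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@contoso.example"

# 1. DKIM is off for custom domains until a signing config exists and is enabled.
#    Enabling fails until the two CNAMEs it prints are published in public DNS.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $true
}
else {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
}
Get-DkimSigningConfig -Identity $domain | Format-List Enabled, Selector1CNAME, Selector2CNAME

# 2. Read the public records and grade them.
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    # A TXT record may be split into several strings; join them before matching.
    $txt = {
        param($name)
        Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' |
            ForEach-Object { $_.Strings -join '' }
    }
    $spf   = @(& $txt $Domain          | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = @(& $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
    $dkim1 = (Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
    $dkim2 = (Resolve-DnsName -Name "selector2._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost

    [pscustomobject]@{
        Domain         = $Domain
        SpfRecord      = $spf -join ' | '
        SpfCount       = $spf.Count                                         # more than one SPF record is invalid
        SpfCoversM365  = [bool]($spf -match 'include:spf\.protection\.outlook\.com')
        SpfHardFail    = [bool]($spf -match '\s-all\s*$')                   # "~all" (softfail) is weaker
        Dkim1Cname     = $dkim1
        Dkim2Cname     = $dkim2
        DmarcRecord    = $dmarc -join ' | '
        DmarcEnforced  = [bool]($dmarc -match 'p=\s*(quarantine|reject)')   # p=none only monitors
        DmarcReporting = [bool]($dmarc -match 'rua=')                       # aggregate reports arrive here
    }
}

Test-EmailAuthRecords -Domain $domain | Format-List
```

Move DMARC through p=none (monitor) to p=quarantine and finally p=reject only after the aggregate reports show every legitimate sender (the MIS, the printer, the newsletter tool) is covered by SPF or DKIM; a hard policy applied before that silently drops real mail.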

          3. Data Loss Prevention and Information Protection

          Data Loss Prevention (DLP) Policies

          DLP policies help stop sensitive data from being emailed or shared externally by accident.

          Sensitivity Labels and Encryption

          Labels such as “Confidential” or “Internal Only” allow you to:

          • Encrypt sensitive documents
          • Prevent forwarding or printing
          • Add protective watermarks

          Safe Sharing Defaults in OneDrive and SharePoint

          Safer defaults include:

          • Internal-only sharing by default
          • Domain-restricted external sharing
          • Expiry dates on external links
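The sharing defaults listed above, set tenant-wide with the SharePoint Online Management Shell, as an added example that is not from the original article. The tenant admin URL and the two partner domains are placeholders; the cmdlets and parameter names are those of the Microsoft.Online.SharePoint.PowerShell module.

```powershell
# Added example (not from the original article). Sets tenant-wide sharing
# defaults for SharePoint Online and OneDrive. Assumptions: the
# Microsoft.Online.SharePoint.PowerShell module is installed, "contoso" is
# your tenant name, and the allowed partner domains are placeholders.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumption: your tenant admin URL

# What is set today. SharingCapability = ExternalUserAndGuestSharing means
# anonymous "Anyone" links are allowed: the weakest setting and the usual finding.
Get-SPOTenant | Format-List SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, SharingDomainRestrictionMode, SharingAllowedDomainList,
    ExternalUserExpirationRequired, ExternalUserExpireInDays, RequireAnonymousLinksExpireInDays

$safeDefaults = @{
    # External people must sign in; no anonymous "Anyone" links at all.
    SharingCapability                 = 'ExternalUserSharingOnly'
    OneDriveSharingCapability         = 'ExternalUserSharingOnly'
    # The Share dialog defaults to "People in your organisation", view-only.
    DefaultSharingLinkType            = 'Internal'
    DefaultLinkPermission             = 'View'
    # Only these partner domains can be invited as guests (space-separated).
    SharingDomainRestrictionMode      = 'AllowList'
    SharingAllowedDomainList          = 'trust.example partner.example'
    # Guest access to a site or file lapses after 60 days unless renewed.
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 60
    # If "Anyone" links are ever re-enabled, they expire after 30 days.
    RequireAnonymousLinksExpireInDays = 30
}
Set-SPOTenant @safeDefaults

# Confirm the change took effect.
Get-SPOTenant | Format-List SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList, ExternalUserExpireInDays
```

Individual sites can be more restrictive than the tenant but never more permissive, so a safeguarding or HR site should additionally get Set-SPOSite -Identity <site url> -SharingCapability Disabled. Tightening the tenant setting does not revoke links that already exist; review those separately.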

          4. Device and Endpoint Security

          Defender for Endpoint

          Provides next-generation protection, including:

          • Behaviour-based threat detection
          • Real-time antivirus
          • Centralised monitoring

          Device Compliance and Configuration Policies

          Intune policies enforce:

          • Minimum OS versions
          • Password and screen-lock requirements
          • Mandatory encryption

          Full Disk Encryption with BitLocker

          BitLocker protects data if a laptop is lost or stolen, but only if it is actually switched on and the recovery key can be found when needed. Recovery keys should be escrowed centrally (to Entra ID or Intune), not kept in a spreadsheet or on the device, and a sample should be tested before the day a machine refuses to boot.
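What the Intune disk-encryption policy does behind the scenes, carried out by hand on one device as an added example (not from the original article), which is also a useful check on a machine that Intune reports as non-compliant: enable BitLocker on the OS drive with a TPM protector plus a recovery password, escrow the recovery password to Entra ID, and report the result. It assumes an elevated PowerShell on an Entra ID-joined Windows 10/11 Pro or Education device with a TPM; the cmdlets are those of the built-in BitLocker module.

```powershell
# Added example (not from the original article). Enables BitLocker on the OS
# drive and escrows the recovery password to Entra ID, then reports status.
# Assumptions: elevated PowerShell, Entra ID-joined Windows 10/11 Pro or
# Education, TPM present, built-in BitLocker PowerShell module.

$drive = "C:"

$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.ProtectionStatus -ne 'On') {
    # Recovery password first, so a key exists before encryption starts.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
    # TPM unlocks the drive at boot; XTS-AES-256; used-space-only is fine for new devices.
    Enable-BitLocker -MountPoint $drive -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest
}

# Escrow every recovery password protector to Entra ID, where it appears on
# the device's page in the Entra / Intune portals. Without this step a lost
# laptop whose owner forgot the PIN is simply lost data.
$recovery = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $kp.KeyProtectorId
}

# Report: protection state, cipher, progress and that a recovery password exists.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage,
        @{ n = 'RecoveryPasswords'; e = { @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count } }
```

ProtectionStatus shows Off while encryption is still in progress even though the volume is being encrypted; check EncryptionPercentage as well. The escrow step is idempotent, so it is safe to run again after a key rotation.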

          5. Backup and Recovery for Microsoft 365

          Microsoft protects the service, not your data. By default you get recycle bins and short retention windows (a deleted mailbox, for example, is recoverable for 30 days), not an independent backup you can restore from after ransomware, a malicious insider, an account compromise or an admin mistake.

          Dedicated Microsoft 365 Backup

          A true backup solution should:

          • Back up Exchange, OneDrive, SharePoint and Teams
          • Store copies in a separate location
          • Support point-in-time restores
          • Provide long-term retention

          6. Monitoring, Alerts and Secure Score

          Security Alerts and Audit Logs

          Alerts should be monitored for events such as:

          • Failed login attempts
          • Risky sign-ins from abroad
          • New forwarding rules
          • Admin role changes
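A hunt for the forwarding rules and role changes listed above, followed by the one setting that removes the easiest abuse path, as an added example (not from the original article). It assumes the ExchangeOnlineManagement module, an account holding the Exchange Administrator and Security Reader roles, and that unified audit logging is on; the 7-day window and the alert-name pattern are assumptions, and the cmdlets and operation names are those of Exchange Online and Security & Compliance PowerShell.

```powershell
# Added example (not from the original article). Finds mailbox forwarding,
# forwarding/redirect/delete inbox rules and recent admin role changes, then
# disables automatic external forwarding tenant-wide. Assumptions:
# ExchangeOnlineManagement module installed, Exchange Administrator and
# Security Reader roles held, unified audit log enabled.

Connect-ExchangeOnline
Connect-IPPSSession      # Security & Compliance PowerShell (Search-UnifiedAuditLog, Get-ProtectionAlert)

# 0. Nothing below is trustworthy unless the unified audit log is being ingested.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled

# 1. Mailbox-level forwarding (set in the admin centre, by PowerShell, or by an
#    attacker who already has admin rights).
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Format-Table UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect or silently delete: the classic
#    post-compromise foothold (attackers hide replies from IT and finance).
$suspicious = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
            ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$suspicious | Format-Table -AutoSize

# 3. Who created or changed forwarding rules, changed mailbox forwarding, or
#    added someone to an admin role in the last 7 days, and from where?
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000 `
    -Operations "New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Add member to role."
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json          # per-record JSON payload
    [pscustomobject]@{
        When      = $_.CreationDate
        Operation = $_.Operations
        Actor     = $_.UserIds
        ClientIP  = $d.ClientIP
        Target    = ((@($d.ObjectId) + @($d.Target.ID)) | Where-Object { $_ }) -join ' '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize

# 4. Close the door: stop automatic forwarding to external addresses for the
#    whole tenant. Existing rules that forward externally then fail with an NDR
#    instead of silently leaking mail.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 5. Confirm the built-in alert policies for these events are still enabled.
Get-ProtectionAlert |
    Where-Object { $_.Name -match 'forward|Exchange admin privilege|Suspicious' } |
    Format-Table Name, Disabled, Severity
```

Run steps 1 to 3 on a schedule, not just once: a forwarding rule created at 02:00 from an unfamiliar IP, combined with a DeleteMessage action, is the signature of a business-email-compromise in progress and is worth an alert of its own.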

          Using Microsoft Secure Score

          Secure Score provides:

          • A security rating for your tenant
          • Recommended actions ranked by impact
          • Progress tracking over time

          7. Quick Microsoft 365 Security Checklist

          • MFA: Enabled for all staff and admins
          • Conditional Access: Location/device-based policies
          • Legacy Auth: Disabled
          • Safe Links / Attachments: Enabled
          • Anti-Phishing: Impersonation protection configured for VIPs and your own domains
          • SPF/DKIM/DMARC: Fully configured
          • DLP: Enabled for sensitive data
          • Sensitivity Labels: Configured and used
          • Safe Sharing: Internal-first
          • Endpoint Security: Defender + compliance policies
          • Backup: Dedicated M365 backup
          • Monitoring: Alerts + Secure Score

          Need Help Securing Your Microsoft 365 Environment?

          Remedian works with schools and businesses across Greater Manchester, West Yorkshire and the North West to secure Microsoft 365, reduce cyber risk and support compliance with DfE and NCSC guidance.

          Next steps:

          • Book a Microsoft 365 security health check
          • Review your tenant against the checklist
          • Get a clear, phased improvement plan

          Contact Remedian today to strengthen your Microsoft 365 security

          At Remedian IT Solutions we provide IT support for startups, established companies and schools, and we will be happy to help where needed. Contact us now to explore your options for our reliable IT solutions.
