Microsoft 365 Security Checklist for Irish SMEs

Most Irish SME cyber breaches start in Microsoft 365. Here are the 10 security settings to enable in your M365 tenant — with exact locations in the admin centre.

Microsoft 365 Security Checklist for Irish SMEs: 10 Settings to Enable Today

Microsoft 365 is the dominant email and productivity platform for Irish SMEs. It is also, in our experience, the most common point of entry for cyber incidents affecting Irish businesses. Not because it is inherently insecure, but because it ships with default settings that prioritise ease of adoption over security — and most Irish SMEs never revisit those defaults after setup.

Legacy authentication protocols remain enabled by default, allowing attackers to bypass MFA entirely using older connection methods. The unified audit log — which records who did what across your M365 environment — is not turned on automatically on all licence tiers. Mailbox auditing has variable default settings. Auto-forwarding to external addresses is permitted unless you disable it. Safe Links and Safe Attachments, which scan inbound links and files for malicious content, are not active unless you have Defender for Office 365 Plan 1 and have explicitly turned them on.

An M365 tenant that has never been hardened beyond defaults is a significantly easier target than one that has spent two hours working through the settings below.

A note on licensing: some settings require Microsoft 365 Business Premium or Defender for Office 365 Plan 1. Where that is the case, it is noted. The majority are available on Business Basic and Business Standard.

The 10 Settings

1. Enable MFA for All Users

What it does: Requires a second factor — typically the Microsoft Authenticator app — when a user signs in. Without MFA, a stolen or guessed password is sufficient to access your entire M365 environment.

Where: Microsoft 365 Admin Centre → Users → Active Users → Multi-factor authentication. For tenants with Microsoft 365 Business Premium, use Conditional Access policies instead (see setting 8). For simpler setups, security defaults (Admin Centre → Settings → Org Settings → Security & Privacy → Security defaults) enable MFA for all users automatically.

Priority: Do this first.

2. Disable Legacy Authentication Protocols

What it does: Legacy authentication is used by older email clients that cannot support MFA, meaning an attacker using legacy auth can bypass MFA entirely even if you have enabled it.

Where: Azure Active Directory Admin Centre → Security → Conditional Access → New Policy → Conditions → Client Apps → select Exchange ActiveSync clients and Other clients → Block. If you are using Security Defaults, legacy auth is already blocked.

Note: Run the sign-in logs report first (Azure AD → Monitoring → Sign-ins, filter by client app) to identify any legacy auth usage over the past 30 days before enabling.

3. Enable the Unified Audit Log

What it does: Records user and admin activity across M365 — who signed in, who accessed what files, who changed which settings. Without it, forensic investigation of a breach is severely limited.

Where: Microsoft Purview Compliance Portal (compliance.microsoft.com) → Audit → Start recording user and admin activity. Confirm via PowerShell: Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled.

4. Turn On Mailbox Auditing

What it does: Records actions taken on mailboxes — emails read, deleted, forwarded, folders accessed. The log you need to determine what an attacker accessed if a mailbox is compromised.

Where: PowerShell: Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true -AuditOwner MailboxLogin,HardDelete,SoftDelete,Update,MoveToDeletedItems

5. Enable Safe Links and Safe Attachments

What it does: Safe Links rewrites URLs in inbound email and scans them at click-time for malicious content. Safe Attachments detonates email attachments in a sandbox before delivering them to the inbox.

Licence required: Microsoft Defender for Office 365 Plan 1 (included in Microsoft 365 Business Premium).

Where: Microsoft Defender Portal (security.microsoft.com) → Policies & Rules → Threat Policies → Safe Links and Safe Attachments. Create new policies, apply to all recipients, set Safe Attachments action to Dynamic Delivery.

6. Block Auto-Forwarding to External Addresses

What it does: Attackers who compromise a mailbox routinely set up auto-forwarding rules to silently copy all incoming email to an external address. Blocking this at the tenant level eliminates that persistence tactic.

Where: Exchange Admin Centre → Mail Flow → Remote Domains → Default → deselect "Allow automatic forwarding." Additionally in Defender portal: Policies & Rules → Anti-spam → Outbound policy → Automatic forwarding → Off.

7. Configure DMARC, DKIM, and SPF for Your Domain

What it does: Prevents attackers from spoofing your domain to send fraudulent email to your suppliers and customers. SPF defines which mail servers can send on your behalf. DKIM adds a cryptographic signature to outbound email. DMARC tells receiving servers what to do with failures — and sends you reports.

Where: SPF and DMARC are DNS TXT records at your domain registrar. DKIM: Defender Portal → Email Authentication Settings → DKIM → select your domain → Enable. Set DMARC to p=quarantine or p=rejectp=none is monitoring only and does not protect your domain. Check your current posture using the Digital Trust Checker.

8. Configure Conditional Access Policies

What it does: Allows you to set rules around when and how users can access M365. Two most valuable baseline policies: require MFA for all users, and block legacy authentication. You can also restrict sign-in to Ireland and approved countries.

Licence required: Azure AD P1 or Microsoft 365 Business Premium.

Where: Azure Active Directory Admin Centre → Security → Conditional Access → Policies. Microsoft provides templates for the most common baseline policies.

9. Set Up Alert Policies for Suspicious Sign-Ins

What it does: Generates alerts when M365 detects suspicious activity — sign-ins from unusual locations, sign-ins after multiple failed attempts, email forwarding rules created, mass deletion of files.

Where: Microsoft Purview Compliance Portal → Policies → Alert Policies. Several default alert policies exist; review and ensure they are active and routing to a monitored mailbox. Also configure alerts in Microsoft Defender Portal → Settings → Microsoft Defender XDR → Email notifications.

10. Disable Unused Services Per User

What it does: Every M365 licence includes a range of services that are enabled by default. Services that are not used still represent attack surface — a compromised account gives access to everything that account is licensed for.

Where: Microsoft 365 Admin Centre → Users → Active Users → select a user → Licences and Apps tab → Apps section. Start with accounts that have elevated permissions — Global Admins, Exchange Admins, SharePoint Admins — and ensure they run with the minimum service set required for their role.

The NIS2 Connection

If your business is in NIS2 scope, the settings above collectively address several required technical measures: access control (MFA, conditional access), audit logging, incident detection (alert policies), and email security (DMARC, Safe Links). Mapping your M365 configuration against NIS2 requirements is a sensible starting point for a broader compliance programme.


If you want a structured review of your M365 security configuration rather than working through this checklist alone, Pragmatic Security can assess your tenant and produce a prioritised remediation report. Get in touch.


James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.