When a Donegal business group suffered a business email compromise attack that cost them over one million euro, the forensic investigation identified the starting point within a few hours: a single Microsoft 365 account with no multi-factor authentication, accessed from an unfamiliar location, with no audit logging to track what happened next. Every setting that would have either prevented the attack or limited its damage was available in their existing Microsoft 365 subscription. None of them had been enabled.
Most Irish SMEs run on Microsoft 365. Email, documents, spreadsheets, Teams calls — it is the operating system of the modern small business. The default security settings are not enough to protect your business from the threats that matter most. But Microsoft 365 includes powerful security features that most businesses have already paid for and never turned on. This guide walks through the eight settings that make the biggest difference. You need admin access and 30 minutes.
Not sure which Microsoft 365 settings you already have enabled? Book a free 20-minute strategy call — we review Microsoft 365 security configurations with Irish businesses every week.
WHAT: The Eight Settings That Matter Most
Setting 1: Enable Multi-Factor Authentication for all users. MFA requires a second verification step at sign-in, so a stolen password alone cannot open an account. Microsoft's own research puts the effect at 99.9% of automated account compromise attacks blocked. The per-user MFA page in the Microsoft 365 Admin Centre (Users → Active users → Multi-factor authentication) is the legacy way to enforce it; Security Defaults (Setting 2) or Conditional Access do the same job tenant-wide, and Microsoft recommends not mixing per-user MFA with either. Whichever you use, control the allowed methods in the Microsoft Entra Admin Centre under Protection → Authentication methods: enable Microsoft Authenticator and disable SMS, which can be intercepted or SIM-swapped. Then look for users who have registered no method at all, because an account that has never enrolled is the one an attacker with the password will enrol for themselves.
Setting 2: Turn on Security Defaults. Security Defaults is a free Microsoft Entra setting that enforces a fixed baseline across the whole tenant: every user must register for MFA within 14 days of first sign-in, administrators must use MFA on every sign-in and other users are prompted when Microsoft's risk signals call for it, legacy authentication is blocked (the basic-auth sign-ins used by older POP3, IMAP and SMTP clients, which cannot do MFA and are exactly what password-spraying tools target), and privileged actions in the Azure and Entra portals require MFA. Enable it in the Microsoft Entra Admin Centre under Identity → Overview → Properties → Manage security defaults. Security Defaults and Conditional Access are mutually exclusive: the switch will refuse to turn on while any Conditional Access policy exists. If you have Conditional Access (Entra ID P1, included in Business Premium), build the same three controls there instead, and exclude one emergency-access account so that an MFA outage cannot lock every admin out.
Setting 3: Configure email authentication: SPF, DKIM, DMARC. These three protocols let a receiving server verify that mail claiming to come from your domain was sent by servers you authorised. Without them, anyone can send mail that appears to be from your business. SPF is a DNS TXT record listing your authorised sending servers; for Microsoft 365 that is a single record that includes spf.protection.outlook.com, plus any other service that legitimately sends as you. DKIM adds a cryptographic signature to outgoing mail; in Microsoft 365 you publish two CNAME records (selector1 and selector2 under _domainkey) and then enable signing for the domain in the Defender portal. DMARC, a TXT record at _dmarc.yourdomain, tells receivers what to do with mail that fails both aligned SPF and aligned DKIM: p=none only reports, so start there, read the aggregate reports, then move to quarantine and finally reject once every legitimate sender passes. Attackers routinely spoof business addresses to trick suppliers, customers and staff into transferring money or sharing sensitive information. Properly deployed, these records make exact-domain spoofing significantly harder (they do nothing against look-alike domains, which still need staff awareness) and are a baseline measure the NCSC Ireland consistently highlights.[^1]
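The check below is an added example, not code from the article or from Pragmatic Security. It queries DNS for the three records the way a receiving mail server would and reads out the DMARC policy, flagging the mistakes that come up most often (no record, two SPF records, a soft-fail SPF, DMARC left at p=none, no reporting address). It relies on Resolve-DnsName from the Windows DnsClient module, so it runs in PowerShell on Windows; example.ie is a placeholder domain, and apart from the standard Microsoft 365 selector names selector1 and selector2 every name in it is assumed.

```powershell
# Added example: what a receiving server sees for a domain's SPF, DKIM and DMARC.
# Assumed: Windows PowerShell with the DnsClient module; the domain is a placeholder.
param([string]$Domain = "example.ie")

function Get-TxtRecord([string]$Name) {
    # Long TXT records are published as several 255-byte strings; receivers join them.
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { -join $_.Strings }
    } catch { @() }   # NXDOMAIN or no answer: treat as no record
}

# SPF: exactly one v=spf1 record; more than one is a permanent error at the receiver.
$spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0 { "SPF: MISSING - mail claiming to be from @$Domain passes no sender check" }
    1 {
        $record = $spf[0]
        "SPF: $record"
        if ($record -notmatch 'include:spf\.protection\.outlook\.com') {
            "SPF: spf.protection.outlook.com is not included - Microsoft 365 mail will fail SPF"
        }
        if ($record -notmatch '\s-all$') {
            "SPF: ends in ~all or ?all - switch to -all once every legitimate sender is listed"
        }
    }
    default { "SPF: $($spf.Count) records found - multiple SPF records are invalid (permerror)" }
}

# DKIM: Microsoft 365 keys live under selector1/selector2, published as CNAMEs to your
# onmicrosoft.com domain; signing cannot be enabled until both CNAMEs resolve.
foreach ($selector in 'selector1', 'selector2') {
    $name = "$selector._domainkey.$Domain"
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' }
    if ($cname) { "DKIM: $name -> $($cname.NameHost)" }
    else        { "DKIM: $name has no CNAME - DKIM signing cannot be enabled for this selector" }
}

# DMARC: the p= tag is the policy receivers apply; rua= is where aggregate reports go.
$dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0) {
    "DMARC: MISSING - receivers apply no policy to spoofed mail from @$Domain"
} else {
    "DMARC: $($dmarc[0])"
    $tags = @{}
    foreach ($pair in ($dmarc[0] -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    switch ($tags['p']) {
        'none'       { "DMARC: p=none only monitors - spoofed mail is still delivered" }
        'quarantine' { "DMARC: p=quarantine - failing mail is sent to junk" }
        'reject'     { "DMARC: p=reject - failing mail is refused" }
        default      { "DMARC: no valid p= tag - the record is ignored by receivers" }
    }
    if (-not $tags['rua']) { "DMARC: no rua= address - you will receive no aggregate reports" }
}
```

Save it as, say, Check-EmailAuth.ps1 (the file name is an assumption) and run `.\Check-EmailAuth.ps1 -Domain yourdomain.ie`. A clean result is one SPF record ending in -all, both selector CNAMEs resolving, and a DMARC record at p=quarantine or p=reject with a rua= address; run it again after every DNS change, because a typo in any of the three records silently breaks delivery of your own mail.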
Setting 4: Enable Audit Logging. The unified audit log records who did what, when and from where across Microsoft 365: sign-ins, file access, mailbox rule changes, admin actions. If your business is compromised, the audit log is the first thing an incident responder will ask for; without it you cannot determine what the attacker accessed or what data was exfiltrated. Under GDPR you may need exactly that information to meet the 72-hour breach notification obligation to the Data Protection Commission.[^2] Microsoft now enables the log by default for new tenants, but check rather than assume: open the Microsoft Purview portal under Audit, and if it offers to start recording user and admin activity, logging is off and nothing before that moment will ever be recoverable. Audit (Standard) retains events for 180 days, so an intrusion that ran longer will be only partly visible; export or forward logs if you need longer retention.
Setting 5: Block auto-forwarding to external addresses. This stops users, or attackers who have compromised a user account, from setting up automatic forwarding of mail to an address outside the organisation. It is one of the most common techniques in business email compromise: the attacker logs in once, creates a forwarding rule to an external mailbox, and then reads every invoice and payment instruction for weeks without signing in again, before striking. Microsoft 365 offers two enforcement points and it is worth setting both: the outbound spam filter policy in the Defender portal (Automatic forwarding: Off) and, for belt and braces, a mail flow rule in the Exchange Admin Centre under Mail flow → Rules that rejects messages of type Auto-forward sent outside the organisation. Blocking new forwarding does not remove forwarding that is already configured, so also review existing inbox rules and mailbox forwarding settings for every user when you switch it on.
Setting 6: Enable Mailbox Auditing. This logs actions inside individual mailboxes: messages read, deleted, moved or sent, including by delegates or anyone other than the owner, and the creation of inbox rules. If an attacker gains access to a mailbox, mailbox auditing tells you what they read and what they sent. Microsoft has switched mailbox auditing on by default for all organisations since January 2019, but it can be turned off at tenant level and individual accounts can be exempted from logging, so verify it rather than assume it. Connect to Exchange Online via PowerShell and run Get-OrganizationConfig | Format-List AuditDisabled; a value of False means auditing is on.
Setting 7: Review and restrict admin roles. Global Administrators can do anything in your tenant: reset passwords, read any mailbox, delete data, change every security setting and create further admins. Most Irish SMEs have far too many. Best practice is two to four Global Administrators at most, using dedicated cloud-only admin accounts that are not used for daily email, plus one emergency-access account excluded from Conditional Access. Review admin roles quarterly and remove access that is no longer needed. Assign the narrowest role that does the job (Exchange Administrator, SharePoint Administrator, User Administrator) rather than Global Administrator wherever possible, and treat MFA on every admin account as non-negotiable: a Global Admin with a reused password is the most valuable target in the tenant.
Setting 8: Enable Safe Attachments and Safe Links. Safe Attachments detonates email attachments in a sandbox and checks their behaviour before delivery. Safe Links rewrites URLs in mail, Teams and Office documents so they are checked at the time of click, not only at the time of delivery, which matters because attackers often arm a link hours after the message has landed and passed the delivery-time scan. Phishing emails carrying malicious attachments and links remain the primary delivery mechanism for ransomware targeting Irish businesses, and An Garda Síochána's National Cyber Crime Bureau reports that ransomware almost always arrives via email.[^3] These features need Defender for Office 365 Plan 1, which is included in Microsoft 365 Business Premium; the quickest way to turn both on with sensible settings is the Standard preset security policy in the Defender portal.
WHAT NOW: The 30-Minute Security Checklist
Work through these settings in order of impact. MFA for all users comes first; it is the single highest-impact action available, and turning on Security Defaults enforces it tenant-wide in two minutes. Blocking external auto-forwarding, enabling audit logging and reviewing admin roles take five to ten minutes each. Email authentication takes longest, because it involves DNS changes and a monitoring period before DMARC can be moved to reject. Safe Attachments and Safe Links require a Defender for Office 365 licence, which is included in Business Premium.
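The script below is an added example, not code from the article or from Pragmatic Security. It is a read-only posture check for the tenant-side settings above (Security Defaults, audit logging, external forwarding, mailbox auditing, DKIM signing, Global Administrator count, Safe Attachments and Safe Links), and it also hunts for forwarding an attacker may already have planted, which switching the setting on does not remove. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the account used can read those settings; it changes nothing and prints the fixing cmdlet beside each finding.

```powershell
# Added example: read-only check of the Microsoft 365 settings discussed above.
# Assumed: ExchangeOnlineManagement and Microsoft.Graph modules installed; the
# account used has read access to Exchange Online and Entra policy/role data.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

$findings = [System.Collections.Generic.List[string]]::new()

# Setting 2: Security Defaults. Off is acceptable only if Conditional Access enforces the same controls.
if (-not (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    $caCount = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' }).Count
    $findings.Add("Security Defaults are off; $caCount enabled Conditional Access policies exist - confirm they require MFA and block legacy auth")
}

# Setting 4: unified audit log ingestion.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log is off: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true')
}

# Setting 6: organisation-wide mailbox auditing default (AuditDisabled = True means off).
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing is off by default: Set-OrganizationConfig -AuditDisabled $false')
}

# Setting 5: both enforcement points for external auto-forwarding.
if ((Get-RemoteDomain -Identity Default).AutoForwardEnabled) {
    $findings.Add('Default remote domain permits auto-forward: Set-RemoteDomain -Identity Default -AutoForwardEnabled $false')
}
$spamPolicy = Get-HostedOutboundSpamFilterPolicy -Identity Default
if ($spamPolicy.AutoForwardingMode -ne 'Off') {
    $findings.Add("Outbound spam policy AutoForwardingMode is '$($spamPolicy.AutoForwardingMode)': Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off")
}

# Forwarding already in place: mailbox-level forwarding and inbox rules.
# -IncludeHidden also returns rules that do not appear in Outlook's rule list.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add("Mailbox forwarding on $($mbx.UserPrincipalName) -> $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)")
    }
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { $findings.Add("Inbox rule '$($_.Name)' on $($mbx.UserPrincipalName) forwards or redirects mail") }
}

# Setting 3 (tenant side): DKIM signing must be enabled per domain once the CNAMEs are published.
Get-DkimSigningConfig | Where-Object { -not $_.Enabled } |
    ForEach-Object { $findings.Add("DKIM signing disabled for $($_.Domain): Set-DkimSigningConfig -Identity $($_.Domain) -Enabled `$true") }

# Setting 7: Global Administrator membership.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
$gaNames   = $gaMembers | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
if ($gaMembers.Count -gt 4) {
    $findings.Add("$($gaMembers.Count) Global Administrators (aim for 2-4): $($gaNames -join ', ')")
}

# Setting 8: Safe Attachments / Safe Links. The cmdlets are absent without Defender for Office 365.
try {
    if (-not (Get-SafeAttachmentPolicy | Where-Object { $_.Enable })) { $findings.Add('No enabled Safe Attachments policy') }
    if (-not (Get-SafeLinksPolicy | Where-Object { $_.EnableSafeLinksForEmail })) { $findings.Add('No enabled Safe Links policy for email') }
} catch {
    $findings.Add('Safe Attachments/Safe Links cmdlets unavailable: check the Defender for Office 365 licence')
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
Disconnect-ExchangeOnline -Confirm:$false
```

Run it before and after the 30 minutes; the target is "No findings." The Conditional Access count is reported only so you can confirm equivalent policies exist when Security Defaults is off, the script does not inspect their contents, and the mailbox loop is the slow part on larger tenants. Any inbox rule or mailbox forwarding it reports should be treated as a possible existing compromise and investigated in the audit log before it is simply deleted.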
These settings will not make your business impenetrable. But they will close the gaps that attackers exploit most frequently against Irish businesses — and they are all included in your existing Microsoft 365 subscription.
WHY IT MATTERS: The Regulatory and Business Stakes
The Data Protection Commission expects organisations holding personal data to implement appropriate technical measures to protect it. An unconfigured Microsoft 365 environment — with no MFA, no audit logging, and no email authentication — is not appropriate by any reasonable standard. Under GDPR, a breach that results from the absence of these basic controls is difficult to defend.
NIS2, now transposed into Irish law, requires that in-scope entities implement access control measures, incident logging, and email authentication as part of their baseline security posture. These eight settings are not the ceiling of what NIS2 requires — they are the floor.
Your Microsoft 365 subscription includes the tools to protect your business. The gap is configuration, not cost.
WHAT NEXT: Three Actions Before Friday
1. Enforce MFA for all users by turning on Security Defaults today, or the equivalent Conditional Access policies if you already use them. This takes under ten minutes, also blocks legacy authentication, and delivers immediate, significant protection.
2. Confirm audit logging in Microsoft Purview is active rather than assuming it is, and enable it if not; nothing is recorded retroactively, so every day it stays off is a day you cannot investigate.
3. Set Automatic forwarding to Off in the outbound spam filter policy and add a mail flow rule in the Exchange Admin Centre that rejects external auto-forwards, then review existing inbox rules for forwarding already in place. This closes one of the most commonly exploited post-compromise techniques used against Irish businesses.
Related Reading
- MFA Rollout Roadmap: Essential 8 to CyFUN Protect
- Microsoft 365 Security Settings to Pass a Supplier Audit
- MFA Bypass: How Hackers Are Defeating Multi-Factor Authentication
[^1]: NCSC Ireland — advice and guidance on email security: https://www.ncsc.gov.ie/advice-for-organisations/
[^2]: Data Protection Commission Ireland — breach notification and technical controls: https://www.dataprotection.ie
[^3]: An Garda Síochána — National Cyber Crime Bureau on ransomware: https://www.garda.ie/en/crime/cyber-crime/
Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.