
Microsoft 365 Security

Microsoft 365 is not as secure as you think. Most businesses have never switched on the security features included in their licence. We configure, enforce, and monitor them so you don't have to think about it.


Microsoft 365 is powerful. Out of the box, it is not secure.

Most London businesses running Microsoft 365 are paying for security features they have never switched on. The tools are there. They just need someone to configure them, enforce them, and keep an eye on them.

That is what we do.

The problem with default Microsoft 365 settings

When a new Microsoft 365 tenant is created, most security controls are switched off or set to minimum by default. Multi-factor authentication is not enforced. Email links are not scanned before you click them. Attachments are not checked for malware. Admin accounts share login credentials with everyday user accounts. Devices connecting to company data have no compliance requirements.

None of this is Microsoft’s fault. The tools exist. They are just not turned on.

We turn them on, configure them correctly, and make sure they stay that way.

What we manage and configure

Two-step login, enforced for everyone (MFA: Multi-Factor Authentication)

Two-step login is the single most effective security control in Microsoft 365. Even if an attacker has someone’s password, they cannot get into the account without the second verification step. We enforce this across every user in your organisation, with no exceptions, and set up Microsoft Authenticator as the verification method.

Secure email (anti-phishing, safe links, safe attachments)

Microsoft 365 includes powerful email protection tools that most businesses never activate. We configure anti-phishing policies to catch impersonation attempts and spoofed emails, safe links to check URLs at the moment of click rather than at delivery, and safe attachments to detonate suspicious files in a sandbox before they reach the inbox.

Protection against malware and ransomware

We configure Microsoft’s built-in malware protection policies, block file types commonly used to deliver ransomware, and set up alerts for suspicious activity across your tenant. For clients on eligible Microsoft 365 plans, we also activate Microsoft Defender for Business, which extends endpoint protection across the devices connecting to your Microsoft environment.

Secure admin accounts

Many Microsoft 365 tenants run with global administrator accounts that are also used for day-to-day email. This is a significant risk. We separate admin privileges from user accounts, apply dedicated admin accounts with stricter access controls, and enforce MFA specifically on all accounts with elevated permissions.

Monitoring your security posture (Microsoft Secure Score)

Microsoft provides a Secure Score within the Defender portal, a running measure of how well your Microsoft 365 environment is configured against security best practices. We review this regularly, identify the highest-impact improvements, and work through them systematically. You get a straightforward report on where you stand and what has changed.

Device compliance policies

If someone connects to your Microsoft 365 data from an unmanaged, unencrypted personal device, your data is exposed regardless of how well your tenant is configured. We use Microsoft Intune or equivalent tools to enforce device compliance requirements, ensuring only devices that meet your security baseline can access company email, files, and applications.

Conditional access

We configure conditional access policies that control who can access your Microsoft 365 environment, from where, and on which devices. Logins from unusual locations, unexpected countries, or non-compliant devices can be blocked automatically without anyone having to make a manual decision.

Backup for your Microsoft 365 data

This is the one most businesses do not know about. Microsoft does not back up your email, SharePoint, or OneDrive. Their terms and conditions say so explicitly. Native recycle bin retention runs from 14 to 93 days depending on the application. After that, deleted data is gone permanently.

We put proper third-party backup in place for your Microsoft 365 environment so that accidental deletion, a malicious act by a departing employee, or a ransomware attack does not mean permanent data loss.

Who this is for

Any business using Microsoft 365, whether that is a handful of staff on Business Basic or a larger team on Business Premium, will benefit from proper security configuration. The licence gives you access to the tools. We make sure the tools are actually doing their job.

This is particularly relevant if:

  • You have never had a security review of your Microsoft 365 tenant
  • Staff are accessing company email and files from personal devices
  • You have no MFA in place across your accounts
  • Someone has recently left the business and you are not certain their access was fully removed
  • You need to demonstrate compliance with Cyber Essentials, and Microsoft 365 configuration is part of that

Part of your managed support contract

For Network Fish managed support clients, Microsoft 365 security configuration and ongoing management is included as part of your contract. We set it up correctly from day one and review it regularly, so your Microsoft environment stays secure as your team and tools evolve.

One monthly fee. One number to call.

The day-to-day risk of keeping your Microsoft 365 environment secure becomes our job, not yours.

Book your free site survey or call +44 (0) 207 403 4031

FAQ

Common questions

Is Microsoft 365 secure by default?

No. Microsoft 365 provides the security tools but does not switch them on by default. Multi-factor authentication, anti-phishing policies, safe links, safe attachments, and device compliance controls all need to be configured before they protect anything.

Most businesses running Microsoft 365 have never had these settings reviewed, which means they are paying for security features that are not working.

Does Microsoft back up my email and SharePoint data?

No. Microsoft keeps your data available but does not back it up. Their terms and conditions state this explicitly and recommend using a third-party backup tool.

If a file is deleted, an email account is removed, or ransomware encrypts your SharePoint, Microsoft’s native recycle bin gives you a recovery window of 14 to 93 days depending on the application. After that window closes, the data is permanently gone. Network Fish puts proper third-party backup in place for Microsoft 365 as part of our managed support service.

What is multi-factor authentication and do I need it on Microsoft 365?

Multi-factor authentication (MFA) means requiring a second verification step when someone logs into an account, usually a code sent to a phone or generated by an app, in addition to their password. Yes, you need it.

Microsoft’s own data shows MFA blocks over 99% of automated account takeover attempts. It is included in every Microsoft 365 plan at no extra cost but is not enforced by default. We switch it on across every user account as a standard part of our Microsoft 365 security configuration.

What is Microsoft Secure Score?

Microsoft Secure Score is a running measure inside the Microsoft Defender portal that scores how well your Microsoft 365 environment is configured against security best practices. A higher score means more security controls are in place and correctly configured.

Network Fish reviews your Secure Score regularly, identifies the highest-impact improvements, and works through them systematically. You receive a straightforward report on where you stand and what has changed.

What is conditional access in Microsoft 365?

Conditional access is a Microsoft 365 feature that controls who can log into your environment, from where, and on which devices. For example, a login attempt from an unexpected country, an unmanaged personal device, or outside your normal working hours can be blocked automatically without anyone making a manual decision.

We configure conditional access policies as part of our Microsoft 365 security management service.
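As an added example that is not part of this page or Network Fish's own tooling, the policies described here and in the "Conditional access" section above (MFA for everyone, Intune-compliant devices only, sign-ins from unexpected countries blocked) look like this when created with the Microsoft Graph PowerShell SDK. The group name "Break Glass Accounts", the named location "Allowed Countries" and the policy display names are placeholders, and the script assumes you hold the Conditional Access Administrator role.

```powershell
# Added example (not Network Fish's configuration): two Conditional Access policies created
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Groups).
# Assumptions: a security group "Break Glass Accounts" and a countries-based named location
# "Allowed Countries" already exist in Entra ID (both names are placeholders).

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Never lock yourself out: emergency-access accounts are excluded from every policy.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
if (-not $breakGlass) { throw "Break-glass group not found; create it before applying policy." }

# Named location created beforehand under Entra ID > Conditional Access > Named locations.
$allowed = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Allowed Countries'"
if (-not $allowed) { throw "Named location 'Allowed Countries' not found." }

$requireMfaAndCompliant = @{
    displayName = "CA01 - Require MFA and compliant device for all users"
    # Report-only first: sign-in logs show what WOULD be blocked, nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlass.Id)
        }
    }
    grantControls = @{
        # AND: the sign-in must pass MFA *and* come from an Intune-compliant device.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfaAndCompliant | Out-Null

# "block" cannot be combined with other grant controls, so the geo-block is a separate policy.
$blockUnexpectedCountries = @{
    displayName = "CA02 - Block sign-ins from outside allowed countries"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        # Every location except the allowed-countries named location is in scope.
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockUnexpectedCountries | Out-Null
```

Leave both policies in report-only mode until the Entra ID sign-in log shows no legitimate users being caught, then change `state` to `enabled`.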

What happens if a member of staff leaves and still has access to Microsoft 365?

An account that is not properly deprovisioned when someone leaves is a significant security risk. The former employee may still be able to access company email, SharePoint files, Teams conversations, and any other Microsoft 365 data until their account is removed.

We handle user offboarding as a standard part of our managed support service, ensuring accounts are disabled, data is handled correctly, licences are reallocated, and shared inbox and group access is reviewed as part of every leaver process.

What is the difference between Microsoft Defender for Business and Microsoft Defender for Office?

Microsoft Defender for Office is included in most Microsoft 365 business plans and focuses on email security, covering anti-spam, anti-phishing, and basic malware filtering for email and Office files.

Microsoft Defender for Business is available on Microsoft 365 Business Premium and above and extends protection to the devices themselves, covering endpoint detection and response, automated investigation, and vulnerability management across the computers and laptops in your organisation. Network Fish configures and manages both as part of our Microsoft 365 security service, depending on which plan you are on.

Do personal devices accessing Microsoft 365 create a security risk?

Yes. If a member of staff accesses company email or SharePoint from a personal phone or laptop that is unmanaged, unencrypted, or running out-of-date software, your data is exposed regardless of how well your Microsoft 365 tenant is configured.

We use device compliance policies to ensure that only devices meeting your security baseline can access company data, which is also a requirement for Cyber Essentials certification.

Is Microsoft 365 security configuration included in a Network Fish managed support contract?

Yes. For clients on a full managed support contract, Microsoft 365 security configuration and ongoing management is included at no extra charge. This covers the initial configuration of security controls, enforcement of multi-factor authentication, anti-phishing and email protection policies, regular Secure Score reviews, and ongoing management of user accounts including onboarding and offboarding.

The only costs not included are Microsoft licence fees themselves, which are charged directly by Microsoft or via your existing reseller arrangement.

Does Microsoft 365 security help with Cyber Essentials certification?

Yes, significantly. Several of the five Cyber Essentials technical controls map directly to Microsoft 365 configuration: secure device configuration, user access controls, malware protection, and patch management all have Microsoft 365 equivalents.

Getting your Microsoft 365 environment properly configured is one of the most effective steps a business can take towards passing a Cyber Essentials assessment. For managed support clients, Cyber Essentials readiness support is included in the contract.