Cloud and M365

Microsoft 365 Security Settings Every Toronto Business Should Turn On

Most Microsoft 365 tenants are not secure by default. This checklist covers the settings that matter most, explained in plain terms so you can act on them today.

March 2026 | 9 min read | Echoflare Managed Services
At a glance

  • 99% of Microsoft 365 account compromises could be blocked by MFA (Microsoft Security Intelligence).
  • 3B+ phishing emails targeting Microsoft 365 accounts are sent daily (Microsoft Digital Defense Report 2024).
  • By default, Microsoft 365 ships with legacy auth enabled, a critical attack vector. It must be blocked by policy.

Microsoft 365 is the most widely deployed business productivity platform among Toronto and GTA small businesses, and it is also one of the most frequently targeted. The reason is straightforward: a single compromised Microsoft 365 account provides access to email, SharePoint, Teams, OneDrive, and any integrated business application. For an attacker, that is an exceptionally high-value target relative to the effort required to breach it.

The Microsoft 365 security settings SMB administrators most commonly miss are not obscure or technical. They are well-documented controls that Microsoft provides in the admin centre and Entra ID portal. The gap is not in availability. It is in awareness and implementation. This guide covers the Microsoft 365 security checklist that every Toronto business should work through, with plain-language explanations of what each setting does and why it matters.

Security Defaults are not sufficient

Microsoft enables Security Defaults on new tenants, which provides a basic MFA baseline. This is better than nothing, but it is not a substitute for properly configured Conditional Access policies, Defender for Office 365, audit logging, and admin account hardening. If your M365 MFA setup stops at Security Defaults, the remainder of this article is directly relevant to your environment.

Enforce MFA through Conditional Access, not Security Defaults

Multi-factor authentication is the most impactful Microsoft 365 security setting available. Proper MFA setup through Microsoft 365 Conditional Access policies is the single highest-return security investment for any Toronto SMB. Microsoft's own data shows MFA blocks over 99% of automated credential attacks. Despite this, MFA is still not enforced as a hard policy in a significant proportion of Microsoft 365 SMB tenants.

The right implementation is Conditional Access, not Security Defaults. Security Defaults apply a blanket MFA prompt using Microsoft's defaults. Conditional Access lets you define precise policies: require MFA for all users, require MFA for all cloud app access, block legacy authentication protocols, and require compliant devices for sensitive application access.

Require MFA for all users via Conditional Access

Entra ID admin centre › Security › Conditional Access › New policy

Create a Conditional Access policy targeting all users and all cloud apps, requiring multi-factor authentication. Set this to Report-Only first to identify any service accounts or legacy clients that may break, then switch to Enforce once validated.

Required | Included in M365 Business Premium

Block legacy authentication protocols

Conditional Access › New policy › Client apps condition

Legacy authentication protocols such as IMAP, POP3, SMTP AUTH, and older Exchange ActiveSync connections do not support MFA. An attacker with a stolen credential can bypass MFA entirely by using a legacy protocol. Create a Conditional Access policy blocking all legacy authentication client apps. Monitor the Sign-in logs for legacy auth attempts before enforcing to avoid disrupting legitimate workflows.

Required

Require compliant or Entra ID joined devices

Conditional Access › Device state conditions

This policy restricts Microsoft 365 access to devices that are enrolled in Intune and marked compliant, or joined to Entra ID. It prevents access from personal or unmanaged devices that may be compromised. Implement after device enrollment is complete across your fleet.

Recommended
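The three policies above can be created from the Entra admin centre as described, but they are easier to review and repeat as code. The following is an added example, not code from the original article or from Echoflare, that creates all three in report-only mode with the Microsoft Graph PowerShell SDK and then lists recent legacy-protocol sign-ins so you can see what the block policy would affect before enforcing it. It assumes the Microsoft.Graph modules are installed; the break-glass account UPN and the policy names are placeholders you replace with your own.

```powershell
# Added example (not from the original article or Echoflare). Creates the three Conditional
# Access policies above in report-only mode, then lists legacy-client sign-ins from the last
# 7 days. Assumes Microsoft.Graph modules are installed; UPN and names are placeholders.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "AuditLog.Read.All"

# Placeholder: an emergency-access account excluded from every policy, so that a mistake in a
# policy cannot lock every administrator out of the tenant.
$breakGlass = (Get-MgUser -UserId "breakglass@example.com").Id
$reportOnly = "enabledForReportingButNotEnforced"   # Graph's name for Report-Only

# Shared scope: all users (except break-glass) on all cloud apps, for the given client types.
function New-Scope([string[]]$ClientAppTypes) {
    @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = $ClientAppTypes
    }
}

$policies = @(
    # 1. Require MFA for everyone, on every client type.
    @{
        displayName   = "CA01 - Require MFA for all users"
        state         = $reportOnly
        conditions    = New-Scope @("all")
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    # 2. Block legacy authentication. "exchangeActiveSync" and "other" are the client app
    #    types (IMAP, POP3, SMTP AUTH, older Office builds) that cannot complete an MFA prompt.
    @{
        displayName   = "CA02 - Block legacy authentication"
        state         = $reportOnly
        conditions    = New-Scope @("exchangeActiveSync", "other")
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    # 3. Require an Intune-compliant device or a hybrid-joined device ("domainJoinedDevice" is
    #    the API name of the "Require Microsoft Entra hybrid joined device" grant control).
    @{
        displayName   = "CA03 - Require compliant or Entra joined device"
        state         = $reportOnly
        conditions    = New-Scope @("all")
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# Before switching CA02 to "enabled", see who still signs in with a legacy client. Anything
# other than "Browser" or "Mobile Apps and Desktop clients" in ClientAppUsed is legacy.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Once the report-only results are clean, enforce the policy:
# Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'CA02 - Block legacy authentication'" |
#     ForEach-Object { Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $_.Id -State "enabled" }
```

Run the sign-in query for at least a full business cycle before enforcing: a scanner or line-of-business app that only sends mail on month end will not show up in a seven-day window, so widen the `AddDays` value if your environment has such systems.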

Configure Microsoft Defender for Office 365

Microsoft Defender for Office 365 (included in Business Premium and available as an add-on) provides email and collaboration security capabilities that go well beyond the basic spam filtering included in all Microsoft 365 plans. The default configuration is not sufficient. The key features require deliberate activation and policy configuration.

Enable Safe Links

Microsoft 365 Defender portal › Email and collaboration › Policies › Safe Links

Safe Links rewrites URLs in emails and Office documents and scans them at click time rather than at delivery time. This catches links that were safe when the email was delivered but were later weaponized (time-of-click protection). Enable Safe Links for email, Teams messages, and Office apps. Enable the "Do not allow users to click through to the original URL" setting for maximum protection.

Required | Included in Business Premium

Enable Safe Attachments

Microsoft 365 Defender portal › Email and collaboration › Policies › Safe Attachments

Safe Attachments opens email attachments in a detonation sandbox before delivering them to the recipient. This catches malicious attachments including weaponized PDFs, Office macros, and executable files before they reach your users' inboxes. Enable with the Dynamic Delivery option to minimize email delivery delays while attachments are being scanned.

Required | Included in Business Premium

Configure anti-phishing policies with impersonation protection

Microsoft 365 Defender portal › Email and collaboration › Policies › Anti-phishing

The default anti-phishing policy provides basic protection. Configure an advanced policy that enables impersonation protection for your key executives and domain. This catches business email compromise (BEC) attacks where attackers spoof your executives' display names or register lookalike domains to intercept payment requests and sensitive communications.

Required
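The three Defender for Office 365 policies above (Safe Links, Safe Attachments, anti-phishing with impersonation protection) can be created and verified in one pass with Exchange Online PowerShell. The following is an added example, not code from the original article or from Echoflare. It assumes the ExchangeOnlineManagement module is installed and that Defender for Office 365 is licensed in the tenant; the domain, admin UPN and the executive name and address are placeholders.

```powershell
# Added example (not from the original article or Echoflare). Creates the Safe Links, Safe
# Attachments and anti-phishing policies described above and applies each to one accepted
# domain. Placeholders: admin UPN, $domain, and the protected executive.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@example.com"

$domain = "example.com"                                  # placeholder accepted domain
$executives = @("Jane Doe;jane.doe@example.com")          # placeholder, "Display Name;address"

# Safe Links: rewrite URLs and scan at click time in email, Teams and Office apps; users
# cannot click through to a URL that was flagged (AllowClickThrough $false).
New-SafeLinksPolicy -Name "SafeLinks-AllUsers" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "SafeLinks-AllUsers" -SafeLinksPolicy "SafeLinks-AllUsers" -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in the sandbox, but deliver the message body at once
# and attach the file afterwards (Dynamic Delivery) so users are not waiting on the scan.
New-SafeAttachmentPolicy -Name "SafeAttachments-AllUsers" -Enable $true -Action DynamicDelivery -Redirect $false
New-SafeAttachmentRule -Name "SafeAttachments-AllUsers" -SafeAttachmentPolicy "SafeAttachments-AllUsers" -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for named executives, your own domains, and
# mailbox intelligence (learned contact graph), quarantining anything that matches.
New-AntiPhishPolicy -Name "AntiPhish-Impersonation" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $executives `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect @($domain) `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true `
    -PhishThresholdLevel 2
New-AntiPhishRule -Name "AntiPhish-Impersonation" -AntiPhishPolicy "AntiPhish-Impersonation" -RecipientDomainIs $domain

# Verify what is now in effect.
Get-SafeLinksPolicy | Format-List Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice, AllowClickThrough
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action
Get-AntiPhishPolicy | Format-List Name, EnableTargetedUserProtection, TargetedUsersToProtect, EnableTargetedDomainsProtection, TargetedDomainsToProtect

Disconnect-ExchangeOnline -Confirm:$false
```

The rule (`New-*Rule`) is what actually scopes a policy to recipients; a policy with no rule attached protects nobody, which is a common reason a "configured" tenant still lets phishing through. If you have several accepted domains, pass them all to `-RecipientDomainIs` rather than creating one policy per domain.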

Enable DKIM and configure DMARC

Microsoft 365 Defender portal › Email and collaboration › Policies › Email authentication

DKIM (DomainKeys Identified Mail) cryptographically signs outbound emails from your domain. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do with messages that fail SPF and DKIM checks. Start with DMARC in monitoring mode (p=none) to review reports, then move to p=quarantine and eventually p=reject. This prevents attackers from successfully spoofing your domain in outbound phishing campaigns targeting your clients and partners.

Required
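Enabling DKIM is a two-step process (create the signing configuration, publish the two CNAME records it gives you, then enable signing), and DMARC is a DNS record you tighten in stages. The following is an added example, not code from the original article or from Echoflare, that walks through both and includes a small check you can run from any Windows machine to confirm what is actually published. The domain and reporting mailbox are placeholders; it assumes the ExchangeOnlineManagement module and the built-in Windows DnsClient module.

```powershell
# Added example (not from the original article or Echoflare). Enables DKIM for one domain,
# shows the staged DMARC records, and checks the published DNS. $domain is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@example.com"   # placeholder UPN

$domain = "example.com"

# 1. DKIM: create the signing config disabled, read the two CNAME targets, publish them in
#    your DNS as selector1._domainkey.<domain> and selector2._domainkey.<domain>, then enable.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
Get-DkimSigningConfig -Identity $domain | Format-List Selector1CNAME, Selector2CNAME
# ...after the CNAMEs resolve:
# Set-DkimSigningConfig -Identity $domain -Enabled $true

# 2. DMARC: a TXT record at _dmarc.<domain>. Publish stage 1, read the aggregate (rua)
#    reports until every legitimate sender passes, then move to stage 2 and finally stage 3.
$dmarcStages = @(
    "v=DMARC1; p=none; rua=mailto:dmarc-reports@$domain",                  # monitor only
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@$domain",    # quarantine 25%
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@$domain"                 # full enforcement
)
$dmarcStages | ForEach-Object { "_dmarc.$domain  TXT  `"$_`"" }

# 3. Check what is really published (Resolve-DnsName ships with Windows).
function Get-DmarcPolicy([string]$Domain) {
    $txt = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ""
    if ($txt -notmatch '^v=DMARC1') { return "missing" }
    if ($txt -match 'p=(none|quarantine|reject)') { return $Matches[1] }
    return "invalid"
}
function Test-DkimPublished([string]$Domain) {
    foreach ($sel in "selector1", "selector2") {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        [pscustomobject]@{ Selector = $sel; Published = [bool]$cname; Target = $cname.NameHost }
    }
}

"DMARC policy for ${domain}: $(Get-DmarcPolicy $domain)"
Test-DkimPublished $domain | Format-Table -AutoSize
```

Do not skip the `p=none` stage: a domain that sends through a marketing platform, a ticketing system or a multifunction printer usually has senders nobody remembered, and the aggregate reports are how you find them before `p=reject` starts bouncing their mail.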

Enable and configure audit logging

The Microsoft 365 Unified Audit Log, sometimes called the Office 365 audit logging console, records activity across Exchange, SharePoint, Teams, OneDrive, and Entra ID. It must be explicitly enabled and is the primary source of forensic evidence after any security incident. Without audit logging, you cannot determine what an attacker accessed, when they accessed it, or what they did. It is also required for PIPEDA breach reporting and the vast majority of regulatory compliance frameworks.

Enable the Unified Audit Log

Microsoft Purview compliance portal › Audit › Start recording user and admin activity

Audit logging is not enabled by default on all tenants. Verify its status and enable it immediately if it is off. Logs are retained for 90 days under standard plans and 365 days under Microsoft 365 Business Premium and above. Note the retention period: if you are involved in a compliance investigation and logs have expired, they cannot be recovered.

Required | Included in all plans

Configure mailbox auditing for all users

Exchange admin centre › Recipients › Mailboxes › Mailbox auditing

Mailbox auditing logs actions taken on mailboxes by owners, delegates, and administrators. It is enabled by default for Exchange Online mailboxes but should be verified. Confirm that SendAs, SendOnBehalf, and MailItemsAccessed actions are being logged for all mailboxes, particularly executive and finance team accounts that are frequent targets for business email compromise.

Required

Set up alert policies for critical events

Microsoft Purview compliance portal › Alert policies

Configure alert policies that notify your IT administrator or managed IT provider when high-risk events occur: mass file download or deletion, forwarding rules created on mailboxes (a common post-compromise technique), elevation of admin privileges, and sign-ins from unfamiliar locations. Microsoft provides default alert policies. Review them and add organization-specific alerts for your environment.

Recommended
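The three audit settings above are quick to verify with Exchange Online PowerShell, and the same session can run the check an alert policy for "forwarding rules created on mailboxes" would fire on. The following is an added example, not code from the original article or from Echoflare. It assumes the ExchangeOnlineManagement module; note that the MailItemsAccessed action depends on the Audit (Premium) licence, so on Business Premium mailboxes the report may list it as missing even though the other actions are logged.

```powershell
# Added example (not from the original article or Echoflare). Verifies the Unified Audit Log
# and per-mailbox auditing, then hunts the audit log for inbox rules that forward or redirect
# mail, the post-compromise technique named above. Admin UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@example.com"

# 1. Unified Audit Log: check its state and turn ingestion on if it is off.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified Audit Log enabled; records start appearing within a few hours."
}

# 2. Mailbox auditing: the tenant-level switch must not be disabled, and each user mailbox
#    should log the three actions named above for delegates and admins.
if ((Get-OrganizationConfig).AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }

$required = @("SendAs", "SendOnBehalf", "MailItemsAccessed")
$gaps = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    $mbx = $_
    $missing = $required | Where-Object { ($_ -notin $mbx.AuditDelegate) -or ($_ -notin $mbx.AuditAdmin) }
    [pscustomobject]@{
        Mailbox        = $mbx.UserPrincipalName
        AuditEnabled   = $mbx.AuditEnabled
        MissingActions = ($missing -join ", ")
    }
} | Where-Object { (-not $_.AuditEnabled) -or $_.MissingActions }
$gaps | Format-Table -AutoSize

# Remediate: enable auditing and add the missing actions (@{Add=...} appends to the list).
foreach ($g in $gaps) {
    Set-Mailbox -Identity $g.Mailbox -AuditEnabled $true `
        -AuditDelegate @{Add = $required} -AuditAdmin @{Add = $required}
}

# 3. Hunt: inbox rules created or changed in the last 30 days that forward or redirect mail.
#    Each audit record's AuditData is JSON; Parameters holds the cmdlet arguments used.
$start = (Get-Date).AddDays(-30); $end = Get-Date
Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations "New-InboxRule", "Set-InboxRule" -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Parameters.Name -match '^(ForwardTo|ForwardAsAttachmentTo|RedirectTo)$' } |
    Select-Object CreationTime, UserId, ClientIP,
        @{ n = "Rule"; e = { ($_.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } } |
    Format-Table -AutoSize

# The audit log only shows rules created while logging was on; this lists what exists right now.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Get-InboxRule -Mailbox $_.UserPrincipalName } |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Select-Object MailboxOwnerId, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled

Disconnect-ExchangeOnline -Confirm:$false
```

The last query matters because an attacker who set up a forwarding rule before audit logging was enabled leaves nothing in the log; the live inventory is the only way to catch that case.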

Harden administrator accounts

Administrator accounts are the highest-value target in any Microsoft 365 environment. A compromised admin account provides an attacker with the ability to create new accounts, disable security controls, exfiltrate data, and cover their tracks. Admin account hardening for Microsoft 365 is one of the most consistently missed areas in SMB Microsoft 365 environments.

Use dedicated admin accounts with no Microsoft 365 licences

Microsoft 365 admin centre › Users › Active users

Administrators should have two separate accounts: a regular licensed account for day-to-day work such as email and Teams, and a separate unlicensed account used only for administrative tasks. The unlicensed admin account has no mailbox, so phishing emails cannot be delivered to it. This significantly reduces the attack surface for admin credential compromise.

Required

Enforce phishing-resistant MFA for all admin accounts

Entra ID › Authentication methods

Admin accounts must use phishing-resistant MFA methods: hardware security keys (FIDO2) or Windows Hello for Business rather than SMS or authenticator app push notifications. Push notification MFA can be bypassed through MFA fatigue attacks. For admin accounts, the additional inconvenience of a hardware key is justified by the access those accounts provide.

Required

Apply just-in-time privileged access through Privileged Identity Management

Entra ID › Identity Governance › Privileged Identity Management

Privileged Identity Management (PIM) allows admin roles to be activated on demand for a defined time period rather than permanently assigned. An administrator requests elevation, provides MFA, and receives temporary role access that expires automatically. This means admin privileges are active only when needed, drastically reducing the window an attacker has if an admin account is compromised. Requires Entra ID P2 licensing.

Advanced

Remove unused admin role assignments

Microsoft 365 admin centre › Roles › Role assignments

Review all accounts with Global Administrator, Exchange Administrator, SharePoint Administrator, and other high-privilege roles. Remove assignments from accounts that do not actively require them. Most Microsoft 365 environments have more admin accounts than necessary, often inherited from initial setup or created for temporary projects and never cleaned up. Limit Global Administrator assignments to two or three accounts at most.

Required
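The four admin-account controls above can be reviewed together: which accounts hold the high-privilege roles, whether those accounts carry a licence (and therefore a phishable mailbox), whether they have a phishing-resistant method registered, and whether a Conditional Access policy requires that method for the roles. The following is an added example, not code from the original article or from Echoflare, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph modules are installed and looks up role template and authentication-strength IDs by display name rather than hardcoding them; the break-glass account is a placeholder.

```powershell
# Added example (not from the original article or Echoflare). Reports on high-privilege role
# holders against the rules above, then creates a report-only Conditional Access policy that
# requires the built-in "Phishing-resistant MFA" strength for those roles.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All",
                        "UserAuthenticationMethod.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "Policy.Read.All"

$roleNames = @("Global Administrator", "Exchange Administrator", "SharePoint Administrator")
$phishResistant = @("#microsoft.graph.fido2AuthenticationMethod",
                    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod")

# 1. Review every member of each role: licensed? phishing-resistant method registered?
$report = foreach ($roleName in $roleNames) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }   # role never activated in this tenant, so it has no members
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $user = Get-MgUser -UserId $member.Id -Property Id, UserPrincipalName, AssignedLicenses -ErrorAction SilentlyContinue
        if (-not $user) { continue }   # member is a group or service principal, not a user
        $methods = Get-MgUserAuthenticationMethod -UserId $user.Id |
                   ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        [pscustomobject]@{
            Role              = $roleName
            Admin             = $user.UserPrincipalName
            HasLicence        = ($user.AssignedLicenses.Count -gt 0)        # should be False
            PhishResistantMfa = [bool]($methods | Where-Object { $_ -in $phishResistant })  # should be True
        }
    }
}
$report | Sort-Object Role, Admin | Format-Table -AutoSize
$gaCount = @($report | Where-Object Role -eq "Global Administrator").Count
"Global Administrator assignments: $gaCount (article target: two or three at most)"

# 2. Conditional Access: require the built-in "Phishing-resistant MFA" authentication strength
#    for the admin roles. IDs are looked up by name; the break-glass object ID is a placeholder.
$strength = Get-MgPolicyAuthenticationStrengthPolicy | Where-Object DisplayName -eq "Phishing-resistant MFA"
$roleIds  = (Get-MgDirectoryRoleTemplate | Where-Object DisplayName -in $roleNames).Id
$breakGlass = (Get-MgUser -UserId "breakglass@example.com").Id

$adminPolicy = @{
    displayName   = "CA10 - Phishing-resistant MFA for admin roles"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeRoles = @($roleIds); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy | Select-Object DisplayName, State
```

Run the report before enforcing the policy: an administrator with no FIDO2 key or Windows Hello for Business registration will be locked out of their admin account the moment the policy moves from report-only to enabled, which is exactly when the break-glass exclusion earns its keep.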

Additional settings worth enabling

Beyond the four main categories, several additional Microsoft 365 security settings provide meaningful protection for Toronto SMBs without requiring additional licensing or complex configuration.

  • Disable anonymous sharing in SharePoint and OneDrive. The default SharePoint and OneDrive configuration allows anyone with a link to access shared files without authentication. Restrict external sharing to authenticated guests only via the SharePoint admin centre unless your business has a specific operational need for anonymous links.
  • Enable self-service password reset with MFA verification. Self-service password reset reduces helpdesk burden while ensuring users verify identity through MFA before resetting their password. Without it, password reset processes can become a social engineering vector.
  • Configure data loss prevention (DLP) policies for sensitive data. DLP policies detect and prevent the unauthorized sharing of sensitive information such as credit card numbers, health information, and personal identification numbers through email and Teams. Microsoft provides pre-built policy templates for common regulatory frameworks including PIPEDA.
  • Review and restrict OAuth app consent. Microsoft 365 allows third-party applications to request access to user data through OAuth. By default, users can grant consent to apps without administrator approval. Restrict this to administrator-approved apps only via Entra ID app registration policies to prevent malicious OAuth phishing attacks.
  • Enable Microsoft Secure Score monitoring. Microsoft Secure Score provides a continuous assessment of your Microsoft 365 security configuration and prioritizes improvement actions by impact. Use it as an ongoing benchmark rather than a one-time configuration checklist.
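Two of the items above, anonymous sharing links and user OAuth consent, are tenant-wide switches that are easy to set and verify from PowerShell. The following is an added example, not code from the original article or from Echoflare. It assumes the SharePoint Online Management Shell and the Microsoft.Graph modules are installed; the tenant admin URL is a placeholder.

```powershell
# Added example (not from the original article or Echoflare). Turns off anonymous sharing
# links in SharePoint/OneDrive and disables user consent to OAuth apps, then verifies both.
# The tenant admin URL is a placeholder.

# SharePoint and OneDrive: external sharing only to authenticated guests, and the default
# link a user creates is an internal one rather than an "anyone" link.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://example-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType
# Expected: SharingCapability = ExternalUserSharingOnly, DefaultSharingLinkType = Internal

# OAuth app consent: an empty permission-grant policy list means users cannot consent to any
# third-party app themselves; an administrator must approve it instead.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
$assigned = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
if ($assigned.Count -eq 0) { "User consent disabled" } else { "User consent still allowed: $($assigned -join ', ')" }
```

Disabling user consent without giving users a way to ask for apps leads to shadow IT, so pair this change with the admin consent workflow in the Entra admin centre (Enterprise applications, Consent and permissions) so requests reach an administrator instead of being silently blocked.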

Implementation sequence

Implement in the order presented: MFA and Conditional Access first, then Defender for Office 365, then audit logging, then admin hardening, then the additional settings. MFA and blocking legacy authentication provide the largest immediate risk reduction. Audit logging enables you to detect and investigate any incidents that occur while the remaining controls are being implemented.

Key takeaways

  • Microsoft 365 does not ship with a fully secure configuration. Security Defaults provide a basic MFA baseline but leave significant gaps in Conditional Access, Defender configuration, audit logging, and admin hardening.
  • MFA enforced through Conditional Access and blocking of legacy authentication are the two highest-priority Microsoft 365 security settings. Together they address the majority of credential-based attacks targeting M365 environments.
  • Safe Links and Safe Attachments through Microsoft Defender for Office 365 protect against the most common email-based attack vectors and are included in Microsoft 365 Business Premium at no additional cost.
  • The Unified Audit Log must be explicitly enabled. Without it, forensic investigation after a security incident is severely limited and PIPEDA breach reporting obligations may not be fulfillable.
  • Dedicated unlicensed admin accounts and phishing-resistant MFA for administrators are consistently missed in SMB Microsoft 365 environments and represent a material security gap when absent.

Frequently asked questions

What are the most important Microsoft 365 security settings for a small business?

The four highest-priority settings are: enforcing MFA for all users via Conditional Access, enabling Microsoft Defender for Office 365 with Safe Links and Safe Attachments, activating the Unified Audit Log, and hardening admin accounts with dedicated unlicensed administrator accounts. These four changes address the majority of attack vectors used against Microsoft 365 environments.

Does Microsoft 365 come secure by default?

No. Microsoft 365 ships with Security Defaults enabled for new tenants, which provides a basic MFA baseline, but many important settings require configuration to be effective. Conditional Access policies, Defender for Office 365 features, audit logging, and admin account hardening all require deliberate configuration beyond what Security Defaults provides. Legacy authentication protocols are also enabled by default and must be explicitly blocked.

What is Conditional Access in Microsoft 365?

Conditional Access is a Microsoft Entra ID feature that enforces access policies based on conditions such as user identity, device compliance, location, and application. For Toronto SMBs, the most important Conditional Access policies are requiring MFA for all users, blocking legacy authentication protocols, and requiring compliant devices for access to sensitive applications. Conditional Access is included in Microsoft 365 Business Premium.

What is the Microsoft 365 Unified Audit Log?

The Unified Audit Log records user and administrator activity across Microsoft 365 services including Exchange, SharePoint, Teams, and Entra ID. It must be explicitly enabled and is the primary source of forensic evidence after a security incident. Without it you cannot determine what an attacker accessed, when, or what they did. It is also required for PIPEDA breach reporting and most compliance frameworks.

How long does it take to configure Microsoft 365 security settings?

For an IT administrator familiar with the Microsoft 365 admin centre and Entra ID, implementing the core settings in this article typically takes three to five hours. Conditional Access policy design and testing is the most time-consuming step because policies must be validated in Report-Only mode before enforcement to avoid locking out legitimate users or breaking service accounts. Echoflare can implement and validate the full configuration in a single scheduled session as part of our IT consulting or managed services engagement.

Want your Microsoft 365 security configuration reviewed?

Echoflare assesses your current Microsoft 365 security posture as part of a free 30-minute review. We identify the gaps and give you a prioritized remediation plan.
