2KR IT Solutions

Microsoft 365 Security Best Practices: A Step-by-Step Guide for South African SMBs

If your business runs on Microsoft 365 — and most South African SMBs do — then understanding Microsoft 365 security best practices is no longer optional. Microsoft 365 is the business platform most heavily targeted by cybercriminals worldwide, and South African businesses are increasingly in the crosshairs. According to cybersecurity research, Africa saw a sharp rise in business email compromise (BEC) and ransomware attacks in recent years, with Microsoft 365 accounts being a primary entry point. The good news is that most of these attacks are preventable — but only if your environment is properly configured. This guide walks you through the six most important steps to secure your M365 tenant, written for business owners and office managers, not IT specialists.

Why Microsoft 365 Security Cannot Be Left on Default Settings

Many business owners assume that because they are paying for Microsoft 365, they are automatically protected. Unfortunately, that is not how it works. Out of the box, Microsoft 365 ships with baseline settings that prioritise ease of use and broad compatibility over security. Features like multi-factor authentication, advanced email filtering, and audit logging are either disabled by default or require deliberate activation. This gap between what M365 offers and what is actually switched on is exactly what attackers exploit.

The consequences of a poorly secured M365 environment are serious. A compromised business email account can be used to intercept payments, impersonate executives, or lock you out of your own data. For South African businesses, there is also a regulatory dimension: the Protection of Personal Information Act (POPIA) requires organisations to implement reasonable security measures for personal data. A breach resulting from a preventable misconfiguration is not just a financial risk — it is a compliance risk too.

Step 1 — Enable Multi-Factor Authentication (MFA) for All Users

Multi-factor authentication is the single most effective security control you can implement. In simple terms, MFA means that logging in requires more than just a username and password — it also requires a second proof of identity, such as a code sent to your phone or generated by an authenticator app. Even if a cybercriminal obtains your password through a phishing email or a data breach, they cannot access your account without that second factor.

For M365 MFA to be effective, it needs to be enforced for every user in your organisation — not just administrators. Studies consistently show that accounts without MFA are significantly more likely to be compromised. Your IT provider or MSP can enable MFA across your entire tenant through the Microsoft 365 admin centre or through Azure Active Directory (now called Microsoft Entra ID), and set it up in a way that is minimally disruptive to your team’s daily workflow.

Step 2 — Configure Conditional Access Policies

Once MFA is in place, the next layer is conditional access — a feature that adds intelligent rules around when and how users can log in. Think of it as a security checkpoint that evaluates context before granting access. For example, a conditional access policy can block logins from high-risk countries, require MFA only when accessing from an unrecognised device, or prevent access to sensitive data from personal smartphones that are not enrolled in your company’s device management.

For SMBs, conditional access is particularly valuable because it adds security without adding friction for users working in their normal environment. Your staff log in from the office or their usual laptop without extra steps — but if someone tries to sign in from an unusual location or an unmanaged device, the system flags it or blocks it entirely. This feature is available with Microsoft 365 Business Premium licences and is a compelling reason to be on that tier if you handle sensitive client data.

Step 3 — Enable Microsoft Defender and Email Protection

Email is the number one attack vector for businesses. Phishing emails — messages designed to trick your staff into clicking malicious links or revealing credentials — are responsible for the majority of SMB breaches. Microsoft Defender for Business includes a suite of email protection tools that significantly reduce this risk, and most of them simply need to be switched on and properly configured.

Anti-phishing policies analyse incoming messages for signs of impersonation — for example, an email that appears to come from your bank or a supplier but is actually from a lookalike domain. Anti-malware scanning checks attachments before they reach your inbox. Safe Links rewrites URLs in emails and scans them at the time you click, catching malicious links even if they were safe when the message was sent. Safe Attachments opens suspicious files in a protected sandbox environment before delivering them to your mailbox. Taken together, these Microsoft 365 security settings form a meaningful defence against the most common email-based threats facing South African businesses today.

Step 4 — Audit User Permissions and Licence Assignments

Over time, Microsoft 365 environments accumulate unnecessary access: former employees whose accounts were not properly deactivated, staff members who were given admin rights for a once-off task and never had them removed, and licences assigned to people who have long since left the company. Each of these represents a potential security vulnerability.

A regular permissions audit — at a minimum every six months — should check that every active user has only the access they genuinely need, that there are no dormant accounts with active licences, and that administrative rights are limited to those who require them. This is closely tied to your staff offboarding process: when an employee leaves, their M365 account needs to be handled correctly and promptly. For a detailed checklist on this, see our guide on IT offboarding best practices for South African SMBs. Getting this right is both a security imperative and a POPIA requirement.
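The three checks described above (dormant accounts, licences on disabled or unused accounts, and admin rights outside an approved list) can be applied to a user export from your tenant. The script below is an added example, not code from this guide or from Microsoft; the user records, the `example.co.za` domain and the approved-admin list are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of a user export (fields you would collect from the admin
# centre or a Microsoft Graph user report); not real tenant data.
USERS = [
    {"upn": "alice@example.co.za", "enabled": True,  "licensed": True,
     "last_sign_in": "2024-05-20T08:12:00Z", "roles": ["Global Administrator"]},
    {"upn": "bob@example.co.za",   "enabled": True,  "licensed": True,
     "last_sign_in": "2024-01-03T09:00:00Z", "roles": []},
    {"upn": "carol@example.co.za", "enabled": True,  "licensed": True,
     "last_sign_in": None,                   "roles": ["Exchange Administrator"]},
    {"upn": "dave@example.co.za",  "enabled": False, "licensed": True,
     "last_sign_in": "2023-11-30T17:45:00Z", "roles": []},
]

# Assumed allow-list of people the business has approved to hold admin roles.
APPROVED_ADMINS = {"alice@example.co.za"}
DORMANT_DAYS = 90   # an account with no sign-in for this long is treated as dormant

def parse_ts(value):
    """Parse the export's UTC timestamp; None means the user has never signed in."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_users(users, now, approved_admins=APPROVED_ADMINS, dormant_days=DORMANT_DAYS):
    """Return (upn, finding) pairs for the Step 4 checks."""
    findings = []
    cutoff = now - timedelta(days=dormant_days)
    for u in users:
        last = parse_ts(u["last_sign_in"])
        if u["licensed"] and not u["enabled"]:
            findings.append((u["upn"], "disabled account still holds a licence"))
        elif u["licensed"] and (last is None or last < cutoff):
            findings.append((u["upn"], f"licensed account with no sign-in in {dormant_days} days"))
        for role in u["roles"]:
            if u["upn"] not in approved_admins:
                findings.append((u["upn"], f"unapproved admin role: {role}"))
    return findings

if __name__ == "__main__":
    for upn, finding in audit_users(USERS, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{upn}: {finding}")
```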

Step 5 — Enable Unified Audit Logging

Unified Audit Logging is one of the most overlooked Microsoft 365 security settings — and one of the most important. When enabled, it records activity across your M365 environment: who logged in, from where, what files were accessed or shared, whether any emails were forwarded externally, and much more. Without it, if a security incident occurs, you have no reliable way to understand what happened, when it started, or what data was affected.

For South African businesses, audit logging is directly relevant to POPIA compliance. The Act requires organisations to be able to investigate and report on data breaches. If a breach occurs and you cannot demonstrate what happened because audit logs were never activated, your exposure — both legal and reputational — is significantly greater. Your MSP or IT provider can enable unified audit logging in the Microsoft 365 compliance centre and configure alerts for suspicious activity, giving you both visibility and an evidence trail.
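One concrete use of the audit trail is spotting mailbox rules that silently forward mail outside the company, a common sign of a compromised account. The script below is an added example, not code from this guide or from Microsoft: it runs over constructed records in the shape of the AuditData JSON that the Exchange Online `Search-UnifiedAuditLog` cmdlet returns, and assumes `example.co.za` is the tenant's own domain.

```python
import json

# Constructed audit records (sample data, not from a real tenant), shaped like the
# AuditData JSON of Exchange inbox-rule and mailbox-setting operations.
AUDIT_RECORDS = [
    json.dumps({"CreationTime": "2024-06-03T06:41:12", "Operation": "New-InboxRule",
                "UserId": "bob@example.co.za", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "bob.backup@gmail.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-06-03T07:02:55", "Operation": "Set-InboxRule",
                "UserId": "alice@example.co.za", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "MoveToFolder", "Value": "Finance"}]}),
    json.dumps({"CreationTime": "2024-06-03T07:30:10", "Operation": "Set-Mailbox",
                "UserId": "carol@example.co.za", "ClientIP": "198.51.100.9",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:carol@example.co.za"}]}),
]

TENANT_DOMAINS = {"example.co.za"}   # assumed: the domains your tenant owns
# Rule and mailbox parameters that send a copy of mail somewhere else.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

def is_external(address, tenant_domains=TENANT_DOMAINS):
    """True if the address's domain is not one the tenant owns."""
    addr = address.split(":", 1)[-1]            # strip an 'smtp:' prefix if present
    domain = addr.rsplit("@", 1)[-1].lower()
    return domain not in tenant_domains

def find_external_forwarding(records, tenant_domains=TENANT_DOMAINS):
    """Flag records where a rule or mailbox setting forwards mail outside the tenant."""
    hits = []
    for raw in records:
        rec = json.loads(raw)
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        for name in FORWARD_PARAMS.intersection(params):
            targets = [t.strip() for t in params[name].split(";") if t.strip()]
            external = [t for t in targets if is_external(t, tenant_domains)]
            if external:
                hits.append({"user": rec["UserId"], "operation": rec["Operation"],
                             "time": rec["CreationTime"], "ip": rec.get("ClientIP"),
                             "targets": external,
                             # a rule that also deletes the message hides the forwarding
                             "deletes_copy": params.get("DeleteMessage") == "True"})
    return hits

if __name__ == "__main__":
    for hit in find_external_forwarding(AUDIT_RECORDS):
        print(hit)
```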

Step 6 — Set Up Data Loss Prevention (DLP) Policies

Data Loss Prevention policies allow you to define rules about how sensitive information can be shared — and to automatically enforce those rules. For example, a DLP policy can detect when an email contains what appears to be an ID number, banking detail, or confidential contract, and either block the message, warn the sender, or require manager approval before it is sent. These policies apply across email, SharePoint, Teams, and OneDrive.

For SMBs handling personal information — which under POPIA includes virtually any data that can identify an individual — DLP provides an automated safety net against accidental or intentional data exposure. It is particularly relevant for consulting engineering firms, professional services practices, and any business handling sensitive client records. Microsoft 365 includes built-in DLP templates for common data types, making it practical for smaller organisations to deploy meaningful protection without building policies from scratch.
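To show what "detect when an email contains what appears to be an ID number" involves, the script below validates South African ID numbers the way a custom sensitive-information type would: a 13-digit run with a plausible date of birth, a citizenship digit of 0 or 1, and a valid Luhn check digit, so that arbitrary 13-digit references are not flagged. This is an added example, not code from this guide or a Microsoft DLP template; the message text and ID numbers are synthetic test values.

```python
import re
from datetime import datetime

ID_PATTERN = re.compile(r"(?<!\d)\d{13}(?!\d)")   # 13 digits not embedded in a longer number

def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_sa_id_number(candidate: str) -> bool:
    """True if the string has the structure of a South African ID number:
    YYMMDD date of birth, SSSS sequence, C citizenship (0/1), A, Z Luhn check digit."""
    if not (len(candidate) == 13 and candidate.isdigit()):
        return False
    try:
        datetime.strptime(candidate[:6], "%y%m%d")   # rejects impossible dates
    except ValueError:
        return False
    if candidate[10] not in "01":
        return False
    return luhn_valid(candidate)

def find_sa_id_numbers(text: str) -> list:
    """Return the 13-digit runs in text that validate as SA ID numbers."""
    return [m.group(0) for m in ID_PATTERN.finditer(text) if is_sa_id_number(m.group(0))]

# Constructed message body; the ID numbers are synthetic test values, not real people's.
SAMPLE_EMAIL = (
    "Hi, attached is the FICA pack for the new client. ID number 8001015009087, "
    "account ref 1234567890123, alt ID 8001015009088 (typo?)."
)

if __name__ == "__main__":
    print(find_sa_id_numbers(SAMPLE_EMAIL))   # ['8001015009087']
```

In a real DLP policy this check is the detection half; the action (block, warn, or require approval) is configured on the policy itself.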

How an MSP Keeps Your Microsoft 365 Security Best Practices in Place 24/7

Configuring these six steps is not a once-off project — it is an ongoing discipline. Microsoft regularly updates its security features, new threats emerge, staff join and leave, and your IT environment evolves. For most SMBs, maintaining this level of oversight without dedicated IT staff is not realistic.

A managed service provider like 2KR IT Solutions handles this continuously on your behalf. We monitor your M365 environment for suspicious sign-ins and anomalous activity, review and update security configurations as Microsoft releases new controls, manage MFA enrolment for new staff, run quarterly permission audits, and ensure your DLP and audit logging remain active and correctly scoped. Our managed IT services for Western Cape SMBs include M365 security management as a core component, not an optional add-on.

The businesses we work with — from small professional services firms in Cape Town to consulting engineering practices across the Western Cape — do not need to become cybersecurity experts. They need an IT partner who makes sure the right controls are in place and stays accountable for keeping them there. That is what we do.

🔒 Get a Free Microsoft 365 Security Assessment

Is your Microsoft 365 environment as secure as it should be? 2KR IT Solutions offers a complimentary Microsoft 365 security assessment for Western Cape SMBs. We will review your current configuration against the six steps above and give you a clear, jargon-free report with no obligation.

Contact us here or call us to speak with one of our IT advisors.

Frequently Asked Questions

What are the most important Microsoft 365 security settings for a small business?

The highest-impact settings are multi-factor authentication (MFA) for all users, conditional access policies, and unified audit logging. Together, these three controls address the most common attack vectors — compromised credentials, unauthorised access, and undetected breaches. From there, enabling Microsoft Defender email protection and setting up data loss prevention policies builds a more comprehensive defence.

Is Microsoft 365 Business Basic secure enough for a small business?

Microsoft 365 Business Basic provides access to the core apps but lacks many of the advanced security controls discussed in this guide — including conditional access, Microsoft Defender for Business, and some DLP capabilities. For businesses handling sensitive client information or operating under POPIA obligations, Business Premium is the more appropriate licence tier. The cost difference is modest compared to the additional security it provides.

Does Microsoft 365 help with POPIA compliance in South Africa?

Yes — when properly configured, Microsoft 365 provides several tools that support POPIA compliance, including unified audit logging (which helps you investigate incidents and demonstrate accountability), data loss prevention policies (which reduce the risk of unauthorised disclosure of personal information), and information protection features that control how sensitive data is stored and shared. However, the platform must be actively configured — simply having a Microsoft 365 subscription does not make you POPIA-compliant.

How often should Microsoft 365 security settings be reviewed?

At a minimum, your M365 security configuration should be reviewed every quarter. This review should cover user access and permissions (especially following staff changes), active MFA enrolment, any new Microsoft security recommendations via the Secure Score dashboard, and alert configurations. If your business is growing or your team is changing regularly, more frequent reviews are warranted.

What is Microsoft Secure Score and should I be tracking it?

Microsoft Secure Score is a built-in dashboard within the Microsoft 365 security centre that gives your organisation a numerical score based on how well your security controls are configured. It also provides a ranked list of recommended actions to improve that score. It is a useful benchmark tool, and your MSP should be monitoring it on your behalf and acting on its recommendations over time. A higher Secure Score does not guarantee you will never be breached, but it does mean you have significantly reduced your exposure.
