Microsoft 365 Security for UK SMEs: The Complete 2026 Guide

Most UK small businesses run on Microsoft 365 — but the default configuration is built for convenience, not security. This guide covers everything a UK SME needs to know about Microsoft 365 security best practices: what M365 security actually means, why small businesses are targeted, the most common mistakes, and a practical Microsoft 365 security checklist to work through in priority order.

What is Microsoft 365 security?

Microsoft 365 security refers to the combination of settings, policies, and tools used to protect your organisation's M365 environment — your user accounts, email, SharePoint, Teams, OneDrive, and the devices that connect to them.

Microsoft operates a shared responsibility model. Microsoft secures the underlying infrastructure — the datacentres, the network, the platform itself. Securing what runs on that infrastructure is your responsibility: how accounts are configured, which devices can connect, how data is shared, and whether the right protections are switched on.

Many UK SMEs assume that using Microsoft 365 means they are protected. They are not — not without deliberate configuration. The platform provides the tools to secure Microsoft 365 for small businesses; your organisation has to implement them correctly.

Why UK SMEs are at risk

Small and medium businesses are a primary target for cyber attacks — not despite their size, but because of it. They hold valuable data while typically having weaker defences than larger organisations, making them an efficient target.

The UK government's Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cyber breach or attack in the preceding 12 months. Phishing accounted for 93% of those incidents. Ransomware attacks doubled year-on-year, affecting an estimated 19,000 UK organisations.

For UK SMEs running Microsoft 365, the specific risks concentrate around three areas:

  • Compromised accounts — attackers obtaining M365 credentials through phishing and using them to access email, files, and internal systems
  • Business Email Compromise (BEC) — impersonating staff or suppliers to redirect payments or extract sensitive data
  • Ransomware via endpoint — malware delivered through email or unpatched devices that encrypts files synced to OneDrive and SharePoint

All three are directly addressed by correct Microsoft 365 security configuration. The problem is that most UK SME tenants are not correctly configured.

Common Microsoft 365 security mistakes UK SMEs make

These are the M365 security gaps found most consistently when reviewing UK small business tenants. Each is a real, exploitable weakness — and each is fixable through configuration.

MFA not enforced on all accounts

Multi-Factor Authentication is the single highest-impact Microsoft 365 security control available. Microsoft's own data shows MFA blocks 99.9% of automated account compromise attacks. Yet approximately 40% of UK SMEs still do not have MFA enforced across their workforce. Admin accounts are the most critical gap — from 2025, Microsoft requires MFA on administrator accounts, but standard user accounts must be configured separately.

Legacy authentication left active

Legacy authentication protocols — basic authentication over SMTP AUTH, POP3, IMAP and similar older clients — do not support MFA challenges. When active, an attacker with a stolen password can authenticate through these pathways without triggering your MFA prompt at all, making MFA worthless for those connections. Blocking legacy authentication is one of the highest-value Microsoft 365 security best practices for UK SMEs and costs nothing to implement.

No DMARC, DKIM, or SPF on the domain

Without these three DNS email authentication records, attackers can send emails that appear to come from your domain — impersonating your business to customers, suppliers, or your own staff. This is the foundation of most BEC attacks targeting UK SMEs. All three are essential to any secure Microsoft 365 small business configuration and should be set up in your domain's DNS, usually at your domain registrar.
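As an added example (not code from the original article), the check below evaluates the SPF, DKIM and DMARC records a Microsoft 365 domain needs, using constructed DNS records in place of live lookups; the spf.protection.outlook.com include and the selector1/selector2 DKIM CNAME names are Microsoft 365's published values, while the domain, tenant name and report address are made up.

```python
# Added example: offline assessment of a Microsoft 365 domain's email
# authentication records. `records` maps a DNS name to the TXT/CNAME values
# found there, so the same function can be fed real lookup results.
M365_SPF_INCLUDE = "include:spf.protection.outlook.com"  # Microsoft 365's SPF include

def assess_email_auth(domain, records):
    """Return a list of findings; an empty list means SPF, DKIM and DMARC all pass."""
    findings = []
    spf = [r for r in records.get(domain, []) if r.startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record, so anyone can send as this domain")
    else:
        terms = spf[0].split()
        if M365_SPF_INCLUDE not in terms:
            findings.append("SPF: missing " + M365_SPF_INCLUDE + ", mail sent via M365 fails SPF")
        if terms[-1] not in ("-all", "~all"):
            findings.append("SPF: record must end with -all or ~all (found %r)" % terms[-1])
    # Microsoft 365 signs with two rotating selectors; both CNAMEs must exist.
    for sel in ("selector1", "selector2"):
        if not records.get(f"{sel}._domainkey.{domain}"):
            findings.append(f"DKIM: {sel}._domainkey CNAME missing, signing not set up")
    dmarc = [r for r in records.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record, receivers cannot be told to reject spoofed mail")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, aggregate reports are being discarded")
    return findings

# Constructed sample records: a hardened tenant and a typical untouched one.
HARDENED = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.com": ["selector1-example-com._domainkey.contoso.onmicrosoft.com"],
    "selector2._domainkey.example.com": ["selector2-example-com._domainkey.contoso.onmicrosoft.com"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}
UNTOUCHED = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for name, recs in (("hardened", HARDENED), ("untouched", UNTOUCHED)):
        print(name, assess_email_auth("example.com", recs) or ["all checks pass"])
```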

Defender for Office 365 left on default settings

Defender for Office 365 includes Safe Attachments and Safe Links, but in their default state these are not configured for maximum protection. Safe Attachments should detonate suspicious files in a sandbox before delivery. Safe Links should rewrite and check URLs at the moment of click, not just at delivery time. Both require deliberate hardening.

No Conditional Access policies

Without Conditional Access, any device from any location can sign into your Microsoft 365 environment with valid credentials alone. Conditional Access evaluates the risk of each sign-in — device compliance, location, sign-in risk — and responds accordingly. It is available on Business Premium and is the cornerstone of Microsoft 365 security best practices for UK businesses.

Devices not enrolled in Defender for Business or Intune

Unmanaged devices connecting to Microsoft 365 without any security baseline represent a significant and frequently overlooked risk. Defender for Business (EDR) and Microsoft Intune (device management) are both included in Business Premium and directly address this gap — but devices must be actively onboarded; it does not happen automatically.

Microsoft 365 security checklist for UK SMEs

This M365 security checklist covers the essential controls in priority order. The items at the top address the vulnerabilities exploited most frequently against UK small businesses.

  1. Enforce MFA on all user and admin accounts — Security Defaults on any plan; Conditional Access on Business Premium for granular control
  2. Block legacy authentication protocols — eliminates MFA bypass via older connection methods; free to implement via Exchange authentication policies
  3. Review your Microsoft Secure Score — visit security.microsoft.com and work through prioritised recommendations; most untouched SME tenants score below 30
  4. Configure SPF, DKIM, and DMARC on your domain — prevents domain spoofing and is the foundation of email security for UK SMEs on Microsoft 365
  5. Harden Defender for Office 365 policies — Safe Attachments and Safe Links at maximum protection settings (Business Premium)
  6. Deploy Conditional Access baseline policies — require MFA on all sign-ins, block legacy auth, restrict high-risk locations (Business Premium)
  7. Onboard devices to Defender for Business — EDR, vulnerability management, and automated remediation across Windows, Mac, iOS, Android (Business Premium)
  8. Enrol devices in Microsoft Intune — enforce encryption, compliance baselines, and remote wipe for lost or stolen devices (Business Premium)
  9. Set up a separate cloud backup — Microsoft 365 is not a backup; a dedicated solution protects against accidental deletion and ransomware on synced files
  10. Run regular staff phishing awareness sessions — monthly 10-minute sessions beat annual training; Attack Simulator is included in Defender for Office 365 Plan 2

We cover each of these in detail in our guide to the M365 security settings most businesses have switched off.

Multi-Factor Authentication in Microsoft 365

MFA is the most important Microsoft 365 security best practice for UK SMEs — and the cheapest, as it is included on every M365 plan via Security Defaults.

Security Defaults enforce basic MFA for all users and block legacy authentication automatically. They are a solid baseline for businesses on Business Basic or Standard. For businesses on Business Premium, Conditional Access offers more control: require MFA only from unmanaged devices, apply stricter requirements for admin accounts, and respond dynamically to sign-in risk signals from Entra ID Protection.

Before rolling out MFA organisation-wide, communicate the change in advance, confirm authenticator apps are installed, and plan for users who get locked out. A phased rollout — admin accounts first, then by department — minimises disruption. Read our full MFA rollout guide for a step-by-step walkthrough.

Conditional Access and Zero Trust

Conditional Access is a policy engine in Microsoft Entra ID that evaluates every sign-in request before granting access. It is the practical implementation of Zero Trust for Microsoft 365 — the principle that no user or device is trusted by default, regardless of whether they are inside or outside your network.

For a UK SME, the most valuable Conditional Access policies are: require MFA for all users on all sign-ins, block legacy authentication, block sign-ins from countries you do not operate in, and require a compliant device to access sensitive SharePoint sites. These four policies alone close the majority of M365 security gaps in a typical small business tenant.
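As an added example (not code from the original article), the audit below takes an export of a tenant's Conditional Access policies in the JSON shape Microsoft Graph returns from /identity/conditionalAccess/policies and reports which of the four baseline policies above are missing or not yet enforced; the sample export is constructed, and the named-location ID in it is a placeholder.

```python
# Added example: check a Conditional Access export for the four baseline policies.
# Report-only policies ("enabledForReportingButNotEnforced") do not count as enforced.
SHAREPOINT_APP = "00000003-0000-0ff1-ce00-000000000000"  # Office 365 SharePoint Online app ID
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}         # Graph's legacy client app types

def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def _all_users(p):
    return "All" in p["conditions"].get("users", {}).get("includeUsers", [])

def _apps(p):
    return set(p["conditions"].get("applications", {}).get("includeApplications", []))

def baseline_gaps(policies):
    """Return the baseline policies that no enabled policy in the export satisfies."""
    enforced = [p for p in policies if p.get("state") == "enabled"]
    checks = {
        "mfa-all-users": lambda p: (_all_users(p) and "All" in _apps(p)
                                    and "mfa" in _controls(p)),
        "block-legacy-auth": lambda p: (LEGACY_CLIENTS <= set(p["conditions"].get("clientAppTypes", []))
                                        and _controls(p) == {"block"}),
        "block-unexpected-countries": lambda p: (bool(p["conditions"].get("locations"))
                                                 and _controls(p) == {"block"}),
        "compliant-device-for-sharepoint": lambda p: (SHAREPOINT_APP in _apps(p)
                                                      and "compliantDevice" in _controls(p)),
    }
    return [name for name, ok in checks.items() if not any(ok(p) for p in enforced)]

# Constructed sample export: two enforced policies, one left in report-only mode.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"],
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Block sign-ins outside the UK", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"],
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": ["<placeholder-named-location-id>"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print("baseline gaps:", baseline_gaps(SAMPLE_POLICIES))
```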

Conditional Access is included with Microsoft 365 Business Premium only. It is not available on Business Standard or Basic.

Microsoft Defender for Business

Defender for Business is Microsoft's endpoint protection platform built for organisations with up to 300 employees. Included in Business Premium, it provides enterprise-grade Endpoint Detection and Response (EDR), vulnerability management, attack surface reduction rules, and automated investigation and remediation — without the complexity of the full enterprise product.

For UK SMEs, Defender for Business replaces the need for a separate third-party antivirus or EDR product. It integrates with the Microsoft 365 security portal, so endpoint alerts, email threats, and identity risks appear in a single view. Devices must be actively onboarded — this does not happen automatically when you activate Business Premium.

Business Standard vs Business Premium — which is right for your SME?

Your Microsoft 365 licence tier determines which security features you can access. This is the most consequential decision for a UK SME looking to implement Microsoft 365 security best practices.

Business Standard includes Office apps, Exchange Online, Teams, and SharePoint, with Security Defaults for basic MFA. It has no Conditional Access, no Defender for Business, no Intune, and no Defender for Office 365 Plan 1. For businesses handling any sensitive client data, Business Standard alone leaves a material security gap.

Business Premium adds the full M365 security stack: Conditional Access, Defender for Business (EDR), Microsoft Intune (device management), Defender for Office 365 Plan 1 (Safe Attachments, Safe Links, anti-phishing), and Azure Information Protection P1. For most UK SMEs, Business Premium is the right licence — it replaces several separate products at a lower combined cost with a single integrated platform.

Microsoft 365 security and Cyber Essentials

Cyber Essentials is the UK government-backed certification covering five technical security controls: firewalls, secure configuration, user access control, malware protection, and patch management. It is mandatory for government contracts involving sensitive data and increasingly expected by larger private sector clients across the UK.

A correctly configured Microsoft 365 Business Premium tenant provides direct coverage across several Cyber Essentials controls. MFA enforcement addresses user access control. Defender for Business covers malware protection and secure configuration. Intune handles patch management and device compliance.

Cyber Essentials assessors also review your network configuration and physical controls, so M365 alone will not guarantee certification — but getting your Microsoft 365 security right eliminates most of the common failures seen in UK SME assessments. Read our full guide on whether Cyber Essentials is worth it for small businesses.

Staff awareness — the human layer

Technical controls address most automated attacks, but phishing campaigns target human behaviour specifically. AI-generated phishing emails are now grammatically perfect, contextually relevant, and difficult to distinguish from legitimate messages — making staff awareness a critical complement to your Microsoft 365 security configuration.

For UK SMEs on Microsoft 365, the most common attack scenarios are fake Microsoft sign-in alerts, supplier bank detail change requests, shared document notifications, and invoice chasers. Short monthly sessions — 10 minutes, tied to real threats your team encounter in Outlook and Teams — are measurably more effective than annual training. Defender for Office 365 Plan 2 includes Attack Simulator for running internal phishing simulations with trackable results over time.

Want a free review of your Microsoft 365 security?

Montalex will audit your M365 tenant configuration, review your Secure Score, and provide a prioritised list of gaps — no commitment, no sales pitch.

Book a free M365 security review