June 20, 2022

All Microsoft 365 Business plans (Basic, Standard or Premium) include baseline protection and security features, but not all of them are enabled by default.

Once you have migrated your customer to Microsoft 365, do you take the time to configure the security features included in their plan?

Your customer trusts you, and it is important to make sure their Microsoft 365 tenant is secure. It is also an opportunity to generate additional income by adding this service to your offer.

As good practice, here are the essential features to implement:

Configure Multi-Factor Authentication 

Protect your customer against lost or stolen passwords by implementing multi-factor authentication (MFA). Once enabled, users are prompted to register a second factor (typically the Microsoft Authenticator app on their phone) the next time they sign in. This extra step stops an attacker who has obtained a password from signing in with it alone.

The simplest way to do this is to enable Security Defaults.

Enable Security Defaults 

Security Defaults live in Azure Active Directory (Azure AD): in the Azure portal, open Azure Active Directory, then Properties, then Manage security defaults. For most of your customers they provide a good baseline: every user must register for MFA, administrators must complete MFA at each sign-in, and legacy authentication protocols are blocked.

If you need finer control over authentication, use Conditional Access instead. The two are mutually exclusive: Security Defaults must be turned off before Conditional Access policies can be enforced, so do not enable both.

Enable conditional access 

Your customer may want more control over access to their environment. Conditional Access policies can meet needs such as:
  • Require multi-factor authentication for users with administrative roles
  • Block sign-ins that use legacy authentication protocols (IMAP, POP3, SMTP AUTH, older Outlook clients), which cannot enforce MFA
  • Block or grant access from specific locations (for example, the customer's office IP ranges or trusted countries)
  • Require organization-managed (Intune-compliant or hybrid Azure AD joined) devices for specific apps

Conditional Access requires an Azure AD Premium P1 license, which is included with Microsoft 365 Business Premium but not with Business Basic or Standard.
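The following PowerShell, added here as an illustration and not part of the original article or of Microsoft's own documentation, uses the Microsoft Graph PowerShell SDK to check the Security Defaults state and then create the first two Conditional Access policies above (MFA for administrators, block legacy authentication) in report-only mode. The policy names, the break-glass account UPN and the choice of roles are assumptions; the role template IDs are the built-in Azure AD role template IDs, which are identical in every tenant.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph module and
# an account holding the Conditional Access Administrator role (or higher).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Security Defaults and Conditional Access are mutually exclusive: Security Defaults must be
# off before any Conditional Access policy can be set to "enabled".
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Warning "Security Defaults are on. Disable them before enforcing Conditional Access:"
    Write-Warning "  Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:`$false"
}

# Emergency access (break-glass) account, excluded from every policy so that a mistake in a
# policy cannot lock the whole tenant out. The UPN is an assumption.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id
if (-not $breakGlass) { throw "Create the break-glass account first and exclude it from all policies." }

# Built-in directory role template IDs (same in every tenant); extend as needed.
$adminRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",  # Global Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d",  # Security Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de",  # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"   # SharePoint Administrator
)

# Policy 1: require MFA whenever an administrative role holder signs in to any app.
$mfaForAdmins = @{
    DisplayName   = "CA001: Require MFA for administrators"
    State         = "enabledForReportingButNotEnforced"   # report-only first, "enabled" after review
    Conditions    = @{
        Users          = @{ IncludeRoles = $adminRoles; ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaForAdmins

# Policy 2: block legacy authentication for everyone. "exchangeActiveSync" and "other" are the
# client app types that cannot perform MFA (IMAP, POP3, SMTP AUTH, older Office clients).
$blockLegacy = @{
    DisplayName   = "CA002: Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlass) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
```

Leave both policies in report-only mode for a week or two and review the "Report-only" tab of the Azure AD sign-in logs: it shows which sign-ins would have been blocked (typically a scanner or a line-of-business app still using SMTP AUTH). Once those are fixed, change `State` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.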

Use dedicated administrator accounts 

Create administrator accounts for your customer that are used only for administration. Each administrator should also have a separate, standard user account for day-to-day work (email, documents, Teams) and sign in with the administrative account only when an administrative task requires it. Keep the number of Global Administrators small and protect every administrative account with MFA.

Protect your client against malware 

Your customer's Microsoft 365 environment already includes malware protection. You can strengthen it in several ways:

  1. By using the preset security policies included in EOP (Exchange Online Protection):
  • Standard protection: suitable for most users
  • Strict protection: a more aggressive profile for selected high-risk users (executives, finance, IT administrators)
  2. By blocking attachments with certain file types. In the EOP anti-malware policy, enable and configure the common attachments filter, which rejects or quarantines messages by file extension (for example .exe, .js, .vbs, .scr).
  3. With Microsoft Defender for Office 365, by using Safe Attachments (attachments are detonated in a sandbox before delivery) and Safe Links (URLs are rewritten and checked at click time). This protection is not applied by default: create a Safe Attachments policy and a Safe Links policy, each with a rule that scopes it to the customer's users. Safe Attachments can also be extended to files in SharePoint, OneDrive, and Microsoft Teams, which is a separate setting that must be turned on.
  4. By using anti-virus/anti-malware protection on your customer's devices. Microsoft Defender Antivirus offers strong anti-virus and anti-malware protection and is built into Windows. If your customer uses Microsoft 365 Business Premium, they also get Microsoft Defender for Business, which adds endpoint detection and response and attack surface reduction rules for their devices.

Protect your client against ransomware 

Your customer gets ransomware protection for email hosted in Microsoft 365 (EOP and Defender for Office 365 filtering) and for files stored in OneDrive (version history and Files Restore, which can roll a whole library back to a point in time before the encryption started). With Microsoft 365 Business Premium they get additional protection for their devices through Defender for Business. To reinforce the email layer, create one or more mail flow (transport) rules that block file extensions commonly used to deliver ransomware, or that warn users who receive such attachments. Extension matching alone is easy to evade by renaming a file, so pair it with the rule condition that detects executable content regardless of the extension.
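As an added example, not from the original article, the Exchange Online PowerShell below creates the mail flow rules described above: a "notify" rule that warns recipients about macro-enabled Office documents, a "block" rule for risky extensions, and a rule that rejects executable content whatever the extension says. The rule names, the extension lists and the rejection text are assumptions to adapt for each customer.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module
# and the Exchange Administrator role. Rules are evaluated in priority order, lowest first.
Connect-ExchangeOnline

# Extensions frequently used as ransomware droppers (assumed list; tune per customer).
$riskyExtensions = @("exe", "scr", "js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                     "cmd", "bat", "ps1", "lnk", "iso", "img")

# Rule 1 (notify): many businesses still exchange macro-enabled documents legitimately,
# so warn the recipient in the subject instead of blocking the message outright.
$warn = @{
    Name                            = "Ransomware: warn on macro-enabled attachments"
    AttachmentExtensionMatchesWords = @("docm", "xlsm", "pptm")
    PrependSubject                  = "[CAUTION: macro-enabled attachment] "
    Mode                            = "Enforce"
    Priority                        = 0
}
New-TransportRule @warn

# Rule 2 (block): reject messages carrying the risky extensions, with an NDR that tells the
# sender why, so legitimate senders know to use a file-sharing link instead.
$block = @{
    Name                            = "Ransomware: block risky attachment extensions"
    AttachmentExtensionMatchesWords = $riskyExtensions
    RejectMessageReasonText         = "Attachments of this type are not accepted. Please share the file through OneDrive or SharePoint."
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode                            = "Enforce"
    Priority                        = 1
}
New-TransportRule @block

# Rule 3 (block by content): an .exe renamed to .txt or .pdf slips past an extension list.
# Exchange inspects the file itself for this condition, so renaming does not help.
$content = @{
    Name                           = "Ransomware: block executable content"
    AttachmentHasExecutableContent = $true
    RejectMessageReasonText        = "Executable content is not accepted by this organization."
    RejectMessageEnhancedStatusCode = "5.7.1"
    Mode                           = "Enforce"
    Priority                       = 2
}
New-TransportRule @content

# Review the result and the ordering.
Get-TransportRule | Where-Object Name -like "Ransomware:*" | Format-Table Priority, Name, State, Mode
```

If you are unsure about the impact on a customer's mail flow, create the two blocking rules with `Mode = "Audit"` first and run a message trace (`Get-MessageTrace` / `Get-MessageTraceDetail`) after a few days to see what would have been rejected before switching to `Enforce`.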

Protect your customer against phishing 

Anti-phishing policies are available in EOP (Exchange Online Protection) and in Microsoft Defender for Office 365. They protect your customers against spoofing (a forged sender address) and, with Defender for Office 365, against impersonation of specific users and domains.

Microsoft Defender for Office 365 adds impersonation protection, mailbox intelligence and adjustable phishing thresholds. Several of these features are not configured or enabled in the default policy (for instance, the lists of users and domains to protect are empty). To enable all protection features, modify the default anti-phishing policy or create additional anti-phishing policies scoped to groups of users.
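The Exchange Online PowerShell below, added as an example that is not part of the original article, modifies the default anti-phishing policy to turn on the Defender for Office 365 features that ship disabled: user and domain impersonation protection, mailbox intelligence, the safety tips and a more aggressive phishing threshold. The protected users, the partner domain and the quarantine actions are assumptions to adapt per customer.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module,
# Defender for Office 365 (Business Premium) and the Security Administrator role.
Connect-ExchangeOnline

# Mailboxes most likely to be impersonated (CEO, finance) in "DisplayName;email" form, and
# partner domains whose look-alikes should be caught. Both lists are assumptions.
$protectedUsers = @(
    "Alice Martin;alice.martin@contoso.com",
    "Bob Tremblay;bob.tremblay@contoso.com"
)
$partnerDomains = @("fabrikam.com")

$antiPhish = @{
    Identity                             = "Office365 AntiPhish Default"
    # Spoofing: keep spoof intelligence on and quarantine mail that fails composite authentication.
    EnableSpoofIntelligence              = $true
    AuthenticationFailAction             = "Quarantine"
    EnableUnauthenticatedSender          = $true     # "?" marker on unverified senders
    EnableViaTag                         = $true     # shows "via" when From and sender differ
    # Impersonation: off by default, the main Defender for Office 365 addition.
    EnableTargetedUserProtection         = $true
    TargetedUsersToProtect               = $protectedUsers
    TargetedUserProtectionAction         = "Quarantine"
    EnableOrganizationDomainsProtection  = $true     # all accepted domains of the tenant
    EnableTargetedDomainsProtection      = $true
    TargetedDomainsToProtect             = $partnerDomains
    TargetedDomainProtectionAction       = "Quarantine"
    EnableMailboxIntelligence            = $true     # learns who each user normally mails with
    EnableMailboxIntelligenceProtection  = $true
    MailboxIntelligenceProtectionAction  = "Quarantine"
    # Safety tips shown to the user in Outlook.
    EnableSimilarUsersSafetyTips         = $true
    EnableSimilarDomainsSafetyTips       = $true
    EnableUnusualCharactersSafetyTips    = $true
    EnableFirstContactSafetyTips         = $true
    # 1 = Standard (default), 2 = Aggressive, 3 = More aggressive, 4 = Most aggressive.
    PhishThresholdLevel                  = 2
}
Set-AntiPhishPolicy @antiPhish

# Verify the resulting policy.
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Format-List Enable*, *Action, TargetedUsersToProtect, TargetedDomainsToProtect, PhishThresholdLevel
```

Quarantine actions are safer than "deliver to Junk" because an impersonation message in Junk is still one click away from the user; check the quarantine weekly (or enable end-user quarantine notifications) so that false positives from partners are released quickly.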

Protect sensitive emails 

Microsoft 365 includes Office 365 Message Encryption, which lets users send and receive encrypted email inside and outside the organization so that only the intended recipients can read it. Recipients on Outlook.com, Yahoo!, Gmail, and other email services can open the messages. Users can encrypt a message manually from Outlook, and you can create mail flow rules that apply encryption automatically when a message matches a condition, such as a keyword in the subject or sensitive content like credit card numbers.
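The Exchange Online PowerShell below, added as an example and not part of the original article, creates the two kinds of automatic encryption rule mentioned above: one triggered by a keyword the sender puts in the subject, and one triggered by a built-in sensitive information type. The rule names and the `[Encrypt]` keyword are assumptions; "Encrypt" is the built-in Office 365 Message Encryption template.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement module
# and the Exchange Administrator role; Message Encryption is included in Microsoft 365 Business plans.
Connect-ExchangeOnline

# Rule 1: the sender opts in by writing [Encrypt] in the subject of a message leaving the organization.
$onRequest = @{
    Name                          = "OME: encrypt on request"
    SentToScope                   = "NotInOrganization"
    SubjectContainsWords          = @("[Encrypt]")
    ApplyRightsProtectionTemplate = "Encrypt"
    Mode                          = "Enforce"
}
New-TransportRule @onRequest

# Rule 2: encrypt automatically when an outbound message contains a credit card number,
# using the built-in sensitive information type so that users cannot forget.
$automatic = @{
    Name                               = "OME: encrypt messages with credit card numbers"
    SentToScope                        = "NotInOrganization"
    MessageContainsDataClassifications = @(@{ Name = "Credit Card Number"; MinCount = 1 })
    ApplyRightsProtectionTemplate      = "Encrypt"
    Mode                               = "Enforce"
}
New-TransportRule @automatic

Get-TransportRule | Where-Object Name -like "OME:*" | Format-Table Priority, Name, State, Mode
```

Send a test message to an external Gmail or Outlook.com address with `[Encrypt]` in the subject: the recipient receives a wrapper message with a link to read the protected content after signing in or entering a one-time passcode, which confirms the rule and the portal both work before the customer relies on it.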

Increase the protection of your customer’s devices 

With Microsoft 365 Business Premium, your customer gets enhanced security features such as device management and advanced threat protection: devices are enrolled in and managed by Microsoft Intune (compliance policies, and Conditional Access based on device state) and protected by Microsoft Defender for Business.

Train users 

End-user training is essential to protect your customer from cyber threats: over 90% of attacks start with an action by an end user, typically clicking a phishing link or opening a malicious attachment. It is therefore important to offer your client training to raise cybersecurity awareness among its employees.

ITCloud.ca offers you the opportunity to resell training through our ITCloud Academy program for end users. These courses are given by our own expert trainers. Among our training courses you will find “Understanding cybersecurity”. For more information, you can visit our web page:


Our security experts are always available to answer your questions and to assist you. Feel free to contact us at partners@itcloud.ca.