Microsoft 365 Security Best Practices for Toronto Businesses
Microsoft 365 powers the daily operations of hundreds of thousands of Canadian businesses — email, file storage, video meetings, team collaboration, and increasingly, business applications. It is also the platform most targeted by cybercriminals attacking Canadian businesses in 2026. Over 60% of the cyber incidents we respond to at Group 4 Networks involve a compromised Microsoft 365 account as either the initial entry point or the primary impact.
The reason Microsoft 365 accounts are so frequently compromised is not that Microsoft 365 is insecure. It is that most organizations deploy it with the default configuration and never revisit the security settings. The default Microsoft 365 configuration prioritizes ease of onboarding over security. It ships with legacy authentication enabled, weak password policies, no conditional access, minimal email filtering, and admin accounts unprotected by MFA. Every one of these defaults is a known attack vector.
This guide covers the specific Microsoft 365 security controls that Toronto businesses should configure, what Microsoft includes in each license tier, and how to use Microsoft Secure Score to measure and improve your security posture.
Start with Microsoft Secure Score
Microsoft Secure Score is a dashboard in the Microsoft 365 Defender portal that measures your current security configuration against Microsoft's recommended controls. It gives you a score from 0-100 and a prioritized list of recommended improvement actions, each with an estimated score impact and implementation instructions.
Before making any changes, review your current Secure Score. In our experience, most Toronto businesses that have never formally reviewed their Microsoft 365 security settings score between 20 and 40 out of 100. A well-configured environment should score 70 or above.
Use Secure Score as your implementation roadmap — work through the highest-impact recommendations systematically.
Multi-factor authentication — the most critical control
MFA is the single most impactful Microsoft 365 security control available. Microsoft's own data shows that MFA blocks 99.9% of automated credential attacks. Without MFA, a stolen password is all an attacker needs to access your email, files, Teams chats, and any business applications integrated with Microsoft 365.
Enable Security Defaults — if your organization has not configured any MFA, enable Security Defaults in Azure AD immediately. Security Defaults enables MFA for all users, blocks legacy authentication protocols, and requires MFA for all admin actions. It is a one-click improvement that takes effect within 24 hours.
Move to Conditional Access — Security Defaults is a starting point, not an endpoint. Organizations with Microsoft 365 Business Premium or higher should replace Security Defaults with Conditional Access policies that provide more granular control: requiring MFA from all locations, blocking access from risky sign-in locations, requiring compliant devices, and applying different controls to different user groups.
Protect admin accounts — all Global Administrators and privileged role holders must have MFA enabled, no exceptions. Admin accounts should be dedicated accounts used only for administration, not the daily email accounts of IT staff. Privileged Identity Management (PIM) should be used to require just-in-time elevation for admin roles, so admin privileges are not permanently active.
Block legacy authentication
Legacy authentication protocols — IMAP, POP3, SMTP AUTH, and older OAuth flows — do not support MFA. When legacy authentication is enabled, an attacker with a stolen password can authenticate using these protocols and bypass MFA entirely. Legacy authentication is involved in 98% of password spray attacks against Microsoft 365 tenants.
Block legacy authentication via Conditional Access policy or, at minimum, via Security Defaults. Before blocking, audit which users and applications are still using legacy authentication (the Azure AD sign-in logs can be filtered by client app) and migrate any legitimate legacy authentication dependencies before enforcement.
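The audit step above, as an added example that is not code from the original post: a Python pass over a JSON-lines export of the sign-in log that groups legacy-protocol sign-ins by user, protocol and application, and separates successful sign-ins (real dependencies that need migrating) from failed ones (typically password spraying that blocking will simply stop). The field names follow the Microsoft Graph signIn resource; the set of legacy client-app names and the log entries are constructed for the example.

```python
# Added example (not code from the original post): audit which accounts and
# client apps still authenticate with legacy protocols before Conditional
# Access blocks them. Field names mirror the Microsoft Graph signIn resource
# (userPrincipalName, appDisplayName, clientAppUsed, status.errorCode); the
# log entries below are constructed sample data, not real sign-ins.
import json
from collections import defaultdict

# clientAppUsed values that the sign-in log reports for legacy (basic)
# authentication. Assumed set; compare with the "Client app" filter in your tenant.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Exchange Web Services", "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed JSON-lines export. errorCode 0 = success; 50126 = wrong password.
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "scanner@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "POP3", "status": {"errorCode": 50126}}
{"userPrincipalName": "scanner@example.com", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
"""


def parse_signin_log(text):
    """Yield one dict per non-empty line of a JSON-lines sign-in export."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def legacy_auth_usage(entries):
    """Map user -> (protocol, app) -> {"succeeded": n, "failed": n} for legacy sign-ins only."""
    usage = defaultdict(lambda: defaultdict(lambda: {"succeeded": 0, "failed": 0}))
    for e in entries:
        proto = e.get("clientAppUsed", "")
        if proto not in LEGACY_CLIENT_APPS:
            continue
        key = (proto, e.get("appDisplayName", ""))
        ok = e.get("status", {}).get("errorCode", 0) == 0
        usage[e["userPrincipalName"]][key]["succeeded" if ok else "failed"] += 1
    return {user: dict(apps) for user, apps in usage.items()}


def migration_candidates(usage):
    """Users with at least one successful legacy sign-in: real dependencies to migrate before enforcement."""
    return sorted(
        user for user, apps in usage.items()
        if any(counts["succeeded"] > 0 for counts in apps.values())
    )


def legacy_auth_report(text=SAMPLE_SIGNIN_LOG):
    """Report lines; entries with only failures usually indicate password spraying, not a dependency."""
    usage = legacy_auth_usage(parse_signin_log(text))
    lines = []
    for user in sorted(usage):
        for (proto, app), counts in sorted(usage[user].items()):
            lines.append(f"{user}: {proto} via {app}: "
                         f"{counts['succeeded']} succeeded, {counts['failed']} failed")
    lines.append("migrate before blocking: " + ", ".join(migration_candidates(usage)))
    return lines


if __name__ == "__main__":
    print("\n".join(legacy_auth_report()))
```

In the constructed data the multifunction printer (scanner@example.com) and alice's IMAP client are genuine dependencies to move to modern authentication or an alternative relay first, while bob's account only shows failed POP3 attempts, which the Conditional Access block will shut off with no migration needed.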
Email security configuration — DMARC, DKIM, and SPF
Email authentication records protect your domain from spoofing and dramatically reduce phishing sent in your organization's name.
SPF (Sender Policy Framework) — a DNS TXT record that specifies which mail servers are authorized to send email from your domain. Without SPF, anyone can send email that appears to come from your domain. Configure SPF to include Microsoft's sending infrastructure (include:spf.protection.outlook.com) and end with -all to reject unauthorized senders.
DKIM (DomainKeys Identified Mail) — adds a cryptographic signature to outbound emails that receiving mail servers can verify. Enable DKIM signing in the Microsoft 365 admin centre. DKIM confirms that email claiming to be from your domain was actually sent by Microsoft 365 on your behalf.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — ties SPF and DKIM together and tells receiving mail servers what to do with messages that fail authentication. Set DMARC policy to p=quarantine initially (failed messages go to spam), then advance to p=reject (failed messages are blocked) once you have confirmed your legitimate mail flows pass authentication. Configure DMARC aggregate reporting to a monitoring service so you can see who is sending email claiming to be from your domain.
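As an added example (not code from the original post), the checks below test SPF and DMARC TXT records against the recommendations in this section: the Microsoft include, a hard-fail -all, the p=quarantine to p=reject progression, and an rua= address for aggregate reports. Records are passed in as strings so the check runs offline; in a real review you would fetch them with a DNS TXT lookup of your domain (SPF) and of _dmarc.yourdomain (DMARC). The sample records are constructed.

```python
# Added example (not code from the original post): validate SPF and DMARC
# records against the recommendations above. Sample records are constructed.
import re

MICROSOFT_SPF_INCLUDE = "include:spf.protection.outlook.com"
# Mechanisms/modifiers that cost a DNS lookup; SPF permits at most 10 (RFC 7208).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _is_lookup_mechanism(term):
    """True if an SPF term triggers a DNS lookup (qualifier and argument stripped)."""
    name = re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]
    return name in LOOKUP_MECHANISMS


def check_spf(record):
    """Return a list of findings for an SPF TXT record; an empty list means it matches the guidance."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    if MICROSOFT_SPF_INCLUDE not in terms:
        findings.append(f"missing {MICROSOFT_SPF_INCLUDE}; mail sent through Microsoft 365 will fail SPF")
    last = terms[-1].lower()
    if last == "~all":
        findings.append("ends with ~all (softfail); use -all so unauthorized senders are rejected")
    elif last in ("+all", "?all", "all"):
        findings.append(f"ends with {last}, which authorizes any sender to use the domain")
    elif last != "-all":
        findings.append("no 'all' mechanism at the end; unauthorized senders are not rejected")
    lookups = sum(1 for t in terms if _is_lookup_mechanism(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the SPF limit of 10; receivers return permerror")
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return findings for a DMARC record; empty means p=reject with aggregate reporting in place."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; move to p=quarantine, then to p=reject")
    elif policy == "quarantine":
        findings.append("p=quarantine: advance to p=reject once legitimate mail flows pass authentication")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not being collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    # Constructed records for a domain part-way through the rollout described above.
    print(check_spf("v=spf1 include:spf.protection.outlook.com ~all"))
    print(check_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"))
```

The p=quarantine finding is deliberately advisory: it is the correct interim setting, and the check exists to keep the move to p=reject on the to-do list once the aggregate reports show legitimate mail passing.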
Anti-phishing policies — in Microsoft 365 Defender, configure anti-phishing policies with impersonation protection for your executives and your most commonly spoofed external domains. Enable mailbox intelligence to improve detection accuracy based on your communication patterns.
Microsoft Defender for Business and Safe Links
Safe Links — rewrites URLs in emails and Office documents so that links are checked against Microsoft's threat intelligence at click time. This means a link that was safe when delivered but later turned malicious (a common tactic, since attackers often weaponize the page behind a link only after the message has passed delivery-time filtering) is caught at the moment the employee clicks it. Enable Safe Links for all users.
Safe Attachments — routes attachments through a sandbox environment before delivering them to the recipient. Malicious attachments are blocked before reaching the employee's mailbox. Enable Safe Attachments for all users and, if your business workflows permit, configure it to block and replace malicious attachments rather than using Dynamic Delivery.
Microsoft Defender for Business — available with Microsoft 365 Business Premium, this provides endpoint detection and response (EDR) for all Windows devices. It monitors device behaviour for suspicious activity, isolates compromised devices, and integrates with the Microsoft 365 Defender portal for unified security visibility.
SharePoint and OneDrive permissions
Default SharePoint and OneDrive sharing settings allow users to share files with anyone via an anonymous link. This creates significant data exposure risk — files shared anonymously can be accessed by anyone with the link, including attackers who obtain the link through phishing or social engineering.
External sharing policy — change the organization-wide sharing setting from "Anyone" to "New and existing guests" (requiring guest account authentication) or "Only people in your organization" if your workflows do not require external sharing. Apply stricter settings to sensitive SharePoint sites.
Site permissions audit — many organizations accumulate SharePoint sites with excessive permissions over time. Audit site membership and remove users who no longer need access. Pay particular attention to SharePoint sites that contain sensitive data.
Sensitivity labels — Microsoft Purview sensitivity labels allow you to classify documents as Confidential or Highly Confidential and apply automatic protections including encryption, watermarking, and access restrictions. Implement sensitivity labels for documents containing personal information, financial data, or intellectual property.
Admin role security
Principle of least privilege — assign the minimum Microsoft 365 admin role necessary for each administrative task. A user who only manages Exchange Online does not need Global Administrator. Review admin role assignments quarterly and remove unnecessary elevated privileges.
Dedicated admin accounts — administrators should have separate accounts for daily use (email, Teams, browsing) and administrative tasks. Admin accounts should never be used as primary email accounts.
Break-glass accounts — maintain two emergency Global Administrator accounts with very strong passwords, no MFA device dependency (to ensure access if MFA infrastructure fails), stored securely offline, and monitored with alerts for any sign-in activity.
Microsoft 365 backup — the gap Microsoft does not fill
Microsoft 365 protects the infrastructure — availability, replication, and disaster recovery of the platform itself. Microsoft does not protect your data from accidental deletion, ransomware encryption via a connected device, or malicious actions by an insider.
The Microsoft 365 recycle bin retains deleted items for 30-93 days depending on configuration. After that, data is permanently gone. A third-party backup solution for Microsoft 365 is essential for any business that cannot afford to lose email, SharePoint, or OneDrive data. Solutions like Veeam for Microsoft 365, Acronis Cyber Cloud, and Datto SaaS Protection provide daily backup with granular item-level recovery.
Ongoing security monitoring
Azure AD sign-in logs — review sign-in logs for failed authentication attempts, sign-ins from unusual locations, and unusual application authorizations. Set up alerts for high-risk sign-ins in Azure AD Identity Protection if your license includes it.
Microsoft 365 Message Centre — Microsoft regularly publishes changes to the Microsoft 365 platform. Monitor the Message Centre for security-related changes that may require action.
Quarterly security review — review your Microsoft Secure Score quarterly and implement newly recommended controls. Microsoft updates recommendations as new attack techniques emerge.
Group 4 Networks configures and manages Microsoft 365 security for Toronto businesses. We assess your current configuration, implement missing controls, and provide ongoing monitoring. Contact us at (416) 623-9677 for a free Microsoft 365 security assessment.