What Is Microsoft 365 Security?
Microsoft 365 is not secure out of the box. The platform provides powerful security tools, but they require deliberate configuration. This guide explains what Microsoft 365 security means, which licence tier provides meaningful protection, and what configuration is required to protect a UK business using M365.
Overview
Microsoft 365 security means configuring the security tools Microsoft provides — not assuming the platform is secure by default. Business Premium is the right licence tier for UK SMEs, providing Conditional Access, Defender for Business, and Intune. MFA via Conditional Access and blocking legacy authentication are the highest-impact controls. Microsoft Secure Score tracks configuration progress.
Learn about M365 securityWhat Does Microsoft 365 Security Actually Mean?
When people talk about Microsoft 365 security, they mean two related things: the security capabilities that Microsoft builds into the M365 platform, and the security configuration that organisations apply to make those capabilities effective. Both matter — and confusing them is one of the most common mistakes UK businesses make.
Microsoft invests billions of dollars annually in security across its cloud platform. The infrastructure on which Microsoft 365 runs is exceptionally well-secured. But this infrastructure-level security does not protect you against the threats that matter most to UK businesses: phishing attacks that steal your users' credentials, ransomware delivered through email attachments, business email compromise that tricks your finance team, or data breaches caused by accidental oversharing. These threats require configuration of the security tools Microsoft provides — and that configuration is the responsibility of the business, not Microsoft.
Microsoft 365 Licence Tiers and Security
The security capabilities available in Microsoft 365 differ significantly between licence tiers. Understanding which tier you are on determines what security tools you have access to:
- Microsoft 365 Business Basic (from ~£5/user/month): Includes Exchange Online, Teams, SharePoint, and OneDrive. Security features are limited — Exchange Online Protection (basic email security), Security Defaults for MFA, and Microsoft Defender Antivirus. No Conditional Access, no Defender for Business, no Intune.
- Microsoft 365 Business Standard (from ~£10.30/user/month): Adds desktop Office apps to Business Basic. Same security feature set as Basic — the additional cost buys productivity apps, not additional security.
- Microsoft 365 Business Premium (from ~£19.70/user/month): Adds comprehensive security: Conditional Access (Entra ID P1), Microsoft Defender for Business (EDR), Microsoft Intune (device management), Azure Information Protection, Microsoft Defender for Office 365 Plan 1 (Safe Links, Safe Attachments, anti-phishing). This is the recommended tier for any business serious about security.
What Microsoft Defender for Business Adds
Microsoft Defender for Business is an endpoint detection and response (EDR) solution that Microsoft includes in Business Premium. It provides substantially more protection than the basic Microsoft Defender Antivirus included in all Windows devices — adding behavioural detection, threat hunting, automated investigation and remediation, and attack surface reduction rules.
Defender for Business monitors endpoint activity for suspicious behaviour, can automatically contain threats (isolating a device from the network if malware is detected), and provides a centralised view of endpoint security across all managed devices. For UK businesses without a dedicated security operations team, Defender for Business provides enterprise-grade endpoint protection that would otherwise require a significantly more expensive standalone EDR solution.
Why Out-of-Box M365 Is Not Secure Enough
Even on Business Premium, a freshly provisioned Microsoft 365 tenant is not adequately secured. Security features are available but not configured. Conditional Access policies do not exist until you create them. Defender for Business is licensed but not deployed to devices. Safe Links and Safe Attachments are available but not enabled. Legacy authentication protocols that bypass MFA are still active.
A Business Basic or Standard tenant in its default configuration is particularly exposed — it has no MFA (unless Security Defaults are enabled), no endpoint protection beyond basic antivirus, and no device management. Most of the common attacks against UK businesses — phishing, credential theft, business email compromise — succeed against un配置d M365 tenants that would have been protected by properly configured Business Premium.
The Key Security Controls for M365
Effective Microsoft 365 security requires implementing the following controls as a baseline:
- MFA for all users: Via Conditional Access (Business Premium) or Security Defaults (all tiers). Blocks 99%+ of credential-based attacks.
- Block legacy authentication: Eliminates protocols that bypass MFA. Required alongside MFA for meaningful protection.
- Defender for Business deployed: Endpoint protection on all Windows and Mac devices, centrally managed.
- Email security hardened: Anti-phishing policy with impersonation protection, Safe Links and Safe Attachments enabled.
- DMARC, DKIM, SPF configured: Email authentication records preventing domain spoofing.
- Audit logging enabled: Essential for incident investigation — without it, determining what happened after a breach is nearly impossible.
How AMVIA Manages M365 Security
AMVIA manages Microsoft 365 security for UK businesses as part of its managed IT service. This includes licence management (ensuring businesses are on Business Premium or an equivalent security-capable tier), initial hardening of the tenant configuration, ongoing monitoring of Microsoft Secure Score, management of Conditional Access policies, and Defender for Business monitoring and response. For businesses that have M365 but have never had the security configuration reviewed, AMVIA offers a Secure Score review as a starting point. Contact AMVIA on 0333 733 8050 to discuss your Microsoft 365 security requirements.
Key Points
What UK businesses need to know about Microsoft 365 security.
Licence Determines Available Tools
Business Basic and Standard lack Conditional Access and Defender for Business. Business Premium is the right tier for any UK business that needs meaningful endpoint and identity security.
Configuration Is the Business's Responsibility
Microsoft secures the infrastructure. Configuring the security tools — Conditional Access policies, Defender for Business deployment, email security settings — is the business's responsibility.
MFA Blocks 99% of Account Takeover Attacks
Multi-factor authentication via Conditional Access is the single highest-impact security control. Combined with blocking legacy authentication, it closes the most exploited vulnerabilities in M365.
Secure Score Tracks Your Configuration
Microsoft Secure Score provides a real-time measure of your M365 security configuration with an ordered improvement list. Available free in every tenant at security.microsoft.com.
M365 Security Baseline Checklist
Business Premium licensed — not Basic or Standard for security-conscious environments
MFA enforced for all users via Conditional Access — not per-user settings
Legacy authentication blocked via Conditional Access
Defender for Business deployed to all Windows and Mac devices
Safe Attachments and Safe Links enabled for email and Teams
Anti-phishing policy configured with impersonation protection
DMARC, DKIM, and SPF configured for all sending domains
Audit logging enabled with appropriate retention
Frequently Asked Questions
For most UK businesses, Business Standard does not provide sufficient security. It lacks Conditional Access (so MFA cannot be enforced reliably), Defender for Business (no EDR), and Intune (no device management). The additional cost of Business Basic to Standard buys desktop Office apps, not security features. The step from Standard to Premium adds the full security stack. AMVIA recommends Business Premium for any business that needs meaningful protection.
On Business Premium, the built-in security tools are comprehensive for most UK SMEs — Conditional Access, Defender for Business, Intune, and Defender for Office 365 together cover identity, endpoint, and email security. Additional products may be warranted for specific gaps: managed EDR with 24/7 monitoring (such as Huntress layered on Defender for Business), email gateway products (such as Barracuda for additional email filtering), or backup solutions. AMVIA assesses what Business Premium provides versus what additional tools genuinely add for each client.
Microsoft Secure Score at security.microsoft.com gives an immediate view of your configuration against recommended settings. The industry average is approximately 50% — anything significantly below this indicates meaningful gaps. The improvement action list identifies specific settings to address. AMVIA offers a Secure Score review that maps your current configuration against both Microsoft's recommendations and NCSC guidance, with a prioritised improvement plan. Contact AMVIA on 0333 733 8050.
Review Your Microsoft 365 Security Configuration
AMVIA reviews your M365 tenant against Microsoft's recommended security baseline, implements required configurations, and manages your M365 security on an ongoing basis.
Related Resources
Microsoft 365 Security Guide
The complete AMVIA guide to securing Microsoft 365 for UK businesses.
M365 Tenant Hardening Guide
Step-by-step M365 hardening — the specific configurations that make Business Premium secure.
Microsoft Secure Score
Using Secure Score to measure and improve your M365 security configuration.