Office 365 Security Features (2026): What Each Plan Includes — and What Ships Switched Off
Every Microsoft 365 (Office 365) plan carries more security capability than most tenants ever switch on. This guide maps the security features included in each plan tier in 2026 — Business Basic, Standard, Premium and Enterprise — what is off by default, and the hardening steps UK businesses should apply first, from MFA and conditional access to Defender and DLP.
Nathan Hill-Haimes
Technical Director
By: Nathan Hill-Haimes, Technical Director | 10 min read · Mar 2026
Why does Microsoft 365 security depend on configuration?
A Microsoft 365 subscription is secure by configuration, not secure by default. Most controls that meaningfully cut breach risk are available across paid plans but are not enabled out of the box, leaving tenants exposed to account compromise, data exfiltration, ransomware and phishing regardless of tier.
The UK's National Cyber Security Centre (NCSC) consistently identifies compromised credentials and misconfigured cloud services as the leading causes of business email compromise and ransomware (ncsc.gov.uk). Nearly every control below maps directly to those two attack vectors. This is the core of what our Microsoft 365 security practice fixes for SME tenants — turning latent capability into active protection.
Treat this as a checklist a practitioner would actually run, not a feature tour. The order matters: identity first, then admin, then email, then data.
How do you enable multi-factor authentication for all users?
Multi-factor authentication is the single highest-impact control in Microsoft 365. It stops a stolen or guessed password from being enough to reach an account. Microsoft's own data states that "MFA blocks over 99% of account compromise attacks" (microsoft.com/en-gb/security) — no other single setting comes close.
For Business Basic or Standard tenants without Entra ID Premium P1, enable Security Defaults in Microsoft Entra ID. It enforces MFA registration for every user and requires the Microsoft Authenticator app at sign-in. It is free and takes minutes.
For Business Premium and Enterprise tenants, use Conditional Access policies instead. They give granular control — requiring MFA off-network, blocking non-compliant devices, and demanding stronger authentication for administrators. Our conditional access and MFA setup services design these for you.
Enforce Authenticator app push with number matching rather than SMS. SMS codes are vulnerable to SIM-swapping; app-based prompts are far more phishing-resistant.
How should you protect Microsoft 365 admin accounts?
Global Administrator accounts hold unrestricted access to the entire tenant, so they are the highest-value target an attacker can reach. Protecting them means separating admin identity from daily work, enforcing the strongest authentication, and granting privilege only when it is actually needed.
- Use dedicated admin accounts, separate from day-to-day user accounts, for administrative tasks
- Apply Conditional Access policies that target all admin roles with MFA
- Enable Privileged Identity Management (PIM) on Entra ID Premium P2 or E5 for just-in-time elevation rather than standing access
- Minimise Global Administrators — most tasks use least-privilege roles such as Exchange Admin or SharePoint Admin instead
A common finding in tenant reviews is five or more permanent Global Admins, several tied to ex-staff or shared logins. That is the first thing to fix.
How do you configure Microsoft Defender for Office 365?
Exchange Online ships with basic anti-spam and anti-malware filtering. For real protection against phishing and weaponised attachments, layer on Defender policies. These are included with Business Premium (via Defender for Office 365 Plan 1) and the enterprise security plans.
- Safe Attachments sandboxes attachments before delivery, catching malware that signature scanning misses
- Safe Links rewrites URLs in email and Teams, checking them against Microsoft threat intelligence at click time
- Anti-phishing policy enables impersonation protection against spoofed domains and senior-staff names
- DKIM and DMARC DNS records prevent domain spoofing and surface reports on unauthorised senders
Endpoint coverage matters just as much as the inbox. Pair this with Microsoft Defender for Business for device-level detection, and read our guidance on phishing protection for the human layer.
Why should you block legacy authentication?
Legacy authentication protocols — Basic Auth, and IMAP or POP3 without modern auth — bypass MFA entirely, so a conditional access policy cannot protect accounts that use them. Blocking legacy auth is one of the single most effective moves to cut account-compromise risk across a tenant.
Check that mail clients support Modern Authentication before you switch it off. Outlook 2013 and later on Windows supports modern auth; some older or third-party mobile clients do not. The Microsoft 365 Admin Centre's sign-in and usage reports show exactly which clients still connect over legacy protocols, so you can migrate them first and block cleanly.
How do you set up Data Loss Prevention (DLP) in Microsoft 365?
Data Loss Prevention scans email and documents for sensitive patterns — card numbers, National Insurance numbers, health and financial data — and can warn or block when that content leaves the organisation. DLP is available on Business Premium and above through Microsoft Purview (learn.microsoft.com).
Start every DLP rollout in audit-only mode. That lets you observe what sensitive content actually moves before you risk blocking legitimate communication. Once the patterns are clear, enforce on the highest-risk scenarios first — external sharing of regulated data — and widen from there.
Pair DLP with sensible external-sharing controls. By default, users can share SharePoint and Teams content with any email address, a frequent source of accidental exposure. Restrict anonymous links, set link expiry, and limit sharing to approved domains where appropriate.
What logging and scoring should you turn on?
Two tenant-wide settings give you visibility: the Unified Audit Log and Microsoft Secure Score. The audit log records user and admin activity across Exchange, SharePoint, Teams, OneDrive and Entra ID — essential for incident investigation and many compliance frameworks. Secure Score grades your posture and ranks the next best actions.
Audit logging is on by default in most tenants, but confirm it explicitly. Retention is 90 days on Business plans; E5 or the Advanced Audit add-on extends this to one year or longer.
Microsoft Secure Score (at security.microsoft.com) turns your configuration into a number with prioritised recommendations — an excellent way to find the highest-impact gaps. Our Microsoft Secure Score service tracks and improves that figure over time.
Microsoft 365 security controls by plan tier
Use this table to see which hardening controls you already own. Microsoft licence list prices below are current UK figures (microsoft.com/en-gb/microsoft-365).
| Control | Business Basic (£4.60) | Business Standard (£9.60) | Business Premium (£16.90) |
|---|---|---|---|
| MFA / Security Defaults | Yes | Yes | Yes |
| Conditional Access | No | No | Yes |
| Block legacy auth | Yes | Yes | Yes |
| Unified Audit Log (90 days) | Yes | Yes | Yes |
| Defender for Office 365 | No | No | Yes |
| Defender for Business (endpoint) | No | No | Yes |
| Intune device management | No | No | Yes |
| DLP via Purview | No | No | Yes |
Prices are per user, per month, ex VAT, annual commitment. Basic and Standard cover identity hardening; Business Premium is the tier that adds endpoint, device and data protection.
What does AMVIA recommend you do first?
If you do nothing else this quarter: enforce MFA for every user, block legacy authentication, and configure SPF, DKIM and DMARC. Those three steps close the vectors behind most SME breaches and can be done for most tenants in a day. Then work the Secure Score list from the top.
For businesses handling regulated or client-sensitive data, Business Premium is worth the step up — it enables Defender, Intune and DLP in one licence. A structured review removes the guesswork: our Microsoft 365 security audit maps every gap against the controls above and gives you a prioritised remediation plan.
Is Your Microsoft 365 Tenant Properly Secured?
AMVIA performs Microsoft 365 security assessments and configuration hardening for UK businesses. Most tenants have significant gaps that can be closed quickly.
Frequently Asked Questions
Microsoft 365 includes baseline protection, but the controls that meaningfully reduce breach risk — MFA, conditional access, Defender configuration, DLP and blocking legacy authentication — all require explicit setup. Tenants deployed without professional configuration usually carry significant gaps that attackers actively exploit, which is why hardening is a priority rather than an optional extra.
Microsoft Secure Score measures your tenant's security posture from the security.microsoft.com portal. It awards points for controls you have enabled and ranks recommendations by impact, giving you a single figure to track over time. It is the fastest way to see where a tenant stands and which hardening action will move the needle most next.
Core hardening — MFA, blocking legacy auth and audit logging — is available on every paid plan, including Business Basic. Business Premium adds Defender for Business, Intune device management and advanced conditional access. For businesses handling sensitive or regulated data, Premium delivers materially stronger protection than Basic or Standard and is usually the right baseline.
Account compromise through phishing remains the leading cause of breaches in Microsoft 365. An attacker with valid credentials and no MFA can read email, download files and send convincing phishing from a trusted address. Enabling MFA and blocking legacy authentication closes that path for most businesses and should be the first project you complete.
Basic hardening — Security Defaults, blocking legacy auth, SPF, DKIM and DMARC, and audit logging — can be completed in a day for most tenants. More comprehensive work, including Defender configuration, conditional access design, DLP and device compliance, typically takes one to three weeks depending on the size and complexity of the environment.
Related Reading
The 7 Microsoft 365 Misconfigurations Behind Most SME Breaches
The most common Microsoft 365 security mistakes that lead to breaches in UK businesses.
Microsoft 365 Spam Filter | How to Manage Email Filtering
Configuring email filtering and anti-phishing protection in Microsoft 365.
Microsoft 365 Business Premium | Features & Pricing
How Business Premium improves on Standard with Defender, Intune and conditional access.