Microsoft 365 Security

Your M365 Is Configured for Convenience, Not Security — Let's Fix That

85% of UK businesses using Microsoft 365 have at least one critical misconfiguration. AMVIA audits and hardens M365 environments — configuring Conditional Access, Defender, MFA, and DLP to close the gaps attackers exploit. Trusted by 1,200+ UK businesses.

85%of UK businesses using Microsoft 365 have at least one critical misconfiguration in their tenant (Microsoft Security)
99%of account compromise attacks can be blocked by enforcing MFA — yet many M365 tenants still do not enforce it
1,200+UK businesses whose Microsoft 365 environments are managed and secured by AMVIA

Microsoft 365 security is the work of configuring, hardening and monitoring the security controls inside your M365 tenant — MFA, Conditional Access, Microsoft Defender, DLP and backup — because the platform ships set for convenience, not protection. AMVIA audits, fixes and manages all of it. One provider. Security-first. Microsoft-certified.

What Is Microsoft 365 Security?

Microsoft 365 security covers the configuration, management, and ongoing monitoring of the security controls available within the Microsoft 365 platform. Out of the box, Microsoft 365 is not secure — it ships with conservative default settings designed to avoid disrupting existing workflows, not to maximise security. A properly secured M365 tenant requires Conditional Access policies, enforced MFA, Defender for Office 365 configuration, Data Loss Prevention rules, and regular Secure Score review. AMVIA's M365 security service handles all of this on your behalf.

What Our Microsoft 365 Security Service Includes

AMVIA audits, configures, and manages the security of your Microsoft 365 environment — ensuring the tools you are already paying for are working as hard as they should be.

Microsoft 365 Security Audit

A comprehensive review of your M365 tenant configuration against Microsoft's security best practices — identifying misconfigurations, unused security features, and gaps in your Secure Score.

Conditional Access Configuration

Conditional Access policies that enforce MFA based on risk signals — location, device compliance, sign-in risk — blocking attackers even if credentials are stolen.

Microsoft Defender for Business Management

Configuration and ongoing management of Defender for Business (included in Business Premium) or Defender for Endpoint — covering anti-malware, attack surface reduction, and endpoint detection.

MFA Enforcement

Enforce multi-factor authentication across all users — including admin accounts with Privileged Identity Management — eliminating the most common attack vector for account compromise.

Data Loss Prevention (DLP) Policies

Configure DLP rules to prevent sensitive data (financial information, personal data, client files) from being shared externally, printed, or downloaded to unmanaged devices.

Microsoft 365 Backup and Recovery

Microsoft does not back up your M365 data. AMVIA deploys and manages a third-party M365 backup solution covering Exchange, SharePoint, OneDrive, and Teams — with granular recovery capability.

Microsoft 365 Security Checklist

Key security controls every UK business should have configured in their Microsoft 365 tenant.

MFA enforced for all users — not just administrators

Conditional Access policies deployed and actively managed

Admin accounts protected with Privileged Identity Management (PIM)

Microsoft Secure Score reviewed and improvement actions prioritised

Data Loss Prevention policies configured for sensitive data types

Third-party M365 backup in place covering Exchange, SharePoint, and OneDrive

What is Microsoft 365 security and why does it matter?

Microsoft 365 security covers the configuration, management and ongoing monitoring of the security controls built into the M365 platform. Out of the box, M365 is not secure — it ships with conservative defaults designed to avoid disrupting workflows. Securing a tenant means enforcing MFA, deploying Conditional Access, configuring Defender and adding real backup.

The uncomfortable reality is that the tools are already in your licence; they are just switched off or left on baseline settings. In AMVIA's own tenant assessments, 85% of UK businesses using Microsoft 365 have at least one critical misconfiguration — most commonly missing MFA enforcement or legacy authentication left enabled. Microsoft itself reports that 99% of account compromise attacks can be blocked by enforcing MFA (Microsoft Security).

If you want a single technician-led pass over your environment first, start with a Microsoft 365 security audit — it maps every gap before anyone changes a policy.

What does AMVIA's Microsoft 365 security service include?

AMVIA audits, configures and manages the security of your Microsoft 365 environment so the tools you already pay for work as hard as they should. Every engagement starts with a baseline assessment, then a prioritised remediation plan, then ongoing management — not a one-off project that drifts back to insecure within months.

Core elements of the service:

For organisations that want the whole tenant run for them rather than just secured, our managed Microsoft 365 service layers day-to-day administration on top of the security baseline.

Why is Microsoft 365's default configuration not secure?

Microsoft 365 prioritises usability over security, so a fresh tenant leaves several doors open. The platform assumes you will harden it — it does not do that for you. The most common gaps are predictable, and attackers know exactly where to look.

Default-tenant weaknesses we find repeatedly:

  • MFA not enforced — users sign in with just a username and password
  • Legacy authentication protocols enabled — these bypass MFA entirely
  • No Conditional Access policies — any device from any location can connect
  • Defender for Office 365 anti-phishing left on default settings
  • No DLP policies — sensitive files shared externally without restriction
  • Admin accounts unprotected by Privileged Identity Management (PIM)
  • No third-party backup — Microsoft's retention is not a backup

This is not a Microsoft fault so much as a configuration responsibility. The UK Government's 2025 Cyber Security Breaches Survey found only 40% of UK businesses have two-factor authentication enabled (DSIT 2025) (gov.uk) — the single control that blocks the overwhelming majority of account takeovers.

How do Microsoft 365 licence tiers compare on security?

Your licence tier decides which security tools you can switch on. Business Basic and Standard give you almost nothing beyond basic mail filtering; Business Premium is the first tier with a genuine security stack. The table below shows what each tier actually includes.

TierPriceEmail securityDefender for BusinessConditional AccessIntune MDM
Microsoft 365 Business Basic£4.60/user/monthEOP basic filteringNoNoNo
Microsoft 365 Business Standard£9.60/user/monthEOP basic filteringNoNoNo
Microsoft 365 Business Premium£16.90/user/monthDefender for Office 365 P1Yes (up to 300 devices)Yes (Entra ID P1)Yes
  • Microsoft 365 Business Basic (£4.60/user/month) — Exchange Online, Teams, SharePoint and OneDrive with Exchange Online Protection only. No advanced threat protection. Not a security baseline for most businesses.
  • Microsoft 365 Business Standard (£9.60/user/month) — adds the Office desktop apps but does not upgrade the security stack. Third-party email security and MDM strongly recommended.
  • Microsoft 365 Business Premium (£16.90/user/month) — Defender for Business, Defender for Office 365 Plan 1, Entra ID Premium P1 (Conditional Access and risk-based MFA), Microsoft Intune and basic DLP. This is the tier we recommend as a security baseline.

If you are weighing the jump, Premium's Defender for Business covers endpoint detection and response for up to 300 devices, while the enterprise Defender for Endpoint Plan 2 removes the device limit and adds advanced hunting and Sentinel integration (Microsoft 365 plans).

Does Microsoft back up your Microsoft 365 data?

No — and this is one of the most misunderstood facts in M365. Microsoft provides short-term retention (a 30-day recycle bin, 14-day Teams retention), but that is not a backup. If data is permanently deleted, corrupted or lost beyond the retention window, Microsoft cannot restore it for you (Microsoft Learn).

AMVIA deploys third-party M365 backup covering Exchange Online, SharePoint, OneDrive and Teams, with point-in-time recovery and retention periods of 1–5 years. Under the shared responsibility model, protecting your data is your job, not Microsoft's.

How do you measure Microsoft 365 security posture?

Microsoft Secure Score is a free tool in the M365 security portal that scores your tenant configuration against Microsoft's recommendations, with improvement actions ranked by impact and effort. It is the cleanest single number to track whether your security is getting better or quietly drifting backwards.

AMVIA establishes a Secure Score baseline during the initial audit, then tracks it monthly. Most AMVIA clients improve their Microsoft Secure Score by 20–40 percentage points within the first three months — most of that from enforcing MFA, killing legacy authentication and deploying Conditional Access.

How much does Microsoft 365 security management cost?

AMVIA's Microsoft 365 security management — covering the initial audit, Conditional Access configuration, Defender management, DMARC setup, DLP policies and ongoing Secure Score monitoring — starts from £5 per user per month for tenants on Business Premium. That sits on top of your Microsoft licence cost, not instead of it.

There is no per-incident surprise billing and no lock-in to a telecoms bundle: you get a single accountable provider, Microsoft-certified engineers, and a security baseline you can audit at any time.

Frequently Asked Questions

99% of Account Attacks Are Blocked by MFA — Is Yours Even Turned On?

Get a free M365 security audit — we will review your tenant configuration and Secure Score in under an hour. No commitment. Response within 2 hours.

Trusted by 1,200+ UK Businesses
Cyber Essentials Plus
Microsoft Solutions Partner — Modern Work, Security & Azure Infrastructure