Your M365 Is Configured for Convenience, Not Security — Let's Fix That
85% of UK businesses using Microsoft 365 have at least one critical misconfiguration. AMVIA audits and hardens M365 environments — configuring Conditional Access, Defender, MFA, and DLP to close the gaps attackers exploit. Trusted by 1,200+ UK businesses.
Microsoft 365 security is the work of configuring, hardening and monitoring the security controls inside your M365 tenant — MFA, Conditional Access, Microsoft Defender, DLP and backup — because the platform ships set for convenience, not protection. AMVIA audits, fixes and manages all of it. One provider. Security-first. Microsoft-certified.
What Is Microsoft 365 Security?
Microsoft 365 security covers the configuration, management, and ongoing monitoring of the security controls available within the Microsoft 365 platform. Out of the box, Microsoft 365 is not secure — it ships with conservative default settings designed to avoid disrupting existing workflows, not to maximise security. A properly secured M365 tenant requires Conditional Access policies, enforced MFA, Defender for Office 365 configuration, Data Loss Prevention rules, and regular Secure Score review. AMVIA's M365 security service handles all of this on your behalf.
What Our Microsoft 365 Security Service Includes
AMVIA audits, configures, and manages the security of your Microsoft 365 environment — ensuring the tools you are already paying for are working as hard as they should be.
Microsoft 365 Security Audit
A comprehensive review of your M365 tenant configuration against Microsoft's security best practices — identifying misconfigurations, unused security features, and gaps in your Secure Score.
Conditional Access Configuration
Conditional Access policies that enforce MFA based on risk signals — location, device compliance, sign-in risk — blocking attackers even if credentials are stolen.
Microsoft Defender for Business Management
Configuration and ongoing management of Defender for Business (included in Business Premium) or Defender for Endpoint — covering anti-malware, attack surface reduction, and endpoint detection.
MFA Enforcement
Enforce multi-factor authentication across all users — including admin accounts with Privileged Identity Management — eliminating the most common attack vector for account compromise.
Data Loss Prevention (DLP) Policies
Configure DLP rules to prevent sensitive data (financial information, personal data, client files) from being shared externally, printed, or downloaded to unmanaged devices.
Microsoft 365 Backup and Recovery
Microsoft does not back up your M365 data. AMVIA deploys and manages a third-party M365 backup solution covering Exchange, SharePoint, OneDrive, and Teams — with granular recovery capability.
Microsoft 365 Security Checklist
Key security controls every UK business should have configured in their Microsoft 365 tenant.
MFA enforced for all users — not just administrators
Conditional Access policies deployed and actively managed
Admin accounts protected with Privileged Identity Management (PIM)
Microsoft Secure Score reviewed and improvement actions prioritised
Data Loss Prevention policies configured for sensitive data types
Third-party M365 backup in place covering Exchange, SharePoint, and OneDrive
What is Microsoft 365 security and why does it matter?
Microsoft 365 security covers the configuration, management and ongoing monitoring of the security controls built into the M365 platform. Out of the box, M365 is not secure — it ships with conservative defaults designed to avoid disrupting workflows. Securing a tenant means enforcing MFA, deploying Conditional Access, configuring Defender and adding real backup.
The uncomfortable reality is that the tools are already in your licence; they are just switched off or left on baseline settings. In AMVIA's own tenant assessments, 85% of UK businesses using Microsoft 365 have at least one critical misconfiguration — most commonly missing MFA enforcement or legacy authentication left enabled. Microsoft itself reports that 99% of account compromise attacks can be blocked by enforcing MFA (Microsoft Security).
If you want a single technician-led pass over your environment first, start with a Microsoft 365 security audit — it maps every gap before anyone changes a policy.
What does AMVIA's Microsoft 365 security service include?
AMVIA audits, configures and manages the security of your Microsoft 365 environment so the tools you already pay for work as hard as they should. Every engagement starts with a baseline assessment, then a prioritised remediation plan, then ongoing management — not a one-off project that drifts back to insecure within months.
Core elements of the service:
- Microsoft 365 security audit — full tenant review against Microsoft and NCSC baselines
- Conditional Access configuration — the policy engine that gates every sign-in
- Microsoft Defender for Business management — endpoint detection and response, tuned and monitored
- MFA enforcement across all users — not just administrators
- Data Loss Prevention (DLP) policies — rules that stop sensitive data leaving the tenant
- Microsoft 365 backup and recovery — third-party point-in-time backup Microsoft does not provide
For organisations that want the whole tenant run for them rather than just secured, our managed Microsoft 365 service layers day-to-day administration on top of the security baseline.
Why is Microsoft 365's default configuration not secure?
Microsoft 365 prioritises usability over security, so a fresh tenant leaves several doors open. The platform assumes you will harden it — it does not do that for you. The most common gaps are predictable, and attackers know exactly where to look.
Default-tenant weaknesses we find repeatedly:
- MFA not enforced — users sign in with just a username and password
- Legacy authentication protocols enabled — these bypass MFA entirely
- No Conditional Access policies — any device from any location can connect
- Defender for Office 365 anti-phishing left on default settings
- No DLP policies — sensitive files shared externally without restriction
- Admin accounts unprotected by Privileged Identity Management (PIM)
- No third-party backup — Microsoft's retention is not a backup
This is not a Microsoft fault so much as a configuration responsibility. The UK Government's 2025 Cyber Security Breaches Survey found only 40% of UK businesses have two-factor authentication enabled (DSIT 2025) (gov.uk) — the single control that blocks the overwhelming majority of account takeovers.
How do Microsoft 365 licence tiers compare on security?
Your licence tier decides which security tools you can switch on. Business Basic and Standard give you almost nothing beyond basic mail filtering; Business Premium is the first tier with a genuine security stack. The table below shows what each tier actually includes.
| Tier | Price | Email security | Defender for Business | Conditional Access | Intune MDM |
|---|---|---|---|---|---|
| Microsoft 365 Business Basic | £4.60/user/month | EOP basic filtering | No | No | No |
| Microsoft 365 Business Standard | £9.60/user/month | EOP basic filtering | No | No | No |
| Microsoft 365 Business Premium | £16.90/user/month | Defender for Office 365 P1 | Yes (up to 300 devices) | Yes (Entra ID P1) | Yes |
- Microsoft 365 Business Basic (£4.60/user/month) — Exchange Online, Teams, SharePoint and OneDrive with Exchange Online Protection only. No advanced threat protection. Not a security baseline for most businesses.
- Microsoft 365 Business Standard (£9.60/user/month) — adds the Office desktop apps but does not upgrade the security stack. Third-party email security and MDM strongly recommended.
- Microsoft 365 Business Premium (£16.90/user/month) — Defender for Business, Defender for Office 365 Plan 1, Entra ID Premium P1 (Conditional Access and risk-based MFA), Microsoft Intune and basic DLP. This is the tier we recommend as a security baseline.
If you are weighing the jump, Premium's Defender for Business covers endpoint detection and response for up to 300 devices, while the enterprise Defender for Endpoint Plan 2 removes the device limit and adds advanced hunting and Sentinel integration (Microsoft 365 plans).
Does Microsoft back up your Microsoft 365 data?
No — and this is one of the most misunderstood facts in M365. Microsoft provides short-term retention (a 30-day recycle bin, 14-day Teams retention), but that is not a backup. If data is permanently deleted, corrupted or lost beyond the retention window, Microsoft cannot restore it for you (Microsoft Learn).
AMVIA deploys third-party M365 backup covering Exchange Online, SharePoint, OneDrive and Teams, with point-in-time recovery and retention periods of 1–5 years. Under the shared responsibility model, protecting your data is your job, not Microsoft's.
How do you measure Microsoft 365 security posture?
Microsoft Secure Score is a free tool in the M365 security portal that scores your tenant configuration against Microsoft's recommendations, with improvement actions ranked by impact and effort. It is the cleanest single number to track whether your security is getting better or quietly drifting backwards.
AMVIA establishes a Secure Score baseline during the initial audit, then tracks it monthly. Most AMVIA clients improve their Microsoft Secure Score by 20–40 percentage points within the first three months — most of that from enforcing MFA, killing legacy authentication and deploying Conditional Access.
How much does Microsoft 365 security management cost?
AMVIA's Microsoft 365 security management — covering the initial audit, Conditional Access configuration, Defender management, DMARC setup, DLP policies and ongoing Secure Score monitoring — starts from £5 per user per month for tenants on Business Premium. That sits on top of your Microsoft licence cost, not instead of it.
There is no per-incident surprise billing and no lock-in to a telecoms bundle: you get a single accountable provider, Microsoft-certified engineers, and a security baseline you can audit at any time.
Frequently Asked Questions
No. Microsoft 365 ships with conservative defaults built for usability, not protection. Most tenants lack MFA enforcement, leave legacy authentication enabled and have no Conditional Access policies. Microsoft Secure Score typically shows most businesses below 50% on a first assessment, which is why an audit before any other work is the right starting point.
Microsoft Defender for Business, included in Microsoft 365 Business Premium, provides endpoint detection and response, vulnerability management, attack surface reduction and automated investigation and remediation for up to 300 devices. It is designed for SMEs with simplified management, making it a strong fit for businesses with 10–300 staff that want enterprise-style protection without enterprise complexity.
Business Standard (£9.60/user/month) gives you the Office apps and basic email filtering but minimal security tooling. Business Premium (£16.90/user/month) adds Defender for Business, Conditional Access through Entra ID Premium P1, Microsoft Intune and Defender for Office 365. For most UK SMEs, Premium is the realistic security baseline and the tier AMVIA recommends.
No. Microsoft provides short-term retention — a 30-day recycle bin and 14-day Teams retention — but this is not a backup. Once data passes the retention window or is permanently deleted, Microsoft cannot recover it. AMVIA deploys third-party M365 backup with point-in-time recovery and 1–5 year retention across Exchange, SharePoint, OneDrive and Teams.
AMVIA's M365 security management — initial audit, Conditional Access configuration, Defender management, DMARC setup, DLP policies and Secure Score monitoring — starts from £5 per user per month for tenants on Business Premium. That is on top of your Microsoft licence, with no per-incident billing and no long lock-in.
We secure and manage Microsoft 365 for 1,200+ UK businesses whose Microsoft 365 environments are managed and secured by AMVIA. In-house teams can configure these controls, but keeping them current as Microsoft changes defaults and attackers change tactics is a full-time job. You get Microsoft-certified engineers, an auditable baseline and one accountable provider rather than a stack of disconnected tools.
99% of Account Attacks Are Blocked by MFA — Is Yours Even Turned On?
Get a free M365 security audit — we will review your tenant configuration and Secure Score in under an hour. No commitment. Response within 2 hours.
Related Resources
Microsoft 365 Business Premium vs Business Standard
A detailed security comparison of the two most common M365 licence tiers for UK SMEs.
Email Security
Anti-phishing, DMARC, and BEC protection for your Microsoft 365 email environment.
Endpoint Security
Managed Defender for Business and EDR across all your business devices.
Managed Cybersecurity
Full managed security including M365, endpoints, email, and 24/7 SOC monitoring.
Cybersecurity for Accountancy Firms
M365 security and compliance for accountancy practices handling sensitive client data.
What Is Microsoft 365 Security?
In-depth explainer on microsoft 365 security? for UK businesses. Key concepts, best practices, and practical guidance from AMVIA's experts.
Microsoft 365 vs Google Workspace: Which Is More Secure…
Direct answer: Microsoft 365 vs Google Workspace: Which Is More Secure for SMEs?. Expert guidance with UK-specific data, key requirements…
Search AMVIA
Search the AMVIA website for service pages, guides, blog articles, and resources on managed IT, cybersecurity, connectivity, and VoIP.
99% of account attacks blocked by MFA → Get My Free M365 Audit