What Is Microsoft 365 Security?
Microsoft 365 is not secure out of the box. The platform provides powerful security tools, but they require deliberate configuration. This guide explains what Microsoft 365 security means, which licence tier provides meaningful protection, and what configuration is required to protect a UK business using M365.
Overview
Microsoft 365 security means configuring the security tools Microsoft provides — not assuming the platform is secure by default. Business Premium is the right licence tier for UK SMEs, providing Conditional Access, Defender for Business, and Intune. MFA via Conditional Access and blocking legacy authentication are the highest-impact controls. Microsoft Secure Score tracks configuration progress.
Learn about M365 securityMost UK businesses assume Microsoft 365 is secure because Microsoft is a large, trusted vendor. That assumption is where the risk starts. This guide explains what Microsoft 365 security actually involves, which licence tier gives you real protection, and the controls every tenant needs before it is safe to rely on.
What Does Microsoft 365 Security Actually Mean?
Microsoft 365 security is the deliberate configuration of the security tools Microsoft provides, not an assumption that the platform is safe by default. There are two different things at play: the capabilities Microsoft builds into M365, and the configuration your business must apply to make them effective. Confusing the two is the most expensive mistake UK SMEs make.
Microsoft invests heavily in securing its cloud infrastructure. The datacentres, networks and application platforms M365 runs on are well protected against infrastructure-level threats. But that does nothing to stop the attacks that actually cause damage: phishing that steals credentials, ransomware delivered by email, business email compromise that diverts payments, and breaches caused by misconfigured sharing.
With 43% of UK businesses experiencing a cybersecurity breach in 2025 (Department for Science, Innovation and Technology), and 85% of breached businesses identifying phishing as the attack vector (DSIT Cyber Security Breaches Survey 2025), the threats Microsoft's infrastructure security does not address are exactly the ones most likely to hit you. Under Microsoft's shared responsibility model, configuring those controls is the customer's job, not Microsoft's.
Which Microsoft 365 Licence Tier Includes Real Security?
The security tools you have depend entirely on your licence tier. Business Basic and Standard share the same limited security feature set; only Business Premium adds the stack a UK SME actually needs — Conditional Access, Defender for Business, Intune and advanced email protection. Paying more for Standard buys Office apps, not security.
| Licence tier | Price (ex VAT) | Security included | EDR / Conditional Access |
|---|---|---|---|
| Business Basic | £4.60 /user/mo | Exchange Online Protection, Security Defaults MFA, Defender Antivirus | No |
| Business Standard | £9.60 /user/mo | Same as Basic + desktop Office apps | No |
| Business Premium | £16.90 /user/mo | Defender for Business (EDR), Conditional Access (Entra ID P1), Intune, Defender for Office 365 P1, Information Protection | Yes |
Prices are Microsoft list prices per user per month, annual commitment, ex VAT (Microsoft 365 UK). The jump from Standard to Premium is the only step that adds meaningful protection, which is why we recommend Business Premium for any business that needs more than the bare minimum.
What Does Microsoft Defender for Business Add?
Microsoft Defender for Business, included in Business Premium, is an endpoint detection and response (EDR) tool that goes well beyond the basic Defender Antivirus built into Windows. Where antivirus matches known signatures, EDR adds behavioural detection, automated investigation and remediation, attack surface reduction rules, and threat hunting.
Defender for Business monitors activity across every enrolled device, can isolate a compromised machine from the network automatically, and gives you one dashboard showing the security status of the whole organisation. For a UK business without its own security operations centre, it delivers enterprise-grade endpoint protection that would otherwise need a far more expensive standalone EDR product and dedicated staff to run it.
Why Isn't Microsoft 365 Secure Out of the Box?
Even on Business Premium, a freshly provisioned tenant is not secured. The tools are licensed but none are configured. Conditional Access policies do not exist until you create them, Defender for Business is not yet deployed to devices, Safe Links and Safe Attachments are off, legacy authentication that bypasses MFA is still active, and admin accounts hold permanent elevated privileges.
A Basic or Standard tenant in its default state is more exposed still: no enforced MFA unless Security Defaults are switched on, no EDR, no device management and no advanced email security. The common attacks against UK businesses — phishing, credential theft, business email compromise and ransomware — routinely succeed against unconfigured tenants that properly configured Business Premium would have stopped. That gap between available capability and actual configuration is where most M365 security risk sits.
Which Security Controls Does Every M365 Tenant Need?
Every M365 tenant needs the same baseline regardless of size: enforced MFA, blocked legacy authentication, deployed EDR, hardened email and protected admin accounts. These controls close the vulnerabilities attackers exploit most often, and most can be configured in days rather than months.
- MFA for all users — enforced via Conditional Access on Business Premium or Security Defaults on lower tiers. MFA blocks over 99% of credential-based account compromise attacks (Microsoft). It is the single highest-impact control available. See our MFA setup guide for Microsoft 365.
- Legacy authentication blocked — protocols such as IMAP, POP3 and basic SMTP do not support MFA and are used to bypass it. Blocking them via Conditional Access removes the most common MFA bypass.
- Defender for Business deployed — EDR on all Windows and Mac devices, with attack surface reduction rules enabled and managed centrally.
- Email security hardened — anti-phishing policies with impersonation protection for executives and domains, plus Safe Links and Safe Attachments for email and Teams.
- DMARC, DKIM and SPF configured — email authentication records that stop attackers spoofing your domain to phish your clients and suppliers.
- Admin accounts protected with PIM — Privileged Identity Management replacing permanent admin rights with just-in-time elevation, approval and audit logging.
- Audit logging enabled — essential for incident forensics, made more critical by the fact that only 14% of UK businesses have a formal incident response plan (DSIT 2025).
How Does Microsoft Secure Score Measure Your Configuration?
Microsoft Secure Score is a free tool in every tenant at security.microsoft.com that scores your configuration against Microsoft's recommended actions as a percentage. The industry average sits around 50% (2025 industry benchmarking), meaning the typical organisation has implemented only half the recommended controls; a score above 70% indicates a well-hardened environment.
Secure Score gives an ordered list of improvement actions with impact ratings, so it is straightforward to prioritise the changes that matter most. We use it both as a baseline assessment for new clients and as an ongoing monitoring tool, reviewing the score quarterly so new Microsoft recommendations are assessed and applied where appropriate.
How Does M365 Security Fit a Wider Cybersecurity Strategy?
Microsoft 365 security is one layer of a broader strategy, not the whole of it. M365 covers identity (Entra ID and Conditional Access), endpoint (Defender for Business), email (Defender for Office 365) and data (Purview). Those controls should sit alongside network security, staff awareness training, an incident response plan, and backup and recovery — the connective tissue of managed cybersecurity.
For businesses pursuing certification, a correctly configured Business Premium tenant supports several Cyber Essentials technical requirements, including access control, malware protection and secure configuration. We advise on M365 configuration in the context of compliance requirements and the wider security picture, so the platform reinforces your strategy rather than sitting in isolation.
How Does AMVIA Manage Microsoft 365 Security?
AMVIA manages Microsoft 365 security for UK businesses as part of a managed service: licence management to keep you on a security-capable tier, initial tenant hardening, ongoing Secure Score monitoring, Conditional Access policy management, and Defender for Business monitoring and incident response. Our security stack is Microsoft Defender plus the Barracuda suite, run by Microsoft-certified engineers.
If you have M365 but the security configuration has never been reviewed, a Secure Score review is the right starting point — it identifies the highest-impact improvements for your specific environment and licence tier. Contact AMVIA on 0333 733 8050 to discuss your requirements.
Key Points
What UK businesses need to know about Microsoft 365 security.
Licence Determines Available Tools
Business Basic and Standard lack Conditional Access and Defender for Business. Business Premium is the right tier for any UK business that needs meaningful endpoint and identity security.
Configuration Is the Business's Responsibility
Microsoft secures the infrastructure. Configuring the security tools — Conditional Access policies, Defender for Business deployment, email security settings — is the business's responsibility.
MFA Blocks 99% of Account Takeover Attacks
Multi-factor authentication via Conditional Access is the single highest-impact security control. Combined with blocking legacy authentication, it closes the most exploited vulnerabilities in M365.
Secure Score Tracks Your Configuration
Microsoft Secure Score provides a real-time measure of your M365 security configuration with an ordered improvement list. Available free in every tenant at security.microsoft.com.
M365 Security Baseline Checklist
Business Premium licensed — not Basic or Standard for security-conscious environments
MFA enforced for all users via Conditional Access — not per-user settings
Legacy authentication blocked via Conditional Access
Defender for Business deployed to all Windows and Mac devices
Safe Attachments and Safe Links enabled for email and Teams
Anti-phishing policy configured with impersonation protection
DMARC, DKIM, and SPF configured for all sending domains
Audit logging enabled with appropriate retention
Frequently Asked Questions
For most UK businesses, no. Standard lacks Conditional Access, so MFA cannot be enforced reliably, and it has no Defender for Business EDR or Intune device management. The cost of Standard over Basic buys desktop Office apps, not security. Only the step up to Business Premium adds the full security stack, which is why we recommend it.
On Business Premium the built-in tools cover identity, endpoint and email security for most SMEs. Additional products are warranted only for specific gaps: 24/7 managed detection layered on Defender for Business, an email gateway such as Barracuda for extra filtering, or third-party backup. We assess what Premium already provides versus what genuinely adds value per client.
Microsoft Secure Score at security.microsoft.com gives an immediate view of your configuration against recommended settings, with an ordered list of fixes. A score well below the typical baseline indicates meaningful gaps. AMVIA offers a Secure Score review that maps your configuration against both Microsoft's recommendations and NCSC guidance, with a prioritised plan.
Multi-factor authentication enforced through Conditional Access. Microsoft reports MFA blocks over 99% of credential-based account compromise attacks. Pairing it with a policy that blocks legacy authentication closes the most commonly exploited bypass, so the two together remove a large share of account-takeover risk for very little effort.
Yes. A correctly configured Business Premium tenant supports several Cyber Essentials technical requirements, including access control, malware protection and secure configuration. It does not award the certification on its own, but it removes much of the configuration work, and AMVIA holds Cyber Essentials Plus and advises clients on aligning M365 with the scheme.
Review Your Microsoft 365 Security Configuration
AMVIA reviews your M365 tenant against Microsoft's recommended security baseline, implements required configurations, and manages your M365 security on an ongoing basis.
Related Resources
Microsoft 365 Security Guide
The complete AMVIA guide to securing Microsoft 365 for UK businesses.
M365 Tenant Hardening Guide
Step-by-step M365 hardening — the specific configurations that make Business Premium secure.
Microsoft Secure Score
Using Secure Score to measure and improve your M365 security configuration.