Introduction
Microsoft 365 includes strong security when you turn features on. SMEs in Thailand and Singapore often buy Standard licenses but skip MFA and legacy auth — the most common gap we see after migration. This checklist covers high-impact controls without an enterprise SOC.
Level 1 — Every tenant (free or included)
Multi-factor authentication (MFA)
Require MFA for all admins and users via Microsoft Entra ID → Security → MFA. Prefer Authenticator app over SMS where possible.
Why: Stops password-spray and phishing takeovers — the #1 cause of business email compromise.
Disable legacy authentication
Block POP/IMAP and old clients that bypass MFA: Entra ID → Security → Conditional Access (Premium) or legacy auth blocking policies.
Secure admin accounts
- 2–3 Global Admins maximum; use day-to-day non-admin accounts
- Separate admin UPN (e.g.
[your domain]) with MFA - No shared passwords in spreadsheets
Level 2 — Business Standard and above
Safe Links and Safe Attachments
Enable in Microsoft Defender portal → Email & collaboration → Policies. Standard includes baseline Defender for Office 365; tune policies for finance and HR mailboxes first.
Audit logging
Review audit log in Purview for unusual forwarding rules and new inbox rules — common after compromise.
Level 3 — Business Premium or Enterprise
Intune device compliance
Require managed devices for company email:
- Enroll Windows and mobile via Company Portal
- Block jailbroken phones from Exchange sync
- See Business Premium for Intune inclusion
Defender for Business
Endpoint antivirus and EDR on PCs — deploy from Microsoft 365 Defender console.
Conditional Access
Block sign-in from unexpected countries, require compliant device, or require MFA on risky sign-ins — needs Entra ID P1 (included in Premium / E3+).
Email hygiene habits (non-technical)
- Train staff to report phishing — use Report message in Outlook
- No payroll changes from email alone — verify by phone
- Disable automatic forwarding to external addresses unless required
PDPA and Singapore PDPA alignment
Security controls support accountability under PDPA: access control, breach detection, and retention. Microsoft 365 is not automatically compliant — you must configure retention labels, DLP, and processes. Premium / E3 unlocks tools; legal review still applies.
Plan mapping
| Control | Minimum plan |
|---|---|
| MFA, basic Defender | Business Basic+ |
| Desktop Office + Defender policies | Business Standard+ |
| Intune, Conditional Access P1, Defender for Business | Business Premium+ |
| Advanced DLP, eDiscovery | Enterprise E3/E5 |
When to upgrade plans for security alone
If you handle personal data at scale, health, or financial records, Business Premium or E3 is usually cheaper than breach recovery. Compare Premium vs Standard.
Next steps
Common questions
What is the most important security step for Microsoft 365?
Enable multi-factor authentication (MFA) for all users — especially admins. MFA stops most password-based attacks and takes less than 15 minutes to enable for a small business tenant.
Do I need Business Premium for security?
Not necessarily. Business Basic and Standard include MFA and basic Defender for Office 365. Business Premium adds Intune device management, Defender for Business EDR, and Conditional Access — needed if you manage devices or handle sensitive data.
How do I block legacy authentication in Microsoft 365?
Use Conditional Access policies (requires Business Premium or Enterprise) or legacy auth blocking policies. This prevents older email clients that bypass MFA from accessing your tenant.
Is Microsoft 365 secure enough for PDPA compliance?
Microsoft 365 has the technical controls needed for PDPA — but compliance depends on your configuration. You must enable MFA, configure retention policies, set up DLP, and process data appropriately. Premium or E3 plans give you the tools; you still need to configure them.
