Microsoft 365 has come a long way when it comes to security. What used to be a bare-bones security system now offers features such as automatic scanning of email attachments, phishing protection, and ransomware protection.

Users with a Microsoft 365 Business plan have even more advanced security features at their disposal. Most of these, however, have to be activated manually. Here's how to make sure Microsoft 365 is secure to use.

How to Set Up Multi-Factor Authentication

Multi-factor authentication (MFA) is, by far, one of the easiest and most effective ways to secure your Microsoft 365 account. It basically means that whenever you log in, you will be required to enter a code received via SMS or through an authenticator app on your phone.

So, even if your password is compromised, no one can access your account unless they also have the authentication code.

To take advantage of MFA, an admin of your organization or business must first enable it in the Microsoft 365 admin center.

How to Enable MFA Using the Microsoft 365 Admin Center

  1. Open the Microsoft 365 Admin Center and log in.
  2. On the navigation bar towards the left, click Show All and go to Admin centers > Azure Active Directory.
  3. In the Azure Active Directory admin center, again click on Azure Active Directory.
  4. On the navigation bar, scroll down and click on Properties.
  5. At the bottom of the page, find and click on Manage Security Defaults.
  6. Switch the slider to Yes and then click Save.

After enabling security defaults, MFA is automatically enabled for all users.

The next step is to set up your Microsoft 365 account for MFA, which means deciding whether you'll use SMS or an authentication app to receive your code.

  1. Once MFA is enabled, log in to your Microsoft 365 account as you normally would.
  2. Upon clicking Sign In, you'll get a prompt that asks for more information. Click Next.
  3. Now, you'll be asked to choose an authentication method. Choose whichever suits you and go to Save.

How to Turn on Microsoft 365 Anti-Malware

Another great security feature in Microsoft 365 is the anti-malware feature. It automatically blocks certain types of attachments from running in Outlook. This is important because your computer can easily be hacked using an infected attachment.

Infected attachments usually have a .js, .exe, or .bat extension, all of which are blocked from running when you turn on malware protection.

To make use of this feature, just go to the Microsoft 365 Admin Center:

  1. In the navigation bar on the left, click Show More.
  2. Now, click on Admin Centers > Security & Compliance.
  3. After this, select Threat Management and choose Policy.
  4. On the Policy dashboard, click Anti-malware.
  5. Double-click on Default to open the Default policy.
  6. Click Settings and under Common Attachments Type Filter, click the On radio button.
  7. Click on Save.

This will prevent you from receiving and sending the file types that are listed in the window.

You can also opt to receive notifications whenever an attachment is blocked, and choose whether the sender will be notified about the blocked attachment.

How to Customize Anti-Phishing in Microsoft 365

Phishing is one of the most common ways to infect your computer. In a phishing attack, an email or file is designed to look like it's from a trusted or familiar source, but instead it tries to collect confidential data. This includes usernames, passwords, and credit card numbers. In fact, there are many types of phishing attacks you should be aware of.

While Microsoft claims that Microsoft 365 has anti-phishing protection built-in, there are quite a few settings that you will have to switch on manually to take full advantage of it.

To customize anti-phishing options, do the following:

  1. Go to the Microsoft 365 Admin Center.
  2. In the navigation bar on the left, under Admin centers, click Security.
  3. Now, expand Threat Management and click Policy.
  4. On the Policy dashboard, choose ATP anti-phishing.
  5. In the Anti-phishing window, click on Default policy.
  6. Under the Impersonation section, click Edit.
  7. On the navigation bar, you can choose whether you want to Add users to protect or Add domains to protect.
  8. It's recommended that you click Add domains to protect, then switch on Automatically include the domains I own.
  9. In the navigation bar, click Action.
  10. Choose what Microsoft 365 should do when it detects an email sent by an impersonated user or an impersonated domain.
  11. Now, click on Mailbox intelligence in the navigation bar and ensure the switch is toggled On.
  12. Click Review your settings and then select Save.

After enabling these settings, your Microsoft 365 account will be much better protected against phishing emails.

How to Enable Smart Lockout in Microsoft 365

Smart Lockout prevents a user from signing in after multiple unsuccessful attempts. Simply put, if you enter your password incorrectly a specific number of times, you will be barred from signing in for a fixed duration of time.

The lockout duration increases proportionally to the number of sign-in attempts with a bad password. This is helpful when hackers try to use brute force to break into a user account. However, due to the way Smart Lockout works, if the same bad password is entered multiple times, the account won't lock out.

The Smart Lockout feature can be enabled via Azure Active Directory. You should keep in mind that this feature requires you and other users to have an Azure AD P1 License or higher.

  1. Go to the Azure portal and sign in using administrator credentials.
  2. Expand the navigation bar on the left and click Azure Active Directory.
  3. Now, click Security and navigate to Authentication methods > Password protection.
  4. Here, you can set the Lockout threshold that will determine the number of unsuccessful sign-in attempts to trigger Smart Lockout.
  5. Set the Lockout duration in seconds to determine the duration of Smart Lockout.
  6. Click on Save and exit.
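
The lockout behaviour described above can be seen in a small model. This is an added example, not Microsoft's implementation or code from the original article; the class and function names, the hash-based tracking of bad passwords, and the linear growth of the lockout duration are assumptions made for illustration.

```python
import hashlib


class SmartLockoutModel:
    """Simplified model of the behaviour described above (not Microsoft's code)."""

    def __init__(self, threshold=10, base_duration=60):
        self.threshold = threshold          # the "Lockout threshold" setting
        self.base_duration = base_duration  # the "Lockout duration in seconds" setting
        self.seen_bad = set()               # hashes of bad passwords already counted
        self.failures = 0                   # distinct bad passwords since last reset
        self.lockouts = 0                   # number of lockouts so far
        self.locked_until = 0.0

    def attempt(self, password, correct_password, now):
        """Return 'locked', 'ok' or 'bad' for a sign-in at time `now` (seconds)."""
        if now < self.locked_until:
            return "locked"                 # even the right password is refused
        if password == correct_password:
            self.seen_bad.clear()
            self.failures = 0
            return "ok"
        digest = hashlib.sha256(password.encode()).hexdigest()
        if digest not in self.seen_bad:     # a repeated bad password is not re-counted
            self.seen_bad.add(digest)
            self.failures += 1
        if self.failures >= self.threshold:
            self.lockouts += 1
            # Assumption: each successive lockout lasts one base duration longer.
            self.locked_until = now + self.base_duration * self.lockouts
            self.failures = 0
            self.seen_bad.clear()
            return "locked"
        return "bad"


def replay(model, guesses, correct="S3cure!pass"):
    """Feed one guess per second and return the list of outcomes."""
    return [model.attempt(g, correct, float(i)) for i, g in enumerate(guesses)]


def stale_client():
    # Constructed case: a device retrying one outdated password 20 times.
    return replay(SmartLockoutModel(threshold=5), ["OldPassw0rd"] * 20)


def guessing_run():
    # Constructed case: 8 different wrong guesses against a threshold of 5.
    return replay(SmartLockoutModel(threshold=5), [f"guess{i}" for i in range(8)])
```

In this model the stale client never locks the account, while the run of different guesses is locked out at the fifth attempt, which is why a low threshold mainly affects guessing attacks rather than users with an old saved password.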

Plenty of Security Features in Microsoft 365

There are plenty of ways to secure your Microsoft 365 account and protect your organization. But the most effective way is to ensure that you practice proper internet safety etiquette.

This includes setting a strong password, enabling Windows firewall, and making sure other security features on your device are switched on.