The No-BS, Warranty-Free Guide to Locking Down Your Small Business with Microsoft 365 Business Premium#
Why this guide? You’re a small business owner. You don’t have an IT army or a Fortune 500 budget, but you need security that won’t let you down. Microsoft 365 Business Premium gives you enterprise-grade protection at a price that won’t break the bank—and it’s the same system we use for our big clients. It scales, it’s supported, and it works.
This guide is not exhaustive, but it covers everything you need to get started.
Why Microsoft 365 Business Premium?#
- Enterprise-grade security (MFA, DLP, Defender, Intune, Conditional Access) for up to 300 users.
- Same tools as the big guys, but priced for SMBs.
- Community and Microsoft support if you get stuck.
- New 2025 add-ons (like the Microsoft Defender Suite) bring even more advanced protection.
Identity Security: Lock Down Who Can Access What#
1. Create a Break Glass Account (Mandatory)#
Why? If you lock yourself out or get hacked, this is your emergency backdoor.
Setup:
- Create a unique username (e.g.,
EmergencyAdmin-YourCompany). - Set a long, unique password (16+ characters, mix of letters, numbers, symbols). Write it down and store it in a physical safe.
- Assign the Global Administrator role.
- Do NOT enable MFA on this account. If MFA breaks, this account is your lifeline.
Pro Tip: If you want to add MFA to this account later, you can. I would recommend to use 2 FIDO keys and store them in separate locations.
2. License Everyone for Business Premium#
Why? You need the full security suite for every user.
Steps:
- Buy Microsoft 365 Business Premium for every human user and your Break Glass account.
- Assign licenses via the Microsoft Admin Center.
- Remove old licenses (Business Basic/Standard) to avoid conflicts.
Pro Tip: Use the license portal to stop paying for old licenses.
3. Enforce Multi-Factor Authentication (MFA) for Everyone#
Why? MFA blocks 99.9% of account takeovers.
Setup:
- Create a Conditional Access Policy named “MFA Enforcement.”
- Assign to all users, but exclude your Break Glass account.
- Apply to all cloud apps (Teams, Outlook, SharePoint, etc.).
- Set access control: Grant access only if MFA is passed.
- Disable Security Defaults (if enabled) to use your custom policy.
Pro Tip: Use the Microsoft Authenticator app for the strongest MFA.
4. Block Legacy Authentication#
Why? Legacy protocols (POP, IMAP, SMTP) don’t support MFA and are prime attack vectors.
Setup:
- Create a new Conditional Access Policy.
- Assign to all users.
- Set condition: Client apps → “Other clients.”
- Action: Block access.
Pro Tip: Double-check that your Break Glass account is excluded.
Data Security: Protect Your Files and Emails#
1. Store All Data in SharePoint and OneDrive#
Why? Cloud storage is more secure than local servers and protects against ransomware, theft, and device loss.
Setup:
- Move all business data to OneDrive (personal files) and SharePoint (team files).
- Enable Restricted Sharing to prevent accidental external sharing.
- Add trusted domains if you need to share with partners.
Pro Tip: Use OneDrive Known Folder Move to auto-backup user desktops and documents.
2. Set Up Data Loss Prevention (DLP)#
Why? DLP stops accidental or malicious sharing of sensitive data (credit cards, SSNs, health records).
Setup:
- Go to the Microsoft Purview compliance portal.
- Create a new DLP policy:
- Locations: Exchange, SharePoint, OneDrive, Teams.
- Sensitive info types: Use built-in templates (PII, PCI, HIPAA) or create custom ones.
- Actions: Block, audit, notify, or encrypt sensitive data.
- Test in audit mode before enforcing.
Pro Tip: Start with Microsoft’s default DLP templates and customize as needed.
Device Security: Lock Down Laptops and Phones#
1. Enroll Devices in Intune#
Why? Intune lets you manage and secure both company and personal devices.
Setup:
- Go to the Intune admin center.
- Enroll devices:
- For company devices: Use Windows Autopilot for zero-touch setup.
- For BYOD: Use Mobile Application Management (MAM) to secure only work apps.
- Create compliance policies:
- Require minimum OS versions.
- Enforce encryption (BitLocker/FileVault).
- Block jailbroken/rooted devices.
Pro Tip: Use Intune’s built-in compliance policies for a quick start.
2. Enable Microsoft Defender for Endpoint#
Why? Defender for Endpoint stops malware, ransomware, and advanced threats.
Setup:
- Go to Intune → Endpoint security → Microsoft Defender for Endpoint.
- Onboard devices:
- Download the onboarding package.
- Create a new Endpoint protection profile in Intune and assign it to all devices.
- Configure ASR rules (see below).
Pro Tip: Use Defender’s automated investigation and response to handle threats automatically.
3. Require Windows Defender Firewall#
Why? Firewalls block unauthorized network access.
Setup:
- Go to Intune → Endpoint security → Firewall.
- Create a new firewall policy:
- Enable the firewall.
- Block all inbound connections (except for necessary exceptions, like Miracast for conference rooms).
Pro Tip: Test firewall rules with a pilot group before rolling out to everyone.
Mobile Device Security: Secure Phones and Tablets#
1. Set Up Application Protection Policies (MAM)#
Why? MAM secures company data in work apps without managing the entire device.
Setup:
- Go to Intune → Apps → App protection policies.
- Create a policy for Office apps (Outlook, Teams, OneDrive):
- Require MFA for app access.
- Prevent data sharing between work and personal apps.
- Wipe only company data if the device is lost or the user leaves.
Pro Tip: Send users this guide to help them set up their devices.
2. Enroll Mobile Devices in Intune (Optional)#
Why? Full device management gives you more control but is more invasive.
Setup:
- Follow Intune’s mobile enrollment guides for iOS and Android.
- Assign compliance policies (minimum OS, encryption, etc.).
Pro Tip: For Macs, treat them as mobile devices in Intune.
Bonus: Block Non-Registered Devices (Advanced)#
Why? Only allow company-managed devices to access company data.
Setup:
- Create a new Conditional Access Policy.
- Assign to all users (exclude Break Glass).
- Apply to all apps.
- Set condition: Device state → Not compliant.
- Action: Block access.
Caution: Only use this if all users have company-managed devices. If you use Macs or Chromebooks, skip this step.
Bonus: Attack Surface Reduction (ASR) Rules (For IT-Savvy Users)#
Why? ASR rules stop common attack vectors, like malicious Office macros.
Setup:
- Go to Intune → Endpoint security → Attack surface reduction.
- Create a new policy:
- Rule: Block Office apps from creating child processes (GUID:
D4F940AB-401B-4EFC-AADC-AD5F3C50688A). - Mode: Start with Audit to test, then switch to Block.
- Rule: Block Office apps from creating child processes (GUID:
Pro Tip: Use Microsoft’s ASR testing guide to validate your rules.
Final Checklist#
| Task | Done? |
|---|---|
| Created Break Glass account | ☐ |
| Assigned Business Premium licenses | ☐ |
| Enforced MFA for all users | ☐ |
| Blocked legacy authentication | ☐ |
| Moved data to SharePoint/OneDrive | ☐ |
| Set up DLP policies | ☐ |
| Enrolled devices in Intune | ☐ |
| Enabled Defender for Endpoint | ☐ |
| Configured firewall rules | ☐ |
| Set up mobile app protection | ☐ |
| (Optional) Blocked non-registered devices | ☐ |
| (Optional) Enabled ASR rules | ☐ |
You’re Done! Now What?#
- Monitor your security posture in the Microsoft 365 Defender portal.
- Review your Secure Score for improvement tips.
- Train your team on security best practices (phishing, passwords, etc.).
- Ask for help if you get stuck—Microsoft’s community and support are there for you.
