Microsoft 365 Security Checklist for Small Businesses (MFA, Security Defaults, and Passkeys)

If your business uses Microsoft 365 for email, files, Teams, or admin tasks, your Microsoft sign-in is the front door to basically everything. And attackers love front doors.

Here’s a practical, small-business-friendly checklist to harden Microsoft 365 without turning your week into a “why is nothing working” festival.

Why Microsoft 365 accounts get hijacked so often

Most Microsoft 365 compromises are not “elite hacking.” They’re usually one of these:

  • Password reuse (a leaked password from some other site still works)
  • Phishing (someone tricks a user into entering credentials)
  • MFA spam or “push fatigue” (users approve a login prompt to make it stop)
  • Admin accounts that are not locked down the same way as everyone else

The fix is boring, which is good. Boring security is usually the kind that works.

Step 1: Turn on Security Defaults (the fastest big win)

If you do not have fancy Conditional Access policies set up, Microsoft Entra “Security Defaults” is the fastest way to raise your baseline security.

What it does, in plain English: it pushes you toward modern sign-ins and requires stronger verification for risky or privileged access.

High-level steps:

  1. Sign in to the Microsoft Entra admin center
  2. Go to Entra ID > Overview > Properties
  3. Select Manage security defaults
  4. Set it to Enabled and save

If you already use Conditional Access policies, do not blindly flip this on. Security Defaults and Conditional Access are not meant to be enabled at the same time.
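Here is the same change done from a shell instead of the portal, with the Conditional Access gotcha built in as a check. This is an added example, not something from the original post or from Microsoft's documentation; it assumes the Microsoft Graph PowerShell SDK is installed (`Install-Module Microsoft.Graph`) and that the signed-in account holds a role allowed to read and write these policies (for example Global Administrator).

```powershell
# Added example (not from the original post): read the Security Defaults state,
# look for enabled Conditional Access policies, and only turn Security Defaults
# on when there are none. Assumes the Microsoft Graph PowerShell SDK is installed.

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Current Security Defaults state for the tenant
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# Any Conditional Access policy that is enabled or in report-only mode means
# you are on the Conditional Access path and should not flip Security Defaults on.
$activeCa = @(Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -ne 'disabled' })
$activeCa | Select-Object DisplayName, State | Format-Table -AutoSize

if ($sd.IsEnabled) {
    "Security Defaults already on. Nothing to do."
}
elseif ($activeCa.Count -gt 0) {
    "Found $($activeCa.Count) active Conditional Access policies. Leaving Security Defaults off; harden the Conditional Access baseline instead (see Step 5)."
}
else {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    "Security Defaults enabled."
}
```

Run it once read-only first (comment out the `Update-...` line) to see where the tenant stands before changing anything.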

Step 2: Make sure every admin account uses MFA (no exceptions)

Admin accounts are your “keys to the kingdom.” Treat them that way.

At minimum:

  • Every admin signs in with MFA every time
  • No shared admin logins (each admin gets their own account)
  • Separate admin accounts from daily-use accounts if you want to be extra clean

Also worth knowing: Microsoft began enforcing MFA for accounts accessing the Microsoft 365 admin center starting in 2025. Even if enforcement hits you eventually, you want this set up now, on your terms, not during a surprise Monday morning fire drill.
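A quick way to find out whether "every admin uses MFA" is actually true, rather than assumed, is to cross the members of every activated admin role with the tenant's authentication method registration report. The script below is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK and an account with at least Global Reader rights. Note that `Get-MgDirectoryRole` only returns roles that have been activated in the tenant, and that group or service principal members are skipped here and need a separate look.

```powershell
# Added example (not from the original post): list every member of every
# activated admin role and flag the ones the registration report shows as
# not MFA-registered. Assumes the Microsoft Graph PowerShell SDK.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Pull the tenant-wide registration report once and index it by UPN,
# so we do not query Graph once per admin.
$reg = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $reg[$_.UserPrincipalName.ToLower()] = $_ }

$rows = foreach ($role in Get-MgDirectoryRole) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $upn = $m.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }   # group or service principal member: review separately
        $r = $reg[$upn.ToLower()]
        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $upn
            MfaRegistered = if ($r) { $r.IsMfaRegistered } else { 'unknown' }
            Methods       = if ($r) { ($r.MethodsRegistered -join ', ') } else { '' }
        }
    }
}

# Full picture, one line per role membership
$rows | Sort-Object Role, User | Format-Table -AutoSize

# The ones to fix today: admins with no MFA registration on record
$rows | Where-Object { $_.MfaRegistered -ne $true } | Select-Object Role, User
```

The same output doubles as the "review who actually has admin roles" item from the checklist at the end: any UPN that shows up in several roles, or that nobody recognises, is a candidate for removal.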

Step 3: Use Microsoft Authenticator with number matching

If you use push notifications for MFA, number matching is one of the best upgrades you can make because it blocks the “tap approve without thinking” problem.

The user sees a number on the sign-in screen and must enter that same number in the Authenticator prompt. That is much harder to approve by accident, and much harder for an attacker to socially engineer with MFA spam.

Step 4: Move toward passkeys (phishing-resistant sign-ins)

Passwords are convenient, and also historically a disaster. Passkeys are the modern replacement: instead of typing a password, you approve sign-in using a device-based method like Face ID, fingerprint, or a PIN tied to your device.

Why small businesses should care:

  • Passkeys are far more resistant to phishing than passwords
  • They cut down on “I forgot my password” loops
  • They reduce the odds of a breach turning into total account takeover

You do not have to go “all passkeys, all at once.” Start with your most important accounts first (owners, admins, finance).
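Before asking owners and admins to enrol passkeys, it is worth confirming the tenant actually allows them and then tracking who has finished. The script below is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK and uses constructed placeholder UPNs that you replace with your own priority accounts.

```powershell
# Added example (not from the original post): check that the FIDO2/passkey
# authentication method is enabled tenant-wide, then list which priority
# accounts already have a passkey registered. The UPNs are placeholders.

Connect-MgGraph -Scopes "Policy.Read.All", "UserAuthenticationMethod.Read.All"

# Tenant-wide policy for the FIDO2 (passkey) method: "enabled" or "disabled"
$fido = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
            -AuthenticationMethodConfigurationId 'Fido2'
"Passkey (FIDO2) method policy state: $($fido.State)"

# Constructed placeholder list: replace with your owners, admins and finance staff.
$priority = @('owner@contoso.example', 'admin@contoso.example', 'finance@contoso.example')

foreach ($upn in $priority) {
    # Registered FIDO2 methods for this user; empty array if none (or if lookup fails)
    $keys = @(Get-MgUserAuthenticationFido2Method -UserId $upn -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        User     = $upn
        Passkeys = $keys.Count
        Names    = ($keys.DisplayName -join ', ')
    }
}
```

Re-run it weekly during the rollout; when every priority account shows at least one passkey, you can move on to the next group of users.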

Step 5: If you have Conditional Access, recreate the baseline properly

If your environment uses Conditional Access policies (common with Microsoft 365 business tiers that include Entra ID features), the goal is the same: require strong authentication and block risky access paths.

Important gotcha: Security Defaults and Conditional Access are not designed to run together. If you move from Security Defaults to Conditional Access, rebuild the baseline protections first before adding fancy rules.

Quick checklist you can knock out today

  • Enable Security Defaults (or verify your Conditional Access baseline is solid)
  • Confirm every admin account is protected with MFA
  • Use Authenticator with number matching for push approvals
  • Start passkeys with your admin and owner accounts
  • Review who actually has admin roles and remove extras

Want PCRepair.us to do this for you?

If you’d rather not spelunk through admin portals and settings, PCRepair.us can help you harden your Microsoft 365 setup remotely and make sure it’s stable for real-world use (not just “secure on paper”).

We’ll verify your tenant security baseline, lock down admin access, and help roll out MFA and passkeys in a way your users will actually follow.