Microsoft 365 Business Premium: Security Features and Setup for SMBs

Microsoft Fix | Intermediate | 14 min read | Official Docs Grounded | Updated April 20, 2026

Why This Is Happening

You bought Microsoft 365 Business Premium, maybe because IT told you it was the right move, maybe because you kept hearing about ransomware and finally got scared enough to act. Either way, you're now staring at an admin center full of settings, tiles, and toggles, and the security you paid for is sitting there completely unconfigured. I've seen this exact scenario on dozens of SMB deployments. The subscription is active, the licenses are assigned, and the business is no more protected than it was on day one.

Here's the uncomfortable truth: Microsoft 365 Business Premium does not secure your organization automatically. It gives you the tools, some genuinely excellent ones, but you have to turn them on, point them at your users, and actually configure them. Out of the box, a freshly provisioned tenant is missing multi-factor authentication enforcement, device compliance policies, anti-phishing rules tuned for your domain, and the Defender for Business onboarding that makes endpoint protection actually work.

The frustration is real. Microsoft's own error messages in the admin center are vague ("Policy not applied," "Device not compliant," "License not assigned") and don't tell you what went wrong or in what order you should fix it. If you're a solo IT person or a business owner wearing the IT hat, that ambiguity is genuinely maddening, especially when a blocked login or a quarantined email brings work to a halt at 9 AM.

Microsoft 365 Business Premium is designed specifically for small and medium-sized businesses with up to 300 users. It bundles cloud productivity (Teams, Exchange, SharePoint) with enterprise-grade security tools that used to cost ten times more on dedicated plans. That's the good news. The catch is that each part of the security layer (Microsoft Defender for Business, Intune device management, Azure AD Conditional Access, Defender for Office 365) requires its own setup pass. None of them talk to each other automatically from day one.

The threats this platform is built to stop are not theoretical. Phishing campaigns targeting small businesses increased sharply over the past three years. Ransomware groups now specifically target SMBs because they know smaller organizations often skip endpoint protection. Data loss, whether from an employee accidentally sharing a sensitive file or from a credential-stuffing attack, can be existential for a 50-person company in a way it simply isn't for a Fortune 500 firm.

This guide walks you through every major security configuration in Microsoft 365 Business Premium, in the order that makes sense, with the exact paths and settings you need to hit. Whether you're setting up a fresh tenant or hardening an existing one that's been coasting on default settings, you'll find what you need here.

The Quick Fix, Try This First

If you're dealing with an active security incident, a user who got phished, or a device flagged as non-compliant, here's the fastest set of things to check right now, before you go through the full setup process.

First, confirm that security defaults are either enabled or that you've replaced them with Conditional Access policies. Go to the Microsoft Entra admin center (entra.microsoft.com) → Properties → Manage Security Defaults. If this is toggled On and you haven't done anything else, that's your baseline: it forces MFA registration for all users and blocks legacy authentication protocols. It is not a full configuration, but it's better than nothing.

Second, check your Microsoft Defender for Business onboarding status. Open the Microsoft 365 Defender portal (security.microsoft.com) → Settings → Endpoints → Onboarding. If that page shows zero onboarded devices, your endpoints are completely unprotected at the Defender layer regardless of what your licenses say.

Third, verify that your Defender for Office 365 preset security policies are active. In the Microsoft 365 Defender portal, go to Email & Collaboration → Policies & Rules → Threat Policies → Preset Security Policies. You should see Standard protection or Strict protection enabled for your users. If both toggles are off, your anti-phishing, anti-malware, and Safe Links protections are not running.

Fourth, check whether your licenses are actually assigned. In the Microsoft 365 admin center (admin.microsoft.com) → Users → Active Users, click any user and look at the Licenses and apps tab. A user with no Microsoft 365 Business Premium license assigned gets no Defender protection, no Intune management, nothing. It's a five-second check that catches a surprising number of problems.

If all four of those look healthy and you're still seeing issues, move into the step-by-step configuration below; the problem is almost certainly in a specific policy or an onboarding step that got skipped.

Pro Tip: Run the Microsoft Secure Score report first; it's at security.microsoft.com → Secure Score. It gives you a prioritized, scored list of every security action you haven't taken yet, ranked by impact. It takes the guesswork out of what to do next and gives you a percentage you can show leadership to justify the time investment.

Step 1: Enable and Enforce Multi-Factor Authentication for All Users

MFA is the single most effective control you can turn on today. According to Microsoft's own data, MFA blocks over 99.9% of automated account-compromise attacks. Yet I've walked into SMB environments running Microsoft 365 Business Premium where MFA was simply never turned on because nobody got around to it. Don't be that business.

The right approach for most SMBs is to move past security defaults and implement a Conditional Access policy specifically designed to require MFA. Here's how:

Navigate to Microsoft Entra admin center (entra.microsoft.com) → Protection → Conditional Access → New policy.

  • Name: Require MFA for All Users
  • Assignments → Users: Select "All users" (exclude your break-glass emergency admin account)
  • Target resources → Cloud apps: All cloud apps
  • Conditions: Leave defaults unless you need location-based exclusions
  • Grant → Access controls: Select "Require multi-factor authentication"
  • Enable policy: Set to "On"

Save the policy. Users will be prompted to register the Microsoft Authenticator app on their next sign-in. Before flipping this live, run it in Report-only mode for 24–48 hours to see who it would affect without blocking anyone. Change the toggle from Report-only to On once you're satisfied.
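The same policy can be created from Microsoft Graph PowerShell, which is handy when you manage several tenants or want the configuration in version control. This is an added example, not code from the original guide; it assumes the Microsoft.Graph module is installed and uses breakglass@yourdomain.com as a placeholder for your emergency access account.

```powershell
# Added example: creates the "Require MFA for All Users" Conditional Access policy
# in report-only mode, excluding one break-glass account, via Microsoft Graph PowerShell.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$breakGlassUpn = "breakglass@yourdomain.com"   # placeholder: your emergency admin account
$breakGlass = Get-MgUser -UserId $breakGlassUpn -Property Id -ErrorAction SilentlyContinue
if (-not $breakGlass) {
    # Never create an all-users MFA policy without an exclusion you can fall back on.
    throw "Break-glass account '$breakGlassUpn' not found; create it before enforcing MFA tenant-wide."
}

$policyName = "Require MFA for All Users"

# Refuse to create a duplicate if a policy with this name already exists.
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$policyName'"
if ($existing) {
    throw "A policy named '$policyName' already exists (state: $($existing.State))."
}

$body = @{
    displayName = $policyName
    # Report-only first: sign-in logs show who would be affected, nobody is blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @("All") }
        # "all" covers browser, modern auth clients and legacy protocols alike.
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
Write-Host "Created '$($policy.DisplayName)' (id $($policy.Id)) in state $($policy.State)"

# After the 24-48 hour report-only soak, enforce it:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id `
#       -BodyParameter @{ state = "enabled" }
```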

If a user calls you saying they're locked out because they can't complete MFA, go to Entra admin center → Users → select the user → Authentication methods → Require re-register MFA. That clears their registered methods so they can set up a new authenticator without you having to disable the policy for everyone.

When it's working correctly, users will see a prompt to approve a push notification or enter a code every time they sign in from an unrecognized device. That's exactly what you want.

Step 2: Onboard Devices to Microsoft Defender for Business

Microsoft Defender for Business is included in Microsoft 365 Business Premium, but it does nothing until your devices are onboarded. This is the most commonly skipped step I encounter. People assume installing the Microsoft 365 Apps on a machine means it's protected. It doesn't. Defender for Business needs a separate onboarding process to gain visibility into endpoints.

Go to the Microsoft 365 Defender portal (security.microsoft.com) → Settings → Endpoints → Onboarding.

For Windows 10 and 11 devices, the most practical method for small businesses is the Local Script option. Download the onboarding package, run the script on each machine as a local administrator, and within 5–10 minutes the device appears in your Defender portal under Assets → Devices.

For environments with Intune already configured (which you should set up, see step 3), you can push the Defender onboarding package automatically via a device configuration profile. In Intune admin center (intunepowershell.microsoft.com, or via endpoint.microsoft.com) → Endpoint Security → Endpoint Detection and Response → Create Policy. Select Windows 10 and Later as the platform and set the Defender for Endpoint client configuration package to "Auto from connector." This auto-onboards every Intune-managed Windows device without touching them individually.

For Mac devices, download the onboarding package from the same Defender portal page. Microsoft Defender for Business supports macOS; you'll deploy it via a .pkg file and a separate configuration profile. The full macOS onboarding guide is in the Defender portal under Onboarding → select macOS from the operating system dropdown.

Once a device is onboarded, you'll see it listed under Assets → Devices with a health status. A device showing "Active" with no active alerts is exactly where you want to be. A device showing "Inactive" means it hasn't checked in recently; that's worth investigating, as it could mean the sensor was removed or the device is offline.

Step 3: Configure Intune Device Compliance and Management Policies

One of the most underappreciated benefits of Microsoft 365 Business Premium is that it includes Microsoft Intune for device management. This lets you enforce security baselines on every Windows, Mac, iOS, and Android device that connects to your company data. Without this, you're relying on users to keep their own machines patched and configured, which, in my experience, never actually happens.

Start at the Microsoft Intune admin center (endpoint.microsoft.com) → Devices → Compliance policies → Create policy.

For Windows 10/11, a solid baseline compliance policy should include:

  • Require BitLocker: Yes
  • Require Secure Boot: Yes
  • Require code integrity: Yes
  • Minimum OS version: 10.0.19041 (Windows 10 2004 or later)
  • Password required: Yes
  • Minimum password length: 8
  • Password expiration: 90 days
  • Block simple passwords: Yes

Assign this policy to All Devices or a specific group. Devices that don't meet these requirements will show as "Not compliant." By itself, that just generates a report. The power comes when you combine this with a Conditional Access policy in Entra that requires device compliance as a condition for accessing company apps. That combination means a personal laptop without BitLocker enabled simply cannot access your Microsoft 365 data; the sign-in is blocked at the Entra level.
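The baseline above, created and assigned from Microsoft Graph PowerShell so it can be reproduced tenant to tenant. This is an added example, not code from the original guide; it assumes the Microsoft.Graph module is installed and that the signed-in account holds the Intune Administrator role.

```powershell
# Added example: creates the Windows 10/11 baseline compliance policy from step 3
# and assigns it to all devices, using the Graph v1.0 windows10CompliancePolicy resource.
Import-Module Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Windows baseline compliance"
    description            = "BitLocker, Secure Boot, code integrity, OS floor and password rules"
    bitLockerEnabled       = $true
    secureBootEnabled      = $true
    codeIntegrityEnabled   = $true
    osMinimumVersion       = "10.0.19041"   # Windows 10 2004 or later
    passwordRequired       = $true
    passwordMinimumLength  = 8
    passwordExpirationDays = 90
    passwordBlockSimple    = $true
    # Graph rejects a compliance policy with no scheduled action. "block" with a
    # 0-hour grace period marks a failing device non-compliant immediately, which is
    # what a compliance-based Conditional Access policy needs to act on.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
Write-Host "Created compliance policy $($created.Id)"

# Assign to all devices. To pilot on one group first, swap the target for
# @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<group-id>" }.
$assignment = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body ($assignment | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Confirm what Intune stored; the returned object should echo every setting above.
Get-MgDeviceManagementDeviceCompliancePolicy -DeviceCompliancePolicyId $created.Id |
    Select-Object DisplayName, Id, CreatedDateTime
```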

To auto-enroll Windows devices into Intune, go to Entra admin center → Mobility (MDM and MAM) → Microsoft Intune → set MDM user scope to "All." From that point on, any user who joins a Windows device with their work account will have that device automatically enrolled.

For mobile devices (iOS and Android), Intune App Protection Policies let you enforce controls on the Microsoft 365 mobile apps themselves without requiring full device enrollment. You can require a PIN to open Outlook, block copy-paste from work apps to personal apps, and remotely wipe only the work data if an employee leaves, without touching their personal photos. Configure these under Apps → App protection policies.

When it's working, the Devices overview screen shows your device compliance percentage. Aim for 100%. Every non-compliant device is an unlocked door.

Step 4: Activate Anti-Phishing and Safe Links Protection in Defender for Office 365

Email is still the number one attack vector for small businesses. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which covers anti-phishing, Safe Links, Safe Attachments, and anti-malware scanning for email. Again, included, but not automatically running. You need to configure it.

The fastest path to real protection is the Preset Security Policies. In the Microsoft 365 Defender portal → Email & Collaboration → Policies & Rules → Threat Policies → Preset Security Policies:

Enable Standard protection for all users. Click the toggle to On, then step through the wizard: apply it to all recipients (use "All recipients" or specify your domain as a condition). Standard protection activates anti-phishing, anti-spam, anti-malware, Safe Links, and Safe Attachments in one shot. If you want stricter settings, blocking more aggressively at the cost of more false positives, switch to Strict protection.

What's actually happening under the hood? Safe Links rewrites every URL in incoming email in real time. When a user clicks a link, Microsoft checks it against its threat intelligence database and either lets the request through or blocks it with a warning page. Safe Attachments detonates attachments in a sandbox environment before delivering them to the inbox. Anti-phishing policies detect impersonation attempts, someone pretending to be your CEO or a trusted vendor.

For more targeted tuning, open Threat Policies → Anti-phishing → click your active policy → Edit actions. You can configure what happens to messages detected as impersonation attempts: Quarantine the message is safer than Move to Junk for high-risk scenarios. Review the quarantine folder under Email & Collaboration → Review → Quarantine weekly; legitimate emails do occasionally end up there and users won't always know to tell you.

A useful PowerShell check to confirm your policies are applied correctly:

# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement)
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com
# Note the property names differ per policy type: Enabled, IsEnabled and Enable
Get-AntiPhishPolicy | Select-Object Name, IsDefault, Enabled
Get-SafeLinksPolicy | Select-Object Name, IsEnabled
Get-SafeAttachmentPolicy | Select-Object Name, Enable

Every policy you expect to be active should show Enabled : True or IsEnabled : True. If any show False, they're not protecting anyone.
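Turning the Standard preset on from Exchange Online PowerShell, scoped to your domain, and verifying both halves of it afterwards. This is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module is installed, and admin@yourdomain.com and yourdomain.com are placeholders.

```powershell
# Added example: enable the Standard preset security policy for one domain and verify
# its state. A preset is two rules: the EOP rule (anti-spam, anti-malware, anti-phishing)
# and the ATP rule (Safe Links, Safe Attachments). Both must be Enabled.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@yourdomain.com

$domain   = "yourdomain.com"                  # placeholder: your accepted domain
$ruleName = "Standard Preset Security Policy"  # use "Strict Preset Security Policy" for Strict

foreach ($kind in "EOP", "ATP") {
    $get    = "Get-${kind}ProtectionPolicyRule"
    $set    = "Set-${kind}ProtectionPolicyRule"
    $enable = "Enable-${kind}ProtectionPolicyRule"

    $rule = & $get -Identity $ruleName -ErrorAction SilentlyContinue
    if (-not $rule) {
        # The rules only exist once the preset has been turned on in the portal at least
        # once; do that there rather than guessing the backing policy names here.
        Write-Warning "$ruleName ($kind) does not exist yet; enable it once in the Defender portal."
        continue
    }

    # Scope the rule to every recipient in the domain, then make sure it is on.
    & $set -Identity $ruleName -RecipientDomainIs $domain
    if ($rule.State -ne "Enabled") {
        & $enable -Identity $ruleName
        Write-Host "Enabled $ruleName ($kind)"
    }
}

# Verification: both rows should show State = Enabled with the domain in scope.
Get-EOPProtectionPolicyRule -Identity $ruleName | Select-Object Name, State, RecipientDomainIs
Get-ATPProtectionPolicyRule -Identity $ruleName | Select-Object Name, State, RecipientDomainIs
```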

Step 5: Configure Data Loss Prevention and Information Protection Policies

Data loss is the third major threat category Microsoft 365 Business Premium addresses, and in my experience, it's the one businesses think about the least until something goes wrong. A DLP policy watches for sensitive information (credit card numbers, Social Security numbers, health records, financial data) being sent in email, shared in Teams, or uploaded to SharePoint, and either alerts you or blocks the action automatically.

Navigate to the Microsoft Purview compliance portal (compliance.microsoft.com) → Data loss prevention → Policies → Create policy.

Microsoft provides pre-built policy templates for common compliance scenarios. Choose Financial → U.S. Financial Data (or whichever template matches your industry) as a starting point. Step through the wizard:

  • Name your policy: be descriptive, e.g., "Block external sharing of financial data"
  • Choose locations: apply to Exchange email, SharePoint sites, OneDrive accounts, and Teams messages
  • Policy settings: start with "Alert me when content matches" before switching to blocking, so you can calibrate without disrupting users
  • Incident reports: configure alerts to go to your security or IT admin mailbox

After you've run the policy in audit mode for a week or two and reviewed the alerts to confirm they're accurate, change the policy action from alert-only to Block the activity for external sharing while allowing internal sharing with a business justification override.

Sensitivity labels, configured under Information protection → Labels, let users manually tag documents as Confidential or Highly Confidential. These labels travel with the document, apply encryption and access restrictions, and appear in DLP alerts so you always know what class of data was involved. Start with three labels: General, Confidential, and Highly Confidential. Keep it simple; a labeling scheme nobody understands gets ignored.

To check what's being caught, go to Data loss prevention → Reports → DLP policy matches. If you're seeing zero matches on a policy you know should be firing, double-check that you saved the policy in enforcement mode rather than simulation mode, and that the locations are correctly targeted to your actual SharePoint sites and user accounts.
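The step 5 policy built in Security & Compliance PowerShell: audit mode first, external-only blocking with a justification override, and the mode check that explains "zero matches". This is an added example, not code from the original guide; it assumes the ExchangeOnlineManagement module is installed, admin@yourdomain.com is a placeholder, and the three sensitive information types listed are the ones you want from the U.S. Financial Data template.

```powershell
# Added example: create the "Block external sharing of financial data" DLP policy in
# test mode, add the rule, and show how to switch it to enforcement later.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@yourdomain.com   # Purview, not Exchange Online

$policyName = "Block external sharing of financial data"

# Locations from the guide. TestWithNotifications = alerts and policy tips, nothing blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "U.S. financial data leaving the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types; minCount is how many matches trigger the rule.
$financialTypes = @(
    @{ Name = "Credit Card Number";       minCount = "1" },
    @{ Name = "U.S. Bank Account Number"; minCount = "1" },
    @{ Name = "ABA Routing Number";       minCount = "1" }
)

$ruleParams = @{
    Name                                = "$policyName - external"
    Policy                              = $policyName
    ContentContainsSensitiveInformation = $financialTypes
    AccessScope                         = "NotInOrganization"   # only content shared outside the tenant
    BlockAccess                         = $true                 # takes effect once Mode is Enable
    NotifyUser                          = "Owner", "LastModifier"
    NotifyAllowOverride                 = "WithJustification"   # the business-justification override
    GenerateIncidentReport              = "SiteAdmin"           # or your security mailbox address
    IncidentReportContent               = "All"
    ReportSeverityLevel                 = "High"
}
New-DlpComplianceRule @ruleParams

# After a week or two of reviewing DLP policy matches, move from audit to enforcement:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# Mode is the first thing to check when a policy reports zero matches or never blocks:
# anything other than "Enable" means the rule is still in simulation.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, Disabled, AccessScope, BlockAccess
```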

Advanced Troubleshooting

Once the basics are in place, you'll eventually hit scenarios that require digging deeper. Here are the most common advanced issues I see in Microsoft 365 Business Premium deployments.

Conditional Access policy conflicts. If users are getting unexpected blocks or MFA prompts in situations you didn't configure, run the What If tool in Entra. Go to Entra admin center → Conditional Access → Policies → What If. Enter a user, an app, and the conditions you want to test. The tool shows you which policies would fire and what the result would be. This is far faster than guessing why someone can't sign in to SharePoint from a specific location.

Defender for Business not showing device data. If a device shows as onboarded but you're not seeing any alert data or events, check the Defender sensor health. On the affected Windows machine, open an elevated PowerShell and run:

sc query sense

The SENSE service should show as RUNNING. If it's stopped, start it with sc start sense. If it fails to start, pull the event logs: open Event Viewer → Applications and Services Logs → Microsoft → Windows → SENSE → Operational. Event ID 5 means the sensor started successfully. Event IDs 15, 25, or 27 indicate connectivity problems: the sensor can't reach Microsoft's cloud endpoints. Check that the device can reach the Defender for Endpoint service URLs on ports 443 and 80 (documented in the Defender for Endpoint network configuration requirements on learn.microsoft.com).

Intune compliance policy not applying. The most common cause is that the device isn't actually enrolled in Intune even though the user thinks it is. On the Windows machine, run:

dsregcmd /status

Look at the output for AzureAdJoined : YES and MDMEnrolled : YES. If MDMEnrolled shows NO, the device has an Entra identity but was never handed off to Intune. Force enrollment via Settings → Accounts → Access work or school → click the work account → Info → Sync. If that doesn't trigger enrollment, remove the work account, re-add it, and the auto-enrollment should fire correctly this time.
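Both checks above (sensor health and enrollment state) collected by one script you can run in an elevated PowerShell on the affected Windows device, so the answer comes back as a single object instead of four separate commands. This is an added example, not code from the original guide; the registry path and the event IDs are the documented ones, and the 7-day lookback is an assumption.

```powershell
# Added example: local health check for Defender for Business sensor state and Intune
# enrollment, mapping each failure mode to the action the guide prescribes.
function Get-EndpointSecurityHealth {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)   # assumption: how far back to read the SENSE log

    $result = [ordered]@{}

    # 1. The SENSE service is the Defender for Endpoint/Business sensor. Must be Running.
    $sense = Get-Service -Name sense -ErrorAction SilentlyContinue
    $result.SenseService = if ($sense) { $sense.Status.ToString() } else { "NotInstalled" }

    # 2. Onboarding state written by the onboarding package (1 = onboarded).
    $statusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"
    $onboard = Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue
    $result.Onboarded = ($onboard.OnboardingState -eq 1)

    # 3. SENSE operational log: ID 5 = sensor started; 15, 25, 27 = cloud connectivity problems.
    $filter = @{
        LogName   = "Microsoft-Windows-SENSE/Operational"
        Id        = 5, 15, 25, 27
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $connErrors = @($events | Where-Object { $_.Id -in 15, 25, 27 })
    $result.SenseStartedEvents      = @($events | Where-Object Id -eq 5).Count
    $result.SenseConnectivityErrors = $connErrors.Count
    $result.LastConnectivityError   = ($connErrors | Sort-Object TimeCreated -Descending |
                                       Select-Object -First 1).Message

    # 4. Identity and MDM state from dsregcmd /status (the lines the guide says to read).
    $dsreg = dsregcmd /status
    foreach ($field in "AzureAdJoined", "MDMEnrolled") {
        $line = $dsreg | Select-String -Pattern "^\s*$field\s*:\s*(\S+)" | Select-Object -First 1
        $result[$field] = if ($line) { $line.Matches[0].Groups[1].Value } else { "unknown" }
    }

    # 5. First failing check wins; the action text mirrors the troubleshooting steps above.
    $result.Action = switch ($true) {
        ($result.SenseService -eq "NotInstalled") { "Run the Defender onboarding package"; break }
        ($result.SenseService -ne "Running")      { "sc start sense, then re-check the SENSE log"; break }
        ($result.SenseConnectivityErrors -gt 0)   { "Check outbound 443/80 to the Defender service URLs"; break }
        ($result.MDMEnrolled -ne "YES")           { "Trigger Intune enrollment (Access work or school > Info > Sync)"; break }
        default                                   { "Healthy" }
    }
    [pscustomobject]$result
}

Get-EndpointSecurityHealth | Format-List
```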

Zero Trust configuration check. Microsoft 365 Business Premium's security guidance is grounded in the Zero Trust model: verify explicitly, use least privilege, assume breach. A quick sanity check: in the Defender portal, open Secure Score and filter the improvement actions by category. Anything in the Identity or Devices buckets with a score impact above 5 points that you haven't implemented yet is worth prioritizing. The downloadable Cybersecurity Playbook (available from Microsoft's SMB security documentation) maps these directly to the Zero Trust framework if you need a board-level summary.

Microsoft Defender Suite for Business Premium add-on. As of September 2025, Microsoft replaced the former Microsoft 365 E5 Security add-on with the Microsoft Defender Suite for Business Premium. If you purchased the E5 Security add-on before that date, check your billing in the admin center; you may need to transition to the new SKU to retain access to the upgraded identity, endpoint, and email protection features. This add-on layers on top of your Business Premium subscription and adds capabilities like Defender for Identity, Microsoft Sentinel integration, and advanced hunting.

When to Call Microsoft Support

If you've worked through all of the above and you're still seeing unexplained compliance failures, Defender sensor health issues that persist after a reinstall, or Conditional Access policies that behave inconsistently across users on identical configurations, it's time to open a support ticket. Microsoft 365 Business Premium includes 24x7 phone and web support as part of the subscription. Go to the Microsoft 365 admin center → Support → New service request. Have your tenant ID ready (found under Settings → Org settings → Organization profile) and document the specific error messages, affected user UPNs, and Event Viewer logs; it cuts the time to resolution dramatically. For billing or licensing edge cases, Microsoft Support can also handle those through the same channel.

Prevention & Best Practices

Getting your Microsoft 365 Business Premium security configuration right is not a one-time project. It's an ongoing practice. The threat landscape shifts, Microsoft releases new capabilities, and your organization's user base and device fleet changes. Here's how to stay ahead of it.

Review Secure Score monthly. Block 30 minutes in your calendar every month to open the Defender portal Secure Score dashboard. Microsoft continuously adds new recommended actions as the platform evolves. Each improvement action has a point value and a clear description of what it does and why it matters. Treat this like a maintenance checklist, not a one-time audit.

Keep an eye on the What's New feed. Microsoft 365 security features change fast. In September 2025, the Defender Suite add-on replaced the E5 Security SKU. In March 2025, the Defender Suite became available as an add-on to Business Premium for the first time. If you're not watching the admin message center, you'll miss these transitions and potentially lose functionality on a plan change. In the Microsoft 365 admin center → Health → Message center, filter for "Security" to see only security-relevant updates.

Test your incident response process. Once a quarter, simulate a phishing scenario. Microsoft Attack Simulator (part of Defender for Office 365) lets you send realistic but harmless phishing emails to your own users and measures click rates. If more than 10% of users click, that's a training signal. Use the results to target security awareness training at specific departments or individuals; the admin center links directly to Microsoft's built-in training modules.

Audit your admin accounts regularly. Overprivileged admin accounts are a leading cause of breach amplification. Every month, review who holds Global Administrator and Security Administrator roles in Entra. Global Admin access should be restricted to the minimum number of people who genuinely need it, ideally two accounts for redundancy, both protected with MFA and ideally hardware FIDO2 keys. Run Get-MgDirectoryRoleMember -DirectoryRoleId [global-admin-role-id] via the Microsoft Graph PowerShell module to get a clean list.

Quick Wins
  • Enable Self-Service Password Reset (SSPR) in Entra; it reduces helpdesk calls and removes the risk of password-reset social engineering against your IT team
  • Turn on Risky sign-in alerts in Entra Identity Protection; even at the Business Premium tier, you get basic risk signals that fire on anomalous login patterns
  • Configure Guest access policies in Teams and SharePoint; by default, external users can be invited too broadly, so lock this down to only allow guest invitations from specific domains
  • Enable the Unified Audit Log in the compliance portal (this is on by default for newer tenants but disabled in older ones); without it you have no forensic trail if something goes wrong

Frequently Asked Questions

Why should I choose Microsoft 365 Business Premium over Business Standard?

Business Standard gives you the productivity apps (Teams, Exchange, SharePoint, Office) but it stops there. Business Premium adds the full security stack: Microsoft Defender for Business (endpoint protection), Defender for Office 365 Plan 1 (advanced email security), Microsoft Intune (device management), and Azure AD Premium P1 features (Conditional Access). If you're processing any sensitive customer data, handling financial records, or operating in a regulated industry, that security layer isn't optional. The price difference is meaningful but small compared to the cost of a single ransomware recovery.

How many users can I have on Microsoft 365 Business Premium?

Microsoft 365 Business Premium is licensed for organizations with up to 300 users. If your headcount goes above 300, you'll need to transition to Microsoft 365 E3 or E5, which are the enterprise-tier plans. Microsoft won't automatically cut you off the moment you hit 301, but you'll be out of compliance with the subscription terms and the admin center will flag it. For organizations approaching that threshold, it's worth planning the migration in advance; the feature sets are different and some configurations don't carry over automatically.

Does Microsoft 365 Business Premium protect Mac and mobile devices, not just Windows?

Yes, and this is one of the stronger selling points for mixed-device environments. Microsoft Defender for Business supports macOS, iOS, and Android in addition to Windows. Intune can manage and enforce compliance policies across all four platforms. The onboarding process is different for each OS (Mac uses a .pkg installer and configuration profile; iOS and Android use the Microsoft Defender app from the respective app stores), but the management experience lands in the same Defender portal dashboard. You get unified visibility across your entire fleet regardless of what operating systems your team runs.

What is the Microsoft Defender Suite for Business Premium add-on and do I need it?

As of September 2025, Microsoft introduced the Defender Suite for Business Premium as an add-on to Microsoft 365 Business Premium. It replaces the former Microsoft 365 E5 Security add-on and up-levels your security capabilities beyond what comes standard in Business Premium, adding enhanced identity protection, advanced threat hunting, Defender for Identity (protection against on-premises Active Directory attacks), and deeper SIEM integration. For most SMBs, the base Business Premium security stack is sufficient when configured properly. The add-on makes sense if you have a dedicated security analyst, face industry-specific compliance requirements, or have experienced targeted attacks that basic protection didn't catch.

My Conditional Access policy is blocking a user who should have access, how do I fix it without disabling the policy for everyone?

Use the What If tool in Entra (Conditional Access → What If) to diagnose which policy is firing and why. Once you identify the specific policy, edit it and add the affected user to the Exclusions list as a temporary measure while you figure out the root cause; this keeps the policy active for everyone else. Common reasons for unexpected blocks include: the user's device isn't Intune-enrolled when device compliance is required, the user is signing in from a flagged location, or a legacy authentication app (like an older Outlook client or IMAP-based tool) is trying to connect without supporting modern authentication. Long-term fix: update the client app, enroll the device, or add a named location exclusion if this is a known trusted network.

Is the Microsoft 365 Business Premium security setup based on Zero Trust and what does that mean practically?

Yes, Microsoft's security guidance for Business Premium is explicitly grounded in the Zero Trust model, and Microsoft publishes a downloadable Cybersecurity Playbook that maps the setup steps to Zero Trust principles. In practical terms, Zero Trust means you stop assuming that anything inside your network perimeter is trustworthy. Every access request, from any user, any device, any location, gets verified against identity, device health, and risk signals before it's approved. That's exactly what Conditional Access policies do: they check that the user authenticated with MFA, that the device is compliant with your Intune policies, and that the sign-in doesn't look anomalous before granting access to SharePoint or Teams. It sounds complex but the Microsoft 365 admin center wizards make the initial configuration straightforward, and this guide walks you through the main policies step by step.

Sai Kiran Pandrala
Our team includes certified Microsoft engineers, Azure architects, and system administrators with 10+ years of enterprise IT experience. Every guide is written from hands-on troubleshooting, not guesswork. We test every fix before publishing.