Microsoft 365 Security

What Is Microsoft 365 Security?

Microsoft 365 is not secure out of the box. The platform provides powerful security tools, but they require deliberate configuration. This guide explains what Microsoft 365 security means, which licence tier provides meaningful protection, and what configuration is required to protect a UK business using M365.

Overview

Microsoft 365 security means configuring the security tools Microsoft provides — not assuming the platform is secure by default. Business Premium is the right licence tier for UK SMEs, providing Conditional Access, Defender for Business, and Intune. MFA via Conditional Access and blocking legacy authentication are the highest-impact controls. Microsoft Secure Score tracks configuration progress.


What Does Microsoft 365 Security Actually Mean?

Understanding Microsoft 365 security requires distinguishing between two related but different things: the security capabilities that Microsoft builds into the M365 platform, and the security configuration that organisations must apply to make those capabilities effective. Confusing these two concepts is one of the most common and most costly mistakes UK businesses make when adopting Microsoft 365.

Microsoft invests billions of dollars annually in securing its cloud infrastructure. The datacentres, networks, and application platforms on which Microsoft 365 runs are exceptionally well-protected against infrastructure-level threats. However, this infrastructure-level security does not protect individual businesses against the threats that cause the most damage: phishing attacks that steal user credentials, ransomware delivered through email attachments, business email compromise that diverts payments, or data breaches caused by misconfigured sharing settings. With 43% of UK businesses experiencing a cybersecurity breach in 2025 (Department for Science, Innovation and Technology), and 85% of businesses that experienced a breach identifying phishing as the attack vector (DSIT Cyber Security Breaches Survey 2025), the threats that Microsoft's infrastructure security does not address are precisely the ones most likely to affect your organisation.

These threats require deliberate configuration of the security tools Microsoft provides — and under Microsoft's shared responsibility model, that configuration is the responsibility of the business, not Microsoft. Microsoft secures the platform; you must secure your data and your users on that platform.

Microsoft 365 Licence Tiers and What Security They Include

The security capabilities available in Microsoft 365 differ substantially between licence tiers. Microsoft 365 is used by over 1 million UK businesses (Microsoft), but many are on licence tiers that lack the security tools needed to protect against current threats. Understanding which tier you are on determines what security controls are available to you:

  • Microsoft 365 Business Basic (from approximately £5 per user per month): Includes Exchange Online, Teams, SharePoint, and OneDrive. Security features are limited to Exchange Online Protection (basic email filtering), Security Defaults for MFA enforcement, and Microsoft Defender Antivirus. Critically, it does not include Conditional Access, Defender for Business (EDR), or Microsoft Intune for device management.
  • Microsoft 365 Business Standard (from approximately £10.30 per user per month): Adds desktop Office applications to Business Basic. The security feature set is identical to Basic — the additional cost provides productivity applications, not additional security capabilities. This is a common source of confusion for businesses that assume Standard includes better security than Basic.
  • Microsoft 365 Business Premium (from approximately £19.70 per user per month): Adds the comprehensive security stack that SMEs need: Conditional Access through Entra ID P1, Microsoft Defender for Business providing endpoint detection and response, Microsoft Intune for device management, Azure Information Protection for data classification, and Defender for Office 365 Plan 1 including Safe Links, Safe Attachments, and enhanced anti-phishing. This is the recommended tier for any UK business that requires meaningful security.

What Microsoft Defender for Business Provides

Microsoft Defender for Business, included in Business Premium, is an endpoint detection and response (EDR) solution that provides substantially more protection than the basic Microsoft Defender Antivirus included in all Windows devices. Where basic antivirus relies primarily on signature matching to detect known threats, Defender for Business adds behavioural detection that identifies suspicious activity patterns, automated investigation and remediation that responds to threats without requiring manual intervention, attack surface reduction rules that block common attack techniques, and threat hunting capabilities that proactively search for indicators of compromise.

Defender for Business monitors endpoint activity across all enrolled devices, can automatically contain threats by isolating a compromised device from the network, and provides a centralised security dashboard showing the endpoint security status of the entire organisation. For UK businesses without a dedicated security operations centre, Defender for Business delivers enterprise-grade endpoint protection that would otherwise require a significantly more expensive standalone EDR solution and dedicated security staff to manage it.

Why Out-of-the-Box Microsoft 365 Is Not Secure Enough

Even on Business Premium, a freshly provisioned Microsoft 365 tenant is not adequately secured for business use. The security tools are available but none are configured. Conditional Access policies do not exist until you create them. Defender for Business is licensed but not deployed to devices. Safe Links and Safe Attachments are available but not enabled. Legacy authentication protocols that bypass MFA remain active. Admin accounts have permanent elevated privileges with no time-limited access controls.

A Business Basic or Standard tenant in its default configuration is particularly exposed — it has no MFA unless Security Defaults are manually enabled, no endpoint protection beyond basic signature-based antivirus, no device management, and no advanced email security. The common attacks against UK businesses — phishing, credential theft, business email compromise, and ransomware delivery — routinely succeed against unconfigured M365 tenants that would have been protected by properly configured Business Premium.

This gap between available capability and actual configuration is where the majority of Microsoft 365 security risk sits. The M365 hardening guide provides a step-by-step approach to closing this gap.

The Key Security Controls Every M365 Tenant Needs

Effective Microsoft 365 security requires implementing the following controls as a minimum baseline, regardless of organisation size:

  • Multi-factor authentication for all users: Enforced via Conditional Access on Business Premium or Security Defaults on lower tiers. MFA blocks over 99% of credential-based account compromise attacks (Microsoft). This is the single highest-impact security control available.
  • Legacy authentication blocked: Legacy protocols such as IMAP, POP3, and basic SMTP authentication do not support MFA and can be used to bypass it entirely. Blocking legacy authentication via Conditional Access eliminates the most commonly exploited MFA bypass.
  • Defender for Business deployed and configured: Endpoint detection and response on all Windows and Mac devices, with attack surface reduction rules enabled and centrally managed through the Microsoft 365 Defender portal.
  • Email security hardened: Anti-phishing policies configured with impersonation protection for key executives and domains, Safe Links and Safe Attachments enabled for inbound email and Teams messages.
  • DMARC, DKIM, and SPF configured: Email authentication records that prevent attackers from spoofing your domain to send phishing emails to your clients, suppliers, and partners.
  • Admin accounts protected with PIM: Privileged Identity Management replacing permanent admin assignments with just-in-time elevation, approval workflows, and full audit logging.
  • Audit logging enabled: Essential for forensic investigation of security incidents — only 14% of UK businesses have a formal incident response plan (DSIT 2025), making comprehensive logging even more critical for effective incident response.
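The first two controls in this list can be verified from an export of the tenant's Conditional Access policies. The Python script below is an added example, not AMVIA's or Microsoft's code: it assumes the policies are available as JSON objects in the shape Microsoft Graph returns for Conditional Access policies, and the sample policies, placeholder account ID, and function names are constructed for illustration.

```python
LEGACY = {"exchangeActiveSync", "other"}            # Graph clientAppTypes for legacy auth
MODERN = {"browser", "mobileAppsAndDesktopClients"}

def scope_all(p):
    c = p.get("conditions", {})
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))

def requires(p, control):
    g = p.get("grantControls") or {}
    controls = g.get("builtInControls", [])
    # Under operator OR, a second control could satisfy the policy instead.
    return control in controls and (len(controls) == 1 or g.get("operator") == "AND")

def enforces_mfa(p):
    apps = set(p.get("conditions", {}).get("clientAppTypes", []))
    return scope_all(p) and ("all" in apps or MODERN <= apps) and requires(p, "mfa")

def blocks_legacy(p):
    apps = set(p.get("conditions", {}).get("clientAppTypes", []))
    return scope_all(p) and LEGACY <= apps and requires(p, "block")

def audit(policies):
    report = {"mfa_all_users": [], "legacy_auth_blocked": [], "report_only": [], "exclusions": {}}
    for p in policies:
        for key, check in (("mfa_all_users", enforces_mfa), ("legacy_auth_blocked", blocks_legacy)):
            state = p.get("state") if check(p) else None
            if state == "enabled":
                report[key].append(p["displayName"])
                excluded = [x for k in ("excludeUsers", "excludeGroups") for x in p["conditions"]["users"].get(k, [])]
                if excluded:  # accounts the control does not cover; review each one
                    report["exclusions"][p["displayName"]] = excluded
            elif state == "enabledForReportingButNotEnforced":
                report["report_only"].append(p["displayName"])  # logged, not enforced
    return report

# Constructed sample policies in the shape of a Graph Conditional Access export.
def sample_policy(name, state, apps, controls, excluded=()):
    return {"displayName": name, "state": state,
            "conditions": {"clientAppTypes": apps,
                           "applications": {"includeApplications": ["All"]},
                           "users": {"includeUsers": ["All"], "excludeUsers": list(excluded)}},
            "grantControls": {"operator": "OR", "builtInControls": controls}}

SAMPLE = [
    sample_policy("Require MFA - all users", "enabled", ["all"], ["mfa"], ["break-glass-placeholder-id"]),
    sample_policy("Block legacy auth", "enabledForReportingButNotEnforced", ["exchangeActiveSync", "other"], ["block"]),
    sample_policy("MFA or compliant device", "enabled", ["all"], ["mfa", "compliantDevice"]),
]
print(audit(SAMPLE))
```

An empty `legacy_auth_blocked` list alongside an entry in `report_only` means the blocking policy exists but is not enforced. Policies that require MFA through an authentication strength rather than the built-in `mfa` control are not recognised by this check.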

How Microsoft Secure Score Measures Your Configuration

Microsoft Secure Score is a free measurement tool available in every Microsoft 365 tenant at security.microsoft.com. It checks your current configuration against Microsoft's recommended security actions and provides a numerical score expressed as a percentage. The industry average is approximately 50%, meaning the typical organisation has implemented only half of the recommended security controls. A score above 70% indicates a well-hardened environment.

Secure Score provides an ordered list of improvement actions with impact ratings, making it straightforward to identify and prioritise the most impactful security changes. AMVIA uses Secure Score as both a baseline assessment tool for new clients and an ongoing monitoring tool for managed environments, reviewing the score quarterly to ensure new Microsoft recommendations are assessed and implemented where appropriate.

Microsoft 365 Security and Cybersecurity Strategy

Microsoft 365 security does not exist in isolation — it is one layer of a comprehensive cybersecurity strategy. M365 provides identity security through Entra ID and Conditional Access, endpoint security through Defender for Business, email security through Defender for Office 365, and data security through Purview. These controls should be complemented by network security, security awareness training for staff, an incident response plan, and backup and recovery capabilities.

For UK businesses pursuing Cyber Essentials certification, correctly configured Microsoft 365 Business Premium satisfies several of the scheme's technical requirements, including access control, malware protection, and secure configuration. AMVIA advises on M365 configuration in the context of Cyber Essentials requirements and broader cybersecurity strategy.

How AMVIA Manages M365 Security

AMVIA manages Microsoft 365 security for UK businesses as part of its managed IT service. This includes licence management to ensure businesses are on Business Premium or an equivalent security-capable tier, initial hardening of the tenant configuration, ongoing monitoring of Microsoft Secure Score, management of Conditional Access policies, and Defender for Business monitoring and incident response. For businesses that have M365 but have never had the security configuration reviewed, AMVIA offers a Secure Score review as a starting point — identifying the highest-impact improvements for your specific environment and licence tier. Contact AMVIA on 0333 733 8050 to discuss your Microsoft 365 security requirements.

Key Points

What UK businesses need to know about Microsoft 365 security.

Licence Determines Available Tools

Business Basic and Standard lack Conditional Access and Defender for Business. Business Premium is the right tier for any UK business that needs meaningful endpoint and identity security.

Configuration Is the Business's Responsibility

Microsoft secures the infrastructure. Configuring the security tools — Conditional Access policies, Defender for Business deployment, email security settings — is the business's responsibility.

MFA Blocks 99% of Account Takeover Attacks

Multi-factor authentication via Conditional Access is the single highest-impact security control. Combined with blocking legacy authentication, it closes the most exploited vulnerabilities in M365.

Secure Score Tracks Your Configuration

Microsoft Secure Score provides a real-time measure of your M365 security configuration with an ordered improvement list. Available free in every tenant at security.microsoft.com.

M365 Security Baseline Checklist

  • Business Premium licensed (not Basic or Standard for security-conscious environments)
  • MFA enforced for all users via Conditional Access (not per-user settings)
  • Legacy authentication blocked via Conditional Access
  • Defender for Business deployed to all Windows and Mac devices
  • Safe Attachments and Safe Links enabled for email and Teams
  • Anti-phishing policy configured with impersonation protection
  • DMARC, DKIM, and SPF configured for all sending domains
  • Audit logging enabled with appropriate retention
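For the DMARC and SPF item, a record that exists is not necessarily one that stops spoofing. The Python check below is an added example, not AMVIA's or Microsoft's code: it evaluates TXT record strings that have already been retrieved for a domain (it performs no DNS lookups and does not cover DKIM), and the sample records for example.com are constructed.

```python
def parse_tags(record):
    """Split 'v=DMARC1; p=none; ...' into a lower-cased tag dictionary."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def check_spf(txt_records):
    spf = [r.lower().split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record" if not spf else "multiple SPF records (a permanent error)"]
    terms = spf[0][1:]
    if any(t.startswith("redirect=") for t in terms):
        return []  # the redirect target's record decides the result
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["SPF has no 'all' mechanism, so unlisted senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+?~-" else "+"
    # '-all' fails unlisted senders; '~all' soft-fails them and relies on DMARC.
    return [] if qualifier in "-~" else [f"SPF '{qualifier}all' does not fail unlisted senders"]

def check_dmarc(txt_records):
    recs = [parse_tags(r) for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return ["no DMARC record" if not recs else "multiple DMARC records"]
    tags, findings = recs[0], []
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy}: receivers are not asked to quarantine or reject failing mail")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only part of failing mail")
    if policy != "none" and tags.get("sp") == "none":
        findings.append("DMARC sp=none: subdomains are not protected")
    return findings

# Constructed TXT records for a hypothetical domain (example.com).
WEAK = {"spf": ["v=spf1 include:spf.protection.outlook.com ?all"],
        "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]}
GOOD = {"spf": ["v=spf1 include:spf.protection.outlook.com -all"],
        "dmarc": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"]}

def audit_domain(records):
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])

print(audit_domain(WEAK))
```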


Review Your Microsoft 365 Security Configuration

AMVIA reviews your M365 tenant against Microsoft's recommended security baseline, implements required configurations, and manages your M365 security on an ongoing basis.