{"id":982,"date":"2026-04-23T10:38:28","date_gmt":"2026-04-23T10:38:28","guid":{"rendered":"https:\/\/www.freethought.uk\/help\/microsoft-365-security-basics\/"},"modified":"2026-04-23T10:38:28","modified_gmt":"2026-04-23T10:38:28","slug":"microsoft-365-security-basics","status":"publish","type":"post","link":"https:\/\/www.freethought.uk\/help\/microsoft-365-security-basics\/","title":{"rendered":"Microsoft 365 Security Basics"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\"><strong>What Is Already Protecting You?<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Spam and malware filtering: Microsoft scans every incoming email for spam, phishing attempts, and malicious attachments. Most threats are caught before they reach your inbox.<\/li>\n\n\n\n<li>Data encryption: Your emails and files are encrypted both when they are being sent and when they are stored. This means they cannot be easily intercepted or read by outsiders.<\/li>\n\n\n\n<li>Sign-in monitoring: Microsoft tracks where and when people sign in to your accounts. Unusual activity (like a sign-in from another country) can trigger alerts or extra verification.<\/li>\n\n\n\n<li>Automatic security updates: The Microsoft 365 apps are kept up to date automatically, which means known security vulnerabilities are patched without you needing to do anything.<\/li>\n<\/ul>\n\n\n\n<p>Microsoft 365 comes with a decent set of security features built in, even on the basic plans. Understanding what is already working in the background can give you peace of mind, and knowing where the gaps are helps you close them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Quick Wins: Three Things to Do Today<\/strong><\/h3>\n\n\n\n<p><strong>Step 1: <\/strong><strong>Turn on Multi-Factor Authentication (MFA)<\/strong><\/p>\n\n\n\n<p><strong>This is the<\/strong> <strong>number one thing you can do<\/strong>. If you have not done it yet, follow our separate MFA guide to get it set up. 
It takes about 15 minutes and dramatically reduces your risk.<\/p>\n\n\n\n<p><strong>Step 2: <\/strong><strong>Check who has admin access<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to <a href=\"https:\/\/admin.microsoft.com\">admin.microsoft.com<\/a>, then Users &gt; Active users.<\/li>\n\n\n\n<li>Filter by Admin roles to see who has admin access.<\/li>\n\n\n\n<li>Only the people who genuinely need to manage Microsoft 365 should be admins. The fewer admin accounts, the smaller the target for attackers.<\/li>\n\n\n\n<li>If someone has admin access and does not need it, remove it by editing their account and changing their role to User (no admin access).<\/li>\n<\/ul>\n\n\n\n<p><strong>Step 3: <\/strong><strong>Review your sign-in activity<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Go to the Microsoft Entra admin centre (entra.microsoft.com).<\/li>\n\n\n\n<li>Click Users &gt; Sign-in logs.<\/li>\n\n\n\n<li>Look for any sign-ins from unfamiliar locations or devices.<\/li>\n\n\n\n<li>If you spot something suspicious, reset that user&#8217;s password and check their account for any changes they did not make.<\/li>\n<\/ul>\n\n\n\n<p class=\"banner-tip\">\ud83d\udc49 <strong>Tip: <\/strong>Microsoft provides a free Secure Score in the admin centre (Security &gt; Secure Score) that rates your current security posture and suggests improvements. It is a great way to see where you stand.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Common Threats to Be Aware Of<\/strong><\/h3>\n\n\n\n<p><strong>Phishing emails<\/strong>: These are emails that pretend to be from someone you trust (your bank, Microsoft, a supplier) to trick you into clicking a link or entering your password. 
Teach your team to check the sender&#8217;s actual email address, hover over links before clicking, and report anything suspicious.<\/p>\n\n\n\n<p><strong>Password reuse<\/strong>: If someone uses the same password for their work email and a personal account that gets breached, attackers can get into your business. MFA helps, but encouraging unique passwords for work accounts is important.<\/p>\n\n\n\n<p><strong>Invoice fraud<\/strong>: Attackers who gain access to a business email account often look for invoices and payment information. They then send fake invoices or change bank details on real ones. Always verify bank detail changes by phone.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>When to Get Professional Help<\/strong><\/h3>\n\n\n\n<p>The steps in this guide cover the essentials, but every business is different. If you handle sensitive data, process payments, or are subject to industry regulations, it is worth getting a professional security review.<\/p>\n\n\n\n<p><a href=\"https:\/\/www.freethought.services\/\">Freethought Services<\/a> can carry out a security health check of your Microsoft 365 environment and recommend improvements tailored to your business. Get in touch and they will take a look for you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What Is Already Protecting You? Spam and malware filtering: Microsoft scans every incoming email for spam, phishing attempts, and malicious attachments. Most threats are caught before they reach your inbox. Data encryption: Your emails and files are encrypted both when they are being sent and when they are stored. 
This&hellip;<\/p>\n","protected":false},"author":7,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[29],"tags":[],"class_list":["post-982","post","type-post","status-publish","format-standard","hentry","category-microsoft"],"_links":{"self":[{"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/posts\/982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/comments?post=982"}],"version-history":[{"count":0,"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/posts\/982\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/media?parent=982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/categories?post=982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.freethought.uk\/help\/wp-json\/wp\/v2\/tags?post=982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}