A practical Microsoft 365 security baseline for London SMEs in 2026: MFA, Conditional Access, device management, email security, and backups.
Microsoft 365 Security for London SMEs: A Practical Baseline for 2026
Microsoft 365 is the backbone of many London SMEs—email, files, Teams, SharePoint, and increasingly identity and device management too. The catch is that Microsoft 365 is only secure when it’s configured and managed properly. Left on default settings, or managed inconsistently, it becomes a soft target.
This guide is a practical baseline for 2026. It’s written for business owners, ops leads, and IT managers who want clarity on what “good” looks like—without turning security into a never-ending project.
Amazing Support is a multi-award-winning Microsoft Partner and Cyber Essentials certified provider supporting SMEs across London, Greater London and Manchester. This is the baseline we typically expect to see (or implement) for growing organisations.
1) Start with identity: MFA everywhere (and enforced properly)
If you do one thing, do this: enforce MFA for all users—especially admins.
What “good” looks like:
- MFA enabled for all accounts (no exceptions for senior staff)
- Stronger MFA methods encouraged (authenticator app, passkeys where available)
- Admin accounts separated (no daily-use admin accounts)
- “Break glass” emergency access accounts configured safely
Common gaps we see:
- MFA enabled but not enforced consistently
- Legacy authentication still allowed
- Shared accounts (a big risk)
2) Use Conditional Access to reduce real-world risk
Conditional Access is where Microsoft 365 security becomes practical. It lets you control how and when users can access your systems.
Baseline policies many SMEs benefit from:
- Block sign-ins from high-risk locations (where appropriate)
- Require MFA for all cloud apps
- Require compliant devices for access to sensitive data
- Restrict admin access to trusted locations/devices
- Session controls for unmanaged devices
This is one of the biggest differences between “we have Microsoft 365” and “we run Microsoft 365 securely”.
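The quickest way to find out whether the policies above are actually in force is to export the tenant's Conditional Access policies and test them against the baseline. The script below is an added example (not part of this guide or any Microsoft tooling): it takes policy dictionaries in the shape of the Microsoft Graph conditionalAccessPolicy resource and reports gaps such as a missing MFA-for-all policy, a legacy-authentication block left in report-only mode, and accounts excluded from policy that are not known break-glass accounts. The sample policies and account identifiers are constructed for the example.

```python
"""Check exported Conditional Access policies against the baseline in this guide.

Policy dictionaries follow the Microsoft Graph conditionalAccessPolicy shape
(state, conditions, grantControls). SAMPLE_POLICIES is constructed for this
example, not exported from a real tenant; the account ids are placeholders.
"""

# Graph clientAppTypes values that represent legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}
# A policy only applies to every sign-in if it covers all client app types.
MODERN_CLIENT_APP_TYPES = {"browser", "mobileAppsAndDesktopClients"}


def _enforced(policy):
    # Disabled and report-only ("enabledForReportingButNotEnforced") policies protect nobody.
    return policy.get("state") == "enabled"


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _covers_all_users_and_apps(policy):
    cond = policy.get("conditions", {})
    users = cond.get("users", {}).get("includeUsers", [])
    apps = cond.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def _covers_all_client_types(policy):
    types = set(policy.get("conditions", {}).get("clientAppTypes", []))
    return "all" in types or MODERN_CLIENT_APP_TYPES <= types


def requires_mfa_for_all(policies):
    """True if an enabled policy requires MFA (or an authentication strength) for all users on all apps."""
    for p in policies:
        if not (_enforced(p) and _covers_all_users_and_apps(p) and _covers_all_client_types(p)):
            continue
        has_strength = bool((p.get("grantControls") or {}).get("authenticationStrength"))
        if "mfa" in _controls(p) or has_strength:
            return True
    return False


def blocks_legacy_auth(policies):
    """True if an enabled policy blocks the legacy client app types for all users and apps."""
    for p in policies:
        if not (_enforced(p) and _covers_all_users_and_apps(p)):
            continue
        types = set(p.get("conditions", {}).get("clientAppTypes", []))
        if "block" in _controls(p) and LEGACY_CLIENT_APP_TYPES <= types:
            return True
    return False


def excluded_users(policies):
    """Accounts excluded from any enabled policy; each should be a documented break-glass account."""
    excluded = set()
    for p in policies:
        if _enforced(p):
            excluded.update(p.get("conditions", {}).get("users", {}).get("excludeUsers", []))
    return sorted(excluded)


def check_baseline(policies, break_glass_accounts=()):
    """Return a list of human-readable findings; an empty list means the baseline is met."""
    findings = []
    if not requires_mfa_for_all(policies):
        findings.append("No enabled policy requires MFA for all users on all cloud apps")
    if not blocks_legacy_auth(policies):
        findings.append("No enabled policy blocks legacy authentication (exchangeActiveSync/other)")
    known = set(break_glass_accounts)
    for user in excluded_users(policies):
        if user not in known:
            findings.append(f"Excluded from an enabled policy but not a known break-glass account: {user}")
    for p in policies:
        if p.get("state") == "enabledForReportingButNotEnforced":
            findings.append(f"Policy '{p['displayName']}' is report-only and not enforced")
    return findings


SAMPLE_POLICIES = [  # constructed example data
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id-placeholder"]},
                    "applications": {"includeApplications": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require compliant device for Office 365", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["contractor-id-placeholder"]},
                    "applications": {"includeApplications": ["Office365"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    for finding in check_baseline(SAMPLE_POLICIES, break_glass_accounts=("breakglass-id-placeholder",)):
        print("-", finding)
```

Run against the sample data, this reports three findings: the legacy-authentication block exists but is report-only, so it does not count; the contractor account is excluded from an enabled policy without being a known break-glass account; and the report-only policy is listed by name. Flipping that policy's state to "enabled" clears the legacy-auth finding, which is the point of checking state rather than just the policy's existence.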
3) Secure email properly (because phishing is still the #1 threat)
For most SMEs, email remains the main entry point for attacks—phishing, credential theft, invoice fraud.
Baseline email security should include:
- Strong spam/phishing filtering
- Safe links / attachment scanning (where available)
- DMARC, DKIM, SPF configured correctly
- Rules to reduce impersonation risk (display name spoofing)
- User reporting process (“Report Phish” button + response workflow)
Practical tip: Security tools help, but staff behaviour matters too. Combine filtering with short, regular awareness training.
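"Configured correctly" for SPF, DKIM and DMARC has concrete meaning: an SPF record that ends in +all, a DMARC policy of p=none, or a DKIM selector with an empty key each leave a domain open to spoofing. The script below is an added example (not from this guide) that evaluates the published TXT record text for each of the three. It performs no DNS lookups; the records are constructed for the example, and the DKIM public key is a placeholder of realistic length rather than a real key.

```python
"""Evaluate SPF, DKIM and DMARC TXT record text against the email baseline above.

No DNS queries are made; pass in the record text as published. The sample
records are constructed for this example (the DKIM key is a placeholder).
"""
import base64

# SPF terms that each consume one of the ten permitted DNS lookups (RFC 7208 section 4.6.4).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10


def _term_name(term):
    # Strip the qualifier (+ - ~ ?) and any value, e.g. "include:x" -> "include", "a/24" -> "a".
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def check_spf(record):
    """Return a list of issues with an SPF record; empty means it looks sound."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    issues = []
    lookups = sum(1 for t in terms[1:] if _term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > SPF_MAX_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceeds the limit of {SPF_MAX_LOOKUPS} (permerror)")
    if any(_term_name(t) == "ptr" for t in terms[1:]):
        issues.append("ptr mechanism is deprecated and slow to evaluate")
    all_terms = [t for t in terms[1:] if _term_name(t) == "all"]
    if not all_terms and not any(_term_name(t) == "redirect" for t in terms[1:]):
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all authorises every sender; SPF provides no protection")
        elif qualifier == "?":
            issues.append("?all is neutral; use ~all or preferably -all")
    return issues


def _tags(record):
    # Parse "k=v; k2=v2" into a dict, keeping tag order irrelevant for checks.
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of issues with a DMARC record; empty means policy is enforcing and reporting."""
    tags = _tags(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record (must start with v=DMARC1)"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing p= policy tag")
    elif policy.lower() == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy.lower() not in ("quarantine", "reject"):
        issues.append(f"unknown policy value p={policy}")
    if "rua" not in tags:
        issues.append("no rua= aggregate reporting address, so failures are invisible")
    if tags.get("pct", "100").isdigit() and int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    return issues


def check_dkim(record):
    """Return a list of issues with a DKIM selector record, including an estimated key size."""
    tags = _tags(record)
    issues = []
    if "v" in tags and tags["v"] != "DKIM1":
        issues.append("v= tag present but not DKIM1")
    key = tags.get("p")
    if key is None:
        return issues + ["missing p= public key tag"]
    if key == "":
        return issues + ["p= is empty: the key has been revoked"]
    try:
        der = base64.b64decode(key)
    except (ValueError, TypeError):
        return issues + ["p= is not valid base64"]
    # Heuristic on DER SubjectPublicKeyInfo length: ~294 bytes for RSA-2048, ~162 for RSA-1024.
    if len(der) < 140:
        issues.append("public key is shorter than an RSA-1024 key")
    elif len(der) < 270:
        issues.append("key looks like RSA-1024; rotate to 2048 bits")
    return issues


# Constructed sample records. spf.protection.outlook.com is Microsoft's published
# include for Exchange Online; the DKIM key is a placeholder, not a real key.
SPF_OK = "v=spf1 include:spf.protection.outlook.com -all"
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com mx +all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
DMARC_WEAK = "v=DMARC1; p=none"
DKIM_PLACEHOLDER = "v=DKIM1; k=rsa; p=" + "A" * 392  # decodes to 294 bytes, RSA-2048 sized
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, fn, rec in [("SPF", check_spf, SPF_WEAK), ("DMARC", check_dmarc, DMARC_WEAK), ("DKIM", check_dkim, DKIM_REVOKED)]:
        print(name, fn(rec) or "ok")
```

The weak samples show the three most common findings in SME domains: an SPF record that ends in +all, a DMARC record still at p=none with no reporting address, and a DKIM selector whose key has been emptied. The key-size check is a length heuristic on the decoded key, not a full ASN.1 parse, which is adequate for flagging 1024-bit keys that should be rotated.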
4) Control devices (hybrid work makes this non-negotiable)
Hybrid work is normal in London now. That means your data is accessed from:
- office laptops
- home networks
- personal mobiles
- shared devices during travel
A strong baseline includes:
- device encryption (BitLocker/FileVault)
- endpoint protection managed centrally
- patching enforced (not optional)
- device compliance policies (minimum OS version, encryption required, etc.)
- ability to wipe lost/stolen devices
If you can’t confidently answer “Are all our devices patched and protected?” you don’t have a baseline—you have hope.
5) Protect SharePoint/OneDrive data (permissions and sprawl)
Microsoft 365 makes sharing easy. Too easy, sometimes.
Baseline controls:
- sensible sharing defaults (avoid “anyone with the link” for sensitive areas)
- regular reviews of external sharing
- permissions hygiene (avoid over-permissioned Teams/sites)
- retention policies where appropriate
This reduces accidental exposure and makes offboarding safer.
6) Backups: Microsoft 365 isn’t a backup strategy by default
A common misconception: “Our data is in Microsoft 365, so it’s backed up.”
Microsoft provides resilience, but many SMEs still need a dedicated backup strategy for:
- accidental deletion beyond retention windows
- ransomware impacting synced files
- malicious deletion by compromised accounts
- legal/compliance retention needs
Baseline approach:
- define what must be recoverable (mailboxes, SharePoint, OneDrive, Teams)
- set recovery objectives (how fast, how far back)
- test restores regularly (not just “backup is running”)
7) Logging, alerts, and “who responds?”
Security isn’t just configuration—it’s response.
Baseline operational questions:
- Who gets alerts for suspicious sign-ins?
- What’s the escalation path if an account is compromised?
- How quickly can you disable access and reset credentials?
- Do you have an incident playbook?
Even a simple documented process can massively reduce impact.
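"Who gets alerts for suspicious sign-ins?" presupposes that someone has defined what suspicious means. The script below is an added example (not from this guide or any Microsoft product) of a first-pass triage over Entra ID sign-in log entries, using the field names of the Microsoft Graph signIn resource. It flags successful sign-ins that were single-factor, that used a legacy protocol, that Entra scored as medium or high risk, that came from outside the expected countries, or that followed a burst of failed attempts on the same account. The records, account names, country list and failure threshold are all constructed assumptions for the example.

```python
"""Triage Entra ID sign-in log entries into alerts a responder should act on.

Entries use Microsoft Graph signIn field names (status.errorCode,
clientAppUsed, authenticationRequirement, location.countryOrRegion,
riskLevelDuringSignIn). SAMPLE_SIGNINS is constructed for this example.
"""
from collections import defaultdict

# clientAppUsed values that indicate legacy (non-modern) authentication.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
# Failures on one account before a following success is flagged (assumed threshold).
FAILURE_THRESHOLD = 5


def _event(time, upn, error=0, app="Browser", auth="multiFactorAuthentication", country="GB", risk="none"):
    # Helper to build a sign-in record in the Graph signIn shape.
    return {"createdDateTime": time, "userPrincipalName": upn, "status": {"errorCode": error},
            "clientAppUsed": app, "authenticationRequirement": auth,
            "location": {"countryOrRegion": country}, "riskLevelDuringSignIn": risk}


def triage(signins, expected_countries=("GB",), failure_threshold=FAILURE_THRESHOLD):
    """Return a list of alert dicts (user, rule, time, detail) for the given sign-in entries."""
    alerts = []
    failures = defaultdict(int)  # consecutive failures per account since its last success

    def alert(entry, rule, detail):
        alerts.append({"user": entry["userPrincipalName"], "rule": rule,
                       "time": entry["createdDateTime"], "detail": detail})

    for s in sorted(signins, key=lambda e: e["createdDateTime"]):
        upn = s["userPrincipalName"]
        if s["status"]["errorCode"] != 0:
            failures[upn] += 1
            continue
        # Everything below concerns a successful sign-in.
        app = s.get("clientAppUsed", "")
        if app in LEGACY_CLIENT_APPS:
            alert(s, "legacy-protocol", f"successful sign-in via {app}, which cannot enforce MFA")
        elif s.get("authenticationRequirement") == "singleFactorAuthentication":
            alert(s, "single-factor-success", "successful sign-in without MFA")
        if s.get("riskLevelDuringSignIn") in ("medium", "high"):
            alert(s, "risky-sign-in", f"Entra risk level {s['riskLevelDuringSignIn']}")
        country = s.get("location", {}).get("countryOrRegion")
        if country not in expected_countries:
            alert(s, "unexpected-country", f"successful sign-in from {country}")
        if failures[upn] >= failure_threshold:
            alert(s, "failures-then-success", f"{failures[upn]} failed attempts preceded this success")
        failures[upn] = 0
    return alerts


def alerts_by_user(alerts):
    """Group alert rule names per account, which is the view a responder wants first."""
    grouped = defaultdict(list)
    for a in alerts:
        grouped[a["user"]].append(a["rule"])
    return dict(grouped)


# Constructed sample log: one clean user, one without MFA, one password-guessing
# pattern from an unexpected country, and one high-risk sign-in.
SAMPLE_SIGNINS = [
    _event("2026-01-12T08:01:00Z", "alice@example.com"),
    _event("2026-01-12T08:10:00Z", "bob@example.com", auth="singleFactorAuthentication"),
    _event("2026-01-12T08:15:00Z", "bob@example.com", app="IMAP4", auth="singleFactorAuthentication"),
    _event("2026-01-12T08:20:00Z", "dave@example.com", risk="high"),
    _event("2026-01-12T09:05:00Z", "carol@example.com", country="NG"),
] + [_event(f"2026-01-12T09:0{i}:00Z", "carol@example.com", error=50126, country="NG") for i in range(5)]

if __name__ == "__main__":
    for a in triage(SAMPLE_SIGNINS):
        print(f"{a['time']} {a['user']:<20} {a['rule']:<24} {a['detail']}")
```

On the sample data this yields five alerts: two for bob (a single-factor browser sign-in and an IMAP4 sign-in), two for carol (a success from outside the expected countries, preceded by five failures), and one for dave's high-risk sign-in. Alice generates nothing. The per-user grouping is the shape of the question in the list above: each alert needs a named owner and a defined next step, such as disabling the account and resetting credentials.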
Quick checklist (for leadership)
If you want a fast sanity check, ask your IT support provider:
- Is MFA enforced for all users and admins?
- Are Conditional Access policies in place?
- Are email authentication records (SPF/DKIM/DMARC) configured?
- Are all devices encrypted, patched, and centrally protected?
- Do we have a Microsoft 365 backup solution and tested restores?
- Do we have reporting/alerts and a response plan?
If you want to know where you stand, we can review your Microsoft 365 security posture and give you a clear, prioritised baseline plan for 2026—practical, not theoretical.