Microsoft 365 Security Services for UK Businesses

Why Microsoft 365's Default Configuration Is Not Secure

Microsoft 365 is used by the vast majority of UK SMEs for email, file sharing, and collaboration. What most businesses do not realise is that the default tenant configuration prioritises usability over security. Microsoft ships M365 with settings that minimise friction — which means many powerful security controls are disabled or set to their least restrictive configuration by default.

Common security gaps in a default M365 tenant include:

• MFA not enforced — users can sign in with just a username and password
• Legacy authentication protocols enabled — allowing attackers to bypass MFA entirely using older connection methods
• No Conditional Access policies — any device from any location can connect without restriction
• Defender for Office 365 anti-phishing policies on default settings — not the most protective configuration
• No Data Loss Prevention policies — sensitive files can be shared externally without restriction
• Admin accounts not protected with PIM — administrators have permanent elevated privileges rather than just-in-time access
• No third-party backup — Microsoft's data retention policies are not a backup solution

Microsoft's own Secure Score tool — available free in every M365 tenant — typically shows most businesses scoring below 50% on their first assessment. AMVIA's M365 security audit identifies all gaps and provides a prioritised remediation plan.

Microsoft 365 Licence Tiers: What Security Do You Get?

Microsoft 365 comes in several licence tiers for businesses, and the security capabilities differ significantly between them. Understanding what your current licence includes is the first step to knowing what additional investment is needed.

Microsoft 365 Business Basic (£5.10/user/month)

Includes Exchange Online email, Teams, SharePoint, and OneDrive. Email security is provided by Exchange Online Protection (EOP) — basic spam and malware filtering. No Defender for Business, no advanced threat protection, no Intune MDM. Not suitable as the security baseline for most businesses.

Microsoft 365 Business Standard (£10.30/user/month)

Adds the Office desktop applications (Word, Excel, Outlook, Teams) but does not significantly upgrade the security stack. EOP remains the email security layer. No Defender for Business or Intune. At this tier, adding third-party email security (Mimecast) and MDM is strongly recommended.

Microsoft 365 Business Premium (£18.60/user/month)

This is the tier where M365 security becomes genuinely powerful. Business Premium includes:

• Microsoft Defender for Business: Endpoint detection and response for up to 300 devices
• Defender for Office 365 Plan 1: Safe Links, Safe Attachments, anti-phishing policies
• Azure Active Directory Premium P1: Conditional Access, MFA with risk-based policies
• Microsoft Intune: Mobile device management for all devices
• Azure Information Protection Plan 1: Basic DLP and sensitivity labels

For most UK SMEs, Business Premium is the right licence tier. The security capabilities included justify the additional cost over Standard — particularly Conditional Access and Defender for Business. AMVIA can assess your current licence mix and recommend the most cost-effective approach.

Conditional Access: The Most Important M365 Security Control

Conditional Access is a policy engine that evaluates sign-in requests based on multiple risk signals before granting or denying access. It is the cornerstone of a Zero Trust security approach and the most important security control available in Microsoft 365.

Conditional Access policies can:

• Require MFA for all users on all devices
• Block sign-ins from countries your business does not operate in
• Require device compliance (managed by Intune) before granting access to corporate data
• Block legacy authentication protocols that bypass MFA
• Apply different policies based on the sensitivity of the data being accessed
• Require terms of use acceptance for external users

Microsoft provides baseline Conditional Access policies (Security Defaults) that are better than nothing but do not cover all scenarios. AMVIA configures custom Conditional Access policies tailored to your business — balancing security with usability for remote and hybrid workers.

Microsoft Defender for Business vs Defender for Endpoint

Microsoft offers two versions of its enterprise endpoint protection platform:

Microsoft Defender for Business

Included with Microsoft 365 Business Premium. Supports up to 300 devices. Designed specifically for SMEs with simplified management. Includes endpoint detection and response, vulnerability management, attack surface reduction, and automated investigation and remediation. Ideal for businesses with 10–300 staff.

Microsoft Defender for Endpoint (Plan 2)

The enterprise-grade version. No device limit. Includes threat intelligence, custom detection rules, advanced hunting, and integration with Microsoft Sentinel SIEM. Required for organisations with more complex security requirements or over 300 devices.

AMVIA manages both products, configuring and monitoring them as part of our endpoint security service. For most UK SMEs, Defender for Business (included in Business Premium) is the right starting point — but it requires expert configuration to realise its full capability.

Microsoft Secure Score: Measuring and Improving Your Security Posture

Microsoft Secure Score is a free tool available in the Microsoft 365 security portal that measures your tenant's security configuration against Microsoft's recommendations. It assigns a score from 0 to a maximum based on your tenant size, with improvement actions categorised by impact and implementation complexity.

AMVIA reviews your Secure Score as part of our initial audit and establishes a baseline. We then work through improvement actions systematically — prioritising those with the highest security impact and lowest user disruption. Monthly reports track your Secure Score progress over time.

Most AMVIA clients improve their Secure Score by 20–40 percentage points within the first three months of our M365 security service.

Does Microsoft Back Up Your M365 Data?

No — and this is one of the most widely misunderstood aspects of Microsoft 365. Microsoft operates M365 on highly resilient infrastructure and provides short-term retention (30-day recycle bin, 14-day Teams retention), but this is not a backup. If data is permanently deleted, corrupted, or lost due to a ransomware attack or accidental deletion beyond the retention window, Microsoft cannot restore it.

AMVIA deploys a third-party M365 backup solution — covering Exchange Online (email), SharePoint, OneDrive, and Teams — that provides point-in-time recovery with retention periods aligned to your business requirements (typically 1–5 years). This is a critical gap in most M365 deployments and one of the first things AMVIA addresses in a new client engagement.

Common Microsoft 365 Misconfigurations

Beyond the issues covered above, AMVIA regularly finds the following misconfigurations in new client M365 tenants:

• Shared admin accounts: Multiple users sharing a single admin account, making audit trails impossible
• Legacy authentication enabled: Allows attackers to connect using older protocols that bypass MFA
• External sharing unrestricted: SharePoint and OneDrive configured to allow sharing with anyone, including unauthenticated external users
• No DMARC, DKIM, or SPF: Email authentication not configured, allowing spoofing of the company's domain
• Teams external access unrestricted: External users from any tenant can initiate contact and share files
• Audit logging disabled: Security investigations impossible without an audit log of user and admin activity