
Microsoft 365 for small businesses: settings to configure on day one.

Just signed up for Microsoft 365? These 6 essential settings secure your accounts, protect your files, and prevent the most common mistakes from the start.

Published on June 15, 2026

Microsoft 365 is an excellent foundation for small business IT: email, storage, collaboration tools, all in one place. But a poorly configured subscription leaves security gaps and creates bad habits that are costly to fix later.

Here are the 6 settings to apply on day one, explained in plain language.

How to enable two-factor authentication for all users

Two-factor authentication (MFA, Multi-Factor Authentication) requires a second verification step at login: a code received by text message or through an app like Microsoft Authenticator. Even if an attacker obtains your password, they cannot log in without that second element.

Steps to enable it:

  1. Sign in to admin.microsoft.com with the administrator account.
  2. Go to Settings > Org settings > Security and privacy.
  3. Enable Security defaults: this forces MFA for all accounts.
  4. Each user will be prompted to set up their second factor at their next login.

Budget 5 to 10 minutes per team member to guide them through this step.

How to configure OneDrive and SharePoint for team files

The distinction matters from the start:

  • OneDrive: each user’s personal space. Files are private by default.
  • SharePoint (accessible via Teams or directly): shared space for the team. Ideal for client folders, document templates, and internal procedures.

A simple rule to apply: never put a file that others need to access in your personal OneDrive. Create a shared SharePoint library on day one.

To create a SharePoint library:

  1. Sign in to sharepoint.com.
  2. Click Create site, choose Team site.
  3. Give it a name (for example “Company files”) and add your team members.

How to manage users and permissions correctly

In small businesses, everyone often gets admin access “to keep things simple.” This is a mistake: a compromised admin account gives access to everything.

Best practice:

  • One global admin account, used only for administration tasks.
  • Each team member has a standard user account.
  • SharePoint folder permissions are assigned based on actual need.

To manage accounts, go to Users > Active users in the admin center. Review the role assigned to each person and downgrade non-administrators to “No admin access.”
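The same review can be scripted. This added example (not from the original article) uses the Microsoft Graph PowerShell module to confirm that Security defaults is on and to list every admin role holder, warning when more than one Global Administrator exists. It is read-only and assumes the Microsoft.Graph module is installed and that you sign in with the administrator account.

```powershell
# Added example, not part of the original article. Read-only: changes nothing in the tenant.
# Assumption: Install-Module Microsoft.Graph has already been run on this machine.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All'

# 1. Security defaults: the setting that forces MFA for all accounts.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($defaults.IsEnabled) {
    Write-Host 'Security defaults: enabled'
} else {
    Write-Warning 'Security defaults are disabled: MFA is not enforced by this setting.'
}

# 2. Who holds an admin role. Get-MgDirectoryRole returns only roles that
#    have been activated in the tenant, i.e. roles that have been assigned.
$assignments = foreach ($role in Get-MgDirectoryRole) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $member.AdditionalProperties['userPrincipalName']
            Name   = $member.AdditionalProperties['displayName']
            # user, group or servicePrincipal
            Kind   = $member.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
        }
    }
}
$assignments | Sort-Object Role, Member | Format-Table -AutoSize

# 3. The rule above: one global admin account, everyone else a standard user.
$globalAdmins = @($assignments | Where-Object Role -eq 'Global Administrator')
if ($globalAdmins.Count -gt 1) {
    Write-Warning "$($globalAdmins.Count) Global Administrator accounts found; expected one."
    $globalAdmins | Select-Object Member, Name | Format-Table -AutoSize
}

Disconnect-MgGraph | Out-Null
```

Anyone listed here who does not perform administration tasks is a candidate for "No admin access" in Users > Active users.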

Which anti-spam settings to enable first

Microsoft 365 includes Microsoft Defender for email, with spam and anti-phishing filtering. It is active by default, but a few additional settings improve protection:

  1. In the security.microsoft.com portal, go to Policies and rules > Threat policies.
  2. Verify that the Anti-phishing policy is enabled and that anti-impersonation protection is configured.
  3. Enable Safe Links and Safe Attachments if your plan supports it (Microsoft 365 Business Premium).

These options scan links and attachments before your team members open them.

How to back up your mailboxes

Microsoft 365 retains emails, but if an account is accidentally deleted or a major incident occurs, recovery is limited to 30 to 93 days depending on your subscription. That is not a true backup.

For solid protection, use a dedicated third-party tool:

  • Veeam Backup for Microsoft 365: popular and reliable.
  • Barracuda Backup or Acronis Cyber Protect: alternatives well suited to small businesses.

These tools automatically back up email, calendars, and contacts to a space independent of Microsoft, recoverable at any point in time.

What file-sharing best practices to establish from the start

Sharing in Microsoft 365 is very flexible, which can become a problem without clear rules.

Simple rules to set:

  • Never share with “Everyone” except for genuinely public documents.
  • Prefer “People in your organization” links over links accessible to anyone.
  • Set an expiration date on temporary sharing links (available in SharePoint settings).
  • Review active shares quarterly: in SharePoint admin you can see which files are shared externally.
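These rules can also be applied and reviewed from the SharePoint Online Management Shell. This added example (not from the original article) sets organization-only links as the default, puts an expiration on "Anyone" links, and exports the external users on each site for the quarterly review. The tenant URL is a placeholder, and the 30-day expiration and output file name are assumed values to adjust.

```powershell
# Added example, not part of the original article.
# Assumption: the Microsoft.Online.SharePoint.PowerShell module is installed
# and you sign in with a SharePoint or global administrator account.
$adminUrl = 'https://<your-tenant>-admin.sharepoint.com'   # placeholder
Connect-SPOService -Url $adminUrl

# Current tenant-wide sharing settings, for the record before changing anything.
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays

# Default new links to "People in your organization" and make "Anyone" links expire.
# 30 days is an assumed value, not one the article prescribes.
Set-SPOTenant -DefaultSharingLinkType Internal -RequireAnonymousLinksExpireInDays 30

# Quarterly review: every site that still allows external sharing,
# and the external users who have access to it.
$sites = Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' }

$report = foreach ($site in $sites) {
    $position = 0
    do {
        # Get-SPOExternalUser returns at most 50 users per call, so page through them.
        $page = @(Get-SPOExternalUser -SiteUrl $site.Url -Position $position -PageSize 50)
        foreach ($user in $page) {
            [pscustomobject]@{
                Site        = $site.Url
                Email       = $user.Email
                DisplayName = $user.DisplayName
                InvitedBy   = $user.InvitedBy
                WhenCreated = $user.WhenCreated
            }
        }
        $position += 50
    } while ($page.Count -eq 50)
}

# Assumed output file name; keep one export per quarter to compare over time.
$report | Sort-Object Site, Email |
    Export-Csv -Path '.\external-users-review.csv' -NoTypeInformation

Disconnect-SPOService
```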

These settings take a few hours but protect your business for the long term. If you are not comfortable doing them yourself, iokoo experts can configure Microsoft 365 for you, remotely and without a site visit. Create an account to get started, check our pricing, or browse our expert pool to find the right profile.

Frequently asked questions

Is two-factor authentication (MFA) really necessary for a small business?

Yes, it is the single most important setting. Microsoft reports that MFA blocks more than 99 percent of automated account attacks. Setup takes under 5 minutes per user and costs nothing on top of your existing subscription.

What is the difference between OneDrive and SharePoint in Microsoft 365?

OneDrive is each user's personal space (their own files). SharePoint is the shared space for the whole team. In a small business, use OneDrive for individual documents and SharePoint (or Teams channels) for collaborative files.

Does Microsoft 365 automatically back up my emails?

Microsoft retains emails, but this is not a true backup. If a mailbox or account is accidentally deleted, recovery is time-limited depending on your plan. A third-party backup tool (Veeam, Acronis, or Barracuda) is recommended for full protection.
