
Microsoft 365 Security Checklist for Small Business

Microsoft 365 security basics for SMEs: MFA, disable legacy auth, Defender for Office 365, Intune, and PDPA-aligned controls.

April 2026 · 7 min read · Published by the M365 Deals Editorial Team


Introduction

Microsoft 365 includes strong security controls, but most of them only help once you turn them on. SMEs in Thailand and Singapore often buy Standard licenses but skip enabling MFA and blocking legacy authentication; that is the most common gap we see after migration. This checklist covers the high-impact controls you can run without an enterprise SOC.

Level 1 — Every tenant (free or included)

Multi-factor authentication (MFA)

Require MFA for all admins and users via Microsoft Entra ID → Security → MFA. Prefer Authenticator app over SMS where possible.

Why: Stops password-spray and phishing takeovers — the #1 cause of business email compromise.

Disable legacy authentication

Block POP/IMAP and old clients that bypass MFA: Entra ID → Security → Conditional Access (Premium) or legacy auth blocking policies.

Secure admin accounts

  • 2–3 Global Admins maximum; use day-to-day non-admin accounts
  • Separate admin UPN (e.g. admin@company.com) with MFA
  • No shared passwords in spreadsheets

Level 2 — Business Standard and above

Defender for Office 365

Enable and tune its policies in the Microsoft Defender portal → Email & collaboration → Policies. Standard includes baseline Defender for Office 365; tune policies for finance and HR mailboxes first, since those are the mailboxes attackers target for payment fraud.

Audit logging

Review the audit log in Purview for unusual forwarding rules and newly created inbox rules; both are common signs of a mailbox compromise, because attackers use them to siphon copies of mail and hide their own messages.
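The review described above can be scripted over an export of the Purview audit log. The following is an added example, not part of the original checklist: it scans exported Exchange admin records for inbox rules or mailbox settings that forward mail outside the tenant. The sample records and the tenant domain are constructed for this example, and the Operation/UserId/Parameters layout is assumed to match the exported record format.

```python
import json

# Constructed sample of exported audit log records (Exchange admin workload).
# Values are made up; the layout assumes the exported Operation/Parameters fields.
SAMPLE_RECORDS = json.dumps([
    {"CreationTime": "2026-04-02T08:11:03", "Operation": "New-InboxRule",
     "UserId": "finance@contoso.example", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "mailbox@evil.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-04-02T09:20:44", "Operation": "Set-Mailbox",
     "UserId": "admin@contoso.example", "Workload": "Exchange",
     "Parameters": [{"Name": "Identity", "Value": "hr@contoso.example"},
                    {"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:hr-archive@contoso.example"}]},
    {"CreationTime": "2026-04-02T10:05:10", "Operation": "New-InboxRule",
     "UserId": "sales@contoso.example", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
])

INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's own domains
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _is_external(address: str) -> bool:
    """True when the address domain is not one of the tenant's own."""
    addr = address.lower().removeprefix("smtp:").strip()
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS


def find_external_forwarding(raw_json: str) -> list[dict]:
    """Return records that create or change a rule forwarding mail outside the tenant."""
    hits = []
    for rec in json.loads(raw_json):
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        targets = [v for k, v in params.items() if k in FORWARDING_PARAMS and _is_external(v)]
        if targets:  # a rule that also deletes the original is the classic BEC pattern
            hits.append({"time": rec["CreationTime"], "actor": rec["UserId"],
                         "operation": rec["Operation"], "targets": targets,
                         "deletes_copy": params.get("DeleteMessage") == "True"})
    return hits


if __name__ == "__main__":
    for hit in find_external_forwarding(SAMPLE_RECORDS):
        print(hit)
```

Internal forwarding (the HR archive record) is ignored on purpose; widen INTERNAL_DOMAINS to every domain the tenant owns before running it on a real export.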

Level 3 — Business Premium or Enterprise

Intune device compliance

Require managed devices for company email:

  • Enroll Windows and mobile via Company Portal
  • Block jailbroken phones from Exchange sync
  • See Business Premium for Intune inclusion

Defender for Business

Endpoint antivirus and EDR on PCs — deploy from Microsoft 365 Defender console.

Conditional Access

Block sign-in from unexpected countries, require compliant device, or require MFA on risky sign-ins — needs Entra ID P1 (included in Premium / E3+).

Email hygiene habits (non-technical)

  • Train staff to report phishing — use Report message in Outlook
  • No payroll changes from email alone — verify by phone
  • Disable automatic forwarding to external addresses unless required

Thailand PDPA and Singapore PDPA alignment

Security controls support accountability under PDPA: access control, breach detection, and retention. Microsoft 365 is not automatically compliant — you must configure retention labels, DLP, and processes. Premium / E3 unlocks tools; legal review still applies.

Plan mapping

Control                                                  Minimum plan
MFA, basic Defender                                      Business Basic+
Desktop Office + Defender policies                       Business Standard+
Intune, Conditional Access (P1), Defender for Business   Business Premium+
Advanced DLP, eDiscovery                                 Enterprise E3/E5

When to upgrade plans for security alone

If you handle personal data at scale, health, or financial records, Business Premium or E3 is usually cheaper than breach recovery. Compare Premium vs Standard.

Next steps

Ready to make the switch?

If you've decided Microsoft 365 is the right fit — or you're still weighing options — we'll help you pick the right plan for your team.