Microsoft 365 for SMEs: Are You Getting the Security Your Business Is Paying For?
Every Microsoft 365 subscription comes with a set of security tools built in. Most of them sit there unused.
It’s an easy thing to miss. You buy the licence, set up the mailboxes, the team gets going, and somewhere along the way you assume the protection came bundled in. Some of it did. Plenty of it’s still sitting there, waiting for someone to switch it on.
For SMEs running Microsoft 365 across London and the surrounding area, that gap matters. You are paying for capability you may not be using, and the unused parts are often the ones that would stop an attacker getting in.
The Security You Have Already Bought
A Microsoft 365 subscription goes beyond email and Office apps. Depending on your plan, it includes identity protection, access controls, threat policies and audit tools that many businesses never touch.
Microsoft runs a shared responsibility model, meaning they keep the platform itself patched and available while you configure what happens inside your own tenant, including who can sign in and what they can reach.
Default settings are designed for a smooth start rather than a hardened finish, so the tools you have paid for tend to stay in their out-of-the-box state. The ones most often left untouched include:
- Multi-factor authentication (MFA) that has not been enforced for every account
- Conditional access rules that could limit risky sign-ins but were never built
- External sharing and guest access left open by default
- Audit logging switched off or switched on and never reviewed
None of these draw attention to themselves, which is why the gap goes unnoticed for months.
MFA and Why It’s Still Not Universal
MFA is one of the most effective controls available to a Microsoft 365 tenant, and it’s included in every plan. But it’s still not switched on everywhere it should be.
Part of the reason is friction. Enforcing it for every user takes a deliberate decision, and there is usually one account, often an admin or a senior leader, that someone decides to leave exempt. That exemption tends to be precisely the account an attacker wants.
This matters because of how most breaches begin. The government’s Cyber Security Breaches Survey 2025/2026 found that phishing was the most common type of attack, experienced by 38% of businesses.
Phishing works by capturing a password. With MFA enforced, that stolen password on its own isn’t enough to get anyone in.
Conditional Access, Guest Permissions and Admin Accounts
Beyond MFA, a handful of areas build up risk over time without anyone deciding they should:
- Conditional access: This lets you set the conditions under which a login is allowed, such as blocking sign-ins from countries your staff never work in or requiring a managed device. The capability is there in most business plans but often goes unbuilt.
- Guest permissions: External sharing links and guest accounts accumulate as projects come and go. Few businesses can say exactly what is currently shared and with whom.
- Admin accounts: An admin account can change security settings and reach everyone’s data, which makes each one a prime target. Many tenants carry far more admins than they need.
- Dormant accounts: Logins belonging to people who have left often stay live, handing an attacker a valid account that nobody is watching.
Each of these is manageable once someone has eyes on it. The difficulty is that they rarely get reviewed once the initial setup is done.
Connecting Microsoft 365 to Dark Web and Credential Monitoring
Even a well-configured tenant has its blind spots. It only sees what goes inside it, so it has no way of knowing when one of your staff has had a password caught up in a breach elsewhere on the internet.
Reused passwords are more common than you think. When a member of staff uses the same password for a work account and a personal account that later gets breached, those stolen credentials end up traded on the dark web. From there they get tested against business logins in bulk.
Dark web and credential monitoring watches for your domain and your users’ details appearing in known breach data. Paired with Microsoft 365, it means a leaked password can be flagged and reset before it is used against you.
This is the layer that connects what Microsoft 365 protects with what is happening beyond it.
Security Set Once Does Not Stay Secure
Just because your tenant is configured well today doesn’t mean it can’t be exposed within a year. Staff join and leave, new apps get adopted, permissions get granted for a one-off task and never removed, and Microsoft changes its own features and defaults along the way.
Getting the most from Microsoft 365 depends on treating cyber security as something maintained on an ongoing basis. In practice that means the following:
- Keeping MFA and conditional access enforced as accounts change
- Reviewing admin roles and permissions so privilege stays tight
- Monitoring sign-ins for activity that looks out of place
- Keeping external sharing and guest access controlled
- Running independent backups, since Microsoft 365 does not protect your data from accidental deletion or ransomware on its own
- Watching for leaked credentials through dark web monitoring
At 4TC, we work with SMEs across London and Hertfordshire to keep Microsoft platforms secure and well managed, so the tools you are paying for stay switched on and doing their job as the business grows.
Speak to 4TC About Your Microsoft 365 Environment
Want to make sure your Microsoft 365 environment is properly configured and protected? Speak to the 4TC team today. We work with SMEs across London and Hertfordshire to keep Microsoft platforms secure and well managed.

FAQs
- Is Microsoft 365 secure by default?
Not fully. Microsoft 365 includes strong security tools, but many, including MFA and conditional access, stay switched off until someone enables them. Microsoft secures the underlying platform, while the settings inside your tenant are yours to configure. - What security features do most Microsoft 365 for UK businesses leave unused?
The most commonly unused features are enforced MFA on every account, conditional access policies, controlled external sharing, and audit logging. These come included in the licence that most Microsoft 365 for UK businesses already pay for, yet they often sit inactive. - How does dark web monitoring work with Microsoft 365?
Dark web and credential monitoring checks whether your users’ details have appeared in known data breaches. When a leaked password is found, it can be reset before an attacker uses it against your Microsoft 365 accounts, closing a gap the platform cannot see on its own. - Can a managed IT provider help with IT security in London?
Yes, a provider offering IT security in London can audit your tenant, enforce MFA and conditional access, review permissions and add monitoring, then keep everything maintained as your team changes. - Does better Microsoft 365 security mean paying for a higher licence?
Often not. Much of what protects a Microsoft 365 tenant, including MFA and basic conditional access, is already part of the business plans most SMEs hold, so the first step is activating what you have rather than upgrading. A higher tier can be worth it for advanced threat protection or compliance features, but it’s worth confirming what your current licence covers before spending more.



