MVT Systems — Managed IT, Microsoft 365 & Cybersecurity South Africa

Microsoft 365 Security Baseline Checklist for SMEs

The minimum every Microsoft 365 tenant should have in place — written for South African SMEs, with the trade-offs called out.


Microsoft 365 ships with sensible defaults but loose ones. The baseline below is what we apply to every tenant we take on. None of it is exotic. All of it is the difference between a forgettable Tuesday and a board-level incident.

Identity

  • MFA enforced for every user — see why MFA alone is not enough.
  • Legacy authentication blocked at tenant level.
  • Conditional Access baseline policies in place.
  • Self-service password reset and password protection enabled.
  • Risk-based sign-in and user risk policies enabled.

Admin separation

  • Dedicated admin accounts, not used for email or browsing.
  • Global Admins reduced to a handful, ideally via PIM.
  • Phishing-resistant MFA (FIDO2 / Windows Hello) for admins.
  • Break-glass account documented, monitored and tested.

Mail flow & mailbox hygiene

  • External auto-forwarding blocked.
  • Mail flow rules audited — no attacker-created exceptions.
  • Anti-phish, anti-spam and anti-malware policies tightened from defaults.
  • SPF, DKIM and DMARC enforced.
  • Safe Links and Safe Attachments enabled for Defender for Office 365 customers.

Audit & visibility

  • Unified audit log enabled (it isn't by default in older tenants).
  • Mailbox auditing enabled per mailbox.
  • Sign-in logs and audit logs retained or shipped to Microsoft Sentinel.
  • Secure Score tracked monthly, with movement explained.
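Several of the mail-flow and audit items above can be verified from Exchange Online PowerShell rather than clicked through in the portal. The script below is an added example, not MVT's own tooling; it assumes the ExchangeOnlineManagement module is installed, that you have already run Connect-ExchangeOnline with a read-only admin role, and that $Domain is a placeholder for one of your accepted domains.

```powershell
# Added example: read-only baseline checks for mail flow and audit settings.
# Assumes an existing Connect-ExchangeOnline session. $Domain is a placeholder.
$Domain   = 'example.co.za'
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Control, $Ok, $Detail) {
    $Findings.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Ok; Detail = $Detail })
}

# Audit & visibility: unified audit log ingestion and mailbox auditing on by default.
$aal = Get-AdminAuditLogConfig
Add-Finding 'Unified audit log' $aal.UnifiedAuditLogIngestionEnabled "UnifiedAuditLogIngestionEnabled=$($aal.UnifiedAuditLogIngestionEnabled)"
$org = Get-OrganizationConfig
Add-Finding 'Mailbox auditing default' (-not $org.AuditDisabled) "AuditDisabled=$($org.AuditDisabled)"

# Mail flow: external auto-forwarding blocked at tenant level (remote domain + outbound spam policy).
$rd = Get-RemoteDomain Default
Add-Finding 'Remote domain auto-forward' (-not $rd.AutoForwardEnabled) "AutoForwardEnabled=$($rd.AutoForwardEnabled)"
$osp = Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.IsDefault }
Add-Finding 'Outbound auto-forward mode' ($osp.AutoForwardingMode -eq 'Off') "AutoForwardingMode=$($osp.AutoForwardingMode)"

# Mail flow: transport rules that redirect or copy mail deserve a named owner for each one.
$fwdRules = Get-TransportRule | Where-Object {
    $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients
}
Add-Finding 'Transport rules that forward' (@($fwdRules).Count -eq 0) ('Rules: ' + ((@($fwdRules) | ForEach-Object Name) -join ', '))

# Mailbox hygiene: mailbox-level forwarding and inbox rules that forward or redirect.
$mbx    = Get-Mailbox -ResultSize Unlimited
$mbxFwd = $mbx | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress }
Add-Finding 'Mailbox-level forwarding' (@($mbxFwd).Count -eq 0) ('Mailboxes: ' + ((@($mbxFwd) | ForEach-Object PrimarySmtpAddress) -join ', '))
$ruleFwd = foreach ($m in $mbx) {   # one call per mailbox; fine for SME-sized tenants
    Get-InboxRule -Mailbox $m.PrimarySmtpAddress | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object { "$($m.PrimarySmtpAddress):$($_.Name)" }
}
Add-Finding 'Inbox rules that forward' (@($ruleFwd).Count -eq 0) ('Rules: ' + (@($ruleFwd) -join ', '))

# Mail authentication: DKIM signing enabled in the tenant, SPF and DMARC published in DNS.
$dkim  = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
Add-Finding 'DKIM signing' $dkim.Enabled "Enabled=$($dkim.Enabled)"
$spf   = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings | Where-Object { $_ -like 'v=spf1*' }
$dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings | Where-Object { $_ -like 'v=DMARC1*' }
Add-Finding 'SPF record published' $spf "$spf"
Add-Finding 'DMARC policy enforced' ($dmarc -match 'p=(quarantine|reject)') "$dmarc"

$Findings | Format-Table -AutoSize
```

A Pass of False is a finding to assign an owner and an SLA to, not a verdict on its own; the Detail column carries the value to put in the ticket.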

Endpoint & data

  • Defender for Endpoint deployed (or equivalent EDR).
  • Intune compliance and configuration policies enforced.
  • OneDrive Known Folder Move enabled for ransomware resilience.
  • Sensitivity labels for confidential and restricted data.
  • Microsoft 365 backup independent of the tenant.

Process

  • Joiner / mover / leaver process documented and followed.
  • Quarterly access review of privileged groups and external guests.
  • Annual tabletop exercise covering a tenant compromise scenario.

How MVT runs this

Our Microsoft 365 support practice deploys this baseline as a one-off engagement or as the starting point for ongoing managed services. Every finding is mapped to a fix, an owner and an SLA.

Book a Microsoft 365 baseline review →
