Securing Microsoft Business Premium: A Practical Walkthrough
A 7-day sequence to actually use the Microsoft Business Premium security stack you're already paying for: Conditional Access, Defender, Intune, labels, DMARC.
TL;DR
Microsoft 365 Business Premium is the smallest licence that includes the full security stack: Defender for Business, Intune, Conditional Access via Entra ID P1, and Sensitivity Labels. The trouble is, paying for it is not running it. This article walks the seven-day hardening sequence we run on every tenant we inherit. Day 1 turns on the basics. Day 7 leaves you with a documented, monitored baseline that scores well against the CIS Microsoft 365 Foundations Benchmark v3.
What Business Premium includes for security
The reason to choose Business Premium over Business Standard is the security stack. Standard gives you mail, Teams, SharePoint and the desktop Office apps. Premium adds five things that together cover most of what an SME needs to be defensible.
Defender for Business is endpoint protection with EDR-style telemetry, Attack Surface Reduction rules, web content filtering, and automated investigation. Roughly the same engine as Defender for Endpoint Plan 1, with a cleaner SMB-shaped console.
Microsoft Intune handles device management for Windows, macOS, iOS and Android. Configuration profiles, compliance policies that feed into Conditional Access, app protection policies for BYOD. Without Intune, the CA policy that says “require a compliant device” has nothing to evaluate.
Conditional Access via Entra ID P1 is the policy engine that decides who gets in, from where, on what, and under which conditions. P1 covers everything except risk-based policies, which need P2.
Azure Information Protection P1 (Sensitivity Labels) is the labelling, encryption and watermarking layer. Classify a document Confidential and it stays encrypted whether it’s emailed externally or saved to a USB stick.
You also get MFA, Exchange Online Protection, and Defender for Office 365 Plan 1 for Safe Links and Safe Attachments. That’s the toolkit. The work is putting it to use.
Day 1: block legacy auth, turn on MFA, create break-glass accounts
Before any of the clever Conditional Access work, four things have to be true.
Block Legacy Authentication, tenant-wide. Legacy auth (IMAP, POP, SMTP AUTH, old Exchange flows) bypasses MFA entirely. The most common “secured” tenant we inherit has MFA enforced for users but legacy auth still open at the tenant level. The attacker logs in via SMTP AUTH and the MFA prompt never fires. Block it via a Conditional Access policy targeting all users, all cloud apps, matching Exchange ActiveSync clients and Other clients, with an action of Block. Run it in report-only for 48 hours first. There is always one legacy app nobody told you about.
MFA for all users. Turn Security Defaults off. Replace it with named Conditional Access policies. Security Defaults and Conditional Access cannot run side by side.
Break-glass accounts, before you touch anything else. Create two emergency-access global admins, excluded from every CA policy, on FIDO2 hardware keys, with credentials sealed and stored physically by named directors. A CA policy with a typo’d named-locations file will lock the only global admin out at 11pm on a Friday. Break-glass is what you run to.
Day 2: Conditional Access policies that actually move the needle
CA01: Block Legacy Authentication. Live from Day 1.
CA02: Require MFA for All Users. All users, all cloud apps, break-glass excluded. Run report-only for a week. Enforce.
CA03: Require Compliant Device for Sensitive Apps. Targets Office 365. Intune defines what compliant means: encrypted disk, current OS, AV running. Without Day 3’s Intune work, this policy has nothing to grant on.
CA04: Phishing-Resistant MFA for Admins. Targets Global Administrator, Exchange Administrator, SharePoint Administrator, Conditional Access Administrator, Security Administrator. Authentication strength: phishing-resistant MFA. FIDO2 hardware keys or Windows Hello for Business. Push fatigue is how the 2024 Midnight Blizzard breach started.
CA05: Geo-Restrict Admin Sign-Ins. A named location for the countries you operate from. If your business is South Africa plus the UK and an admin logs in from Vietnam at 2am, that is either roaming (rare for an admin) or an attack (likely). Double-check the named-locations CSV: a transposed country code here is the classic 11pm lockout.
CA06: Require App Protection on BYOD Mobile. A personal phone can use Outlook for iOS to read mail, but only inside the Outlook app with PIN required, copy-paste blocked, jailbreak detection on. The phone never enrols in Intune.
Each policy ships in report-only for at least seven days before enforcement.
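The Day 1 legacy-auth block and the six Day 2 policies, expressed as the request bodies the Microsoft Graph Conditional Access API accepts, with a lint for the lockout mistakes described above (break-glass not excluded, a block policy that catches modern clients, a geo policy with an empty exclusion). This is an added example, not the article's or Microsoft's code. The break-glass object IDs and the named-location ID are constructed placeholders; the Global Administrator role template ID and the built-in phishing-resistant authentication strength ID are Entra's fixed values, and the remaining four admin role IDs have to be read from your own tenant.

```python
"""Conditional Access baseline CA01-CA06 as Microsoft Graph policy bodies, with a
lint for the lockout mistakes the walkthrough warns about.

Added example, not the article's or Microsoft's code. Bodies follow the Graph
conditionalAccessPolicy schema (POST /v1.0/identity/conditionalAccess/policies).
IDs marked constructed are placeholders for values from your own tenant.
"""
import json

# Constructed placeholders: object IDs of the two emergency-access accounts.
BREAK_GLASS = ["11111111-1111-1111-1111-111111111111",
               "22222222-2222-2222-2222-222222222222"]
# Constructed placeholder: the named location holding your operating countries.
ALLOWED_COUNTRIES_LOCATION = "33333333-3333-3333-3333-333333333333"
# Built-in role template ID for Global Administrator; append the template IDs of
# the other four admin roles from Entra > Roles and administrators.
ADMIN_ROLES = ["62e90394-69f5-4237-9190-012177145e10"]
# Built-in authentication strength "Phishing-resistant MFA".
PHISHING_RESISTANT = "00000000-0000-0000-0000-000000000004"
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}
REPORT_ONLY = "enabledForReportingButNotEnforced"
ENABLED = "enabled"


def policy(name, state, users, grant, apps=("All",), client_apps=("all",),
           **extra_conditions):
    """Assemble one policy body; break-glass accounts are excluded from all of them."""
    users = dict(users)
    users["excludeUsers"] = sorted(set(users.get("excludeUsers", [])) | set(BREAK_GLASS))
    conditions = {"users": users,
                  "applications": {"includeApplications": list(apps)},
                  "clientAppTypes": list(client_apps), **extra_conditions}
    return {"displayName": name, "state": state,
            "conditions": conditions, "grantControls": grant}


def control(name):
    """Single built-in grant control (block, mfa, compliantDevice, ...)."""
    return {"operator": "OR", "builtInControls": [name]}


def baseline():
    """The six policies: CA01 already enforced, the rest start in report-only."""
    everyone = {"includeUsers": ["All"]}
    admins = {"includeRoles": ADMIN_ROLES}
    return [
        policy("CA01 Block legacy authentication", ENABLED, everyone, control("block"),
               client_apps=sorted(LEGACY_CLIENTS)),
        policy("CA02 Require MFA for all users", REPORT_ONLY, everyone, control("mfa")),
        policy("CA03 Require compliant device for Office 365", REPORT_ONLY, everyone,
               control("compliantDevice"), apps=("Office365",)),
        policy("CA04 Phishing-resistant MFA for admins", REPORT_ONLY, admins,
               {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT}}),
        policy("CA05 Geo-restrict admin sign-ins", REPORT_ONLY, admins, control("block"),
               locations={"includeLocations": ["All"],
                          "excludeLocations": [ALLOWED_COUNTRIES_LOCATION]}),
        policy("CA06 Require app protection on BYOD mobile", REPORT_ONLY, everyone,
               control("compliantApplication"), apps=("Office365",),
               platforms={"includePlatforms": ["iOS", "android"]}),
    ]


def lint(policies):
    """Findings that would lock the tenant out; an empty list means safe to submit."""
    findings = []
    for p in policies:
        name, cond = p["displayName"], p["conditions"]
        if not set(BREAK_GLASS) <= set(cond["users"].get("excludeUsers", [])):
            findings.append(f"{name}: break-glass accounts not excluded")
        blocks = "block" in p["grantControls"].get("builtInControls", [])
        everyone = cond["users"].get("includeUsers") == ["All"]
        if blocks and everyone and not set(cond["clientAppTypes"]) <= LEGACY_CLIENTS:
            findings.append(f"{name}: blocks all users on modern clients (tenant lockout)")
        loc = cond.get("locations", {})
        if blocks and loc.get("includeLocations") == ["All"] and not loc.get("excludeLocations"):
            findings.append(f"{name}: blocks every location, including your own")
    return findings


def enforced(policies):
    """Names of policies not in report-only, to check against the seven-day rule."""
    return [p["displayName"] for p in policies if p["state"] == ENABLED]


if __name__ == "__main__":
    policies = baseline()
    print("lint findings:", lint(policies) or "none")
    print("enforced now:", enforced(policies))
    print(json.dumps(policies[0], indent=2))  # request body for CA01
```

Run the lint before every submission, not just the first: the CA05 check is the "transposed country code" case from the walkthrough, and the clientAppTypes check is what stops a legacy-auth block from silently widening to every client when someone edits the policy later.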
Day 3: Intune and device baselines
Windows enrolment. Autopilot for new hardware. For existing devices, hybrid Entra join or direct Entra ID join after a wipe.
Windows Security Baseline. Intune ships a Windows 10/11 Security Baseline. It applies hundreds of settings: BitLocker on system drive, ASR rules in audit mode, SMB v1 disabled, Credential Guard on, local admin account disabled. Deploy to a pilot ring of five devices first. Watch for the LOB app that breaks because it writes to a registry key the baseline now blocks.
iOS app protection (no enrolment). For BYOD iPhones, App Protection Policy: PIN required, copy-paste blocked, corporate data wiped after 30 days of inactivity, refuses to run on jailbroken devices.
Compliance policies. One per platform. Windows: BitLocker on, Defender sensor running, OS at current N-1. These are what CA03 evaluates against. A real failure mode: a finance user’s laptop falls out of compliance because Windows Update hasn’t pushed yet, CA03 blocks them from Outlook on payroll morning. Stage compliance enforcement after OS rollout, not in parallel.
Day 4: Defender for Business
Tamper Protection on, tenant-wide. Without it, malware running as Local System can disable Defender. Off by default on older tenants.
ASR rules in block mode. The rules that move the needle most: block executable content from email, block Office apps from creating child processes, block code injection into other processes, block Win32 API calls from macros, block credential stealing from lsass.exe, use advanced ransomware protection. Deploy in audit mode for a week first. Rolling ASR straight to block on day one is how you brick a finance team’s macro-driven workbook on quarter-end.
Auto-investigate and remediate: Full. The default is “Semi”, which means alerts pile up unread. Full is the right setting for SMEs without a dedicated SOC.
Web content filtering and network protection on. Blocks outbound connections to known-bad IPs and category-level traffic (gambling, adult, peer-to-peer, malware distribution). No extra licensing cost.
Day 5: sensitivity labels and basic DLP
Three labels. Not seven.
Public. No protection. For marketing material already on the public internet.
Internal (the default). Applied automatically to new mail and documents. No encryption, just a footer marking it Internal Use Only.
Confidential. Encrypted via Microsoft Purview, watermarked, restricted to the originating organisation’s users. A Confidential document forwarded to a personal Gmail is unreadable in Gmail.
Clients who deploy seven-label taxonomies find that users default everything to Internal because the rest is confusing. Three is enough to start. Add a fourth (Restricted, with do-not-forward and 30-day expiry) only if you have a specific requirement: board minutes, payroll, M&A activity.
Basic DLP policy. Block external send when content contains 5+ credit-card numbers, 5+ ID numbers, or anything labelled Confidential. Users learn what’s sensitive at the moment they try to send it.
Day 6: email authentication
SPF. Lists only the senders that legitimately send as your domain. M365’s spf.protection.outlook.com is the baseline. SPF has a 10-DNS-lookup limit that’s easier to hit than people think. Trim ruthlessly.
DKIM. Switch on at selector1 and selector2. M365 rotates the active selector automatically once both CNAMEs are live.
DMARC. Start at p=none with reporting turned on. After two to four weeks of monitoring, move to p=quarantine pct=10, then pct=100, then p=reject. Skipping monitoring is how legitimate mail starts bouncing the day you flip to reject.
The TamingDNS Microsoft 365 DNS audit shows your SPF, DKIM, DMARC, MX, MTA-STS and Autodiscover posture in one click.
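A small checker for the three Day 6 records, added here as an example and not taken from the article or from TamingDNS. It counts SPF DNS lookups the way a receiving MTA does (include, redirect, a, mx, ptr and exists each cost one, recursively), derives the two CNAME targets Microsoft 365 expects for DKIM, and reads a DMARC record to say what the next graduation step is. All zone data is constructed, including an abbreviated stand-in for Microsoft's own SPF record; the CRM and helpdesk names are invented to show how quickly nested includes exhaust the limit of 10.

```python
"""SPF lookup counting, DKIM CNAME targets and DMARC graduation checks.

Added example, not the article's or TamingDNS's code. ZONE is constructed
sample data (the spf.protection.outlook.com contents are abbreviated); replace
lookup_txt() with a real resolver to run it against a live domain.
"""
LOOKUP_LIMIT = 10

# Constructed zone data: one TXT record per name. example.co.za is a typical
# accumulated record; trimmed.example.co.za is the same domain after flattening
# the CRM ranges into ip4 terms and dropping the senders nobody uses.
ZONE = {
    "example.co.za": ("v=spf1 include:spf.protection.outlook.com include:_spf.crm.example "
                      "include:mail.helpdesk.example mx -all"),
    "trimmed.example.co.za": ("v=spf1 include:spf.protection.outlook.com "
                              "ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all"),
    "spf.protection.outlook.com": "v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 ip4:52.100.0.0/14 -all",
    "_spf.crm.example": "v=spf1 include:_spf-a.crm.example include:_spf-b.crm.example ~all",
    "_spf-a.crm.example": "v=spf1 ip4:203.0.113.0/24 a mx -all",
    "_spf-b.crm.example": "v=spf1 include:_spf-c.crm.example -all",
    "_spf-c.crm.example": "v=spf1 ip4:198.51.100.0/24 a -all",
    "mail.helpdesk.example": "v=spf1 a mx include:thirdparty.example -all",
    "thirdparty.example": "v=spf1 redirect=_spf.thirdparty.example",
    "_spf.thirdparty.example": "v=spf1 ip4:192.0.2.0/24 exists:%{i}.check.thirdparty.example -all",
    "_dmarc.example.co.za": "v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc@example.co.za",
}


def lookup_txt(name):
    """Resolver stand-in: return the TXT record for `name`, or None."""
    return ZONE.get(name)


def spf_lookups(domain, _chain=()):
    """Count DNS-querying SPF terms, recursing into include/redirect targets."""
    if domain in _chain:
        return 0  # include loop: stop rather than recurse forever
    record = lookup_txt(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return 0
    count = 0
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("include:"):
            count += 1 + spf_lookups(mech.split(":", 1)[1], _chain + (domain,))
        elif mech.startswith("redirect="):
            count += 1 + spf_lookups(mech.split("=", 1)[1], _chain + (domain,))
        elif mech in ("a", "mx", "ptr") or mech.startswith(
                ("a:", "a/", "mx:", "mx/", "ptr:", "exists:")):
            count += 1  # ip4/ip6/all cost nothing; these each cost a query
    return count


def spf_within_limit(domain):
    return spf_lookups(domain) <= LOOKUP_LIMIT


def dkim_cnames(domain, tenant):
    """Expected DKIM CNAMEs: selectorN._domainkey.<domain> points at
    selectorN-<domain with dots as dashes>._domainkey.<tenant>.onmicrosoft.com."""
    dashed = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}":
            f"selector{n}-{dashed}._domainkey.{tenant}.onmicrosoft.com" for n in (1, 2)}


def parse_dmarc(domain):
    """Return DMARC tags as a dict, or None when no valid record is published."""
    record = lookup_txt(f"_dmarc.{domain}")
    if not record or not record.upper().startswith("V=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_next_step(tags):
    """Next move in the graduation none -> quarantine pct=10 -> pct=100 -> reject."""
    if tags is None:
        return "publish v=DMARC1; p=none with rua= reporting"
    if "rua" not in tags:
        return "add rua= reporting before changing policy"
    p, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    if p == "none":
        return "after 2-4 weeks of clean reports: p=quarantine; pct=10"
    if p == "quarantine" and pct < 100:
        return "p=quarantine; pct=100"
    if p == "quarantine":
        return "p=reject"
    return "at p=reject; keep reading the rua reports"


if __name__ == "__main__":
    for d in ("example.co.za", "trimmed.example.co.za"):
        print(d, "SPF lookups:", spf_lookups(d), "within limit:", spf_within_limit(d))
    print(dkim_cnames("example.co.za", "contoso"))
    print("DMARC next step:", dmarc_next_step(parse_dmarc("example.co.za")))
```

The untrimmed record costs 15 lookups even though it names only three senders, which is why receivers return permerror on it and why trimming means replacing deep includes with the ranges you actually send from.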
Day 7: monitoring and documentation
Alert policies. Switch on at minimum: suspicious email forwarding activity, unusual external user file activity, user restricted from sending email, forwarding rule created, elevated admin role assigned. Route to a monitored shared mailbox. The “user just created a forwarding rule to Gmail” alert is the early warning for account compromise nine times out of ten.
Document the baseline. What’s enabled, why, what changes when, and who’s allowed to change it. CIS Microsoft 365 Foundations Benchmark v3 is the public yardstick; record your score and the date. Six months later, when someone asks “why is this policy like this,” the document answers without an archaeology session in the change log.
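The "forwarding rule to Gmail" alert in code form, so the person reading the shared mailbox can see what the alert is actually keyed on. This is an added example, not the article's or Microsoft's code: it triages audit records in the shape of the Exchange mailbox-audit `AuditData` JSON (Operation, UserId, Parameters) and rates external forwarding as high, and forward-and-delete as critical, because deleting after forwarding hides the compromise from the mailbox owner. The three records and the accepted-domain list are constructed.

```python
"""Triage mailbox-forwarding changes from Microsoft 365 unified audit log records.

Added example, not the article's or Microsoft's code. SAMPLE_RECORDS are
constructed in the shape of Exchange mailbox-audit AuditData JSON; they are not
taken from any real tenant.
"""
import json
import re

INTERNAL_DOMAINS = {"example.co.za"}  # constructed: the tenant's accepted domains

# Constructed sample AuditData payloads: a forward-and-delete rule to a personal
# mailbox, an admin-set internal forward, and a harmless move-to-folder rule.
SAMPLE_RECORDS = [
    json.dumps({"CreationTime": "2024-05-02T06:41:12", "Operation": "New-InboxRule",
                "UserId": "finance@example.co.za", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "fin.backup2024@gmail.com"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-02T09:15:30", "Operation": "Set-Mailbox",
                "UserId": "admin@example.co.za", "ClientIP": "198.51.100.20",
                "Parameters": [{"Name": "Identity", "Value": "sales@example.co.za"},
                               {"Name": "ForwardingSmtpAddress", "Value": "smtp:sales@example.co.za"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-05-02T11:02:05", "Operation": "New-InboxRule",
                "UserId": "ops@example.co.za", "ClientIP": "198.51.100.21",
                "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
]

FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
EMAIL = re.compile(r"[^\s:;\"'<>,]+@[^\s:;\"'<>,]+")


def analyse(record_json):
    """Return a finding dict for a forwarding change, or None for anything else."""
    r = json.loads(record_json)
    if r.get("Operation") not in FORWARDING_OPS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in r.get("Parameters", [])}
    targets = {addr.lower() for key in FORWARD_PARAMS & params.keys()
               for addr in EMAIL.findall(params[key])}
    if not targets:
        return None  # rule or mailbox change that does not forward anything
    external = {a for a in targets if a.split("@", 1)[1] not in INTERNAL_DOMAINS}
    severity = "info"
    if external:
        severity = "high"
        if params.get("DeleteMessage", "").lower() == "true":
            severity = "critical"  # forward-and-delete hides the compromise from the user
    return {"time": r.get("CreationTime"), "user": r.get("UserId"),
            "client_ip": r.get("ClientIP"), "operation": r["Operation"],
            "targets": sorted(targets), "external": bool(external), "severity": severity}


def triage(records):
    """Findings for every record that changed forwarding, most severe first."""
    order = {"critical": 0, "high": 1, "info": 2}
    found = [f for f in (analyse(x) for x in records) if f]
    return sorted(found, key=lambda f: (order[f["severity"]], f["time"]))


if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(f"[{finding['severity']}] {finding['user']} {finding['operation']} "
              f"-> {', '.join(finding['targets'])} (external={finding['external']})")
```

Feed it the `AuditData` column of an audit-log export and the critical line is the one to act on first: reset the credential, revoke sessions, remove the rule, then work out how the account was reached.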
The 7-day sequence at a glance
| Day | Work | Done when |
|---|---|---|
| Day 1 | Block legacy auth, enforce MFA, create two FIDO2-keyed break-glass admins | Legacy auth blocked tenant-wide, break-glass tested |
| Day 2 | CA01–CA06 in report-only, then enforce | All six policies enforced, peer-reviewed |
| Day 3 | Intune Windows baseline, iOS app protection, compliance policies | All devices reporting compliance to CA |
| Day 4 | Defender: tamper protection, ASR rules in block mode, automated remediation | Defender sensor live everywhere, ASR out of audit |
| Day 5 | Three sensitivity labels, DLP policy | Labels visible in Outlook/Word, DLP in enforce mode |
| Day 6 | SPF trimmed, DKIM on, DMARC graduating toward reject | TamingDNS audit shows green across the board |
| Day 7 | Alert policies on, baseline documented | Alerts routed to monitored mailbox, CIS v3 score recorded |
Ongoing cadence
- Monthly: Secure Score, Defender sensor health, patch posture, licence drift.
- Quarterly: Re-read every CA policy, compliance drift, break-glass account test (literally sign in with the FIDO2 key; if it fails, you don’t have break-glass).
- Semi-annually: Full CIS v3 score, written report against the previous score.
- Annually: Cyber-insurance posture review, tenant-wide privilege audit, third-party app consent review.
Get a 60-minute Business Premium hardening review
We log into your tenant read-only, score it against the CIS Microsoft 365 Foundations Benchmark v3, and produce a written scorecard with the top three gaps and the work to close them. One working day of our time. Sixty-minute walk-through meeting. Written findings. No obligation.
Email support@osh.co.za and we’ll respond with a calendar link the same business day.