If your business runs on Microsoft 365 — and most small manufacturers in Northwest Arkansas do — you may be under the impression that Microsoft is handling your security. After all, you’re paying for a reputable platform from one of the largest technology companies in the world.
The reality is more complicated. Microsoft provides the tools; it’s up to you (or your IT partner) to configure them correctly. Out of the box, Microsoft 365 is optimized for ease of use, not security. That gap has cost manufacturers everywhere dearly — through ransomware infections, business email compromise, and compliance failures.

This post covers the most critical Microsoft 365 security settings that NWA manufacturers should address, why default configurations fall short, and how to build a more secure M365 environment without disrupting daily operations.
Why Microsoft 365 Is a Prime Target for Attackers
Microsoft 365 is the world’s most widely used business productivity platform. That ubiquity makes it an attractive target. Attackers know the platform intimately — they know which default settings are weak, which admin portals are publicly accessible, and how to exploit misconfigured accounts.
For manufacturers, the risk is compounded. You may have:
- A mix of office and plant floor users with varying levels of digital literacy
- Shared devices on the production floor where employees log in and out quickly
- Third-party vendors who need access to files or email
- Compliance obligations tied to customer contracts or industry regulations
A single compromised Microsoft 365 account can give an attacker access to email, SharePoint files, OneDrive data, Teams conversations, and more. For small manufacturers without dedicated IT staff, detection can take weeks.
What “Default” Microsoft 365 Actually Gets You
When you set up a Microsoft 365 tenant without customizing security settings, here’s what you typically have:
| Feature | Default State | Risk |
|---|---|---|
| Multi-Factor Authentication | Off for most plans | Account takeover via stolen passwords |
| Legacy Authentication Protocols | Enabled | Bypasses MFA entirely |
| Admin Role Separation | Single Global Admin | Full tenant exposure if one account is compromised |
| External File Sharing | Unrestricted | Data leakage to outside parties |
| Email Auto-Forwarding | Allowed | Business email compromise goes undetected |
| Audit Logging | Off in some plans | No visibility into who accessed what |
| Safe Links / Safe Attachments | Off | Malicious links and files reach users |
Most small manufacturers are operating with most or all of these gaps open. Closing them doesn’t require expensive add-ons in most cases — it requires correct configuration.
The Critical Security Settings to Address First
1. Enable Multi-Factor Authentication for Every User
This is non-negotiable. MFA prevents the vast majority of account takeover attacks, even when passwords are compromised through phishing or data breaches. Microsoft reports that MFA blocks over 99% of automated account attacks.
How to do it: Use Microsoft’s Security Defaults (free, built into all M365 plans) to enforce MFA across your tenant. For more granular control, Conditional Access policies (available in M365 Business Premium and above) let you require MFA based on location, device, or risk level.
For plant floor employees who share devices, consider Microsoft Authenticator push notifications or hardware tokens rather than SMS codes — SMS can be intercepted, and shared device environments make app-based MFA more practical.
2. Block Legacy Authentication Protocols
Legacy authentication protocols — things like basic authentication used by older email clients — don’t support MFA. An attacker who obtains a password can use these protocols to bypass your MFA requirements entirely.
Unless you have very old systems that depend on them, block legacy authentication at the tenant level. This is done through Conditional Access policies or by enabling Security Defaults. Audit your environment first to identify any legacy clients before flipping the switch.
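The audit-then-enforce sequence from sections 1 and 2, as an added example written for this post rather than taken from it or from Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK and assumes a Business Premium-class tenant (Entra ID P1 for Conditional Access and sign-in log access) and an admin with the listed scopes; the break-glass object ID and the policy names are placeholders. Both policies are created in report-only mode so you can see what they would have blocked before switching them on.

```powershell
# Added example (not from the original post): audit legacy sign-ins, then stage
# Conditional Access policies for MFA and legacy-auth blocking in report-only mode.
# Assumes the Microsoft Graph PowerShell SDK, Entra ID P1 (included in Business
# Premium) and an account with the scopes below. The break-glass ID is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All","Directory.Read.All"

$BreakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: object ID of your break-glass account

# --- Step 1: find legacy authentication still in use (last 30 days) ---
# Modern clients report 'Browser' or 'Mobile Apps and Desktop clients'; anything else
# (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients) is legacy.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") }

$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
# Fix or retire every client listed here before moving the block policy to "enabled".

# --- Step 2: require MFA for all users, excluding the break-glass account ---
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# --- Step 3: block legacy authentication protocols ---
$legacyPolicy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client types
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Tenants without Conditional Access can turn on Security Defaults instead
# (the two are mutually exclusive, so pick one):
# Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
```

Leave the policies in report-only mode for a week or two, review the "Report-only" results in the Entra sign-in logs, and only then flip `state` to `enabled`. Keep the break-glass exclusion on both policies; it is the account you fall back to if a Conditional Access mistake locks every other admin out.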
3. Restrict External Sharing in SharePoint and OneDrive
By default, Microsoft 365 allows users to share files with anyone who has a link — no Microsoft account required. For manufacturers handling sensitive drawings, specs, pricing, or customer data, this is a significant exposure.
Recommended settings:
- Set external sharing to “Existing guests only” or “Only people in your organization” for most SharePoint sites
- Require expiration dates on shared links
- Enable sharing notifications so admins are alerted when files go external
- Create a dedicated external collaboration site with tighter monitoring if you do need to share files with vendors or customers regularly
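The sharing settings recommended above, applied with the SharePoint Online Management Shell, as an added example that is not part of the original post. The tenant name, site URLs and the notification mailbox are placeholders; the day counts are starting values to tune. It records the current state first so the change can be reviewed or reverted.

```powershell
# Added example (not from the original post): tighten SharePoint/OneDrive external
# sharing with the SharePoint Online Management Shell. Tenant name, site URLs and the
# notification mailbox are placeholders; expiry values are starting points.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state so the change can be reviewed (and reverted) later.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired,
    BccExternalSharingInvitations | Format-List

# Tenant-wide baseline: existing guests only, internal links by default, expiring guest
# access, and a BCC copy of every external sharing invitation to the admin mailbox.
# (RequireAnonymousLinksExpireInDays only matters if "Anyone" links are ever re-enabled;
# it is set here so a later relaxation still produces expiring links.)
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30 `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60 `
              -BccExternalSharingInvitations $true `
              -BccExternalSharingInvitationsList "security-alerts@contoso.com"

# Sites holding drawings, specs and pricing: internal only.
# (A site can never be more permissive than the tenant setting above.)
foreach ($url in @("https://contoso.sharepoint.com/sites/Engineering",
                   "https://contoso.sharepoint.com/sites/Quoting")) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# One dedicated vendor-collaboration site keeps external sharing, at the tenant limit.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/VendorExchange" `
            -SharingCapability ExistingExternalUserSharingOnly

# Review: which sites can still share externally? This list should be short and deliberate.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object Url | Format-Table -AutoSize
```

Run the final query monthly; sharing settings drift as people create new sites, and a site that quietly moved back to external sharing is exactly the kind of change that goes unnoticed without a review.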
4. Disable Auto-Forwarding of Email
Business email compromise (BEC) is one of the most financially damaging attack types targeting small businesses. A common tactic: attackers compromise a mailbox, set up an auto-forward rule to an external address, and silently monitor email for weeks — reading quotes, invoices, and payment discussions before striking.
Block auto-forwarding at the transport rule level so no user (or attacker) can set up external forwarding without admin approval. This is a quick configuration in the Exchange admin center.
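A hunt for forwarding that already exists, followed by the transport rule described above, as an added example written for this post (not the author's script and not from Microsoft's documentation). It assumes the ExchangeOnlineManagement module and an Exchange Administrator; the rule name and rejection text are assumptions. Checking for existing forwarding first matters because a transport rule stops future messages from leaving but does not tell you whether a mailbox has already been quietly mirrored.

```powershell
# Added example (not from the original post): find existing forwarding, then block
# external auto-forwarding with a transport rule. Assumes the ExchangeOnlineManagement
# module and Exchange Administrator rights; rule name and rejection text are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# --- Step 1: mailbox-level forwarding (set via admin center or PowerShell) ---
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# --- Step 2: inbox rules that forward or redirect (the BEC persistence tactic above) ---
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                RuleName = $_.Name
                Enabled  = $_.Enabled
                Targets  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join "; "
            }
        }
}
$findings | Format-Table -AutoSize   # confirm each rule with the mailbox owner before removing it

# --- Step 3: transport rule that rejects auto-forwarded mail leaving the organization ---
# MessageTypeMatches AutoForward catches both mailbox forwarding and inbox-rule forwards.
New-TransportRule -Name "Block external auto-forwarding" `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted. Contact IT if you need an exception." `
    -Priority 0

# Defense in depth: the outbound spam policy can also refuse automatic forwarding.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Any rule the hunt surfaces that the mailbox owner did not create is an incident, not a cleanup item: reset the password, revoke sessions, and review the audit log for that account before deleting the rule.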
5. Enable Defender for Office 365 Features
If you’re on Microsoft 365 Business Premium (or have Defender for Office 365 Plan 1 or 2), make sure these features are actively configured:
- Safe Links: Rewrites URLs in email and Teams messages to check them at click-time against Microsoft’s threat intelligence
- Safe Attachments: Detonates email attachments in a sandbox before delivering them to users
- Anti-phishing policies: Sets thresholds for detecting impersonation attacks targeting your executives or domain
These features are included in Business Premium but must be enabled and configured — they don’t protect you in their default state.
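Creating the three policies above with Exchange Online PowerShell, as an added example that is not part of the original post or Microsoft's own guidance. It requires Defender for Office 365 Plan 1 or 2 (included in Business Premium); the domain, executive names and addresses are placeholders, and the actions and threshold are starting points rather than recommended values for every tenant.

```powershell
# Added example (not from the original post): create Safe Links, Safe Attachments and
# anti-phishing policies with Exchange Online PowerShell. Requires Defender for
# Office 365 Plan 1 or 2. Domain, names and addresses are placeholders; the actions
# and threshold are starting points to tune.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = "contoso.com"

# Safe Links: rewrite and check URLs at click time in email, Teams and Office, with no
# user click-through past a warning page.
New-SafeLinksPolicy -Name "SafeLinks-Standard" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "SafeLinks-Standard" -SafeLinksPolicy "SafeLinks-Standard" -RecipientDomainIs $domain

# Safe Attachments: detonate in a sandbox and block messages carrying malicious files.
New-SafeAttachmentPolicy -Name "SafeAttachments-Standard" -Enable $true -Action Block
New-SafeAttachmentRule -Name "SafeAttachments-Standard" -SafeAttachmentPolicy "SafeAttachments-Standard" -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for named executives and your own domains,
# plus mailbox intelligence for the contacts users actually correspond with.
New-AntiPhishPolicy -Name "AntiPhish-Standard" -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Doe;jane.doe@contoso.com", "John Roe;john.roe@contoso.com") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @("bigcustomer.example") `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2   # 1 = Standard ... 4 = Most aggressive
New-AntiPhishRule -Name "AntiPhish-Standard" -AntiPhishPolicy "AntiPhish-Standard" -RecipientDomainIs $domain

# Verify: each rule should exist and report State = Enabled.
Get-SafeLinksRule      | Select-Object Name, State
Get-SafeAttachmentRule | Select-Object Name, State
Get-AntiPhishRule      | Select-Object Name, State
```

The `-RecipientDomainIs` scoping is what actually turns a policy on for users; a policy with no rule protects nobody, which is the usual reason these features "exist" in a tenant but never fire.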
6. Audit and Restrict Admin Roles
Many small businesses have one or two people with Global Administrator access — the keys to the entire kingdom. If either account is compromised, an attacker can do anything: reset passwords, disable MFA, exfiltrate data, or lock everyone out.
Best practices:
- Create dedicated admin accounts used only for administration (not daily email/browsing)
- Apply MFA with Conditional Access to all admin accounts, with stricter requirements than regular users
- Use least-privilege roles — an Exchange admin doesn’t need SharePoint admin rights
- Enable Privileged Identity Management (PIM) in Azure AD if available, so elevated access must be activated just-in-time with approval instead of standing permanently
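A role audit that supports the practices above, as an added example written for this post (not the author's tooling). It uses the Microsoft Graph PowerShell SDK, lists the members of every activated directory role, and flags Global Administrator sprawl; the `admin-` naming convention for dedicated accounts and the thresholds are assumptions to adjust for your tenant.

```powershell
# Added example (not from the original post): report every activated directory role and
# its members, then flag Global Administrator problems. Assumes the Microsoft Graph
# PowerShell SDK; the "admin-" naming convention and the thresholds are assumptions.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# Get-MgDirectoryRole returns roles that have been activated in the tenant; PIM-eligible
# (not yet activated) assignments do not appear here and need a separate PIM review.
$report = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $name = $m.AdditionalProperties["userPrincipalName"]
        if (-not $name) { $name = $m.AdditionalProperties["displayName"] }   # groups, service principals
        [pscustomobject]@{
            Role   = $role.DisplayName
            Member = $name
            Type   = ($m.AdditionalProperties["@odata.type"] -replace "#microsoft.graph.", "")
            Id     = $m.Id
        }
    }
}
$report | Sort-Object Role, Member | Format-Table -AutoSize

$globalAdmins = @($report | Where-Object Role -eq "Global Administrator")
Write-Host ("Global Administrators: {0}" -f $globalAdmins.Count)

# Microsoft's guidance is fewer than five Global Admins; two is the practical floor
# so that one lost password or departed employee cannot lock the tenant.
if ($globalAdmins.Count -gt 4) {
    Write-Warning "More than four Global Admins; move day-to-day tasks to least-privilege roles (Exchange, SharePoint, User Administrator)."
}
if ($globalAdmins.Count -lt 2) {
    Write-Warning "Fewer than two Global Admins; add a break-glass account before you need one."
}

# Dedicated admin accounts should not be anyone's daily mailbox. Flag GA users whose
# UPN does not follow the assumed admin-* convention (adjust the pattern to yours).
$globalAdmins |
    Where-Object { $_.Type -eq "user" -and $_.Member -notlike "admin-*" } |
    ForEach-Object { Write-Warning "Global Admin on a non-dedicated account: $($_.Member)" }
```

Keep the output of this report with each quarterly access review; the diff between two runs is a much faster read than the full list and shows exactly which privileged assignments appeared or disappeared.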
7. Turn On Unified Audit Logging
Audit logging captures who did what, when, across your Microsoft 365 environment — logins, file access, email reads, admin changes, and more. Without it, you have no visibility if something goes wrong.
Enable unified audit logging in the Microsoft Purview compliance portal. Retention periods vary by plan (90 days on standard plans, up to a year on higher tiers). If you have compliance requirements, consider extending retention through third-party log management tools.
A Practical Approach for NWA Manufacturers
Most small manufacturers don’t have a dedicated IT security team. That’s normal. Here’s a realistic approach:
Phase 1 — Quick Wins (Week 1)
- Enable Security Defaults or enforce MFA via Conditional Access
- Block legacy authentication protocols
- Disable external auto-forwarding at the transport rule level
- Enable unified audit logging
Phase 2 — Configuration Hardening (Weeks 2–4)
- Review and restrict SharePoint/OneDrive external sharing settings
- Configure Safe Links and Safe Attachments policies
- Audit admin accounts and remove unnecessary Global Admin assignments
- Create dedicated break-glass admin accounts with hardware-key MFA
Phase 3 — Ongoing Monitoring
- Set up alert policies for suspicious activity (mass file downloads, logins from unusual countries, failed MFA attempts)
- Review audit logs monthly or engage an MSP to do it for you
- Run quarterly access reviews to catch stale accounts and over-privileged users
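Section 7 (turning on unified audit logging) and the Phase 3 review above share one toolset, so here is a single added example covering both; it is written for this post and is not the author's script. It uses the ExchangeOnlineManagement module, confirms audit ingestion is enabled, and runs three of the reviews mentioned above over the last seven days: mass file downloads, failed sign-ins per account, and inbox-rule changes. The thresholds and the seven-day window are assumptions to tune for your tenant.

```powershell
# Added example (not from the original post): confirm unified audit logging is on, then
# run a weekly/monthly review over the unified audit log. Assumes the
# ExchangeOnlineManagement module; thresholds and the time window are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# --- Step 1: unified audit log ingestion (section 7) ---
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit logging enabled; events take a few hours to start appearing."
}

$end   = Get-Date
$start = $end.AddDays(-7)

# Helper: pull all records for a set of operations. One call returns at most 5000
# records, so ReturnLargeSet with a session ID pages through larger result sets.
function Get-AuditRecords {
    param([string[]]$Operations)
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operations `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $page
    } while ($page.Count -eq 5000)
}

# --- Hunt 1: mass file downloads from SharePoint/OneDrive (data staging before exfil) ---
Get-AuditRecords -Operations "FileDownloaded" |
    Group-Object UserIds |
    Where-Object Count -ge 200 |
    Select-Object @{n="User";e={$_.Name}}, @{n="Downloads";e={$_.Count}} |
    Sort-Object Downloads -Descending | Format-Table -AutoSize

# --- Hunt 2: repeated failed sign-ins per account (password spraying, MFA fatigue) ---
Get-AuditRecords -Operations "UserLoginFailed" |
    Group-Object UserIds |
    Where-Object Count -ge 20 |
    Select-Object @{n="User";e={$_.Name}}, @{n="Failures";e={$_.Count}} |
    Sort-Object Failures -Descending | Format-Table -AutoSize

# --- Hunt 3: inbox rules created or changed that forward, redirect or delete mail ---
# (Rules edited from Outlook desktop log as "UpdateInboxRules" with a different
# AuditData layout and are not parsed here.)
Get-AuditRecords -Operations "New-InboxRule","Set-InboxRule" |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When    = $_.CreationDate
            Mailbox = $_.UserIds
            Op      = $_.Operations
            Params  = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " "
        }
    } |
    Where-Object { $_.Params -match "ForwardTo|ForwardAsAttachmentTo|RedirectTo|DeleteMessage" } |
    Format-Table -AutoSize
```

Because standard plans keep only 90 days of audit data, schedule this (or an MSP's equivalent) to run at least monthly and export the results; a review that happens once a quarter can already have lost the first weeks of an intrusion.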
The Business Case for Getting This Right
For NWA manufacturers, a Microsoft 365 breach can mean more than lost data. It can mean:
- Production disruption if plant floor systems or ERP integrations are affected
- Customer notification obligations if sensitive data is exposed
- Contractual liability if you handle data for defense, automotive, or aerospace customers with specific security requirements
- Insurance complications if a breach occurs and your M365 environment wasn’t reasonably hardened
Many cyber insurance policies now explicitly ask whether MFA is enforced for all users and whether legacy authentication is blocked. Answering “no” can increase premiums or void coverage.
What Microsoft 365 Business Premium Gets You
If you’re on Microsoft 365 Business Basic or Business Standard, you have some security tools but meaningful gaps — particularly around Defender for Office 365, Intune device management, and Azure AD Premium features.
Microsoft 365 Business Premium closes most of those gaps for smaller organizations and is priced for businesses under 300 users. For most NWA manufacturers, it’s the right balance of cost and capability. A qualified IT partner can help you assess whether your current plan is sufficient for your threat profile and compliance obligations.
Don’t Set It and Forget It
Microsoft 365 is a living environment. New users get added, old accounts go stale, sharing settings drift, and Microsoft itself continues to change default behaviors. Security in M365 isn’t a one-time project — it’s an ongoing discipline.
A managed IT partner who specializes in manufacturing can monitor your M365 environment continuously, respond to alerts, and keep your configuration aligned with current best practices — without pulling your internal team away from production.
Ready to lock down your Microsoft 365 environment? Get in touch.