
A critical part of running your business these days is doing so securely. Fortunately, Microsoft 365 gives you a lot of tools to help you do that and it's easy to turn them on.


If criminals get your username and password, or those of someone on your team, they'll try to sign in to your system to see what they can take. Using multifactor authentication makes it much harder for them to get in, even if they do have your username and password.

Tip: Want to know more about multifactor authentication? See What is: Multifactor Authentication.

To confirm multifactor authentication is on:

  1. Go to the Microsoft 365 admin center at

  2. Select Show all to display the additional admin centers, then select Azure Active Directory.

    The admin centers menu in Microsoft 365 with the Azure Active Directory admin center highlighted.

  3. Select Azure Active Directory from the navigation on the left, then Properties.

    The properties item in the Azure Active Directory (AAD) admin center.

  4. Select Manage security defaults from the bottom of the page.

    The Azure Active Directory tenant properties screen with the Manage security defaults link highlighted.

  5. On the panel that opens to the right, turn the security defaults on, then select Save.

    The enable security defaults dialog of the Azure Active Directory properties.

The next time you sign in to Microsoft 365 you'll be prompted to set up the Microsoft Authenticator app as a second factor. It should take just a couple of minutes to download and set up the app on your Android or iPhone. Once it's set up, you're all set. For more details on how to do it, see Set up Security info from a sign-in page.

For regular users it should rarely ask for the second factor when they sign into the device they always sign into. For admin users it may ask a little more often due to the sensitive nature of an admin account.

Phishing messages are often cleverly disguised to look like a message from a person or organization you trust. If you do a lot of business with you're inclined to trust Alex and you might not notice if a message came in from during a busy day.

Microsoft 365 can add a safety tip to that message alerting you that this is a new sender, and that might give you a chance to pause and recognize that this message is from an imposter.

A safety tag on an email message indicating that you don't often receive email from that sender.

To turn on the first contact safety tip:

  1. In your browser sign into

  2. Select the default anti-phishing policy from the list.

  3. Select Edit actions.

    The anti-phishing policy actions panel with an arrow pointing to the Edit actions link.

  4. Select the check box for Show first contact safety tip.

    The anti-phishing actions panel, with the Show first contact safety tip option highlighted.

  5. Select Save.

Microsoft 365 has a set of security features that can help protect your business. To make them easier to turn on, we've packaged them as a set that you can turn on together.

  1. Go to the Microsoft 365 Defender portal ( and sign in.

  2. Under Email & Collaboration go to Policies & Rules > Threat policies > Preset Security Policies in the Templated policies section.

  3. On the Preset security policies page, in the Standard card, select Manage protection settings.

    The preset security policies dialog with the Manage protection settings link under Standard protection highlighted.

  4. The Apply standard protection wizard starts in a flyout. On the Exchange Online Protection page select All recipients. You want these protections to apply to everyone in your business. Then select Next.

    The Apply standard wizard showing the screen where you select which recipients to apply Exchange Online protection to.

  5. Repeat step 4 on the Defender for Office 365 page and select Next.

  6. Next, we'll set up impersonation protection. This makes it harder for criminals to send you malware while pretending to be somebody you trust.

    Tip: Your own addresses or domains hosted in Microsoft 365 are automatically protected so you don't need to add them here.

    On the first screen you can enter the email addresses of people you communicate with regularly. Don't worry about adding all of your contacts here. You can even skip this step if you don't want to add individual contacts right now.

    The second screen is more important. This lets you specify entire domains for Microsoft 365 to watch for. Here you should enter the domain names of people or organizations you message with regularly. 

    The add domains to flag when impersonated by attackers dialog, showing domains being added to the list.

    Important: Type the domain name then select the suggested domain that appears, before clicking Add.

    The final screen of this step asks you to enter any trusted senders that you want to make sure don't get quarantined. It's often best to skip this step unless you know that a particular sender is being falsely quarantined. You can always come back and add senders or domains to this list later.

    Select Next.

  7. Leave the setting at Turn on the policy after I finish so that the settings take effect right away, then select Next.

  8. Review your settings and select Confirm to finish.
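The three settings turned on above (security defaults, the first contact safety tip, and the Standard preset security policy) can also be checked from PowerShell once the portal steps are done. The script below is an added example, not part of the original page; it only reads settings, and it assumes the Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement modules are installed, that the tenant is licensed for Defender for Office 365, and that the account used can read tenant policy.

```powershell
# Added example: read-only audit of the three settings this page turns on.
# Assumptions: Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement
# are installed; the signed-in account may read tenant and mail policy.
Connect-MgGraph -Scopes 'Policy.Read.All'
Connect-ExchangeOnline -ShowBanner:$false

$report = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Pass, $Detail) {
    $report.Add([pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. Security defaults: the tenant-wide switch that enforces MFA registration.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Add-Check 'Security defaults (MFA)' $sd.IsEnabled "IsEnabled = $($sd.IsEnabled)"

# 2. First contact safety tip on the default anti-phishing policy.
$phish = Get-AntiPhishPolicy | Where-Object IsDefault
Add-Check 'First contact safety tip' $phish.EnableFirstContactSafetyTips "Policy '$($phish.Name)'"

# 3. Standard preset policy: one rule for Exchange Online Protection and one
#    for Defender for Office 365. Each must exist and be in state Enabled.
$rules = @{
    'Standard preset (Exchange Online Protection)' = Get-EOPProtectionPolicyRule
    'Standard preset (Defender for Office 365)'    = Get-ATPProtectionPolicyRule
}
foreach ($entry in $rules.GetEnumerator()) {
    $rule = $entry.Value | Where-Object Name -like 'Standard Preset Security Policy*'
    if (-not $rule) { Add-Check $entry.Key $false 'Rule not found'; continue }

    # Recipient conditions on the rule narrow who is protected. The wizard's
    # "All recipients" choice is expected to leave all three lists empty.
    $scoped = @($rule.SentTo) + @($rule.SentToMemberOf) + @($rule.RecipientDomainIs) |
        Where-Object { $_ }
    $detail = if ($scoped) { "Limited to: $($scoped -join ', ')" } else { 'No recipient conditions' }
    Add-Check $entry.Key ($rule.State -eq 'Enabled') "State = $($rule.State); $detail"
}

$report | Format-Table -AutoSize -Wrap

Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null
```

A row with Pass = False, or a preset row whose Detail lists recipient conditions, points back to the matching procedure above.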
