SMBs are not secondary targets. According to the Guardz Cybersecurity Report, nearly 50% of U.S. small businesses have been hit by a cyberattack. The 2025 Verizon Data Breach Investigations Report reinforces this reality: SMBs are targeted nearly 4 times as often as large organizations, and BEC, identity attacks, and ransomware are present in 88% of SMB breaches.
Yet most SMBs operate without a dedicated security team, a CISO, or a formalized security program. The gap between the threat they face and the resources they have is not closing – it is widening.
Baseline Security Mode (BSM) is a direct response to that gap. It is not a watered-down enterprise framework or a checkbox compliance tool. It is a structured, opinionated security foundation built specifically for organizations that need protection without complexity.
This article is part of the ‘How-to guide for MSPs’ series.
The Core Problem BSM Solves for SMBs
Every Microsoft 365 tenant ships with the same defaults, and most of those defaults prioritize compatibility over security. That made sense in 2015 when Microsoft needed every legacy Outlook plugin, every ActiveX control, and every IMAP client to keep working. It doesn’t make sense in 2025.
What Changes for SMBs Specifically
Eliminates the #1 Attack Vector – Legacy Auth
The vast majority of SMB compromises we see in ITDR data start with credential stuffing or password spray against legacy protocols (IMAP, POP3, SMTP AUTH, EWS). These protocols:
– Don’t enforce MFA: a password alone grants full mailbox access
– Are enabled by default on most SMB tenants
– Are rarely used legitimately, since most SMB users are on Outlook/OWA (modern auth)
Prevents OAuth Consent Phishing
SMB users routinely click “Accept” on OAuth consent prompts without understanding what permissions they’re granting. Attackers exploit this by creating fake apps that request ‘Mail.Read’, ‘Files.ReadWrite.All’, etc.
Closes Document Attack Paths
SMBs don’t have endpoint security policies blocking ActiveX, DDE, or legacy file formats. BSM’s file protection settings block:
– ActiveX in Office documents (malware dropper)
– DDE in Excel (command execution without macros)
– Legacy formats that exploit memory corruption
– Microsoft Publisher (large attack surface, retiring 2026)
These are the exact vectors used in commodity phishing campaigns targeting SMBs.
Baseline Security Mode
As a Microsoft 365 admin, you can use Baseline Security Mode (BSM) settings to protect and secure your business environment against external threats.
Baseline Security Mode covers key Microsoft 365 services, including:
- Microsoft 365 apps.
- SharePoint and OneDrive.
- Microsoft Teams.
- Exchange Online.
- Entra ID.
Baseline Security Mode puts 18 critical hardening settings behind a single admin center toggle: no PowerShell, no premium licensing, no security expertise required.

The Setting Recommendations
Authentication
- Block new password credentials in apps
- Turn on restricted management user consent settings
- Block access to Exchange Web Services
- Block basic authentication prompts
- Block files from opening with insecure protocols
- Block files from opening with the FPRPC protocol
- Block legacy browser authentication connections to SharePoint
- Block IDCRL protocol connections to SharePoint
- Don’t allow new custom scripts in OneDrive and SharePoint sites
- Remove access to the Microsoft Store for SharePoint
Files
- Open ancient legacy formats in Protected View and disallow editing
- Open old legacy formats in Protected View and save as a modern format
- Block ActiveX controls in the Microsoft 365 apps
- Block OLE Graph and OrgChart objects
- Block Dynamic Data Exchange (DDE) server launch in Excel
- Block Microsoft Publisher
Room Device
- Block unmanaged devices and resource account sign-ins to Microsoft 365 apps
- Don’t allow resource accounts on Teams Rooms devices from accessing Microsoft 365 files
BSM Deployment Cycle for SMBs
A 4-Week Rollout Guide for Microsoft 365 Baseline Security Mode
Microsoft launched Baseline Security Mode (BSM) at Ignite 2025 with 18 hardening settings across Authentication, Files, and Room Devices that every Microsoft 365 tenant should enable.
You can find the dashboard at admin.cloud.microsoft > Baseline Security Mode.
Here’s a practical 4-week rollout that goes from zero-risk quick wins to settings that need a bit of planning.

---
Week 1 – Zero-Impact File Hardening (6 Settings)
These block legacy file features that modern SMBs never use. Enable all on day one, no user disruption expected.
| Setting | What It Does | Why It’s Safe |
|---|---|---|
| Block ActiveX controls in Microsoft 365 apps | Prevents ActiveX from running in Word, Excel, and PowerPoint | ActiveX is a legacy attack vector; modern documents don’t use it |
| Block OLE Graph and OrgChart objects | Disables legacy OLE-based chart and org chart objects | Replaced by SmartArt and modern charts years ago |
| Block Dynamic Data Exchange (DDE) server launch in Excel | Stops Excel from launching external applications via DDE | DDE is a classic malware delivery mechanism with no legitimate use in SMBs |
| Block Microsoft Publisher | Blocks the Publisher application from opening files | Rarely used in SMBs; Publisher files are a common phishing payload format |
| Open ancient legacy formats in Protected View and disallow editing | Forces ancient formats (Office 97 and earlier) into read-only Protected View | If someone sends you a .doc from 1997, you want to inspect it first |
| Open old legacy formats in Protected View and save as modern format | Opens older formats in Protected View and prompts save-as-modern | Nudges users toward secure, modern file formats automatically |
Tip: User communication needed: None. These are silent protections that won’t change anyone’s daily workflow.

---
Week 2 – Legacy Protocol Lockdown (5 Settings)
Block deprecated authentication and file-access protocols. The only risk: a handful of users on very old clients or third-party apps using legacy auth.
| Setting | What It Does | Pre-Check |
|---|---|---|
| Block basic authentication prompts | Stops Office apps from showing basic auth (username/password) prompts | Verify no users rely on basic auth prompts in Office apps |
| Block files from opening with insecure protocols | Prevents Office files from being opened via insecure protocol handlers | Check for apps opening Office files via insecure protocol handlers |
| Block files from opening with FPRPC protocol | Blocks the legacy FrontPage RPC protocol for file access | FPRPC is the legacy FrontPage RPC protocol; extremely unlikely to be in use |
| Block legacy browser authentication connections to SharePoint | Disables legacy browser auth (RPS) to SharePoint Online | Check if anyone uses Internet Explorer or old Edge to access SharePoint |
| Block IDCRL protocol connections to SharePoint | Blocks the legacy client authentication protocol to SharePoint | Legacy client auth; Office 2013 and older clients are affected |
Pre-Deployment Checklist
1. Run sign-in logs for 7 days, looking for legacy authentication client entries
2. If count is zero → enable all five immediately
3. If count is non-zero → identify those users and notify them to update their clients before enabling
Tip: User communication: Brief email, “We’re upgrading SharePoint security this week. If you’re using Office 2013 or older, please update to a current version.”
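The sign-in log check in the Week 2 checklist (and the legacy-protocol point made earlier in the article) can be scripted instead of eyeballed in the portal. The following PowerShell is an added example, not code from the article or from Microsoft: it pulls the last 7 days of Entra sign-ins with `Get-MgAuditLogSignIn` (Microsoft.Graph.Reports module, `AuditLog.Read.All` scope) and groups the ones that used a legacy client by user and protocol, so you know exactly who to notify before flipping the five settings. The `$LegacyClientApps` list is an assumption that mirrors the client labels the Entra sign-in log uses for non-modern-auth protocols; adjust it to what your tenant actually reports. The sample records at the bottom are constructed so the function runs offline.

```powershell
# Added example (not part of the original article): triage Entra sign-in logs
# for legacy authentication clients before enabling the Week 2 BSM settings.
# Requires Microsoft.Graph.Reports and an account with AuditLog.Read.All.

# ASSUMPTION: these are the clientAppUsed labels that indicate legacy/basic auth.
$LegacyClientApps = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services', 'Other clients'
)

function Get-LegacyAuthSignIns {
    # Groups sign-in records by user and legacy client. Accepts objects that carry the
    # Graph signIn property names: UserPrincipalName, ClientAppUsed, AppDisplayName,
    # CreatedDateTime and Status (with ErrorCode; 0 means the sign-in succeeded).
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [string[]] $LegacyApps = $LegacyClientApps
    )
    $SignIns |
        Where-Object { $LegacyApps -contains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $first  = $_.Group[0]
            $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
            [pscustomobject]@{
                User        = $first.UserPrincipalName
                ClientApp   = $first.ClientAppUsed
                Application = $first.AppDisplayName
                Attempts    = $_.Count
                Succeeded   = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
                LastSeen    = $latest.CreatedDateTime
            }
        } | Sort-Object Attempts -Descending
}

# --- Live retrieval: uncomment inside a tenant ---
# Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'
# $since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since"
# Get-LegacyAuthSignIns -SignIns $signIns | Format-Table -AutoSize

# --- Constructed sample records so the function runs offline ---
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example';   ClientAppUsed = 'Browser';            AppDisplayName = 'Office 365 SharePoint Online'; CreatedDateTime = [datetime]'2025-11-01T08:00:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; ClientAppUsed = 'Authenticated SMTP'; AppDisplayName = 'Office 365 Exchange Online';   CreatedDateTime = [datetime]'2025-11-02T09:15:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'scanner@contoso.example'; ClientAppUsed = 'Authenticated SMTP'; AppDisplayName = 'Office 365 Exchange Online';   CreatedDateTime = [datetime]'2025-11-03T09:15:00Z'; Status = @{ ErrorCode = 0 } }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';     ClientAppUsed = 'IMAP4';              AppDisplayName = 'Office 365 Exchange Online';   CreatedDateTime = [datetime]'2025-11-04T22:41:00Z'; Status = @{ ErrorCode = 50126 } }
)

$findings = @(Get-LegacyAuthSignIns -SignIns $sample)
$findings | Format-Table -AutoSize
if ($findings.Count -eq 0) {
    'No legacy auth seen in the window: safe to enable all five Week 2 settings.'
} else {
    $users = ($findings.User | Sort-Object -Unique) -join ', '
    "Notify before enabling: $users"
}
```

Two details worth noting when reading the output: a failed attempt against IMAP4 (non-zero `ErrorCode`, like `bob` in the sample) is a password-spray signal rather than a user dependency, so it is a reason to enable the block sooner, not later; and a service account such as a scanner using Authenticated SMTP is the typical SMB blocker, since the device needs reconfiguring before the setting goes live.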

---
Week 3 – App and Admin Controls (5 Settings)
These change admin-level behaviors. Slightly higher coordination is needed with IT or the MSP managing the tenant.
| Setting | What It Does | Impact |
|---|---|---|
| Block new password credentials in app registrations | Stops new client secrets from being created on app registrations | Existing secrets still work until expiry. Plan migration to certificates. |
| Turn on restricted management user consent settings | Users can no longer grant apps broad permissions; admin approval is required | Expect a few “I need access to this app” tickets in the first week |
| Block access to Exchange Web Services (EWS) | Disables the legacy EWS API endpoint | Breaks legacy EWS integrations (old backup tools, custom scripts). Audit connected apps first. |
| Don’t allow new custom scripts in OneDrive and SharePoint sites | Blocks the Script Editor web part and custom JavaScript | Check if any SharePoint sites rely on custom scripts before enabling |
| Remove access to Microsoft Store for SharePoint | Disables third-party app installs from the SharePoint Store | Low impact for most SMBs; few use the SharePoint app marketplace |
Pre-Deployment Checklist
For blocking app secrets:
- List apps with password credentials and plan migration for each
- Existing secrets continue to work, and this only blocks new secret creation
For restricted user consent:
- Review any pending consent requests in the Entra admin center
- Set up an admin consent workflow so users can request access to new apps
For blocking EWS:
- Audit any backup tool, LOB app, or script that connects to Exchange via EWS
- Each one needs migration to the Microsoft Graph API before you enable this setting
For blocking custom scripts:
- Audit SharePoint sites that allow custom scripts
- Migrate any Script Editor web parts to modern SPFx web parts
Tip: User communication: “Starting this week, new app access requests require IT approval. If an app asks for permissions, submit a request through [your IT process].”
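The first and last items of the Week 3 checklist (listing apps with password credentials, and finding SharePoint sites that allow custom scripts) are the ones most often skipped because they need a script. The PowerShell below is an added example, not code from the article or from Microsoft. It inventories every client secret on every app registration via `Get-MgApplication` (Microsoft.Graph.Applications, `Application.Read.All`) and assigns each one a migration action based on days to expiry; the 30-day threshold is an assumption for planning, and the sample applications are constructed so the function runs offline. The custom-script audit is shown as a commented `Get-SPOSite` query on the real `DenyAddAndCustomizePages` property, where `Disabled` means custom scripts are currently allowed on that site.

```powershell
# Added example (not part of the original article): inventory app registration
# client secrets before enabling "Block new password credentials in apps".
# Requires Microsoft.Graph.Applications and Application.Read.All.

function Get-AppSecretInventory {
    # Flattens application objects (Graph shape: DisplayName, AppId, PasswordCredentials[])
    # into one row per secret with a planning action. $WarnDays is an assumed threshold.
    param(
        [Parameter(Mandatory)] [object[]] $Applications,
        [datetime] $Now = (Get-Date).ToUniversalTime(),
        [int] $WarnDays = 30
    )
    foreach ($app in $Applications) {
        foreach ($cred in @($app.PasswordCredentials)) {
            $daysLeft = [int][math]::Floor(($cred.EndDateTime - $Now).TotalDays)
            if ($daysLeft -lt 0)              { $action = 'Expired: remove the credential' }
            elseif ($daysLeft -le $WarnDays)  { $action = 'Migrate to certificate now (cannot be renewed as a secret once BSM is on)' }
            else                              { $action = 'Schedule certificate migration before expiry' }
            [pscustomobject]@{
                Application = $app.DisplayName
                AppId       = $app.AppId
                SecretName  = $cred.DisplayName
                Expires     = $cred.EndDateTime
                DaysLeft    = $daysLeft
                Action      = $action
            }
        }
    }
}

# --- Live retrieval: uncomment inside a tenant ---
# Connect-MgGraph -Scopes 'Application.Read.All'
# $apps = Get-MgApplication -All -Property AppId,DisplayName,PasswordCredentials
# Get-AppSecretInventory -Applications $apps | Sort-Object DaysLeft | Format-Table -AutoSize
#
# Custom-script audit for the same checklist (SharePoint Online Management Shell):
# Connect-SPOService -Url https://TENANT-admin.sharepoint.com   # TENANT is a placeholder
# Get-SPOSite -Limit All |
#     Where-Object { $_.DenyAddAndCustomizePages -eq 'Disabled' } |   # Disabled = custom scripts allowed
#     Select-Object Url, Owner, Template

# --- Constructed sample applications so the function runs offline ---
$asOf = [datetime]'2025-11-10T00:00:00Z'
$sampleApps = @(
    [pscustomobject]@{ DisplayName = 'Backup-Connector'; AppId = '00000000-0000-0000-0000-000000000001'
        PasswordCredentials = @(
            @{ DisplayName = 'prod-secret';  EndDateTime = [datetime]'2025-11-25T00:00:00Z' }
            @{ DisplayName = 'old-secret';   EndDateTime = [datetime]'2025-06-01T00:00:00Z' }
        ) }
    [pscustomobject]@{ DisplayName = 'HR-Sync'; AppId = '00000000-0000-0000-0000-000000000002'
        PasswordCredentials = @(
            @{ DisplayName = 'sync-secret';  EndDateTime = [datetime]'2026-09-01T00:00:00Z' }
        ) }
    [pscustomobject]@{ DisplayName = 'Cert-Only-App'; AppId = '00000000-0000-0000-0000-000000000003'
        PasswordCredentials = @() }
)

Get-AppSecretInventory -Applications $sampleApps -Now $asOf |
    Sort-Object DaysLeft |
    Format-Table Application, SecretName, DaysLeft, Action -AutoSize
```

The point of sorting by `DaysLeft` is the ordering of the migration work: once BSM blocks new password credentials, a secret that expires next month cannot simply be rotated for another secret, so those apps move to certificate credentials first, and apps with no password credentials at all (like the third sample) need nothing.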

---
Week 4 – Room Devices (2 Settings)
Only applies to tenants with Teams Rooms devices and resource accounts. Skip this week entirely if you don’t have conference room hardware.
| Setting | What It Does | Impact |
|---|---|---|
| Block unmanaged devices and resource account sign-ins to Microsoft 365 apps | Requires a Conditional Access policy targeting resource accounts; unmanaged devices are blocked | Room devices must be enrolled in Intune and marked compliant |
| Don’t allow resource accounts on Teams Rooms devices from accessing Microsoft 365 files | Prevents room accounts from browsing SharePoint and OneDrive | Stops resource accounts from accessing files they shouldn’t need |
Pre-Deployment Checklist
- Inventory all resource accounts and Teams Rooms devices
- Ensure room devices are enrolled in Intune and marked as compliant
Tip: User communication needed: None. This only affects room and resource accounts, not end users.
Rollout Summary
| Week | Category | Settings | Risk Level | Time to Deploy |
|---|---|---|---|---|
| Week 1 | File Hardening | 6 | Zero risk (silent protections) | 15 minutes |
| Week 2 | Legacy Protocols | 5 | Low risk after log check | 1 hour |
| Week 3 | App & Admin Controls | 5 | Moderate (needs an audit first) | 2–4 hours |
| Week 4 | Room Devices | 2 | Conditional (skip if no rooms) | 1–2 hours + monitoring |
| Total | | 18 | | 4 weeks |
TIP: Settings that block things nobody uses go first (Week 1–2). Settings that change how people or apps interact with Microsoft 365 go last (Week 3–4), after auditing current usage.
By the end of Week 4, your tenant hits 18/18 on the BSM dashboard: full compliance with Microsoft’s recommended baseline.
The MSP Angle
ROI: What BSM Actually Saves an SMB
Security ROI is hard to quantify until something goes wrong. Here’s what BSM prevents in real dollars for a typical 50-person SMB.
Cost of a Single Incident (Industry Averages for SMBs)
| Incident Type | Average Cost | BSM Settings That Prevent It |
|---|---|---|
| Business Email Compromise (BEC) | $125,000 per incident | Block EWS, block legacy auth, restrict user consent |
| Ransomware via macro/DDE payload | $165,000 per incident | Block DDE, block ActiveX, Protected View for legacy formats |
| Credential theft via legacy protocol abuse | $50,000 per incident | Block basic auth prompts, block IDCRL, block legacy browser auth |
| Malicious OAuth app consent phishing | $75,000 per incident | Restrict user consent, block app password credentials |
| Data exfiltration via custom SharePoint script | $95,000 per incident | Block custom scripts, remove SharePoint Store access |
Direct Time Savings for MSPs
| Activity | Before BSM | After BSM | Annual Savings (per tenant) |
|---|---|---|---|
| Investigating legacy auth alerts | 2–3 hours/month | Near zero | 30 hours/year |
| Remediating OAuth consent abuse | 4–8 hours/incident, ~2/year | Prevented at source | 12 hours/year |
| Responding to macro/DDE malware | 6–10 hours/incident, ~3/year | Blocked by policy | 24 hours/year |
| Auditing app registrations for leaked secrets | 2 hours/quarter | No new secrets created | 8 hours/year |
| Cleaning up rogue SharePoint scripts | 1–2 hours/quarter | Blocked by policy | 6 hours/year |
| Total MSP time saved | | | ~80 hours/year per tenant |
At an average MSP billing rate of $150/hour, that’s $12,000/year in recovered capacity per tenant: time your team can spend on higher-value work instead of chasing preventable incidents.
The Break-Even Math
| Item | Value |
|---|---|
| Time to deploy BSM (4 weeks, part-time) | ~8 hours total |
| Cost at $150/hour | $1,200 one-time |
| Annual time savings | 80 hours ($12,000) |
| ROI in year one | 10x return |
| Risk reduction (single BEC prevented) | $125,000 avoided loss |
The Bottom Line
BSM is arguably the single most impactful security improvement Microsoft has shipped for SMBs. It takes hardening steps that previously required security expertise and premium licensing, and delivers them as point-and-click toggles available on all M365 plans. An MSP admin can meaningfully reduce their attack surface in under an hour with zero additional cost.
The BSMAssessment tool (PowerShell-based) will be available soon. Meanwhile, you can visit, star, and track the Security Research Labs.