5 Microsoft 365 Settings Every Nonprofit Should Change Today

Microsoft 365 is the backbone of most nonprofit operations. Email, file sharing, Teams meetings, donor spreadsheets — it all runs through M365. And most of you are running it with the default settings Microsoft shipped.

That’s a problem.

The defaults are designed for the broadest possible audience, which means they’re optimized for convenience, not security. Not compliance. Not the specific reality of a 12-person nonprofit handling sensitive client data, donor records, and grant applications.

Here are five settings you should change today. Not next quarter. Today. Each one takes less than 15 minutes, and together they close the gaps that make nonprofits easy targets.


1. Enforce Multi-Factor Authentication (MFA)

What it is: MFA requires a second verification step — usually a code on your phone — when signing in, beyond just your password.

Why it matters: According to Microsoft’s own data, MFA blocks over 99.9% of account compromise attacks. That’s not a typo. Ninety-nine point nine percent. If your nonprofit has email accounts without MFA, you’re running with the front door unlocked.

Nonprofits are targeted more often than you’d think. You handle donor data, financial information, and you often have smaller teams without dedicated security staff. Attackers know this. A compromised email account can be used to redirect wire transfers, steal donor information, or send phishing emails to your entire contact list — from your actual email address.

What to do: Go to the Microsoft 365 admin center > Settings > Org settings > Multifactor authentication. Enable Security Defaults at minimum. If you have Azure AD P1 (included in Microsoft 365 Business Premium), set up Conditional Access policies for tighter control.

The hard truth: Your staff will push back. “It’s annoying.” “I don’t want to use my personal phone.” Get them the Microsoft Authenticator app, give them a 15-minute walkthrough, and hold the line. The inconvenience of MFA is nothing compared to the inconvenience of explaining a data breach to your board.
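An added example of the Conditional Access route from the "What to do" step above (not FIT's own script): it creates a tenant-wide "require MFA" policy with the Microsoft Graph PowerShell SDK, starting in report-only mode so you can check the sign-in log before enforcing it. It assumes an Azure AD P1 tenant, the Graph SDK installed, and a placeholder object ID for your emergency-access account; Security Defaults must be switched off before Conditional Access policies can be enforced, because the two are mutually exclusive.

```powershell
# Added example: require MFA for every user with a Conditional Access policy.
# Assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph)
# and an Azure AD P1 licence (included in Business Premium).
# Security Defaults and Conditional Access cannot both be on: turn Security
# Defaults off in the admin center before enforcing this policy.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access ("break-glass") account.
# Excluding it means a misconfigured policy cannot lock every admin out.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all users"
    # Report-only first: sign-ins are evaluated and logged but not blocked.
    # Switch to "enabled" once the sign-in log shows no surprises.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Enforce it after reviewing the report-only results:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```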


2. Lock Down External Sharing in SharePoint and OneDrive

What it is: By default, SharePoint and OneDrive allow users to share files and folders with anyone — including people outside your organization — via anonymous links. Anyone with the link can access the file. No sign-in required.

Why it matters: We’ve seen it happen. A staff member shares a folder with a partner org using an “Anyone with the link” setting. That link gets forwarded. Six months later, your internal budget documents are accessible to people you’ve never heard of, and nobody remembers creating the share.

Nonprofits collaborate constantly — with partner orgs, funders, contractors, volunteers. That’s exactly why you need guardrails on how files leave your environment.

What to do: Go to the SharePoint admin center > Policies > Sharing. Change the external sharing level from “Anyone” to “New and existing guests” at minimum. This means external users have to authenticate before they can access shared files. You can also set link expiration dates (30 days is a good starting point) and disable the ability to share entire site collections externally.

Pro tip: You don’t have to block external sharing entirely. That would cripple collaboration. Just require that external users sign in. It adds accountability without killing workflows.
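The same sharing change as the admin-center steps above, done with the SharePoint Online Management Shell; this is an added example, not FIT's script, and it assumes the `Microsoft.Online.SharePoint.PowerShell` module is installed and that "contoso" stands in for your tenant name. It audits which sites currently allow "Anyone" links before tightening the tenant so you know who to warn.

```powershell
# Added example: move tenant-wide external sharing from "Anyone" links to
# "New and existing guests" (externals must sign in) and expire guest access.
# Assumes Install-Module Microsoft.Online.SharePoint.PowerShell; replace "contoso".
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current settings before changing anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired

# Sites that currently allow "Anyone" links (ExternalUserAndGuestSharing).
# Their owners are the people whose forwarded links will stop working.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability

# ExternalUserSharingOnly = "New and existing guests": no anonymous links,
# every external recipient authenticates. Site-level settings can only be
# stricter than the tenant, so this caps every site at once.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30 `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# Confirm the change took effect.
Get-SPOTenant | Select-Object SharingCapability, ExternalUserExpireInDays
```

`RequireAnonymousLinksExpireInDays` only matters if "Anyone" links are ever re-enabled; `ExternalUserExpireInDays` is what gives guest access the 30-day expiry the section recommends.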


3. Claim Your Nonprofit Pricing (You Might Be Overpaying)

What it is: Microsoft offers deeply discounted — and in some cases free — Microsoft 365 licenses to eligible nonprofits through the Microsoft Nonprofits program. Many organizations either don’t know this exists or signed up years ago and never checked if they’re on the best plan.

Why it matters: Here’s the breakdown that surprises most people:

A 15-person nonprofit paying retail for Business Premium is spending $3,960/year. With nonprofit pricing, that drops to $990. That’s nearly $3,000 back in your budget. For a small nonprofit, that’s a part-time contractor or a program expansion.

What to do: Visit nonprofit.microsoft.com and verify your eligibility. You’ll need your EIN and proof of nonprofit status. If you’re already verified, log into the Microsoft 365 admin center and check your current licenses under Billing > Licenses. Compare what you’re paying to the nonprofit rates.

Common miss: Organizations that were set up by a volunteer or a board member’s nephew five years ago often aren’t on nonprofit licensing because nobody knew to ask. It takes about 30 minutes to apply and a few days for Microsoft to verify. There’s no reason not to check.


4. Block Auto-Forwarding Rules to External Addresses

What it is: Microsoft 365 allows users to create inbox rules that automatically forward all incoming email to an external address. Attackers use this to silently siphon email data after compromising an account.

Why it matters: This is one of the sneakiest attack vectors in M365. Here’s how it works: An attacker gets into a staff member’s account (usually because MFA wasn’t enabled — see #1). They don’t send phishing emails right away. Instead, they quietly create a forwarding rule that sends a copy of every incoming email to an external Gmail or Outlook.com address. Then they log out. The staff member never notices. The attacker now receives every email — donor communications, financial reports, board discussions — for weeks or months before anyone catches it.

We’ve seen this in the wild with nonprofits. It’s not theoretical.

What to do: In the Exchange admin center, go to Mail flow > Rules. Create a transport rule that blocks auto-forwarding to external domains. The rule should apply to all users and reject messages with a notification explaining why. You can whitelist specific external addresses if you have a legitimate need for forwarding.

Alternatively, if you’re on Business Premium or E3/E5, you can configure this through outbound spam policies in Microsoft Defender for Office 365.

After setting this up: Run a one-time audit of existing forwarding rules. In Exchange admin center, go to each mailbox’s mail flow settings and check for existing forwarding rules. Remove anything that isn’t explicitly approved.
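Both the block and the one-time audit from this section, as an added example (not FIT's own tooling) using the ExchangeOnlineManagement module. It assumes you are a Global or Exchange admin and that the tenant still has its default outbound spam policy and remote domain; the audit writes a CSV you can review before removing anything.

```powershell
# Added example: block auto-forwarding to external addresses, then audit the
# forwarding that already exists. Assumes Install-Module ExchangeOnlineManagement.
Connect-ExchangeOnline

# 1. Outbound spam policy: "Off" rejects auto-forwarded mail to external
#    recipients with an NDR, regardless of how the forward was created.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Also disable auto-forward on the default remote domain (the older control).
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. Mail flow rule with an explanatory rejection, as the section describes.
#    Add -ExceptIfSentTo / -ExceptIfFrom for any approved external forwards.
New-TransportRule -Name "Block external auto-forward" `
    -MessageTypeMatches AutoForward `
    -SentToScope NotInOrganization `
    -RejectMessageReasonText "Automatic forwarding to external addresses is blocked. Contact IT for an approved exception." `
    -Priority 0

# 4. One-time audit: inbox rules that forward/redirect, plus mailbox-level
#    forwarding set on the mailbox itself. Remove anything not explicitly approved.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$findings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Kind    = "InboxRule"
                Name    = $_.Name
                Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join "; "
            }
        }
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Kind    = "MailboxForwarding"
            Name    = "DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward)"
            Target  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        }
    }
}
$findings | Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation
$findings | Format-Table -AutoSize

# Once a rule is confirmed unauthorized:
# Remove-InboxRule -Mailbox user@yourorg.org -Identity "<rule name>"
```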


5. Set Up Retention Policies for Compliance

What it is: Retention policies control how long your organization keeps email, Teams messages, SharePoint files, and OneDrive data — and what happens when the retention period expires.

Why it matters: Nonprofits face unique compliance pressures. Grant-funded programs often require you to retain records for 3-7 years after the grant period ends. If you’re in healthcare or social services, you may have HIPAA or state-level data retention requirements. And if you ever face an audit or legal discovery, “we deleted that” is not the answer your attorney wants to give.

Without retention policies, your data lifecycle is governed by whoever happens to hit the delete key. That’s not a policy — that’s chaos.

What to do: In the Microsoft Purview compliance portal (compliance.microsoft.com), go to Data lifecycle management > Retention policies. Create policies that match your actual compliance requirements.

Important nuance: Retention policies in M365 are “retain and then delete” or “retain only.” For most nonprofits, “retain only” for the compliance period is the safer choice. You don’t want automated deletion of records you might need for an audit.

What you need: Retention policies beyond the basic tier require at least an Office 365 E3 license or the Microsoft 365 compliance add-on. Check your licensing before configuring — this is another reason nonprofit pricing matters (see #3).
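An added example (not FIT's script) of the "retain only" choice this section recommends, built with Security & Compliance PowerShell for a hypothetical 7-year grant record-keeping requirement. It assumes the ExchangeOnlineManagement module, a compliance role, and the licensing noted above; Teams messages get a companion policy because they cannot share a retention policy with Exchange, SharePoint and OneDrive locations.

```powershell
# Added example: a retain-only (no automatic deletion) policy for a 7-year
# record-keeping requirement. Assumes Install-Module ExchangeOnlineManagement.
Connect-IPPSSession

# New-RetentionComplianceRule takes the duration in days.
$sevenYears = 7 * 365

# The policy picks the locations; the rule picks duration and end-of-period action.
New-RetentionCompliancePolicy -Name "Grant records - retain 7 years" `
    -Comment "Retain only. Review with the board before changing to delete." `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All

# RetentionComplianceAction:
#   Keep          = "retain only" (the safer choice; nothing is auto-deleted)
#   KeepAndDelete = "retain and then delete"
#   Delete        = delete when the period ends, no retention
New-RetentionComplianceRule -Name "Grant records - keep 7 years" `
    -Policy "Grant records - retain 7 years" `
    -RetentionDuration $sevenYears `
    -RetentionComplianceAction Keep `
    -ExpirationDateOption ModificationAgeInDays

# Companion policy for Teams chats and channel messages, same retain-only behaviour.
New-RetentionCompliancePolicy -Name "Grant records - Teams - retain 7 years" `
    -TeamsChannelLocation All `
    -TeamsChatLocation All
New-RetentionComplianceRule -Name "Grant records - Teams keep 7 years" `
    -Policy "Grant records - Teams - retain 7 years" `
    -RetentionDuration $sevenYears `
    -RetentionComplianceAction Keep

# Check the action reads Keep, not KeepAndDelete, before walking away.
Get-RetentionComplianceRule -Policy "Grant records - retain 7 years" |
    Select-Object Name, RetentionDuration, RetentionComplianceAction
Get-RetentionComplianceRule -Policy "Grant records - Teams - retain 7 years" |
    Select-Object Name, RetentionDuration, RetentionComplianceAction
```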


The Bigger Picture

None of these settings are exotic. They’re not cutting-edge. They’re the digital equivalent of locking your doors, checking your smoke detectors, and making sure your insurance is current. Basic operational hygiene that most nonprofits skip because nobody told them it mattered.

At FIT, we think about this as the difference between back-office peace and frontline chaos. Your team should be focused on mission delivery — not wondering whether that shared link is still floating around the internet or whether your email is being silently forwarded to a stranger.

Back-Office Peace. Frontline Support. That’s what getting the basics right looks like.


Need a Hand?

If you’re a nonprofit running Microsoft 365 and you’re not sure where your settings stand, we’ll do a quick review at no cost. No sales pitch — just a clear picture of where you are and what to prioritize.

Contact FIT or email matt@flowerinsidertechnologies.com.
