Share
Author
In this article
Microsoft 365 (also known as Microsoft Office 365) powers productivity for thousands of Australian organisations from bustling Perth start-ups to high-rise offices in Sydney. But every setting left at its default, every unused protocol still active, risks becoming an open door for cyber-attackers.
In FY 2023–24, Australians logged over 87,400 cybercrimes, about one every six minutes, via the ACSC’s ReportCyber service, and 57 percent of critical infrastructure incidents stemmed from compromised credentials.
This guide helps IT managers and business leaders to:
- Get a clear overview of the Microsoft 365’s security features
- Understand the shared responsibility model and how Secure Score keeps you on track
- Work through a 12-point checklist of essential controls
- Adopt simple, ongoing maintenance steps to maintain basic security controls
Tackle these best practices in order, then schedule quarterly cyber security reviews to stay one step ahead of emerging threats.
Microsoft 365 Security
Microsoft 365 (M365) has a suite of cloud services – Exchange, SharePoint, Teams, OneDrive – backed by:
- Azure Active Directory (Entra ID) for identity and access management.
- Microsoft Defender for Office 365 for email and collaboration threat protection.
- Microsoft Purview for data governance and compliance.
- Intune (Endpoint Manager) for device and app management.
But out-of-the-box defaults are not secure by design, which is why implementing security measures within an organisation is crucial. Without it, basic phishing or credential-theft attacks can succeed, data can leak via overshared SharePoint sites, and compromised devices can harbour threats.
Understanding Your Cyber Security Foundation
The Shared Responsibility Model
Microsoft’s role: Secure the global infrastructure, patch timely and maintain the cloud platform.
Your role: Secure identities, data, endpoints and applications within your tenant.
Think of Microsoft as the locked gates around a secure estate – your job is to lock your front door, set your alarm and safeguard your valuables inside.
Plus you need to properly manage global administrator accounts by implementing granular access control, restricting access, enabling multi-factor authentication and implementing audit logging to prevent potential security threats.
Microsoft Secure Score
Secure Score benchmarks your tenant against Microsoft’s best security practices, gives you a score and recommends high-impact controls first.
Use it as a monthly health check: prioritise actions that give you 10+ points, then track progress over time to get a higher score for better security.
12-Point Microsoft 365 Security Checklist
Do these in order and then review quarterly to prevent drift.
1. Enable Multi-Factor Authentication (MFA) for ALL Users Accounts
Requiring user accounts to authenticate with a second factor authentication app stops over 99% of automated attacks.
- How: Turn on Security Defaults in Azure AD for a one-click rollout, or craft conditional access policies requiring MFA for all sign-ins outside your corporate network.
- Tip: Prioritise Global Admins, then enforce tenant-wide within 30 days. Promote the Microsoft Authenticator app for phishing-resistant, push-based approval.
2. Disable Legacy Authentication Protocols
Older protocols (POP3, IMAP, SMTP Auth) bypass MFA and are a favourite backdoor for attackers.
- How: Use Azure AD authentication policies or conditional access to block legacy authentication at the tenant level.
- Action: Identify any essential apps still using legacy protocols and migrate them to modern OAuth flows before blocking.
3. Implement Foundational Email Security (SPF, DKIM, DMARC)
DNS-based standards that verify authorised senders, reducing spoofing and phishing.
- SPF: Publish a record listing approved mail-sending IPs.
- DKIM: Enable cryptographic signing of outbound mail.
- DMARC: Start in “quarantine” mode to analyse reports, then enforce “reject” for unauthorised messages.
These trio of protocols protect your brand and your users from phishing attacks.
4. Configure Microsoft Defender (Advanced Threat Management)
Microsoft Defender’s advanced threat management uses AI-driven tools: Safe Links, Safe Attachments and automated investigation to block malware and phishing in real time, giving you continuous, intelligent protection across your M365 environment.
- Safe Links: Rewrites and scans URLs at click time, blocking malicious redirects.
- Safe Attachments: Opens attachments in a sandbox to detect zero-day malware.
- Anti-Phishing: Enable impersonation protection for top executives and key domains.
Run quarterly Attack Simulator Training phishing campaigns; use results to tailor user training.
5. Establish Conditional Access Policies
Granular “if–then” rules ensure Zero Trust by continuously evaluating access requests based on who is accessing the content and the context.
- Examples:
- Require MFA and compliant devices for Exchange Online from external networks.
- Block access from high-risk countries.
- Process: Exclude a “break-glass” emergency account to avoid self-lockout.
6. Secure Endpoints & Mobile Device Management
Laptops aren’t the only gateway to your data, smartphones and tablets need just as much protection, especially in a BYOD world.
- Device enrolment: Get every corporate and BYOD device enrolled.
- Compliance policies: Enforce BitLocker encryption, minimum OS versions, PIN/biometric unlock.
- App protection: Apply Mobile Application Management (MAM) policies for Office apps to restrict copy-paste and data sharing.
By weaving MDM/MAM controls into your endpoint strategy, you ensure every device, big or small, meets the same security bar before touching your corporate data.
7. Least Privilege Principle
Minimise potential vulnerabilities by ensuring the right people have the right access.
- Role-based Access Control (RBAC): Use built-in Azure AD roles instead of Global Admin wherever possible.
- Privileged Identity Management (PIM): Require approval and time-bound elevation for critical roles.
- Review cadence: Review permissions quarterly; revoke stale or unused privileges.
8. Data Loss Prevention (DLP) Policies
Automatically detect and protect Australian data: TFNs, credit-card numbers, health identifiers.
- Portal: Use the Microsoft Purview Compliance portal to apply pre-built DLP templates for AU-specific data.
- Actions: Show end-user policy tips on rule matches, block external sharing of sensitive content and auto-encrypt documents or emails containing regulated information.
DLP enforces the Privacy Act and reduces data-leak risk by using sensitivity labels to classify and protect data according to its sensitivity.
9. External Sharing & Guest Access
Collaborate without risking data exfiltration.
- SharePoint/OneDrive: Restrict anonymous links to “view only,” or disable them to protect the organisation’s sensitive information.
- Teams: Limit guest invitations to approved domains; review guest accounts regularly and remove inactive or unnecessary guests.
- Monitor: Use Azure AD Access Reviews to automate periodic checks of guest user access.
10. Audit Logs & Alerts
Visibility is the first step to detection.
- Unified Audit Log (UAL): Ensure logging across Exchange, SharePoint online, Azure AD and Microsoft Teams is enabled in Security and Compliance Center to allow administrator accounts to search for actions that could be potentially malicious or violate organisational policy.
- Alert policies: Configure alerts for impossible travel, mass file downloads and suspicious mailbox activity.
- Review: Review alerts weekly; integrate with your SIEM for centralised monitoring.
11. User Security Awareness Training
The ‘human firewall‘ is your first line of defence.
- Phishing simulations: Quarterly campaigns via Attack Simulator, with immediate feedback.
- Micro-learning: Short, task-focused modules on recognising phishing, secure password creation and reporting procedures.
- Culture: Promote a clear “Report Phish” channel in Teams or your Service-Desk portal to make communicating and reporting effortless.
12. Regular Backups
Microsoft 365’s native retention can’t recover from sophisticated ransomware or insider deletion.
- Solution: Deploy a third-party backup tool that covers Exchange, SharePoint, OneDrive and Teams, so you can recover when you need to.
- Schedule: Daily full and incremental backups.
- Testing: Quarterly restore drills to test backup integrity and recovery procedures.
Maintaining a Strong Cyber Security Posture
Security isn’t a project, it’s an ongoing process. To ensure all the basics are covered and to keep up with new attack vectors and Microsoft feature updates, keep these principles front of mind:
Encrypt & Protect Your Data
Encryption underpins all data security in Microsoft 365. Use TLS for email and HTTPS for all web traffic to safeguard data in transit, and BitLocker or Azure Information Protection (AIP) for data at rest.
Store keys in Azure Key Vault so only authorised users can decrypt files. Review your encryption policies quarterly, ensure your sensitivity labels, rights management and automated encryption rules protect sensitive data and remain aligned with evolving business needs and threat trends.
Keep Software & Devices Up-to-Date
Unpatched systems are an open invitation to attackers. Automate patching via Microsoft Endpoint Manager (Intune/Config Mgr) to deploy OS and Office updates as soon as they’re released.
Disable legacy authentication method protocols (IMAP, SMTP, POP) and enforce modern authentication (OAuth + MFA) across all endpoints. Combine update automation with regular log reviews to spot any failed deployments or unusual device activity, and integrate these checks into your change-management process.
Embed & Enforce Security Best Practices
Security isn’t a one-off project—it’s built into every team and process. Schedule quarterly risk assessments and Secure Score reviews, updating your checklist for each new M365 feature release.
Conduct ongoing phishing simulations and cyber awareness training (micro-learning modules) and maintain a clear incident response plan. Enforce robust access controls (least-privilege RBAC, Conditional Access) and layer in Data Loss Prevention and guest-access reviews.
Implement Your 365 Security Action Plan
- Quarterly health checks: Re-run your Secure Score, revisit each checklist item and close any drift.
- Change management: Include security impact assessments for every major tenant change or new service rollout.
- Threat intelligence: Subscribe to the ACSC’s free Alert service and TechBrain’s monthly cyber insights.
By embedding these practices into day-to-day operations, you shift from reactive firefighting to a proactive, resilient cyber security culture.
Don’t “Set & Forget” Your Microsoft 365 Security
Microsoft pours billions into building world-class security tools, but those tools only protect you when they’re properly configured, monitored and maintained. Every missed update, every unchecked policy or drifted configuration risks turning a powerful defence into a hidden vulnerability.
For over 20 years, TechBrain has partnered with ASX-listed enterprises and Government agencies across Australia, helping them transform complex platforms into rock-solid security foundations:
Comprehensive Microsoft 365 Security Assessments
We’ll audit your tenant against industry best practices, uncover hidden gaps and deliver a clear, prioritised roadmap for remediation.
Automated Secure Score Improvement
Using infrastructure-as-code, we configure and enforce high-impact controls, then continuously monitor your Secure Score to prevent drift and demonstrate compliance.
‘Black-Box IT’ Managed Security Services
From 24/7 threat monitoring and incident response to ongoing patch management and policy reviews, with our managed security services we become your silent partner in cyber resilience so you can focus on your core business.
Ready to turn your Microsoft 365 investment into a true cyber security advantage? Talk to your local TechBrain team today and get secure, stay secure.
