Microsoft 365 Security Checklist for Australian Businesses (2025)

This is non-negotiable. MFA should be enforced for every user in your organisation — not just admins. Use Microsoft Authenticator (push notifications) as the default method, and avoid SMS-based MFA where possible as it's vulnerable to SIM-swapping attacks.

Conditional Access is Microsoft's intelligent access control — it evaluates every sign-in attempt against a set of conditions before granting access. At minimum, you should block access from high-risk sign-ins, require MFA for all cloud apps, and block legacy authentication protocols (which bypass MFA entirely).

Legacy authentication protocols (Basic Auth, IMAP, POP3, SMTP Auth) don't support MFA — meaning any attacker with a stolen password can bypass your MFA entirely using these protocols. Microsoft has been deprecating them, but they may still be enabled on older tenants. Block them via Conditional Access or Authentication policies.

Microsoft Defender for Business (included in M365 Business Premium) provides endpoint detection and response (EDR) across all your devices. It goes far beyond Windows Defender antivirus — offering behavioural analysis, automated investigation, and threat remediation. It must be actively configured; it doesn't protect you out of the box.

Microsoft Defender for Office 365 includes powerful anti-phishing capabilities that go well beyond basic spam filtering. Enable impersonation protection (which flags emails pretending to be your executives), enable mailbox intelligence, and configure Safe Links and Safe Attachments to scan all incoming email content before delivery.

SPF, DKIM, and DMARC are DNS-based email authentication standards that prevent attackers from spoofing your domain — sending emails that appear to come from your business. Many Australian businesses have SPF configured but are missing DKIM and DMARC, which leaves them vulnerable to domain spoofing attacks that target their clients and suppliers.

By default, SharePoint and OneDrive allow sharing with anyone who has a link — including external users and anonymous access. For most businesses this is far too permissive. Set external sharing to "New and existing guests only" at minimum, disable "Anyone with the link" sharing, and audit existing shared links regularly.

Intune is Microsoft's device management platform — it ensures that only compliant, managed devices can access your M365 data. With Intune, you can enforce encryption (BitLocker), require screen lock PINs, remotely wipe lost or stolen devices, and push security configurations to all devices automatically. This is essential for any business with remote workers or personal devices accessing company data.

Microsoft 365 logs a huge amount of activity — sign-ins, email access, file downloads, admin changes — but audit logging must be explicitly enabled. Without it, you have no forensic trail when something goes wrong. Enable unified audit logging and set your retention period to at least 90 days (180 days recommended for professional services firms).

Global Admin accounts have unrestricted access to your entire M365 environment. There should be no more than 2–4 Global Admin accounts in any organisation, they should never be used for day-to-day work, and they should be protected with phishing-resistant MFA (hardware security keys or certificate-based authentication). Use Privileged Identity Management (PIM) for just-in-time admin access where possible.