SecureLoop
Microsoft 365 · 12 min read

Microsoft 365 Security Checklist for Australian Small Business (2026)

Microsoft 365 does not secure itself: beyond the baseline Security Defaults, the controls that matter have to be deliberately configured. These are the 10 settings every Australian small business should configure, aligned to the ACSC Essential Eight and sorted by impact.

SecureLoop Team
Want your personalised score first?

Take our free M365 security check — 8 questions, 2 minutes, personalised risk score with your biggest vulnerabilities and a prioritised fix list.

Why this matters for Australian businesses in 2026

Microsoft 365 is how most Australian businesses operate — email, file storage, collaboration, and identity management on a single platform. That centralisation is powerful. It is also a single point of failure if security is misconfigured.

The Australian Signals Directorate's Annual Cyber Threat Report 2023–24 recorded over 87,400 cybercrime reports, roughly one every six minutes. The average self-reported cost per report for small businesses was $49,600, up 8% on the previous year, and email compromise and business email compromise fraud were the most-reported cybercrimes for businesses. Microsoft 365 is the primary target because it holds both the email and the identity those attacks depend on.

The point most businesses miss: Microsoft 365 does not secure itself. A new tenant gets Security Defaults (MFA registration for everyone and legacy authentication blocked) plus basic spam filtering, and that is roughly it. Conditional Access, Defender for Office 365 policies, forwarding and sharing restrictions, DKIM and DMARC, and consent controls all have to be configured deliberately, and Security Defaults is frequently switched off the first time someone needs an exception. Out of the box, M365 is a capable platform that can be made secure, but it is not secure as delivered.

The checklist — sorted by impact

These 10 settings are ordered by security impact. If you can only do three things today, do the first three.

1. Enforce MFA for every user — not just admins

Microsoft's own figure is that MFA blocks more than 99.9% of account-compromise attacks. The majority of M365 compromises use valid credentials, stolen through phishing, purchased from criminal marketplaces, or reused from third-party breaches; MFA makes a password on its own useless. One caveat: MFA is not a complete answer to phishing. Attacker-in-the-middle kits that relay the whole sign-in can capture a push approval or a code, so phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business) are the next step, starting with admin accounts.

“All users” means exactly that: every account, including the person who only logs in once a month. The account you skip is the one attackers find. Two special cases: shared mailboxes should have sign-in blocked altogether rather than be given MFA, and any service account that genuinely cannot do MFA belongs in its own Conditional Access policy restricted to known IP addresses until it can be replaced.

Where: on Business Basic or Standard, Entra admin centre → Identity → Overview → Properties → Manage security defaults (MFA for everyone, no per-user configuration). On Business Premium, use Conditional Access (Entra admin centre → Protection → Conditional Access) for granular control. The per-user MFA page under Microsoft 365 Admin Centre → Users → Active users → Multi-factor authentication is the legacy method and should not be mixed with Conditional Access.

Essential Eight alignment: Multi-factor authentication — Maturity Level 1 requires MFA for all users accessing internet-facing services.

2. Disable legacy authentication protocols

Basic authentication, the plain username-and-password mechanism used by older clients speaking IMAP, POP3, SMTP AUTH, EWS and ActiveSync, predates MFA. A client using it cannot complete an MFA challenge, so unless a Conditional Access policy explicitly blocks these “legacy authentication clients”, a stolen username and password is enough to read a mailbox, MFA or not. Conditional Access does see these sign-ins; it simply will not stop them unless you tell it to.

Microsoft switched Basic Authentication off for most Exchange Online protocols in 2022–23, but SMTP AUTH can still be enabled per mailbox, and tenants that turn off Security Defaults in order to use Conditional Access lose the legacy-auth block that came with it. Unless you have a specific line-of-business application that still needs it (increasingly rare in 2026), block legacy authentication explicitly and turn SMTP AUTH off at the tenant level, re-enabling it only on the one mailbox a scanner or printer uses.

Where: Entra admin centre → Protection → Conditional Access → create a policy targeting all users and all cloud apps, with client apps set to Exchange ActiveSync clients and Other clients, and the grant control set to Block. Run it in report-only mode and check the sign-in logs (filter on legacy authentication clients) for a few days first so you know what will break. SMTP AUTH: Exchange Admin Centre → Settings → Mail flow → Turn off SMTP AUTH protocol for your organisation.

3. Restrict Global Admin to a few dedicated accounts

Global Admin accounts are the highest-value target for any attacker. A compromised Global Admin can access every mailbox, every file, every Teams conversation, and every connected application. Most small businesses have 3–5 accounts with Global Admin — the IT person, the owner, the office manager, and whoever set it up originally.

Keep Global Admin to two to four dedicated accounts. Microsoft's guidance is fewer than five, and never just one: a second account, ideally a cloud-only break-glass account excluded from Conditional Access, is what gets you back in when MFA or a policy misfires. Admin accounts are used only for administration, never for daily email and Teams, and daily-use accounts never carry admin roles. People who only need to reset passwords or manage mailboxes get the scoped roles (User Administrator, Exchange Administrator, Helpdesk Administrator), not Global Admin.

Where: Entra admin centre → Roles & admins → Global Administrator → view members, or Microsoft 365 Admin Centre → Users → Active users → filter by admin role. Remove Global Admin from any account that is also used for daily work.
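An added example (not SecureLoop's tooling) of auditing this with the Microsoft Graph PowerShell SDK: it lists every member of the Global Administrator role and flags accounts that look like daily-use identities. The naming convention for dedicated and break-glass accounts (adm-, breakglass-) is an assumption; substitute your own.

```powershell
# Added example, not SecureLoop's tooling: list Global Administrators and flag daily-use accounts.
# Requires Install-Module Microsoft.Graph and a reader role (Global Reader is enough).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","Directory.Read.All" -NoWelcome

# The Global Administrator directory role is always activated in a tenant, so the lookup always succeeds.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    # Role members can be users, groups or service principals; only user objects are reviewed here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,DisplayName,AccountEnabled,AssignedLicenses
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        Enabled           = $u.AccountEnabled
        # A licensed Global Admin almost always has a mailbox and Teams, i.e. it is a daily-use account.
        Licensed          = ($u.AssignedLicenses.Count -gt 0)
        # Assumed naming convention: dedicated admin accounts start with "adm-", break-glass with "breakglass-".
        LooksDedicated    = ($u.UserPrincipalName -match '^(adm|breakglass)-')
    }
}

$report | Sort-Object Licensed -Descending | Format-Table -AutoSize

$count = @($report).Count
if ($count -gt 4) { Write-Warning "$count Global Administrators; aim for 2-4 dedicated accounts and move the rest to scoped roles." }
if ($count -lt 2) { Write-Warning "Only $count Global Administrator; a second, break-glass account avoids a lockout." }
$report | Where-Object { $_.Licensed -and -not $_.LooksDedicated } | ForEach-Object {
    Write-Warning "Review: $($_.UserPrincipalName) holds Global Admin on what looks like a daily-use account."
}
```

This reads active role assignments only; if the tenant uses Privileged Identity Management, eligible assignments need a separate check in the Entra admin centre.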

4. Configure Conditional Access policies

Conditional Access goes beyond MFA by adding contextual controls: who is accessing what, from where, on what device, at what risk level. If your team only operates in Australia, block sign-ins from other countries. If you use managed devices, require device compliance before granting access. Treat a location policy as a speed bump rather than a wall (attackers can rent Australian IP addresses), so it sits on top of MFA, never in place of it.

Conditional Access requires Microsoft Entra ID P1 (formerly Azure AD Premium P1), which is included in Microsoft 365 Business Premium; Business Basic and Standard get Security Defaults only. This is one of the most compelling reasons to upgrade. Two rules save a lot of grief: create every policy in report-only mode and read the sign-in log for a few days before enforcing it, and exclude your break-glass account from every policy.

Essential Eight alignment: multi-factor authentication (policies can require MFA and, at higher maturity levels, phishing-resistant methods) and restrict administrative privileges (admin roles can be required to sign in from compliant devices). Conditional Access is not application control; that strategy concerns which executables may run on endpoints.
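An added example (not SecureLoop's tooling) that creates the three Conditional Access policies items 1, 2 and 4 describe via the Microsoft Graph PowerShell SDK, all in report-only mode and all excluding a break-glass account. The break-glass UPN breakglass-01@contoso.com.au, the named location "Australia" and the policy names are assumptions for the example.

```powershell
# Added example, not SecureLoop's tooling: MFA for all, block legacy auth, block sign-in from outside Australia.
# Requires Install-Module Microsoft.Graph and Microsoft Entra ID P1 (Business Premium).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

# Assumption: a cloud-only emergency-access account exists and is excluded from every policy below.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass-01@contoso.com.au'"
if (-not $breakGlass) { throw "Create the break-glass account first; never enable a block/MFA policy without one excluded." }

# Assumption: a country named location "Australia" exists (Conditional Access > Named locations).
$auLocation = Get-MgIdentityConditionalAccessNamedLocation -Filter "displayName eq 'Australia'"
if (-not $auLocation) { throw "Create the named location 'Australia' first." }

# Shared scope: every user except break-glass, every cloud app.
$allUsersAllApps = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
    applications = @{ includeApplications = @("All") }
}

$policies = @(
    @{  # Item 1: MFA for everyone. Report-only first; set state to "enabled" after reviewing the sign-in log.
        displayName   = "CA001 - Require MFA for all users"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $allUsersAllApps + @{ clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # Item 2: legacy auth. "other" = basic-auth IMAP/POP/SMTP AUTH/old Office clients; they cannot do MFA, so Block.
        displayName   = "CA002 - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $allUsersAllApps + @{ clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # Item 4: geography. Defence in depth on top of CA001, not a replacement for it.
        displayName   = "CA003 - Block sign-in from outside Australia"
        state         = "enabledForReportingButNotEnforced"
        conditions    = $allUsersAllApps + @{
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @("All"); excludeLocations = @($auLocation.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    # Idempotent: do not create a second copy if the policy already exists by name.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'"
    if ($existing) { Write-Host "Exists: $($p.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($created.DisplayName) [$($created.State)]"
}
```

Security Defaults and Conditional Access are mutually exclusive, so Security Defaults must be turned off before these policies can be enabled; do that only once CA001 and CA002 are ready to switch from report-only to enabled, otherwise the tenant spends the gap with neither MFA enforcement nor a legacy-auth block.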

5. Block external email auto-forwarding

After compromising a mailbox, attackers commonly set up forwarding rules to silently copy all incoming email to an external address. The user never notices — the emails still arrive in their inbox, but a copy goes to the attacker. This is how business email compromise attacks exfiltrate sensitive information and monitor communications for months.

Block all auto-forwarding to external domains at the tenant level. The outbound spam filter policy's “Automatic forwarding” setting defaults to “Automatic - System-controlled”, which currently means blocked, but set it to Off explicitly so a future default change cannot reopen it. If a legitimate business need exists for specific users, create a narrow exception (a custom outbound spam policy scoped to those users) rather than leaving it open for everyone, and make sure the built-in alert policy “Creation of forwarding/redirect rule” is on so new rules are flagged to an admin.

Where: Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Anti-spam → Anti-spam outbound policy (Default) → Automatic forwarding rules: Off. A mail flow rule in the Exchange Admin Centre (Mail flow → Rules) that blocks messages of type Auto-forward to external recipients is a second, belt-and-braces layer.
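An added example (not SecureLoop's tooling) using the ExchangeOnlineManagement module. It checks and sets the tenant switch, then hunts the two places forwarding hides in a compromised tenant: mailbox-level forwarding and inbox rules that forward or redirect to an address outside your accepted domains.

```powershell
# Added example, not SecureLoop's tooling: find every automatic path for mail to leave the tenant.
# Requires Install-Module ExchangeOnlineManagement and Exchange Administrator rights.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-level switch. "Automatic" (system-controlled) currently means Off; set Off explicitly.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Mailbox-level forwarding (set by an admin, or by the user under Outlook settings).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect externally: the classic BEC persistence mechanism.
$acceptedDomains = (Get-AcceptedDomain).DomainName
$suspect = foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            # Rule targets render as 'Display Name [SMTP:user@domain]'; pull out the address.
            if ($t -match 'SMTP:([^\]]+)\]') {
                $addr   = $Matches[1]
                $domain = $addr.Split('@')[-1]
                if ($acceptedDomains -notcontains $domain) {
                    [pscustomobject]@{
                        Mailbox     = $mbx.UserPrincipalName
                        Rule        = $r.Name
                        Enabled     = $r.Enabled
                        ExternalTo  = $addr
                        # Attackers often pair forwarding with delete/move so the victim never sees the replies.
                        DeletesMail = $r.DeleteMessage
                    }
                }
            }
        }
    }
}
$suspect | Format-Table -AutoSize
```

Anything this lists is either a documented exception or an incident; there is no third category. Walking every mailbox with Get-InboxRule is slow on large tenants but takes minutes for a small business.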

6. Enable Defender for Office 365

Exchange Online Protection (included with all M365 plans) blocks commodity spam and known malware. Targeted spear-phishing, especially now that attackers use generative AI to write convincing lures, and never-before-seen malicious attachments get past it. Defender for Office 365 adds Safe Links (rewrites URLs and checks them at time of click, not only at delivery), Safe Attachments (detonates attachments in a sandbox before delivery), and impersonation protection in the anti-phishing policy that detects mail pretending to come from your CEO, your finance lead or your own domain.

Licensed tenants get a baseline “Built-in protection” preset for Safe Links and Safe Attachments, but impersonation protection does nothing until it is given the names and addresses to protect, and the tighter Standard and Strict preset policies do nothing until you turn them on and assign them to users. Having the licence is not the same as having the protection.

Where: Microsoft Defender portal → Email & collaboration → Policies & rules → Threat policies → Preset security policies (turn on Standard protection), then Anti-phishing → the default policy → Impersonation.
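An added example (not SecureLoop's tooling) with the ExchangeOnlineManagement module: it shows whether the preset policies are actually enforced, then switches on impersonation protection in the default anti-phishing policy. The protected names, addresses and the domain contoso.com.au are assumptions.

```powershell
# Added example, not SecureLoop's tooling: verify preset policy state and enable impersonation protection.
# Requires Install-Module ExchangeOnlineManagement and a Defender for Office 365 Plan 1 licence (Business Premium).
Connect-ExchangeOnline -ShowBanner:$false

# Preset rules only exist once Standard/Strict has been turned on; an empty result means neither is.
"--- preset policy rules (State = Enabled means enforced) ---"
Get-ATPProtectionPolicyRule -ErrorAction SilentlyContinue | Select-Object Name, State, Priority
Get-EOPProtectionPolicyRule -ErrorAction SilentlyContinue | Select-Object Name, State, Priority

# Assumed people attackers would impersonate; format is "Display Name;email". Keep the list short and current.
$protectedUsers = @(
    "Jane Citizen;jane.citizen@contoso.com.au",   # managing director
    "Sam Lee;sam.lee@contoso.com.au"              # pays the invoices
)

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect $protectedUsers -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true `
    -EnableFirstContactSafetyTips $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2   # 1 = standard, 4 = most aggressive; 2 is a sane start for a small tenant

"--- default anti-phishing policy after change ---"
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" | Select-Object Name, Enabled,
    EnableTargetedUserProtection, EnableOrganizationDomainsProtection, EnableMailboxIntelligenceProtection, PhishThresholdLevel
```

Quarantine rather than “move to Junk” is deliberate: a lookalike CEO email in the junk folder still gets read and acted on; a quarantined one needs an admin to release it.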

7. Configure DMARC, DKIM, and SPF

These three DNS-based controls together stop attackers spoofing your domain to send fraudulent email that appears to come from your business. Without them, anyone can send email that looks like it came from your domain (to your clients, your suppliers, or your staff) and the receiving server has no basis to reject it.

SPF (a TXT record on the domain) declares which servers may send email for your domain; for Microsoft 365 that is v=spf1 include:spf.protection.outlook.com -all, plus any third-party service (accounting, marketing, ticketing) that sends on your behalf. DKIM adds a cryptographic signature to outgoing mail; Microsoft 365 only signs with your custom domain once you enable DKIM for it and publish the two selector CNAME records. DMARC (a TXT record at _dmarc.yourdomain) tells receiving servers what to do when neither SPF nor DKIM passes with a domain that aligns with the visible From address: none (report only), quarantine, or reject. Roll DMARC out in that order, starting at p=none with a rua= reporting address, and move to reject only once the reports show every legitimate sender passing. Jumping straight to reject with a third-party sender missing from SPF is the classic way to break your own invoice emails.
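An added example (not SecureLoop's tooling) that checks SPF, DKIM and DMARC for a domain the way a receiving server would, using only Resolve-DnsName (the DnsClient module on Windows). It goes a little beyond the text by evaluating the DMARC tags (p, pct, rua) rather than just checking the record exists. The domain contoso.com.au is an assumption.

```powershell
# Added example, not SecureLoop's tooling: report what a receiving mail server sees for SPF, DKIM and DMARC.
function Test-MailAuthRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string[]] $DkimSelectors = @("selector1", "selector2")   # the two selectors Microsoft 365 uses
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # SPF: exactly one v=spf1 TXT record, including Microsoft's senders, ending in a hard fail.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" })
    if ($spf.Count -ne 1) { $findings.Add("SPF: expected 1 record, found $($spf.Count); receivers treat multiple records as a permanent error") }
    elseif ($spf[0] -notmatch "include:spf\.protection\.outlook\.com") { $findings.Add("SPF: missing include:spf.protection.outlook.com, so Microsoft 365 itself fails SPF") }
    elseif ($spf[0] -notmatch "\s-all$") { $findings.Add("SPF: ends in '$($spf[0] -replace '^.*\s','')' rather than -all (hard fail)") }

    # DKIM: Microsoft publishes the key in the tenant's onmicrosoft.com zone; the custom domain needs a CNAME per selector.
    foreach ($s in $DkimSelectors) {
        $cname = @(Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq "CNAME" })
        if ($cname.Count -eq 0) { $findings.Add("DKIM: no CNAME for $s._domainkey.$Domain; enable DKIM for the domain in the Defender portal and publish the CNAMEs") }
        elseif ($cname[0].NameHost -notlike "*.onmicrosoft.com") { $findings.Add("DKIM: $s points at $($cname[0].NameHost), not a Microsoft 365 key") }
    }

    # DMARC: p=none only reports; quarantine or reject is what actually stops spoofed mail being delivered.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
    if (-not $dmarc) { $findings.Add("DMARC: no record at _dmarc.$Domain; anyone can spoof this domain and receivers have no policy to apply") }
    else {
        $tags = @{}
        foreach ($kv in ($dmarc -split ";")) {
            $k, $v = ($kv.Trim() -split "=", 2)
            if ($k) { $tags[$k.Trim()] = if ($v) { $v.Trim() } else { "" } }
        }
        switch ($tags["p"]) {
            "reject"     { }
            "quarantine" { $findings.Add("DMARC: p=quarantine; move to p=reject once reports show only legitimate senders") }
            default      { $findings.Add("DMARC: p=$($tags['p']) gives no protection; it only generates reports") }
        }
        if (-not $tags.ContainsKey("rua")) { $findings.Add("DMARC: no rua= address, so you never learn who is sending as your domain") }
        if ($tags["pct"] -and [int]$tags["pct"] -lt 100) { $findings.Add("DMARC: pct=$($tags['pct']) applies the policy to only part of the mail") }
    }

    [pscustomobject]@{ Domain = $Domain; SPF = $spf[0]; DMARC = $dmarc; Findings = $findings.ToArray() }
}

Test-MailAuthRecords -Domain "contoso.com.au" | Format-List
```

Run it for every domain you send from, including the ones that only exist for redirects: a parked domain with no mail at all still needs SPF v=spf1 -all and a DMARC reject policy, otherwise it is free for anyone to spoof.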

8. Restrict external sharing in SharePoint and OneDrive

The default M365 setting allows anyone in your organisation to share any file with anyone outside the organisation — including sensitive client data, financial documents, and internal communications. Most businesses discover this only after a data incident.

Restrict external sharing to authenticated guests (or to specific users), and make “Specific people” the default link type so a careless click cannot create an “Anyone” link. At minimum, disable “Anyone” links: whoever holds the link can open the file, with no sign-in and no record of who did. If a business case for anonymous links exists for one site, relax that site alone and give the links an expiry.

Where: SharePoint Admin Centre → Policies → Sharing → set the external sharing level for SharePoint and OneDrive, and under File and folder links set the default link type and permission.
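An added example (not SecureLoop's tooling) using the SharePoint Online Management Shell: it reads the tenant sharing settings, shows the weak defaults beside the corrected baseline, and applies the latter. The tenant name contoso and the 60-day guest expiry are assumptions.

```powershell
# Added example, not SecureLoop's tooling: apply a small-business external sharing baseline at tenant level.
# Requires Install-Module Microsoft.Online.SharePoint.PowerShell and SharePoint Administrator rights.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$props = "SharingCapability","DefaultSharingLinkType","DefaultLinkPermission",
         "PreventExternalUsersFromResharing","ExternalUserExpirationRequired","ExternalUserExpireInDays"

"--- before ---"
Get-SPOTenant | Select-Object $props

# Weak defaults a new tenant typically shows:
#   SharingCapability      = ExternalUserAndGuestSharing   "Anyone" links allowed: no sign-in, no record of who opened
#   DefaultSharingLinkType = AnonymousAccess               the Share button defaults to an "Anyone" link
#
# Corrected baseline:
#   ExternalUserSharingOnly            authenticated guests only; "Anyone" links can no longer be created
#   Direct                             "Specific people" is the default; sharing widely becomes a deliberate act
#   View                               edit rights are an explicit choice, not the default
#   PreventExternalUsersFromResharing  guests cannot pass their access on to others
#   ExternalUserExpire*                guest access lapses after 60 days unless the site owner renews it (assumed value)
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

"--- after ---"
Get-SPOTenant | Select-Object $props

# Site settings cannot be more permissive than the tenant, so this caps every existing site as well.
# A single site that genuinely needs "Anyone" links gets that via Set-SPOSite -SharingCapability on that site only.
```

Existing “Anyone” links that were created before the change keep working until they expire or are removed, so follow up by reviewing active links in the sites that hold client data.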

9. Enable unified audit logging

Audit logging records who accessed what, when, and from where across your entire M365 environment. Without it, if your tenant is compromised, you have no visibility into what the attacker accessed, what they changed, or what data they exfiltrated. Microsoft has turned the unified audit log on by default for most tenants since 2019, but tenants where someone switched it off still exist, so verify rather than assume. Audit (Standard), which is what Business Premium includes, retains 180 days; if you need longer, export on a schedule or feed a SIEM, because an incident discovered months later is exactly when the early entries have already aged out.

Where: Microsoft Purview portal → Audit. If the page offers to start recording user and admin activity, logging is off; turn it on. Otherwise run a test search to confirm results come back.
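An added example (not SecureLoop's tooling) with the ExchangeOnlineManagement module: it confirms ingestion is on, then pulls the last 30 days of the events an incident responder looks at first in a BEC case (inbox-rule changes, mailbox forwarding changes, role assignments and OAuth consents). The 30-day window and the operation list are this example's choices.

```powershell
# Added example, not SecureLoop's tooling: verify the unified audit log and pull high-value events.
# Requires Install-Module ExchangeOnlineManagement and the View-Only Audit Logs (or Audit Logs) role.
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF. Enabling it now; activity before this point was never recorded."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Operations worth a weekly look on a small tenant:
#   New-InboxRule/Set-InboxRule/UpdateInboxRules  BEC persistence (forward, delete, hide replies)
#   Set-Mailbox                                    mailbox-level forwarding (filtered below to forwarding changes)
#   "Add member to role."                          privilege escalation, e.g. a new Global Admin
#   "Consent to application."                      OAuth grants that survive a password reset
$ops = @("New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox", "Add member to role.", "Consent to application.")
$end   = Get-Date
$start = $end.AddDays(-30)

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json          # AuditData is a JSON blob whose shape depends on the workload
    # Exchange cmdlet events carry Parameters; directory events carry ObjectId (the role or app touched).
    $detail = if ($d.Parameters) { ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " " } else { $d.ObjectId }
    # Set-Mailbox is noisy (licence and display-name changes); keep only the forwarding-related ones.
    if ($e.Operations -eq "Set-Mailbox" -and $detail -notmatch "Forwarding") { continue }
    [pscustomobject]@{
        When      = $e.CreationDate
        Who       = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP
        Detail    = $detail
    }
}
$rows | Sort-Object When -Descending | Format-Table -AutoSize -Wrap
```

A ClientIP outside Australia on an inbox-rule or consent event, or a role change made by an account that is not one of your dedicated admins, is worth an immediate look rather than a ticket.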

10. Review and restrict third-party app permissions

Users can grant third-party applications access to their M365 data through OAuth consent. Some of these apps request broad permissions — read all email, access all files, send email on behalf of the user. Each consent is a potential data leak or attack vector.

Review which apps have been granted consent, revoke anything unnecessary, and restrict future consent so users can only consent to apps from verified publishers requesting low-impact permissions (or cannot consent at all), with the admin consent workflow turned on so requests route to an admin instead of failing silently. Watch for grants to apps named to look like Microsoft products: illicit consent grant phishing is an established BEC technique, and it survives a password reset and MFA because the attacker holds a token, not a password.

Where: Entra admin centre → Enterprise applications → Consent and permissions → User consent settings (and Admin consent settings for the workflow). Review existing grants under Enterprise applications → select the app → Permissions.
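An added example (not SecureLoop's tooling) with the Microsoft Graph PowerShell SDK: it lists every OAuth delegated grant in the tenant, flags the scopes that matter when the goal is reading or sending someone's mail, and shows the revocation call. The list of risky scopes is this example's judgement, not a Microsoft list.

```powershell
# Added example, not SecureLoop's tooling: enumerate OAuth consent grants and flag mail/file access.
# Requires Install-Module Microsoft.Graph. The ReadWrite scope is only needed for the revocation at the end.
Connect-MgGraph -Scopes "Directory.Read.All","DelegatedPermissionGrant.ReadWrite.All" -NoWelcome

# Delegated scopes that let an app act as the user on mail, mailbox settings and files. Tune to taste.
$riskyScopes = @("Mail.Read","Mail.ReadWrite","Mail.Send","MailboxSettings.ReadWrite",
                 "Files.Read.All","Files.ReadWrite.All","full_access_as_user","offline_access")

# Resolve a service principal id to "name (publisher)" once; many grants point at the same app.
$spCache = @{}
function Get-AppLabel([string] $spId) {
    if (-not $spCache.ContainsKey($spId)) {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $spId -Property DisplayName,AppId,PublisherName,VerifiedPublisher -ErrorAction SilentlyContinue
        if ($sp) {
            $publisher = if ($sp.VerifiedPublisher.DisplayName) { "verified: $($sp.VerifiedPublisher.DisplayName)" }
                         elseif ($sp.PublisherName)             { "unverified: $($sp.PublisherName)" }
                         else                                    { "unverified" }
            $spCache[$spId] = "$($sp.DisplayName) ($publisher)"
        } else { $spCache[$spId] = $spId }
    }
    $spCache[$spId]
}

$review = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $scopes = @($g.Scope -split " " | Where-Object { $_ })
    $hits   = @($scopes | Where-Object { $riskyScopes -contains $_ })
    [pscustomobject]@{
        GrantId     = $g.Id
        App         = Get-AppLabel $g.ClientId
        # "AllPrincipals" = an admin consented for everyone; "Principal" = one user consented for themselves.
        ConsentType = $g.ConsentType
        User        = if ($g.PrincipalId) { (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName).UserPrincipalName } else { "(all users)" }
        RiskyScopes = $hits -join " "
        AllScopes   = $scopes -join " "
    }
}

$review | Where-Object { $_.RiskyScopes } | Sort-Object ConsentType, App |
    Format-Table App, ConsentType, User, RiskyScopes -AutoSize -Wrap

# Revoke a grant once reviewed (GrantId taken from the table above; the value here is a placeholder):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<GrantId>"
```

Revoking the grant removes future access but does not invalidate refresh tokens already issued; pair it with Revoke-MgUserSignInSession for the affected user, and disable or delete the service principal if the app has no business in your tenant.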

Aligning M365 security to the ACSC Essential Eight

For Australian businesses, the ACSC Essential Eight is the benchmark security framework. M365 hardening directly supports several of the eight strategies: multi-factor authentication (item 1 above), restrict administrative privileges (item 3), configure Microsoft Office macro settings (Intune, included in Business Premium, can block macros in files from the internet and enforce the Office macro policies without an on-premises domain), application control (Intune can deploy Windows Defender Application Control or AppLocker policies to managed devices; this is endpoint work, not a tenant setting), and patch applications (Microsoft 365 Apps update themselves on the Monthly Enterprise or Current Channel, and Microsoft patches the cloud services).

A properly hardened M365 tenant can take an Australian small business from Essential Eight Maturity Level 0 to Maturity Level 1 or 2 in several controls — using tools you already pay for.

Check your M365 security score

Take our free M365 security check — answer 8 questions about your current M365 setup and get a personalised risk score, your biggest vulnerabilities, and a prioritised fix list. Takes 2 minutes. No signup required.

What this costs to implement

Most of these settings can be configured in an afternoon if you know where to find them. The challenge for small businesses is knowing what to configure, in what order, and how to avoid locking out your own staff in the process.

SecureLoop offers M365 security hardening as a fixed-price engagement starting from $1,200. We configure all 10 controls listed above, document the baseline, and provide a security configuration report for your records. Delivered in 3–5 business days.

Frequently asked questions

Will MFA slow down my team?

Initial setup takes about five minutes per user. After that, users are challenged when something about the sign-in changes (new device, new browser, new location) or when the session lifetime you set in Conditional Access expires, not on every sign-in; the legacy “remember MFA on trusted devices” option defaults to 14 days if you enable it. Microsoft Authenticator now uses number matching, so the user types the number shown on screen into the app rather than tapping “Approve”, which defeats the push-fatigue attacks that made blind approval dangerous. The security benefit is orders of magnitude larger than the minor inconvenience.

Do I need Microsoft 365 Business Premium?

For Conditional Access and Defender for Office 365, yes: Business Premium is the minimum tier that includes Microsoft Entra ID P1, Defender for Office 365 Plan 1 and Intune. Business Basic and Standard still get Security Defaults (MFA for all, legacy authentication blocked) and every item in this list that is a plain Exchange, SharePoint or DNS setting. The upgrade cost from Business Standard is typically $8–10 per user per month. For a 10-person business, that is $80–100/month for enterprise-grade security.

Can I do this myself or do I need a consultant?

Technically, yes: every setting in this checklist is accessible through the M365 admin portals. Practically, the risk of misconfiguring Conditional Access (and locking out your entire team) or moving DMARC to reject before every legitimate sender is covered (and breaking email delivery) makes professional configuration worthwhile for most businesses. If you do it yourself, use report-only mode and a break-glass account for Conditional Access, and p=none with reporting before p=reject for DMARC.

How does this relate to the Essential Eight?

A properly hardened M365 tenant directly addresses multi-factor authentication, restrict administrative privileges, and partially addresses application control, patch applications, and configure Microsoft Office macro settings. It is not the complete Essential Eight, but it is a significant portion of it — using tools you already pay for.

Tags: Microsoft 365 security, M365 hardening, Essential Eight, MFA, Conditional Access, small business Australia, cloud security
