
How to Secure Microsoft 365 for a Small Business in Australia (2026)

Default M365 settings leave your business exposed. Here is exactly what to change, in what order — without needing a dedicated IT team.

By SecureLoop Team
⚠ Important

Microsoft 365 out-of-the-box default settings are not configured for security; they are configured for easy adoption. Every business that has not reviewed its tenant settings since initial setup should treat this as urgent.

Why M365 defaults leave you exposed

Microsoft 365 is the most widely used cloud platform for Australian small businesses — and the most commonly misconfigured. When your IT provider set up your tenant, they almost certainly accepted the defaults. Those defaults prioritise ease of access over security.

The specific problems: legacy authentication protocols remain enabled (allowing attackers to bypass MFA), external sharing is unrestricted, mail forwarding rules can be set by users (a classic business email compromise vector), and admin accounts are often used for day-to-day work.

The average cost of a business email compromise incident in Australia is $46,000. Most of those incidents start with a compromised M365 account that had weak authentication configured.

The M365 Secure Score — your starting point

Microsoft provides a free security dashboard called Secure Score. Go to security.microsoft.com and click Secure Score in the left navigation. It gives your tenant a score out of 100 and lists specific recommended actions in priority order.

Most small businesses score between 20–45 on first check. A well-hardened SMB tenant should be above 70. Use Secure Score as your progress tracker — note your current score, then return after each change to see the improvement.

Priority 1: Multi-factor authentication

MFA is the single most impactful security change you can make in M365. It blocks 99.9% of automated credential attacks.

  1. Go to admin.microsoft.com → Users → Active Users
  2. Click Multi-factor authentication in the top toolbar
  3. Select all users, click Enable
  4. Communicate to your team that they will need to set up the Microsoft Authenticator app on their next sign-in

Admin accounts need special treatment

All Global Administrator accounts must have MFA enabled with no exceptions. Global Admin is the highest-privilege account in your M365 tenant. Best practice: create a separate break-glass admin account used only for emergency admin tasks, with a complex password stored securely offline.

Priority 2: Disable legacy authentication

Legacy authentication protocols (Basic Auth, SMTP AUTH, POP3, IMAP) bypass MFA entirely. Even if you have enabled MFA, an attacker can use these older protocols to sign in with just a username and password.

Warning: before disabling legacy auth, check whether any devices or applications in your business are using it. Older printers, scanners, and some third-party apps that send email via SMTP AUTH will stop working. Inventory these first.
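The inventory-then-disable sequence above, as an added example (not SecureLoop's tooling): it lists which accounts actually signed in over a legacy protocol in the last 30 days, then turns POP3, IMAP and SMTP AUTH off while keeping SMTP AUTH for a short exception list. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that you hold Global Admin, and that the tenant has Entra ID P1 (needed to read sign-in logs); the scanner address is a constructed placeholder.

```powershell
# Added example, not SecureLoop's tooling. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and you hold Global Admin.
# Reading sign-in logs needs Entra ID P1.
Connect-MgGraph -Scopes "AuditLog.Read.All" | Out-Null
Connect-ExchangeOnline -ShowBanner:$false

# 1. Inventory: who signed in over a legacy protocol in the last 30 days?
#    These are the clientAppUsed values Entra records for legacy auth.
$legacyClients = "Authenticated SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Other clients"
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacySignIns = foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -All -Filter "clientAppUsed eq '$client' and createdDateTime ge $since"
}
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed, IPAddress |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
# Anything listed here (a scanner, a line-of-business app) needs a modern-auth
# or relay alternative before you continue, or it will stop sending mail.

# 2. Exceptions: mailboxes that genuinely still need SMTP AUTH.
#    Constructed placeholder; replace with what step 1 found.
$keepSmtpAuth = @("scanner@example.com.au")

# 3. Per mailbox: POP3 and IMAP off everywhere, SMTP AUTH off except for exceptions.
Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $isException = $keepSmtpAuth -contains $_.PrimarySmtpAddress.ToString()
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false `
        -SmtpClientAuthenticationDisabled (-not $isException)
}

# 4. Tenant-wide: SMTP AUTH off by default (the explicit per-mailbox $false
#    above overrides this for the exceptions), plus a default authentication
#    policy that blocks Basic Auth for every protocol.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
if (-not (Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name "Block Basic Auth" | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 5. Verify: only the exception mailboxes should appear.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Format-Table PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
```

Re-run step 1 a week later: a legacy sign-in that still appears is either an exception you kept or a device you missed in the inventory.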

Priority 3: Review and restrict admin roles

Most small businesses have too many accounts with Global Administrator privileges. Global Admin can do anything in your M365 tenant — including deleting all your data and changing security settings.

The principle is least-privilege: give people only the access they need to do their job. For most small businesses, you need one or two Global Admin accounts maximum.
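A review of the Global Administrator role along the lines described above, as an added example (not SecureLoop's tooling): it lists every member, flags accounts that also carry licences (the usual sign of a day-to-day account holding admin rights) and warns when there are more than two. It assumes the Microsoft.Graph module is installed and you sign in as Global Reader or Global Admin.

```powershell
# Added example, not SecureLoop's tooling. Assumes the Microsoft.Graph module
# and a Global Reader or Global Admin sign-in.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" | Out-Null

# Global Administrator is always an activated role, so it is in this list.
$gaRole  = Get-MgDirectoryRole | Where-Object DisplayName -eq "Global Administrator"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties.'@odata.type'
    if ($type -ne "#microsoft.graph.user") {
        # Groups or service principals holding GA need their own review.
        [pscustomobject]@{ Principal = $m.Id; Type = $type; Licensed = $null; Note = "non-user principal" }
        continue
    }
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled, AssignedLicenses
    $licensed = ($u.AssignedLicenses.Count -gt 0)
    # A licensed GA account is usually somebody's daily account, which is the
    # pattern the article warns about; a dedicated admin account needs no licence.
    $note = if (-not $u.AccountEnabled) { "disabled account still holds GA; remove" }
            elseif ($licensed)          { "likely daily-use account; move to a lesser role" }
            else                        { "" }
    [pscustomobject]@{
        Principal = $u.UserPrincipalName
        Type      = "user"
        Licensed  = $licensed
        Note      = $note
    }
}
$report | Format-Table -AutoSize

if ($members.Count -gt 2) {
    Write-Warning "$($members.Count) Global Administrators found; aim for one or two."
}
```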

Priority 4: Configure mail flow and anti-phishing rules

M365 includes Defender for Office 365 — anti-phishing, anti-malware, and safe links features that are not enabled by default in all plans. Key settings to configure in security.microsoft.com → Email and Collaboration → Policies and Rules → Threat Policies:

  • Anti-phishing policy: Enable impersonation protection for your executives and domains.
  • Safe Links: Enable URL scanning for all M365 apps.
  • Safe Attachments: Enable dynamic delivery for email attachments.
  • DMARC, DKIM, SPF: Ensure your domain has these email authentication records configured.

⚠ Check for auto-forwarding rules

Business email compromise attacks often set up auto-forwarding rules in a compromised mailbox — silently copying all incoming email to an external address. In Exchange admin centre, check all mailboxes for forwarding rules. Disable the ability for users to set up auto-forwarding to external addresses.
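The forwarding check above, as an added example (not SecureLoop's tooling): it finds mailbox-level forwarding, then every inbox rule that forwards or redirects, marks rules whose target is outside your accepted domains, and finally blocks external auto-forwarding tenant-wide. It assumes the ExchangeOnlineManagement module is installed and you hold Exchange Admin; Test-ExternalTarget is a helper written for this example.

```powershell
# Added example, not SecureLoop's tooling. Assumes ExchangeOnlineManagement
# is installed and you hold Exchange Admin.
Connect-ExchangeOnline -ShowBanner:$false

$ownDomains = (Get-AcceptedDomain).DomainName
function Test-ExternalTarget {
    # Helper for this example. Rule targets look like "Name [SMTP:user@domain]"
    # or a bare address; flag any address whose domain is not one of ours.
    param([string[]] $Targets)
    foreach ($t in $Targets) {
        foreach ($match in [regex]::Matches($t, '[\w.+-]+@([\w.-]+)')) {
            if ($ownDomains -notcontains $match.Groups[1].Value) { return $true }
        }
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin, or by an attacker holding admin)
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Format-Table UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect (the persistence step BEC relies on)
$suspect = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @(@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ })
            [pscustomobject]@{
                Mailbox  = $mb.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = Test-ExternalTarget $targets
                Targets  = ($targets -join "; ")
            }
        }
}
$suspect | Sort-Object External -Descending | Format-Table -AutoSize
# Confirm External = True rules with the user, then remove them:
#   Remove-InboxRule -Mailbox <upn> -Identity <rule name>

# 3. Stop it recurring: block external auto-forwarding in both places
#    Exchange Online evaluates it.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Step 2 is slow on larger tenants because it queries each mailbox in turn; schedule it rather than running it interactively if you have more than a few hundred users.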

Priority 5: External sharing and SharePoint settings

By default, M365 SharePoint and OneDrive allow unrestricted external sharing. Recommended settings:

  • Set external sharing to New and existing guests (requires sign-in) rather than Anyone (anonymous access)
  • Require guests to authenticate with a one-time passcode
  • Set link expiration — external sharing links should expire after 30 days
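The three sharing settings above as tenant configuration, shown as an added example (not SecureLoop's tooling): it records the current values, then applies guest-only sharing, 30-day guest expiry and one-time-passcode re-verification. It assumes the Microsoft.Online.SharePoint.PowerShell module and SharePoint Admin rights; "contoso" is a constructed placeholder tenant name.

```powershell
# Added example, not SecureLoop's tooling. Assumes the SharePoint Online
# management module and SharePoint Admin rights. "contoso" is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Before: record what the tenant allows today. An untouched tenant usually
# shows SharingCapability = ExternalUserAndGuestSharing ("Anyone" links) and
# RequireAnonymousLinksExpireInDays = -1 (never expire).
Get-SPOTenant | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays,
    ExternalUserExpirationRequired, ExternalUserExpireInDays,
    EmailAttestationRequired, EmailAttestationReAuthDays | Format-List

# After: new and existing guests only (no anonymous links), guest access
# expires after 30 days, and guests who verify by one-time passcode must
# re-verify after 30 days.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30 `
              -EmailAttestationRequired $true -EmailAttestationReAuthDays 30

# Verify
Get-SPOTenant | Select-Object SharingCapability, ExternalUserExpirationRequired,
    ExternalUserExpireInDays, EmailAttestationRequired, EmailAttestationReAuthDays | Format-List
```

Existing "Anyone" links stop working once SharingCapability changes, so tell users before you apply it; SharePoint site-level sharing can only be as open as the tenant setting, so this is the ceiling for every site.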

M365 licensing — what you need

Control                        Minimum license
-----------------------------  ----------------------------------------------
MFA (per-user)                 All M365 plans (free)
Conditional Access             Business Premium or Azure AD P1
Safe Links / Safe Attachments  Business Premium or Defender for Office 365 P1
Audit log (90 days)            All M365 plans (free)
Intune device management       Business Premium

For most small businesses, Microsoft 365 Business Premium at around $28/user/month covers all the security controls you need. If you are on Business Basic or Business Standard, upgrading to Premium is almost always worthwhile purely from a security perspective.

Want us to harden your M365 tenant?

SecureLoop M365 security hardening from $1,200 fixed price. 3–5 days. Full configuration, documentation, and debrief.
