Hyetech

Microsoft 365 Security Best Practices for Australian Businesses In 2026

Quick Answer: Microsoft 365 is the most widely used business platform in Australia and one of the most actively targeted. The good news: M365 includes powerful built-in security tools that most businesses never configure. This guide covers the 10 most critical Microsoft 365 security settings every Australian business should implement in 2026, aligned to the ASD Essential Eight framework and current ACSC guidance.

Table of Contents

  1. Why M365 Security Matters for Australian Businesses
  2. Enable Multi-Factor Authentication — First and Non-Negotiable
  3. Configure Conditional Access Policies
  4. Block Legacy Authentication Protocols
  5. Harden Exchange Online and Email Security
  6. Restrict and Audit Admin Privileges
  7. Secure OneDrive and SharePoint
  8. Disable or Restrict Macros in Microsoft Office
  9. Enable Microsoft Defender for Business
  10. Configure Audit Logging and Alerts
  11. Use Microsoft Secure Score as Your Baseline
  12. M365 Security and the ASD Essential Eight
  13. FAQs

Why Microsoft 365 Security Matters for Australian Businesses {#why-it-matters}

Microsoft 365 is how most Australian businesses operate — email, file storage, collaboration, and business applications on a single platform. That centralisation is powerful. It is also a single point of failure if security is misconfigured.

The ACSC’s Annual Cyber Threat Report recorded 87,400 cybercrime reports in the 2023–24 financial year. Business Email Compromise (BEC) alone cost Australian businesses more than $84 million in 2023, with M365 accounts the primary target. Credential theft, phishing, and token theft attacks almost always begin with an M365 account.

The critical insight most Australian businesses miss: Microsoft 365 ships with security disabled by default. Multi-factor authentication, Conditional Access, audit logging, and Defender for Business all need to be deliberately enabled. Out of the box, M365 is not a secure platform — it is a capable platform that can be made secure.

Hyetech is a Microsoft Gold Certified Partner. The settings below are exactly what we configure for Australian clients as a security baseline.

1. Enable Multi-Factor Authentication — First and Non-Negotiable {#mfa}

If you do one thing from this guide, make it this. Microsoft’s own research shows that MFA blocks over 99.9% of automated account attacks. The majority of M365 compromises involve valid credentials — stolen through phishing, purchased from the dark web, or harvested in a third-party breach. MFA renders stolen credentials useless.

How to enable MFA in M365:

Go to the Microsoft 365 Admin Centre → Users → Active Users → Multi-factor authentication. You can enforce MFA per-user, but the more powerful approach is to use Security Defaults (free, available to all M365 plans) or Conditional Access policies (requires Azure AD Premium P1 or M365 Business Premium).

MFA method recommendations:

| Method | Security Level | Recommended For |
|---|---|---|
| Microsoft Authenticator app (push) | Good | All staff |
| Authenticator app with number-matching | Better | All staff — enable number-matching to prevent push bombing |
| FIDO2 hardware key (YubiKey) | Best | Admins, finance, executives |
| SMS one-time passcode | Acceptable | Low-sensitivity accounts only |

Enable number-matching on push notifications. Without it, staff can be manipulated into approving fraudulent requests (MFA fatigue attacks) — the same technique used against Uber and Cisco.

For the full implementation guide, including phased rollout and bypass attack prevention, see Multi-Factor Authentication for Australian businesses.

2. Configure Conditional Access Policies {#conditional-access}

Conditional Access is M365’s intelligent access control layer — it evaluates who is logging in, from where, on what device, and under what circumstances before granting access. The same employee logging in from their usual Melbourne office on a managed device gets smooth access; the same credentials logging in from an unrecognised device overseas at 3am get blocked or challenged.

Essential Conditional Access policies to configure:

  • Require MFA for all users — the baseline policy every tenant needs
  • Require MFA for admin roles — enforce stricter authentication for Global Admins and Exchange Admins
  • Block access from legacy authentication protocols — prevents MFA bypass attacks (see next section)
  • Block high-risk sign-ins — use Microsoft’s sign-in risk detection to block flagged logins automatically
  • Require compliant or hybrid-joined devices — ensure only managed, up-to-date devices can access M365 data
  • Restrict access by country — if your team operates only in Australia, block sign-ins from unexpected locations

Conditional Access requires Azure Active Directory Premium P1, included in Microsoft 365 Business Premium — one of the most compelling reasons to upgrade from M365 Business Basic or Standard.

This is a core component of Zero Trust architecture — treating every login as potentially compromised until proven otherwise.

3. Block Legacy Authentication Protocols {#legacy-auth}

This is the most commonly missed M365 security setting — and one of the most consequential. Legacy protocols such as IMAP, POP3 and SMTP AUTH, all relying on basic authentication, were built before MFA existed. They bypass Conditional Access and MFA entirely. An attacker with a stolen username and password can use these protocols to access an M365 mailbox even if MFA is configured, because legacy protocols never prompt for a second factor.

How to block legacy authentication:

In Azure Active Directory, create a Conditional Access policy targeting “Exchange ActiveSync clients and other clients” and set the grant control to “Block.” Also verify in the M365 Admin Centre that basic authentication is disabled across Exchange Online.

Before blocking, identify any printers or legacy applications using SMTP AUTH to send email — these will stop working and need to be updated or replaced with modern authentication equivalents first.
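The inventory step above can be done from an export of the Entra ID sign-in logs. The following script is an added example, not part of the original article: it groups legacy-protocol sign-ins by account so that printers, scripts and old mail clients are found before the block policy goes live. The field names follow the sign-in log export, the list of legacy client app types is an assumption mirroring the "Exchange ActiveSync clients" and "Other clients" groupings, and the sample records are constructed.

```python
"""Inventory legacy-authentication sign-ins before a Conditional Access block.
Field names (userPrincipalName, clientAppUsed, ipAddress, status.errorCode)
follow the Entra ID sign-in log export; the sample records are constructed."""
import json

# clientAppUsed values that authenticate with basic auth and never prompt for
# MFA. Assumption: mirrors the "Exchange ActiveSync clients" and "Other clients"
# groupings a Conditional Access block policy targets.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "AutoDiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services",
}

# Constructed sample: a scanner sending via SMTP AUTH, a user on IMAP (one
# success, one failed attempt) and two modern-auth sign-ins to be ignored.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "scanner@example.com.au", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com.au", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com.au", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com.au", "clientAppUsed": "IMAP4",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
    {"userPrincipalName": "alice@example.com.au",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
])


def find_legacy_signins(signin_json: str) -> dict:
    """Group legacy-protocol sign-ins by account.
    Returns {upn: {"protocols": set, "sources": set, "success": n, "failed": n}}.
    Successful entries are dependencies (printers, scripts, old clients) to fix
    before the block is enabled; failed ones are typically password spraying.
    """
    inventory = {}
    for rec in json.loads(signin_json):
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue
        entry = inventory.setdefault(rec["userPrincipalName"], {
            "protocols": set(), "sources": set(), "success": 0, "failed": 0})
        entry["protocols"].add(app)
        entry["sources"].add(rec.get("ipAddress", "unknown"))
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["success"] += 1
        else:
            entry["failed"] += 1
    return inventory


if __name__ == "__main__":
    for upn, info in find_legacy_signins(SAMPLE_SIGNINS).items():
        print(upn, sorted(info["protocols"]), sorted(info["sources"]),
              "ok", info["success"], "failed", info["failed"])
```

Accounts with successful legacy sign-ins are the ones that need a modern-auth replacement before the block; repeated failures against basic auth are worth raising as an alert in their own right.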

Blocking legacy authentication is mandated at all maturity levels of the ASD Essential Eight as part of correctly implementing MFA.

4. Harden Exchange Online and Email Security {#email-security}

Email is the #1 attack vector for Australian businesses. M365’s Exchange Online includes several security features that need to be actively configured:

Enable Microsoft Defender for Office 365

Defender for Office 365 (included in M365 Business Premium) provides:

  • Safe Links — scans URLs in emails and Office documents at time-of-click, blocking malicious redirects even after delivery
  • Safe Attachments — detonates attachments in a sandbox before delivery, catching zero-day malware
  • Anti-phishing policies — machine-learning models that detect impersonation attacks targeting your domain and executives

These features are not enabled by default. Navigate to the Microsoft 365 Defender portal → Email & Collaboration → Policies & Rules → Threat policies to configure them.

Configure Anti-Spoofing and Email Authentication

Enable DMARC, DKIM, and SPF records for your domain. These three DNS-based controls together prevent attackers from spoofing your domain to send fraudulent emails that appear to come from your business.

  • SPF — specifies which mail servers are authorised to send email for your domain
  • DKIM — cryptographically signs outbound email to verify it hasn’t been tampered with
  • DMARC — ties SPF and DKIM together and tells recipient servers what to do with email that fails both checks (quarantine or reject)

Without DMARC in enforcement mode (p=reject or p=quarantine), your domain can be spoofed in BEC attacks — where attackers impersonate your CEO or finance director to authorise fraudulent payments.
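A quick way to verify that the SPF and DMARC records actually enforce is to inspect the published TXT strings. The script below is an added example, not from the original article: it takes the TXT records for a domain and its _dmarc subdomain (constructed inline here so it runs offline; example.com.au is a placeholder) and reports each gap that leaves the domain spoofable, comparing a weak record set with a hardened one.

```python
"""Check SPF and DMARC TXT records for spoofing protection.
The record sets below are constructed; in practice they come from DNS TXT
lookups of the domain and its _dmarc subdomain. example.com.au is a placeholder."""

# Constructed record sets: one unenforced, one hardened. The include: value is
# the one Microsoft publishes for Exchange Online outbound mail.
WEAK_RECORDS = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com ?all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
}
HARDENED_RECORDS = {
    "example.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au"],
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain: str, txt_records: dict) -> list:
    """Return findings for a domain; an empty list means SPF and DMARC enforce.
    txt_records maps a DNS name to the list of TXT strings published at it.
    """
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any server can claim to send for this domain")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    elif not spf[0].rstrip().endswith(("-all", "~all")):
        findings.append("SPF does not end in -all or ~all: unlisted senders are not rejected")

    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", [])
             if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM failures are never acted on")
        return findings
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy}: receivers are told not to act on failures")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports on spoofing attempts are not received")
    return findings


if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, assess_email_auth("example.com.au", recs) or ["enforced"])
```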

Understanding phishing types and prevention provides a full breakdown of the email-based attack techniques these controls directly address.

5. Restrict and Audit Admin Privileges {#admin-privileges}

Global Administrator is the most dangerous role in your M365 tenant — unrestricted access to everything. Most Australian businesses assign far too many users Global Admin rights, creating enormous unnecessary risk.

Principle of least privilege — M365 implementation:

  • Reduce Global Admin accounts to 2–3 maximum — dedicated accounts never used for day-to-day work
  • Use role-specific admin accounts — Exchange Admin, SharePoint Admin, Teams Admin, and User Admin roles assigned separately
  • Create break-glass accounts — two emergency Global Admin accounts stored securely offline
  • Require phishing-resistant MFA for all admin accounts — hardware keys (FIDO2/YubiKey)
  • Never use admin accounts for email or browsing — admin accounts must be dedicated, separate from daily-use accounts

In the M365 Admin Centre, audit admin roles regularly: Admin Centre → Roles → Role assignments. Remove unfamiliar accounts or users who no longer require elevated access immediately.

A network security audit maps all administrative access points across your environment as part of a comprehensive access control review.

6. Secure OneDrive and SharePoint {#onedrive-sharepoint}

OneDrive and SharePoint are where your business data lives. Default sharing settings are often too permissive — allowing anonymous link sharing that can expose sensitive documents to anyone with a link.

Key settings to review and tighten:

  • Set default sharing to “Only people in your organisation” — in the SharePoint Admin Centre, change the default link type from “Anyone” to internal only
  • Disable anonymous (Anyone) link sharing — unless your business has a specific requirement, disable public sharing entirely
  • Enable SharePoint Online audit logs — track who accessed, modified, or shared documents
  • Set expiry on external sharing links — if external sharing is required, links should expire after 30 days
  • Enable version history — set retention to at least 180 days; if ransomware encrypts cloud-synced files, version history allows restoration of previous versions
  • Restrict sync to managed devices only — prevent OneDrive sync on personal, unmanaged devices

Version history is your first M365 line of defence against ransomware affecting synced content — but it does not replace offline backup. For a complete backup strategy, see cloud computing solutions.

7. Disable or Restrict Macros in Microsoft Office {#macros}

Malicious macros in Office documents — Word, Excel, PowerPoint — remain a primary ransomware delivery mechanism. A staff member opens an attachment, enables macros when prompted, and the payload executes. The ASD Essential Eight mandates macro restriction at all three maturity levels.

Using Microsoft Intune (recommended): Deploy an Intune policy that sets VBA Macro Notification Settings to “Disable all macros without notification” across all managed endpoints. This is the most robust approach as it enforces the setting centrally.

Using Group Policy: If you manage endpoints through Group Policy, configure Office macro settings under User Configuration → Administrative Templates → Microsoft Office.

Attack Surface Reduction (ASR) rules: In Microsoft Defender for Endpoint, enable ASR rule: “Block Office applications from creating executable content.” This provides an additional layer that prevents macros from spawning child processes used in malware delivery chains.

Exceptions: Where macros are genuinely required for business processes, restrict them to digitally signed macros from trusted publishers only. Document all exceptions and review them annually.

For the full picture of how this fits into your endpoint security posture, managed detection and response services monitor endpoint behaviour to catch macro-based attacks that slip through.

8. Enable Microsoft Defender for Business {#defender}

Microsoft Defender for Business is included in Microsoft 365 Business Premium and provides enterprise-grade endpoint detection and response (EDR) for SMBs. It replaces legacy antivirus with behavioural threat detection — identifying malicious activity based on what a process does, not just a known signature.

Key Defender for Business capabilities:

  • Threat & Vulnerability Management — continuously scans endpoints for unpatched software and misconfigurations
  • Attack Surface Reduction rules — blocks common attack techniques including macro abuse, credential dumping, and process injection
  • Automated investigation and remediation — investigates and remediates threats automatically without manual analyst intervention
  • Endpoint detection and response (EDR) — detects advanced threats including living-off-the-land attacks that bypass antivirus
  • Device health reports — identifies devices running outdated OS versions or missing security updates

To onboard devices, go to the Microsoft 365 Defender portal → Settings → Endpoints → Onboarding. Deploy the onboarding package via Intune for automatic enrollment across managed devices.

AI-driven cyber attacks explains why signature-based antivirus is insufficient — EDR’s behavioural analysis is specifically designed to catch the living-off-the-land techniques modern ransomware uses.

9. Configure Audit Logging and Alerts {#audit-logging}

M365 generates a comprehensive audit trail of every action across your tenant — logins, file accesses, admin changes, email forwards, and permission changes. But it doesn’t alert you by default.

Enable Unified Audit Log: In the Microsoft 365 Compliance Centre → Audit, ensure audit logging is turned on. Retain logs for at least 90 days.

Key alerts to configure:

  • Multiple failed MFA attempts — indicator of push bombing or credential stuffing in progress
  • Impossible travel — same user credentials logging in from two distant locations within minutes
  • Mass file download or deletion — potential compromised account exfiltrating data
  • New inbox forwarding rules to external addresses — a classic BEC technique; attackers silently forward copies of your email
  • New Global Admin assignment — any new admin role assignment should trigger an immediate alert
  • External email forwarding enabled — unauthorised forwarding of mailbox contents

Configure alerts in the Microsoft 365 Defender portal → Alerts or via the Compliance Centre → Alert policies.
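Three of the alerts listed above (external inbox forwarding rules, new Global Administrator assignments, mass file downloads) can also be checked offline over an audit log export, which is useful when validating that the portal alert policies fire as expected. The script is an added example, not code from the original article: field names follow the Unified Audit Log export, while the sample records, the tenant domain and the download threshold are constructed.

```python
"""Run three of the alert checks above over exported Unified Audit Log records.
Field names (Operation, UserId, Parameters, ModifiedProperties, ObjectId) follow
the audit log export; records, domains and threshold below are constructed."""
import json
import re
from collections import Counter

INTERNAL_DOMAINS = {"example.com.au"}  # assumption: the tenant's own domains
DOWNLOAD_THRESHOLD = 3                 # constructed for the sample; tune per tenant
FORWARDING_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}
GLOBAL_ADMIN_NAMES = {"Global Administrator", "Company Administrator"}  # assumption: older exports use the latter name
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

SAMPLE_AUDIT = json.dumps([
    {"Operation": "New-InboxRule", "UserId": "alice@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "archive@mail.example"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com.au",
     "Parameters": [{"Name": "ForwardTo", "Value": "helpdesk@example.com.au"}]},
    {"Operation": "Add member to role.", "UserId": "admin@example.com.au",
     "ObjectId": "carol@example.com.au",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]},
    {"Operation": "FileDownloaded", "UserId": "dave@example.com.au"},
    {"Operation": "FileDownloaded", "UserId": "dave@example.com.au"},
    {"Operation": "FileDownloaded", "UserId": "dave@example.com.au"},
    {"Operation": "FileDownloaded", "UserId": "alice@example.com.au"},
])


def external_forward_targets(params: list, domains: set) -> list:
    """Addresses in a New-/Set-InboxRule call that send mail outside the tenant."""
    targets = []
    for p in params:
        if p.get("Name") in FORWARDING_PARAMS:
            for addr in EMAIL_RE.findall(p.get("Value", "")):
                if addr.rsplit("@", 1)[1].lower() not in domains:
                    targets.append(addr)
    return targets


def detect_alerts(audit_json: str, domains=INTERNAL_DOMAINS, threshold=DOWNLOAD_THRESHOLD) -> list:
    """Return (alert_type, actor, detail) tuples for the checks this example covers."""
    alerts, downloads = [], Counter()
    for rec in json.loads(audit_json):
        op, actor = rec.get("Operation"), rec.get("UserId", "?")
        if op in ("New-InboxRule", "Set-InboxRule"):
            ext = external_forward_targets(rec.get("Parameters", []), domains)
            if ext:
                alerts.append(("external_forwarding_rule", actor, ", ".join(ext)))
        elif op == "Add member to role.":
            roles = {m.get("NewValue") for m in rec.get("ModifiedProperties", [])
                     if m.get("Name") == "Role.DisplayName"}
            if roles & GLOBAL_ADMIN_NAMES:
                alerts.append(("global_admin_assigned", actor, rec.get("ObjectId", "?")))
        elif op == "FileDownloaded":
            downloads[actor] += 1
    for user, count in downloads.items():
        if count >= threshold:
            alerts.append(("mass_download", user, f"{count} files"))
    return alerts
```

Impossible-travel detection needs the sign-in location data that lives in the Entra sign-in logs rather than the audit log, so it is left to the built-in risk detections.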

Monitoring M365 audit logs is a core function of SOC and SIEM services — providing the 24/7 human analyst layer that makes these alerts actionable.

10. Use Microsoft Secure Score as Your Baseline {#secure-score}

Microsoft Secure Score is a free tool built into every M365 tenant that measures your security configuration against best practices. It gives you a score and a prioritised list of improvement actions with estimated impact for each.

How to access it: Microsoft 365 Defender portal → Secure Score

Your dashboard shows your current score, how it’s changed over time, recommended actions ranked by impact and effort, and a comparison against similar organisations. Most newly configured M365 tenants score in the 20–35% range. Well-configured tenants typically reach 70–80%.

Run a Secure Score review quarterly. A significant score drop should be investigated — it may indicate security controls have been disabled or misconfigured.

For independent validation beyond Secure Score, a cyber security audit assesses your M365 configuration alongside your broader network, endpoint, and backup security posture.

M365 Security and the ASD Essential Eight {#essential-eight}

For Australian businesses, Microsoft 365 security configuration directly maps to the ASD Essential Eight framework. Here’s how:

| Essential Eight Control | M365 Implementation |
|---|---|
| Multi-factor authentication | Conditional Access + Microsoft Authenticator |
| Restrict admin privileges | Least privilege roles; dedicated admin accounts |
| Patch applications | M365 auto-updates + Intune update policies |
| Configure Microsoft Office macros | Macro restriction via Intune or Group Policy |
| User application hardening | Attack Surface Reduction rules in Defender |
| Application control | Defender for Business + AppLocker/WDAC policies |
| Regular backups | OneDrive version history + Microsoft 365 Backup |
| Patch operating systems | Windows Update for Business via Intune |

A correctly configured Microsoft 365 Business Premium tenant, combined with Intune-managed endpoints, can satisfy Essential Eight Maturity Level 1 requirements and most of Level 2. Level 3 requires phishing-resistant MFA (hardware keys), more aggressive patching timelines, and full application allowlisting.

The network security audit framework maps exactly how M365 configuration evidence is collected and assessed against each Essential Eight control during a formal audit.

Conclusion

Microsoft 365 is powerful — but out of the box, it is not secure. Default configuration prioritises ease of use over security. Every setting in this guide requires deliberate action: enabling MFA, configuring Conditional Access, blocking legacy protocols, hardening email, restricting admin privileges, securing SharePoint, locking down macros, deploying Defender, turning on audit logging, and tracking your Secure Score.

None of these changes are complex. Together, they transform M365 from an accessible but exposed platform into a hardened environment that satisfies the ASD Essential Eight baseline and significantly raises the cost of any attack.

Hyetech is a Microsoft Gold Certified Partner. We configure M365 security baselines for Australian businesses as part of our managed IT services and cybersecurity solutions programs, ensuring your tenant is hardened, monitored, and aligned to the ASD Essential Eight.

Want to know how your current M365 configuration stacks up? Contact Hyetech for a Microsoft 365 Security Assessment tailored to your Australian business.

Frequently Asked Questions {#faqs}

Q1: Is Microsoft 365 secure by default?

No. M365 ships with settings optimised for ease of use, not security. MFA, Conditional Access, audit logging, Defender policies, and macro controls all need deliberate configuration. A default M365 tenant is a common attack target precisely because these settings are rarely enabled.

Q2: What M365 licence do I need for proper security?

Microsoft 365 Business Premium is the recommended licence for Australian SMBs serious about security. It includes Conditional Access, Defender for Business (EDR), Intune (device management), and Defender for Office 365 (Safe Links, Safe Attachments). Business Basic and Standard lack several of these features.

Q3: What is the biggest M365 security mistake Australian businesses make?

Not enabling MFA — or enabling it without blocking legacy authentication. Both must go together. MFA without legacy auth blocked provides a false sense of security; attackers simply use legacy protocols to bypass MFA entirely.

Q4: How does M365 security relate to the ASD Essential Eight?

M365 Business Premium, configured correctly with Intune-managed endpoints, satisfies the majority of Essential Eight controls at Maturity Level 1 and most of Level 2. MFA maps to Conditional Access, macro restriction to Intune policies, patching to Windows Update for Business, and backups to OneDrive version history plus M365 Backup.

Q5: What is Microsoft Secure Score?

A free built-in tool that measures your M365 security configuration and provides a prioritised improvement list. Most unoptimised tenants score 20–35%; well-configured tenants reach 70–80%. Check it quarterly.

Q6: How do I prevent Business Email Compromise in M365?

Enable MFA on all accounts, configure DMARC/DKIM/SPF to prevent domain spoofing, enable Safe Links and Safe Attachments, monitor for inbox forwarding rules, and use Conditional Access to block suspicious sign-ins.

Q7: Can Microsoft 365 protect against ransomware?

Partly. OneDrive version history can recover encrypted cloud-synced files, and Defender for Business blocks many ransomware behaviours on endpoints. But M365 does not replace offline backup. A separate 3-2-1 backup strategy with immutable, offline copies is still essential.

Q8: How often should I review my M365 security settings?

Quarterly at minimum. Audit admin role assignments and external sharing settings monthly. An annual cybersecurity audit should include a full M365 configuration review.
