Microsoft 365 security checklist for Australian SMEs: stop phishing and breaches

Service:
Digital Security Check

If your business runs on Microsoft 365, these settings close most risks fast. This Microsoft 365 security checklist gives Brisbane SMEs plain, tested steps to cut phishing, account takeover and data loss. It’s written for busy owners, office managers and IT leads in SEQ.

Key takeaways

  • Turn on MFA for everyone (passkeys or FIDO2 keys for admins; Authenticator with number matching as the floor), block legacy logins, and lock down admin roles. Biggest wins, lowest cost.
  • Use Conditional Access to require MFA, restrict risky countries, and protect admin sessions.
  • Harden email: SPF, DKIM, DMARC, plus anti-phishing and safe links to stop business email scams.
  • Enable sign-in alerts and basic incident steps so you act fast on suspicious activity.
  • Back up Microsoft 365 data. Retention is not a backup, and ransomware hits cloud too.

Microsoft 365 security checklist overview

This checklist lines up the highest risk controls first: identity, MFA, Conditional Access, then email security and backups. Follow it in order, test with a pilot group, and roll out to the wider team once stable.

What it is and core concept

Definition

A Microsoft 365 security checklist is a set of practical tenant settings that reduce real-world threats like phishing, account takeover and data leaks. It covers identity (Entra ID), MFA, Conditional Access, role security, email security, auditing, and backup.

Why it matters

Most Brisbane breaches start with a fake email or a weak login. Trades, healthcare, legal, property and not‑for‑profits all see the same patterns: invoice fraud, malicious links, and password reuse. A short, staged setup blocks the common paths attackers use.

How it works and step-by-step

Process

1) Baseline the tenant: create break‑glass accounts, trim admin roles, restrict app consent. Leave Security Defaults on for now.
2) Get every user registered for MFA; move admins to passkeys or FIDO2 keys.
3) Deploy core Conditional Access rules in report‑only, enforce them, block legacy protocols, then turn Security Defaults off (the two can’t coexist, so Conditional Access must be live first or you open an MFA gap).
4) Harden email security and brand protection (SPF, DKIM, DMARC).
5) Confirm auditing, alerts, and mailbox logging are on.
6) Set backups and retention by data type.
7) Pilot with 3–5 staff, then stage to all.
8) Review Secure Score monthly.

Featured answer

Start by locking identities: create two break-glass accounts, turn on MFA with number matching or passkeys, and block legacy protocols. Next, add core Conditional Access rules and harden email with SPF, DKIM and DMARC. Finish with alerts, mailbox auditing, and a proper Microsoft 365 backup.

Security baseline: tenant, identities and admin roles

Get the foundation right before any fancy tools. Keep it simple and strict.

  • Create two break‑glass accounts: cloud‑only (*.onmicrosoft.com), long random passwords, excluded from every Conditional Access policy, credentials stored offline in a safe. Microsoft now enforces MFA on its admin portals for every account, break‑glass included, so register a FIDO2 key for each (kept with the password) rather than leaving them with no MFA. Use only for outages, and alert on any sign‑in by them.
  • Harden admin roles: assign least privilege, keep Global Administrator to a handful of named people (Microsoft suggests fewer than five), use a separate admin account rather than your daily mailbox, and enable Privileged Identity Management (Entra ID P2) for time‑bound access.
  • Set user consent to “do not allow” (or the admin consent workflow) and stop users registering applications. Attackers love OAuth consent abuse because a granted app keeps working after a password reset.
  • Disable legacy protocols (IMAP/POP/SMTP AUTH) unless required and documented. They can’t do MFA, which is why password‑spray attacks target them; blocking them is what makes your MFA policy actually cover every login.
  • Review sign‑in locations and risky users weekly. Save a report view for quick checks.
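A read‑only check of the baseline items above, as an added example (not code from the original article or its authors). It assumes the Microsoft.Graph PowerShell SDK (Install‑Module Microsoft.Graph), a Global Reader or Global Administrator account, and two hypothetical break‑glass UPNs on contoso.onmicrosoft.com that you replace with your own.

```powershell
# Added example: baseline read-out for Security Defaults, Global Admins, app consent
# and the break-glass accounts. Assumes Microsoft.Graph SDK; names below are placeholders.
Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All","RoleManagement.Read.Directory" -NoWelcome

# 1. Security Defaults. Keep them ON until Conditional Access enforces MFA; the two are
#    mutually exclusive, so switching them off early leaves a window with no MFA at all.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled : $($sd.IsEnabled)"

# 2. Global Administrators. Target: a few named people plus the break-glass accounts.
$gaRole    = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
"Global Administrators ($($gaMembers.Count)):"
$gaMembers | ForEach-Object { "  " + $_.AdditionalProperties.userPrincipalName }

# 3. App consent and registration. An empty PermissionGrantPoliciesAssigned list means
#    ordinary users cannot consent to third-party apps (closes OAuth consent phishing);
#    AllowedToCreateApps = False stops them registering their own.
$perm = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
"User consent policies     : $(if ($perm.PermissionGrantPoliciesAssigned) { $perm.PermissionGrantPoliciesAssigned -join ', ' } else { 'none (good)' })"
"Users can register apps   : $($perm.AllowedToCreateApps)"

# 4. Break-glass accounts (placeholder names). They must exist, be enabled, be cloud-only
#    (not synced from on-premises AD) and hold Global Administrator.
$breakGlass = @('bg-admin-1@contoso.onmicrosoft.com','bg-admin-2@contoso.onmicrosoft.com')
foreach ($upn in $breakGlass) {
    $u = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id,AccountEnabled,OnPremisesSyncEnabled
    if (-not $u) { "  MISSING break-glass account: $upn"; continue }
    "  $upn enabled=$($u.AccountEnabled) synced=$([bool]$u.OnPremisesSyncEnabled) isGA=$($gaMembers.Id -contains $u.Id)"
}
```

Run it before and after the baseline work and keep both outputs with your change record; the second run is the evidence an insurer or auditor asks for.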

Turn on MFA the right way (and modern alternatives)

MFA stops most password‑only account takeover, but not every method is equal: push spam wears down Authenticator approvals, SIM swap defeats SMS, and adversary‑in‑the‑middle phishing pages relay codes and pushes in real time. Use methods that resist those attacks.

  • Use Microsoft Authenticator with number matching (on for all tenants since 2023) and the app and location context shown in the prompt.
  • Prefer phishing‑resistant, passwordless sign‑in for admins and finance: FIDO2 security keys or passkeys in Authenticator. Authenticator phone sign‑in drops the password but counts as passwordless, not phishing‑resistant, in Entra authentication strengths.
  • Avoid SMS where possible. If you must, restrict it to low‑risk users, monitor them, and plan the switch.
  • Require MFA on first sign‑in and from new devices. Re‑prompt from unfamiliar locations.
  • Train staff: no MFA approvals they didn’t start. Report unexpected prompts.
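An MFA registration report from the Graph authentication‑methods data, as an added example (not code from the original article). It assumes the Microsoft.Graph PowerShell SDK and a Global Reader account; the method names are those the report returns today, so check new values against the Graph documentation if the grouping looks wrong.

```powershell
# Added example: who has MFA, who is phone/SMS only, and which admins lack a
# phishing-resistant method. Assumes Microsoft.Graph SDK; method names as returned by Graph.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Methods that match the Entra "phishing-resistant MFA" authentication strength:
# FIDO2 keys, device-bound passkeys and Windows Hello for Business.
function Test-PhishingResistant([string]$Method) {
    ($Method -in @('fido2SecurityKey','windowsHelloForBusiness')) -or ($Method -like 'passKey*')
}
# Phone-based methods: exposed to SIM swap and SS7 interception.
$phoneMethods = @('mobilePhone','alternateMobilePhone','officePhone')

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$noMfa = $details | Where-Object { -not $_.IsMfaRegistered }
$phoneOnly = $details | Where-Object {
    $methods = @($_.MethodsRegistered)
    $_.IsMfaRegistered -and
    @($methods | Where-Object { $_ -notin $phoneMethods -and $_ -ne 'email' }).Count -eq 0
}
$adminsWeak = $details | Where-Object {
    $methods = @($_.MethodsRegistered)
    $_.IsAdmin -and @($methods | Where-Object { Test-PhishingResistant $_ }).Count -eq 0
}

# Unregistered users get prompted to register at their next sign-in once MFA is enforced;
# register them first, or an attacker who already has the password does it for them.
"No MFA registered ($($noMfa.Count)):"
$noMfa | ForEach-Object { "  $($_.UserPrincipalName)" }
"Phone/SMS only ($($phoneOnly.Count)) - move to Authenticator:"
$phoneOnly | ForEach-Object { "  $($_.UserPrincipalName)  [$($_.MethodsRegistered -join ',')]" }
"Admins without a phishing-resistant method ($($adminsWeak.Count)) - issue FIDO2 keys:"
$adminsWeak | ForEach-Object { "  $($_.UserPrincipalName)  [$($_.MethodsRegistered -join ',')]" }
```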

Conditional Access policies for SMEs

Conditional Access (Entra ID) is your “rules of the road”. Start with a small, safe set.

  • Require MFA for all users. Exclude break‑glass accounts only.
  • Block legacy authentication globally.
  • Require compliant or hybrid joined device for admin portals and risky apps.
  • Block high‑risk sign‑ins and force a password change for high‑risk users (risk signals need Entra ID P2; without it, lean on MFA everywhere and the sign‑in alerts below).
  • Restrict by country using named locations: allow AU/NZ if your team is local; block or require MFA for the rest. Remember VPNs and cloud proxies can move a user’s apparent country.
  • Session controls: sign‑in frequency 12 hours for admins, 24 hours for users; require reauth on risk.

Pilot each policy in report‑only mode for a few days, then enforce. Keep a documented emergency bypass.
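The first two policies from the list above created in report‑only mode with the break‑glass accounts excluded, as an added example (not code from the original article). It assumes the Microsoft.Graph PowerShell SDK, a Global Administrator or Conditional Access Administrator account, and two hypothetical break‑glass UPNs on contoso.onmicrosoft.com; the policy names CA001/CA002 are a naming convention assumed here.

```powershell
# Added example: "require MFA for all users" and "block legacy authentication" in
# report-only mode. Assumes Microsoft.Graph SDK; break-glass names are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All" -NoWelcome

$breakGlassUpns = @('bg-admin-1@contoso.onmicrosoft.com','bg-admin-2@contoso.onmicrosoft.com')
$breakGlassIds  = @(foreach ($upn in $breakGlassUpns) {
    (Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id).Id
})
# Refuse to create a policy that could lock everyone out if the exclusion is wrong.
if ($breakGlassIds.Count -ne $breakGlassUpns.Count -or ($breakGlassIds -contains $null)) {
    throw "Break-glass account lookup failed; fix that before creating policies."
}

# CA001: MFA for every user on every app. Report-only first: the sign-in log then shows
# who would have been challenged or blocked before anyone actually is.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # "enabled" after the pilot
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# CA002: block legacy authentication. Exchange ActiveSync and "other clients" (IMAP, POP,
# SMTP AUTH) can't complete MFA, so CA001 never reaches them; a password spray against
# them still succeeds unless they are blocked outright.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) { "Already exists: $($policy.displayName)"; continue }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Created '$($created.DisplayName)' in state $($created.State)"
}
```

After a few days of report‑only data (Entra admin centre, Sign‑in logs, Report‑only tab), enforce each policy with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`, CA001 first, and only then switch Security Defaults off.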

Email and phishing protections that actually work

Email is the number one attack path. Lock inbound and outbound, then prove your identity online.

  • Publish SPF for your domain, remove stale senders, stay under the 10 DNS‑lookup limit, and end with -all once every legitimate sender is listed.
  • Enable DKIM for each accepted domain: publish the two selector CNAMEs Microsoft gives you, then turn signing on.
  • Set DMARC to p=none with aggregate (rua) reporting first, move to quarantine once the reports show only your own senders, then reject once mail flow is clean.
  • Use anti‑phishing, anti‑spam and Safe Links/Safe Attachments. Tighten user and domain impersonation protection for exec and finance mailboxes. Safe Links, Safe Attachments and impersonation protection need Defender for Office 365 (Business Premium includes Plan 1).
  • Turn automatic forwarding off in the outbound spam policy. Review inbox rules weekly on shared and finance mailboxes; a quiet forward‑and‑delete rule is the classic sign of a compromised inbox.
  • Turn on external sender tagging in Outlook and first‑contact safety tips so staff spot lookalike senders quickly.

If licensed for Defender for Office 365 Plan 2, run Attack simulation training quarterly and follow each campaign with short, targeted training for the people who clicked.
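The email controls above applied and verified with Exchange Online PowerShell, as an added example (not code from the original article). It assumes the ExchangeOnlineManagement module, an Exchange Administrator account, and Windows for Resolve-DnsName; the domain names come from your tenant’s accepted domains, so nothing here is hard‑coded to a real company.

```powershell
# Added example: DKIM per domain, SPF/DMARC as the internet sees them, auto-forwarding off,
# external sender tagging, and a sweep for forwarding inbox rules. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false

$acceptedDomains = Get-AcceptedDomain | Select-Object -ExpandProperty DomainName
$customDomains   = $acceptedDomains | Where-Object { $_ -notlike '*.onmicrosoft.com' }

foreach ($d in $customDomains) {
    # DKIM: the signing config is per domain. Creating it disabled gives you the two CNAME
    # targets to publish; enable signing only after those records resolve.
    $dkim = Get-DkimSigningConfig -Identity $d -ErrorAction SilentlyContinue
    if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $d -Enabled $false }
    if ($dkim.Enabled) {
        "$d : DKIM on"
    } else {
        "$d : DKIM OFF. Publish these CNAMEs, then run: Set-DkimSigningConfig -Identity $d -Enabled `$true"
        "    selector1._domainkey.$d -> $($dkim.Selector1CNAME)"
        "    selector2._domainkey.$d -> $($dkim.Selector2CNAME)"
    }

    # SPF and DMARC straight from public DNS. p=none only reports; quarantine/reject is
    # what stops direct spoofing of your domain.
    $spf   = (Resolve-DnsName -Name $d -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like 'v=spf1*' }
    $dmarc = (Resolve-DnsName -Name "_dmarc.$d" -Type TXT -ErrorAction SilentlyContinue).Strings |
             Where-Object { $_ -like 'v=DMARC1*' }
    "$d : SPF   = $(if ($spf)   { $spf }   else { 'MISSING' })"
    "$d : DMARC = $(if ($dmarc) { $dmarc } else { 'MISSING' })"
    if ($spf   -and $spf   -notmatch '-all$')  { "$d : SPF does not end in -all (hard fail)" }
    if ($dmarc -and $dmarc -match   'p=none')  { "$d : DMARC is report-only; move to quarantine, then reject" }
}

# Outbound: stop mailbox-level automatic forwarding to external addresses (the usual BEC
# persistence trick) and tag inbound mail from outside the organisation in Outlook.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-ExternalInOutlook -Enabled $true

# Inbox rules that forward or redirect to external addresses, across every mailbox
# (shared mailboxes included). Run weekly; a hit on a finance mailbox is an incident.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        # Recipients appear as '"Name" [SMTP:addr]'; internal ones can appear as [EX:...] and are skipped.
        $external = foreach ($t in $targets) {
            if ($t -and $t -match '\[SMTP:([^\]]+)\]') {
                $addr = $Matches[1]
                if ($addr.Split('@')[-1] -notin $acceptedDomains) { $addr }
            }
        }
        if ($external) { "FORWARDING RULE: $upn / '$($rule.Name)' -> $($external -join '; ')" }
    }
}
```

The two Set‑ cmdlets are idempotent, so the whole script is safe to schedule; the DNS checks give you the same view a receiving mail server gets, which is what matters for invoice‑fraud spoofing.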

Auditing, alerts and incident response basics

You can’t fix what you can’t see. Turn on logs and simple alerts so you can act within minutes, not days.

  • Confirm mailbox auditing is on for all users and shared mailboxes (it has been the default since 2019, but check it hasn’t been switched off at the org level), and check how long your licence keeps the unified audit log. If that window is shorter than the time it takes you to notice a compromise, you will be investigating blind.
  • Create alerts for new inbox rules, mass deletes, impossible travel, risky sign‑ins, and any sign‑in by a break‑glass account.
  • Save an incident playbook (evidence first, then containment): revoke sessions, reset the password, disable suspicious inbox rules, review sign‑ins, check registered MFA methods and app consents for anything the user didn’t add, re‑enrol MFA, and notify clients where needed.
  • Snapshot evidence: export sign‑in logs and message traces before changes.
  • Review Secure Score monthly. Treat it like a checklist, not a scoreboard.
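The first‑hour containment steps above as a script, evidence first and then cutting access, as an added example (not code from the original article). It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and a Global Administrator account; the UPN, the C:\IR evidence folder and the Graph scopes are placeholders you adjust to your tenant and SDK version.

```powershell
# Added example: contain one compromised account. Save as Contain-User.ps1.
# Assumes Microsoft.Graph and ExchangeOnlineManagement; UPN and paths are placeholders.
param(
    [string]$Upn      = 'j.smith@contoso.com.au',
    [string]$Evidence = ''
)
if (-not $Evidence) { $Evidence = "C:\IR\$(Get-Date -Format yyyyMMdd-HHmm)-$($Upn.Split('@')[0])" }
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 0. If org-level auditing was switched off you have less history than you think; know now.
"Org audit disabled: $((Get-OrganizationConfig).AuditDisabled)"

# 1. Evidence BEFORE anything changes: sign-ins, inbox rules, sent mail, registered MFA methods.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$Upn' and createdDateTime ge $since" -All |
    Select-Object CreatedDateTime, IpAddress, @{n='Country'; e={ $_.Location.CountryOrRegion }},
                  AppDisplayName, ClientAppUsed, @{n='ErrorCode'; e={ $_.Status.ErrorCode }} |
    Export-Csv "$Evidence\signins.csv" -NoTypeInformation
Get-InboxRule -Mailbox $Upn |
    Select-Object Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, Description |
    Export-Csv "$Evidence\inboxrules.csv" -NoTypeInformation
Get-MessageTrace -SenderAddress $Upn -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Export-Csv "$Evidence\messagetrace.csv" -NoTypeInformation
# Attackers register their own Authenticator or phone for persistence; capture the list to
# compare with what the user recognises.
Get-MgUserAuthenticationMethod -UserId $Upn |
    Select-Object Id, @{n='Type'; e={ $_.AdditionalProperties['@odata.type'] }} |
    Export-Csv "$Evidence\authmethods.csv" -NoTypeInformation

# 2. Contain. Rules first (so nothing else leaks while you work), then tokens, then password.
#    Revoking sessions invalidates refresh tokens; access tokens already issued can live
#    for up to about an hour, so keep watching the sign-in log.
Get-InboxRule -Mailbox $Upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Disable-InboxRule -Confirm:$false
Revoke-MgUserSignInSession -UserId $Upn | Out-Null
$chars = [char[]](48..57 + 65..90 + 97..122)
$newPassword = -join (1..24 | ForEach-Object { $chars | Get-Random })
Update-MgUser -UserId $Upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }

"Contained $Upn. Evidence in $Evidence. Give the temporary password to the user by phone, not email."
"Next: remove MFA methods the user did not add, review app consents, re-enable legitimate rules, decide on notifications."
```

Disabling rather than deleting the rules keeps them as evidence; the CSVs are what you hand to an incident responder or insurer, and they are worth far more taken before the password reset than after.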

Backups and data retention for Microsoft 365

Retention is for compliance. Backup is for recovery. You need both.

  • Use a third‑party Microsoft 365 backup for Exchange, OneDrive, SharePoint and Teams.
  • Follow 3‑2‑1: three copies, two storage types, one offsite. Cloud‑to‑cloud still counts if separate vendor and region.
  • Set mailbox and SharePoint retention labels for legal hold and accidental deletion.
  • Test restores quarterly: a single file, a mailbox, and a SharePoint site.
  • Protect backups with MFA and role separation so attackers can’t wipe them.

When to escalate to a professional Digital Security Check

Call in help when time is tight, the risk is high, or the setup is messy. Common triggers:

  • Account takeover, invoice fraud, or suspicious inbox rules you can’t remove.
  • Multiple tenants, mixed licences, or legacy email still hanging around.
  • BYOD with no device control, or remote crews logging in from everywhere.
  • Board or cyber insurance asking for proof of MFA, backups and response plans.
  • Mergers, new domains, or rapid growth and you need a clean baseline fast.

Our Brisbane clients use a staged approach: audit the tenant, fix the gaps, pilot, then document. Ask about Microsoft 365 Security Hardening and Email Security and Spam Filtering as part of the rollout plan.

Common problems in Brisbane

Weather and infrastructure

  • Storm season: power blips and NBN drops cause repeated MFA prompts and failed CA checks. Use UPS on routers and enable offline access for key apps where safe.
  • Heat and humidity: ageing network gear in ceiling spaces near Rocklea or Sumner can overheat. A cheap fan or cabinet can save hours of downtime.
  • Older buildings in the CBD, Woolloongabba and Ipswich can have patchy Wi‑Fi. Bad roaming triggers reauth loops; tune AP power and band steering.
  • HFC and FTTN quirks around Logan and Redlands can break SMTP auth and IMAP clients. Move users to Outlook with modern auth and block legacy protocols.

Troubleshooting and quick checks

Short answer

If staff get surprise MFA prompts or emails are bouncing, check sign‑in logs for risky locations, confirm legacy auth is blocked, and verify SPF/DKIM/DMARC. Look for new inbox rules. If unsure, reset the password, revoke sessions, and review Conditional Access in report‑only mode.

Quick checks

• Users: is MFA registered for everyone, with admins on passkeys or FIDO2 and nobody on SMS alone?
• Sign‑ins: any impossible travel or unfamiliar countries?
• Conditional Access: legacy auth blocked? Admin rules scoped?
• Mail: SPF valid, DKIM on, DMARC not set to none?
• Inboxes: no forwarding rules or weird delete/move rules?
• Backups: last successful backup and test restore date?

Safety notes and when to call a pro

Red flags

Stop and get help if finance mailboxes show inbox rules you didn’t set, clients report fake invoices, or sign‑ins appear from countries you never work in. If Conditional Access locks out admins or you can’t clear risky sign‑ins, call a specialist the same day.

Local insights and examples

Brisbane/SEQ examples

We see the same patterns across Chermside retail, Fortitude Valley agencies, North Lakes trades, and Springfield health clinics: shared inboxes, a few Macs, lots of iPhones, and some home PCs. Quick wins are MFA upgrades, blocking legacy auth, and DMARC enforcement. It cuts invoice scams fast.

For road crews from the Gold Coast to Caboolture, use Conditional Access to allow AU/NZ and require MFA on new devices. For execs travelling overseas, create a temporary policy exception with extra monitoring and a clear end date. Keep break‑glass creds offline in a safe.

FAQs

Q1: What are the minimum Conditional Access policies a small business should start with?

Start with require MFA for all users, block legacy authentication, protect admin portals with compliant or hybrid‑joined devices, and (with Entra ID P2) block high‑risk sign‑ins. Run policies in report‑only for a few days, review impact, then enforce. Keep break‑glass accounts excluded and documented.

Q2: Do I still need a Microsoft 365 backup if I use retention policies?

Yes. Retention keeps data from being deleted; it doesn’t protect against ransomware, admin mistakes, or malicious insider edits. A proper backup lets you restore a mailbox, file, or site to a point in time. Test restores quarterly and protect backup access with MFA.

Q3: Is SMS MFA good enough for Brisbane staff on mixed devices?

SMS is better than no MFA, but it’s weaker against SIM swap and phishing. Prefer Microsoft Authenticator with number matching or FIDO2 keys. If you must use SMS for a few staff, add extra Conditional Access checks and keep a plan to switch to stronger methods.

Sources and further reading

This checklist aligns with ASD Essential Eight basics for identity hardening, Microsoft Secure Score priorities, and parts of CIS controls for email and admin roles. It also follows common incident response steps and the 3‑2‑1 backup rule used across Australian SMEs.

Wrap-up and next steps

Follow this checklist in order: identity, MFA, Conditional Access, email hardening, alerts, and backups. Pilot, then roll it out. If you’d like validation, paperwork for insurance, or hands‑on help across Brisbane and SEQ, book a quick audit.