In This Guide
Microsoft 365 ships with most of the controls a small Australian business needs — but very few SMEs have them turned on, configured properly, or monitored. This 28-point checklist is what we apply to every Brisbane SME tenant during a hardening project. It blocks an estimated 95% of phishing and breach attempts and aligns with ACSC Essential Eight Maturity Level 1.
Tick what is done, plan what is not. Then book a chat if you are stuck — most points take 5-30 minutes apiece, but the order and dependencies matter.
Aligns your Microsoft 365 tenant to ACSC Essential Eight Maturity Level 1, satisfies most Australian cyber-insurance renewal questionnaires, and demonstrates 'reasonable steps' under the Privacy Act 1988.
Why This Checklist, Right Now
2025 was the year M365 phishing went mainstream in Australia. Attacker-in-the-middle (AITM) kits like EvilProxy and Tycoon now bypass simple SMS MFA in seconds. Brisbane SMEs in legal, accounting and health practices have been the most-targeted local sectors.
What works against AITM and modern phishing:
- Number-matching MFA + Conditional Access
- Token-protection / device compliance
- Anti-phishing & safe-links policies
- Active monitoring of risky sign-ins
Identity (8 Controls)
- 1. MFA enforced for every user (number-matching)
  Microsoft Authenticator with number-matching enabled. SMS as fallback only.
- 2. Block legacy authentication
  Conditional Access policy: block POP, IMAP, SMTP-AUTH.
- 3. Conditional Access — require compliant device
  Block sign-ins from unmanaged devices.
- 4. Conditional Access — geo-block
  Allow only Australia (or AU+NZ). Add countries case-by-case.
- 5. Hardware FIDO2 keys for admins
  YubiKey or Microsoft Authenticator passkey for tenant/global admins.
- 6. Just-in-time admin (Microsoft Entra PIM)
  Admin role granted on demand, expires automatically. Requires Entra P2.
- 7. Self-service password reset (with MFA challenge)
  Reduces helpdesk load and risky password sharing.
- 8. Token protection (preview/GA)
  Binds session token to device; defeats AITM relay attacks.
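Controls 2 and 4 as Conditional Access policies, written here as an added example (not the author's tooling) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in admin can write Conditional Access policy, and you replace the break-glass object ID placeholder; both policies start in report-only mode so the sign-in log can be reviewed before enforcement.

```powershell
# Added example: Conditional Access for "block legacy auth" and "geo-block" via Microsoft Graph.
# Assumes Microsoft.Graph module installed; the break-glass object ID below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlass = "<OBJECT-ID-OF-BREAK-GLASS-ACCOUNT>"   # placeholder: never block this account

# Control 2: block legacy authentication (POP, IMAP, SMTP-AUTH) for all users
$legacyAuth = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # review sign-in log, then set "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")  # "other" covers legacy protocols
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyAuth

# Control 4: a country named location for AU+NZ, then block sign-ins from anywhere else
$auNz = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Australia and New Zealand"
    countriesAndRegions               = @("AU", "NZ")
    includeUnknownCountriesAndRegions = $false   # unknown-geo IPs fall outside the allow list
}
$geoBlock = @{
    displayName = "Block sign-ins outside AU/NZ"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($auNz.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlock
```

Check the "Report-only" column of the Entra sign-in log for a few days before switching each policy's state to "enabled".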
Email & Messaging (7 Controls)
- 9. SPF, DKIM, DMARC live
  DKIM enabled in Defender > Email; DMARC at p=quarantine minimum.
- 10. Anti-phishing policy on (Strict preset)
  Mailbox intelligence + impersonation protection for VIPs.
- 11. Safe-Links on (inbound, internal, outbound)
  URL detonation in email and Teams.
- 12. Safe Attachments on (Block action)
  Sandbox detonation for incoming attachments.
- 13. Block common malicious attachment types
  htm, html, iso, scr, vbs, js — block at gateway.
- 14. External email banner
  Visual warning on every external email.
- 15. Mailbox audit logging on
  Default in 2026, but verify it is on for every mailbox.
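A per-domain check for control 9, added here as an example rather than taken from the author's toolkit. It assumes the ExchangeOnlineManagement module is installed and a Windows host, because Resolve-DnsName comes from the DnsClient module; the DMARC test applies the checklist's minimum of p=quarantine.

```powershell
# Added example: report SPF / DKIM / DMARC status for every authoritative domain in the tenant.
# Assumes ExchangeOnlineManagement module and Windows (Resolve-DnsName is from DnsClient).
Connect-ExchangeOnline -ShowBanner:$false

function Get-DmarcPolicy([string]$Domain) {
    # Returns the p= tag of the domain's DMARC record, or "missing" if there is no record.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { ($_.Strings -join '') -match '^v=DMARC1' }
    if (-not $txt) { return "missing" }
    $tags = (($txt.Strings -join '') -split ';') | ForEach-Object { $_.Trim() }
    $p = ($tags | Where-Object { $_ -like 'p=*' } | Select-Object -First 1) -replace '^p=', ''
    if ($p) { return $p.ToLower() } else { return "missing" }
}

$domains = Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }
$report = foreach ($d in $domains) {
    $name = [string]$d.DomainName
    # SPF: a TXT record at the apex starting with v=spf1
    $spf  = Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object { ($_.Strings -join '') -like 'v=spf1*' }
    # DKIM: Exchange Online signing config must exist and be enabled for the domain
    $dkim = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    $dmarcP = Get-DmarcPolicy $name
    [pscustomobject]@{
        Domain      = $name
        SpfPresent  = [bool]$spf
        DkimEnabled = [bool]($dkim -and $dkim.Enabled)
        DmarcPolicy = $dmarcP
        DmarcOk     = $dmarcP -in @('quarantine', 'reject')   # p=none does not meet the checklist
    }
}
$report | Format-Table -AutoSize
# Domains that still fail any of the three checks
$report | Where-Object { -not ($_.SpfPresent -and $_.DkimEnabled -and $_.DmarcOk) }
```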
Device & Endpoint (6 Controls)
- 16. Microsoft Intune enrolled (or equivalent MDM)
  Centralised policy, compliance, remote wipe.
- 17. BitLocker / FileVault enforced
  Required for compliance. Recovery keys backed up to Entra/Azure AD.
- 18. Defender for Endpoint (or equivalent EDR)
  Not just free Defender — Defender for Endpoint with cloud-delivered protection.
- 19. Windows / macOS auto-patching enforced
  Intune Autopatch (Win), Intune for Mac, or Jamf.
- 20. Block USB / removable media (or audit)
  Defender attack surface reduction rule.
- 21. App-protection policies for mobile
  BYOD phones can read M365 mail without enrolling — but data is sandboxed.
Data & DLP (4 Controls)
- 22. M365 cloud-to-cloud backup
  Microsoft does not back up the way you think. Datto, Spanning, Veeam, Synology Active Backup.
- 23. Sensitivity labels (Public / Internal / Confidential / Highly Confidential)
  Auto-label TFNs, Medicare numbers, credit cards.
- 24. DLP policy — block external sharing of sensitive content
  SharePoint, OneDrive, Teams, Exchange.
- 25. Sharing defaults — disable anonymous link sharing
  Existing-employees-only or specific-people-only by default.
Monitoring & Response (3 Controls)
- 26. Risky sign-in alerts (Entra ID Protection)
  Impossible-travel, anonymous IP, unfamiliar location.
- 27. Mailbox forwarding-rule alert
  Most reliable single indicator of an active BEC.
- 28. Documented incident response plan
  Print and stick on the wall: 'who do I call?'.
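A one-off sweep for the indicator behind control 27, added here as an example and not the author's own script: mailbox-level forwarding plus inbox rules that forward or redirect to an address outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module and an Exchange admin session; the final line is the tenant-wide prevention that stops auto-forwarding even when a rule is created.

```powershell
# Added example: find forwarding configured at mailbox level or via inbox rules to external addresses.
# Assumes ExchangeOnlineManagement module; internal domains are read from the tenant.
Connect-ExchangeOnline -ShowBanner:$false
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress([string]$Address) {
    # Rule targets render as "Display Name [SMTP:user@domain]" or as a plain SMTP address
    if ($Address -match '([^\s\[\]:<>"]+@([^\s\[\]>"]+))') {
        return ($Matches[2].ToLower() -notin $internalDomains)
    }
    return $false
}

$props = 'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward'
$findings = foreach ($mbx in (Get-EXOMailbox -ResultSize Unlimited -Properties $props)) {
    # Mailbox-level forwarding (Set-Mailbox or Outlook web settings)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress; Type = 'MailboxForwarding'
            Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"; Rule = ''
        }
    }
    # Inbox rules that forward or redirect outside the tenant; a paired DeleteMessage hides the trail
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        $external = $targets | Where-Object { Test-ExternalAddress ([string]$_) }
        if ($external) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Type = 'InboxRule'
                Target  = ($external -join ', ')
                Rule    = "$($rule.Name) (Enabled=$($rule.Enabled), Deletes=$($rule.DeleteMessage))"
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Prevention: disable automatic external forwarding tenant-wide in the outbound spam policy
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Run the sweep on a schedule and alert on any new row; the Defender "Suspicious email forwarding activity" alert covers the same signal for tenants licensed for it.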
Suggested Schedule
- Day 1 (4-6 hr): Identity 1-5. Email 9-15. The 80% protection set.
- Week 2: Intune, BitLocker, Defender for Endpoint, Patching.
- Week 3-4: DLP, sensitivity labels, sharing defaults, monitoring alerts.
- Quarterly: Restore drill, phishing sim, Entra PIM review, sharing audit.
Brisbane SME Context
What we adjust for Brisbane SMEs vs national templates:
- Conditional Access trusted IP — office IP whitelisted reduces friction in CBD/Fortitude Valley offices, MFA enforced from anywhere else
- Storm-season offline backup — make sure cloud-to-cloud copy is genuinely offsite from Brisbane data centres
- Remote/hybrid workers — many Brisbane SMEs have staff in Sunshine Coast or Gold Coast — Conditional Access geo-block at country level, not city
Costs in Brisbane
| Service | Effort | Cost |
|---|---|---|
| M365 hardening (full 28-point) | 1-3 days | $1,230-$2,460 |
| MFA + Conditional Access only | 4-6 hr | $615-$820 |
| Defender for Office 365 setup | 3-4 hr | $410-$615 |
| M365 cloud-to-cloud backup | 2hr setup + license | $250 + $5/user/mo |
| Annual re-hardening | Half day | From $820 |
| Managed M365 security plan | Ongoing | From $99/user/month |
Pro tip: Apply Microsoft's 'Standard' or 'Strict' security presets first — that gets you 60% of these controls in 30 minutes. Then layer the remaining custom items on top.
Watch for: Sharing-defaults rolled back. Many M365 tenants have 'Anyone with the link' enabled by default in SharePoint/OneDrive. One misclicked share = a public exposure.
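Control 25 and the roll-back check above, as an added example that is not the author's script: it reads the tenant sharing defaults, corrects them if anonymous links are permitted or are the default link type, then lists sites whose own setting is looser than existing-guests-only (the quarterly sharing audit). It assumes the SharePoint Online Management Shell module and a SharePoint admin; "contoso" is a placeholder tenant name.

```powershell
# Added example: audit and re-apply SharePoint/OneDrive sharing defaults.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; "contoso" is a placeholder tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Weak state: "Anyone with the link" is ExternalUserAndGuestSharing, and AnonymousAccess as the
# default link type means one misclick publishes the file. Corrected state: existing guests only,
# and the default link targets specific people with view-only rights.
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing' -or
    $tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
    Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
                  -DefaultSharingLinkType Direct `
                  -DefaultLinkPermission View
}

# Site-level settings can drift from the tenant default; list anything looser than existing-guests-only
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -in @('ExternalUserAndGuestSharing', 'ExternalUserSharingOnly') } |
    Select-Object Url, SharingCapability, Owner |
    Format-Table -AutoSize
```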
Want Us to Run This Across Your M365?
Brisbane local. ACSC-aligned. From $1,230. Same-week scheduling.
Book M365 Hardening — From $1,230. Full 28-point checklist applied, documented, tested. Pilot user, full rollout, staff training, 30-day handover review. From $1,640 for SMEs under 25 staff.