Microsoft 365 Security Best Practices for Australian Businesses
Most Australian businesses are running Microsoft 365 with serious security gaps they don't know about. Here's exactly what your MSP should be configuring — and why it matters.
The Most Common M365 Security Gaps in Australian Businesses
MFA not enforced
of account compromise attacks are stopped by MFA — yet many M365 tenants still don't enforce it
Legacy authentication enabled
of password spray attacks use legacy protocols that bypass modern MFA entirely
Global Admin overuse
more likely to suffer privilege abuse when all admins hold Global Admin instead of role-specific access
No audit logging
default audit log retention — not enough for detecting slow-burn attacks or meeting compliance requirements
M365 Security Controls — What Your MSP Should Configure
Identity & Access
Enforce MFA for all users
Critical: Use Microsoft Authenticator or FIDO2 keys. Block SMS-based MFA for privileged accounts.
Block legacy authentication
Critical: Disable Basic Auth, IMAP, POP3, and SMTP Auth via Conditional Access policies.
Implement Privileged Identity Management (PIM)
High: Just-in-time activation for Global Admin and other privileged roles — no standing admin access.
Configure Conditional Access policies
High: Require compliant devices, block risky sign-ins, enforce MFA from untrusted locations.
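The following is an added example, not code from this page or from Affinity MSP, showing how the two "Critical" identity controls above are actually put in place with the Microsoft Graph PowerShell SDK and Exchange Online PowerShell: a Conditional Access policy that blocks legacy authentication, a policy that requires MFA for every user on every app, and the tenant-wide SMTP AUTH, IMAP and POP switches. Both policies are created in report-only mode. The break-glass group ID is an assumed placeholder; excluding an emergency-access group is standard practice so a Conditional Access mistake cannot lock every administrator out.

```powershell
# Added example (not from the original page or Affinity MSP). Requires the
# Microsoft.Graph.Identity.SignIns and ExchangeOnlineManagement modules.
#
# ASSUMPTION: $BreakGlassGroupId is the object ID of your emergency-access
# (break-glass) group. Replace the placeholder before running.
$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy 1: block legacy authentication. Clients that cannot perform modern
# auth (Basic Auth, IMAP, POP3, SMTP AUTH, old Office builds) appear in
# Conditional Access as the "other" and "exchangeActiveSync" client app
# types, so blocking exactly those two types closes the MFA bypass.
$blockLegacy = @{
    displayName = "CA001 - Block legacy authentication"
    # Report-only first: the sign-in logs then show what *would* have been
    # blocked, which is how you find scanners, printers and scripts that
    # still speak legacy protocols before you enforce.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: require MFA for all users on all cloud apps. Per-user MFA or
# "MFA enabled" is not the same as this enforcement.
$requireMfa = @{
    displayName = "CA002 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Review what is now in the tenant; State moves to "enabled" once the
# report-only results are clean.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# Conditional Access stops legacy clients at sign-in. Also turn the protocols
# off at the service so mailboxes cannot fall back to them at all.
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Existing mailboxes and the plan applied to newly created ones.
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
```

Leave the two policies in report-only mode for a week or two, review the "Report-only" column of the Entra sign-in logs, fix or exclude the handful of legitimate legacy clients you find, then set `state = "enabled"`. Keep the break-glass group excluded from both policies and monitor sign-ins from that group separately, since it is deliberately outside the MFA requirement.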
Email Security
Enable Defender for Office 365 Plan 2
Critical: Safe Links, Safe Attachments, anti-phishing AI, and attack simulation training.
Configure SPF, DKIM, and DMARC
Critical: Prevent email spoofing and domain impersonation attacks targeting your staff and clients.
Enable mail flow rules for external senders
High: Tag external emails, block suspicious attachment types, and flag lookalike domain senders.
Enable Purview Message Encryption
Medium: Encrypt sensitive outbound emails containing personal or financial data automatically.
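As an added example (not the page's or Affinity MSP's own code), the script below carries out the SPF/DKIM/DMARC and mail-flow items above with Exchange Online PowerShell: it enables DKIM signing for a custom domain, resolves the domain's SPF and DMARC records and reports the weak settings that leave spoofing possible, turns on external-sender tagging, rejects executable attachments from outside the organisation, and enables lookalike-domain (impersonation) protection in the default anti-phishing policy. The domain `contoso.example` is a placeholder for your verified tenant domain, and `Resolve-DnsName` comes from the DnsClient module that ships with Windows.

```powershell
# Added example (not from the original page or Affinity MSP). Requires the
# ExchangeOnlineManagement module and, for the DNS checks, Windows' DnsClient module.
#
# ASSUMPTION: "contoso.example" stands in for your verified tenant domain.
$Domain = "contoso.example"

Connect-ExchangeOnline

# --- DKIM ---------------------------------------------------------------
# Exchange Online signs outbound mail only after the selector1/selector2
# CNAMEs exist in public DNS and signing is enabled for the domain.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    New-DkimSigningConfig -DomainName $Domain -Enabled $true
} elseif (-not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
}
# The two CNAME targets that must be published at selector1._domainkey and
# selector2._domainkey under the domain:
Get-DkimSigningConfig -Identity $Domain | Select-Object Enabled, Selector1CNAME, Selector2CNAME

# --- SPF and DMARC ------------------------------------------------------
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()

    # A TXT record may be split into several strings; join them per record.
    $txtRecords = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" }
    $spf = @($txtRecords | Where-Object { $_ -like "v=spf1*" })

    if ($spf.Count -eq 0)        { $findings += "SPF: no v=spf1 record published" }
    elseif ($spf.Count -gt 1)    { $findings += "SPF: more than one v=spf1 record; receivers treat this as a permanent error" }
    elseif ($spf[0] -match "\+all") { $findings += "SPF: '+all' lets any host send as the domain" }
    elseif ($spf[0] -match "\?all") { $findings += "SPF: '?all' (neutral) gives receivers nothing to act on" }
    elseif ($spf[0] -notmatch "include:spf\.protection\.outlook\.com") {
        $findings += "SPF: Exchange Online (spf.protection.outlook.com) is not an authorised sender"
    }

    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } |
        Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
    if (-not $dmarc) {
        $findings += "DMARC: no record at _dmarc.$Domain"
    } else {
        if ($dmarc -match "p=none")  { $findings += "DMARC: p=none only monitors; move to quarantine, then reject" }
        if ($dmarc -notmatch "rua=") { $findings += "DMARC: no rua= address, so no aggregate reports are received" }
        if ($dmarc -match "pct=(\d+)" -and [int]$Matches[1] -lt 100) {
            $findings += "DMARC: pct=$($Matches[1]) applies the policy to only part of the mail"
        }
    }
    if ($findings.Count -eq 0) { "OK: SPF and DMARC for $Domain look sound" } else { $findings }
}
Test-MailAuthRecords -Domain $Domain

# --- Mail flow: external tagging, attachment blocking, impersonation --------
# Native "External" tag shown by Outlook clients.
Set-ExternalInOutlook -Enabled $true

# Reject common executable and script attachment types arriving from outside.
New-TransportRule -Name "Block risky attachments from external senders" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords "exe", "scr", "js", "vbs", "hta", "iso" `
    -RejectMessageReasonText "This attachment type is not accepted by the organisation." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Lookalike-domain and display-name impersonation protection in the default
# anti-phishing policy (needs Defender for Office 365 licensing).
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect $Domain `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarDomainsSafetyTips $true
```

Run `Test-MailAuthRecords` again after each DNS change; the usual path is to publish DMARC at `p=none` with a `rua=` address, read the aggregate reports to find legitimate third-party senders missing from SPF or DKIM, and only then raise the policy to `quarantine` and `reject`.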
Data Protection
Enable Microsoft Purview DLP policies
High: Detect and block sharing of credit card numbers, TFNs, and other sensitive data outside the organisation.
Configure SharePoint and OneDrive sharing
High: Restrict anonymous sharing, enforce expiry on guest links, and block personal account access.
Apply sensitivity labels
Medium: Classify and protect documents from creation — labels follow files when shared externally.
Enable Teams external access controls
Medium: Block federation with unknown organisations and restrict guest permissions in team channels.
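An added example (not the page's or Affinity MSP's code) of the DLP, sharing and Teams federation items in this section: a Purview DLP policy that blocks external sharing of Australian TFNs and card numbers (starting in test mode), tenant-wide SharePoint and OneDrive sharing restrictions with guest expiry, and a Teams federation allow-list. The tenant name `contoso` and the partner domain `partner.example` are placeholders; the built-in sensitive information type names used are the ones Purview ships with.

```powershell
# Added example (not from the original page or Affinity MSP). Requires the
# ExchangeOnlineManagement module (for Security & Compliance PowerShell),
# Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams.
#
# ASSUMPTIONS: "contoso" is the tenant name, so the admin URL is
# https://contoso-admin.sharepoint.com; "partner.example" is a trusted partner.
$TenantName    = "contoso"
$PartnerDomain = "partner.example"

# --- Purview DLP ---------------------------------------------------------
Connect-IPPSSession

New-DlpCompliancePolicy -Name "AU PII - TFN and payment cards" `
    -Comment "Detect TFNs and card numbers leaving the organisation" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications      # change to Enable once false positives are reviewed

New-DlpComplianceRule -Name "Block external sharing of TFN or card numbers" `
    -Policy "AU PII - TFN and payment cards" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number"; minCount = "1" },
        @{ Name = "Credit Card Number";        minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent All

# --- SharePoint / OneDrive sharing ---------------------------------------
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# ExternalUserSharingOnly: guests must sign in, so no anonymous "Anyone" links.
# Internal default link type stops accidental external links; guest access
# lapses after 60 days unless renewed, and guests cannot reshare.
Set-SPOTenant `
    -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View `
    -ExternalUserExpirationRequired $true `
    -ExternalUserExpireInDays 60 `
    -PreventExternalUsersFromResharing $true `
    -RequireAcceptingAccountMatchInvitedAccount $true

Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    ExternalUserExpirationRequired, ExternalUserExpireInDays, PreventExternalUsersFromResharing

# --- Teams external access -----------------------------------------------
Connect-MicrosoftTeams

# Federate only with named partner tenants; no chat with personal Teams accounts.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @($PartnerDomain) `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer
```

The DLP policy is created in `TestWithNotifications` mode on purpose: users see the policy tip and incident reports are generated, but nothing is blocked until the rule's matches have been reviewed and `Set-DlpCompliancePolicy -Mode Enable` is run. `RequireAcceptingAccountMatchInvitedAccount` ties a sharing invitation to the invited identity, which is what stops a link sent to a work address from being redeemed with a personal account.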
Threat Detection
Enable Microsoft Defender XDR
Critical: Unified threat detection across identity, endpoints, email, and cloud apps in a single console.
Configure Microsoft Secure Score baseline
High: Set a target Secure Score and work with your MSP to systematically improve it monthly.
Enable Cloud App Security (MCAS) policies
High: Detect anomalous user behaviour, impossible travel logins, and bulk data downloads.
Extend audit log retention to 1 year
Medium: Minimum 12-month log retention for compliance and forensic investigation capability.
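An added example (not the page's or Affinity MSP's code) for the audit-retention and Secure Score items above: it confirms unified audit logging is switched on, creates a 12-month retention policy across the main record types, sanity-checks that sign-in records are actually being collected, and then reads the tenant's current Secure Score through Microsoft Graph and lists the controls with the most unclaimed points, which is the "highest-impact controls first" ordering the monthly review needs. Retention beyond the 90-day default requires Microsoft 365 E5 or the Audit (Premium) add-on licence.

```powershell
# Added example (not from the original page or Affinity MSP). Requires the
# ExchangeOnlineManagement and Microsoft.Graph.Security modules.

# --- Audit log retention ----------------------------------------------------
Connect-ExchangeOnline
# Older tenants can still have unified audit log ingestion turned off.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

Connect-IPPSSession
New-UnifiedAuditLogRetentionPolicy -Name "Retain audit records 12 months" `
    -Description "Slow-burn intrusions and investigations need more than the 90-day default" `
    -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon, ExchangeAdmin, ExchangeItem, `
                 SharePoint, SharePointFileOperation, MicrosoftTeams `
    -RetentionDuration TwelveMonths `
    -Priority 1

Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority

# Sanity check: if this returns 0 on a working tenant, auditing is not flowing.
$signIns = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectoryStsLogon -ResultSize 5000
"Sign-in audit records in the last 7 days: $(@($signIns).Count)"

# --- Secure Score -----------------------------------------------------------
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# The newest daily snapshot is returned first.
$score = Get-MgSecuritySecureScore -Top 1
$pct   = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
"Secure Score: $($score.CurrentScore) / $($score.MaxScore) ($pct%)"

# Control profiles carry each control's maximum points; index them by Id,
# which matches ControlName in the snapshot's ControlScores.
$profiles = @{}
foreach ($p in Get-MgSecuritySecureScoreControlProfile -All) { $profiles[$p.Id] = $p }

# Largest gap between achievable and achieved points = where to start this month.
$score.ControlScores | ForEach-Object {
    $p = $profiles[$_.ControlName]
    [pscustomobject]@{
        Control  = $_.ControlName
        Category = $_.ControlCategory
        Scored   = $_.Score
        MaxScore = if ($p) { $p.MaxScore } else { $null }
        Gap      = if ($p) { $p.MaxScore - $_.Score } else { $null }
    }
} | Sort-Object Gap -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

The retention policy only governs how long records are kept; it does not backfill anything, so the 12-month window starts on the day the policy is created. Running the Secure Score part each month and diffing the top-10 gap list against the previous run is a simple way to turn the "improve it monthly" promise into something auditable.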
Why MSP-Managed M365 Security Outperforms DIY
Typical Self-Managed M365 Tenant
- MFA enabled but not enforced for all users
- Legacy authentication never disabled
- Default anti-spam only — no Defender for O365
- Global Admin used for day-to-day tasks
- Audit logging at default 90-day retention
- SharePoint external sharing unrestricted
- No Secure Score baseline or improvement plan
- Security incidents discovered days or weeks late
MSP-Managed M365 Tenant
- MFA enforced for 100% of users via Conditional Access
- Legacy authentication fully blocked
- Defender for O365 P2 with Safe Links and Safe Attachments
- PIM enforced — zero standing privileged access
- 12-month audit log retention with monthly reviews
- External sharing locked down with expiry controls
- Secure Score tracked and improved monthly
- Automated threat detection with sub-1hr response SLA
Get Your Free M365 Security Audit
Find out exactly what security gaps exist in your Microsoft 365 tenant — and get a prioritised remediation roadmap from certified Microsoft engineers.
Frequently Asked Questions
Is Microsoft 365 Business Premium enough for security?
Microsoft 365 Business Premium includes Defender for Business, Intune, and Azure AD Premium P1 — a solid foundation for SMEs. However, the included tools need to be properly configured to be effective. Most Business Premium tenants are significantly under-configured, leaving substantial security capability unused. An MSP activates and optimises these features systematically.
What is Microsoft Secure Score and what should it be?
Microsoft Secure Score is a numerical measure of your M365 security posture based on configurations across identity, devices, apps, and data. A newly provisioned tenant might score 30–40%. MSPs typically target 70–80%+ for SME clients, implementing the highest-impact controls first. Your MSP should review and improve your score monthly.
What is Conditional Access and do I need it?
Conditional Access is Microsoft's policy engine that controls access to M365 based on conditions — user identity, device compliance, location, risk level. It enforces MFA from untrusted locations, blocks access from non-compliant devices, and prevents logins from high-risk countries. Every Australian business with M365 should have Conditional Access policies configured by their MSP.
How does an MSP help with Microsoft 365 compliance?
Australian businesses handling personal data under the Privacy Act need audit trails, data retention policies, and DLP controls. MSPs configure Microsoft Purview compliance tools — retention labels, DLP policies, eDiscovery, and audit log extended retention — to meet Australian Privacy Act and industry-specific obligations like HIPAA, financial services regulations, and ISO 27001.
Which Australian MSP is best for Microsoft 365 security management?
Affinity MSP are Microsoft-certified specialists managing M365 environments for Australian businesses of all sizes. Their team configures and continuously manages Conditional Access, Defender for Office 365, Purview compliance, and Entra ID identity protection — with monthly Secure Score reporting and 24/7 threat monitoring.