Microsoft 365 is the backbone of most Australian small businesses - email, files, Teams calls, shared calendars all live there. But out of the box, it's configured for convenience, not security. A number of important controls are either off by default or need someone to deliberately turn them on.
You don't need to be the one configuring this. But you do need to know enough to ask the right questions. Here are five specific things to raise with your IT provider on your next catch-up - and what a good answer sounds like.
1. Ask: Is MFA enforced for every user, including admins?
Multi-factor authentication (MFA) means a second step when signing in - usually a tap on the Microsoft Authenticator app on a phone - on top of the password. Microsoft's own data shows it blocks over 99.9% of automated account-takeover attacks. It's free on every Microsoft 365 plan.
The risk is that MFA was either never turned on, or was switched off for a staff member who found it inconvenient. A good answer from your provider sounds like: "Yes, it's enforced for all users including admins, and we've checked there are no exemptions."
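If you (or your provider) want to verify that answer rather than take it on trust, the check below is an added example for this article, not something from the original post or from Microsoft. It uses the Microsoft Graph PowerShell module to list Conditional Access policies that require MFA for everyone, print any exclusions, and show users who have never registered an MFA method. It assumes the tenant has Entra ID P1 (included in Business Premium); tenants without it rely on Security Defaults, which the script also reports.

```powershell
# Added example (not from the article): audit MFA enforcement and exemptions.
# Needs the Microsoft.Graph module and a Global Reader or Security Reader role.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All",
    "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

# Tenants without Entra ID P1 use Security Defaults instead of Conditional Access.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($defaults.IsEnabled)"

# 1. Enabled Conditional Access policies that require MFA for all users on all apps.
$mfaForAll = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'mfa' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All'
}
if (-not $mfaForAll -and -not $defaults.IsEnabled) {
    Write-Warning "Nothing requires MFA for all users: no Security Defaults and no all-user CA policy."
}

foreach ($p in $mfaForAll) {
    "Policy '$($p.DisplayName)' requires MFA for all users."
    # Exclusions are where 'inconvenient' exemptions hide. A single break-glass
    # account is normal; anyone else on this list deserves a question.
    $u = $p.Conditions.Users
    $guid = '^[0-9a-fA-F-]{36}$'
    foreach ($id in $u.ExcludeUsers) {
        # Special values such as 'GuestsOrExternalUsers' are not object ids.
        $name = if ($id -match $guid) { (Get-MgUser -UserId $id).UserPrincipalName } else { $id }
        "  excluded user : $name"
    }
    foreach ($id in $u.ExcludeGroups) { "  excluded group: $((Get-MgGroup -GroupId $id).DisplayName)" }
    foreach ($id in $u.ExcludeRoles)  { "  excluded role : $((Get-MgDirectoryRoleTemplate -DirectoryRoleTemplateId $id).DisplayName)" }
    if (-not ($u.ExcludeUsers -or $u.ExcludeGroups -or $u.ExcludeRoles)) { "  no exclusions" }
}

# 2. Enforcement is only half the story: users with no MFA method registered are
#    still protected by a password alone until they complete registration. Admins first.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable |
    Format-Table -AutoSize
```

A good result is one enabled all-users policy, a single documented break-glass account in the exclusions, and an empty (or shrinking) list of unregistered users.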
2. Ask: Are old, insecure sign-in methods blocked?
Microsoft 365 used to support a number of older sign-in methods (the technical term is "legacy authentication") that don't work with MFA. If those older methods are still allowed on your tenant, an attacker who steals a password can bypass MFA entirely by using one of them.
Microsoft has been turning these off in stages over the last few years, but many older tenants still have gaps. A good answer sounds like: "Yes, legacy authentication is fully blocked, and we've reviewed the sign-in logs to confirm nothing legitimate is still using it."
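The "good answer" above has three parts (blocked in Exchange, blocked in Conditional Access, and confirmed against the sign-in logs), so here is an added example, not from the article, that checks all three. It uses the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules; the 30-day window matches the default sign-in log retention on Entra ID P1, and the client-app names are the values Microsoft reports for legacy authentication in those logs.

```powershell
# Added example (not from the article): three checks that legacy authentication
# is really blocked. Needs ExchangeOnlineManagement and Microsoft.Graph modules.

# --- Check 1: Exchange Online authentication policy ---------------------------
Connect-ExchangeOnline -ShowBanner:$false
$defaultPolicyName = (Get-OrganizationConfig).DefaultAuthenticationPolicy
if (-not $defaultPolicyName) {
    Write-Warning "No default authentication policy: Basic auth is governed only by Microsoft's tenant-wide switch-off."
} else {
    # Every AllowBasicAuth* value should be False on a hardened tenant.
    Get-AuthenticationPolicy -Identity $defaultPolicyName |
        Select-Object Name, AllowBasicAuth* | Format-List
}
# SMTP AUTH is the protocol Microsoft left for tenants to turn off themselves:
# confirm it is disabled org-wide and not re-enabled on individual mailboxes.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# --- Check 2: a Conditional Access policy that blocks legacy client apps -------
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All" -NoWelcome
$legacyAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client app types in CA
$blockLegacy = Get-MgIdentityConditionalAccessPolicy | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    @($_.Conditions.ClientAppTypes | Where-Object { $_ -in $legacyAppTypes }).Count -eq 2
}
if ($blockLegacy) { "Legacy auth blocked by: $($blockLegacy.DisplayName -join ', ')" }
else { Write-Warning "No enabled Conditional Access policy blocks legacy clients for all users." }

# --- Check 3: has anything used legacy auth in the last 30 days? ----------------
# These are the clientAppUsed values Microsoft classes as legacy authentication.
$legacyClientNames = @(
    'Exchange ActiveSync', 'Authenticated SMTP', 'IMAP4', 'POP3', 'Other clients',
    'Exchange Web Services', 'Exchange Online PowerShell', 'MAPI Over HTTP',
    'Offline Address Book', 'Outlook Anywhere (RPC over HTTP)', 'AutoDiscover',
    'Reporting Web Services', 'Outlook Service'
)
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClientNames } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Anything that shows up in check 3 is either an old device or scanner still sending mail over SMTP AUTH, which needs a modern replacement, or a sign that someone is trying passwords against the legacy door. Both are worth raising with the provider.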
3. Ask: Do we have advanced email protection (Safe Links and Safe Attachments) turned on?
Microsoft 365 Business Premium includes a layer of email protection called Defender for Office 365. Two features matter most: Safe Links rewrites links in emails and checks them at the moment a staff member clicks - even if the link looked safe when the email first arrived. Safe Attachments opens email attachments in an isolated environment to check them for malware before they hit the inbox.
Neither is on by default - both need to be deliberately enabled. If you're on Business Standard rather than Business Premium, ask whether upgrading is worth it; for most businesses, the security gain alone covers the cost difference per user.
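"Turned on" has two halves in Defender for Office 365: a policy that says what Safe Links and Safe Attachments do, and a rule that says who they apply to. A policy with no enabled rule, or a rule scoped to one test group, looks enabled in a report but protects nobody. The following is an added example for this article (not the original post's or Microsoft's code) that checks both halves with the ExchangeOnlineManagement module; it assumes a Business Premium or Defender for Office 365 licence, and the helper function name is the example's own.

```powershell
# Added example (not from the article): confirm Safe Links and Safe Attachments are
# enabled and scoped to the whole organisation. Needs ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false

# Every accepted domain should be covered by an enabled rule.
$domains = (Get-AcceptedDomain).DomainName

# Hypothetical helper (example's own): report which rules are enabled and which
# of your domains fall outside every domain-scoped rule.
function Test-PolicyCoverage {
    param([string]$Kind, [object[]]$Rules, [string]$PolicyProp)
    $enabled = $Rules | Where-Object { $_.State -eq 'Enabled' }
    if (-not $enabled) { Write-Warning "$Kind : no enabled rule, so the feature is effectively off."; return }
    foreach ($r in $enabled) {
        "$Kind rule '$($r.Name)' -> policy '$($r.$PolicyProp)'; domains: $($r.RecipientDomainIs -join ', '); users: $($r.SentTo -join ', '); groups: $($r.SentToMemberOf -join ', ')"
    }
    $gaps = $domains | Where-Object { $_ -notin $enabled.RecipientDomainIs }
    if ($gaps) { Write-Warning "$Kind : domains not covered by a domain-scoped rule: $($gaps -join ', ') (check user/group-scoped rules)" }
}

# Safe Links
Test-PolicyCoverage -Kind 'SafeLinks' -Rules (Get-SafeLinksRule) -PolicyProp 'SafeLinksPolicy'
Get-SafeLinksPolicy |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice,
        ScanUrls, DeliverMessageAfterScan, TrackClicks, AllowClickThrough |
    Format-List

# Safe Attachments: Action should be Block or DynamicDelivery, never Allow.
Test-PolicyCoverage -Kind 'SafeAttachments' -Rules (Get-SafeAttachmentRule) -PolicyProp 'SafeAttachmentPolicy'
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect, RedirectAddress | Format-List

# Safe Attachments for SharePoint, OneDrive and Teams is a separate tenant-wide switch.
Get-AtpPolicyForO365 | Select-Object EnableATPForSPOTeamsODB, EnableSafeDocs

# If the provider uses Microsoft's Standard/Strict preset security policies instead of
# custom ones, the Safe Links/Safe Attachments scoping lives here rather than above.
Get-ATPProtectionPolicyRule | Select-Object Name, State, Priority, RecipientDomainIs, SentTo, SentToMemberOf
```

The answer you want from this is every domain covered, `EnableSafeLinksForEmail` true with `ScanUrls` and `DeliverMessageAfterScan` true, and a Safe Attachments action of Block with `EnableATPForSPOTeamsODB` on.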
4. Ask: Do external emails show a clear "external sender" warning?
One of the most effective - and most overlooked - defences against phishing and impersonation scams is a simple banner at the top of any email that came from outside your organisation. When a staff member gets an email that looks like it's from a colleague but is actually from an attacker spoofing your domain, that warning is often the only thing that makes them pause.
This is a 15-minute configuration job for your IT provider, costs nothing extra, and pays for itself the first time someone catches a spoofed invoice or fake CEO request because of it.
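For the provider doing that 15-minute job, here is what it looks like in Exchange Online PowerShell, added here as an example rather than taken from the article. Option A is Outlook's built-in external tag, which is the usual choice; option B is a mail-flow rule that prepends a visible banner for clients that do not render the Outlook tag. The rule name and banner wording are the example's own.

```powershell
# Added example (not from the article): check, and if needed turn on, an external
# sender warning in Microsoft 365. Needs the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

# Option A: Outlook's native 'External' tag (Outlook desktop, web and mobile).
$ext = Get-ExternalInOutlook
$ext | Select-Object Identity, Enabled, AllowList
if (-not $ext.Enabled) {
    Set-ExternalInOutlook -Enabled $true
    "External tagging enabled; it can take up to 48 hours to appear in Outlook."
}
# AllowList holds external domains you trust enough not to tag. It should be short;
# a long list quietly defeats the point of the warning.

# Option B: a mail-flow (transport) rule that prepends a banner to every message
# that arrives from outside the organisation, for mail clients without the tag.
$ruleName = 'External sender warning banner'   # assumed name, example's own
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToScope InOrganization `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText '<div style="background:#fff4ce;border:1px solid #d83b01;padding:6px;font-family:sans-serif;font-size:12px">CAUTION: This email came from outside the organisation. Check the sender before clicking links or opening attachments.</div>' `
        -ApplyHtmlDisclaimerFallbackAction Wrap
}
Get-TransportRule -Identity $ruleName | Select-Object Name, State, Priority, FromScope, SentToScope
```

Send yourself a test message from a personal mailbox afterwards: the tag or banner should appear, and an internal colleague's message should not.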
5. Ask: Do we have a separate backup of our OneDrive and SharePoint data?
This is the question most owners think has an obvious answer - and most are wrong. Microsoft 365 has redundancy: if a server fails at Microsoft's end, your data is safe. But Microsoft is explicit that it is not a backup. If a staff member (or an attacker with their credentials) deletes a folder, or ransomware encrypts files synced through OneDrive, Microsoft's recycle bins and version history only protect you for a limited window - typically 30 to 93 days, depending on the setting.
A proper cloud-to-cloud backup keeps an independent copy of your Microsoft 365 data (Exchange mail, OneDrive, SharePoint, Teams) with a third-party provider, on a longer retention schedule. A good answer from your IT provider sounds like: "Yes, we run a daily cloud-to-cloud backup of your M365 data with at least 12 months retention, and we test restores periodically."
Where to Go From Here
These five questions won't make you a cybersecurity expert, but they'll quickly tell you whether your current IT provider is on top of the basics - or whether you've been paying for a helpdesk while gaps quietly opened up. For a deeper look at how to protect your business, see our cybersecurity services and cloud management pages.
If your provider can't give you clear answers to all five, it's worth having a managed IT provider do an independent review. The configuration gaps that put Australian SMBs at risk are almost always the ones nobody realised were there.