Microsoft 365 is the backbone of most Australian small businesses. Email, files, Teams calls, shared calendars — it's all in there. But out of the box, M365 is configured for convenience, not security. A number of critical security features are either disabled by default or require a deliberate action to turn on.

The good news is that if your business is on Microsoft 365 Business Standard or Business Premium, you already have access to the tools needed to significantly harden your security posture. Most of them cost nothing extra to enable. Here are five settings that every business should have configured.

1. Multi-Factor Authentication (MFA) for All Users

This is the single most impactful thing you can do to protect your Microsoft 365 tenant. MFA requires users to verify their identity with a second factor — typically the Microsoft Authenticator app — whenever they sign in from a new device or location. According to Microsoft's own data, MFA blocks over 99.9% of automated account compromise attacks.

Despite being free and available on every M365 plan, a significant number of Australian businesses still don't have MFA enforced for all users. The most common reason: it was never turned on, or it was switched off because a staff member found it inconvenient.

The right way to enforce MFA is through Security Defaults (the simplest option, available on all plans) or through Conditional Access policies (more flexible, requires Business Premium or Azure AD P1). Either way, MFA should be mandatory — not optional — for every user including administrators.

2. Disable Legacy Authentication Protocols

Legacy authentication refers to older sign-in methods and protocols — things like Basic Auth, SMTP AUTH, POP3, and IMAP — that can't prompt for a second factor and therefore don't support MFA. If legacy authentication is still allowed on your tenant, an attacker who obtains a user's password can sign in through one of these older protocols and bypass MFA entirely.

Microsoft has been progressively disabling legacy authentication across M365 over recent years, but many tenants still have it partially enabled, particularly for specific applications or services that haven't been updated. Review your sign-in logs for any legacy authentication activity and block it through Conditional Access or the Authentication Methods policy in Entra ID.
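The following is an added example, not code from the article: it implements settings 1 and 2 together with the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module, creating an MFA policy and a legacy-authentication block in report-only mode, listing recent legacy sign-ins, and disabling SMTP AUTH tenant-wide. It assumes Entra ID P1 licensing (Business Premium), both modules installed, and a break-glass account whose object ID replaces the placeholder; the helper function name is my own.

```powershell
# Added example, not from the article: enforce MFA (setting 1) and block legacy
# authentication (setting 2) with two Conditional Access policies via the Microsoft
# Graph PowerShell SDK, then review recent sign-ins for legacy protocols and turn
# off SMTP AUTH tenant-wide. Needs Entra ID P1 (included in Business Premium).
# Security Defaults is the simpler alternative on other plans and must be off
# before Conditional Access policies are used; on/off is one cmdlet:
#   Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All", "Directory.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) account to exclude.
$breakGlassId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

# Helper (assumed name): creates one policy in report-only mode so the sign-in
# impact can be checked before State is changed to "enabled".
function New-ReportOnlyCaPolicy([string]$Name, [string[]]$ClientAppTypes, [string]$Control) {
    $body = @{
        DisplayName   = $Name
        State         = "enabledForReportingButNotEnforced"
        Conditions    = @{
            Users          = @{ IncludeUsers = @("All"); ExcludeUsers = @($breakGlassId) }
            Applications   = @{ IncludeApplications = @("All") }
            ClientAppTypes = $ClientAppTypes
        }
        GrantControls = @{ Operator = "OR"; BuiltInControls = @($Control) }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Setting 1: MFA for every user, administrators included, on every client type.
New-ReportOnlyCaPolicy -Name "CA001 Require MFA for all users" -ClientAppTypes @("all") -Control "mfa"

# Setting 2: block the client types that cannot do MFA. "other" covers Basic Auth
# clients such as POP3, IMAP and SMTP AUTH; Exchange ActiveSync is blocked too.
New-ReportOnlyCaPolicy -Name "CA002 Block legacy authentication" -ClientAppTypes @("exchangeActiveSync", "other") -Control "block"

# Review the last 30 days of sign-ins: anything other than Browser or
# "Mobile Apps and Desktop clients" is legacy authentication and will be blocked.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Exchange Online side: disable SMTP AUTH for the whole tenant; re-enable per
# mailbox only for a device that truly needs it (Set-CASMailbox -SmtpClientAuthenticationDisabled $false).
Connect-ExchangeOnline
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

Leave both policies in report-only mode until the sign-in review shows no legitimate legacy clients, then switch State to "enabled".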

3. Enable Safe Links and Safe Attachments (Defender for Office 365)

Microsoft 365 Business Premium includes Defender for Office 365, which provides Safe Links and Safe Attachments protection. Safe Links rewrites URLs in emails and Office documents and checks them in real time when clicked — blocking malicious links even if they were safe when the email first arrived. Safe Attachments opens email attachments in a sandboxed environment before delivering them, catching malicious files that might evade standard antivirus.

These features are not enabled by default. They need to be configured through the Microsoft 365 Defender portal. For a business on Business Premium, enabling them is a quick configuration task that significantly reduces the risk of a staff member clicking a malicious link or opening an infected attachment.
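An added example, not from the article, of the same configuration done from PowerShell instead of the Defender portal: it creates a Safe Links and a Safe Attachments policy for every accepted domain using the ExchangeOnlineManagement module. It assumes Defender for Office 365 Plan 1 (Business Premium) is licensed and that the policy names are not already in use.

```powershell
# Added example, not from the article: turn on Safe Links and Safe Attachments for
# every accepted domain in the tenant with the ExchangeOnlineManagement module.
# Assumes Defender for Office 365 Plan 1 (Business Premium) is licensed and that a
# policy of this name does not already exist.
Connect-ExchangeOnline

$domains = (Get-AcceptedDomain).DomainName

# Safe Links: rewrite and scan URLs in email, Teams and Office clients, also for
# internal mail (compromised-mailbox case), and do not let users click through a block.
New-SafeLinksPolicy -Name "Safe Links - All users" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links - All users" `
    -SafeLinksPolicy "Safe Links - All users" `
    -RecipientDomainIs $domains

# Safe Attachments: detonate attachments before delivery and block the message
# if anything malicious is found (the blocked copy lands in quarantine for admins).
New-SafeAttachmentPolicy -Name "Safe Attachments - All users" `
    -Enable $true `
    -Action Block `
    -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name "Safe Attachments - All users" `
    -SafeAttachmentPolicy "Safe Attachments - All users" `
    -RecipientDomainIs $domains

# Extend Safe Attachments scanning to files stored in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify the result.
Get-SafeLinksRule | Format-Table Name, State, SafeLinksPolicy, RecipientDomainIs
Get-SafeAttachmentRule | Format-Table Name, State, SafeAttachmentPolicy, RecipientDomainIs
```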

If you're on Business Standard and don't have Defender for Office 365, this is one of the primary reasons to consider upgrading to Business Premium — the security features alone often justify the additional per-user cost.

4. Configure External Email Warning Banners

One of the most effective and underutilised defences against phishing and business email compromise is a simple banner on emails that originate from outside your organisation. When a staff member receives an email that appears to be from a colleague but is actually from an external attacker spoofing your domain, a clear "External sender" warning gives them the context to pause before clicking or taking action.

This can be configured through Exchange Online mail flow rules (transport rules) in the Exchange Admin Center. A simple rule that prepends a warning to all externally-sourced emails — particularly those claiming to be from internal senders — costs nothing and takes less than 15 minutes to set up. It's one of those controls that pays for itself the first time a staff member catches a spoofed email because of it.
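As an added example, not taken from the article, here are the two mail flow rules the paragraph describes written out with the ExchangeOnlineManagement module: a strong warning for external mail whose From address uses one of your own domains (the spoofing case), and a standard banner for all other external mail, plus Outlook's native External tag. The banner wording and styling are my own placeholders.

```powershell
# Added example, not from the article: external-sender warnings in Exchange Online
# via the ExchangeOnlineManagement module. Two mail flow rules: a strong warning
# for external mail whose From address uses one of your own domains (the spoofing
# case the article describes), and a standard banner for all other external mail.
# Outlook's native "External" tag is turned on as well.
Connect-ExchangeOnline

Set-ExternalInOutlook -Enabled $true

$ownDomains = (Get-AcceptedDomain).DomainName

$spoofBanner = @"
<div style="border:2px solid #c00;padding:8px;margin-bottom:8px;font-family:sans-serif;">
<b>WARNING:</b> This message claims to come from our organisation but was sent from
outside it. Do not act on payment, credential or urgent requests without verifying by phone.
</div>
"@

$externalBanner = @"
<div style="background:#fff4ce;padding:8px;margin-bottom:8px;font-family:sans-serif;">
<b>EXTERNAL:</b> This email came from outside the organisation. Treat links and attachments with care.
</div>
"@

# Rule 1 (priority 0): external message whose From address is in an accepted domain.
# Legitimate third-party services that send as your domain will also trigger this;
# exempt them with -ExceptIfSenderIpRanges or, better, bring them under SPF/DKIM.
New-TransportRule -Name "Warn: external mail spoofing our domain" `
    -Priority 0 `
    -FromScope NotInOrganization `
    -SenderDomainIs $ownDomains `
    -PrependSubject "[SPOOF WARNING] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $spoofBanner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -StopRuleProcessing $true

# Rule 2 (priority 1): every other external message. The subject exception stops
# the tag stacking up on long reply threads.
New-TransportRule -Name "Warn: external sender" `
    -Priority 1 `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfSubjectMatchesPatterns "\[EXTERNAL\]" `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $externalBanner `
    -ApplyHtmlDisclaimerFallbackAction Wrap
```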

5. Audit Logging and Unified Audit Log Retention

If your Microsoft 365 tenant is ever compromised, your ability to understand what happened — which accounts were accessed, what data was viewed, when the attacker first got in — depends entirely on whether audit logging was enabled. By default, audit logs are retained for 90 days on most M365 plans. Business Premium extends this to one year, and E3/E5 plans can go further.

Verify that the Unified Audit Log is enabled in your Microsoft Purview Compliance portal. Enable mailbox auditing for all users (it should be on by default for new tenants, but older tenants may have it disabled). And consider whether your current log retention period is sufficient for your incident response needs. Many cybersecurity incidents are discovered weeks or months after the initial breach — if your logs only go back 90 days, you may have a blind spot.
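The checks in this paragraph, as an added example that is not part of the article: it confirms and enables Unified Audit Log ingestion and mailbox auditing, removes any per-mailbox audit bypass, and probes how far back the log actually reaches, all through the ExchangeOnlineManagement module (the same log that Purview's audit search queries). The 90-day figures follow the article's stated default.

```powershell
# Added example, not from the article: confirm and enable the Unified Audit Log
# and mailbox auditing, then run a quick retention check, using the
# ExchangeOnlineManagement module (the same log Purview's audit search queries).
Connect-ExchangeOnline

# 1. Unified Audit Log ingestion. If the Set- call says the tenant is not
#    customisable yet, run Enable-OrganizationCustomization once and retry.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 2. Mailbox auditing. AuditDisabled=$false at org level means it is on by
#    default for all mailboxes; also clear any per-mailbox bypass, which would
#    silently hide that mailbox's activity from the log.
Get-OrganizationConfig | Format-List AuditDisabled
Set-OrganizationConfig -AuditDisabled $false

$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }
foreach ($b in $bypassed) {
    Write-Warning "Audit bypass was set on $($b.Name); removing it."
    Set-MailboxAuditBypassAssociation -Identity $b.Identity -AuditBypassEnabled $false
}

# Mailbox-level audit retention (AuditLogAgeLimit) defaults to 90 days; list
# any mailbox that has been set lower than that.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { [TimeSpan]$_.AuditLogAgeLimit -lt [TimeSpan]::FromDays(90) } |
    Format-Table UserPrincipalName, AuditLogAgeLimit

# 3. Retention reality check: ask for records between 12 and 3 months ago.
#    An empty result means anything older than 90 days is already invisible.
$old = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) `
    -EndDate (Get-Date).AddDays(-90) -ResultSize 1
if (-not $old) { Write-Warning "No audit records older than 90 days are retrievable." }

# 4. A search investigators rely on: inbox rules created or changed in the last
#    30 days, a common post-compromise step used to hide attacker correspondence.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations "New-InboxRule", "Set-InboxRule" -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations
```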

Going Further

These five settings are a starting point, not an endpoint. Microsoft 365 Business Premium includes a range of additional capabilities — including Microsoft Intune for device management, Entra ID Conditional Access, and Microsoft Defender for Business — that together provide a materially stronger security posture than the default configuration.

If you're a Perth or Melbourne business on Microsoft 365 and you're not sure whether these settings are correctly configured in your tenant, it's worth having a managed IT provider do a quick review. The configuration gaps that put businesses at risk are almost always the ones nobody realised were there.