
Locking Down Microsoft 365: The Security Configuration Guide for Business Owners

Peter Nelson

Microsoft 365 is powerful but not secure by default. Here is how to configure it properly to protect your business data, email, and accounts.

Microsoft 365 is the most widely used business platform in Australia — and one of the most targeted by attackers. The default configuration of a new Microsoft 365 tenant is not secure. It is functional, and some baseline protections are in place, but significant gaps exist that need to be deliberately closed.

This guide covers the security configuration steps that every Melbourne business using Microsoft 365 should implement. For each item, we include where to find the setting in the admin centre.


Priority 1: Identity Security

Enable Multi-Factor Authentication for All Users

MFA prevents credential theft from translating into account takeover. A stolen password without MFA is a complete account compromise. A stolen password with MFA is a failed attack.

How to configure: Entra admin centre (entra.microsoft.com) → Protection → Conditional Access → New Policy → Require MFA for all users, all apps.

Do not rely on per-user MFA settings (the legacy approach) — Conditional Access policies are more flexible and provide better control.

MFA methods, in order of security:

  1. FIDO2 hardware key (phishing-resistant — best for admins and finance)
  2. Windows Hello for Business (phishing-resistant — best for managed Windows devices)
  3. Microsoft Authenticator with number matching (good for standard users)
  4. TOTP authenticator app (adequate)
  5. SMS (weakest — avoid for business accounts)

Enable Number Matching in Microsoft Authenticator

Without number matching, push MFA notifications can be approved accidentally or through MFA fatigue attacks. Number matching requires users to confirm a number shown on the login screen matches a number in the app — preventing automated approval.

How to configure: Entra admin centre → Protection → Authentication methods → Microsoft Authenticator → Enable number matching.

Block Legacy Authentication

Legacy authentication protocols (basic auth) do not support MFA. Any account that can authenticate via legacy auth can be accessed with just a username and password, bypassing Conditional Access entirely.

How to configure: Entra admin centre → Protection → Conditional Access → New Policy → Condition: Client apps = “Exchange ActiveSync clients” and “Other clients” → Grant: Block access.
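The two Conditional Access policies above (require MFA for all users, and block legacy authentication) can also be created from PowerShell, which makes them easy to review and reproduce across tenants. The script below is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that you sign in with an account holding the Conditional Access Administrator role, and that you replace the placeholder object ID with that of your emergency-access ("break-glass") account so that a misconfigured policy cannot lock every admin out. Both policies are created in report-only mode first, which is the recommended way to confirm nothing legitimate would be blocked before switching the state to "enabled".

```powershell
# Added example (not from the original article): creates the two Conditional Access
# policies described above with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; an account with the Conditional Access
# Administrator role; the object ID of a break-glass account to exclude (placeholder below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object ID

# Policy 1: require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication (Exchange ActiveSync clients and "other clients"),
# which is the same condition the admin centre steps above select.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' in state {1}" -f $created.DisplayName, $created.State)
}

# Confirm what was created before changing either policy from report-only to enabled.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

After a week or two in report-only mode, the sign-in logs in the Entra admin centre show which sign-ins each policy would have affected; once those are all expected (old mail clients, for example, that need to be replaced), change `state` to `enabled`.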

Configure Admin Accounts Properly

Admin accounts should:

  • Be separate from daily-use accounts (an admin should have a separate admin@company.com account used only for admin tasks)
  • Require MFA with phishing-resistant methods
  • Never be used for email, web browsing, or general tasks
  • Be enrolled in Privileged Identity Management for just-in-time access

Priority 2: Email Security

Configure DMARC, DKIM, and SPF

Email authentication prevents your domain from being spoofed in phishing attacks against your clients and staff.

SPF: DNS TXT record specifying authorised sending servers. For M365: v=spf1 include:spf.protection.outlook.com -all

DKIM: Enabled in Microsoft 365 Defender → Email & Collaboration → Policies → Email authentication settings → DKIM. Requires publishing two CNAME records in DNS.

DMARC: DNS TXT record at _dmarc.yourdomain.com.au. Start with p=none for monitoring, move to p=quarantine then p=reject.
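Because all three records live in public DNS, you can verify them from any Windows machine without tenant access. The function below is an added example (not code from the original article); it assumes PowerShell on Windows, where `Resolve-DnsName` is available, and that the domain is hosted in Microsoft 365, so it checks for exactly one SPF record that includes spf.protection.outlook.com and ends in -all, for the two DKIM selector CNAMEs that Microsoft 365 uses, and for the DMARC policy level. The domain name is a placeholder.

```powershell
# Added example (not from the original article): checks the SPF, DKIM and DMARC records
# described above for one domain. Assumes Windows PowerShell / PowerShell 7 on Windows
# (Resolve-DnsName from the DnsClient module) and a domain hosted in Microsoft 365.
function Test-M365EmailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one TXT record starting with v=spf1, including Microsoft's senders,
    # ending in a hard fail (-all). A ~all soft fail or a second SPF record is flagged.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join "" } |
             Where-Object { $_ -like "v=spf1*" })
    $result.SpfRecord = $spf -join " | "
    $result.SpfOk = ($spf.Count -eq 1) -and
                    ($spf[0] -match "include:spf\.protection\.outlook\.com") -and
                    ($spf[0] -match "\s-all$")

    # DKIM: Microsoft 365 signs with two selectors, each published as a CNAME record.
    # Their presence means the DNS side is done; signing must still be enabled in Defender.
    $result.DkimOk = $true
    foreach ($selector in "selector1", "selector2") {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $cname) { $result.DkimOk = $false }
    }

    # DMARC: TXT record at _dmarc.<domain>; p=none is monitoring only, not enforcement.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join "" } |
             Where-Object { $_ -like "v=DMARC1*" } |
             Select-Object -First 1
    $result.DmarcRecord = $dmarc
    $result.DmarcPolicy = if ($dmarc -match "p=(none|quarantine|reject)") { $Matches[1] } else { "missing" }
    $result.DmarcEnforced = $result.DmarcPolicy -in @("quarantine", "reject")

    [pscustomobject]$result
}

# Placeholder domain; substitute your own.
Test-M365EmailAuth -Domain "example.com.au" | Format-List
```

A domain that passes all three checks but still reports `DmarcPolicy = none` is where most businesses stall: the aggregate reports (the `rua=` address in the DMARC record) should be reviewed for a few weeks, and then the policy moved to `p=quarantine` and finally `p=reject` as the article describes.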

Microsoft Defender for Office 365 (included in M365 Business Premium) provides:

  • Safe Links: Rewrites URLs in emails and checks them at click time — blocks malicious links even if the site was not malicious at delivery time
  • Safe Attachments: Detonates email attachments in a sandbox before delivery — catches zero-day malware

How to configure: Microsoft 365 Defender → Email & Collaboration → Policies & Rules → Threat policies → Safe Links and Safe Attachments.

Anti-Phishing Policies

Configure anti-impersonation protection for your senior staff and commonly impersonated domains:

How to configure: Microsoft 365 Defender → Email & Collaboration → Policies & Rules → Threat policies → Anti-phishing → Edit default policy → Add protected users (senior staff email addresses) and protected domains.
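The same impersonation settings can be applied to the default anti-phishing policy with Exchange Online PowerShell, which is useful when the list of protected people is long or maintained outside the portal. The script below is an added example (not from the original article); it assumes the ExchangeOnlineManagement module and an account with the Security Administrator or Exchange Administrator role, and the names, addresses and domains in it are placeholders.

```powershell
# Added example (not from the original article): applies the impersonation protection
# described above to the default anti-phishing policy with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module; names, addresses and domains are placeholders.
Connect-ExchangeOnline

# Protected users use the "DisplayName;EmailAddress" format expected by the cmdlet.
$protectedUsers = @(
    "Jane Citizen;jane.citizen@example.com.au",     # placeholder: managing director
    "John Smith;john.smith@example.com.au"          # placeholder: finance manager
)
# Your own domains are covered by -EnableOrganizationDomainsProtection; list partner
# or supplier domains that attackers commonly imitate here.
$protectedDomains = @("example-supplier.com.au")    # placeholder

Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $protectedDomains `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -PhishThresholdLevel 2

# Verify the policy now carries the settings.
Get-AntiPhishPolicy -Identity "Office365 AntiPhish Default" |
    Select-Object EnableTargetedUserProtection, TargetedUsersToProtect,
                  EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                  EnableMailboxIntelligenceProtection, PhishThresholdLevel
```

`PhishThresholdLevel 2` ("Aggressive") is a reasonable starting point for a small business; raising it further increases false positives, so review the quarantine for a couple of weeks before going higher.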


Priority 3: Endpoint Security

Deploy Microsoft Defender for Endpoint

M365 Business Premium includes Microsoft Defender for Business — a full endpoint detection and response (EDR) solution. It must be configured and deployed; it does not activate automatically.

How to configure: Microsoft 365 Defender → Settings → Endpoints → Onboarding. Deploy via Intune to all managed devices.

Enable BitLocker on All Devices

Full-disk encryption ensures that a lost or stolen laptop does not result in a data breach.

How to configure via Intune: Intune admin centre (intune.microsoft.com) → Endpoint security → Disk encryption → Create policy → Windows → BitLocker.

This policy deploys automatically to all enrolled Windows devices and stores recovery keys in Entra ID.


Priority 4: Data Protection

Enable Sensitivity Labels

Sensitivity labels (Public, Internal, Confidential, Highly Confidential) allow documents and emails to be classified and protected. Confidential labels can prevent copy-paste, printing, or external sharing.

How to configure: Microsoft Purview compliance portal → Information protection → Labels.

Configure External Sharing Policies

SharePoint and OneDrive default sharing settings are often too permissive for business use. Review and restrict:

How to configure: SharePoint admin centre → Policies → Sharing. Set external sharing to “New and existing guests” or “Only people in your organisation” depending on your collaboration requirements.
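The tenant-wide sharing level can be read and changed from the SharePoint Online Management Shell, which also makes the "before" and "after" state easy to record. The snippet below is an added example (not from the original article); it assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator, and the tenant name in the URL is a placeholder. The admin centre option "New and existing guests" corresponds to the `ExternalUserSharingOnly` value, and "Only people in your organisation" to `Disabled`.

```powershell
# Added example (not from the original article): reviews and tightens the tenant-level
# SharePoint/OneDrive sharing settings described above.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Weak (default) state on many tenants: ExternalUserAndGuestSharing allows "Anyone" links
# that work for anybody who receives the link, with no sign-in at all.
Write-Host "Before:"
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Tightened state: external sharing only with guests who sign in, new sharing links default
# to people inside the organisation, and new links default to view-only rather than edit.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

Write-Host "After:"
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

If your business has no external collaboration need at all, use `-SharingCapability Disabled` instead; individual sites can still be set more restrictively than the tenant, but never more permissively.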

Enable Audit Logging

Audit logging captures user and admin activity — essential for incident investigation and compliance. Verify it is active.

How to configure: Microsoft Purview → Audit → Confirm auditing is turned on for your tenant.


Priority 5: Security Score Monitoring

Microsoft Secure Score provides a consolidated score of your M365 security posture with specific, prioritised recommendations.

Where to find it: Microsoft 365 Defender → Secure Score.

Aim for a score above 60% as an initial target. Review monthly and implement the highest-priority recommendations progressively.
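Both the audit-logging check in the previous section and the Secure Score target here can be verified in one short script so they can be re-run monthly. It is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module for the audit setting and the Microsoft.Graph PowerShell SDK (with the Microsoft.Graph.Security module) for Secure Score, signed in with an account that holds the Security Reader and Exchange Administrator roles.

```powershell
# Added example (not from the original article): confirms the unified audit log is on and
# reads the tenant's Secure Score percentage against the article's 60% initial target.
# Assumes the ExchangeOnlineManagement and Microsoft.Graph modules.
Connect-ExchangeOnline
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF; turning it on."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "Unified audit logging is on."
}

Connect-MgGraph -Scopes "SecurityEvents.Read.All"
# Secure Score is a daily snapshot; take the most recent one.
$score = Get-MgSecuritySecureScore -Top 30 |
         Sort-Object CreatedDateTime -Descending |
         Select-Object -First 1
$percent = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
Write-Host ("Secure Score: {0} / {1} points ({2}%)" -f $score.CurrentScore, $score.MaxScore, $percent)
if ($percent -lt 60) { Write-Warning "Below the 60% initial target from the guide." }

# Controls scoring zero are the unimplemented recommendations; list them as this month's work list.
$score.ControlScores |
    Where-Object { $_.Score -eq 0 } |
    Select-Object ControlName, Description |
    Format-Table -Wrap
```

Running this on the first of each month and keeping the output gives a simple record of progress against the target, and the zero-score controls map directly to the recommendations shown in the Secure Score page of the Defender portal.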


Getting Properly Configured

Implementing all of these settings correctly requires technical knowledge and careful testing to avoid disrupting legitimate workflows. CX IT Services configures Microsoft 365 security as part of our onboarding process for all managed IT clients. Book a Right Fit Call to discuss your current M365 security configuration.
