TL;DR: Microsoft 365 Business Premium is a powerful security platform — but only if it is configured correctly. Out of the box, it is not secure. This checklist covers the 40+ configuration settings that define a properly hardened Microsoft 365 environment for an Australian SMB.
Why Microsoft 365 Is Not Secure Out of the Box
A Microsoft 365 Business Premium tenant, newly created with default settings, has most of its security features either unconfigured or set to permissive defaults. This is a deliberate product decision by Microsoft — maximum compatibility, not maximum security, is the default.
The result is that thousands of Australian businesses pay for Microsoft 365 Business Premium — a genuinely excellent security platform when configured correctly — and operate with a fraction of the security value they are paying for.
This checklist covers what a properly configured Microsoft 365 environment looks like. It is structured around the Microsoft 365 admin centre sections.
Section 1: Identity and Access (Microsoft Entra ID)
Multi-Factor Authentication
- Conditional Access — Require MFA for all users: Enforces MFA for every user sign-in. This is the most important single setting in this checklist.
- Conditional Access — Block legacy authentication: Blocks legacy authentication clients (basic authentication for POP3, IMAP and SMTP AUTH, Exchange ActiveSync, older Office clients) that cannot complete an MFA challenge. These protocols are the preferred target of password spray attacks because a correct password alone is enough to sign in.
- Conditional Access — Require compliant device (optional): Requires devices to be Intune-enrolled and compliant to access Microsoft 365 data.
- Conditional Access — Admin accounts require strong MFA: A separate policy targeting the directory admin roles that requires app-based or phishing-resistant MFA (no SMS or voice) and optionally a compliant device.
- Emergency access account created: A “break glass” Global Admin account excluded from Conditional Access policies, with a long random password stored offline in a secure physical location. Alert on any sign-in by this account, since it should never be used in normal operation.
- Named location configured: Your office IP address(es) are configured as a Named Location, which allows location-based policies (e.g., tighter controls from outside the office). Be cautious about exempting the office from MFA: an attacker on the office network, or a compromised device there, inherits the exemption.
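The two foundational policies above (block legacy authentication, require MFA for everyone) with the break-glass exclusion, written as an added example using the Microsoft Graph PowerShell SDK. This is not code from the original checklist; the policy names, the break-glass UPN and the report-only starting state are assumptions. Run it from an admin session after installing the Microsoft.Graph module.

```powershell
# Added example: create the core Conditional Access policies from this checklist
# with the Microsoft Graph PowerShell SDK (Microsoft.Graph module).
# Assumptions: the break-glass UPN and policy names below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All"

# Resolve the emergency access account so it can be excluded from every policy.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@company.com.au'"
if (-not $breakGlass) { throw "Break-glass account not found - create it before enforcing Conditional Access." }

# Policies start in report-only mode; review the sign-in logs for impact,
# then change state to 'enabled'.
$commonUsers = @{
    includeUsers = @("All")
    excludeUsers = @($breakGlass.Id)
}

# 1. Block legacy authentication (clients that cannot perform MFA).
#    'exchangeActiveSync' and 'other' are the legacy client app types.
$blockLegacy = @{
    displayName = "CA001 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = $commonUsers
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 2. Require MFA for all users on all cloud apps.
$requireMfa = @{
    displayName = "CA002 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = $commonUsers
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Verification: list policies and confirm the break-glass account is excluded from each.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = "ExcludedUsers"; e = { $_.Conditions.Users.ExcludeUsers -join "," } }
```

Leave both policies in report-only for at least a few days of normal business activity and check the Conditional Access insights in the sign-in logs before enforcing; the block policy in particular will surface any scanner, printer or line-of-business app still using basic authentication.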
Admin Accounts
- Minimum number of Global Admins: Aim for 2–3 Global Admins maximum. Additional admin needs should use role-specific admin roles (Exchange Admin, SharePoint Admin, etc.).
- Admin accounts are separate from day-to-day accounts: Admins have dedicated accounts (admin@company.com.au) used only for administrative tasks, not for email or daily work.
- No service accounts with Global Admin: Applications and service accounts should have the minimum required permissions, not Global Admin.
- Privileged Identity Management (PIM) enabled: PIM requires Microsoft Entra ID P2, which is not part of Business Premium (it includes P1). If you have the P2 licence, PIM makes admin roles eligible and “activated” on demand for a limited time rather than always-on.
User Accounts
- Self-Service Password Reset (SSPR) enabled: Allows users to reset their own passwords securely. Saves helpdesk time.
- Password protection enabled: Blocks common passwords and custom banned passwords (e.g., your company name as a password).
- Guest access reviewed: Review all guest accounts in Entra ID. Remove guests who no longer need access.
Section 2: Email Security (Microsoft Defender for Office 365)
Microsoft Defender for Office 365 Plan 1 (included in Business Premium) provides advanced email security beyond standard spam filtering. The built-in protection preset gives only a baseline of Safe Links and Safe Attachments; impersonation protection, email authentication and the policy settings below are not in place until you configure them.
Anti-Phishing Policies
- Anti-phishing policy created with impersonation protection: Configure impersonation protection for your CEO, finance team, and other high-value targets.
- Enable mailbox intelligence: Allows the system to learn normal email patterns for each user and flag anomalies.
- First contact safety tip: Show a warning banner when a user receives an email from someone they have never emailed before.
- Enable anti-spoofing protection: Blocks emails that spoof your domain.
Safe Links
- Safe Links policy enabled for all users: Rewrites URLs in emails and Office documents, checking them against Microsoft’s threat intelligence at click time. Protects against links that are benign at delivery but become malicious later.
- Track user clicks: Enable click tracking to audit which URLs users are clicking (useful for incident response).
- “Let users click through to the original URL” — disabled: Do not allow users to bypass Safe Links warnings.
Safe Attachments
- Safe Attachments policy enabled: Scans attachments in a sandbox environment before delivery. Prevents zero-day malware from reaching inboxes.
- Dynamic Delivery: Delivers the email body immediately while the attachment is being scanned, then delivers the attachment when scanning completes. Better user experience than holding the entire email.
- Safe Attachments for SharePoint, OneDrive, and Teams: Enable this separately in the Safe Attachments settings — it extends protection to files shared via Teams and SharePoint.
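The Safe Links and Safe Attachments items above, applied with Exchange Online PowerShell. This is an added example rather than the checklist's own configuration; the domain and policy names are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the account holds the Security Administrator role.

```powershell
# Added example: Safe Links and Safe Attachments policies from this checklist,
# created with the Exchange Online PowerShell module (ExchangeOnlineManagement).
# Assumptions: the domain and policy names are placeholders.
Connect-ExchangeOnline

$domain = "company.com.au"

# Safe Links: rewrite and scan URLs in email, Teams and Office apps, record
# clicks for incident response, and do not let users click through warnings.
New-SafeLinksPolicy -Name "Baseline Safe Links" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "Baseline Safe Links - all users" `
    -SafeLinksPolicy "Baseline Safe Links" `
    -RecipientDomainIs $domain

# Safe Attachments: detonate attachments before delivery. DynamicDelivery
# delivers the body immediately and the attachment once scanning completes.
New-SafeAttachmentPolicy -Name "Baseline Safe Attachments" `
    -Enable $true `
    -Action DynamicDelivery
New-SafeAttachmentRule -Name "Baseline Safe Attachments - all users" `
    -SafeAttachmentPolicy "Baseline Safe Attachments" `
    -RecipientDomainIs $domain

# Extend Safe Attachments to SharePoint, OneDrive and Teams (tenant-wide setting).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify the settings that matter most took effect.
Get-SafeLinksPolicy "Baseline Safe Links" |
    Format-List EnableSafeLinksForEmail, EnableSafeLinksForTeams, TrackClicks, AllowClickThrough
Get-SafeAttachmentPolicy "Baseline Safe Attachments" | Format-List Enable, Action
Get-AtpPolicyForO365 | Format-List EnableATPForSPOTeamsODB
```

A custom policy scoped by recipient domain takes precedence over the built-in protection preset, so the verification step is worth keeping: if the rule is not applied to the right recipients, users silently fall back to the baseline preset.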
Email Authentication
- SPF record configured: A single DNS TXT record (v=spf1) listing the servers allowed to send on behalf of your domain, including Microsoft 365 (include:spf.protection.outlook.com), ending in -all. Two SPF records on one domain is a common mistake and causes receivers to ignore both.
- DKIM enabled: In the Microsoft Defender portal under Email & collaboration > Policies & rules > Threat policies > Email authentication settings, enable DKIM signing for each custom domain and publish the two selector CNAME records it gives you first.
- DMARC record configured: At minimum p=quarantine, which tells receivers to treat mail that fails SPF/DKIM alignment as suspicious (typically routed to junk). p=reject is ideal but requires validating all legitimate sending sources first, or you will block your own mail.
- DMARC reporting enabled: Add a rua= address to your DMARC record to receive aggregate reports. These show you which sources are sending email as your domain, which is how you find the legitimate senders you must fix before moving to p=reject.
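An added example, not part of the original checklist, that enables DKIM signing and checks the SPF and DMARC records for a domain. It assumes the ExchangeOnlineManagement module and a Windows host with Resolve-DnsName; the domain and the rua mailbox are placeholders.

```powershell
# Added example: enable DKIM signing and check SPF/DMARC for a domain.
# Uses the ExchangeOnlineManagement module and Windows Resolve-DnsName.
# Assumptions: the domain and rua mailbox are placeholders; adjust before use.
Connect-ExchangeOnline
$domain = "company.com.au"

# --- DKIM: create the signing config if missing, print the two CNAMEs you must
#     publish in DNS, then enable signing only once they resolve.
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false }
"Publish these CNAME records:"
"  selector1._domainkey.$domain -> $($dkim.Selector1CNAME)"
"  selector2._domainkey.$domain -> $($dkim.Selector2CNAME)"
$cnamesOk = @("selector1", "selector2") | ForEach-Object {
    $null -ne (Resolve-DnsName -Name "$($_)._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue)
}
if ($cnamesOk -notcontains $false) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    "DKIM signing enabled for $domain"
} else {
    "DKIM CNAMEs not yet resolving - enable signing after DNS propagates."
}

# --- SPF: expect exactly one v=spf1 record that includes Microsoft 365.
$spf = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like "v=spf1*" }
switch ($spf.Count) {
    0 { "SPF: MISSING" }
    1 {
        if ($spf -match "include:spf\.protection\.outlook\.com") { "SPF: OK ($spf)" }
        else { "SPF: present but does not include Microsoft 365 ($spf)" }
    }
    default { "SPF: INVALID - multiple v=spf1 records, receivers will ignore them" }
}

# --- DMARC: parse the record; anything weaker than p=quarantine, or a missing
#     rua= address, fails the checklist.
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
    Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
if (-not $dmarc) {
    "DMARC: MISSING (publish at least: v=DMARC1; p=quarantine; rua=mailto:dmarc@$domain)"
} else {
    $tags = @{}
    foreach ($kv in ($dmarc -split ";")) {
        $k, $v = ($kv.Trim() -split "=", 2)
        if ($k) { $tags[$k] = $v }
    }
    $policy = $tags["p"]
    if ($policy -in @("quarantine", "reject")) { "DMARC: policy p=$policy OK" }
    else { "DMARC: WEAK - p=$policy does nothing to spoofed mail" }
    if ($tags["rua"]) { "DMARC: aggregate reports go to $($tags['rua'])" }
    else { "DMARC: no rua= address, you cannot see who is spoofing you" }
}
```

The DMARC parser deliberately splits on the first = only, because rua=mailto:dmarc@company.com.au contains no second = but a future tag value might; p=none is reported as weak because it only monitors and never affects delivery.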
Anti-Spam
- Outbound spam policy configured: Set alerts for unusually high outbound email volume — this can indicate a compromised account being used to send spam.
- Connection filter configured: Review the IP allow and block lists in the connection filter policy. Keep the allow list empty unless a sender is documented and trusted, because allowed IPs bypass spam filtering entirely; Microsoft already blocks known-bad IP ranges without you adding them.
Section 3: Endpoint Security (Microsoft Defender for Business)
Microsoft Defender for Business is included in Microsoft 365 Business Premium. It provides enterprise-grade endpoint security across all company devices.
Initial Setup
- Defender for Business onboarding completed: Devices must be onboarded to Defender for Business via Intune or a local script — they are not automatically enrolled.
- All Windows devices onboarded: Check the Defender for Business portal (security.microsoft.com) for onboarding status.
- Real-time protection enabled on all devices: Verify all devices show “Healthy” status in the Defender portal.
- Behaviour-based detection enabled: Detects attack behaviours rather than just known malware signatures.
- Network protection enabled: Blocks connections to malicious domains and IP addresses.
- Attack Surface Reduction (ASR) rules enabled: ASR rules block specific behaviours commonly exploited in attacks (e.g., Office applications spawning child processes, scripts executing from downloads).
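A local verification script for the endpoint items above, added here as an example and not taken from the original checklist. Run it elevated on a Windows device to compare what Defender actually reports with what the portal claims. It assumes the built-in Defender PowerShell cmdlets; the three ASR rule GUIDs are Microsoft's published IDs for the rules named in the comments, and should be confirmed against the current ASR rule reference.

```powershell
# Added example: verify the endpoint checklist items on a single Windows device.
# Assumptions: run elevated; ASR GUIDs are Microsoft's published rule IDs
# (confirm against the current ASR rule reference before relying on them).
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

$checks = [ordered]@{
    "Defender service running"     = $status.AMServiceEnabled
    "Real-time protection"         = $status.RealTimeProtectionEnabled
    "Behaviour monitoring"         = $status.BehaviorMonitorEnabled
    "Cloud-delivered protection"   = ($pref.MAPSReporting -ne 0)
    "Network protection (Block=1)" = ($pref.EnableNetworkProtection -eq 1)
    "Tamper protection"            = $status.IsTamperProtected
}

# Onboarding to Defender for Business is recorded in the registry by the Sense service.
$onboard = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status" -ErrorAction SilentlyContinue
$checks["Onboarded to Defender for Business"] = ($onboard.OnboardingState -eq 1)

# ASR rules: action 1 = Block, 2 = Audit, 6 = Warn, 0/absent = Off.
$asrWanted = @{
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a" = "Block all Office apps from creating child processes"
    "d3e037e1-3eb8-44c8-a917-57927947596d" = "Block JS/VBScript launching downloaded executables"
    "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2" = "Block credential stealing from LSASS"
}
$asrState = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $asrState[$pref.AttackSurfaceReductionRules_Ids[$i].ToLower()] = $pref.AttackSurfaceReductionRules_Actions[$i]
}
foreach ($id in $asrWanted.Keys) {
    # Audit or Warn mode counts as a FAIL: the rule is not actually blocking.
    $checks["ASR: $($asrWanted[$id])"] = ($asrState[$id] -eq 1)
}

$checks.GetEnumerator() | ForEach-Object {
    "{0,-5} {1}" -f ($(if ($_.Value) { "PASS" } else { "FAIL" }), $_.Key)
}
```

Audit mode is how you should roll ASR rules out, but it is also where rollouts tend to stall, so the script treats anything other than Block as a failure. A device that shows PASS for everything here but Not Onboarded in the portal usually has a clock, proxy or connectivity problem between the Sense service and the Defender cloud.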
Alerts and Response
- Email alerts configured: Set up email notifications for high-severity alerts in the Defender portal.
- Review alert queue regularly: At minimum weekly, review the Defender for Business alert queue for any unresolved alerts.
- Automated investigation and remediation enabled: Allows Defender to automatically investigate alerts and remediate the threats it identifies with high confidence. Confirm the automation level is set to remediate threats automatically rather than only recommend actions, which would leave remediation waiting for a human approval that may never come.
Section 4: Device Management (Microsoft Intune)
- Intune MDM authority set: In the Intune admin centre (intune.microsoft.com), confirm MDM authority is Microsoft Intune.
- Windows Autopilot configured: Allows new Windows devices to be automatically configured and enrolled when powered on — no IT visit required.
- Compliance policies created: Define minimum security requirements for enrolled devices (encryption required, PIN required, OS version minimum).
- Configuration profiles deployed: Push security settings to all enrolled devices: BitLocker encryption, firewall settings, account protection, browser settings.
- Device encryption enforced: BitLocker enforced on all Windows devices, FileVault on Mac.
- Remote wipe capability confirmed: Test that a device can be remotely wiped from the Intune console.
- App protection policies for mobile (MAM): For iOS and Android devices — enforce app-level data protection on the Microsoft apps (Outlook, Teams, OneDrive) without requiring full device enrollment.
Section 5: Data Protection
- Microsoft Purview Information Protection labels created: Create sensitivity labels (Public, Internal, Confidential, Restricted) and configure automatic labelling for sensitive data patterns (credit card numbers, TFNs, health record patterns).
- DLP policies enabled: Data Loss Prevention policies block accidental sharing of sensitive information via email or Teams. Start with a policy for Australian personal information.
- External sharing settings reviewed in SharePoint admin: Configure SharePoint and OneDrive sharing settings — default “Anyone with a link” sharing is overly permissive for most businesses.
- Microsoft 365 audit log enabled: The unified audit log records user and admin activity across Exchange, SharePoint, Teams and Entra ID and is essential for incident response; there is no way to reconstruct what happened before it was switched on. Verify it is enabled in the Microsoft Purview compliance portal and check the retention period for your licence tier.
- Retention policies configured: Set retention policies for email and SharePoint consistent with your Data Retention Policy. The default “keep forever” is not appropriate for most businesses.
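An added example, not from the original checklist, covering the audit log and external sharing items above with Exchange Online and SharePoint Online PowerShell. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules and uses a placeholder tenant name.

```powershell
# Added example: verify the unified audit log and tighten external sharing.
# Modules: ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell.
# Assumptions: the tenant admin URL is a placeholder.
Connect-ExchangeOnline
Connect-SPOService -Url "https://company-admin.sharepoint.com"

# Unified audit log: must be on before an incident, not after.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit log was OFF - enabled now (activity before this point was not recorded)."
} else {
    "Unified audit log: enabled"
}

# Smoke test: the log should return recent directory activity.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -ResultSize 5 |
    Select-Object CreationDate, UserIds, Operations

# External sharing: replace "Anyone with a link" with authenticated guests only,
# and make the default link one that targets specific people with view rights.
$tenant = Get-SPOTenant
"Current tenant sharing: $($tenant.SharingCapability)"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View

# Sites cannot be more permissive than the tenant, but report any that were
# configured for anonymous links so their existing links can be reviewed.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

Tightening the tenant setting does not revoke anonymous links that were already created; the site list at the end is the starting point for finding and removing them.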
Section 6: Microsoft Secure Score
Microsoft provides a free security assessment tool in the Microsoft Defender portal called Secure Score. It analyses your configuration and provides a percentage score relative to the maximum possible for your licences.
- Review Secure Score baseline: Go to security.microsoft.com > Exposure Management > Secure Score. Note your current score.
- Review recommended actions: Secure Score provides a prioritised list of improvements with the estimated score increase for each.
- Target Secure Score: For a well-configured Microsoft 365 Business Premium environment, a score above 60% is achievable. Above 70% is excellent. Most new tenants start below 30%.
Getting Help With Configuration
Properly configuring a Microsoft 365 tenant to this baseline takes approximately 8–12 hours for an experienced Microsoft 365 administrator — longer if starting from an unconfigured state.
If your Microsoft 365 tenant has not been professionally configured, this represents significant unexploited security value you are already paying for.
CX IT Services includes Microsoft 365 security baseline configuration as part of our managed IT onboarding. If you want to know how your current tenant compares to this baseline, book a Right Fit Call.