Microsoft 365 is the most widely used cloud productivity platform in Australian business. It is also one of the most consistently misconfigured. Not because it lacks security capability — it has more built-in security tooling than most small businesses will ever use — but because a large proportion of that capability ships switched off.
Controls Off by Default
MFA for All Users
Microsoft does not enforce MFA for all users by default. Security defaults enable MFA for administrator accounts, but many standard user accounts have no MFA requirement. This is one of the most common gaps found in M365 security reviews.
Legacy Authentication
Protocols like SMTP auth, IMAP, and POP allow access with only a username and password — bypassing MFA entirely. Many tenancies still have these enabled. Blocking legacy authentication is a prerequisite for effective MFA enforcement.
Unified Audit Logging
The M365 audit log records activity across Exchange, SharePoint, and Teams. It is essential for incident investigation, yet in many tenancies it is either not enabled or not retained for a sufficient period.
Safe Links and Safe Attachments
Defender for Office 365 — included in Business Premium — scans URLs and attachments in real time. These features require deliberate configuration and are not active by default even when the licence includes them.
What a Hardened M365 Configuration Looks Like
MFA enforced for all users. Legacy authentication blocked. Conditional Access policies active. Defender for Office 365 protections enabled. Audit logging on with sufficient retention. Device management through Intune ensuring only compliant devices access corporate data.
How do I assess my current M365 security posture?
The Microsoft Secure Score in the Defender portal provides a starting point. A structured M365 security review by a qualified partner provides a more comprehensive and actionable picture, particularly covering the configuration areas Secure Score does not assess.
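A read-only posture check for the controls discussed above (audit logging, legacy authentication, Conditional Access MFA, Safe Links), written here as an added example rather than the page's or Microsoft's own tooling. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the signed-in account can read Exchange Online and Entra ID policy configuration.

```powershell
# Added example: report which "off by default" controls are still off in a tenant.
# Read-only: nothing is changed. Requires ExchangeOnlineManagement and Microsoft.Graph.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$findings = @()

# 1. Unified audit logging: without ingestion there is nothing to investigate later.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    $findings += 'Unified audit log ingestion is disabled'
}

# 2. Legacy authentication: SMTP AUTH tenant-wide, then per-mailbox IMAP and POP.
$transport = Get-TransportConfig
if (-not $transport.SmtpClientAuthenticationDisabled) {
    $findings += 'SMTP AUTH is still enabled tenant-wide'
}
$legacyMailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled }
if ($legacyMailboxes) {
    $findings += "IMAP or POP enabled on $(@($legacyMailboxes).Count) mailbox(es)"
}

# 3. Conditional Access: an enabled policy that blocks legacy clients ("other" client
#    app type), and one that requires MFA for all users across all cloud apps.
$policies = Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq 'enabled' }
$blocksLegacy = $policies | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
$mfaForAll = $policies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $blocksLegacy) { $findings += 'No enabled Conditional Access policy blocks legacy authentication' }
if (-not $mfaForAll)    { $findings += 'No enabled Conditional Access policy requires MFA for all users on all apps' }

# 4. Safe Links: a policy only takes effect through an enabled rule. Absence is a
#    finding; presence does not by itself prove every user is in scope.
$safeLinksRules = Get-SafeLinksRule | Where-Object { $_.State -eq 'Enabled' }
if (-not $safeLinksRules) {
    $findings += 'No enabled Safe Links rule found (Defender for Office 365 may be licensed but unused)'
}

# 5. Report. An empty list means the checked controls match the hardened baseline above.
if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else { Write-Output 'No findings for the checked controls' }
```

The MFA check is deliberately strict: a policy scoped to a group or to a subset of apps does not satisfy it, which matches the baseline of MFA for all users rather than for administrators only.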