Microsoft 365 is the most widely used cloud productivity platform in Australian business. It is also one of the most consistently misconfigured. Not because it lacks security capability — it has more built-in security tooling than most small businesses will ever use — but because a large proportion of that capability ships switched off.
Controls Off by Default
MFA for All Users
Microsoft does not enforce MFA for all users by default. Security defaults enable MFA for administrator accounts, but many standard user accounts have no MFA requirement. This is one of the most common gaps found in M365 security reviews.
Legacy Authentication
Protocols like SMTP auth, IMAP, and POP allow access with only a username and password — bypassing MFA entirely. Many tenancies still have these enabled. Blocking legacy authentication is a prerequisite for effective MFA enforcement.
Unified Audit Logging
The M365 audit log records activity across Exchange, , and Teams. It is essential for incident investigation but is not enabled or retained for a sufficient period in many tenancies.
Safe Links and Safe Attachments
Included in Business Premium, Safe Links and Safe Attachments scan URLs and attachments in real time. These features require deliberate configuration and are not active by default even when the licence includes them.
What a Hardened M365 Configuration Looks Like
MFA enforced for all users. Legacy authentication blocked. active. Defender for Office 365 protections enabled. Audit logging on with sufficient retention. Device management that ensures only compliant devices can access corporate data.
How do I assess my current M365 security posture?
Secure Score in the Defender portal provides a starting point. A structured M365 security review by a qualified partner provides a more comprehensive and actionable picture, particularly covering the configuration areas Secure Score does not assess.
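As an added illustration of what a structured review checks (this is example code written for this page, not Microsoft's tooling or a partner's), the script below evaluates the controls named above against a constructed tenant snapshot. It assumes Conditional Access policies in the Microsoft Graph conditionalAccessPolicy JSON shape and Exchange Online values keyed by the property names that Get-AdminAuditLogConfig, Get-SafeLinksRule and Get-SafeAttachmentRule return; all sample values are constructed.

```python
# Constructed sample snapshot of an M365 tenant. The Conditional Access entries use the
# Microsoft Graph conditionalAccessPolicy JSON shape; the Exchange values mirror PowerShell output.
SAMPLE_CA_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",  # report-only: nothing is actually blocked
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
SAMPLE_EXO = {
    "UnifiedAuditLogIngestionEnabled": False,  # as reported by Get-AdminAuditLogConfig
    "SafeLinksRules": [{"Name": "Default Safe Links", "State": "Enabled"}],
    "SafeAttachmentRules": [{"Name": "Default Safe Attachments", "State": "Disabled"}],
}

LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # Graph's names for legacy-auth clients


def _enforced_for_all(policy):
    """Enforced (not report-only or disabled) and scoped to every user.
    Break-glass exclusions are common practice and are deliberately not treated as a failure."""
    users = policy.get("conditions", {}).get("users", {})
    return policy.get("state") == "enabled" and "All" in users.get("includeUsers", [])


def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def _client_apps(policy):
    return set(policy.get("conditions", {}).get("clientAppTypes", []))


def evaluate_posture(ca_policies, exo):
    """Map each control named on this page to True (configured) or False (still at default)."""
    return {
        "mfa_for_all_users": any(_enforced_for_all(p) and "mfa" in _controls(p)
                                 for p in ca_policies),
        "legacy_auth_blocked": any(_enforced_for_all(p) and "block" in _controls(p)
                                   and LEGACY_CLIENT_APPS <= _client_apps(p)
                                   for p in ca_policies),
        "unified_audit_log": bool(exo.get("UnifiedAuditLogIngestionEnabled")),
        "safe_links": any(r.get("State") == "Enabled" for r in exo.get("SafeLinksRules", [])),
        "safe_attachments": any(r.get("State") == "Enabled"
                                for r in exo.get("SafeAttachmentRules", [])),
    }


if __name__ == "__main__":
    for check, ok in evaluate_posture(SAMPLE_CA_POLICIES, SAMPLE_EXO).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

On the sample tenant the legacy-authentication block fails because the policy is report-only, which is exactly the kind of gap Secure Score can report as partially addressed while MFA remains bypassable.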