Microsoft 365 Security — The 8 Settings Every Melbourne Business Must Turn On
Microsoft 365 comes with powerful security features built in that protect against phishing, business email compromise, and account takeover. The problem is that most of these features are not turned on by default and require deliberate configuration by an administrator. Many small businesses are running Microsoft 365 with significant security gaps that could be closed in a few hours.
1. Multi-Factor Authentication for All Users
This is the single most important change you can make. The per-user MFA page in the Microsoft 365 admin centre (Users > Active users > Multi-factor authentication) still works, but it is the legacy method: Microsoft now recommends enforcing MFA through Security Defaults or, better, Conditional Access. Whichever you use, cover every user without exception, including administrators and any shared or service accounts that sign in interactively. Conditional Access (requires Microsoft Entra ID P1, which Microsoft 365 Business Premium includes) lets you require MFA for every sign-in, block legacy authentication, and block or demand stronger controls for sign-ins from unexpected countries or high-risk locations. Prefer the Microsoft Authenticator app with number matching, or a passkey/FIDO2 security key, over SMS and voice codes, which are exposed to SIM swapping and real-time phishing. Keep at least one break-glass administrator account excluded from the policies, with a long random password stored offline, so a misconfigured policy cannot lock every administrator out.
2. Enable Security Defaults
Security Defaults is a single tenant-wide switch (Microsoft Entra admin centre > Identity > Overview > Properties) that applies Microsoft's baseline: every user must register for MFA with the Microsoft Authenticator app, administrators must use MFA on every sign-in, other users are prompted when a sign-in looks risky, legacy authentication protocols that cannot do MFA (POP, IMAP, SMTP AUTH, older Office clients) are blocked, and privileged actions such as access to the Azure portal require MFA. Tenants created since late 2019 have it on by default, but check rather than assume. Security Defaults and Conditional Access are mutually exclusive: if you have no Conditional Access policies, enable Security Defaults now as the minimum baseline, and if you later move to Conditional Access, build the replacement policies first and only then turn Security Defaults off.
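The move from Security Defaults to Conditional Access described in settings 1 and 2, as an added example in the Microsoft Graph PowerShell SDK (this is not code from the original article or from Microsoft; the tenant domain and the break-glass account name are placeholders, and Entra ID P1 licensing is assumed):

```powershell
# Added example (not from the original article): replace Security Defaults with two Conditional
# Access policies using the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumptions: Entra ID P1 (included in Business Premium) and a break-glass account named
# breakglass@contoso.com.au; change both to suit your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "User.Read.All"

$breakGlassId = (Get-MgUser -UserId "breakglass@contoso.com.au").Id

# Common scope: every user and every cloud app, with the break-glass account excluded so a
# mistake in the policy cannot lock every administrator out.
$scope = @{
    users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
    applications = @{ includeApplications = @("All") }
}

$policies = @(
    @{
        displayName   = "CA001 - Require MFA for all users"
        state         = "enabled"     # use "enabledForReportingButNotEnforced" to pilot first
        conditions    = $scope + @{ clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        displayName   = "CA002 - Block legacy authentication"
        state         = "enabled"
        # exchangeActiveSync + other = basic-auth protocols (POP, IMAP, SMTP AUTH, old Office)
        # that cannot perform MFA, so CA001 alone would not stop a password-spray against them
        conditions    = $scope + @{ clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

# Security Defaults and Conditional Access cannot both be on. Turn Security Defaults off and
# create the enforced policies in the same session so the unprotected window is seconds long.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" `
    -Body @{ isEnabled = $false }

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}

# Verify: both policies enabled, Security Defaults off.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
(Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy").isEnabled
```

Test the break-glass account before and after running this: sign in with it from a private browser window and confirm it is not prompted for MFA and is not blocked, then put its credentials back in the safe.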
3. Configure Anti-Phishing Policies
In the Microsoft Defender portal (security.microsoft.com, under Email & collaboration > Policies & rules > Threat policies > Anti-phishing), create an anti-phishing policy with impersonation protection. This needs Microsoft Defender for Office 365 Plan 1, which Business Premium includes. Add your key executives and finance staff as protected users (the people whose display names attackers will copy when asking for an urgent payment), add your own domains and key supplier domains as protected domains, and enable mailbox intelligence, which learns each user's normal correspondents and flags a message that claims to be from a known contact but arrives from an unfamiliar address. Set the action for user, domain and mailbox-intelligence impersonation to Quarantine rather than just adding a safety tip, leave spoof intelligence on, and raise the phishing email threshold from Standard to Aggressive if you can tolerate a few more quarantined messages.
4. Enable Safe Links and Safe Attachments
Safe Links checks every URL in email, Teams messages and Office documents at the moment it is clicked, not only when the message arrived, so a link that was clean at delivery but later repointed to a phishing page is still blocked. Safe Attachments detonates attachments in a sandbox before delivery and blocks or quarantines messages whose attachment behaves maliciously; Dynamic Delivery lets the message body through while the attachment is analysed, and the same scanning can be switched on for files already in SharePoint, OneDrive and Teams. Both features are part of Defender for Office 365 Plan 1, included in Microsoft 365 Business Premium, but neither does anything until a policy applies to your users. The quickest way to turn on sensible versions of settings 3 and 4 together is to enable the Standard or Strict preset security policy in the Defender portal; create custom policies only where you need different actions or exceptions.
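The anti-phishing, Safe Links and Safe Attachments policies of settings 3 and 4, as an added Exchange Online PowerShell example (not code from the original article or from Microsoft; the domain, executive names and supplier domain are placeholders, and Defender for Office 365 Plan 1 licensing is assumed):

```powershell
# Added example (not from the original article): custom Defender for Office 365 threat policies.
# Requires the ExchangeOnlineManagement module and Defender for Office 365 Plan 1 (in Business Premium).
# contoso.com.au, the executive names and partner.example are placeholders.
Connect-ExchangeOnline

$domain = "contoso.com.au"

# 3. Anti-phishing: impersonation protection for named people and domains, mailbox intelligence,
#    and Quarantine (not just a safety tip) on every kind of hit.
New-AntiPhishPolicy -Name "Impersonation protection" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Citizen;jane.citizen@$domain", "Sam Nguyen;sam.nguyen@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect @("partner.example") `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -PhishThresholdLevel 2 `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true
New-AntiPhishRule -Name "Impersonation protection" -AntiPhishPolicy "Impersonation protection" `
    -RecipientDomainIs $domain

# 4a. Safe Links: time-of-click scanning for email, Teams and Office; users cannot click through a block.
New-SafeLinksPolicy -Name "Safe Links - all users" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -DisableUrlRewrite $false `
    -EnableForInternalSenders $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links - all users" -SafeLinksPolicy "Safe Links - all users" `
    -RecipientDomainIs $domain

# 4b. Safe Attachments: detonate in a sandbox and block the whole message on malware.
New-SafeAttachmentPolicy -Name "Safe Attachments - all users" -Enable $true -Action Block -Redirect $false `
    -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name "Safe Attachments - all users" `
    -SafeAttachmentPolicy "Safe Attachments - all users" -RecipientDomainIs $domain

# 4c. Extend attachment scanning to files stored in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify what applies to a given user.
Get-AntiPhishRule, Get-SafeLinksRule, Get-SafeAttachmentRule | Select-Object Name, State, RecipientDomainIs
```

If you enabled the Standard preset security policy instead, skip the policy creation above; the preset's rules take precedence over custom policies and you would be maintaining two sets of settings.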
5. Set Up DMARC, DKIM, and SPF
These email authentication standards let receiving mail servers verify that a message claiming to be from your domain really came from your tenant, which stops criminals spoofing your domain to attack your clients and partners. SPF is a TXT record on your domain listing the servers allowed to send for it: for Microsoft 365 that is include:spf.protection.outlook.com, plus any other service that sends on your behalf (CRM, invoicing, newsletters), while staying under SPF's limit of 10 DNS lookups. DKIM is a cryptographic signature that Exchange Online adds to outbound mail; you enable it in the Defender portal or Exchange Online PowerShell and publish the two selector CNAME records Microsoft gives you. DMARC builds on both: a TXT record at _dmarc.yourdomain tells receivers what to do with mail that fails authentication (p=none to monitor, then p=quarantine, then p=reject) and where to send aggregate reports (rua=), which is how you discover legitimate senders you forgot. Configuration requires access to your domain's DNS settings, typically in Cloudflare, GoDaddy, or your hosting provider's control panel. Start DMARC at p=none, review the reports for a few weeks, then tighten.
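The DKIM, SPF and DMARC setup above, as an added Exchange Online PowerShell example (not code from the original article or from Microsoft): it enables DKIM signing in the tenant, prints the exact records to publish at your DNS provider, and verifies them from DNS. The domain and report mailbox are placeholders, and Resolve-DnsName assumes Windows PowerShell with the DnsClient module.

```powershell
# Added example (not from the original article): turn on DKIM for a Microsoft 365 domain, print the
# SPF/DKIM/DMARC records to publish, then verify them. Requires ExchangeOnlineManagement; Resolve-DnsName
# is the Windows DnsClient cmdlet. contoso.com.au and dmarc-reports@ are placeholders.
Connect-ExchangeOnline
$domain = "contoso.com.au"

# 1. DKIM: Exchange Online holds the private key; the tenant only publishes CNAMEs pointing at it.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -KeySize 2048 -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain

$records = @(
    [pscustomobject]@{ Type = "CNAME"; Name = "selector1._domainkey.$domain"; Value = $dkim.Selector1CNAME }
    [pscustomobject]@{ Type = "CNAME"; Name = "selector2._domainkey.$domain"; Value = $dkim.Selector2CNAME }
    # 2. SPF: only Microsoft 365 may send for this domain; -all = hard fail for anything else.
    #    Add an include: for every third-party sender you actually use, and count the lookups (max 10).
    [pscustomobject]@{ Type = "TXT";   Name = $domain;          Value = "v=spf1 include:spf.protection.outlook.com -all" }
    # 3. DMARC: begin at p=none with aggregate reports, move to quarantine, then reject.
    [pscustomobject]@{ Type = "TXT";   Name = "_dmarc.$domain"; Value = "v=DMARC1; p=none; rua=mailto:dmarc-reports@$domain" }
)
"Publish these at your DNS provider:"
$records | Format-Table -AutoSize

# 4. Only switch signing on once the CNAMEs resolve, otherwise Set-DkimSigningConfig fails.
$cname1 = (Resolve-DnsName -Name "selector1._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
$cname2 = (Resolve-DnsName -Name "selector2._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
if ($cname1 -eq $dkim.Selector1CNAME -and $cname2 -eq $dkim.Selector2CNAME) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    "DKIM signing enabled for $domain"
} else {
    Write-Warning "DKIM CNAMEs not published yet for $domain; signing left disabled"
}

# 5. Check SPF and DMARC as a receiving server would see them.
$spf   = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue).Strings | Where-Object { $_ -like "v=spf1*" }
$dmarc = (Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings
if (-not $spf)   { Write-Warning "No SPF record for $domain" }
elseif ($spf -notlike "*-all") { Write-Warning "SPF for $domain is not a hard fail: $spf" }
if (-not $dmarc) { Write-Warning "No DMARC record at _dmarc.$domain" }
elseif ($dmarc -match "p=none") { Write-Warning "DMARC is still monitoring only; tighten to quarantine or reject once reports are clean" }
```

DNS changes can take up to the record TTL to become visible, so run the verification step again the next day rather than assuming a warning means a mistake.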
6. Enable Audit Logging and Alert Policies
In the Microsoft Purview portal (Audit), confirm that unified audit logging is on. It is enabled by default in tenants created since 2019, but verify rather than assume, and note that Audit (Standard) keeps records for 180 days, so export or forward the logs to a SIEM if you need longer retention. Then set up alert policies (Defender portal > Policies & rules > Alert policy) for high-risk activities: inbox rules that forward or redirect mail externally, mailbox-level forwarding, mass file deletion or download, new admin role assignments, and sign-ins from unfamiliar countries. Microsoft ships default alerts for several of these, but they only fire if auditing is on and someone reads the notifications. Audit logging is required for incident investigation, and cyber insurers increasingly require it as a condition of coverage.
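As an added example (not code from the original article or from Microsoft), the following Exchange Online PowerShell confirms auditing is enabled and then does what an alert policy for "suspicious email forwarding rules" does by hand: it searches the unified audit log for inbox rules that forward, redirect or delete mail, lists mailbox-level forwarding, and turns off automatic external forwarding tenant-wide. The external-domain test is a heuristic of this script, not a Microsoft detection.

```powershell
# Added example (not from the original article): audit-log check and a forwarding-rule hunt.
# Requires ExchangeOnlineManagement and an Exchange or Security administrator role.
Connect-ExchangeOnline
$ownDomains = (Get-AcceptedDomain).DomainName

# 1. Unified audit logging must be on or nothing below returns anything.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Inbox rules created or changed in the last 30 days that forward, redirect or delete mail:
#    classic business email compromise tradecraft. New-InboxRule/Set-InboxRule audit records carry
#    the cmdlet parameters; rules edited from Outlook desktop log as UpdateInboxRules with a
#    different schema and are not parsed here.
$exfilParams = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder"
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

$suspicious = foreach ($e in $events) {
    $data   = $e.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($kv in $data.Parameters) { $params[$kv.Name] = $kv.Value }
    $hits = $exfilParams | Where-Object { $params.ContainsKey($_) }
    if (-not $hits) { continue }

    # Heuristic: any forward/redirect target whose domain is not one of ours counts as external.
    # Values look like 'user@evil.example' or '"Name" [SMTP:user@evil.example]', possibly ';'-separated.
    $targets  = $hits | Where-Object { $_ -like "Forward*" -or $_ -eq "RedirectTo" } |
                ForEach-Object { $params[$_] -split ";" }
    $external = @($targets | Where-Object { ($_ -split "@")[-1].TrimEnd("]") -notin $ownDomains }).Count -gt 0

    [pscustomobject]@{
        When     = $data.CreationTime
        Actor    = $data.UserId
        Target   = $data.ObjectId
        Rule     = $params["Name"]
        Actions  = ($hits | ForEach-Object { "$_=$($params[$_])" }) -join "; "
        External = $external
    }
}
$suspicious | Sort-Object External, When -Descending | Format-Table -AutoSize

# 3. Mailbox-level forwarding (set by an admin or from Outlook settings) does not appear as a rule.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Prevention: block automatic forwarding to external domains for everyone.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Run steps 2 and 3 first and read the output before applying step 4; a legitimate forward to a staff member's external mailbox or to a ticketing system will stop working once automatic forwarding is off, and those cases should become documented exceptions.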
7. Review Admin Role Assignments
Review who holds the Global Administrator role, and other privileged roles such as Exchange Administrator and Security Administrator, in Microsoft Entra. Keep Global Administrators to the two to four that Microsoft recommends, give each administrator a dedicated cloud-only admin account separate from the mailbox they use day to day, and require phishing-resistant MFA (a FIDO2 security key, or the Authenticator app with number matching at minimum) on those accounts. Keep at least one break-glass account excluded from Conditional Access, with its credentials stored offline and its sign-ins alerted on. If your plan includes Microsoft Entra ID P2, use Privileged Identity Management so admin roles are eligible rather than permanently assigned, and activating a role requires MFA, a justification and a time limit.
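The review of admin role assignments above, as an added Microsoft Graph PowerShell example (not code from the original article or from Microsoft): it lists every Global Administrator with the MFA methods they have registered and flags the problems the text warns about. The "licensed, so probably a daily-use account" test is an assumption of this script.

```powershell
# Added example (not from the original article): Global Administrator review with MFA registration.
# Requires the Microsoft.Graph PowerShell SDK. The licence-count heuristic for "daily-use account"
# is this script's assumption, not a Microsoft rule.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# The Global Administrator role template ID is the same in every tenant.
$role    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# SMS, voice and email codes are phishable and SIM-swappable; anything else counts as strong here.
$weakMethods = "mobilePhone", "officePhone", "alternateMobilePhone", "email"

$report = foreach ($m in $members) {
    if ($m.AdditionalProperties["@odata.type"] -ne "#microsoft.graph.user") { continue }  # skip groups, service principals
    $user = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AssignedLicenses, OnPremisesSyncEnabled, SignInActivity
    $reg  = Get-MgReportAuthenticationMethodUserRegistrationDetail -UserRegistrationDetailsId $m.Id

    $strong = $reg.MethodsRegistered | Where-Object { $_ -notin $weakMethods }
    $flags  = @()
    if (-not $reg.IsMfaRegistered)          { $flags += "NO-MFA" }
    elseif (-not $strong)                   { $flags += "SMS/VOICE-ONLY" }
    if ($user.OnPremisesSyncEnabled)        { $flags += "SYNCED-FROM-AD" }        # admin accounts should be cloud-only
    if ($user.AssignedLicenses.Count -gt 0) { $flags += "LICENSED(daily-use?)" }  # dedicated admin accounts need no mailbox

    [pscustomobject]@{
        Admin      = $user.UserPrincipalName
        Methods    = ($reg.MethodsRegistered -join ",")
        LastSignIn = $user.SignInActivity.LastSignInDateTime
        Flags      = ($flags -join " ")
    }
}
$report | Format-Table -AutoSize

$count = @($report).Count
if ($count -gt 4) { Write-Warning "$count Global Administrators; Microsoft recommends two to four." }
if ($count -lt 2) { Write-Warning "Only one Global Administrator; add a second, break-glass, account." }
```

Repeat the same listing for the other privileged roles by swapping the role template ID, and compare the result with the previous quarter's output: a new name on the list that nobody can explain is an incident, not a housekeeping item.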
8. External Sharing and Data Loss Prevention
For businesses that handle sensitive client data, Microsoft 365 includes data loss prevention (DLP) policies that detect specific sensitive information in email, SharePoint, OneDrive and Teams (credit card numbers, tax file numbers, Medicare and other health identifiers, using Microsoft's built-in sensitive information types) and can warn the user, block the send, or report it when the recipient is outside the organisation. DLP is available in Microsoft 365 Business Premium and the Enterprise plans. Run a new policy in test mode with policy tips first so you can tune false positives before it blocks anything. Configured well, DLP supports your obligation under the Privacy Act 1988 (Australian Privacy Principle 11) to take reasonable steps to protect personal information, and it catches accidental leaks as well as deliberate exfiltration. Separately, review external sharing in the SharePoint admin centre and Teams: many tenants allow "Anyone" links, which anyone holding the link can open without signing in, so a forwarded email exposes the file to the world. Limit sharing to new and existing guests who must authenticate, set the default link type to people in your organisation, and stop guests from resharing.
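The DLP policy and sharing settings above, as an added PowerShell example (not code from the original article or from Microsoft): a policy for Australian identifiers created in test mode, and tenant-wide SharePoint sharing hardening. The tenant name is a placeholder, and the Security & Compliance and SharePoint Online management modules are assumed.

```powershell
# Added example (not from the original article): DLP for Australian identifiers plus external-sharing
# hardening. Requires ExchangeOnlineManagement (Connect-IPPSSession) and Microsoft.Online.SharePoint.PowerShell.
# "contoso" is a placeholder tenant name.
Connect-IPPSSession

$policyName = "AU sensitive info - external block"

# Start in test mode: users see policy tips and admins get reports, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types; minCount = 1 means a single TFN or card number is enough.
New-DlpComplianceRule -Name "Block TFN, card or health number to external recipients" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number";        minCount = "1" },
        @{ Name = "Credit Card Number";               minCount = "1" },
        @{ Name = "Australia Medical Account Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content contains sensitive personal information and cannot be shared outside the organisation." `
    -GenerateIncidentReport SiteAdmin -IncidentReportContent Title, Severity, RulesMatched, Detections

# After a few weeks of reviewing incident reports for false positives, enforce it:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable

# External sharing: no anonymous "Anyone" links, guests must sign in and cannot reshare,
# and a new sharing link defaults to people inside the organisation with view-only access.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true

# Sites whose own setting was wider than the new tenant ceiling are worth a conversation with their owners.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability
```

The tenant-level setting is a ceiling: a site can be more restrictive than the tenant but never less, so tightening Set-SPOTenant immediately disables existing "Anyone" links across every site, which is usually the intent but is worth announcing to staff first.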
Regular Security Review
Microsoft 365 security configuration is not a set-and-forget task. New features are added regularly, the threat landscape changes, and staff roles and access requirements evolve. Schedule a quarterly review of your Microsoft Secure Score, available in the Microsoft Defender portal (security.microsoft.com), which scores your tenant against Microsoft's recommendations and ranks the highest-impact improvements available for your specific configuration. Treat it as a prioritised to-do list rather than a target to game: a few recommendations (blocking all external sharing, for instance) may not suit how your business works, and those are the ones to document as accepted risks rather than silently skip. IntrusionX provides Microsoft 365 security configuration and ongoing management for Melbourne small businesses. Contact us for a free assessment of your current configuration and Secure Score.
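The quarterly Secure Score review above, as an added Microsoft Graph PowerShell example (not code from the original article or from Microsoft): it fetches the latest score and lists the controls with the most unclaimed points, with Microsoft's remediation link for each. Property names follow the Graph secureScore and secureScoreControlProfile resources; the Microsoft.Graph.Security module is assumed.

```powershell
# Added example (not from the original article): latest Secure Score and the biggest gaps, via Microsoft Graph.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Security module).
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

# One secureScore snapshot is generated per day; take the newest.
$latest = Get-MgSecuritySecureScore -Top 7 | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
"Secure Score {0:N1} / {1:N1} ({2:P0}) as of {3:d}" -f `
    $latest.CurrentScore, $latest.MaxScore, ($latest.CurrentScore / $latest.MaxScore), $latest.CreatedDateTime

# Control profiles carry the title, maximum points and remediation link; control scores carry today's points.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p -or $p.Deprecated) { continue }
    [pscustomobject]@{
        Control  = $p.Title
        Category = $c.ControlCategory
        Score    = $c.Score
        Max      = $p.MaxScore
        Gap      = [math]::Round($p.MaxScore - $c.Score, 1)
        Fix      = $p.ActionUrl
    }
}

# The review agenda: largest unclaimed points first.
$gaps | Where-Object { $_.Gap -gt 0 } | Sort-Object Gap -Descending | Select-Object -First 15 | Format-Table -AutoSize
```

Save each quarter's output alongside the previous one; a control that drops from full to partial points between reviews usually means a setting was relaxed or a new user was missed by a policy, which is exactly what the review exists to catch.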
Need help protecting your business or home?
IntrusionX provides independent cybersecurity for Melbourne businesses and families. Free consultation, no lock-in contracts.