Most businesses run Microsoft 365. Most businesses also leave it on the default settings it shipped with. That is a problem.
Out of the box, Microsoft 365 is configured for ease of use, not security. Legacy authentication protocols are often still enabled. Admin accounts double as everyday email accounts. Phishing emails land in inboxes with no warning tags. Every one of these gaps is something an attacker can walk through, and they do, regularly.
The fixes are straightforward. You do not need a six-figure security budget. You need someone to turn on the settings Microsoft already provides but leaves switched off. This post walks through the five changes that make the biggest difference.
Turn on multi-factor authentication for every account
MFA (multi-factor authentication) means requiring a second step to log in, beyond just a password. Usually that is a code from a phone app or a push notification.
Without MFA, a stolen password is all an attacker needs. With MFA, a stolen password is useless on its own. Microsoft’s own data shows that MFA blocks more than 99 per cent of account compromise attacks.
The mistake most businesses make is enabling MFA for some accounts but not all. Every account needs it, not just the boss’s. Attackers do not care about job titles. They care about which account lets them in.
If your Microsoft 365 tenant still has legacy authentication enabled, every email account is a doorway. Legacy authentication protocols cannot prompt for a second factor, so an attacker who has a valid password can use them to sidestep MFA entirely. Disabling legacy authentication is one of the first things we handle for every client.
Learn more about our Microsoft 365 security hardening.
Set up Conditional Access policies
Conditional Access is a set of rules that control when and how people can log in. Think of it as a security gatekeeper that checks conditions before granting access.
For example, you can set a rule that says: if someone tries to log in from outside Australia, block them. Or: if someone tries to access your data from a device that is not company-managed, require extra verification.
Without Conditional Access, your Microsoft 365 environment treats every login attempt the same, whether it comes from your office in Parramatta or a compromised device in another country. That is not a reasonable default for a business that stores client data, financial records, or HR files in the cloud.
Conditional Access is available on Microsoft 365 Business Premium and above. If you are on a lower tier, this is worth the upgrade conversation alone.
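The MFA-everywhere, legacy-authentication and geo-blocking rules described above, written as Conditional Access policies with Microsoft Graph PowerShell. This is an added example, not the post's or Microsoft's own script; it assumes the Microsoft.Graph module is installed and uses breakglass@contoso.onmicrosoft.com as a placeholder emergency-access account.

```powershell
# Added example (not from the original post): three Conditional Access policies via
# Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed;
# breakglass@contoso.onmicrosoft.com is a placeholder emergency-access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "AuditLog.Read.All"

# Never lock yourself out: an emergency-access account is excluded from every policy.
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com").Id

function New-CaPolicy {
    param([string]$Name, [hashtable]$Conditions, [string[]]$Controls)
    # Baseline: all users (minus break-glass), all cloud apps, all client app types.
    $c = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    foreach ($k in $Conditions.Keys) { $c[$k] = $Conditions[$k] }   # per-policy overrides
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # report-only first, "enabled" after review
        conditions    = $c
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
}

# 1. MFA for every account, not just some of them.
New-CaPolicy -Name "Require MFA for all users" -Conditions @{} -Controls @("mfa")

# 2. Legacy authentication (Exchange ActiveSync and "other clients", i.e. basic auth from
#    POP/IMAP/SMTP-style clients) cannot perform MFA, so it is blocked outright.
New-CaPolicy -Name "Block legacy authentication" `
    -Conditions @{ clientAppTypes = @("exchangeActiveSync", "other") } -Controls @("block")

# 3. Block sign-ins from outside Australia; a country named location is needed first.
$au = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Australia"
    countriesAndRegions               = @("AU")
    includeUnknownCountriesAndRegions = $false
}
New-CaPolicy -Name "Block sign-in from outside Australia" `
    -Conditions @{ locations = @{ includeLocations = @("All"); excludeLocations = @($au.Id) } } `
    -Controls @("block")

# Before switching a policy to "enabled", see which recent sign-ins it would have blocked
# (travelling staff and cloud services with foreign IPs show up here).
Get-MgAuditLogSignIn -Top 200 |
    Where-Object { $_.AppliedConditionalAccessPolicies.Result -contains "reportOnlyFailure" } |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, ClientAppUsed
```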
Enable Safe Links and Safe Attachments
Phishing is the most common way attackers get into business email. Someone clicks a link, enters their credentials on a fake login page, and the attacker is in.
Safe Links is a Microsoft Defender feature that checks every link in an email at the time of click, not just at delivery. If the link has turned malicious between when the email arrived and when the user clicks it, Safe Links catches it.
Safe Attachments does the same thing for files. It opens attachments in a sandbox (an isolated environment) before delivering them to the inbox. If the file behaves like malware, it gets quarantined.
Neither feature is enabled by default on most plans. Both are straightforward to turn on and significantly reduce the risk of a phishing attack landing.
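Turning both features on for the whole tenant with Exchange Online PowerShell, as an added example rather than the post's own script. It assumes the ExchangeOnlineManagement module, a Defender for Office 365 licence (included in Business Premium) and the placeholder domain contoso.com.

```powershell
# Added example (not from the original post): enable Safe Links and Safe Attachments for
# every recipient in the tenant. Assumes the ExchangeOnlineManagement module, a Defender
# for Office 365 licence and the placeholder domain contoso.com.
Connect-ExchangeOnline

$domain = "contoso.com"

# Safe Links: URLs are rewritten and checked at click time, in email, Teams and Office apps.
$safeLinks = @{
    Name                     = "Safe Links - all staff"
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true    # also scan URLs at delivery, not only at click
    DeliverMessageAfterScan  = $true    # hold the message until the URL scan completes
    EnableForInternalSenders = $true    # a compromised colleague's mailbox is still a risk
    TrackClicks              = $true    # keep click records for incident investigation
    AllowClickThrough        = $false   # users cannot click past the warning page
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name "Safe Links - all staff" -SafeLinksPolicy "Safe Links - all staff" `
    -RecipientDomainIs $domain

# Safe Attachments: files are detonated in a sandbox; Block keeps malware out of the inbox.
New-SafeAttachmentPolicy -Name "Safe Attachments - all staff" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "Safe Attachments - all staff" `
    -SafeAttachmentPolicy "Safe Attachments - all staff" -RecipientDomainIs $domain

# Files shared through SharePoint, OneDrive and Teams are not covered by the mail policy.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify: both policies enabled, both rules active for the domain.
Get-SafeLinksPolicy      | Format-Table Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough
Get-SafeLinksRule        | Format-Table Name, State, RecipientDomainIs
Get-SafeAttachmentPolicy | Format-Table Name, Enable, Action
Get-SafeAttachmentRule   | Format-Table Name, State, RecipientDomainIs
```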
For a broader look at how we approach email and endpoint security, see our cybersecurity services for Sydney businesses.
Tag external emails so staff can spot fakes
This one takes about two minutes to set up and is one of the most effective changes you can make. External email tagging adds a visible banner to any email that comes from outside your organisation.
Why does this matter? Because a common phishing technique is to impersonate someone inside the business. An email that looks like it comes from the CEO asking for a bank transfer. An email that looks like it comes from HR asking staff to update their credentials.
When every external email is clearly tagged, your staff can see immediately that the email did not come from inside the business. It does not prevent all phishing. But it removes one of the easiest tricks attackers rely on.
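The tagging described above, set up two ways with Exchange Online PowerShell: the native Outlook "External" tag, plus a mail flow rule that puts a banner in the message body for clients that do not render the native tag. This is an added example, not the post's own script; it assumes the ExchangeOnlineManagement module and the placeholder trusted domain partner.example.com.

```powershell
# Added example (not from the original post): tag external email two ways.
# Assumes the ExchangeOnlineManagement module; partner.example.com is a placeholder.
Connect-ExchangeOnline

# 1. Native "External" tag shown by Outlook desktop, web and mobile. Allow-listed senders
#    (a trusted partner, for instance) are not tagged. Propagation to clients is not
#    instant; allow a day or two before judging whether it worked.
Set-ExternalInOutlook -Enabled $true -AllowList @("partner.example.com")

# 2. A visible banner in the body for clients that do not render the native tag. Applies
#    only to mail arriving from outside and addressed to internal recipients, and skips
#    messages that already carry the banner so forwards and replies are not tagged twice.
$banner = '<div style="background:#fff4ce;border:1px solid #c8a800;padding:6px;">' +
          'CAUTION: This email came from outside the organisation. Do not click links or ' +
          'open attachments unless you recognise the sender and were expecting this message.</div>'
New-TransportRule -Name "External sender banner" `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -ExceptIfSubjectOrBodyContainsWords "This email came from outside the organisation" `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0 -Mode Enforce

# Verify both settings took effect.
Get-ExternalInOutlook | Format-List Enabled, AllowList
Get-TransportRule "External sender banner" | Format-List State, FromScope, SentToScope
```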
Separate your admin accounts from daily-use accounts
If the person who manages your Microsoft 365 environment is also using that same account to check email, open attachments, and browse the web, your admin account is exposed to every threat that hits a normal inbox.
Admin accounts should be separate, dedicated accounts used only for administration. They should not receive email or be used for daily work. They need their own MFA and their own Conditional Access rules.
This is basic hygiene, but most small businesses skip it because nobody told them it mattered. It matters. If an attacker compromises an admin account, they control your entire environment: email, files, user accounts, everything.
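A quick audit for the problem described above: which privileged accounts in the tenant also carry a user mailbox, i.e. are being used as everyday accounts. This is an added example, not the post's own script; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules.

```powershell
# Added example (not from the original post): list privileged accounts that also have a
# mailbox. Assumes the Microsoft.Graph and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes "Directory.Read.All"
Connect-ExchangeOnline

# The roles that hand over control of the tenant. Extend the list if you use others.
$privilegedRoles = @("Global Administrator", "Exchange Administrator", "Security Administrator",
                     "User Administrator", "Privileged Role Administrator",
                     "Conditional Access Administrator")

$findings = foreach ($roleName in $privilegedRoles) {
    # Get-MgDirectoryRole returns only roles already activated in the tenant, and membership
    # here is active assignment (PIM-eligible assignments are not listed).
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        $upn = $member.AdditionalProperties.userPrincipalName
        if (-not $upn) { continue }   # groups and service principals have no UPN
        # A full user mailbox on a privileged account means it is (or can be) used for email.
        $mailbox = Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue
        $mailboxType = if ($mailbox) { $mailbox.RecipientTypeDetails } else { "none" }
        $finding = if ($mailboxType -eq "UserMailbox") { "Move role to a dedicated admin account" } else { "OK" }
        [pscustomobject]@{
            Role    = $roleName
            Account = $upn
            Mailbox = $mailboxType
            Finding = $finding
        }
    }
}

# Accounts needing separation sort to the top.
$findings | Sort-Object Finding -Descending | Format-Table -AutoSize
```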
We cover admin separation and access control as part of our Microsoft 365 and cloud services work for every managed IT client.
The defaults are not good enough
Microsoft 365 is a solid platform. But its default configuration is designed for the broadest possible audience, which means it ships with security settings turned down to avoid friction.
For a business that holds client data, financial records, or anything covered by Australian privacy law, those defaults are not adequate. The five changes above (MFA everywhere, Conditional Access, Safe Links and Safe Attachments, external tagging, and admin separation) cover the highest-risk gaps and can all be implemented quickly.
If you are not sure what your current Microsoft 365 configuration looks like, that is exactly what our IT Audit covers. We review your environment, document the gaps, and give you a plain-English report on what needs to change and why.
Ready to find out what your Microsoft 365 setup is actually exposing? Our $990 IT Audit covers your full environment: Microsoft 365 configuration, security controls, backup, and more. You get a clear report and a prioritised action plan.