Microsoft 365 Security Checklist for Australian SMBs
If your business runs on Microsoft 365, it already has one of the most important systems in your company sitting on the internet. Email, files, Teams, user identities, calendars, and often a large slice of your operational history all live there.
That is why Microsoft 365 is such a common attack surface.
Most Australian SMBs are not being targeted because they are famous. They get targeted because they are reachable, under-protected, and busy. A compromised mailbox can lead to invoice fraud, internal phishing, data exposure, and a very ugly clean-up job. If your business is a health service provider, has annual turnover above $3 million, or otherwise falls under the Privacy Act, it can also create obligations under the Notifiable Data Breaches scheme.
The good news is that most tenants do not need a giant enterprise project first. They need the basics locked down properly.
This checklist is built for Australian SMBs that want practical risk reduction. It also lines up, where relevant, with the spirit of Essential Eight Maturity Level 1. Microsoft 365 is not the whole Essential Eight. But many of the day to day identity, admin, and email controls below support the same goal: make common attacks harder to pull off.
What this checklist is designed to do
This is not a compliance theatre checklist. It is meant to help you:
- reduce account takeover risk
- reduce phishing and business email compromise exposure
- tighten admin access
- improve visibility into risky sign in activity
- improve recovery readiness
- build toward Essential Eight Maturity Level 1 style control maturity where relevant
If Essential Eight is new to you, start with our Essential Eight compliance guide or the Essential Eight for SMBs walkthrough.
If you only take one thing from this article, let it be this: MFA alone is not enough. It matters, but it is only one layer.
Start with your licence tier
This part matters because too much Microsoft 365 advice assumes features many SMBs do not actually own.
If you are on Business Basic or Business Standard
Most tenants on Business Basic or Business Standard do not have Entra ID P1. That means they generally cannot use Conditional Access.
Your free baseline is Security Defaults.
Security Defaults is not perfect, but it is far better than leaving the tenant loosely configured because someone read advice meant for a higher licence tier. If you are on Basic or Standard, the right move is to enable the strongest baseline available to you now, then clean up users, mailboxes, protocols, and admin roles.
If you are on Business Premium
Business Premium is where Conditional Access becomes available and the tenant can move from baseline protection into more targeted access control.
That means you can do things like:
- require MFA with more control
- block risky legacy patterns more precisely
- apply location or device based rules where appropriate
- separate stronger controls for admins and high risk users
The point is simple: the checklist should work for the licence tier you actually have, not the one an enterprise consultant assumes you have.
1. Turn on MFA for every user
This is still the most important first step.
If a password is stolen and there is no second factor, the account is often gone in seconds. For most SMBs, the biggest real world risk in Microsoft 365 is still email account compromise.
At a minimum:
- every user should have MFA enforced
- admin accounts should never be exempt
- break glass or emergency access accounts should be tightly controlled and documented
- old service or shared accounts should be reviewed and either modernised or removed
If you are on a lower licence tier, Security Defaults may be the simplest path to raising the floor quickly. If you are on Business Premium, Conditional Access gives you more control, but the outcome is the same: every real user should be protected by MFA.
Essential Eight alignment: This supports stronger identity controls and reduces the likelihood of common credential based compromise. It does not by itself satisfy the full framework, but it is part of a sensible Maturity Level 1 baseline.
2. Use Security Defaults or Conditional Access, depending on your licence
This is where a lot of stale advice needs correcting.
Older Microsoft 365 guidance fixated on Basic Authentication as a broad concept. In 2026 the real question is not whether someone read the 2022 headline about it being retired. The question is whether your tenant still has specific weak paths or exceptions hanging around.
For Basic and Standard tenants
If you do not have Conditional Access, Security Defaults is the free baseline to use. It gives you a stronger default posture without requiring a premium identity licence.
That is the right answer for a lot of SMBs. Not because it is perfect, but because it is available now and better than doing nothing.
For Business Premium tenants
If you have Business Premium, use Conditional Access to go further. Prioritise:
- requiring MFA for all users
- applying stronger controls to admin accounts
- reducing unnecessary sign in exposure
- tightening access to sensitive apps and admin surfaces
Do not over-complicate this. A few sensible policies are better than an over-engineered set that nobody understands or maintains.
Essential Eight alignment: This supports access control maturity and reduces exposure from weak identity pathways. It fits the spirit of Maturity Level 1 by lifting the baseline against common attacks.
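The licence-aware baseline described in steps 1 and 2, as an added example that is not part of the original article: it reads the Security Defaults state, checks whether Conditional Access is usable, and (for a Business Premium tenant) stages a baseline "MFA for all users" policy in report-only mode with break glass accounts excluded. It assumes the Microsoft Graph PowerShell SDK and an admin with the listed scopes; the break glass UPNs are placeholders.

```powershell
# Added example, not code from the original article.
# Assumes the Microsoft.Graph PowerShell SDK and an admin holding the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All','Policy.ReadWrite.ConditionalAccess','User.Read.All' -NoWelcome

# 1. Security Defaults: the free baseline for Business Basic / Business Standard.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($defaults.IsEnabled)"

# 2. Conditional Access: readable only with Entra ID P1 (Business Premium).
$caAvailable = $false
$caPolicies  = @()
try {
    $caPolicies  = @(Get-MgIdentityConditionalAccessPolicy -ErrorAction Stop)
    $caAvailable = $true
    $caPolicies | Select-Object DisplayName, State | Format-Table -AutoSize
} catch {
    Write-Warning "Conditional Access not readable (likely no Entra ID P1): $($_.Exception.Message)"
}

# 3. The checklist's rule: at least one of the two must be active.
$enforcedCa = $caPolicies | Where-Object { $_.State -eq 'enabled' }
if (-not $defaults.IsEnabled -and -not $enforcedCa) {
    Write-Warning 'Neither Security Defaults nor an enabled Conditional Access policy is active: no MFA baseline.'
}

# 4. Business Premium only: stage a report-only MFA-for-everyone policy.
#    Security Defaults must be switched off before Conditional Access policies are enabled,
#    so stage in report-only mode first, review sign-in logs, then flip both together.
if ($caAvailable) {
    $breakGlass    = @('breakglass1@contoso.example','breakglass2@contoso.example')   # placeholder UPNs
    $breakGlassIds = foreach ($upn in $breakGlass) { (Get-MgUser -UserId $upn).Id }

    $policy = @{
        displayName   = 'Baseline: require MFA for all users (report-only)'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassIds) }
            applications = @{ includeApplications = @('All') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }

    if (-not ($caPolicies | Where-Object { $_.DisplayName -eq $policy.displayName })) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
        Write-Host 'Report-only baseline MFA policy created. Review its sign-in impact before enabling.'
    }
}
```

Report-only mode lets you see which users and apps would be blocked before anyone is locked out, which is the safe way to introduce the first policy on a tenant that has only ever had Security Defaults.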
3. Review mailbox protocol exposure and legacy exceptions
This is the section that gets mishandled most often.
Exchange Online disabling Basic Authentication by default years ago did not magically clean every tenant. In 2026, what still matters is the leftover exposure inside the environment.
Check for these issues:
SMTP AUTH still enabled on mailboxes that do not need it
Many tenants still have SMTP AUTH enabled on specific mailboxes because of old multifunction devices, line of business apps, or one-off exceptions from previous admins.
If a mailbox does not need SMTP AUTH, turn it off.
If a device or workflow still depends on it, document it clearly and assess whether there is a safer replacement path.
Lingering POP and IMAP usage
If POP or IMAP is still in use, find out where and why. Sometimes it is a forgotten mail client. Sometimes it is a legacy integration no one has reviewed in years.
If the protocol is not needed, disable it. If it is needed for a defined business reason, ring-fence it as much as possible and make it part of a remediation plan.
Legacy device and app clients still hitting Entra ID
Old phones, desktops, printers, scanners, and mail apps can keep attempting outdated sign in patterns even after the business thinks it has moved on.
Review sign in logs. Look for:
- old clients still authenticating
- repeated failed sign ins from outdated apps
- stale devices attached to departed users
- odd patterns around service or shared accounts
Tenant level exceptions left behind by previous admins
This is more common than people think. One admin creates an exception to keep a problem quiet. Two years later no one remembers it exists.
Review:
- authentication related exceptions
- mailbox protocol settings
- old admin changes made for convenience
- accounts that were excluded from stronger controls
This is the difference between checking a dashboard and actually understanding your exposure.
Essential Eight alignment: This supports application control and hardening goals in a practical cloud context. It also helps reduce easy exploitation paths that should not still be open in a Maturity Level 1 style environment.
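The mailbox protocol review above, as an added example that is not part of the original article: it reports SMTP AUTH, POP and IMAP state per mailbox, marks which ones are on a documented exception list, and exports the result. It assumes the ExchangeOnlineManagement module and an Exchange Administrator sign-in; the exception list and output path are placeholders. Remediation lines are left commented so the CSV is reviewed first.

```powershell
# Added example, not code from the original article.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator sign-in.
Connect-ExchangeOnline -ShowBanner:$false

# Tenant-wide switch. If this is $true, SMTP AUTH only works on mailboxes where it is explicitly re-enabled.
$transport = Get-TransportConfig
Write-Host "Tenant-level SMTP AUTH disabled: $($transport.SmtpClientAuthenticationDisabled)"

# Per-mailbox view of the three legacy protocols the checklist asks about.
$cas = Get-CASMailbox -ResultSize Unlimited |
    Select-Object Identity, PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# SmtpClientAuthenticationDisabled is tri-state per mailbox:
#   $true  = SMTP AUTH off, $false = explicitly on, empty = inherits the tenant setting.
$smtpOn = $cas | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
$popOn  = $cas | Where-Object { $_.PopEnabled }
$imapOn = $cas | Where-Object { $_.ImapEnabled }

Write-Host "Mailboxes with SMTP AUTH explicitly enabled: $(@($smtpOn).Count)"
Write-Host "Mailboxes with POP enabled:  $(@($popOn).Count)"
Write-Host "Mailboxes with IMAP enabled: $(@($imapOn).Count)"

# Documented exceptions (placeholder): the scanner or app mailboxes the business has decided to keep for now.
$documentedExceptions = @('scanner@contoso.example')

$report = $cas | Where-Object {
    $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false
} | ForEach-Object {
    [pscustomobject]@{
        Mailbox    = [string]$_.PrimarySmtpAddress
        POP        = [bool]$_.PopEnabled
        IMAP       = [bool]$_.ImapEnabled
        SmtpAuthOn = ($_.SmtpClientAuthenticationDisabled -eq $false)
        Documented = ($documentedExceptions -contains [string]$_.PrimarySmtpAddress)
    }
}

# Undocumented exposure floats to the top; everything goes to a CSV for the remediation plan.
$report | Sort-Object Documented, Mailbox | Format-Table -AutoSize
$report | Export-Csv -Path .\m365-protocol-exposure.csv -NoTypeInformation   # placeholder path

# Remediation for anything not on the documented list. Uncomment after reviewing the CSV.
# $report | Where-Object { -not $_.Documented } | ForEach-Object {
#     Set-CASMailbox -Identity $_.Mailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
# }
# Tenant-wide default once every exception is handled per mailbox:
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

Running the report on a schedule and diffing the CSV against the previous run is a cheap way to catch a protocol that someone quietly re-enabled "just for one device".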
4. Reduce Global Admins and clean up privileged access
Too many SMBs have too many powerful accounts.
This is a recurring problem. Three people have Global Admin because it was convenient. A former IT provider still has access. An office manager has admin rights left over from a migration years ago. Nobody has reviewed it since.
Start here:
- count how many Global Admins exist
- reduce the number to the smallest practical set
- review all privileged roles, not just the obvious top one
- remove admin access from former staff and old providers
- separate admin accounts from day to day user accounts where practical
Privileged access should be deliberate, documented, and reviewed. Convenience is not a good reason for broad admin rights.
Essential Eight alignment: Restricting administrative privileges is one of the clearest links to Essential Eight Maturity Level 1. This is not optional hardening. It is core security hygiene.
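The privileged access review in step 4, as an added example that is not part of the original article: it lists every member of every activated directory role, resolves user members to their UPN, guest status and enabled state, and then reports the Global Administrator count and any guest, disabled or non-user principals holding a role. It assumes the Microsoft Graph PowerShell SDK and an admin with the listed read scopes.

```powershell
# Added example, not code from the original article.
# Assumes the Microsoft.Graph PowerShell SDK and read-only directory scopes.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','User.Read.All' -NoWelcome

# Get-MgDirectoryRole returns only roles that have been activated in the tenant,
# which is exactly the set that can have members today.
$roles = Get-MgDirectoryRole

$assignments = foreach ($role in $roles) {
    foreach ($member in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
        $type = ($member.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', '')
        if ($type -eq 'user') {
            # Look the user up explicitly so the flags below are always populated.
            $u = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,UserType,AccountEnabled,OnPremisesSyncEnabled
            [pscustomobject]@{
                Role      = $role.DisplayName
                Principal = $u.UserPrincipalName
                Type      = 'user'
                IsGuest   = ($u.UserType -eq 'Guest')
                Enabled   = [bool]$u.AccountEnabled
                Synced    = [bool]$u.OnPremisesSyncEnabled
            }
        } else {
            # Service principals and groups also hold roles; they need a review of their own.
            [pscustomobject]@{
                Role      = $role.DisplayName
                Principal = $member.AdditionalProperties['displayName']
                Type      = $type
                IsGuest   = $false
                Enabled   = $null
                Synced    = $null
            }
        }
    }
}

# Headline number the checklist asks for.
$globalAdmins = @($assignments | Where-Object { $_.Role -eq 'Global Administrator' })
Write-Host "Global Administrators: $($globalAdmins.Count)"
$globalAdmins | Select-Object Principal, Type, IsGuest, Enabled | Format-Table -AutoSize

# The "left over" patterns from the article: guests (often a former provider), disabled accounts
# still holding roles, and non-user principals with privileged access.
$assignments | Where-Object { $_.IsGuest -or $_.Enabled -eq $false -or $_.Type -ne 'user' } |
    Sort-Object Role, Principal | Format-Table Role, Principal, Type, IsGuest, Enabled -AutoSize

# Full inventory for the documented review.
$assignments | Sort-Object Role, Principal |
    Export-Csv -Path .\m365-privileged-roles.csv -NoTypeInformation   # placeholder path
```

Keeping the CSV from each review makes the next one a diff rather than a rediscovery, which is what "deliberate, documented, and reviewed" looks like in practice.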
5. Harden email protections, sharing, and alerting
For many SMBs, Microsoft 365 risk is really email risk plus identity risk.
That is why mailbox and messaging controls matter so much.
Review and tighten:
- anti phishing protections
- impersonation protections
- malicious attachment and link handling
- mailbox forwarding rules, especially external forwarding
- shared mailbox permissions
- guest access and external sharing settings
- alerting for suspicious admin or mailbox changes
Business email compromise often starts with one compromised account and one believable message. The less freedom that account has to impersonate, auto-forward, or quietly share data out, the better.
External sharing needs the same discipline. Many SMBs have sharing turned on broadly because it helps collaboration. That is fine, but broad sharing without review is not the same as controlled sharing.
Essential Eight alignment: This supports user application hardening, access control, and the broader goal of reducing common attack paths.
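The forwarding part of step 5, as an added example that is not part of the original article: it shows the tenant-level settings that decide whether automatic forwarding can leave the tenant at all, then finds mailbox-level forwarding and inbox rules that forward or redirect, flagging targets outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module and an Exchange Administrator sign-in; the output path is a placeholder.

```powershell
# Added example, not code from the original article.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator sign-in.
Connect-ExchangeOnline -ShowBanner:$false

# Any domain the tenant accepts mail for counts as internal; everything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName

function Get-SmtpAddressFromTarget([string]$target) {
    # Targets appear as 'smtp:user@example.com' or '"Display Name" [SMTP:user@example.com]'.
    if ($target -match '([^\s:\[\]"]+@[^\s\]"]+)') { return $Matches[1] }
    return $null
}

function Test-ExternalTarget([string]$target) {
    $address = Get-SmtpAddressFromTarget $target
    if (-not $address) { return $false }
    return ($internalDomains -notcontains ($address -split '@')[-1])
}

# 1. Tenant-level controls. AutoForwardingMode 'Off' and AutoForwardEnabled $false on the default
#    remote domain stop user-created forwarding from leaving the tenant regardless of rules below.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode | Format-Table -AutoSize
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled | Format-Table -AutoSize

# 2. Mailbox-level forwarding (set by an admin, or by whoever obtained admin-equivalent access).
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxForwarding = foreach ($mbx in $mailboxes) {
    $target = if ($mbx.ForwardingSmtpAddress) { [string]$mbx.ForwardingSmtpAddress } else { [string]$mbx.ForwardingAddress }
    if ($target) {
        [pscustomobject]@{
            Mailbox  = [string]$mbx.PrimarySmtpAddress
            Source   = 'mailbox'
            Rule     = ''
            Enabled  = $true
            Targets  = $target
            External = Test-ExternalTarget $target
        }
    }
}

# 3. Inbox rules that forward or redirect: the classic business email compromise persistence trick.
#    Get-InboxRule is one call per mailbox, so this loop is slow on large tenants.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ } | ForEach-Object { [string]$_ }
        if ($targets) {
            [pscustomobject]@{
                Mailbox  = [string]$mbx.PrimarySmtpAddress
                Source   = 'inbox rule'
                Rule     = $rule.Name
                Enabled  = [bool]$rule.Enabled
                Targets  = ($targets -join '; ')
                External = [bool]($targets | Where-Object { Test-ExternalTarget $_ })
            }
        }
    }
}

$all = @($mailboxForwarding) + @($ruleForwarding)
Write-Host "Forwarding entries found: $($all.Count); external: $(@($all | Where-Object External).Count)"
$all | Sort-Object External -Descending | Format-Table Mailbox, Source, Rule, Enabled, External, Targets -AutoSize
$all | Export-Csv -Path .\m365-forwarding-review.csv -NoTypeInformation   # placeholder path
```

External entries that nobody can explain are the ones to treat as a possible compromise rather than a tidy-up item: remove the rule, reset the credential, and review that mailbox's recent sign-ins.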
What most SMBs miss
Even businesses that turn on MFA often miss the basics below.
Shared accounts and shared mailboxes
Shared accounts are messy: there is no personal accountability, password discipline is weak, and there is no clean offboarding trail. Where possible, replace shared logins with proper shared mailbox or delegated access models.
Then review who still has access.
Former staff with lingering access
Leavers are one of the easiest places for security debt to hide. Old accounts, stale devices, forgotten mailbox permissions, and admin roles that never got removed all create unnecessary risk.
No sign in log review
A tenant can be noisy for months before someone checks what is happening. Even a simple recurring review of sign in activity can surface:
- password spray attempts
- suspicious locations
- repeated sign in failures from old clients
- stubborn legacy workflows that need fixing
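The recurring sign-in review described here and in step 3, as an added example that is not part of the original article: it pulls the last seven days of sign-ins from Microsoft Graph and groups them into the four patterns listed above. It assumes the Microsoft Graph PowerShell SDK, an admin with AuditLog.Read.All, and Entra ID P1, because the Graph sign-in endpoint is not available without it (Basic and Standard tenants do the same review in the Entra portal's sign-in logs). The expected-country list is a placeholder.

```powershell
# Added example, not code from the original article.
# Assumes the Microsoft.Graph PowerShell SDK, AuditLog.Read.All, and Entra ID P1 for the sign-in endpoint.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome

# By default the endpoint returns interactive user sign-ins, which is where legacy clients and
# credential guessing show up.
$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All)
Write-Host "Sign-in events in the last 7 days: $($signIns.Count)"

# 1. Old clients still authenticating: anything that is not a browser or a modern desktop/mobile app.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')
$legacy = $signIns | Where-Object { $_.ClientAppUsed -and ($modernClients -notcontains $_.ClientAppUsed) }
Write-Host "`nLegacy client sign-ins by client and user:"
$legacy | Group-Object ClientAppUsed, UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Repeated failures. Status.ErrorCode 0 is success; anything else is a failed attempt.
$failures = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }
Write-Host "`nAccounts with 10 or more failed sign-ins:"
$failures | Group-Object UserPrincipalName | Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Password spray looks different from brute force: many distinct accounts, few attempts each,
# from the same source address.
Write-Host "`nSource addresses with failures across 5 or more distinct accounts (spray indicator):"
$failures | Group-Object IPAddress | Where-Object {
    @($_.Group | Select-Object -ExpandProperty UserPrincipalName -Unique).Count -ge 5
} | Select-Object Name, Count | Format-Table -AutoSize

# 3. Successful sign-ins from outside the countries the business expects (placeholder list).
$expectedCountries = @('AU', 'NZ')
Write-Host "`nSuccessful sign-ins from unexpected countries:"
$signIns | Where-Object {
    $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -and
    ($expectedCountries -notcontains $_.Location.CountryOrRegion)
} | Select-Object CreatedDateTime, UserPrincipalName, IPAddress,
        @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, ClientAppUsed |
    Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize

# 4. Stubborn legacy workflows: which accounts still depend on a legacy client at all.
Write-Host "`nAccounts with any legacy client usage (remediation plan candidates):"
$legacy | Select-Object -ExpandProperty UserPrincipalName -Unique | Sort-Object
```

Run it weekly and keep the output; the value is in the trend, because a legacy client that disappears and then reappears, or a failure count that jumps, is the signal the dashboard alone will not give you.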
Weak external sharing controls
File and collaboration sharing often expands quietly over time. Review what can be shared, with whom, and under what conditions.
Assuming Microsoft 365 means full backup and recovery
This assumption is where SMBs lose data.
Microsoft 365 gives resilience features, but that is not the same as having a complete, tested backup and recovery strategy for your business needs. You still need to ask:
- can we recover deleted or maliciously altered data fast enough?
- do we have the retention we actually need?
- have we tested recovery, not just assumed it works?
- do we have mailbox, file, and collaboration recovery coverage that matches our risk?
That question matters a lot for SMBs handling client records, HR files, finance data, and sensitive personal information.
Practical checklist by priority
Today
- Turn on MFA for all users.
- Enable Security Defaults if you are on Business Basic or Business Standard and do not have Conditional Access.
- Review all Global Admin accounts.
- Remove former staff and stale provider access.
- Review mailbox level SMTP AUTH settings.
- Check whether POP or IMAP is still in use anywhere.
Essential Eight relevance: MFA, privilege restriction, and reduction of unnecessary exposure all support a practical Maturity Level 1 baseline.
This week
- If you are on Business Premium, configure baseline Conditional Access policies.
- Review sign in logs for legacy devices, repeated failures, and unusual locations.
- Review shared accounts and shared mailbox access.
- Disable unnecessary external forwarding.
- Tighten anti phishing and impersonation protections.
- Review external sharing and guest access settings.
Essential Eight relevance: This supports hardening, access control, and reduced likelihood of common user targeted attacks.
This month
- Review privileged role assignments more deeply.
- Separate admin and user access where practical.
- Validate logging, alerting, and response visibility.
- Review recovery and retention assumptions for mail, files, and Teams data.
- Document any remaining legacy dependencies that cannot yet be removed.
- Create a remediation plan for anything still relying on old protocols or broad exceptions.
Essential Eight relevance: This is where the environment shifts from ad hoc hardening into supportable control maturity.
Want this reviewed against your tenant?
Reading a checklist is not the same as knowing how your Microsoft 365 environment actually scores against it. Ozzie Geeks can run a practical tenant review across MFA, admin access, mailbox protocols, sharing, and recovery assumptions, then give you a prioritised remediation list in plain English.
Request a Microsoft 365 tenant review →
When to get outside help
Some tenants can be cleaned up internally. Others need a proper review.
You should get help if:
- nobody is fully sure which identity and email controls are active
- there are too many admins and no one wants to touch them
- old devices or apps are still forcing awkward authentication exceptions
- your business is covered by the Privacy Act and a compromise would create Notifiable Data Breaches exposure
- you have already had suspicious email activity, invoice fraud attempts, or account compromise
- recovery capability has never been tested
- the business is buying cyber insurance or renewing it and needs a cleaner security baseline
If something is happening right now, work through our first 60 minutes of a cyber incident guide before anything else.
This matters even more if an incident escalates into ransomware or extortion. Under the Cyber Security Act 2024, mandatory ransomware and cyber extortion payment reporting commenced on 30 May 2025. The obligation applies to businesses with annual turnover above $3 million and to entities responsible for critical infrastructure assets. If you sit below that threshold today, the obligation does not currently apply, but voluntary reporting through the Australian Signals Directorate is still encouraged and the threshold is worth tracking as the business grows. You do not want to be figuring out your tenant security posture for the first time in the middle of that kind of event.
If your business is covered by the Privacy Act and personal information is involved, the Notifiable Data Breaches scheme may also come into play. Health service providers are covered regardless of size, and most other private sector entities are covered once annual turnover passes $3 million. That turns a technical incident into a legal and operational problem very quickly.
A practical Microsoft 365 security assessment should cover:
- licence aware baseline controls
- MFA posture
- Security Defaults or Conditional Access design
- privileged role review
- mailbox protocol exposure
- sign in log review
- external sharing posture
- backup and recovery assumptions
- high risk remediation priorities in plain English
Do not aim for perfect first. Aim for safer.
A lot of SMBs stall because they think security improvements have to arrive as one big transformation.
They do not.
A better path is to tighten the highest risk gaps first, make the tenant easier to support, and keep building from there. For most Microsoft 365 environments, that means identity, admin access, email exposure, sharing, and recovery assumptions.
That is practical security. It is also the kind that usually prevents the worst outcomes.
If your team needs help, Ozzie Geeks can review your Microsoft 365 tenant, identify the highest risk gaps, and help remediate them in a way that fits how your business actually works. Learn more about our cybersecurity services or our Managed IT offering.
Author Bio
Heinrich Lombard is a Consultant at Ozzie Geeks, a cybersecurity and managed IT consultancy serving health practices, schools, and professional services across Australia and New Zealand. He holds a Post Graduate in Cybersecurity and a Bachelor of Information Technology.
He has more than 20 years of experience in service management and security across global-scale enterprise systems for government, business, and education.