Microsoft 365 Security Hardening: Step-by-Step Guide for Australian Businesses

Precision IT · Cloud & Security Experts
3 October 2025 · 13 min read

Microsoft 365 is the backbone of productivity for over 300,000 Australian businesses, yet the default configuration leaves significant security gaps that attackers actively exploit. Out of the box, Microsoft 365 prioritises usability over security — and this is by design. Microsoft expects organisations to harden their tenants based on their specific risk profile. The problem is that most businesses never do.

According to Microsoft's own Digital Defense Report 2024, over 99.9% of compromised accounts did not have multi-factor authentication enabled. The ACSC has repeatedly identified Microsoft 365 misconfiguration as a leading cause of business email compromise in Australia, with losses exceeding AUD $98 million in 2023 from email-related cybercrime alone (ACSC Annual Cyber Threat Report).

Key Takeaway

The default Microsoft 365 configuration is not secure enough for any business handling sensitive data. Hardening your M365 tenant is one of the highest-impact, lowest-cost security improvements you can make — and it directly supports Essential 8 compliance.

Why Default Microsoft 365 Settings Are Not Enough

When you provision a Microsoft 365 tenant, several critical security features are either disabled or set to permissive defaults:

  • MFA is not enforced with any context — Security defaults (on by default in new tenants) require MFA registration and prompt for it, but they are all-or-nothing; Conditional Access, which applies MFA per application, device, location and sign-in risk, requires manual configuration, and turning it on means switching security defaults off
  • Legacy authentication may still be reachable — Microsoft has retired Basic Auth for POP3, IMAP, EWS and most other Exchange Online protocols, but SMTP AUTH can still be enabled per mailbox, and without a Conditional Access policy that blocks legacy clients nothing in the tenant closes the path explicitly
  • External sharing is open — SharePoint and OneDrive allow sharing with anyone by default
  • Email forwarding rules are unrestricted — Users can create forwarding rules to external addresses, a common data exfiltration technique
  • Audit logging has limited retention — Default audit log retention is 180 days (90 days for some plans), which may be insufficient for compliance investigations
  • Phishing protections are basic — Advanced anti-phishing, Safe Links, and Safe Attachments require explicit configuration

Step-by-Step Microsoft 365 Security Hardening

Step 1: Enforce Multi-Factor Authentication with Conditional Access

MFA is the single most effective control against account compromise. However, simply enabling MFA is not enough — you need Conditional Access policies that apply MFA intelligently based on context.

Recommended Conditional Access policies:

  • Require MFA for all users — No exceptions. Every account, including service accounts where possible, should require MFA.
  • Block legacy authentication — Create a policy that blocks POP3, IMAP, SMTP Basic Auth, and other legacy protocols. These protocols cannot use MFA and are the primary vector for password spray attacks.
  • Require compliant devices — For organisations using Intune, require that devices meet compliance policies (encryption enabled, OS up to date, antivirus active) before granting access.
  • Geo-blocking — Block sign-ins from countries where you have no business operations. Most Australian businesses can safely block sign-ins from high-risk regions. Treat this as noise reduction rather than a control: attackers route through VPNs and residential proxies in allowed countries, so it does not replace MFA or risk-based policies.
  • Risk-based policies — Using Entra ID Protection, automatically require MFA or block access when Microsoft detects anomalous sign-in behaviour (unfamiliar locations, impossible travel, leaked credentials).
  • Session controls — Limit session duration for sensitive applications and enforce re-authentication for privileged actions.

MFA methods to enforce (in order of security; Conditional Access authentication strengths let you require the phishing-resistant tier for administrators and sensitive applications):

  1. FIDO2 security keys — Phishing-resistant, hardware-based authentication (strongest)
  2. Windows Hello for Business — Biometric or PIN-based authentication tied to the device
  3. Microsoft Authenticator — Push notification with number matching (recommended minimum)
  4. SMS/Voice — Should be avoided where possible due to SIM-swapping and interception; disable them in the Authentication methods policy once users have migrated to a stronger method

Key Takeaway

Blocking legacy authentication typically eliminates over 80% of password spray attacks immediately. This single change, combined with MFA enforcement, addresses the most common attack vector against Microsoft 365 tenants.
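The two foundational policies from Step 1 (block legacy authentication, require MFA for everyone) created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article or from Precision IT; the policy names, the report-only starting state and the break-glass group ID are assumptions to adapt for your tenant.

```powershell
# Added example, not code from the original article: create the two foundational
# Conditional Access policies with the Microsoft Graph PowerShell SDK.
# Assumptions (placeholders, not from the article): the Microsoft.Graph module is
# installed, the caller can manage Conditional Access, and $BreakGlassGroupId is
# replaced with the object ID of your emergency-access group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

# Policy 1: block legacy authentication. "exchangeActiveSync" plus "other" covers
# POP3, IMAP, SMTP AUTH, EWS and older Office clients that cannot do MFA.
$blockLegacy = @{
    displayName = "CA001 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for all users on all cloud apps via an authentication
# strength. ...0002 is the built-in "Multifactor authentication" strength;
# ...0004 is the built-in "Phishing-resistant MFA" strength (FIDO2 / WHfB / CBA),
# the right choice for admins and sensitive apps once those methods are registered.
$requireMfa = @{
    displayName = "CA002 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000002" }
    }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $name     = $policy.displayName
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Host "Skipping '$name': already exists ($($existing.Id))"
        continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state '$($created.State)'"
}

# Sanity check before enforcing anything: every policy must exclude the break-glass group,
# otherwise a mistake in one policy can lock the emergency accounts out too.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $BreakGlassGroupId -notin $_.Conditions.Users.ExcludeGroups } |
    ForEach-Object { Write-Warning "Policy '$($_.DisplayName)' does not exclude the break-glass group" }
```

Leave both policies in report-only for a week, review the "Report-only" column in the Entra sign-in logs for users and apps that would have been blocked, then flip the state to "enabled".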

Step 2: Harden Email Security with Defender for Office 365

Email remains the primary attack vector for Australian businesses. Configure these protections:

Anti-Phishing Policies:

  • Enable impersonation protection for executives, finance staff, and IT administrators
  • Configure mailbox intelligence to detect anomalous email patterns
  • Set the advanced phishing threshold to level 3 (More aggressive) or 4 (Most aggressive). Higher levels catch more but also quarantine more legitimate mail, so review the quarantine regularly for the first few weeks after raising it
  • Enable first contact safety tip — alerts users when they receive email from a new sender

Safe Links:

  • Enable URL rewriting for all users across email, Teams, and Office applications
  • Enable real-time URL scanning — checks URLs at time of click, not just at delivery
  • Block users from clicking through to malicious URLs (do not allow override)

Safe Attachments:

  • Enable Dynamic Delivery — delivers the email body immediately while attachments are scanned in a sandbox
  • Enable Safe Attachments for SharePoint, OneDrive, and Teams — not just email
  • Verify zero-hour auto purge (ZAP) is enabled in the anti-malware and anti-spam policies (it is on by default, and it lives there rather than in Safe Attachments) so that mail found to be malicious after delivery is pulled back from mailboxes

Additional email security measures:

  • Configure SPF, DKIM, and DMARC records to prevent domain spoofing. Set DMARC policy to p=reject after monitoring.
  • Disable automatic email forwarding to external domains using an outbound anti-spam policy
  • Enable mailbox audit logging for all users (enabled by default but verify it has not been disabled)
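The Step 2 settings applied with the ExchangeOnlineManagement module, followed by an audit for forwarding that was already in place before the policy was tightened (a tenant-wide forwarding block does not remove rules an attacker created earlier). This is an added example, not code from the original article or from Precision IT; the policy names, the protected executive and the example.com.au addresses are placeholders.

```powershell
# Added example, not code from the original article: apply the Step 2 email
# controls with the ExchangeOnlineManagement module, then audit the tenant for
# forwarding that predates the policy. Assumptions (placeholders): the caller is
# an Exchange Administrator and "Jane Citizen" stands in for an executive to protect.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Anti-phishing on the default policy: impersonation protection for named
#    people and your own domains, mailbox intelligence, threshold 3, safety tip.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" -Enabled $true `
    -PhishThresholdLevel 3 `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableFirstContactSafetyTips $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Citizen;jane.citizen@example.com.au") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine

# 2. Safe Links: rewrite and scan at click time in mail, Teams and Office; no click-through.
if (-not (Get-SafeLinksPolicy -Identity "Hardened Safe Links" -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name "Hardened Safe Links" `
        -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
        -ScanUrls $true -DeliverMessageAfterScan $true -AllowClickThrough $false -TrackClicks $true | Out-Null
    New-SafeLinksRule -Name "Hardened Safe Links" -SafeLinksPolicy "Hardened Safe Links" `
        -RecipientDomainIs (Get-AcceptedDomain).DomainName | Out-Null
}

# 3. Safe Attachments: Dynamic Delivery for mail, plus scanning in SharePoint/OneDrive/Teams.
if (-not (Get-SafeAttachmentPolicy -Identity "Hardened Safe Attachments" -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name "Hardened Safe Attachments" -Enable $true -Action DynamicDelivery | Out-Null
    New-SafeAttachmentRule -Name "Hardened Safe Attachments" -SafeAttachmentPolicy "Hardened Safe Attachments" `
        -RecipientDomainIs (Get-AcceptedDomain).DomainName | Out-Null
}
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 4. Stop automatic external forwarding tenant-wide (outbound spam policy).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 5. Confirm mailbox auditing has not been switched off at the organisation level.
if ((Get-OrganizationConfig).AuditDisabled) { Write-Warning "Mailbox audit logging is disabled org-wide" }

# 6. Audit: mailbox-level forwarding or inbox rules that point outside the tenant.
$internal = (Get-AcceptedDomain).DomainName
function Test-ExternalAddress([string]$Address) {
    # Values look like "smtp:user@domain" or '"Name" [SMTP:user@domain]'; keep the domain part only
    $domain = (($Address -replace '.*@', '') -replace '\]$', '')
    return ($Address -match '@') -and ($domain -notin $internal)
}
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -and (Test-ExternalAddress $_.ForwardingSmtpAddress) } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward

foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            $ext     = $targets | Where-Object { Test-ExternalAddress $_ }
            if ($ext) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $_.Name; Enabled = $_.Enabled; External = ($ext -join '; ') }
            }
        }
}
```

Anything the final loop prints is either a legitimate business need that should become a documented exception, or the footprint of a business email compromise and should be investigated as an incident; the Step 5 alert on new forwarding rules keeps this list from growing silently again.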

Step 3: Secure SharePoint, OneDrive, and Teams

Collaboration tools are powerful but can easily become data leakage channels without proper controls:

  • External sharing: Restrict SharePoint external sharing to "Existing guests" or, where new guests are genuinely needed, "New and existing guests" (guests must sign in or use a one-time verification code). Disable "Anyone" (anonymous) sharing links, or at minimum make them view-only with a short expiry.
  • Guest access in Teams: Limit guest access to specific teams, enforce MFA for guests, and set automatic guest expiry (e.g., 90 days).
  • Data Loss Prevention (DLP): Create DLP policies that detect and block sharing of sensitive information types — ABN/TFN numbers, credit card numbers, health identifiers, and personal information.
  • Sensitivity labels: Deploy Microsoft Purview Information Protection labels to classify documents. Apply encryption and access restrictions automatically based on content sensitivity.
  • Teams meeting security: Require meeting lobby for external participants, disable anonymous join, restrict recording permissions.
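The sharing and meeting settings from Step 3 applied with the SharePoint Online and Teams PowerShell modules, with the sharing-level names mapped to their admin-centre labels. This is an added example, not code from the original article or from Precision IT; "contoso" and the partner domain are placeholders.

```powershell
# Added example, not code from the original article: apply the Step 3 sharing
# and meeting restrictions with the SharePoint Online and Teams modules.
# Assumptions (placeholders): "contoso" is your tenant name, partner.example.com.au
# is an allowed partner domain, both modules are installed, and the caller is a
# SharePoint and Teams administrator.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# SharingCapability values, most to least permissive:
#   ExternalUserAndGuestSharing     = "Anyone" (anonymous links)   <- tenant default
#   ExternalUserSharingOnly         = "New and existing guests"
#   ExistingExternalUserSharingOnly = "Existing guests"
#   Disabled                        = "Only people in your organization"

# Record what is open today: sites whose own setting is "Anyone", before the tenant ceiling drops
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, Owner

Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
    -OneDriveSharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View `
    -PreventExternalUsersFromResharing $true `
    -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90 `
    -FileAnonymousLinkType View -FolderAnonymousLinkType View `
    -RequireAnonymousLinksExpireInDays 7   # only matters if a site is later re-opened to "Anyone"

# Guests may only come from an allow-list of partner domains rather than from anywhere
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "partner.example.com.au"

Connect-MicrosoftTeams
# External participants wait in the lobby, no anonymous join, externals cannot take control
Set-CsTeamsMeetingPolicy -Identity Global `
    -AutoAdmittedUsers "EveryoneInCompany" `
    -AllowAnonymousUsersToJoinMeeting $false `
    -AllowExternalParticipantGiveRequestControl $false

# Verify the settings actually took
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType, ExternalUserExpireInDays
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object AutoAdmittedUsers, AllowAnonymousUsersToJoinMeeting
```

Site-level sharing can never exceed the tenant setting, so lowering the tenant ceiling is the one change that closes every site at once; the report at the top tells you which site owners to warn before their "Anyone" links stop working.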

Step 4: Implement Privileged Access Controls

Administrative accounts are the highest-value targets in any Microsoft 365 environment:

  • Separate admin accounts: Administrators should use dedicated admin accounts that are distinct from their daily-use accounts. Admin accounts should not have email or Teams access.
  • Privileged Identity Management (PIM): Implement just-in-time access for all administrative roles. Admins must request and justify elevated access, which is granted for a limited time window.
  • Emergency access accounts: Create two cloud-only break-glass accounts with Global Administrator rights (permanently assigned, not via PIM), protected by FIDO2 keys, excluded from every Conditional Access policy, with no password expiry, and monitored with alerts on any sign-in activity. Test them on a schedule so you know they still work before you need them.
  • Regular access reviews: Conduct monthly reviews of administrative role assignments. Remove any unnecessary admin access immediately.
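The monthly access review from Step 4 as a script: it lists every permanent directory role assignment next to the PIM-eligible ones, so any permanent Global Administrator other than the two break-glass accounts stands out. This is an added example, not code from the original article or from Precision IT; it assumes the Microsoft Graph PowerShell SDK and read access to role management.

```powershell
# Added example, not code from the original article: a monthly privileged-role
# review with the Microsoft Graph PowerShell SDK. It lists every permanent
# (active) directory role assignment alongside PIM-eligible ones, so permanent
# Global Administrators other than the break-glass accounts stand out.
# Assumption: Microsoft.Graph is installed and the caller can read role management.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All" -NoWelcome

$GlobalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator template ID

# Map role definition IDs to display names once
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

function Format-Principal($Principal) {
    # The expanded principal is a user, group or service principal; its type and
    # identity live in AdditionalProperties.
    $props = $Principal.AdditionalProperties
    $type  = ($props['@odata.type'] -replace '#microsoft.graph.', '')
    $name  = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    "$name [$type]"
}

# Permanent (active) assignments: these are the ones PIM is supposed to replace
$report = @(
    Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal | ForEach-Object {
        [pscustomobject]@{
            Role          = $roleNames[$_.RoleDefinitionId]
            Principal     = Format-Principal $_.Principal
            Assignment    = 'Permanent'
            IsGlobalAdmin = ($_.RoleDefinitionId -eq $GlobalAdminRoleId)
        }
    }
)
# PIM-eligible assignments (requires Entra ID P2); skipped quietly if PIM is not licensed
$report += @(
    Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All -ExpandProperty Principal -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Role          = $roleNames[$_.RoleDefinitionId]
                Principal     = Format-Principal $_.Principal
                Assignment    = 'PIM eligible'
                IsGlobalAdmin = ($_.RoleDefinitionId -eq $GlobalAdminRoleId)
            }
        }
)

$report | Sort-Object IsGlobalAdmin, Role -Descending | Format-Table Role, Principal, Assignment -AutoSize

$permanentGAs = @($report | Where-Object { $_.IsGlobalAdmin -and $_.Assignment -eq 'Permanent' })
Write-Host "Permanent Global Administrators: $($permanentGAs.Count) (target: the two break-glass accounts only)"
if ($permanentGAs.Count -gt 2) { Write-Warning "Convert the extra permanent Global Administrators to PIM-eligible assignments" }
```

Run it before each review meeting and keep the output: a month-over-month diff of this table is the evidence an Essential 8 assessor will ask for under Restrict Administrative Privileges.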

Step 5: Configure Monitoring and Alerting

Visibility is essential for detecting and responding to security incidents:

  • Unified Audit Log: Ensure the unified audit log is enabled and configure retention beyond the default period. Audit (Standard) keeps 180 days; Audit (Premium), included in Microsoft 365 E5, keeps one year by default, and ten-year retention requires the separate 10-Year Audit Log Retention add-on licence.
  • Microsoft Sentinel integration: For organisations with advanced security requirements, integrate M365 audit logs with Microsoft Sentinel for SIEM capabilities, automated threat detection, and incident response playbooks.
  • Alert policies: Configure alerts for suspicious activities including: unusual mail forwarding rules, mass file downloads, impossible travel detections, admin role changes, and DLP policy violations.
  • Microsoft Secure Score: Regularly review and act on Microsoft Secure Score recommendations. Aim for a score above 80% as a baseline.
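The Step 5 controls in script form: confirm audit ingestion, create the break-glass sign-in alert, hunt a week of audit data for inbox rules that forward mail externally (the detection the article flags as a top alert), and take a Secure Score reading for the trend line. This is an added example, not code from the original article or from Precision IT; the break-glass and SOC addresses are placeholders.

```powershell
# Added example, not code from the original article: verify audit ingestion,
# alert on any break-glass sign-in, hunt recent audit data for externally
# forwarding inbox rules, and read the current Secure Score.
# Assumptions (placeholders): bg-admin1/bg-admin2 and soc@example.com.au are
# your emergency-access accounts and SOC mailbox; the caller holds Exchange,
# Compliance and Graph permissions; custom alert policies are licensed.
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# 1. Unified audit log ingestion (on by default for most tenants, but verify).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. High-severity alert on any sign-in by the break-glass accounts.
if (-not (Get-ProtectionAlert -Identity "Break-glass account sign-in" -ErrorAction SilentlyContinue)) {
    New-ProtectionAlert -Name "Break-glass account sign-in" `
        -Category AccessGovernance -ThreatType Activity -Operation UserLoggedIn `
        -UserId "bg-admin1@example.com.au", "bg-admin2@example.com.au" `
        -AggregationType None -Severity High -NotifyUser "soc@example.com.au" | Out-Null
}

# 3. Hunt the last 7 days for inbox rules that forward or redirect outside the tenant.
#    New-InboxRule/Set-InboxRule events carry the cmdlet parameters as Name/Value pairs.
$internal = (Get-AcceptedDomain).DomainName
$events   = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

$findings = foreach ($e in $events) {
    $d   = $e.AuditData | ConvertFrom-Json
    $fwd = $d.Parameters | Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' }
    foreach ($p in $fwd) {
        # Pull every address out of the parameter text, whatever its display format
        $external = [regex]::Matches($p.Value, '[\w.+-]+@[\w.-]+') |
            ForEach-Object { $_.Value } |
            Where-Object { ($_ -replace '.*@', '') -notin $internal }
        if ($external) {
            [pscustomobject]@{
                When     = $e.CreationDate
                Actor    = $d.UserId      # who created the rule (may differ from the mailbox owner)
                Mailbox  = $d.ObjectId
                Action   = $d.Operation
                External = ($external -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize
# Rules created from Outlook desktop are logged as "UpdateInboxRules" with a different
# schema (OperationProperties); add that operation and parse it separately if you rely on this hunt.

# 4. Secure Score snapshot for the trend line.
$score = Get-MgSecuritySecureScore -Top 1
"Secure Score: {0} / {1} ({2:P0})" -f $score.CurrentScore, $score.MaxScore, ($score.CurrentScore / $score.MaxScore)
```

A rule whose Actor differs from the Mailbox is worth a closer look even when the target looks internal: delegated access being used to set up forwarding is a common persistence step after an account takeover.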

Key Takeaway

Microsoft Secure Score provides a quantifiable measure of your M365 security posture. According to Microsoft, organisations that actively work to improve their Secure Score experience 30 times fewer breaches than those that do not. Check your score today in the Microsoft Defender portal (security.microsoft.com).

Step 6: Endpoint and Device Management

For organisations using Microsoft Intune for device management:

  • Device compliance policies: Require BitLocker encryption, minimum OS version, active antivirus, and screen lock on all managed devices.
  • App protection policies: For BYOD scenarios, protect corporate data within managed applications without requiring full device enrollment.
  • Windows Autopilot: Standardise device provisioning with security baselines applied from first boot.
  • Endpoint Defender policies: Deploy Microsoft Defender for Endpoint configurations including attack surface reduction rules, network protection, and controlled folder access.

Essential 8 Alignment

Microsoft 365 hardening directly supports several Essential 8 strategies:

Essential 8 Strategy               | M365 Hardening Control
Multi-Factor Authentication        | Conditional Access + phishing-resistant MFA
Restrict Administrative Privileges | PIM + separate admin accounts + access reviews
Patch Applications                 | Intune application deployment and update policies
Patch Operating Systems            | Windows Update for Business via Intune
Application Control                | Defender Application Control + Intune policies
Configure Office Macros            | Group Policy / Intune macro restriction policies
User Application Hardening         | Edge security baselines + attack surface reduction
Regular Backups                    | SkyKick M365 Backup or Azure Backup integration

Implementation Priority Order

If you cannot do everything at once, prioritise in this order for maximum security impact:

  1. Block legacy authentication (immediate, high impact)
  2. Enforce MFA via Conditional Access (week 1)
  3. Configure anti-phishing and Safe Links/Attachments (week 1-2)
  4. Disable external email forwarding (week 1)
  5. Restrict external sharing in SharePoint/OneDrive (week 2)
  6. Implement privileged access controls (week 2-3)
  7. Deploy DLP policies (week 3-4)
  8. Configure monitoring and alerting (week 4)
  9. Deploy Intune device compliance (week 4-6)
  10. Implement sensitivity labels (week 6-8)

How Precision IT Hardens Microsoft 365

As a Microsoft Solutions Partner with advanced security specialisation, Precision IT has hardened hundreds of Microsoft 365 tenants for Australian businesses. Our M365 security hardening service includes:

  • Security posture assessment — Comprehensive review of your current M365 configuration against best practices and Essential 8 requirements
  • Conditional Access deployment — Tailored policies based on your risk profile, industry, and compliance requirements
  • Email security configuration — Full Defender for Office 365 setup including anti-phishing, Safe Links, Safe Attachments, and DMARC
  • Collaboration security — SharePoint, OneDrive, and Teams hardening with DLP and sensitivity labels
  • Ongoing monitoring — 24/7 security monitoring through our Australian Security Operations Centre
  • Quarterly reviews — Regular security posture reviews to address new threats and Microsoft feature updates

Every hardening engagement includes comprehensive documentation and staff training, ensuring your team understands the changes and can maintain the security posture going forward.

Is your Microsoft 365 tenant secure? Book a free M365 security assessment and we will provide a detailed report of your current security posture with prioritised recommendations. Most assessments are completed within 48 hours.
