Comprehensive Guide — Last updated February 2026
Microsoft 365 is the operating system of most Perth businesses. Email, files, Teams calls, client data, financial records — it all lives inside your M365 tenant. That makes it the single highest-value target for anyone trying to breach your organisation. And the uncomfortable truth is that most M365 environments are running with default settings that Microsoft itself warns are insufficient.
As a Microsoft Solutions Partner, we manage M365 security across hundreds of tenants for Perth businesses. This guide covers the security controls that actually matter, in the order you should implement them, written for business owners and decision-makers — not just IT administrators.
Most businesses assume that because they pay Microsoft for M365, Microsoft handles security. That is not how it works.
Microsoft operates on a shared responsibility model. They secure the physical infrastructure — the data centres, the network, the platform itself. You are responsible for everything inside your tenant: your data, your identities, your access policies, your device management, and your security configuration.
Think of it this way. Microsoft builds the bank vault. They hire the guards and install the alarms. But you are responsible for who gets a key, what goes in the vault, and whether you actually lock the door when you leave. Most businesses are leaving the door wide open.
A 2025 Verizon report found that 82 percent of breaches involve compromised identities. Nearly 60 percent of enterprises lack basic identity hygiene like enforced MFA. The attacks that hit Perth SMBs are not sophisticated zero-day exploits. They are credential stuffing, phishing, and business email compromise — all preventable with proper M365 configuration.
If you implement only one thing from this guide, make it this. Multi-factor authentication is the single most effective control you can deploy to prevent account takeover. Microsoft’s own data shows that MFA blocks over 99.9 percent of account compromise attacks.
MFA requires users to verify their identity with a second factor — typically a push notification on their phone — in addition to their password. Even if an attacker has stolen a user’s password through phishing, they cannot log in without that second factor.
Here is what a proper MFA deployment looks like:
Enforce MFA for every account. No exceptions. Every user, every admin, every service account that supports it. The most common mistake we see is businesses that enable MFA for admins but leave regular users unprotected. Attackers do not care about your org chart — they will compromise any account that gets them in.
Use phishing-resistant methods. Not all MFA is equal. SMS codes are better than nothing but can be intercepted. The strongest options in order: FIDO2 security keys (like YubiKey), passkeys using Windows Hello or Face ID, and the Microsoft Authenticator app with number matching. Push notifications without number matching are vulnerable to MFA fatigue attacks, where the attacker hammers the user with requests until they accidentally approve one.
Block legacy authentication. Legacy (basic) authentication, used by older email clients over protocols like POP3, IMAP, and SMTP, does not support MFA. If legacy authentication is enabled on your tenant, attackers who have a password can bypass MFA entirely. Disable it. If you have legacy apps that require these protocols, they need to be replaced or isolated.
This is not optional. If your access management does not include enforced MFA across all accounts, you have an open front door.
MFA answers the question “is this person who they say they are?” Conditional Access answers a broader question: “should this person have access to this resource, right now, from this device, in this location?”
Conditional Access is the engine of Zero Trust in Microsoft 365. It evaluates every access request against a set of conditions and makes a real-time decision about whether to allow, block, or require additional verification. This is where M365 security moves from basic to intelligent.
The policies every Perth business should have in place:
Require MFA for all users on all cloud apps. This is your baseline. No conditions, no exceptions.
Block access from countries where you do not operate. If your business only operates in Australia, there is no reason to allow sign-ins from Eastern Europe, West Africa, or Southeast Asia. Geo-blocking will not stop a determined attacker using a VPN, but it eliminates the vast majority of opportunistic credential attacks.
Require compliant devices. If a device is not managed, not updated, or not running your security baseline, it should not be accessing company data. This requires Intune (covered below) but is one of the most powerful controls available.
Block risky sign-ins. Microsoft Entra ID Protection (included in M365 Business Premium and E5) evaluates sign-in risk in real time. Impossible travel, sign-ins from known malicious infrastructure, password spray patterns — all of these can trigger automatic blocking or step-up MFA.
Restrict access to company apps from personal devices. At minimum, enforce app protection policies that prevent users from downloading company data to unmanaged personal devices or forwarding company email to personal accounts.
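The first three policies in that list, together with the legacy-authentication block from the MFA section, expressed as the JSON that Microsoft Graph accepts for a Conditional Access policy (POST /identity/conditionalAccess/policies), plus a small linter for the mistakes that lock an organisation out. This is an added example, not code from this guide or from Microsoft; the object IDs for the break-glass account and the "allowed countries" named location are constructed placeholders, and the policies are created in report-only state on purpose.

```python
"""Conditional Access policies as Microsoft Graph JSON, plus a lockout linter.

Added example. Payload shapes follow the Graph conditionalAccessPolicy
resource; the IDs below are constructed placeholders, not real tenant values.
"""
import json

# Constructed placeholders: a real tenant uses Entra object IDs here.
BREAK_GLASS_ACCOUNTS = ["00000000-0000-0000-0000-0000000000aa"]  # hypothetical emergency-access account
AUSTRALIA_ONLY_LOCATION = "00000000-0000-0000-0000-0000000000bb"  # hypothetical countryNamedLocation id

REPORT_ONLY = "enabledForReportingButNotEnforced"  # start here, flip to "enabled" after review


def _base(name, exclude_users):
    """Common skeleton: all users minus break-glass, all cloud apps, report-only."""
    return {
        "displayName": name,
        "state": REPORT_ONLY,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def require_mfa_all_users(exclude_users=BREAK_GLASS_ACCOUNTS):
    """Baseline: every sign-in to every cloud app must satisfy MFA."""
    policy = _base("CA001 Require MFA for all users", exclude_users)
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return policy


def block_legacy_authentication(exclude_users=BREAK_GLASS_ACCOUNTS):
    """Block basic-auth clients (POP3/IMAP/SMTP AUTH, Exchange ActiveSync) that cannot do MFA."""
    policy = _base("CA002 Block legacy authentication", exclude_users)
    policy["conditions"]["clientAppTypes"] = ["exchangeActiveSync", "other"]
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy


def block_outside_allowed_countries(allowed_location_id=AUSTRALIA_ONLY_LOCATION,
                                    exclude_users=BREAK_GLASS_ACCOUNTS):
    """Block sign-ins from every location except the named 'allowed countries' location."""
    policy = _base("CA003 Block sign-ins outside allowed countries", exclude_users)
    policy["conditions"]["locations"] = {
        "includeLocations": ["All"],
        "excludeLocations": [allowed_location_id],
    }
    policy["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return policy


def lint_policy(policy):
    """Return human-readable findings for the mistakes that lock a tenant out."""
    findings = []
    cond = policy["conditions"]
    users = cond["users"]
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    everyone = "All" in users.get("includeUsers", [])
    if everyone and not (users.get("excludeUsers") or users.get("excludeGroups")):
        findings.append("targets all users with no excluded break-glass account")
    all_apps = "All" in cond.get("applications", {}).get("includeApplications", [])
    unscoped = (cond.get("clientAppTypes") == ["all"] and "locations" not in cond
                and "platforms" not in cond and "devices" not in cond)
    if "block" in controls and everyone and all_apps and unscoped:
        findings.append("block control applies to every sign-in of every user to every app")
    if policy.get("state") not in (REPORT_ONLY, "enabled", "disabled"):
        findings.append(f"unknown state {policy.get('state')!r}")
    return findings


def baseline_policies():
    """The three policies in the order they should be rolled out."""
    return [require_mfa_all_users(), block_legacy_authentication(), block_outside_allowed_countries()]


if __name__ == "__main__":
    for p in baseline_policies():
        print(p["displayName"], "->", lint_policy(p) or "ok")
    print(json.dumps(block_legacy_authentication(), indent=2))
```

Run the linter over every policy before submitting it, and keep each one in report-only state until the sign-in log shows it would not block anyone it should not.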
Email is how most attacks start. Phishing, business email compromise, malicious attachments, credential harvesting links — your email security configuration determines whether these attacks reach your users or get stopped at the gate.
Microsoft Defender for Office 365 provides layered email protection that goes well beyond basic spam filtering. Here is what should be configured:
Safe Attachments. Every email attachment is detonated in a sandboxed virtual environment before delivery. If it behaves like malware, it is quarantined. This catches zero-day threats that signature-based antivirus would miss. Enable this in blocking mode for all users.
Safe Links. Every URL in every email is rewritten and checked against a continuously updated threat intelligence feed at the moment of click — not just at delivery. URLs that are clean when the email arrives but turn malicious hours later are still caught.
Anti-phishing policies. Configure impersonation protection for your executives and key staff. Attackers commonly spoof the CEO’s name to request wire transfers or sensitive data from finance staff. Defender can detect these impersonation attempts based on display name similarity and mailbox intelligence.
DMARC, DKIM, and SPF. These email authentication protocols prevent attackers from sending emails that appear to come from your domain. SPF specifies which servers can send on your behalf. DKIM adds a cryptographic signature. DMARC ties them together and tells receiving servers what to do with failures. If you have not configured all three, your domain can be spoofed to attack your clients and partners.
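A checker for the two DNS TXT records described above, added here as an example (it is not code from this guide or from Microsoft). It parses an SPF record, counts the terms that consume the 10-lookup budget and reports a weak or missing `all` mechanism, and parses a DMARC record to flag a monitor-only policy, a partial `pct`, or a missing reporting address. It works on record text only and does no DNS resolution; the sample records are constructed, and `example.com.au` is a placeholder domain.

```python
"""Checks for the DNS TXT records behind SPF and DMARC.

Added example. Record text only, no DNS queries; sample records are constructed.
"""
import re

# SPF terms that each consume one of the 10 permitted DNS lookups (RFC 7208 s4.6.4)
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = "+-~?"


def parse_spf(record):
    """Return {'lookups': n, 'all': qualifier or None, 'terms': [...]}."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        body = term.lstrip(QUALIFIERS)
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    return {"lookups": lookups, "all": all_qualifier, "terms": terms[1:]}


def check_spf(record):
    """Findings a defender would want to fix in an SPF record."""
    spf = parse_spf(record)
    findings = []
    if spf["lookups"] > 10:
        findings.append(f"{spf['lookups']} DNS lookups exceeds the limit of 10; receivers return permerror")
    if spf["all"] is None:
        findings.append("no 'all' mechanism; unlisted senders are treated as neutral")
    elif spf["all"] == "+":
        findings.append("+all authorises every sender on the internet")
    elif spf["all"] in "~?":
        findings.append(f"{spf['all']}all is not a hard fail; move to -all once every sender is listed")
    return findings


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def check_dmarc(record):
    """Findings for a DMARC record that does not actually protect the domain."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    return findings


# Constructed sample records for a tenant whose mail is sent only through M365
SAMPLE_SPF = "v=spf1 include:spf.protection.outlook.com -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com.au; pct=100"

if __name__ == "__main__":
    print("SPF:", check_spf(SAMPLE_SPF) or "ok")
    print("DMARC:", check_dmarc(SAMPLE_DMARC) or "ok")
    print("DMARC (monitor only):", check_dmarc("v=DMARC1; p=none"))
```

A domain typically starts at `p=none` to collect reports, then moves to `quarantine` and finally `reject` once every legitimate sender passes SPF or DKIM; the checker treats anything short of that end state as a finding so the gap stays visible.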
If your organisation handles sensitive information — legal files, financial data, health records — your email security should be reviewed against the Essential Eight framework, which mandates specific email filtering and macro execution controls.
Data Loss Prevention (DLP) policies prevent sensitive information from leaving your organisation through email, Teams, SharePoint, or OneDrive. This is about protecting your business from both malicious insiders and accidental data exposure.
Microsoft Purview DLP can detect and block the sharing of sensitive content based on patterns and classifiers:
Financial data. Credit card numbers, bank account details, ABN and TFN numbers — DLP can detect these patterns in emails, chat messages, and shared files, and either block the sharing or flag it for review.
Personal information. Medicare numbers, driver’s licence numbers, passport numbers. Under the Australian Privacy Act, your organisation has legal obligations to protect this data. DLP is how you enforce those obligations at a technical level.
Client confidential information. For law firms and financial services businesses, preventing the accidental sharing of client files with the wrong recipient is not just a risk — it is a regulatory obligation.
Start with DLP in test mode. Monitor what it catches for two to four weeks before enabling enforcement. This avoids disrupting legitimate workflows while giving you visibility into where sensitive data is moving across your organisation.
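To show why a DLP classifier is more than a digit pattern, here is an added example (not Purview's own code, which ships built-in sensitive information types for these identifiers) that detects Australian ABN and TFN values in text and keeps only the candidates that pass the official checksums, so that invoice and order numbers of the same length are not flagged. The sample text is constructed; the 9-digit TFN form is assumed.

```python
"""Checksum-backed detection of Australian ABN and TFN values in text.

Added example, not Purview's own classifier. A bare digit pattern would flag
every 9- or 11-digit number; the checksums keep false positives down.
"""
import re

ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

ABN_PATTERN = re.compile(r"\b\d{2} ?\d{3} ?\d{3} ?\d{3}\b")
TFN_PATTERN = re.compile(r"\b\d{3} ?\d{3} ?\d{3}\b")


def valid_abn(candidate):
    """ABN check: subtract 1 from the first digit; weighted sum must divide by 89."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 11:
        return False
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


def valid_tfn(candidate):
    """TFN check (9-digit form only, an assumption): weighted sum must divide by 11."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) != 9:
        return False
    return sum(d * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_sensitive(text):
    """Return [(type, matched_text)] for values that pass their checksum."""
    hits = []
    remaining = text
    for match in ABN_PATTERN.finditer(text):
        if valid_abn(match.group()):
            hits.append(("ABN", match.group()))
            # blank the span (same length) so its last nine digits are not re-read as a TFN
            remaining = (remaining[:match.start()] + " " * len(match.group())
                         + remaining[match.end():])
    for match in TFN_PATTERN.finditer(remaining):
        if valid_tfn(match.group()):
            hits.append(("TFN", match.group()))
    return hits


def dlp_decision(text, block_on=("TFN",)):
    """Mirror a simple DLP policy: block on the listed types, otherwise flag for review."""
    hits = find_sensitive(text)
    if any(kind in block_on for kind, _ in hits):
        return "block"
    return "review" if hits else "allow"


# Constructed sample: the ABN and TFN pass their checksums, the order reference does not
SAMPLE = ("Invoice from Acme Pty Ltd, ABN 51 824 753 556. "
          "Payroll note: employee TFN 123 456 782. Order ref 123456789.")

if __name__ == "__main__":
    print(find_sensitive(SAMPLE))
    print(dlp_decision(SAMPLE))
```

In test mode you would log `find_sensitive` hits for a few weeks and only then switch `dlp_decision` from "review" to "block" for the types that matter.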
Your M365 security is only as strong as the devices accessing it. If an employee logs into Outlook from an unpatched Windows laptop with no antivirus, your Conditional Access policies, your MFA, and your email security are all undermined.
Microsoft Intune (included in M365 Business Premium) gives you centralised management of every device that accesses company data:
Compliance policies. Define what a “compliant” device looks like — minimum OS version, encryption enabled, screen lock required, antivirus running — and enforce it through Conditional Access. Non-compliant devices are blocked from accessing company resources until they are remediated.
Configuration profiles. Push security baselines, Wi-Fi profiles, VPN settings, and application configurations to all managed devices automatically. This eliminates the inconsistency that comes from manual configuration and ensures every device meets your security standard.
Application protection policies. For personal devices (BYOD), Intune can create a managed container for company apps and data. Users can access email and files on their personal phone, but the company data is encrypted, cannot be copied to personal apps, and can be remotely wiped if the employee leaves — without touching their personal photos or messages.
Remote wipe. If a device is lost or stolen, Intune allows you to remotely wipe company data immediately. For a fully managed device, you can perform a full factory reset. For BYOD, you can selectively wipe only company data.
Intune pairs directly with your endpoint detection and response platform to provide a unified view of device health and security posture.
Admin accounts are the keys to the kingdom. A compromised Global Admin account gives an attacker full control of your entire M365 tenant — every mailbox, every file, every setting. This is not hypothetical. Organisations with excessive admin privileges are nearly four times more likely to experience account compromise.
Minimise Global Admin accounts. You should have no more than two to four Global Admin accounts, and they should be dedicated accounts that are not used for daily email or Teams. Every admin task that does not require Global Admin should use a more limited role — Exchange Admin, SharePoint Admin, Security Admin, and so on.
Enable Privileged Identity Management (PIM). PIM provides just-in-time admin access. Instead of permanent Global Admin rights, an admin activates the role when needed, for a defined time window, with mandatory MFA and an approval workflow. When the window expires, the elevated access is automatically revoked.
Review application permissions. Over half of organisations have more than 250 applications with dangerous read-write permissions in their Entra ID environment. Every one of those is a potential access point. Audit your app registrations quarterly, revoke unused permissions, and enforce consent workflows so new apps require admin approval.
Enable the Unified Audit Log. M365 generates detailed logs of every sign-in, admin action, file access, and policy change. Without the Unified Audit Log enabled, you are flying blind. If a breach occurs, these logs are the only way to determine what happened, when, and what was accessed. Log retention should be configured to at least 180 days.
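The audit log is only useful if someone reads it. As an added example (not code from this guide or from Microsoft), the triage below runs over Unified Audit Log records shaped like the AuditData JSON that Exchange Online's Search-UnifiedAuditLog returns, and raises the two signals most often seen in business email compromise: a mailbox rule or setting that forwards mail out of the tenant, and a user being added to a privileged Entra role. The records and the tenant domain are constructed.

```python
"""Triage of Unified Audit Log records for two business-email-compromise signals.

Added example. Record shapes follow the AuditData JSON of Search-UnifiedAuditLog;
the records and the domain example.com.au are constructed placeholders.
"""

TENANT_DOMAINS = {"example.com.au"}  # constructed
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator", "Security Administrator"}


def _parameters(record):
    """Exchange cmdlet records carry their arguments as a list of Name/Value pairs."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _external(address):
    domain = address.rsplit("@", 1)[-1].lower().strip("> ")
    return domain not in TENANT_DOMAINS


def classify(record):
    """Return an alert string for a record worth a look, else None."""
    op = record.get("Operation", "")
    if op in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
        params = _parameters(record)
        for name in sorted(FORWARDING_PARAMS.intersection(params)):
            target = params[name]
            scope = "external" if _external(target) else "internal"
            return f"{op} sets {name} to {scope} address {target}"
    if op == "Add member to role.":
        for prop in record.get("ModifiedProperties", []):
            if prop.get("Name") == "Role.DisplayName" and prop.get("NewValue") in PRIVILEGED_ROLES:
                return f"{record.get('ObjectId', '?')} added to {prop['NewValue']}"
    return None


def triage(records):
    """(time, actor, alert) for every record that classify() flags."""
    return [(r.get("CreationTime"), r.get("UserId"), alert)
            for r in records if (alert := classify(r))]


# Constructed records: one forwarding rule, one benign rule, one role assignment
SAMPLE_RECORDS = [
    {"CreationTime": "2026-02-03T01:12:44", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "finance@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "mail@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-02-03T02:05:10", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "sales@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Reading"}]},
    {"CreationTime": "2026-02-03T03:40:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "admin@example.com.au",
     "ObjectId": "contractor@example.com.au",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "Global Administrator",
                             "OldValue": ""}]},
]

if __name__ == "__main__":
    for when, who, alert in triage(SAMPLE_RECORDS):
        print(when, who, alert)
```

A rule named "." that forwards and deletes is the textbook pattern for hiding a hijacked mailbox, which is why the first record alerts while the second, which only files newsletters, does not.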
Microsoft Secure Score is a built-in tool that gives your M365 tenant a numerical rating based on your security configuration against Microsoft’s recommendations. Think of it as a health check for your tenant.
Secure Score measures your current posture against the maximum possible score and provides specific, actionable recommendations to improve. Each recommendation shows the points you will gain, the effort required, and the user impact.
Most unconfigured tenants score below 30 percent. A well-configured Perth SMB environment should be targeting 70 percent or higher. Reaching 100 percent is neither practical nor necessary — some recommendations involve trade-offs between security and usability that may not suit your business.
Check your Secure Score monthly. Use it to prioritise your security improvements and track progress. If your managed IT provider is not reporting on your Secure Score as part of their regular reviews, ask them why.
Check your MFA status today. Log into the Microsoft 365 admin centre and verify that MFA is enforced for every account — not just enabled, but enforced. If you are using Security Defaults, consider migrating to Conditional Access policies for more granular control. If you have legacy authentication protocols still enabled, disable them this week.
Review your Secure Score. Navigate to security.microsoft.com and check your current Secure Score. The recommendations are ranked by impact. Focus on the high-impact, low-effort items first. You can often gain 15 to 20 points in a single session just by toggling the right settings.
Get a professional security review. M365 security configuration is nuanced and licensing-dependent. A misconfigured Conditional Access policy can lock out your entire organisation. A missed DLP rule can expose client data. Our Perth-based team runs comprehensive M365 security reviews that benchmark your tenant against best practice and provide a prioritised remediation plan. Book a free assessment and find out where your gaps are before an attacker does.
Our Perth-based cybersecurity team can audit your M365 tenant, identify gaps, and implement best-practice security controls. Contact us on 1300 EPIC IT for a free Microsoft 365 security review.