
Microsoft 365 Security: The 5 Settings You Need to Change Today

Jannis Herbst·20 March 2026·3 min read

Microsoft 365 runs most Australian small businesses. The problem is that its default settings were built for convenience, not security. If you activated your licenses and started working without reviewing the security center, your email and data are more exposed than you probably realise.

These are five settings to fix today. Your IT provider can action all of them.


1. Enforce Multi-Factor Authentication (MFA) globally

Passwords alone are not enough. Attackers buy stolen credentials in bulk, and a password without MFA is an open door. Enforce MFA for every user in the organisation, especially administrators. Microsoft's free Security Defaults does this with one switch: it makes every user register for MFA, always prompts administrators, and blocks legacy authentication (see point 2). If you have Business Premium or another licence that includes Entra ID P1, Conditional Access policies give you finer control over who must use MFA, from where, and for which apps. Two caveats: Security Defaults and Conditional Access cannot both be on, so you switch Security Defaults off when you move to Conditional Access; and every Conditional Access policy should exclude an emergency-access account and be run in report-only mode first, so a mistake cannot lock all your admins out.

2. Disable legacy authentication protocols

Legacy authentication means clients that send a username and password and nothing else: basic authentication over POP3, IMAP, SMTP AUTH, Exchange ActiveSync and older Office versions. These clients cannot complete an MFA prompt, so an attacker holding a password can sign in through them and bypass your MFA entirely, which is exactly why attackers scan for tenants that still accept them. Microsoft disabled basic authentication for most Exchange Online protocols in 2022, but SMTP AUTH can still be enabled per tenant or per mailbox. Block it at the identity layer: Security Defaults does this automatically, or create a Conditional Access policy in the Microsoft Entra admin centre that blocks the "Exchange ActiveSync clients" and "Other clients" app types. Then turn off SMTP AUTH in the Exchange admin centre (Settings, Mail flow) unless a specific device such as a scanner or line-of-business app genuinely needs it, and enable it for that one mailbox only.
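Points 1 and 2 are both Conditional Access policies, so here is one worked example that creates them together. This is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK, assumes Security Defaults has already been switched off (the two cannot coexist), and uses a placeholder object ID for the emergency-access account you should exclude from every policy. Both policies are created in report-only mode so you can review the sign-in log before enforcing them.

```powershell
# Added example: two Conditional Access policies via Microsoft Graph PowerShell.
# Requires Entra ID P1 (included in Business Premium). Security Defaults must be
# OFF before Conditional Access policies can be enabled.
Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser   # one-off
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your break-glass / emergency-access account (assumption, not a real ID).
$BreakGlassId = "00000000-0000-0000-0000-000000000000"

# Refuse to continue if Security Defaults is still on; the policies below would conflict with it.
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    throw "Security Defaults is enabled. Disable it in the Entra admin centre before creating Conditional Access policies."
}

# Policy 1: require MFA for every user, on every cloud app, from every client type.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy (basic-auth) clients outright. They cannot answer an MFA
# prompt, so "require MFA" alone never applies to them; they must be blocked.
$blockLegacy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        # "other" covers basic-auth protocols: IMAP, POP, SMTP AUTH, older Office clients.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}

# Verify: list every policy and its state. Anything still "disabled" or
# report-only after your review period is not protecting anyone.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```

After a week or two in report-only mode, check the Conditional Access insights in the Entra sign-in log for users who would have been blocked (typically a scanner or an old mail client still on basic auth), fix those, then set both policies to `enabled`.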

3. Block auto-forwarding rules to external addresses

When an attacker gets into a staff email account, setting up a silent forwarding rule is usually the first thing they do. Every email your staff receives goes straight to them so they can read invoices, monitor deals, and wait for the right moment to intercept a payment. In the Microsoft Defender portal, open the outbound anti-spam policy (Email & collaboration, Policies & rules, Threat policies, Anti-spam) and set Automatic forwarding rules to Off. Then check your existing mailboxes: turning the policy off stops new forwards from leaving, but it does not delete rules an attacker has already planted, and every one of those is an indicator of compromise that needs investigating.
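Here is an added example (not from the original post) that does both halves of this step with the Exchange Online PowerShell module: it switches auto-forwarding off tenant-wide, then hunts for mailbox-level forwarding and inbox rules that forward or redirect, flagging any target outside your accepted domains. The helper `Test-External` is defined here for the example and is not an Exchange cmdlet.

```powershell
# Added example: block external auto-forwarding and audit what is already forwarding.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # one-off
Connect-ExchangeOnline   # interactive sign-in as an Exchange administrator

# 1. Tenant-wide: stop automatic forwarding to external addresses.
#    "Off" applies to inbox-rule forwarding and mailbox-level forwarding alike;
#    blocked messages are returned to the sender with a non-delivery report.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Find what is ALREADY forwarding. The policy change does not remove planted rules.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-External([string]$Address) {
    # Helper defined for this example: true if the address's domain is not one of ours.
    if ($Address -notmatch "@") { return $false }          # directory recipient, not an SMTP address
    $domain = ($Address -split "@")[-1].ToLower()
    return -not ($internalDomains -contains $domain)
}

$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Mailbox-level forwarding (set from Outlook settings or by an admin).
"=== Mailbox-level forwarding ==="
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# Inbox rules that forward or redirect. Rule targets render as
# 'Display Name [SMTP:user@domain]', so extract the address inside the brackets.
"=== Inbox rules that forward or redirect ==="
foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $rule = $_
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                Where-Object { $_ } |
                ForEach-Object { if ("$_" -match 'SMTP:([^\]]+)') { $Matches[1] } else { "$_" } }
            [pscustomobject]@{
                Mailbox  = $mb.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                Targets  = ($targets -join "; ")
                External = [bool]($targets | Where-Object { Test-External $_ })
            }
        }
} | Format-Table -AutoSize
```

Treat any row with `External = True` as a potential compromise, not a housekeeping item: reset the password, revoke sessions, remove the rule, and then pull the audit log (point 4) to see when it was created and from where.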

4. Turn on Unified Audit Logging

If you suffer a breach, you need to know what the attacker accessed and when. Unified audit logging is turned on by default for tenants created in recent years, but it can be switched off, older tenants may never have had it, and events are only recorded from the moment it is enabled, so verify it in the Microsoft Purview portal (Audit) or with PowerShell rather than assuming. Also note that the standard tier keeps events for a limited window (180 days), so a compromise discovered late may already have aged out. Without the log, investigators are working blind.
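An added example (not from the original post) that checks and enables unified audit logging, then runs the query an investigator would run first in a business email compromise case: every inbox-rule creation or mailbox forwarding change in the last 30 days, with the actor and source IP. Unlike the rule audit in point 3, this finds events even where the attacker has since deleted the rule.

```powershell
# Added example: verify/enable unified audit logging and query it for forwarding changes.
Connect-ExchangeOnline

# Check ingestion state and switch it on if needed. Events accumulate only from this point.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit logging enabled. Allow up to an hour before new events are searchable."
} else {
    "Unified audit logging is already enabled."
}

# Worked query: who created/changed inbox rules or set mailbox forwarding, and from where.
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, Set-Mailbox, UpdateInboxRules `
    -ResultSize 5000

$forwardingParams = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                    "ForwardingSmtpAddress", "ForwardingAddress", "DeliverToMailboxAndForward"

$results | ForEach-Object {
    $record = $_
    $d = $record.AuditData | ConvertFrom-Json          # AuditData is a JSON string
    # For cmdlet-based operations, Parameters is an array of {Name, Value}.
    # Keep only the records that actually move mail somewhere.
    $fwd = @($d.Parameters) | Where-Object { $_ -and ($_.Name -in $forwardingParams) }
    if ($fwd) {
        [pscustomobject]@{
            When       = $record.CreationDate
            Actor      = $record.UserIds
            Operation  = $record.Operations
            ClientIP   = $d.ClientIP
            Mailbox    = $d.ObjectId
            Forwarding = ($fwd | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        }
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

A `ClientIP` from an unexpected country, or an `Actor` who says they never created the rule, is your pivot point: search the same window for that user's sign-ins and for `MailItemsAccessed` to scope what was read.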

5. Enable Advanced Threat Protection (Safe Links and Safe Attachments)

Basic spam filtering will not stop a well-crafted phishing email. If you have Business Premium (which includes Defender for Office 365 Plan 1) or a standalone Defender for Office 365 licence, turn on Safe Links, which re-checks every link at the moment of click rather than only at delivery, and Safe Attachments, which detonates files in a sandbox before they reach the inbox. "Advanced Threat Protection" is the old name for the same product. The quickest route is to enable the Standard preset security policy in the Defender portal. If you configure the policies yourself, set Safe Attachments to Block (not Monitor, which logs the detection and delivers the file anyway) and, in Safe Links, turn off the option that lets users click through to the original URL.
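For those who prefer explicit policies over the preset, here is an added example (not from the original post) using Exchange Online PowerShell. It creates a Safe Attachments policy in Block mode and a Safe Links policy with click-through disabled, scopes both to every accepted domain in the tenant, and finishes with a check that would catch any older policy still in Monitor mode or still allowing click-through. Policy names are placeholders chosen for the example.

```powershell
# Added example: Safe Attachments in Block mode and Safe Links with click-through off.
Connect-ExchangeOnline
$domains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString() }

# Safe Attachments: sandbox every attachment and BLOCK on detection.
# "Monitor" would record the hit and deliver the file anyway.
New-SafeAttachmentPolicy -Name "SA-Block-All" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule  -Name "SA-Block-All" -SafeAttachmentPolicy "SA-Block-All" -RecipientDomainIs $domains

# Safe Links: rewrite and re-check URLs at click time in mail, Teams and Office apps.
# AllowClickThrough $false removes the "continue anyway" button on the warning page;
# DeliverMessageAfterScan holds mail until URL scanning completes.
New-SafeLinksPolicy -Name "SL-All" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "SL-All" -SafeLinksPolicy "SL-All" -RecipientDomainIs $domains

# Verify the whole tenant, including policies created earlier by someone else.
"=== Safe Attachments policies not in Block mode ==="
Get-SafeAttachmentPolicy | Where-Object { -not $_.Enable -or $_.Action -ne "Block" } |
    Select-Object Name, Enable, Action

"=== Safe Links policies that still allow click-through ==="
Get-SafeLinksPolicy | Where-Object { $_.AllowClickThrough -or -not $_.EnableSafeLinksForEmail } |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, AllowClickThrough, TrackClicks
```

Both verification lists should come back empty. If the Standard preset policy is also enabled it takes precedence over custom policies for the users it covers, which is fine; the custom policies then act as a floor for anyone the preset does not include.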


Don’t leave your cloud unlocked

A half-hour with your IT provider to go through all five of these is worth it. Business email compromise is still one of the most common and costly attacks hitting Australian SMEs, and most of it is preventable.

For the latest on what has changed in M365, see the March 2026 Microsoft 365 security reset.

While you are locking down cloud accounts, make sure your team is also managing passwords properly. Compromised credentials are still how most attackers get in.

Not sure if your IT provider has actually configured any of this? Get a security assessment and we will audit your M365 tenant and give you a plain-English picture of where you stand.
