By · Published 12 May 2026 · Updated 15 May 2026 · Microsoft 365 · Cyber Security

Microsoft 365 Security Checklist for Small Business

Most Townsville small businesses run their email, files, and team collaboration in Microsoft 365 — but use it with the default security settings, which were designed to be permissive and unobtrusive, not secure. This checklist covers the controls every small business should have enabled, organised by impact and effort. It's aligned with the ACSC Essential 8 and based on the cleanup work we do for new Townsville clients.

How to use this: Print or copy this page. Work through "This Week" first — those are the highest-impact items. Don't try to do everything in one go; staff will revolt and you'll skip the harder items. Steady progress over a month beats heroic one-day rollouts.

This Week — Highest Impact, Lowest Effort

  • Multi-Factor Authentication on every account: Enable MFA via the Microsoft Authenticator app for every user — not just admins. This single change blocks 99%+ of credential attacks. Communicate clearly before turning it on.
  • Audit ex-staff accounts: Go to Microsoft 365 Admin Centre → Active users. Block sign-in and convert to shared mailbox (or archive) every former employee. A surprisingly common finding when we audit Townsville clients.
  • Reset shared / generic passwords: "office@", "reception@", "info@" type shared accounts often have weak or shared passwords with no MFA. Either secure them with MFA-protected access, or shift to email aliases routed to individuals.
  • Block legacy authentication: Old email protocols (POP, IMAP, SMTP basic auth) bypass MFA. In Microsoft 365 Admin Centre → Settings → Org settings → Modern authentication, ensure modern auth is required.
  • Enable Security Defaults (if you don't have Conditional Access yet): Microsoft Entra → Properties → Manage security defaults. Free, enables baseline MFA and blocks legacy protocols. Stop-gap until you set up proper Conditional Access policies.
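The three "This Week" items that can be scripted (offboarding a leaver, finding and closing legacy-protocol access, and reporting who has not yet registered a strong MFA method) as a PowerShell session. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the account running it holds Exchange Administrator plus the Graph scopes requested, and the user principal names and domain are constructed placeholders.

```powershell
# Added example: first-week hygiene in PowerShell (not from the original article).
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules installed,
# Exchange Administrator role, and the Graph scopes requested below.
# All addresses are constructed placeholders.

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "UserAuthenticationMethod.Read.All"

# 1. Offboard a former employee: block sign-in, kill existing sessions,
#    then keep the mailbox reachable as a shared mailbox (no licence needed).
$leaver = "former.employee@example.com.au"      # placeholder
Update-MgUser -UserId $leaver -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $leaver | Out-Null
Set-Mailbox -Identity $leaver -Type Shared

# 2. Legacy protocols bypass MFA. List mailboxes that still allow them ...
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled } |
    Select-Object DisplayName, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# ... then switch them off for every mailbox and at the tenant level.
# Re-enable SMTP AUTH per mailbox only for a device (scanner, MFP) that genuinely needs it.
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $true
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Report enabled users who have not registered an app-, FIDO2- or OATH-based method.
#    SMS and voice are deliberately not counted as "strong" here.
$strongTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod"
)
Get-MgUser -All -Filter "accountEnabled eq true" -Property Id, UserPrincipalName |
    ForEach-Object {
        $methods   = Get-MgUserAuthenticationMethod -UserId $_.Id
        $hasStrong = $methods | Where-Object { $strongTypes -contains $_.AdditionalProperties["@odata.type"] }
        if (-not $hasStrong) {
            [pscustomobject]@{ User = $_.UserPrincipalName; StrongMfaRegistered = $false }
        }
    }
```

Run the two `Get-CASMailbox` reporting lines first and keep the output: it is the list of devices and people to talk to before the bulk `Set-CASMailbox` runs, which is where the "communicate before turning it on" advice above applies in practice.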

This Month — Important Controls

  • Conditional Access Policies (Business Premium+): Require MFA for all users, block sign-ins from countries you don't operate in, require compliant devices for sensitive data access. Replaces Security Defaults with finer-grained control.
  • Anti-Phishing and Anti-Impersonation: In Microsoft Defender, turn on the Anti-Phishing policy. Configure impersonation protection for the director and finance team (the most-spoofed identities). Set the mailbox intelligence threshold to "Aggressive" for high-risk accounts.
  • Safe Links and Safe Attachments: Defender for Office 365 rewrites URLs in email so they're checked at click-time, and detonates attachments in a sandbox before delivery. Both should be on, with policies covering all users.
  • Review external sharing settings: SharePoint Admin Centre → Sharing. Set the most permissive level to "Existing guests" or "New and existing guests" — never "Anyone". Require sign-in for shared links. Set link expiry (e.g. 30 days default).
  • Disable auto-forwarding to external addresses: Microsoft Defender → Email & collaboration → Policies → Anti-spam → Outbound spam policy. Block automatic external forwarding. Attackers love to set up forwarding to siphon mail — block it at the tenant level.
  • Mobile Device Management (Intune): Enrol phones and laptops in Intune. Enforce encryption, screen lock, and remote wipe. For BYOD, use app protection policies so business data is isolated from personal use.
  • Train staff on phishing: Use Microsoft Defender's Attack Simulator to run a simulated phishing campaign. Use the results to identify staff who need more training. Repeat quarterly.
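The mail and sharing controls from the "This Month" list (anti-phishing impersonation protection, Safe Links and Safe Attachments, the outbound forwarding block, and the SharePoint sharing level) as Exchange Online and SharePoint Online PowerShell, together with the check a practitioner would run alongside the forwarding block: finding forwarding that is already configured. This is an added example, not the article's or Microsoft's own script; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, a Defender for Office 365 licence (included in Business Premium), and placeholder tenant, domain and protected-user names. Conditional Access and Intune are not covered here.

```powershell
# Added example: "This Month" mail and sharing controls (not from the original article).
# Assumptions: ExchangeOnlineManagement + Microsoft.Online.SharePoint.PowerShell modules,
# Defender for Office 365 licence. Tenant, domain and names below are placeholders.

Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL
$domain = "example.com.au"                                        # placeholder

# 1. Anti-phishing: protect the most-spoofed identities and quarantine impersonation.
#    PhishThresholdLevel 2 is the "Aggressive" setting shown in the portal.
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect @("Jane Director;jane.director@$domain", "Accounts;accounts@$domain") `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -PhishThresholdLevel 2

# 2. Safe Links and Safe Attachments, scoped to every recipient in the domain.
New-SafeLinksPolicy -Name "All users Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -AllowClickThrough $false -TrackClicks $true
New-SafeLinksRule -Name "All users Safe Links" -SafeLinksPolicy "All users Safe Links" -RecipientDomainIs $domain

New-SafeAttachmentPolicy -Name "All users Safe Attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "All users Safe Attachments" -SafeAttachmentPolicy "All users Safe Attachments" -RecipientDomainIs $domain

# 3. Block automatic forwarding to external addresses at the tenant level ...
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# ... and audit forwarding that already exists. Mailbox-level forwarding first:
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Then inbox rules that forward or redirect, which is where a compromised account
# usually hides it. Review every hit; delete the rule and reset the account if it is unexplained.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 4. SharePoint / OneDrive sharing: "New and existing guests" (never Anyone),
#    links default to people in the organisation, guest access expires after 30 days.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
```

The forwarding audit is worth re-running after the block is in place: `AutoForwardingMode Off` stops mail leaving, but the rule an attacker created is still there in the mailbox, and its presence is the indicator that the account was compromised.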

This Quarter — Maturity & Compliance

  • Extend audit log retention: Default is 90-180 days depending on licence. Extend to 1 year (or more if compliance requires it). You need this history if you ever investigate an incident.
  • Apply sensitivity labels (Purview): Tag files as Public, Internal, Confidential, etc. Enforce rules — for example, Confidential files can't be shared externally. Especially important for medical, NDIS, accounting, and legal businesses.
  • Third-party Microsoft 365 backup: Microsoft's retention is short and not designed for true backup. Add Veeam, Datto, AvePoint, or similar to get long retention, immutable copies, and tested restores. Required by most cyber insurance policies now.
  • Review Secure Score: Microsoft Defender → Secure Score. Aim for at least 60% for a small business. Higher targets if you're in regulated industries. Track progress monthly.
  • Document admin access: Who has Global Admin? Reduce that list to one or two named people. Use Privileged Identity Management (P1) so admin rights are time-limited and auditable rather than always-on.
  • SharePoint & OneDrive cleanup: Audit external guests, revoke stale shares, retire dead sites. See our SharePoint Permissions Guide for the full process.
  • Test your incident response: Run a simple tabletop exercise: "Our bookkeeper's mailbox is compromised — who do we call, what do we do first?" If nobody has an answer, you have an incident response gap.
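Three of the quarterly items produce a number or a list that you want on record each quarter: who holds Global Administrator (permanently and via PIM eligibility), the audit log retention policy, and the current Secure Score percentage. The script below is an added example, not from the original article; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, the Graph scopes it requests, a Security & Compliance role that allows audit configuration, and a licence that supports extended audit retention. The policy name and record types are assumptions chosen to match the "1 year" target above.

```powershell
# Added example: quarterly evidence gathering (not from the original article).
# Assumptions: Microsoft.Graph + ExchangeOnlineManagement modules, the scopes below,
# and a licence that supports unified audit log retention policies.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "SecurityEvents.Read.All"
Connect-IPPSSession   # Security & Compliance PowerShell

# 1. Permanent Global Administrator members. Target: one or two named people.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$permanent = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Select-Object @{ n = "Member"; e = {
        # Service principals have no UPN, so fall back to display name.
        if ($_.AdditionalProperties["userPrincipalName"]) { $_.AdditionalProperties["userPrincipalName"] }
        else { $_.AdditionalProperties["displayName"] } } }
"Permanent Global Admins: $($permanent.Count)"
$permanent

# PIM-eligible assignments for the same role template (the preferred, time-limited model).
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance `
    -Filter "roleDefinitionId eq '$($gaRole.RoleTemplateId)'" -All |
    Select-Object PrincipalId, StartDateTime, EndDateTime

# 2. Keep the records an incident investigation relies on for twelve months.
#    Exchange admin/item events, SharePoint file operations and Entra sign-ins cover
#    the "bookkeeper's mailbox is compromised" tabletop scenario end to end.
New-UnifiedAuditLogRetentionPolicy -Name "Core audit records 12 months" `
    -RecordTypes ExchangeAdmin, ExchangeItem, SharePointFileOperation, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths -Priority 1

# 3. Current Secure Score as a percentage, for the monthly tracking line.
$latest = Get-MgSecuritySecureScore -Top 5 |
    Sort-Object CreatedDateTime -Descending |
    Select-Object -First 1
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore)
"Secure Score: $($latest.CurrentScore) / $($latest.MaxScore) ($pct%)"
```

Keep the three outputs together with the date they were collected; the Global Admin list and the Secure Score figure are exactly what a cyber insurer or an ACSC Essential 8 assessor asks to see, and a quarter-on-quarter comparison shows whether the admin list is actually shrinking.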

What Each Item Actually Protects Against

This isn't security for its own sake. Each control on this list addresses a specific real-world attack:

  • MFA + Conditional Access → Stops 99%+ of password-based attacks (credential stuffing, phishing, BEC)
  • Anti-Phishing + Safe Links → Stops most phishing and impersonation email at the perimeter
  • Sensitivity Labels + External Sharing Restrictions → Stops accidental data leaks via SharePoint and email
  • Intune Device Management → Stops a lost or stolen device from becoming a breach
  • Third-Party Backup → Recovery from ransomware, accidental deletion, malicious insider activity
  • Extended Audit Logs → Investigability after an incident

Common Mistakes Townsville Businesses Make

"We've got Microsoft 365 Business Standard — that should be enough"

It isn't. Business Standard includes the apps but not Defender for Office 365, Intune, or Information Protection. For proper security, you need Business Premium (~$32/user/month). The cost difference is usually less than the cost of one cyber incident.

"We've got MFA on the admin account so we're fine"

MFA only on admins leaves every regular staff account vulnerable. Attackers don't need admin to steal data, send fake invoices, or read your email. MFA needs to be on every account — admin or not.

"We don't have anything worth hacking"

You have email (used to send fake invoices to your clients), bank login (siphoned via BEC), client data (sold or leveraged for further attacks), and your reputation (damaged by any successful incident). Every Townsville business has something worth protecting.

"We've got cyber insurance, so we're covered"

Increasingly, cyber insurers require MFA, EDR, backups, and patching as conditions of coverage. Without those, claims can be denied. Insurance is the last line of defence, not the first.

Want Help Working Through This List?

We run free Microsoft 365 security reviews for Townsville businesses — we'll work through this checklist for your environment and give you a prioritised report. No obligation, no pressure.

Frequently Asked Questions

What Microsoft 365 licence do I need for proper security?

For most small Townsville businesses, Microsoft 365 Business Premium is the right choice. It includes Defender for Office 365, Intune device management, Conditional Access, and Information Protection — everything in this checklist. Business Standard lacks the security features; Business Basic doesn't include the apps. Premium is roughly $32 per user per month and pays for itself the first time it stops an incident.

How long does it take to implement this checklist?

For a typical 10-30 user Townsville business, the full checklist takes 2-3 weeks to implement properly — including communicating changes to staff so MFA rollout doesn't catch them off-guard. The highest-impact items (MFA, password reset, ex-staff cleanup) can be done in an afternoon.

Will MFA disrupt my staff?

Done properly, no. Use the Microsoft Authenticator app rather than SMS, communicate clearly before turning it on, and run a short training session. Most users adapt within a day or two. Done badly (no comms, no training, SMS only), MFA causes weeks of friction — which is why we don't enable it that way.

Do I still need third-party backup if I'm in Microsoft 365?

Yes. Microsoft's default retention is short (30-93 days depending on the data type) and is designed for accidental deletion, not for true backup or compliance. Third-party Microsoft 365 backup provides long-term retention, immutable copies, and tested restores — essential for serious data protection and most cyber insurance requirements.

Can I do this myself or do I need an IT provider?

The "This Week" items are manageable for most owners or office managers comfortable in admin centres. "This Month" and "This Quarter" items typically benefit from someone who's done it before. We can do the full implementation as a one-off project, or roll it into ongoing managed IT.