MICROSOFT 365 SECURITY
Is your Microsoft 365 tenant actually secure?
Most Sydney businesses assume that moving to Microsoft 365 means their security is handled. It is not. Here is what your IT provider should already be doing, and what to check if they are not.
Microsoft takes care of the infrastructure - the data centres, the uptime, the platform-level threats. But the tenant-level security - the settings that control who can log in, what data they can access, and how you recover if something goes wrong - that is your responsibility. And for most small and medium businesses, those settings are either left on defaults or never properly configured in the first place.
If your IT support provider set up your M365 tenant and handed you the keys without a security conversation, you are probably running with significant gaps.
COMMON GAPS
The default M365 tenant is a security minefield
Out of the box, a Microsoft 365 Business Premium tenant comes with capable security tools. But many need to be explicitly configured. The defaults favour ease of use over protection.
MFA not enforced
Multi-factor authentication may be enabled per user but not enforced through Conditional Access policies, so users can still sign in over legacy authentication protocols with nothing but a password. That gap is the primary attack vector for credential stuffing and phishing.
No Conditional Access
The rules that determine who can sign in from where, on what device, and under what conditions are often left blank. Without them, a compromised password from a phishing email works from anywhere in the world.
Admin accounts doing daily work
Admin accounts are frequently used for daily work. If an admin account has no MFA or is used to browse email, one wrong click can give an attacker full tenant control.
Open sharing defaults
SharePoint and OneDrive sharing defaults allow anonymous links. Sensitive files can be shared externally with no expiry, no tracking, and no authentication required to view them.
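What those sharing defaults look like from the admin shell, as an added example rather than the page's own code. It assumes the SharePoint Online Management Shell module (Connect-SPOService, Get-SPOTenant, Set-SPOTenant) and uses "contoso" as a placeholder tenant name:

```powershell
# Added example, not from the original page: reads the tenant-wide SharePoint/OneDrive
# sharing settings and tightens the anonymous-link defaults described above.
# Assumes the Microsoft.Online.SharePoint.PowerShell module; "contoso" is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current state: which external sharing mode is on, what kind of link "Copy link" creates
# by default, and whether anonymous ("Anyone") links ever expire
$before = Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
$before

if ($before.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    Write-Warning "Anonymous 'Anyone' links are allowed tenant-wide"
}
if ($before.RequireAnonymousLinksExpireInDays -le 0) {
    Write-Warning "Anonymous links never expire"
}

# Step 1: cap the lifetime of any anonymous link that is still created (30 days here)
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

# Step 2: require every external recipient to authenticate, and make
# "people in your organisation" the default link type instead of "Anyone"
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal

# Verify the change took effect
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
```

Existing anonymous links are not revoked by these settings; they are handled per site or per file, so an audit of links already shared externally is a separate task.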
ZERO TRUST
Conditional Access and the policy layer that stops breaches
Conditional Access is the single most important security control in M365. Microsoft recommends a baseline set of policies as part of its Zero Trust framework, aligning with the Essential Eight published by the Australian Cyber Security Centre.
- Require MFA for all users on every sign-in, no exceptions
- Block legacy authentication protocols (IMAP, POP, SMTP) that bypass MFA entirely
- Require compliant devices for access to company data, preventing unmanaged device access
- Block sign-ins from unexpected countries where you have no business presence
- Force password changes when risky sign-in behaviour is detected by Microsoft Defender
For Sydney businesses handling client data - legal firms, financial services, healthcare practices - this is not optional. Your professional obligations and cyber insurance requirements both demand it.
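The first two baseline policies above (MFA for everyone, block legacy authentication), as an added example using the Microsoft Graph PowerShell SDK. This is not Milnsbridge's code; the break-glass account id, the policy names and the report-only starting state are assumptions:

```powershell
# Added example, not from the original page: creates two baseline Conditional Access
# policies with the Microsoft Graph PowerShell SDK. Both start in report-only mode so
# sign-in logs can be reviewed before enforcement. Assumes the Microsoft.Graph module
# and a Conditional Access Administrator (or Global Administrator) role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Hypothetical emergency-access (break-glass) account, excluded so a bad policy cannot lock out every admin
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Policy 1: require MFA for all users, on every cloud app, for every client type
$requireMfa = @{
    displayName   = "Baseline - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication (IMAP, POP, SMTP AUTH, Exchange ActiveSync),
# which cannot perform MFA and so would otherwise sidestep policy 1
$blockLegacy = @{
    displayName   = "Baseline - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" covers the legacy protocols
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}
```

Review the report-only results in the Entra sign-in logs (the "Report-only" tab on each sign-in) before switching either policy to "enabled".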
EMAIL SECURITY
Email security gaps your provider should have closed
Email remains the primary attack vector for Australian businesses. The ACSC consistently identifies phishing and email compromise as a leading cause of cyber incidents. The built-in Exchange Online Protection catches known threats but misses sophisticated phishing and domain impersonation.
Advanced anti-phishing
Detecting impersonation of your executives, trusted domains, and internal staff. Without this, a convincing spoof of your CEO can redirect payments or request sensitive data.
Safe Links and Safe Attachments
Real-time URL scanning and sandbox detonation for email attachments. These catch zero-day threats that signature-based tools miss entirely.
Mail flow rules
Flagging or blocking external emails that display as internal, preventing BEC (business email compromise) - one of the costliest attack types for Australian businesses.
DMARC, DKIM, and SPF
Email authentication records that prevent your domain from being spoofed. Without these, anyone can send emails that appear to come from your business.
If your IT support provider has not configured these, your business is relying on your staff to spot phishing emails manually. That is a strategy with a known failure rate.
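A way to check the email authentication records for your own domain, added here as an example rather than taken from the page. It assumes Windows PowerShell with the DnsClient module (Resolve-DnsName) and uses a placeholder domain; the DKIM selector names are the ones Microsoft 365 publishes by default:

```powershell
# Added example, not from the original page: looks up the SPF, DKIM and DMARC DNS
# records for a domain and lists the weaknesses a provider should have closed.
function Test-EmailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = @()

    # SPF: a TXT record at the domain apex beginning with v=spf1
    $spf = (Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue).Strings |
        Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    if (-not $spf) {
        $findings += 'No SPF record: receivers cannot tell which hosts may send as this domain'
    } elseif ($spf -match '[+?]all') {
        $findings += 'SPF ends in +all or ?all, which authorises every sender; use -all'
    } elseif ($spf -match '~all') {
        $findings += 'SPF uses ~all (softfail); move to -all once every legitimate sender is listed'
    }

    # DKIM: Microsoft 365 publishes its signing keys behind selector1 and selector2 CNAMEs
    foreach ($sel in 'selector1', 'selector2') {
        $dkim = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $dkim) { $findings += "No DKIM CNAME for $sel._domainkey: outbound mail is not signed" }
    }

    # DMARC: a TXT record at _dmarc.<domain>; p= tells receivers what to do with failures
    $dmarc = (Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue).Strings |
        Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $dmarc) {
        $findings += 'No DMARC record: spoofed mail is neither rejected nor reported'
    } else {
        # anchor on ";" so sp= (subdomain policy) is not mistaken for p=
        $policy = if ($dmarc -match '(^|;)\s*p=(\w+)') { $Matches[2] } else { 'missing' }
        if ($policy -ne 'reject') {
            $findings += "DMARC policy is p=$policy; the target is p=reject (p=quarantine as a stepping stone)"
        }
        if ($dmarc -notmatch 'rua=') {
            $findings += 'DMARC has no rua= address, so you receive no aggregate reports of spoofing attempts'
        }
    }

    [pscustomobject]@{ Domain = $Domain; SPF = $spf; DMARC = $dmarc; Findings = $findings }
}

# Placeholder domain; replace with your own
Test-EmailAuthRecords -Domain 'example.com.au' | Format-List
```

An empty Findings list means the records exist and use the strict settings; it does not confirm that every legitimate sending service is listed in SPF, which the DMARC aggregate reports will reveal.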
BACKUP REALITY CHECK
The backup assumption that catches businesses out
Many businesses think Microsoft 365 backs up their data automatically. Microsoft provides geo-redundancy and short-term retention. But their Service Agreement explicitly states that they are not responsible for data loss caused by user error, malicious deletion, or misconfiguration. That is on you.
A proper M365 backup solution should do all of the following:
- Back up Exchange, OneDrive, SharePoint, and Teams data independently of Microsoft
- Provide point-in-time recovery (not just snapshot-based restores)
- Retain data for at least 12 months, ideally longer for compliance
- Store backups in Australian data centres for data sovereignty
- Allow granular recovery (single email, single file) without full tenant restores
For businesses subject to the Notifiable Data Breach scheme or preparing for cyber insurance, backup verification is often an audit requirement. If your IT provider cannot show you a recent test restore, ask why.
HOW WE HELP
How Milnsbridge manages M365 security for Sydney businesses
As an SMB1001 Gold-certified IT support provider based in Sydney, we include Microsoft 365 security management as part of our standard managed IT service.
Conditional Access from day one
Policies configured and aligned with the Essential Eight Maturity Model Level 2 from the start, not bolted on later.
Advanced email protection
Anti-phishing, safe links, and safe attachments enabled and tuned for your business. Not left on default settings.
Australian-hosted backup
Point-in-time recovery with monthly test restores. Your data stays in Australia and we can prove it works.
Proactive monitoring
Microsoft 365 Defender portal with automated alerting for high-risk events. Security posture reviews included in your service, not billed as extras.
Industry expertise
We work with Sydney businesses across legal, financial services, healthcare, and professional services where email security and compliance are operational requirements.
FREE SECURITY CHECK
Check your M365 security now
Not sure where your tenant stands? Most businesses we audit find at least 3 to 5 significant configuration gaps. We offer a free Microsoft 365 security assessment for Sydney businesses.
What the assessment covers
- Conditional Access policy review
- Email security configuration audit
- Backup and recovery verification
- Admin account security check
- Microsoft Secure Score benchmarking
Get started
Based in Sydney CBD or Western Sydney? We have offices in both locations and support businesses across the greater Sydney region.
About the Author
Adrian Weir
Adrian Weir is the Managing Director and founder of Milnsbridge Managed IT Services, with over 30 years of global IT experience spanning Telstra, Citibank, Unilever, and hundreds of Sydney SMBs. A Microsoft Partner since 2002, Adrian leads a team of IT specialists delivering responsive, business-focused managed IT support across Greater Sydney.