Microsoft 365 security defaults are convenient, but they are not a complete protection strategy for Sydney businesses. Gaps often appear in conditional access, mailbox protections, legacy authentication, and alert tuning. Which default settings are leaving your environment exposed right now?
Why Microsoft 365 Is a High-Value Target
Microsoft 365 is attractive to attackers for straightforward reasons: it contains email (including sensitive communications, invoices, and credential reset links), documents (financial records, client data, contracts), identity credentials (an M365 account is often the gateway to dozens of connected business systems), and sometimes direct access to cloud storage and collaboration tools used across the whole organisation.
A compromised M365 account gives an attacker the ability to read and send email impersonating the account owner, access files stored in OneDrive and SharePoint, participate in Teams conversations, and potentially pivot to other cloud services using single sign-on. Business email compromise (BEC) — where attackers use access to email to redirect payments, request sensitive information, or impersonate executives — is one of the most financially damaging forms of cyber crime targeting Australian businesses.
What Default Microsoft 365 Security Misses
Microsoft 365 ships with a default security configuration that is better than nothing but significantly weaker than what most businesses need. The defaults are designed for broad compatibility, not maximum protection. Key gaps in default M365 configuration include:
MFA not enforced by default. Multi-factor authentication is the single most effective control against credential theft and account takeover. It is not enforced by default across all M365 tenants. Businesses that have not explicitly enabled and enforced MFA are relying on passwords alone — and passwords are regularly compromised through phishing, credential stuffing, and data breaches.
Legacy authentication protocols not blocked. Older authentication protocols (Basic Auth, IMAP, POP3, SMTP Auth in legacy clients) do not support MFA and provide a bypass path for attackers even when MFA is configured. Microsoft has disabled Basic Auth by default in new tenants, but it must be explicitly verified and blocked in existing ones.
Audit logging not always enabled. Microsoft 365 audit logs record user activity across the platform — logins, file access, email forwarding rules, admin changes. These logs are essential for detecting and investigating incidents. Depending on your licence tier, audit logging may not be enabled by default and has a limited retention period if not configured.
Email forwarding rules not monitored. Attackers who gain access to an M365 email account frequently create auto-forwarding rules that silently copy all incoming email to an external address. These rules can run undetected for months if no one is monitoring for them. Default M365 configuration does not alert on suspicious forwarding rule creation.
Admin accounts without dedicated protection. Global Administrator accounts in M365 have unrestricted access to the entire tenancy. Using a GA account for day-to-day work — or having GA accounts without separate, protected credentials — creates significant risk if those credentials are compromised.
The Microsoft 365 Security Baseline
A properly configured M365 environment should include:
- MFA enforced on all accounts — ideally using Conditional Access policies that enforce MFA based on user, location, device state, and application risk level, not just a blanket prompt
- Legacy authentication blocked — verified and enforced across all users and protocols
- Dedicated Global Admin accounts — separate from day-to-day user accounts, with MFA and Privileged Identity Management (PIM) for just-in-time access
- Audit logging enabled and retained — minimum 90 days, preferably 180 days for incident investigation purposes
- Defender for Office 365 — Safe Links (scanning URLs in email and documents at click time) and Safe Attachments (sandboxing email attachments before delivery) significantly reduce phishing success rates
- Anti-spoofing controls — SPF, DKIM, and DMARC configured correctly to prevent your domain being used to send phishing emails to your own clients
- External forwarding rules blocked — transport rules preventing users from creating auto-forwarding rules to external addresses
- Intune device compliance — Conditional Access policies requiring that only enrolled, compliant devices can access M365, preventing access from unmanaged personal devices
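As an added example (not Milnsbridge's or Microsoft's own tooling), the PowerShell check below tests several of the baseline items above, and the default-configuration gaps from the previous section, against an Exchange Online tenant. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read these settings; the read-only check is paired with the fix cmdlet for each item in comments.

```powershell
# Read-only baseline check against an Exchange Online tenant (added example, not
# Milnsbridge's or Microsoft's own tooling). Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account can read these settings
# (Global Reader or an Exchange view-only role is enough).
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Audit logging: mailbox auditing and unified audit log ingestion must both be on.
#    Fix: Set-OrganizationConfig -AuditDisabled $false
#         Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
if ((Get-OrganizationConfig).AuditDisabled) {
    $findings.Add('Mailbox auditing is disabled at the organisation level.')
}
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log ingestion is not enabled.')
}

# 2. External auto-forwarding: the Default remote domain and every outbound spam
#    policy should block it, or a compromised mailbox can silently forward mail out.
#    Fix: Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
#         Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
if ((Get-RemoteDomain -Identity Default).AutoForwardEnabled) {
    $findings.Add("Remote domain 'Default' allows automatic forwarding to external addresses.")
}
Get-HostedOutboundSpamFilterPolicy | Where-Object { $_.AutoForwardingMode -ne 'Off' } | ForEach-Object {
    $findings.Add("Outbound spam policy '$($_.Name)' is not set to AutoForwardingMode Off (currently $($_.AutoForwardingMode)).")
}

# 3. Legacy authentication: SMTP AUTH is the usual leftover. Check the tenant switch and
#    any mailbox where it was re-enabled individually (null means 'inherit from tenant').
#    Fix: Set-TransportConfig -SmtpClientAuthenticationDisabled $true
#         Set-CASMailbox <user> -SmtpClientAuthenticationDisabled $null
if (-not (Get-TransportConfig).SmtpClientAuthenticationDisabled) {
    $findings.Add('SMTP AUTH is enabled tenant-wide.')
}
Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    ForEach-Object { $findings.Add("SMTP AUTH explicitly enabled on mailbox $($_.PrimarySmtpAddress).") }

# 4. Anti-spoofing: DKIM signing should be enabled for every accepted domain (SPF and
#    DMARC live in DNS and are checked separately).
#    Fix: Set-DkimSigningConfig -Identity <domain> -Enabled $true (after publishing the CNAMEs)
Get-DkimSigningConfig | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("DKIM signing is not enabled for $($_.Domain).")
}

if ($findings.Count -eq 0) { 'No gaps found in the checked items.' } else { $findings }
```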
M365 Licensing and Security Features
Microsoft 365 security capabilities vary significantly by licence tier. Microsoft 365 Business Basic and Business Standard include the core apps but have limited security features compared to Business Premium. Business Premium includes Microsoft Defender for Business, Intune device management, Defender for Office 365 Plan 1, Azure AD Premium P1, and Azure Information Protection — the full security stack for SMB environments.
Most Sydney businesses that are not on Business Premium or an equivalent enterprise licence are missing significant security capabilities that Microsoft includes at the Business Premium price point. The upgrade cost is often modest relative to the security improvement.
Microsoft 365 Backup: What Microsoft Does Not Cover
A persistent misconception among Sydney businesses is that Microsoft backs up their M365 data. Microsoft does not provide backup in the traditional sense. Microsoft’s infrastructure is highly resilient — data centres replicated across regions, hardware failures handled transparently — but this protects against Microsoft infrastructure failure, not against accidental deletion, ransomware, malicious insider activity, or retention policy misconfiguration.
Microsoft’s standard retention for deleted items is 30 days in most cases. After that, deleted emails, files, and Teams messages are not recoverable through the standard Microsoft interface. Ransomware that encrypts files in SharePoint or OneDrive can propagate through synchronised devices and, once the 180-day version history is exhausted, leave files unrecoverable without a third-party backup.
Third-party M365 backup — covering Exchange Online, SharePoint, OneDrive, and Teams — provides genuine point-in-time recovery capability that Microsoft’s native tools do not. For businesses with compliance obligations (legal hold, financial records retention, healthcare data), third-party backup also provides the documentation trail that M365’s native retention policies cannot always satisfy.
Signs Your M365 Environment May Have Been Compromised
Indicators that warrant immediate investigation:
- Staff receiving password reset or MFA change emails they did not initiate
- Clients reporting emails from your domain that you did not send
- Email forwarding rules appearing that no one created
- Unusual login activity in the M365 admin centre — logins from unfamiliar countries or at unusual times
- Files in OneDrive or SharePoint appearing as modified by users who were not working at that time
- Unusual new inbox rules redirecting or deleting incoming email
If you see any of these, the priority is immediate: change the affected account’s password, revoke all active sessions, review and remove any suspicious forwarding rules or inbox rules, and engage your managed IT provider to assess the extent of any access. Speed matters — attackers with email access can do significant damage in a short time if the compromise is not contained quickly.
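The rule-based indicators above (forwarding rules and inbox rules nobody created) can be swept for in the unified audit log rather than waited on. The following is an added example, not Milnsbridge's own tooling; it assumes an existing Connect-ExchangeOnline session whose account may run Search-UnifiedAuditLog, and reports every rule or mailbox forwarding change in the last 30 days that sends mail outside the tenant's accepted domains or deletes it.

```powershell
# Sweep the last 30 days of the unified audit log for inbox rules or mailbox
# forwarding changes that send mail outside the tenant or delete it (added example,
# not Milnsbridge's own tooling). Assumes an existing Connect-ExchangeOnline session
# with a role allowed to run Search-UnifiedAuditLog (e.g. View-Only Audit Logs).
$internalDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# Operations that create or change rules and mailbox-level forwarding. 5000 is the
# per-call maximum; larger tenants need -SessionCommand ReturnLargeSet and paging.
$records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' -ResultSize 5000

# Parameters on those records that move or remove mail; anything else is noise here.
$watched = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage',
           'ForwardingSmtpAddress', 'ForwardingAddress'

foreach ($rec in $records) {
    $data = $rec.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
    $hit = @($params.Keys | Where-Object { $watched -contains $_ })
    if ($hit.Count -eq 0) { continue }

    # Pull every SMTP address out of the matched values and keep those outside the tenant.
    $values = ($hit | ForEach-Object { $params[$_] }) -join ' '
    $external = [regex]::Matches($values, '[\w.+-]+@[\w.-]+') |
        ForEach-Object { $_.Value.ToLower() } |
        Where-Object { $internalDomains -notcontains $_.Split('@')[1] } |
        Select-Object -Unique
    $deletes = $params['DeleteMessage'] -eq 'True'
    if (-not $external -and -not $deletes) { continue }

    # One row per suspicious change: who made it, from where, and where mail now goes.
    [pscustomobject]@{
        When      = $data.CreationTime
        Actor     = $data.UserId
        Target    = $data.ObjectId
        Operation = $data.Operation
        ClientIP  = $data.ClientIP
        RuleName  = $params['Name']
        External  = $external -join ', '
        Deletes   = $deletes
    }
}
```

A hit on an address the business does not recognise, or on a rule that deletes incoming mail, is the cue for the containment steps above (password change, session revocation, rule removal).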
How Milnsbridge Manages Microsoft 365 Security
Microsoft 365 management is included in all Milnsbridge plans. At the Growth level ($99 per seat per month), M365 management covers user provisioning and deprovisioning, licence management, security configuration, MFA enforcement, and monitoring of the M365 environment alongside all other managed devices.
Email security — including cloud-hosted filtering, anti-phishing, and anti-spoofing — is included across all plans. DNS filtering (DNSFilter) blocks access to malicious sites at the network level, providing a layer of protection beyond what M365 itself delivers. Duo MFA enforcement across all accounts and applications is available as a separately quoted add-on for businesses requiring granular MFA policy control beyond what native M365 Conditional Access provides.
For businesses handling sensitive data or with compliance obligations, we conduct M365 security configuration reviews against the CIS Microsoft 365 Benchmark and ACSC guidance — identifying gaps in the current configuration and providing a prioritised remediation plan.
Milnsbridge holds a 4.9-star Google rating across 99 reviews. We operate on straightforward 12-month agreements with a 10-seat minimum, serving organisations from 10 to 200 seats. Adrian Weir founded Milnsbridge in 2002 after three decades in senior IT roles at Telstra, Citibank, and Unilever.
To discuss Microsoft 365 security configuration for your Sydney business, contact Milnsbridge. Review our per-seat pricing, explore our managed IT services, or see our full cyber security services.