Short answer: Secure a small Microsoft 365 tenant by working through six areas in order — enforce MFA on everyone (admins first), add conditional access and block legacy authentication, keep admin roles to the fewest people possible, remove risky mail forwarding rules, lock down external guest and sharing access, and turn on audit logging so you can investigate later. Most of these are available on Business Basic and Standard, not just Premium. Use the checklist below and tackle the "core" items first.
This is a working checklist, not a theory lesson. Each item says what to change and why it matters. Items tagged Core are the ones to do first; Next items raise the bar further, often needing Business Premium.
1. Identity & sign-in
- Enforce MFA for every user CoreNo exceptions, and administrators first. Prefer an authenticator app or passkey over SMS. See the MFA how-to for the exact steps.
- Block legacy authentication CoreOlder protocols (POP, IMAP, basic-auth SMTP) bypass MFA entirely. Block them so an attacker can't dodge your MFA policy.
- Enable security defaults or conditional access CoreSecurity defaults give free baseline protection on any tenant. If you have Business Premium, use conditional access instead for finer control (locations, device compliance, admin-only rules).
- Require sign-in from managed or compliant devices NextWith conditional access, limit access to devices you manage or that meet a compliance baseline.
- Set up self-service password reset NextReduces help-desk load and lets users recover accounts without weakening controls.
2. Administrator hygiene
- Minimise Global Administrators CoreKeep the number of Global Admins as small as practical — ideally a small handful. Every extra admin is an extra high-value target.
- Use separate accounts for admin work CoreAdmins should not read email or browse the web signed in with a privileged account. Use a dedicated admin account for admin tasks only.
- Assign least-privilege roles NextGive people the narrowest role that does the job (e.g. Helpdesk Admin, Exchange Admin) instead of Global Admin by default.
- Keep a break-glass account NextOne emergency-access account, excluded from conditional access, with a long stored password, in case you're ever locked out of your own tenant.
3. Email & mailbox settings
- Disable or restrict automatic external forwarding CoreAttackers who compromise a mailbox quietly forward mail to an outside address to keep reading it. Block auto-forwarding to external domains, and review existing rules.
- Publish SPF, DKIM and DMARC CoreAuthenticate your domain so attackers can't spoof it. Full walkthrough in the phishing & BEC guide.
- Turn on anti-phishing and impersonation protection NextWith Defender for Office 365, apply the Standard preset and protect your finance and executive users from impersonation.
- Add an external-sender banner CoreA visible "external" tag on inbound mail from outside your org gives staff a moment's pause on supplier and payment requests.
4. Sharing & guest access
- Review external sharing in SharePoint & OneDrive CoreSet the default to the least-open option your business can work with, and prefer "specific people" links over "anyone with the link".
- Audit guest accounts CoreList every guest in your directory, confirm each is still needed, and remove the rest. Guests accumulate silently.
- Control who can invite guests NextRestrict guest invitations to admins or specific roles rather than every user.
- Review third-party app consents (OAuth) NextCheck which external apps users have granted access to your data, and remove any that are unknown or unnecessary.
5. Logging & monitoring
- Turn on unified audit logging CoreWithout it you can't reconstruct what happened during an incident. Confirm it's enabled — it's the difference between "we think" and "we know".
- Set up alert policies NextAlert on suspicious activity such as new inbox forwarding rules, unusual sign-in locations, or a spike in deleted mail.
- Track your Microsoft Secure Score NextUse it as a running scoreboard of improvements — but treat it as a guide, not gospel; some recommendations won't suit every business.
6. Devices & backup
- Keep devices patched and encrypted CoreAutomatic updates and disk encryption on every device that touches company email.
- Enrol devices in management NextBusiness Premium includes Intune; enrolling devices lets you enforce compliance and wipe a lost device.
- Understand your recovery options NextMicrosoft 365 retains data, but retention isn't the same as backup. Know your recycle-bin and retention windows, and consider third-party backup if your risk warrants it.
Do the core items first. If you work through only the Core rows — MFA, block legacy auth, security defaults, minimise admins, kill external forwarding, tighten sharing, audit guests, and turn on audit logging — you'll have closed the paths behind the large majority of small-business tenant compromises.
Frequently asked questions
What's the single most important Microsoft 365 security setting?
Multi-factor authentication on every account, administrators first. A stolen or reused password is the most common way a small tenant is compromised, and MFA is the control that stops a leaked password from becoming a hijacked account.
Do I need Business Premium to secure my tenant?
No. Many of the highest-value controls — MFA, blocking legacy auth, removing risky forwarding, restricting guest access, tightening admin roles and audit logging — are available on Basic and Standard. Premium adds conditional access, Defender for Office 365 and device management, which raise the ceiling further.
How often should I review these settings?
Review admin roles, guest access and forwarding rules at least quarterly, and whenever someone joins or leaves. Check your Secure Score periodically, and revisit the whole checklist after any major change such as a new integration.
Want your Microsoft 365 security checked and locked down properly?
That's what SG1 Consulting does — a full audit against this checklist, then the settings put right for you, for Australian businesses.
Talk to SG1 →