Most security incidents we see at small and medium Australian businesses come down to the same handful of issues: a stolen password, an unmanaged device, a forwarded inbox rule. A solid Microsoft 365 baseline addresses all three without needing an enterprise budget.
This article is a starting point, not a complete framework. If you would like a tailored review for your environment, please book a consultation.
What “baseline” really means
A baseline is the set of controls every tenant should have in place by default. It is not the most you can do; it is the minimum that responsible operators should expect. We try to align ours to the Australian Cyber Security Centre’s Essential Eight, while staying realistic for businesses without a dedicated security team.
Identity first
The single biggest point of leverage is making identity strong.
- Enforce phishing-resistant multi-factor authentication for every user, including service accounts where possible. Authenticator app number-matching is a sensible minimum; passkeys are better.
- Use Conditional Access to require compliant or hybrid-joined devices for sensitive apps.
- Block legacy authentication. Modern clients only.
- Configure break-glass accounts properly, with strong unique passwords stored in a vault and excluded from your standard Conditional Access policies.
- Move admin permissions into Privileged Identity Management with just-in-time activation. Standing global admin is a needless risk.
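The two Conditional Access points above (block legacy authentication, keep the break-glass accounts excluded) are easy to get wrong in the portal. The following is an added example written for this article, not code from Microsoft or from the article's authors; it uses the Microsoft Graph PowerShell SDK cmdlets Connect-MgGraph, Get-MgUser, New-MgIdentityConditionalAccessPolicy and Get-MgIdentityConditionalAccessPolicy, and the break-glass UPNs are placeholders you replace with your own. The policy is created in report-only mode first so you can review sign-in logs before enforcing it.

```powershell
# Added example (not from the article): block legacy authentication with Conditional Access,
# exclude the break-glass accounts, and check that no enabled policy forgets that exclusion.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access administrator role.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Placeholder UPNs of the emergency-access accounts; resolve them to object IDs.
$breakGlassUpns = @("breakglass1@example.com", "breakglass2@example.com")
$breakGlassIds  = $breakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_).Id }

$policy = @{
    displayName   = "Baseline - Block legacy authentication"
    # Report-only first; change to "enabled" after reviewing what it would have blocked.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        applications   = @{ includeApplications = @("All") }
        # "exchangeActiveSync" and "other" are the client types that cannot do modern auth.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Sanity check: every *enabled* policy must exclude the break-glass accounts, otherwise a
# single mis-scoped policy can lock the tenant's only emergency access out.
$enabled = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" }
foreach ($p in $enabled) {
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    $missing  = $breakGlassIds | Where-Object { $excluded -notcontains $_ }
    if ($missing) {
        Write-Warning ("Policy '{0}' does not exclude break-glass account(s): {1}" -f `
            $p.DisplayName, ($missing -join ", "))
    }
}
```

Run the check section on its own periodically; it is the cheapest way to catch a new policy that someone created without the exclusion.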
Email hygiene
Email remains the most common entry point.
- Enforce SPF, DKIM and DMARC, and move your DMARC policy to quarantine, then to reject, once you have monitored reports for a few weeks.
- Turn on Microsoft Defender for Office 365 anti-phishing and Safe Links if your licensing allows.
- Audit inbox rules regularly. Auto-forward to external addresses is the classic attacker tell; block it at the tenant level.
- Use a dedicated address for finance approvals and treat any change in payment details as needing voice confirmation.
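The inbox-rule audit and the tenant-level auto-forward block above can be scripted. The following is an added example written for this article, not code from Microsoft or from the article's authors; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline, Set-HostedOutboundSpamFilterPolicy, Set-RemoteDomain, Get-AcceptedDomain, Get-Mailbox, Get-InboxRule) and an Exchange administrator role. It flags any enabled rule or mailbox setting that forwards or redirects mail to a domain the tenant does not own, and the Test-ExternalAddress helper and output file name are this example's own choices.

```powershell
# Added example (not from the article): block external auto-forwarding at the tenant level,
# then audit every mailbox for inbox rules or forwarding settings that point outside the tenant.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.

Connect-ExchangeOnline

# 1. Tenant-level block. The outbound spam policy is the current control; the remote-domain
#    flag is the older one. Setting both avoids surprises in tenants configured years ago.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Domains the tenant owns count as internal; anything else is external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Test-ExternalAddress {
    # Helper defined for this example. Rule recipients look like "Name [SMTP:user@domain]" or
    # "smtp:user@domain" or a plain address; pull out the domain and compare it.
    param([string]$Address)
    if ($Address -match '([^\s\[\]:@"<>]+)@([^\s\]>"]+)') {
        return ($internalDomains -notcontains $matches[2].ToLower())
    }
    # Unparseable targets (e.g. internal directory objects) are treated as internal.
    return $false
}

# 3. Walk every mailbox. Get-InboxRule is slow on large tenants; run it off-hours.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by the user in OWA or by an admin).
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress ([string]$mbx.ForwardingSmtpAddress))) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = "(mailbox forwarding)"; Target = [string]$mbx.ForwardingSmtpAddress }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        if (-not $rule.Enabled) { continue }
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-ExternalAddress ([string]$t)) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $rule.Name; Target = [string]$t }
            }
        }
    }
}

$findings | Format-Table -AutoSize
# Keep the CSV as evidence; each row is a rule to confirm with the user or remove.
$findings | Export-Csv -Path ".\external-forwarding-findings.csv" -NoTypeInformation
```

Because the tenant-level block only stops delivery, the rules themselves remain in the mailbox; the audit is what tells you which accounts to investigate for compromise.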
Devices that are actually managed
If a laptop is not enrolled, it is not managed.
- Enrol Windows, macOS, iOS and Android devices into Microsoft Intune.
- Apply a baseline configuration for disk encryption, screen lock, OS update rings and a sensible app inventory.
- Define a compliance policy and reference it from Conditional Access, so non-compliant devices cannot reach Microsoft 365 data.
- For Windows, deploy Microsoft Defender for Endpoint and tune the noisy alerts.
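The "define a compliance policy and reference it from Conditional Access" step is the one that actually makes enrolment matter, so here it is end to end. This is an added example written for this article, not code from Microsoft or from the article's authors; it assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph, New-MgDeviceManagementDeviceCompliancePolicy, Invoke-MgGraphRequest, Get-MgUser, New-MgIdentityConditionalAccessPolicy). The policy names, the grace period, the minimum OS build and the break-glass UPN are illustrative values to replace with your own.

```powershell
# Added example (not from the article): a Windows compliance policy in Intune, assigned to all
# devices, and a Conditional Access policy that only admits compliant or hybrid-joined devices.
# Requires the Microsoft.Graph PowerShell SDK; all names and thresholds are illustrative.

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", `
                        "Policy.ReadWrite.ConditionalAccess", "User.Read.All"

# 1. Compliance policy: encryption, screen lock, a patched OS build, Defender and firewall on.
$compliance = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Baseline - Windows compliance"
    description                           = "Disk encryption, screen lock, patched OS, Defender running"
    bitLockerEnabled                      = $true
    secureBootEnabled                     = $true
    storageRequireEncryption              = $true
    passwordRequired                      = $true
    passwordMinutesOfInactivityBeforeLock = 15
    osMinimumVersion                      = "10.0.19045"   # illustrative; use your supported build
    activeFirewallRequired                = $true
    defenderEnabled                       = $true
    antivirusRequired                     = $true
    # Intune requires at least one non-compliance action; mark the device non-compliant
    # (and therefore blocked by Conditional Access) after a 72-hour grace period.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 72; notificationTemplateId = ""; notificationMessageCCList = @() }
            )
        }
    )
}
$policy = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance
"Compliance policy created: {0}" -f $policy.Id

# 2. Assign the policy to all devices via the Graph "assign" action.
$assignBody = @{
    assignments = @(
        @{ target = @{ "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget" } }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($policy.Id)/assign" `
    -Body $assignBody

# 3. Conditional Access: require a compliant or hybrid-joined device for every cloud app,
#    excluding the break-glass account (placeholder UPN). Report-only first, as always.
$breakGlassIds = @("breakglass1@example.com") | ForEach-Object { (Get-MgUser -UserId $_).Id }
$ca = @{
    displayName   = "Baseline - Require compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"   # either control satisfies the policy
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
$caPolicy = New-MgIdentityConditionalAccessPolicy -BodyParameter $ca
"Conditional Access policy created: {0} ({1})" -f $caPolicy.DisplayName, $caPolicy.State
```

Leave the Conditional Access policy in report-only mode until the Intune compliance report shows the fleet actually passing; enforcing it on the same day you deploy the compliance policy is how a baseline rollout turns into a help-desk incident.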
SaaS and data
Microsoft 365 is more than email.
- Set up retention policies for Exchange, SharePoint, OneDrive and Teams. Match your record-keeping obligations rather than guessing.
- Use sensitivity labels for the small set of documents that genuinely need them, like client contracts.
- Restrict external sharing of OneDrive and SharePoint to specific domains where practical, or at minimum require a guest account.
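The retention and external-sharing settings above can be applied from PowerShell, which also leaves a record of exactly what was set. The following is an added example written for this article, not code from Microsoft or from the article's authors; it assumes Security & Compliance PowerShell from the ExchangeOnlineManagement module (Connect-IPPSSession, New-RetentionCompliancePolicy, New-RetentionComplianceRule) and the SharePoint Online Management Shell (Connect-SPOService, Set-SPOTenant, Get-SPOTenant). The seven-year period, the admin URL and the partner domains are placeholders; set the period from your actual record-keeping obligations, as the article says.

```powershell
# Added example (not from the article): retention policies across the Microsoft 365 workloads
# plus domain-restricted external sharing for SharePoint and OneDrive.
# The retention period and domain names are placeholders.

# --- Retention (Security & Compliance PowerShell) ---
Connect-IPPSSession

$years = 7                 # placeholder; derive from your record-keeping obligations
$days  = $years * 365      # -RetentionDuration is expressed in days

# Exchange, SharePoint, OneDrive and Microsoft 365 Groups can share one policy.
$name = "Baseline - Retain $years years"
New-RetentionCompliancePolicy -Name $name `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All
New-RetentionComplianceRule -Name "$name rule" -Policy $name `
    -RetentionDuration $days -RetentionComplianceAction Keep

# Teams chat and channel messages cannot be combined with the other workloads in one policy.
$teamsName = "Baseline - Teams retain $years years"
New-RetentionCompliancePolicy -Name $teamsName -TeamsChannelLocation All -TeamsChatLocation All
New-RetentionComplianceRule -Name "$teamsName rule" -Policy $teamsName `
    -RetentionDuration $days -RetentionComplianceAction Keep

# --- External sharing (SharePoint Online Management Shell) ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# ExternalUserSharingOnly: external recipients must sign in as guests, so anonymous
# "anyone" links are off; AllowList then limits guests to the named partner domains.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "partner-one.example.com partner-two.example.com"   # placeholders

# Read back what applied, and keep the output with your change record.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList
```

If an allow list is not practical for your business, drop the two SharingDomainRestriction parameters and keep ExternalUserSharingOnly; that still removes anonymous links, which is the article's minimum.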
Backups, even for cloud workloads
Microsoft 365 has high availability, not backups in the traditional sense. If you accidentally delete a SharePoint site or get hit with ransomware that encrypts user files synced to OneDrive, native retention will not always save you. Consider a third-party backup product with a documented restore process.
What to do this quarter
If you only have time for three things, do these:
- Enforce phishing-resistant MFA for every account, including admin and service accounts.
- Move all standing admin permissions into PIM with approval workflows.
- Deploy Intune and a compliance policy, and tie it to Conditional Access.
This is roughly what insurers and clients are starting to ask about, and it is what stops most real attacks.
A closing note on Essential Eight
The Essential Eight is a useful checklist, but it is a starting point for SMEs, not the destination. Do not let perfect be the enemy of good. A working baseline this quarter beats a comprehensive plan you will not implement.
If you want a second pair of eyes on your tenant, request a security review.