Security
Microsoft 365 security checklist
A practical checklist for Entra ID, Exchange Online, SharePoint and Teams — the settings Melbourne admins most often miss.
Need help with this? Talk to our Microsoft 365 team
Identity and access
Enforce MFA for all users, block legacy authentication, use Conditional Access to require compliant devices for company data, and limit Global Administrator accounts to named break-glass identities with phishing-resistant methods where possible.
Email and collaboration
Enable DKIM signing, align SPF and DMARC, turn on anti-phishing and safe attachments/links policies, and review mail forwarding rules regularly. Disable automatic external forwarding unless a documented business need exists.
Data and sharing
Default SharePoint and OneDrive sharing to authenticated users only, label sensitive data where regulations require it, and audit guest access quarterly. DLP policies can wait until basics are solid — open sharing causes more day-to-day pain for SMEs.
Monitoring and recovery
Turn on unified audit logging, forward high-severity alerts to a monitored inbox or SIEM, and test restore from Microsoft 365 backup or third-party backup at least twice a year. Document offboarding: disable accounts, revoke sessions, and reassign OneDrive within 24 hours.
Related service
This is part of our Microsoft 365 service for Melbourne businesses.
Try it now
Run the related tools
Need a hand?
Run the tools. Then talk to us.
Use our free diagnostics to see what is wrong, then get Melbourne IT support for the fix.
Keep reading
More guides

Cyber insurance requirements for Australian SMBs
What Australian small businesses are typically asked before cyber insurance is approved — MFA, backups, email security — and how to prepare without panic.
- Why insurers ask technical questions
- Controls insurers commonly expect

Website security headers explained
HSTS, CSP and the headers that improve trust, SEO and protection against common attacks.
- Start with the basics
- Check what you already have