Is Your Microsoft 365 Tenant Actually Secure? Here's How to Check

Home
/ Insights
/ Is Your Microsoft 365 Tenant Actually Secure? Here's How to Check

On this page

InnovateX Solutions helps Brisbane businesses find out what’s actually going on inside their Microsoft 365 tenants, before someone else does. Most organisations on Microsoft 365 Business Standard are running with default settings that leave significant security gaps. Here’s what to ask your IT provider about, and what “good” actually looks like when measured against Australian and international security standards.

If you’re running a business in Brisbane or the Moreton Bay region with 10 or more staff on Microsoft 365, there’s a decent chance your tenant isn’t configured the way it should be. Not because anyone’s done the wrong thing, but because the default settings Microsoft ships with are designed for ease of use, not security. And that gap between “working” and “secure” is exactly where attackers operate.

Your Microsoft Secure Score Is a Starting Point, Not the Finish Line

Microsoft Secure Score is built into every Microsoft 365 tenant, and it’s a reasonable place to start. It gives you a percentage-based score that reflects how your security settings stack up against Microsoft’s own recommendations. You can find it in the Microsoft Defender portal, and it covers identity, devices, apps, and data.

Secure Score only measures what Microsoft thinks you should be doing with Microsoft products. It doesn’t account for your specific industry requirements, Australian regulatory obligations, or how your staff actually use the platform day-to-day. A tenant can score well on Secure Score and still have serious gaps when measured against frameworks like the Australian Signals Directorate’s (ASD) Blueprint for Secure Cloud, the CIS Microsoft 365 Foundations Benchmark, or the Essential Eight.

Most mid-market businesses sit somewhere between 40% and 60% on Secure Score. If yours is in that range, you’re not alone, but you’re also not where you need to be. And if you don’t know your score at all, that’s the first conversation to have with your IT provider.

The Five Areas That Matter Most

When we assess a Microsoft 365 tenant, we look at five core areas. These align with the CIS Microsoft 365 Foundations Benchmark, ASD’s Blueprint for Secure Cloud, and the Essential Eight, and they’re the areas where we see the most risk in Brisbane businesses running Business Standard licences.

1. Identity and Access Management

This is the front door to your entire business. If someone compromises an identity in your Microsoft 365 tenant, they potentially have access to your email, your files, your Teams conversations, and your client data.

What to ask your IT provider

Is multi-factor authentication (MFA) enforced for every single user, not just enabled, but actually enforced through Conditional Access policies? Security Defaults alone aren’t enough for a business environment. Both the CIS Benchmark and ASD’s Blueprint recommend Conditional Access-based MFA enforcement.
How many Global Administrator accounts exist in your tenant? The CIS Benchmark recommends between two and four. Enough for redundancy, few enough to manage. Every one of those accounts should have phishing-resistant MFA like passkeys or FIDO2 security keys.
Do you have emergency access (“break glass”) accounts configured? These are critical for disaster recovery scenarios, and they need to be monitored for any sign-in activity.
Is legacy authentication blocked? Older authentication protocols don’t support MFA at all, making them a favourite target for attackers. ASD’s Blueprint and the CIS Benchmark both recommend blocking legacy authentication entirely.
Are administrative roles scoped appropriately? A user who manages Exchange Online shouldn’t need Global Admin rights. The principle of least privilege isn’t just good practice. It’s a core requirement across SMB1001, ISO 27001, and the Essential Eight.

The licensing reality: Conditional Access policies (essential for proper MFA enforcement, location-based access controls, and device compliance checks) require Microsoft Entra ID P1 licensing. This comes included with Microsoft 365 Business Premium, E3, and E5, but not with Business Standard. If you’re on Business Standard, you’re limited to Security Defaults, which is a basic on/off switch rather than the granular control your business needs.

Multi-factor authentication enforcement through Conditional Access policies in Microsoft 365

2. Email Security

Email remains the most common attack vector for Australian businesses. Phishing, business email compromise, and invoice fraud all start in the inbox.

What to ask your IT provider

Are Safe Links and Safe Attachments configured? These features scan URLs and attachments in real-time before they reach your users. They’re part of Microsoft Defender for Office 365, which is included in Business Premium and E5 but not in Business Standard.
Is your domain protected with SPF, DKIM, and DMARC? These email authentication protocols help prevent attackers from sending emails that look like they came from your domain. ASD’s Blueprint for Secure Cloud includes specific guidance on configuring all three, and the CIS Benchmark treats DMARC configuration as a Level 1 recommendation.
Are mail transport rules reviewed regularly? Attackers who gain access to a mailbox often create forwarding rules that silently copy emails to an external address. Your IT provider should be auditing these regularly.
Is automatic email forwarding to external addresses disabled? Both the CIS Benchmark and ASD’s Blueprint recommend blocking external auto-forwarding at the tenant level. This single setting prevents a significant amount of data exfiltration.

The licensing reality: Basic Exchange Online Protection comes with all Microsoft 365 plans, but Defender for Office 365 (Safe Links, Safe Attachments, advanced anti-phishing) requires Business Premium, E3 with Defender add-on, or E5. Without it, you’re relying on basic filtering that sophisticated phishing attacks routinely bypass.

Email security protection including Safe Links, Safe Attachments, and DMARC configuration for business email

How your data is shared, both internally and externally, is one of the areas where default Microsoft 365 settings are most permissive, and most risky.

What to ask your IT provider

Who can share files and folders externally from SharePoint and OneDrive? By default, Microsoft 365 allows broad external sharing. The CIS Benchmark recommends restricting this so that only authorised users can share externally, and that external recipients must authenticate.
Are Data Loss Prevention (DLP) policies configured? DLP policies can detect and prevent sensitive information (like credit card numbers, tax file numbers, or client account details) from being shared outside your organisation. Both the CIS Benchmark and ASD’s Blueprint recommend DLP as a baseline control.
Is sensitivity labelling in use? Microsoft Purview sensitivity labels let you classify and protect documents based on their content. This is particularly important for legal firms handling privileged communications, accounting practices managing financial data, and healthcare providers dealing with patient records.
Can users create shared links that work for “anyone with the link”? This is one of the riskiest default settings in SharePoint Online. If a staff member creates an anonymous sharing link to a sensitive document, anyone who gets that link can access it. No authentication required.

The licensing reality: Basic DLP is available in Business Standard for Exchange Online, but full DLP coverage across SharePoint, OneDrive, and Teams (plus sensitivity labelling and Microsoft Purview) requires Business Premium, E3, or E5 licensing. This is one of the strongest arguments for upgrading from Business Standard if you handle sensitive client data.

This is the first in a series of posts about securing your Microsoft 365 environment. The next post covers data classification and information protection: how to categorise your business data and apply the right level of protection to each type. If you’re handling client data, financial records, or personal information, you’ll want to read that one.

Data protection and sharing controls in Microsoft 365 including DLP policies and sensitivity labels for Brisbane businesses

4. Device and Endpoint Management

Every device that connects to your Microsoft 365 tenant is a potential entry point. If your staff are logging into Outlook or Teams from unmanaged personal devices, you’ve got a significant blind spot.

What to ask your IT provider

Are devices enrolled in Microsoft Intune (or another endpoint management platform)? Intune lets you enforce security policies on devices that access your company data, requiring encryption, up-to-date operating systems, and compliant security settings.
Is there a Conditional Access policy that checks device compliance before granting access? This means a device that doesn’t meet your security requirements (an unencrypted laptop or a phone without a passcode, say) gets blocked from accessing company data. The CIS Benchmark recommends marking devices without a compliance policy as “not compliant” by default.
Are personally owned devices managed, or at least subject to app protection policies? If staff access work email on their personal phones, you need at minimum a Mobile Application Management (MAM) policy that prevents company data from being copied to personal apps.
Is application control implemented on company-managed devices? This is one of the Essential Eight mitigation strategies and prevents unauthorised applications from running. ASD’s Blueprint includes detailed guidance on configuring this through Intune.

The licensing reality: Microsoft Intune is included in Business Premium, E3, and E5. Business Standard doesn’t include device management capabilities. Without Intune, you can’t enforce device compliance policies through Conditional Access, which means you can’t verify that devices accessing your data meet your security requirements.

Compliant managed device accessing Microsoft 365 data versus unmanaged personal device being blocked by security policy

5. Administration and Audit Logging

If something goes wrong (and in cyber security, “if” is really “when”) you need to know what happened, when, and who was involved. Audit logging and proper administration practices are your safety net.

What to ask your IT provider

Is unified audit logging enabled? This should be on by default in most tenants, but it’s worth confirming. Audit logs capture user and admin activity across Exchange Online, SharePoint, OneDrive, and Teams. Both the CIS Benchmark and ASD’s Blueprint treat this as a fundamental requirement.
How long are audit logs retained? The default retention period in standard licences is 180 days. For compliance-heavy industries like legal and healthcare, you may need longer retention, which requires E5 or an add-on licence.
Is there alerting on suspicious admin activity? At minimum, you should receive alerts when Global Admin roles are assigned, when Conditional Access policies are modified, or when bulk mailbox forwarding rules are created.
Are admin accounts separate from daily-use accounts? Administrators should have a dedicated admin account that’s only used for administrative tasks, never for reading email or browsing the web. This is a core recommendation across the CIS Benchmark, ASD’s Blueprint, ISO 27001, and SMB1001.

Administration controls and audit logging in Microsoft 365 showing activity monitoring and alert notifications

The Licensing Gap Most Businesses Don’t Know About

Most IT providers don’t explain this clearly enough: Microsoft 365 Business Standard doesn’t include the security features most businesses actually need.

Business Standard is a solid productivity platform. You get Exchange Online, SharePoint, OneDrive, Teams, and the desktop Office apps. But it doesn’t include Conditional Access, Microsoft Intune, Defender for Office 365, or Microsoft Purview, all of which are essential for meeting the security requirements outlined in the CIS Benchmark, ASD’s Blueprint for Secure Cloud, and the Essential Eight.

Microsoft 365 Business Premium, E3, or E5 (depending on your organisation’s size and needs) include these security features. The cost difference between Business Standard and Business Premium is roughly the price of a coffee per user per day, and given what’s at stake, it’s one of the most cost-effective security investments you can make.

Your IT provider should be having this conversation with you. If they haven’t, that’s worth noting.

Comparison of Microsoft 365 Business Standard versus Business Premium security features for Australian businesses

Why This Matters for Your Industry

The risks aren’t theoretical. Every day, Australian businesses face email compromise attacks, ransomware, and data breaches that start with poorly configured Microsoft 365 tenants.

For legal firms, a compromised email account could expose privileged client communications and trust account details. The Queensland Law Society expects firms to maintain appropriate data security, and the Privacy Act imposes notification obligations for eligible data breaches.

For accounting practices, access to your Microsoft 365 tenant means access to client financial data, BAS information, and tax records. Professional standards and the Privacy Act both require you to protect this information appropriately.

For healthcare providers, patient records and clinical data are among the most sensitive information any organisation holds. The Privacy Act, health records legislation, and AHPRA standards all set expectations around digital security.

For early learning centres, you’re holding children’s personal information, family details, and potentially sensitive photos. The privacy obligations around minors’ data are significant, and parents rightly expect strong protection.

In each of these cases, the security controls we’ve described aren’t optional extras. They’re the minimum baseline for protecting the people and organisations that trust you with their data.

What “Good” Looks Like

A properly secured Microsoft 365 tenant for a Brisbane business should, at minimum, have the following in place. This aligns with the CIS Microsoft 365 Foundations Benchmark (currently version 6.0.0), ASD’s Blueprint for Secure Cloud, Essential Eight Maturity Level 2, and the SMB1001 framework:

MFA enforced on all accounts through Conditional Access policies, with phishing-resistant methods for administrators
Legacy authentication blocked across all protocols
Conditional Access policies controlling access based on user, device, location, and risk level
Safe Links and Safe Attachments enabled for email protection
SPF, DKIM, and DMARC properly configured on all domains
External sharing restricted and controlled through policy
DLP policies detecting and preventing sensitive data exposure
Devices managed through Intune with compliance policies enforced
Admin accounts separated from daily-use accounts with appropriate role scoping
Audit logging enabled with alerting on high-risk activities
Automatic external email forwarding disabled at the tenant level

If you’re not sure whether your tenant meets these standards, that’s a great reason to have a chat. We’ll walk through where things stand against the CIS Benchmark, ASD’s Blueprint, and the Essential Eight.

Frequently asked questions

Microsoft 365 is a secure platform, but the default configuration settings prioritise ease of use over security. Out of the box, Microsoft 365 Business Standard doesn’t enforce MFA through Conditional Access, doesn’t include advanced email threat protection, and allows broad external file sharing. Securing your tenant requires deliberate configuration aligned with frameworks like the CIS Benchmark and ASD’s Blueprint for Secure Cloud.

Security Defaults is a basic set of security settings that Microsoft provides for free with all Microsoft 365 plans. It enforces MFA for all users and blocks legacy authentication. Conditional Access, available with Business Premium, E3, and E5 licences, gives you granular control. You can create policies based on user role, device compliance, location, risk level, and the application being accessed. For any business handling sensitive data, Conditional Access is the appropriate approach.

Pricing varies and changes regularly, so we’d recommend checking Microsoft’s current pricing or asking your IT provider for a quote specific to your organisation. The important thing is to understand the security capabilities you’re gaining (Conditional Access, Intune device management, Defender for Office 365, and Microsoft Purview) and weigh that against the risk of operating without them.

Alternatively, as a Microsoft Reseller, we can provide you a quote.

The Essential Eight is mandatory for Australian Government entities and strongly recommended for all Australian organisations. If your business works with government clients, holds government contracts, or handles government data, Essential Eight compliance is likely a contractual requirement. Even if it’s not mandatory for your organisation, the Essential Eight represents sound baseline security practice that frameworks like SMB1001 align with.

Security configurations should be reviewed at least quarterly, with continuous monitoring for drift between reviews. Microsoft regularly updates its platform, which can introduce new features, change default settings, or deprecate existing controls. The CIS Benchmark is updated regularly (version 6.0.0 was released in October 2025), and your configuration should keep pace with these updates.

Yes. The best place to start is a free MSP Discovery Call where we get to understand your business, your current IT setup, and what’s actually keeping you up at night. From there, if a detailed Microsoft 365 security assessment makes sense, we can scope that out, assessing your tenant against the CIS Microsoft 365 Foundations Benchmark, ASD’s Blueprint for Secure Cloud, Essential Eight requirements, and SMB1001 framework. A conversation about where you stand and what to do about it.

Let's have a chat about your IT

Not sure where your tenant sits?

If you've read through this and you're not sure where your tenant sits, or you're starting to wonder whether your current IT provider has these things covered, the best next step is a conversation.

InnovateX Solutions is SMB1001 Gold certified, on the Queensland Government ICT Professional Services panel, and our team brings over 20 years of enterprise and government architecture experience. A discovery call is a low-pressure chat about your business, your IT setup, and what's actually working. We'll show you where things stand, whether that means working with us or not.

Book a Free MSP Discovery Call

Is Your Microsoft 365 Tenant Actually Secure? Here's How to Check

Your Microsoft Secure Score Is a Starting Point, Not the Finish Line

The Five Areas That Matter Most

1. Identity and Access Management

2. Email Security

3. Data Protection and Sharing

4. Device and Endpoint Management

5. Administration and Audit Logging

The Licensing Gap Most Businesses Don’t Know About

Why This Matters for Your Industry

What “Good” Looks Like

Frequently asked questions

Isn't Microsoft 365 secure by default?

What's the difference between Security Defaults and Conditional Access?

How much does it cost to upgrade from Business Standard to Business Premium?

Does my Microsoft 365 tenant need to comply with the Essential Eight?

How often should my Microsoft 365 security settings be reviewed?

Can InnovateX Solutions help secure my Microsoft 365 tenant?

Microsoft 365 Copilot Readiness

How to Classify and Protect Your Business Data in Microsoft 365

Who Can Access What? Getting Microsoft 365 Permissions Right

Is Your Microsoft 365 Tenant Ready for AI? A Pre-Copilot Checklist

Not sure where your tenant sits?