The Microsoft 365 security hardening checklist for Australian SMEs
By the Aegentra Security Team — NV1-cleared Microsoft 365 security engineers · Updated July 2026
Most Australian SMEs on Microsoft 365 Business Premium already own the tooling to shut down the attacks that actually hit them — credential theft, business email compromise and ransomware — they just have not turned it on. This checklist gives the exact settings, the risk each closes, and how each maps to the ASD Essential Eight.
Microsoft 365 security hardening for an Australian SME means turning on the identity, email, data, endpoint and logging controls already included in your licence — enforce MFA and block legacy authentication in Entra ID, run Defender for Office 365 preset policies, apply Purview DLP and sensitivity labels, push Intune compliance with BitLocker and ASR rules, and confirm the unified audit log is on — each mapped to the ASD Essential Eight so the spend you already have does the mitigating.
Identity — Entra ID, Conditional Access, MFA and PIM
Require MFA for all users (Conditional Access) — Require MFA for all users and cloud apps, preferring phishing-resistant methods (Microsoft Authenticator number-matching, passkeys / FIDO2) over SMS.
Require a compliant or hybrid-joined device — Require an Intune-compliant or Entra hybrid-joined device before granting access to email and SharePoint.
Privileged Identity Management (PIM) for admin roles — Make privileged roles eligible-only via PIM with just-in-time activation, approval and MFA (Entra ID P2).
Separate break-glass and admin accounts — Keep two excluded emergency-access accounts and separate cloud-only admin identities.
SSPR and Entra Password Protection — Turn on self-service password reset and a custom banned-password list.
Email & collaboration — Defender for Office 365
Apply Defender preset security policies (Standard or Strict) — Enable the Standard or Strict preset so anti-spam, anti-malware, anti-phishing, Safe Links and Safe Attachments use Microsoft’s recommended baseline.
Anti-phishing policy with impersonation and mailbox intelligence — Protect key people (owner, finance, payroll) and domains against business email compromise and CEO-fraud invoice scams.
Safe Attachments for email, SharePoint, OneDrive and Teams — Detonate unknown attachments in a sandbox before delivery to stop malicious macro documents and ransomware droppers.
Safe Links for email, Teams and Office apps — Rewrite and re-check URLs at time-of-click to neutralise delayed-weaponisation phishing.
External sender tagging and first-contact safety tip — Visibly flag mail from outside the tenant to cut the phishing click-through rate.
SPF, DKIM and DMARC; block external auto-forwarding — Stop domain spoofing and stop a compromised mailbox exfiltrating mail via a forwarding rule.
Data protection — Purview DLP, sensitivity labels and sharing
Purview DLP for Australian sensitive data — Use built-in Australian sensitive information types (TFN, Medicare, bank account, passport) across Exchange, SharePoint, OneDrive and Teams to prevent PII leakage that would trigger a Notifiable Data Breach.
Purview sensitivity labels with encryption — Publish Public / Internal / Confidential labels, with Confidential applying encryption that travels with the file.
Restrict SharePoint and OneDrive external sharing — Set external sharing to the least-open setting your business can work with, not “Anyone”.
Disable or expire anonymous “Anyone” links — Turn off Anyone links or force short expiry and view-only defaults.
Govern Teams guest and external access — Restrict who can invite guests and run periodic guest access reviews.
Endpoint — Intune, BitLocker, ASR rules and Defender
Intune device compliance policies — Require encryption, Defender running, minimum OS build and firewall, paired with the Conditional Access device requirement.
Enforce BitLocker via Intune with key escrow — Silently enable BitLocker (XTS-AES 256) and escrow recovery keys to Entra ID.
Attack Surface Reduction (ASR) rules in Block mode — Block Office child-process creation, macro-launched executables and content from email / webmail.
Block untrusted and internet-sourced Office macros — Block macros from the internet and only allow signed macros — the classic Essential Eight macro control.
Onboard to Defender for Endpoint with EDR in block mode — Enable EDR in block mode, tamper protection, network protection and controlled folder access on all Windows endpoints.
Windows Update rings / Autopatch and app patching — Enforce OS updates on a schedule and drive application patching with Defender Vulnerability Management.
Logging & monitoring — audit log, alerts and retention
Confirm the unified audit log is enabled — Verify tenant-wide audit logging and mailbox auditing are on so you have a record of who accessed, forwarded or deleted what.
Configure alert policies for high-risk activity — Alert on mass download, mailbox forwarding-rule creation, unusual admin activity and eDiscovery changes.
Enable Entra ID Protection risk detections — Surface impossible-travel and leaked-credential sign-ins, and trigger step-up MFA (risk-based Conditional Access needs Entra ID P2).
Extend sign-in and audit log retention — Stream Entra logs to Log Analytics or Microsoft Sentinel to retain evidence beyond the default 30 days.
Assign owners and review alerts on a schedule — Nominate who reviews alerts and the Microsoft Secure Score weekly, and record what was actioned.
How Microsoft 365 covers the ASD Essential Eight
Essential Eight mitigation
Coverage
Microsoft 365 capability
Multi-factor authentication
Full
Entra ID MFA enforced through Conditional Access, phishing-resistant methods, legacy auth blocked.
Restrict administrative privileges
Strong
Entra ID Privileged Identity Management (P2), just-in-time activation, separate admin accounts and access reviews.
Patch operating systems
Strong
Intune Update Rings / Windows Autopatch enforcing OS updates on a defined schedule.
Configure Microsoft Office macro settings
Strong
Intune ADMX policy blocking internet-sourced / unsigned macros, backed by ASR macro rules in Block mode.
User application hardening
Strong
ASR rules, Defender for Endpoint network protection, and Edge / Office hardening via Intune.
Patch applications
Partial
Intune app deployment plus Defender Vulnerability Management to find and prioritise unpatched apps.
Application control
Partial
App Control for Business (formerly WDAC) and AppLocker via Intune, with Defender for Endpoint visibility.
Regular backups
Partial
Microsoft 365 Backup (a separate pay-as-you-go add-on) plus native retention — validate the restore and keep an independent copy.
Frequently asked questions
Do I need Microsoft 365 E5 to harden properly?
No. Microsoft 365 Business Premium covers the large majority of this checklist — Entra ID P1 (Conditional Access), Intune, Defender for Office 365 Plan 1, Defender for Business, and core Purview DLP and labels. The main gaps are Privileged Identity Management and risk-based Conditional Access (Entra ID P2, an add-on) plus advanced DLP and insider-risk in E5. Most SMEs reach a strong position on Business Premium alone.
How does this map to the Essential Eight maturity levels?
Turning these settings on generally gets a Microsoft 365 SME to Maturity Level One across most of the eight, and towards Level Two on MFA, macros and patching. The Essential Eight also requires disciplined patching timeframes and tested backups — technology enables it, but process and evidence move you up the maturity levels.
Is Microsoft 365’s built-in retention the same as a backup?
No. Retention policies and the recycle bin protect against accidental deletion for a window, but they are not a point-in-time backup you control. For the Essential Eight backup mitigation, use Microsoft 365 Backup (a separate pay-as-you-go add-on, not part of Business Premium), confirm you can restore, and keep an independent copy. Always test the restore.
Will enforcing MFA and Conditional Access lock my staff out?
Not if you stage it. Roll policies out in report-only mode first, exclude two break-glass emergency accounts, communicate the change, and register everyone in Microsoft Authenticator before enforcing.
We already use an IT provider — do we still need this?
Yes, as your assurance baseline. Many providers manage devices without hardening the tenant. Use this checklist to ask which controls are configured, in Block versus Audit mode, and who reviews the alerts. If they cannot show you the Conditional Access policies and Secure Score, the controls probably are not on.
Is the Essential Eight mandatory for an SME?
It is mandatory for non-corporate Commonwealth entities, not for private SMEs directly. But it is the accepted Australian baseline and increasingly appears in enterprise supply-chain questionnaires, government tenders and cyber-insurance applications — so for a growing SME it is effectively a commercial requirement.
Want it run for you? Aegentra provides Microsoft 365 hardening for Australian SMEs in 4–6 weeks, moving every control to Block with an ASD Essential Eight evidence pack. More field notes are on the Aegentra Insights hub.