Microsoft 365 security checklist
A practical checklist for Entra ID, Exchange Online, SharePoint and Teams — the settings Melbourne admins most often miss.
Identity and access
Enforce MFA for all users, block legacy authentication, use Conditional Access to require compliant devices for company data, and limit Global Administrator accounts to named break-glass identities with phishing-resistant methods where possible.
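Two of the items above (blocking legacy authentication and keeping the Global Administrator list short) can be checked and applied with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the original checklist or any vendor tool; it assumes the Microsoft.Graph module is installed and the signed-in admin can consent to the listed scopes. The policy name and break-glass UPN are placeholders.

```powershell
# Added example (not from the original checklist). Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'User.Read.All', 'Directory.Read.All'

# Placeholder: the named break-glass account that the policy must never lock out
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.example'

# Conditional Access policy that blocks legacy (non-modern) authentication.
# Start in report-only mode, review the sign-in log for a week, then set State = 'enabled'.
$policy = @{
    DisplayName = 'CA001 - Block legacy authentication'
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        Users        = @{
            IncludeUsers = @('All')
            ExcludeUsers = @($breakGlass.Id)
        }
        Applications = @{ IncludeApplications = @('All') }
        # 'other' covers POP, IMAP, SMTP AUTH and older Office clients that cannot do MFA
        ClientAppTypes = @('exchangeActiveSync', 'other')
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# Confirm the policy exists and what state it is in
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State

# Who actually holds Global Administrator? Anything beyond the break-glass
# identities and one or two named admins is worth a conversation.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
```

Report-only mode first is the point: the sign-in log will show which mailboxes or printers still talk IMAP or SMTP AUTH, so they can be migrated before the block is enforced.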
Email and collaboration
Enable DKIM signing, align SPF and DMARC, turn on anti-phishing and safe attachments/links policies, and review mail forwarding rules regularly. Disable automatic external forwarding unless a documented business need exists.
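The forwarding review and the DKIM/SPF/DMARC checks are a few Exchange Online PowerShell commands. The script below is an added example, not part of the original checklist; it assumes the ExchangeOnlineManagement module and uses a placeholder domain name.

```powershell
# Added example (not from the original checklist). Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$domain = 'contoso.example'   # placeholder: the sending domain being checked

# 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook settings)
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect: the usual place a compromised
#    account quietly copies mail out, so review every hit.
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Turn off automatic external forwarding tenant-wide via the outbound spam policy.
#    Use 'Automatic' plus a per-mailbox exception only where a documented need exists.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. DKIM: create the signing config (disabled), publish the two CNAMEs it reports,
#    then enable it. Enabling before the CNAMEs resolve fails.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
Get-DkimSigningConfig -Identity $domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
# After the CNAMEs are published in DNS:
# Set-DkimSigningConfig -Identity $domain -Enabled $true

# 5. SPF and DMARC as the internet sees them
Resolve-DnsName -Name $domain -Type TXT |
    Where-Object { $_.Strings -like 'v=spf1*' } |
    Select-Object -ExpandProperty Strings
Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Strings
```

A missing `_dmarc` record, or one with `p=none` and no `rua=` address, means nobody is being told when the domain is spoofed; move to `p=quarantine` once DKIM and SPF are aligned for every legitimate sender.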
Data and sharing
Default SharePoint and OneDrive sharing to authenticated users only, label sensitive data where regulations require it, and audit guest access quarterly. DLP policies can wait until basics are solid — open sharing causes more day-to-day pain for SMEs.
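Setting the tenant-wide sharing default and pulling the guest list for the quarterly review looks like this. It is an added example, not part of the original checklist; it assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules, and the admin URL is a placeholder.

```powershell
# Added example (not from the original checklist).
# Assumes Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

# Tenant default: external sharing only to authenticated guests (no 'Anyone' links),
# new sharing links default to people inside the organisation with view permission.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Individual sites can be looser than the tenant default; list any that still allow anonymous links
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability

# Quarterly guest audit: export every guest account with its creation date so the
# business owner can confirm each one is still needed.
Connect-MgGraph -Scopes 'User.Read.All'
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, DisplayName, Mail, CreatedDateTime |
    Sort-Object CreatedDateTime |
    Select-Object DisplayName, Mail, CreatedDateTime |
    Export-Csv -Path .\guest-review.csv -NoTypeInformation
```

Guests older than a project's lifetime and guests whose mail domain nobody recognises are the two rows to chase first; removal is `Remove-MgUser -UserId <id>` once the owner confirms.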
Monitoring and recovery
Turn on unified audit logging, forward high-severity alerts to a monitored inbox or SIEM, and test restore from Microsoft 365 backup or third-party backup at least twice a year. Document offboarding: disable accounts, revoke sessions, and reassign OneDrive within 24 hours.
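The audit-log check and the offboarding steps (disable, revoke sessions, reassign OneDrive) can be scripted so the 24-hour target is met every time. This is an added example, not part of the original checklist; it assumes the ExchangeOnlineManagement, Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules, and the user, manager and tenant names are placeholders.

```powershell
# Added example (not from the original checklist).
# Assumes ExchangeOnlineManagement, Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell.

# --- Monitoring: make sure the unified audit log is actually being populated ---
Connect-ExchangeOnline
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

# --- Offboarding: one leaver, three steps ---
$leaver      = 'leaver@contoso.example'     # placeholder
$manager     = 'manager@contoso.example'    # placeholder: gets OneDrive ownership
$tenantName  = 'contoso'                    # placeholder: <tenant>-my.sharepoint.com

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# 1. Disable the account so no new sign-ins succeed
Update-MgUser -UserId $leaver -AccountEnabled:$false

# 2. Revoke refresh tokens so existing sessions on phones and laptops stop working
Revoke-MgUserSignInSession -UserId $leaver | Out-Null

# 3. Make the manager a site collection admin of the leaver's OneDrive.
#    Personal site URLs follow the convention below (dots and @ become underscores).
$personalPath = ($leaver -replace '[@.]', '_')
$oneDriveUrl  = "https://$tenantName-my.sharepoint.com/personal/$personalPath"

Connect-SPOService -Url "https://$tenantName-admin.sharepoint.com"
Set-SPOUser -Site $oneDriveUrl -LoginName $manager -IsSiteCollectionAdmin $true

# Record what was done; the unified audit log captures these actions too
[pscustomobject]@{
    User           = $leaver
    Disabled       = (Get-MgUser -UserId $leaver -Property AccountEnabled).AccountEnabled -eq $false
    OneDriveUrl    = $oneDriveUrl
    NewOwner       = $manager
    CompletedAtUtc = (Get-Date).ToUniversalTime()
}
```

Disabling without revoking sessions leaves a live token on the leaver's phone for up to the token lifetime, which is why step 2 is separate; run the whole block from a ticket so the timestamp and the new OneDrive owner are documented.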