A practical Microsoft 365 security checklist

Ten settings that materially reduce risk in Microsoft 365 — drawn from what Techist hardens on every tenant we manage.

Why default Microsoft 365 isn't secure Microsoft 365

Microsoft 365 is a secure platform — but a brand-new tenant is configured for compatibility, not protection. Most of the controls below exist in your subscription already; they just need to be turned on and tuned. Here are ten we check first on every tenant Techist takes over.

The checklist

1. Enforce MFA for every account. Including admins, service accounts and shared mailboxes. No exceptions — exceptions are exactly what attackers look for.
2. Set up Conditional Access. Control where, when and from what devices people can sign in. Block legacy authentication entirely.
3. Separate admin accounts. Global admins shouldn't read email with the same account that holds the keys. Dedicated admin identities, protected harder.
4. Apply least privilege. Use built-in roles sparingly and review who holds what quarterly. Most "temporary" admin grants are permanent until audited.
5. Enable mailbox auditing and alerts. Know when forwarding rules appear, when sign-ins look impossible, when permissions change.
6. Harden email flow. SPF, DKIM and DMARC configured properly — protecting both your inbound trust and your domain's reputation.
7. Control external sharing. SharePoint and OneDrive sharing scoped deliberately, not left at the permissive defaults.
8. Manage the user lifecycle. Leavers offboarded same-day: sessions revoked, credentials disabled, data preserved. Dormant accounts are open doors.
9. Back up your tenant independently. Microsoft's retention is not a backup. Independent backup of mail, SharePoint, OneDrive and Teams protects against deletion and ransomware.
10. Review it on a schedule. Secure Score, new sign-in risk reports, new features — M365 security is a practice, not a project.
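Item 5 is the one that most often turns up a surprise, so here is an added example of the kind of check it implies (this is illustrative code, not Techist's tooling): a PowerShell sweep that reports mailboxes with auditing off and any mailbox-level forwarding or inbox rules that forward, redirect or silently delete mail. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read mailbox configuration.

```powershell
# Added example, not Techist's tooling. Assumes the ExchangeOnlineManagement
# module is installed and the account can read mailbox and inbox-rule settings.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

# Tenant-wide switch: when AuditDisabled is true, per-mailbox AuditEnabled is ignored.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    $findings.Add([pscustomobject]@{ Mailbox = '(tenant)'; Issue = 'Mailbox auditing disabled at organization level'; Detail = '' })
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # Mailbox-level forwarding (set by an admin or through Outlook settings).
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        $findings.Add([pscustomobject]@{
            Mailbox = $upn
            Issue   = 'Mailbox-level forwarding configured'
            Detail  = "$($mbx.ForwardingSmtpAddress) $($mbx.ForwardingAddress)".Trim()
        })
    }

    if (-not $mbx.AuditEnabled) {
        $findings.Add([pscustomobject]@{ Mailbox = $upn; Issue = 'Per-mailbox auditing disabled'; Detail = '' })
    }

    # Inbox rules that forward, redirect or delete mail are a common sign of a
    # compromised mailbox being used for business email compromise; review each one.
    foreach ($rule in (Get-InboxRule -Mailbox $upn -ErrorAction SilentlyContinue)) {
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
        if ($targets.Count -gt 0 -or $rule.DeleteMessage) {
            $findings.Add([pscustomobject]@{
                Mailbox = $upn
                Issue   = "Inbox rule '$($rule.Name)' forwards, redirects or deletes mail"
                Detail  = ($targets -join '; ')
            })
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Legitimate forwarding exists, so treat the output as a triage list to confirm with the mailbox owner rather than an automatic verdict.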

How to use this list

Work top to bottom — the items are roughly ordered by risk reduction per hour of effort. If your IT provider can't show you evidence for the first five, that's a conversation worth having this week.

Want help putting this into practice?

Talk to Techist — we do this for Australian businesses every day.