Home › Microsoft 365 security checklist

The Microsoft 365 security checklist for small business

Guide 02 · Email & M365 security for Australian SMBs

Short answer: Secure a small Microsoft 365 tenant by working through six areas in order — enforce MFA on everyone (admins first), add conditional access and block legacy authentication, keep admin roles to the fewest people possible, remove risky mail forwarding rules, lock down external guest and sharing access, and turn on audit logging so you can investigate later. Most of these are available on Business Basic and Standard, not just Premium. Use the checklist below and tackle the "core" items first.

This is a working checklist, not a theory lesson. Each item says what to change and why it matters. Items tagged Core are the ones to do first; Next items raise the bar further, often needing Business Premium.

1. Identity & sign-in

2. Administrator hygiene

3. Email & mailbox settings

4. Sharing & guest access

5. Logging & monitoring

6. Devices & backup

Do the core items first. If you work through only the Core rows — MFA, block legacy auth, security defaults, minimise admins, kill external forwarding, tighten sharing, audit guests, and turn on audit logging — you'll have closed the paths behind the large majority of small-business tenant compromises.

Frequently asked questions

What's the single most important Microsoft 365 security setting?

Multi-factor authentication on every account, administrators first. A stolen or reused password is the most common way a small tenant is compromised, and MFA is the control that stops a leaked password from becoming a hijacked account.

Do I need Business Premium to secure my tenant?

No. Many of the highest-value controls — MFA, blocking legacy auth, removing risky forwarding, restricting guest access, tightening admin roles and audit logging — are available on Basic and Standard. Premium adds conditional access, Defender for Office 365 and device management, which raise the ceiling further.

How often should I review these settings?

Review admin roles, guest access and forwarding rules at least quarterly, and whenever someone joins or leaves. Check your Secure Score periodically, and revisit the whole checklist after any major change such as a new integration.

Want your Microsoft 365 security checked and locked down properly?

That's what SG1 Consulting does — a full audit against this checklist, then the settings put right for you, for Australian businesses.

Talk to SG1 →