Skip to main content
Blog

Microsoft 365 Security Checklist for Sydney Small Businesses

A practical Microsoft 365 security checklist for Sydney small businesses covering MFA, admin accounts, email protection, backups, device access, and staff handover.

Published
Published | Updated
Reading time
5 min read
Author
Written by Everyday Computing technical support team | Reviewed by Everyday Computing service operations

Sydney-based support technicians who work across remote support, onsite visits, home networks, computer repairs, Microsoft 365, backups, and small business IT.

Reviewed for service accuracy, pricing consistency, support triage, and alignment with Everyday Computing's current Sydney service model.

Business laptop being configured for Microsoft 365 security in a Sydney office

Key takeaways

  • Turn on MFA for every account, protect administrator accounts first, and avoid sharing one admin login across the business.
  • Microsoft 365 retention and recycle bin features are useful, but they are not the same as a tested business backup and restore plan.
  • Good security setup is mostly operational: ownership, recovery access, staff offboarding, device controls, and regular checks.

Microsoft 365 is usually the centre of a small business: email, files, calendars, Teams, invoices, client documents, and staff accounts. That makes it one of the first places to harden before a phishing email, lost laptop, staff departure, or accidental deletion turns into a business interruption.

For a Sydney small business, the goal is not enterprise complexity. The goal is a clean baseline that protects accounts, keeps admin access recoverable, reduces email risk, and makes it clear who owns each decision.

Security areaMinimum practical setupWhen to go further
MFARequire MFA for all users and especially administratorsUse Conditional Access, phishing-resistant methods, or location/device rules
Admin accountsSeparate admin accounts from day-to-day emailBreak-glass emergency account, audited admin roles, no shared passwords
Email securityCheck forwarding rules, mailbox permissions, spam/phishing settingsDefender policies, domain authentication review, user reporting workflow
Files and sharingReview external sharing, link defaults, and owner accessSensitivity labels, retention labels, structured SharePoint permissions
BackupsKnow what Microsoft retains and test restore for critical dataDedicated Microsoft 365 backup for Exchange, SharePoint, and OneDrive
DevicesRequire screen lock, supported OS, updates, and encryptionIntune management, compliance policies, remote wipe, app protection
Staff changesSame-day offboarding checklistAutomated onboarding/offboarding and periodic access reviews

1. Secure sign-in before anything else

Start with MFA. The Australian Cyber Security Centre describes MFA as an extra layer that helps prove the person logging in is really the account owner. In Microsoft 365, security defaults can provide a baseline for many small tenants, while larger or more complex businesses may need Conditional Access policies.

Do not stop at the owner account. Protect every mailbox, bookkeeper account, shared admin role, and contractor account. Attackers rarely care whose mailbox they use if it can send invoices, reset passwords, or access files.

For most Sydney small businesses, a sensible first pass is:

  • MFA enabled for all users
  • Administrator accounts checked first
  • No shared admin password in a notebook or browser profile
  • At least two trusted people able to recover access
  • Clear instructions for replacing a lost phone or authenticator app

2. Separate admin work from everyday email

An owner who reads email, opens attachments, approves invoices, and also holds the only global admin account is carrying too much risk in one login. Create named accounts and use admin permissions only when needed.

Avoid generic accounts such as admin@ or accounts@ as full-time global administrators. If a shared mailbox is needed, keep it as a mailbox, not as the main security control for the tenant.

3. Check for mailbox forwarding and hidden access

After a phishing scare, many businesses change a password and move on. That can miss the actual persistence. Review inbox rules, mailbox forwarding, delegate access, shared mailbox membership, OAuth app consent, and recent sign-in activity.

This matters for professional services, trades, clinics, agencies, and retail businesses that send invoices from Microsoft 365. A compromised mailbox can quietly watch supplier invoices, change payment details, or reply inside an existing conversation.

4. Use file sharing deliberately

SharePoint and OneDrive are powerful, but link settings can become messy over time. Review whether links default to "anyone with the link", whether former staff still own key files, and whether client folders are separated from internal files.

A simple working rule is to make every shared area answer three questions:

  • Who owns this folder or site?
  • Who should have access today?
  • What happens when a staff member leaves?

5. Understand retention, backup, and restore

Microsoft 365 includes recycle bins, retention options, and platform resiliency, but those features do not automatically equal a business backup strategy. Retention policies are designed to retain or delete content according to rules. Backup is about recovering known data after deletion, ransomware, corruption, or a user mistake.

If a business relies on Exchange Online, SharePoint, OneDrive, or Teams for active work, test recovery before a real incident. Choose a sample mailbox item, SharePoint document, and OneDrive folder, then confirm who can restore it and how long it takes.

6. Put devices in the security plan

Microsoft 365 security is weaker if staff use unmanaged laptops with no screen lock, unsupported operating systems, local malware, or personal browser profiles full of saved passwords.

At minimum, business devices should have updates enabled, disk encryption where supported, screen lock, separate user accounts, trusted security software, and a documented handover when a device changes owner. Businesses with several staff should consider device management so lost laptops and departing staff can be handled consistently.

7. Make offboarding same-day work

Staff departures are one of the most common access-control gaps. The checklist should be short enough to run immediately:

  • Block sign-in or reset password at the right time
  • Remove MFA methods and active sessions where appropriate
  • Transfer mailbox, OneDrive, and file ownership
  • Remove admin roles and shared mailbox access
  • Recover business devices and keys
  • Check forwarding rules and external sharing

For casual staff, contractors, and part-time admin help, write down who approves offboarding. The risk is often not malice; it is forgotten access.

8. Keep a one-page Microsoft 365 handover

Every small business should have a secure handover note that records the tenant owner, domain registrar, DNS host, licence type, admin contacts, backup provider, device management approach, and recovery process. Store it somewhere the business can access during an outage, not only inside the Microsoft 365 tenant it describes.

Sydney businesses also need practical continuity details: who can approve urgent support, where devices are located, whether onsite access is needed, and which systems are critical before the next business day.

A practical first-hour checklist

If you only have one hour, do this first:

  1. Confirm who owns global admin access.
  2. Turn on MFA for administrators and high-risk users.
  3. Check for unknown forwarding rules and delegated mailbox access.
  4. Review external sharing on the most sensitive SharePoint or OneDrive locations.
  5. Confirm how email and files would be restored after accidental deletion.
  6. Document the tenant owner, domain/DNS owner, and emergency contacts.

Everyday Computing can help Sydney small businesses review Microsoft 365 security, clean up account access, configure MFA, check backup and recovery, and support staff remotely or onsite when the setup needs hands-on device work.

Common questions

Is Microsoft 365 security defaults enough for a small business?

Security defaults are a useful baseline for many small tenants because they turn on important protections such as MFA prompts. Businesses with higher risk, complex access needs, or compliance requirements may need Conditional Access and more detailed policies.

Do I still need backup if files are in OneDrive or SharePoint?

Often, yes. Microsoft 365 has retention and recovery features, but a business should still confirm its restore requirements, retention settings, and whether a dedicated Microsoft 365 backup is needed for email, SharePoint, OneDrive, and Teams data.

Which Microsoft 365 account should be secured first?

Start with global administrators, owners, finance mailboxes, and anyone who can approve payments, reset passwords, or access sensitive client data. Then complete MFA and access review for every user.

Can this be fixed remotely?

Most Microsoft 365 account, MFA, email, and sharing work can be handled remotely. Onsite support is useful when the job includes staff devices, office Wi-Fi, printers, or several computers that need setup at the same time.

Sources and further reading