Microsoft 365 is usually the centre of a small business: email, files, calendars, Teams, invoices, client documents, and staff accounts. That makes it one of the first places to harden before a phishing email, lost laptop, staff departure, or accidental deletion turns into a business interruption.
For a Sydney small business, the goal is not enterprise complexity. The goal is a clean baseline that protects accounts, keeps admin access recoverable, reduces email risk, and makes it clear who owns each decision.
| Security area | Minimum practical setup | When to go further |
|---|---|---|
| MFA | Require MFA for all users and especially administrators | Use Conditional Access, phishing-resistant methods, or location/device rules |
| Admin accounts | Separate admin accounts from day-to-day email | Break-glass emergency account, audited admin roles, no shared passwords |
| Email security | Check forwarding rules, mailbox permissions, spam/phishing settings | Defender policies, domain authentication review, user reporting workflow |
| Files and sharing | Review external sharing, link defaults, and owner access | Sensitivity labels, retention labels, structured SharePoint permissions |
| Backups | Know what Microsoft retains and test restore for critical data | Dedicated Microsoft 365 backup for Exchange, SharePoint, and OneDrive |
| Devices | Require screen lock, supported OS, updates, and encryption | Intune management, compliance policies, remote wipe, app protection |
| Staff changes | Same-day offboarding checklist | Automated onboarding/offboarding and periodic access reviews |
1. Secure sign-in before anything else
Start with MFA. The Australian Cyber Security Centre describes MFA as an extra layer that helps prove the person logging in is really the account owner. In Microsoft 365, security defaults can provide a baseline for many small tenants, while larger or more complex businesses may need Conditional Access policies.
Do not stop at the owner account. Protect every mailbox, bookkeeper account, shared admin role, and contractor account. Attackers rarely care whose mailbox they use if it can send invoices, reset passwords, or access files.
For most Sydney small businesses, a sensible first pass is:
- MFA enabled for all users
- Administrator accounts checked first
- No shared admin password in a notebook or browser profile
- At least two trusted people able to recover access
- Clear instructions for replacing a lost phone or authenticator app
2. Separate admin work from everyday email
An owner who reads email, opens attachments, approves invoices, and also holds the only global admin account is carrying too much risk in one login. Create named accounts and use admin permissions only when needed.
Avoid generic accounts such as admin@ or accounts@ as full-time global administrators. If a shared mailbox is needed, keep it as a mailbox, not as the main security control for the tenant.
3. Check for mailbox forwarding and hidden access
After a phishing scare, many businesses change a password and move on. That can miss the actual persistence. Review inbox rules, mailbox forwarding, delegate access, shared mailbox membership, OAuth app consent, and recent sign-in activity.
This matters for professional services, trades, clinics, agencies, and retail businesses that send invoices from Microsoft 365. A compromised mailbox can quietly watch supplier invoices, change payment details, or reply inside an existing conversation.
4. Use file sharing deliberately
SharePoint and OneDrive are powerful, but link settings can become messy over time. Review whether links default to "anyone with the link", whether former staff still own key files, and whether client folders are separated from internal files.
A simple working rule is to make every shared area answer three questions:
- Who owns this folder or site?
- Who should have access today?
- What happens when a staff member leaves?
5. Understand retention, backup, and restore
Microsoft 365 includes recycle bins, retention options, and platform resiliency, but those features do not automatically equal a business backup strategy. Retention policies are designed to retain or delete content according to rules. Backup is about recovering known data after deletion, ransomware, corruption, or a user mistake.
If a business relies on Exchange Online, SharePoint, OneDrive, or Teams for active work, test recovery before a real incident. Choose a sample mailbox item, SharePoint document, and OneDrive folder, then confirm who can restore it and how long it takes.
6. Put devices in the security plan
Microsoft 365 security is weaker if staff use unmanaged laptops with no screen lock, unsupported operating systems, local malware, or personal browser profiles full of saved passwords.
At minimum, business devices should have updates enabled, disk encryption where supported, screen lock, separate user accounts, trusted security software, and a documented handover when a device changes owner. Businesses with several staff should consider device management so lost laptops and departing staff can be handled consistently.
7. Make offboarding same-day work
Staff departures are one of the most common access-control gaps. The checklist should be short enough to run immediately:
- Block sign-in or reset password at the right time
- Remove MFA methods and active sessions where appropriate
- Transfer mailbox, OneDrive, and file ownership
- Remove admin roles and shared mailbox access
- Recover business devices and keys
- Check forwarding rules and external sharing
For casual staff, contractors, and part-time admin help, write down who approves offboarding. The risk is often not malice; it is forgotten access.
8. Keep a one-page Microsoft 365 handover
Every small business should have a secure handover note that records the tenant owner, domain registrar, DNS host, licence type, admin contacts, backup provider, device management approach, and recovery process. Store it somewhere the business can access during an outage, not only inside the Microsoft 365 tenant it describes.
Sydney businesses also need practical continuity details: who can approve urgent support, where devices are located, whether onsite access is needed, and which systems are critical before the next business day.
A practical first-hour checklist
If you only have one hour, do this first:
- Confirm who owns global admin access.
- Turn on MFA for administrators and high-risk users.
- Check for unknown forwarding rules and delegated mailbox access.
- Review external sharing on the most sensitive SharePoint or OneDrive locations.
- Confirm how email and files would be restored after accidental deletion.
- Document the tenant owner, domain/DNS owner, and emergency contacts.
Everyday Computing can help Sydney small businesses review Microsoft 365 security, clean up account access, configure MFA, check backup and recovery, and support staff remotely or onsite when the setup needs hands-on device work.
