Microsoft 365 Security Hardening for Perth Businesses
Lock down your M365 tenant against phishing, token theft, and data leaks. Fixed-scope project, Perth-based, no offshoring.
The default M365 tenant isn't secure
Microsoft ships tenants with productivity enabled and security mostly off. Unless someone has explicitly hardened yours, these gaps are almost certainly open right now.
- Legacy authentication still allowed — bypasses MFA entirely
- No Conditional Access policies enforcing MFA or device compliance
- Shared mailboxes signing in interactively with no MFA protection
- External sharing wide open on SharePoint and OneDrive by default
- No Defender for Office 365 policies — Safe Links and Safe Attachments unset
- No DLP policies preventing TFN, credit card or client data leaving the tenant
- OAuth consent unrestricted — any user can grant third-party apps full mailbox access
- Break-glass account unprotected — no alerting if it's used, often weak password
These gaps are what cyber insurance questionnaires, AFSL audits, and post-incident forensics consistently find. The good news: every one of them is closable in a defined project, without disrupting your users.
Our hardening checklist
25 controls across six pillars. Every item is scoped, documented, and verified before handover — you receive the full checklist as part of your report.
Identity
Entra ID & access
- Conditional Access baseline (MFA, device compliance, risk)
- Block legacy authentication protocols
- MFA enforced on all users including shared mailboxes
- PIM for privileged admin roles
- Break-glass account with alerting & FIDO2 key
Device
Intune compliance
- Intune device compliance baselines (Windows & macOS)
- BitLocker / FileVault enforced & key escrow
- Mobile app protection policies (iOS & Android)
- Compliant-device-only sign-in for sensitive apps
EOP & Defender for O365
- Anti-phishing, anti-spam & anti-malware policies tuned
- Defender for Office 365 Safe Links & Safe Attachments
- SPF, DKIM & DMARC (p=reject) configured & monitored
- Impersonation protection for VIPs & trusted domains
Data
SharePoint & OneDrive
- External sharing locked down (by site, not tenant-wide)
- Sensitivity labels for client, financial & PII data
- DLP policies — TFN, credit card, bank account, PII
- Guest access lifecycle & access reviews
Threat
Defender for Business
- Defender for Business onboarded on all endpoints
- Attack Surface Reduction (ASR) rules in block mode
- Web content filtering & network protection
- OAuth app governance & risky consent blocking
Governance
Audit & alerting
- Unified audit log enabled with extended retention
- Alert policies for risky sign-ins, admin actions, mailbox rules
- Admin role review & least-privilege remediation
- Secure Score baseline & 90-day uplift target
Typical engagement
A defined, phased project — not a rolling consulting arrangement. You know exactly what happens, when, and what it costs before we touch your tenant.
Discovery call
20-minute scoping call. We confirm user count, licensing, compliance drivers and timeline.
Day 0 · Free
Read-only audit
We're granted read-only access and audit against all 25 controls. No changes made, no user disruption.
Week 1 · $1,500 + GST
Report & plan
Written report with findings, risk rating, and a fixed-price remediation plan. Yours to keep either way.
Week 2
Implementation
Staged rollout across the six pillars. Report-only first, pilot group next, then full enforcement.
Weeks 2-4
Handover
Full documentation pack, runbooks, and optional transition to Security Essentials managed service.
Week 5
Fixed-scope pricing
No hourly surprises. The price is agreed in writing before any changes are made.
Fixed fee. Credited back if you proceed to implementation.
- 25-point read-only tenant audit
- Written report with findings & risk rating
- Fixed-price remediation plan (no obligation)
- Suitable for insurer / regulator submission
Fixed fee banded by user count. Typical 15-60 user tenants.
- Everything in Audit Only
- Full 25-control implementation across 6 pillars
- Staged rollout — report-only → pilot → enforced
- Full documentation & runbook handover
- Audit fee credited toward implementation
Larger tenants, complex hybrid environments, or scopes outside the standard 6 pillars (e.g. Purview eDiscovery, Defender for Identity, Sentinel) are quoted separately on the same fixed-scope basis.
Compliance alignment
The hardening checklist is built against the ASD Essential Eight and the specific controls your regulator or insurer asks about.
ASD Essential Eight
MFA, application hardening, admin restriction, patching, and logging controls mapped to ML1-ML2 targets.
AFSL & ASIC
Cyber resilience expectations in RG 255 and the ASIC Cyber Pulse surveys — MFA coverage, logging, incident readiness.
TPB
Tax Practitioners Board data security practice notes for tax agents and BAS agents handling client records.
RACGP CISS
Computer and Information Security Standards for general practice — identity, access, backup, and logging controls.
Cyber insurance
Hardening report is structured to answer the controls section of every major AU cyber insurance questionnaire.
Privacy Act 1988
DLP, audit logging, and access controls aligned to Australian Privacy Principles — including the updated breach notification obligations.
Case study
Accounting & Financial Services — 25-user accounting firm, Subiaco
Trigger: Internal AFSL audit flagged missing Conditional Access enforcement and inconsistent MFA coverage. Firm had 90 days to remediate before the next review cycle.
Engagement: Read-only audit in week 1 surfaced 14 of 25 controls as gaps — including legacy auth still allowed, two shared mailboxes with interactive sign-in, and external SharePoint sharing open tenant-wide. Fixed-price remediation quoted at $4,200 + GST.
Delivery: 3-week staged rollout. CA baseline deployed in report-only for 5 days, piloted to the partner group, then enforced tenant-wide. Defender for Business onboarded, DLP policies for TFN and bank account data went live, Secure Score lifted from 38% to 82%.
Outcome: AFSL remediation items closed, evidence pack submitted to compliance. Firm moved onto Security Essentials managed service the following month for ongoing alert monitoring and quarterly Secure Score reviews.
Frequently asked questions
Will this disrupt our users?
Do we need Microsoft 365 E5 licensing?
What about our existing MSP or internal IT team?
How long does the project take?
Is this suitable for AFSL, TPB, RACGP or cyber insurance requirements?
What happens after handover?
Why Support Perth
CSDF certified
Cyber Security Defence Framework, ECU Perth
Microsoft 365 Specialist
Deep expertise in M365 tenant security
Perth-based
Wembley WA, serving Perth metro
No Lock-In
Month-to-month engagement, no long contracts, no offshoring.
Ready to harden your Microsoft 365 tenant?
Book a 20-minute tenant review with Aaron. We'll confirm scope, timeline, and pricing on the call — no obligation and no sales funnel.