Microsoft 365 Security Settings Every Practice Should Enable

Microsoft 365 is the backbone of most dental and medical practices in Australia. Email, Teams, SharePoint, OneDrive, patient communication — it all runs through 365. But out of the box, many of the platform's security features are either off by default or configured in ways that leave practices exposed.

This isn't a criticism of Microsoft. The defaults are designed for ease of adoption, not maximum security. The settings that matter most require a deliberate choice to enable. Here's what we check — and configure — for every practice we work with.

1. Enable Multi-Factor Authentication for all users

This is non-negotiable. Every account in your Microsoft 365 tenant — including shared mailboxes and admin accounts — should require MFA. The easiest way to enforce this is through Security Defaults or Conditional Access policies in Entra ID (formerly Azure AD).

Admin accounts should have stronger MFA — ideally hardware security keys or at minimum the Microsoft Authenticator app with number matching enabled.

2. Enable Microsoft Defender for Office 365

The standard Microsoft 365 email filtering catches known spam and basic threats. Defender for Office 365 adds:

  • Safe Attachments — opens every attachment in a sandbox before delivering it to the user's inbox
  • Safe Links — rewrites and checks URLs in emails at click-time, not just at delivery
  • Anti-phishing policies — detects impersonation attacks, including emails pretending to be your practice principal or a trusted supplier

These features are included in Microsoft 365 Business Premium. If your practice is on a lower plan, this is one of the strongest reasons to upgrade.

3. Configure anti-spoofing and DMARC

Email spoofing lets attackers send emails that appear to come from your domain. Your patients could receive a convincing email from billing@yourpractice.com.au asking for a payment — but it actually came from an attacker.

Three DNS records protect against this:

  • SPF — specifies which servers are authorised to send email on behalf of your domain
  • DKIM — adds a cryptographic signature to outgoing emails, verifying they haven't been tampered with
  • DMARC — tells receiving mail servers what to do with emails that fail SPF/DKIM checks (quarantine or reject)

DMARC is particularly important. Without it, a spoofed email from your domain will be delivered normally to the recipient. With a DMARC policy set to reject, it won't reach their inbox at all.
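As an added example (not from the original post), the following Python reads SPF and DMARC TXT records the way a receiving mail server interprets them and reports the gaps described above. It uses constructed sample records for hypothetical domains rather than live DNS lookups; `yourpractice.com.au` and the `example.com.au` names are placeholders.

```python
# Added example: rate SPF and DMARC records against the settings discussed above.
# The TXT records below are constructed samples standing in for DNS answers.
import re

SAMPLE_TXT = {  # constructed: domain -> list of TXT record strings
    "yourpractice.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.yourpractice.com.au": ["v=DMARC1; p=reject; rua=mailto:dmarc@yourpractice.com.au"],
    "weak.example.com.au": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.weak.example.com.au": ["v=DMARC1; p=none"],
    "nodmarc.example.com.au": ["v=spf1 include:spf.protection.outlook.com ~all"],
}

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_mechanism(record):
    """Return the qualifier on the SPF 'all' mechanism ('-', '~', '?' or '+'), or None."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None
    return match.group(1) or "+"  # a bare 'all' is equivalent to '+all'

def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings; an empty list means SPF and DMARC look sound."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no v=spf1 record published")
    elif spf_all_mechanism(spf[0]) in ("+", "?"):
        findings.append("SPF: 'all' qualifier lets any server send as this domain")
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record; spoofed mail is delivered normally")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; raise to quarantine or reject")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings
```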

4. Disable legacy authentication protocols

Older email protocols — IMAP, POP3, and SMTP using Basic Authentication — accept a username and password alone and don't support MFA. If these are left enabled, an attacker who has obtained a password can bypass MFA entirely by connecting through one of these protocols. Microsoft has been phasing out Basic Auth, but it's worth confirming it's disabled in your tenant rather than assuming.

Block legacy authentication using a Conditional Access policy. This forces all clients to use modern authentication, which supports MFA.

5. Set up mailbox auditing and alert policies

If an account is compromised, you need to know what the attacker did with it. Mailbox auditing records actions such as emails read, deleted, forwarded, and rules created. It should be enabled for all users (it's on by default for newer tenants, but worth verifying).

Alert policies notify you when suspicious activity occurs:

  • A new inbox forwarding rule is created (a common post-compromise action)
  • An unusual volume of emails is deleted
  • A user logs in from an unfamiliar country
  • Multiple failed login attempts occur against an account
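As an added example (not from the original post), the Python below runs the first of these checks over constructed Microsoft 365 unified audit log records: it flags inbox rules and mailbox settings that forward or redirect mail, rating forwarding to an external domain or rules that also delete the message as high severity. The record layout (`Operation`, `UserId`, `Parameters` as name/value pairs) follows the audit log's structure; the records, the domain `practice.com.au` and the addresses are constructed samples.

```python
# Added example: detect mail-forwarding changes in constructed audit log records.
INTERNAL_DOMAINS = {"practice.com.au"}  # assumption: the practice's own domain

# Cmdlet parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

SAMPLE_RECORDS = [  # constructed samples, trimmed to the fields the checks use
    {"Operation": "New-InboxRule", "UserId": "reception@practice.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "invoices@attacker-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "dr.smith@practice.com.au",
     "Parameters": [{"Name": "Name", "Value": "Lab results"},
                    {"Name": "MoveToFolder", "Value": "Labs"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin.jane@practice.com.au",
     "Parameters": [{"Name": "Identity", "Value": "billing@practice.com.au"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:accounts@practice.com.au"}]},
]

def params(record):
    """Flatten the audit record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address):
    """True when the target address is outside the practice's own domains."""
    addr = address.lower().replace("smtp:", "")
    return "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS

def find_forwarding(records):
    """Return one alert per record that forwards or redirects mail."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        p = params(rec)
        targets = [p[name] for name in sorted(FORWARDING_PARAMS) if name in p]
        if not targets:
            continue  # rule does something else, e.g. moves mail to a folder
        external = any(is_external(t) for t in targets)
        deletes = p.get("DeleteMessage", "False").lower() == "true"
        alerts.append({"user": rec["UserId"], "operation": rec["Operation"],
                       "targets": targets,
                       "severity": "high" if external or deletes else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in find_forwarding(SAMPLE_RECORDS):
        print(alert)
```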

6. Review and restrict admin account access

Global Administrator is the most powerful role in Microsoft 365. Whoever holds it can do anything — reset passwords, access all mailboxes, disable security controls. Practices often have too many accounts with Global Admin rights, including accounts that don't need that level of access.

Best practice is:

  • No more than 2–3 Global Admin accounts, and they should not be used for day-to-day email
  • Admin accounts should be separate from regular user accounts (e.g., admin.johndoe@practice.com.au)
  • Use Privileged Identity Management (PIM) to require approval before activating admin roles
  • All admin accounts must have MFA — preferably hardware keys

7. Enable Microsoft Secure Score monitoring

Microsoft Secure Score gives your tenant a security score out of 100 and lists specific actions that would improve it. It's available in the Microsoft Defender portal at no additional cost. While the score isn't a perfect measure of security, it provides a useful ongoing checklist of configuration gaps.

Checking Secure Score regularly — or having your security provider do so — helps catch settings that have drifted from best practice.

The most important thing: Microsoft 365 Business Premium includes nearly all of these features. If your practice is on Business Basic or Business Standard, you're missing Safe Attachments, Safe Links, advanced anti-phishing, and Conditional Access policies. The cost difference between plans is often less than the cost of a single incident.

What about shared mailboxes?

Shared mailboxes — like reception@practice.com.au — should not have direct login enabled unless absolutely necessary. Access should be granted through delegation (each staff member logs in with their own account and accesses the shared mailbox from there), not through shared credentials. If login is required on a shared mailbox, MFA must still apply.

Not sure how your Microsoft 365 tenant is configured?

We review your M365 settings against current best practices as part of our free security audit — including MFA coverage, email protection, admin access, and more.
