Belton IT Nexus · Est. 2004 · Newmarket, Auckland

Microsoft 365 Security Checklist

The essential security controls every M365 tenant should have configured. Default settings prioritise ease of use over security. This is what to check, and why it matters.

  • Identity: your new perimeter
  • Email: the primary attack vector
  • Data: sharing and audit controls
  • 99.9% of takeovers stopped by MFA

Most Microsoft 365 tenants have security gaps. Default configurations prioritise ease of use over security. Features that should be enabled are off. Settings that should be restricted are wide open. This guide covers what to check, and why it matters.

Identity is your perimeter

The old security model protected the network edge. Firewalls, intrusion detection, perimeter defences. That model assumed your data lived inside your building and attackers came from outside.

With M365, your data lives in the cloud. Your users sign in from home, from client sites, from airports. The perimeter is now the login screen. If an attacker gets valid credentials, they walk straight into your environment like a legitimate user.

Multi-factor authentication stops 99.9% of account compromise attacks. It should be mandatory for every user, no exceptions. Use the Microsoft Authenticator app or hardware security keys. SMS codes are better than nothing but weaker against sophisticated attacks.

Legacy (basic) authentication over protocols like IMAP, POP3 and SMTP cannot use MFA at all: the client sends a username and password and nothing else. Attackers know this and specifically target these protocols. Block them completely unless you have a documented business requirement and compensating controls.

Admin accounts need extra protection. Use separate accounts for administrative tasks, never your daily email account. Require phishing-resistant MFA. Consider privileged access workstations for Global Admin activities. If an attacker compromises a Global Admin, they own your entire tenant.

Quick checks

  • MFA enabled for all users including external guests
  • Legacy authentication blocked via Conditional Access
  • Separate admin accounts, not daily-use accounts
  • Conditional Access policies for risky sign-ins and locations
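As an added illustration (not code from the original page), the two Conditional Access checks above written as a Python audit over policy objects shaped like Microsoft Graph's conditionalAccessPolicy; the sample policies, their names and the break-glass object id are constructed. It also surfaces the common pitfall of a "block legacy auth" policy left in report-only mode, which enforces nothing.

```python
"""Audit Conditional Access policies for two of the identity checks: MFA for all
users and legacy authentication blocked. SAMPLE_POLICIES are constructed and only
shaped like Microsoft Graph conditionalAccessPolicy objects."""

LEGACY_CLIENT_TYPES = {"exchangeActiveSync", "other"}  # how legacy clients appear in Graph

def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))

def _client_apps(policy):
    return set(policy.get("conditions", {}).get("clientAppTypes", []))

def _targets_all_users(policy):
    return "All" in policy.get("conditions", {}).get("users", {}).get("includeUsers", [])

def blocks_legacy_auth(policy):
    """Enforced, all users in scope, both legacy client types targeted, grant control = block."""
    return (policy.get("state") == "enabled" and _targets_all_users(policy)
            and LEGACY_CLIENT_TYPES <= _client_apps(policy) and "block" in _controls(policy))

def requires_mfa(policy):
    """Enforced, all users in scope, grant control = mfa, not scoped only to legacy clients."""
    return (policy.get("state") == "enabled" and _targets_all_users(policy)
            and "mfa" in _controls(policy) and not _client_apps(policy) <= LEGACY_CLIENT_TYPES)

def assess(policies):
    """Tenant-level summary. Report-only policies are listed because they enforce nothing,
    and MFA exclusions are listed so break-glass accounts can be confirmed as the only gap."""
    return {
        "legacy_auth_blocked": any(blocks_legacy_auth(p) for p in policies),
        "mfa_for_all_users": any(requires_mfa(p) for p in policies),
        "report_only": [p["displayName"] for p in policies
                        if p.get("state") == "enabledForReportingButNotEnforced"],
        "mfa_exclusions": sorted({u for p in policies if requires_mfa(p)
                                  for u in p["conditions"]["users"].get("excludeUsers", [])}),
    }

SAMPLE_POLICIES = [  # constructed sample data, placeholder ids
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-object-id"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]
```

Against the sample tenant, `assess` reports MFA enforced but legacy authentication not blocked, because the blocking policy is in report-only state.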

Email remains the primary attack vector

Despite decades of security investment, email is still how most attacks start. Phishing, business email compromise, malware attachments. Your M365 email configuration determines how much protection stands between your users and these threats.

Start with email authentication. SPF records tell the world which servers can send mail from your domain. DKIM adds cryptographic signatures proving emails genuinely came from you. DMARC tells receiving servers what to do when emails fail these checks. Together, they prevent attackers from spoofing your domain to attack your clients, partners and your own staff. If you have not configured these, attackers can send emails that appear to come from your CEO.
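An added example (not from the original page) that grades SPF and DMARC TXT records the way a reviewer would when checking these controls: it flags soft-fail or missing `all` terminators, the RFC 7208 ten-lookup limit that silently breaks SPF when many `include:` entries accumulate, and DMARC records that only monitor. The sample records use the placeholder domain example.com; a live check would fetch `<domain> TXT` and `_dmarc.<domain> TXT` from DNS.

```python
"""Grade SPF and DMARC TXT records against the guidance above. Sample records are
constructed for the placeholder domain example.com, not live DNS answers."""
import re

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)

def assess_spf(record):
    """Return a list of weaknesses; an empty list means the record is strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record (must start with v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last == "~all":
        findings.append("~all: spoofed mail is only soft-failed, not rejected")
    elif last in ("?all", "+all", "all"):
        findings.append(f"{last}: any sender passes SPF, the record is ineffective")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism; unlisted senders are not failed")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10")
    return findings

def parse_dmarc_tags(record):
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x'}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {key.strip().lower(): value.strip() for key, value in pairs}

def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means receivers will reject spoofed mail."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once aggregate reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    return findings

GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
WEAK_DMARC = "v=DMARC1; p=none"
```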

Auto-forwarding rules are a favourite persistence mechanism for attackers. They compromise an account, set up a forwarding rule to an external address, then quietly collect emails for weeks or months. The user never notices because mail still arrives normally. Block external auto-forwarding at the tenant level and regularly audit inbox rules.
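The inbox-rule audit described above, as an added example that is not part of the original page: it runs over a Unified Audit Log export and reports any New-InboxRule or Set-InboxRule event whose ForwardTo, ForwardAsAttachmentTo or RedirectTo parameter points outside the tenant's accepted domains, noting when the same rule also deletes or hides the messages. The records, users and domains are constructed placeholders shaped like Exchange admin audit entries.

```python
"""Flag inbox rules that forward or redirect mail outside the organisation, working
from Unified Audit Log exports. The records below are constructed and only shaped
like Exchange admin audit entries (Operation, UserId, Parameters as Name/Value
pairs); the users and domains are placeholders."""
import json
import re

INTERNAL_DOMAINS = {"example.com"}          # placeholder: your tenant's accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDING_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}  # rule also hides the mail
_ADDRESS = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_addresses(value):
    """Pull external addresses out of a rule parameter however it is rendered
    ('smtp:a@x.example', 'Name <a@x.example>', 'a@x.example;b@y.example')."""
    return sorted({a.lower() for a in _ADDRESS.findall(str(value))
                   if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS})

def flag_external_forwarding(records):
    """Return one finding per New-/Set-InboxRule that sends mail to an external address."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = sorted({a for name in params.keys() & FORWARD_PARAMS
                           for a in external_addresses(params[name])})
        if external:
            findings.append({"time": rec.get("CreationTime"), "user": rec.get("UserId"),
                             "rule": params.get("Name") or params.get("Identity"),
                             "external": external,
                             "hides_mail": bool(params.keys() & HIDING_PARAMS)})
    return findings

# Constructed audit export, one JSON record per line (placeholder users and domains).
SAMPLE_EXPORT = """\
{"CreationTime":"2024-05-02T01:13:09","Operation":"New-InboxRule","UserId":"j.smith@example.com","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"External Archive <collector@mail-drop.example>"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2024-05-02T09:40:51","Operation":"Set-InboxRule","UserId":"a.lee@example.com","Parameters":[{"Name":"Identity","Value":"Team copy"},{"Name":"ForwardTo","Value":"smtp:finance@example.com"}]}
{"CreationTime":"2024-05-02T09:41:02","Operation":"UserLoggedIn","UserId":"a.lee@example.com"}
"""
SAMPLE_RECORDS = [json.loads(line) for line in SAMPLE_EXPORT.splitlines()]
```

Only the first record is reported: the second forwards to an internal mailbox and the third is not a rule change at all.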

Microsoft Defender for Office 365 adds Safe Links and Safe Attachments. Safe Links rewrites URLs and checks them at time of click, catching phishing links that were clean when delivered but weaponised later. Safe Attachments detonates suspicious files in a sandbox before delivery, catching malware that signature-based scanning misses. Anti-phishing policies protect against impersonation of executives and trusted partners. Configure all of these.

Protecting your data

M365 makes sharing easy. Sometimes too easy. Default settings often allow users to share documents with anyone, create anonymous links, invite external guests without approval. This flexibility is great for collaboration but creates data exposure risks if not properly controlled.

Audit your OneDrive and SharePoint sharing settings. Can users share with anyone on the internet? Can they create links that work without signing in? Can external guests access your Teams channels? The answers should align with your business requirements and risk tolerance, not Microsoft's out-of-box defaults.

The Unified Audit Log captures all user and admin activity across your M365 tenant. It is essential for incident investigation and compliance evidence. Make sure it is enabled and retention is set appropriately for your industry requirements.

Drill down §01: Data protection controls

What to lock down

Review OneDrive and SharePoint sharing policies. Restrict external sharing to approved domains where possible. Disable anonymous "anyone with the link" sharing, or at minimum set short expiration dates. Require guests to authenticate. Regularly review and remove stale external sharing.

Use Intune to define what a compliant device looks like: encrypted storage, screen lock PIN, up-to-date operating system, approved security software. Then use Conditional Access to block access from non-compliant or unmanaged devices. Your data should not be accessible from an unpatched personal laptop with no security controls.

DLP policies scan content for sensitive information like credit card numbers, tax file numbers, health records, or your own custom patterns. Configure policies to warn users, require justification, or block sharing of sensitive content outside your organisation. Start with detection mode to understand your data flows before enabling blocking.

The Unified Audit Log is your forensic record of everything that happens in your tenant. Enable it, extend retention beyond the default 90 days, and know how to search it before you need to. When an incident occurs, these logs are how you understand what happened.

In practice §02: Where the gaps hide

Three pillars

  • 01 / Identity: the login is the perimeter. MFA for every user, legacy authentication blocked, separate admin accounts and Conditional Access for risky sign-ins. The single biggest lever against account takeover.
  • 02 / Email: close the front door. SPF, DKIM and DMARC configured, external auto-forwarding blocked, and Defender Safe Links and Safe Attachments switched on against phishing and malware.
  • 03 / Data: control the sprawl. Sharing settings tightened, device compliance enforced, DLP applied to sensitive content, and the Unified Audit Log enabled with proper retention.

See your real M365 posture.

A no-obligation discovery & security session. We review your Microsoft 365 tenant against these controls, name the gaps, and give you a clear path to close them.

New Zealand owned & operated, est. 2004. Sovereign by design.

New Zealand owned and operated.

Sovereign data centres across New Zealand and Australia, with your data kept onshore wherever it's required. Our team understands New Zealand, and our leaders have built, scaled and secured businesses right across the New Zealand landscape.

Sovereign data centres · New Zealand & Australia
  • Auckland
  • Christchurch
  • Sydney
  • Melbourne
  • Brisbane
  • Perth
International data-centre operations
  • Singapore
  • Germany
  • Netherlands
  • USA
