Support Perth - IT support in Perth

Microsoft 365 Security Hardening for Perth Businesses

Lock down your M365 tenant against phishing, token theft, and data leaks. Fixed-scope project, Perth-based, no offshoring.

The default M365 tenant isn't secure

Microsoft ships tenants with productivity enabled and security mostly off. Unless someone has explicitly hardened yours, these gaps are almost certainly open right now.

  • Legacy authentication still allowed — bypasses MFA entirely
  • No Conditional Access policies enforcing MFA or device compliance
  • Shared mailboxes signing in interactively with no MFA protection
  • External sharing wide open on SharePoint and OneDrive by default
  • No Defender for Office 365 policies — Safe Links and Safe Attachments unset
  • No DLP policies preventing TFN, credit card or client data leaving the tenant
  • OAuth consent unrestricted — any user can grant third-party apps full mailbox access
  • Break-glass account unprotected — no alerting if it's used, often weak password

These gaps are what cyber insurance questionnaires, AFSL audits, and post-incident forensics consistently find. The good news: every one of them is closable in a defined project, without disrupting your users.
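A read-only check for several of the gaps listed above, as an added example that is not Support Perth's own tooling: it assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module are installed and that the signed-in account holds a read-only role such as Global Reader, and it only reads tenant configuration.

```powershell
# Added example, not Support Perth's own tooling. Read-only checks for the
# default-tenant gaps listed above. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules are installed and the signed-in account
# holds a read-only role such as Global Reader. Nothing here changes state.
Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[string]]::new()
$caPolicies = Get-MgIdentityConditionalAccessPolicy -All

# Gap 1: legacy auth. Look for an enabled CA policy that blocks the
# "other" client app type (basic/legacy protocols that cannot do MFA).
$legacyBlock = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.ClientAppTypes -contains 'other'
}
if (-not $legacyBlock) { $findings.Add('No enabled CA policy blocks legacy authentication') }

# Gap 2: no enabled CA policy requiring MFA at all.
$mfaPolicy = $caPolicies | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $mfaPolicy) { $findings.Add('No enabled CA policy requires MFA') }

# Gap 3: shared mailboxes whose directory account can still sign in.
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited `
    -Properties ExternalDirectoryObjectId
foreach ($mbx in $shared) {
    $u = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property AccountEnabled
    if ($u.AccountEnabled) {
        $findings.Add("Shared mailbox $($mbx.PrimarySmtpAddress) is sign-in enabled")
    }
}

# Gap 4: OAuth consent. The legacy default grant policy lets any user
# consent to any third-party app, including full mailbox scopes.
$authz = Get-MgPolicyAuthorizationPolicy
if ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -match 'user-default-legacy') {
    $findings.Add('User consent to third-party apps is unrestricted')
}

# Governance pillar: unified audit log ingestion must be on for forensics.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    $findings.Add('Unified audit log ingestion is disabled')
}

if ($findings.Count -eq 0) { Write-Output 'No gaps found by these checks' }
$findings | ForEach-Object { Write-Output "GAP: $_" }
```

The SharePoint external sharing and Defender for Office 365 items need the SharePoint Online and Exchange policy cmdlets respectively and are left out here to keep the check short.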

Our hardening checklist

25 controls across six pillars. Every item is scoped, documented, and verified before handover — you receive the full checklist as part of your report.

Identity

Entra ID & access

  • Conditional Access baseline (MFA, device compliance, risk)
  • Block legacy authentication protocols
  • MFA enforced on all users including shared mailboxes
  • PIM for privileged admin roles
  • Break-glass account with alerting & FIDO2 key

Device

Intune compliance

  • Intune device compliance baselines (Windows & macOS)
  • BitLocker / FileVault enforced & key escrow
  • Mobile app protection policies (iOS & Android)
  • Compliant-device-only sign-in for sensitive apps

Email

EOP & Defender for O365

  • Anti-phishing, anti-spam & anti-malware policies tuned
  • Defender for Office 365 Safe Links & Safe Attachments
  • SPF, DKIM & DMARC (p=reject) configured & monitored
  • Impersonation protection for VIPs & trusted domains

Data

SharePoint & OneDrive

  • External sharing locked down (by site, not tenant-wide)
  • Sensitivity labels for client, financial & PII data
  • DLP policies — TFN, credit card, bank account, PII
  • Guest access lifecycle & access reviews

Threat

Defender for Business

  • Defender for Business onboarded on all endpoints
  • Attack Surface Reduction (ASR) rules in block mode
  • Web content filtering & network protection
  • OAuth app governance & risky consent blocking

Governance

Audit & alerting

  • Unified audit log enabled with extended retention
  • Alert policies for risky sign-ins, admin actions, mailbox rules
  • Admin role review & least-privilege remediation
  • Secure Score baseline & 90-day uplift target

Typical engagement

A defined, phased project — not a rolling consulting arrangement. You know exactly what happens, when, and what it costs before we touch your tenant.

Phase 1

Discovery call

20-minute scoping call. We confirm user count, licensing, compliance drivers and timeline.

Day 0 · Free

Phase 2

Read-only audit

We're granted read-only access and audit against all 25 controls. No changes made, no user disruption.

Week 1 · $1,500 + GST

Phase 3

Report & plan

Written report with findings, risk rating, and a fixed-price remediation plan. Yours to keep either way.

Week 2

Phase 4

Implementation

Staged rollout across the six pillars. Report-only first, pilot group next, then full enforcement.

Weeks 2-4

Phase 5

Handover

Full documentation pack, runbooks, and optional transition to Security Essentials managed service.

Week 5

Fixed-scope pricing

No hourly surprises. The price is agreed in writing before any changes are made.

Audit Only
$1,500 + GST

Fixed fee. Credited back if you proceed to implementation.

  • 25-point read-only tenant audit
  • Written report with findings & risk rating
  • Fixed-price remediation plan (no obligation)
  • Suitable for insurer / regulator submission

Most popular

Full Hardening
$2,500 – $6,000 + GST

Fixed fee banded by user count. Typical 15-60 user tenants.

  • Everything in Audit Only
  • Full 25-control implementation across 6 pillars
  • Staged rollout — report-only → pilot → enforced
  • Full documentation & runbook handover
  • Audit fee credited toward implementation

Larger tenants, complex hybrid environments, or scopes outside the standard 6 pillars (e.g. Purview eDiscovery, Defender for Identity, Sentinel) are quoted separately on the same fixed-scope basis.

Compliance alignment

The hardening checklist is built against the ASD Essential Eight and the specific controls your regulator or insurer asks about.

ASD Essential Eight

MFA, application hardening, admin restriction, patching, and logging controls mapped to ML1-ML2 targets.

AFSL & ASIC

Cyber resilience expectations in RG 255 and the ASIC Cyber Pulse surveys — MFA coverage, logging, incident readiness.

TPB

Tax Practitioners Board data security practice notes for tax agents and BAS agents handling client records.

RACGP CISS

Computer and Information Security Standards for general practice — identity, access, backup, and logging controls.

Cyber insurance

The hardening report is structured to answer the controls section of every major AU cyber insurance questionnaire.

Privacy Act 1988

DLP, audit logging, and access controls aligned to Australian Privacy Principles — including the updated breach notification obligations.

Case study

Accounting & Financial Services

25-user accounting firm, Subiaco

Trigger: Internal AFSL audit flagged missing Conditional Access enforcement and inconsistent MFA coverage. Firm had 90 days to remediate before the next review cycle.

Engagement: Read-only audit in week 1 surfaced 14 of 25 controls as gaps — including legacy auth still allowed, two shared mailboxes with interactive sign-in, and external SharePoint sharing open tenant-wide. Fixed-price remediation quoted at $4,200 + GST.

Delivery: 3-week staged rollout. CA baseline deployed in report-only for 5 days, piloted to the partner group, then enforced tenant-wide. Defender for Business onboarded, DLP policies for TFN and bank account data went live, Secure Score lifted from 38% to 82%.

Outcome: AFSL remediation items closed, evidence pack submitted to compliance. Firm moved onto Security Essentials managed service the following month for ongoing alert monitoring and quarterly Secure Score reviews.

Frequently asked questions

Will this disrupt our users?

No. We use a staged rollout — every Conditional Access, MFA, and Defender policy is deployed in report-only mode first, validated against a pilot group, then switched to enforced. Users see a one-off MFA registration prompt and a handful of sign-in changes, but day-to-day email, Teams, and SharePoint work continues uninterrupted.

Do we need Microsoft 365 E5 licensing?

No. Microsoft 365 Business Premium covers roughly 90% of the hardening scope, including Conditional Access, Intune, Defender for Business, Defender for Office 365 Plan 1, and basic DLP. We only recommend stepping up to E3 or E5 add-ons where a specific control (advanced DLP, Purview audit, or Defender for Identity) is required for a compliance obligation. No unnecessary licence upsells.

What about our existing MSP or internal IT team?

Co-managed engagements are common. We run the hardening project as a defined scope of work, hand the tenant back with documentation, and your existing MSP or internal team continues BAU support. We can also stay on afterward as your managed security provider through Security Essentials — your choice, not ours.

How long does the project take?

Typical end-to-end timeline is 3-5 weeks for a 15-60 user tenant. Week 1 is discovery and read-only audit. Week 2 is the written report and remediation plan. Weeks 2-4 are staged implementation across Identity, Device, Email, Data, Threat, and Governance pillars. Final week covers handover, documentation, and optional Security Essentials onboarding.

Is this suitable for AFSL, TPB, RACGP or cyber insurance requirements?

Yes. The hardening checklist is aligned with the ASD Essential Eight and specifically addresses the controls most commonly required by AFSL cyber obligations, TPB data security practice notes, RACGP CISS accreditation, and Australian cyber insurance questionnaires (MFA coverage, CA enforcement, patching, backup, email authentication, logging). You receive a written report suitable for regulator or insurer submission.

What happens after handover?

You own the tenant and the documentation outright. No lock-in, no recurring fee required. If you want ongoing monitoring, alert triage, and quarterly Secure Score reviews, our Security Essentials managed service is priced per-user, month-to-month. Roughly half our hardening clients move onto it. The other half keep internal or existing-MSP ownership — both are fine.

CSDF certified

Cyber Security Defence Framework, ECU Perth

Microsoft 365 Specialist

Deep expertise in M365 tenant security

Perth-based

Wembley WA, serving Perth metro

No Lock-In

Month-to-month engagement, no long contracts, no offshoring.

Ready to harden your Microsoft 365 tenant?

Book a 20-minute tenant review with Aaron. We'll confirm scope, timeline, and pricing on the call — no obligation and no sales funnel.
