
29 Aug
Your Microsoft 365 Security Is Probably Broken: Here's How to Fix It in Under 30 Minutes
Last week, we got a call from a Perth-based accounting firm. Their Microsoft 365 environment had been compromised, and cybercriminals had accessed three years' worth of client financial data. The kicker? The breach could have been prevented with three simple security settings that would have taken less than 30 minutes to configure.
This isn't an isolated incident. We see it constantly—businesses running Microsoft 365 with glaring security holes that are surprisingly easy to fix. The problem isn't that the tools don't exist; it's that most organisations don't know where to look or what to prioritise.
Here's the truth: your Microsoft 365 security is probably broken, and you don't even know it. But the good news is that you can fix the most critical vulnerabilities in the time it takes to grab a coffee.
The Three Security Gaps That Keep Us Up at Night
Gap #1: Multi-Factor Authentication Is Missing (Or Incomplete)
This one drives us crazy. Multi-Factor Authentication (MFA) can block 99.9% of account compromise attacks, yet we still see businesses relying purely on passwords. Even worse, when MFA is enabled, it's often only applied to some users—leaving your most privileged accounts completely exposed.
We once worked with a law firm that had MFA enabled for regular staff but not for their IT administrator. Guess which account got compromised first?
Gap #2: Administrator Accounts Are Sitting Ducks
Admin accounts are like having the master key to your entire digital kingdom. Yet many organisations treat them like regular user accounts. No special protection, no monitoring, no restrictions. It's like leaving your house keys in the front door with a sign saying "please rob me."
Gap #3: Anti-Phishing Protection Is Turned Off
Microsoft 365 comes with powerful anti-phishing tools built right in. Safe Attachments, Safe Links, advanced threat protection—all available out of the box. But they're not enabled by default, so most businesses are running completely unprotected against email-based attacks.
Your 30-Minute Security Fix Checklist
Grab a timer and let's get your Microsoft 365 environment locked down. We're going to tackle these in order of impact—the changes that give you the biggest security boost first.
Minutes 1-10: Enable MFA for Everyone (Yes, Everyone)
Start with Security Defaults—it's Microsoft's quick-win approach that enables MFA for all users with minimal configuration. Here's how:
- Go to Azure Active Directory admin center
- Navigate to Properties → Manage Security Defaults
- Toggle "Enable Security Defaults" to Yes
- Save the changes
For organisations that need more control, set up Conditional Access policies instead. These let you enforce MFA based on user roles, locations, and device compliance. Priority one: make sure every administrator account has MFA enabled with the Microsoft Authenticator app using number matching.
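If you manage more than one tenant, the same Security Defaults toggle is quicker from PowerShell. The script below is an added example, not something from the original post: it uses the Microsoft Graph PowerShell SDK, assumes the Microsoft.Graph module is installed and the signed-in account is allowed to change tenant policies, and reads the setting back afterwards rather than trusting the update call. One caveat worth building in: Security Defaults and Conditional Access are mutually exclusive, so the script refuses to proceed if enabled Conditional Access policies already exist.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph PowerShell
# SDK is installed and the signed-in account may edit tenant policies.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Record the starting state so the change is auditable
$before = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled before: $($before.IsEnabled)"

# Security Defaults cannot be switched on while enabled Conditional Access policies
# exist; in that case MFA should be enforced through Conditional Access instead
$enabledCa = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq "enabled" })
if ($enabledCa.Count -gt 0) {
    Write-Warning "Tenant has $($enabledCa.Count) enabled Conditional Access policies; add an MFA policy there instead of enabling Security Defaults."
    return
}

if (-not $before.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
}

# Read it back: a silent failure here means nobody is protected
$after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if (-not $after.IsEnabled) {
    throw "Security Defaults are still disabled; check the account's role and any Conditional Access policies."
}
Write-Host "Security Defaults enabled after: $($after.IsEnabled)"
```

Once this reports enabled, every user will be prompted to register for MFA within the registration grace period Microsoft allows, so follow it up with the admin-account check in the next section rather than assuming the job is done.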
Minutes 11-20: Lock Down Your Admin Accounts
Your administrator accounts need special treatment. Here's what to do right now:
Create dedicated admin accounts that are separate from daily-use accounts. Your IT manager shouldn't be checking email with the same account they use to manage your entire Microsoft 365 environment.
Enable Privileged Identity Management (PIM) if you have the appropriate licensing. This requires administrators to request elevated access when they need it, rather than having permanent admin rights.
Review your admin roles and apply the principle of least privilege. Most users don't need Global Administrator access—they just need specific roles like Exchange Administrator or SharePoint Administrator.
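To make the admin review concrete, here is an added example (not from the post, and not Microsoft's own tooling) that lists who holds the privileged roles above and cross-checks each of them against the tenant's MFA registration report. It assumes the Microsoft.Graph PowerShell SDK and the Entra ID P1 licence that the registration report requires; the roles beyond the ones the post names are my choice. The output is the list of privileged assignments to fix first.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK and the
# Entra ID P1 licence that the authentication-methods registration report requires.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "AuditLog.Read.All", "User.Read.All"

# The roles the post names, plus two that a compromise commonly pivots through (my choice)
$privilegedRoles = "Global Administrator", "Exchange Administrator", "SharePoint Administrator",
                   "Security Administrator", "User Administrator"

# One row per user in the tenant; IsMfaRegistered is true if any MFA method is registered
$registered = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $registered[$_.UserPrincipalName] = $_.IsMfaRegistered }

# Get-MgDirectoryRole returns roles that have been activated in the tenant with their
# active (standing) members; PIM-eligible assignments do not appear here
$findings = foreach ($role in Get-MgDirectoryRole -All) {
    if ($privilegedRoles -notcontains $role.DisplayName) { continue }
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Members can also be groups or service principals; only users carry a UPN
        $upn = $member.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }
        [pscustomobject]@{
            Role          = $role.DisplayName
            User          = $upn
            MfaRegistered = [bool]$registered[$upn]
        }
    }
}

$findings | Sort-Object MfaRegistered, Role | Format-Table -AutoSize

# Two numbers to drive down: standing Global Administrators, and privileged users without MFA
$ga   = @($findings | Where-Object Role -eq "Global Administrator").Count
$gaps = @($findings | Where-Object { -not $_.MfaRegistered }).Count
Write-Host "Standing Global Administrators: $ga   Privileged assignments without MFA: $gaps"
```

Registration is not the same as enforcement: a user can have an Authenticator app registered and still sign in with only a password if no policy demands MFA, which is why this check belongs alongside Security Defaults or a Conditional Access policy, not instead of them.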
Minutes 21-30: Activate Advanced Threat Protection
Now let's turn on Microsoft's built-in security tools:
Enable Safe Attachments to scan all email attachments and files shared through Teams, SharePoint, and OneDrive. Go to Microsoft 365 Defender → Policies & Rules → Threat Policies → Safe Attachments, and create a policy that applies to all users.
Turn on Safe Links to scan URLs in real-time. Navigate to Safe Links policies and create a new policy that covers email messages and Office applications for all users.
Set up external email tagging so your users can easily identify emails coming from outside your organisation. This simple visual cue can prevent a surprising number of phishing attacks.
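The three portal steps above map to a handful of Exchange Online PowerShell cmdlets, which is useful if you want the change repeatable or want proof afterwards that it took effect. This is an added example, not code from the post: it assumes the ExchangeOnlineManagement module, a Microsoft Defender for Office 365 licence (Safe Attachments and Safe Links are part of that add-on), and an account holding a security or Exchange administrator role. The policy names are my choice.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module, a Defender for Office 365 licence and an Exchange/security admin role.
Connect-ExchangeOnline

# Scope the rules to every accepted domain, i.e. all users in the tenant
$domains = (Get-AcceptedDomain).DomainName

# Safe Attachments for email: detonate attachments and block messages whose attachments fail
New-SafeAttachmentPolicy -Name "All users - Safe Attachments" -Enable $true -Action Block
New-SafeAttachmentRule -Name "All users - Safe Attachments" `
    -SafeAttachmentPolicy "All users - Safe Attachments" -RecipientDomainIs $domains

# Files in SharePoint, OneDrive and Teams are covered by a separate tenant-wide switch
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Safe Links: rewrite and scan URLs in mail, Office apps and Teams; no click-through on a block
New-SafeLinksPolicy -Name "All users - Safe Links" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForOffice $true -EnableSafeLinksForTeams $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "All users - Safe Links" `
    -SafeLinksPolicy "All users - Safe Links" -RecipientDomainIs $domains

# External sender tagging in Outlook clients
Set-ExternalInOutlook -Enabled $true

# Read everything back: a rule whose State is not Enabled protects nobody
Get-SafeAttachmentRule | Format-Table Name, State, RecipientDomainIs
Get-SafeLinksRule      | Format-Table Name, State, RecipientDomainIs
Get-ExternalInOutlook  | Format-Table Enabled
```

The verification lines at the end matter more than they look: a policy with no rule attached, or a rule left disabled, shows up in the portal as "configured" while doing nothing.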
Beyond the 30-Minute Fix: Next-Level Security
Once you've tackled the immediate vulnerabilities, here are the next steps to take your Microsoft 365 security to the next level:
Implement Conditional Access Policies
These policies automatically assess risk and respond accordingly. Set up policies that require additional authentication for logins from unusual locations, block access from non-compliant devices, or require managed devices for sensitive applications.
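As an added example of what such a policy looks like in practice (my code, not the post's), the script below creates a Conditional Access policy requiring MFA for the administrator roles named earlier, using the Microsoft Graph PowerShell SDK. It assumes that module and an account allowed to manage Conditional Access; `breakglass@contoso.example` is a placeholder for your emergency access account. Two practitioner habits are built in: the policy starts in report-only mode so you can review the sign-in logs before enforcing it, and an emergency access account is excluded so a mistake cannot lock every administrator out.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK and an
# account that may manage Conditional Access. 'breakglass@contoso.example' is a
# placeholder for your emergency access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "User.Read.All"

# Resolve role template IDs by display name instead of hard-coding GUIDs
$roleNames = "Global Administrator", "Exchange Administrator", "SharePoint Administrator"
$roleIds = @(Get-MgDirectoryRoleTemplate -All |
    Where-Object { $roleNames -contains $_.DisplayName } |
    ForEach-Object { $_.Id })
if ($roleIds.Count -ne $roleNames.Count) { throw "Could not resolve every role template by name" }

# Always exclude an emergency access account from policies that could block admins
$breakGlass = Get-MgUser -UserId "breakglass@contoso.example"

$policy = @{
    displayName = "Require MFA for administrators"
    # Report-only first; change to "enabled" after reviewing sign-in logs for unexpected blocks
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

The same shape, with different conditions (named locations, device compliance, specific applications), covers the other scenarios mentioned above; what stays constant is the report-only trial and the break-glass exclusion.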
Deploy Data Loss Prevention (DLP)
Configure DLP policies to identify and protect sensitive information like credit card numbers, social security numbers, or confidential business data. These policies can automatically encrypt sensitive emails or block them from being sent to external recipients.
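Here is an added example (not from the post) of the simplest useful DLP policy: block email containing credit card numbers when it is addressed outside the organisation, using Security & Compliance PowerShell. It assumes the ExchangeOnlineManagement module (which provides `Connect-IPPSSession`) and a Compliance Administrator role, and it starts the policy in test mode with notifications so users see the policy tip and you can review matches before anything is blocked. The policy and rule names are my choice; "Credit Card Number" is one of Microsoft's built-in sensitive information types.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module (Connect-IPPSSession is part of it) and a Compliance Administrator role.
Connect-IPPSSession

$policyName = "Credit card data - external recipients"

# Test mode with notifications: users see the policy tip, but nothing is blocked yet
New-DlpCompliancePolicy -Name $policyName -ExchangeLocation All -Mode TestWithNotifications

# Built-in sensitive information type; only act when the content leaves the organisation
New-DlpComplianceRule -Name "Block credit card numbers to external recipients" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization -BlockAccess $true -NotifyUser Owner

# After reviewing matches in the compliance portal, enforce it with:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
Get-DlpCompliancePolicy -Identity $policyName | Format-Table Name, Mode, ExchangeLocation
```

Test mode is not a formality: a credit card detector will also match some invoice and order numbers, and you want to see those false positives before a blocked email is the first your sales team hears of the policy.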
Enable Message Encryption
Protect sensitive communications across Teams, email, and file sharing. Message encryption ensures that only authorised recipients can read your sensitive business communications, even if they're intercepted.
What If You're Already Compromised?
If you suspect an account has been compromised, Microsoft provides a dedicated tool specifically for this situation. Access it through admin.microsoft.com and search for "compromised account." This tool runs automated tests to identify suspicious activity and provides specific remediation steps based on what it finds.
The tool will check for things like unusual login locations, forwarding rules that redirect email to external accounts, and permission changes that might indicate unauthorised access.
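Of the checks that tool performs, external forwarding is the one most worth being able to run yourself at any time, because a forwarding rule quietly planted in a mailbox keeps leaking mail long after the password has been reset. The script below is an added example (mine, not the post's and not Microsoft's tool) that walks every mailbox, looks at mailbox-level forwarding and every inbox rule, and reports anything that forwards or redirects to a domain the tenant does not own. It assumes the ExchangeOnlineManagement module and a role that can read all mailboxes.

```powershell
# Added example, not from the original post or Microsoft's compromised-account tool.
# Assumes the ExchangeOnlineManagement module and a role that can read all mailboxes.
Connect-ExchangeOnline

# Anything not addressed to one of our accepted domains counts as external
$internalDomains = (Get-AcceptedDomain).DomainName

function Test-ExternalTarget {
    # Rule targets look like '"Name" [SMTP:user@example.net]' for external recipients,
    # while internal recipients carry an EX: legacy DN; ForwardingSmtpAddress is 'smtp:user@domain'
    param([string[]]$Targets)
    foreach ($t in @($Targets)) {
        if ($t -match 'SMTP:([^\]\s]+)') {
            $domain = ($Matches[1] -split '@')[-1]
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress) {
    # Mailbox-level forwarding, whether set by an admin or through Outlook settings
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalTarget $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = "MailboxForwarding"; Target = $mbx.ForwardingSmtpAddress }
    }
    # Inbox rules that forward, forward as attachment, or redirect outside the organisation
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        if (Test-ExternalTarget $targets) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = "InboxRule: $($rule.Name)"; Target = ($targets -join '; ') }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { Write-Host "No external forwarding found." }
```

Expect some legitimate hits (a shared mailbox forwarding to a ticketing system, for instance); the point is that every entry in the list should have an owner who can explain it. Running this monthly, alongside the review suggested at the end of the article, turns a one-off incident check into a routine control.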
Why Most Businesses Skip These Steps
We see the same pattern over and over: businesses know security is important, but they don't prioritise it until something goes wrong. There are usually three reasons for this:
- They think it's complicated: It's not. These fixes are straightforward and designed for non-technical users.
- They assume they're not a target: Every business is a target. Cybercriminals use automated tools that don't discriminate based on company size.
- They're worried about user pushback: Yes, MFA adds an extra step to login. But it's a small inconvenience compared to explaining to your clients that their data has been stolen.
The Real Cost of Waiting
That accounting firm we mentioned earlier? The breach cost them $127,000 in incident response, regulatory fines, and lost business. Their insurance covered some of it, but not the reputation damage or the three months they spent rebuilding client trust.
The manufacturing company whose server died (from our previous blog post) lost $50,000 because they didn't have proper backups. But businesses with compromised Microsoft 365 accounts often face much higher costs because of the sheer amount of sensitive data at risk.
We've seen companies lose customer lists, financial records, legal documents, and intellectual property—all because they didn't spend 30 minutes configuring basic security settings.
Getting Professional Help
While these 30-minute fixes will dramatically improve your security posture, they're just the beginning. A comprehensive security strategy includes regular security assessments, incident response planning, and ongoing monitoring for threats.
At Katalyst IT, we've been helping Perth businesses secure their Microsoft 365 environments for years. We know which settings matter most, how to balance security with usability, and how to implement protections that actually work in the real world. If you'd like help developing a comprehensive security strategy, you can learn more about our cybersecurity services.
But don't wait for professional help to start. The fixes in this article can be implemented right now, and they'll provide immediate protection against the most common attack vectors we see.
Take Action Today
Here's what we want you to do after reading this article:
- Set aside 30 minutes today (not next week, not next month—today)
- Follow the checklist above in order
- Test your MFA setup with a few users to make sure it's working properly
- Schedule a monthly review to check for new security recommendations
Your Microsoft 365 security doesn't have to be perfect, but it needs to be better than it is right now. These 30 minutes of work could save you thousands of dollars and months of headaches down the road.
Don't become another cautionary tale. Fix your security today.