I recently helped a friend audit their company’s Microsoft 365 setup. 40 users, Business Premium plan, running for 3 years. What I found was terrifying: MFA wasn’t enforced, Conditional Access wasn’t configured, audit logging was disabled, and SharePoint had sites shared with “Everyone except external users.”
This isn’t unusual. Microsoft 365 includes powerful security features, but most of them are turned off by default. Here’s what you need to check — and how to fix it.
1. Multi-Factor Authentication (MFA)
If you do nothing else, do this. MFA blocks 99.9% of automated account compromise attacks (Microsoft’s own data). Yet I regularly find Singapore companies where MFA is only enabled for admins — or not at all.
How to check: Go to Azure AD → Security → Authentication methods. Look at the MFA registration completion rate. If it’s not 100%, you have a problem.
How to fix: Enable Security Defaults (free, all plans) or configure Conditional Access (Business Premium/E3+) to require MFA for all sign-ins.
2. Conditional Access Policies
MFA is step one. Conditional Access is step two. It lets you define rules like:
- Block sign-ins from countries where you have no employees
- Require compliant devices for accessing sensitive data
- Force re-authentication for risky sign-ins (impossible travel, new devices)
- Block legacy authentication protocols that bypass MFA entirely
Minimum baseline: Create three policies: (1) block legacy auth, (2) require MFA for all users, (3) block sign-ins from high-risk countries. This takes 30 minutes and dramatically reduces your attack surface.
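To make the baseline checkable rather than a list of portal clicks, here is an added example (not code from the article) that classifies a tenant's Conditional Access policies, written in the Microsoft Graph conditionalAccessPolicy shape, against the three baseline controls and reports which are missing or only in report-only mode. The tenant policies are constructed inline; in practice they would come from GET /identity/conditionalAccess/policies.

```python
# Added example: check Conditional Access policies against the three-policy baseline.
# Policy objects follow the Microsoft Graph conditionalAccessPolicy shape and are
# constructed inline here rather than read from the tenant.
BASELINE = ("block_legacy_auth", "require_mfa_all_users", "block_risky_countries")

def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))

def classify(policy):
    """Return the baseline control this policy implements, or None if it implements none."""
    cond = policy.get("conditions", {})
    if "All" not in cond.get("users", {}).get("includeUsers", []):
        return None  # scoped to a subset of users: does not meet the baseline
    if "All" not in cond.get("applications", {}).get("includeApplications", []):
        return None
    client_apps = set(cond.get("clientAppTypes", []))
    locations = cond.get("locations", {}).get("includeLocations", [])
    if "block" in _controls(policy) and {"exchangeActiveSync", "other"} <= client_apps:
        return "block_legacy_auth"
    if "block" in _controls(policy) and locations and locations != ["All"]:
        return "block_risky_countries"  # named (country) locations are referenced by id
    if "mfa" in _controls(policy) and not locations:
        return "require_mfa_all_users"
    return None

def baseline_gaps(policies):
    """Return (missing, report_only): controls with no enforced policy, and controls
    that exist only in report-only mode, which logs decisions but enforces nothing."""
    enforced = {classify(p) for p in policies if p.get("state") == "enabled"}
    report_only = {classify(p) for p in policies
                   if p.get("state") == "enabledForReportingButNotEnforced"}
    missing = [b for b in BASELINE if b not in enforced]
    return missing, [b for b in BASELINE if b in report_only and b not in enforced]

# Constructed tenant: legacy auth blocked, MFA policy left in report-only, no geo-block.
TENANT_POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
```

Run `baseline_gaps(TENANT_POLICIES)` and the MFA policy shows up as report-only: a common state for a policy someone created "to test" and never switched on.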
3. Microsoft Defender for Office 365
Business Premium includes Defender for Office 365, but the default configuration is weak. You need to enable:
- Safe Attachments — detonates email attachments in a sandbox before delivery
- Safe Links — rewrites URLs and checks them at click time (not just send time)
- Anti-phishing policies — impersonation protection for executives and domains
For businesses that want deeper email security, Barracuda Email Protection adds AI-powered anti-phishing, BEC detection, and security awareness training on top of what Defender provides. It integrates via API — no MX record changes needed.
4. Data Loss Prevention (DLP)
DLP prevents sensitive data from being shared externally. In Singapore, this is especially important for PDPA compliance. You can create policies that:
- Block emails containing NRIC numbers from being sent to external recipients
- Warn users when sharing files containing credit card numbers on SharePoint
- Prevent sensitive documents from being uploaded to personal OneDrive
How to check: Microsoft Purview → Data loss prevention → Policies. If the list is empty, you have no DLP protection.
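A DLP rule for NRIC numbers should not stop at the letter-seven-digits-letter pattern; the check letter lets it drop look-alike reference numbers. Here is an added example (not the article's or Microsoft's code) that finds checksum-valid NRIC/FIN values in a constructed message body and masks them, covering the S/T and F/G prefixes only.

```python
import re

# NRIC/FIN check-digit scheme for the S/T (NRIC) and F/G (FIN) prefixes. The M prefix
# introduced in 2022 uses a different table and is not handled here.
_WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
_CHECK_TABLE = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
_OFFSET = {"S": 0, "T": 4, "F": 0, "G": 4}
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")

def nric_is_valid(candidate):
    """True if a 9-character candidate carries the correct check letter."""
    if len(candidate) != 9 or candidate[0] not in _CHECK_TABLE or not candidate[1:8].isdigit():
        return False
    total = sum(w * int(d) for w, d in zip(_WEIGHTS, candidate[1:8])) + _OFFSET[candidate[0]]
    return _CHECK_TABLE[candidate[0]][total % 11] == candidate[8]

def find_nrics(text):
    """Return the checksum-valid NRIC/FIN values in text: the matches a DLP rule acts on."""
    return [m.group(0) for m in NRIC_RE.finditer(text) if nric_is_valid(m.group(0))]

def redact_nrics(text):
    """Mask valid values, keeping the prefix and the last three digits plus check letter."""
    def mask(m):
        value = m.group(0)
        return value[0] + "XXXX" + value[5:] if nric_is_valid(value) else value
    return NRIC_RE.sub(mask, text)

# Constructed message body: two valid identifiers and one that matches the pattern
# but fails the checksum (an internal reference), which pattern matching alone would flag.
SAMPLE_EMAIL = ("Applicant S1234567D (FIN of spouse: F1234567N). "
                "Internal ticket S7654321A is unrelated.")
```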
5. Audit Logging
When a security incident happens, the first question is: “What did the attacker access?” If audit logging isn’t enabled, the answer is: “We don’t know.”
Audit logging is available on all business plans but not always enabled by default. And the default retention is only 180 days on standard plans.
How to fix: Microsoft Purview → Audit → Enable audit logging. Extend retention to at least 12 months. Set up alerts for suspicious activities: mass file downloads, mailbox forwarding rules, admin role changes.
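The three alerts above are straightforward to express over exported audit records. Here is an added example (not code from the article) that runs them over constructed records in the shape of Unified Audit Log AuditData: a new inbox rule that forwards mail, a directory role assignment, and a burst of file downloads by one user; the timestamps, users and addresses are made up.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in Unified Audit Log AuditData shape, one JSON object per line;
# real records carry many more fields than the ones these detections read.
SAMPLE_LOG = "\n".join([
    json.dumps({"CreationTime": "2024-03-01T09:12:00", "Workload": "Exchange",
                "Operation": "New-InboxRule", "UserId": "alice@contoso.example",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "mail@external.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2024-03-01T09:40:00", "Workload": "AzureActiveDirectory",
                "Operation": "Add member to role.", "UserId": "admin@contoso.example",
                "ObjectId": "bob@contoso.example"}),
] + [json.dumps({"CreationTime": f"2024-03-01T11:{i:02d}:00", "Workload": "SharePoint",
                 "Operation": "FileDownloaded", "UserId": "carol@contoso.example"})
     for i in range(60)])

# Inbox-rule parameters that send a copy of mail outside the mailbox.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}

def detect(log_text, download_threshold=50, window=timedelta(hours=1)):
    """Return (rule, user, detail) alerts for the three activities named in the article."""
    alerts, downloads = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = json.loads(line)
        op, user = rec.get("Operation", ""), rec.get("UserId", "")
        if op in ("New-InboxRule", "Set-InboxRule"):
            targets = [p["Value"] for p in rec.get("Parameters", [])
                       if p.get("Name") in FORWARD_PARAMS]
            if targets:
                alerts.append(("mailbox_forwarding_rule", user, ",".join(targets)))
        elif op == "Add member to role.":
            alerts.append(("admin_role_change", user, rec.get("ObjectId", "")))
        elif op == "FileDownloaded":
            downloads[user].append(datetime.fromisoformat(rec["CreationTime"]))
    # Sliding window over each user's download timestamps; alert once per user.
    for user, times in downloads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= download_threshold:
                alerts.append(("mass_file_download", user,
                               f"{end - start + 1} downloads within {window}"))
                break
    return alerts
```

The threshold and window are starting points; tune them against a normal week of your own tenant's downloads before turning the alert on.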
6. SharePoint Permissions
This is the silent threat. Over years, SharePoint permissions accumulate like technical debt. Sites created with “Everyone” access still exist. Shared links from old projects remain active. Former employees’ access persists through nested groups.
This matters even more now because of Microsoft Copilot. When you deploy Copilot, it can access everything your users can access. If permissions are broken, Copilot will surface confidential documents to the wrong people.
If you’re considering Copilot, do a permissions audit first. Sakal Network’s Copilot Readiness Checklist covers exactly what to audit before activation.
7. Microsoft Secure Score
Microsoft provides a built-in security scorecard: Secure Score. It grades your tenant’s security configuration and recommends specific improvements.
How to check: security.microsoft.com → Secure Score. Most Singapore SMEs I’ve seen score between 30 and 50 out of 100. A well-configured tenant should be 70+.
Each recommendation in Secure Score tells you exactly what to enable and how much it improves your score. Work through them systematically — start with the highest-impact, lowest-effort items.
Don’t DIY If You’re Not Sure
If this article made you realize you have gaps, that’s good — awareness is the first step. But misconfiguring security policies can lock users out or break email flow. If you’re not confident, get help.
Sakal Network provides Microsoft 365 security assessments for Singapore businesses. They check your Secure Score, audit your configurations, and deliver a prioritised action plan. It’s the fastest way to go from “probably insecure” to “properly locked down.”
They also offer an M365 Security Audit package on their shop for SGD $2,000 if you want a fixed-scope assessment.
Either way — check your settings. Today. Before someone else does.