
Microsoft 365 Security Hardening: 20 Settings Every Australian Business Should Change Today

The practical security guide your Microsoft admin didn’t know you needed

Published by All IT Services | March 2026


Your Microsoft 365 tenant is probably less secure than you think

Microsoft 365 is the backbone of most Australian businesses. Email, file storage, collaboration, video conferencing, identity management — it all runs through your M365 tenant. And Microsoft ships Microsoft 365 with default settings that prioritise ease of use over security.

The good news is that most security improvements are already included in your licence — you just need to turn them on. This guide walks through 20 specific settings that every Australian business should address.


The critical five — do these first

1. Enforce multi-factor authentication for all users

The single most important security control. Configure in Microsoft Entra ID > Security > Authentication methods. Use Conditional Access policies to enforce MFA for all users, all applications, all locations. Use Microsoft Authenticator with number matching. Avoid SMS-based MFA where possible.

2. Block legacy authentication protocols

Legacy authentication protocols (POP3, IMAP, SMTP AUTH) rely on basic authentication and cannot enforce MFA, so leaving them open undoes item 1. Create a Conditional Access policy that blocks legacy authentication for all users and cloud apps.

3. Configure Conditional Access policies

At minimum: require MFA for all users, block legacy auth, require compliant devices for sensitive data, block risky locations, require MFA for all admin actions.
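The following is an added example (not from the original article) showing how items 2 and 3 can be created as Conditional Access policies with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that you know the object ID of your emergency-access (break-glass) account; the GUID shown is a placeholder. Both policies are created in report-only mode so the sign-in logs can be reviewed before they are enforced.

```powershell
# Added example: two baseline Conditional Access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph module and a Conditional Access administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the emergency-access account that must never be locked out.
$breakGlass = "00000000-0000-0000-0000-000000000000"

# Policy A: require MFA for all users, all cloud apps, all locations.
$requireMfa = @{
    displayName   = "BASELINE - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing report-only results
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy B: block legacy authentication. "other" covers basic-auth clients
# (POP3, IMAP, SMTP AUTH), which can never satisfy an MFA requirement.
$blockLegacy = @{
    displayName   = "BASELINE - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Create each policy only if one with the same name does not already exist.
foreach ($policy in @($requireMfa, $blockLegacy)) {
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($policy.displayName)'"
    if ($existing) {
        Write-Host "Already exists: $($policy.displayName)"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Leave the policies in report-only mode for at least a week, check the Conditional Access insights workbook for users and apps that would have been blocked (service accounts using IMAP are the usual surprise), then switch state to "enabled".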

4. Enable Security Defaults (if you don’t have Conditional Access)

If your licence doesn’t include Conditional Access, enable Security Defaults as a minimum baseline. Note: Security Defaults and custom Conditional Access are mutually exclusive.

5. Secure administrator accounts

Create dedicated admin accounts separate from day-to-day accounts. Limit Global Admins to two to four. Enforce phishing-resistant MFA. Enable Privileged Identity Management (PIM) if your licence supports it.


The important ten — do these next

6. Configure email authentication (DMARC, DKIM, SPF)

Prevents email spoofing. SPF lists authorised sending servers. DKIM adds cryptographic signatures. DMARC tells receivers what to do with failures. Start with DMARC p=none, move to p=quarantine, then p=reject. The ACSC specifically recommends DMARC.
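As an added example (not from the original article), the script below enables DKIM signing for a domain in Exchange Online and checks the SPF and DMARC records published in DNS, reporting where the DMARC policy sits on the none, quarantine, reject ladder. It assumes the ExchangeOnlineManagement module and Windows' Resolve-DnsName cmdlet are available; "example.com.au" is a placeholder for your own domain.

```powershell
# Added example: enable DKIM and check SPF/DMARC for one domain.
Connect-ExchangeOnline

$domain = "example.com.au"   # placeholder: your sending domain

function Get-TxtRecord([string]$Name) {
    # Helper: return each TXT record for a name with its string chunks joined, or nothing
    $rr = Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue
    if ($rr) { $rr | ForEach-Object { $_.Strings -join "" } }
}

# --- SPF: must list Microsoft 365 as an authorised sender and end with a hard fail ---
$spf = Get-TxtRecord $domain | Where-Object { $_ -like "v=spf1*" }
if (-not $spf) {
    Write-Warning "No SPF record for $domain"
} elseif ($spf -notmatch "include:spf\.protection\.outlook\.com") {
    Write-Warning "SPF does not include Microsoft 365: $spf"
} elseif ($spf -notmatch "-all$") {
    Write-Warning "SPF ends with soft fail or neutral; prefer -all: $spf"
} else {
    Write-Host "SPF OK: $spf"
}

# --- DMARC: read the p= tag and say what the next step on the ladder is ---
$dmarc = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like "v=DMARC1*" }
if (-not $dmarc) {
    Write-Warning "No DMARC record for $domain - publish v=DMARC1; p=none with a rua= reporting address first"
} elseif ($dmarc -match "\bp=(none|quarantine|reject)") {
    $policy = $Matches[1]
    Write-Host "DMARC policy is p=$policy ($dmarc)"
    switch ($policy) {
        "none"       { Write-Host "Next step: p=quarantine once aggregate reports show only legitimate senders" }
        "quarantine" { Write-Host "Next step: p=reject once quarantine has run clean for a few weeks" }
        "reject"     { Write-Host "DMARC fully enforced" }
    }
}

# --- DKIM: Microsoft 365 signs with two rotating selectors published as CNAMEs ---
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim) {
    # Create the config disabled; enabling before the CNAMEs exist breaks signature verification
    $dkim = New-DkimSigningConfig -DomainName $domain -Enabled $false
}
Write-Host "DKIM CNAMEs to publish:"
Write-Host "  selector1._domainkey.$domain -> $($dkim.Selector1CNAME)"
Write-Host "  selector2._domainkey.$domain -> $($dkim.Selector2CNAME)"

$cname1 = Resolve-DnsName -Name "selector1._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
$cname2 = Resolve-DnsName -Name "selector2._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
if ($cname1 -and $cname2) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    Write-Host "DKIM signing enabled for $domain"
} else {
    Write-Warning "DKIM selector CNAMEs not found in DNS yet; leaving signing disabled"
}
```

Run it once per sending domain. Third-party senders (marketing platforms, invoicing systems) need their own include: in SPF and their own DKIM selectors, otherwise moving DMARC past p=none will start quarantining legitimate mail.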

7. Enable audit logging

Records user and admin activity across Exchange, SharePoint, Teams, and Entra ID. Verify in Microsoft Purview compliance portal. Invaluable during incident investigation.

8. Configure anti-phishing policies

In Microsoft Defender for Office 365: configure impersonation protection for key personnel (CEO, CFO, Finance Manager) and commonly spoofed domains.

9. Enable Safe Attachments and Safe Links

Safe Attachments sandboxes email attachments. Safe Links checks URLs at time of click. Both should be enabled for all users.

10. Configure external email tagging

Prepend a warning banner to all emails from external senders via Exchange transport rules.

11. Disable auto-forwarding to external recipients

Attackers set up auto-forward rules after compromising a mailbox. Disable in Exchange admin centre > Remote domains > Default.
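As an added example (not from the original article), the script below turns off external auto-forwarding at both places Exchange Online controls it and then lists any mailbox-level forwarding or inbox rules that already send mail outside the tenant, so you can review what was set up before the setting was locked down. It assumes the ExchangeOnlineManagement module; everything else comes from your own tenant.

```powershell
# Added example: disable external auto-forwarding, then audit what already exists.
Connect-ExchangeOnline

# 1. Remote domain "Default" applies to every external domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Outbound spam policy: "Off" blocks automatic forwarding however it was
#    configured (inbox rule, mailbox setting, or Outlook client).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Mailboxes with a forwarding address set on the mailbox itself.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 4. Inbox rules that forward or redirect to an address outside your accepted domains.
#    Check every mailbox; these rules are usually hidden from the user.
$internalDomains = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }

$externalRules = foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        # Targets render as 'Name [SMTP:user@domain]'; internal recipients appear as [EX:...] and are ignored
        $domains = foreach ($t in $targets) {
            if ("$t" -match 'SMTP:[^@\]]+@([^\]]+)') { $Matches[1] }
        }
        $offending = $domains | Where-Object { $_ -notin $internalDomains }
        if ($offending) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = ($offending | Sort-Object -Unique) -join ", "
            }
        }
    }
}

if ($externalRules) {
    $externalRules | Format-Table -AutoSize
} else {
    Write-Host "No inbox rules forwarding outside the organisation"
}
```

Anything the audit turns up deserves a conversation with the mailbox owner before it is removed: a rule forwarding to a personal Gmail account is sometimes a user's own shortcut, but it is also exactly what a compromised mailbox looks like, so treat unexplained ones as an incident.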

12. Configure Data Loss Prevention (DLP) policies

Block external sharing of Tax File Numbers, Medicare numbers, credit card numbers, driver’s licence numbers, and bank account numbers. Microsoft provides built-in Australian sensitive information types.
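As an added example (not from the original article), the script below creates a DLP policy that blocks the Australian identifiers listed above from being shared with people outside the organisation. The sensitive information type names are Microsoft's published names for its built-in Australian types; the policy name, rule name and reporting mailbox are placeholders. It runs from Security & Compliance PowerShell (the ExchangeOnlineManagement module) and starts in test mode so you can see what would be blocked before enforcing.

```powershell
# Added example: DLP policy for Australian personal identifiers.
Connect-IPPSSession

$policyName = "AU - Block external sharing of personal identifiers"   # placeholder name

# Microsoft's built-in sensitive information types for the identifiers in item 12.
# minCount = "1" means a single match is enough to trigger the rule.
$sensitiveTypes = @(
    @{ Name = "Australia Tax File Number";         minCount = "1" },
    @{ Name = "Australia Medical Account Number";  minCount = "1" },   # Medicare numbers
    @{ Name = "Australia Driver's License Number"; minCount = "1" },
    @{ Name = "Australia Bank Account Number";     minCount = "1" },
    @{ Name = "Credit Card Number";                minCount = "1" }
)

# Policy scope: Exchange, SharePoint, OneDrive and Teams.
# TestWithNotifications shows users the policy tip and logs matches without blocking.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: when content containing any of these identifiers is shared outside the tenant,
# block it, tell the user why, and send an incident report to the security mailbox.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item contains Australian personal identifiers and cannot be shared outside the organisation." `
    -GenerateIncidentReport "security@example.com.au" `
    -IncidentReportContent DocumentLastModifier, Detections, Severity `
    -ReportSeverityLevel High

# After a couple of weeks of reviewing test-mode matches, enforce the policy:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Expect some false positives from the bank account and driver's licence types, which match fairly short digit patterns; tuning minCount or adding keyword conditions on the rule is cheaper than fielding complaints from finance.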

13. Review SharePoint and OneDrive sharing settings

Disable anonymous sharing links. Consider restricting external sharing to approved domains.

14. Enable mailbox auditing

Verify via PowerShell: Get-OrganizationConfig | Format-List AuditDisabled (it should report False). Captures message access, deletion, and permission changes.
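As an added example (not from the original article), the script below checks the tenant-wide switch, enables auditing on any mailbox still reporting it off, and confirms that the actions the article lists (message access, deletion, permission changes) are in each mailbox's audit set for owner, delegate and admin access. It assumes the ExchangeOnlineManagement module. Note that MailItemsAccessed is only recorded for mailboxes with an E5 or Audit (Premium) licence; remove it from the lists below on an E3-only tenant.

```powershell
# Added example: verify and enable mailbox auditing across the tenant.
Connect-ExchangeOnline

# Tenant-wide switch. AuditDisabled = True means nothing is audited, whatever
# the per-mailbox settings say.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled tenant-wide; enabling"
    Set-OrganizationConfig -AuditDisabled $false
} else {
    Write-Host "Tenant-wide mailbox auditing: enabled"
}

# Per mailbox. With auditing on by default, AuditEnabled can read False and the
# mailbox is still audited; setting it True explicitly removes the ambiguity.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
$notAudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
if ($notAudited) {
    $notAudited | Select-Object DisplayName, PrimarySmtpAddress, AuditLogAgeLimit | Format-Table -AutoSize
    $notAudited | Set-Mailbox -AuditEnabled $true
}

# Actions that must be in the audit set for each access type. These are in
# Microsoft's default set; listing them makes any drift visible.
# (MailItemsAccessed requires E5 / Audit (Premium); drop it on E3 tenants.)
$mustLog = @{
    Owner    = @("MailItemsAccessed", "SoftDelete", "HardDelete", "MoveToDeletedItems", "UpdateInboxRules", "UpdateFolderPermissions")
    Delegate = @("MailItemsAccessed", "SoftDelete", "HardDelete", "SendAs", "SendOnBehalf", "UpdateInboxRules", "UpdateFolderPermissions")
    Admin    = @("MailItemsAccessed", "SoftDelete", "HardDelete", "SendAs", "SendOnBehalf", "UpdateInboxRules", "UpdateFolderPermissions")
}

foreach ($mbx in $mailboxes) {
    $missing = foreach ($kind in $mustLog.Keys) {
        $current = $mbx."Audit$kind"          # AuditOwner / AuditDelegate / AuditAdmin
        $mustLog[$kind] | Where-Object { $_ -notin $current } | ForEach-Object { "$kind/$_" }
    }
    if ($missing) {
        Write-Host "$($mbx.PrimarySmtpAddress) missing: $($missing -join ', ')"
        # Add the missing actions rather than overwriting whatever else is already logged
        Set-Mailbox -Identity $mbx.Identity `
            -AuditOwner    @{ Add = $mustLog.Owner } `
            -AuditDelegate @{ Add = $mustLog.Delegate } `
            -AuditAdmin    @{ Add = $mustLog.Admin }
    }
}
```

The default retention is 90 days per mailbox (AuditLogAgeLimit); if your incident response or insurer expects longer, raise it here or rely on the unified audit log's retention, which depends on licence.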

15. Configure session timeouts and sign-in frequency

12 hours for general access, 1 hour for administrative access. Configure via Conditional Access session controls.


The valuable five — do these when you can

16. Review and restrict application consent

Restrict user consent to apps from verified publishers only, or require admin approval for all consent requests.

17. Enable sign-in risk and user risk policies

With Entra ID P2: automatically challenge or block high-risk sign-in attempts from unfamiliar locations or impossible travel.

18. Configure alerts for suspicious activity

Set up alerts for: multiple failed sign-ins, sign-ins from unusual locations, new inbox rules, changes to admin roles, mass file downloads or deletions.
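Alert policies in the portal fire from the moment they are created; they say nothing about what happened last week. As an added example (not from the original article), the script below sweeps the unified audit log for the five activities listed above over the past seven days. It assumes the ExchangeOnlineManagement module and that audit logging (item 7) is already on; the thresholds are starting points to tune for your tenant.

```powershell
# Added example: retrospective sweep of the unified audit log for the activities in item 18.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

function Get-AuditEvents([string[]]$Operations) {
    # Page through Search-UnifiedAuditLog (5000 records per call) and return each
    # record with its AuditData JSON expanded into a Data property.
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operations `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        foreach ($rec in $page) {
            $data = $rec.AuditData | ConvertFrom-Json
            [pscustomobject]@{
                When      = $rec.CreationDate
                User      = $rec.UserIds
                Operation = $rec.Operations
                ClientIP  = $data.ClientIP
                Data      = $data
            }
        }
    } while ($page -and @($page).Count -eq 5000)
}

# 1. New or changed inbox rules: the persistence step that follows a mailbox compromise.
Write-Host "== Inbox rule changes =="
Get-AuditEvents @("New-InboxRule", "Set-InboxRule") | ForEach-Object {
    $params = ($_.Data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join " "
    "{0:u}  {1}  {2}  {3}  {4}" -f $_.When, $_.User, $_.Operation, $_.ClientIP, $params
}

# 2. Admin role changes (Entra ID directory audit events surfaced in the unified log).
Write-Host "`n== Admin role changes =="
Get-AuditEvents @("Add member to role.", "Remove member from role.") |
    Select-Object When, User, Operation,
        @{ n = "Target"; e = { $_.Data.ObjectId } },
        @{ n = "Role";   e = { ($_.Data.ModifiedProperties | Where-Object Name -eq "Role.DisplayName").NewValue } } |
    Format-Table -AutoSize

# 3. Mass file downloads or deletions: count per user and operation, flag anyone over a threshold.
$fileThreshold = 100   # tune for your environment
Write-Host "`n== Users with >= $fileThreshold file downloads/deletions =="
Get-AuditEvents @("FileDownloaded", "FileSyncDownloadedFull", "FileDeleted") |
    Group-Object User, Operation |
    Where-Object Count -ge $fileThreshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 4. Repeated failed sign-ins per user, with the source IPs seen.
#    (Sign-ins from unusual locations are better left to Entra ID Protection, item 17.)
$loginThreshold = 10
Write-Host "`n== Users with >= $loginThreshold failed sign-ins =="
Get-AuditEvents @("UserLoginFailed") |
    Group-Object User |
    Where-Object Count -ge $loginThreshold |
    Select-Object Count, Name,
        @{ n = "SourceIPs"; e = { ($_.Group.ClientIP | Sort-Object -Unique) -join ", " } } |
    Format-Table -AutoSize
```

The inbox-rule section is the one worth reading line by line: a rule created from an unfamiliar IP that moves mail to RSS Feeds or deletes messages with "invoice" in the subject is a compromise until proven otherwise, and item 11 is the control that limits the damage it can do.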

19. Implement a sensible password policy

The ACSC and Microsoft now recommend against frequent password changes. Instead: minimum 14 characters, block common/compromised passwords, MFA as primary defence, encourage passphrases.

20. Enable Microsoft Secure Score and track progress

Provides a numerical measure of your tenant’s security posture with specific improvement recommendations. Review monthly in Microsoft 365 Defender portal.


The bottom line

None of these require exotic tools or massive budgets. Most are included in your existing licence. The payoff: a materially more secure environment that aligns with the ACSC Essential Eight and the expectations of Australian cyber insurers.


Want us to run through your tenant?

All IT Services provides Microsoft 365 security assessments for Sydney businesses. We’ll review your configuration against these 20 controls and more.

Reach out to Tom Buckley — call (02) 8073 4848 or send Tom an email. We’ll have your Secure Score heading in the right direction in no time.


Sources and references:
Microsoft — Microsoft 365 security documentation (learn.microsoft.com)
Australian Cyber Security Centre — Essential Eight (cyber.gov.au)
Australian Cyber Security Centre — Email Security guidance (cyber.gov.au)
Microsoft — Entra ID Conditional Access (learn.microsoft.com)
Australian Signals Directorate — Information Security Manual (cyber.gov.au)
