North Ark

Microsoft 365 · 5 July 2026 · 8 min read

M365 Conditional Access baseline: what insurers and clients actually check

Business Premium with defaults is not a security baseline. Before cyber insurance renewal or enterprise client diligence, fix MFA enforcement, admin separation, legacy auth, and logging — in that order.

Assessors and enterprise clients do not care that you bought Microsoft 365 Business Premium. They ask for enforced MFA, blocked legacy authentication, separated admin accounts, audit logging retention, and evidence that backups actually restore, often with screenshots or policy exports.

FC-04 M365 Security Baseline delivers an email break-in risk review: identity, admin roles, MFA, Conditional Access gaps, and prioritised remediation order in five business days.

Conditional Access policies that matter first

Require MFA for all users — with exceptions documented and time-bound, not permanent.

Block legacy auth protocols. Require compliant or hybrid-joined devices for admin roles where feasible.

Geo and risky sign-in policies are secondary until MFA and legacy auth are solid.
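As an added illustration (this is not North Ark's or Microsoft's code), a small Python check that reads a Conditional Access policy export in Microsoft Graph's conditionalAccessPolicy shape and reports whether the three first-order controls above are covered by enforced policies, listing MFA exclusions for review and returning what still needs fixing in the order this article recommends. The sample policies are constructed, the break-glass GUID is a placeholder, and the assumption is that the export kept Graph's property names.

```python
# Constructed sample, not a real tenant, shaped like a Microsoft Graph
# conditionalAccessPolicy export (assumption: property names are unchanged).
# "<break-glass-guid>" is a placeholder for an emergency-access account.
SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["<break-glass-guid>"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph's names for legacy-auth clients
PRIORITY = ["mfa_all_users", "legacy_auth_blocked", "admin_compliant_device"]  # fix order

def _users(p):
    return (p.get("conditions") or {}).get("users") or {}
def _all_users_all_apps(p):
    apps = (p.get("conditions") or {}).get("applications") or {}
    return "All" in _users(p).get("includeUsers", []) and "All" in apps.get("includeApplications", [])
def _controls(p):
    return set((p.get("grantControls") or {}).get("builtInControls", []))

def check_baseline(policies):
    """True per control means an enforced policy covers it; MFA exclusions are listed for review."""
    found = {k: False for k in PRIORITY}
    found["mfa_exclusions"] = {}
    for p in policies:
        if p.get("state") != "enabled":
            continue  # report-only and disabled policies are not evidence of enforcement
        ctl = _controls(p)
        clients = set((p.get("conditions") or {}).get("clientAppTypes", []))
        if _all_users_all_apps(p) and "mfa" in ctl:
            found["mfa_all_users"] = True
            if _users(p).get("excludeUsers"):  # each exclusion should be documented and time-bound
                found["mfa_exclusions"][p["displayName"]] = _users(p)["excludeUsers"]
        if _all_users_all_apps(p) and "block" in ctl and ("all" in clients or LEGACY_CLIENTS <= clients):
            found["legacy_auth_blocked"] = True
        if _users(p).get("includeRoles") and ctl & {"compliantDevice", "domainJoinedDevice"}:
            found["admin_compliant_device"] = True  # device requirement scoped to directory roles
    return found

def remediation_order(found):
    # Controls that still fail, in the order the article says to fix them.
    return [k for k in PRIORITY if not found[k]]
```

Run `remediation_order(check_baseline(SAMPLE_POLICIES))` on a real export (after `Get-MgIdentityConditionalAccessPolicy` or the Graph policies endpoint) to get the ordered gap list; the report-only legacy-auth policy in the sample is deliberately counted as a gap.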

Admin tiering and break-glass

Separate admin accounts from daily email. Fewer Global Admins. Privileged Identity Management for just-in-time elevation where licensing allows.

Document break-glass accounts, store credentials securely, and test recovery — insurers ask about this after incidents, not before.

Logging and backup evidence

Unified audit log retention, mailbox auditing, and SharePoint audit — know where logs go and who can read them.

Backup: know what is protected, that a restore was tested in the last 12 months, and who owns recovery drills.

Before Copilot and before insurance renewal

Fix baseline before Copilot seats — FC-27 bundles FC-19 and FC-04 for teams buying AI and insurance at once.

See the M365 security Brisbane guide and book FC-04 from Microsoft packages.

Frequently asked questions

Is Business Premium enough for insurance?
Licence tier enables features — it does not configure them. Insurers want proof of enforcement: MFA coverage metrics, CA policies, backup restore tests, and incident contacts.
Can our MSP do the baseline review?
Many MSPs can — if they scope it as a project with deliverables, not a checkbox during onboarding. FC-04 is fixed price and independent when you need a second pair of eyes before renewal.
How does this relate to Essential Eight?
M365 baseline covers identity and email; the Essential Eight ML1/ML2 requirements overlap for MFA, but patching on endpoints and macro settings still need endpoint and application work. See the Essential Eight Brisbane SMB guide for the full picture.

Next step

M365 Conditional Access baseline — ready to act?

M365 baseline — $2,490

Or book a free fit call