Checklist · Updated June 2026

Microsoft 365 security checklist for Malaysian businesses

The short answer

Microsoft 365 security starts with identity: enforce MFA for every user, layer conditional access on top, and disable the legacy authentication protocols that bypass both. Then audit mailbox forwarding rules and OAuth app consents, minimise privileged roles, monitor risky sign-ins, tune anti-phishing policies with DKIM and DMARC, and back up tenant data independently, because retention settings are not a backup.

Why Microsoft 365 tenants get compromised

Most Microsoft 365 breaches are not exotic. An attacker phishes or buys a password, signs in from anywhere because MFA is missing or a legacy protocol sidesteps it, then quietly reads mail, sets a forwarding rule and waits for an invoice thread to hijack. Business email compromise of this kind is patient and low-noise, and almost every step of it is preventable with tenant settings you already own.

The Microsoft 365 security checklist

1. MFA enforced for every user, no exceptions

   Enforcement comes through policy rather than user choice, covering staff, interactively used shared mailboxes and external consultants. Accounts excluded temporarily are the ones attackers find.

2. Conditional access policies in place

   Sign-ins are evaluated against location, device state and risk, with blocks or extra verification applied automatically. At minimum, block countries you never operate from and require known devices for sensitive roles.

3. Legacy authentication disabled

   Older protocols such as IMAP, POP and basic SMTP authentication ignore MFA entirely. They are blocked tenant-wide, with genuine dependencies like old scanners migrated rather than left as permanent exceptions.

4. Mailbox forwarding rules audited

   External auto-forwarding is disabled by default, and inbox rules across the tenant have been reviewed for silent forwards to outside addresses, a classic sign of an already-compromised mailbox.

5. OAuth app consents reviewed

   Users cannot grant consent to unverified third-party apps, and existing grants have been reviewed for anything with mailbox-wide or file-wide access nobody recognises. Malicious OAuth grants survive password resets.

6. Privileged roles reviewed and minimised

   Global administrator membership is limited to a few named, MFA-protected accounts not used for daily email, lesser roles are used wherever they suffice, and emergency access accounts are documented.

7. Risky sign-ins monitored

   Someone reviews impossible-travel and other risky sign-in reports, or the alerts feed a monitoring service, so a stolen credential is caught in hours rather than surfacing months later in a fraud investigation.

8. Anti-phishing policies tuned

   Anti-phishing, anti-spoofing and impersonation protection are configured for your executives and domains rather than left at defaults, and quarantined items are reviewed through a defined process.

9. DKIM and DMARC enforced on your domains

   Sending domains publish SPF, sign with DKIM, and carry a DMARC policy moved beyond monitoring to quarantine or reject, so criminals cannot send convincing invoices in your name.

10. Microsoft 365 data backed up independently

   Mail, OneDrive, SharePoint and Teams data is copied outside the tenant on a schedule, with tested restores. Retention policies help compliance but do not protect against deletion, ransomware or a rogue administrator.
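Item 5 asks for a review of existing OAuth grants. The script below is an added example written for this page, not Datasafe's assessment tooling and not code from the checklist itself. It assumes the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and a reader account with the three scopes it requests; the list of "risky" scopes is our own triage judgement, not a Microsoft classification, and the output file name is arbitrary.

```powershell
# Added example: enumerate delegated OAuth consent grants in the tenant and flag the ones
# that give broad mail or file access to apps from outside the tenant with no verified publisher.
# Assumes the Microsoft.Graph PowerShell SDK; the $riskyScopes list is our own judgement.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All', 'User.Read.All'
$tenantId = (Get-MgContext).TenantId

# Scopes that reach across a mailbox or a file store. An unrecognised app holding any of
# these is the pattern item 5 describes, and the grant survives a password reset.
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
               'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
               'Contacts.Read', 'User.Read.All', 'Directory.Read.All', 'offline_access'

# Service principal lookups are cached: a tenant can carry thousands of grants
$spCache = @{}
function Get-CachedServicePrincipal {
    param([string]$Id)
    if (-not $spCache.ContainsKey($Id)) {
        $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
    }
    $spCache[$Id]
}

$report = foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $app      = Get-CachedServicePrincipal $grant.ClientId      # the app that received consent
    $resource = Get-CachedServicePrincipal $grant.ResourceId    # the API it was granted on (usually Microsoft Graph)
    $scopes   = @($grant.Scope -split '\s+' | Where-Object { $_ })
    $risky    = @($scopes | Where-Object { $_ -in $riskyScopes })
    # AppOwnerOrganizationId is the tenant that registered the app; different tenant = third-party app
    $external = [bool]$app.AppOwnerOrganizationId -and ("$($app.AppOwnerOrganizationId)" -ne $tenantId)
    $verified = [bool]$app.VerifiedPublisher.DisplayName
    # ConsentType AllPrincipals means an admin consented for everyone; Principal is one user's own consent
    $grantedTo = if ($grant.ConsentType -eq 'AllPrincipals') { 'ALL USERS (admin consent)' } else { (Get-MgUser -UserId $grant.PrincipalId -ErrorAction SilentlyContinue).UserPrincipalName }
    $publisher = if ($verified) { $app.VerifiedPublisher.DisplayName } else { 'unverified' }
    $severity  = if ($risky.Count -gt 0 -and $external -and -not $verified) { 'High' } elseif ($risky.Count -gt 0) { 'Medium' } else { 'Low' }
    [pscustomobject]@{
        Severity    = $severity
        App         = $app.DisplayName
        AppId       = $app.AppId
        Publisher   = $publisher
        External    = $external
        GrantedTo   = $grantedTo
        Resource    = $resource.DisplayName
        RiskyScopes = ($risky -join ' ')
        AllScopes   = ($scopes -join ' ')
    }
}

$report | Sort-Object Severity, App | Format-Table -AutoSize
$report | Export-Csv -Path .\oauth-consent-review.csv -NoTypeInformation   # arbitrary file name
```

Work the High rows first: an unverified, externally owned app holding Mail.ReadWrite that nobody in the business can name is the grant to revoke and investigate. This script covers delegated (on-behalf-of-a-user) grants only; application permissions granted to an app outright are a separate list, exposed through Get-MgServicePrincipalAppRoleAssignment, and deserve the same review. The preventive half of item 5, stopping users from consenting to unverified apps in the first place, is a tenant setting under user consent and permissions in the Entra admin center rather than anything this script changes.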
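Item 9 can be verified from public DNS without tenant access. The script below is an added example written for this page, not Datasafe's tooling and not code from the checklist. It assumes Resolve-DnsName from the Windows DnsClient module; the domain list is a placeholder to replace with your accepted domains, and the DKIM selector names selector1 and selector2 are the ones Microsoft 365 uses.

```powershell
# Added example: check SPF, DKIM and DMARC for each sending domain from public DNS and
# report the gaps that stop item 9 from being true. Assumes Resolve-DnsName (Windows DnsClient).
$domains = @('example.com.my')   # placeholder: replace with your accepted domains

function Get-TxtRecords {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }   # long TXT records arrive split into 255-byte strings
    } catch { }                                      # NXDOMAIN or no TXT records: emit nothing
}

function ConvertFrom-DmarcRecord {
    param([string]$Record)
    # DMARC is tag=value pairs separated by semicolons, e.g. "v=DMARC1; p=reject; rua=mailto:..."
    $tags = @{}
    foreach ($part in ($Record -split ';')) {
        if ($part -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1].ToLower()] = $Matches[2] }
    }
    $tags
}

function Test-DomainMailPosture {
    param([string]$Domain)
    $spf   = Get-TxtRecords $Domain          | Where-Object { $_ -match '^v=spf1\b' }   | Select-Object -First 1
    $dmarc = Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1\b' } | Select-Object -First 1
    # Microsoft 365 publishes its signing keys behind two CNAMEs, selector1 and selector2
    $dkim = @(foreach ($sel in 'selector1', 'selector2') {
        try {
            (Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction Stop |
                Where-Object { $_.Type -eq 'CNAME' }).NameHost
        } catch { }
    })
    $tags   = if ($dmarc) { ConvertFrom-DmarcRecord $dmarc } else { @{} }
    $policy = if ($tags['p']) { $tags['p'].ToLower() } else { 'missing' }
    $pct    = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }   # pct defaults to 100 when absent

    $gaps = @()
    if (-not $spf)                               { $gaps += 'no SPF record' }
    elseif ($spf -notmatch '\s-all$')            { $gaps += 'SPF does not end in -all (softfail or neutral)' }
    if ($dkim.Count -lt 2)                       { $gaps += 'DKIM selector CNAMEs missing' }
    if ($policy -eq 'missing')                   { $gaps += 'no DMARC record' }
    elseif ($policy -eq 'none')                  { $gaps += 'DMARC still in monitoring (p=none)' }
    elseif ($pct -lt 100)                        { $gaps += "DMARC applied to only pct=$pct of mail" }
    if ($tags['sp'] -and $tags['sp'] -eq 'none') { $gaps += 'subdomains exempted (sp=none)' }
    if ($dmarc -and -not $tags['rua'])           { $gaps += 'no rua= aggregate reporting address' }

    [pscustomobject]@{
        Domain      = $Domain
        SPF         = [bool]$spf
        DKIM        = ($dkim.Count -eq 2)
        DmarcPolicy = $policy
        Enforced    = ($policy -in 'quarantine', 'reject') -and $pct -eq 100
        Gaps        = ($gaps -join '; ')
    }
}

$domains | ForEach-Object { Test-DomainMailPosture $_ } | Format-Table -AutoSize
```

A domain passes item 9 only when Enforced is True and Gaps is empty. The DNS view shows what the world sees; the tenant side, whether signing is actually switched on for the domain, is visible in Exchange Online PowerShell through Get-DkimSigningConfig, and both must agree before moving a DMARC policy from none to quarantine or reject.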

Closing the gaps

Work the list top down, identity first, because those items shut the front door. Most controls cost configuration time rather than new licences, although conditional access and risk reporting depend on your Microsoft licensing tier, so confirm what your plan includes before designing policy.

Datasafe Online offers a Microsoft 365 security assessment that benchmarks a tenant against these controls and returns a prioritised fix list, and partners with Microsoft and Proofpoint on the email security layer. Its 24/7 SOC can take on the sign-in monitoring most IT teams cannot watch around the clock. Contact sales@datasafe.com.my or 03-2242 3191.

The Malaysia context

Microsoft 365 is the default productivity platform across Malaysian businesses, which makes tenant compromise a leading path to invoice fraud and data exposure locally. A breached mailbox holding customer or employee personal data raises PDPA obligations, and financial institutions face Bank Negara Malaysia RMiT expectations around access control and monitoring that map directly onto the identity items in this checklist.

Common questions

Isn't Microsoft 365 secure by default?

Microsoft secures the platform; configuring your tenant is your responsibility under the shared responsibility model. Defaults have improved and newer tenants get basic MFA enforcement, but forwarding rules, app consents, DMARC and backup remain your job, and older tenants often predate the better defaults entirely.

Do we really need a separate backup if Microsoft keeps our data?

Yes. Microsoft provides availability and retention, not a backup service. Deleted or encrypted content can pass beyond recovery windows, and a compromised administrator can purge data along with its retention copies. An independent backup with tested restores is the control that survives those scenarios.

Will enforcing MFA disrupt our staff?

Briefly, with planning. Modern methods such as the authenticator app keep daily friction low, and conditional access can reduce prompts on trusted devices. Communicate the rollout, pilot with one department, and brief the helpdesk. The disruption of a compromised mailbox is far larger.

What is the single highest-impact item on this list?

Enforced MFA combined with disabling legacy authentication, treated as one move because legacy protocols bypass MFA. Together they defeat the bulk of credential-based attacks on Microsoft 365. If you can only schedule one change window this quarter, schedule that.

How do we know if a mailbox is already compromised?

Look for inbox rules that forward externally or delete messages, sign-ins from unfamiliar countries, OAuth app grants nobody recognises and MFA registrations you cannot explain. A tenant security assessment normally includes this check; treat any silent external forward as an incident until proven otherwise.
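The first indicator in the answer above, and the review behind checklist item 4, can be run as a script. What follows is an added example written for this page, not Datasafe's assessment tooling and not code from the checklist. It assumes the ExchangeOnlineManagement module and an account holding at least the View-Only Recipients role for the audit; the two hardening cmdlets at the end need an Exchange administrator and are the tenant-wide default item 4 describes.

```powershell
# Added example: find mailbox-level forwarding and inbox rules that send mail outside the
# tenant or delete it, then set the tenant default that blocks external auto-forwarding.
# Assumes the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Any recipient domain not in the tenant's accepted domains counts as external
$internalDomains = @((Get-AcceptedDomain).DomainName)

function Test-ExternalRecipient {
    param([string]$Recipient)
    if (-not $Recipient) { return $false }
    if ($Recipient -match '\[EX:') { return $false }   # internal directory object, not an SMTP address
    # Rule recipients look like 'Name [SMTP:user@example.com]'; mailbox forwarding looks like 'smtp:user@example.com'
    $smtp   = if ($Recipient -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { $Recipient }
    $domain = ($smtp -split '@')[-1]
    return ($internalDomains -notcontains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Mailbox-level forwarding, set by an admin or through Outlook on the web settings
    if (Test-ExternalRecipient $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding'
            Target  = $mbx.ForwardingSmtpAddress
            Detail  = "KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        }
    }
    # 2. Inbox rules that forward or redirect outside, or delete messages (used to hide the replies
    #    a victim would otherwise notice during an invoice-thread hijack)
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @($targets | Where-Object { Test-ExternalRecipient $_ })
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule'
                Target  = ($external -join ';')
                Detail  = "Rule='$($rule.Name)' Enabled=$($rule.Enabled) Delete=$($rule.DeleteMessage)"
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Mailbox | Format-Table -AutoSize
    $findings | Export-Csv -Path .\forwarding-audit.csv -NoTypeInformation   # arbitrary file name
} else {
    Write-Host 'No external forwarding or delete rules found.'
}

# Tenant-wide default behind item 4: stop automatic external forwarding at the outbound
# spam policy and at the default remote domain. Apply once any genuine forward has been
# moved to an explicit, documented exception.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Triage the output in two passes: every row with an external Target is an incident until the mailbox owner can explain it, as the answer above says; rows flagged only for Delete are noisier, since users legitimately delete newsletters by rule, so read the rule name and conditions before escalating. Get-InboxRule runs per mailbox and is slow on large tenants; schedule the audit rather than running it interactively, and keep the CSV so the next run can be compared against it.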

Talk it through with an operator.

A 30-minute Cyber Risk Review maps this topic against your environment, with an analyst from Datasafe's Kuala Lumpur SOC. No slideware, no obligation.