
Microsoft 365 Security Features You're Already Paying For
- Ashby Childs
- Mar 24
Updated: Mar 29

If you're on Microsoft 365 Business Premium, E3, or E5, you've got security tools sitting in your tenant right now that you haven't configured. I see it every time we onboard a new client.
The typical business is sitting at a Microsoft Secure Score of 30 to 40 out of 100. Not because they're careless — they just didn't know this stuff was there.
Here's what's included and what each thing actually does, in plain English.
Microsoft Defender for Office 365
This goes beyond basic spam filtering. It scans every email attachment in a sandbox before delivering it, rewrites URLs in emails so they're checked at the moment you click them (not just when the email arrived), and detects phishing attempts that basic filters miss.
Included in: Business Premium (Plan 1), E5 (Plan 1 and 2).
Most businesses have this available and are running on default settings. The defaults are okay. Properly configured, it's significantly better.
Conditional Access
This is probably the single most impactful security feature in M365. It lets you set rules: only allow sign-ins from Australia, require MFA when accessing email from a new device, block access from non-compliant devices entirely.
Without it, anyone with a stolen username and password can sign in from anywhere. With it, you decide the rules.
Included in: Business Premium, E3, E5 (requires Entra ID P1, which is bundled).
Intune (Endpoint Manager)
Manages every device that touches your business data. Laptops, phones, tablets. You can enforce BitLocker encryption, require screen locks, push security updates, and remotely wipe a device if it's lost or stolen.
If your team works remotely — even sometimes — and you're not using Intune, your devices are unmanaged. That's a risk most businesses don't realise they're carrying.
Included in: Business Premium (Intune Plan 1), E3, E5.
Microsoft Purview
Data classification and protection. You can label documents as "Internal Only" or "Confidential" and enforce rules — like preventing anyone from emailing a confidential document to an external address. Also handles data loss prevention (DLP), retention policies, and eDiscovery.
Relevant if you handle client data, financial records, or anything covered under Australian privacy legislation.
Included in: Business Premium (basic), E3 (standard), E5 (advanced including insider risk management).
Entra ID Protection
Monitors sign-in patterns and flags risky behaviour automatically. If someone signs in from Sydney at 9am and then from Eastern Europe at 9:15am, it notices. You can set it to block access, force MFA, or alert an admin.
Included in: E5 (requires Entra ID P2). Business Premium and E3 include the Entra ID P1 features (Conditional Access, self-service password reset) rather than ID Protection.
Your Secure Score
Microsoft gives every tenant a security score out of 100. It tells you exactly what's configured, what isn't, and what to do next. You can find it in the Microsoft 365 admin centre under Security.
Most businesses we work with jump from 30-40 to 60-70 just by configuring what's already included. No new products, no extra cost.
What to do next
Check your Secure Score. If it's under 50, there's low-hanging fruit. If you want someone to walk you through it, we run free 30-minute security reviews for Australian businesses — we'll show you what's on, what's off, and what to do first.

