The Microsoft 365 Security Baseline for Malaysian SMEs: A Complete 2026 Hardening Guide
A default Microsoft 365 tenant is insecure out of the box. Malicious actors know it, and most Malaysian SME breaches we respond to start in a weakly-configured M365 or Google Workspace environment. This guide walks through the exact configuration baseline we deploy for managed SME clients, in order: Entra ID hardening, MFA, Conditional Access, Defender for Office 365, Defender for Business, Intune device compliance, Purview DLP, Exchange mail flow rules, and third-party backup. Where settings have specific names, we use the current 2026 names in the Microsoft 365 admin centre. This is opinionated, not a feature tour. The goal is a Malaysian SME that can pass a PDPA audit and sleep through Friday nights.
Why default M365 is insecure
A brand-new Microsoft 365 tenant, without additional hardening, leaves these defaults in place:
- Security Defaults on (good), but they are all-or-nothing: no per-app, per-location or per-device policy, so you outgrow them within weeks
- Legacy (basic) authentication is off for most protocols on new tenants, but SMTP AUTH can still be enabled per mailbox, and tenants migrated from older licences often carry exceptions
- Every user can register external OAuth apps with access to your mailbox and files
- External sharing on OneDrive and SharePoint allows link-sharing to anyone on the internet
- Mailbox auditing is on, but retention defaults are shorter than most forensic investigations need
- Global administrators are not required to have FIDO2 keys; password + app MFA is sufficient by default
- DKIM and DMARC are not configured; your domain can be spoofed
Attackers probe for every item above routinely; none of them is exotic. The baseline below closes each of them. Related reading on the wider cost of this work: How Much Does Cybersecurity Cost in Malaysia?.
Licensing prerequisites
Security features are gated by licence. For Malaysian SMEs in 2026:
| Tier | SKU | Typical fit | Key security features |
|---|---|---|---|
| Baseline | M365 Business Premium | 1 to 300 users | Defender for Business, Intune, Entra ID P1, Purview (subset) |
| Enterprise entry | M365 E3 + Defender Plan 1 | 300+ or regulated | Full Defender for Office 365 P1, Purview, Entra ID P1 |
| Full stack | M365 E5 | Regulated, mature SOC | Defender for Office 365 P2, Endpoint P2, Identity, Purview full |
For the rest of this guide we assume Business Premium as the base. Where a feature requires higher, we call it out explicitly. Business Standard does not include the security tooling and is not a credible baseline. If your tenant is on Business Standard, fix that first.
Phase 1: Entra ID hardening
Entra ID (formerly Azure AD) is the identity plane. Harden it first; everything else builds on top.
1.1 Disable legacy authentication
In Entra admin centre → Protection → Conditional Access → Policies:
- Block legacy auth protocols (SMTP AUTH with basic authentication, IMAP, POP, and basic-auth EWS and Autodiscover). Create a Conditional Access policy named CA-003-Block-Legacy-Auth covering All users, All cloud apps, client apps: Exchange ActiveSync clients + Other clients. Grant: Block.
- Also turn off SMTP AUTH for the whole organisation in the Exchange admin centre (Settings → Mail flow) and re-enable it only on the individual mailboxes that genuinely need it. Conditional Access blocks the sign-in; disabling the protocol removes the password-spraying surface entirely.
Expect a handful of legacy-client breakages (old scanners, old CRM plugins). Handle them with app-specific service accounts on modern auth, or per-mailbox SMTP AUTH exceptions with tight scoping, not by re-enabling legacy auth tenant-wide.
1.2 Enforce MFA for admins with FIDO2 or passkeys
Password + Authenticator app MFA (with number matching) is acceptable for regular users. Admins should be on phishing-resistant MFA:
- FIDO2 security keys (YubiKey 5 NFC, Feitian), device-bound passkeys in Microsoft Authenticator, or Windows Hello for Business
- Enable those methods first under Protection → Authentication methods, then enforce them via a dedicated Conditional Access policy, CA-002-Admins-Phish-Resistant, using the built-in Phishing-resistant MFA authentication strength as the grant
Break-glass accounts: create exactly two cloud-only Global Administrator break-glass accounts with 32+ character passwords in a sealed envelope in the owner’s safe. Exempt them from every CA policy (otherwise a misfire locks you out) and alert on any sign-in by either account; legitimate use should be rare enough to investigate every time.
1.3 Privileged Identity Management (PIM)
Business Premium includes Entra ID P1. PIM, access reviews and risk-based Conditional Access are Entra ID P2 features, sold as a per-user add-on or bundled with E5, and only the users who activate roles through PIM need the P2 licence. If you can justify P2 for the handful of admin accounts, enable PIM so admins elevate just-in-time with approval and MFA rather than holding standing Global Administrator.
1.4 Password policy
- Remove periodic expiry. NIST guidance (SP 800-63B) and Microsoft both recommend no forced rotation absent a known compromise; forced rotation weakens rather than strengthens.
- Enable Entra Password Protection with a custom banned-password list of local Malaysian terms (e.g., your brand name, “Malaysia123”, “Selamat2024”).
- Prohibit SMS-only MFA for admins.
1.5 Application consent
In Entra admin centre → Enterprise applications → Consent and permissions:
- Set “Users can consent to apps from verified publishers, for selected permissions” (low-impact only)
- Enable admin consent workflow and name an approver
- Review existing third-party OAuth grants โ revoke what you don’t recognise
Had it been in place, this single setting would have stopped most of the OAuth-grant attacks we have investigated in Malaysian SMEs in the last 18 months.
Phase 2: MFA and Conditional Access
Security Defaults is a reasonable starting point for micro-SMEs. For anything above 10 users, move to explicit Conditional Access policies. Build these in report-only mode first, monitor for 48 hours, then flip to enforce.
The baseline CA policy set
| Policy | Target | Condition | Grant |
|---|---|---|---|
| CA-001-All-Users-Require-MFA | All users, exclude break-glass | All cloud apps | Require MFA |
| CA-002-Admins-Phish-Resistant | Directory roles (Global, Security, Exchange, SharePoint, Intune admins) | All cloud apps | Require authentication strength: Phishing-resistant MFA (FIDO2 / passkey / WHfB) |
| CA-003-Block-Legacy-Auth | All users | Client apps: Exchange ActiveSync clients + Other clients | Block |
| CA-004-Require-Compliant-Device | All users | All cloud apps (except Intune enrolment apps) | Require compliant device or Hybrid Entra joined |
| CA-005-Risky-Sign-In-Block | All users (requires P2) | User risk: High; Sign-in risk: High | Block |
| CA-006-Guest-Access-MFA | Guest/external users | All cloud apps | Require MFA |
| CA-007-Country-Block | All users | Locations: outside MY + travel countries | Block |
| CA-008-Session-Controls | All users | Browser sessions on unmanaged devices | Sign-in frequency 12h, persistent browser session: never |
Notes on specific policies
- CA-004 (compliant device): This is the single highest-leverage control and the one that needs the most care. Give users a week to enrol devices into Intune before flipping enforce, or you will lock out laptops. For personal phones managed with MAM only, use the Require app protection policy grant instead of Require compliant device, scoped to Office 365 apps on iOS and Android.
- CA-007 (country block): Malaysia-based SMEs rarely need global sign-in. Allow MY plus a small list of frequent travel countries (SG, TH, ID, VN, HK, AU, JP, KR, GB, US if relevant). Block the rest. If someone travels outside the list, they request an ad-hoc exception for 24 hours. Treat this as a noise filter against opportunistic password spraying, not a security boundary: a targeted attacker will simply exit through a Malaysian VPN node.
- Break-glass exemption: Always exempt break-glass accounts from CA. Monitor their use via Sentinel or Defender for Cloud Apps.
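As an added example (not code from the original article): the first three policies of the table above, CA-001 to CA-003, expressed as the JSON bodies the Microsoft Graph conditionalAccess API takes, plus a small linter that catches the mistakes behind most Monday-morning lockouts (break-glass accounts not excluded, a block policy created straight in enforce mode, a legacy-auth policy targeting more than Exchange ActiveSync and Other clients, an admin policy granting plain MFA instead of an authentication strength). The break-glass object IDs are constructed placeholders; the role template IDs and the phishing-resistant authentication-strength ID are Microsoft’s well-known values. It runs offline and does not call the tenant.

```python
"""Build and sanity-check the Conditional Access baseline as Microsoft Graph
conditionalAccessPolicy JSON before it is pushed to the tenant.

Added example, not from the original article. The break-glass object IDs are
constructed placeholders; replace them with your tenant's values.
"""
import json

# Constructed placeholders for the two break-glass account object IDs.
BREAK_GLASS = [
    "11111111-1111-1111-1111-111111111111",
    "22222222-2222-2222-2222-222222222222",
]
# Well-known Entra role template IDs: Global Administrator, Security Administrator.
ADMIN_ROLES = [
    "62e90394-69f5-4237-9190-012177145e10",
    "194ae4cb-b126-40b2-bd5b-6091b380977d",
]
# Built-in authentication strength "Phishing-resistant MFA".
PHISH_RESISTANT = "00000000-0000-0000-0000-000000000004"
REPORT_ONLY = "enabledForReportingButNotEnforced"


def policy(name, users, grant, *, client_apps=None, state=REPORT_ONLY):
    """Return one Graph conditionalAccessPolicy body. New policies start
    report-only so they can be watched before they are enforced."""
    conditions = {
        "users": {**users, "excludeUsers": BREAK_GLASS},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": client_apps or ["all"],
    }
    return {"displayName": name, "state": state,
            "conditions": conditions, "grantControls": grant}


def baseline():
    """CA-001 to CA-003 from the article's table as Graph payloads."""
    return [
        policy("CA-001-All-Users-Require-MFA", {"includeUsers": ["All"]},
               {"operator": "OR", "builtInControls": ["mfa"]}),
        policy("CA-002-Admins-Phish-Resistant", {"includeRoles": ADMIN_ROLES},
               {"operator": "AND", "authenticationStrength": {"id": PHISH_RESISTANT}}),
        policy("CA-003-Block-Legacy-Auth", {"includeUsers": ["All"]},
               {"operator": "OR", "builtInControls": ["block"]},
               client_apps=["exchangeActiveSync", "other"]),
    ]


def lint(policies):
    """Return a list of findings; an empty list means the set passes."""
    findings = []
    for p in policies:
        name, cond, grant = p["displayName"], p["conditions"], p["grantControls"]
        missing = set(BREAK_GLASS) - set(cond["users"].get("excludeUsers", []))
        if missing:
            findings.append(f"{name}: break-glass accounts not excluded")
        if "block" in grant.get("builtInControls", []) and p["state"] == "enabled":
            findings.append(f"{name}: block policy created directly in enforce mode")
        if "Legacy" in name and set(cond["clientAppTypes"]) != {"exchangeActiveSync", "other"}:
            findings.append(f"{name}: legacy-auth block must target EAS + other clients only")
        if "Admins" in name and "authenticationStrength" not in grant:
            findings.append(f"{name}: admin policy grants plain MFA, not phishing-resistant")
    return findings


if __name__ == "__main__":
    for p in baseline():
        print(json.dumps(p, indent=2))
    print("findings:", lint(baseline()))
```

Push each body with a POST to /identity/conditionalAccess/policies (Policy.ReadWrite.ConditionalAccess), keep it report-only for the monitoring window, then patch state to enabled. Run lint() again over the exported policies after any manual edit in the portal; the break-glass exclusion is the check that gets silently dropped when someone clones a policy.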
Phase 3: Email security (Defender for Office 365)
Email is still the #1 attack vector. Defender for Office 365 Plan 1 ships with Business Premium. Configure it, don’t just have it.
3.1 SPF, DKIM, DMARC
Publish three DNS records. Do it today.
- SPF: `v=spf1 include:spf.protection.outlook.com -all` (add an include for any other legitimate sender, such as a marketing or ticketing platform, and stay under the 10 DNS-lookup limit or the record evaluates to permerror)
- DKIM: enable in Defender portal → Email & collaboration → Policies & rules → Threat policies → Email authentication settings → DKIM, for each custom domain, after publishing the two selector CNAME records it gives you
- DMARC: start with `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.my`, monitor the aggregate reports for 30 days, move to p=quarantine, then p=reject
Without DMARC at reject, your domain is a free spoofing vehicle.
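An added example, not from the original article, of the checks a practitioner runs on these records before and after each DMARC step: the SPF qualifier and lookup count, and the DMARC policy, reporting address and pct tag. It takes the TXT record text as input so it runs offline (in practice feed it the output of a DNS lookup); the records at the bottom are constructed for a hypothetical example.my.

```python
"""Parse SPF and DMARC TXT records and grade them against the target state:
SPF ending in -all within the 10-lookup limit, DMARC at p=reject with
aggregate reports. Added example, not from the original article."""
import re

# SPF mechanisms/modifiers that each cost a DNS lookup (RFC 7208 allows 10).
LOOKUP_TERM = re.compile(r"^[-~?+]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|exists:|redirect=)", re.I)


def parse_spf(record):
    """Return {'includes': [...], 'all': qualifier, 'lookups': n}, or None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    result = {"includes": [], "all": None, "lookups": 0}
    for term in terms[1:]:
        if term.lower().startswith("include:"):
            result["includes"].append(term.split(":", 1)[1])
        if LOOKUP_TERM.match(term):
            result["lookups"] += 1
        m = re.fullmatch(r"([-~?+]?)all", term, re.I)
        if m:
            result["all"] = m.group(1) or "+"   # a bare 'all' means +all: pass everything
    return result


def parse_dmarc(record):
    """Return the DMARC tag dict (lower-case keys), or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def grade(spf_record, dmarc_record):
    """Return a list of findings; empty means both records meet the target state."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no v=spf1 record; anyone can send as your domain")
    else:
        if spf["all"] is None:
            findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
        elif spf["all"] != "-":
            findings.append(f"SPF: ends with '{spf['all']}all' instead of -all (spoofed mail is not hard-failed)")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} DNS lookups exceeds the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy}; spoofed mail is not rejected")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={dmarc['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    # Constructed records for example.my: the target state, then a typical weak tenant.
    print(grade("v=spf1 include:spf.protection.outlook.com -all",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.my"))
    print(grade("v=spf1 include:spf.protection.outlook.com include:_spf.google.com ~all",
                "v=DMARC1; p=none"))
```

Re-run it after every DNS change; the softfail (~all) finding in particular is the one that reappears when a marketing platform’s setup guide is pasted over the record.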
3.2 Preset security policies
In the Defender portal → Email & collaboration → Policies & rules → Threat policies → Preset security policies:
- Enable Standard protection for all users as a baseline
- Enable Strict protection for priority accounts (owner, finance, HR, IT admins)
Preset policies wrap anti-spam, anti-malware, anti-phishing, Safe Links, and Safe Attachments into sensible bundles.
3.3 Anti-phishing tuning
- Enable mailbox intelligence and impersonation protection. Protect the owner’s display name, the finance director’s, and the other priority personas (the per-policy limit for user impersonation protection is 350 users, up from the old limit of 60).
- Protect your own domain (internal impersonation) and commonly-spoofed external domains you do business with (your bank, your main vendors).
- Phishing email threshold: More aggressive for priority accounts; Aggressive for all others. The default, Standard, is too permissive for most Malaysian SME risk profiles in 2026.
3.4 Safe Links and Safe Attachments
- Safe Links: enable for email, Office apps and Teams. Check rewritten URLs at click time, track user clicks, and keep the “Do not rewrite” exception list empty unless a specific partner’s link tracking breaks.
- Safe Attachments: enable dynamic delivery so users get the message immediately and the attachment arrives after sandboxing. Dynamic delivery beats full blocking for UX. It applies to Exchange Online mailboxes only; turn on Safe Attachments for SharePoint, OneDrive and Teams separately under the Safe Attachments global settings.
3.5 External-sender banner
Mail flow rule: prepend “⚠️ EXTERNAL: verify sender before responding” to the subject of any inbound email where the sender is outside the organisation. Outlook’s native External tag (enabled per tenant in Exchange Online) does the same job more cleanly in Outlook clients, but the mail flow rule works in every client. A trivial control that measurably reduces CEO-fraud effectiveness.
3.6 Attack simulation training
Defender includes phishing simulation and training at no extra cost on Business Premium. Run a simulation every 60 days, target 5% click rate after 6 months, treat clickers with remedial training rather than punishment.
Phase 4: Endpoint security (Defender for Business + Intune)
Business Premium includes Defender for Business and Intune. Use them.
4.1 Enrol every device in Intune
Windows, macOS, iOS, Android. Personal-owned phones of staff who access email should be enrolled in MAM (Mobile Application Management) if not MDM.
4.2 Compliance policies
Create one per platform. Minimum conditions for compliance:
- OS version current (within 30 days of vendor release)
- BitLocker/FileVault enabled, recovery keys escrowed to Entra
- Local firewall on
- Microsoft Defender Antivirus (Windows) running and up-to-date
- Password / PIN required, complexity set
- Screen lock after 5 minutes idle
- Jailbreak / root detection on mobile
- Not compromised per Defender risk score
Non-compliant devices are blocked by CA-004.
4.3 Configuration profiles
- Windows: BitLocker silent enablement, Windows Update for Business rings, Defender ASR rules (block Office from creating child processes, block credential stealing from LSASS, etc.), Windows Hello for Business
- macOS: FileVault, Gatekeeper on, SIP on, automatic OS and app updates via Intune
- iOS: require device passcode, disable iCloud backup for corporate data apps, Managed Apple IDs where feasible
- Android: Android Enterprise work profile, require Play Protect, block sideloading
4.4 Defender for Business policies
- Next-gen antivirus: cloud-delivered protection on, real-time protection on, PUA protection block
- EDR in block mode on
- Attack surface reduction rules: start in audit, then block for the mature-client list; the ASR rule set (nineteen rules at the time of writing) covers most fileless attack vectors
- Web protection on (blocks malicious domains at network level, even off-VPN)
- Automated investigation and response: semi or full (depends on your comfort with automation)
4.5 App deployment
Use Intune for first-party app deployment (Office, Edge, Teams, OneDrive). Microsoft Store for Business was retired in 2023; restrict the consumer Store on corporate devices through Intune policy and allow-list approved apps via AppLocker or App Control for Business (formerly WDAC). Smart App Control only activates on clean Windows 11 installs and is not a substitute for a managed allow-list.
Phase 5: Data protection (Purview DLP + sensitivity labels)
Purview is the part of M365 most SMEs under-use. A light baseline goes a long way toward PDPA compliance.
5.1 Sensitivity labels
Start with four labels, not forty:
- Public: safe for anywhere
- Internal: staff only
- Confidential: requires authentication, no external sharing
- Restricted: encrypted, named recipients only
Auto-apply where licensing allows (e.g., any document containing a MyKad number → Confidential). Automatic and recommended labelling needs E5 or the Purview information protection add-on; on plain Business Premium users label manually and the DLP policies below do the detection.
5.2 DLP policies
Minimum policy set for Malaysian SMEs:
- MY-PII-Block-External: detect MyKad numbers (Purview’s built-in Malaysia identification card number type), passport numbers and bank account numbers; block sharing externally
- Financial-Detection: detect credit card PANs using the built-in Credit Card Number type, which adds a Luhn check and keyword proximity on top of the bare PCI DSS regex; notify user + admin
- Health-Data: if you are in healthcare or insurance, detect clinical codes; block sharing
- Source-Code-Leak: if you do software, detect source-code patterns in Exchange and OneDrive; warn user
Start DLP in notify-only mode. Tune for 30 days. Then move to block.
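An added example (not from the article) of the detection logic behind the MY-PII policy and the MyKad → Confidential labelling rule above: a MyKad matcher that validates the embedded date of birth so it does not fire on every 12-digit string, and a classifier that maps a hit to the four-label model. Purview’s built-in Malaysia identification card number sensitive information type does the equivalent inside the product; this is for building DLP test data and scanning exports. The sample document is constructed, and the rejection of place-of-birth code 00 is an assumption stated in the code.

```python
"""Detect Malaysian MyKad numbers (YYMMDD-PB-NNNG) in text with a date check
that a bare regex lacks, so a DLP or labelling rule trips on real IDs and
not on invoice or phone numbers. Added example, not from the original article."""
import re
from datetime import date

# Six date digits, two place-of-birth digits, four serial digits; hyphens optional.
# The lookarounds stop matches starting or ending inside a longer digit run.
MYKAD = re.compile(r"(?<!\d)(\d{2})(\d{2})(\d{2})-?(\d{2})-?(\d{4})(?!\d)")


def _valid_date(yy, mm, dd):
    """True if YYMMDD is a real date in the 1900s or 2000s that is not in the future."""
    for century in (1900, 2000):
        try:
            candidate = date(century + yy, mm, dd)
        except ValueError:
            continue
        if candidate <= date.today():
            return True
    return False


def find_mykad(text):
    """Return the MyKad numbers found in text, normalised to hyphenated form."""
    hits = []
    for m in MYKAD.finditer(text):
        yy, mm, dd, pb, serial = (int(m.group(i)) for i in range(1, 6))
        # Assumption: place-of-birth code 00 is never issued; all other codes are accepted here.
        if pb == 0 or not _valid_date(yy, mm, dd):
            continue
        hits.append(f"{yy:02d}{mm:02d}{dd:02d}-{pb:02d}-{serial:04d}")
    return hits


def classify(text, threshold=1):
    """Map a document onto the four-label model: any MyKad number makes it Confidential."""
    return "Confidential" if len(find_mykad(text)) >= threshold else "Internal"


# Constructed sample document: two real-shaped IDs, one invoice number, one phone number.
SAMPLE = """HR enrolment form (constructed test data)
Staff ID 900115-10-5678 and spouse 881231145432 enrolled.
Invoice 123456-78-9012 and phone 0123456789 are not identity numbers.
"""

if __name__ == "__main__":
    print(find_mykad(SAMPLE))
    print(classify(SAMPLE))
```

The invoice number is the case a plain `\d{6}-\d{2}-\d{4}` pattern gets wrong: it has the right shape, but month 34 does not exist, so the matcher drops it. That is the same reason to prefer the built-in sensitive information type over a custom regex in production.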
5.3 External sharing settings
SharePoint admin centre → Policies → Sharing:
- OneDrive external sharing: New and existing guests. Not “anyone.”
- Anonymous “anyone” links: disable for OneDrive entirely, allow for SharePoint only on specific sites where business justifies
- Default link type: “People in your organisation”
- Default link permission: View
- Guest expiration: 60 days with renewal required
5.4 Retention labels
Match retention to PDPA’s Retention Principle. Typical baseline:
- Exchange mail: retain 5 years, delete thereafter
- Teams chat: retain 2 years
- SharePoint/OneDrive files: retain 7 years for finance, 5 years for everything else
- Deleted items: extend the Exchange Online Recoverable Items window from the 14-day default to the 30-day maximum; SharePoint and OneDrive recycle bins keep deleted files for 93 days
Phase 6: Logging and monitoring
6.1 Unified audit log
Enable in Purview. Retention depends on licence:
- Business Premium and E3: 180 days (Audit Standard)
- E5: 1 year (Audit Premium), extendable to 10 years with the 10-Year Audit Log Retention add-on
If you need longer retention (most Malaysian SMEs should target 12 months post-PDPA 2024), stream to a SIEM such as Microsoft Sentinel, Splunk, Elastic, or a managed SOC service.
6.2 Alerts to subscribe to
At minimum, route these to an email DL monitored by IT or your MSSP:
- Impossible travel detected
- Suspicious inbox rule creation (classic BEC indicator)
- Admin elevation
- Mass download / mass external share
- Mailbox audit disabled / mailbox forwarding to external address enabled
- Failed sign-ins above threshold per user per hour
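An added example (not from the article) of the inbox-rule and forwarding detections from the list above, run over constructed Unified Audit Log records in the layout Search-UnifiedAuditLog and the Management Activity API return (Operation, UserId, Parameters as Name/Value pairs). The accepted domain example.my, the hiding-folder list and the severity levels are assumptions.

```python
"""Flag classic BEC indicators in Exchange Online audit records: inbox rules
that forward, redirect or hide mail, mailbox-level external forwarding, and
mailbox auditing being switched off. Added example, not from the original
article; the records below are constructed but follow the Unified Audit Log
field layout."""
import json

INTERNAL_DOMAINS = {"example.my"}        # constructed: your accepted domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Archive", "Junk Email",
                  "Deleted Items", "Conversation History"}   # heuristic, assumption


def _params(record):
    """Collapse the audit record's Parameters array into a dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _addresses(value):
    """Forwarding values arrive as 'smtp:a@b' or '["smtp:a@b"]'; normalise to bare addresses."""
    cleaned = value.replace('"', "").replace("'", "").strip("[]")
    return [a.strip().lower().removeprefix("smtp:") for a in cleaned.split(";") if a.strip()]


def _external(addresses):
    return [a for a in addresses if "@" in a and a.rsplit("@", 1)[1] not in INTERNAL_DOMAINS]


def analyse(record):
    """Return (severity, reason) findings for one audit record."""
    op, params, findings = record.get("Operation"), _params(record), []
    targets = [addr for k, v in params.items() if k in FORWARD_PARAMS for addr in _addresses(v)]
    external = _external(targets)
    if op in ("New-InboxRule", "Set-InboxRule"):
        if external:
            findings.append(("high", f"inbox rule forwards to external {external}"))
        elif targets:
            findings.append(("medium", f"inbox rule forwards internally to {targets}"))
        if params.get("DeleteMessage", "").lower() == "true" or params.get("MoveToFolder") in HIDING_FOLDERS:
            findings.append(("medium", "inbox rule deletes or hides incoming mail"))
        if params.get("Name", "").strip(" .,-_") == "":
            findings.append(("medium", "rule name is blank or punctuation only"))
    elif op == "Set-Mailbox":
        if external:
            findings.append(("high", f"mailbox forwarding set to external {external}"))
        if params.get("AuditEnabled", "").lower() == "false":
            findings.append(("medium", "mailbox auditing disabled"))
    return findings


def triage(lines):
    """Run analyse() over a JSON-lines export; returns (severity, user, operation, reason)."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        for severity, reason in analyse(record):
            alerts.append((severity, record.get("UserId"), record.get("Operation"), reason))
    return alerts


# Constructed sample export: a BEC rule, external mailbox forwarding, a benign rule, audit turned off.
SAMPLE_LOG = r"""
{"CreationTime":"2026-04-10T01:12:03","Operation":"New-InboxRule","UserId":"finance@example.my","Workload":"Exchange","ClientIP":"203.0.113.7","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"[\"smtp:drop@mailbox-collect.example\"]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2026-04-10T01:15:40","Operation":"Set-Mailbox","UserId":"finance@example.my","Workload":"Exchange","ClientIP":"203.0.113.7","Parameters":[{"Name":"Identity","Value":"finance"},{"Name":"ForwardingSmtpAddress","Value":"smtp:drop@mailbox-collect.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2026-04-10T09:02:11","Operation":"New-InboxRule","UserId":"sales@example.my","Workload":"Exchange","ClientIP":"198.51.100.20","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2026-04-10T09:30:00","Operation":"Set-Mailbox","UserId":"admin@example.my","Workload":"Exchange","ClientIP":"198.51.100.21","Parameters":[{"Name":"Identity","Value":"finance"},{"Name":"AuditEnabled","Value":"False"}]}
""".strip().splitlines()

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The first two records are the pattern we see most in Malaysian BEC cases: a punctuation-named rule that forwards and deletes, created from the same IP that then sets mailbox-level forwarding minutes later. Correlating on ClientIP and UserId across the two operations is the next step once the per-record findings are in a SIEM.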
6.3 Secure Score
Use Microsoft Secure Score as a rolling scoreboard. Target 70%+ for SMEs. Every improvement recommendation is quantified; work them in descending risk-impact order.
Phase 7: Third-party backup
Microsoft’s Shared Responsibility Model is clear: Microsoft keeps the platform running; you are responsible for your data. Native retention will not protect you from accidental or malicious deletion, ransomware encryption of synced files, or admin compromise.
Recommended SME backup products:
- Veeam Backup for Microsoft 365
- AvePoint Cloud Backup
- Barracuda Cloud-to-Cloud Backup
- Keepit
- Redstor
Baseline configuration:
- Daily backup of Exchange, OneDrive, SharePoint, Teams chat
- Retention: 3 years minimum, 7 years for finance and HR data
- Cross-region storage (e.g., Singapore + Sydney)
- Immutable storage option enabled where available
- Quarterly test restore of a representative item from each workload
Related reading: Ransomware in Malaysia: A Step-by-Step Prevention Guide for SMEs covers backup philosophy in depth.
Baseline policy names and a rollout schedule
Consistent naming and a disciplined rollout prevents the helpdesk wave that kills most security projects.
Naming convention
- Conditional Access: CA-XXX-Purpose
- Intune compliance: COMP-Platform-Purpose
- Intune config: CONF-Platform-Purpose
- Defender policies: ATP-Purpose
- DLP: DLP-Scope-Purpose
- Retention labels: RET-Scope-Years
A three-week rollout for a 25-user SME
Week 1: Identity and MFA
– Day 1: Enable Unified Audit Log, review Secure Score, document tenant baseline
– Day 2: Legacy auth block policy in report-only; communicate to staff
– Day 3: MFA roll-out to all staff; enrolment drive
– Day 4: Flip legacy auth block to enforce; monitor helpdesk
– Day 5: Break-glass accounts + PIM; document recovery procedures
Week 2: Endpoints and email
– Day 6 to 7: Intune compliance policies; device enrolment drive
– Day 8: Defender for Business policies
– Day 9: Defender for Office 365 preset policies; DKIM/DMARC
– Day 10: External-sender banner; Attack Simulation baseline test
Week 3: Data, logging, backup
– Day 11: Sensitivity labels (four-label model) + user training
– Day 12: DLP policies in notify mode
– Day 13: Retention labels
– Day 14: Third-party backup deployment and first run
– Day 15: Full secure-score review; handover doc for ongoing management
A mature MSSP can compress this; a team doing it for the first time often stretches to 6 weeks. Do not rush Conditional Access: broken CA locks out CEOs on Monday mornings.
Admin hygiene: the small things that catch people out
- Don’t use daily accounts as admins. Every admin has two accounts: their regular user account (for email, Teams, daily work) and a dedicated admin account used only for privileged tasks.
- Review ex-employees weekly. Accounts should be blocked on the day of departure. Review licensing after 30 days.
- Audit mailbox forwarding quarterly. Unknown external forwards are a classic sign of compromise.
- Audit third-party apps quarterly. Revoke any consented app that isn’t actively used.
- Keep break-glass paper copies current. Rotate break-glass passwords yearly, re-seal.
- Document everything. Your IR plan, your baseline, your exceptions. A 3am incident responder needs to find the info.
- Review guest accounts monthly. External collaborators accumulate; trim regularly.
What this means for your business
A well-hardened Microsoft 365 tenant is the single highest-leverage cybersecurity investment a Malaysian SME can make. It is also the easiest to get 70% right and then stop โ which leaves enough gaps for attackers. The last 30% is where Cybergate spends most of its hardening-engagement time. Tenants at that level consistently pass cyber-insurance attestations, satisfy PDPA Security Principle requirements, and survive the phishing attempts that land daily in Malaysian inboxes.
How Cybergate helps
Cybergate’s Microsoft 365 hardening engagement delivers the full baseline above in 2 to 3 weeks for a 25 to 50 user SME. We are Microsoft Defender-trained, Entra ID and Intune experienced, and we operate M365 tenants for Malaysian SMEs across Melaka, the Klang Valley, and Johor. Our ongoing managed service keeps your tenant tuned as Microsoft ships changes monthly.
Book Your Free Review
Book a free 30-minute M365 security review. We will run a non-invasive Secure Score readout and identify your top three risks with remediation estimates.
FAQ
Do I need Entra ID P2 or is P1 enough?
P1 covers Conditional Access, Intune integration, and password protection โ enough for the baseline above. P2 adds Identity Protection (risk-based CA), Privileged Identity Management, and Access Reviews. Most SMEs at 50+ users find P2 worth the cost; below that, P1 suffices.
What’s the difference between Defender for Business and Defender for Endpoint?
Defender for Business is the SME-packaged EDR included in M365 Business Premium for up to 300 users. Defender for Endpoint P1/P2 is the enterprise version, sold with M365 E3/E5. Capability is largely the same for SMEs; policy UI and integration differ.
Can I deploy this on a mixed Mac/Windows fleet?
Yes. Intune manages both, Defender for Business runs on both, and the Conditional Access policies are platform-agnostic. macOS-specific configuration profiles cover FileVault, Gatekeeper, SIP.
What happens to my current antivirus?
Uninstall it. When a third-party antivirus is registered, Microsoft Defender Antivirus drops into passive mode and Defender for Business loses its prevention layer; running both actively creates conflicts, false positives, and performance issues. Defender for Business is at least as strong for the SME use case and more tightly integrated.
How do I prove to a customer auditor that the baseline is in place?
Export your Conditional Access policies (JSON, via the Graph API or the Entra admin centre), Intune compliance and configuration policies, Defender policy configuration, and a recent Secure Score report. Package them into a compliance evidence bundle refreshed quarterly, with the export date and the exporting admin recorded alongside.
Is this baseline enough for ISO 27001 or SOC 2 readiness?
It is a strong contribution to the Annex A technical controls for ISO 27001 and the Security/Availability categories for SOC 2, but certification programs also require policy, governance, and evidence processes the baseline does not supply.
How often should the baseline be reviewed?
Quarterly. Microsoft ships Conditional Access features, Intune settings, and Defender capabilities on a monthly cadence. An unreviewed baseline ages faster than most SMEs realise.
Related reading
- How Much Does Cybersecurity Cost in Malaysia?
- PDPA Amendment 2024: SME Guide
- The 72-Hour PDPA Breach Notification Playbook
- Ransomware in Malaysia: Prevention Guide for SMEs
- Phishing Emails in Malaysia: Real Examples
External references
- Microsoft 365 security documentation
- Defender for Office 365 overview
- Defender for Business
- Intune configuration guidance
- Microsoft Secure Score
- NIST SP 800-63 digital identity guidelines
- CISA Secure Cloud Business Applications (SCuBA) M365 baseline
Last updated: 15 April 2026. Microsoft naming and UI change frequently; verify current names in your admin centre when applying.
