In 2023, Verizon's Data Breach Investigations Report found that compromised credentials were the leading attack vector in data breaches, and that they were involved in 86 percent of web application attacks globally. The defence against credential compromise is well understood, widely available, and free in most Microsoft 365 business plans. It is also, as of 2024, still not enabled by roughly 30 percent of Australian Microsoft 365 tenants.
Multi-factor authentication is perhaps the starkest example of a broader phenomenon: organisations paying for a sophisticated productivity and security platform and using a fraction of what they have. The average business-tier Microsoft 365 subscription includes tools for advanced threat protection, information governance, endpoint management, workflow automation, and business intelligence — most of which sit unconfigured, or configured to defaults that provide minimal protection.
The Security Configuration Gap
Microsoft's own Secure Score — a measurement of how well a tenant's security settings align with Microsoft's recommended configurations — averages in the low 30s out of 100 for small and mid-sized Australian businesses, according to analysis published by managed service providers operating in this market. The gap is not primarily a knowledge problem; most IT managers know MFA exists. It is an implementation problem. Enabling MFA without a proper rollout plan generates a wave of helpdesk calls and user complaints. Conditional Access policies — which determine when and from where users can access company data — require careful design to avoid locking out legitimate users. The path of least resistance is to leave settings at default.
The consequence is exposure. Microsoft records approximately 1.5 billion password spray and credential stuffing attempts against its identity services every day. Accounts without MFA are roughly 99 times more likely to be compromised than those with it enabled, according to Microsoft's own telemetry. An account compromise in a Microsoft 365 environment does not just expose email — it potentially exposes SharePoint files, OneDrive documents, Teams conversations, and any other applications connected to the same identity.
Conditional Access policies, properly configured, add a second control layer. They can require that access to sensitive data only be permitted from managed devices, flag sign-ins from unusual locations, and automatically prompt for additional verification when risk signals are detected. The Azure AD Identity Protection component that powers this capability is included in Microsoft 365 Business Premium — a licence tier that costs approximately $28 per user per month in Australia.
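As an added example (not from the article, and not Microsoft's own sample code), here is what the staged rollout implied two paragraphs up (a pilot group, an emergency-access exclusion, and a report-only state so nobody is locked out while impact is measured) and the three controls just described (managed devices for company data, extra verification on risk signals, MFA) look like when expressed as Conditional Access policies through the Microsoft Graph PowerShell SDK. The cmdlet names are those of the SDK's Microsoft.Graph.Identity.SignIns module; the group and user object IDs, the policy display names, and the choice of which users pilot first are placeholders and assumptions.

```powershell
# Added example, not from the article. Creates three Conditional Access policies in
# report-only mode with the Microsoft Graph PowerShell SDK so their effect shows up in
# sign-in logs before anything is enforced.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed, the signed-in account can
# write Conditional Access policy, and the two object IDs below are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder object IDs (constructed for this example; replace with real tenant values).
$pilotGroupId     = "00000000-0000-0000-0000-000000000001"   # pilot users for the staged rollout
$breakGlassUserId = "00000000-0000-0000-0000-000000000002"   # emergency-access account, always excluded

# Policy 1: require MFA for every cloud app, scoped to the pilot group first.
$mfaPolicy = @{
    displayName = "CA001 - Require MFA (pilot, report-only)"
    state       = "enabledForReportingButNotEnforced"   # record the outcome, block nobody yet
    conditions  = @{
        users = @{
            includeGroups = @($pilotGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: when Identity Protection rates a sign-in medium or high risk, demand MFA
# for everyone (the "risk signals" control), not only the pilot group.
$riskPolicy = @{
    displayName = "CA002 - MFA on risky sign-in (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 3: company data (the built-in "Office365" app group: SharePoint, OneDrive,
# Exchange, Teams) only from a compliant or hybrid-joined device.
$devicePolicy = @{
    displayName = "CA003 - Managed device for Office 365 data (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

foreach ($p in @($mfaPolicy, $riskPolicy, $devicePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created '{0}' state={1} id={2}" -f $created.DisplayName, $created.State, $created.Id)
}
```

The point of `enabledForReportingButNotEnforced` is that the sign-in log then records, per sign-in, which policy would have applied and whether the user would have satisfied it. That list is the helpdesk load the article warns about, discovered before anyone is locked out. Once the pilot group is clean, the same policy is switched to `state = "enabled"` (with `Update-MgIdentityConditionalAccessPolicy`) and the include scope widened, one group at a time. The break-glass exclusion is deliberate: an account that Conditional Access can never lock out is what lets an administrator repair a mistaken policy.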
What Most Businesses Are Leaving on the Table
Beyond security, the productivity gap in typical Microsoft 365 deployments is substantial. SharePoint and Teams together provide a document management and collaboration platform that eliminates the version control chaos of emailed attachments and local file shares — but only if users are trained to work that way and sites are structured sensibly. Most organisations that deployed Teams during the COVID remote-work period ended up with an ungoverned proliferation of channels, no clear naming conventions, and files scattered across dozens of Teams sites with no coherent structure.
The Power Platform — Power Apps, Power Automate, and Power BI — represents perhaps the most underutilised component of a Microsoft 365 subscription. Power Automate can automate repetitive workflows without requiring code: approval processes, data entry tasks, notifications, and integrations between systems. A basic approval workflow that currently involves email chains and manual follow-up can typically be automated in a few hours by someone with moderate platform familiarity, saving meaningful amounts of staff time at the cost of a one-off configuration effort.
"We built a supplier onboarding workflow in Power Automate that replaced about three hours of manual processing per new supplier," says operations manager Caroline Hsu at a Perth-based property management company. "We have maybe 40 new suppliers a year. The automation paid for the time we spent building it within six months, and now it runs without anyone thinking about it."
The Copilot Question
Microsoft's AI assistant Copilot for Microsoft 365 — available as an add-on at approximately $37 per user per month — applies large language model capabilities directly to the Microsoft 365 data a user already has access to. Meeting summaries, email drafting, document creation from prompts, and data analysis in Excel are the headline use cases.
The productivity gains from early enterprise deployments are real but unevenly distributed. Users who regularly attend many meetings and write substantial volumes of documentation see the clearest return. Those whose work is primarily client-facing, hands-on, or reliant on systems outside the Microsoft ecosystem see less. The licence cost is substantial at scale; a 100-person deployment adds $3,700 per month to the Microsoft bill. The investment case requires honest assessment of which users will genuinely change how they work, rather than a blanket rollout.
Getting Configuration Right
For most businesses, the highest-return Microsoft 365 work is not adding new features — it is properly configuring what they already have. An experienced managed service provider working through a Microsoft 365 security and optimisation review typically focuses on: enabling and correctly scoping MFA, implementing Conditional Access policies, configuring Data Loss Prevention to prevent sensitive data from being emailed or shared externally without authorisation, activating Safe Links and Safe Attachments in Defender for Office 365, and establishing retention policies that satisfy both operational and compliance requirements.
None of this requires additional licences. All of it measurably reduces risk. And all of it is sitting in the admin portal, waiting.
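As an added example (not from the article), here is a read-only check an administrator can run before any of the configuration work above, covering the three gaps the article quantifies: the tenant's Secure Score, the number of users with no MFA method registered, and whether the Conditional Access policies that exist actually enforce anything. It uses the Microsoft Graph PowerShell SDK; the module and cmdlet names are the SDK's, while the Graph permission scopes requested and the assumption that the signed-in account may read reports and policy are stated here as assumptions.

```powershell
# Added example, not from the article. Read-only assessment of Secure Score, MFA
# registration coverage and Conditional Access enforcement via Microsoft Graph.
# Assumptions: Microsoft.Graph.Security, Microsoft.Graph.Reports and
# Microsoft.Graph.Identity.SignIns are installed; the account can consent to the scopes.
Import-Module Microsoft.Graph.Security, Microsoft.Graph.Reports, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "SecurityEvents.Read.All", "AuditLog.Read.All",
                        "UserAuthenticationMethod.Read.All", "Policy.Read.All"

# 1. Secure Score: newest snapshot, shown against the tenant's own maximum.
$latest = Get-MgSecuritySecureScore -Top 5 |
          Sort-Object CreatedDateTime -Descending |
          Select-Object -First 1
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
Write-Host ("Secure Score: {0} / {1} ({2}%)" -f $latest.CurrentScore, $latest.MaxScore, $pct)

# 2. MFA registration gap: users with no MFA method registered at all, and how many
#    of those hold an admin role (the accounts a credential-stuffing campaign values most).
$regs        = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$noMfa       = @($regs | Where-Object { -not $_.IsMfaRegistered })
$noMfaAdmins = @($noMfa | Where-Object { $_.IsAdmin })
Write-Host ("Users without MFA registered: {0} of {1} ({2} of them administrators)" -f
            $noMfa.Count, $regs.Count, $noMfaAdmins.Count)
$noMfaAdmins | Select-Object UserPrincipalName | Format-Table -AutoSize

# 3. Conditional Access: list every policy with its state. A tenant whose policies are all
#    "disabled" or report-only has the default-settings exposure the article describes.
$policies = @(Get-MgIdentityConditionalAccessPolicy)
if ($policies.Count -eq 0) {
    Write-Warning "No Conditional Access policies exist; sign-ins are governed only by defaults."
}
$policies | Select-Object DisplayName, State | Sort-Object State | Format-Table -AutoSize
$enforcing = @($policies | Where-Object { $_.State -eq "enabled" }).Count
Write-Host ("Conditional Access policies enforcing: {0} of {1}" -f $enforcing, $policies.Count)
```

Run monthly, the three numbers this prints (score percentage, unregistered-MFA count, enforcing-policy count) are a cheap way to track whether the configuration review is actually closing the gap rather than just producing a report.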