Microsoft 365 Setup Small Business Guide | Kawco Sydney

Most small and medium businesses in Sydney get their Microsoft 365 tenancy up and running within an afternoon — and that’s precisely the problem. A quick setup gets email flowing, but it typically leaves security gaps wide open, licences misallocated, and no clear recovery plan if something goes wrong. The cost of fixing a poorly configured M365 environment after the fact — particularly if a phishing attack or data breach exposes the gaps — can run into tens of thousands of dollars in remediation, downtime, and potential regulatory exposure under the Australian Privacy Act 1988. If your business handles personal information (and most do), getting the Microsoft 365 setup right from the start is not optional; it’s a compliance obligation as much as an IT decision.

Start with your tenant design — it matters more than you think

When you first create a Microsoft 365 tenancy, you’re asked to choose a primary domain and an initial admin account. Many businesses rush through this, using a personal email address or a generic name like admin@yourbusiness.onmicrosoft.com as the global administrator account. That account then sits as a permanent, high-privilege target with no meaningful protection. A structured approach means creating dedicated break-glass admin accounts with long, randomly generated passwords stored securely offline, then operating day-to-day admin through separate accounts that have only the permissions they actually need.

Your tenant region also matters. Microsoft lets you choose where your data is stored during the initial setup, and for Australian businesses, selecting Australia as the data residency region ensures your Exchange Online mailbox data, SharePoint files, and Teams content sit within Australian data centres. This is directly relevant to Privacy Act compliance and, for businesses in regulated sectors like health or financial services, may be a non-negotiable requirement. Once a tenancy is created, changing the data residency is not straightforward — it often requires Microsoft support involvement and potential data migration — so getting it right at the start saves significant pain later.

Licensing: matching the right plan to the right people

Microsoft 365 licensing for small and medium businesses in Australia sits across several tiers: Microsoft 365 Business Basic (roughly $8–$10 AUD per user per month), Business Standard (roughly $18–$22), and Business Premium (roughly $30–$36), with pricing subject to change and volume agreements. The temptation is to assign everyone the cheapest licence that gets them email and Teams access. The problem is that Business Premium includes Intune device management, Defender for Business, Azure AD Premium P1, and Information Protection features that Basic and Standard do not. For any user handling sensitive data — finance, HR, management — the absence of those controls creates a measurable security gap that a lower licence price does not justify.

A proper Microsoft 365 setup for a small business involves auditing each role and matching licence features to actual need. Warehouse staff who only need Teams on a shared device might suit an F1 or F3 Frontline Worker licence. A partner or executive handling confidential client files needs Business Premium at a minimum. Over-licensing everyone to Business Premium is also wasteful if half your users genuinely only need basic email. The right approach is a licensing matrix — a simple spreadsheet mapping each role to its required features — reviewed every six to twelve months as the business changes.

Security defaults are a starting point, not a finish line

Microsoft enables Security Defaults on all new tenancies. Security Defaults enforce multi-factor authentication (MFA) for all users and block legacy authentication protocols, which is a meaningful improvement over having nothing in place. But for most small and medium businesses with more than five users, Security Defaults are too blunt an instrument to rely on long-term. They don’t give you conditional access policies, they can’t enforce device compliance as a condition of sign-in, and they apply the same controls to a full-time employee and a contractor who needs temporary access.

A properly structured M365 security configuration moves beyond Security Defaults to named Conditional Access policies. Common examples include: requiring MFA for all users when signing in from outside your office network; blocking sign-ins from countries your business has no presence in; requiring compliant or Hybrid Azure AD-joined devices for access to SharePoint and Teams; and enforcing a risk-based sign-in policy that prompts step-up authentication when Microsoft’s identity protection signals detect unusual behaviour. These policies require Azure AD Premium P1, which is included in Business Premium — another reason licensing decisions and security decisions need to be made together, not separately. For businesses wanting a deeper look at their risk posture, Kawco’s cybersecurity and risk management services cover M365 security assessments as part of a broader review.

Email authentication: the configuration most businesses skip

One of the most consequential oversights in a Microsoft 365 setup for a small business is failing to properly configure SPF, DKIM, and DMARC records in DNS. SPF (Sender Policy Framework) tells the world which mail servers are authorised to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature that receiving servers can verify. DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving servers what to do when a message fails SPF or DKIM checks — and, critically, it sends you reports so you can see who is attempting to send email that impersonates your domain.

Without all three configured correctly, your domain is vulnerable to spoofing attacks where criminals send convincing phishing emails that appear to come from your address. This harms your clients directly and damages your reputation. The configuration itself is not complex — Microsoft provides the DKIM keys directly in the Defender admin portal, and SPF for a basic M365 setup is a single DNS TXT record — but it requires access to your DNS zone and an understanding of what each record does. DMARC should be set to a p=reject policy once you’ve monitored the reporting data and confirmed only legitimate sources are sending on your behalf. Moving from p=none to p=reject prematurely is a common mistake that can cause legitimate mail to be blocked.
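As an added example (not Kawco's tooling or code from this guide), the Python script below checks SPF and DMARC TXT records offline against the points above: the Exchange Online include, a non-permissive terminating all mechanism, the ten-lookup limit, and whether DMARC is still at p=none or lacks a rua reporting address. The domain name and record values are constructed samples; in practice you would feed in the results of a DNS TXT lookup for your own domain.

```python
"""Offline check of the SPF and DMARC TXT records a Microsoft 365 tenant should publish.
Added example, not Kawco's tooling; the TXT values below are constructed samples."""
import re

M365_SPF_INCLUDE = "include:spf.protection.outlook.com"  # Exchange Online's SPF include

SAMPLE_RECORDS = {  # constructed records for a fictional domain, keyed as a TXT lookup returns them
    "example-business.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-business.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example-business.com.au"],
}

def check_spf(records):
    """Return findings for a domain's SPF record(s); an empty list means it looks right."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = ["multiple SPF records"] if len(spf) > 1 else []  # receivers treat this as permerror
    terms = spf[0].split()
    if M365_SPF_INCLUDE not in terms:
        findings.append("Exchange Online not included")
    if terms[-1] in ("+all", "?all"):
        findings.append("permissive all mechanism")  # spoofed mail passes or is neutral
    elif terms[-1] not in ("-all", "~all"):
        findings.append("no terminating all mechanism")
    # include/a/mx/exists/redirect/ptr each cost a DNS lookup; RFC 7208 caps the total at 10.
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=|ptr)", t))
    if lookups > 10:
        findings.append("too many DNS lookups")
    return findings

def parse_dmarc(record):
    # Split "v=DMARC1; p=none; rua=..." into a lower-cased tag dictionary.
    return {k.strip().lower(): v.strip()
            for k, v in (part.split("=", 1) for part in record.split(";") if "=" in part)}

def check_dmarc(records):
    """Return findings for the _dmarc TXT record: missing, monitor-only, or unreported."""
    dmarc = [r for r in records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return ["no DMARC record"]
    tags = parse_dmarc(dmarc[0])
    # p=none only observes: spoofed mail is still delivered while you read the reports.
    findings = ["monitor-only policy"] if tags.get("p", "none").lower() == "none" else []
    if "rua" not in tags:
        findings.append("no aggregate reporting address")  # you cannot see who is sending as you
    return findings

def audit(domain, records):
    """Combine SPF and DMARC findings for one domain."""
    return {"spf": check_spf(records.get(domain, [])),
            "dmarc": check_dmarc(records.get("_dmarc." + domain, []))}
```

The sample domain reports a clean SPF record but a monitor-only DMARC policy, which is the state to stay in only until the rua reports confirm that every legitimate sender is covered.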

Backup: Microsoft 365 does not protect you the way you think it does

This is the single most persistent misunderstanding among small and medium businesses using Microsoft 365: Microsoft’s built-in retention and recycle bin features are not a backup solution. Microsoft operates under a shared responsibility model. They protect the infrastructure; you are responsible for your data. Deleted items in Exchange Online are recoverable for up to 30 days by default (extendable to 180 days with retention policies), but that window does not protect against accidental mass deletion, ransomware that encrypts files in SharePoint or OneDrive, or a malicious insider who deliberately purges data. Once data is outside the retention window, it is gone.

A proper backup strategy for M365 involves a third-party backup tool — solutions like Veeam Backup for Microsoft 365, Acronis, or similar — that takes independent, immutable copies of your Exchange, SharePoint, OneDrive, and Teams data on a regular schedule and stores them in a separate location. For Sydney businesses, this typically means replication to a secondary Australian data centre or a compliant cloud storage provider. Recovery testing matters as much as the backup itself: a backup you’ve never tested is a backup you can’t rely on. Kawco’s backup and business continuity services include scheduled recovery testing as a standard part of the engagement, not an afterthought.

Ongoing governance: the part that actually keeps you protected

A Microsoft 365 environment is not a set-and-forget system. New features roll out continuously, Microsoft deprecates older protocols, and your business changes — people join, leave, change roles, and bring new devices. Without a governance process, what starts as a clean, well-configured environment drifts over time. Guest access accumulates in Teams. Old accounts remain active after staff leave. Shared mailboxes get converted to full mailboxes when no one is watching. Licences pile up on accounts that haven’t logged in for six months.

Effective governance for a small or medium business doesn’t need to be complicated. A quarterly review that covers active user accounts, licence assignments, conditional access policy effectiveness, MFA adoption rates, and backup job status is enough to keep most environments in good shape. The Microsoft 365 admin centre and the Secure Score dashboard give you a clear, prioritised view of outstanding configuration issues — treat your Secure Score as a KPI, not just a dashboard widget. Pairing that internal review with a relationship with a structured IT provider who understands your environment means issues get caught before they become incidents. Kawco’s Microsoft 365 and cloud services include proactive environment management, not just reactive support when things break.

Frequently Asked Questions

How much does a proper Microsoft 365 setup cost for a small business in Sydney?

The licence cost itself starts at roughly $8–$10 AUD per user per month for Business Basic and rises to $30–$36 per user per month for Business Premium, as of 2024 pricing. On top of licences, a professional setup engagement — covering tenant configuration, security policies, email authentication, device enrolment, and staff onboarding — typically costs between $1,500 and $5,000 for a business with 10–30 users, depending on complexity. That investment is substantially less than the average cost of recovering from a compromised account or a data breach, which for a small Australian business routinely exceeds $30,000 once you account for IT remediation, legal review, and client notification obligations under the Notifiable Data Breaches scheme.

What’s the difference between Microsoft 365 Business Standard and Business Premium?

Business Standard includes the full Office app suite, Exchange, SharePoint, Teams, and OneDrive — everything most staff need for daily work. Business Premium adds Intune (device management), Microsoft Defender for Business (endpoint protection), Azure AD Premium P1 (conditional access policies), and Microsoft Purview Information Protection. For most businesses that handle any form of sensitive client, financial, or personal data, Business Premium is the appropriate choice because those additional controls are what allow you to enforce security at the device and identity level, not just at the application level. Choosing Standard over Premium to save roughly $12–$15 per user per month makes sense only for roles with genuinely minimal data access requirements.

Do we need a third-party backup if we already use Microsoft 365?

Yes, for most businesses the answer is clearly yes. Microsoft’s built-in retention features are designed for compliance scenarios — legal holds, eDiscovery, retention policies — not for operational recovery from data loss events like accidental deletion, ransomware, or insider threats. The default recycle bin and deleted item recovery windows are limited in duration, and they don’t protect against scenarios where data is corrupted or deleted within the retention period. An independent backup solution that stores copies outside the Microsoft 365 environment gives you a true recovery point regardless of what happens inside your tenancy. For businesses subject to Australian Privacy Act obligations or sector-specific regulations, having a documented and tested backup process is often a requirement, not just good practice.

Can we set up Microsoft 365 ourselves without an IT provider?

Technically, yes — Microsoft’s admin portal is accessible to anyone and the basic configuration steps are well-documented. The challenge is that the defaults Microsoft ships with are not optimised for security; they’re optimised for ease of getting started. A self-configured tenancy that hasn’t gone through a structured security review typically has MFA gaps, missing email authentication records, no conditional access policies, and no backup. For a sole trader or micro-business with minimal sensitive data, a self-setup may be acceptable. For any business with more than five users, client data, financial records, or obligations under the Privacy Act, professional setup is the lower-risk path — the cost of fixing problems later consistently exceeds the cost of doing it properly at the start.

How long does it take to properly set up Microsoft 365 for a small business?

A basic tenant creation and licence assignment can be done in a couple of hours. A proper setup — including security policy configuration, email authentication, conditional access, device enrolment via Intune, and staff onboarding — typically takes two to five business days for a business with 10–30 users, assuming DNS access and device availability are in place. Staff training on MFA setup and basic security hygiene adds time but is not optional; the most secure configuration in the world can be undermined by a staff member who doesn’t know how to recognise a phishing attempt. Building in at least a half-day of structured onboarding for staff is worthwhile and reduces support calls in the weeks that follow.

How Kawco Can Help

Kawco is a managed IT provider based in Alexandria, Sydney. We work with small and medium businesses that need their technology to be reliable, secure, and properly managed — not patched together over time and held together with hope. Our approach to Microsoft 365 is structured: we document what we build, we configure environments to a defined security standard, and we review them on a scheduled basis so they don’t drift.

Whether you’re setting up M365 for the first time, inheriting a tenancy that’s never been properly reviewed, or looking for ongoing management that goes beyond reactive helpdesk support, we’re happy to have a practical conversation about what your business actually needs. Get in touch with the Kawco team to start that conversation.