
Microsoft 365 Security for Medical Practices

A practical guide to securing Microsoft 365 in Australian medical, dental and allied health practices.

Microsoft 365 sits at the centre of most Australian medical practices. Email, calendars, shared documents, internal chat, video consultations and remote work all flow through it. That makes it the single most important platform to secure well.

This guide walks through the areas that matter most for practice managers and clinic owners — identity, email, files, Teams, devices and visibility. It is written in plain English and is intended to support a conversation with your IT provider, not replace one.

Why Microsoft 365 is critical to healthcare

For most practices, a Microsoft 365 account is also the front door to the rest of the environment. A compromised mailbox does not just expose email — it often exposes OneDrive and SharePoint files, Teams conversations, and any third-party app that uses Microsoft as the sign-in provider. Getting Microsoft 365 right is therefore the highest-leverage cybersecurity investment most practices can make.

Common Microsoft 365 risks

  • Mailboxes without enforced multi-factor authentication.
  • Legacy authentication still enabled, allowing password-only sign-ins.
  • Anonymous sharing of OneDrive and SharePoint files.
  • Old guest accounts that nobody recognises but still have access.
  • Mailbox forwarding rules silently sending email outside the practice.
  • Audit logging disabled, so incidents cannot be reconstructed.

Identity security

Identity is the foundation. Every other Microsoft 365 control depends on knowing who is signing in and what they should be able to do. The basics:

  • Each user has their own account — no shared mailboxes as sign-ins
  • Privileged accounts are separate from day-to-day accounts
  • Self-service password reset is configured securely, with the authenticator app (not only email or SMS) as the verification method
  • Old accounts are disabled promptly when staff leave
  • Service accounts are inventoried and reviewed

MFA best practices

Multi-factor authentication is the single highest-value setting in Microsoft 365. Practical advice:

  • Enforce MFA via conditional access (or security defaults on plans without Microsoft Entra ID P1), not legacy per-user MFA
  • Prefer Microsoft Authenticator over SMS where possible
  • Apply MFA to administrator accounts without exception
  • Block legacy authentication protocols that bypass MFA
  • Review trusted devices and locations periodically

Conditional access

Conditional access lets a practice define rules such as "users can only sign in from Australia", "admin actions require a compliant device", or "sign-ins from unfamiliar locations require additional verification". Even a small number of well-chosen policies materially reduces risk without disrupting staff.

  • Block sign-ins from countries the practice does not operate in
  • Require MFA for all users for all cloud apps, excluding only a documented emergency-access (break-glass) account
  • Tighter controls for administrator and high-risk roles
  • Session controls for browser-based access on unmanaged devices

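The MFA advice above and the conditional access policies just listed come down to a handful of Microsoft Entra policies. The following is an added example written for this page, not configuration from the original article; it uses the Microsoft Graph PowerShell SDK to create three baseline policies in report-only mode. It assumes the tenant has Microsoft Entra ID P1 (included with Business Premium), that you hold the Conditional Access Administrator role, and that "breakglass@practice.example" is replaced with the practice's own emergency-access account.

```powershell
# Added example (not from the original page). Creates three baseline Conditional Access
# policies with the Microsoft Graph PowerShell SDK. Assumes Entra ID P1 licensing and the
# Conditional Access Administrator role. The break-glass UPN below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","User.Read.All"

# Emergency-access account (placeholder name). Excluded from every policy so a mistake
# cannot lock all administrators out of the tenant.
$breakGlass = Get-MgUser -UserId "breakglass@practice.example"

# Policy 1: require MFA for every user, on every cloud app.
$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# Policy 2: block legacy authentication. Protocols such as POP, IMAP, SMTP AUTH and old Office
# clients cannot present a second factor, so leaving them on is the usual MFA bypass.
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = legacy auth clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 3: block sign-ins from outside Australia. A named location for AU is defined first,
# then everything not in that location is blocked.
$auLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Australia"
    countriesAndRegions               = @("AU")
    includeUnknownCountriesAndRegions = $false   # sign-ins with no resolvable country are NOT treated as AU
}
$blockOutsideAu = @{
    displayName = "CA003 - Block sign-ins from outside Australia"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($auLocation.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOutsideAu

# Confirm what now exists and in which state before switching anything to "enabled".
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only mode for a week or two and check the sign-in logs for what would have been blocked. The legacy-authentication policy in particular tends to surface an old scanner, practice-management integration or phone app still using password-only IMAP or SMTP; fix or replace those before enforcing. The country policy treats sign-ins whose country cannot be determined as outside Australia, so watch the report-only results for legitimate staff on mobile networks before enabling it.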
Email security

Email remains the most common entry point. Microsoft Defender for Office 365 (Plan 1 is included with Microsoft 365 Business Premium and is an add-on for Business Basic and Standard) provides advanced anti-phishing, safe links, safe attachments and impersonation protection. The defaults are a starting point, not the destination.

  • Anti-phishing policies tuned for the practice's users and domains
  • Safe Links rewriting enabled across email and Office apps
  • Safe Attachments scanning enabled
  • SPF, DKIM and DMARC configured and monitored
  • External sender warnings shown clearly to staff
  • Quarantine notifications enabled so users see what is blocked
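"SPF, DKIM and DMARC configured and monitored" is easy to tick off and hard to verify by eye. The following is an added example for this page, not from the original article: a PowerShell check that reads the practice domain's DNS records with Resolve-DnsName (Windows DnsClient module), tests them against what Microsoft 365 expects, and then cross-checks that DKIM signing is actually enabled in Exchange Online. "practice.example" is a placeholder domain.

```powershell
# Added example (not from the original page). Checks SPF, DKIM and DMARC for a Microsoft 365
# domain. Assumes Windows PowerShell with the DnsClient module and, for the final step,
# the ExchangeOnlineManagement module. "practice.example" is a placeholder.
function Test-M365MailAuth {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{ Domain = $Domain }

    # SPF: exactly one v=spf1 TXT record. Microsoft 365 requires spf.protection.outlook.com.
    # "-all" (hard fail) is the goal; "~all" (soft fail) is a common weaker state.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $spf = @($txt | ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    $result['SpfRecord'] = $spf -join ' | '
    $result['SpfOk']     = ($spf.Count -eq 1) -and
                           ($spf[0] -match 'include:spf\.protection\.outlook\.com') -and
                           ($spf[0] -match '\s-all$')

    # DKIM: Microsoft 365 publishes two CNAMEs, selector1 and selector2, pointing at the tenant.
    $dkimOk = $true
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        $result["Dkim_$sel"] = ($cname | Select-Object -First 1).NameHost
        if (-not $result["Dkim_$sel"]) { $dkimOk = $false }
    }
    $result['DkimCnamesOk'] = $dkimOk

    # DMARC: TXT record at _dmarc.<domain>. p=none only monitors; quarantine or reject actually
    # protects the domain, and rua= is what delivers the aggregate reports used to monitor it.
    $dmarcTxt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue
    $dmarc = $dmarcTxt | ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $result['DmarcRecord'] = $dmarc
    $result['DmarcPolicy'] = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    $result['DmarcOk']     = ($result['DmarcPolicy'] -in @('quarantine', 'reject')) -and ($dmarc -match 'rua=mailto:')

    [pscustomobject]$result
}

# Usage: one object per domain, with *Ok flags that are easy to review or log.
Test-M365MailAuth -Domain 'practice.example' | Format-List

# DNS only proves the CNAMEs exist. Confirm Exchange Online is actually signing outbound mail.
Connect-ExchangeOnline
Get-DkimSigningConfig | Select-Object Domain, Enabled, Status
```

Run the DNS function for every domain the practice sends from, including any secondary domains used for billing or recalls. A domain that is never used for email should still carry an SPF record of `v=spf1 -all` and a DMARC `p=reject` record so it cannot be spoofed. Moving DMARC from `p=none` to `p=quarantine` is the step most practices never take; do it only after the aggregate reports show all legitimate senders (practice software, newsletter tools, the accountant's portal) pass SPF or DKIM.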

Defender for Business

Defender for Business is Microsoft's endpoint protection product for small and mid-sized organisations and is included with Microsoft 365 Business Premium (it is also available as a standalone licence). It provides EDR for Windows, macOS, iOS and Android devices, central visibility and automated response. Where practices currently rely on basic antivirus, Defender for Business is usually a material upgrade.

SharePoint security

SharePoint stores most of the documents that staff collaborate on. Securing it well means thinking about both site-level and tenant-level settings:

  • Conservative tenant-level external sharing defaults
  • Site-level sharing matches the sensitivity of each site
  • Guest access reviewed periodically
  • Sensitive sites locked down to specific groups
  • Versioning and retention enabled on key document libraries

OneDrive security

OneDrive is where most individual user files live, including files shared in private Teams chats. The key controls are the same shape as SharePoint, with attention to what happens when a staff member leaves the practice.

  • Default sharing links set to internal-only where possible
  • Anonymous link sharing disabled or restricted
  • OneDrive retention configured for departing staff
  • Known folder backup enabled to capture Desktop and Documents

Teams security

Teams brings together messaging, files, meetings and calls. Each of those surfaces has its own security considerations. A few principles go a long way:

  • External access (federation) limited to known partners where required
  • Guest access policies match the practice's sharing posture
  • Meeting policies prevent accidental anonymous joins to sensitive meetings
  • Channels for sensitive topics use private channels with limited membership
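The four Teams principles above map to federation, guest and meeting settings that can be reviewed and changed with the MicrosoftTeams PowerShell module. The following is an added example written for this page, not configuration from the original article; "partner.example" is a placeholder for a referring practice's domain, and it assumes the Teams Administrator role.

```powershell
# Added example (not from the original page). Reviews and tightens Teams external access,
# guest access and meeting join settings. Assumes the MicrosoftTeams module and the Teams
# Administrator role. "partner.example" is a placeholder partner domain.
Connect-MicrosoftTeams

# External access (federation): what is currently allowed? An empty AllowedDomains list with
# AllowFederatedUsers = True means "any Teams organisation can reach your staff".
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains

# Replace open federation with an explicit allow list of known partners.
$partner   = New-CsEdgeDomainPattern -Domain "partner.example"
$allowList = New-CsEdgeAllowList -AllowedDomain $partner
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList -AllowPublicUsers $false

# Guest access: is it on at all, and what can guests do in chat?
Get-CsTeamsClientConfiguration -Identity Global | Select-Object AllowGuestUser
Get-CsTeamsGuestMessagingConfiguration

# Meetings: no anonymous (unauthenticated) joins, and anyone outside the practice waits in the lobby.
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false -AutoAdmittedUsers "EveryoneInCompany"
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object AllowAnonymousUsersToJoinMeeting, AutoAdmittedUsers
```

One caveat that matters for a medical practice: if clinicians run video consultations through Teams, patients join anonymously by link, so blocking anonymous joins in the Global policy will break telehealth. In that case leave the Global policy strict, create a separate meeting policy that allows anonymous joins with the lobby enforced, and assign it only to the clinicians who consult by video.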

External sharing controls

Most medical practices need some external sharing — referring providers, allied health partners, accountants and so on. The aim is not to block sharing, but to make it deliberate and auditable. Conservative defaults plus periodic review work much better than restrictive policies that staff route around.
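The SharePoint and OneDrive lists above and the external sharing principle just described are all controlled by a small set of tenant settings plus a periodic review of guests. The following is an added example written for this page, not configuration from the original article: it records the current tenant sharing settings, applies conservative defaults, finds sites that are more open than the new baseline, and lists guest accounts that have not signed in for 90 days. It assumes the SharePoint Online Management Shell and Microsoft Graph PowerShell modules, SharePoint Administrator and User Administrator rights, and that "practice" is replaced with the tenant name; the ClinicalRecords site URL is a hypothetical example.

```powershell
# Added example (not from the original page). Tenant sharing baseline and guest review.
# Assumes Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph modules. "practice"
# is a placeholder tenant name; the ClinicalRecords site is hypothetical.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://practice-admin.sharepoint.com"

# 1. Capture the "before" state so the change is documented and reversible.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, FileAnonymousLinkType,
    FolderAnonymousLinkType, RequireAnonymousLinksExpireInDays, PreventExternalUsersFromResharing

# 2. Conservative defaults: sharing only with authenticated guests (no "Anyone" links),
#    new links default to people inside the practice with view-only rights, guests cannot re-share.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true

# 3. Site-level sharing can be tighter than the tenant but never looser. List sites that still
#    allow any external sharing, then lock a sensitive site down completely.
Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Template
Set-SPOSite -Identity "https://practice.sharepoint.com/sites/ClinicalRecords" -SharingCapability Disabled

# 4. Guest review: guests with no sign-in in the last 90 days are candidates for removal.
#    signInActivity requires the AuditLog.Read.All scope and Entra ID P1.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,DisplayName,Mail,CreatedDateTime,SignInActivity |
    ForEach-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Mail        = $_.Mail
            Created     = $_.CreatedDateTime
            LastSignIn  = $last
            Stale       = (-not $last) -or ($last -lt $cutoff)
        }
    } | Where-Object Stale | Sort-Object Created | Format-Table -AutoSize
```

Changing the tenant default does not revoke links that already exist, so after step 2 it is worth using the SharePoint admin centre's sharing reports (or a review of each sensitive site's "Shared with" view) to clean up existing "Anyone" links. Before removing a stale guest, confirm with the staff member who invited them; a referring specialist who only uses the shared folder once a quarter will show up as stale on a 90-day threshold.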

Data protection

Beyond access controls, practices should think about what happens to sensitive data once it is in Microsoft 365 — labelling, retention and (where licensing supports it) data loss prevention. Even simple steps, such as a documented retention policy for email and a process for departing staff, materially improve the practice's position under the Privacy Act and at accreditation.

Audit logging

Audit logging is the difference between knowing what happened during an incident and guessing. Make sure logging is on, retention is set appropriately for the practice's needs, and someone is responsible for reviewing alerts.

  • Unified audit log enabled in Microsoft Purview
  • Sign-in logs reviewed for unusual locations or repeated failures
  • Mailbox forwarding rules monitored and alerts configured
  • Admin activity logged and visible to a second pair of eyes
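Two of the bullets above, audit logging and forwarding rule monitoring, belong together: the forwarding rule is the most common thing an attacker leaves behind after a mailbox compromise, and the audit log is how you find out who created it and from where. The following is an added example written for this page, not a script from the original article; it uses the ExchangeOnlineManagement module to confirm the unified audit log is on, list every mailbox-level forward and every inbox rule that forwards or redirects mail (flagging destinations outside the practice's own domains), and pull the audit events that created or changed rules in the last 30 days. The domain list is a placeholder for the practice's accepted domains.

```powershell
# Added example (not from the original page). Forwarding-rule sweep plus audit log check.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator account.
# $internalDomains holds placeholder values; replace with the practice's accepted domains.
Connect-ExchangeOnline

$internalDomains = @('practice.example', 'practice.onmicrosoft.com')

function Test-ExternalAddress([string]$Target) {
    # Inbox rule targets look like:  "Name" [SMTP:user@domain]
    # Mailbox forwards look like:    smtp:user@domain
    # Internal recipient objects use EX:/o=... legacy DNs and carry no SMTP address.
    if (-not $Target) { return $false }
    if ($Target -notmatch '(?i)smtp:([^\]\s"]+)') { return $false }
    $domain = ($Matches[1] -split '@')[-1].ToLower()
    return ($internalDomains -notcontains $domain)
}

# 1. Audit logging. If this is False, step 3 will have nothing to search.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # uncomment to turn it on

# 2a. Mailbox-level forwarding (set through Set-Mailbox or the admin centre).
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress,ForwardingAddress,DeliverToMailboxAndForward
$mailboxForwards = $mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward,
        @{n='ForwardingAddressSmtp'; e={ if ($_.ForwardingAddress) { 'smtp:' + (Get-Recipient -Identity $_.ForwardingAddress).PrimarySmtpAddress } }},
        @{n='External'; e={ (Test-ExternalAddress $_.ForwardingSmtpAddress) -or
                            ($_.ForwardingAddress -and (Test-ExternalAddress ('smtp:' + (Get-Recipient -Identity $_.ForwardingAddress).PrimarySmtpAddress))) }}

# 2b. Inbox rules that forward or redirect. After a phishing compromise these are usually created
#     in Outlook on the web, often with throwaway names such as "." or "..".
$ruleForwards = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) | Where-Object { $_ }
            [pscustomobject]@{
                Mailbox  = $mb.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = ($targets -join '; ')
                External = [bool]($targets | Where-Object { Test-ExternalAddress ([string]$_) })
            }
        }
}

$mailboxForwards | Format-Table -AutoSize
$ruleForwards   | Where-Object External | Format-Table -AutoSize

# 3. Who created or changed forwarding, when, and from which IP: last 30 days of the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox' -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, @{n='ClientIP'; e={ ($_.AuditData | ConvertFrom-Json).ClientIP }} |
    Sort-Object CreationDate -Descending | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so on a larger tenant the sweep takes a few minutes; that is acceptable for the monthly review the roadmap describes. A rule that forwards to an external address is not always malicious (a part-time GP forwarding to another practice is common) but every one should be known and approved, and an approved list kept so the next run only surfaces changes. For ongoing monitoring rather than periodic sweeps, Defender for Office 365 and the Exchange admin centre also provide a "Suspicious email forwarding activity" alert, and outbound spam filter policies can disable automatic forwarding to external addresses altogether.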

Common misconfigurations we see in medical practices

  • MFA enabled for "most" users but not enforced for everyone.
  • Legacy authentication still allowed because an old app needs it.
  • Anonymous OneDrive and SharePoint links enabled by default.
  • Forgotten guest accounts from previous projects or providers.
  • Audit logging never turned on, so incidents cannot be investigated.
  • Mailbox forwarding rules sending email to unknown external addresses.
  • Global administrator accounts used for everyday work.

Healthcare security improvement roadmap

A realistic Microsoft 365 security uplift for a small practice typically runs over 60 to 90 days and looks like this:

  1. Weeks 1–2 — Identity. Enforce MFA for every user via conditional access. Block legacy authentication. Remove unused accounts.
  2. Weeks 3–4 — Email. Tune anti-phishing and impersonation policies. Confirm SPF, DKIM and DMARC. Remove unwanted mailbox forwarding rules.
  3. Weeks 5–6 — Files. Set conservative SharePoint and OneDrive sharing defaults. Review existing guest access.
  4. Weeks 7–8 — Endpoint. Deploy Defender for Business (where appropriate) and confirm endpoint coverage.
  5. Weeks 9–12 — Visibility. Enable and configure audit logging, establish a simple monthly review, and document the result.

This page is general guidance for Australian medical practices and is not legal, insurance or compliance advice. Specific licensing, configuration and policy decisions should be made with reference to your practice's needs and an experienced IT partner.

Want a Microsoft 365 baseline for your practice? Book a Healthcare IT & Cybersecurity Alignment Review, explore our healthcare IT services, or read about the common IT risks we see in medical practices.

Book a Healthcare IT & Cybersecurity Alignment Review

Get a practical review of your clinic’s IT controls, access management, backups, documentation and cybersecurity posture against common healthcare governance and accreditation-supporting expectations.


Frequently asked questions

Is Microsoft 365 secure out of the box?

Microsoft 365 provides strong security building blocks, but the default settings prioritise broad usability over tight security. Most practices require configuration changes — particularly around conditional access, external sharing and audit logging — before they can be considered well-secured.

Which Microsoft 365 plan do medical practices usually need?

Many small practices start on Business Basic or Business Standard, which do not include Defender for Business or Intune. Business Premium adds the security and device-management features most practices benefit from. We recommend reviewing licensing as part of any security uplift.

Do we need to back up Microsoft 365 separately?

Yes. Microsoft provides high availability and limited retention, but does not provide point-in-time recovery of email, OneDrive, SharePoint and Teams in the way most practices assume. A separate Microsoft 365 backup product is generally recommended.

Is conditional access only for large organisations?

No. Conditional access requires Microsoft Entra ID P1, which is included with Microsoft 365 Business Premium, so it is available to small practices on that plan. It is one of the most effective tools for controlling who can sign in, from where and on which devices. The complexity comes from designing policies that fit the practice, not from the technology itself.

Can we disable external sharing entirely in OneDrive and SharePoint?

You can, but most practices need some level of external sharing — for example, sending documents to referring providers. The better approach is to set conservative defaults, require sign-in for shared links, and review external sharing periodically.

Should every staff member have Microsoft Defender for Business?

Defender for Business provides modern endpoint protection (EDR) for Windows, macOS, iOS and Android devices. It is licensed per user, and each licensed user can onboard up to five devices, so every staff member with a Business Premium licence is already covered; the practical question is whether every device they use has actually been onboarded. For practices that have not yet deployed a dedicated EDR product, Defender for Business is a strong and cost-effective option when included with Microsoft 365 Business Premium.

How do we know if our Microsoft 365 has been misconfigured?

Common signs include MFA not enforced on every user, legacy authentication still enabled, anonymous external sharing turned on, and audit logging disabled or never reviewed. A short Microsoft 365 security review can confirm the current state without disrupting users.

Does Teams handle messages and files the same way?

No. Teams messages live in Exchange Online and a Teams-managed storage area, while files shared in Teams channels live in SharePoint, and files shared in private chats live in OneDrive. Security controls need to be applied across all three locations, not just Teams itself.

Talk to a healthcare-focused IT partner

Book a Healthcare IT & Cybersecurity Alignment Review or request an onsite visit.