M365 Security Checklist 2026: 12 Steps to POPIA Compliance
Published April 2026 | 8 min read | Updated for SA businesses
Microsoft 365 is the #1 target for SA cyber attacks. Business Email Compromise cost South African companies R2.2 billion last year, and POPIA fines now reach R10 million. Most breaches we see could have been stopped with 30 minutes of configuration changes.
We secured a 60-user manufacturer’s M365 tenant in 3 days using this exact checklist. Use it to audit your own setup, or send it to your IT guy.
The 12-Point M365 Lockdown Checklist
1. Enforce MFA for all users, no exceptions. Use the Microsoft Authenticator app; SMS is not secure. You must protect account access. [POPIA]
2. Block legacy authentication. Old mail apps bypass MFA, and attackers use this daily. Disable in Azure AD > Security > Authentication methods.
3. Create separate admin accounts. Never use your daily email as Global Admin: one breach = total takeover. Create admin@company.onmicrosoft.com.
4. Set up Conditional Access. Block logins from Nigeria, Russia and China if you don’t operate there. Require compliant devices only.
5. Enable mailbox auditing. Turned off by default. You need this for POPIA breach investigations. [POPIA]
6. Configure Safe Links & Safe Attachments. Stops 99% of phishing emails. Requires Defender for Office 365 Plan 1 or Business Premium.
7. Disable auto-forwarding to external emails. A common ex-employee/attacker tactic to steal data silently. Block in Exchange Admin > Mail flow.
8. Set up Data Loss Prevention (DLP). Auto-block ID numbers, bank details and CVs from being emailed externally. Required under POPIA. [POPIA]
9. Review OAuth app permissions. Revoke “Mail.ReadWrite” access from dodgy apps. Attackers buy access tokens on the dark web.
10. Enable Unified Audit Log for 1 year. Default is 90 days. You need 1 year for POPIA compliance. [POPIA]
11. Turn on alerts: “Elevation of privilege” + “New global admin”. Get an SMS/email if someone makes themselves admin. Security & Compliance Center > Alerts.
12. Immutable cloud backups for Email/OneDrive/SharePoint. The Microsoft 365 recycle bin ≠ backup; ransomware can delete it. Use a third-party backup like Veeam/Acronis.
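Items 2, 5 and 7 can be verified from Exchange Online PowerShell without clicking through the admin centre. The script below is an added read-only audit written for this article, not the checklist author’s own downloadable scripts; it assumes the ExchangeOnlineManagement module is installed and you sign in with Exchange Administrator rights. It reports findings and changes nothing.

```powershell
# Added example: read-only audit for checklist items 2, 5 and 7.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$findings = @()
$org = Get-OrganizationConfig

# --- Item 2: legacy (basic) authentication ---
if (-not $org.DefaultAuthenticationPolicy) {
    $findings += "Item 2: no default authentication policy; basic auth is not blocked tenant-wide"
} else {
    $pol  = Get-AuthenticationPolicy -Identity $org.DefaultAuthenticationPolicy
    # Every AllowBasicAuth* switch (POP, IMAP, SMTP, ActiveSync, ...) should be False
    $open = $pol.PSObject.Properties | Where-Object { $_.Name -like 'AllowBasicAuth*' -and $_.Value -eq $true }
    foreach ($p in $open) { $findings += "Item 2: $($p.Name) still allowed in policy '$($pol.Name)'" }
}

# --- Item 5: mailbox auditing ---
# The org-level flag governs; the per-mailbox flag is a secondary check.
if ($org.AuditDisabled) { $findings += "Item 5: mailbox auditing is disabled at the organisation level" }
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($m in $mailboxes) {
    if (-not $m.AuditEnabled) { $findings += "Item 5: AuditEnabled is False for $($m.UserPrincipalName)" }
}

# --- Item 7: automatic forwarding to external addresses ---
$spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
if ($spam.AutoForwardingMode -ne 'Off') {
    $findings += "Item 7: outbound spam policy AutoForwardingMode is '$($spam.AutoForwardingMode)', expected 'Off'"
}
if ((Get-RemoteDomain -Identity Default).AutoForwardEnabled) {
    $findings += "Item 7: the default remote domain (*) still allows auto-forwarding"
}
foreach ($m in $mailboxes) {
    # Mailbox-level forwarding set by an admin or via Outlook settings
    if ($m.ForwardingSmtpAddress) {
        $findings += "Item 7: $($m.UserPrincipalName) forwards to $($m.ForwardingSmtpAddress)"
    }
    # Inbox rules that forward or redirect mail (a classic silent-exfiltration indicator)
    Get-InboxRule -Mailbox $m.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object { $findings += "Item 7: inbox rule '$($_.Name)' in $($m.UserPrincipalName) forwards mail" }
}

if ($findings.Count -eq 0) { "Items 2, 5 and 7: all checks passed" } else { $findings }
Disconnect-ExchangeOnline -Confirm:$false
```

Run it before and after the hardening work and keep both outputs; a clean second run is the evidence you will want for a POPIA breach investigation.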
Get the Printable PDF + PowerShell Scripts
Download the 1-page PDF checklist to share with your team. Includes PowerShell snippets to verify items #2, #5, and #7 in 60 seconds.
What if you fail more than 3?
If you’re missing MFA, legacy auth is on, or you have no backups, you’re at high risk. We do a 3-day M365 Hardening Sprint for Gauteng businesses — zero downtime.
POPIA Compliance Note
This checklist helps meet Section 19 of POPIA: “Secure the integrity and confidentiality of personal information.” Items marked POPIA are directly referenced in the Act. But this is not legal advice. Pair this with staff training and documented policies.
Questions? WhatsApp us or book a 15-min call — we’ll scan your tenant for free.