Microsoft 365 Governance Best Practices for Australian Businesses
Microsoft 365 is the most widely used productivity platform in Australian business, but most organisations are running it without proper governance. The result is chaos: thousands of orphaned Teams channels, SharePoint sites nobody owns, and permissions that have never been audited. Without governance, M365 becomes a security liability rather than a productivity tool.
What M365 Governance Actually Covers
Governance is not a single setting. It is a framework that spans every service in the Microsoft 365 suite:
- Identity and access management — who can access what, how accounts are provisioned and deprovisioned
- Data governance — retention policies, labelling, and disposal of sensitive information
- Teams governance — who can create Teams, naming conventions, lifecycle management
- SharePoint governance — site creation policies, external sharing controls, storage limits
- Compliance — meeting Australian Privacy Act requirements, Essential 8 alignment, and industry-specific regulations
- Device management — Intune policies, conditional access, endpoint protection
Most MSPs focus on keeping the lights on (email works, Teams is up) but ignore governance entirely. The MSP Health Score includes governance maturity as a key indicator.
The Foundation: Entra ID Governance
Before you govern SharePoint, Teams, or anything else, you need to govern your identity layer. Microsoft Entra ID (formerly Azure AD) is the foundation of every governance decision.
Critical Entra ID Policies
1. Conditional Access Policies Define rules that determine who can access M365 and from where. At minimum:
- Require MFA for all users (non-negotiable in 2026)
- Block sign-ins from countries where you have no operations
- Require compliant devices for sensitive applications
- Block legacy authentication protocols
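The four minimum rules above, as an added example using Microsoft Graph PowerShell (not code from the original article): two baseline policies, created in report-only mode so sign-in impact can be reviewed before enforcement. The break-glass account id is a placeholder.

```powershell
# Added example: baseline Conditional Access policies via Microsoft Graph PowerShell.
# Both start in report-only mode; flip state to "enabled" after reviewing the sign-in logs.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$breakGlass = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"   # placeholder: your emergency access account

# Policy 1: require MFA for every user on every cloud app
$mfaPolicy = @{
    displayName = "CA01 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication (protocols that cannot perform MFA)
$legacyPolicy = @{
    displayName = "CA02 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Idempotent: skip any policy that already exists by display name
$current = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in @($mfaPolicy, $legacyPolicy)) {
    if ($current | Where-Object { $_.DisplayName -eq $p.displayName }) {
        Write-Host "Already exists: $($p.displayName)"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State
}
```

The geography block and compliant-device rules follow the same shape, adding `locations` and `builtInControls = @("compliantDevice")` respectively; keep at least one break-glass account excluded from every policy so a misconfiguration cannot lock out all administrators.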
2. Privileged Identity Management (PIM) Global Administrator and other high-privilege roles should not be assigned permanently. PIM allows just-in-time access — administrators request elevated privileges when needed and lose them automatically after a defined period.
If your MSP has three people with permanent Global Admin access, that is a governance failure.
3. Access Reviews Schedule quarterly reviews of who has access to what. Entra ID supports automated access reviews that prompt managers to certify or revoke permissions. This is essential for maintaining least-privilege access.
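To check the permanent Global Admin count described above (and to answer the same question in the MSP checklist later on this page), here is an added audit script using Microsoft Graph PowerShell; it is not code from the original article. It lists every active member of the Global Administrator role with last sign-in, which requires the AuditLog.Read.All scope and an Entra ID P1 licence.

```powershell
# Added example: enumerate active Global Administrator assignments.
# PIM-eligible users who have not activated do not appear here, so this is the list of
# standing privilege that should ideally contain only break-glass accounts.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

$role = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $role) { throw "Global Administrator role is not activated in this tenant" }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.user') {
        # SignInActivity needs AuditLog.Read.All and an Entra ID P1 licence
        $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled, SignInActivity
        [pscustomobject]@{
            Principal  = $u.UserPrincipalName
            Type       = 'User'
            Enabled    = $u.AccountEnabled
            LastSignIn = $u.SignInActivity.LastSignInDateTime
        }
    } else {
        # Service principals or groups holding the role are worth a separate look
        [pscustomobject]@{
            Principal  = $m.AdditionalProperties['displayName']
            Type       = $type -replace '#microsoft.graph.', ''
            Enabled    = $null
            LastSignIn = $null
        }
    }
}

$report | Sort-Object LastSignIn | Format-Table -AutoSize
"Active Global Administrators: $(@($report).Count)"
if (@($report).Count -gt 2) {
    Write-Warning "More than two standing Global Admins: move the rest to PIM eligible assignments."
}
```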
Teams Governance
Uncontrolled Teams creation is the number one governance headache for Australian businesses. Within six months of adoption, most organisations have hundreds of Teams with no naming conventions, no owners, and no lifecycle management.
What to Implement
Team Creation Policy
- Restrict who can create Teams (ideally IT or a self-service approval process)
- Require a business justification for each new Team
- Apply naming conventions (e.g., [Department]-[Project]-[Year])
Team Lifecycle Policy
- Set automatic expiration dates (e.g., 12 months)
- Require owners to renew before expiry
- Archive inactive Teams automatically
- Delete archived Teams after 6 months with no activity
Sensitivity Labels
Classify Teams by data sensitivity:
- Public — internal communication, no sensitive data
- Confidential — departmental, restricted membership
- Highly Confidential — regulated data, enhanced encryption, external access blocked
SharePoint Governance
SharePoint is where governance failures become most visible — and most dangerous.
Key Policies
Site Creation
- Restrict site creation to IT or a managed self-service portal
- Require approval for external-facing sites
- Apply naming conventions and metadata tags
External Sharing
- Disable external sharing by default
- Enable it only for specific sites with a business case
- Require Azure AD B2B for external collaborators
- Audit external sharing monthly
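The external sharing posture above, as an added example with the SharePoint Online Management Shell (not code from the original article). It assumes a placeholder tenant admin URL and an approved-site list you maintain; `$enforce` is left at `$false` so the first run only reports.

```powershell
# Added example: default-deny external sharing with an allow-list of approved sites.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder admin URL

$enforce  = $false   # set to $true after reviewing the report below
$approved = @(       # placeholder: sites with a documented business case
    "https://<tenant>.sharepoint.com/sites/ClientPortal"
)

# 1. Tenant ceiling: authenticated guests only (Entra B2B), never anonymous links.
#    No site can be more permissive than this tenant-level setting.
if ($enforce) { Set-SPOTenant -SharingCapability ExternalUserSharingOnly }

# 2. Default posture: every site not on the approved list gets sharing disabled,
#    approved sites get authenticated-guest sharing only.
foreach ($s in Get-SPOSite -Limit All) {
    $target = if ($approved -contains $s.Url) { 'ExternalUserSharingOnly' } else { 'Disabled' }
    if ($s.SharingCapability -ne $target) {
        Write-Host "$($s.Url): $($s.SharingCapability) -> $target"
        if ($enforce) { Set-SPOSite -Identity $s.Url -SharingCapability $target }
    }
}

# 3. Monthly audit: what is still open, and who owns it?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Sort-Object SharingCapability |
    Format-Table -AutoSize
```

Run it with `$enforce = $false` first: sites that legitimately collaborate externally but are missing from the approved list will show up as planned changes, which is exactly the business-case conversation the audit is meant to trigger.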
Storage Management
- Set storage quotas per site (e.g., 25 GB default, 100 GB with approval)
- Monitor usage quarterly
- Archive or delete sites that exceed limits without justification
Retention and Disposition
Apply retention policies based on content type:
- Financial records: 7 years
- Employee records: 7 years after termination
- Client data: 7 years after engagement ends (or as per contract)
- Temporary/working documents: 1 year
Data Governance and Compliance
Australian businesses must align M365 data governance with the Privacy Act 1988 and relevant state legislation. Key requirements:
Australian Privacy Principles (APPs)
- Collect only the data you need (APP 3)
- Store it securely (APP 11)
- Destroy it when no longer needed (APP 11)
- Allow individuals to access their data (APP 12)
Information Barriers
Prevent conflicts of interest by restricting communication between certain groups. Essential for financial services and legal firms.
Data Loss Prevention (DLP)
Configure DLP policies to:
- Detect and block sending of sensitive data (TFNs, ABNs, credit card numbers) via email or Teams
- Alert when users attempt to share classified documents externally
- Apply sensitivity labels automatically based on content
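A DLP policy for the three Australian identifiers named above, as an added example in Security & Compliance PowerShell (not code from the original article). It uses Microsoft's built-in sensitive information types and starts in test mode; the incident mailbox is a placeholder.

```powershell
# Added example: block TFN, ABN and credit card numbers leaving the organisation.
# Starts in TestWithNotifications so a quarter of alerts can be reviewed before blocking.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "AU PII - Block external sharing"
$reportTo   = "security@<tenant>.example"   # placeholder incident-report mailbox

# Scope: email, Teams chat, SharePoint and OneDrive
New-DlpCompliancePolicy -Name $policyName `
    -Comment "TFN/ABN/credit card leaving the organisation" `
    -ExchangeLocation All -TeamsLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types shipped with Microsoft Purview
$sits = @(
    @{ Name = "Australia Tax File Number"; minCount = "1" },
    @{ Name = "Australia Business Number"; minCount = "1" },
    @{ Name = "Credit Card Number";        minCount = "1" }
)

# Rule: any hit shared outside the organisation -> tell the user, block, raise an incident
New-DlpComplianceRule -Name "$policyName - external" -Policy $policyName `
    -ContentContainsSensitiveInformation $sits `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser @("LastModifier", "Owner") `
    -GenerateIncidentReport $reportTo -ReportSeverityLevel High

# Once the test-mode alerts look right, switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Expect the ABN detector to be noisy in test mode, since ABNs appear on routine invoices; raising its `minCount` or pairing it with a sensitivity label is the usual tuning step before enforcement.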
Governance Maturity Model
Where does your organisation sit?
| Level | Description | Characteristics |
|---|---|---|
| 1 — Ad Hoc | No governance | Everyone creates everything, no policies, no audits |
| 2 — Basic | Some policies exist | Naming conventions, basic access controls, but inconsistent enforcement |
| 3 — Defined | Formal framework | Documented policies, regular reviews, automated controls |
| 4 — Managed | Measured and enforced | KPIs, dashboards, automated compliance checks, regular audits |
| 5 — Optimised | Continuously improving | AI-driven governance, predictive analytics, full automation |
Most Australian businesses sit at Level 1 or 2. Getting to Level 3 is the goal. The M365 Governance Mistakes article covers common pitfalls in more detail.
How Your MSP Should Be Handling This
If your MSP manages your Microsoft 365 environment, they should be implementing governance as part of their service. Ask them:
- Do we have conditional access policies configured? Show me the policy list.
- How many Teams do we have, and how many have been reviewed in the last 6 months?
- What is our external sharing posture across SharePoint?
- Do we have DLP policies in place? Show me the last quarter's alerts.
- How many Global Admin accounts exist, and are any using shared credentials?
If your MSP cannot answer these questions, they are managing your email, not governing your environment. Our M365 Governance Mistakes article provides a more detailed self-assessment.
Getting Started: Your First 30 Days
If you are starting from scratch, prioritise in this order:
Week 1: Implement MFA everywhere and review Global Admin accounts
Week 2: Configure conditional access policies and disable legacy authentication
Week 3: Apply Teams creation restrictions and naming conventions
Week 4: Enable sensitivity labels and configure basic DLP policies
This gets you from Level 1 to Level 2 in a month. Building from there is an ongoing process, not a one-time project.
Related Guides
- M365 Governance Mistakes — Common pitfalls to avoid
- Essential 8 Guide — Australian cybersecurity framework
- MSP Onboarding Checklist — What your MSP should set up
- MSP Health Score — Benchmark your MSP's performance
- How to Choose an MSP — Select the right provider