WA OAG Microsoft 365 Security Controls Report - why every Australian state should take notice

A practical briefing for WA agencies and other Australian public sector organisations looking to strengthen Microsoft 365 security, governance and configuration.

cover-OAG-Report
PageGraphic

The WA OAG’s message is clear: Microsoft 365 security depends on the strength and consistency of the settings organisations actually implement and maintain.

What you’ll learn in this briefing 

Microsoft 365 is now central to identity, access, communication and information management across government. The WA Office of the Auditor General’s report found that most audited entities were only partly effective in managing and configuring their Microsoft 365 environments.

While the findings are specific to WA State entities, the risks highlighted in the report are relevant to public sector organisations across Australia.

 

You'll learn:

  • High‑level findings from the audit – assessment of more than 160 Microsoft 365 security settings across governance, identity and access management, information protection, security management/visibility and threat protection.

  • Common weaknesses across State entities – no clear M365 security baseline, weak MFA for privileged users, legacy authentication still enabled, patchy DLP, broad external sharing, inconsistent logging and monitoring, and partly effective threat protection.

  • Real‑world case studies – incidents involving unmanaged personal devices, third‑party storage such as Dropbox, business email compromise and mis‑used privileged roles, and the implications for WA agencies.

  • How CoreView helps government organisations respond.  – using baselines aligned to ASD Essential Eight, the WA Government Cyber Security Policy, SCuBA, WA secure configuration guidelines and ASD mitigation guidance to monitor drift, reduce identity and email‑related risk, and improve logging, DLP and sharing controls.

Complete the form to get instant access to the briefing