Frontrow Technology

Privacy Act 2026: the seven Microsoft 365 controls regulators expect

OAIC determinations and tribunal decisions through 2025-2026 have hardened the 'reasonable steps' standard. These are the seven Microsoft 365 controls that now define the contemporary baseline — and what to do if you don't have them.

Daniel Brown · 7 May 2026 · 11 min read

Privacy Act amendments enacted through 2024 and 2025 changed the regulatory expectations for organisations handling personal information in Australia. The headline changes are well-publicised: increased OAIC enforcement powers, statutory tort for serious invasions of privacy, expanded notifiable data breach scheme. The less-publicised change matters more day-to-day: the 'reasonable steps' standard has hardened, and OAIC determinations through 2025-2026 are pointing at specific Microsoft 365 controls as the contemporary baseline.

If your organisation runs on Microsoft 365 and processes personal information at scale, these are the seven controls that the regulator now expects to see when investigating an incident. Not exotic add-ons. Capabilities that exist in the licensing you almost certainly already have, with configuration steps that are well-documented.

1. Sensitivity labels with encryption on personal-information content

Sensitivity labels must be deployed, applied (manually or via auto-labelling) to content containing personal information, and, for the highest tier, configured to apply encryption with usage rights that restrict external sharing. The deployed-but-not-applied pattern that most AU mid-market tenants run does not satisfy this. Adoption needs to be measurable and above 60 percent on new documents.

Microsoft Purview Activity Explorer surfaces label adoption rates. The evidence the regulator will ask for is the adoption rate report, exported quarterly, with a trend line. If the rate is low and not trending up, the regulator will note that the organisation has the capability and isn't using it.
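The control and its evidence, side by side, as an added PowerShell example (not Frontrow's or Microsoft's code). It assumes the ExchangeOnlineManagement module, a Purview administrator session, and a constructed internal group address all-staff@contoso.example; the adoption figure is approximated from the unified audit log rather than exported from Activity Explorer, which is an assumption stated in the comments.

```powershell
# Added example, not code from Frontrow or Microsoft. Assumes the ExchangeOnlineManagement
# module, a Purview admin account, and a constructed internal group address
# all-staff@contoso.example (contoso.example is a placeholder tenant).
Connect-IPPSSession          # Security & Compliance cmdlets (New-Label, New-LabelPolicy)
Connect-ExchangeOnline       # Search-UnifiedAuditLog

# --- Control: highest-tier label with encryption and usage rights limited to staff ---
# Rights are granted only to the internal group, so a copy shared externally cannot be
# opened even if the file itself leaves the tenant.
New-Label -Name "PI-Restricted" `
    -DisplayName "Personal Information - Restricted" `
    -Tooltip "Highest-tier personal information. Encrypted; internal staff only." `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "all-staff@contoso.example:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL" `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# Publish the label to every user; auto-labelling policies can be layered on afterwards.
New-LabelPolicy -Name "PI-Labels-AllUsers" -Labels "PI-Restricted" -ExchangeLocation All

# --- Evidence: adoption trend from the unified audit log ---
# Pages through Search-UnifiedAuditLog and returns the event count for the given operations.
function Get-AuditEventCount {
    param([datetime]$Start, [datetime]$End, [string[]]$Operations)
    $sessionId = [guid]::NewGuid().ToString()
    $count = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $Operations `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $count += @($page).Count
    } while ($page)
    return $count
}

# Assumption: the ratio of label-applied events to files uploaded is used as a proxy for the
# Activity Explorer adoption rate on new documents. Baseline from the text: 60 percent.
function Get-LabelAdoptionTrend {
    param([int]$Months = 3, [double]$BaselinePct = 60)
    $end = Get-Date
    for ($m = $Months; $m -ge 1; $m--) {
        $periodStart = $end.AddMonths(-$m)
        $periodEnd   = $end.AddMonths(-$m + 1)
        $uploaded = Get-AuditEventCount -Start $periodStart -End $periodEnd -Operations "FileUploaded"
        $labelled = Get-AuditEventCount -Start $periodStart -End $periodEnd `
            -Operations "FileSensitivityLabelApplied", "SensitivityLabelApplied"
        $rate = if ($uploaded -gt 0) { [math]::Round(100 * $labelled / $uploaded, 1) } else { 0 }
        [pscustomobject]@{
            PeriodStart   = $periodStart.ToString("yyyy-MM-dd")
            FilesUploaded = $uploaded
            LabelsApplied = $labelled
            AdoptionPct   = $rate
            MeetsBaseline = $rate -ge $BaselinePct
        }
    }
}

# Quarterly evidence export: one row per month with a pass/fail against the 60 percent bar.
Get-LabelAdoptionTrend -Months 3 |
    Export-Csv -Path ".\label-adoption-$(Get-Date -Format yyyyMM).csv" -NoTypeInformation
```

Run the trend export at the end of each quarter and keep the CSVs; three consecutive exports give the trend line the regulator asks for, and a month where MeetsBaseline is false is the finding to act on before anyone else notices it.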

2. Container labels on sites holding personal information

SharePoint sites, Microsoft 365 Groups and Teams holding personal information must have container labels constraining external sharing and unmanaged-device access. File labels alone are insufficient because they only travel with files that are labelled, and most tenants have file label adoption gaps that make container-level controls necessary.

Container labels require a tenant-level enablement step that most Purview deployments skip: set EnableMIPLabels in Entra ID, sync the labels via PowerShell, apply container labels to existing sites, and configure Microsoft 365 Group creation to require label selection.
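The enablement sequence above, worked through as an added example (not the page's or Microsoft's code). It assumes the Microsoft.Graph.Beta Identity.DirectoryManagement, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, an existing label named "PI-Restricted", "contoso" as a placeholder tenant name, and a constructed list of sites known to hold personal information. The mandatory-label-on-group-creation setting is a label policy option and is left to the policy configuration.

```powershell
# Added example, not Frontrow's or Microsoft's code. Assumes Microsoft.Graph.Beta
# (Identity.DirectoryManagement), ExchangeOnlineManagement and
# Microsoft.Online.SharePoint.PowerShell, an existing label "PI-Restricted",
# and "contoso" as a placeholder tenant name.
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

# Step 1: tenant-level enablement. Container labels do nothing until EnableMIPLabels is
# True on the Group.Unified directory setting.
$setting = Get-MgBetaDirectorySetting | Where-Object { $_.Values.Name -contains "EnableMIPLabels" }
if ($null -eq $setting) {
    $template = Get-MgBetaDirectorySettingTemplate | Where-Object DisplayName -eq "Group.Unified"
    New-MgBetaDirectorySetting -BodyParameter @{
        templateId = $template.Id
        values     = @(@{ name = "EnableMIPLabels"; value = "True" })
    } | Out-Null
} else {
    # Preserve the other Group.Unified values; flip only EnableMIPLabels.
    $values = foreach ($v in $setting.Values) {
        if ($v.Name -eq "EnableMIPLabels") { @{ name = $v.Name; value = "True" } }
        else                                { @{ name = $v.Name; value = $v.Value } }
    }
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id -BodyParameter @{ values = @($values) }
}

# Step 2: sync Purview labels into Entra ID so groups and sites can carry them.
Connect-IPPSSession
Execute-AzureAdLabelSync

# Step 3: give the label its container behaviour: private group, no guests, no external
# sharing, and browser-only (no download) access from unmanaged devices.
Set-Label -Identity "PI-Restricted" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionAllowEmailFromGuestUsers $false `
    -SiteExternalSharingControlType Disabled `
    -SiteAndGroupProtectionAllowLimitedAccess $true

# Step 4: apply to existing sites. Which sites hold personal information comes from the
# data inventory; the list below is constructed for the example.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$labelId = (Get-Label -Identity "PI-Restricted").Guid
$piSites = @(
    "https://contoso.sharepoint.com/sites/HR-Records",
    "https://contoso.sharepoint.com/sites/ClientOnboarding"
)
foreach ($url in $piSites) {
    Set-SPOSite -Identity $url -SensitivityLabel $labelId
}

# Evidence: every site with no container label at all is a gap to explain.
function Get-UnlabelledSites {
    Get-SPOSite -Limit All |
        Where-Object { [string]::IsNullOrEmpty($_.SensitivityLabel) } |
        Select-Object Url, Template, LastContentModifiedDate
}
Get-UnlabelledSites | Export-Csv ".\unlabelled-sites.csv" -NoTypeInformation
```

The unlabelled-sites export is the useful by-product: it is the list of containers whose external-sharing posture is whatever the site owner chose, which is exactly the file-label adoption gap the text says container labels exist to close.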

3. Data Loss Prevention in enforcing mode

DLP policies covering Exchange, SharePoint, OneDrive and Teams must be in enforcing mode (not audit-only) for the categories of personal information the organisation processes. The audit-only-forever pattern that Frontrow finds in approximately 80 percent of audited tenants does not satisfy the contemporary baseline. Audit-only DLP is a hypothesis. Enforcing DLP is a control.

Tiered enforcement is acceptable: enforce-with-override for most policies, enforce-without-override for the highest-sensitivity content (PCI, healthcare identifier, identity documents). The triage queue must be staffed and incidents must close within an SLA. The evidence is the triage log and the SLA conformance report.
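The tiered model described above, as an added PowerShell example rather than Frontrow's configuration. It assumes the ExchangeOnlineManagement module and a constructed triage mailbox dlp-triage@contoso.example; the sensitive information type names are Microsoft's built-in ones for Australian identifiers and payment cards.

```powershell
# Added example, not Frontrow's or Microsoft's code. Assumes ExchangeOnlineManagement and a
# constructed triage mailbox dlp-triage@contoso.example.
Connect-IPPSSession

# Check first: any policy not in Enable mode is still a hypothesis, not a control.
function Get-DlpPoliciesNotEnforcing {
    Get-DlpCompliancePolicy | Where-Object Mode -ne "Enable" | Select-Object Name, Mode, WhenChanged
}
Get-DlpPoliciesNotEnforcing

# Policy scoped to the four workloads the text names, created directly in enforcing mode.
New-DlpCompliancePolicy -Name "AU-PersonalInformation" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode Enable

# Tier 1: general AU personal information leaving the organisation. Block, but allow an
# override with a business justification; every override lands in the triage queue.
New-DlpComplianceRule -Name "AU-PI-External-Override" -Policy "AU-PersonalInformation" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Australia Tax File Number";         minCount = "1" },
        @{ Name = "Australia Medical Account Number";  minCount = "1" },
        @{ Name = "Australia Driver's License Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "dlp-triage@contoso.example" `
    -IncidentReportContent Title, Severity, Service, RulesMatched `
    -ReportSeverityLevel Medium

# Tier 2: highest-sensitivity identifiers. Block with no override path.
New-DlpComplianceRule -Name "AU-HighSensitivity-NoOverride" -Policy "AU-PersonalInformation" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";        minCount = "1" },
        @{ Name = "Australia Passport Number"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport "dlp-triage@contoso.example" `
    -IncidentReportContent Title, Severity, Service, RulesMatched `
    -ReportSeverityLevel High
```

The Get-DlpPoliciesNotEnforcing check is the one to schedule: a policy that was meant to be promoted from TestWithNotifications after a pilot and never was shows up there, and that is the audit-only-forever pattern the text describes.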

4. Multi-factor authentication, phishing-resistant on privileged accounts

MFA on all users, all apps. Phishing-resistant authentication strength on privileged directory roles (Global Admin, Privileged Role Admin, etc.). This is also the Essential Eight ML2 baseline. Tenants without phishing-resistant MFA on admin roles are now both below the Essential Eight bar and below the Privacy Act 2026 contemporary baseline — the same control covers two compliance regimes.

Implementation: a Conditional Access policy targeting users in the admin directory roles, with the grant control set to the Phishing-resistant MFA authentication strength. That strength accepts FIDO2 security keys, Windows Hello for Business, or certificate-based authentication; Authenticator push and SMS no longer satisfy it.
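Both halves of the control (MFA for all users, phishing-resistant strength for admin roles) as an added Microsoft Graph PowerShell example, not Frontrow's or Microsoft's own code. It assumes the Microsoft.Graph Identity.SignIns and Identity.DirectoryManagement modules, resolves role templates and the built-in authentication strength by display name rather than hard-coded GUIDs, and assumes a constructed break-glass account breakglass@contoso.example that is excluded and protected by a separate control.

```powershell
# Added example, not Frontrow's or Microsoft's code. Assumes Microsoft.Graph (Identity.SignIns,
# Identity.DirectoryManagement) and a constructed break-glass account
# breakglass@contoso.example that is excluded here and protected by a separate control.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All", "User.Read.All"

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$privilegedRoles = @(
    "Global Administrator", "Privileged Role Administrator", "Security Administrator",
    "Conditional Access Administrator", "Exchange Administrator", "SharePoint Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $privilegedRoles -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Built-in authentication strength: FIDO2 key, Windows Hello for Business, certificate-based auth.
$strength = Get-MgPolicyAuthenticationStrengthPolicy |
    Where-Object { $_.DisplayName -eq "Phishing-resistant MFA" -and $_.PolicyType -eq "builtIn" }

$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'").Id

# Policy 1: phishing-resistant strength on privileged roles, all apps. Starts in report-only
# so the sign-in log shows who would be blocked before enforcement.
$adminPolicy = @{
    displayName   = "CA-PrivilegedRoles-PhishingResistantMFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeRoles = @($roleIds); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $strength.Id }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminPolicy

# Policy 2: baseline MFA for everyone on every app (the "all users, all apps" half).
$allUsersPolicy = @{
    displayName   = "CA-AllUsers-MFA"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $allUsersPolicy

# Evidence: role-targeted policies that are not enforced, or that still grant on plain MFA
# instead of an authentication strength.
function Get-AdminMfaPolicyGaps {
    Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
        $_.Conditions.Users.IncludeRoles.Count -gt 0 -and
        ($_.State -ne "enabled" -or $null -eq $_.GrantControls.AuthenticationStrength.Id)
    } | Select-Object DisplayName, State
}
Get-AdminMfaPolicyGaps
```

Switch state to "enabled" once the report-only sign-in entries show every admin already holds a FIDO2 key, Windows Hello for Business or a certificate; Get-AdminMfaPolicyGaps returning nothing is the evidence line for both the Essential Eight ML2 and the Privacy Act baseline.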

5. Audit log retention sufficient for breach assessment

The Notifiable Data Breaches scheme requires assessment within 30 days of awareness of a suspected eligible breach. The scoping work — determining which individuals' personal information was accessed — requires audit logs covering the relevant period. Default Purview Audit (Standard) retains for 90 days, which is insufficient when breaches are discovered months after they occurred.

The contemporary baseline is Audit Premium (1 year retention) at minimum, with 10-year retention add-on for privileged accounts and high-sensitivity roles. Without sufficient retention, the organisation can be in the position of being unable to scope the breach — which OAIC will note as a control failure.
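An added example (not Frontrow's or Microsoft's code) of the ten-year retention policy for privileged accounts, with the pre-check and the evidence export. It assumes the ExchangeOnlineManagement and Microsoft.Graph Identity.DirectoryManagement modules; the one-year baseline comes from Audit Premium licensing itself, and the ten-year policy only takes effect for users who hold the 10-year retention add-on.

```powershell
# Added example, not Frontrow's or Microsoft's code. Assumes ExchangeOnlineManagement and
# Microsoft.Graph (Identity.DirectoryManagement). Audit Premium gives the one-year default;
# the ten-year policy below needs the 10-Year Audit Log Retention add-on for the users it targets.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Pre-check: auditing must be ingesting, or there is nothing to retain.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    throw "Unified audit log ingestion is off; enable it before setting retention."
}

# Resolve current members of the privileged roles. Caveat: Get-MgDirectoryRole only lists
# activated roles and permanent members; PIM-eligible assignments need a separate query.
function Get-PrivilegedAccountUpns {
    param([string[]]$RoleNames = @("Global Administrator", "Privileged Role Administrator",
                                   "Security Administrator", "Exchange Administrator",
                                   "SharePoint Administrator"))
    $upns = foreach ($role in Get-MgDirectoryRole) {
        if ($RoleNames -contains $role.DisplayName) {
            Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
                ForEach-Object { $_.AdditionalProperties["userPrincipalName"] }
        }
    }
    $upns | Where-Object { $_ } | Sort-Object -Unique
}

$privileged = Get-PrivilegedAccountUpns

# Ten-year retention for everything those accounts do, at the highest priority so it wins
# over any broader policy.
New-UnifiedAuditLogRetentionPolicy -Name "Privileged accounts - 10 years" `
    -Description "NDB scoping: retain all audit records for privileged directory roles" `
    -UserIds $privileged `
    -RetentionDuration TenYears `
    -Priority 1

# Evidence: the retention policy set, exported alongside the list of covered accounts.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RetentionDuration, Priority, UserIds |
    Export-Csv ".\audit-retention-policies.csv" -NoTypeInformation
```

Re-run Get-PrivilegedAccountUpns quarterly and compare it with the UserIds on the policy; a new admin who is not on the list is covered only by the one-year default, which is the gap a breach discovered eighteen months later would expose.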

6. Detection capability with named ownership

Detection of unauthorised access, mass download, anomalous sign-ins and credential abuse must be in place with a named owner and a 24/7 escalation path. Microsoft Defender XDR and Sentinel are the standard delivery vehicles, with tuned alerts on credential abuse, unusual data movement and risky sign-ins. The named owner is critical — OAIC determinations have noted instances where alerts fired and were not actioned because no one owned the queue.

Smaller organisations can satisfy this via a managed detection service rather than an in-house SOC. The evidence is the SLA, the alert volume report, and the mean time to triage.
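The "alerts fired and nobody owned the queue" failure mode is checkable. Below is an added example (not Frontrow's or Microsoft's code) that reads Defender XDR incidents through Microsoft Graph, lists active incidents left unassigned beyond a triage SLA, and produces the alert-volume evidence the text names. It assumes the Microsoft.Graph.Security module; the four-hour SLA is a constructed value.

```powershell
# Added example, not Frontrow's or Microsoft's code. Assumes Microsoft.Graph.Security and a
# Defender XDR tenant; the SLA hours are a constructed value.
Connect-MgGraph -Scopes "SecurityIncident.Read.All"

# Active Defender XDR incidents that nobody has picked up within the triage SLA. This is the
# failure mode the text describes: the alert fired and the queue had no owner.
function Get-UnownedIncidents {
    param([int]$TriageSlaHours = 4)
    $nowUtc = (Get-Date).ToUniversalTime()
    $cutoff = $nowUtc.AddHours(-$TriageSlaHours)
    Get-MgSecurityIncident -Filter "status eq 'active'" -All |
        Where-Object { [string]::IsNullOrEmpty($_.AssignedTo) -and $_.CreatedDateTime -lt $cutoff } |
        Select-Object Id, DisplayName, Severity, CreatedDateTime,
            @{ n = "HoursOpen"; e = { [math]::Round(($nowUtc - $_.CreatedDateTime).TotalHours, 1) } }
}

# Alert-volume evidence for the period: incidents by severity and how many were assigned.
function Get-IncidentVolumeReport {
    param([int]$Days = 30)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("o")
    Get-MgSecurityIncident -Filter "createdDateTime ge $since" -All |
        Group-Object Severity |
        ForEach-Object {
            [pscustomobject]@{
                Severity   = $_.Name
                Incidents  = $_.Count
                Assigned   = @($_.Group | Where-Object { -not [string]::IsNullOrEmpty($_.AssignedTo) }).Count
                Unassigned = @($_.Group | Where-Object { [string]::IsNullOrEmpty($_.AssignedTo) }).Count
            }
        }
}

$unowned = Get-UnownedIncidents -TriageSlaHours 4
if ($unowned) {
    # Escalation hook: replace with the paging or ticketing call the named owner actually uses.
    $unowned | Format-Table -AutoSize
    Write-Warning "$(@($unowned).Count) active incident(s) unassigned beyond the triage SLA"
}
Get-IncidentVolumeReport -Days 30 |
    Export-Csv ".\incident-volume-$(Get-Date -Format yyyyMM).csv" -NoTypeInformation
```

Scheduled hourly, the unowned-incident check is the control that gives the "named owner" requirement teeth: it pages the owner when the queue is stalling rather than discovering the stall in the post-incident review. The same report works for a managed detection provider, since the SLA and alert volume are what the provider's contract has to evidence.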

7. Documented NDB response with rehearsed runbooks

The baseline is a dedicated Notifiable Data Breach response runbook with named owners, pre-mapping to the OAIC online form, individual notification templates by data type, a legal review SLA, and a board reporting flow; containment runbooks for the common breach patterns (compromised user, compromised service principal, compromised endpoint); and an annual tabletop exercise based on a recent OAIC-published breach pattern.

The runbooks are evidence in two directions: they shorten the actual response when a breach occurs, and they evidence to OAIC that the organisation took reasonable steps to be ready. The annual tabletop is the rehearsal that turns documented runbooks into operationally usable runbooks.
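One of the three containment runbooks (compromised user) as an added example, not Frontrow's runbook. It assumes the Microsoft.Graph Users, Users.Actions, Reports and Identity.SignIns modules, a constructed case folder, and a constructed user and case number; the ordering (preserve evidence, then contain, then record) reflects the Domain 4 question about preserving evidence during containment.

```powershell
# Added example, not Frontrow's or Microsoft's code. Assumes Microsoft.Graph (Users,
# Users.Actions, Reports, Identity.SignIns) and a constructed case folder. Covers the
# compromised-user pattern only; service principal and endpoint runbooks are separate.
Connect-MgGraph -Scopes "User.ReadWrite.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Order matters: capture evidence first, then contain, then record the timeline. Revoking
# sessions before the snapshot loses the in-flight state the investigation needs.
function Invoke-CompromisedUserContainment {
    param(
        [Parameter(Mandatory)] [string]$UserPrincipalName,
        [Parameter(Mandatory)] [string]$CaseId,
        [string]$EvidenceRoot = ".\ndb-cases"
    )
    $caseDir = Join-Path $EvidenceRoot $CaseId
    New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
    $user = Get-MgUser -UserId $UserPrincipalName
    $timeline = [System.Collections.Generic.List[object]]::new()
    $log = {
        param($step)
        $timeline.Add([pscustomobject]@{ Utc = (Get-Date).ToUniversalTime().ToString("o"); Step = $step })
    }

    # 1. Preserve: recent sign-ins and registered authentication methods, written before any change.
    Get-MgAuditLogSignIn -Filter "userId eq '$($user.Id)'" -Top 1000 |
        ConvertTo-Json -Depth 6 | Set-Content (Join-Path $caseDir "signins.json")
    Get-MgUserAuthenticationMethod -UserId $user.Id |
        ConvertTo-Json -Depth 6 | Set-Content (Join-Path $caseDir "auth-methods.json")
    & $log "Evidence snapshot written for $UserPrincipalName"

    # 2. Contain: revoke refresh tokens (ends existing sessions) and disable the account.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
    & $log "Sign-in sessions revoked"
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    & $log "Account disabled"

    # 3. Record: the timeline is the artefact that goes to legal review and the OAIC form.
    $timeline | Export-Csv (Join-Path $caseDir "timeline.csv") -NoTypeInformation
    return $timeline
}

# Example run against a constructed identity and case number.
Invoke-CompromisedUserContainment -UserPrincipalName "j.citizen@contoso.example" -CaseId "NDB-2026-0001"
```

The tabletop exercise is where this gets tested: run the function against a test account during the drill, confirm the evidence files and timeline appear in the case folder, and time how long the whole runbook takes from alert to disabled account. That measured duration is the number the board report and the OAIC "reasonable steps" narrative both need.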


Notifiable Data Breach Readiness Check

Under the NDB scheme you have 30 days from awareness to assess whether a breach is notifiable, and you must then notify OAIC and affected individuals as soon as practicable. Score whether your Microsoft 365 tenant can detect, scope, notify, remediate and improve fast enough to meet the clock. Pick the option closest to your tenant today.

Domain 1

Detect

Mean time to detect a personal information breach. Without detection, the 30-day clock never starts and the breach gets discovered when an affected individual raises it.

  • What's your estimated mean time to detect a personal-information breach in your M365 tenant?

    Source: OAIC Notifiable Data Breaches Report (median discovery times); Microsoft Learn: Microsoft Defender XDR.

  • What's your Purview Audit log retention?

    Source: Microsoft Learn: Microsoft Purview Audit (Premium); Audit log retention policies.

Domain 2

Scope

How quickly you can determine which individuals' personal information was accessed, exfiltrated or modified. The scoping work is what feeds the OAIC notification.

  • Can you reconstruct the scope of a data exposure (which files accessed, by whom, exfiltrated where) within 7 business days?

    Source: Microsoft Learn: Microsoft Purview eDiscovery (Premium); Microsoft Defender for Cloud Apps file investigation.

  • Can you determine which categories of personal information were involved (health, financial, government identifier) without a manual file-by-file review?

    Source: Microsoft Learn: Microsoft Purview sensitive information types; Trainable classifiers in Microsoft Purview.

Domain 3

Notify

Whether you have a documented notification flow, OAIC contact established, communications templates ready, and legal review pre-arranged.

  • Do you have a documented notifiable data breach response runbook covering OAIC notification, individual notification and stakeholder communications?

    Source: OAIC Notifiable Data Breaches scheme — entity guidance; Privacy Act 1988 s 26WK (notification timing).

  • Are individual notification templates pre-drafted and legally reviewed?

    Source: OAIC: Notifying individuals about an eligible data breach; Privacy Act 1988 s 26WL.

Domain 4

Remediate

Whether the organisation can contain the breach (rotate credentials, revoke tokens, disable accounts, isolate devices) within hours, and preserve evidence for forensic analysis.

  • Do you have containment runbooks for the common breach patterns (compromised user, compromised service principal, compromised endpoint)?

    Source: Microsoft Learn: Investigate and respond to incidents in Microsoft Defender XDR; Microsoft Sentinel automation rules and playbooks.

  • How is evidence preserved during containment to support OAIC investigation and post-incident review?

    Source: Microsoft Learn: Microsoft Purview Audit; Microsoft Defender for Endpoint live response; ISO 27037 digital evidence handling.

Domain 5

Continuous improvement

Whether tabletop exercises run, post-incident reviews update controls, and OAIC published trends inform internal control updates.

  • When did you last run a tabletop exercise for a notifiable data breach scenario?

    Source: OAIC Notifiable Data Breaches Report (sectoral trends); ASD Cyber Incident Response Plan guidance.

  • After a real or simulated incident, how are control updates tracked through to closure?

    Source: ASD Cyber Incident Response Plan guidance; ISO 27035 information security incident management.

This is an indicative self-assessment. It is not a substitute for an incident readiness exercise or legal advice. Frontrow Technology offers a Notifiable Data Breach readiness review with a tabletop exercise.

Where AU mid-market sits today

Frontrow's audit data: across the seven controls, the average AU mid-market tenant is in compliance with two to three. The most common gaps are container labels (deployed in around 30 percent of tenants), DLP enforcing (around 20 percent), audit retention beyond default (around 25 percent), and a documented NDB runbook with rehearsed templates (around 10 percent). MFA is reasonably well covered. The other six are not.

If you do nothing in response to this article, the most useful single move is to score your tenant against the Information Protection Stack Maturity Check and the NDB Readiness Check. Both are free, both are scored against published Microsoft and OAIC guidance, both produce a board-grade PDF you can take to your next risk meeting.

How Frontrow runs this as a managed service

The Frontrow Managed Identity & Information Protection program covers all seven of these controls as a continuous quarterly cycle. Each control has documented configuration, evidence-of-firing, and a quarterly review that produces the Privacy Act 2026 alignment evidence pack for the board. The same evidence pack is what gets handed to OAIC if a notifiable breach occurs.

If your organisation is in the two-to-three-of-seven cohort and is processing personal information at scale, the engagement is straightforward. Email Frontrow at info@frontrow.email.
