Microsoft 365 is now deeply embedded across government, but strong adoption does not always mean strong governance. The recent WA Office of the Auditor General audit exposed serious gaps across several government entities, from weak oversight and external sharing risks to a lack of complete tenant configuration backup.
It’s a timely reminder that Microsoft 365 security is not just about preventing attacks, but also about being able to govern, recover and maintain control when something goes wrong. So what did the audit actually reveal, and what should government and IT leaders be focusing on now?
Here’s an overview of what the OAG audit found, why it matters, and why waiting for a mandate is the wrong move.
In this article
The Western Australian Office of the Auditor General’s review of Microsoft 365 security across seven state government entities found weak governance, unchecked external sharing, and no complete backup of tenant configurations at any of the agencies audited. This blog will unpack what the audit set out to do, what it found, and the real-world cost when tenant governance goes wrong, including a department that took three and a half months to rebuild its environment after a ransom incident. The findings expose a shared responsibility gap that extends well beyond government. For IT leaders, the message is simple: waiting for a mandate, an audit, or an incident to force action is the most expensive option available.
Audits have a reputation for being dry, bureaucratic exercises, useful only in generating thick reports no one will ever read.
Now and then, though, one lands that reveals something genuinely important. The recent Western Australian Office of the Auditor General’s (OAG) review of Microsoft 365 adoption across federal agencies is one such example.
The OAG has held up a mirror to a problem that extends beyond government and into every organisation running Microsoft 365.
The Western Australian Office of the Auditor General is an independent statutory body that reports directly to the WA Parliament. Its role is to provide assurance on the financial integrity of state and local government entities and to hold the public sector accountable for how it manages public resources. It isn’t a technology regulator, and this was the first time we’ve seen an audit report from a security and governance standpoint that was very specific to Microsoft 365, which is what makes this audit significant.
Released on 6 March 2026, the report exposed systemic failures in Microsoft 365 security across seven state government entities. Crucially, the audit was designed to assess whether those seven entities were effectively managing and configuring their Microsoft 365 cloud applications and security controls to minimise the risk of data breaches.
The audit evaluated the agencies across five key domains: governance, identity and access management, information protection, logging and monitoring, and threat prevention. The report is freely available for download, and if you work in government IT or security, I strongly encourage you to read it.
What the report found wasn’t a surprise to us here at CoreView. Essentially, none of the seven departments had strong governance for their M365 tenant.
Sensitive government information was sitting inside collaboration suites with external shares flying around unchecked. Guest users had been granted access to these environments with little understanding of how to govern or monitor them properly, and this had simply been accepted as business as usual.
On the security side, the findings were equally concerning. Not one of the departments was treating the configuration layer of their M365 tenant as a control plane, a security mechanism in its own right. None had a complete backup of their tenant configurations and settings, creating serious additional risks.
In the private sector, the path is relatively straightforward: you identify the gap, build a business case, secure a budget, and address it. In the public sector, that same journey comes with what I describe as a lot of ‘side quests’. Procurement frameworks, compliance obligations, spending justifications, and layers of internal governance all sit between recognising a risk and acting on it.
From my perspective, the vendor community undoubtedly has a significant role to play in bridging that gap, but it requires commitment. Government agencies need third-party support that can adhere to their specific security and compliance standards. For CoreView, that has meant achieving IRAP certification, a rigorous and specific federal government security standard that validates the controls we have in place on our platform.
The encouraging sign is that the government is starting to lean in. The OAG report is evidence of that and at the federal level, the Albanese government’s $25 billion commitment to cyber initiatives signals that investment is on the way. The Australian Signals Directorate’s (ASD) Essential 8 framework and the Information Security Manual also provide the compliance backbone that agencies need.
Government departments are high-value targets, and state-sponsored cyberattacks are an operational reality that agencies need to plan for. When sensitive departmental information lives within an M365 tenant with weak configuration controls and poor governance hygiene, it’s only a matter of time before a serious incident occurs.
The governance gaps the OAG identified aren’t theoretical risks, and we’ve now seen what happens when they go unaddressed in real time. Here’s an example:
A government department had its Microsoft tenant held to ransom, and because they had a data backup solution in place, they decided not to pay. When they spun up a new tenant through Microsoft, expecting to recover their data and resume normal operations relatively quickly, they instead discovered that the new tenant bore no resemblance to their previous environment. Every configuration, setting, and governance control had to be rebuilt from scratch, a process that took three and a half months.
During that time, the impact cascaded across public services in ways that most wouldn’t associate with a cyber incident; library systems went offline, and residents couldn’t borrow books. But more critically, emergency services had to revert to manual operations because so much of their day-to-day function ran through that Microsoft environment.
That’s the real cost of treating M365 configuration and governance as an afterthought: a public services problem that lands on real people. The OAG audit was a warning, and other state jurisdictions are now looking to the Western Australian government as a pioneer in taking M365 governance seriously, with CoreView stepping in to brief Western Australian government officials and provide support.
The information held inside government departments is extremely sensitive, and the operational dependencies are crucial. Beyond this, governments are a unique target and cybersecurity challenge owing to the significant reputational stakes and societal disruption at play.
We’ve seen what state-sponsored attacks on public-sector infrastructure can look like globally. North Korean operatives creating accounts inside government tenants, operating silently in watch-and-listen mode before executing something more aggressive.
At the same time, government departments have to manage broad IT and security infrastructure while working within constrained budgets and navigating complex procurement processes.
When the path to deploying the right combination of people, process and technology is difficult to navigate, the easier option is often to accept the risk and move on. We see that regularly at CoreView, but accepting risk in an environment this targeted, with this much sensitive data at play, is becoming increasingly untenable.
For many organisations, there’s a long-held belief that I’ve consistently encountered throughout my time in cybersecurity: that Microsoft, as a sophisticated global technology company that many pay a lot of money for, is taking care of security. Unfortunately, this belief is wrong.
Microsoft clearly documents the shared responsibility model, but it rarely gets the attention it deserves in practice. Microsoft’s obligation is to keep the platform itself operational and secure at an infrastructure level. What happens inside your tenant is entirely your responsibility.
The OAG audit clearly highlighted this responsibility gap. Every vulnerability identified across the seven departments existed not because Microsoft’s platform failed, but because the agencies hadn’t taken ownership of their configuration layer.
Until organisations, government or otherwise, start to heed this responsibility and fully take ownership, they’ll continue operating with a false sense of security that no amount of Microsoft licensing spend can fix.
From my experience, the conversation almost always starts with education. The misconceptions around M365 are deeply embedded, even at the C-suite level, so before anything else can happen, a conversation needs to be had about where Microsoft’s responsibility ends, and yours begins.
From there, what moves organisations to act tends to fall into one of a few categories. Some are pushed through an audit, an incident, or the discovery of something unsettling in their tenant, such as a third-party application with privileges that should have been revoked months ago. Others are pulled because they’ve watched high-profile cases in which entire states or local governments were rendered ineffective for weeks due to M365-related outages.
The OAG report has already done that for seven Western Australian departments, but I’d wager the other fifty-odd state agencies that weren’t audited are asking themselves the same questions right now.
The proactive organisations we’re seeing come to us aren’t doing it because they’ve been told to, but because they’ve done the math on what getting it wrong actually costs.
If the OAG report has you questioning how well your M365 tenant is governed and protected, you're not alone. CoreView has put together a briefing that unpacks the findings and what they mean for your organisation.