Microsoft 365 powers over 400 million paid seats worldwide, making it the default productivity platform for businesses of every size. But the same features that make M365 easy to deploy also make it easy to misconfigure. Most organizations activate their licenses, migrate their email, and never revisit the security defaults — leaving critical gaps that attackers know exactly how to exploit.
After 35 years of managing IT environments for businesses across the Atlanta metro area and beyond, COMNEXIA has audited hundreds of Microsoft 365 tenants. The same oversights show up again and again. Here are the ten settings most businesses miss — and what to do about each one.
What Is Microsoft 365 Security Hardening?
Microsoft 365 security hardening is the process of configuring your M365 tenant beyond the default settings to reduce your attack surface. Out of the box, Microsoft enables basic protections called “Security Defaults,” but these are designed as a starting point for small organizations — not a complete security posture. True hardening involves layering conditional access policies, audit controls, sharing restrictions, and authentication rules tailored to how your business actually operates.
Why Do So Many Businesses Have Weak M365 Security?
The core problem is that Microsoft 365 works immediately after setup. Email flows, Teams connects, SharePoint serves files. Because nothing appears broken, most businesses never dig into the admin centers where the real security controls live. The Microsoft 365 admin portal contains over 50 distinct security settings spread across multiple dashboards — Entra ID, Exchange Online, SharePoint, Defender, Purview, and Intune. Without dedicated IT oversight, critical protections simply stay off.
Which Microsoft 365 Security Settings Are Most Commonly Missed?
1. Is Multi-Factor Authentication Actually Enforced for Everyone?
MFA is the single most effective defense against account compromise — Microsoft’s own data shows it blocks 99.9% of automated attacks. Yet many businesses have MFA enabled for some users but not enforced across the board. Service accounts, admin accounts, and new hires frequently slip through the cracks. The fix: use Conditional Access policies (requires Entra ID P1 or Microsoft 365 Business Premium) to require MFA for all users, all apps, all locations — with no exceptions for “trusted” devices unless explicitly managed through Intune compliance.
2. Is Legacy Authentication Still Enabled?
Legacy authentication protocols like POP3, IMAP, and SMTP AUTH don’t support MFA. Attackers use these as a backdoor to bypass multi-factor requirements entirely. Microsoft began disabling Basic Authentication in 2022, but many tenants still have legacy auth enabled for specific apps or mailboxes — often to support older printers, scanners, or line-of-business applications. Check your Entra ID sign-in logs for “Legacy Authentication Clients.” If you see activity, create a Conditional Access policy to block legacy auth and migrate those devices to Modern Authentication or application passwords.
3. Are Audit Logs Actually Turned On?
Unified Audit Logging in Microsoft Purview records user and admin activity across Exchange, SharePoint, Teams, and Entra ID. It’s essential for investigating breaches, meeting compliance requirements, and understanding what happened after an incident. The problem: audit logging is enabled by default for E5 licenses but must be manually turned on for E3, Business Premium, and lower tiers. If your organization hasn’t explicitly enabled it, you may have zero forensic data when you need it most. Navigate to Microsoft Purview > Audit and verify that recording is active.
4. Who Has Global Admin Access?
Microsoft recommends no more than two to four Global Administrator accounts per tenant. In practice, many businesses have five, eight, or even fifteen accounts with full admin privileges — including former employees, vendor accounts, and shared credentials. Every Global Admin account is a high-value target. Audit your admin roles in Entra ID > Roles and administrators. Downgrade users to the least-privilege role they actually need (Exchange Admin, SharePoint Admin, User Admin) and enable Privileged Identity Management (PIM) for just-in-time admin access if your licensing supports it.
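An added example (not COMNEXIA's script) that enumerates the permanent Global Administrator assignments and flags the cases the paragraph calls out; it assumes the Microsoft.Graph PowerShell module is installed and the signed-in account can read directory roles. PIM eligible assignments do not appear here, only active members.

```powershell
# Added example: audit Global Administrator membership in an Entra ID tenant.
# Assumes the Microsoft.Graph module and read access to directory roles.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All"

# The role object only exists once the role has been activated in the tenant.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role not found in this tenant." }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$report = foreach ($m in $members) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.user') {
        $u = Get-MgUser -UserId $m.Id -Property "displayName,userPrincipalName,accountEnabled,userType"
        [pscustomobject]@{
            Name     = $u.DisplayName
            Identity = $u.UserPrincipalName
            Kind     = $u.UserType        # 'Guest' here is typically a vendor account
            Enabled  = $u.AccountEnabled  # a disabled account keeps the role until it is removed
        }
    } else {
        # Service principals and role-assignable groups also appear as members.
        [pscustomobject]@{
            Name     = $m.AdditionalProperties['displayName']
            Identity = $m.Id
            Kind     = $type -replace '#microsoft.graph.', ''
            Enabled  = $null
        }
    }
}

$report | Sort-Object Kind, Name | Format-Table -AutoSize

# Microsoft's guidance, as cited above: two to four Global Admins per tenant.
$count = @($report).Count
if ($count -gt 4) {
    Write-Warning "$count Global Administrator assignments found (target: 2-4). Move the rest to scoped roles or PIM eligible assignments."
}
if ($report | Where-Object { $_.Kind -eq 'Guest' }) {
    Write-Warning "External (guest) accounts hold Global Administrator."
}
if ($report | Where-Object { $_.Enabled -eq $false }) {
    Write-Warning "Disabled accounts still hold Global Administrator; remove the assignment."
}
```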
5. Are External Sharing Controls Configured in SharePoint and OneDrive?
By default, SharePoint Online and OneDrive allow users to share files and folders with anyone — including anonymous external users via “Anyone” links. This means a single employee can accidentally (or intentionally) expose sensitive documents to the entire internet. Tighten this by navigating to SharePoint admin center > Policies > Sharing. At minimum, restrict external sharing to “New and existing guests” (authenticated users only) and disable anonymous “Anyone” links. For regulated industries, consider restricting sharing to specific verified domains.
6. Is Email Forwarding to External Addresses Blocked?
One of the most common techniques in business email compromise (BEC) attacks is setting up a hidden mail forwarding rule. An attacker gains access to a mailbox, creates an Outlook rule that silently forwards all incoming email to an external address, and then monitors communications for weeks — waiting for a wire transfer request or sensitive data. Block this by creating a mail flow rule in Exchange Online that prevents automatic forwarding to external recipients. Microsoft also offers an outbound spam policy setting to control auto-forwarding at the tenant level.
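An added example (not COMNEXIA's script) that first reports forwarding already configured in the tenant, then applies the two controls the paragraph describes; it assumes the ExchangeOnlineManagement module is installed and the account holds the Exchange Administrator role. Review the report before creating the rule, since legitimate forwarding to a partner domain will also be rejected.

```powershell
# Added example: detect existing external forwarding, then block auto-forwarding.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.
Connect-ExchangeOnline

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox

# 1. Mailbox-level forwarding (set by an admin or through Outlook settings).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect to a domain the tenant does not own.
#    Rule targets are strings of the form: "Display Name" [SMTP:user@example.net]
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        $external = foreach ($t in $targets) {
            if ($t -match 'SMTP:([^\]]+)') {
                $domain = ($Matches[1] -split '@')[-1].ToLower()
                if ($domain -notin $internalDomains) { $Matches[1] }
            }
        }
        if ($external) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = ($external -join '; ')
            }
        }
    }
}

# 3. Tenant-wide control: the outbound spam policy setting mentioned above.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. Defence in depth: a mail flow rule that rejects auto-forwarded mail leaving the tenant.
New-TransportRule -Name "Block automatic forwarding to external recipients" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted."
```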
7. Is Microsoft Defender for Office 365 Configured Beyond Defaults?
Many organizations pay for Microsoft 365 Business Premium or E5 — which include Defender for Office 365 — but never configure Safe Links, Safe Attachments, or anti-phishing policies beyond the default settings. Default policies provide baseline protection, but custom policies allow you to target specific user groups, enable URL detonation for links in Teams and SharePoint (not just email), and configure impersonation protection for your executives. If you’re paying for Defender, configure it fully or you’re leaving protection on the table.
8. Are Inactive and Guest Accounts Being Cleaned Up?
Guest accounts accumulate over time as employees invite external collaborators to Teams channels, SharePoint sites, and shared mailboxes. These accounts persist indefinitely unless someone removes them. Inactive guest accounts are a significant risk — they often belong to people who have left partner organizations, changed roles, or no longer need access. Review guest accounts quarterly using Entra ID > Users > Guest users, and implement access reviews to automatically prompt account owners to re-confirm whether guests still need access.
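An added example (not COMNEXIA's script) for the quarterly review described above: it lists guests who never redeemed their invitation or have not signed in for 90 days, and stages removal behind -WhatIf. It assumes the Microsoft.Graph module; the signInActivity property requires AuditLog.Read.All and an Entra ID P1 licence in the tenant.

```powershell
# Added example: find inactive guest accounts in Entra ID.
# Assumes the Microsoft.Graph module; signInActivity needs AuditLog.Read.All and Entra ID P1.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

$cutoff = (Get-Date).AddDays(-90)   # matches the quarterly review cadence

# ConsistencyLevel/CountVariable make this an advanced query so the userType filter is honoured.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" -ConsistencyLevel eventual -CountVariable total `
    -Property "id,displayName,mail,createdDateTime,externalUserState,signInActivity"

$stale = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    # A guest who never signed in has no signInActivity; fall back to the invite date.
    $lastActivity = if ($lastSignIn) { $lastSignIn } else { $g.CreatedDateTime }
    if ($lastActivity -lt $cutoff) {
        [pscustomobject]@{
            Name        = $g.DisplayName
            Mail        = $g.Mail
            Invited     = $g.CreatedDateTime.ToString('yyyy-MM-dd')
            LastSignIn  = if ($lastSignIn) { $lastSignIn.ToString('yyyy-MM-dd') } else { 'never' }
            InviteState = $g.ExternalUserState   # 'PendingAcceptance' = invitation never redeemed
            Id          = $g.Id
        }
    }
}

"$total guest accounts, $(@($stale).Count) inactive since $($cutoff.ToString('yyyy-MM-dd'))"
$stale | Sort-Object LastSignIn | Format-Table Name, Mail, Invited, LastSignIn, InviteState -AutoSize

# Removal is deliberately a separate step: export the list, confirm with the inviting
# owners, then rerun without -WhatIf. Deleted users remain recoverable for 30 days.
$stale | Export-Csv -Path .\stale-guests.csv -NoTypeInformation
foreach ($g in $stale) { Remove-MgUser -UserId $g.Id -WhatIf }
```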
9. Is Data Loss Prevention (DLP) Configured?
Microsoft Purview Data Loss Prevention can detect and block the sharing of sensitive information — credit card numbers, Social Security numbers, health records, financial data — across email, Teams, SharePoint, and OneDrive. Despite being included in Business Premium and E3/E5 licenses, DLP policies are frequently left unconfigured. Start with Microsoft’s built-in templates for PCI-DSS (payment card data), HIPAA (health data), or PII (personally identifiable information), and customize from there based on your industry and compliance requirements.
10. Are Mobile Devices Managed or at Least Protected?
Employees access Microsoft 365 from personal phones and tablets constantly. Without mobile application management (MAM) or mobile device management (MDM) through Intune, you have no control over what happens to corporate data on those devices. At minimum, configure App Protection Policies in Intune to require a PIN for Outlook and Teams, prevent copy-paste of corporate data into personal apps, and enable remote wipe of corporate data if a device is lost or an employee leaves.
How Can You Audit Your Own Microsoft 365 Security?
Microsoft provides a free tool called Microsoft Secure Score that evaluates your tenant configuration against recommended security practices and assigns a numerical score. It breaks recommendations into identity, data, device, and app categories with specific remediation steps. Most businesses score between 30% and 50% on their first assessment. A managed IT provider like COMNEXIA can help you interpret the results and prioritize which changes to implement first based on your risk profile and licensing tier.
What Should Businesses Do First?
If you’re not sure where to start, prioritize these three actions:
- Enforce MFA for all users via Conditional Access — this single change eliminates the majority of account compromise attacks
- Block legacy authentication — close the backdoor that bypasses MFA
- Enable unified audit logging — ensure you have forensic data available if an incident occurs
These three changes take less than an hour to implement and dramatically improve your security posture. From there, work through the remaining seven settings systematically — or engage a cybersecurity partner to conduct a full tenant review.
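An added example (not COMNEXIA's script) that carries out the three priority actions above, covering the MFA, legacy authentication and audit logging items from the list: both Conditional Access policies are created in report-only mode so their impact can be checked in the sign-in logs before enforcement, and the break-glass account object ID is a placeholder. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, Entra ID P1 (or Business Premium) for Conditional Access, and an account holding the relevant admin roles.

```powershell
# Added example: the three first actions (MFA for all, block legacy auth, unified audit log).
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules and Entra ID P1 licensing.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Placeholder: the object ID of your emergency-access (break-glass) account, excluded so a
# misconfigured policy cannot lock every administrator out of the tenant.
$breakGlass = "<break-glass-account-object-id>"

# Policy 1: require MFA for all users, all apps. Report-only until the sign-in log is reviewed.
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2: block legacy authentication. In Conditional Access, legacy clients are the
# client app types 'exchangeActiveSync' and 'other' (POP3, IMAP, SMTP AUTH, older Office).
$legacyPolicy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Action 3: unified audit logging. Check the current state, enable only if it is off.
Connect-ExchangeOnline
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
```

Report-only results appear in the Entra ID sign-in logs under each policy's name; once the legacy-auth policy shows only expected blocks (old printers and scanners you have already migrated), set state to "enabled".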
Frequently Asked Questions
Q: Does Microsoft 365 come secure out of the box? A: Microsoft enables “Security Defaults” for new tenants, which provides basic MFA prompts and blocks legacy auth. However, Security Defaults is a one-size-fits-all baseline — it doesn’t include Conditional Access customization, DLP, advanced anti-phishing, or any of the granular controls described above. Businesses handling sensitive data or subject to compliance regulations need to go well beyond defaults.
Q: Do I need Microsoft 365 E5 to get good security? A: No. Microsoft 365 Business Premium (around $22/user/month) includes Defender for Office 365, Intune, Conditional Access, and basic DLP — enough for most small and mid-size businesses. E5 adds advanced features like Audio Conferencing, Power BI Pro, and eDiscovery Premium, but Business Premium covers the core security stack.
Q: How often should we review our M365 security settings? A: At minimum, quarterly. Microsoft releases new features and changes defaults regularly — what was secure six months ago may have new options available or new risks exposed. COMNEXIA recommends combining quarterly Secure Score reviews with annual full-tenant security audits.
Q: Can an MSP manage Microsoft 365 security for us? A: Yes. A managed service provider with Microsoft expertise can configure, monitor, and maintain your M365 security posture using delegated admin privileges (GDAP). This is particularly valuable for businesses without a dedicated IT security team. COMNEXIA has managed Microsoft 365 environments for businesses across metro Atlanta since the platform launched as Office 365 in 2011.
Q: What’s the biggest risk of ignoring these settings? A: Business email compromise. BEC attacks caused over $2.9 billion in reported losses in the United States in 2023 according to the FBI’s Internet Crime Report. Most BEC attacks begin with a compromised Microsoft 365 account — and most of those compromises exploit exactly the gaps described in this article: missing MFA, legacy auth enabled, external forwarding left unblocked, and no audit logging to detect the breach early.