Microsoft 365

How Microsoft 365 Misconfigurations Create Business Risk

March 5, 2025 | 5 min read | ProSIGHT Security

Microsoft 365 is powerful — but the default configuration often leaves businesses exposed. These are the most common gaps we find.

The Default Configuration Problem

Microsoft 365 is the productivity backbone for millions of small businesses. It's reliable, feature-rich, and deeply integrated with the tools organizations depend on. But there's a critical issue that many businesses don't realize until it's too late: the default configuration is not a secure configuration. Microsoft has designed Microsoft 365 to be easy to adopt and accessible to a wide range of users — and in doing so, they've made choices that prioritize convenience over security in several important areas.

When we conduct security assessments on Microsoft 365 environments, we see the same misconfigurations repeatedly — across industries, organization sizes, and IT maturity levels. These aren't obscure settings buried in an admin console. They're foundational configurations that have significant implications for your exposure to phishing, account takeover, and data loss.

The Most Common Gaps We Find

Multi-Factor Authentication Not Enforced

This remains the most prevalent gap across every M365 assessment we conduct. MFA is not enabled by default for all users in Microsoft 365 — it requires deliberate configuration. We frequently find organizations where MFA is enabled for some users but not others, where legacy authentication protocols are still permitted (bypassing MFA entirely), or where the MFA rollout was started but never completed.

Microsoft has introduced Security Defaults and Conditional Access Policies to help organizations enforce MFA, but these require active configuration. Without them, a compromised password is all an attacker needs to access your email, files, and connected applications.

Legacy Authentication Protocols Enabled

Legacy authentication protocols — older methods like Basic Authentication used by legacy email clients — do not support MFA. This means that even if you've enabled MFA for your users, an attacker with a valid password can bypass it by connecting through a legacy authentication protocol. Microsoft has been progressively deprecating these protocols, but many organizations still have them enabled, often unknowingly. They must be explicitly blocked through Conditional Access policies.
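The two controls described above, an MFA requirement for all users and a block on legacy authentication, expressed as Conditional Access policies in Microsoft Graph PowerShell. This is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed, that the admin can consent to the listed scopes, and uses a placeholder for the break-glass account's object ID.

```powershell
# Added example (not from the original post). Creates both policies in
# report-only mode so sign-in logs show the impact before anything is enforced.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder: object ID of an emergency-access ("break-glass") account. It is
# excluded from both policies so a misconfiguration cannot lock every admin out.
$breakGlassId = "<break-glass-account-object-id>"

# Policy 1: require MFA for every user on every cloud app.
$requireMfa = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication. "other" matches the legacy protocols
# (Basic Auth clients such as POP/IMAP/SMTP AUTH); "exchangeActiveSync" matches EAS.
$blockLegacy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy
"Created report-only policies: $($p1.Id), $($p2.Id)"

# After reviewing report-only results in the sign-in logs, turn enforcement on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p2.Id -State "enabled"
```

Run the legacy-auth block in report-only mode for long enough to catch scanners, multifunction printers and other devices that still use Basic Authentication, otherwise enforcement will break them silently.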

No External Email Warning Banner

A simple but high-impact setting: flagging emails that originate from outside your organization. When employees receive an email that appears to be from a colleague or executive but actually originates externally — a hallmark of business email compromise — a clear warning banner in the email header can break the illusion before any action is taken. This setting is not enabled by default but takes less than five minutes to configure.
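The external-sender warning described above, configured two ways in Exchange Online PowerShell. This is an added example rather than the post's own instructions; it assumes the ExchangeOnlineManagement module and an Exchange administrator role, and the banner wording and rule name are constructed for illustration.

```powershell
# Added example (not from the original post): tag mail that originates outside
# the organization so an impersonated "colleague" is visibly external.
Connect-ExchangeOnline

# Option 1: the native External tag rendered by Outlook clients (tenant-wide switch).
Set-ExternalInOutlook -Enabled $true

# Option 2: a mail flow rule that prepends a banner to the body and a tag to the
# subject, for clients that do not render the native tag. Banner text is constructed.
$banner = '<div style="background:#fff3cd;border:1px solid #856404;padding:6px;">' +
          '<b>CAUTION:</b> This email came from outside the organization. ' +
          'Verify the sender before acting on requests, links or attachments.</div>'

New-TransportRule -Name "External sender warning" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Verify both settings took effect.
Get-ExternalInOutlook | Select-Object Enabled, AllowList
Get-TransportRule "External sender warning" | Select-Object Name, State, Priority
```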

Excessive Admin Privileges

Microsoft 365 Global Administrator accounts have unrestricted access to everything in your tenant. We routinely find organizations where five, ten, or more users have Global Admin rights — often because it was the easiest way to grant access to a specific feature when the organization was getting started. Excessive admin privileges mean that if any one of those accounts is compromised, an attacker has full control of your Microsoft 365 environment.

Administrative roles should be assigned on the principle of least privilege. Most administrative tasks in Microsoft 365 can be performed with role-specific permissions rather than the catch-all Global Admin role.
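A quick inventory of who currently holds Global Administrator, as a starting point for the least-privilege review described above. This is an added example, not from the original post; it assumes Microsoft Graph PowerShell and read access to directory roles.

```powershell
# Added example (not from the original post): enumerate Global Administrators
# so the count and the account types can be reviewed against least privilege.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# Get-MgDirectoryRole lists only roles that have been activated in the tenant;
# Global Administrator is always present because the tenant creator holds it.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) { throw "Global Administrator role not found in this tenant." }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Members may be users, groups or service principals; the detail lives in
# AdditionalProperties on the returned directory objects.
$admins = foreach ($m in $members) {
    [pscustomobject]@{
        Id          = $m.Id
        DisplayName = $m.AdditionalProperties['displayName']
        UPN         = $m.AdditionalProperties['userPrincipalName']
        ObjectType  = $m.AdditionalProperties['@odata.type']
    }
}

$admins | Format-Table -AutoSize
"Global Administrators: $(@($admins).Count)"
```

Anything beyond a small handful of dedicated admin accounts (plus a break-glass account) is a candidate for reassignment to a scoped role such as Exchange Administrator or User Administrator.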

Mailbox Audit Logging Disabled

Audit logging is essential for investigating security incidents — it gives you a record of who accessed what, when. In Microsoft 365, mailbox audit logging is turned on by default for most license types, but the default audit log retention period is 90 days. Many organizations have not extended this retention or enabled the additional auditing options that log more detailed user activity. When an incident occurs, limited audit data can significantly hamper the investigation.
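Checking the tenant-wide audit switch, finding mailboxes still at the 90-day default, and extending retention and the captured actions, as described above. This is an added example rather than the post's own procedure; it assumes the ExchangeOnlineManagement module, an Exchange administrator role, and that the tenant's licensing permits retention beyond 90 days and the MailItemsAccessed action.

```powershell
# Added example (not from the original post): verify and extend mailbox auditing.
Connect-ExchangeOnline

# Tenant-level switch: if AuditDisabled is True, no mailbox is audited at all.
Get-OrganizationConfig | Select-Object AuditDisabled

# Mailboxes still at the default 90-day age limit (AuditLogAgeLimit is a timespan
# such as 90.00:00:00, so parse it rather than comparing strings).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$mailboxes |
    Where-Object { [TimeSpan]::Parse($_.AuditLogAgeLimit.ToString()).TotalDays -le 90 } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

# Raise retention to one year and add the actions an investigator needs most:
# logins, inbox-rule changes, permission changes, SendAs/SendOnBehalf, and item access.
# Note: setting AuditOwner/AuditDelegate/AuditAdmin explicitly takes the mailbox
# off Microsoft's default audit set for those actions, so list everything you need.
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit 365
    Set-Mailbox -Identity $mbx.UserPrincipalName `
        -AuditOwner    @{Add="MailboxLogin","UpdateInboxRules","UpdateFolderPermissions","MailItemsAccessed"} `
        -AuditDelegate @{Add="UpdateInboxRules","UpdateFolderPermissions","SendAs","SendOnBehalf"} `
        -AuditAdmin    @{Add="UpdateInboxRules","UpdateFolderPermissions","SendAs","SendOnBehalf"}
}
```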

Email Forwarding Rules Not Monitored

One of the most common techniques attackers use after compromising a Microsoft 365 account is to create inbox rules that silently forward copies of all incoming email to an external address. This allows them to monitor communications — and look for wire transfer opportunities, sensitive business information, or passwords — without the account owner seeing any outward sign of compromise. Organizations should regularly audit inbox rules and external forwarding configurations, and be alerted when new rules are created.
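An audit of forwarding configuration at all three layers, tenant policy, mailbox settings and inbox rules, plus a look back through the audit log for recent rule changes, as the section above recommends. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module, an Exchange administrator role, and that unified audit logging is enabled.

```powershell
# Added example (not from the original post): find every path by which mail can
# leave a mailbox silently, and check the audit log for recent rule activity.
Connect-ExchangeOnline

# 1. Tenant-wide: the outbound spam policy decides whether automatic forwarding
#    to external recipients is allowed at all. "Off" is the safe setting.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# 2. Mailbox-level forwarding, set by an admin or through Outlook settings.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward, redirect or delete mail. Disabled rules are kept
#    in the output because they can be re-enabled later.
$ruleFindings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
        Select-Object @{n='Mailbox'; e={ $mbx.UserPrincipalName }}, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}
$ruleFindings | Format-Table -AutoSize

# 4. Ongoing detection: rule creation and mailbox forwarding changes appear in the
#    unified audit log. Review the last seven days; schedule this to run regularly.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule,Set-InboxRule,Set-Mailbox -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, ClientIP
```

A rule that forwards to an external address the user cannot explain, or a forwarding change made from an unfamiliar IP in step 4, should be treated as a possible account compromise rather than a configuration quirk.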

No Advanced Anti-Phishing Configuration

Microsoft 365 includes Defender for Office 365 (in higher-tier plans) with advanced anti-phishing capabilities that go well beyond the default spam filtering. Features like anti-impersonation protection (which flags emails that appear to impersonate specific users or domains) and Safe Links (which scans URLs at the time of click rather than only at delivery) provide meaningful additional protection. However, these protections require configuration; they're not active out of the box.

Getting Your M365 Environment Right

Securing Microsoft 365 doesn't require a large budget or a dedicated security team. It requires deliberate configuration, informed by an understanding of where the defaults fall short. A security assessment of your M365 environment will surface the specific gaps in your configuration — and most remediation steps can be completed quickly once you know what to look for.