Microsoft 365 is the backbone of productivity for over 400 million users worldwide. But most businesses deploy it with default settings and never look back — leaving critical security gaps that attackers actively exploit. The reality is that Microsoft provides powerful security tools within every M365 subscription, but many of them are turned off by default or buried in admin consoles that nobody checks after initial setup.
At COMNEXIA, we’ve spent 35 years helping businesses across metro Atlanta secure their IT environments. When we onboard a new client’s Microsoft 365 tenant, we consistently find the same misconfigurations — settings that take minutes to fix but could prevent a catastrophic breach.
Here are the ten Microsoft 365 security settings most businesses are missing, and exactly what to do about each one.
1. Is Multi-Factor Authentication Actually Enforced for Every Account?
Multi-factor authentication (MFA) blocks over 99.9% of account compromise attacks, according to Microsoft’s own telemetry. Yet many organizations have MFA enabled for some users while leaving others — often admin accounts — unprotected.
The most common gap we see is MFA configured through “security defaults” rather than Conditional Access policies. Security defaults are a baseline, but they don’t cover service accounts, break-glass accounts, or scenarios where you need granular control. Businesses should audit every account in their tenant, including shared mailboxes and service accounts, to confirm MFA is enforced without exception.
What to check: Go to the Microsoft Entra admin center → Protection → Conditional Access. If you don’t see any policies, you’re relying on defaults alone — and that’s not enough for a business environment.
2. What Is Legacy Authentication and Why Should You Block It?
Legacy authentication protocols — POP3, IMAP, SMTP AUTH, and older versions of Exchange ActiveSync — don’t support MFA. Attackers know this. They specifically target legacy auth endpoints because they can bypass MFA entirely with stolen credentials.
Microsoft began disabling basic authentication for Exchange Online protocols in 2022, but many tenants still have exceptions or haven’t fully transitioned. A single legacy mail client connecting via IMAP can be the unlocked back door to your entire organization.
What to check: Create a Conditional Access policy that blocks legacy authentication for all users, all cloud apps, no exceptions. Then review your sign-in logs for any “legacy authentication” entries — each one is a vulnerability.
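The policy and the sign-in review described above, as an added example written for this article with the Microsoft Graph PowerShell SDK (it is not COMNEXIA's tooling or a Microsoft script). It assumes the Microsoft.Graph modules are installed, an Entra ID P1 license (Conditional Access requires one) and an account that can be granted the scopes requested; the policy is created in report-only mode so the affected clients show up in the logs before anything is blocked.

```powershell
# Added example: create a Conditional Access policy that blocks legacy
# authentication, then list recent sign-ins that came through legacy protocols.
# Assumes Microsoft.Graph modules + Entra ID P1 (needed for Conditional Access).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

# 'exchangeActiveSync' + 'other' is how Conditional Access expresses
# "legacy authentication clients" (POP3, IMAP, SMTP AUTH, older ActiveSync).
$policy = @{
    displayName   = 'Block legacy authentication (all users, all apps)'
    # Report-only first: sign-in logs record what WOULD be blocked. Switch to
    # 'enabled' once every client found below has been migrated or retired.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Review the last 30 days of sign-ins. Anything whose client is not a modern
# browser or desktop/mobile app arrived through a legacy endpoint; each row is
# a user and client to migrate before the policy is switched to 'enabled'.
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$modern = @('Browser', 'Mobile Apps and Desktop clients')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client'; e = { $_.Values[0] } },
        @{ n = 'User';   e = { $_.Values[1] } } |
    Format-Table -AutoSize
```

The break-glass accounts from section 10 are normally added to every policy's excludeUsers list; that is left out here because the article asks for no exceptions on this particular policy.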
3. Are Your Admin Accounts Using Dedicated Privileged Identities?
Using a Global Administrator account for daily email and Teams is one of the most dangerous practices in M365 security. If that account gets phished — and phishing remains the number one attack vector — the attacker has unrestricted access to your entire tenant.
Microsoft recommends a tiered admin model: daily work happens on a standard user account, and administrative tasks use a separate, dedicated admin account with MFA, no email, and time-limited privilege elevation through Privileged Identity Management (PIM).
What to check: Count your Global Administrators. Microsoft recommends no more than five. If any of them are also used for daily email, that’s an immediate risk to remediate.
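One way to run the two audits from sections 1 and 3 (every account's MFA status, and who holds Global Administrator) in a single pass, as an added example written for this article with the Microsoft Graph PowerShell SDK rather than anything from COMNEXIA or Microsoft. It assumes the Microsoft.Graph modules, an Entra ID P1 license for the registration-details report, and read-only scopes; note that Get-MgDirectoryRoleMember returns only active (not PIM-eligible) assignments.

```powershell
# Added example: audit Global Administrator membership and MFA registration
# with the Microsoft Graph PowerShell SDK. Read-only scopes; nothing is changed.
Connect-MgGraph -Scopes 'Directory.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# --- Section 3: count Global Administrators (Microsoft recommends at most five) ---
# directoryRoles lists roles activated in the tenant; Global Administrator always
# is. PIM-eligible assignments are NOT included here; review those in PIM.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }   # groups / service principals have no UPN; skip them

"Global Administrators: $($gaMembers.Count)"
$gaMembers | Sort-Object | ForEach-Object { "  $_" }
if ($gaMembers.Count -gt 5) { Write-Warning 'More than five Global Administrators; reduce the list.' }

# --- Section 1: which accounts have no MFA method registered? ---
# The registration report flags admins (IsAdmin) and whether any MFA method is
# registered (IsMfaRegistered). Admin accounts are sorted to the top.
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa   = $details | Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object -Property @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName

"Accounts without a registered MFA method: $($noMfa.Count) of $($details.Count)"
$noMfa | Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, UserType |
    Format-Table -AutoSize

# Global Administrators with no MFA are the first thing to fix: enforce MFA for
# them through a Conditional Access policy rather than relying on security defaults.
$gaWithoutMfa = $noMfa | Where-Object { $gaMembers -contains $_.UserPrincipalName }
if ($gaWithoutMfa) {
    Write-Warning "Global Administrators with no MFA registered: $($gaWithoutMfa.UserPrincipalName -join ', ')"
}
```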
4. What Does the Microsoft Secure Score Actually Tell You?
Microsoft Secure Score is a built-in security posture measurement tool available in every M365 tenant. It analyzes your configuration against Microsoft’s security benchmarks and gives you a percentage score with specific, actionable recommendations.
Most businesses we encounter have never looked at their Secure Score. The average score for a small or mid-size business tenant that hasn’t been hardened is typically between 25% and 40%. After proper configuration, scores above 70% are achievable without purchasing additional licenses.
What to check: Navigate to security.microsoft.com → Secure Score. Review the “Improvement actions” tab. Sort by “Score impact” to prioritize the changes that make the biggest difference first.
5. How Should External Sharing Be Configured in SharePoint and OneDrive?
By default, SharePoint Online and OneDrive allow users to share files and folders with anyone — including external users who don’t need a Microsoft account. This means an employee can accidentally (or intentionally) share sensitive financial documents, client data, or intellectual property with any email address on the internet.
The appropriate sharing level depends on your business, but “Anyone with the link” sharing should almost never be the default. Most organizations should restrict external sharing to “Existing guests” or “Only people in your organization” and require authentication for any external access.
What to check: SharePoint admin center → Policies → Sharing. Review both the organization-level setting and individual site-level overrides. Pay special attention to sites containing financial, HR, or client data.
6. Is Audit Logging Enabled and Are You Actually Reviewing It?
Unified audit logging in Microsoft 365 captures user activity, admin actions, and security events across Exchange, SharePoint, Teams, and Entra ID. It’s essential for investigating breaches, detecting insider threats, and meeting compliance requirements — but it isn’t always enabled by default, and even when it is, almost nobody reviews the logs.
Without audit logs, if an attacker compromises an account, you have no forensic trail to determine what data was accessed, what emails were forwarded, or what files were downloaded. You’re investigating blind.
What to check: Go to compliance.microsoft.com → Audit. If you see a banner asking you to “Start recording user and admin activity,” audit logging isn’t turned on. Enable it immediately — and consider setting up alert policies to flag suspicious activities automatically.
7. What Are Mail Transport Rules and How Can Attackers Abuse Them?
One of the first things an attacker does after compromising a mailbox is create a mail transport rule — also called an inbox rule — that automatically forwards copies of incoming email to an external address. This lets them maintain persistent access to sensitive communications even after you reset the user’s password.
Attackers also create rules to auto-delete security notifications, password reset confirmations, and MFA alerts so the legitimate user never sees them.
What to check: In the Exchange admin center, review mail flow rules at the organization level. Then use PowerShell or the admin center to audit individual mailbox rules across all users, looking specifically for forwarding rules pointing to external domains. Consider implementing a policy that blocks auto-forwarding to external recipients entirely.
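The mailbox-rule audit and the auto-forwarding block from this section, as an added example in Exchange Online PowerShell (written for this article; not COMNEXIA's or Microsoft's script). It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the Test-External helper and the recipient format it parses are this example's own, and "external" means any domain not in the tenant's accepted-domain list.

```powershell
# Added example: find inbox rules and mailbox settings that forward mail to
# external domains or silently delete it, review org-level mail flow rules,
# then block automatic external forwarding tenant-wide.
Connect-ExchangeOnline -ShowBanner:$false

# Domains the tenant owns; any recipient outside this set counts as external.
$internal = (Get-AcceptedDomain).DomainName

function Test-External([string[]] $Recipients) {
    # Rule recipients look like:  "Name" [SMTP:user@example.com]   (constructed sample)
    # Internal users may instead appear as [EX:/o=...]; those never match and are not flagged.
    foreach ($r in $Recipients) {
        if ($r -match '(?i)SMTP:[^@\]]+@([^\]\s>]+)' -and $matches[1] -notin $internal) { return $true }
    }
    return $false
}

$props    = 'UserPrincipalName', 'ForwardingSmtpAddress', 'ForwardingAddress', 'DeliverToMailboxAndForward'
$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties $props) {
    $upn = $mbx.UserPrincipalName
    # Mailbox-level forwarding set by an admin (not an inbox rule)
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $upn; Finding = 'Mailbox forwarding'; Target = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)" }
    }
    # Inbox rules, including hidden ones that the Outlook UI does not display
    foreach ($rule in (Get-InboxRule -Mailbox $upn -IncludeHidden -ErrorAction SilentlyContinue)) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        if ($targets -and (Test-External $targets)) {
            [pscustomobject]@{ Mailbox = $upn; Finding = "External forward rule '$($rule.Name)'"; Target = ($targets -join '; ') }
        }
        if ($rule.DeleteMessage) {   # rules that hide security or password-reset mail
            [pscustomobject]@{ Mailbox = $upn; Finding = "Delete rule '$($rule.Name)'"; Target = ($rule.SubjectContainsWords -join ', ') }
        }
    }
}
$findings | Format-Table -AutoSize

# Organisation-level mail flow (transport) rules that redirect or Bcc messages
Get-TransportRule | Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo

# Block automatic forwarding to external recipients for the whole tenant
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Run the audit before switching AutoForwardingMode off so that any legitimate forward (a shared mailbox to a ticketing system, for instance) is recorded and re-created as an explicit mail flow rule.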
8. Is Data Loss Prevention Configured to Protect Sensitive Information?
Data Loss Prevention (DLP) policies in Microsoft 365 can automatically detect and protect sensitive information — Social Security numbers, credit card numbers, medical records, financial account data — before it leaves your organization via email, Teams, or SharePoint sharing.
DLP is included in Microsoft 365 Business Premium and E3/E5 plans, but most businesses never configure it. Without DLP, there’s nothing stopping an employee from emailing a spreadsheet full of customer Social Security numbers to their personal Gmail account, whether accidentally or deliberately.
What to check: Go to compliance.microsoft.com → Data loss prevention → Policies. If no policies exist, start with Microsoft’s built-in templates for your industry — financial services, healthcare, and general personally identifiable information (PII) templates are available out of the box.
9. Are Phishing and Spam Filters Using the Advanced Threat Protection Settings?
Microsoft Defender for Office 365 (included in Business Premium and E5, available as an add-on for other plans) provides anti-phishing policies, Safe Attachments, and Safe Links — but these features require explicit configuration to be effective.
The default anti-phishing policy uses basic protections. Advanced anti-phishing policies can detect impersonation attempts, flag emails from domains that look similar to yours (typosquatting), and sandbox suspicious attachments in a virtual environment before they reach the inbox.
What to check: In security.microsoft.com → Policies & rules → Threat policies, review your anti-phishing, Safe Attachments, and Safe Links policies. Ensure impersonation protection is enabled for your executives and key partners. Enable Safe Attachments for SharePoint, OneDrive, and Teams — not just email.
10. Do You Have a Break-Glass Emergency Access Account?
A break-glass account is an emergency access account that bypasses Conditional Access policies, including MFA. It exists for a single purpose: ensuring you can always access your tenant if your normal admin accounts are locked out — by a misconfigured Conditional Access policy, an MFA outage, or a compromised admin identity.
Microsoft explicitly recommends maintaining at least two break-glass accounts. These accounts should use long, complex passwords stored in a physical safe, should not be tied to any individual’s phone or email, and should have their sign-in activity monitored with alerts.
What to check: If you don’t have at least one break-glass account, create one today. Assign it the Global Administrator role, exclude it from all Conditional Access policies, set a 50+ character password, and configure an alert that triggers whenever this account signs in.
Why Do These Settings Get Missed?
The pattern is consistent: businesses purchase Microsoft 365, migrate their email and files, and move on. The IT team — if there is one — focuses on keeping things running, not on security hardening. Microsoft’s admin portals spread security settings across at least five different consoles (Entra, Exchange, SharePoint, Compliance, Security), making comprehensive configuration genuinely difficult without a systematic approach.
This is exactly why working with a managed IT partner matters. At COMNEXIA, we perform M365 security assessments as part of our managed services and cloud solutions — auditing every tenant setting against industry benchmarks and remediating gaps before they become breaches. With 35 years of experience serving businesses across Atlanta and the Southeast, we’ve hardened hundreds of M365 environments and understand the real-world tradeoffs between security and usability.
Frequently Asked Questions
Does hardening Microsoft 365 require upgrading to a more expensive license?
Many of the settings above — MFA enforcement, blocking legacy auth, audit logging, external sharing controls, and Secure Score — are available in every Microsoft 365 Business Basic plan and above. Features like DLP and Defender for Office 365 require Business Premium, E3, or E5 licensing, but the majority of critical hardening can be done with what you already have.
How long does it take to harden a Microsoft 365 tenant?
For a typical small or mid-size business tenant, a systematic security hardening can be completed in four to eight hours. This includes auditing current settings, implementing Conditional Access policies, configuring DLP, reviewing mail flow rules, and documenting the changes. Ongoing monitoring and adjustment should be part of regular IT management.
Will enabling these security settings disrupt my employees’ workflow?
Some settings, like blocking legacy authentication, may affect employees using older email clients or devices. A proper hardening process identifies these dependencies before making changes and provides migration paths — for example, moving users from Outlook 2013 to a modern Outlook version that supports MFA. The goal is always security without unnecessary friction.
How often should Microsoft 365 security settings be reviewed?
Microsoft regularly adds new security features and changes default behaviors. We recommend a full security review at least quarterly, with continuous monitoring of Secure Score, sign-in logs, and alert policies. Major events — like adding new employees, changing business processes, or experiencing a security incident — should also trigger a review.
What is the biggest Microsoft 365 security risk for small businesses?
Account compromise through phishing remains the single biggest risk. An attacker who gains access to one employee’s mailbox can launch internal phishing attacks that bypass external email filters, access shared files, and pivot to other systems. MFA enforcement and anti-phishing policies are the two most impactful controls any business can implement.