Microsoft 365 Security: 10 Settings Most Businesses Get Wrong
Microsoft 365 is the backbone of most businesses — email, file storage, collaboration, identity. Yet most organizations run it with default security settings that leave significant gaps. Here are the 10 settings we fix on virtually every new client engagement.
1. MFA Is Not Enabled for All Users
Astonishingly, many organizations still don’t have MFA enabled for every account, even though Microsoft reports that MFA blocks over 99.9% of account compromise attacks. Enable Security Defaults at minimum: at no extra cost they force every user to register for MFA, require it for administrators and block legacy authentication. If you have Entra ID P1 (included in Business Premium and E3/E5), implement Conditional Access policies instead for granular control. The two are mutually exclusive, so Security Defaults must be switched off once your Conditional Access policies are in place; roll each policy out in report-only mode first, exclude only your break-glass accounts, and review the sign-in logs before enforcing. Prefer Microsoft Authenticator with number matching or FIDO2 security keys over SMS and voice calls, which are vulnerable to SIM swapping and real-time phishing.
2. Legacy Authentication Is Still Allowed
Legacy authentication protocols (POP3, IMAP, SMTP AUTH, older ActiveSync clients) use basic authentication, which cannot satisfy an MFA requirement, so a sprayed or stolen password is enough to get in. Microsoft turned basic authentication off for most Exchange Online protocols during 2022 and 2023, but SMTP AUTH is still available and many tenants still have it enabled, so don’t assume the problem has gone away. Block legacy authentication via Conditional Access (client apps "Exchange ActiveSync clients" and "Other clients", grant control Block) and disable SMTP AUTH at the tenant level with Set-TransportConfig -SmtpClientAuthenticationDisabled $true, re-enabling it per mailbox only for the printers, scanners and line-of-business apps that genuinely need it. Check the sign-in logs first, filtered on Client app, to identify anyone still using legacy clients, and keep the policy in report-only mode until that list is empty.
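The two Conditional Access policies from items 1 and 2, created with Microsoft Graph PowerShell and followed by the sign-in log check for legacy clients. This is an added example, not code from the original article; it assumes the Microsoft.Graph module, an Entra ID P1 licence, and a break-glass security group whose object ID you substitute for the placeholder. Both policies are created in report-only mode so nothing is enforced until you have read the report.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell,
# Entra ID P1, and a break-glass security group (placeholder ID below).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "AuditLog.Read.All", "Directory.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your break-glass group

# CA001: require MFA for every user on every cloud app. Report-only until reviewed.
$mfaPolicy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# CA002: block legacy (basic) authentication. "exchangeActiveSync" covers old
# ActiveSync clients; "other" covers POP, IMAP, SMTP AUTH and any other basic-auth client.
$legacyPolicy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $legacyPolicy

# Who still uses a legacy client? Anything that is not a browser or a modern-auth
# desktop/mobile app (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients).
# -Top 5000 is a sample of recent sign-ins; use -All for a complete picture.
Get-MgAuditLogSignIn -Top 5000 |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

When the legacy list is empty, switch each policy's state to "enabled" with Update-MgIdentityConditionalAccessPolicy. Security Defaults must be off before Conditional Access policies take effect, so turn it off only after CA001 exists, otherwise you briefly have no MFA requirement at all.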
3. External Email Forwarding Is Unrestricted
Users can create inbox rules or mailbox settings that send copies of all their email to external addresses, and attackers who compromise a mailbox routinely do exactly that for persistent, silent data exfiltration, often with a hidden rule under an innocuous name. Since 2020 the default outbound spam filter policy setting ("Automatic") blocks automatic external forwarding, but older tenants and tenants where an admin switched it to On still leak, so set it explicitly to Off; that one setting covers inbox rules, mailbox forwarding and SMTP forwarding. A mail flow rule that rejects auto-forwarded messages to external recipients is a useful second layer and can be scoped with exceptions. Before you block, inventory the forwarding that already exists and review every entry, because some of it may be an attacker’s.
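An inventory of existing external forwarding (mailbox settings and inbox rules, including hidden rules) followed by the tenant-wide block, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; everything not in your accepted domains is treated as external.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module and an Exchange Administrator role.
Connect-ExchangeOnline

$internalDomains = (Get-AcceptedDomain).DomainName

# True when an address (plain, "smtp:user@x", or the '"Name" [SMTP:user@x]' form
# that inbox rules return) points outside the tenant's accepted domains.
function Test-External([string]$address) {
    if ($address -match '@([A-Za-z0-9.-]+)') { return $internalDomains -notcontains $matches[1] }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

# 1. Mailbox-level forwarding. ForwardingSmtpAddress can be set by the user;
#    ForwardingAddress is admin-set and may point at an external mail contact.
$mailboxForwarding = $mailboxes |
    Where-Object { (Test-External $_.ForwardingSmtpAddress) -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect externally, including hidden rules,
#    which attackers create through MAPI so they never show up in Outlook.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden |
        Where-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            @($targets | Where-Object { Test-External ([string]$_) }).Count -gt 0
        } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

$mailboxForwarding | Format-Table -AutoSize
$ruleForwarding    | Format-Table -AutoSize

# 3. Block automatic external forwarding tenant-wide. "Off" covers inbox rules,
#    mailbox forwarding and SMTP forwarding; create a separate outbound spam
#    policy set to "On" only for the few senders with a documented business need.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
```

Treat every hit in the inbox-rule list as an incident until proven otherwise: check the mailbox’s sign-in history and the rule’s creation time in the unified audit log before simply deleting it.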
4. Global Admin Accounts Are Overused
Handing Global Admin to many people creates unnecessary risk: any one of those accounts being phished hands over the whole tenant, and Microsoft recommends fewer than five Global Admins in total. Best practice: two dedicated, cloud-only break-glass Global Admin accounts with phishing-resistant MFA (FIDO2 keys), excluded from Conditional Access policies, stored securely offline and alerted on at every sign-in; least-privileged, role-based admin accounts (Exchange Administrator, User Administrator, and so on) for everyone else, activated just in time through Privileged Identity Management if you have Entra ID P2. No one should use a Global Admin account for daily work or email.
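A review of who actually holds Global Administrator, with the properties that matter for the rule above (cloud-only, FIDO2 registered, not a licensed daily-driver account), as an added example that is not part of the original article. It assumes Microsoft.Graph PowerShell; the break-glass UPNs are placeholders.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph PowerShell;
# the break-glass UPNs are placeholders.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "UserAuthenticationMethod.Read.All"

$breakGlass = @("breakglass1@contoso.example", "breakglass2@contoso.example")   # placeholders

# Active (permanent) Global Administrator assignments. PIM-eligible assignments are
# not included here; list those with Get-MgRoleManagementDirectoryRoleEligibilitySchedule.
$gaRole  = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$report = foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users are assessed.
    $user = Get-MgUser -UserId $m.Id -ErrorAction SilentlyContinue `
        -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled, AssignedLicenses
    if (-not $user) { continue }

    $methods = (Get-MgUserAuthenticationMethod -UserId $user.Id).AdditionalProperties.'@odata.type'
    [pscustomobject]@{
        UPN        = $user.UserPrincipalName
        BreakGlass = $breakGlass -contains $user.UserPrincipalName
        Enabled    = $user.AccountEnabled
        Synced     = [bool]$user.OnPremisesSyncEnabled   # break-glass must be cloud-only
        Licensed   = $user.AssignedLicenses.Count -gt 0  # a mailbox suggests daily use
        Fido2      = $methods -contains '#microsoft.graph.fido2AuthenticationMethod'
        Methods    = ($methods -replace '#microsoft.graph.', '' -replace 'AuthenticationMethod', '') -join ','
    }
}

$report | Format-Table -AutoSize
"Global Admins: $($report.Count) (target: 2 break-glass plus as few named admins as possible, under 5 total)"
if ($report | Where-Object { -not $_.BreakGlass -and -not $_.Fido2 }) {
    Write-Warning "Global Admins other than break-glass without a FIDO2 key; review their MFA methods."
}
```

A synced (on-premises) account in this list is a finding on its own: a domain compromise on-premises would then also be a tenant compromise.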
5. Audit Logging Isn’t Configured Properly
The Unified Audit Log is on by default in most tenants, but confirm it (Get-AdminAuditLogConfig in Exchange Online PowerShell) because it can be switched off, and the retention period is only 180 days on Audit (Standard), which is what E3 and Business Premium include. For security investigations and compliance, extend retention to at least one year; that needs Audit (Premium) (E5 or the add-on) plus an audit retention policy, or the 10-year retention add-on. If you don’t have that licensing, ship the log to a SIEM (Microsoft Sentinel or whatever you run) so an intrusion discovered after six months can still be reconstructed. Enable mailbox audit logging explicitly on every mailbox for detailed email activity tracking: it is "on by default", but for mailboxes without an E5 or Audit (Premium) licence the events don’t appear in audit log search until auditing is enabled on the mailbox itself.
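The audit checks and fixes described above in Exchange Online and Security & Compliance PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module with Exchange and compliance admin roles; the retention policy in the last step assumes Audit (Premium) licensing.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module with Exchange and compliance admin roles; step 4 needs Audit (Premium).
Connect-ExchangeOnline

# 1. Unified audit log ingestion and organization-level mailbox auditing must be on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Mailbox auditing on every user and shared mailbox, with the per-mailbox log
#    kept for 180 days (the default is 90). Explicit enablement is what makes the
#    events searchable for mailboxes without an E5/Audit (Premium) licence.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00"
    }

# 3. Bypass associations silence auditing for an account's actions. An attacker
#    with admin rights can set one, so anything listed here needs a justification.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 4. Audit (Premium) only: keep a year of the record types that matter most for
#    incident response. Without the licence, export the log to a SIEM instead.
Connect-IPPSSession
New-UnifiedAuditLogRetentionPolicy -Name "Security records - 12 months" `
    -Description "Retain identity, Exchange and SharePoint audit records for one year" `
    -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon, ExchangeAdmin, ExchangeItem, SharePointFileOperation `
    -RetentionDuration TwelveMonths -Priority 1
```

Step 2 runs one Set-Mailbox per mailbox and is slow in large tenants; schedule it, and re-run it periodically because new mailboxes inherit the default, not your explicit setting.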
6. External Sharing in SharePoint/OneDrive Is Wide Open
The tenant default for SharePoint and OneDrive is "Anyone", so every user can create anonymous links that work for whoever holds them, never expire, and leave no record of who actually opened the file. Restrict external sharing to authenticated guests at minimum (new and existing guests), make "Specific people" with view permission the default link type so that nobody shares more widely by accident, and set guest access to expire after a period of inactivity. Disable anonymous links entirely; if a business process genuinely depends on them, force them to expire within 30 days and make them view-only. Then check individual sites, because site-level settings that were looser than the new tenant setting should be brought in line rather than left to be silently capped.
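The sharing settings above, checked and then tightened with the SharePoint Online Management Shell, as an added example that is not part of the original article. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator role; the admin URL and the 60-day guest expiry are placeholders.

```powershell
# Added example, not from the original article. Assumes the SharePoint Online
# Management Shell and a SharePoint Administrator role; URL and day counts are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current state. ExternalUserAndGuestSharing means "Anyone" links are allowed (the default).
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType,
    ExternalUserExpirationRequired, ExternalUserExpireInDays

# Tighten: authenticated guests only (no anonymous links), "Specific people" view-only
# links by default, and guest access that expires after 60 days without use.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# If anonymous links must stay on for a specific process, use this instead of the
# SharingCapability line above: 30-day expiry and view-only for files and folders.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -RequireAnonymousLinksExpireInDays 30 `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Sites that were configured for anonymous sharing keep that setting even though the
# tenant now caps it; list them and set them explicitly so the configuration is honest.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    ForEach-Object {
        "$($_.Url) : $($_.SharingCapability)"
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
    }
```

Get-SPOSite without -IncludePersonalSite does not return OneDrive sites; run it again with -IncludePersonalSite $true if you also want to enumerate personal sites.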
7. Data Loss Prevention Policies Don’t Exist
DLP policies detect and block sensitive data (credit card numbers, SSNs, medical records) being emailed or shared outside the organization, show the user a policy tip explaining why, and generate an incident report for the security team. Most organizations have no DLP policies configured even though Microsoft 365 E3 and Business Premium include DLP for Exchange, SharePoint, OneDrive and Teams (Endpoint DLP for files on devices needs E5 or the compliance add-on). Start with Microsoft’s built-in sensitive information types, run the policy in test mode with notifications for a few weeks to tune false positives, then switch it to enforce.
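A first DLP policy of the kind described above, created in test mode with Security & Compliance PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and a Compliance Administrator role; the policy and rule names are placeholders.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module and a Compliance Administrator role; names are placeholders.
Connect-IPPSSession

$policyName = "Financial and PII - external sharing"

# Cover all four workloads. TestWithNotifications reports matches and shows policy
# tips to users without blocking anything; switch to -Mode Enable after tuning.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Built-in sensitive information types; minCount 1 fires on a single match, so
# expect some noise from test data and tune the count or add exceptions later.
New-DlpComplianceRule -Name "Block external share of card or SSN data" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";                 minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)";  minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity `
    -ReportSeverityLevel High

# Confirm the policy exists in test mode before walking away.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Enabled
Get-DlpComplianceRule -Policy $policyName  | Select-Object Name, BlockAccess, AccessScope
```

Review the DLP reports in the Purview portal after a couple of weeks; the usual adjustments are a higher minCount for bulk documents and exceptions for the finance mailbox that legitimately sends card data to the payment processor.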
8. Mobile Device Management Is Not Enforced
Employees access company email on personal phones without any device management, so a lost phone, or a malicious app on it, has the same access to corporate mail and files as the user. At minimum, configure Basic Mobility and Security (included with most plans) or Intune (included in Business Premium and E3/E5) to require device enrollment, enforce a PIN and encryption, and enable remote wipe for lost devices. Where staff won’t enroll personal devices, use Intune app protection policies instead: they protect data inside Outlook, Teams and the Office apps without enrolling the device, and a Conditional Access policy can then require either a compliant device or an approved app with an app protection policy before mail is served.
9. Safe Attachments and Safe Links Are Disabled
Microsoft Defender for Office 365 (Plan 1 is included in Business Premium; Plan 1 or 2 is an add-on for E3, and Plan 2 is included in E5) includes Safe Attachments (sandbox detonation of attachments) and Safe Links (URL rewriting and scanning at click time). The Built-in protection preset has applied a baseline of both to all recipients since late 2021, but it is the lowest-priority policy with the least strict settings and is overridden for any user matched by a custom policy, so tenants with old, half-configured policies still have gaps. Apply the Standard or Strict preset security policy to all users, or create explicit policies that cover every accepted domain, and use the configuration analyzer in the Defender portal to confirm nothing is weaker than the Standard baseline.
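Explicit Safe Attachments and Safe Links policies applied to every accepted domain, as an added example that is not part of the original article. It assumes a Defender for Office 365 licence (Plan 1 or 2), the ExchangeOnlineManagement module and a Security Administrator role; the policy names are placeholders.

```powershell
# Added example, not from the original article. Assumes Defender for Office 365,
# the ExchangeOnlineManagement module and a Security Administrator role.
Connect-ExchangeOnline

$domains = (Get-AcceptedDomain).DomainName

# Safe Attachments: detonate attachments in the sandbox. DynamicDelivery delivers the
# message body immediately with a placeholder while the scan runs, then reattaches
# clean files; anything malicious goes to a quarantine only admins can release.
New-SafeAttachmentPolicy -Name "SA - All users" `
    -Enable $true -Action DynamicDelivery -QuarantineTag AdminOnlyAccessPolicy
New-SafeAttachmentRule -Name "SA - All users" -SafeAttachmentPolicy "SA - All users" `
    -RecipientDomainIs $domains -Priority 0

# Safe Links: rewrite and scan URLs in mail, Teams and Office apps at click time,
# scan links before delivery, and do not let users click through the warning page.
New-SafeLinksPolicy -Name "SL - All users" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -AllowClickThrough $false -TrackClicks $true -EnableForInternalSenders $true
New-SafeLinksRule -Name "SL - All users" -SafeLinksPolicy "SL - All users" `
    -RecipientDomainIs $domains -Priority 0

# Verify: both rules enabled and covering every accepted domain.
Get-SafeAttachmentRule | Select-Object Name, State, Priority, RecipientDomainIs
Get-SafeLinksRule      | Select-Object Name, State, Priority, RecipientDomainIs
```

EnableForInternalSenders matters more than it looks: once one mailbox is compromised, the phishing that spreads from it is internal mail, and a policy that only scans external senders will wave it through.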
10. No Alerts for Suspicious Activity
Microsoft 365 can alert you to impossible travel sign-ins, mass file downloads, new forwarding rules and privilege escalation, but an alert only helps if someone receives it. Many alert policies ship enabled by default (creation of forwarding or redirect rules, suspicious email sending patterns, elevation of Exchange admin privilege, unusual volumes of file deletion); the common gap is that no recipient is configured, so they accumulate in a portal nobody opens. Others depend on licensing: impossible travel and the other risk detections come from Entra ID Protection (P2), and mass download alerts from Defender for Cloud Apps. Review the alert policies, add your security team as the recipient on the critical ones, create custom activity alerts for the events you care about (role assignments, Conditional Access changes, mailbox permission grants), and route them into your ticketing system or SIEM so they are actually triaged.
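The alert review described above in Security & Compliance PowerShell, as an added example that is not part of the original article: list what already exists, point the critical built-in policies at the security team, and add one custom activity alert. It assumes the ExchangeOnlineManagement module (Connect-IPPSSession) and a Security Administrator role; the recipient address is a placeholder, and the -Operation value used for the custom alert is an assumption you should verify against the Activity list in the alert policy wizard (or the Operation property of an existing system rule) before relying on it.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module and a Security Administrator role; the recipient is a placeholder.
Connect-IPPSSession

$secTeam = "secops@contoso.example"   # placeholder

# What exists today, and whether anyone is notified. Many rows will be system
# rules that are enabled but have an empty NotifyUser.
Get-ProtectionAlert |
    Select-Object Name, Category, Severity, Disabled, NotifyUser, IsSystemRule |
    Sort-Object Category, Name | Format-Table -AutoSize

# Route the built-in policies that matter most to the security team. System rules
# cannot be renamed or deleted, but the recipient and enabled state can be changed
# (some licence-gated policies will not be present; those are skipped).
$critical = @(
    "Creation of forwarding/redirect rule",
    "Elevation of Exchange admin privilege",
    "Suspicious email sending patterns",
    "Unusual external user file activity",
    "Malware campaign detected after delivery"
)
foreach ($name in $critical) {
    if (Get-ProtectionAlert -Identity $name -ErrorAction SilentlyContinue) {
        Set-ProtectionAlert -Identity $name -NotifyUser $secTeam -Disabled $false
    }
}

# Custom activity alert: fire on every directory role assignment, which is how an
# attacker with a single admin account makes themselves persistent. The operation
# name is assumed; confirm it against the wizard's Activity list before use.
New-ProtectionAlert -Name "Directory role membership changed" `
    -Category AccessGovernance -Severity High `
    -ThreatType Activity -Operation "Add member to role." `
    -AggregationType None -NotifyUser $secTeam `
    -Description "A user was added to an Entra ID directory role. Verify with the change record."
```

Whatever receives these mails should be a monitored queue or a SIEM ingestion address, not an individual’s inbox; an alert that lands while the only recipient is on holiday is the same as no alert.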
Fix These Today
CLIMB IT Solutions provides Microsoft 365 security assessments that identify and remediate these gaps. Book a free M365 security review and we’ll audit your tenant configuration against security best practices.
