Why M365 tenants end up misconfigured
Microsoft 365 is remarkably easy to set up badly. The initial setup wizard prioritises getting you working quickly over getting you working securely. IT providers rushing through a deployment, or business owners setting it up themselves, often end up with a tenant that works perfectly well day to day — but has security gaps that only become apparent after an incident.
The good news is that most of these issues are straightforward to identify and fix. Here are the settings we check first when we review a new client's Microsoft 365 tenant.
1. Security Defaults — often disabled, easy to re-enable
Security Defaults is Microsoft's baseline security configuration — a single toggle that enforces MFA for all users, blocks legacy authentication protocols, and requires MFA for privileged actions like accessing the Azure portal.
It's enabled by default on new tenants, but it gets disabled surprisingly often — sometimes because a consultant turned it off to configure Conditional Access (and never turned it back on), sometimes because a legacy application couldn't handle modern authentication, and sometimes because someone just clicked the wrong thing.
Check it in the Azure portal under Azure Active Directory → Properties → Manage Security Defaults. If it's off and you don't have Conditional Access policies in place, turn it back on.
2. Legacy authentication — the MFA bypass you didn't know about
Legacy authentication protocols — older connection methods used by older versions of Outlook, IMAP/POP mail clients, and some third-party applications — don't support modern authentication and therefore can't use MFA. An attacker with a valid username and password can connect via a legacy protocol and completely bypass your MFA requirement.
Blocking legacy authentication is one of the highest-impact security changes you can make. The main risk is that some older applications will break — so before blocking it, check your sign-in logs to see if any legacy authentication is actually being used, and by what.
In Microsoft 365 Business Premium, this is handled through Conditional Access. In lower-tier licences, enabling Security Defaults blocks most legacy authentication automatically.
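To make the sign-in log check above concrete, here is an added example (not code from the original post) that triages a batch of sign-in records in the Microsoft Graph signIn shape, as you get them from a sign-in log export or Get-MgAuditLogSignIn, and reports which users and applications are still authenticating over legacy protocols. The sample records are constructed, and the classification follows the sign-in log convention that only "Browser" and "Mobile Apps and Desktop clients" are modern-authentication client types.

```python
import json
from collections import defaultdict

# Constructed sample records in the shape of Microsoft Graph signIn objects
# (a sign-in log export from the Entra admin centre carries the same field names).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2024-05-01T08:02:11Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-01T08:05:40Z", "userPrincipalName": "alice@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-05-01T09:15:02Z", "userPrincipalName": "bob@example.com",
     "appDisplayName": "OfficeHome", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T07:44:19Z", "userPrincipalName": "scanner@example.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2024-05-02T10:00:00Z", "userPrincipalName": "carol@example.com",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
     "status": {"errorCode": 0}},
])

# Only these two clientAppUsed values go through modern authentication (and so through MFA);
# every other value (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is legacy.
MODERN_AUTH_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def is_legacy_auth(record):
    return record.get("clientAppUsed") not in MODERN_AUTH_CLIENTS


def legacy_auth_report(signins_json):
    """Return {(user, protocol, app): {"success", "failure", "last_seen"}} for legacy sign-ins.
    Successes tell you what will break when legacy auth is blocked; a run of failures
    against a legacy endpoint is worth a look on its own, since it is MFA-free password guessing."""
    report = defaultdict(lambda: {"success": 0, "failure": 0, "last_seen": ""})
    for rec in json.loads(signins_json):
        if not is_legacy_auth(rec):
            continue
        key = (rec["userPrincipalName"], rec["clientAppUsed"], rec["appDisplayName"])
        # errorCode 0 is a successful sign-in; a missing status is treated as not successful.
        outcome = "success" if rec.get("status", {}).get("errorCode", 1) == 0 else "failure"
        report[key][outcome] += 1
        report[key]["last_seen"] = max(report[key]["last_seen"], rec["createdDateTime"])
    return dict(report)


if __name__ == "__main__":
    for (user, proto, app), c in sorted(legacy_auth_report(SAMPLE_SIGNINS).items()):
        print(f"{user:<22} {proto:<20} {app:<28} ok={c['success']} failed={c['failure']} last={c['last_seen']}")
```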
3. Admin accounts without MFA
This is the highest-risk configuration we find. A Global Administrator account without MFA is essentially an open door — anyone who gets the password gets full control of your entire Microsoft 365 environment, including the ability to lock everyone else out, exfiltrate all your data, and set up persistent access.
Every admin account should have MFA enabled, full stop. Ideally, day-to-day work should be done with a standard account, and a separate admin account used only for administrative tasks. This limits the exposure if a regular account is compromised.
4. Audit logging — turned off by default on some licences
Microsoft 365 audit logging records user and admin activity across Exchange, SharePoint, OneDrive, Teams, and Azure AD. It's invaluable for investigating security incidents — but on some licence tiers it's not enabled by default.
Check whether audit logging is enabled in the Microsoft Purview compliance portal. If it's not on, turn it on now. You can't go back and retrieve logs that weren't captured — so if something happens before you enable it, you'll have nothing to investigate with.
5. External sharing in SharePoint and OneDrive
SharePoint and OneDrive's default sharing settings are often more permissive than businesses realise. "Anyone with the link" sharing means that a link forwarded outside your organisation gives the recipient full access to that file or folder — no login required.
Review your sharing settings in the SharePoint admin centre. For most businesses, the right setting is "New and existing guests" at most — requiring recipients to authenticate before accessing shared content. "Anyone" sharing should be disabled unless there's a specific business reason for it.
6. Anti-phishing and safe links policies
Microsoft Defender for Office 365 includes anti-phishing policies, safe links (which scan URLs in emails before you click them), and safe attachments (which detonate email attachments in a sandbox before delivering them). These are powerful protections — but they need to be configured, not just licensed.
If you're on Microsoft 365 Business Premium or have Defender for Office 365 as an add-on, check that your anti-phishing policies are applied to all users and that safe links and safe attachments are enabled. The default policies are a reasonable starting point, but the preset security policies ("Standard" or "Strict") are better.
Where to start
If this feels overwhelming, start with the two highest-impact items: make sure Security Defaults is enabled (or that you have equivalent Conditional Access policies), and make sure every admin account has MFA. Those two changes address the majority of the risk from most common attack types.
A full Microsoft 365 security review typically takes a few hours and gives you a complete picture of your configuration against best practice. It's a good investment before something goes wrong rather than after.
Want a Microsoft 365 security review?
We review your M365 configuration against security best practice and give you a clear, prioritised list of what to fix. Book a free call to discuss.