Your M365 Tenant Has More Exposure Than You Think
Published: March 24, 2026
Most small and mid-sized businesses running Microsoft 365 believe they’re reasonably well protected. They’re paying for the licences, they’ve got MFA turned on (probably), and their IT provider or MSP set it all up. What more is there to do?
Quite a lot, as it turns out. When I audit an M365 tenant — and I’ve audited more than I can count — I consistently find the same set of misconfigurations and over-permissions. Not because anyone did anything wrong, but because the defaults Microsoft ships aren’t designed for your security posture. They’re designed for onboarding speed.
Here’s what I typically find.
Legacy Authentication Is Still Enabled
This is the single most common finding, and it’s the one that matters most. Legacy authentication protocols — Basic Auth, SMTP AUTH, IMAP, POP3 — don’t support modern multi-factor authentication. If they’re enabled, an attacker who gets hold of a username and password can authenticate without needing to pass MFA at all.
Microsoft has been moving to block legacy auth for years, but many tenants still have it partially or fully enabled — often because someone needed it for an old application or printer, and nobody ever turned it off again.
The fix is to create Conditional Access policies that block legacy authentication across the board, with explicit exceptions only where you have a genuine and documented business need.
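An added example (not from the original post) of how I approach that in practice with the Microsoft Graph PowerShell module: first pull 30 days of sign-ins to see who is still using legacy protocols, then create the block policy in report-only mode so the sign-in log tells you what it would have stopped before you flip it to enforced. The exclusion group name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Group.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Entra ID reports these two clientAppUsed values for modern auth; anything else
# (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients, ...) is legacy.
$modern = @("Browser", "Mobile Apps and Desktop clients")
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("o")

$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern }

# One row per user/protocol: this is your candidate exception list, each entry
# to be either justified and documented or fixed at the source (app, printer, scanner).
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, @{n = "User"; e = { $_.Values[0] }}, @{n = "Protocol"; e = { $_.Values[1] }} |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Documented exceptions live in one group (placeholder name) that the policy excludes.
$exceptions = Get-MgGroup -Filter "displayName eq 'CA-Exclude-LegacyAuth'"

$policy = @{
    displayName   = "Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"   # change to "enabled" once the report-only log is clean
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($exceptions.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")  # the two legacy client types Conditional Access can target
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave it in report-only for a week or two, re-run the first half, and only then switch the state to enabled.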
Too Many Global Admins
Almost every tenant I audit has more Global Administrators than it should. In some cases I’ve seen five or six people with Global Admin — in a company of 40 people.
Global Admin is the highest privilege level in a Microsoft 365 tenant. Anyone with it can create accounts, access all data, modify security settings, and disable MFA. It should be used sparingly, with dedicated admin accounts (not day-to-day user accounts), and protected with phishing-resistant MFA.
The principle of least privilege applies here. Most people who are Global Admins don’t need to be. Exchange Administrator, User Administrator, and Security Reader roles cover 90% of what people actually need to do.
MFA Is On, But Not Enforced Everywhere
MFA adoption in SMEs has improved significantly. But “MFA is enabled” and “MFA is enforced” are different things.
In many tenants, MFA is configured via the legacy Per-User MFA panel rather than Conditional Access. This approach has gaps — it doesn’t cover service accounts, doesn’t handle different risk levels, and gives users the option to skip registration. I’ve seen tenants where MFA is “enabled” for all users but 20% of them have never actually registered a method.
Conditional Access gives you proper control: require MFA for all users, all apps, with no exceptions except explicit break-glass accounts. If you’re on Microsoft 365 Business Premium, you have the licences for it. Most businesses aren’t using them properly.
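The two findings above (too many Global Admins, and MFA enabled but not registered) come out of the same data, so here is one added script (not from the original post) that lists every Global Administrator with their MFA registration state and then measures tenant-wide registration coverage. It assumes the Microsoft.Graph PowerShell module.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Registration details report: one row per user with IsMfaRegistered and MethodsRegistered.
$reg = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $reg[$_.Id] = $_ }

# Global Administrator is always an activated directory role, so this lookup always returns it.
$ga      = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $ga.Id -All

$admins = foreach ($m in $members) {
    $r = $reg[$m.Id]
    [pscustomobject]@{
        UPN           = $m.AdditionalProperties.userPrincipalName
        Type          = $m.AdditionalProperties.'@odata.type' -replace '#microsoft.graph.', ''
        MfaRegistered = $r.IsMfaRegistered
        Methods       = ($r.MethodsRegistered -join ',')   # look for fido2 / microsoftAuthenticatorPasswordless, not just sms
    }
}
# Microsoft's own guidance is at least two and fewer than five, cloud-only dedicated accounts.
"Global Administrators: $($admins.Count)"
$admins | Format-Table -AutoSize

# Tenant-wide gap: "enabled" is not "registered". Guests are excluded from the percentage.
$users        = $reg.Values | Where-Object { $_.UserType -eq 'member' }
$unregistered = $users | Where-Object { -not $_.IsMfaRegistered }
"{0} of {1} member users ({2:P0}) have never registered an MFA method" -f `
    $unregistered.Count, $users.Count, ($unregistered.Count / [math]::Max(1, $users.Count))
$unregistered | Select-Object UserPrincipalName, LastUpdatedDateTime | Format-Table
```

A Global Admin whose UPN is also someone's everyday mailbox, or whose only registered method is SMS, is a finding on its own.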
External Sharing Is Wide Open
SharePoint and OneDrive external sharing defaults are permissive. In a default or lightly configured tenant, users can share files externally with anyone, with no expiry, no notification to IT, and no audit trail in a place anyone looks at.
I’ve found tenants where sensitive commercial documents — contracts, financials, client data — had been shared externally via “anyone with the link” and had been sitting that way for two or three years. Nobody knew.
The fix is to review and restrict your SharePoint sharing settings at tenant level, enable sharing expiry for external links, and configure alerts for broad external sharing events.
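An added example (not from the original post) using the SharePoint Online management module: dump the tenant-level settings that matter, apply a tighter baseline, and list any sites that still sit above the tenant default. "contoso" is a placeholder tenant name.

```powershell
# Added example, not from the original post. Assumes Microsoft.Online.SharePoint.PowerShell.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current state. The commented values are the ones that produce "anyone with the link, forever".
$t = Get-SPOTenant
[pscustomobject]@{
    SharingCapability                 = $t.SharingCapability                  # ExternalUserAndGuestSharing = "Anyone" links allowed
    DefaultSharingLinkType            = $t.DefaultSharingLinkType             # AnonymousAccess = new links are "anyone" by default
    RequireAnonymousLinksExpireInDays = $t.RequireAnonymousLinksExpireInDays  # -1 = never expire
    FileAnonymousLinkType             = $t.FileAnonymousLinkType              # Edit = anonymous users can edit
    NotifyOwnersWhenItemsReshared     = $t.NotifyOwnersWhenItemsReshared
    ExternalUserExpirationRequired    = $t.ExternalUserExpirationRequired
}

# Tighter baseline: new links default to "specific people", any "anyone" links that remain
# are view-only and expire, and guest access itself times out unless renewed.
Set-SPOTenant -DefaultSharingLinkType Direct `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View `
              -NotifyOwnersWhenItemsReshared $true `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# If nobody can show a business need for "anyone" links at all, remove them entirely:
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Sites can be more permissive than the tenant only if the tenant allows it; list the ones that are.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```

Existing "anyone" links created before the change are not revoked by it; the audit-log search further down is how you find those.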
Email Security Is Incomplete
SPF is usually configured — it’s been standard practice for long enough that most tenants have it. DKIM and DMARC are a different story.
Without DKIM signing, emails from your domain can be spoofed with a reasonable success rate. Without a DMARC policy at enforcement (p=reject or p=quarantine), you have no mechanism to prevent or monitor spoofing of your domain. Most tenants I audit have DMARC either missing entirely, or set to p=none — monitoring only, no protection.
For a business of any size, a properly configured email authentication stack (SPF + DKIM + DMARC at enforcement) is non-negotiable. It’s not complex to implement, and the protection it provides against phishing and impersonation is significant.
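An added example (not from the original post) that grades every accepted domain in the tenant: SPF via DNS, DKIM via Exchange Online, and DMARC by parsing the record's tags rather than just checking that one exists. It assumes the ExchangeOnlineManagement module and Windows' Resolve-DnsName.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement and Resolve-DnsName.
Connect-ExchangeOnline

function Get-TxtRecord([string]$Name) {
    try { Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop | ForEach-Object { $_.Strings -join '' } }
    catch { @() }
}

function Test-EmailAuth([string]$Domain) {
    $spf   = Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
    $dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $dkim  = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue

    # DMARC is "tag=value" pairs separated by ';'. p= is the policy for the domain, sp= for
    # subdomains (defaults to p), pct= the share of mail it applies to (defaults to 100).
    $tags = @{}
    if ($dmarc) {
        foreach ($kv in $dmarc -split ';') {
            $parts = $kv.Trim() -split '=', 2
            if ($parts.Count -eq 2) { $tags[$parts[0].Trim()] = $parts[1].Trim() }
        }
    }
    $p   = $tags['p']
    $sp  = if ($tags['sp']) { $tags['sp'] } else { $p }
    $pct = if ($tags['pct']) { [int]$tags['pct'] } else { 100 }
    # "At enforcement" means quarantine/reject for the domain AND its subdomains, on 100% of mail.
    $enforced = ($p -in 'quarantine', 'reject') -and ($sp -in 'quarantine', 'reject') -and ($pct -eq 100)

    [pscustomobject]@{
        Domain        = $Domain
        SPF           = if (-not $spf) { 'MISSING' }
                        elseif ($spf -match '\s-all$') { 'hard fail' }
                        elseif ($spf -match '\s~all$') { 'soft fail' }
                        else { 'weak (' + ($spf -replace '.*\s', '') + ')' }
        DKIM          = if ($dkim -and $dkim.Enabled) { 'enabled' } else { 'NOT ENABLED' }
        DMARC         = if ($dmarc) { "p=$p sp=$sp pct=$pct" } else { 'MISSING' }
        DMARCEnforced = $enforced
        RUA           = $tags['rua']   # empty = nobody is receiving the aggregate reports
    }
}

# The *.onmicrosoft.com domain is signed by Microsoft; the customer domains are what matter.
Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' } |
    ForEach-Object { Test-EmailAuth $_.DomainName } | Format-Table -AutoSize
```

A domain that shows DKIM "enabled" but DMARC at p=none is the most common result; the record is there, it just isn't protecting anything yet.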
Audit Logging Isn’t Turned On Properly
M365 has a unified audit log that captures sign-in events, admin actions, file access, mail forwarding rules, and much more. It’s invaluable when you’re investigating an incident — or trying to demonstrate compliance.
In many tenants it’s not enabled, or it’s enabled but the retention period is set to 90 days (the default for most licence types). If you need to investigate something that happened four months ago, that’s a problem.
Check that unified audit logging is enabled, review your retention settings, and make sure you have alerts configured for high-risk events: impossible travel sign-ins, mass download events, new mail forwarding rules.
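An added example (not from the original post) of the checks I actually run here with the ExchangeOnlineManagement module: confirm the unified audit log is ingesting, hunt the last 90 days for the two events that most often matter (forwarding rules, and "anyone" links from the sharing section above), and then check the current state of forwarding directly, because that part does not depend on log retention.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    "Unified audit log is OFF - enabling it (it can take hours before events start to appear)"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$start = (Get-Date).AddDays(-90); $end = Get-Date

# Forwarding configured through inbox rules or mailbox settings: the classic post-compromise persistence.
$fwdParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'ForwardingSmtpAddress', 'DeliverToMailboxAndForward'
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
        -Operations New-InboxRule, Set-InboxRule, Set-Mailbox |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        $hits = $d.Parameters | Where-Object { $_.Name -in $fwdParams }
        if ($hits) {
            [pscustomobject]@{
                When = $d.CreationTime; Who = $d.UserId; Op = $d.Operation; IP = $d.ClientIP
                Set  = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            }
        }
    } | Format-Table -AutoSize

# "Anyone" links created in SharePoint/OneDrive during the window.
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 -Operations AnonymousLinkCreated |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, SiteUrl, ObjectId | Format-Table -AutoSize

# Current state, independent of retention: mailbox-level forwarding and forwarding inbox rules that exist now.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
$mailboxes | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

If the log only goes back 90 days and the rule you find was created before that, the second half is the only evidence you have, which is the retention point made above.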
What to Do With This
None of this is exotic. These are all configurations within the Microsoft 365 Admin Center and the Security portal — no additional tooling required. But they take time to work through properly, and they require someone who knows what they’re looking at.
If you want to know exactly where your tenant stands, I run a structured M365 security audit that covers all of the above and more, with a prioritised findings report. It typically takes half a day and gives you a clear picture of your exposure.