The Most Common Microsoft 365 Security Misconfigurations


Microsoft 365 ships with enterprise-grade security tooling. The problem isn't the tools. Most of the breaches we help customers respond to come down to the same handful of settings nobody got around to fixing.

Here are the twelve we see most, with the actual fix for each. If your team can knock out half of these in a quarter, you're ahead of the average M365 tenant.

Misconfiguration            Why it matters
--------------------------  ----------------------------------------------------------
MFA not fully enforced      A stolen password is a free pass into the tenant
Too many Global Admins      Every extra admin is another way in
No Conditional Access       No rules means no real access control
Legacy auth still on        Old protocols skip MFA entirely
No data classification      Unlabeled data can't be protected, especially from Copilot
Oversharing in Teams/SP     "Anyone with the link" is how data leaks
No DLP policies             Nothing stops sensitive data from walking out
Defender not configured     Paying for protection that isn't turned on
Weak phishing protection    Email is still the front door for attackers
Audit logging off           No logs, no investigation
No incident response        Alerts without owners are noise
No ongoing tuning           Security drifts when you stop watching

1. MFA isn't enforced for everyone

Stolen credentials are still the most common way attackers get in. Without MFA, a leaked password is a free pass into the tenant. That's especially true for an admin account. Microsoft's own research says MFA blocks over 99% of account compromise attacks, which is why they've been steadily making it mandatory. Azure MFA Phase 2 enforcement kicked in October 2025 for all Azure resource management actions, and similar enforcement is coming across the rest of the stack.

Fix: require MFA for every user, no exceptions. Roll out admins first, then high-risk roles, then everyone else. Use Authenticator app or FIDO2 keys. SMS is better than nothing but it's not what you want long-term. Microsoft's security defaults cover most of this if you're starting from zero.

2. Too many Global Admins

We routinely find tenants with 15-30 Global Admins. That's 15-30 keys to the kingdom, and most aren't being used.

Fix: keep Global Admins to 2-4 accounts. Use Entra ID's role-based access control for everything else. Turn on Privileged Identity Management (PIM) so admin rights are granted just-in-time and time-boxed instead of permanent.
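A quick way to see where you stand against the 2-4 target, as an added example that is not part of the original article: it lists every permanent Global Administrator with their last sign-in using Microsoft Graph PowerShell, and assumes the Microsoft.Graph module plus an Entra ID P1/P2 license for signInActivity.

```powershell
# Added example, not from the article: inventory who holds Global Administrator
# and when they last signed in, using Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module; signInActivity needs Entra ID P1/P2.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All"

# Well-known role template ID for Global Administrator (identical in every tenant).
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $gaTemplateId

$report = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.user') {
        # The object ID (not the UPN) must be used when requesting signInActivity for one user.
        $u = Get-MgUser -UserId $m.Id -Property "userPrincipalName,accountEnabled,signInActivity"
        [pscustomobject]@{
            Principal  = $u.UserPrincipalName
            Type       = 'user'
            Enabled    = $u.AccountEnabled
            LastSignIn = $u.SignInActivity.LastSignInDateTime
        }
    } else {
        # Groups and service principals can hold the role too; they have no sign-in date.
        [pscustomobject]@{
            Principal  = $m.AdditionalProperties['displayName']
            Type       = $type -replace '^#microsoft\.graph\.', ''
            Enabled    = $null
            LastSignIn = $null
        }
    }
}

$report | Sort-Object LastSignIn | Format-Table -AutoSize

# Anything unused for 90 days is a candidate for removal or for a PIM eligible assignment.
$stale = $report | Where-Object {
    $_.Type -eq 'user' -and ($null -eq $_.LastSignIn -or $_.LastSignIn -lt (Get-Date).AddDays(-90))
}
if ($report.Count -gt 4) {
    Write-Warning "$($report.Count) permanent Global Admins (target 2-4); $($stale.Count) have not signed in for 90+ days."
}
```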

3. No Conditional Access policies

If users can sign in from anywhere, on any device, with just a password, you don't really have access control. Conditional Access is the core of a zero trust posture in M365.

Fix: build a baseline set of Conditional Access policies in Entra ID:

  • Block legacy authentication
  • Require compliant or hybrid-joined devices for corporate data
  • Require MFA for risky sign-ins (unusual location, anonymous IP, etc.)
  • Block sign-ins from countries where you don't operate

Start in report-only mode to catch the edge cases, then flip to enforce.
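Two of the baseline policies above created in report-only mode, as an added example that is not from the article: it uses Microsoft Graph PowerShell, assumes the Microsoft.Graph module and a role that can manage Conditional Access, and the policy names are placeholders. Sign-in risk conditions require Entra ID P2.

```powershell
# Added example, not from the article: create two baseline Conditional Access
# policies in report-only mode via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $Name,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [string[]]  $Controls
    )
    # Report-only: outcomes are written to the sign-in logs, nobody is blocked yet.
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = $Conditions
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Scope shared by both policies. Before enforcing, add your emergency-access
# account(s) under users.excludeUsers so a bad policy cannot lock out every admin.
$allUsersAllApps = @{
    users        = @{ includeUsers = @("All") }
    applications = @{ includeApplications = @("All") }
}

# 1. Block legacy authentication. "exchangeActiveSync" and "other" are the client
#    app types that cover IMAP, POP, basic-auth SMTP and similar older clients.
$legacy = New-ReportOnlyCaPolicy -Name "CA001 Block legacy authentication" `
    -Conditions ($allUsersAllApps + @{ clientAppTypes = @("exchangeActiveSync", "other") }) `
    -Controls @("block")

# 2. Require MFA when Identity Protection rates the sign-in medium or high risk.
$risky = New-ReportOnlyCaPolicy -Name "CA002 Require MFA for risky sign-ins" `
    -Conditions ($allUsersAllApps + @{
        clientAppTypes   = @("all")
        signInRiskLevels = @("high", "medium")
    }) `
    -Controls @("mfa")

$legacy, $risky | Select-Object DisplayName, State, Id | Format-Table -AutoSize

# Once the report-only results in the sign-in logs look clean, enforce each policy:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $legacy.Id -BodyParameter @{ state = "enabled" }
```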

4. Legacy authentication still allowed

Older protocols (IMAP, POP3, basic auth SMTP) don't support MFA. Microsoft killed basic auth for Exchange Online in late 2022, but it can still be re-enabled for SMTP, and there are tenants out there with it on.

Fix: confirm basic auth is off for all protocols. Block legacy auth via Conditional Access as belt-and-suspenders. Check sign-in logs for clients still trying. They're usually old phones or third-party mail tools that need an update.
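The checks described in this fix as an added example, not code from the article: it confirms SMTP AUTH is off at tenant and mailbox level in Exchange Online, dumps the authentication policies, and lists which clients still attempted legacy protocols in the last 30 days. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules.

```powershell
# Added example, not from the article: verify legacy/basic auth is off in Exchange
# Online and find the clients still trying to use it.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "AuditLog.Read.All"

# Tenant-wide switch for SMTP AUTH, the protocol basic auth can still be re-enabled for.
$transport = Get-TransportConfig
if (-not $transport.SmtpClientAuthenticationDisabled) {
    Write-Warning "SMTP AUTH is enabled tenant-wide."
    # Set-TransportConfig -SmtpClientAuthenticationDisabled $true   # turn it off
}

# Per-mailbox overrides can re-enable SMTP AUTH even when the tenant default is off.
# $false = explicitly enabled on the mailbox; $null = inherits the tenant setting.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# Authentication policies can block basic auth per protocol; all of these should be False.
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthSmtp, AllowBasicAuthActiveSync

# Sign-in logs: these clientAppUsed values are what the legacy protocols show up as.
$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients")
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "createdDateTime ge $since and (" +
          (($legacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join " or ") + ")"

# Group by user, protocol and app so the old phones and mail tools stand out.
Get-MgAuditLogSignIn -Filter $filter -All |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```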

5. Sensitive data isn't labeled

If documents aren't classified, you can't apply protection policies to them. This was always a problem. With Copilot reading every file in the tenant, the cost of getting it wrong has gone up.

Fix: build a sensitivity label scheme in Microsoft Purview (Public, Internal, Confidential, Restricted is a reasonable default). Use auto-labeling for obvious patterns: credit card numbers, SSNs, anything matching your data classifications. Train users to apply labels on creation.

6. Oversharing in SharePoint, Teams, and OneDrive

The "anyone with the link" default, plus thirty people on an "Everyone except external users" group, is how confidential documents end up on Google.

Fix: review tenant-wide sharing settings. Default new SharePoint sites to "people in your org" rather than "anyone." Force expiration on guest links. Run quarterly access reviews on sensitive sites. Site owners get a list of who has access and certify it.
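The tenant-level review and defaults from this fix, as an added example that is not from the article: it uses the SharePoint Online Management Shell, and "contoso" is a placeholder for your own tenant name.

```powershell
# Added example, not from the article: review and set tenant-wide sharing defaults,
# then find sites whose own settings still allow "anyone with the link".
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # contoso = placeholder

# Review first: what does the tenant default look like today?
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays

# Tenant defaults:
#  - ExternalUserSharingOnly: guests must authenticate, no anonymous "anyone" links.
#  - DefaultSharingLinkType Internal: new links default to "people in your org".
#  - DefaultLinkPermission View: new links are read-only unless the sharer changes it.
#  - Guest access expires after 60 days unless the site owner renews it.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# Site-level settings can be looser than the tenant default only up to the tenant
# limit, but sites created under the old default keep their own values. List them
# and bring them in line so the tenant change is not undone per site.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    ForEach-Object {
        "$($_.Url): $($_.SharingCapability) -> ExternalUserSharingOnly"
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal
    }
```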

7. No DLP policies

Without Data Loss Prevention rules, there's nothing stopping an employee from emailing the customer list to their Gmail.

Fix: start with the Microsoft Purview DLP templates for PII, financial data, and whatever regulated data your industry cares about. Apply them across Exchange, Teams, SharePoint, and OneDrive. Begin in audit mode to see what fires, then move to block or warn once you've cleaned up the false positives. Our step-by-step on how DLP actually works in M365 walks through the deployment in more depth.

8. Defender isn't fully configured

This is the most common pattern with E5 customers. You're paying for the full Microsoft Defender suite: Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. Half of them are sitting in default config.

Fix:

  • Onboard all endpoints to Defender for Endpoint and turn on attack surface reduction rules
  • Configure Defender for Office 365 anti-phishing and anti-spam policies (Standard or Strict preset is a fast win). If you're not sure whether you have Plan 1 or Plan 2, check your license before assuming features are available.
  • Enable Defender for Identity on your domain controllers
  • Review Microsoft Secure Score monthly. It's a free, prioritized to-do list.

9. Weak phishing and email protection

Default anti-phishing settings catch the obvious stuff. The targeted attacks (impersonation of your CEO, lookalike domains, supplier compromise) slip through. Defender for Office 365 exists for exactly this, but the protections have to be turned on and tuned.

Fix:

  • Turn on Safe Links and Safe Attachments
  • Add your executives, finance team, and HR to the impersonation protection list
  • Enable anti-spoofing
  • Run periodic phishing simulations to find which users need more training

10. Audit logging off or unmonitored

Unified Audit Logging captures user and admin activity across the tenant. If it's off, or if no one's looking at it, you have nothing to investigate with when something goes wrong.

Fix: confirm audit logging is on in Purview. Extend retention if your license allows it. Most importantly, feed the logs into a SIEM. Microsoft Sentinel works natively, but anything that ingests M365 logs is fine, as long as someone is actually watching it.
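An added example, not from the article, of the "confirm it's on" step together with a proof that records are actually flowing: it enables Unified Audit Logging if needed and pulls the last 24 hours of Entra role membership changes, which are a good first event type to route to the SIEM. It assumes the ExchangeOnlineManagement module and an admin role that can manage audit settings; the retention policy name is a placeholder.

```powershell
# Added example, not from the article: confirm Unified Audit Logging is on, turn it on
# if not, and verify ingestion by pulling recent Entra role membership changes.
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified Audit Logging is OFF. Enabling now; activity before this point was never recorded."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # It can take up to an hour before events appear, so the search below may be empty at first.
}

# Role membership changes are rare and high-value: if these show up, logging works,
# and they are the first thing worth an alert once the logs reach the SIEM.
$end   = Get-Date
$start = $end.AddHours(-24)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectory `
    -Operations "Add member to role.", "Remove member from role." `
    -ResultSize 500

foreach ($e in $events) {
    # AuditData is a JSON string; the role name is in ModifiedProperties, the target in Target.
    $d    = $e.AuditData | ConvertFrom-Json
    $role = ($d.ModifiedProperties | Where-Object Name -eq "Role.DisplayName").NewValue
    [pscustomobject]@{
        When   = $e.CreationDate
        Actor  = $d.UserId
        Action = $d.Operation
        Target = ($d.Target.ID -join "; ")
        Role   = $role
    }
}

# Longer retention (Audit Premium / E5): run in Security & Compliance PowerShell after Connect-IPPSSession.
#   New-UnifiedAuditLogRetentionPolicy -Name "Entra sign-ins 12 months" -RecordTypes AzureActiveDirectoryStsLogon -RetentionDuration TwelveMonths -Priority 1
```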

11. No incident response workflow

Alerts without owners are just noise. We see this constantly: Defender is generating real, accurate alerts about credential stuffing or malware, and they're sitting unread in a portal.

Fix: assign clear ownership for security alerts. Define a workflow for the top scenarios (compromised account, malware on endpoint, DLP violation, mass file deletion). Use automated investigation and response (AIR) in Defender for the cases that don't need a human eye. If you don't have the in-house team for this, it's the highest-leverage thing to outsource.

12. No ongoing tuning

Microsoft ships M365 security updates constantly. A tenant that was well-configured two years ago probably isn't anymore.

Fix: put a quarterly review on someone's calendar. Look at Secure Score, check new feature recommendations, review which Conditional Access policies are actually firing, and adjust based on what the logs are telling you. If that's not realistic in-house, a Microsoft 365 Tenant Assessment covers the same ground in one engagement.

The bottom line

Most M365 security work isn't about buying more licenses. It's about making the licenses you already have do their job. If you're on E3 or E5 and haven't done a configuration review in the last 12 months, you're almost certainly leaving protection on the table that you've already paid for.

Gain visibility into your tenant and uncover configuration gaps, security risks, and compliance exposures with our M365 Tenant Assessment.