The Top Microsoft 365 Security Configuration Items CDSI Discovers Were Missed During Onboardings
Most organizations use Microsoft 365. Few configure it securely. We've audited hundreds of M365 environments across Phoenix. And we see the same security gaps over and over again. Some are configuration oversights. Some are things that look secure but aren't. Some are defaults nobody realized needed changing. As Microsoft Security experts, we've put together this guide to cover the five most commonly missed configurations we find during onboardings - and what each one actually costs when it fails.
If you'd rather download a full checklist to audit your environment: DOWNLOAD: MICROSOFT 365 SECURITY CHECKLIST.
1. Multi-Factor Authentication: The Biggest Gap
Here's what we see most often: organizations have MFA enabled. But only for administrators. Regular users? Passwords only. Email compromises happen constantly. A user's password gets stolen or phished. Attacker logs in as that user. No second factor. No notification. They're in.
Microsoft 365 makes MFA easy. It's built in, and basic enforcement (security defaults) costs nothing extra. Yet most organizations either don't use it or use it selectively. The biggest attacks we see aren't from sophisticated hackers. They're from credential compromise: stolen passwords, phishing, account takeover. MFA stops most of those attacks cold.
What we commonly find missing:
- MFA only required for admins, not all users. Anyone with a compromised user password gets full access to that mailbox, OneDrive and Teams.
- MFA is 'recommended' but not enforced. Users skip it, and compliance stays optional.
- Legacy (basic) authentication still allowed. Protocols such as SMTP AUTH, POP3, IMAP and older ActiveSync clients cannot prompt for a second factor, so a password alone is enough. Microsoft retired basic authentication for most Exchange Online protocols in 2022, but SMTP AUTH can still be enabled per tenant or per mailbox, so check it.
- MFA method is SMS only. SMS is vulnerable to SIM swapping and interception, and a one-time code typed into a phishing page is simply relayed to the attacker.
The fix: Enforce MFA for all users with a Conditional Access policy (or security defaults if you have no Entra ID P1 licence). Block legacy authentication. Use Microsoft Authenticator, which now requires number matching on push approvals, instead of SMS, and phishing-resistant methods such as FIDO2 keys for admins. Give users 30 days to enroll, with a registration campaign that nudges them until they do. That's a handful of configuration changes, and together they prevent the majority of email compromises.
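The following script is an added example, not part of CDSI's checklist or tooling. It finds the four gaps listed above in a tenant: users with no MFA method, users whose only methods are phone based, legacy-protocol sign-ins still happening, and SMTP AUTH still switched on. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules are installed, that the signed-in account holds Global Reader (or higher) and consents to the listed scopes, and that the tenant has Entra ID P1, which sign-in log access through Graph requires. The method-name pattern and the list of modern client names are assumptions based on what the report and sign-in log return today; adjust them if your output differs.

```powershell
# Added example, not part of CDSI's checklist. Finds the four MFA gaps listed above.
# Assumptions: Microsoft Graph PowerShell SDK and ExchangeOnlineManagement installed; the
# signed-in account holds Global Reader (or higher) and consents to the scopes below; Entra ID
# P1, which sign-in log access through Graph requires.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "AuditLog.Read.All", "User.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Registration: who has no MFA method, and who has only phone/SMS methods? ---
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$noMfa = @($registration | Where-Object { -not $_.IsMfaRegistered })
"Users with no MFA method registered: $($noMfa.Count)"
$noMfa | Select-Object UserPrincipalName, IsAdmin | Format-Table -AutoSize

# Method names come from the report (e.g. 'mobilePhone' for SMS, 'microsoftAuthenticatorPush').
# Assumed pattern: anything that is not a phone/voice method counts as strong.
$strongPattern = 'Authenticator|fido2|windowsHello|OneTimePasscode|passKey|SecureEnclave'
$phoneOnly = @($registration | Where-Object {
    $_.IsMfaRegistered -and -not (@($_.MethodsRegistered) -match $strongPattern)
})
"Users whose only MFA methods are phone/SMS based: $($phoneOnly.Count)"
$phoneOnly | Select-Object UserPrincipalName, @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

# --- 2. Legacy (basic) authentication still in use? Interactive sign-ins, last 30 days ---
# Modern clients report 'Browser' or 'Mobile Apps and Desktop clients'. Anything else is worth a
# look: 'Authenticated SMTP', 'IMAP4', 'POP3' and 'Other clients' are basic-auth protocols that
# cannot do MFA. For a large tenant narrow the window or add a userPrincipalName clause.
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') }
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# --- 3. Exchange Online: SMTP AUTH is the one basic-auth protocol Microsoft did not retire ---
$tc = Get-TransportConfig
"Tenant-wide SMTP AUTH disabled: $($tc.SmtpClientAuthenticationDisabled)"
# Mailboxes that override the tenant setting to keep SMTP AUTH on, or still allow POP/IMAP.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false -or $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled, PopEnabled, ImapEnabled |
    Format-Table -AutoSize

# Remediation, once the sign-in review shows no legitimate sender (printers, line-of-business
# apps) still depends on it:
# Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

Run the three audits before changing anything: the sign-in review in step 2 is what tells you whether a multifunction printer or a scheduled job will break when SMTP AUTH is turned off in step 3.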
2. Conditional Access Policies: The Silent Vulnerabilities
Imagine this scenario: It's 2 AM. Someone logs into email from a country your organization has never operated in. A new device. An IP address you've never seen. In most M365 environments, that login succeeds without any additional verification. The attacker gets access. You don't find out for weeks.
Conditional Access policies catch this. They say: "If someone logs in from an unusual location or device, require MFA again." Or: "If we detect risky behavior, block access entirely." These policies live in Microsoft Entra ID (formerly Azure AD). They need an Entra ID P1 licence, which Microsoft 365 Business Premium, E3 and E5 all include; risk-based policies additionally need P2 (Entra ID Protection), which E5 includes. Most organizations that already pay for them don't use them.
What we commonly find missing:
- No policy reacting to sign-in risk. Impossible travel (a sign-in from Tokyo, then New York 30 minutes later) is one of the detections Entra ID Protection raises, but nothing acts on it.
- No requirement for MFA when access comes from an unfamiliar IP address or a device that has never been seen before.
- Unmanaged devices (personal laptops, phones) allowed unrestricted access to email and Teams.
- Admin roles are held to the same policy as everyone else: nothing requires stronger, phishing-resistant MFA when a privileged role is used.
The fix: Create Conditional Access policies for risky sign-ins, unusual locations, and unmanaged devices. Entra ID Protection scores the risk; you define the response: require MFA, block access, or require a compliant device. Two practical caveats: deploy every new policy in report-only mode and read the report-only results before enforcing it, and exclude a dedicated break-glass (emergency access) account from all policies so a misconfigured policy cannot lock every admin out.
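The script below is an added example, not CDSI's tooling. It creates, in report-only mode, the four Conditional Access policies that sections 1 and 2 call for: MFA for all users, a legacy-authentication block, re-challenge on risky sign-ins, and a managed-device requirement for Office 365. It uses the Microsoft Graph PowerShell SDK and assumes Entra ID P1 (P2 for the sign-in-risk policy), an existing emergency-access account whose UPN is a placeholder below, and a signed-in user holding Conditional Access Administrator. The policy names and the `New-ReportOnlyCaPolicy` helper are this example's own.

```powershell
# Added example, not CDSI's own tooling. Creates four Conditional Access policies in report-only
# mode through the Microsoft Graph PowerShell SDK.
# Assumptions: Entra ID P1 (Conditional Access) and P2 for the sign-in-risk policy; an existing
# emergency-access account (placeholder UPN below) excluded from every policy; the signed-in
# user holds Conditional Access Administrator.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All", "User.Read.All"

$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'       # placeholder: your emergency-access account
$breakGlassId  = (Get-MgUser -UserId $breakGlassUpn).Id      # exclusions take object IDs, not UPNs

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Controls,      # built-in grant controls, e.g. 'mfa', 'block'
        [hashtable] $Conditions = @{}                     # condition keys that override the baseline
    )
    # Baseline: all users (minus break-glass), all cloud apps, all client types.
    $conditions = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    foreach ($k in $Conditions.Keys) { $conditions[$k] = $Conditions[$k] }
    $body = @{
        displayName   = $Name
        # Evaluated and logged, never enforced. Watch the report-only results for a week or
        # two, then change state to 'enabled'.
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Section 1: MFA for every user on every app.
New-ReportOnlyCaPolicy -Name 'CA01 Require MFA for all users' -Controls 'mfa'

# Section 1: block the client types that cannot do MFA at all (Exchange ActiveSync with basic
# auth, and 'other' = IMAP/POP/SMTP AUTH/older Office clients).
New-ReportOnlyCaPolicy -Name 'CA02 Block legacy authentication' -Controls 'block' `
    -Conditions @{ clientAppTypes = @('exchangeActiveSync', 'other') }

# Section 2: re-challenge medium/high sign-in risk (atypical travel, anonymous IP, unfamiliar
# sign-in properties). Requires Entra ID P2; the create call fails on a P1-only tenant.
New-ReportOnlyCaPolicy -Name 'CA03 Require MFA for risky sign-ins' -Controls 'mfa' `
    -Conditions @{ signInRiskLevels = @('high', 'medium') }

# Section 2: Office 365 (Exchange, SharePoint, Teams) only from Intune-compliant or
# hybrid-joined devices, so a personal laptop cannot sync the mailbox.
New-ReportOnlyCaPolicy -Name 'CA04 Require managed device for Office 365' `
    -Controls @('compliantDevice', 'domainJoinedDevice') `
    -Conditions @{ applications = @{ includeApplications = @('Office365') } }

Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```

Everything is created in report-only state on purpose. The report-only tab in the sign-in log shows which users each policy would have blocked or challenged; only when that list contains no surprises (service accounts, conference-room devices, the CEO's personal iPad) do you flip the state to enabled, one policy at a time.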
3. Admin Account Governance: Too Many Keys to the Kingdom
We once audited a 30-person company with 8 global administrators. Eight. That means 8 people could access every mailbox, every SharePoint site, every security setting, every user account. The receptionist had global admin because "she might need it someday." She didn't. That account was eventually compromised.
Every global administrator is a risk. Not because administrators are untrustworthy, but because if their account is compromised, attackers own the entire environment. The fix is simple: minimize admin accounts, separate admin work from daily work, and log what admins do.
What we commonly find missing:
- Too many global admins (10+ in some cases). Microsoft's own guidance is at least two and fewer than five. Each one is a potential compromise vector.
- Admins use their admin account for daily email, Teams and web browsing. One phishing email opened by that account compromises the entire environment.
- Nobody reviews admin activity. The unified audit log is on by default in current tenants, but confirm it, and because default retention is measured in months, evidence is gone if nobody looks.
- Service accounts that hold admin roles, use weak or never-rotated passwords, and are usually undocumented.
The fix: Limit global admins to 2-3 trusted people plus one break-glass account, and give everyone else the least-privileged role that fits the job (Exchange Administrator, User Administrator, Helpdesk Administrator) rather than Global Administrator. Create separate, unlicensed admin accounts so nobody reads email or browses the web as an admin. If you have Entra ID P2, use Privileged Identity Management so roles are activated just in time instead of held permanently. Enable and review audit logging so you know who made changes. This isn't about distrust. It's about compartmentalizing risk.
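The script below is an added example, not CDSI's tooling. It enumerates the Global Administrator role, flags admin accounts that look like daily-use accounts (licensed, with a mailbox), confirms the unified audit log is recording, and pulls a week of directory changes. It assumes the Microsoft Graph PowerShell SDK and ExchangeOnlineManagement modules, a Global Reader (or higher) account, and Entra ID P1 for the `SignInActivity` property; the Global Administrator role template ID is a fixed value in every tenant. The "licensed means daily-use" heuristic is this example's assumption, not a Microsoft rule.

```powershell
# Added example, not CDSI's tooling. Enumerates Global Administrators, flags the ones that look
# like daily-use accounts, and checks that the unified audit log is recording.
# Assumptions: Microsoft Graph PowerShell SDK and ExchangeOnlineManagement; a Global Reader
# (or higher) account; Entra ID P1 for the SignInActivity property.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "User.Read.All", "AuditLog.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Who holds Global Administrator? (Active assignments only; PIM-eligible ones don't show.) ---
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'     # fixed Global Administrator template ID
$gaRole  = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$admins = foreach ($m in $members) {
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
        Write-Warning "Non-user principal holds Global Administrator: $($m.Id) ($($m.AdditionalProperties['@odata.type']))"
        continue
    }
    $u = Get-MgUser -UserId $m.Id -Property UserPrincipalName, AccountEnabled, AssignedLicenses, SignInActivity
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        # Heuristic (assumption): a licensed admin account has a mailbox and is almost certainly
        # the account its owner reads email and browses with.
        LicensedDailyUse  = ($u.AssignedLicenses.Count -gt 0)
        LastSignIn        = $u.SignInActivity.LastSignInDateTime
    }
}
"Global Administrators: $(@($admins).Count). Microsoft's guidance: at least 2, fewer than 5, one of them break-glass."
$admins | Format-Table -AutoSize

# --- 2. Is the unified audit log on? (Default in current tenants, but verify.) ---
$auditCfg = Get-AdminAuditLogConfig
"Unified audit log ingestion enabled: $($auditCfg.UnifiedAuditLogIngestionEnabled)"
# If False: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   (allow ~60 min to start)

# --- 3. What changed in the directory in the last 7 days, and by whom? ---
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -ResultSize 1000 |
    Where-Object { $_.Operations -match 'member to role|Update user|Reset user password|Add user' } |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize
```

Any row in step 1 with LicensedDailyUse set to True is an admin who is also reading email as an admin; any warning about a non-user principal is a service principal or group holding the role and deserves its own review.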
4. Email Security: Phishing is Still the #1 Attack Vector
Email is how most attacks start. A user receives a message that looks legitimate. It's from their "bank," their "company," their "vendor." They click a link or open an attachment. Malware installs. Credentials get stolen. Account gets compromised.
Exchange Online Protection (EOP) is included in every tenant and catches bulk spam and known malware. Microsoft Defender for Office 365, which Business Premium includes as Plan 1 and E5 as Plan 2, adds Safe Links, Safe Attachments sandboxing and impersonation protection, and it catches most of the attacks above. Many organizations pay for it and never switch it on, or keep default policies that are more permissive than Microsoft's own Standard preset. Spam filtering gets configured once and never touched again. Sensitive data protection doesn't exist.
What we commonly find missing:
- Baseline EOP filtering only. No Safe Attachments detonation of files, no Safe Links rewriting of URLs at click time, no impersonation protection for your executives and vendor domains.
- Spam filtering either too aggressive (legitimate mail blocked) or too permissive (phishing gets through).
- No visual warning when email comes from outside the organization. Users can't tell external email from internal. Exchange Online has a built-in external sender tag, but it stays off until an admin enables it.
- No data loss prevention. Sensitive information (credit card numbers, SSNs, intellectual property) can be emailed outside the organization.
The fix: Turn on the Standard (or Strict) preset security policy, which sets EOP and Defender for Office 365 to Microsoft's recommended settings in one step, then tune spam filtering to your organization's tolerance. Enable the native external sender tag so users see when they're communicating outside the company. Set up Data Loss Prevention (DLP) for sensitive data, starting in test mode so you see what it would block before it blocks anything.
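The script below is an added example, not CDSI's checklist. It audits the four email findings above and, only when `$Apply` is set to `$true`, applies the fixes: enables the Standard preset security policy, turns on the external sender tag, and creates a DLP policy in test mode. It assumes the ExchangeOnlineManagement module, a Security Administrator account, a Defender for Office 365 licence (Plan 1 or 2), and that the preset security policies have been turned on once in the Defender portal, which is what creates the rule objects the `Enable-*ProtectionPolicyRule` cmdlets act on. The policy and rule names are this example's own, and the DLP rule parameters reflect the documented cmdlet syntax as understood here; verify them against your module version.

```powershell
# Added example, not CDSI's checklist. Audits the four email findings and, with $Apply = $true,
# applies the fixes. Assumptions: ExchangeOnlineManagement installed; Security Administrator
# account; Defender for Office 365 licence (Plan 1 or 2); preset security policies turned on
# once in the Defender portal so their rule objects exist.
$Apply = $false
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                         # Security & Compliance PowerShell, for the DLP cmdlets

# --- 1. Are Microsoft's Standard/Strict presets enabled? They set anti-spam, anti-malware,
#        anti-phish, Safe Links and Safe Attachments to recommended values in one step. ---
Get-EOPProtectionPolicyRule | Select-Object Name, State
try   { Get-ATPProtectionPolicyRule | Select-Object Name, State }
catch { Write-Warning "Defender for Office 365 cmdlets unavailable; check the tenant licence." }

# --- 2. Any Safe Links / Safe Attachments policies at all? (Count includes Built-in protection.) ---
try   { "Safe Links policies: $(@(Get-SafeLinksPolicy).Count); Safe Attachments policies: $(@(Get-SafeAttachmentPolicy).Count)" }
catch { Write-Warning "Safe Links / Safe Attachments not available in this tenant." }

# --- 3. External sender tag shown in Outlook? Off by default. ---
"External sender tag enabled: $((Get-ExternalInOutlook).Enabled)"

# --- 4. Any DLP policy covering Exchange? ---
Get-DlpCompliancePolicy | Select-Object Name, Mode, ExchangeLocation | Format-Table -AutoSize

if ($Apply) {
    # Standard preset for all recipients; Strict is the option for executives and finance.
    Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
    Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

    # Native 'External' tag on mail from outside the tenant (Outlook desktop, web and mobile).
    Set-ExternalInOutlook -Enabled $true

    # DLP: SSNs and card numbers to external recipients. Test mode first: it records what it
    # would have blocked without blocking anything; change -Mode to Enable once tuned.
    New-DlpCompliancePolicy -Name "Block PII to external recipients" -ExchangeLocation All -Mode TestWithoutNotifications
    New-DlpComplianceRule -Name "SSN or card number leaving the org" -Policy "Block PII to external recipients" `
        -ContentContainsSensitiveInformation @(
            @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
            @{ Name = "Credit Card Number"; minCount = "1" }
        ) `
        -AccessScope NotInOrganization -BlockAccess $true
}
```

Leave `$Apply` at `$false` for the first run and read the output: an empty result from step 1 means the presets have never been turned on, and the DLP policy should stay in test mode until the matches it reports are the ones you expect.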
5. SharePoint & Teams Permissions: Over-Sharing by Default
SharePoint is powerful. Teams is collaborative. But both make it easy to over-share. New tenants allow external sharing at the organization level by default, so any site owner can share outside. Add someone to a team? They can read the full history of every standard channel. Add a guest to your team? They have access to the files, channels and conversations in it, including ones you didn't realize they could see.
We've found sensitive financial documents, HR files, and legal agreements shared with external users who shouldn't have access. Not because of malice, but because the default is "share." Nobody audits permissions until something goes wrong.
What we commonly find missing:
- SharePoint sites shared broadly. 'Anyone' links let whoever holds the link, inside or outside the organization, open the file with no sign-in, and edit or download it if the link allows.
- External sharing enabled for all domains. Partners and vendors can be invited by anyone.
- Guest invitations are open. The Entra ID default lets any user, including existing guests, invite new guests with no approval step.
- No one reviews the audit trail. Sharing events are recorded in the unified audit log, but nobody checks who shared what, or who accessed what and when.
The fix: Audit SharePoint site permissions regularly. Turn off 'Anyone' links and limit external sharing to authenticated guests from specific trusted domains. Restrict guest invitations to admins and designated inviters, so a team owner's request rather than any member's click is what brings a guest in. Review the audit log for sharing events so you have a record.
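The script below is an added example, not CDSI's checklist. It audits tenant-level and per-site external sharing, Teams guest access and the Entra guest-invite setting, pulls 30 days of sharing events from the unified audit log, and, when `$Apply` is set to `$true`, applies the tightened settings. It assumes the Microsoft.Online.SharePoint.PowerShell, MicrosoftTeams, ExchangeOnlineManagement and Microsoft Graph modules; a SharePoint Administrator and Global Reader account (Global Administrator for the apply block); and that `contoso` and `partner.example` are placeholders for your tenant name and a trusted partner domain. The `Update-MgPolicyAuthorizationPolicy` call reflects the documented parameter as understood here; confirm it against your SDK version.

```powershell
# Added example, not CDSI's checklist. Audits external sharing and guest settings, then (with
# $Apply = $true) applies the tightened settings.
# Assumptions: SharePoint Online, MicrosoftTeams, ExchangeOnlineManagement and Microsoft Graph
# modules; SharePoint Administrator + Global Reader account (Global Administrator to apply);
# 'contoso' and 'partner.example' are placeholders.
$Apply = $false
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MicrosoftTeams
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Tenant-level sharing posture. 'ExternalUserAndGuestSharing' means 'Anyone' links are on. ---
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList | Format-List

# --- 2. Every site that still permits any external sharing ---
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Title, SharingCapability | Sort-Object SharingCapability | Format-Table -AutoSize

# --- 3. Who can bring guests in? 'everyone' is the Entra default and includes existing guests. ---
"Teams guest access allowed: $((Get-CsTeamsClientConfiguration).AllowGuestUser)"
"Entra guest invitations allowed from: $((Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom)"

# --- 4. Sharing activity in the last 30 days from the unified audit log: the record that
#        exists whether or not anyone reads it. ---
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations AnonymousLinkCreated, SharingSet, SharingInvitationCreated, AddedToSecureLink -ResultSize 5000 |
    Group-Object Operations | Select-Object Count, Name

if ($Apply) {
    # No 'Anyone' links; external sharing only to authenticated guests from listed domains;
    # new links default to people inside the organization.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
        -DefaultSharingLinkType Internal `
        -SharingDomainRestrictionMode AllowList `
        -SharingAllowedDomainList "partner.example"
    # Only admins and members of the Guest Inviter role may invite guests, so a team owner
    # asks a designated inviter rather than any member adding whoever they like.
    Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom adminsAndGuestInviters
}
```

Step 2 is the list to walk through with site owners before you tighten the tenant setting: a site whose sharing level drops to the new tenant maximum will silently cut off any external user who relied on an 'Anyone' link.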
So... Does This Sound Familiar?
If you're reading this and thinking "Yes, we do that" or "We're definitely missing that," you're not alone. These are the gaps we see in almost every M365 environment we audit. As a leading cybersecurity firm, we manage our clients' Microsoft 365 environments as part of our managed IT services plans.
The good news: none of these require expensive consulting or complex implementations. They're configuration changes. Things you can fix yourself if you understand what to look for. Or things CDSI can fix in a few hours.
We've created a free Microsoft 365 Security Checklist that walks you through all five areas and helps you assess your current configuration. Download it. Use it. See where you stand.
DOWNLOAD: MICROSOFT 365 SECURITY CHECKLIST
Not sure how to interpret the checklist? Not confident in your answers? CDSI offers complimentary 15-minute M365 security audits. We'll assess your actual configuration, identify gaps, and explain specifically what needs fixing.