Default does not mean secure. Most tenants have significant gaps.
Microsoft 365 ships with sensible defaults, but “sensible” is not the same as “secure.” Every week, we audit Microsoft 365 environments for organisations of all sizes, and the same configuration gaps appear over and over again. These are not obscure edge cases. They are fundamental settings that attackers actively exploit, and most of them can be fixed in under an hour.
This guide covers the ten most commonly missed security settings we encounter during tenant reviews. We have grouped them by function: identity and access controls, email security, and data and application protections. Each setting includes context on why it matters and practical guidance on what to change. Most require Global Administrator or Security Administrator access to your Microsoft 365 tenant.
If you recognise even two or three of these gaps in your own environment, you are not alone. The important thing is to address them systematically, starting with the controls that have the greatest impact on your risk posture.

Identity and access controls
Identity is the new perimeter. The majority of successful breaches against Microsoft 365 tenants begin with a compromised identity, whether through phishing, credential stuffing, or exploiting legacy protocols that bypass modern authentication. These three settings form the foundation of a secure tenant. Without them, everything else you build is undermined.
Security Defaults or Conditional Access
Security Defaults enforce MFA for all users and block legacy authentication in a single toggle. They are the fastest way to close two of the most exploited gaps in any Microsoft 365 tenant. The problem is that many organisations disabled Security Defaults during a migration or troubleshooting exercise and never turned them back on. Without Conditional Access policies standing in as a replacement, those tenants are running with no baseline identity protection at all. If you have Azure AD P1 or Microsoft 365 Business Premium, Conditional Access gives you granular control: you can scope policies by user group, device platform, risk level, and location. If you do not have those licences, Security Defaults cost nothing and should be enabled today.
MFA for all administrator accounts
Administrator accounts are the highest-value targets in your tenant. A compromised Global Admin can disable every other security control, export data, create backdoor accounts, and cover their tracks. Despite this, we routinely find admin accounts without multi-factor authentication because they are considered emergency-only or because MFA felt inconvenient during initial setup. Every admin account needs MFA enforced, no exceptions. For Global Admins specifically, consider phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business. These cannot be intercepted by adversary-in-the-middle attacks the way SMS or push-notification MFA can.
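A quick way to find the admin accounts the paragraph above describes is to pull the Global Administrator role membership and look at each member's registered authentication methods. This is an added example written for this article, not code from the original, and it assumes the Microsoft Graph PowerShell SDK with the Graph scopes shown.

```powershell
# Added example (not from the original article): report which Global Administrators have
# no second factor registered and which have a phishing-resistant one.
# Assumes the Microsoft Graph PowerShell SDK and an account that can consent to these scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All"

# Active role members only; PIM-eligible assignments that are not activated will not appear here
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

# Method types that count as a second factor, and the subset that adversary-in-the-middle
# phishing cannot replay (FIDO2 keys and Windows Hello for Business)
$mfaTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

$report = foreach ($m in $members) {
    $types = Get-MgUserAuthenticationMethod -UserId $m.Id |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    [pscustomobject]@{
        User              = $m.AdditionalProperties['userPrincipalName']
        HasMfa            = [bool]($types | Where-Object { $_ -in $mfaTypes })
        PhishingResistant = [bool]($types | Where-Object { $_ -in $phishingResistant })
        Methods           = ($types -replace '#microsoft.graph.|AuthenticationMethod', '') -join ','
    }
}

# Accounts with no MFA sort to the top; those are the ones to fix before anything else
$report | Sort-Object HasMfa, PhishingResistant | Format-Table -AutoSize
```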
Block legacy authentication protocols
Legacy protocols such as POP3, IMAP, and basic SMTP authentication do not support modern authentication or MFA. Attackers know this and actively target these endpoints because they bypass every conditional access policy you have built. A single service account still configured for basic auth is enough to give an attacker a foothold. Creating a Conditional Access policy to block legacy authentication is straightforward but should be tested in report-only mode first. This lets you identify any line-of-business applications or devices that still rely on these protocols so you can migrate them to modern authentication before enforcement.
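The report-only Conditional Access policy described above, together with the Security Defaults fallback from the earlier section, as an added example (not code from the original article). It assumes the Microsoft Graph PowerShell SDK; the break-glass account name is a placeholder.

```powershell
# Added example (not from the original article): block legacy authentication with a
# Conditional Access policy created in report-only mode. Assumes the Microsoft Graph
# PowerShell SDK; the break-glass UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Security Defaults and Conditional Access are mutually exclusive. Without a P1 licence,
# the one-line fix is to turn Security Defaults back on and stop here:
#   Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled $true
if ((Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled) {
    Write-Warning "Security Defaults are on and already block legacy auth; disable them only when this policy replaces them."
    return
}

# Exclude one emergency-access account so a bad policy cannot lock every admin out
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"
if (-not $breakGlass) { throw "Break-glass account not found; do not create a tenant-wide block without one." }

$policy = @{
    displayName = "Block legacy authentication"
    # Report-only: the sign-in log shows what would have been blocked, nothing is enforced yet
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # "other" covers POP3, IMAP, SMTP AUTH and older Office clients; EAS is listed separately
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Review the report-only results in the sign-in logs (Conditional Access tab), migrate any
# line-of-business clients still using basic auth, then enforce:
#   Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State enabled
```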
“The settings themselves are not complicated. What catches organisations out is not knowing they were misconfigured in the first place. A tenant that was set up three years ago and never reviewed is almost certainly running with gaps that attackers already know how to exploit.”


Email security
Email remains the primary attack vector for most organisations. Phishing, impersonation, malware delivery, and data exfiltration all run through the inbox. Microsoft 365 provides the tools to address each of these risks, but they require deliberate configuration. The four settings in this section cover inbound protection, outbound controls, domain authentication, and attachment scanning.
External email tagging
One of the simplest and most effective defences against impersonation attacks is a visible indicator that an email originated outside your organisation. Without it, a carefully crafted email from a lookalike domain can appear indistinguishable from an internal message. A mail flow rule in Exchange that prepends [EXTERNAL] to the subject line or inserts a warning banner at the top of the message body gives every recipient an immediate visual cue. This takes minutes to configure and costs nothing. It will not stop every phishing attempt, but it dramatically reduces the success rate of impersonation campaigns where attackers pretend to be internal colleagues or executives.
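The mail flow rule described above, written out as an added example rather than code from the original article. It assumes the ExchangeOnlineManagement module; the rule name and banner wording are placeholders.

```powershell
# Added example (not from the original article): tag inbound external mail with a subject
# prefix and an HTML banner, and switch on Outlook's own External label as well.
# Assumes the ExchangeOnlineManagement module; rule name and banner text are placeholders.
Connect-ExchangeOnline

$banner = '<p style="background:#fff3cd;border:1px solid #ffeeba;padding:6px;">' +
          'CAUTION: This email came from outside the organisation. ' +
          'Do not click links or open attachments unless you recognise the sender.</p>'

New-TransportRule -Name "Tag external email" `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject "[EXTERNAL] " `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -ExceptIfSubjectContainsWords "[EXTERNAL]" `
    -Priority 0
# The exception stops replies in an existing thread collecting a second "[EXTERNAL]" prefix.

# Outlook desktop, web and mobile can also show a built-in External tag with no rule at all
Set-ExternalInOutlook -Enabled $true

# Verify the rule landed first in the rule order and is enabled
Get-TransportRule -Identity "Tag external email" |
    Format-List Name, State, Priority, FromScope, SentToScope, PrependSubject
```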
Mailbox forwarding controls
Automatic forwarding to external email addresses is one of the most common techniques attackers use after compromising a mailbox. They create an inbox rule that silently copies every incoming message to an external address, then sit back and collect sensitive data for weeks or months. By default, Microsoft 365 allows users to set up their own forwarding rules without administrator oversight. Blocking automatic external forwarding at the transport level is a critical control. If specific users have a legitimate business need for external forwarding, grant those exceptions explicitly and review them regularly. This single change eliminates one of the quietest and most damaging post-compromise techniques.
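Before blocking forwarding tenant-wide it is worth finding what already exists, because a rule created by an attacker months ago is exactly what the paragraph above describes. The following is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module and Exchange admin rights.

```powershell
# Added example (not from the original article): list existing external forwarding
# (mailbox-level and inbox rules), then block automatic external forwarding tenant-wide.
# Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline
$internalDomains = (Get-AcceptedDomain).DomainName
$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding set through Set-Mailbox or the admin centre
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect to an address outside our accepted domains.
#    Recipients are rendered as '"Name" [SMTP:user@domain]' for external addresses.
$suspect = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets  = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
            $external = $targets | Where-Object {
                $_ -match '\[SMTP:([^\]]+)\]' -and (($Matches[1] -split '@')[1] -notin $internalDomains)
            }
            if ($external) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Rule = $_.Name; Enabled = $_.Enabled
                    ExternalTargets = ($external -join '; ')
                }
            }
        }
}
$suspect | Format-Table -AutoSize

# 3. Block automatic external forwarding at the transport level (covers mailbox forwarding,
#    inbox rules and Outlook client rules)
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# Belt and braces: the remote-domain setting that pre-dates the outbound spam control
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Legitimate exceptions: a second outbound spam policy with -AutoForwardingMode On, scoped to a
# named group with New-HostedOutboundSpamFilterPolicy and New-HostedOutboundSpamFilterRule.
```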
DKIM and DMARC records
SPF alone is not sufficient to protect your domain from spoofing. DKIM adds a cryptographic signature to outbound email that receiving servers can verify, proving the message was not tampered with in transit. DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails. Without DMARC, criminals can send emails that appear to come from your domain and there is no mechanism to stop them. Start with a DMARC policy of p=none to monitor authentication results without affecting mail delivery. Once you are confident that legitimate mail is passing, move to p=quarantine and eventually p=reject. This is a DNS configuration exercise that protects your brand, your clients, and your supply chain.
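The DKIM and DMARC steps above as an added example (not code from the original article). It assumes the ExchangeOnlineManagement module and the Windows DnsClient module, and uses contoso.example as a placeholder domain.

```powershell
# Added example (not from the original article): enable DKIM signing for a domain, print
# the two CNAMEs to publish, and report which stage of the DMARC p=none -> quarantine ->
# reject path the published record is at. Domain and report address are placeholders.
Connect-ExchangeOnline
$domain = "contoso.example"

# Create the signing config if it does not exist. Enabling fails until the CNAMEs resolve,
# so it is created disabled and enabled only once DNS is in place.
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $false | Out-Null
}
$dkim = Get-DkimSigningConfig -Identity $domain
"Publish these CNAMEs at your DNS provider:"
"selector1._domainkey.$domain -> $($dkim.Selector1CNAME)"
"selector2._domainkey.$domain -> $($dkim.Selector2CNAME)"

$cnameLive = Resolve-DnsName "selector1._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
if ($cnameLive -and -not $dkim.Enabled) {
    Set-DkimSigningConfig -Identity $domain -Enabled $true
    "DKIM signing enabled for $domain"
}

# DMARC: read the TXT record and say where on the staged rollout it sits
$txt = (Resolve-DnsName "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
if (-not $txt) {
    "No DMARC record. Start monitoring with:"
    "_dmarc.$domain TXT ""v=DMARC1; p=none; rua=mailto:dmarc-reports@$domain"""
} elseif ($txt -match 'p=(none|quarantine|reject)') {
    $msg = "DMARC policy for $domain is p=$($Matches[1])"
    if ($txt -notmatch 'rua=') { $msg += " (no rua= address, so you receive no aggregate reports)" }
    $msg
}
```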
Safe Attachments policy
Safe Attachments detonates email attachments in a sandboxed environment before delivering them to the recipient. This catches malware that signature-based scanning would miss, including zero-day threats and polymorphic payloads. Many organisations that hold Microsoft Defender for Office 365 licences have this capability available but have never configured a policy. Creating a Safe Attachments policy for all users takes minutes. The Dynamic Delivery option is recommended because it delivers the email body immediately while the attachment is being scanned, avoiding the perception of delayed mail. Without this control, your organisation is relying solely on traditional antivirus signatures, which sophisticated attackers routinely evade.
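Creating the policy and the rule that scopes it to every recipient, as an added example (not code from the original article). It assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence; the domain and policy name are placeholders.

```powershell
# Added example (not from the original article): a Safe Attachments policy using Dynamic
# Delivery, applied to every recipient in the tenant domain. Assumes the
# ExchangeOnlineManagement module and Defender for Office 365; names are placeholders.
Connect-ExchangeOnline
$domain = "contoso.example"
$name   = "Safe Attachments - all users"

# A policy holds the settings; a rule decides who it applies to. Both are needed.
New-SafeAttachmentPolicy -Name $name -Enable $true -Action DynamicDelivery
New-SafeAttachmentRule -Name $name -SafeAttachmentPolicy $name -RecipientDomainIs $domain -Priority 0

# Files already sitting in SharePoint, OneDrive and Teams are covered by a separate switch
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Verify: Action should read DynamicDelivery and the rule should be Enabled
Get-SafeAttachmentPolicy -Identity $name | Format-List Name, Enable, Action
Get-SafeAttachmentRule -Identity $name   | Format-List Name, State, RecipientDomainIs, Priority
```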
[figure missing] of account compromise attacks are stopped by enabling MFA across all users
[figure missing] of breaches involve compromised credentials, making identity controls the highest priority
[figure missing] to implement the three most critical settings on this list and close your biggest gaps
Data and application controls
Even with strong identity and email controls, your tenant remains vulnerable if data can leak through overly permissive sharing settings, if applications can gain access without oversight, and if you have no audit trail to investigate incidents. These three settings close those gaps and complete a robust security baseline for any Microsoft 365 environment.
Unified Audit Logging
If an incident occurs and you have no logs, you cannot investigate what happened, how the attacker got in, what data was accessed, or whether they are still present. Unified Audit Logging in Microsoft 365 records sign-in activity, file access, mailbox operations, admin actions, and changes to security settings. It should be enabled in every tenant, and it is enabled by default in most. However, it is sometimes disabled during troubleshooting and never re-enabled. Verify that it is active, understand the retention period your licence provides, and consider exporting logs to a SIEM or long-term storage if you need more than 90 days of history. Logging is the foundation of incident response. Without it, you are flying blind.
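Checking that the log is on, and then running the kind of query an investigator reaches for first, as an added example (not code from the original article). It assumes the ExchangeOnlineManagement module and the Audit Logs role; the 30-day window is a constructed choice that sits inside the 90-day default retention the paragraph mentions.

```powershell
# Added example (not from the original article): confirm unified audit logging is on, and
# pull two event types that matter after a compromise: inbox rule creation or change, and
# application consent grants. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Enabled. Events appear within a few hours; nothing before now was recorded."
}

$start = (Get-Date).AddDays(-30)
$end   = Get-Date
# Operation names as they appear in the unified log; the consent one really does end in a full stop
$ops = "New-InboxRule", "Set-InboxRule", "Consent to application."

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    # Inbox-rule events carry their cmdlet parameters, which is where forwarding targets show up
    $detail = $d.Parameters |
        Where-Object { $_.Name -in 'Name', 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }
    [pscustomobject]@{
        When      = $_.CreationDate
        Workload  = $_.RecordType
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        Detail    = ($detail -join ' ')
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```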
SharePoint and OneDrive sharing controls
The default sharing settings in SharePoint and OneDrive are more permissive than most organisations realise. In many tenants, the default link type is Anyone, meaning files can be shared with anonymous users who do not need to authenticate. This creates significant data leakage risk, particularly when users share links without understanding the implications. Restricting external sharing to Existing guests or New and existing guests ensures that every external recipient must authenticate before accessing content. Setting expiration times for guest access prevents indefinite exposure. Requiring re-authentication for sensitive libraries adds another layer. These controls do not prevent collaboration. They ensure that sharing is intentional and auditable rather than accidental and invisible.
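The tenant-level change from Anyone links to authenticated, expiring guest access, as an added example (not code from the original article). It assumes the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin rights; the tenant name and expiry period are placeholders.

```powershell
# Added example (not from the original article): move the tenant off anonymous "Anyone"
# links to authenticated guest sharing with an expiry. Assumes the
# Microsoft.Online.SharePoint.PowerShell module; tenant name is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state first so the change can be reversed if it breaks a workflow
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, ExternalUserExpirationRequired, ExternalUserExpireInDays

$hardened = @{
    # ExternalUserSharingOnly = "New and existing guests": every external recipient must sign in.
    # ExistingExternalUserSharingOnly = "Existing guests" is the tighter option if you can live with it.
    SharingCapability              = 'ExternalUserSharingOnly'
    DefaultSharingLinkType         = 'Internal'   # new links default to people inside the organisation
    DefaultLinkPermission          = 'View'       # and to read-only
    ExternalUserExpirationRequired = $true        # guest access to a site or OneDrive lapses
    ExternalUserExpireInDays       = 60           # unless renewed within this many days
}
Set-SPOTenant @hardened

# OneDrive inherits the tenant ceiling but can be set independently
Set-SPOTenant -OneDriveSharingCapability ExternalUserSharingOnly

# Verify
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, ExternalUserExpireInDays
```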
Admin consent workflow for applications
When a user clicks Allow on an OAuth consent prompt, they may be granting a third-party application access not just to their own data but to organisational resources such as mail, calendars, contacts, and files. This is exactly how credential-harvesting applications gain persistent access to Microsoft 365 environments. By default, users can consent to applications without administrator approval. Configuring the admin consent workflow changes this: users can still request access to applications, but the request goes to a designated administrator for review rather than being granted immediately. This single setting prevents one of the most effective social engineering techniques in use today and gives your security team visibility into which applications are requesting access to your data.
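Turning off self-service consent and routing requests to a reviewer, as an added example (not code from the original article). It assumes the Microsoft Graph PowerShell SDK; the reviewer's account name is a placeholder, and the reviewer must hold a role that can grant application consent.

```powershell
# Added example (not from the original article): remove users' ability to consent to
# applications and turn on the admin consent workflow so requests go to a named reviewer.
# Assumes the Microsoft Graph PowerShell SDK; the reviewer UPN is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "User.Read.All"

# 1. No self-service consent at all (empty list). A middle ground that still allows low-risk
#    permissions from verified publishers is:
#    @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
Update-MgPolicyAuthorizationPolicy -BodyParameter @{
    defaultUserRolePermissions = @{ permissionGrantPoliciesAssigned = @() }
}

# 2. Workflow: a blocked consent becomes a request the reviewer can approve or deny.
#    The reviewer needs a role that can grant consent (for example Cloud Application Administrator).
$reviewer = Get-MgUser -UserId "appconsent-reviewer@contoso.example"
Update-MgPolicyAdminConsentRequestPolicy -BodyParameter @{
    isEnabled             = $true
    notifyReviewers       = $true
    remindersEnabled      = $true
    requestDurationInDays = 30     # requests expire if nobody acts on them
    reviewers             = @(@{ query = "/users/$($reviewer.Id)"; queryType = "MicrosoftGraph" })
}

# 3. Verify both halves
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
Get-MgPolicyAdminConsentRequestPolicy | Select-Object IsEnabled, NotifyReviewers, RequestDurationInDays
```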
Implementation priority
Not every setting carries the same weight. The identity controls should be treated as urgent. The email and data controls can follow in a planned sequence. Here is a practical timeline that balances risk reduction with operational reality.
Do today
Security Defaults or Conditional Access, MFA for all admins, block legacy authentication
These three controls address the most commonly exploited attack vectors. Without them, every other setting on this list is undermined. An attacker who can authenticate as an admin without MFA or who can use legacy protocols to bypass your policies has the keys to your entire environment. These changes take less than an hour to implement and should be treated as non-negotiable.
High priority
External email tagging, audit logging, mailbox forwarding controls, DKIM and DMARC
These settings close the next tier of risk. Email remains the primary attack vector for most organisations, and these controls collectively make it harder for attackers to impersonate your staff, exfiltrate data silently, and spoof your domain. Audit logging ensures that when something does go wrong, you have the data to investigate it properly.
Complete the baseline
Safe Attachments, SharePoint and OneDrive sharing, admin consent workflow
These controls round out a comprehensive security baseline. They address attachment-borne malware, accidental data exposure through overly permissive sharing, and the risk of malicious applications gaining access through user consent. Individually, each is a meaningful improvement. Together with the earlier settings, they represent a properly hardened Microsoft 365 environment.
“Ten settings. Most can be changed in minutes. Together they represent the difference between a tenant that is waiting to be compromised and one that an attacker will move past in favour of an easier target.”
Need help securing your Microsoft 365 tenant?
We audit Microsoft 365 environments for UK businesses and implement these controls properly. A tenant security review typically takes a few hours and gives you a clear picture of where your gaps are, what to fix first, and how to maintain the baseline over time.
If you are not sure where you stand, a short call is enough for us to understand your setup and advise on next steps. No obligation, no sales pitch.