
Microsoft 365 Security Baseline

18 min read | Updated February 2026

Why your Microsoft 365 tenant is almost certainly less secure than you think.

Microsoft 365 is the operating system of modern business. More than 400 million paid seats worldwide rely on it for email, file storage, collaboration, identity management, and communication. For most small and medium-sized enterprises in the UK, it is the single platform that holds everything: every email, every document, every conversation, every contact, every calendar entry.

And yet, the vast majority of these tenants are running with default settings that prioritise convenience over security. Microsoft ships its products configured for the widest possible adoption, not for the tightest possible security. Legacy authentication protocols remain enabled. External sharing is unrestricted. Users can grant third-party applications access to organisational data without any oversight. Audit logging may not even be active.

This is not a criticism of Microsoft. It is a reflection of the shared responsibility model that governs every cloud platform. Microsoft secures the infrastructure, the datacentres, the physical servers, the network backbone. You secure your configuration, your identities, your data, your policies. The line between their responsibility and yours is clearly documented, but many organisations have never read that documentation, let alone acted on it. This guide exists to close that gap.


How attackers exploit misconfigured tenants

The attacks against Microsoft 365 environments are not sophisticated in the way most people imagine. There are no hooded figures writing custom exploits in dark rooms. The reality is far more mundane, and far more effective. Attackers buy stolen credentials in bulk from dark web marketplaces, credentials harvested from data breaches at other services where your users reused the same password. They run automated tools that test these credentials against Microsoft 365 login endpoints, thousands of attempts per minute, across thousands of tenants.

When they find a working username and password, the next step depends entirely on your configuration. If MFA is enabled, the attack stops. If it is not, the attacker is in. From there, the playbook is well established: search the mailbox for invoices, contracts, and payment details. Set up a mail forwarding rule to an external address so they can monitor ongoing correspondence. Wait for a payment to be due, then send a carefully timed email from the compromised account redirecting the payment to a different bank account.

This is business email compromise, and it costs UK organisations hundreds of millions of pounds every year. It is not theoretical. It is happening to SMEs every single day. The defences are not complex, but they must be deliberately configured. Microsoft 365 will not do it for you.

“Microsoft secures the platform. You secure the configuration. That distinction is the difference between a protected business and an exposed one. Most breaches we investigate trace back not to a software vulnerability, but to a default setting that nobody changed.”


Identity and access management

Identity is the new perimeter. In a world where your staff work from home, from client offices, from airports, the traditional network boundary is meaningless. The only consistent point of control is the user account. If an attacker compromises an identity, they have access to everything that identity can reach, regardless of where they are connecting from. These four controls protect the front door of your entire environment.

Enforce MFA for every account

Multi-factor authentication is, without exaggeration, the single most effective control you can implement against account compromise. Microsoft’s own research shows that MFA blocks more than 99.9% of automated credential attacks. Yet we still walk into tenant reviews where MFA is only enabled for some users, or where admin accounts are exempted because “we only log in occasionally.” That reasoning is precisely backwards. Admin accounts are the highest-value targets and should be the first to receive MFA, not the last. Enable it for every user, every admin, every service account that supports it. No exceptions. If a legacy application cannot support modern authentication, that application needs replacing, not exempting.

Block legacy authentication protocols

Older protocols such as POP3, IMAP, and SMTP AUTH were designed in an era before multi-factor authentication existed. They accept a username and password, and nothing else. Attackers know this, and they actively target these protocols because they bypass MFA entirely. If you have MFA enabled but legacy authentication is still permitted, you have a back door standing wide open. Create a Conditional Access policy that blocks legacy authentication for all users. Before you flip the switch, run the Azure AD sign-in logs filtered by client app to identify any services still relying on these protocols. You may find old printers, scanners, or line-of-business apps that need migrating to modern authentication first.

Enable Security Defaults or Conditional Access

Security Defaults is Microsoft’s free, baseline security configuration. It enforces MFA registration for all users, blocks legacy authentication, and requires MFA for admin actions. For many SMEs, this is the fastest way to achieve a meaningful uplift in security posture. However, Security Defaults is an all-or-nothing setting. If you need more granularity, for example allowing legacy auth for a specific service account while blocking it everywhere else, or enforcing MFA only from untrusted locations, you need Conditional Access policies, which require Azure AD P1 licensing. The investment is modest, and the control it provides is substantial. Either way, running a tenant with neither Security Defaults nor Conditional Access policies is running a tenant with no safety net.
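As an added example (not code from this guide or from Microsoft), the two steps the last two sections describe, in Microsoft Graph PowerShell: review the sign-in logs for legacy client apps, then create the Conditional Access policy that blocks them. The break-glass account UPN and the 30-day review window are assumptions.

```powershell
# Added example, not from the original guide: list who still signs in with
# legacy protocols, then create a Conditional Access policy that blocks them.
# Needs the Microsoft.Graph PowerShell SDK and an Entra ID (Azure AD) P1 licence.
# The break-glass UPN is a placeholder; replace it with your emergency account.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$breakGlassUpn = "breakglass@example.com"   # placeholder, not a real account

# 1. Sign-in log review. Entra reports only "Browser" and
#    "Mobile Apps and Desktop clients" as modern authentication; every other
#    clientAppUsed value (IMAP4, POP3, Authenticated SMTP, ...) is legacy.
$modern = "Browser", "Mobile Apps and Desktop clients"
$since  = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern }

if ($legacy) {
    "Accounts still using legacy authentication in the last 30 days:"
    $legacy | Group-Object UserPrincipalName, ClientAppUsed |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    # Printers, scanners and old line-of-business apps show up here; migrate
    # them to modern authentication before the policy below is enforced.
}

# 2. Block legacy authentication for everyone except the break-glass account.
#    "exchangeActiveSync" plus "other" covers every legacy client type.
#    Report-only mode records what would be blocked without blocking it;
#    change state to "enabled" once the list above is empty.
$breakGlass = Get-MgUser -UserId $breakGlassUpn
$policy = @{
    displayName   = "Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

On a large tenant the 30-day sign-in query can take a while; narrow the window or add a user filter if it times out.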

Limit global administrator accounts

Global Administrator is the most powerful role in your Microsoft 365 tenant. An account with this role can read every email, delete every file, modify every setting, and grant itself access to anything. Microsoft recommends no more than two to four global administrators, and we would push that even lower where possible. Every global admin account is a target. Use dedicated admin accounts that are separate from daily-use accounts, enforce MFA with hardware tokens, and assign specific admin roles (Exchange Administrator, SharePoint Administrator, User Administrator) for routine tasks. If your IT person is using the same account to read email and manage the entire tenant, that is a risk you should not be carrying.
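An added example (not the guide's own code) of the audit this section asks for, in Microsoft Graph PowerShell: enumerate Global Administrator members, pair each with their MFA registration state, and warn when the count exceeds four. No tenant-specific values are assumed.

```powershell
# Added example, not from the original guide: list every Global Administrator,
# show whether each has MFA registered, and warn when there are more than four.
# Needs the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# Look the role up by name rather than hard-coding its template id.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)

# MFA registration state for every admin in the tenant, keyed by object id.
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All |
    ForEach-Object { $registration[$_.Id] = $_ }

$report = foreach ($m in $members) {
    $reg = $registration[$m.Id]
    [pscustomobject]@{
        # Groups and service principals can hold the role too; they have no UPN.
        Member        = if ($m.AdditionalProperties["userPrincipalName"]) { $m.AdditionalProperties["userPrincipalName"] } else { $m.Id }
        Type          = $m.AdditionalProperties["@odata.type"] -replace "^#microsoft\.graph\.", ""
        MfaRegistered = if ($reg) { $reg.IsMfaRegistered } else { "unknown" }
        Methods       = if ($reg) { $reg.MethodsRegistered -join ", " } else { "" }
    }
}
$report | Format-Table -AutoSize

if ($members.Count -gt 4) {
    Write-Warning "$($members.Count) Global Administrators. Reduce to four or fewer and use scoped roles (Exchange, SharePoint, User Administrator) for routine work."
}
foreach ($r in $report | Where-Object { $_.MfaRegistered -ne $true }) {
    Write-Warning "$($r.Member) holds Global Administrator without a confirmed MFA registration."
}
```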

Email security

Email remains the primary attack vector for businesses of every size. Over 90% of successful cyber attacks begin with a phishing email. Microsoft 365 provides powerful email security tools, but most of them require deliberate configuration. The default settings are permissive. They let things through that should be blocked and leave protections disabled that should be active.

The controls in this section address the most critical email security gaps we encounter in SME tenant reviews. Collectively, they form a layered defence that significantly reduces your exposure to phishing, spoofing, and business email compromise.

Configure SPF, DKIM, and DMARC

These three DNS records work together to prevent attackers from sending emails that appear to come from your domain. SPF specifies which mail servers are authorised to send on your behalf. DKIM adds a cryptographic signature to outgoing messages, proving they have not been tampered with in transit. DMARC ties both together and tells receiving mail servers what to do when a message fails authentication: monitor it, quarantine it, or reject it outright. Without these records, anyone can send an email that appears to come from your domain, and many recipient systems will deliver it without question. Phishing emails impersonating your CEO, fake invoices from your finance team, password reset lures from your IT department: all become trivially easy for an attacker to construct. Start with DMARC in monitoring mode (p=none), review the reports for a few weeks to identify legitimate senders, then move to p=quarantine and eventually p=reject.
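As an added example (not from the guide), a PowerShell check of the three records for one domain as Microsoft 365 expects them, ending with which DMARC step comes next. It assumes Resolve-DnsName (Windows DnsClient) and the ExchangeOnlineManagement module; "example.com" is a placeholder.

```powershell
# Added example, not from the original guide: check a domain's SPF, DKIM and
# DMARC records against what Microsoft 365 needs, and report which DMARC step
# (p=none -> p=quarantine -> p=reject) comes next. Resolve-DnsName is the
# Windows DnsClient cmdlet; Get-DkimSigningConfig needs ExchangeOnlineManagement.
$domain = "example.com"   # placeholder for your own domain

function Get-TxtRecords([string] $name) {
    # Long TXT records are split into several strings; rejoin each record.
    Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { -join $_.Strings }
}

# SPF: exactly one record, authorising Microsoft 365, ending in a hard fail.
$spf = @(Get-TxtRecords $domain | Where-Object { $_ -like "v=spf1*" })
if ($spf.Count -ne 1) { Write-Warning "Expected one SPF record for $domain, found $($spf.Count)" }
elseif ($spf[0] -notmatch "include:spf\.protection\.outlook\.com") { Write-Warning "SPF does not authorise Microsoft 365: $spf" }
elseif ($spf[0] -notmatch "\s-all$") { Write-Warning "SPF is not a hard fail (-all): $spf" }
else { "SPF ok: $spf" }

# DKIM: Microsoft 365 publishes two selector CNAMEs, and signing must also be
# enabled for the domain in Exchange Online or the CNAMEs do nothing.
foreach ($s in "selector1", "selector2") {
    $cname = Resolve-DnsName -Name "$s._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { "DKIM $s -> $($cname.NameHost)" } else { Write-Warning "DKIM CNAME $s._domainkey.$domain is missing" }
}
Connect-ExchangeOnline -ShowBanner:$false
$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim -or -not $dkim.Enabled) { Write-Warning "DKIM signing is not enabled in Exchange Online for $domain" }

# DMARC: parse the tag=value pairs and report where the domain is on the journey.
$dmarc = Get-TxtRecords "_dmarc.$domain" | Where-Object { $_ -like "v=DMARC1*" } | Select-Object -First 1
if (-not $dmarc) { Write-Warning "No DMARC record: receivers get no instruction for mail that fails SPF/DKIM"; return }
$tags = @{}
foreach ($pair in $dmarc -split ";") {
    $k, $v = $pair.Trim() -split "=", 2
    if ($k) { $tags[$k.Trim()] = "$v".Trim() }
}
if (-not $tags["rua"]) { Write-Warning "DMARC has no rua= address, so you will receive no aggregate reports to review" }
$pct = if ($tags["pct"]) { $tags["pct"] } else { "100" }
switch ($tags["p"]) {
    "none"       { "DMARC p=none: monitoring only. Review the reports for a few weeks, then move to p=quarantine." }
    "quarantine" { "DMARC p=quarantine (pct=$pct): move to p=reject once the reports show only legitimate senders." }
    "reject"     { "DMARC p=reject: target state reached." }
    default      { Write-Warning "DMARC record has no valid p= tag: $dmarc" }
}
```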

Enable Safe Links and Safe Attachments

Part of Microsoft Defender for Office 365, Safe Links rewrites URLs in incoming emails and scans them at the time of click, not just at the time of delivery. This matters because attackers routinely send emails with links to clean pages that are weaponised after delivery, after the initial scan has cleared them. Safe Attachments detonates attachments in a sandboxed environment before delivering them to the recipient, catching malware that signature-based scanning misses. These features require Defender for Office 365 Plan 1 at minimum. For SMEs on Business Premium licensing, both are included. If you are paying for them and not using them, you are leaving protection on the table.

Configure anti-phishing policies

Microsoft Defender includes impersonation protection that watches for emails designed to look like they come from specific people within your organisation, typically executives, finance staff, and anyone who authorises payments. Enable impersonation protection for these high-value targets. Configure mailbox intelligence, which learns each user’s normal communication patterns and flags anomalies. Set up first-contact safety tips so users see a warning when they receive email from someone they have never corresponded with before. Phishing remains the most common initial access vector in business email compromise attacks. These controls will not stop every attempt, but they will catch the opportunistic ones that rely on speed and volume rather than sophistication.

Block automatic forwarding to external addresses

When an attacker gains access to a mailbox, one of the first things they do is create a mail flow rule that silently forwards a copy of every incoming email to an external address. The user continues working normally, unaware that every email they receive is being mirrored to an attacker-controlled inbox. This is a standard technique in business email compromise, and it can persist for weeks or months before anyone notices. The fix is simple: create a mail flow rule in Exchange Admin Center that blocks automatic forwarding to external recipients. This stops the technique dead. It takes five minutes to configure and should be done immediately on every tenant.

“Over 90% of successful cyber attacks begin with a phishing email. The tools to defend against this are already included in your Microsoft 365 licence. They are simply not turned on.”

Data protection and collaboration

Microsoft 365 makes it remarkably easy to share data. SharePoint, OneDrive, and Teams all offer frictionless collaboration with internal and external users. That frictionlessness is a feature when it is intentional and a vulnerability when it is not. The default sharing settings in most tenants are far more permissive than the organisation realises, and the cumulative effect of months or years of unchecked sharing can be significant.

Lock down SharePoint and OneDrive sharing

By default, Microsoft 365 allows users to share files and folders with anyone, including people outside your organisation, via anonymous links that require no authentication. This is extraordinarily convenient. It is also extraordinarily risky. A single misclick can expose a folder of sensitive documents to the entire internet. At minimum, disable anonymous sharing links. Restrict external sharing to authenticated guests only, meaning the recipient must sign in with a verified identity before accessing the content. For highly sensitive data, restrict sharing to internal users only. Configure default link types to “specific people” rather than “anyone with the link.” Review existing shared links periodically, because the links created last year with wide-open permissions are still active unless someone has revoked them.

Review and restrict Teams guest access

Microsoft Teams allows external guests to be added to teams and channels, giving them access to conversations, files, and shared resources. In many organisations, this is enabled by default with no restrictions. Consider whether your business actually needs guest access. If it does, configure it tightly: restrict which domains guests can be invited from, limit their access to specific teams rather than the entire organisation, set expiration policies so guest accounts do not persist indefinitely, and review guest access quarterly. An unmanaged guest account from a former partner or supplier is a dormant access path into your environment that will only become visible when someone exploits it.
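An added example (not the guide's own code) covering the SharePoint/OneDrive sharing settings and the Teams guest toggle from the last two sections, with the permissive values shown for comparison. It assumes the Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules; the admin URL is a placeholder.

```powershell
# Added example, not from the original guide: tighten tenant-wide sharing in
# SharePoint Online and OneDrive, list sites that still permit anonymous links,
# and switch off Teams guest access where the business does not need it.
# Needs Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"   # placeholder

# Permissive defaults, for comparison: SharingCapability ExternalUserAndGuestSharing
# ("anyone" links) and DefaultSharingLinkType AnonymousAccess.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission

# Hardened: authenticated guests only, "specific people" links by default,
# view-only by default, and guests must sign in with the invited identity.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -RequireAcceptingAccountMatchInvitedAccount $true

# Sites keep their own setting (never looser than the tenant), so list any
# still configured for anonymous links and tighten them; use Disabled instead
# of ExternalUserSharingOnly for sites holding highly sensitive data.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    ForEach-Object {
        "$($_.Url) still allows anonymous links"
        Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
    }

# Teams guest access: one switch if guests are not needed at all. If they are,
# leave this on and manage guests per team with expiry and quarterly reviews.
Connect-MicrosoftTeams
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $false
```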

Enable and configure audit logging

Unified audit logging records user and administrator activity across your entire Microsoft 365 environment: who logged in, what they accessed, what they changed, what they deleted, and when. This is the foundation of incident investigation. Without audit logs, you are flying blind. If an account is compromised, you cannot determine what the attacker accessed, what data was exfiltrated, or how long they were in your environment. Enable unified audit logging in Microsoft Purview and verify that it is actually recording. Check that your retention period meets your requirements. Standard licences retain logs for 180 days. If you need longer retention for compliance or investigative purposes, you will need to export logs to an external SIEM or configure extended retention policies.
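As an added example (not from the guide), one Exchange Online PowerShell script serving both the auto-forwarding section above and this one: confirm unified audit logging is recording, block external auto-forwarding, hunt for forwarding already in place, and pull the audit events that created forwarding rules. It assumes the ExchangeOnlineManagement module; the transport rule name and the 90-day window are our own choices.

```powershell
# Added example, not from the original guide: block external auto-forwarding in
# Exchange Online, find forwarding that already exists, and confirm the unified
# audit log is recording so rule changes can be investigated later.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Audit logging must be on before an incident, not after.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging was off; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Stop automatic forwarding outside the organisation: the outbound spam
#    policy switch plus a transport rule that rejects auto-forwarded mail.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
if (-not (Get-TransportRule "Block external auto-forwarding" -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name "Block external auto-forwarding" `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted."
}

# 3. Forwarding already configured: mailbox-level forwarding and inbox rules
#    that forward or redirect to an address outside our accepted domains.
$ours = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
function Test-External([string[]] $addresses) {
    foreach ($a in $addresses) {
        # Internal recipients appear as EX:/o=... legacy DNs and have no "@".
        if ($a -match '@([A-Za-z0-9.-]+)' -and $Matches[1].ToLower() -notin $ours) { return $true }
    }
    return $false
}
$findings = foreach ($mb in Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress) {
    if (Test-External @($mb.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Rule = "(mailbox forwarding)"; Target = $mb.ForwardingSmtpAddress }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mb.UserPrincipalName -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        if ($targets -and (Test-External $targets)) {
            [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Rule = $rule.Name; Target = $targets -join "; " }
        }
    }
}
$findings | Format-Table -AutoSize

# 4. Who created or changed forwarding in the last 90 days? Only the audit log
#    answers this, and only if it was enabled at the time.
$fwdParams = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 `
    -Operations "New-InboxRule", "Set-InboxRule", "Set-Mailbox" |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.Parameters | Where-Object { $_.Name -in $fwdParams } } |
    Select-Object CreationTime, UserId, Operation, ClientIP |
    Format-Table -AutoSize
```

Step 3 walks every mailbox and is slow on large tenants; run it out of hours or scope it to a department first.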

Device and application management

Securing identities and email addresses only half of the equation. The devices that access your Microsoft 365 data, and the third-party applications that integrate with it, represent an equally significant attack surface. An unmanaged device with no encryption and outdated software can expose your data just as effectively as a compromised password. A malicious application with OAuth consent can access mailbox data indefinitely, even after the user’s password is changed.

Restrict application consent

By default, any user in your Microsoft 365 tenant can grant third-party applications access to their data, and in some cases, to organisational data, simply by clicking “Accept” on an OAuth consent prompt. Attackers exploit this through consent phishing: a user receives what appears to be a legitimate request from a familiar-looking application, grants consent, and the attacker now has persistent API access to the user’s mailbox, files, and contacts, completely independent of the user’s password. Disable user consent for applications entirely. Implement an admin consent workflow so that users can request access to new applications, but IT reviews and approves each request. This single change closes one of the most underappreciated attack vectors in the Microsoft 365 ecosystem.
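An added example (not the guide's or Microsoft's code) of the consent changes this section describes, in Microsoft Graph PowerShell, plus a review of grants users have already made. It assumes the Microsoft.Graph SDK; the reviewer UPN is a placeholder.

```powershell
# Added example, not from the original guide: disable user consent to
# applications, enable the admin consent request workflow, and review grants
# users have already made. Needs the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Directory.Read.All"

$reviewerUpn = "it.admin@example.com"   # placeholder for whoever approves requests

# 1. Current state. The default policy
#    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" lets any user
#    consent; an empty list means users cannot consent at all.
$authz = Get-MgPolicyAuthorizationPolicy
"User consent policies before: $($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')"

# 2. Disable user consent entirely.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }

# 3. Let users request access instead, with a named reviewer approving each request.
$reviewer = Get-MgUser -UserId $reviewerUpn
Update-MgPolicyAdminConsentRequestPolicy -IsEnabled $true -NotifyReviewers $true `
    -RemindersEnabled $true -RequestDurationInDays 30 `
    -Reviewers @(@{ Query = "/users/$($reviewer.Id)"; QueryType = "MicrosoftGraph" })

# 4. Consents already in place survive the change above, so review them.
#    ConsentType "Principal" is a grant a single user clicked through; mailbox
#    and file scopes on an unfamiliar app are the consent-phishing pattern.
$sensitive = "Mail.Read", "Mail.ReadWrite", "MailboxSettings.ReadWrite", "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read"
Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $scopes = @($_.Scope -split " " | Where-Object { $_ })
    [pscustomobject]@{
        App         = (Get-MgServicePrincipal -ServicePrincipalId $_.ClientId).DisplayName
        ConsentType = $_.ConsentType
        Sensitive   = ($scopes | Where-Object { $_ -in $sensitive }) -join " "
        AllScopes   = $scopes -join " "
    }
} | Sort-Object Sensitive -Descending | Format-Table -AutoSize
```

Revoking a suspicious grant is done with Remove-MgOauth2PermissionGrant on the grant's Id; do that only after confirming the app with the user.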

Deploy Microsoft Intune for device management

If your business allows staff to access Microsoft 365 from personal devices, or even from company devices without centralised management, you have limited visibility and no control over the security posture of those endpoints. Microsoft Intune, included with Business Premium and Microsoft 365 E3 and above, provides mobile device management (MDM) and mobile application management (MAM). With Intune, you can enforce device compliance requirements: the device must have encryption enabled, must be running a supported operating system, must have endpoint protection active. Non-compliant devices can be blocked from accessing company data entirely. For organisations working toward Cyber Essentials, Intune provides the evidence trail that assessors need to verify that device-level controls are consistently applied across your fleet.

Understanding the shared responsibility model

Every conversation about cloud security eventually arrives at the shared responsibility model, and for good reason. It is the single most important concept that SMEs need to understand about their Microsoft 365 environment. The principle is straightforward: Microsoft is responsible for the security of the cloud. You are responsible for the security of what you put in the cloud.

Microsoft ensures that their datacentres are physically secure, that their networks are resilient, that their software is patched, and that the platform is available. They do this exceptionally well. What they do not do is configure your tenant for you. They do not enforce MFA on your accounts. They do not restrict your sharing policies. They do not review your admin roles. They do not monitor your mail flow rules for signs of compromise. These are your responsibilities, and they are explicitly documented in Microsoft’s shared responsibility matrix.

The misconception that “Microsoft handles security” is the root cause of most tenant compromises we investigate. The platform provides the tools. The customer must use them. If you treat Microsoft 365 as a managed service that secures itself, you will eventually learn otherwise, and the lesson will be expensive.

99.9% of credential attacks are blocked by multi-factor authentication

90%+ of successful cyber attacks begin with a phishing email

£4.4M average cost of a data breach in the UK in 2025

Six quick wins to implement today

If the scope of this guide feels overwhelming, start here. These six changes can be completed in a single afternoon, require no additional licensing in most cases, and collectively address the most common attack vectors we see in compromised Microsoft 365 environments. They are not a substitute for a comprehensive security review, but they will materially reduce your risk while you plan a more thorough approach.

Enable MFA for all users

If you do nothing else on this list, do this. Enable multi-factor authentication for every account in your tenant. It takes less than thirty minutes and prevents the vast majority of credential-based attacks.

Turn on Security Defaults

One toggle that enforces MFA registration, blocks legacy authentication, and requires MFA for administrative actions. Five seconds of configuration for a substantial improvement in security posture.

Block external auto-forwarding

Create a transport rule in Exchange Admin Center that prevents automatic forwarding to external recipients. This closes the most common persistence technique in business email compromise attacks.

Audit your global administrators

Log into Azure AD, check Roles and administrators, and count your global admins. If the number is above four, reduce it. Reassign specific admin roles for routine tasks.

Configure SPF, DKIM, and DMARC

Add or update your DNS records to prevent domain spoofing. Start DMARC in monitoring mode, review the aggregate reports, then tighten the policy over the following weeks.

Enable unified audit logging

Open Microsoft Purview, navigate to Audit, and confirm that logging is active. If it is not recording, you have no investigative capability when something goes wrong.

“The six changes listed above can be completed in a single afternoon. Collectively, they address the attack vectors responsible for the majority of Microsoft 365 compromises we investigate. Start here. Build from here.”

Beyond the baseline

The settings in this guide represent a baseline: the minimum configuration that every Microsoft 365 tenant should have in place. They are not the ceiling. For organisations handling sensitive data, operating in regulated industries, or pursuing certifications such as Cyber Essentials Plus or ISO 27001, there is significantly more to do.

Advanced configurations include Data Loss Prevention (DLP) policies that prevent sensitive information from being shared inappropriately, sensitivity labels that classify and protect documents based on their content, Conditional Access policies that enforce device compliance and location-based restrictions, and Privileged Identity Management (PIM) that provides just-in-time admin access rather than standing permissions.

The Microsoft 365 security ecosystem is deep. It rewards investment in expertise, whether internal or external. The organisations that get the most value from their licences are the ones that treat security configuration as an ongoing discipline, not a one-time project. The threat landscape evolves. Microsoft releases new features and retires old ones. Your organisation grows and changes. Your security posture must evolve with it.

Need help securing your Microsoft 365 tenant?

We help UK businesses configure, harden, and manage their Microsoft 365 environments. That includes tenant security reviews, baseline configuration, Conditional Access policy design, email security hardening, and ongoing monitoring. We work with organisations of every size, from ten-person firms that have never reviewed their settings to established businesses with complex multi-tenant environments.

If you are not sure where you stand, a Microsoft 365 security review takes around two hours and will give you a clear, prioritised list of what needs addressing. No jargon, no sales pressure. Just a straightforward assessment of your current posture and the steps needed to improve it.