Security

9 Microsoft 365 Security Settings Most Organizations Have Wrong

In nearly every Microsoft 365 tenant we audit, the same misconfigurations appear: legacy authentication still enabled (which bypasses MFA entirely), Conditional Access exclusion groups that swallowed the policy, standing Global Administrator accounts without protection, unrestricted external sharing, no mailbox auditing, and mail forwarding rules nobody reviews. None of these require new licenses to fix — they're configuration debt, usually inherited from a previous provider.

The short version
  • Legacy authentication enabled — the #1 finding, and it neutralizes your MFA investment
  • MFA "registered" but not enforced via Conditional Access
  • 5+ Global Admins with no PIM, no separate admin accounts
  • External sharing set to "anyone with the link" tenant-wide
  • Auto-forwarding to external addresses allowed (a breach persistence classic)
  • Defender features owned but never configured (Safe Links, Safe Attachments, ASR rules)
Going deeper

The full article lists all nine with the exact admin center path to check each one, what "correct" looks like for a 15–250 user organization, and which order to fix them in — because two of the nine can lock people out if you sequence them wrong.

Prefer answers about your environment specifically?

Reading is good. A 30-minute session with an engineer who can see your actual tenant is better.

Schedule a Microsoft 365 Strategy Session