Top 10 Microsoft 365 Security Misconfigurations We Find in Every Audit

April 29, 2026 · 8 min read

In our security assessments across hundreds of Microsoft 365 tenants, we consistently find the same critical misconfigurations. These aren’t obscure settings or edge cases—they’re fundamental security controls that are systematically overlooked or deprioritized.

This post details the ten most dangerous misconfigurations we discover, why they matter, and exactly how to fix them.

Misconfiguration #1: No Multi-Factor Authentication (MFA) Enforcement

What we find: 60% of organizations haven’t enabled MFA for all users; many exempt entire departments or contractor accounts.

Why it’s critical: MFA is your strongest defense against account compromise. Without it, a single phished or reused password gives an attacker everything the user can reach: their mailbox, OneDrive, Teams, and every application federated through Entra ID.

The statistics: Microsoft reports that MFA blocks more than 99.9% of automated account-compromise attacks. The residual risk is MFA fatigue and adversary-in-the-middle phishing, which is why phishing-resistant methods (FIDO2 keys, passkeys, Windows Hello for Business) belong in the longer-term plan.

Fix it:

  1. If the tenant has no Entra ID P1 licences, turn on security defaults: Microsoft Entra admin center > Identity > Overview > Properties > Manage security defaults. This forces MFA registration for every user and blocks legacy authentication, but it cannot be scoped or excepted.
  2. With Entra ID P1 (included in Microsoft 365 E3/E5 and Business Premium), turn security defaults off and use Conditional Access instead; the two are mutually exclusive, and Conditional Access is the only one that gives you exclusions, report-only mode and device or risk conditions.
  3. Create the Conditional Access policy:
    • Name: “Require MFA for All Users”
    • Users: All users, excluding only your break-glass (emergency access) accounts
    • Target resources: All cloud apps
    • Conditions: All locations
    • Grant: Require multifactor authentication
    • Enable: Report-only first, then On

Run the policy in report-only mode for a few days and check the Report-only tab of the sign-in log for users who would have been blocked, then switch it to On. Afterwards verify that no user or group exclusions beyond the break-glass accounts remain; exempted departments and contractor accounts are exactly what password-spray campaigns look for.

Timeline: Implement immediately; 2-week rollout with user communication

Misconfiguration #2: Legacy Authentication Not Blocked

What we find: Basic authentication is still reachable over IMAP, POP3, SMTP AUTH and Exchange ActiveSync, so anyone holding a username and password can authenticate without ever seeing an MFA prompt.

Why it’s critical: Legacy protocols cannot carry an MFA challenge; the password is the whole control. Attackers use automated tooling to spray a handful of common passwords across every account in the tenant, and a single success is a foothold in a mailbox and, from there, in the rest of the environment.

The attack: A threat actor takes a list of your users’ addresses (often with passwords reused from a third-party breach) and sprays a few common passwords against the legacy authentication endpoints, slowly enough to stay under lockout thresholds. In a 500-user tenant, 15-20 compromised accounts from one campaign is typical of what we see.

Fix it:

  1. Microsoft Entra ID > Security > Conditional Access
  2. Create policy:
    • Name: “Block Legacy Authentication”
    • Users: All users
    • Target resources: All cloud apps
    • Conditions: Client apps = Legacy authentication clients
    • Grant: Block
    • Enable: On

This blocks every client that authenticates with basic auth (IMAP, POP3, SMTP AUTH, Exchange ActiveSync without modern auth, older Office clients) while modern-authentication clients keep working. Exchange Online has already switched basic authentication off for most protocols, but the Conditional Access block is still worth having: it covers every workload and cannot be undone by a protocol-level exception.

User communication: Before enabling, pull the sign-in log filtered to legacy authentication clients to see who still depends on it; the usual suspects are multifunction printers, scan-to-email devices and scripted mailbox jobs. Migrate those to modern authentication or OAuth-capable software. If an exception is unavoidable, scope it to a single service account with a long random password and a named expiry date, never to a person.

Timeline: Enable immediately after testing in your environment
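The check described above, as an added example that is not code from the original post: it lists who still signs in with legacy authentication before the block policy goes live, and surfaces password-spray patterns against those endpoints. It assumes the Microsoft Graph PowerShell SDK and an account holding AuditLog.Read.All and Directory.Read.All (Security Reader is sufficient); the 30-day window matches Entra ID P1/P2 sign-in log retention.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell SDK,
# AuditLog.Read.All + Directory.Read.All, and Entra ID P1/P2 (30 days of sign-in logs).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

# Client app names Entra ID reports for legacy (non-modern-auth) sign-ins; this is the
# same set the portal groups under "Legacy Authentication Clients".
$legacyClients = @(
    'Authenticated SMTP', 'Autodiscover', 'Exchange ActiveSync', 'Exchange Online PowerShell',
    'Exchange Web Services', 'IMAP4', 'MAPI Over HTTP', 'Offline Address Book',
    'Other clients', 'Outlook Anywhere (RPC over HTTP)', 'Outlook Service', 'POP3',
    'Reporting Web Services', 'Universal Outlook'
)

# Server-side filter on time only (always supported); legacy-client matching is done locally.
$since   = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
$legacy  = $signIns | Where-Object { $_.ClientAppUsed -in $legacyClients }

# One row per user and protocol: who depends on legacy auth, and whether it actually works for them
$usage = $legacy | Group-Object UserPrincipalName, ClientAppUsed | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        User      = $g[0].UserPrincipalName
        ClientApp = $g[0].ClientAppUsed
        Attempts  = $_.Count
        Successes = @($g | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        LastSeen  = ($g | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        SourceIPs = (@($g.IPAddress | Sort-Object -Unique) -join ' ')
    }
}
$usage | Sort-Object Successes -Descending | Format-Table -AutoSize

# Many failed legacy-auth attempts from one IP against many distinct users is the
# signature of a password spray (error code 50126 = wrong password).
$spray = $legacy | Where-Object { $_.Status.ErrorCode -ne 0 } | Group-Object IPAddress | ForEach-Object {
    $users = @($_.Group.UserPrincipalName | Sort-Object -Unique)
    if ($users.Count -ge 10) {
        [pscustomobject]@{ IPAddress = $_.Name; DistinctUsers = $users.Count; Failures = $_.Count }
    }
}
$spray | Sort-Object DistinctUsers -Descending | Format-Table -AutoSize
```

Rows with Successes greater than zero are the accounts you must migrate or explicitly except before the block policy is switched on; rows with many attempts and no successes are attackers already probing the tenant, which is the argument for enabling the policy this week rather than next quarter.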

Misconfiguration #3: External Guest Access Unrestricted

What we find: Guest sharing to external tenants is enabled with no restrictions; any user can add any external email address as a guest, and guests accumulate access to SharePoint sites and Teams that nobody ever reviews or expires.

Why it’s critical: One compromised external account grants threat actors access to your shared content. Additionally, accidental oversharing exposes confidential information.

Real incident: Employee shares HR data folder with external consultant. Consultant’s email is compromised. Attacker accesses employee records, salary information, performance reviews.

Fix it:

  1. SharePoint Admin Center > Policies > Sharing

  2. Set External sharing to at least “New and existing guests”, which removes anonymous “Anyone” links; choose “Existing guests” if only admins should onboard new guests

  3. Limit external sharing by domain: the allow list and the block list are alternatives, not layers, so pick one

  4. Allow list (preferred): add trusted vendor and partner domains only; it fails closed when an unknown domain appears

  5. Block list (weaker): add competitor domains and consumer mail providers if an allow list is not workable for your collaboration patterns

  6. Microsoft Entra admin center > External Identities > External collaboration settings

    • Guest invite settings: Only users assigned to specific admin roles can invite guest users (the Guest Inviter role)
    • Guest user access: Guest user access is restricted to properties and memberships of their own directory objects, so a compromised guest cannot enumerate your users
    • Collaboration restrictions: Allow invitations only to the specified domains, matching the SharePoint allow list

Timeline: Implement in phases; review sharing patterns first
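The same settings applied from the command line, as an added example that is not code from the original post: the SharePoint Online Management Shell sets the tenant-wide sharing ceiling and domain allow list, and Microsoft Graph PowerShell restricts who may invite guests. The admin URL and the partner domains are placeholders to replace.

```powershell
# Added example (not from the original post). Placeholders: the admin URL and partner domains.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant ceiling: no anonymous "Anyone" links; every external recipient must sign in as a guest.
# Use ExistingExternalUserSharingOnly if only admins should onboard new guests.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Domain restriction. AllowList and BlockList are alternatives, not layers; the allow list
# of named partners fails closed when a new vendor turns up.
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "partner.example vendor.example"

# Safer defaults for the links users create: "Specific people", view-only, and guests that expire.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# Read the settings back; this object is the audit evidence, not an admin center screenshot.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, DefaultSharingLinkType, DefaultLinkPermission, ExternalUserExpireInDays

# Entra side: only admins and holders of the Guest Inviter role may invite, and guests get the
# documented "Restricted access" directory role so they cannot enumerate your users.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization" -NoWelcome
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters" `
    -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b"
```

Site-level settings can never be more permissive than the tenant value set here, so this is the first change to make; the per-site review in #6 then only has to tighten the sensitive sites further.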

Misconfiguration #4: No DLP Policies (or Disabled DLP)

What we find: DLP policies aren’t configured, or existing policies are disabled due to “false positives” or “user complaints.”

Why it’s critical: DLP detects and prevents sensitive data (SSN, credit card, proprietary data) from leaking. Without it, insider threats and account compromise lead to data loss.

The incident: Marketing manager’s account is compromised; attacker forwards all customer data to external email. No DLP policy detects or blocks it.

Fix it:

  1. Microsoft Purview compliance portal > Data loss prevention > Policies

  2. Click + Create policy

  3. Choose a template: “U.S. Personally Identifiable Information (PII) Data” or “PCI Data Security Standard (PCI DSS)”; templates are a starting point, and the sensitive information types they use can be tuned for confidence level and instance count

  4. Select locations: Exchange email, SharePoint sites, OneDrive accounts, Teams chat and channel messages (add Devices if you license endpoint DLP)

  5. Configure rules:

    • Condition: Content contains sensitive information type, and content is shared with people outside the organization
    • Action: Restrict access; block people outside your organization, with override allowed only with a business justification (the justification is logged and can be alerted on)
    • Notifications: Policy tip to the user, incident report to the security team
  6. Run the policy in test mode with policy tips for 2-4 weeks and tune the false positives (raise instance counts, exclude the sites and senders that legitimately handle the data)

  7. Then switch the policy to Turn it on

Timeline: 4-6 weeks from pilot to full enforcement
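The policy above created with Security & Compliance PowerShell, as an added example that is not code from the original post. It assumes the ExchangeOnlineManagement module and a Compliance Administrator role; the incident-report mailbox is a placeholder.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement and
# Compliance Administrator; secops@contoso.example is a placeholder.
Connect-IPPSSession

$policyName = "Protect PII and Payment Card Data"

# Policy = scope + mode. TestWithNotifications is the "test it out first" mode: matches are
# logged and users see policy tips, but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks external sharing of SSNs and card numbers (audit finding #4)" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule = what to match and what to do. Only content going outside the organisation is
# blocked, and only external recipients are blocked (PerUser); the user may override with a
# justification, which lands in the incident report together with the match.
New-DlpComplianceRule -Name "$policyName - external sharing" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "Credit Card Number";                minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier `
    -NotifyAllowOverride WithJustification `
    -GenerateIncidentReport "secops@contoso.example" -IncidentReportContent All `
    -ReportSeverityLevel High

# Confirm what was created and that it is still in test mode
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Enabled
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, BlockAccess, BlockAccessScope, NotifyAllowOverride

# After 2-4 weeks of tuning, enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keep the policy in test mode until the incident reports stop being dominated by legitimate senders; a DLP policy that the business has learned to work around is the disabled policy this finding started with.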

Misconfiguration #5: No Conditional Access Policies

What we find: No conditional access policies at all, or only basic “Require MFA” without risk-based or device-based controls.

Why it’s critical: Conditional Access evaluates every sign-in against who is authenticating, from which device, from where and with what risk, and decides per request. It is the policy engine behind every zero-trust control in the tenant; without it, a valid password (and even a satisfied MFA prompt) is a permanent pass from any device anywhere.

Example scenario: User logs in from impossible location (country change in 2 hours), different device, unknown application. Without conditional access, this succeeds instantly.

Fix it:

Create baseline policies:

Policy 1: Require Compliant Device

  • Target resources: Office 365 (covers Exchange, SharePoint and Teams as one target)
  • Users: All users, excluding break-glass accounts
  • Grant: Require device to be marked as compliant (needs Intune enrolment; users on unmanaged devices are blocked, so pilot with a test group first)
  • Enable: Report-only, then On

Policy 2: High-Risk Sign-In Challenge

  • Condition: Sign-in risk = High (Entra ID P2, included in Microsoft 365 E5; without P2 there is no risk signal to condition on, so rely on Policy 1 and the tenant-wide MFA policy instead)
  • Grant: Require multifactor authentication (a separate user-risk policy should require a secure password change)
  • Enable: On

Policy 3: No Persistent Browser Session

  • Target resources: Office 365
  • Conditions: Client apps = Browser
  • Session: Persistent browser session = Never persistent
  • Effect: the “Stay signed in?” prompt is suppressed and users re-authenticate after closing the browser, so a session left on a shared or unmanaged machine does not outlive the browser

Timeline: 2-week report-only phase, then enforce (low user impact for policies 2 and 3; policy 1 depends on device enrolment being complete)
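The baseline policies from #1, #2 and this section created through the Microsoft Graph PowerShell SDK, as an added example that is not code from the original post. Every policy is created in report-only mode and excludes the break-glass accounts, whose UPNs are placeholders. It assumes Entra ID P1 (P2 for the sign-in-risk policy) and an account holding Conditional Access Administrator.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell SDK,
# Entra ID P1 (P2 for CA004) and Conditional Access Administrator; break-glass UPNs are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All" -NoWelcome

$breakGlassIds = "breakglass1@contoso.example", "breakglass2@contoso.example" |
    ForEach-Object { (Get-MgUser -UserId $_ -Property Id).Id }

$allUsers = @{ includeUsers = @("All"); excludeUsers = @($breakGlassIds) }
$allApps  = @{ includeApplications = @("All") }
$o365     = @{ includeApplications = @("Office365") }   # Exchange, SharePoint, Teams and friends as one target

$policies = @(
    @{  # #1: MFA for everyone, on every app
        displayName   = "CA001 - Require MFA for All Users"
        conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # #2: legacy auth cannot carry an MFA challenge, so it is blocked outright
        displayName   = "CA002 - Block Legacy Authentication"
        conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = @("exchangeActiveSync", "other") }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # #5 policy 1: Office 365 only from Intune-compliant devices
        displayName   = "CA003 - Require Compliant Device for Office 365"
        conditions    = @{ users = $allUsers; applications = $o365; clientAppTypes = @("all") }
        grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
    },
    @{  # #5 policy 2: Identity Protection high sign-in risk (Entra ID P2)
        displayName   = "CA004 - Require MFA on High Sign-in Risk"
        conditions    = @{ users = $allUsers; applications = $allApps; clientAppTypes = @("all"); signInRiskLevels = @("high") }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{  # #5 policy 3: browser sessions to Office 365 never persist past the browser
        displayName     = "CA005 - Never Persist Browser Session"
        conditions      = @{ users = $allUsers; applications = $o365; clientAppTypes = @("browser") }
        sessionControls = @{ persistentBrowser = @{ isEnabled = $true; mode = "never" } }
    }
)

foreach ($p in $policies) {
    $p.state = "enabledForReportingButNotEnforced"   # report-only: evaluate and log, do not enforce
    if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($p.displayName)'") {
        Write-Host "Already exists: $($p.displayName)"; continue
    }
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host "Created $($created.DisplayName) ($($created.Id)) in report-only mode"
}

# After a week of reviewing the Report-only tab of the sign-in log, enforce one policy at a time:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled
```

The exclusion of the break-glass accounts is not optional: a tenant whose only Global Administrators are all behind a compliant-device policy locks itself out the day Intune has an outage. Keep those accounts cloud-only, with long random passwords stored offline, and alert on any sign-in by them.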

Misconfiguration #6: SharePoint External Sharing at Site Level Unrestricted

What we find: The tenant-level sharing setting is permissive (“Anyone” or “New and existing guests”) because some sites legitimately collaborate externally, and every site inherits it. Admins assume HR, Finance and Legal are locked down because “we restricted sharing”, but nobody ever tightened those individual sites.

Why it’s critical: Site-level sharing can only be as permissive as the tenant setting, never more, so the tenant setting is a ceiling, not a floor. If the ceiling is high enough to serve collaboration sites, every sensitive site sits at that same level until someone explicitly lowers it, and accidental oversharing from those sites is one “Anyone” link away.

Fix it:

  1. SharePoint Admin Center > Sites > Active sites
  2. For each site:
    • Select the site and click Sharing in the command bar
    • Set External sharing to “Existing guests” or “Only people in your organization”
    • Set the default link type to “Specific people” and the default permission to View
  3. Do this first for the sensitive sites: HR, Finance, Legal, Executive, and any site that holds customer data

Alternatively, use PowerShell to audit all sites:

# Requires the SharePoint Online Management Shell; replace <tenant> with your tenant name
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
$sites = Get-SPOSite -Limit All
foreach ($site in $sites) {
  # ExternalUserAndGuestSharing = "Anyone" links; ExternalUserSharingOnly = new and existing guests
  if ($site.SharingCapability -in "ExternalUserAndGuestSharing", "ExternalUserSharingOnly") {
    Write-Output "$($site.Url) - $($site.SharingCapability)"
  }
}

Timeline: Audit all sites (2-3 hours), remediate over 1-2 weeks
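The remediation half of that audit, as an added example that is not code from the original post: it tightens a named list of sensitive sites to a target level (dry run by default) and then reports every remaining site that still permits new guests or anonymous links. The site and admin URLs are placeholders; it requires the SharePoint Online Management Shell and SharePoint Administrator.

```powershell
# Added example (not from the original post). Placeholders: admin URL and site URLs.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Order from most to least restrictive, since the SharingCapability enum is not comparable directly
$rank = @{
    Disabled                        = 0   # only people in your organisation
    ExistingExternalUserSharingOnly = 1   # existing guests only
    ExternalUserSharingOnly         = 2   # new and existing guests
    ExternalUserAndGuestSharing     = 3   # anyone, including anonymous links
}

function Set-SensitiveSiteSharing {
    param(
        [string[]]$SiteUrls,
        [string]$Target = 'ExistingExternalUserSharingOnly',
        [switch]$Apply            # without -Apply the function only reports what it would change
    )
    $tenantCeiling = [string](Get-SPOTenant).SharingCapability
    foreach ($url in $SiteUrls) {
        $current = [string](Get-SPOSite -Identity $url).SharingCapability
        if ($rank[$current] -le $rank[$Target]) {
            Write-Output "$url : $current (already at or below $Target)"
            continue
        }
        if ($Apply) {
            # A site can only be tightened below the tenant ceiling, never loosened above it
            Set-SPOSite -Identity $url -SharingCapability $Target
            Write-Output "$url : $current -> $Target"
        } else {
            Write-Output "$url : $current -> $Target (dry run; tenant ceiling is $tenantCeiling)"
        }
    }
}

# Dry run first, then apply
$sensitive = "https://contoso.sharepoint.com/sites/HR",
             "https://contoso.sharepoint.com/sites/Finance",
             "https://contoso.sharepoint.com/sites/Legal"
Set-SensitiveSiteSharing -SiteUrls $sensitive
# Set-SensitiveSiteSharing -SiteUrls $sensitive -Apply

# Everything else: any site still allowing new guests or Anyone links is a finding in its own right
Get-SPOSite -Limit All | Where-Object { $rank[[string]$_.SharingCapability] -ge 2 } |
    Select-Object Url, SharingCapability, Owner, LastContentModifiedDate | Sort-Object Url
```

Schedule the last query weekly: site owners can loosen their own site back up to the tenant ceiling at any time, so a one-off remediation drifts within months.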

Misconfiguration #7: No Audit Logging or Disabled Audit

What we find: Unified audit logging has been switched off, or mailbox auditing has been disabled or bypassed for specific mailboxes, so sign-ins, mailbox access and admin changes leave no record.

Why it’s critical: Without audit logs, you can’t detect breaches, investigate incidents, or comply with regulations. Attackers know this and operate freely.

Fix it:

  1. Microsoft Purview compliance portal > Audit

  2. If the page offers “Start recording user and admin activity”, click it; ingestion begins within about an hour. Also confirm mailbox auditing is on at the organization level (the default since 2019) and that no mailbox has an audit bypass association

  3. The unified audit log then records, among others:

    • Entra ID sign-in and user-management events
    • Exchange mailbox and admin activities
    • SharePoint and OneDrive file activities
    • Teams and Viva Engage (formerly Yammer) activities
    • Admin activities across all workloads
  4. Audit retention: Audit (Standard) keeps 180 days. With Audit (Premium) (E5 or the add-on) create an audit retention policy for one year, or up to ten years with the 10-year add-on licence. Export to a SIEM if you need longer or tamper-resistant retention

  5. Configure alert policies:

    • Compliance Portal > Policies > Alert policies
    • Keep the default policies enabled: Creation of forwarding/redirect rule, Suspicious email forwarding activity, Elevation of Exchange admin privilege, Unusual external user file activity
    • Add your own for directory role assignments and mailbox permission changes
    • Recipients: Security team mailbox or ticket queue, not an individual

Timeline: 30 minutes to enable; implement monthly audit reviews
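The enablement check and a first hunt through the log, as an added example that is not code from the original post: it verifies ingestion and mailbox auditing are on, then searches the unified audit log for the forwarding and inbox-rule changes that the compromised-account scenarios in #2, #4 and #10 all leave behind. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role.

```powershell
# Added example (not from the original post). Assumes ExchangeOnlineManagement and the Audit Logs role.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Ingestion into the unified audit log (recording starts within about an hour of enabling)
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it now"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing: organisation default on, and no mailbox quietly bypassed
if ((Get-OrganizationConfig).AuditDisabled) { Write-Warning "Mailbox auditing is disabled organisation-wide" }
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } | Select-Object Name, AuditBypassEnabled

# 3. Hunt: admin cmdlets that forward, redirect or delegate mail, last 30 days
$end   = Get-Date
$start = $end.AddDays(-30)
$ops   = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'Add-MailboxPermission', 'New-TransportRule', 'Set-TransportRule'
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 5000

$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json          # the useful detail is JSON inside AuditData
    $params = @{}
    foreach ($p in $d.Parameters) { $params[$p.Name] = $p.Value }
    # Any parameter that forwards, redirects or grants someone else access deserves a look
    $hits = @($params.Keys | Where-Object { $_ -match 'Forward|Redirect|AccessRights|BlindCopyTo' })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            When      = $r.CreationDate
            Actor     = $d.UserId
            Operation = $r.Operations
            Target    = $d.ObjectId
            ClientIP  = $d.ClientIP
            Detail    = ($hits | ForEach-Object { "$_=$($params[$_])" }) -join '; '
        }
    }
}
$findings | Sort-Object When -Descending | Format-Table -AutoSize
```

Rules created from Outlook rather than PowerShell show up as the mailbox-audit operation UpdateInboxRules with the detail in OperationProperties instead of Parameters; add that operation to the search once the admin-side baseline is clean. Any hit whose Actor is not a known administrator, or whose ClientIP is not one of yours, is an incident, not a finding.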

Misconfiguration #8: Overly Permissive Admin Roles

What we find: Excessive users assigned to global admin, Exchange admin, or SharePoint admin roles. Contractors and part-time staff retain admin access after projects end.

Why it’s critical: Each admin account is a target in its own right. A phished Global Administrator owns the tenant, including the audit log, the MFA settings and every mailbox, and an over-privileged but honest admin can do the same damage by mistake.

Real incident: Marketing contractor assigned the Exchange Administrator role for a migration project; after the contract ends the account is never disabled and keeps the role. The contractor’s credentials are later compromised, and the attacker inherits full control of the mail environment without ever touching an employee.

Fix it:

  1. Microsoft 365 Admin Center > Roles > Role assignments (or Microsoft Entra admin center > Roles & admins > select a role > Assignments), which lists members per role rather than roles per user

  2. Walk every role that has members, not just Global Administrator

  3. Document the purpose and justification for each assignment; anything nobody can justify is removed

  4. Remove unnecessary roles:

    • Global Administrator: fewer than five people, and at least two so one departure does not lock the tenant; prefer scoped roles for everything else
    • Exchange Administrator: only email administrators
    • SharePoint Administrator: only the SharePoint team
    • Security Administrator: security team only
    • Compliance Administrator: compliance officer and team
    • Guests, disabled accounts and accounts that have not signed in for 90 days hold no role at all
  5. For elevated temporary access, use Microsoft Entra Privileged Identity Management (PIM, Entra ID P2):

    • Make roles Eligible rather than Active (requires activation)
    • Require MFA and an approval workflow for activation
    • Auto-expire activations after 4 hours
    • Keep two cloud-only break-glass accounts with permanent Global Administrator, excluded from Conditional Access and PIM, with alerting on any sign-in

Timeline: Audit current roles (1 hour), implement PIM for future elevated access
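The role audit as a script, as an added example that is not code from the original post: it inventories every active directory role assignment and flags guests, disabled accounts, stale accounts and non-user principals, and warns when the Global Administrator count exceeds Microsoft’s recommendation. It assumes the Microsoft Graph PowerShell SDK with Directory.Read.All plus AuditLog.Read.All (needed to read signInActivity); PIM-eligible assignments are not included, since they are not active.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell SDK,
# Directory.Read.All and AuditLog.Read.All (the latter for signInActivity).
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All" -NoWelcome

$staleCutoff = (Get-Date).AddDays(-90)

# Get-MgDirectoryRole lists roles that have at least one active member; PIM-eligible
# assignments live elsewhere (Get-MgRoleManagementDirectoryRoleEligibilitySchedule).
$rows = foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']
        if ($type -ne '#microsoft.graph.user') {
            # Groups and service principals holding roles get their own review
            [pscustomobject]@{
                Role = $role.DisplayName; Principal = $m.AdditionalProperties['displayName']
                Type = $type -replace '^#microsoft\.graph\.', ''; LastSignIn = $null; Flags = 'non-user principal'
            }
            continue
        }
        $u = Get-MgUser -UserId $m.Id -Property "userPrincipalName,accountEnabled,userType,signInActivity"
        $last  = $u.SignInActivity.LastSignInDateTime
        $flags = @()
        if ($u.UserType -eq 'Guest')           { $flags += 'guest' }
        if (-not $u.AccountEnabled)            { $flags += 'disabled' }
        if (-not $last -or $last -lt $staleCutoff) { $flags += 'stale' }
        [pscustomobject]@{
            Role = $role.DisplayName; Principal = $u.UserPrincipalName
            Type = 'user'; LastSignIn = $last; Flags = ($flags -join ',')
        }
    }
}

$rows | Sort-Object Role, Principal | Format-Table -AutoSize

# The two numbers an auditor asks for first
$ga = @($rows | Where-Object { $_.Role -eq 'Global Administrator' })
if ($ga.Count -gt 4) { Write-Warning "$($ga.Count) Global Administrators; Microsoft recommends fewer than five" }
$flagged = @($rows | Where-Object { $_.Flags })
Write-Host "$($flagged.Count) assignments flagged for removal or review"
```

Run this before the PIM rollout to decide which assignments become Eligible and which simply disappear, and again quarterly; role membership drifts back without a scheduled check, and the flagged rows are the evidence a contract-end offboarding process is missing.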

Misconfiguration #9: No Retention Policies for Sensitive Workloads

What we find: Exchange and SharePoint have no retention policies. Content a user deletes is gone after the default windows (14 days in Exchange Recoverable Items, 93 days in the SharePoint recycle bin), while content nobody deletes, including years of mail and the files of long-departed employees, accumulates indefinitely.

Why it’s critical: Regulations and contracts set both a minimum and a maximum retention period. Without policies you can prove neither: you keep more data than you need, so every mailbox compromise or oversharing incident exposes more, and you cannot show that a record existed for the period an auditor asks about.

Fix it:

  1. Microsoft Purview compliance portal > Data lifecycle management > Microsoft 365 > Retention policies

  2. Create policy: “Retain Business Records 7 Years Then Delete”

    • Applies to: Exchange mailboxes, SharePoint sites, OneDrive accounts, Microsoft 365 Group mailboxes and sites (Teams chats and channel messages are separate locations and need their own policy)
    • Retention setting: Retain items for 7 years, then delete them automatically
    • Enable: On
  3. Create policy: “Delete General Mail After 3 Years” (or whatever your records schedule specifies)

    • Applies to: Exchange only
    • Retention setting: Only delete items when they reach 3 years
    • Know the precedence rules before you rely on it: retention always wins over deletion, the longest retention period wins, and an eDiscovery or litigation hold overrides everything, so a deletion policy never removes content another policy or a hold still requires
  4. For workloads with a different schedule (HR, Finance, Legal): scope separate policies to those sites and mailboxes, or publish retention labels that users and auto-labelling apply to the records themselves; where the law allows a shorter period (for example 3-5 years for some categories), shorter retention directly reduces what a breach exposes

Timeline: 1 week to configure, implement immediately

Misconfiguration #10: Third-Party App Permissions Not Reviewed

What we find: Users and admins have granted extensive permissions to third-party applications (Salesforce, Slack, Zapier, and a long tail of productivity add-ins) without anyone reviewing what data those grants reach.

Why it’s critical: A compromised or malicious third-party app holds its own tokens. It does not need the user’s password and MFA never challenges it, so with the right scopes it reads mail, calendar, files and contacts from outside your perimeter until someone revokes the grant.

Real incident: Employee installs a seemingly legitimate time-tracking app from an app store. It asks for permission to read all mail plus offline access, so its refresh token keeps working after the user closes the app. From then on it forwards every incoming message to an attacker-controlled address.

Fix it:

  1. Microsoft Entra admin center > Enterprise applications > Consent and permissions (tenant-wide view), and each application’s Permissions page

  2. List every application holding admin-consented or user-consented permissions, and separate the apps published by your own tenant or by Microsoft from genuine third parties

  3. For each app, verify:

    • Purpose: What is this app used for?
    • Permissions: Are they necessary? Mail.Read, Mail.ReadWrite, MailboxSettings.ReadWrite, Files.Read.All and Directory.ReadWrite.All are the scopes that turn a compromised app into an exfiltration channel; offline_access is what lets it keep working after the user logs out
    • Ownership: Who requested this app, and are they still here?
    • Publisher: Is the publisher verified?
  4. Remove permissions:

    • On the application’s Permissions page use Review permissions, which revokes the grant (and offers PowerShell for the same); deleting the enterprise application removes every grant at once, and the app must be consented to again to come back
  5. Stop the problem recurring by restricting who can consent (this is an Entra consent setting, not a Conditional Access policy):

    • Enterprise applications > Consent and permissions > User consent settings
    • Select “Do not allow user consent”, or at most “Allow user consent for apps from verified publishers, for selected permissions”
    • Admin consent settings: turn on “Users can request admin consent to apps they are unable to consent to” and name the security team as reviewers, so requests are approved rather than self-served

Timeline: Audit all permissions (1-2 hours), review quarterly
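The permission audit as a script, as an added example that is not code from the original post: it lists every delegated and application permission granted to non-Microsoft apps, flags the scopes an exfiltration app would ask for, and then restricts user consent to low-impact permissions from verified publishers. It assumes the Microsoft Graph PowerShell SDK with Directory.Read.All (and Policy.ReadWrite.Authorization for the final step); the regular expression of risky scopes is this example’s own choice.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph PowerShell SDK,
# Directory.Read.All, and Policy.ReadWrite.Authorization for the consent change at the end.
Connect-MgGraph -Scopes "Directory.Read.All", "Policy.ReadWrite.Authorization" -NoWelcome

$tenantId = (Get-MgContext).TenantId
# Microsoft's own tenants, owners of the first-party service principals we skip
$microsoftTenants = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a', '72f988bf-86f1-41af-91ab-2d7cd011db47'
# Scopes that let an app read or move data out on its own (example's own list; extend to taste)
$risky = 'Mail\.|MailboxSettings|Files\.Read|Files\.ReadWrite|Sites\.|Directory\.ReadWrite|RoleManagement|User\.ReadWrite\.All|offline_access|full_access_as_app|EWS\.AccessAsUser\.All'

$spCache = @{}
function Get-Sp([string]$Id) {          # resolve service principals once, not per grant
    if (-not $spCache.ContainsKey($Id)) { $spCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id }
    $spCache[$Id]
}

$rows = [System.Collections.Generic.List[object]]::new()

# Delegated permissions: the app acts as a user. AllPrincipals = admin consent for everyone,
# Principal = one user consented for themselves.
foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $client = Get-Sp $g.ClientId
    $rows.Add([pscustomobject]@{
        App        = $client.DisplayName
        ThirdParty = $client.AppOwnerOrganizationId -notin ($microsoftTenants + $tenantId)
        Kind       = if ($g.ConsentType -eq 'AllPrincipals') { 'delegated/admin' } else { 'delegated/user' }
        Resource   = (Get-Sp $g.ResourceId).DisplayName
        Scopes     = $g.Scope.Trim()
        GrantId    = $g.Id           # Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId> revokes it
    })
}

# Application permissions: the app acts on its own, with no user in the loop at all.
foreach ($client in Get-MgServicePrincipal -All | Where-Object { $_.AppOwnerOrganizationId -notin $microsoftTenants }) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id -All) {
        $res = Get-Sp $a.ResourceId
        $rows.Add([pscustomobject]@{
            App        = $client.DisplayName
            ThirdParty = $client.AppOwnerOrganizationId -ne $tenantId
            Kind       = 'application'
            Resource   = $res.DisplayName
            Scopes     = ($res.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }).Value
            GrantId    = $a.Id         # Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <client> -AppRoleAssignmentId <GrantId>
        })
    }
}

$rows | Where-Object { $_.ThirdParty -and $_.Scopes -match $risky } |
    Sort-Object App, Kind | Format-Table App, Kind, Resource, Scopes -AutoSize

# Prevention: users may only self-consent to low-impact permissions from verified publishers.
# Use an empty array instead to disable user consent entirely and route everything through the
# admin consent workflow.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    permissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}
```

Treat every delegated/user row with a risky scope as a consent-phishing candidate: the user was asked, said yes, and nobody with security responsibility ever saw the request. Revoking the grant invalidates the app’s refresh token, which is what actually ends the access.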

Remediation Priority Matrix

Implement these fixes based on priority:

Immediate (This Week):

  • #1 MFA Enforcement
  • #2 Block Legacy Authentication
  • #7 Enable Audit Logging

Short-term (This Month):

  • #3 Restrict External Guest Access
  • #8 Review and Reduce Admin Roles
  • #5 Implement Conditional Access

Medium-term (This Quarter):

  • #4 Deploy DLP Policies
  • #10 Review Third-Party App Permissions
  • #6 Audit SharePoint Sharing Settings
  • #9 Create Retention Policies

Moving Forward

These ten misconfigurations represent the most common security gaps we find in Microsoft 365 audits. Addressing them significantly strengthens your security posture and closes pathways for breaches.

Many organizations recognize these gaps after a breach has already occurred. Proactive assessment and remediation prevent incidents in the first place.

Ready to audit your Microsoft 365 environment for these misconfigurations? Schedule an assessment at 365securityassessment.com and let our team identify and remediate security gaps before they become incidents.
