Microsoft 365 · 16 June 2026 · 6 min read

7 Microsoft 365 Security Misconfigurations We Find Most Often

Microsoft 365 includes powerful security capabilities, but many organisations never fully configure them. These are the seven issues that come up most often in M365 security assessments.


During Microsoft 365 security assessments, the same issues appear repeatedly. Here are the seven we find most often.

1. Multi-Factor Authentication Not Enabled for Everyone

MFA remains one of the most effective protections against account compromise.

Organisations often enable MFA for administrators but leave standard users unprotected. A single compromised standard user account is frequently all an attacker needs to pivot further into your environment.

2. Too Many Global Administrators

Every Global Administrator account represents a high-value target.

Microsoft recommends limiting Global Administrator privileges to only those who genuinely require them — typically two to three accounts for redundancy, not one per IT team member. Excess admin accounts dramatically increase your attack surface.

3. Inactive User Accounts Remain Enabled

Former employees and unused accounts are frequently left active for months or years.

These accounts create unnecessary risk and should be reviewed regularly. An attacker who obtains the credentials of a dormant account may go unnoticed for a long time — there's no active user to notice something is wrong.

4. Guest Users Are Never Reviewed

External collaboration is common, but guest accounts often accumulate over time without proper oversight.

Regular guest access reviews help reduce exposure. Guest accounts that were added for a short-term project two years ago may still have access to sensitive SharePoint sites and Teams channels.

5. Conditional Access Policies Are Missing

Conditional Access is one of the most important security features in Microsoft 365.

Without it, organisations lose valuable protection against risky sign-ins and compromised accounts. Conditional Access allows you to enforce MFA, require compliant devices, block legacy authentication, and restrict access by location — all enforced at the identity layer before a user reaches your data.

6. Security Defaults Are Disabled Without Replacement Controls

Some organisations disable Security Defaults but never implement equivalent Conditional Access policies.

This can unintentionally weaken tenant security. Security Defaults provide a baseline of protection — disabling them is reasonable if you're replacing them with more granular Conditional Access policies, but dangerous if you're simply turning them off.
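One way to make the "replaced, or merely switched off?" question concrete, as an added example that is not part of the original post: the checks below run over Conditional Access policy objects in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies`, and the Security Defaults flag would come from the `isEnabled` property of `/policies/identitySecurityDefaultsEnforcementPolicy`. The two sample policies are constructed for illustration, and the pair of baseline protections checked (MFA for all users, legacy authentication blocked) is an assumed subset of what Security Defaults enforce, not an exhaustive list.

```python
# Added example (not from the original post): does the tenant's Conditional
# Access policy set still provide the baseline that Security Defaults gave?
# Policy objects follow the Microsoft Graph conditionalAccessPolicy shape;
# the sample policies below are constructed.

ENFORCED = "enabled"  # report-only ("enabledForReportingButNotEnforced") is not enforcement

# Constructed sample: Security Defaults were turned off and two policies were
# written, but the legacy-auth block was left in report-only mode.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-account-id"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _covers_all_users(policy):
    """True when the policy targets every user and every cloud app."""
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {}).get("includeUsers", [])
    apps = conditions.get("applications", {}).get("includeApplications", [])
    return "All" in users and "All" in apps


def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def requires_mfa_for_all(policies):
    """An enforced policy that grants access to all users only with MFA."""
    return any(
        p.get("state") == ENFORCED and _covers_all_users(p) and "mfa" in _controls(p)
        for p in policies
    )


def blocks_legacy_auth(policies):
    """An enforced block policy that covers the legacy client app types."""
    legacy = {"exchangeActiveSync", "other"}
    for p in policies:
        client_apps = set(p.get("conditions", {}).get("clientAppTypes", []))
        if (p.get("state") == ENFORCED and "block" in _controls(p)
                and _covers_all_users(p) and legacy <= client_apps):
            return True
    return False


def security_defaults_gap(security_defaults_enabled, policies):
    """Baseline protections provided neither by Security Defaults nor by an
    enforced Conditional Access policy. Empty list means no gap."""
    if security_defaults_enabled:
        return []
    gaps = []
    if not requires_mfa_for_all(policies):
        gaps.append("mfa-for-all-users")
    if not blocks_legacy_auth(policies):
        gaps.append("block-legacy-authentication")
    return gaps


if __name__ == "__main__":
    print(security_defaults_gap(False, SAMPLE_POLICIES))
```

Against the constructed sample the only reported gap is the legacy-authentication block, because a report-only policy is counted as absent; that is the state many tenants sit in for months after a migration from Security Defaults.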

7. Privileged Accounts Are Used for Daily Work

Administrative accounts should not be used for reading email, browsing the web, or routine office tasks.

Separating privileged and standard accounts reduces attack surface. If an admin account is compromised via a phishing email opened during routine work, the attacker immediately has Global Admin access to your entire tenant.

How to Identify These Issues

Many of these problems can be identified automatically using Microsoft Graph data and tenant security assessments.

Regular reviews help organisations understand their current security posture and prioritise improvements. If you haven't reviewed your Microsoft 365 environment recently, start by assessing:

  • MFA coverage
  • Administrative privileges
  • Guest accounts
  • Inactive users
  • Conditional Access policies
  • Secure Score
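As an added example of the automated identification mentioned above (not code from the original post or from Certvik), the script below runs the first four review items over records shaped like Microsoft Graph responses: `/users` with `signInActivity`, `/reports/authenticationMethods/userRegistrationDetails` (`isMfaRegistered`), and the member list of the Global Administrator directory role. All records are constructed inline, the 90-day inactivity window and the cap of three Global Administrators are assumed thresholds, and the fixed "now" keeps the output deterministic.

```python
# Added example (not from the original post): triage checks over
# Graph-shaped tenant data. Records and thresholds below are constructed
# or assumed; in an assessment they come from the Graph endpoints named
# in the lead-in.
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER_DAYS = 90   # assumed; align with your leaver process
MAX_GLOBAL_ADMINS = 3      # the post's "two to three accounts" guidance
NOW = datetime(2026, 6, 16, tzinfo=timezone.utc)  # fixed for a reproducible run

# Constructed sample users (userType, accountEnabled and signInActivity use
# the Graph property names).
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "userType": "Member", "signInActivity": {"lastSignInDateTime": "2026-06-10T08:00:00Z"}},
    {"id": "u2", "userPrincipalName": "bob@contoso.example", "accountEnabled": True,
     "userType": "Member", "signInActivity": {"lastSignInDateTime": "2025-11-01T08:00:00Z"}},
    {"id": "u3", "userPrincipalName": "carol_partner.example#EXT#@contoso.example",
     "accountEnabled": True, "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-05-01T08:00:00Z"}},
    {"id": "u4", "userPrincipalName": "dave@contoso.example", "accountEnabled": False,
     "userType": "Member", "signInActivity": {}},        # disabled leaver
    {"id": "u5", "userPrincipalName": "erin@contoso.example", "accountEnabled": True,
     "userType": "Member", "signInActivity": {}},        # enabled, never signed in
    {"id": "u6", "userPrincipalName": "frank@contoso.example", "accountEnabled": True,
     "userType": "Member", "signInActivity": {"lastSignInDateTime": "2026-06-14T08:00:00Z"}},
]
# Constructed: user id -> isMfaRegistered from userRegistrationDetails.
SAMPLE_MFA_REGISTRATION = {"u1": True, "u2": False, "u3": False, "u4": False,
                           "u5": False, "u6": True}
# Constructed: member ids of the Global Administrator directory role.
SAMPLE_GLOBAL_ADMIN_IDS = ["u1", "u2", "u5", "u6", "u4"]


def _last_sign_in(user):
    stamp = user.get("signInActivity", {}).get("lastSignInDateTime")
    if not stamp:
        return None
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def enabled_members(users):
    return [u for u in users if u["accountEnabled"] and u["userType"] == "Member"]


def mfa_coverage(users, registration):
    """Fraction of enabled member accounts with MFA registered, plus the laggards."""
    members = enabled_members(users)
    missing = [u["userPrincipalName"] for u in members if not registration.get(u["id"], False)]
    covered = 1.0 - len(missing) / len(members) if members else 1.0
    return covered, missing


def inactive_accounts(users, now=NOW, days=INACTIVE_AFTER_DAYS):
    """Enabled accounts with no sign-in inside the window (or none at all)."""
    cutoff = now - timedelta(days=days)
    stale = []
    for u in users:
        if not u["accountEnabled"]:
            continue
        last = _last_sign_in(u)
        if last is None or last < cutoff:
            stale.append(u["userPrincipalName"])
    return stale


def guest_accounts(users):
    return [u["userPrincipalName"] for u in users
            if u["userType"] == "Guest" and u["accountEnabled"]]


def global_admin_findings(users, admin_ids, registration, limit=MAX_GLOBAL_ADMINS):
    """Too many enabled Global Admins, admins without MFA, disabled accounts still in the role."""
    by_id = {u["id"]: u for u in users}
    enabled = [i for i in admin_ids if by_id.get(i, {}).get("accountEnabled")]
    findings = []
    if len(enabled) > limit:
        findings.append(f"{len(enabled)} enabled Global Administrators (limit {limit})")
    for i in admin_ids:
        u = by_id.get(i)
        if u is None:
            continue
        if not u["accountEnabled"]:
            findings.append(f"disabled account {u['userPrincipalName']} still holds Global Administrator")
        elif not registration.get(i, False):
            findings.append(f"Global Administrator {u['userPrincipalName']} has no MFA registered")
    return findings


def assess(users, registration, admin_ids, now=NOW):
    covered, missing = mfa_coverage(users, registration)
    return {
        "mfa_coverage": round(covered, 2),
        "mfa_missing": missing,
        "inactive": inactive_accounts(users, now),
        "guests": guest_accounts(users),
        "global_admin": global_admin_findings(users, admin_ids, registration),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_USERS, SAMPLE_MFA_REGISTRATION, SAMPLE_GLOBAL_ADMIN_IDS).items():
        print(f"{key}: {value}")
```

Two details matter in practice: a disabled account keeps its role assignment until someone removes it, which is why the Global Administrator check walks the role membership rather than only counting enabled users, and an account with no recorded sign-in is treated as inactive rather than skipped, since "never used" is exactly the dormant case described in item 3.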

Small improvements in these areas can significantly reduce risk.

Start collecting evidence automatically

Certvik connects to your Microsoft 365 tenant and maps your configuration to ISO 27001 and SOC 2 controls — so you're always audit-ready, not scrambling before a deadline.

Free resource

Free Microsoft 365 Compliance Checklist

MFA, Conditional Access, guest access, privileged accounts, Secure Score, and ISO 27001 readiness — all in one checklist.

Want a structured review first?

Book a Microsoft 365 Security & Compliance Assessment — an expert review of your tenant delivered as a written report.
