
Why Microsoft 365 Misconfigurations Are Your Real Security Risk


Earlier this year, the cyberattack on M&S made the headlines, costing the retailer an estimated £300m in lost profits. Jaguar Land Rover had to halt its operations for an entire month due to a cyberattack at the beginning of September. And these are just two of the most recent examples of cyberattacks. Even more devastating were the effects of a ransomware attack on Knights of Old, a 158-year-old company that went completely under due to the attack - and with that 730 people lost their jobs.

What sets Knights of Old apart was that they weren't a household name, had robust security systems in place and were even insured up to £1m. 

In our cybersecurity series focused on Microsoft 365, we want to highlight just how powerful the security features already included are - IF you know how to use them.

Have you made sure that your Microsoft 365 security setup keeps hackers out?


Table of Contents

Cybersecurity Tools in M365 Are Vast – But There’s a Catch

The Common Weak Spots We See

What Do Other Security Risks Look Like in Practice?

Why Does It Matter – the Recap

How Can You Stay In Control of M365 Cybersecurity?

Download Our Interactive Guide


Cybersecurity Tools in Microsoft 365 Are Vast – But There’s a Catch

Contrary to popular belief, a Microsoft 365 (M365) environment is not necessarily secure because you’ve enabled Multi-Factor Authentication (MFA) or reached a good Secure Score. These are just pieces of the puzzle, and misconfigurations and oversights are far more common than you’d think. A false sense of security leads to overconfidence in your cybersecurity setup, which can, unfortunately, also be your downfall.

While you have vast controls over your security setup in M365, the default configuration is unsafe—think admin accounts without MFA, audit logs disabled or legacy authentication still in place. It’s like closing the window but not locking your front door.

Real-world risk is hidden in the detail. Your Secure Score is merely a useful hygiene checklist, aiming at low-hanging fruit, as the scoring engine is weighted towards “checkbox” settings. What you should be considering is the broader kill-chain, the human element and operational readiness. Ask yourself the question: Can an attacker still phish, move laterally, escalate and persist if every Secure Score recommendation is green? If the honest answer is “yes”, it’s high time for you to look at your configuration in detail.

The Common Weak Spots We See

  1. MFA for admin accounts is not enforced.

Microsoft research shows MFA can stop 99.2% of account compromise attacks. Especially for admins - who have power over security settings in M365 - enabling MFA is absolutely crucial to keep their accounts safe from cybercriminals. However, blanket grant controls such as ‘Require MFA’ lead to excessive MFA prompts and “approve-all” behaviour. Instead, create Conditional Access policies (Microsoft Entra ID P1 or P2) that only trigger MFA prompts once specific conditions are met.

  2. Conditional Access rules are set too broadly.

You should always apply the principle of least privilege. Do not include emergency access or break-glass accounts in Conditional Access policies, so that a misconfigured policy cannot lock them out. Why? If all your administrators happened to be locked out, these accounts will help you regain access.

The benefit of Conditional Access policies lies in their granularity. If you leave rules too broad, any misconfiguration will also hit everyone at once. Practically speaking, you’re in a riskier situation even for roll-back, because you may have to disable the policy entirely. If you leave conditions at their defaults (think any location, any platform, any client app, any device state), your policy doesn’t distinguish between trusted and high-risk contexts. As a consequence, a threat actor signing in from Tor - a browser designed to provide anonymity and privacy - or from a ransomware-infected device would be treated the same as a managed laptop on the corporate network. On the other hand, you waste licences and raise unnecessary MFA prompts in low-risk scenarios, which can irritate users and encourage MFA fatigue. While a blanket MFA approach may pass the audit, users may start to auto-approve MFA prompts, which benefits hackers who are trying to bypass MFA. Access should always be role-based.
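To make the three points above concrete (admin MFA must actually be enforced, break-glass accounts must be excluded, and an all-users policy with default conditions is the blanket rule to avoid), here is an added example of a read-only policy review. It is not code from the original article or from Microsoft; the policy dictionaries follow the shape Microsoft Graph returns from /identity/conditionalAccess/policies, and the three sample policies and the break-glass account IDs are constructed for this example.

```python
"""Added example: a read-only review of Conditional Access policies for the
weak spots described above. The policy dictionaries follow the shape that
Microsoft Graph returns from /identity/conditionalAccess/policies; the three
sample policies and the break-glass account IDs are constructed for this
example and do not come from any real tenant."""

# Well-known Microsoft Entra role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"

# Constructed object IDs of the two emergency-access (break-glass) accounts.
BREAK_GLASS_ACCOUNTS = {"bg-0001", "bg-0002"}


def conditions_are_default(policy):
    """True when the policy does not narrow the sign-in context at all:
    no location, platform, client-app or risk condition is set, so a Tor
    sign-in and a managed corporate laptop are treated identically."""
    c = policy.get("conditions", {})
    locations = c.get("locations") or {}
    platforms = c.get("platforms") or {}
    client_apps = c.get("clientAppTypes") or []
    return (
        not locations.get("includeLocations")
        and not platforms.get("includePlatforms")
        and (not client_apps or client_apps == ["all"])
        and not c.get("signInRiskLevels")
        and not c.get("userRiskLevels")
    )


def review_policies(policies):
    """Return a list of human-readable findings for the given policies."""
    findings = []
    enabled = [p for p in policies if p.get("state") == "enabled"]

    # 1. Is there an *enforced* policy that requires MFA for Global Admins?
    #    Report-only ("enabledForReportingButNotEnforced") does not count.
    admin_mfa = [
        p for p in enabled
        if GLOBAL_ADMIN_ROLE in p.get("conditions", {}).get("users", {}).get("includeRoles", [])
        and "mfa" in p.get("grantControls", {}).get("builtInControls", [])
    ]
    if not admin_mfa:
        findings.append("No enforced policy requires MFA for Global Administrators")

    for p in enabled:
        users = p.get("conditions", {}).get("users", {})
        name = p.get("displayName", p.get("id", "<unnamed>"))

        # 2. Break-glass accounts must be excluded so a bad policy cannot lock everyone out.
        missing = BREAK_GLASS_ACCOUNTS - set(users.get("excludeUsers", []))
        if missing:
            findings.append(f"{name}: break-glass accounts not excluded: {sorted(missing)}")

        # 3. A policy aimed at everyone with default conditions is the blanket
        #    rule the text warns about: one mistake hits all users at once.
        if users.get("includeUsers") == ["All"] and conditions_are_default(p):
            findings.append(f"{name}: applies to all users with default conditions")
    return findings


# Constructed sample policies.
SAMPLE_POLICIES = [
    {   # Blanket rule: everyone, everywhere, no exclusions.
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Correct shape for admins, but never switched on.
        "displayName": "Require MFA for Global Administrators",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": ["bg-0001", "bg-0002"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Narrowed rule: only outside trusted locations, break-glass excluded.
        "displayName": "Require compliant device outside trusted locations",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["bg-0001", "bg-0002"]},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    },
]

if __name__ == "__main__":
    for finding in review_policies(SAMPLE_POLICIES):
        print("-", finding)
```

Run against the sample tenant it reports three findings: the admin MFA policy exists but is only in report-only mode, and the all-users policy neither excludes the break-glass accounts nor narrows its conditions. The third policy passes because it excludes the emergency accounts and only bites outside trusted locations.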

  3. Disabled audit logs or short retention

Audit logs are crucial for compliance and business purposes, as they document all activity within Azure/M365 across your organisation: event names, their description, the time, who created the event and from where, etc. They’re a crucial tool for tracking user activity for safety purposes and help security teams investigate breaches.

  4. Legacy authentication is still open

Legacy authentication protocols - think POP3, IMAP, SMTP, Exchange ActiveSync (basic authentication) and certain older Office clients - bypass Conditional Access policies and don’t support modern security controls such as OAuth 2.0.

What's the problem with legacy authentication?

  • Basic credentials only: Username and password are sent in clear text or easily reversible forms.
  • No MFA support
  • Conditional Access policies only apply to modern authentication flows, so they have no effect on legacy sign-ins
  • Difficult to audit or revoke granularly – the real-time sign-in information available for modern OAuth-based flows is not available.

The consequences?

  • Scripts can repeatedly attempt username/password combinations without triggering MFA or Conditional Access (credential stuffing).
  • Basic authentication endpoints are often unrestricted, which makes high-volume password guessing possible (brute-force attacks).
  • Attackers who have managed to harvest passwords can access mailboxes directly without triggering a second-factor challenge such as MFA.
  • Lack of modern telemetry lets hackers sign in from suspicious locations or devices unnoticed, as these sign-ins carry little detail in the sign-in logs.
  • Unrestricted backdoor access when everything else is locked down.
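The two defensive moves that follow from this list are to find out who is still using basic authentication and then to block it with a Conditional Access policy. The script below is an added example, not code from the original article or from Microsoft. It reads sign-in records shaped like a few fields of the Graph signIns resource (userPrincipalName, clientAppUsed, ipAddress, status.errorCode), summarises legacy-protocol use per user, flags the burst-of-failures pattern that credential stuffing leaves behind, and emits the blocking policy. Every sign-in, account and IP address in it is constructed; the failure threshold of five is an arbitrary assumption for the example.

```python
"""Added example: spot legacy-authentication use in Entra sign-in logs and
emit the Conditional Access policy that closes the door. The records mimic a
few fields of the Graph signIns resource (userPrincipalName, clientAppUsed,
ipAddress, status.errorCode); all of the sample sign-ins, accounts and IP
addresses below are constructed for this example."""
import json
from collections import defaultdict

# clientAppUsed values that mean basic/legacy authentication. "Browser" and
# "Mobile Apps and Desktop clients" are modern (OAuth) flows and are ignored.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed sign-in records, one JSON object per line. errorCode 0 is a
# successful sign-in; 50126 is the "invalid username or password" result.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3", "ipAddress": "198.51.100.1", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3", "ipAddress": "198.51.100.2", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3", "ipAddress": "198.51.100.3", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3", "ipAddress": "198.51.100.4", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "POP3", "ipAddress": "198.51.100.5", "status": {"errorCode": 50126}}
{"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Authenticated SMTP", "ipAddress": "198.51.100.6", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "203.0.113.20", "status": {"errorCode": 0}}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_report(signins, failure_threshold=5):
    """Summarise legacy-protocol sign-ins per user.

    A run of failed basic-auth attempts from many addresses is the
    credential-stuffing pattern the text describes: no MFA or Conditional
    Access check ever fires, so only the sign-in log reveals it."""
    per_user = defaultdict(lambda: {"success": 0, "failure": 0, "apps": set(), "ips": set()})
    for s in signins:
        app = s.get("clientAppUsed")
        if app not in LEGACY_CLIENT_APPS:
            continue  # modern flow: Conditional Access already sees it
        entry = per_user[s["userPrincipalName"]]
        ok = s.get("status", {}).get("errorCode", 0) == 0
        entry["success" if ok else "failure"] += 1
        entry["apps"].add(app)
        entry["ips"].add(s.get("ipAddress"))
    return {
        upn: {
            "legacy_success": e["success"],
            "legacy_failure": e["failure"],
            "apps": sorted(e["apps"]),
            "distinct_ips": len(e["ips"]),
            "suspected_credential_stuffing": e["failure"] >= failure_threshold,
        }
        for upn, e in per_user.items()
    }


def block_legacy_auth_policy(break_glass_ids):
    """Conditional Access policy that blocks legacy protocols tenant-wide.
    Same shape as a Graph conditionalAccessPolicy; create it in report-only
    mode first, then set state to "enabled" once the report above is clean."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            # exchangeActiveSync + other together cover every basic-auth client type.
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    report = legacy_auth_report(parse_signins(SAMPLE_SIGNINS))
    for upn, row in report.items():
        print(upn, row)
    print(json.dumps(block_legacy_auth_policy(["bg-0001"]), indent=2))
```

In the sample data alice has a genuine IMAP client that needs migrating before the block goes live, bob’s account shows five failed POP3 attempts from five different addresses followed by a successful SMTP sign-in, and carol never appears because she only uses modern clients. Deploying the policy in report-only mode first lets you compare its would-be hits against this report before anyone is cut off.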

What Do Other Security Risks Look Like in Practice?

Too many global or high-privilege roles

Everyone is in “Global Admin” or “SharePoint Admin” rather than a narrowly scoped role (e.g. “Exchange Recipient Admin” or “Teams Communications Admin”).

Over-broad Microsoft Entra ID app consents

Third-party or custom apps are allowed full read and write access instead of least-privilege scopes.

Uncontrolled group nesting

A security group that grants access to sensitive SharePoint or Exchange resources contains other groups whose membership isn’t regularly audited.

Inherited file-share and Teams channel permissions

Sites or Teams default to “everyone except external users” as owners or members, meaning every new hire or contractor immediately gains site-owner privileges.

Never-reviewed legacy assignments

Service accounts, automation scripts or ex-employees still carry Exchange, Teams or Intune admin licences long after they should have been decommissioned.
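Two of the items above, uncontrolled group nesting and over-broad app consents, are easy to check programmatically once you have a snapshot of the directory. The script below is an added example written for this article, not the authors’ or Microsoft’s code. It resolves the effective membership of a sensitive group through any depth of nesting (including the membership cycle that a naive recursive walk would loop on), separates direct members from the inherited ones nobody reviews, and lists app consents that carry write or tenant-wide (*.All) scopes. The group names, user names, app names and grants are all constructed; the grant fields follow the Graph oAuth2PermissionGrant resource.

```python
"""Added example: two of the access-review checks described above, run over a
constructed directory snapshot. Group and user names, the app names and the
consent grants below are all made up for this example; the grant fields
(consentType, scope) follow the Graph oAuth2PermissionGrant resource."""

# Constructed group membership. Each entry lists direct user members and
# directly nested groups. Contractors-2023 nests Finance-Team back, a cycle
# that a naive recursive walk would loop on forever.
GROUPS = {
    "Finance-SharePoint-Owners": {"users": ["fin-lead"], "groups": ["Finance-Team"]},
    "Finance-Team": {"users": ["acct1", "acct2"], "groups": ["Contractors-2023"]},
    "Contractors-2023": {"users": ["ctr-ext1"], "groups": ["Finance-Team"]},
}

# Constructed OAuth2 permission grants (app consents). consentType
# "AllPrincipals" is tenant-wide admin consent; "Principal" is one user's consent.
GRANTS = [
    {"clientDisplayName": "Expense Tracker", "consentType": "AllPrincipals",
     "scope": "Mail.ReadWrite Files.ReadWrite.All User.Read"},
    {"clientDisplayName": "Calendar Widget", "consentType": "AllPrincipals",
     "scope": "Calendars.Read User.Read"},
    {"clientDisplayName": "Dev Tool", "consentType": "Principal",
     "scope": "Directory.ReadWrite.All"},
]

# Scope name fragments that signal write access or tenant-wide reach.
OVERBROAD_MARKERS = ("ReadWrite", ".All")


def effective_members(group_name, groups):
    """Resolve every user who reaches group_name through any depth of nesting.
    Returns {user: path}, where path is the chain of groups walked to reach
    the user. The visited set stops membership cycles."""
    result = {}
    visited = set()
    stack = [(group_name, [group_name])]
    while stack:
        name, path = stack.pop()
        if name in visited:
            continue
        visited.add(name)
        entry = groups.get(name, {"users": [], "groups": []})
        for user in entry["users"]:
            result.setdefault(user, path)  # keep the first path found
        for child in entry["groups"]:
            stack.append((child, path + [child]))
    return result


def nesting_report(group_name, groups):
    """Split a sensitive group's effective members into direct members (the
    ones visible in the portal) and members inherited through nesting."""
    direct = set(groups.get(group_name, {"users": []})["users"])
    inherited = {u: p for u, p in effective_members(group_name, groups).items() if u not in direct}
    return {"direct": sorted(direct), "inherited": inherited}


def overbroad_consents(grants):
    """Return (app, consentType, over-broad scopes) for each grant that holds a
    write or *.All permission, whether admin- or user-consented."""
    findings = []
    for g in grants:
        wide = [s for s in g["scope"].split() if any(m in s for m in OVERBROAD_MARKERS)]
        if wide:
            findings.append((g["clientDisplayName"], g["consentType"], wide))
    return findings


if __name__ == "__main__":
    print(nesting_report("Finance-SharePoint-Owners", GROUPS))
    for app, consent, scopes in overbroad_consents(GRANTS):
        print(f"{app} ({consent}): {' '.join(scopes)}")
```

For the sample snapshot the owners group has one direct member but three inherited ones, including an external contractor who arrives two hops down through a group that loops back on itself; that is exactly the membership a portal view of the group never shows. The consent check flags the expense app’s tenant-wide mailbox and file write scopes and the single-user grant of Directory.ReadWrite.All, while the calendar widget with read-only scopes passes.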

Why Does It Matter – the Recap

The truth is, cybercriminals don’t need a new vulnerability that Microsoft will patch in the next update to entice them to attack. While such vulnerabilities do pose a risk, threat actors will simply exploit anything that has been left open. Most successful breaches happen despite security tools being in place, albeit misconfigured.

How Can You Stay In Control of M365 Cybersecurity?

We recommend that you:

  • Run configuration reviews every quarter.
  • Cross-check your environment against Microsoft’s security baseline.
  • Validate Secure Score insights rather than relying on them.
  • Involve a second set of eyes (internal or outsourced).

Download Our Interactive Guide

Your M365 security posture isn’t about what you have, but how you’ve set it up. Download our guide containing the most important aspects - including video tutorials - below.