Microsoft 365 is, out of the box, not nearly as secure as most businesses assume it is. The licenses include powerful security tools — but those tools ship disabled or misconfigured by default. Microsoft leaves the configuration to you, and most businesses either don't know what to configure or assume the defaults are fine.
They're not. Here are the gaps we find most consistently when we audit new clients' Microsoft 365 environments.
1. MFA Is Not Enforced for All Users
Multi-factor authentication is the single most effective control against account takeover. Microsoft's own data shows that MFA blocks over 99% of automated credential attacks. And yet in most tenants we inherit, MFA is either not enabled at all, enabled but not enforced (meaning users can skip it), or enforced for most users but exempted for certain accounts — often the most privileged ones.
The gap usually exists for one of three reasons: the business didn't set it up when they got M365, they created exemptions for users who complained about the friction, or they're using per-user MFA (the legacy method) instead of Conditional Access policies, which means enforcement is inconsistent.
The fix: Implement Conditional Access policies that require MFA for all users on all sign-ins, with no permanent exemptions. Disable legacy authentication protocols (IMAP, POP, SMTP AUTH) that bypass MFA entirely. Use the Microsoft Authenticator app rather than SMS codes, which are vulnerable to SIM swapping.
2. Legacy Authentication Protocols Are Still Enabled
Legacy authentication protocols — IMAP, POP3, SMTP AUTH, and anything else that signs in with Basic Auth (a plain username and password) — were designed before MFA existed. When they're enabled, they create pathways into your environment that completely bypass MFA. An attacker with a valid username and password can authenticate via IMAP and your MFA policies are irrelevant.
Microsoft has been deprecating Basic Auth across Microsoft 365 for years, but many tenants still have it enabled — either because it was never disabled, or because a specific application or device (like an older printer that sends scan-to-email) still depends on it.
The fix: Disable Basic Auth and legacy protocols via Conditional Access or Authentication Policies. For devices that require SMTP to send email, migrate them to use modern authentication or a dedicated relay service.
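As an added example (not code from the original post), here is how the two Conditional Access policies from sections 1 and 2 can be created with the Microsoft Graph PowerShell SDK, starting in report-only mode so the sign-in logs show who would be affected before enforcement is switched on. The cmdlets and property names are real; the policy display names and the 30-day lookback are my own choices.

```powershell
# Added example: create the "require MFA for all users" and "block legacy auth"
# Conditional Access policies via Microsoft Graph PowerShell. Both start in
# report-only mode; change state to "enabled" once the report-only results in the
# sign-in logs look right. Requires the Microsoft.Graph module and CA admin rights.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","AuditLog.Read.All","Directory.Read.All"

# Policy 1: MFA for every user on every cloud app, no permanent exemptions.
$mfaPolicy = @{
    displayName   = "CA01 - Require MFA for all users"      # name chosen here
    state         = "enabledForReportingButNotEnforced"     # report-only first
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication clients. "other" covers Basic Auth over
# IMAP/POP3/SMTP AUTH; these clients cannot answer an MFA prompt, so blocking them
# is the only way to close the bypass.
$legacyPolicy = @{
    displayName   = "CA02 - Block legacy authentication"    # name chosen here
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($p in @($mfaPolicy, $legacyPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created '$($created.DisplayName)' in state $($created.State) (id $($created.Id))"
}

# Before enforcing CA02, list which accounts still sign in with legacy clients so
# the scan-to-email printer or old application can be migrated first. Pulling 30
# days of sign-ins with -All can take a while in a large tenant.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```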
3. No Microsoft 365 Backup
Microsoft does not comprehensively back up your Microsoft 365 data. This is one of the most persistent misconceptions we encounter. Microsoft provides infrastructure reliability — your data won't be lost because their datacenters fail. But deleted emails, SharePoint files, and OneDrive content have limited retention windows (30 days by default for most items, up to 93 days with specific configurations). After that, data may be permanently unrecoverable.
More importantly: if ransomware encrypts files on a user's workstation and those encrypted files sync to OneDrive, the encrypted versions overwrite the clean originals. The sync that's supposed to protect you becomes the mechanism of data loss.
The fix: Deploy a third-party Microsoft 365 backup solution. We use Cove Data Protection, which backs up Exchange Online (email and calendar), SharePoint, OneDrive, and Teams daily with point-in-time recovery and retention up to 7 years.
4. Global Administrator Accounts Are Used for Day-to-Day Work
Global Administrator is the highest privilege role in Microsoft 365. An account with Global Admin access can create users, reset passwords, read all email, delete data, and bypass nearly every other control in the tenant. And yet in most tenants we inherit, the Global Administrator account is the same account the owner or IT manager uses for day-to-day email.
This means that if that account is compromised — through phishing, credential stuffing, or session token theft — the attacker has complete control of your Microsoft 365 environment. They can create new admin accounts, disable security controls, and exfiltrate data before anyone notices.
The fix: Create dedicated cloud-only Global Administrator accounts with no associated mailbox, used only for administrative tasks. Day-to-day work should be done from standard user accounts or accounts with the minimum privilege required for the role. Enable Privileged Identity Management (PIM) for just-in-time admin access if your license includes it.
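To find the situation section 4 describes in your own tenant, here is an added audit script (not from the original post) that lists every Global Administrator assignment and flags accounts that have a mailbox, are synced from on-premises AD rather than cloud-only, or carry licenses. It uses Microsoft Graph PowerShell for the role lookup and the ExchangeOnlineManagement module for the mailbox check; the role template ID is Microsoft's well-known value for Global Administrator.

```powershell
# Added example: report who holds Global Administrator and which of those accounts
# look like day-to-day user accounts. Active assignments only; PIM-eligible
# assignments are not returned by this cmdlet and need a separate check.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

# Well-known template ID of the Global Administrator role (identical in every tenant).
$gaRoleId = "62e90394-69f5-4237-9190-012177145e10"

$assignments = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "roleDefinitionId eq '$gaRoleId'" -All

$report = foreach ($a in $assignments) {
    $user = Get-MgUser -UserId $a.PrincipalId `
        -Property UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,AssignedLicenses `
        -ErrorAction SilentlyContinue
    if (-not $user) {
        # Groups and service principals can also hold the role; review those by hand.
        [pscustomobject]@{ Principal = $a.PrincipalId; Type = "non-user"; Enabled = $null; Findings = "review manually" }
        continue
    }
    $findings = @()
    if (Get-EXOMailbox -Identity $user.UserPrincipalName -ErrorAction SilentlyContinue) {
        $findings += "has mailbox (likely used for day-to-day email)"
    }
    if ($user.OnPremisesSyncEnabled) { $findings += "synced from on-prem AD (not cloud-only)" }
    if ($user.AssignedLicenses.Count -gt 0) { $findings += "licensed (dedicated admin accounts usually need none)" }
    [pscustomobject]@{
        Principal = $user.UserPrincipalName
        Type      = "user"
        Enabled   = $user.AccountEnabled
        Findings  = ($findings -join "; ")
    }
}

$report | Format-Table -AutoSize
"Global Administrator assignments: $($assignments.Count) (Microsoft's guidance is fewer than five)"
```

Any row whose Findings column is not empty is a candidate for the dedicated cloud-only admin account described above.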
5. Microsoft Secure Score Is Being Ignored
Microsoft 365 includes a built-in security assessment tool called Secure Score that evaluates your tenant configuration against Microsoft's security recommendations and gives you a score out of 100. Most tenants we inherit have a Secure Score in the 30-50 range. A well-configured tenant should be in the 70-80+ range.
Secure Score isn't perfect — some high-point recommendations aren't practical for every environment — but it's a free, continuously updated roadmap of what's misconfigured in your tenant. Most businesses have never looked at it.
The fix: Open the Microsoft Defender portal, navigate to Secure Score, and work through the recommendations systematically. Focus first on high-point items in the Identity and Device categories — these address the most commonly exploited attack vectors.
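As an added example (not the post's own material), this Microsoft Graph PowerShell script pulls the latest Secure Score and ranks the unfinished Identity and Device controls by the points they are still worth, which is the order section 5 suggests working through them. The cmdlets and properties are from the Microsoft.Graph.Security module; the "top 10" cut-off is my own.

```powershell
# Added example: read Secure Score via Microsoft Graph and list the highest-value
# remaining controls in the Identity and Device categories.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

$latest = Get-MgSecuritySecureScore -Top 1      # results are newest first
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore)
"Secure Score: $([math]::Round($latest.CurrentScore, 1)) of $($latest.MaxScore) ($pct%) as of $($latest.CreatedDateTime)"

# Control profiles hold the title, maximum points and portal link for each control;
# the score object only holds the points currently achieved.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p -or $p.Deprecated) { continue }
    $remaining = $p.MaxScore - $c.Score
    if ($remaining -le 0) { continue }          # already fully implemented
    [pscustomobject]@{
        Category   = $c.ControlCategory
        Control    = $p.Title
        Remaining  = [math]::Round($remaining, 1)
        UserImpact = $p.UserImpact
        Action     = $p.ActionUrl
    }
}

$gaps |
    Where-Object { $_.Category -in @("Identity", "Device") } |
    Sort-Object Remaining -Descending |
    Select-Object -First 10 |
    Format-Table Category, Remaining, UserImpact, Control -AutoSize
```

The UserImpact column is worth reading before acting: a high-point control with high user impact (for example, blocking legacy auth while a printer still relies on it) needs the dependency work from section 2 first.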
6. No Alerts for Suspicious Sign-Ins
Microsoft 365 logs every authentication event — location, device, IP address, time. If an attacker uses a compromised credential to sign in from an unusual location, that event is logged. But it doesn't generate an alert by default. Without active monitoring, an attacker can be in your environment for days or weeks before anyone notices.
The fix: Configure Microsoft Entra ID Protection risk policies to automatically block or require step-up authentication for risky sign-ins. Set up alert notifications for high-severity identity events. For clients on our managed plans, we layer Huntress ITDR on top of Microsoft's native alerting — it monitors Microsoft 365 for account takeover indicators, suspicious OAuth app grants, and credential abuse in real time with a 24/7 SOC behind it.
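As an added example (not from the original post or any vendor), here is a simple hunt over the last 24 hours of Entra sign-in logs for the pattern section 6 describes: an account that signed in successfully from more than one country, or a run of failures followed by a success from one of the failing IPs. It uses Microsoft Graph PowerShell; the 24-hour window and the failure threshold of 10 are my own starting points, and the final risk-detection query needs an Entra ID P2 license.

```powershell
# Added example: flag suspicious sign-in patterns from the Entra sign-in log and
# list what Identity Protection has already rated as high risk.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","IdentityRiskEvent.Read.All"

$since   = (Get-Date).AddHours(-24).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

foreach ($g in ($signIns | Group-Object UserPrincipalName)) {
    $events    = $g.Group | Sort-Object CreatedDateTime
    $successes = @($events | Where-Object { $_.Status.ErrorCode -eq 0 })
    $failures  = @($events | Where-Object { $_.Status.ErrorCode -ne 0 })

    # Signal 1: successful sign-ins from more than one country in a single day.
    $countries = @($successes | ForEach-Object { $_.Location.CountryOrRegion } | Sort-Object -Unique)
    if ($countries.Count -gt 1) {
        "[MULTI-COUNTRY] $($g.Name): $($countries -join ', ')"
    }

    # Signal 2: 10+ failures, then a success from an IP that was among the failing ones
    # (a password spray or credential-stuffing run that eventually landed).
    if ($failures.Count -ge 10 -and $successes.Count -gt 0) {
        $lastSuccess = $successes[-1]
        $failIps     = @($failures | ForEach-Object { $_.IpAddress } | Sort-Object -Unique)
        if ($failIps -contains $lastSuccess.IpAddress) {
            "[FAIL-THEN-SUCCESS] $($g.Name): $($failures.Count) failures, then success from $($lastSuccess.IpAddress) at $($lastSuccess.CreatedDateTime)"
        }
    }
}

# Signal 3 (Entra ID P2): detections Identity Protection has already raised, which
# the risk policies described above can act on automatically.
Get-MgRiskDetection -Filter "riskLevel eq 'high' and detectedDateTime ge $since" |
    Select-Object DetectedDateTime, UserPrincipalName, RiskEventType, IpAddress |
    Format-Table -AutoSize
```

Run on a schedule, the two signal lines are the kind of event that should page someone rather than sit in a log until the next audit.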
How to Assess Your Own Tenant
If you want a quick picture of where your Microsoft 365 tenant stands, open the Microsoft Defender portal (security.microsoft.com), go to Secure Score, and look at your current score and the recommendations. That list is a starting point. For a full review with remediation support, that's exactly what our Microsoft 365 assessments cover.