Microsoft 365 Security: 5 Settings Your Admin Should Have Changed by Now

Microsoft 365 is secure out of the box — for 2019. In 2026, the defaults aren’t enough.

When Microsoft rolled out M365, they made conservative choices about default settings. They needed the platform to work for millions of organizations right away, without locking anyone out or breaking existing workflows. That made sense then.

It doesn’t make sense now.

Cyber attacks have changed dramatically. Business email compromise (BEC) is a multi-billion dollar industry. Ransomware gangs target small and mid-sized businesses specifically because they assume the security isn’t tight. And attackers have gotten very good at exploiting exactly the gaps that Microsoft’s default settings leave open.

If your organization uses Microsoft 365 and you haven’t had a security review done in the last 12 months — or ever — there’s a good chance you’re running with settings that would make an attacker’s job easy.

Here are five specific settings that are commonly misconfigured, and what your IT team should do about each one.

The 5 Settings That Put M365 Businesses at Risk

1. MFA Isn’t Turned On for All Accounts — or It’s the Wrong Kind

What it is: Multi-factor authentication (MFA) requires users to verify their identity with a second method beyond just a password — usually a push notification or code sent to a phone. “Security Defaults” in Microsoft 365 enables basic MFA for all users, but many tenants have it disabled, partially deployed, or relying on SMS-based verification that can be bypassed.

Why it matters: Compromised passwords are the #1 entry point for account takeover. Attackers buy stolen credentials in bulk from data breaches and try them against Microsoft 365 — a technique called credential stuffing. Without MFA, one leaked password hands them full access to your email, files, and internal systems. Even with basic MFA enabled, SMS-based codes are vulnerable to SIM-swapping and real-time phishing attacks that intercept the code before you do.

What to do: Ensure MFA is enforced for every single account — including shared mailboxes, service accounts, and admin accounts. For higher-risk users (executives, finance, HR, IT), push your IT team toward stronger MFA: Microsoft Authenticator with number matching at a minimum, and phishing-resistant options such as FIDO2 hardware security keys. Phishing-resistant methods can’t be bypassed by fake login pages, because the credential is bound to the legitimate site and never leaves the key. Check your current MFA enrollment status in the Microsoft Entra admin center under Users > All Users > Per-user MFA.

2. External Email Forwarding Rules Aren’t Blocked

What it is: Microsoft 365 allows users — and in many cases, attackers who’ve compromised an account — to set up automatic email forwarding rules that silently copy every incoming email to an external address. By default, many tenants don’t block this.

Why it matters: This is one of the most common techniques in business email compromise. An attacker gains access to an inbox (often using stolen credentials), sets up a forwarding rule to their own account, and then waits. They watch months of email — learning your vendors, your payment processes, your accounting contacts. Then they strike, usually by impersonating someone in a wire transfer or invoice fraud scheme. The victim often doesn’t know their email was being forwarded until it’s far too late. The FBI’s Internet Crime Complaint Center (IC3) reported BEC losses exceeding $2.9 billion in 2023 — making it consistently the costliest cybercrime category tracked.

What to do: There are two places to fix this. In the Exchange Admin Center, go to Mail flow > Remote domains and configure the default remote domain to disable automatic forwarding. You should also create a mail flow rule that rejects auto-forwarding to external addresses outright. Your IT team should simultaneously audit current forwarding rules across all mailboxes — any rule your team didn’t intentionally create is a red flag that deserves immediate investigation.
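The audit and the two tenant-level blocks described above, as an added Exchange Online PowerShell example (not code from the original post). It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the rule name and rejection text are made up here.

```powershell
# Added example (not from the original post): inventory inbox rules that forward or
# redirect mail outside the tenant, then apply the two tenant-level blocks.
# Assumes the ExchangeOnlineManagement module and an Exchange admin account.
Connect-ExchangeOnline

# Every domain the tenant owns counts as internal; anything else is external.
$internal = (Get-AcceptedDomain).DomainName

function Test-External([string]$Address) {
    # Rule targets look like '"Display Name" [SMTP:user@example.com]' or a plain address.
    if ($Address -match '(?i)smtp:([^\]\s]+)') { $Address = $Matches[1] }
    $domain = ($Address -split '@')[-1]
    return -not ($internal -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        $external = $targets | Where-Object { Test-External $_ }
        if ($external) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Targets = ($external -join '; ')
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Mailbox-level forwarding is set outside of inbox rules, so check it separately.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Tenant-wide block 1: disable automatic forwarding on the default remote domain.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
# (Newer tenants also govern this through the outbound spam policy's AutoForwardingMode.)

# Tenant-wide block 2: a mail flow rule that rejects auto-forwarded mail leaving the org.
New-TransportRule -Name 'Block external auto-forwarding' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted.'
```

Any row in the findings table that nobody on your team recognises is the red flag the text describes and should be investigated before the rule is simply deleted.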

3. Audit Logging Isn’t Enabled or Monitored

What it is: Microsoft 365 has a built-in unified audit log that records logins, email access, file downloads, admin changes, forwarding rule creation, and hundreds of other events. On older tenants, it may not be enabled. And on nearly every tenant, it isn’t being actively monitored.

Why it matters: You can’t investigate what you can’t see. When a breach happens — and for most businesses, it’s a matter of when, not if — the audit log is the evidence trail. It tells you what the attacker accessed, when, from where, and what they did. Without it, incident response becomes guesswork. Regulators in healthcare and finance also expect audit logs to exist. And some Microsoft 365 plans retain logs for only 90 days by default, which may not be enough for a proper investigation if an attacker was patient.

What to do: Have your IT team verify audit log status in the Microsoft Purview compliance portal under Audit > Start recording user and admin activity. If it’s not enabled, turn it on immediately — you cannot recover historical logs retroactively. Microsoft 365 Business Premium and E3 plans include 90-day retention; E5 or Purview add-ons extend this. Once enabled, alerts should be configured for high-priority events — like impossible-travel logins (someone signing in from Minnesota and then Singapore 20 minutes later) or bulk email deletions.
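Checking that the unified audit log is recording and then hunting it for two of the high-priority events mentioned above (forwarding-rule creation and bulk deletions), as an added example that is not from the original post. It assumes the ExchangeOnlineManagement module, an account with audit-log read rights, and a constructed deletion threshold of 200 events per user per day.

```powershell
# Added example (not from the original post): confirm the unified audit log is on, then
# search the last 30 days for forwarding rules being created and for bulk mailbox deletions.
# Assumes ExchangeOnlineManagement and an account allowed to read the audit log.
Connect-ExchangeOnline

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    # Nothing before this moment will ever be recoverable, so enable it immediately.
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$start = (Get-Date).AddDays(-30); $end = Get-Date

# 1) Inbox rules that forward or redirect mail. The rule parameters live inside the
#    AuditData JSON payload, so each record is parsed and inspected.
#    ResultSize caps at 5000; use -SessionId/-SessionCommand paging on busy tenants.
$ruleEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000
$forwardingRules = foreach ($evt in $ruleEvents) {
    $data = $evt.AuditData | ConvertFrom-Json
    $fwd  = $data.Parameters | Where-Object { $_.Name -in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo' }
    if ($fwd) {
        [pscustomobject]@{
            When     = $data.CreationTime
            Actor    = $data.UserId
            ClientIP = $data.ClientIP
            Mailbox  = $data.ObjectId
            Targets  = ($fwd.Value -join '; ')
        }
    }
}
$forwardingRules | Sort-Object When | Format-Table -AutoSize

# 2) Bulk deletions: any user/day pair with more than $threshold delete operations.
#    200 is a constructed starting point; tune it to what is normal for your tenant.
$threshold = 200
$deleteEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations HardDelete, SoftDelete, MoveToDeletedItems -ResultSize 5000
$deleteEvents |
    Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.UserIds, $_.CreationDate } |
    Where-Object Count -gt $threshold |
    Select-Object @{ n = 'UserDay'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending
```

The same two queries, run on a schedule, are the basis of the alerts the text recommends; the ClientIP column is what lets you spot a rule created from an address none of your users work from.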

4. Legacy Authentication Protocols Are Still Allowed

What it is: Legacy authentication protocols — like basic authentication used by older email clients, IMAP, POP3, and SMTP AUTH — connect to Microsoft 365 without supporting modern multi-factor authentication. Microsoft officially retired basic authentication for most Exchange Online protocols in October 2022, but many tenants still have legacy flows enabled through exceptions, older connectors, or inherited configurations.

Why it matters: These older protocols are a backdoor around your MFA controls. Even if you’ve properly enforced MFA, an attacker with a stolen password can use a legacy authentication path to sign in without ever triggering your MFA challenge. Microsoft has documented that the vast majority of password spray attacks specifically target legacy authentication endpoints for exactly this reason — because MFA doesn’t apply there.

What to do: In Microsoft Entra admin center > Security > Authentication methods, review whether any legacy authentication flows are active in your environment. The cleanest fix is a Conditional Access policy that blocks legacy authentication for all users. Before enabling it, your IT team should audit whether any line-of-business applications, older printers, or document scanners rely on these protocols — those need to be updated or replaced first, or they’ll stop working when legacy auth is blocked.

5. No Conditional Access Policies — Sign-Ins From Anywhere Go Unchallenged

What it is: Conditional Access is Microsoft’s policy engine for controlling how and from where users can access your Microsoft 365 environment. It can require MFA only when signing in outside the office, block access from certain countries, enforce device compliance requirements, or step up verification automatically when a login looks risky. It requires Microsoft Entra ID P1 licensing, which is included in Business Premium, E3, and E5 plans.

Why it matters: Without Conditional Access, your M365 tenant has essentially one front door: a username and password. With it, you set the rules for who gets in, from where, and under what conditions. If someone tries to sign in from an anonymous proxy, an unusual country, or a device that doesn’t meet your security baseline, you can challenge or block it automatically. Many organizations we work with across Minnesota had no idea these controls existed — or assumed their previous IT provider had configured them. Usually, they hadn’t.

What to do: If you’re starting from scratch, enable Microsoft’s Security Defaults in the Entra admin center — these apply a baseline set of protections automatically. For more control, work with your IT team to build policies that require MFA for all users, block legacy authentication, restrict admin portal access to compliant devices, and flag or block high-risk sign-in attempts. Review your current policies at Microsoft Entra admin center > Protection > Conditional Access. If that page is empty, that’s your answer.
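The two Conditional Access policies discussed in settings 4 and 5 (block legacy authentication; require MFA for all users), created through Microsoft Graph PowerShell in report-only mode, as an added example that is not code from the original post. It assumes the Microsoft.Graph modules, Entra ID P1, and made-up policy names; the break-glass account object id is a placeholder you must replace.

```powershell
# Added example (not from the original post): create the block-legacy-auth and
# require-MFA policies via Microsoft Graph. Both start in report-only mode so the
# sign-in log shows what WOULD have been blocked before anything is enforced.
# Assumes the Microsoft.Graph modules and Entra ID P1; policy names are made up.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

function New-ReportOnlyCaPolicy {
    param(
        [string]$Name,
        [hashtable]$Conditions,
        [string[]]$Controls
    )
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
        conditions    = $Conditions
        grantControls = @{ operator = 'OR'; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Setting 4: block legacy auth. "exchangeActiveSync" and "other" are the client app
# types that cover basic auth (IMAP, POP3, SMTP AUTH, older Office clients).
New-ReportOnlyCaPolicy -Name 'CA001 - Block legacy authentication' -Controls 'block' -Conditions @{
    users          = @{ includeUsers = @('All') }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('exchangeActiveSync', 'other')
}

# Setting 5: require MFA for every user on every cloud app. Exclude a break-glass admin
# account so a policy mistake cannot lock the whole tenant out.
# '<break-glass-account-object-id>' is a placeholder: substitute the real object id.
New-ReportOnlyCaPolicy -Name 'CA002 - Require MFA for all users' -Controls 'mfa' -Conditions @{
    users          = @{ includeUsers = @('All'); excludeUsers = @('<break-glass-account-object-id>') }
    applications   = @{ includeApplications = @('All') }
    clientAppTypes = @('all')
}

# Confirm both policies exist and are still report-only before any are switched on.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id
```

Security Defaults and Conditional Access policies are mutually exclusive, so Security Defaults must be turned off before these policies can be created; the report-only sign-in results are where the printers, scanners and line-of-business apps that still use legacy auth will show up.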

The Bigger Picture: Five Settings Won’t Save You

These five items are a good starting point. They’re not a security posture.

Real security means someone is regularly reviewing your environment — checking for new forwarding rules, monitoring audit logs for anomalies, reviewing who has admin access, and testing your backup and recovery process. It means your team knows what to do when they get a suspicious email. It means you have an incident response plan before you need one.

A lot of small and mid-sized businesses across Minnesota assume their Microsoft 365 is fine because they’re paying for it and nothing has gone wrong yet. The problem is that attackers are patient. Many compromises go undetected for weeks or months. By the time something visibly breaks — a ransomware infection, a fraudulent wire transfer, a compliance violation — the attacker has been inside long enough to do real damage.

Security isn’t a one-time purchase. It’s an ongoing practice. And it starts with knowing where you actually stand.

Find Out Exactly Where You Stand — Free

K&E Consulting offers a complimentary Microsoft 365 Security Review for businesses in the Twin Cities and across Minnesota.

In about an hour, we’ll look at your real tenant settings — not a generic checklist — and give you a plain-language report on what’s configured correctly, what needs attention, and what’s a priority to fix. No sales pressure. No obligation. Just an honest picture of your current exposure.

If you’ve been wondering whether your Microsoft 365 is as secure as it should be, the honest answer for most businesses is: it could be better. The question is how much better, and how quickly you want to know.

Schedule your free M365 Security Review

K&E Consulting is a managed IT services provider based in Minnesota, serving small and mid-sized businesses throughout the Twin Cities metro and Greater Minnesota. We specialize in Microsoft 365 management, cybersecurity, and IT support for businesses that take their data seriously.
