The 7 Microsoft 365 Misconfigurations Behind Most SME Breaches

Most Microsoft 365 security breaches affecting UK SMEs trace back to a handful of preventable misconfigurations. MFA not enforced, legacy authentication left on, admin accounts not properly protected — these are not exotic attacks. They are entirely avoidable failures. Here are the seven most common gaps AMVIA finds in tenant audits.

Nathan Hill-Haimes

Technical Director

9 min read · Mar 2026

Why Configuration Failures Dominate

Microsoft 365 is a mature, well-engineered platform with extensive security capabilities. The problem isn't the platform — it's that most businesses deploy it without applying the security controls that actually make it secure. Microsoft's defaults are designed for accessibility, not maximum protection. The security controls are there, but they must be explicitly enabled.

In AMVIA's tenant audits, the same misconfigurations appear repeatedly — in businesses of all sizes, across all sectors. These aren't edge cases. They're the norm for self-managed or lightly managed Microsoft 365 tenants.

Misconfiguration 1: MFA Not Enforced

This is the most common and most consequential gap. Multi-Factor Authentication blocks over 99% of account compromise attacks. Without it, a stolen or guessed password is all an attacker needs to access an account — and from a compromised account, they can read email, exfiltrate files, send phishing email from a trusted address, and pivot to other accounts.

The fix: Enable Security Defaults in Azure Active Directory (now Microsoft Entra ID; free on all paid plans) to enforce MFA for all users. For Business Premium and Enterprise, replace Security Defaults with Conditional Access policies for more granular control. Enforce the Microsoft Authenticator app rather than SMS — it's more phishing-resistant.

Misconfiguration 2: Legacy Authentication Not Blocked

Legacy authentication protocols — Basic Auth over IMAP, POP3, SMTP AUTH without modern authentication — bypass MFA entirely. If a user's account credentials are stolen and legacy authentication is enabled, an attacker can authenticate directly using just the password, with no MFA prompt triggered.

Microsoft has been phasing out legacy auth for years, but many tenants still have it enabled — particularly for shared mailboxes, service accounts, or older email clients.

The fix: Create a Conditional Access policy that blocks legacy authentication protocols. Before applying, review the Microsoft 365 Sign-in Activity report to identify which users or accounts are connecting via legacy protocols. Update or replace legacy clients before blocking.
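The review-then-block sequence above, as an added example that is not part of the original article or of any Microsoft tooling. The sign-in records are constructed to mimic the shape of Microsoft Graph `/auditLogs/signIns` entries (field names `userPrincipalName`, `clientAppUsed`, `status.errorCode` are Graph's; the values are invented), and the set of legacy client-app names is assumed to mirror the legacy-protocol entries in the Entra sign-in log "Client app" filter, so verify it against your tenant's own log values. The policy body follows the Graph `conditionalAccessPolicy` schema and is what you would POST to `/identity/conditionalAccess/policies`; obtaining a token and making that call is left to the caller.

```python
"""Pre-block review of legacy-authentication sign-ins, plus the Conditional
Access policy body that blocks them. No tenant is contacted: SAMPLE_SIGNINS is
constructed data shaped like Graph signIn objects."""
from collections import defaultdict

# Legacy (basic-auth) client app names as they appear in Entra sign-in logs.
# Assumption: mirrors the sign-in log "Client app" filter; check your own logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Authenticated SMTP", "IMAP4", "POP3",
    "Autodiscover", "Exchange Web Services", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Other clients",
}

# Constructed sample sign-ins (values invented; errorCode 0 = success).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "scanner@example.co.uk", "clientAppUsed": "Authenticated SMTP",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.7"},
    {"userPrincipalName": "alice@example.co.uk", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.5"},
    {"userPrincipalName": "shared-sales@example.co.uk", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}, "ipAddress": "198.51.100.9"},
    # A failed legacy sign-in (bad password) is not usage; it is a signal to watch.
    {"userPrincipalName": "bob@example.co.uk", "clientAppUsed": "Other clients",
     "status": {"errorCode": 50126}, "ipAddress": "203.0.113.99"},
]


def legacy_auth_usage(signins):
    """Return {upn: {client_app: count}} for successful sign-ins over legacy
    protocols. These are the accounts/clients to migrate before enforcing."""
    usage = defaultdict(lambda: defaultdict(int))
    for s in signins:
        app = s.get("clientAppUsed", "")
        succeeded = s.get("status", {}).get("errorCode") == 0
        if app in LEGACY_CLIENT_APPS and succeeded:
            usage[s["userPrincipalName"]][app] += 1
    return {upn: dict(apps) for upn, apps in usage.items()}


def block_legacy_auth_policy(report_only=True, exclude_users=()):
    """Body for POST /identity/conditionalAccess/policies (Graph schema).
    Start in report-only state so the sign-in report shows what *would* be
    blocked; flip report_only=False once the legacy clients are gone.
    exclude_users: object IDs of break-glass accounts, if you carve them out."""
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            # exchangeActiveSync + other together cover the legacy protocols.
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    for upn, apps in legacy_auth_usage(SAMPLE_SIGNINS).items():
        print(f"{upn}: {apps}")
    print(block_legacy_auth_policy())
```

Run the usage report against a real export of the sign-in logs first; every account it lists is something that will break the day the policy moves from report-only to enabled.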

Misconfiguration 3: Global Admin Accounts Overexposed

Global Administrator accounts have unrestricted access to the entire Microsoft 365 environment. Many businesses use their everyday accounts as Global Admins — the same account used to read email, browse the web, and click on phishing links.

If an admin's everyday account is compromised, the attacker has Global Admin access. They can create new accounts, assign themselves licences, delete data, disable security controls, and exfiltrate the entire tenant.

The fix: Create dedicated admin accounts separate from daily-use accounts. Apply MFA strictly to all admin roles. Minimise the number of Global Admins — most admin tasks can be done with scoped roles (Exchange Admin, SharePoint Admin, etc.). For Business Premium and E5 tenants, implement Privileged Identity Management (PIM) for just-in-time admin elevation.

Misconfiguration 4: External Sharing Too Permissive

Microsoft 365 allows users to share SharePoint files and Teams content with external parties using anonymous links — links that anyone with the URL can access, without signing in. This is convenient but dangerous. Links get forwarded, stored in email, or discovered by bots scanning public cloud storage.

The fix: Review external sharing settings in the SharePoint Admin Centre. For most businesses, restricting sharing to authenticated external users (requiring a Microsoft account or verification to access shared content) significantly reduces exposure. Set link expiry for any anonymous links that must be used. Audit existing sharing activity periodically.

Misconfiguration 5: Inactive Accounts Not Disabled

When staff leave, their Microsoft 365 accounts are frequently left active — sometimes for months. An active account belonging to a former employee is a persistent entry point. If that person's credentials were ever phished, if they shared their password, or if their old device is accessed, that account remains fully usable.

The fix: Establish an offboarding process that includes: immediately disabling the account on the employee's last day, revoking all active sessions (Entra ID > Users > Sign-in sessions > Revoke), and transferring ownership of their data to their manager. Set a calendar reminder to review whether the account needs to be permanently deleted after the data retention period has passed.
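An added example (not from the article or from Microsoft) of the two halves of this fix: an audit that finds enabled accounts nobody has signed into for a while, and the ordered Graph requests an offboarding runbook would issue. The user records are constructed to look like Graph `/users?$select=...,signInActivity` output (reading `signInActivity` needs the `AuditLog.Read.All` permission in a real tenant); `stale_enabled_accounts` and `offboarding_requests` are names chosen here, and the 45-day threshold is an assumption to tune.

```python
"""Audit for enabled accounts with no recent sign-in (the gap a missed
offboarding leaves) and the Graph calls that close it. SAMPLE_USERS is
constructed data in the shape of Graph user objects."""
from datetime import datetime, timedelta

# Constructed users. signInActivity is None for an account that never signed in.
SAMPLE_USERS = [
    {"id": "u1", "userPrincipalName": "alice@example.co.uk", "accountEnabled": True,
     "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2026-03-02T08:15:00Z"}},
    {"id": "u2", "userPrincipalName": "leaver@example.co.uk", "accountEnabled": True,
     "createdDateTime": "2022-06-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-11-20T17:40:00Z"}},
    {"id": "u3", "userPrincipalName": "never.used@example.co.uk", "accountEnabled": True,
     "createdDateTime": "2025-09-01T09:00:00Z", "signInActivity": None},
    {"id": "u4", "userPrincipalName": "old.disabled@example.co.uk", "accountEnabled": False,
     "createdDateTime": "2021-01-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-01-01T00:00:00Z"}},
]


def _parse(ts):
    """Graph timestamps are ISO 8601 with a trailing Z; make them tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_enabled_accounts(users, now, max_idle_days=45):
    """Enabled accounts whose last sign-in (or creation date, if they never
    signed in) is older than max_idle_days.
    Returns [(upn, idle_days, reason)] with the longest-idle first."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if not u.get("accountEnabled"):
            continue  # already disabled: not an entry point
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last:
            ref, reason = _parse(last), "last sign-in"
        else:
            ref, reason = _parse(u["createdDateTime"]), "never signed in"
        if ref < cutoff:
            stale.append((u["userPrincipalName"], (now - ref).days, reason))
    return sorted(stale, key=lambda row: -row[1])


def offboarding_requests(user_id):
    """Graph requests, in order, for a leaver: disable the account first, then
    revoke refresh tokens so sessions already open on their devices die too."""
    return [
        ("PATCH", f"/v1.0/users/{user_id}", {"accountEnabled": False}),
        ("POST", f"/v1.0/users/{user_id}/revokeSignInSessions", None),
    ]


if __name__ == "__main__":
    now = _parse("2026-03-15T18:00:00Z")  # fixed "now" for the constructed data
    for upn, idle, reason in stale_enabled_accounts(SAMPLE_USERS, now):
        print(f"{upn}: idle {idle} days ({reason})")
    print(offboarding_requests("u2"))
```

The ordering in `offboarding_requests` matters: disabling the account stops new sign-ins, but tokens already issued keep working until revoked, which is why the article lists revoking sessions as a separate step.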

Misconfiguration 6: SPF, DKIM and DMARC Not Configured

Email authentication records protect your domain from being spoofed — attackers sending email that appears to come from your company domain. Without DMARC enforcement, anyone can send email that looks like it's from yourcompany.co.uk to your clients, suppliers and staff.

SPF and DKIM records are often partially configured during initial Microsoft 365 setup. DMARC — which provides the enforcement mechanism and reporting — is the component most frequently missing.

The fix: Check your current records using a tool like MXToolbox. Implement DMARC starting in monitoring mode (p=none with reporting addresses) to understand what's sending on your domain, before moving to quarantine or reject enforcement. DKIM should be enabled from the Microsoft Defender portal. This takes a few hours to implement and prevents domain spoofing entirely when done correctly.
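An added example (not the article's, and not MXToolbox) of the check described above, done from DNS TXT records: it reports whether SPF ends in a hard fail, whether the Microsoft 365 DKIM selectors (`selector1`, `selector2`) are published, and whether DMARC is missing, monitoring-only (`p=none`) or enforced, and it builds the monitoring-mode record to start with. The zone data is a constructed in-memory stand-in for real DNS; to run it against a live domain, replace `lookup_txt` with a resolver call (a `dnspython` query, for instance). In real DNS the Microsoft 365 selectors are CNAMEs that resolve on to the TXT record, which a resolver follows automatically.

```python
"""Assess SPF, DKIM and DMARC for a domain from its TXT records.
FAKE_DNS is constructed data standing in for a resolver."""

# Constructed TXT records for two example domains (not real zones).
FAKE_DNS = {
    "example.co.uk": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.co.uk": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_PLACEHOLDER"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.co.uk"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns a list of record strings."""
    return FAKE_DNS.get(name, [])


def parse_tags(record):
    """'v=DMARC1; p=none; rua=x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain, txt=lookup_txt, dkim_selectors=("selector1", "selector2")):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} status strings."""
    findings = {}

    # SPF: there must be exactly one v=spf1 record; -all (fail) beats ~all (softfail).
    spf = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings["spf"] = "missing"
    elif len(spf) > 1:
        findings["spf"] = "invalid: multiple SPF records"
    else:
        findings["spf"] = "enforced" if spf[0].rstrip().endswith("-all") else "softfail (~all)"

    # DKIM: Microsoft 365 uses selector1/selector2 once signing is enabled.
    found = [s for s in dkim_selectors
             if any(r.lower().startswith("v=dkim1") for r in txt(f"{s}._domainkey.{domain}"))]
    findings["dkim"] = f"published ({', '.join(found)})" if found else "missing"

    # DMARC: the p= tag decides enforcement; rua= gives the aggregate reports
    # you read during the monitoring phase.
    dmarc = [r for r in txt(f"_dmarc.{domain}") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings["dmarc"] = "missing"
    else:
        tags = parse_tags(dmarc[0])
        policy = tags.get("p", "none")
        label = {"none": "monitoring only",
                 "quarantine": "enforced (quarantine)",
                 "reject": "enforced (reject)"}.get(policy, f"unknown policy {policy}")
        if "rua" not in tags:
            label += ", no aggregate reporting"
        findings["dmarc"] = label
    return findings


def dmarc_record(reporting_address, policy="none", pct=100):
    """TXT value for _dmarc.<domain>. Publish with p=none first; move to
    quarantine, then reject, once the reports show only legitimate senders."""
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"invalid DMARC policy: {policy}")
    return f"v=DMARC1; p={policy}; pct={pct}; rua=mailto:{reporting_address}"


if __name__ == "__main__":
    for d in ("example.co.uk", "weak.example"):
        print(d, assess_email_auth(d))
    print(dmarc_record("dmarc-reports@example.co.uk"))
```

The `pct` tag lets you phase enforcement in (for example `pct=25` of failing mail quarantined) rather than flipping the whole domain at once, which is a useful middle step between `p=none` and full `p=reject`.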

Misconfiguration 7: No Backup

Microsoft 365 is not a backup. Recycle bins, version history and retention policies provide limited protection against accidental bulk deletion, deliberate destruction by a departing employee, or ransomware that encrypts files faster than the version history captures clean states.

Businesses that discover this only when they need to recover data from three months ago are in a difficult position.

The fix: Implement a third-party Microsoft 365 backup solution covering Exchange, SharePoint, OneDrive and Teams. AMVIA provides automated daily backup as part of our managed Microsoft 365 service. The cost is a fraction of the cost of a data recovery incident.

The Common Thread

All seven of these misconfigurations are preventable. None of them require advanced technical knowledge to fix — they require awareness that they need to be addressed and time to apply the correct settings. The problem is that businesses deploying Microsoft 365 themselves typically focus on getting the applications working, not on hardening the security configuration.

AMVIA conducts Microsoft 365 security audits for UK businesses and applies configuration hardening as part of our managed IT support service. If your business hasn't had a tenant security review, this is a high-priority action.

Does Your Microsoft 365 Tenant Have These Misconfigurations?

AMVIA's Microsoft 365 security audit identifies and remediates the configuration gaps that lead to breaches in UK SME tenants.
