All articles
Cloud Security

The 7 Microsoft 365 Security Gaps Most Small Businesses Miss

June 25, 20268 min read

Microsoft 365 is one of the most secure platforms a small business can run on. The catch is that it is secure by design, not by default. Out of the box, Microsoft leaves a lot of the protective settings turned off so that nothing breaks for the average user, and it is up to you (or whoever manages your tenant) to turn them on. Most small businesses never do, because nobody told them they had to.

We see the same handful of gaps in almost every Microsoft 365 environment we review. None of them are exotic. All of them are the kind of thing an attacker checks for first. Here are the seven that matter most, what each one exposes, and how to close it.

1. Multi-factor authentication is not enforced for everyone

This is the single most important control, and it is the one most often left half-done. Plenty of businesses have MFA turned on for the owner and a couple of people who asked for it, but not enforced across every account, every admin, and every login. An attacker only needs one account without MFA. A leaked or guessed password with no second factor is a direct way in.

Close it: enforce MFA for all users with no exceptions, and require it for every administrator account specifically. Modern Microsoft 365 plans support security defaults or Conditional Access policies that make this enforceable rather than optional.

2. Legacy authentication is still allowed

Old mail protocols like IMAP, POP, and basic authentication do not support MFA at all. As long as they are enabled, an attacker can simply use one of those older paths to bypass the MFA you just turned on. It is the back door left open next to the front door you locked.

Close it: block legacy authentication tenant-wide. Almost no modern business needs it, and leaving it on quietly undoes much of your MFA protection.

3. Mailbox auto-forwarding to outside addresses is open

One of the first things an attacker does after compromising a mailbox is set up a rule that silently forwards a copy of every email to an address they control. The real owner notices nothing. Months of invoices, contracts, and client communication leak out without a single alarm. This is also a common path for wire-fraud and invoice-redirect scams.

Auto-forwarding to external domains is one of the highest-signal warning signs of a compromised mailbox, and one of the easiest things to block before it ever happens.

Close it: disable automatic external forwarding at the tenant level, and alert on any new forwarding rule. Legitimate forwarding needs are rare and can be allowed case by case.

4. Too many people are global administrators

It is common to find a small business where three, four, or more accounts have full global admin rights, often because it was easier than figuring out the right permission level at the time. Every one of those accounts is a master key. If any of them is compromised, the attacker owns the entire environment, not just one mailbox.

Close it: reduce global admins to the smallest possible number, give everyone else the least privilege they actually need, and protect the remaining admin accounts with their own dedicated MFA.

5. There is no real backup of your data

This surprises people: Microsoft does not back up your data for you in the way you probably assume. Microsoft keeps the service running and protects against their own outages, but if a user deletes a folder, a mailbox is wiped by ransomware, or files are lost past the retention window, that data can be gone for good. Microsoft operates a shared-responsibility model, and your data is your responsibility.

Close it: put a real third-party backup in place for Microsoft 365 mail, files, and SharePoint, with retention that matches how long you actually need to recover things.

6. External sharing is wide open

By default, SharePoint and OneDrive often allow files and folders to be shared with anyone who has the link, including people outside your organization. Over time that turns into a sprawl of sensitive documents shared more broadly than anyone intended, sometimes with links that still work years later for people who have long since moved on.

Close it: tighten external sharing to what your business actually needs, set links to expire, and review who has access to your most sensitive sites. For practices handling client data, this is also a core part of staying defensible.

7. Audit logging is off, so you cannot see what happened

If the worst does happen, the first question is always: what did they access, and for how long? Without audit logging enabled, you simply cannot answer that. You are left guessing, which makes both recovery and any required breach notification far harder. Many tenants have logging available but never switched on.

Close it: turn on unified audit logging so there is a record of sign-ins, file access, and admin changes. You hope you never need it, and you are very glad it is there if you do.

The pattern behind all seven

Notice what these have in common: none of them are about buying a fancy security product. They are about configuring what you already pay for. Microsoft 365 gives you strong protection; it just does not turn it all on for you. Closing these gaps is mostly a matter of knowing they exist and having someone set them correctly.

There is a compliance upside too. If you are in healthcare, legal, or accounting, the same settings that keep attackers out, MFA, a signed agreement with Microsoft, no open forwarding, real backup, audit logging, are also most of what HIPAA and the FTC Safeguards Rule expect you to have in place. Secure the environment properly and the compliance picture gets much easier almost as a side effect.

Not sure where your tenant stands?

We offer a free 30-minute Microsoft 365 and Google Workspace security review that checks exactly these gaps, MFA, legacy auth, forwarding rules, admin access, backup, sharing, and logging. No pitch, and you keep the findings whether or not we ever work together.

Get a free security review

Frequently asked questions

Is Microsoft 365 secure on its own?

The platform is very secure, but many of its protections are turned off by default so nothing breaks for the average user. Real security comes from configuring those settings, not from the platform alone.

Does Microsoft back up my email and files?

Not in the way most people assume. Microsoft keeps the service running, but recovering data you delete, or data lost to ransomware past the retention window, is your responsibility. A third-party backup fills that gap.

Can I fix these settings myself?

Some of them, yes, especially enforcing MFA and turning on audit logging. Others, like Conditional Access policies and tenant-wide forwarding controls, are easy to get wrong. If you want a second set of eyes, a security review will tell you exactly which gaps are open before you change anything.

Written by Spartan Tek Solutions, IT and security for small practices.

Have a question? Talk to us