When we perform an M365 security assessment, we consistently find the same misconfigurations across law firms, CPA firms, and insurance agencies — regardless of whether they have IT support in place. The problem isn't incompetent IT. It's that Microsoft's defaults prioritize adoption and ease of use, and most deployments are never revisited once users are onboarded.
Here are the five gaps we find most often, and why each one matters.
Legacy Authentication Is Still Enabled
Legacy authentication protocols — think IMAP, POP3, and basic SMTP auth — don't support Multi-Factor Authentication. They bypass Conditional Access policies entirely. If your tenant still allows these protocols and an attacker gets a password (through phishing, credential stuffing, or a dark web leak), they can authenticate directly without triggering any MFA challenge.
Risk: MFA bypass via legacy protocol
Fix: Block legacy auth via Conditional Access policy
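An added example (not from the original post) of how a defender would first measure legacy-auth use and then block it. It assumes the Microsoft Graph PowerShell SDK is installed, that the caller can consent to the AuditLog.Read.All and Policy.ReadWrite.ConditionalAccess scopes, and that the break-glass account object ID is substituted for the placeholder. The policy is created in report-only mode so the sign-in logs show what it would have blocked before anything is enforced.

```powershell
# Added example: inventory recent legacy-authentication sign-ins, then create a
# report-only Conditional Access policy that blocks legacy protocols.
# Assumes the Microsoft.Graph PowerShell SDK and the two scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Who still signs in with legacy protocols? Pull the last 7 days of sign-ins and
#    keep the client app values Entra ID uses for basic-auth clients.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacyClients = @("IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients")

Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Group-Object ClientAppUsed, UserPrincipalName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Conditional Access policy. clientAppTypes "exchangeActiveSync" and "other" are the
#    legacy client types; "browser" and "mobileAppsAndDesktopClients" (modern auth) are
#    untouched. State is report-only until the step-1 list is empty or accounted for.
$policy = @{
    displayName = "Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after review
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @("<break-glass-account-object-id>")   # placeholder, assumption
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run step 1 again a week after the policy is enforced: any user still appearing with IMAP4, POP3 or Authenticated SMTP has a client that needs reconfiguring rather than an exception.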
Mailbox Auditing Is Disabled on Most Accounts
Microsoft enables mailbox auditing by default for Exchange Online Plan 2 licenses, but not for all license types. More importantly, the default audit actions logged don't include the most forensically relevant ones — like MailItemsAccessed, which tells you exactly which emails an attacker read after compromising an account. Without this, incident response becomes a guessing game.
Fix: Enable full mailbox auditing via PowerShell, verify E3/E5 coverage
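The check-and-fix sequence described above, as an added example (not the post's own script). It assumes the ExchangeOnlineManagement module and an Exchange Administrator role, and it treats licensing as something to verify from the cmdlet output rather than assume: whether MailItemsAccessed can be added to a given mailbox depends on the audit licence that mailbox carries.

```powershell
# Added example: verify mailbox auditing tenant-wide and add MailItemsAccessed.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator role.
Connect-ExchangeOnline

# 1. Tenant-level switch. If AuditDisabled is $true, per-mailbox settings are ignored.
Get-OrganizationConfig | Select-Object AuditDisabled
Set-OrganizationConfig -AuditDisabled $false

# 2. Find user mailboxes where auditing is off or the owner audit set lacks
#    MailItemsAccessed (the action that records which messages were opened).
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$gaps = @($mailboxes | Where-Object {
    -not $_.AuditEnabled -or ($_.AuditOwner -notcontains "MailItemsAccessed")
})
$gaps | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Format-Table -AutoSize

# 3. Enable auditing and add MailItemsAccessed for owner, delegate and admin access.
#    Mailboxes whose licence does not include this action will not gain it; the
#    re-check in step 4 is what confirms coverage, not the absence of an error here.
foreach ($mbx in $gaps) {
    Set-Mailbox -Identity $mbx.UserPrincipalName `
        -AuditEnabled  $true `
        -AuditOwner    @{Add = "MailItemsAccessed"} `
        -AuditDelegate @{Add = "MailItemsAccessed"} `
        -AuditAdmin    @{Add = "MailItemsAccessed"}
}

# 4. Re-check: anything still listed here is a licensing gap to raise, not a script failure.
$stillMissing = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AuditOwner -notcontains "MailItemsAccessed" })
"Mailboxes without MailItemsAccessed auditing: $($stillMissing.Count)"
$stillMissing | Select-Object UserPrincipalName | Format-Table -AutoSize
```

Keep the step-4 list with the assessment report; it is the concrete answer to "could we reconstruct what an attacker read in this mailbox?" for each account.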
External Email Forwarding Is Unrestricted
One of the first things an attacker does after compromising an M365 mailbox is set an automatic forwarding rule to an external address. This silently copies every incoming email to the attacker — including wire instructions, client communications, and confidential legal matters — indefinitely. By default, M365 allows users to configure these rules without any admin review or restriction.
Risk: Silent data exfiltration via forwarding rules
Fix: Block external auto-forwarding via outbound anti-spam policy
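An added example (not from the original post) that first hunts for forwarding already in place, then applies the tenant-wide block. Blocking auto-forwarding going forward does not remove rules an attacker may have created earlier, so the hunt comes first. It assumes the ExchangeOnlineManagement module and an Exchange Administrator role; the regex for SMTP targets relies on the `[SMTP:address]` suffix Exchange puts in rule recipient strings.

```powershell
# Added example: find existing external forwarding, then disable auto-forwarding.
# Assumes the ExchangeOnlineManagement module and an Exchange Administrator role.
Connect-ExchangeOnline

# Domains the tenant owns; anything else is "external".
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# 1. Mailbox-level forwarding (set on the mailbox object, not via a rule).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 2. Inbox rules that forward or redirect to an external SMTP address. -IncludeHidden
#    also returns rules created through MAPI/EWS that do not show in Outlook's rule list.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$findings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden | ForEach-Object {
        $rule    = $_
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and ($t.ToString() -match '\[SMTP:([^\]]+)\]')) {
                $address = $Matches[1].ToLower()
                $domain  = ($address -split '@')[-1]
                if ($acceptedDomains -notcontains $domain) {
                    [pscustomobject]@{
                        Mailbox = $mbx.UserPrincipalName
                        Rule    = $rule.Name
                        Enabled = $rule.Enabled
                        Target  = $address
                    }
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 3. Tenant-wide block: the outbound anti-spam policy (the fix named above) plus the
#    default remote domain, which governs auto-forward delivery to external domains.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Review each finding with the mailbox owner before deleting the rule: a rule named with a single character or a run of dots, or one that also moves mail to Deleted Items or RSS Feeds, is the pattern to escalate to incident response rather than treat as a user preference.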
Unified Audit Log Is Turned Off
The Unified Audit Log (UAL) is your single most important forensic data source in M365. It captures sign-in events, admin changes, SharePoint access, Teams messages, and more. Some license tiers require it to be manually enabled. We routinely find tenants where it was never turned on — meaning that if an incident occurred, there is no log data to reconstruct what happened.
Risk: Zero forensic visibility if an incident occurs
Fix: Enable via Microsoft Purview Compliance Portal — check retention period too
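The same enable-and-verify step done from Exchange Online PowerShell rather than the Purview portal, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and an Audit Logs (or Exchange Administrator) role; the sample user address is a placeholder. The point of the final query is that "enabled" is not the same as "ingesting": a search that returns nothing for the last day means there is still no data to reconstruct an incident from.

```powershell
# Added example: enable the Unified Audit Log, confirm events are flowing, and show
# the kind of incident-response query it makes possible.
# Assumes the ExchangeOnlineManagement module and an Audit Logs or Exchange Admin role.
Connect-ExchangeOnline

# 1. Check and enable. Ingestion can take some hours to start after enabling.
Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# 2. Verify that events are actually being recorded.
$end   = Get-Date
$start = $end.AddDays(-1)
$sample = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 10
if (-not $sample) {
    "No audit records in the last 24 hours: the log is enabled but not yet ingesting, or was just turned on."
} else {
    $sample | Select-Object CreationDate, Operations, UserIds | Format-Table -AutoSize
}

# 3. Retention: Audit (Standard) keeps records for a fixed default window and
#    Audit (Premium) allows longer, policy-based retention. Custom policies only exist
#    on the premium tier, so an empty result here on a standard tenant is expected.
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, Priority

# 4. Example incident-response question for one account over the last 30 days:
#    sign-ins, inbox-rule changes and which messages were read.
$user = "user@example.com"   # placeholder
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $user `
    -Operations "UserLoggedIn", "New-InboxRule", "Set-InboxRule", "MailItemsAccessed" `
    -ResultSize 5000 -SessionCommand ReturnLargeSet |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, Operation, ClientIP, UserId |
    Sort-Object CreationTime |
    Format-Table -AutoSize
```

Export the step-4 output to CSV as a matter of routine during an investigation; the retention window is the deadline after which this evidence is gone, which is why the post says to check it alongside the enable switch.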
No Conditional Access Policy for Risky Sign-Ins
Entra ID (formerly Azure AD) has native risk-based Conditional Access capabilities that can automatically require step-up authentication or block sign-ins flagged as high-risk. This catches things like logins from impossible travel locations, anonymous proxies, and known malicious IP addresses. Without it, a login from an unfamiliar country using stolen credentials goes straight through if the password is correct.
Risk: Compromised credentials go undetected at authentication
Fix: Configure sign-in risk policy in Entra ID Protection (requires P2 license)
Several of these fixes require Entra ID P1 or P2 licensing (included in M365 Business Premium and E3/E5). If you're on a base M365 Business Basic or Standard plan, you may not have access to Conditional Access at all. Knowing your license tier is the first step before any security hardening work.
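An added example (not from the original post) that ties the licensing check above to the risk-based policies described under the previous heading. It assumes the Microsoft Graph PowerShell SDK with the scopes listed in the script and a break-glass account object ID in place of the placeholder. The licensing step runs first because the two policies only evaluate risk on tenants with Entra ID P2; on P1, Conditional Access exists but risk conditions do not, and on Business Basic/Standard neither does.

```powershell
# Added example: confirm the licence tier, then create report-only Conditional Access
# policies for sign-in risk and user risk. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Organization.Read.All", "Policy.ReadWrite.ConditionalAccess", "IdentityRiskyUser.Read.All"

# 1. Which Entra ID tier is actually licensed? AAD_PREMIUM = P1, AAD_PREMIUM_P2 = P2.
$skus  = Get-MgSubscribedSku
$plans = $skus | ForEach-Object { $_.ServicePlans.ServicePlanName } | Sort-Object -Unique
$hasP1 = $plans -contains "AAD_PREMIUM"
$hasP2 = $plans -contains "AAD_PREMIUM_P2"
$skus | Select-Object SkuPartNumber, ConsumedUnits, @{n = "Purchased"; e = { $_.PrepaidUnits.Enabled }} | Format-Table -AutoSize
"Conditional Access available (P1 or P2): $($hasP1 -or $hasP2); risk policies available (P2): $hasP2"

if (-not $hasP2) {
    "No P2 licence found: risk conditions will not evaluate. Stop here and address licensing first."
    return
}

$breakGlass = @("<break-glass-account-object-id>")   # placeholder, assumption

# 2. Medium/high sign-in risk: require MFA. Report-only until the impact is reviewed.
$signInRiskPolicy = @{
    displayName = "Require MFA for medium and high sign-in risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy

# 3. High user risk (credentials believed leaked): require MFA and a password change.
#    Graph requires passwordChange to be paired with mfa under the AND operator.
$userRiskPolicy = @{
    displayName = "Require password change for high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy

# 4. What the policies would have acted on: users currently flagged at risk.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime |
    Format-Table -AutoSize
```

Leave both policies in report-only mode for a full business cycle and review the "report-only" results in the sign-in logs; the usual surprise is a shared service account or a travelling partner who would have been blocked, and that is the case to resolve before switching the state to enabled.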
The Bigger Picture
These five settings represent the most common gaps — but an M365 tenant has hundreds of configurable security controls. Each one was designed for a reason. An annual security review of your M365 environment should be a standard line item for any professional services firm, the same way you review your insurance coverage or your trust accounting procedures.
If you've never had your M365 tenant assessed, you almost certainly have at least three of these five gaps in place right now. The question is whether you find that out from a consultant — or from an incident.
Need help validating your environment? Book a consultation and Black Tower Cyber can review your exposure, identity controls, and incident readiness before attackers find the gap first.