← Blog

"We have Microsoft 365, so we're covered" — and 4 settings that prove otherwise

Tenant Strike3 min read

Microsoft 365 is secure-capable, not secure-by-default. Out of the box, several settings are left wide open — and attackers know exactly which ones. Here are four to check this week.

If your business runs on Microsoft 365 — Outlook, Teams, SharePoint, OneDrive — you've already made a good security decision. Microsoft pours billions into protecting that platform, and it shows.

But here's the part that trips up a lot of small businesses: Microsoft 365 is secure-capable, not secure-by-default. The powerful protections are there, but many of them are switched off until someone turns them on. Out of the box, the settings lean toward "make it easy to collaborate," not "make it hard to attack." That's a reasonable default for Microsoft — they don't know your business — but it leaves gaps that attackers check first.

You don't need to be technical to understand the four below. You may not have the access to change them yourself, but you can absolutely ask whoever manages your Microsoft account: "Can you confirm how these are set?"

1. Multi-factor authentication — for everyone, with no backdoors

You've probably heard that multi-factor authentication (MFA) — the code or app prompt after your password — is the single best thing you can do. True. The catch is the gaps.

In a lot of small business tenants, MFA is "encouraged" but not actually required for everyone. Worse, some older ways of connecting to email (the kind a 2014-era mail app uses) can skip the MFA prompt entirely. An attacker who buys your password from a data breach will try exactly those older paths first.

Ask: Is MFA required for every account, including admins? Are the old "legacy" sign-in methods blocked?

2. Who can invite guests

By default, any employee can invite an outside guest into your Microsoft 365 environment — into Teams chats, shared files, the works. That's convenient until you remember that a single phished employee account can then quietly add an attacker's account as a "guest" with access to your files.

Ask: Who is allowed to invite guests — everyone, or just admins?

3. "Anyone with the link" sharing

SharePoint and OneDrive can create share links that work for anyone who has the URL — no sign-in, no expiry. Handy for sending a big file to a client. Also handy for an attacker who finds that link in a forwarded email six months later, long after you'd forgotten it existed.

Ask: Can people create "anyone" links? Do those links expire?

4. App consent — the permission screen nobody reads

Ever clicked "Accept" on a screen asking an app for access to your email or files? Attackers run fake apps that ask for exactly that. If your tenant lets any employee approve those requests on their own, one wrong click can hand an outsider ongoing access to a mailbox — no password needed, and MFA won't stop it.

Ask: Can employees approve app permissions themselves, or does an admin review them first?

The pattern here

None of these are Microsoft bugs. They're settings — each one a switch someone has to flip. The hard part isn't fixing them; it's knowing which ones are open across the dozens of admin screens where they hide.

That's the whole reason Tenant Strike exists. It connects to your Microsoft 365 in read-only mode, checks these four settings and about a hundred more, and hands you a plain-English list of what's open and exactly how to close it — with a direct link to the right page. No agents to install, and it never changes anything itself.

You can read about the gaps all day. Seeing your own is a five-minute scan.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.