5 Microsoft 365 Mistakes Your Business May Be Making
Is Your Microsoft 365 Environment as Secure as You Think?
Microsoft 365 is used by businesses around the world for email, file storage, communication, collaboration and device management.
Employees may use Microsoft Outlook, Teams, SharePoint and OneDrive every day without thinking about the security systems operating behind them.
However, purchasing Microsoft 365 licences does not automatically mean that every account, device and file is properly protected.
Microsoft provides a wide range of security features, but many of them still need to be configured, monitored and regularly reviewed.
A small mistake could allow an attacker to access company emails, download SharePoint files, impersonate an employee or retain access long after somebody has left the business.
Here are five common Microsoft 365 mistakes your organisation may be making.
Mistake 1: Relying on passwords alone
Passwords remain one of the most common ways employees access Microsoft 365.
The problem is that passwords can be:
- Guessed
- Reused
- Stolen through phishing
- Exposed in a data breach
- Saved in an insecure browser
- Shared with colleagues
- Entered into a fake Microsoft login page
Even a long and complicated password could be compromised if an employee enters it into a convincing phishing website.
This is why a password should not be the only thing protecting a Microsoft 365 account.
Why multifactor authentication matters
Multifactor authentication, normally shortened to MFA, requires an additional verification method when somebody signs in.
This may involve:
- Approving a notification in Microsoft Authenticator
- Entering a code
- Using a security key
- Using a passkey
- Confirming the sign-in through a trusted device
If a cyber criminal steals the employee’s password, they should still be unable to access the account without completing the additional check.
Microsoft Security Defaults can provide a baseline level of identity protection and require users to register for multifactor authentication. Businesses with suitable licensing can use Conditional Access to introduce more detailed policies based on factors such as the user, device, application, location and sign-in risk.
Common MFA mistakes
Simply enabling some form of MFA does not always mean the environment is properly protected.
Common issues include:
- MFA is enabled for administrators but not ordinary employees
- Some accounts are excluded without a documented reason
- Old authentication methods remain enabled
- Employees repeatedly approve unexpected notifications
- Shared accounts are not properly protected
- Emergency administrator accounts are not monitored
- Security Defaults were disabled before equivalent Conditional Access policies were created
Microsoft advises organisations moving from Security Defaults to Conditional Access to recreate the baseline protections before switching Security Defaults off. The two systems are not intended to operate at the same time.
What should your business do?
Every employee account should be protected with an appropriate form of multifactor authentication.
The business should also:
- Review accounts excluded from MFA
- Block outdated sign-in methods
- Protect administrator accounts more strongly
- Train employees not to approve unexpected login requests
- Use Conditional Access where appropriate
- Consider phishing-resistant authentication for sensitive accounts
- Monitor unsuccessful and suspicious sign-ins
MFA is not a complete cyber security strategy, but it can prevent a stolen password from immediately becoming a successful Microsoft 365 breach.
Mistake 2: Giving too many people Global Administrator access
The Global Administrator role provides an extremely high level of control over Microsoft 365 and Microsoft Entra ID.
A Global Administrator may be able to:
- Create and remove users
- Reset passwords
- Assign administrative roles
- Change security policies
- Manage applications
- Access important administrative settings
- Alter authentication controls
- Elevate access to other Microsoft cloud resources
Microsoft describes Global Administrator as a highly privileged role and recommends limiting the number of people who have it.
However, we regularly see Global Administrator assigned simply because it is convenient.
An employee may only need to create user accounts, manage Exchange mailboxes or reset passwords, but they are given complete control of the environment.
Why excessive administrator access is dangerous
Every administrator account creates an additional opportunity for an attacker.
If a normal employee account is compromised, the attacker may gain access to that employee’s emails and files.
If a Global Administrator account is compromised, the attacker could potentially change security settings, create additional accounts and make it much harder for the business to regain control.
Administrator access can also create risks when:
- An employee changes role
- An external supplier no longer provides support
- A former employee’s account remains active
- Administrator credentials are used for normal email and web browsing
- Several people share one administrator account
- Administrative activity is not monitored
- Use the principle of least privilege
Least privilege means giving each person only the permissions needed to complete their responsibilities.
For example, somebody who needs to reset employee passwords may be assigned a suitable authentication or helpdesk role rather than Global Administrator.
Microsoft provides numerous built-in roles for specific tasks and recommends using the least privileged role that can complete the required work.
Microsoft’s current privileged-role guidance also recommends limiting Global Administrators, using multifactor authentication for administrator accounts and regularly reviewing privileged access.
What should your business do?
Review every account with an administrator role and ask:
- Does this person still need administrative access?
- Do they need this particular role?
- Could a more restricted role be used?
- Is the administrator account separate from their everyday account?
- Is strong MFA enabled?
- Is their administrative activity being monitored?
- Is the account still used by a current employee or supplier?
Administrator permissions should be treated as temporary business access, not something that remains assigned forever because it was once required.
Mistake 3: Allowing access from any device
Microsoft 365 allows employees to work from almost anywhere.
An employee can potentially sign in from:
- A company laptop
- A home computer
- A personal mobile phone
- A customer’s computer
- A shared family tablet
- An unmanaged web browser
This flexibility can be useful, but it also means company information may be accessed from devices the business does not own, secure or monitor.
A successful username, password and MFA challenge may confirm who the user is, but it does not necessarily confirm that the device is safe.
What is the risk of an unmanaged device?
A personal or unmanaged device may:
- Be missing security updates
- Have no suitable antivirus protection
- Be shared with other people
- Lack disk encryption
- Contain malicious browser extensions
- Save company passwords
- Download confidential files
- Synchronise business information into personal storage
- Remain accessible after the employee leaves
The business may not even know that the device has been used.
Microsoft Intune can assess whether enrolled devices comply with company security policies. Microsoft Entra Conditional Access can then require a device to be marked as compliant before it is allowed to access selected resources.
Does every personal device need to be completely blocked?
Not necessarily.
Different organisations may choose different levels of control.
A business could:
- Block all access from unmanaged devices
- Allow access only from compliant company computers
- Permit limited browser access without downloads
- Allow Outlook and Teams on personal phones using protected applications
- Require stronger authentication when the device is not trusted
SharePoint and OneDrive can be configured to block or limit access from unmanaged devices. Limited access can allow employees to view information in a browser while restricting downloads and synchronisation.
The correct approach depends on the type of information held and how employees need to work.
What should your business do?
Start by identifying which devices currently access Microsoft 365.
Then consider:
- Enrolling company devices in Microsoft Intune
- Defining device compliance policies
- Requiring encryption and current security updates
- Blocking unsupported operating systems
- Restricting access from unknown devices
- Protecting company data on personal mobiles
- Preventing downloads to unmanaged computers
- Providing employees with secure company equipment
Policies should be tested carefully before being applied to the entire business.
A badly planned Conditional Access policy could block legitimate employees or administrators. Policies should normally be introduced through testing, reporting and a phased rollout.
Mistake 4: Assuming Microsoft 365 is automatically backed up
Microsoft operates highly resilient cloud services and provides features such as recycle bins, retention settings and version history.
However, these features should not automatically be treated as a complete independent backup and disaster recovery strategy.
Information could still be affected by:
- Accidental deletion
- Malicious deletion
- A compromised administrator
- Incorrect retention settings
- Ransomware affecting synchronised files
- Mass changes to SharePoint or OneDrive
- Data being deleted before the problem is discovered
- An employee account being removed incorrectly
Microsoft now provides Microsoft 365 Backup as a separate backup and recovery service for supported Microsoft 365 workloads. The existence of a distinct backup service highlights that backup and recovery need to be intentionally planned rather than assumed.
Retention is not always the same as backup
Retention policies determine how long certain information should be kept and whether it can be permanently deleted.
Backup is normally designed to create recovery points that allow information to be restored following deletion, corruption or another incident.
Both can be important, but they solve different problems.
A retention policy may help preserve information for legal or regulatory purposes, while a backup service may provide a faster or more practical way to restore a large quantity of deleted data.
What about deleted users?
Microsoft’s data-retention behaviour depends on the workload, licensing and policies that have been configured.
For example, deleted user data may remain recoverable only for a limited period unless appropriate retention controls have been applied. Microsoft recommends confirming that a suitable hold or retention policy is active before deleting a user when mailbox information needs to be preserved as an inactive mailbox.
A business should not discover its recovery limitations for the first time after important information has been deleted.
What should your business do?
Your backup and retention review should answer:
- Which Microsoft 365 services contain important information?
- Are Exchange Online mailboxes protected?
- Are SharePoint and OneDrive included?
- How frequently are recovery points created?
- How long is information retained?
- Can individual files and complete sites be restored?
- Who is allowed to delete backups?
- How is the backup account protected?
- Have recovery procedures been tested?
- How long would a large restoration take?
The right solution will depend on how much information the business can afford to lose and how quickly it needs to recover.
Mistake 5: Failing to remove old users, guests and permissions
Microsoft 365 access can build up over time.
Employees change roles, contractors finish projects and external organisations are invited into Teams or SharePoint sites.
Unless access is regularly reviewed, the environment may contain:
- Former employees
- Old administrator accounts
- Contractors who no longer work with the business
- Guest users from completed projects
- Unused shared mailboxes
- Old application permissions
- Sharing links that remain active
- Employees with access to departments they have left
These accounts and permissions may not cause an immediate problem, but they create unnecessary opportunities for misuse or compromise.
Former employee access
Removing a Microsoft 365 licence is not the only action required when somebody leaves.
A proper offboarding process may need to:
- Block sign-in
- Reset the password
- Revoke active sessions
- Remove administrator roles
- Protect or transfer mailbox data
- Preserve OneDrive information
- Remove mobile-device access
- Review application access
- Recover company equipment
- Remove access to shared passwords
- Delete the account at the correct time
Microsoft provides a dedicated former-employee process covering the steps needed to block access and preserve access to relevant email and OneDrive data.
Simply changing the password may not address every active session, device or connected application.
Guest access
Microsoft 365 makes it easy to collaborate with customers, suppliers and contractors.
A guest may be invited into a Team or SharePoint site for a legitimate project. The problem occurs when that access is never reviewed after the project ends.
Microsoft Entra access reviews can be used to regularly confirm whether guests still need access to groups and applications. Reviews can also be configured as recurring processes rather than one-off exercises.
SharePoint and OneDrive also provide organisation-level external sharing settings that determine how openly information can be shared outside the business.
What should your business do?
Create documented processes for:
- New employees
- Employees changing roles
- Departing employees
- Contractors
- Guest users
- Administrator access
- Shared mailboxes
- External sharing
- Application permissions
Access reviews should take place regularly rather than only after a security incident.
Managers and site owners should be asked to confirm whether each person still needs access.
A bonus mistake: Ignoring Microsoft Secure Score
Microsoft Secure Score provides a measurement of the organisation’s Microsoft security posture and recommends improvement actions based on the environment’s current configuration.
It may identify recommendations relating to:
- Multifactor authentication
- Administrator roles
- Email security
- Device protection
- Identity controls
- Application permissions
- Data protection
Secure Score should not be treated as a guarantee that the business is secure.
A higher score means more recommended actions have been completed, but each recommendation still needs to be considered in the context of the business.
Some settings may be inappropriate for a particular application or working process. Others may require planning before they can be introduced.
The important point is that the recommendations should not simply be ignored.
They provide a useful starting point for identifying missing or weak controls.
Is Microsoft 365 secure?
Microsoft 365 can provide a strong security platform for a small or medium-sized business.
Microsoft 365 Business Premium includes additional security and management services such as Microsoft Defender for Business, Microsoft Defender for Office 365 Plan 1, Microsoft Intune and Microsoft Entra ID P1 capabilities.
However, licences alone do not protect the business.
The services must be:
- Correctly configured
- Applied to the right users
- Deployed across company devices
- Regularly monitored
- Updated when the business changes
- Supported by clear policies and employee training
A business could own excellent security technology while still leaving accounts unprotected, devices unmanaged and former employees active.
How can Hamilton Group help?
At Hamilton Group, we help businesses configure and manage Microsoft 365 securely.
We can assist with:
- Microsoft 365 security reviews
- Multifactor authentication
- Microsoft Conditional Access
- Microsoft Intune
- Device compliance policies
- Microsoft Defender for Business
- Microsoft Defender for Office 365
- Administrator access reviews
- Employee onboarding and offboarding
- SharePoint and OneDrive permissions
- Guest-user reviews
- Microsoft 365 backup
- Email security
- Microsoft Secure Score improvements
- Licensing reviews
- Ongoing Microsoft 365 management
We can review your existing Microsoft 365 environment and identify common risks such as unprotected accounts, excessive administrator access, unmanaged devices, missing backups and old users who still have access.
Microsoft 365 contains some of your organisation’s most important information.
It should be managed as a critical business system rather than simply treated as an email subscription.
Contact Hamilton Group to arrange a review of your Microsoft 365 security, licensing and device-management setup.
Call us on 0330 043 0069 or book an appointment with one of our experts.