When businesses subscribe to Microsoft 365, they often assume their data is protected by default. The reality is quite different. Microsoft ships its tenants with a permissive configuration designed for ease of use — not security. That means external sharing is wide open, audit logging is disabled, and multi-factor authentication is optional. For attackers, an unhardened M365 tenant is one of the easiest entry points into a business network. The good news? Most of these gaps can be closed in minutes from the admin center. The bad news? Most businesses never get around to it. Let's walk through the five critical settings you need to check right now.
Setting One: Multi-Factor Authentication (MFA) Enforcement
MFA is widely considered the single most effective security control available, and Microsoft's own data shows it blocks 99.9% of account compromise attacks. Despite this, many businesses leave MFA optional for users or rely on weak methods like SMS codes that are vulnerable to SIM-swapping and interception.
Here's what you should do instead. Go to the Microsoft Entra admin center and create a Conditional Access policy that requires MFA for all users across all cloud applications. Don't just enable basic MFA settings — Microsoft is retiring those in favor of Security Defaults and Conditional Access policies, which give you much finer control over when and how authentication is required.
For the strongest protection, require the Microsoft Authenticator app or hardware security keys (FIDO2) rather than SMS-based verification. The Authenticator app pushes notifications directly to a device the user physically possesses, making remote phishing attacks significantly harder. Hardware keys provide the highest level of protection by requiring physical presence for every sign-in attempt.
If you have legacy systems or specific users who genuinely cannot use MFA yet, create break-glass emergency accounts with carefully documented procedures. But the goal should be 100% MFA coverage across every user account in your tenant.
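The policy described above, expressed as an added example in Microsoft Graph PowerShell (this is not code from the article or from All Digital Consulting). It creates the "MFA for all users, all cloud apps" Conditional Access policy in report-only mode first, excludes one break-glass account so the emergency login is never caught by it, and then lists every policy that excludes that account so the exclusion can be reviewed. The break-glass UPN, the policy name and the required Graph scopes are assumptions for the example.

```powershell
# Added example (not from the original article): create a report-only
# Conditional Access policy that requires MFA for all users and all cloud
# apps, excluding one break-glass account. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in admin can manage CA policies.
# The break-glass UPN below is a placeholder; substitute your own.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

$breakGlassUpn = "breakglass-01@contoso.onmicrosoft.com"   # placeholder
$breakGlass    = Get-MgUser -UserId $breakGlassUpn

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Start in report-only so the sign-in log shows who would be affected
    # before anyone can be locked out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' in state $($created.State)"

# Review: every CA policy that excludes the break-glass account, so a
# second admin can confirm the emergency account stays reachable.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.Conditions.Users.ExcludeUsers -contains $breakGlass.Id } |
    Select-Object DisplayName, State
```

Once the report-only sign-in log shows no unexpected failures, switch the policy to enforcement with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`. To go beyond plain MFA and require Authenticator or FIDO2 as the article recommends, replace `builtInControls` with an `authenticationStrength` grant control pointing at the tenant's built-in "Phishing-resistant MFA" strength (visible via `Get-MgPolicyAuthenticationStrengthPolicy`); that is the same policy shape with a stricter grant.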
Setting Two: External Sharing Restrictions
By default, SharePoint Online and OneDrive for Business allow anyone with a link to view files shared externally. That means any employee can generate a sharing link and post it publicly — and suddenly years of company documents are accessible to anyone on the internet. This is one of the most common ways sensitive data leaks occur in Microsoft 365 environments.
To fix this, navigate to the SharePoint admin center and set external sharing to "Specific people" only. This forces users to invite recipients by email address rather than generating anonymous links. You can also restrict sharing at the site level, disabling guest access entirely for sensitive sites containing HR records, financial data, or intellectual property.
After tightening your sharing settings, audit existing shared links using the SharePoint admin center's sharing reports. Look for links set to "Anyone" and revoke them immediately. Set up periodic reviews so new problematic links don't accumulate over time.
Consider implementing expiration dates on all external sharing links and requiring recipients to authenticate before accessing shared content. These additional layers ensure that even if a link does get exposed, its window of vulnerability is limited.
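The sharing changes in this section, as an added example in SharePoint Online PowerShell (not the article's own code). It sets the tenant to authenticated external users only (which removes "Anyone" links), makes "specific people" the default link type, puts an expiry on guest access, disables external sharing on named sensitive sites, and lists every site whose own setting still permits it. The "contoso" tenant and the site URLs are placeholders.

```powershell
# Added example (not from the original article): lock down tenant-wide
# sharing in SharePoint Online / OneDrive, disable external sharing on named
# sensitive sites, and list sites that still allow it. Assumes the
# Microsoft.Online.SharePoint.PowerShell module; "contoso" and the site URLs
# are placeholders for your tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant defaults: only authenticated external users (no "Anyone" links),
# default link type "Direct" (specific people), and guest access that
# expires after 30 days unless renewed.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# Sites holding HR, finance or IP data: no external sharing at all.
$lockedSites = @(
    "https://contoso.sharepoint.com/sites/HR",
    "https://contoso.sharepoint.com/sites/Finance"
)
foreach ($url in $lockedSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# Review: every site whose own setting still permits external sharing.
# A site can never be more permissive than the tenant setting, but the list
# shows where sharing would reopen if the tenant setting were ever relaxed.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object Url
```

Tightening the tenant setting stops new anonymous links but does not revoke links created earlier; those still need the sharing-report review the article describes.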
Setting Three: Audit Log Retention
The Microsoft 365 audit log is your forensic toolkit — it records sign-ins, file access events, admin changes, mailbox operations, and dozens of other activities across your tenant. The problem? On most plans, it only retains data for 90 days, and more importantly, audit logging is turned off by default.
Your first step is to explicitly enable audit logging. Go to the Microsoft 365 Compliance Center, navigate to Audit, and click "Start recording user and admin activity." This single click activates logging across Exchange Online, SharePoint Online, OneDrive, Teams, and other services in your tenant.
Next, upgrade your retention period. If you're on Microsoft 365 E3 or E5 licenses, you get 1-year audit log retention included. For businesses subject to regulatory requirements like HIPAA, PCI DSS, or GLBA, this extended retention is essential — auditors need historical data to verify compliance, and forensic investigations often require looking back months into an incident timeline.
If you're on business-grade plans without extended retention, consider upgrading or exporting audit logs to an external SIEM solution. Without adequate audit trail retention, you're flying blind when something goes wrong — and many compliance frameworks will flag this as a deficiency during audits.
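An added example in Exchange Online PowerShell (not from the article) covering both this section and the earlier advice to hunt for "Anyone" links: it checks whether unified audit logging is on, enables it if not, then searches the last seven days for SharePoint sharing events, including the `AnonymousLinkCreated` operation behind an "Anyone" link, and exports them to CSV so a copy can live outside the tenant's retention window. The export path is a placeholder, and the account running it is assumed to hold a role that can read audit logs.

```powershell
# Added example (not from the original article): confirm unified audit
# logging is on, turn it on if not, then pull recent SharePoint sharing
# events (including anonymous-link creation) and export them for a SIEM.
# Assumes the ExchangeOnlineManagement module; the export path is a
# placeholder.
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit log ingestion enabled; events begin appearing within hours."
} else {
    "Unified audit log ingestion already enabled."
}

# Search the last 7 days for sharing operations. AnonymousLinkCreated is the
# event behind an "Anyone" link; SharingSet and SharingInvitationCreated
# cover links and invitations to named recipients.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) `
                                 -EndDate (Get-Date) `
                                 -RecordType SharePointSharingOperation `
                                 -Operations AnonymousLinkCreated, SharingSet, SharingInvitationCreated `
                                 -ResultSize 5000

# AuditData is a JSON string; expand the fields an analyst actually wants.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        Object    = $d.ObjectId
        Target    = $d.TargetUserOrGroupName
        ClientIP  = $d.ClientIP
    }
}

$rows | Sort-Object When -Descending | Format-Table -AutoSize

# Ship a copy off-tenant so it outlives the default retention period.
$rows | Export-Csv -Path "C:\AuditExport\sharing-events.csv" -NoTypeInformation
```

Scheduling this search and export (daily, with a rolling window) is the cheapest way to meet the "export to an external SIEM" advice above when a longer retention license is not in budget.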
Setting Four: Safe Attachments and Safe Links
Microsoft Defender for Office 365 includes two features that dramatically reduce the risk of email-borne threats: Safe Attachments and Safe Links. Many businesses don't realize these aren't enabled automatically — they require a separate license tier (Defender for Office 365 Plan 1 or Plan 2) and must be configured explicitly.
Safe Attachments works by routing email attachments through cloud-based detonation chambers where they're analyzed in isolated virtual environments. Even if a file looks like a legitimate spreadsheet or document, Safe Attachments will open it, execute any embedded macros or scripts, and check for malicious behavior before delivering it to the recipient. Files flagged as threats are quarantined automatically, and previously delivered emails containing newly identified threats can be recalled from user mailboxes.
Safe Links takes a different approach to protection. It rewrites URLs found in emails and Teams messages, so when a user clicks a link, it first passes through Microsoft's threat intelligence engines for real-time analysis. This catches threats that didn't exist when the email was originally sent — for example, a legitimate website that gets compromised hours after someone received an email pointing to it. Safe Links also provides click-time warnings for suspicious destinations and blocks known phishing sites.
To enable both features, go to the Microsoft 365 Defender portal, navigate to Email & Collaboration policies, and create protection policies that apply Safe Attachments and Safe Links to all users. Make sure to enable the option to scan links at click time and apply policies to both inbound and outbound messages.
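The same two policies created from Exchange Online PowerShell instead of the portal, as an added example (not the article's code). It builds one Safe Attachments policy that blocks on a malicious detonation verdict and one Safe Links policy that rewrites and scans at click time across email, Teams and Office apps, scopes both to every accepted domain in the tenant, and reads the key settings back. Policy names are assumptions; a Defender for Office 365 Plan 1 or Plan 2 license is required for the cmdlets to succeed.

```powershell
# Added example (not from the original article): create one Safe Attachments
# and one Safe Links policy and scope both to every accepted domain in the
# tenant. Assumes the ExchangeOnlineManagement module and a Defender for
# Office 365 Plan 1/2 license. Policy names are placeholders.
Connect-ExchangeOnline

$domains = (Get-AcceptedDomain).DomainName

# Safe Attachments: block the message when detonation finds malicious
# behaviour; blocked messages land in quarantine for the security team.
New-SafeAttachmentPolicy -Name "SA-AllUsers" `
                         -Enable $true `
                         -Action Block `
                         -Redirect $false
New-SafeAttachmentRule -Name "SA-AllUsers-Rule" `
                       -SafeAttachmentPolicy "SA-AllUsers" `
                       -RecipientDomainIs $domains

# Safe Links: rewrite and scan at click time in mail, Teams and Office apps,
# include internal senders, keep click telemetry, and do not let users click
# through a block page.
New-SafeLinksPolicy -Name "SL-AllUsers" `
                    -EnableSafeLinksForEmail $true `
                    -EnableSafeLinksForTeams $true `
                    -EnableSafeLinksForOffice $true `
                    -EnableForInternalSenders $true `
                    -ScanUrls $true `
                    -DeliverMessageAfterScan $true `
                    -TrackClicks $true `
                    -AllowClickThrough $false
New-SafeLinksRule -Name "SL-AllUsers-Rule" `
                  -SafeLinksPolicy "SL-AllUsers" `
                  -RecipientDomainIs $domains

# Read back the settings that matter most.
Get-SafeAttachmentPolicy -Identity "SA-AllUsers" | Select-Object Enable, Action
Get-SafeLinksPolicy -Identity "SL-AllUsers" |
    Select-Object EnableSafeLinksForEmail, EnableSafeLinksForTeams, ScanUrls, AllowClickThrough
```

`AllowClickThrough $false` is the setting most often left loose: with it on, a user can bypass the Safe Links warning page, which turns a block into a suggestion.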
Setting Five: Admin Role Least Privilege
Walk into any small-to-midsize business and ask how many Global Administrators their Microsoft 365 tenant has. The answer is usually far too high. Global Admin is the most powerful role in Microsoft 365 — it grants unrestricted access to every service, every setting, and every piece of data in your tenant. If a Global Admin account is compromised, attackers have full control with no barriers.
The principle of least privilege means giving people only the access they actually need. Instead of making everyone a Global Administrator, use role-based admin accounts: Exchange Admin for email management, SharePoint Admin for site configuration, Security Admin for threat response, and Billing Admin for subscription management. Each of these roles limits what an attacker can do if that specific account is compromised.
Audit your current admin assignments regularly. Remove accounts belonging to employees who have left the organization or whose roles no longer require administrative access. Microsoft recommends keeping Global Admin accounts to an absolute minimum — ideally no more than two or three people who truly need that level of access.
For organizations that need just-in-time admin access, consider implementing Privileged Identity Management (PIM) if you have E5 licenses. PIM requires approval workflows for elevated access, sets automatic expiration on admin sessions, and generates detailed audit logs for every privileged action taken.
Finally, use dedicated admin devices that never browse the internet, never open email, and are used exclusively for administrative tasks. If a user browses the web and opens email on the same device they use to manage your M365 tenant, a single phishing click can compromise their admin credentials.
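A review script for this section, added here as an example in Microsoft Graph PowerShell (not the article's code). It enumerates Global Administrator members, flags any not on an approved list, prints the count against the two-to-three target the article gives, and then lists admins of any role who have no MFA method registered, which ties the least-privilege review back to Setting One. The approved UPNs and Graph scopes are assumptions.

```powershell
# Added example (not from the original article): enumerate Global
# Administrator members, flag any that are not on the approved list, and
# report which admins have no MFA registered. Assumes the Microsoft.Graph
# SDK; the approved UPNs are placeholders.
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$approvedGlobalAdmins = @(
    "breakglass-01@contoso.onmicrosoft.com",   # placeholder
    "it.lead@contoso.com"                      # placeholder
)

# directoryRole objects exist once the role has been activated; filter
# client-side on the display name.
$role    = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq "Global Administrator" }
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id

$report = foreach ($m in $members) {
    $upn = $m.AdditionalProperties["userPrincipalName"]
    [pscustomobject]@{
        # Service principals and groups have no UPN; show type and object id.
        Principal = if ($upn) { $upn } else { "$($m.AdditionalProperties['@odata.type']) $($m.Id)" }
        Approved  = [bool]($upn -and ($approvedGlobalAdmins -contains $upn))
    }
}

"Global Administrators: $($report.Count) (target: 2-3)"
$report | Sort-Object Approved | Format-Table -AutoSize

# Any admin (of any role) without a registered MFA method.
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered,
                  @{ n = "Methods"; e = { $_.MethodsRegistered -join "," } }
```

Run this on a schedule and diff the output against the previous run; a new unapproved name in the Global Administrator list is worth an immediate look, whether it came from an onboarding shortcut or from someone else's hands on the tenant.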
How to Get These Right
You can configure all five of these settings yourself in the Microsoft 365 admin center, and we've given you the roadmap above. But there's a real risk in doing it alone: misconfigurations can lock users out of their accounts, break file sharing workflows, or disable services your team depends on daily. A Conditional Access policy written without proper exclusions can lock out your own IT staff. An overly aggressive sharing restriction can halt collaboration with external partners.
That's where dedicated Microsoft 365 tenant administration comes in. At All Digital Consulting, we continuously monitor your tenant configuration, apply security best practices as they evolve, and ensure your settings adapt as new threats emerge. Our AI-enhanced monitoring catches configuration drift before it becomes a vulnerability — so you don't have to worry about whether your tenant is still secure from last month's review.
We handle the technical complexity so your team can focus on the work that matters. From initial hardening to ongoing compliance monitoring, we make sure your Microsoft 365 environment stays locked down without getting in the way of productivity.
Not Sure Where Your Tenant Stands?
We'll review all five settings (and dozens more) during a free Microsoft 365 security assessment. Contact us to schedule yours — no obligation, just a clear picture of your current security posture and actionable steps to close the gaps.