IronSights

Why 40% of Microsoft 365 Security Controls Are Off by Default

Microsoft 365 ships with powerful security tooling — but a significant portion of it is disabled out of the box. Understanding which controls need manual activation is essential for any Australian business running M365.

By Ryan Balloot, Managing Director. 13 February 2023. 1 min read.

Microsoft 365 is the most widely used cloud productivity platform in Australian business. It is also one of the most consistently misconfigured. Not because it lacks security capability: it has more built-in security tooling than most small businesses will ever use. The problem is that a large proportion of that capability ships switched off, or switched on only in a baseline form that stops well short of what the licence can actually do.

Controls Off by Default

MFA for All Users

Microsoft does not enforce MFA for every user by default. In tenancies running security defaults, all users must register an MFA method within 14 days and administrators are challenged on every sign-in, but ordinary users are challenged only when Microsoft's own risk signals call for it. Older tenancies often have security defaults switched off altogether, and tenancies that moved to Conditional Access frequently have no policy requiring MFA of all users. The result, one of the most common gaps found in M365 security reviews, is a population of accounts that can still sign in with a password alone.
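The two checks a reviewer actually runs for this section, as an added example that is not part of the original article: first, list the enabled, licensed users who have no MFA-capable method registered; second, create a Conditional Access policy requiring MFA for everyone, in report-only mode, so the impact is visible in the sign-in logs before it is enforced. It assumes the Microsoft.Graph PowerShell SDK, an Entra ID P1 licence (included in Business Premium) for Conditional Access, and a break-glass account whose UPN is a placeholder here.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# PowerShell SDK, an admin who can consent to the scopes below, and Entra ID P1.
# The break-glass UPN is an assumption; substitute your own.
$scopes = "User.Read.All","UserAuthenticationMethod.Read.All",
          "Policy.ReadWrite.ConditionalAccess","Application.Read.All"
Connect-MgGraph -Scopes $scopes

# 1. Enabled, licensed users with no MFA-capable method registered. Password and
#    email (self-service password reset) methods are not counted: neither is MFA.
$mfaTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)
$licensed = Get-MgUser -All -Filter "accountEnabled eq true" -Property Id,UserPrincipalName,AssignedLicenses |
            Where-Object { $_.AssignedLicenses }          # skips shared mailboxes and other unlicensed objects
$noMfa = foreach ($u in $licensed) {
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    if (-not ($types | Where-Object { $mfaTypes -contains $_ })) { $u.UserPrincipalName }
}
"{0} of {1} enabled, licensed users have no MFA method registered" -f @($noMfa).Count, @($licensed).Count
$noMfa

# 2. Require MFA for all users, excluding one break-glass account, in report-only
#    mode first. Conditional Access and security defaults cannot both be on, so
#    security defaults are turned off only when this policy is ready to enforce.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'"   # assumed UPN
$policy = @{
    displayName   = "CA001 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"      # switch to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Run the registration check again a fortnight after the policy goes live: users who were never prompted because they only use legacy clients will show up in the list below, not in this one.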

Legacy Authentication

Legacy (basic) authentication protocols such as SMTP AUTH, IMAP and POP present only a username and password, so they can never be challenged for MFA: a phished or password-sprayed credential is enough. Microsoft retired basic authentication for most Exchange Online protocols at the end of 2022, but SMTP AUTH was deliberately left out of that retirement and is still enabled in many tenancies, usually for multifunction printers and line-of-business applications that send mail. Blocking legacy authentication, at both the Exchange Online and the Conditional Access layer, is a prerequisite for MFA enforcement to mean anything.
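Finding who still uses legacy protocols before blocking them, and then closing both layers, as an added example that is not part of the original article. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules, Entra ID P1 (sign-in logs are kept 30 days at that tier; 7 days on the free tier), and the scanner mailbox address is a placeholder.

```powershell
# Added example, not from the original article. Assumes Microsoft.Graph and
# ExchangeOnlineManagement modules and an admin with the rights requested.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All"
Connect-ExchangeOnline

# 1. Who is still signing in over legacy protocols? Entra labels these in ClientAppUsed.
$legacyClients = @("Authenticated SMTP","IMAP4","POP3","Exchange ActiveSync","Exchange Web Services",
                   "MAPI Over HTTP","Outlook Anywhere (RPC over HTTP)","Other clients")
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name                       # "user, protocol" pairs to chase down first

# 2. SMTP AUTH survived Microsoft's basic-auth retirement. Disable it tenant-wide and
#    re-enable it only on the few mailboxes (scanners, apps) that genuinely need it.
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled   # $false means SMTP AUTH is allowed
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Per-mailbox exception, only where unavoidable (assumed address):
# Set-CASMailbox -Identity "scanner@contoso.com" -SmtpClientAuthenticationDisabled $false

# 3. Block legacy authentication for everyone, report-only first. "other" covers
#    IMAP, POP, SMTP AUTH and any client that cannot perform modern authentication.
$policy = @{
    displayName   = "CA002 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"      # then "enabled"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync","other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The report-only period matters here more than for the MFA policy: the sign-in query in step 1 is exactly what the policy would have blocked, so an empty result after 30 days is the signal to enforce.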

Unified Audit Logging

The unified audit log records activity across Exchange, SharePoint, Teams and the other M365 workloads, and it is the first thing an investigator reaches for after a mailbox compromise. Two things go wrong with it in practice. Some tenancies have ingestion switched off, and nothing is recorded retroactively once it is turned on. More commonly, retention is left at the default (90 days on Business Premium and E3 at the time of writing; Microsoft later raised that default to 180 days), which is often shorter than the gap between initial compromise and discovery. Longer retention needs the Audit (Premium) capability or routine export to a SIEM.
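What "essential for incident investigation" looks like in practice, as an added example that is not part of the original article: confirm ingestion is on, then run the inbox-rule query that features in almost every business-email-compromise case, decoding the AuditData JSON that Search-UnifiedAuditLog returns. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role; the retention policy at the end assumes an Audit (Premium) licence and is shown as a comment.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement
# module and an account with the Audit Logs (or Compliance/Global admin) role.
Connect-ExchangeOnline

# 1. Is ingestion on? If not, enable it. Nothing from before this point is recoverable.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit logging was off and has just been enabled; history starts now."
}

# 2. Inbox rules created or changed in the last 90 days (the default retention window).
#    Attackers add rules that forward, delete or file replies so the victim never sees them.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations "New-InboxRule","Set-InboxRule","UpdateInboxRules" -ResultSize 5000
$rules = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Rules set via OWA/PowerShell expose Parameters; Outlook desktop rules expose OperationProperties.
    $kv = @($d.Parameters) + @($d.OperationProperties) | Where-Object { $_ } |
          ForEach-Object { "$($_.Name)=$($_.Value)" }
    [pscustomobject]@{
        When      = $e.CreationDate
        User      = $e.UserIds
        Operation = $e.Operations
        ClientIP  = $d.ClientIP            # compare against the user's usual locations
        Detail    = $kv -join "; "         # look for ForwardTo, DeleteMessage, MoveToFolder=RSS Feeds
    }
}
$rules | Sort-Object When -Descending | Format-Table -Wrap

# 3. Retention beyond the default requires Audit (Premium) and a policy set from
#    Security & Compliance PowerShell, for example:
#    Connect-IPPSSession
#    New-UnifiedAuditLogRetentionPolicy -Name "Keep one year" `
#        -RecordTypes ExchangeItem,ExchangeAdmin,AzureActiveDirectoryStsLogon `
#        -RetentionDuration TwelveMonths -Priority 1
```

If step 1 prints the warning, the rule query in step 2 will come back empty for any compromise that happened before today, which is itself a finding worth writing up.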

Safe Links and Safe Attachments

Defender for Office 365, included in Business Premium, scans URLs (Safe Links) and attachments (Safe Attachments) at delivery and again at click time. Since late 2021 Microsoft's Built-in protection preset applies a baseline of both to licensed users, but it is the lowest-priority policy and its settings are weaker than the Standard and Strict presets, so meaningful coverage still requires deliberately assigning one of those presets, or custom Safe Links and Safe Attachments policies, to every recipient domain. Many tenancies that hold the licence have done neither.
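Checking what is really applied and then creating explicit policies, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, a Defender for Office 365 Plan 1 licence, and a primary domain and review mailbox that are placeholders.

```powershell
# Added example, not from the original article. Assumes ExchangeOnlineManagement,
# Defender for Office 365 P1 (in Business Premium) and an assumed domain.
Connect-ExchangeOnline
$domain = "contoso.com"                                  # assumption

# 1. What is applied today? A policy without a rule protects nobody, and the
#    Standard/Strict preset rules show whether a preset is actually assigned.
Get-SafeAttachmentPolicy   | Format-Table Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule     | Format-Table Name, State, Priority, RecipientDomainIs
Get-SafeLinksPolicy        | Format-Table Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams,
                                          EnableSafeLinksForOffice, ScanUrls, AllowClickThrough
Get-SafeLinksRule          | Format-Table Name, State, Priority, RecipientDomainIs
Get-ATPProtectionPolicyRule | Format-Table Name, State, Priority, RecipientDomainIs

# 2. Custom policies covering the whole domain. Block (not Replace) on detonation
#    and forward blocked mail to a review mailbox so false positives are visible.
New-SafeAttachmentPolicy -Name "SA - All users" -Enable $true -Action Block `
    -Redirect $true -RedirectAddress "secops@$domain"    # assumed review mailbox
New-SafeAttachmentRule -Name "SA - All users" -SafeAttachmentPolicy "SA - All users" `
    -RecipientDomainIs $domain

# Rewrite and scan URLs in mail, Teams and Office apps, including internal senders
# (a compromised colleague is the most convincing phisher), and do not let users
# click through a warning.
New-SafeLinksPolicy -Name "SL - All users" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false -DisableUrlRewrite $false
New-SafeLinksRule -Name "SL - All users" -SafeLinksPolicy "SL - All users" `
    -RecipientDomainIs $domain
```

If the organisation has several accepted domains, pass them all to -RecipientDomainIs; a rule scoped to one domain leaves the others on the Built-in baseline.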

What a Hardened M365 Configuration Looks Like

MFA enforced for all users. Legacy authentication blocked. Conditional Access policies active. Defender for Office 365 protections (Safe Links and Safe Attachments) assigned to every recipient domain. Audit logging on, with retention long enough to cover the typical delay between compromise and discovery. Device management through Intune, ensuring only compliant devices can access corporate data. Each of these should be verified against the live configuration rather than assumed from the licence.

How do I assess my current M365 security posture?

Microsoft Secure Score in the Defender portal provides a starting point: it scores the tenancy against Microsoft's list of recommended controls and shows which remain unimplemented. A structured M365 security review by a qualified partner provides a more comprehensive and actionable picture, particularly covering the configuration areas Secure Score does not assess.
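Pulling Secure Score programmatically and listing the controls with the most points still on the table, as an added example that is not part of the original article. It assumes the Microsoft.Graph.Security module; the join between a control score's ControlName and a control profile's Id reflects how the Graph API exposes the two resources.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# PowerShell SDK (Microsoft.Graph.Security) and a reader of the Security Reader role.
Connect-MgGraph -Scopes "SecurityEvents.Read.All"

$latest   = Get-MgSecuritySecureScore -Top 1               # newest daily snapshot
$profiles = Get-MgSecuritySecureScoreControlProfile -All | Where-Object { -not $_.Deprecated }
$byId = @{}
foreach ($p in $profiles) { $byId[$p.Id] = $p }            # profile Id matches ControlName

"Secure Score: {0:N1} / {1:N1}" -f $latest.CurrentScore, $latest.MaxScore

# Controls not yet fully implemented, ordered by remaining points. UserImpact is
# worth reading before chasing the top of the list: some high-value controls are
# cheap (MFA for admins), others need change management (blocking legacy auth).
$gaps = foreach ($c in $latest.ControlScores) {
    $p = $byId[$c.ControlName]
    if (-not $p) { continue }
    $remaining = $p.MaxScore - $c.Score
    if ($remaining -gt 0) {
        [pscustomobject]@{
            Control    = $p.Title
            Category   = $p.ControlCategory
            Earned     = $c.Score
            Max        = $p.MaxScore
            Remaining  = $remaining
            UserImpact = $p.UserImpact
        }
    }
}
$gaps | Sort-Object Remaining -Descending | Select-Object -First 15 | Format-Table -AutoSize
```

Treat the output as a work list, not a verdict: a tenancy can score well while, for example, a single stale SMTP AUTH exception or an unreviewed privileged-role assignment goes unnoticed.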
