Strengthen Your Cyber Resilience
Is Your SharePoint Environment Truly Secure?
Interested in our Cybersecurity Framework?
Microsoft has strengthened default security settings across Microsoft 365 in recent years. However, these improvements are not always applied retrospectively.
Many UK organisations operating tenants configured prior to 2022 – particularly those inherited from previous IT providers – still carry legacy configurations across file sharing, email forwarding, third-party app access, audit logging, and MFA enforcement.
This presents a material governance and risk issue. 43% of UK businesses experienced a cyber breach in the last year, with 5% reporting direct revenue or share value loss and increasing levels of reputational damage, highlighting the operational impact of weak controls
The following five settings represent practical, high-impact areas for review.
1. Default Sharing Links in SharePoint and OneDrive
In many older Microsoft 365 environments, the default sharing setting remains “Anyone with the link”. This allows files to be accessed without authentication, with no visibility over who ultimately receives the data.
While newer tenants default to more restrictive sharing, older configurations often persist unnoticed – particularly at the tenant level or within legacy SharePoint sites.
From a governance perspective, this creates unmanaged data exposure risk. For organisations handling personal or commercially sensitive data, this can directly conflict with UK GDPR obligations around access control and accountability.
Recommendation:
Set the default sharing link to “Specific people”, enforce authentication, and apply expiry policies to legacy links. This ensures data access remains auditable and time-bound.
2. External Email Forwarding Rules
Microsoft now blocks external email forwarding by default. However, legacy rules created before this policy change may still be active.
This is a common but often overlooked risk as a single forwarding rule to a personal account can effectively bypass organisational controls, exporting sensitive communications without detection.
Given that phishing accounts for the vast majority of cyber incidents in UK organisations (over 80%), compromised inboxes combined with forwarding rules significantly increase both breach likelihood and dwell time.
Recommendation:
- Confirm outbound anti-spam policies block external forwarding
- Audit inbox rules across all users
- Monitor for rule creation within audit logs
3. Historical Third-Party Application Access
Microsoft has tightened user consent controls, meaning new app access requests now require administrator approval.
However, historical consents remain in place. Many organisations have accumulated a backlog of third-party applications with persistent access to:
- Email accounts
- Calendars
- SharePoint and OneDrive data
In practice, this creates an unmonitored access layer outside standard identity governance.
This is particularly relevant given the growing complexity of the UK threat landscape and increasing reliance on third-party integrations. Research shows that external access and third-party involvement are a contributing factor in a significant proportion of breaches.
Recommendation:
Review enterprise applications within Microsoft Entra ID and revoke any access that is no longer required or cannot be clearly justified.
4. Audit Log Retention and Evidence Readiness
Microsoft increased standard audit log retention to 180 days in 2023. While this represents an improvement, it may not align with UK regulatory expectations.
Under UK GDPR, organisations are required to demonstrate accountability and respond to data incidents within strict timeframes, including the 72-hour breach reporting requirement to the ICO.
For many organisations, particularly those handling personal, financial, or client data, a six-month audit history is insufficient when investigating incidents or responding to subject access requests and regulatory queries.
Recommendation:
Assess whether audit retention aligns with your risk profile and regulatory obligations. Where necessary, extend retention through appropriate licensing or supplementary controls.
5. MFA Enforcement and Policy Gaps
Multi-factor authentication (MFA) remains one of the most effective controls available, yet adoption is still inconsistent across UK organisations.
Recent UK data indicates that only around 40% of businesses have implemented any form of two-factor authentication, leaving a significant proportion exposed to credential-based attacks.
In older Microsoft 365 tenants, MFA enforcement is often fragmented, particularly where:
- Security Defaults have been disabled
- Conditional Access policies are partially implemented
- Administrative or “break-glass” accounts are excluded
This creates a false sense of security, where gaps exist despite apparent policy coverage.
Recommendation:
- Confirm MFA is enforced across all users
- Validate Conditional Access policies cover all access scenarios
- Ensure admin and emergency access accounts are appropriately secured
A Structured Approach to Implementation
A phased approach is recommended as not all changes carry equal operational impact:
- Highest risk: MFA and Conditional Access review (requires careful validation and testing)
- Higher user impact: Sharing default changes (requires communication)
- Moderate impact: External forwarding controls
- Low impact: Audit log retention and application access reviews