5 Microsoft 365 Settings Worth Checking in Your Tenant

5 Microsoft 365 Settings Worth Checking in Your Tenant

Strengthen Your Cyber Resilience

A successful ransomware attack can disrupt operations, compromise data, and impact stakeholder trust. Learn how VirtueUK helps organisations reduce risk and improve cyber resilience

Is Your SharePoint Environment Truly Secure?

SharePoint makes collaboration easy, but misconfigured permissions, oversharing, and unmanaged access can expose sensitive organisational data. Discover how to reduce risk and improve governance across your Microsoft 365 environment.
Cybersecurity Strategy Pillars graphic. Depicts 6-tiers in a pyramid. From the top, the tiers read: Vision, Mission, Objectives, Strategy, Approach, and Tactics.

Interested in our Cybersecurity Framework?

Visit our article on how to organise an effective cybersecurity strategy to download a copy of our framework.

Microsoft has strengthened default security settings across Microsoft 365 in recent years. However, these improvements are not always applied retrospectively.

Many UK organisations operating tenants configured prior to 2022 – particularly those inherited from previous IT providers – still carry legacy configurations across file sharing, email forwarding, third-party app access, audit logging, and MFA enforcement.

This presents a material governance and risk issue. 43% of UK businesses experienced a cyber breach in the last year, with 5% reporting direct revenue or share value loss and increasing levels of reputational damage, highlighting the operational impact of weak controls

The following five settings represent practical, high-impact areas for review.

1. Default Sharing Links in SharePoint and OneDrive

In many older Microsoft 365 environments, the default sharing setting remains “Anyone with the link”. This allows files to be accessed without authentication, with no visibility over who ultimately receives the data.

While newer tenants default to more restrictive sharing, older configurations often persist unnoticed – particularly at the tenant level or within legacy SharePoint sites.

From a governance perspective, this creates unmanaged data exposure risk. For organisations handling personal or commercially sensitive data, this can directly conflict with UK GDPR obligations around access control and accountability.

Recommendation:

Set the default sharing link to “Specific people”, enforce authentication, and apply expiry policies to legacy links. This ensures data access remains auditable and time-bound.

2. External Email Forwarding Rules

Microsoft now blocks external email forwarding by default. However, legacy rules created before this policy change may still be active.

This is a common but often overlooked risk as a single forwarding rule to a personal account can effectively bypass organisational controls, exporting sensitive communications without detection.

Given that phishing accounts for the vast majority of cyber incidents in UK organisations (over 80%), compromised inboxes combined with forwarding rules significantly increase both breach likelihood and dwell time.

Recommendation:

  • Confirm outbound anti-spam policies block external forwarding
  • Audit inbox rules across all users
  • Monitor for rule creation within audit logs

3. Historical Third-Party Application Access

Microsoft has tightened user consent controls, meaning new app access requests now require administrator approval.

However, historical consents remain in place. Many organisations have accumulated a backlog of third-party applications with persistent access to:

  • Email accounts
  • Calendars
  • SharePoint and OneDrive data

In practice, this creates an unmonitored access layer outside standard identity governance.

This is particularly relevant given the growing complexity of the UK threat landscape and increasing reliance on third-party integrations. Research shows that external access and third-party involvement are a contributing factor in a significant proportion of breaches.

Recommendation:

Review enterprise applications within Microsoft Entra ID and revoke any access that is no longer required or cannot be clearly justified.

4. Audit Log Retention and Evidence Readiness

Microsoft increased standard audit log retention to 180 days in 2023. While this represents an improvement, it may not align with UK regulatory expectations.

Under UK GDPR, organisations are required to demonstrate accountability and respond to data incidents within strict timeframes, including the 72-hour breach reporting requirement to the ICO.

For many organisations, particularly those handling personal, financial, or client data, a six-month audit history is insufficient when investigating incidents or responding to subject access requests and regulatory queries.

Recommendation:

Assess whether audit retention aligns with your risk profile and regulatory obligations. Where necessary, extend retention through appropriate licensing or supplementary controls.

5. MFA Enforcement and Policy Gaps

Multi-factor authentication (MFA) remains one of the most effective controls available, yet adoption is still inconsistent across UK organisations.

Recent UK data indicates that only around 40% of businesses have implemented any form of two-factor authentication, leaving a significant proportion exposed to credential-based attacks.

In older Microsoft 365 tenants, MFA enforcement is often fragmented, particularly where:

  • Security Defaults have been disabled
  • Conditional Access policies are partially implemented
  • Administrative or “break-glass” accounts are excluded

This creates a false sense of security, where gaps exist despite apparent policy coverage.

Recommendation:

  • Confirm MFA is enforced across all users
  • Validate Conditional Access policies cover all access scenarios
  • Ensure admin and emergency access accounts are appropriately secured

A Structured Approach to Implementation

  • A phased approach is recommended as not all changes carry equal operational impact:

    • Highest risk: MFA and Conditional Access review (requires careful validation and testing)
    • Higher user impact: Sharing default changes (requires communication)
    • Moderate impact: External forwarding controls
    • Low impact: Audit log retention and application access reviews