These are the five misconfigurations Niova finds in nearly every M365 audit. All of them can be fixed without external help, using the Microsoft 365 admin centre.

Setting 01

MFA is not enforced for all users

Multi-factor authentication is the single most effective control against account takeover. Microsoft's own data shows MFA blocks over 99.9% of automated attacks. Yet most M365 tenants have it available but not required: users are merely nudged to register, can postpone that indefinitely, and nothing stops a stolen password from working on its own.

Fix this by enabling Security Defaults (free, in Entra ID) or by creating a Conditional Access policy that requires MFA for all users on all apps. Conditional Access needs an Entra ID P1 licence (included in Business Premium, E3 and E5), and the two are mutually exclusive: Security Defaults must be switched off before a Conditional Access policy can be enforced. Security Defaults is the right starting point for most small and mid-sized businesses (KMOs), and it blocks legacy authentication at the same time (see Setting 02). If you go the Conditional Access route, exclude one documented break-glass account from the policy and monitor its sign-ins, so an MFA outage cannot lock the tenant out of itself.

Admin centre → Entra ID → Properties → Manage Security Defaults
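The checks and the policy described above, as an added example using the Microsoft Graph PowerShell SDK (this is not Niova's own script). It assumes the Microsoft.Graph module is installed, the signed-in account holds Global Administrator or Conditional Access Administrator, and the break-glass UPN is a placeholder. The policy is created in report-only mode so sign-in logs can be reviewed before it is enforced.

```powershell
# Added example, not part of the original article.
# Assumptions: Microsoft.Graph PowerShell SDK installed; "breakglass@contoso.example"
# is a placeholder for the tenant's emergency-access account.
Connect-MgGraph -Scopes "Policy.Read.All","Policy.ReadWrite.ConditionalAccess","Application.Read.All","User.Read.All"

# 1. Security Defaults state (the free option; this is what the admin-centre path toggles)
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Any existing Conditional Access policy that already requires MFA for everyone?
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" -and
                   $_.Conditions.Users.IncludeUsers -contains "All" } |
    Select-Object DisplayName, State

# 3. If neither is in place and the tenant has Entra ID P1, create the policy.
#    Security Defaults must be OFF before a CA policy can be enforced; the two cannot coexist.
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.example").Id   # placeholder account

$policy = @{
    displayName = "Require MFA for all users (report-only)"
    # Report-only first; change to "enabled" after checking the sign-in log for breakage
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlass)   # emergency-access account stays outside the policy
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Leave the policy in report-only mode for a few days, filter the Entra sign-in log on "Conditional Access: Report-only", and only then flip the state to enabled. The break-glass account should be a cloud-only account with a long random password stored offline, and its sign-ins should trigger an alert.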

Setting 02

Legacy authentication protocols are still enabled

Basic authentication, the password-only sign-in used by older clients over SMTP AUTH, POP3, IMAP, EWS and ActiveSync, does not support MFA. Wherever it is still allowed, an attacker holding a phished or sprayed password can authenticate directly and your MFA never comes into play; password-spray tooling targets exactly these endpoints. Microsoft has switched Basic authentication off in Exchange Online for every protocol except SMTP AUTH, which remains a per-tenant and per-mailbox setting, and that is the one most often left on for "compatibility" reasons that stopped being valid long ago.

Unless you have a specific printer or scanner that absolutely requires SMTP AUTH, disable all legacy authentication protocols. If you must keep one, enable SMTP AUTH on that single device mailbox only, leave the tenant-wide setting off, and give the device a unique strong password and no other roles, so that a leaked device password yields a sending mailbox and nothing more. Block legacy clients on the Entra side as well (Security Defaults does this; otherwise a Conditional Access policy that blocks "Exchange ActiveSync clients" and "Other clients"), so the Exchange-side setting is not the only line of defence.

Exchange admin centre → Settings → Mail flow → Turn off SMTP AUTH protocol for your organisation
Entra admin centre → Protection → Conditional Access → New policy → Conditions → Client apps → Exchange ActiveSync clients, Other clients → Block access (not needed if Security Defaults is on)
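The Exchange Online side of this, as an added example with the ExchangeOnlineManagement module (not Niova's own script): turn SMTP AUTH off tenant-wide, find the mailboxes that still override it or still have POP/IMAP enabled, keep exactly one named exception, and make a Basic-auth-blocking authentication policy the tenant default. The mailbox address "scanner@contoso.example" is a placeholder for the one device that genuinely needs SMTP AUTH.

```powershell
# Added example, not part of the original article.
# Assumptions: ExchangeOnlineManagement module installed; "scanner@contoso.example"
# is a placeholder for the single device mailbox that must keep SMTP AUTH.
Connect-ExchangeOnline

# 1. Tenant-wide SMTP AUTH switch (the "Turn off SMTP AUTH protocol" setting in the EAC)
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 2. A per-mailbox value overrides the tenant switch ($null = inherit, $false = explicitly on),
#    so list every mailbox that still has SMTP AUTH, POP or IMAP switched on.
$exceptions = @("scanner@contoso.example")
$open = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false -or $_.PopEnabled -or $_.ImapEnabled }

foreach ($mbx in $open) {
    if ($exceptions -contains $mbx.PrimarySmtpAddress) {
        # The scanner keeps SMTP AUTH only; a device never needs POP or IMAP
        Set-CASMailbox -Identity $mbx.Identity -SmtpClientAuthenticationDisabled $false `
                       -PopEnabled $false -ImapEnabled $false
        continue
    }
    Set-CASMailbox -Identity $mbx.Identity -SmtpClientAuthenticationDisabled $true `
                   -PopEnabled $false -ImapEnabled $false
}

# 3. Block Basic auth at the protocol level: a new authentication policy has every
#    AllowBasicAuth* flag set to false. Make it the default for the whole organisation.
$pol = Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue
if (-not $pol) { $pol = New-AuthenticationPolicy -Name "Block Basic Auth" }
Set-OrganizationConfig -DefaultAuthenticationPolicy $pol.Identity

# 4. Verify: after the loop, only the exception mailbox should appear here.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false -or $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled, PopEnabled, ImapEnabled
```

The authentication policy in step 3 is applied to users on their next token refresh, which Exchange Online may take up to 24 hours to do; the SMTP AUTH and POP/IMAP changes take effect much sooner. Before running step 2 against a busy tenant, look at the Entra sign-in log filtered on legacy client apps to see which accounts would break.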

Setting 03

External sharing in SharePoint and OneDrive is too open

The default SharePoint sharing level is "Anyone", which lets a file be shared through an anonymous link that needs no login and, unless you set an expiry, never stops working. That means a document shared with a colleague through such a link can be forwarded to anyone outside the organisation and opened without authentication, and you will see no identity in the access log. For a company handling client data, audit materials, or contracts, this is a serious exposure.

Set external sharing to "New and existing guests" at minimum, which requires external recipients to authenticate, and set the default link type to "People in your organisation" so a casually copied link stays inside the tenant. Be aware that the tenant setting is a ceiling: a site can be locked down further, but never made more permissive than the tenant. So if "Only people in your organisation" is the right default for most SMEs (KMOs) with exceptions per site, as it usually is, set the tenant to "New and existing guests", set every site to internal-only, and then open the handful of client-facing sites individually.

Admin centre → SharePoint → Policies → Sharing
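The tenant-ceiling plus per-site-exception approach described above, as an added example with the SharePoint Online Management Shell (not Niova's own script). The tenant name and the "ClientPortal" site URL are placeholders; the value-to-slider mapping in the comments is the one the admin centre uses.

```powershell
# Added example, not part of the original article.
# Assumptions: Microsoft.Online.SharePoint.PowerShell installed; "contoso" and the
# ClientPortal site are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# SharingCapability values map to the admin-centre slider as follows:
#   ExternalUserAndGuestSharing      = Anyone (anonymous links)
#   ExternalUserSharingOnly          = New and existing guests
#   ExistingExternalUserSharingOnly  = Existing guests only
#   Disabled                         = Only people in your organisation
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
                              DefaultSharingLinkType, RequireAnonymousLinksExpireInDays

# Tenant level = the ceiling. Guests must sign in, no anonymous links anywhere,
# default link stays internal, OneDrive (personal files) cannot share externally at all.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability Disabled `
              -DefaultSharingLinkType Internal

# Which sites were explicitly set to "Anyone" before the tenant change?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Title, SharingCapability

# Lock every site to internal-only, then re-open only the site that genuinely
# exchanges files with clients (its guests still have to authenticate).
Get-SPOSite -Limit All | ForEach-Object {
    Set-SPOSite -Identity $_.Url -SharingCapability Disabled
}
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/ClientPortal" `
            -SharingCapability ExternalUserSharingOnly

# Verify: only the exception site should be listed
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability
```

Existing "Anyone" links on a site stop working once that site's capability drops below ExternalUserAndGuestSharing, so announce the change before running the loop; anyone who legitimately relied on such a link will need a guest invitation instead.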

Setting 04

Unified audit logging is disabled

Microsoft 365 can log every sign-in, file access, inbox-rule and forwarding change, and admin action, but only if unified audit logging is turned on. It is off in many older tenants and not always on in newer ones, and nothing before the moment you enable it is recorded retroactively. Without audit logs, you cannot detect a breach, investigate an incident, or demonstrate compliance to an auditor, and most of the alert policies in Setting 05 have nothing to fire on.

Turn it on today; ingestion starts within hours. Retention depends on licence: Audit (Standard), which E3 and Business Premium include, keeps 180 days (raised from 90 days in late 2023), and Audit (Premium) on E5 keeps one year, extendable with an audit retention policy. NIS2 itself does not prescribe a number of days, so treat 180 days as the floor and one year as the target; if you need longer, export the log to a SIEM or a storage account rather than relying on the portal.

Microsoft Purview compliance portal → Audit → Start recording user and admin activity
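Checking and enabling the unified audit log, followed by one query that is only possible once it is on, as an added example with the ExchangeOnlineManagement module (not Niova's own script). The query pulls every inbox rule created or changed in the last 30 days and prints the ones that forward or redirect mail, the classic persistence step after a mailbox compromise. It assumes the signed-in account holds the Audit Logs role in Exchange Online.

```powershell
# Added example, not part of the original article.
# Assumption: ExchangeOnlineManagement module installed; account has the Audit Logs role.
Connect-ExchangeOnline

# 1. Is the unified audit log ingesting? Turn it on if not (nothing is back-filled).
$cfg = Get-AdminAuditLogConfig
"Unified audit log enabled: $($cfg.UnifiedAuditLogIngestionEnabled)"
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Example question the log can answer: who created or changed inbox rules lately,
#    and do any of them forward mail? Search-UnifiedAuditLog returns at most 5000 rows per call.
$end   = Get-Date
$start = $end.AddDays(-30)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations "New-InboxRule","Set-InboxRule" -ResultSize 5000

function Get-ForwardingRuleEvents {
    param([object[]]$AuditRecords)
    foreach ($r in $AuditRecords) {
        # AuditData is a JSON document; for Exchange cmdlet events it carries a
        # Parameters array of {Name, Value} pairs mirroring the cmdlet arguments.
        $data = $r.AuditData | ConvertFrom-Json
        $fwd  = $data.Parameters |
            Where-Object { $_.Name -in "ForwardTo","ForwardAsAttachmentTo","RedirectTo" }
        if ($fwd) {
            [pscustomobject]@{
                When      = $r.CreationDate
                Actor     = $data.UserId          # who ran the cmdlet (user or attacker)
                Mailbox   = $data.ObjectId        # mailbox the rule lives in
                Rule      = ($data.Parameters | Where-Object Name -eq "Name").Value
                ForwardTo = ($fwd.Value -join ", ")
                ClientIP  = $data.ClientIP        # compare with the user's usual locations
            }
        }
    }
}

Get-ForwardingRuleEvents -AuditRecords $records | Format-Table -AutoSize
```

If the log was just switched on, the search returns nothing useful for a day or so; rerun it as part of a weekly routine. A rule whose ClientIP is in a country you have no staff in, or whose ForwardTo is a consumer mail domain, is the pattern to chase first.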

Setting 05

No alert policy for suspicious sign-ins

M365 includes built-in alert policies that notify you when something unusual happens: an inbox rule is created that forwards or deletes mail, a mailbox starts forwarding large volumes externally, a user is elevated to an Exchange admin role, or a user deletes an unusual number of files. Most tenants have these policies switched on but nobody reads the alerts, because the default policies send their e-mail to "TenantAdmins", the global administrators, and in a small business that is typically an admin account whose mailbox nobody opens. Sign-in risk detections such as impossible travel come from Entra ID Protection rather than from these policies and need their own notification setup.

Review the default alert policies in the compliance portal and make sure at least one person (ideally your IT contact or Keesha) receives the high-severity alerts by e-mail at an address that is actually read. Most of these policies are driven by the unified audit log, so they only work once Setting 04 is done.

Microsoft Purview → Alert policies → Review and configure notification recipients
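Listing the alert policies and their recipients, redirecting the high-severity ones to a monitored mailbox, and checking the two forwarding paths those policies exist to catch, as an added example with the ExchangeOnlineManagement module (not Niova's own script). "soc@contoso.example" is a placeholder for the mailbox someone reads. Microsoft restricts which fields of the built-in policies can be edited, so the recipient change is attempted per policy and any refusal is reported rather than treated as fatal.

```powershell
# Added example, not part of the original article.
# Assumptions: ExchangeOnlineManagement module installed; "soc@contoso.example" is a
# placeholder for a monitored mailbox.
Connect-ExchangeOnline
Connect-IPPSSession      # Security & Compliance PowerShell, where alert policies live

# 1. Who receives what? Built-in policies notify "TenantAdmins" (the global admins).
Get-ProtectionAlert | Select-Object Name, Severity, Disabled, NotifyUser | Sort-Object Severity

# 2. Point every enabled high-severity policy at a mailbox that is actually read.
#    Some built-in policies refuse edits; report those so they can be cloned as custom policies.
$recipient = "soc@contoso.example"
Get-ProtectionAlert | Where-Object { $_.Severity -eq "High" -and -not $_.Disabled } | ForEach-Object {
    try {
        Set-ProtectionAlert -Identity $_.Identity -NotifyUser $recipient -ErrorAction Stop
        "Updated recipient: $($_.Name)"
    } catch {
        "Could not update '$($_.Name)': $($_.Exception.Message)"
    }
}

# 3. Tenant-wide automatic forwarding is governed by the outbound spam policy.
#    "Off" blocks user-configured forwarding to external addresses entirely.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. Inbox rules that forward, redirect or silently delete mail, across every mailbox.
#    This is the live state, complementing the audit-log history.
function Get-SuspiciousInboxRules {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        Get-InboxRule -Mailbox $_.PrimarySmtpAddress |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
            Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
    }
}
Get-SuspiciousInboxRules | Format-Table -AutoSize
```

Step 4 takes a while on a large tenant because it queries each mailbox in turn; for a few dozen mailboxes it is a minute. Rules that delete messages with no forward are worth a look too: attackers use them to hide bounce messages and security notifications from the mailbox owner.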

These five settings are a floor, not a ceiling. A full M365 hardening review also covers Conditional Access policies, Defender for Office 365 configuration, separation of admin accounts from daily-use accounts, and guest access governance. But fixing these five moves you from "default exposed" to "meaningfully protected" in under an hour.