Microsoft 365 Security Hardening: Why Default Settings Leave You Exposed

Microsoft 365 default configurations prioritize usability over security, leaving gaps in authentication, email protection, data loss prevention, and audit logging. An M365 consultation assesses your tenant against CIS Benchmarks and remediates the gaps.

Zack Jones · Updated · Tags: Microsoft 365, M365, security hardening

Microsoft ships M365 with most security controls off or at a coarse baseline. Conditional Access policies, tuned Safe Attachments and Safe Links policies, DLP, impersonation protection in anti-phishing, Privileged Identity Management: all are available in the platform, and beyond security defaults and Defender's Built-in protection preset none of them is configured for you. The configuration that most organizations run on day one is designed for the broadest compatibility and the easiest onboarding, not for security.

The CIS Microsoft 365 Foundations Benchmark documents over 200 specific configuration recommendations across Entra ID, Exchange Online, SharePoint, Teams, Defender, and Purview. In a typical assessment, organizations fail 40-60% of these controls out of the box. The most common gaps — no policy blocking legacy authentication, no Conditional Access beyond security defaults, DMARC not enforced, audit log retention left at the licensing default — are also the most exploitable.

The Stryker wiper attack in March 2026 demonstrated what happens when M365 admin security is left at default. Every control that could have prevented that attack was already available in the platform. None were enabled.

In short: if you have not hardened your M365 environment beyond the defaults, you have security gaps. The question is how many and how severe.

Why M365 Defaults Are Not Enough

Microsoft ships M365 with configurations that ensure the broadest compatibility and easiest user experience. Security is available — but it is not turned on by default. Common examples:

Authentication and Identity

  • Security defaults enforce MFA registration and block legacy authentication, but they offer no granularity, and they must be switched off before Conditional Access policies can be used, so the first policy set has to replace what the defaults covered
  • Microsoft retired Basic authentication for most Exchange Online protocols in 2022-2023, but SMTP AUTH can still be enabled per tenant or per mailbox, and a tenant running neither security defaults nor a Conditional Access policy has nothing that blocks password-only sign-ins that bypass MFA entirely
  • Self-service password reset may not enforce strong verification methods
  • Privileged accounts (Global Admin, Exchange Admin) may lack dedicated conditional access policies or PIM enrollment, so a stolen admin password is a standing compromise rather than a time-bound one
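The following is an added example, not code from the original article: it uses Microsoft Graph PowerShell to find who is still signing in with legacy protocols, then creates two Conditional Access policies in report-only mode (block legacy authentication for everyone, require MFA for privileged directory roles). It assumes Entra ID P1, the Microsoft.Graph module, and a placeholder variable $breakGlassGroupId holding the object ID of your emergency-access group; the three role IDs are Microsoft's well-known role template IDs for Global, Exchange and Security Administrator.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# module, Entra ID P1, and $breakGlassGroupId = object ID of the emergency-access
# group that must stay excluded from every blocking policy.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

# 1. Who still uses legacy authentication? Modern clients report 'Browser' or
#    'Mobile Apps and Desktop clients'; anything else (IMAP4, POP3, Authenticated
#    SMTP, Exchange ActiveSync, Other clients) will be cut off by the block policy.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin 'Browser', 'Mobile Apps and Desktop clients' } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 2. Block legacy authentication for all users except the break-glass group.
#    Report-only first: review the sign-in log 'Report-only' tab, then set state = 'enabled'.
$blockLegacy = @{
    displayName   = 'CA001 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('exchangeActiveSync', 'other')      # the two legacy client types
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 3. Require MFA whenever a member of a privileged role signs in, on any client type.
$adminRoles = @(
    '62e90394-69f5-4237-9190-012177145e10',   # Global Administrator (well-known template ID)
    '29232cdf-9323-42fd-ade2-1d097af3e4de',   # Exchange Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d'    # Security Administrator
)
$adminMfa = @{
    displayName   = 'CA002 - Require MFA for admin roles'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeRoles = $adminRoles; excludeGroups = @($breakGlassGroupId) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa
```

Both policies are created with state 'enabledForReportingButNotEnforced' on purpose: the step-1 query and the report-only results tell you which accounts and which service mailboxes (scanners, line-of-business apps using SMTP AUTH) will break, and that list is what you communicate before flipping the state to 'enabled'. Security defaults must be turned off before these policies take effect, so create and review them first.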

Email Security

  • Anti-phishing policies may be at baseline levels without advanced impersonation protection
  • Safe Attachments and Safe Links (Defender for Office 365) are applied only at the level of the Built-in protection preset unless you assign the Standard or Strict preset or create tuned policies; Safe Attachments for SharePoint, OneDrive and Teams is a separate global setting
  • DMARC, DKIM, and SPF are not always configured correctly — leaving the organization vulnerable to email spoofing
  • Automatic forwarding to external recipients is blocked by the default outbound spam policy, but the setting is routinely switched on for a one-off business need and never reverted; once it is on, mailbox-level forwarding and user-created inbox rules become a quiet data exfiltration vector
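An added example, not from the original article, that audits the four email-security items above with Exchange Online PowerShell: it lists every mailbox and inbox rule that forwards mail, shows whether the outbound spam policy allows automatic forwarding, reports DKIM signing state per domain, and resolves each accepted domain's DMARC record to see whether p= is at quarantine or reject. It assumes the ExchangeOnlineManagement module, the Windows DnsClient module (Resolve-DnsName), an Exchange Administrator account in the placeholder variable $tenantAdmin, and an internet-reachable DNS resolver.

```powershell
# Added example (not from the original article). Assumes ExchangeOnlineManagement,
# the Windows DnsClient module, and $tenantAdmin = UPN of an Exchange Administrator.
Connect-ExchangeOnline -UserPrincipalName $tenantAdmin

$allMailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding set by an admin (Set-Mailbox) or by delegated access.
$forwardingMailboxes = $allMailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. User-created inbox rules that forward or redirect (the classic BEC persistence step).
$forwardingRules = foreach ($mbx in $allMailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Outbound spam policy: 'Off' (or the default 'Automatic') blocks auto-forwarding
#    to external recipients; 'On' lets the rules above leak mail out of the tenant.
$outbound = Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
# Remediation (uncomment to apply to the default policy):
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 4. DKIM signing state per domain. Enable only after the two selector CNAMEs are published:
# New-DkimSigningConfig -DomainName contoso.com -Enabled $true
$dkim = Get-DkimSigningConfig | Select-Object Domain, Enabled, Selector1CNAME

# 5. DMARC: resolve _dmarc.<domain> TXT and extract the p= tag.
function Get-DmarcPolicy {
    param([string]$Domain)
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    if (-not $txt) {
        return [pscustomobject]@{ Domain = $Domain; Policy = 'no record'; Enforced = $false }
    }
    $record = $txt.Strings -join ''
    $policy = if ($record -match 'p=(\w+)') { $Matches[1] } else { 'missing p= tag' }
    [pscustomobject]@{
        Domain   = $Domain
        Policy   = $policy
        Enforced = ($policy -in 'quarantine', 'reject')   # p=none only monitors
    }
}
$dmarc = Get-AcceptedDomain |
    Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' } |
    ForEach-Object { Get-DmarcPolicy -Domain $_.DomainName }

"== Mailbox forwarding ==";        $forwardingMailboxes | Format-Table -AutoSize
"== Forwarding inbox rules ==";    $forwardingRules     | Format-Table -AutoSize
"== Outbound spam policy ==";      $outbound            | Format-Table -AutoSize
"== DKIM ==";                      $dkim                | Format-Table -AutoSize
"== DMARC ==";                     $dmarc               | Format-Table -AutoSize
```

The inbox-rule loop is the slow part on a large tenant (one call per mailbox), but it is the part that matters: an attacker who has phished one user typically adds a rule that redirects mail to an external address and another that deletes the security team's warnings, and neither shows up in the outbound spam policy view.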

Data Protection

  • DLP policies are not enabled by default — sensitive data (SSNs, credit card numbers, health records) flows freely through email and Teams
  • Sensitivity labels require configuration and deployment to classify and protect data
  • External sharing in SharePoint and OneDrive may be more permissive than intended
  • Guest access in Teams may grant excessive permissions to external collaborators
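An added example, not from the original article, showing the remediation for the DLP and external-sharing items above: a Purview DLP policy that matches U.S. SSNs and credit card numbers across Exchange, Teams, SharePoint and OneDrive, started in test mode and then blocking sharing outside the organization, followed by tenant-wide SharePoint/OneDrive sharing restrictions. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, a placeholder admin UPN in $tenantAdmin, and a placeholder tenant named contoso; the sensitive information type names are Microsoft's built-in ones as displayed in Purview.

```powershell
# Added example (not from the original article). Assumes ExchangeOnlineManagement
# (Connect-IPPSSession) and Microsoft.Online.SharePoint.PowerShell; $tenantAdmin and
# the 'contoso' tenant name are placeholders.
Connect-IPPSSession -UserPrincipalName $tenantAdmin

# Built-in sensitive information types; minCount = 1 means a single match triggers the rule.
$sits = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
    @{ Name = 'Credit Card Number';                minCount = '1' }
)

# 1. Policy in test mode: users see policy tips and incidents are generated,
#    but nothing is blocked yet. Review the incident volume before enforcing.
New-DlpCompliancePolicy -Name 'PII-External-Sharing' `
    -ExchangeLocation All -TeamsLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: when matched content is shared with people outside the organization,
#    block access and notify the owner and last modifier with a custom tip.
New-DlpComplianceRule -Name 'Block-PII-to-External' -Policy 'PII-External-Sharing' `
    -ContentContainsSensitiveInformation $sits `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText 'This item contains personal data and cannot be shared outside the organization.'

# 3. Switch to enforcement once the test-mode incidents have been reviewed:
# Set-DlpCompliancePolicy -Identity 'PII-External-Sharing' -Mode Enable

# 4. SharePoint/OneDrive: guests must sign in (no anonymous "Anyone" links),
#    and new links default to people inside the organization.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View
```

Starting in TestWithNotifications rather than Enable is the difference between a hardening project that sticks and one that gets rolled back: the first week of incidents shows which teams legitimately send card numbers to a payment processor and need an exception, before anyone's mail is blocked.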

Audit and Monitoring

  • Unified Audit Log is on for new tenants but has been disabled in some older ones, and retention follows licensing: Audit (Standard) keeps 180 days (90 before October 2023), and anything longer requires Audit (Premium) or an explicit audit retention policy; an investigation that starts six months after initial access finds nothing
  • Alert policies may be at default thresholds that miss suspicious activity
  • Sign-in logs and risk detections (Entra ID Protection) require review and response procedures
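An added example, not from the original article, for the audit items above: it confirms unified audit log ingestion is enabled, pages through the last seven days of Exchange admin events with Search-UnifiedAuditLog, and parses the AuditData JSON to surface every inbox rule or mailbox change that set a forwarding target, with the actor and client IP. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role, with the placeholder UPN in $tenantAdmin.

```powershell
# Added example (not from the original article). Assumes ExchangeOnlineManagement and
# $tenantAdmin = UPN of an account with the Audit Logs (or View-Only Audit Logs) role.
Connect-ExchangeOnline -UserPrincipalName $tenantAdmin

# 1. Ingestion must be on, or the searches below return nothing.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # starts populating within ~60 minutes
}

# 2. Page through admin-cmdlet events for the last 7 days. A single call is capped,
#    so keep the same SessionId and loop until a page comes back short.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'   # Outlook-client rule edits log as UpdateInboxRules and need separate parsing
$sessionId = [guid]::NewGuid().ToString()
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page.Count -eq 5000)

# 3. AuditData is a JSON string; Parameters is a Name/Value array of the cmdlet arguments.
#    Keep only events that set a forwarding or redirect target.
$forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                    'ForwardingSmtpAddress', 'ForwardingAddress'
$hits = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    $targets = $d.Parameters | Where-Object { $_.Name -in $forwardingParams -and $_.Value }
    if ($targets) {
        [pscustomobject]@{
            Time      = $d.CreationTime
            Actor     = $d.UserId        # who ran the cmdlet (user, or the admin/delegate)
            Operation = $d.Operation
            Mailbox   = $d.ObjectId
            Target    = ($targets | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            ClientIP  = $d.ClientIP
        }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize

# 4. Retention beyond the 180-day Audit (Standard) default needs Audit (Premium) and a policy, e.g.:
# New-UnifiedAuditLogRetentionPolicy -Name 'Exchange-12m' -RecordTypes ExchangeAdmin, ExchangeItem `
#     -RetentionDuration TwelveMonths -Priority 1
```

Run this as a scheduled job and alert on any non-empty result: a forwarding target set by a user account from an IP outside your usual ranges is one of the highest-fidelity business-email-compromise signals the audit log offers, and it only exists if ingestion was on before the attacker arrived.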

What Does an M365 Consultation Cover?

An M365 security consultation evaluates your tenant against recognized security standards — typically the CIS Microsoft 365 Foundations Benchmark — and your organization’s specific requirements.

Assessment Phase

  • Tenant configuration review — Systematic evaluation of Entra ID, Exchange Online, SharePoint, Teams, Defender, and Purview settings
  • CIS Benchmark alignment — Map current configuration against CIS M365 benchmark controls
  • License utilization — Identify security features available in your current licensing that are not being used
  • Gap analysis — Document findings with risk ratings, business impact, and remediation guidance

Remediation Phase

  • Conditional access policies — Implement risk-based authentication, MFA enforcement, device compliance requirements
  • Email security hardening — Configure anti-phishing, Safe Attachments, Safe Links, and email authentication (DMARC/DKIM/SPF)
  • Data protection controls — Deploy DLP policies, sensitivity labels, and sharing restrictions appropriate to your data
  • Audit configuration — Enable and configure unified audit logging, alert policies, and sign-in monitoring
  • Privileged access management — Configure PIM for just-in-time admin access, enforce admin-specific conditional access
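The privileged-access step above, as an added example that is not from the original article: it lists who currently holds Global Administrator as an active (standing) assignment, makes a named admin eligible for the role through PIM with a one-year review horizon, and then removes that admin's permanent assignment. It assumes Entra ID P2, the Microsoft.Graph module (Identity.Governance and Identity.DirectoryManagement submodules), and placeholder variables $adminUpn (the account being converted) and $breakGlassUpn (the emergency-access account that keeps its permanent assignment); the role ID is Microsoft's well-known Global Administrator template ID, which for built-in roles is also the role definition ID.

```powershell
# Added example (not from the original article). Assumes Entra ID P2 and the
# Microsoft.Graph module; $adminUpn and $breakGlassUpn are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'Directory.Read.All', 'User.Read.All'

# Well-known Global Administrator template ID; built-in roles use it as the definition ID too.
$globalAdminRole = '62e90394-69f5-4237-9190-012177145e10'

# 1. Standing (active) Global Administrators right now. Anything in this list other
#    than the break-glass account is a permanent privileged credential to remove.
$roleObject = Get-MgDirectoryRole -Filter "roleTemplateId eq '$globalAdminRole'"
$standing = Get-MgDirectoryRoleMember -DirectoryRoleId $roleObject.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
"Standing Global Administrators:"; $standing

# 2. Make the admin PIM-eligible: they activate the role with MFA and justification
#    when needed, for a bounded window, instead of holding it permanently.
$user = Get-MgUser -UserId $adminUpn
$eligibility = @{
    action           = 'adminAssign'
    justification    = 'CIS M365 remediation: convert standing Global Admin to PIM-eligible'
    roleDefinitionId = $globalAdminRole
    directoryScopeId = '/'                      # tenant-wide
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'afterDuration'; duration = 'P365D' }   # forces an annual review
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 3. Only after eligibility is confirmed (and a test activation succeeded), drop the
#    permanent assignment. The break-glass account is deliberately left alone.
if ($adminUpn -ne $breakGlassUpn) {
    $active = Get-MgRoleManagementDirectoryRoleAssignment `
        -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$globalAdminRole'"
    foreach ($a in $active) {
        Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $a.Id
    }
}
```

Order matters: create the eligible assignment, have the admin activate it once to prove the flow (including whatever MFA and approval settings PIM's role policy enforces), and only then remove the standing assignment. Doing it in the other order on the last Global Administrator is how tenants end up with nobody who can fix the mistake, which is exactly why the break-glass account is excluded.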

Validation Phase

  • Re-assessment — Verify each remediation against the original benchmark
  • Documentation — Provide updated configuration documentation and compliance evidence
  • Knowledge transfer — Walk your team through changes, explain the rationale, and provide guidance for ongoing maintenance

Common M365 Security Findings

Based on assessments across organizations of varying sizes and industries, these are the most frequently encountered issues:

Finding                                          | Prevalence  | Risk
-------------------------------------------------|-------------|--------------------------------------
Legacy authentication not blocked by policy      | Very common | MFA bypass, credential stuffing
No conditional access policies (beyond security defaults) | Common | Insufficient access control granularity
External forwarding rules permitted              | Common      | Data exfiltration
DMARC not at p=quarantine or p=reject            | Very common | Email spoofing, phishing
Audit log retention left at the licensing default | Common     | Insufficient forensic evidence
No DLP policies configured                       | Common      | Uncontrolled sensitive data sharing
Guest access overly permissive                   | Common      | Unauthorized data access
Global Admin accounts without PIM                | Common      | Persistent privileged access

Licensing Matters

Many M365 security features require specific licenses:

  • Entra ID P1 — Conditional access policies, self-service password reset with on-premises password writeback, sign-in log access via Graph
  • Entra ID P2 — Identity Protection risk policies, Privileged Identity Management
  • Defender for Office 365 P1/P2 — Safe Attachments, Safe Links, advanced anti-phishing
  • Microsoft Purview — Advanced DLP, sensitivity labels, insider risk management

A good M365 consultation includes a license gap analysis — identifying features you are paying for but not using, and features you need but do not have.

For MSPs Managing Client M365 Tenants

Every gap described in this article exists in your clients’ environments right now. You know it because you manage those tenants. The question is whether you are the one who identifies and remediates these gaps — or whether your client’s auditor, insurance carrier, or a competing compliance firm does it first.

A CIS M365 Benchmark assessment formalizes what you already suspect: default configurations leave clients exposed. The assessment gives you a scored report to present at the next QBR, a remediation roadmap that justifies additional project work, and documented evidence of security posture improvement over time.

At wholesale pricing, a single M365 assessment generates significant margin for the MSP. The remediation work it surfaces generates another $3,000-$10,000 per client. Multiply across your tenant base.

For vCISOs Advising on M365 Security

If M365 hardening is part of your advisory scope, you need assessment data — not assumptions — driving your recommendations. A third-party CIS M365 assessment establishes the quantified baseline: which controls pass, which fail, and what the remediation priority should be.

Present the assessment results to the board alongside your security roadmap. Every recommendation maps to a specific control gap with a documented risk rating. Quarterly reassessments show measurable progress — controls moving from fail to pass, overall compliance percentage increasing. This is how vCISO retainers get renewed: quantified improvement, not activity summaries.


Genesis runs CIS M365 Benchmark assessments that test every configuration in this article — and 200+ more. Each finding comes with remediation guidance, not just a red/green scorecard.

For MSPs and vCISOs: One assessment, your branding, your margin. Wholesale pricing means you can resell M365 hardening assessments to clients and keep the difference.

Contact us for wholesale assessment pricing.

Frequently Asked Questions

Why are M365 default settings a security risk?
Microsoft ships M365 with configurations designed for broadest compatibility and easiest user experience. Security features like conditional access policies, DLP, tuned Safe Attachments policies, and advanced anti-phishing (impersonation protection) are available but, apart from security defaults and Defender's Built-in protection preset, are not enabled or tuned by default.
What is the CIS Microsoft 365 Foundations Benchmark?
The CIS M365 Foundations Benchmark is a consensus-based security standard that covers Entra ID, Exchange Online, SharePoint, Teams, Defender, and Purview settings. It provides specific configuration recommendations for hardening your M365 tenant.
Will M365 security hardening disrupt users?
Changes are implemented in phases with user impact assessments. Where disruption is possible — such as blocking legacy authentication — affected users are identified and communication is coordinated before enforcement.