The 5 Most Dangerous M365 Misconfigurations (And How to Fix Them)

We've assessed hundreds of Australian small businesses over the past 3 years. The patterns are clear: 80% of SMBs have the same five critical security gaps.

The good news? These aren't complex, expensive problems. They're simple misconfigurations that can be fixed in under 2 hours — often less.

Here are the five most dangerous issues we find (and how to fix them).

#1: External Sharing Set to "Anyone with the Link"

Found in: 73% of assessments
Fix time: 15 minutes
Risk level: CRITICAL

The Problem

Most businesses don't realize that when SharePoint/OneDrive external sharing is set to "Anyone with the link," files shared in 2021 are still accessible today — with no expiry, no password, and no audit trail of who accessed them.

Real example: An accounting firm shared a client's financial statements via OneDrive link in 2022. The link was accidentally forwarded in an email thread. Two years later, that link still works. Anyone with that email can access confidential financial data.

This happens because:

The Fix

1. Change tenant-wide default to "Specific people" (not "Anyone"):

  • SharePoint Admin Center → Policies → Sharing
  • Set "Default sharing link type" to "Specific people"
  • Enable "Limit external sharing by domain" if needed

2. Set default link expiry (30-90 days):

  • Same location → "Advanced settings"
  • Set "These links must expire within" to 30-90 days

3. Audit existing external links:

  • SharePoint Admin Center → Active sites → Sharing
  • Review and revoke old links

Fix time: 15 minutes to change settings, 30-60 minutes to audit existing links
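The same three steps can be applied from the SharePoint Online Management Shell instead of the admin center. This is an added example, not part of the original post; it assumes the module is installed, the caller holds the SharePoint Administrator role, and the tenant admin URL below is a placeholder.

```powershell
# Added example (not from the original post). Tenant URL is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Step 3 first: inventory which sites currently allow anonymous ("Anyone") links.
# Do this BEFORE tightening the tenant so you know where old links were created
# and where the manual review under Active sites -> Sharing should start.
$anonSites = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability
$anonSites | Format-Table -AutoSize

# Step 1: tenant-wide defaults.
#   ExternalUserSharingOnly = external recipients must sign in (no "Anyone" links)
#   Direct                  = "Specific people" as the default link type
#   View                    = new links default to read-only
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View

# Step 2: if anonymous links are ever re-enabled, force them to expire in 30 days.
# Harmless to set now; it only applies where SharingCapability permits such links.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

# Verify the result matches the intended state
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType,
                  DefaultLinkPermission, RequireAnonymousLinksExpireInDays
```

Existing anonymous links are not revoked by the tenant change itself; the site list printed by the first step is where that manual review belongs.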

#2: No MFA on Admin Accounts

Found in: 64% of assessments
Fix time: 30 minutes
Risk level: CRITICAL

The Problem

Admin accounts have keys to the kingdom: they can access all user mailboxes, read all files, reset passwords, and delete data. Yet we routinely find businesses with 4-8 admin accounts protected by just a password.

Attack scenario: An attacker obtains an admin password through a phishing email. Within 24 hours: all user passwords are reset, mailbox data is exported, ransomware is deployed, and the company is locked out of its own M365 tenant. Recovery cost: $40,000-$80,000.

Why it happens:

The Fix

1. Enable MFA for ALL admin accounts immediately:

  • Azure AD → Users → Multi-Factor Authentication
  • Select ALL admin accounts → Enable
  • Choose: Microsoft Authenticator app (most secure)

2. Create emergency break-glass account:

  • One admin account with NO MFA (credentials stored in a safe)
  • Used ONLY if primary admins are locked out
  • Monitor this account closely

Fix time: 30 minutes to enable MFA for 5-10 admin accounts

#3: Too Many Admin Accounts

Found in: 58% of assessments
Fix time: 45 minutes
Risk level: HIGH

The Problem

The average 30-person business should have 2-3 admin accounts maximum. We regularly find 6-8, including:

Risk: Every extra admin account is another attack surface. If ANY one gets compromised (phishing, weak password, credential stuffing), the attacker has full tenant access.

The Fix

1. Audit all admin accounts:

  • Azure AD → Roles and administrators → Global Administrator
  • Review ALL accounts with admin privileges

2. Apply principle of least privilege:

  • Remove admin from anyone who doesn't actively need it
  • Use specific admin roles (Exchange Admin, SharePoint Admin) instead of Global Admin
  • Target: 2-3 Global Admins maximum for SMB

Fix time: 45 minutes to audit and clean up admin roles
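One script can produce the evidence for both #2 and #3: every Global Administrator in the tenant, and whether each has MFA registered. This is an added example, not from the original post; it assumes the Microsoft Graph PowerShell SDK is installed and the caller can consent to the listed scopes.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph modules.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All"

# Resolve the Global Administrator role and list its direct members
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

# Registration report: one row per user, IsMfaRegistered tells us if any
# MFA method is set up (not whether a policy actually enforces it).
$mfa = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfa[$_.Id] = $_.IsMfaRegistered }

$report = foreach ($m in $members) {
    # Role members may be users, groups or service principals; only users have MFA state
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    [pscustomobject]@{
        UserPrincipalName = $m.AdditionalProperties['userPrincipalName']
        MfaRegistered     = if ($mfa.ContainsKey($m.Id)) { [bool]$mfa[$m.Id] } else { $false }
    }
}

# Unregistered admins first, so the #2 finding is at the top of the output
$report | Sort-Object MfaRegistered | Format-Table -AutoSize

$total  = @($report).Count
$noMfa  = @($report | Where-Object { -not $_.MfaRegistered }).Count
Write-Host ("Global Administrators: {0} (SMB target: 2-3). Without MFA registered: {1}" -f $total, $noMfa)
```

A group or service principal holding the role is skipped by the user check above but still counts as admin access; review those separately in Roles and administrators.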

#4: Audit Logging Disabled

Found in: 52% of assessments
Fix time: 10 minutes
Risk level: HIGH

The Problem

If audit logging isn't enabled, you have zero visibility into who accessed what, when.

This means:

Privacy Act requirement: You must be able to detect and report breaches within 30 days. Without audit logs, you literally cannot do this.

The Fix

Enable Unified Audit Logging:

  • Microsoft 365 Compliance → Audit
  • Click "Start recording user and admin activity"
  • Set retention to 90 days minimum (1 year for Business Premium/E3/E5)

Note: Audit data only captures activity AFTER it's enabled. Past activity is not logged retroactively.

Fix time: 10 minutes (literally just turn it on)
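The same switch can be checked and flipped from Exchange Online PowerShell, with a follow-up query to confirm events are arriving. This is an added example, not from the original post; it assumes the ExchangeOnlineManagement module is installed and the caller holds a role permitted to change audit configuration.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    # PowerShell equivalent of "Start recording user and admin activity"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Host "Unified audit logging enabled. Only activity from now on is recorded; nothing earlier is backfilled."
} else {
    Write-Host "Unified audit logging was already enabled."
}

# Sanity check: sharing events from the last 24 hours. Immediately after enabling,
# an empty result is normal for up to an hour while ingestion starts; a tenant
# that has been logging for a while should show link creations and accesses here.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
                       -RecordType SharePointSharingOperation -ResultSize 50 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The SharePointSharingOperation record type is also the one to search when revoking old external links under fix #1, since it records who created and used them.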

#5: No Backup Solution for M365 Data

Found in: 67% of assessments
Fix time: 2-4 hours (including testing)
Risk level: HIGH

The Problem

Most businesses think Microsoft backs up their M365 data. Microsoft does not provide backup. They provide:

Ransomware scenario: Attacker encrypts all SharePoint files. Retention policies don't help — the "current version" of every file is encrypted. Recycle bin doesn't help — the encrypted files have replaced the good ones. Without backup: all data lost.

You need backup for:

The Fix

Implement third-party M365 backup solution:

Options (prices for ~30 users):

  • Veeam Backup for M365: $12-15/user/month
  • AvePoint Cloud Backup: $8-12/user/month
  • Barracuda Cloud-to-Cloud Backup: $5-8/user/month

What to backup:

  • Exchange Online (emails)
  • SharePoint/OneDrive (files)
  • Teams (chat, files, settings)

Test your backup: Actually restore a file/mailbox to verify it works.

Fix time: 2-4 hours to set up and test (then automated daily)

Not Sure If You Have These Issues?

Our automated M365 security assessment checks for all of these misconfigurations (and 25 more). Get your report in 2-3 business days.


The Pattern We See

Here's what's interesting: most businesses we assess have 3 out of 5 of these issues. It's not negligence — it's just that M365 security isn't intuitive, defaults aren't always secure, and small businesses don't have dedicated security staff.

The good news? Once you know what to fix, the fixes are straightforward. Total time to address all five issues: 4-6 hours.

That's a few hours of work to close the security gaps that put 80% of Australian SMBs at risk.

Worth it? When the average breach costs $49,600 — absolutely.
