Microsoft 365 Security Settings: 5 to Check in Your Tenant

If your Microsoft 365 tenant has been running for more than a couple of years, or it was set up by a previous provider and left alone since, there's a good chance some of your Microsoft 365 security settings haven't been touched since day one.

Microsoft has quietly raised the bar on its default protections over the past few years. Every new tenant now gets a safer starting configuration than tenants did in 2021 or 2022. The catch is that those improved defaults don't retroactively apply to tenants that already exist. A protection Microsoft switched on for new customers in 2024 stays off in yours unless someone goes in and changes it.

The most visible example is file sharing. Plenty of older tenants still generate "Anyone with the link" sharing links by default, meaning anyone who gets hold of the URL can open the file without ever signing in.

That's one setting. Below are five worth putting on your list, roughly in the order we'd tackle them.


Why your Microsoft 365 security settings might be years behind

Think of it less as a single misconfiguration and more as accumulated drift. Sharing permissions, forwarding rules, app approvals, and MFA policies all get set once, usually early in a tenant's life, and then nobody revisits them until something goes wrong. None of these settings are exotic. They're just easy to forget, especially if your organisation has changed IT providers or gone through staff turnover in the IT team.

A quick note before the list: a few of these changes need Microsoft 365 Business Premium, E3, or E5 licensing. If a toggle is greyed out in your tenant, that's usually the reason. None of these need to happen in one sitting, and a couple will generate a support ticket or two once staff notice something behaves differently.

1. The default sharing link in SharePoint and OneDrive

When someone shares a file from SharePoint or OneDrive, the link that gets generated has a default scope attached to it. In tenants that predate Microsoft's newer site defaults, that scope is often "Anyone with the link." No sign-in required, no expiry date, and no record of who the link ended up with after the first person forwarded it on.

Newer, Teams-created sites now default to "Only people in your organisation," but older sites and the tenant-wide setting frequently still allow open links. It's not uncommon to find a working link still active months after the employee who created it left the business.

You'll find this control in the SharePoint admin centre under Policies, then Sharing. Changing the default link type to "Specific people" means every new link only works for the recipients the sender named, and each of them has to sign in. The same page lets you force any "Anyone" links users can still create to expire after a set number of days, or remove the Anyone option altogether by lowering the tenant's external sharing level to "New and existing guests".

Time to fix: about 15 minutes. Changing the default doesn't alter links that already exist; those keep working until someone removes them, so pair the change with a review of anything still open, starting with sites that still allow Anyone links.
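As an added example (not code from the original article), here is the same check and fix done from the SharePoint Online Management Shell, which is quicker than clicking through every site. The tenant name "contoso" is a placeholder, and the 30-day expiry is an assumed value you'd set to suit your own policy:

```powershell
# Added example, not from the original article. Audit and harden the default
# sharing link with the SharePoint Online Management Shell.
# Assumes the module is installed and the tenant is called "contoso" (placeholder).
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Tenant-wide defaults. DefaultSharingLinkType values:
#    AnonymousAccess = "Anyone with the link", Internal = "Only people in your
#    organisation", Direct = "Specific people".
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType,
                  DefaultLinkPermission, RequireAnonymousLinksExpireInDays

# 2. Per-site drift: sites whose own sharing level still permits Anyone links,
#    regardless of what the tenant default says.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, Template |
    Format-Table -AutoSize

# 3. Harden: new links default to "Specific people" with view-only permission,
#    and any Anyone links that are still created expire after 30 days (assumed value).
Set-SPOTenant -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30

# Stricter option: drop the tenant from "Anyone" to "New and existing guests",
# which removes the Anyone link type entirely.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly
```

Run step 2 before step 3: the site list tells you where users will notice the change, and it's the list you'll work through when cleaning up links that were created under the old default.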


2. Old external email forwarding rules

Microsoft now blocks automatic forwarding to external addresses by default at the tenant level, enforced through the outbound spam policy. It's part of a broader push toward safer defaults out of the box.

Rules created before that change rolled out are still sitting in those mailboxes, though. The block is applied at the moment a message is auto-forwarded, so while the policy stays at Off or system-controlled the old rules simply stop delivering. But if anyone has since flipped that setting to On, or created a custom outbound policy for a group of users, a forward-everything-to-Gmail rule a staff member set up two or three years ago starts sending copies of your business email outside the organisation again. Forwarding rules are also a standard way of keeping a foothold after a mailbox compromise, which is a second reason to know exactly what's there.

Two things are worth checking. First, in the Microsoft Defender portal, under Email & collaboration, then Policies & rules, then Threat policies, then Anti-spam policies, confirm the outbound policy has automatic forwarding set to Off or Automatic (system-controlled), and check whether any custom outbound policies exist alongside the default. Second, run an audit of existing inbox rules across your mailboxes for anything forwarding or redirecting to an external address, along with mailbox-level forwarding addresses. The Purview audit log lets you search specifically for inbox rule creation and modification events, which tells you who set them up and when.

Time to fix: around 10 minutes to check the tenant-wide setting, longer if you need to review rules mailbox by mailbox.
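As an added example (not code from the original article), the mailbox-by-mailbox review above is much less painful from Exchange Online PowerShell. The script below is my own; it assumes the ExchangeOnlineManagement module is installed, an account with Exchange admin or Global Reader rights, and the 90-day audit window is an arbitrary choice:

```powershell
# Added example, not from the original article. Checks the tenant-wide
# forwarding block, then lists mailbox forwarding and inbox rules that point
# outside the tenant's accepted domains, then pulls rule-creation audit events.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Outbound spam policy. Off and Automatic (system-controlled) both block
#    external auto-forwarding; On allows it. Custom policies show up here too.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, AutoForwardingMode, IsDefault |
    Format-Table -AutoSize

# Domains the tenant owns; any other domain counts as external.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }

function Test-External([string]$address) {
    # Rule targets look like "Name [SMTP:user@domain]", "Name [EX:/o=...]"
    # (a legacy internal address), or a bare "smtp:user@domain".
    if ($address -match '\[EX:') { return $false }
    if ($address -match 'SMTP:([^\]]+)') { $address = $Matches[1] }
    $domain = ($address -split '@')[-1].ToLower()
    return ($domain -and ($internal -notcontains $domain))
}

$findings = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress) {
    # 2a. Mailbox-level SMTP forwarding (set in OWA or with Set-Mailbox).
    if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'MailboxForwarding';
                           Rule = '-'; Target = $mbx.ForwardingSmtpAddress }
    }
    # 2b. Inbox rules with forward or redirect actions aimed outside the tenant.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                   Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-External "$t") {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Type = 'InboxRule';
                                   Rule = $rule.Name; Target = "$t" }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 3. Who created or changed inbox rules in the last 90 days (assumed window),
#    from the Purview unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

Disabled rules are still returned by Get-InboxRule, which is deliberate: a disabled rule costs an attacker one click to re-enable, so it belongs on the review list too.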


3. Third-party app consents granted before mid-2025

Microsoft switched on admin-managed consent by default in July 2025, which stops users from approving most third-party apps that request access to their mail, calendar, or files without an administrator signing off first.

That protection only applies going forward. Anything a user approved before the policy took effect keeps whatever access it was originally granted, which can include reading mail, calendar entries, and files on that person's behalf. It's usually a mix of tools someone installed for a one-off project years ago and forgot about, plus the occasional app nobody quite remembers approving.

To see what's currently connected, go to Microsoft Entra ID, then Enterprise applications, then All applications. Open each app's Permissions page, which separates what an admin consented to on behalf of everyone from what individual users consented to for themselves, and look for anything with access to mail, files, calendars, or sites. Anything unfamiliar or no longer needed can be removed by deleting that enterprise application, which revokes every grant made against it. For a long list, the same grants can be pulled and revoked individually through Microsoft Graph.

Time to fix: 30 to 60 minutes, depending on how long the list turns out to be.
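As an added example (not code from the original article), here's how to pull every consent grant that touches mail, calendars, files or sites with the Microsoft Graph PowerShell SDK, so you can review them in one table rather than opening apps one by one. The script is my own; the scope pattern is an assumption about which permissions you care about, and the revoke line is left commented out on purpose:

```powershell
# Added example, not from the original article. Lists OAuth2 permission grants
# whose delegated scopes reach mail, calendar, file or site data, showing
# whether a single user or an admin consented, with the grant ID for revocation.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Applications, Microsoft.Graph.Users
Connect-MgGraph -Scopes "Directory.Read.All", "DelegatedPermissionGrant.ReadWrite.All"

# Delegated scope families that let an app act on a person's data (assumed list;
# extend it to match your own risk appetite).
$sensitive = '^(Mail|MailboxSettings|Calendars|Files|Sites)\.'

$spCache = @{}
function Get-SpName([string]$id) {
    # Service principal lookups are cached; tenants often have hundreds of grants.
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = (Get-MgServicePrincipal -ServicePrincipalId $id).DisplayName
    }
    return $spCache[$id]
}

$report = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $hits = $g.Scope -split ' ' | Where-Object { $_ -match $sensitive }
    if (-not $hits) { continue }
    # ConsentType: Principal = one user consented for themselves;
    # AllPrincipals = an admin consented on behalf of the whole tenant.
    $who = if ($g.ConsentType -eq 'Principal') {
        try { (Get-MgUser -UserId $g.PrincipalId -ErrorAction Stop).UserPrincipalName }
        catch { "<user $($g.PrincipalId) not found>" }
    } else { '<all users (admin consent)>' }
    [pscustomobject]@{
        App       = Get-SpName $g.ClientId
        Resource  = Get-SpName $g.ResourceId
        ConsentBy = $who
        Scopes    = ($hits -join ' ')
        GrantId   = $g.Id
    }
}
$report | Sort-Object App, ConsentBy | Format-Table -AutoSize

# Revoke a single grant once you've confirmed it's unwanted (uncomment deliberately):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId from the table>'
```

A grant record doesn't carry a timestamp, so to find out when something was approved, search the audit log for "Consent to application" events against the app name shown in the App column.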


4. How long your audit logs are actually kept

Microsoft extended the default retention period for Audit (Standard) logs from 90 to 180 days back in October 2023. If you're on E5 licensing or have added the Purview Audit (Premium) add-on, key workloads like Exchange, SharePoint, OneDrive, and Entra ID get a full year of retention, while everything else stays at 180 days.

For businesses in healthcare, financial services, legal, or any other regulated sector, 180 days might fall short of what you're actually obligated to keep. Depending on your industry and jurisdiction, record-retention requirements are often measured in years rather than months.

Audit retention policies sit in the Microsoft Purview portal, under Audit, then Audit retention policies. Extending beyond 180 days requires E5 or the Purview Audit (Premium) add-on, but once your licensing supports it, the configuration itself takes about 15 minutes: a policy names the record types (and optionally the users or operations) it covers and the duration to keep them, and a higher-priority policy wins where two overlap.
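As an added example (not code from the original article), the same policy can be created from Security & Compliance PowerShell, which is handy when you want the record types written down rather than ticked in a dialog. The policy name, the record-type list and the one-year duration are my assumptions; adjust them to whatever your retention obligation actually is:

```powershell
# Added example, not from the original article. Reviews existing audit
# retention policies and creates one that keeps the core workloads for a year.
# Creating policies needs Audit (Premium) licensing (E5 or the add-on).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Existing custom policies. None listed means every workload sits on the
# licence default (180 days, or a year for the Premium core workloads).
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority |
    Format-Table -AutoSize

# Keep directory changes and sign-ins, mailbox activity and file activity
# for twelve months. Record types and name are assumed choices.
New-UnifiedAuditLogRetentionPolicy -Name "Core workloads - 12 months" `
    -Description "Entra ID, Exchange, SharePoint and OneDrive activity retained for one year" `
    -RecordTypes AzureActiveDirectory, AzureActiveDirectoryStsLogon,
                 ExchangeAdmin, ExchangeItem,
                 SharePoint, SharePointFileOperation, OneDrive `
    -RetentionDuration TwelveMonths `
    -Priority 1
```

Lower priority numbers win, so give a narrow, long-retention policy (say, admin operations for ten years) a smaller number than the broad one above.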


5. MFA enforcement and Security Defaults

Of everything on this list, MFA enforcement is the one most likely to be inconsistent in an older tenant. Microsoft introduced Security Defaults in late 2019 and switches it on automatically for new tenants. More recently it has also started requiring MFA for anyone signing in to the Azure portal and the Entra and Microsoft 365 admin centres, regardless of what the tenant's own policies say.

Tenants created before Security Defaults existed may have no baseline MFA enforcement at all. There's also a common trap here. Security Defaults and Conditional Access (available on Business Premium and above) can't both be on: the portal makes you turn Security Defaults off before the first Conditional Access policy can be enabled. If that switch was made in a hurry, or the policy work was never finished, you end up with Security Defaults off and a Conditional Access policy that doesn't actually cover everyone.

Check three things. In the Entra admin centre, under Properties, then Manage security defaults, confirm whether it's currently on or off. Under Protection, then Conditional Access, confirm a policy is actively enforcing MFA across all users and all cloud apps, including admins. A policy left in report-only mode enforces nothing, and one scoped to a pilot group never protected anyone outside it. Finally, pay close attention to break-glass admin accounts. They're often excluded from Conditional Access on purpose for emergency access, and it's easy to forget they're then left with no MFA protection at all; if they must be excluded, protect them some other way, such as a hardware security key and an alert on every sign-in, rather than a password alone.

Time to fix: roughly an hour, longer if there are several existing Conditional Access policies to map out first.
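As an added example (not code from the original article), here's a way to answer the three questions above in one pass with the Microsoft Graph PowerShell SDK: the Security Defaults state, which Conditional Access policies genuinely require MFA for everyone, and which accounts are excluded from them and whether those accounts have MFA registered. The script is my own and read-only; the module and permission names are what the SDK uses, and the definition of "covers everyone" is my assumption:

```powershell
# Added example, not from the original article. Maps Security Defaults and
# Conditional Access MFA coverage, then lists per-user exclusions from the
# policies that do enforce MFA for all users.
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Users, Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All",
                        "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Security Defaults. If this is false, Conditional Access carries all MFA enforcement.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Policies that are enabled (not report-only), target all users and all
#    cloud apps, and require MFA or an authentication strength. Assumed definition
#    of "covers everyone"; policies scoped to groups or apps won't match.
$policies = Get-MgIdentityConditionalAccessPolicy -All
$policies | Select-Object DisplayName, State | Format-Table -AutoSize

$mfaForAll = $policies | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id)
}
if (-not $mfaForAll) {
    Write-Warning "No enabled policy requires MFA for all users across all cloud apps."
}

# 3. Per-user exclusions from those policies (break-glass accounts usually live
#    here) and whether each excluded account has any MFA method registered.
$regs = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
foreach ($p in $mfaForAll) {
    foreach ($uid in $p.Conditions.Users.ExcludeUsers) {
        $u = try { Get-MgUser -UserId $uid -ErrorAction Stop } catch { $null }
        $r = $regs | Where-Object Id -eq $uid
        [pscustomobject]@{
            Policy        = $p.DisplayName
            Excluded      = if ($u) { $u.UserPrincipalName } else { $uid }
            MfaRegistered = if ($r) { $r.IsMfaRegistered } else { 'unknown' }
        }
    }
}
```

Step 3 only walks user exclusions. Group and directory-role exclusions (ExcludeGroups and ExcludeRoles on the same Conditions.Users object) need expanding too, and a single excluded group with the wrong membership is the classic way "all users" quietly stops meaning all users.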


What order should you work through these in?

Some of these changes are invisible to your team. Others change something they do every day, so it's worth sequencing them sensibly rather than switching everything on at once.

Start with audit log retention and the app consent review. Neither one affects how anyone works day to day. Verifying external forwarding comes next; it's silent for almost everyone except the rare person with a legitimate forwarding rule already in place.

The sharing link default is the one most likely to generate a few questions, particularly from anyone used to hitting "share" and pasting a link straight into an email. A short heads-up before you flip that setting saves a few confused support tickets. Save MFA and Conditional Access for last. It's the highest-stakes change on the list and the easiest one to get wrong if it's rushed, so it deserves proper time and testing.


Getting a second opinion on your Microsoft 365 security settings

None of these five checks require specialist tools, just time and the right admin access. If your tenant hasn't been reviewed in a while, or you're not sure which of these settings apply to your licensing tier, a straightforward Microsoft 365 health check will tell you where you stand. Affinity MSP runs these reviews for businesses who'd rather have a second set of eyes on the configuration before something slips through. You can read more about our approach to cyber security or get in touch through our contact page if you'd like a tenant review scheduled.


Frequently asked questions

Is a newly set up Microsoft 365 tenant automatically safe?

Newer tenants start with stronger defaults than tenants configured a few years ago, but sharing scope, historical app consents, and old inbox rules still need periodic review no matter how old the tenant is.

Does Microsoft still allow "Anyone with the link" sharing?

Many existing tenants still permit it at the tenant level, even though newer Teams-created SharePoint sites default to "Only people in your organisation." Check both the tenant-wide setting and individual site settings to see what your users actually experience.

Has Microsoft turned off external email forwarding by default?

Yes, the outbound spam policy now blocks automatic external forwarding by default at the tenant level. Inbox rules created before that change may still be running and are worth auditing separately.

How long does Microsoft keep 365 audit logs?

180 days for Audit (Standard), as of October 2023. Customers with E5 licensing or the Purview Audit (Premium) add-on get a year of retention for key workloads including Exchange, SharePoint, OneDrive, and Entra ID.

Does Security Defaults cover every user in my organisation?

On a brand-new tenant, yes. On an older tenant where Conditional Access has since been configured, Security Defaults will have been switched off, because the two can't run together, and your actual MFA coverage then depends entirely on how that Conditional Access policy was scoped and whether it's enforced rather than report-only.


Source note: This article draws on reporting originally published by The Technology Press, with additional context and analysis from Affinity MSP.

Further reading

Microsoft Learn: SharePoint and OneDrive sharing settings

Microsoft Learn: Security Defaults in Entra ID

Microsoft Purview: Audit log retention policies

Franchesca Michaela Antonio