Get in touch
Phone: 1300 002 001 (Australia only)
Phone: +61 2 8985 6600 (International)
Email: info@symsafe.com.au

5 Microsoft 365 settings that could put your business at risk

Is your Microsoft 365 environment quietly exposing your business to risk? If your tenant was set up before 2022, or your IT provider hasn’t audited it recently, there’s a reasonable chance the answer is yes. (Symsafe clients, your tenants are constantly kept up to date, so no worries for you!)

Here’s the problem. Microsoft has significantly tightened its default security settings over the past few years. But those changes only apply to new customers. Existing tenants — ones set up years ago, or configured by a previous IT provider and left alone — often still carry legacy settings that create real, measurable risk.

We’re not talking about exotic vulnerabilities. We’re talking about file-sharing links that never expire, email rules quietly forwarding your data outside the business, and employees with no multi-factor authentication protecting their accounts.

None of this requires a sophisticated attacker to exploit. It just requires someone to know where to look.

Here are five settings to check, and how to fix each of them:

The files you shared are probably still accessible

When a staff member shares a document from SharePoint or OneDrive, the system generates a link. In older Microsoft 365 tenants, the default link type is “Anyone with the link” — meaning anyone who receives that URL can open the file without logging in. No authentication. No expiry. No record of who it’s been forwarded to. Yikes.

A former employee who emailed a proposal to their personal address six months ago? That link still works — unless someone manually turned it off.

Switching the default to "Specific people" means every new link requires sign-in; it does not change links that were already issued. For those, set an expiry on "Anyone" links: the tenant-wide expiry setting applies to anonymous links that already exist as well as new ones, so old links time out automatically. If nobody has a business reason for anonymous links at all, turn them off entirely so that sharing outside the business only works with authenticated guests.

Time to fix: approximately 15 minutes. No impact on your team’s day-to-day workflow.
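What those 15 minutes look like in the SharePoint Online Management Shell. This is an added example, not code from the Symsafe article; it assumes a tenant named "contoso", an account holding the SharePoint Administrator role, and a 30-day expiry as the chosen value.

```powershell
# Added example (not from the original article). Inspect the tenant-wide
# SharePoint/OneDrive sharing defaults, flag the legacy "Anyone, no expiry"
# combination, then tighten it. Tenant name "contoso" is an assumption.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the current state before changing anything.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    FileAnonymousLinkType, FolderAnonymousLinkType
$before | Format-List

# 2. Flag the settings this article is about.
if ($before.DefaultSharingLinkType -eq 'AnonymousAccess') {
    Write-Warning "Default link type is 'Anyone with the link'."
}
if ($before.RequireAnonymousLinksExpireInDays -lt 1) {
    # 0 (or -1 on some tenants) means anonymous links never expire.
    Write-Warning "Anonymous links never expire."
}
if ($before.DefaultLinkPermission -eq 'Edit') {
    Write-Warning "New links grant edit rather than view by default."
}

# 3. Tighten: new links default to 'Specific people' (Direct) with view-only
#    permission, and every 'Anyone' link, existing or new, expires after 30
#    days. The expiry covers links already created as well as new ones.
Set-SPOTenant -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30

# 4. Stricter option: stop 'Anyone' links being created at all while still
#    allowing sharing with authenticated guests. Uncomment once agreed.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 5. Confirm.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays | Format-List
```

Run step 1 on its own first and keep the output: if a team turns out to depend on anonymous links (a public download page, for example), you want the previous values to hand.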

Someone may be forwarding your email right now

Microsoft now blocks automatic email forwarding to external addresses by default, through the outbound spam filter policy. That was a meaningful security improvement, and unlike most items on this list it does reach old inbox rules: while the policy is in its default state (Off, or Automatic, which behaves the same way), a rule that tries to forward externally is rejected at send time with a non-delivery report rather than honoured. The catch is that the block is only as good as the policy in your tenant, and the rules themselves are never removed.

Inbox rules created years ago are still there, still enabled, and still exporting your business data to a personal Gmail account if a previous provider set the policy to On, added a custom policy that exempts certain users, or allowed forwarding to that domain through a remote domain setting. Even where the block is working, a stale rule is one configuration change away from being live again, without anyone realising.

This is worth verifying in two places: confirm the tenant-level forwarding policy (and any remote domain exemptions) is correctly set, then audit existing inbox rules and mailbox-level forwarding addresses across your users for anything pointing outside the business.

Time to fix: 10 minutes to verify the tenant setting. Allow additional time to review existing rules across all mailboxes — depending on the size of your team.
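Both checks in Exchange Online PowerShell. This is an added example, not code from the Symsafe article; it assumes the ExchangeOnlineManagement module, an account holding the Exchange Administrator role, and that "external" means any domain not in the tenant's accepted domains.

```powershell
# Added example (not from the original article). Check the tenant-level
# forwarding block, then enumerate every user-created forwarding path and
# flag the ones that leave the tenant's accepted domains.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# 1. Tenant policy. 'Off' and 'Automatic' both block automatic external
#    forwarding; 'On' allows it. Check every policy, not just the default.
Get-HostedOutboundSpamFilterPolicy |
    Select-Object Name, IsDefault, AutoForwardingMode
# Remote domains can re-enable forwarding per destination domain.
Get-RemoteDomain | Where-Object AutoForwardEnabled |
    Select-Object DomainName, AutoForwardEnabled

# 2. Mailbox-level forwarding (set in Outlook settings or by an admin).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
        ForwardingAddress, DeliverToMailboxAndForward

# 3. Inbox rules that forward or redirect to an external address.
$acceptedDomains = (Get-AcceptedDomain).DomainName |
    ForEach-Object { $_.ToString().ToLower() }

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if (-not $t) { continue }
            # Targets render as '"Name" [SMTP:user@example.com]' or a bare address;
            # pull the address out with a simple (assumed-sufficient) regex.
            if ("$t" -match '([\w.+-]+@[\w.-]+)') {
                $address = $Matches[1]
                $domain  = $address.Split('@')[1].ToLower()
                if ($acceptedDomains -notcontains $domain) {
                    [pscustomobject]@{
                        Mailbox = $mbx.UserPrincipalName
                        Rule    = $rule.Name
                        RuleId  = $rule.Identity
                        Enabled = $rule.Enabled
                        Target  = $address
                    }
                }
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 4. Remediate. Close the tenant-level gap first, then disable the offending
#    rules once the mailbox owners have been asked about them.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# $findings | ForEach-Object {
#     Disable-InboxRule -Mailbox $_.Mailbox -Identity $_.RuleId -Confirm:$false
# }
```

Step 3 is the slow part on a large tenant (one Get-InboxRule call per mailbox); run it once and keep the output, because a rule that is disabled today can be re-enabled by the user tomorrow.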

Old app approvals are still active

In July 2025, Microsoft updated its policy to prevent users from independently approving third-party applications that want access to their files, email, and calendars. New requests now route to an administrator for review.

Again, that policy applies going forward. Apps that were approved before the change still have whatever permissions they were given — including the ability to read emails and files on behalf of your users.

Think about the apps employees connected during a one-off project two years ago, or productivity tools someone installed and forgot about. Those connections are still active until someone reviews and removes them.

Time to fix: A 30–60 minute audit of your Microsoft Entra ID enterprise applications, covering both the delegated permissions individual users consented to and any application permissions granted outright, will show what currently has access to your business data and let you revoke anything that shouldn't be there. Confirm an app is genuinely unused before revoking: removing consent from one still in use breaks it for that user.
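The audit in Microsoft Graph PowerShell. This is an added example, not code from the Symsafe article; it assumes the Microsoft Graph PowerShell SDK, an account able to read applications and grants (Global Reader plus the listed scopes), the well-known Microsoft first-party tenant ID used to separate Microsoft's own apps from third-party ones, and a hand-picked list of scopes treated as high-risk.

```powershell
# Added example (not from the original article). List delegated consents
# (OAuth2 permission grants) and application permissions already in place,
# highlight third-party apps holding mail or file access, and show how to
# revoke a stale grant.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All", "Policy.Read.All"

# Current user-consent policy: tells you whether users can still self-approve.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# Well-known object ID of the Microsoft services tenant; service principals
# owned by it are Microsoft first-party apps.
$microsoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'

# Cache service principals so each grant can be named.
$sp = @{}
Get-MgServicePrincipal -All | ForEach-Object { $sp[$_.Id] = $_ }

# Scopes worth a second look (assumed list; extend to taste).
$highRisk = 'Mail.Read', 'Mail.ReadWrite', 'MailboxSettings.ReadWrite',
            'Files.Read.All', 'Files.ReadWrite.All', 'Contacts.Read', 'offline_access'

# Delegated grants. ConsentType 'AllPrincipals' is admin consent for everyone;
# 'Principal' is one user's own consent, the kind the July 2025 change stops.
$grants = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $g      = $_
    $client = $sp[$g.ClientId]
    $scopes = @($g.Scope -split ' ' | Where-Object { $_ })
    [pscustomobject]@{
        GrantId        = $g.Id
        App            = $client.DisplayName
        Publisher      = $client.PublisherName
        ThirdParty     = $client.AppOwnerOrganizationId -ne $microsoftTenant
        ConsentType    = $g.ConsentType
        UserObjectId   = $g.PrincipalId          # null for AllPrincipals
        HighRiskScopes = ($scopes | Where-Object { $highRisk -contains $_ }) -join ' '
    }
}
$grants | Where-Object { $_.ThirdParty -and $_.HighRiskScopes } |
    Sort-Object App | Format-Table -AutoSize

# Application permissions: no user involved, these run unattended.
$sp.Values | Where-Object { $_.AppOwnerOrganizationId -ne $microsoftTenant } | ForEach-Object {
    $s = $_
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $s.Id -All | ForEach-Object {
        [pscustomobject]@{ App = $s.DisplayName; Resource = $_.ResourceDisplayName; AppRoleId = $_.AppRoleId }
    }
} | Format-Table -AutoSize

# Revoke a stale delegated grant once the owner confirms the app is unused:
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId from the table>'
```

Look at the ConsentType column first: a 'Principal' grant with Mail.Read against a third-party app is exactly the "someone connected a tool for a one-off project" case, and each one can be removed individually without touching other users.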

Your audit logs may not be retained long enough

If something goes wrong — a data breach, a compliance query, a dispute — your ability to investigate depends on your audit log retention. Since October 2023, Microsoft’s standard audit retention period is 180 days. That’s an improvement on the previous 90-day default, but it may still fall short of your obligations.

Businesses in healthcare, financial services, and legal services are often subject to record-keeping requirements measured in years, not months. If your Microsoft 365 licence doesn’t include extended audit retention, and you haven’t configured a custom policy, you may find yourself unable to produce the records you’re legally required to keep.

Time to fix: Extended retention comes with an E5 licence or the Microsoft Purview Audit (Premium) add-on, which keeps Entra ID, Exchange and SharePoint records for one year by default, with a separate 10-year retention add-on for longer obligations. The configuration itself takes about 15 minutes once your licence is confirmed. One caveat: a retention policy longer than 180 days only applies to users who actually hold the licence; everyone else stays on the standard period.
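The checks and the policy in PowerShell. This is an added example, not code from the Symsafe article; it assumes the ExchangeOnlineManagement module (which provides both the Exchange Online and the Security & Compliance sessions used here), Audit (Premium) licensing for the users in scope, and a 12-month target chosen for illustration.

```powershell
# Added example (not from the original article). Confirm audit ingestion is
# on, see which retention policies exist, add a 12-month policy for the core
# record types, and test whether anything older than 180 days is retrievable.
Import-Module ExchangeOnlineManagement

# Exchange Online session: audit configuration and searching.
Connect-ExchangeOnline
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF; nothing is being retained at all."
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Security & Compliance session: retention policies live here.
Connect-IPPSSession
# No custom policies means you are on whatever your licence's default is.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, RecordTypes, RetentionDuration, Priority, Enabled

# Keep the records an investigator needs for 12 months. RetentionDuration
# accepts ThreeMonths, SixMonths, NineMonths, TwelveMonths or TenYears;
# anything beyond 180 days needs Audit (Premium), TenYears needs the add-on.
New-UnifiedAuditLogRetentionPolicy -Name "Core audit - 12 months" `
    -Description "Exchange, SharePoint, OneDrive, Teams and Entra ID audit records retained 12 months" `
    -RecordTypes ExchangeAdmin, ExchangeItem, SharePoint, SharePointFileOperation, OneDrive,
                 MicrosoftTeams, AzureActiveDirectory, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths `
    -Priority 10

# Sanity check from the Exchange Online session: a search window that starts
# a year back and ends just past the 180-day mark returns nothing on a tenant
# that is only retaining the standard period.
$old = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-365) `
                              -EndDate (Get-Date).AddDays(-181) -ResultSize 1
if (-not $old) {
    Write-Warning "No audit records older than 180 days were returned."
}
```

Re-run the sanity check a few months after the policy is created; the policy extends retention for records ingested from that point on, so a tenant that was on 180 days yesterday will not suddenly have a year of history today.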

Multi-Factor Authentication: Are you actually covered?

MFA is the single most effective control against account compromise. Microsoft now requires it for sign-ins to its admin portals, and new tenants have it enforced from day one through a feature called Security Defaults.

Older tenants are a different story.

A common trap: Security Defaults and Conditional Access (available on Business Premium and above) cannot run side by side, so an IT provider who moves to Conditional Access has to turn Security Defaults off first and recreate MFA enforcement as a policy. If that transition wasn't completed carefully, you end up with Security Defaults disabled and a Conditional Access policy that doesn't cover every user: scoped to a pilot group, still in report-only mode, or carrying exclusions nobody has reviewed since.

The result is users — and sometimes even administrators — with no MFA protecting their accounts.

This is the highest-stakes item on this list. It’s also the one most likely to cause disruption if it’s changed without proper planning.

Time to fix: Budget roughly an hour, and do it properly: check who has actually registered an MFA method before you enforce anything, exclude a break-glass emergency access account, run the new policy in report-only mode first, and tell staff what the prompt will look like.
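How to find out where the tenant really stands before touching anything. This is an added example, not code from the Symsafe article; it assumes the Microsoft Graph PowerShell SDK, Entra ID P1 (needed for Conditional Access and the registration report), and a Global Reader account with the listed scopes. It reports coverage; it deliberately changes nothing.

```powershell
# Added example (not from the original article). Report whether every user
# sits under MFA enforcement (Security Defaults or a Conditional Access
# policy) and list who has not registered an MFA method, admins first.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Security Defaults state.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Conditional Access policies that require MFA (or an authentication
#    strength) and are actually enabled, not report-only or disabled.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and (
        $_.GrantControls.BuiltInControls -contains 'mfa' -or
        $_.GrantControls.AuthenticationStrength.Id
    )
}
$mfaPolicies | ForEach-Object {
    [pscustomobject]@{
        Policy         = $_.DisplayName
        AllUsers       = $_.Conditions.Users.IncludeUsers -contains 'All'
        AllApps        = $_.Conditions.Applications.IncludeApplications -contains 'All'
        ExcludedUsers  = @($_.Conditions.Users.ExcludeUsers).Count
        ExcludedGroups = @($_.Conditions.Users.ExcludeGroups).Count
    }
} | Format-Table -AutoSize

# A tenant is only "covered" if Security Defaults is on, or at least one
# enabled policy targets all users and all apps. Exclusions still need a
# human to read them: a group exclusion can hollow out an all-users policy.
$blanket = $mfaPolicies | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All'
}
if (-not ($sd.IsEnabled -or $blanket)) {
    Write-Warning "Neither Security Defaults nor an all-users, all-apps MFA policy is enforced."
}

# 3. Who cannot pass an MFA prompt today. This is the list that an enforcement
#    change disrupts, so it drives the communication plan.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable |
    Format-Table -AutoSize
```

An admin appearing in the step 3 list with Security Defaults off and no blanket policy is the worst case this article describes: a privileged account protected by a password alone.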

Where to Start

Not all of these changes need to happen at once. A sensible sequence:

  • Start here (no user impact): Audit log retention and historical app consent review. Reviewing these is invisible to your team; only revoking an app someone still uses gets noticed, so confirm before you remove.
  • Then: Verify the external email forwarding policy. Silent unless someone has a legitimate forwarding rule in place — which is uncommon.
  • Then: Update the SharePoint sharing default. Communicate the change to your team first, as it will affect how links are generated.
  • Last: Tackle MFA and Conditional Access. This requires careful planning and enough time to do it right.

Unsure where your Microsoft 365 tenant stands? Symsafe offers a Microsoft 365 security review to identify configuration gaps and provide a clear remediation plan.

Get in touch

1300 002 001 | info@symsafe.com.au

TL;DR

If your Microsoft 365 tenant is more than two or three years old — or hasn’t been audited recently — there’s a real chance it carries legacy settings that create security risk.

Five areas worth checking: file-sharing link defaults, external email forwarding rules, historical third-party app consents, audit log retention periods, and MFA enforcement.

None of these are complex to address, but they do require someone to look. If you’re not sure where your tenant stands, it’s worth finding out before something goes wrong.

This article was crafted in collaboration with our AI sidekick, Toolip 🤖