Security · 7 min read

Common Microsoft 365 security misconfigurations

Conditional Access gaps, MFA holes, over-privileged apps, and guest access issues — what to look for and how to fix them.

Conditional Access drift

Conditional Access is powerful but easy to undermine. Policies get exceptions for "just this one vendor" or "until the project ends" — and those exceptions rarely get removed.

Review every policy for users or groups excluded from MFA requirements, locations trusted without justification, and legacy authentication allowances.

  • Policies that exclude entire departments from MFA
  • Named locations that cover whole countries or public IP ranges
  • Legacy auth protocols still allowed for any user population
  • Policies in report-only mode that were never switched to enforce
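The checks above can be scripted against the Microsoft Graph PowerShell SDK. The following is an added example, not Tenant Hawk's code or anything from the original page: it pulls every Conditional Access policy and named location and prints one line per drift pattern. It assumes the SDK is installed, the account can consent to Policy.Read.All, and the thresholds (a trusted range wider than a /24, any country-wide location) are this example's own choices.

```powershell
# Added example: audit Conditional Access policies for the drift patterns listed above.
# Assumes Microsoft.Graph PowerShell SDK; thresholds below are this example's choice.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

$policies  = Get-MgIdentityConditionalAccessPolicy -All
$locations = Get-MgIdentityConditionalAccessNamedLocation -All

# Lookup so findings can name a location rather than print its GUID
$locById = @{}
foreach ($loc in $locations) { $locById[$loc.Id] = $loc }

$findings = foreach ($p in $policies) {
    $c = $p.Conditions
    # A policy "requires MFA" if it grants with the mfa control or an authentication strength
    $requiresMfa = ($p.GrantControls.BuiltInControls -contains "mfa") -or
                   ($null -ne $p.GrantControls.AuthenticationStrength)

    # 1. Report-only policies that were never switched to enforce
    if ($p.State -eq "enabledForReportingButNotEnforced") {
        [pscustomobject]@{ Policy = $p.DisplayName; Issue = "Still in report-only mode"; Detail = $p.State }
    }

    if ($requiresMfa -and $p.State -eq "enabled") {
        # 2. Users, groups (departments usually arrive as groups) or roles excluded from an MFA policy
        $excluded = @(@($c.Users.ExcludeUsers) + @($c.Users.ExcludeGroups) + @($c.Users.ExcludeRoles) | Where-Object { $_ })
        if ($excluded.Count -gt 0) {
            [pscustomobject]@{ Policy = $p.DisplayName; Issue = "MFA policy has $($excluded.Count) exclusion(s)"; Detail = ($excluded -join ", ") }
        }
        # 3. MFA policies that do not reach legacy-auth clients ("other" or "all")
        $apps = @($c.ClientAppTypes)
        if (-not ($apps -contains "all") -and -not ($apps -contains "other")) {
            [pscustomobject]@{ Policy = $p.DisplayName; Issue = "Does not apply to legacy auth clients"; Detail = ($apps -join ", ") }
        }
    }

    # 4. Named locations carved out of a policy (the classic "trusted office" exception)
    foreach ($locId in @($c.Locations.ExcludeLocations | Where-Object { $_ })) {
        $name = if ($locById[$locId]) { $locById[$locId].DisplayName } else { $locId }
        [pscustomobject]@{ Policy = $p.DisplayName; Issue = "Excludes named location"; Detail = $name }
    }
}

# Named locations themselves: whole countries, or trusted IP ranges wide enough that one
# compromised host inside them bypasses every policy that excludes the location
$locFindings = foreach ($loc in $locations) {
    $props = $loc.AdditionalProperties
    switch ($props["@odata.type"]) {
        "#microsoft.graph.countryNamedLocation" {
            $countries = @($props["countriesAndRegions"])
            [pscustomobject]@{ Policy = "(named location)"; Issue = "Country-wide location ($($countries.Count) countries)"; Detail = $loc.DisplayName }
        }
        "#microsoft.graph.ipNamedLocation" {
            $ranges = @($props["ipRanges"] | ForEach-Object { $_["cidrAddress"] })
            $wide   = @($ranges | Where-Object { $_ -match '/(\d+)$' -and [int]$Matches[1] -lt 24 })
            if ($props["isTrusted"] -and $wide.Count -gt 0) {
                [pscustomobject]@{ Policy = "(named location)"; Issue = "Trusted location with wide IP ranges"; Detail = "$($loc.DisplayName): $($wide -join ', ')" }
            }
        }
    }
}

@($findings) + @($locFindings) | Where-Object { $_ } | Sort-Object Issue, Policy | Format-Table -AutoSize
```

Group and user exclusions are printed as object IDs; resolve the ones you do not recognise with Get-MgGroup or Get-MgUser, and treat every exclusion that is not a documented break-glass account as a finding until someone owns it.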

MFA and legacy authentication

Password-only sign-in remains one of the most common root causes of tenant compromise. Security Defaults block legacy authentication outright, but tenants that replaced them with Conditional Access inherit a gap: legacy protocols cannot complete an MFA prompt, so any policy that does not cover them leaves password-only sign-in open to those clients.

  • Users or admins without registered MFA methods
  • SMTP AUTH, IMAP, POP, or other basic-auth protocols still enabled tenant-wide or per mailbox
  • Service accounts using password auth instead of certificates
  • Break-glass accounts without documented, tested access procedures
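The first three items above are each visible from a different surface: MFA registration from the Graph registration report, protocol switches from Exchange Online, and actual legacy-auth usage from the sign-in log. The script below is an added example (not the page's or Tenant Hawk's code) that checks all three. It assumes the Graph PowerShell SDK and the ExchangeOnlineManagement module, an account that can consent to the listed scopes, and a 7-day look-back that is this example's choice.

```powershell
# Added example: MFA registration gaps, legacy protocol switches, and recent legacy-auth sign-ins.
# Assumes Microsoft.Graph and ExchangeOnlineManagement modules; look-back window is this example's choice.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Registration report: who has no MFA method at all, admins first
$reg   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = @($reg | Where-Object { -not $_.IsMfaRegistered })
$noMfaAdmins = @($noMfa | Where-Object IsAdmin)
"Users with no MFA method registered: $($noMfa.Count) (of which admins: $($noMfaAdmins.Count))"
$noMfaAdmins | Select-Object UserPrincipalName, MethodsRegistered | Format-Table -AutoSize

# 2. Exchange Online switches. SMTP AUTH has a tenant-wide setting and a per-mailbox
#    override; a per-mailbox value of $null means "inherit the tenant setting".
$transport = Get-TransportConfig
if (-not $transport.SmtpClientAuthenticationDisabled) {
    "SMTP AUTH is enabled tenant-wide (Set-TransportConfig -SmtpClientAuthenticationDisabled `$true to turn it off)"
}
$legacyMailboxes = @(Get-CASMailbox -ResultSize Unlimited | Where-Object {
    $_.ImapEnabled -or $_.PopEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false)
})
"Mailboxes with IMAP, POP or an explicit SMTP AUTH override enabled: $($legacyMailboxes.Count)"
$legacyMailboxes | Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled |
    Format-Table -AutoSize

# 3. Who actually authenticated with a legacy client recently? In the sign-in log,
#    clientAppUsed is "Browser" or "Mobile Apps and Desktop clients" for modern auth;
#    every other value (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, ...) is basic auth.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$filter = "createdDateTime ge $since and clientAppUsed ne 'Browser' and clientAppUsed ne 'Mobile Apps and Desktop clients'"
$legacySignIns = Get-MgAuditLogSignIn -All -Filter $filter
"Legacy-auth sign-ins in the last 7 days: $(@($legacySignIns).Count)"
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run part 3 before you flip the switches in part 2: the grouped output is the list of users and devices that will break, which is the conversation you need to have with their owners first.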

Privileged roles and admin sprawl

Global Administrator should be rare. Standing privileged access increases blast radius when any one account is phished.

  • More than five Global Administrators (Microsoft's own guidance is fewer than five, and at least two) without a documented reason
  • Guest users holding any admin role
  • Permanent Privileged Identity Management assignments instead of time-bound activation
  • Unused admin accounts that remain enabled after role changes
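The three role checks above come from two Graph collections: role assignments (standing access, plus anything currently activated through PIM) and role eligibility schedules (the time-bound PIM assignments). The script below is an added example, not the page's or Tenant Hawk's code; it assumes the Graph PowerShell SDK, RoleManagement.Read.Directory and Directory.Read.All, an Entra ID P2 licence for the eligibility call, and a Global Administrator threshold of five, which is this example's choice.

```powershell
# Added example: standing Global Admins, guests holding roles, and permanent vs PIM-eligible assignments.
# Assumes Microsoft.Graph PowerShell SDK; the threshold is this example's choice.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

# Template ID of the Global Administrator role; it is the same in every tenant.
$GlobalAdminRole = "62e90394-69f5-4237-9190-012177145e10"
$MaxGlobalAdmins = 5

$roleDefs = Get-MgRoleManagementDirectoryRoleDefinition -All
$roleName = @{}
foreach ($d in $roleDefs) { $roleName[$d.Id] = $d.DisplayName }
$privilegedRoleIds = @($roleDefs | Where-Object IsPrivileged | ForEach-Object Id)

# Active assignments = standing access (plus anything currently PIM-activated);
# eligibility schedules = time-bound PIM assignments (empty without P2).
$active   = @(Get-MgRoleManagementDirectoryRoleAssignment -All)
$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All -ErrorAction SilentlyContinue)

# Resolve every principal in one call (getByIds accepts up to 1000 IDs). A principal can be
# a role-assignable group or a service principal, so fall back to displayName when there is no UPN.
$ids = @(@($active.PrincipalId) + @($eligible.PrincipalId) | Where-Object { $_ } | Select-Object -Unique)
$who = @{}
foreach ($obj in @(Get-MgDirectoryObjectById -Ids $ids)) {
    $props = $obj.AdditionalProperties
    $label = if ($props["userPrincipalName"]) { $props["userPrincipalName"] }
             else { "$($props["displayName"]) [$($props["@odata.type"] -replace '#microsoft.graph.','')]" }
    $who[$obj.Id] = @{ Label = $label; IsGuest = ($props["userType"] -eq "Guest") }
}
function Get-PrincipalLabel($id) { if ($who[$id]) { $who[$id].Label } else { "$id (object not found)" } }

# 1. Standing Global Administrators
$ga = @($active | Where-Object RoleDefinitionId -eq $GlobalAdminRole)
"Standing Global Administrators: $($ga.Count) (threshold: $MaxGlobalAdmins)"
foreach ($a in $ga) { "  " + (Get-PrincipalLabel $a.PrincipalId) }
if ($ga.Count -gt $MaxGlobalAdmins) { "  -> above threshold: document each one or convert it to PIM eligibility" }

# 2. Guests holding any directory role, standing or eligible
foreach ($a in ($active + $eligible)) {
    if ($who[$a.PrincipalId] -and $who[$a.PrincipalId].IsGuest) {
        "GUEST WITH ROLE: $(Get-PrincipalLabel $a.PrincipalId) -> $($roleName[$a.RoleDefinitionId])"
    }
}

# 3. Standing assignments to privileged roles are the PIM conversion backlog
$standing = @($active | Where-Object { $privilegedRoleIds -contains $_.RoleDefinitionId })
"Standing privileged assignments: $($standing.Count); PIM-eligible assignments: $($eligible.Count)"
$standing | ForEach-Object {
    [pscustomobject]@{ Role = $roleName[$_.RoleDefinitionId]; Principal = (Get-PrincipalLabel $_.PrincipalId) }
} | Sort-Object Role, Principal | Format-Table -AutoSize
```

A principal printed with a group type is a role-assignable group; its members inherit the role, so count them against the Global Administrator threshold too. Break-glass accounts should appear in this list and nowhere else in your exclusions.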

Over-permissioned applications

Third-party and internal app registrations often request broad Graph permissions at install time and are never reviewed again.

  • Apps with Directory.ReadWrite.All, Mail.ReadWrite, or similar high-impact scopes
  • Client secrets with no owner or rotation schedule
  • Unused enterprise applications still granted consent
  • Multi-tenant apps from vendors no longer under contract
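Permissions granted to an app live on Microsoft Graph's service principal in two forms: application permissions (app roles, which work with no signed-in user) and delegated consent granted on behalf of all users. Credentials live on the application object. The script below is an added example (not the page's or Tenant Hawk's code) that lists both kinds of high-impact grant and then audits client secrets. It assumes the Graph PowerShell SDK with Application.Read.All and Directory.Read.All; the "high-impact" regular expression and the 365-day lifetime limit are this example's own choices, not an official list. It does not cover the "unused application" item, which needs service-principal sign-in data not shown here.

```powershell
# Added example: high-impact Graph permissions (application and tenant-wide delegated) and secret hygiene.
# Assumes Microsoft.Graph PowerShell SDK; the pattern and lifetime limit are this example's choice.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome

# Microsoft Graph's own service principal; this appId is the same in every tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleValue = @{}
foreach ($r in $graphSp.AppRoles) { $roleValue[$r.Id] = $r.Value }   # app role GUID -> e.g. Mail.ReadWrite

# Permission names this example treats as high-impact (its own choice)
$HighImpact = '\.ReadWrite\.All$|^RoleManagement\.|^Mail\.|^Files\.|^Sites\.|^AppRoleAssignment\.'

# 1. Application permissions: every app role assignment whose resource is Graph
$appGrants = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All
$appFindings = foreach ($g in $appGrants) {
    $perm = $roleValue[$g.AppRoleId]
    if ($perm -match $HighImpact) {
        [pscustomobject]@{ App = $g.PrincipalDisplayName; Kind = "Application"; Permission = $perm }
    }
}

# 2. Delegated consent granted for all users (ConsentType AllPrincipals) on Graph
$spName = @{}
$delegated = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "AllPrincipals" -and $_.ResourceId -eq $graphSp.Id }
$delFindings = foreach ($grant in $delegated) {
    if (-not $spName[$grant.ClientId]) {
        $spName[$grant.ClientId] = (Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId).DisplayName
    }
    foreach ($scope in @($grant.Scope -split ' ' | Where-Object { $_ -match $HighImpact })) {
        [pscustomobject]@{ App = $spName[$grant.ClientId]; Kind = "Delegated (all users)"; Permission = $scope }
    }
}
@($appFindings) + @($delFindings) | Where-Object { $_ } | Sort-Object App, Kind, Permission | Format-Table -AutoSize

# 3. Client secrets: no owner, lifetime over a year, or expired but never removed
$apps = Get-MgApplication -All -Property Id,DisplayName,PasswordCredentials
foreach ($app in $apps) {
    $secrets = @($app.PasswordCredentials | Where-Object { $_ })
    if ($secrets.Count -eq 0) { continue }
    $ownerCount = @(Get-MgApplicationOwner -ApplicationId $app.Id).Count
    foreach ($s in $secrets) {
        $issues = @()
        if ($ownerCount -eq 0)                                       { $issues += "no owner" }
        if (($s.EndDateTime - $s.StartDateTime).TotalDays -gt 365)   { $issues += "lifetime over 365 days" }
        if ($s.EndDateTime -lt (Get-Date))                           { $issues += "expired, not removed" }
        if ($issues.Count -gt 0) {
            "$($app.DisplayName): secret '$($s.DisplayName)' ends $($s.EndDateTime.ToString('yyyy-MM-dd')) - $($issues -join ', ')"
        }
    }
}
```

Part 1 is the one to read first: an application permission such as Directory.ReadWrite.All is usable by whoever holds the secret, with no user in the loop and no Conditional Access policy in the way, so an unowned secret on such an app is effectively an unmonitored admin credential.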

Guest access and external collaboration

B2B collaboration is essential, but the default external collaboration and sharing settings are permissive, and left unreviewed they expose data to people who no longer need it.

  • Guest users inactive for 90+ days still enabled
  • Anyone links or anonymous sharing enabled where not required
  • Guests invited to security-sensitive groups or teams
  • External access settings that differ from your documented policy
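Guest hygiene spans Entra (stale and never-redeemed guests, who may invite), and SharePoint (whether "Anyone" links can exist at all). The script below is an added example, not the page's or Tenant Hawk's code; it assumes the Graph PowerShell SDK with User.Read.All, AuditLog.Read.All and Policy.Read.All, the SharePoint Online Management Shell, that `contoso-admin` is replaced with your tenant's admin URL, and a 90-day inactivity window taken from the item above.

```powershell
# Added example: stale guests, tenant invite settings, and the SharePoint sharing level.
# Assumes Microsoft.Graph SDK and Microsoft.Online.SharePoint.PowerShell; replace the admin URL.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Policy.Read.All" -NoWelcome

$InactiveDays = 90
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Guests: signInActivity needs AuditLog.Read.All. A guest with no LastSignInDateTime either
#    never redeemed the invitation or never signed in, so fall back to the creation date.
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,UserPrincipalName,Mail,CreatedDateTime,AccountEnabled,ExternalUserState,SignInActivity
$stale = @($guests | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    $_.AccountEnabled -and $(if ($null -eq $last) { $_.CreatedDateTime -lt $cutoff } else { $last -lt $cutoff })
})
"Enabled guests with no sign-in in $InactiveDays+ days: $($stale.Count) of $(@($guests).Count)"
$stale | Select-Object Mail, ExternalUserState, CreatedDateTime,
    @{ n = "LastSignIn"; e = { $_.SignInActivity.LastSignInDateTime } } |
    Sort-Object LastSignIn | Format-Table -AutoSize

# 2. Tenant-level external collaboration settings
$authz = Get-MgPolicyAuthorizationPolicy
# Documented role template IDs for the "guest user access restrictions" setting
$guestRole = @{
    "a0b1b346-4d3e-4e8b-98f8-753987be4970" = "same access as members (most permissive)"
    "10dae51f-b6af-4016-8d66-8c2a99b929b3" = "limited access (default)"
    "2af84b1e-32c8-42b7-82bc-daa82404023b" = "restricted access"
}
"Who can invite guests : $($authz.AllowInvitesFrom)"          # 'everyone' lets any member or guest invite
"Guest access level    : $($guestRole[$authz.GuestUserRoleId])"
if ($authz.AllowInvitesFrom -eq "everyone") { "  -> any user, including guests, can invite more guests" }

# 3. SharePoint/OneDrive: "Anyone" links are only possible at ExternalUserAndGuestSharing
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$spo = Get-SPOTenant
"SharePoint sharing capability: $($spo.SharingCapability)"
if ($spo.SharingCapability -eq "ExternalUserAndGuestSharing") {
    "  -> Anyone links allowed tenant-wide; default link type: $($spo.DefaultSharingLinkType); anonymous link expiry (days): $($spo.RequireAnonymousLinksExpireInDays)"
}
```

Compare each printed value with what your written policy says it should be; the last bullet above is exactly that diff. Stale guests are safe to disable first and delete later, which keeps their group memberships recoverable if someone objects.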

Fix priority

Tackle legacy auth and MFA gaps first — they are the highest-risk, fastest-win items. Then reduce Global Admin count and review app permissions. Guest cleanup can run in parallel with hygiene work.

Tenant Hawk flags these issues automatically during a read-only scan and ranks them by severity so you know where to start.

Try it on your tenant

Run a free health scan in under 5 minutes

Tenant Hawk connects read-only to Microsoft 365 and Entra, scores your tenant across security, cost, reliability, and hygiene, then gives you a prioritized fix-it list.

Read-only access · no credentials stored · no credit card