Conditional Access drift
Conditional Access is powerful but easy to undermine. Policies get exceptions for "just this one vendor" or "until the project ends", and those exceptions rarely get removed.
Review every policy for users or groups excluded from MFA requirements, locations trusted without justification, and legacy authentication allowances. Common findings include:
- Policies that exclude entire departments from MFA
- Named locations that cover whole countries or public IP ranges
- Legacy auth protocols still allowed for any user population
- Policies in report-only mode that were never switched to enforce
MFA and legacy authentication
Password-only sign-in remains one of the most common root causes of tenant compromise. Even with Security Defaults or CA policies, gaps appear when legacy protocols bypass modern auth.
- Users or admins without registered MFA methods
- SMTP, IMAP, POP, or other legacy protocols still enabled tenant-wide
- Service accounts using password auth instead of certificates
- Break-glass accounts without documented, tested access procedures
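The report-only, MFA-exclusion and legacy-auth checks from the two sections above can be run against the policy JSON that Microsoft Graph returns from GET /identity/conditionalAccess/policies (its "value" array). This is an added example, not Tenant Hawk's code; the two policies and the group id in it are constructed, and a policy counts as "blocking legacy auth" only when it is enabled, applies to all users, targets the legacy client app types and grants "block".

```python
# Added example (not Tenant Hawk's code): audit the "value" array from
# GET /identity/conditionalAccess/policies for CA drift. SAMPLE_POLICIES
# and the excluded group id are constructed for illustration.
REPORT_ONLY = "enabledForReportingButNotEnforced"
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}  # "other" = legacy auth clients

SAMPLE_POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeGroups": ["00000000-0000-0000-0000-00000000beef"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication", "state": REPORT_ONLY,
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": sorted(LEGACY_CLIENT_APPS)},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def excluded_principals(policy):
    """Users, groups and roles carved out of the policy (break-glass included)."""
    users = policy.get("conditions", {}).get("users", {})
    return [p for key in ("excludeUsers", "excludeGroups", "excludeRoles")
            for p in users.get(key, [])]


def blocks_legacy_auth(policy):
    """Enabled, applies to all users, targets legacy client apps, and blocks."""
    apps = set(policy.get("conditions", {}).get("clientAppTypes") or [])
    users = policy.get("conditions", {}).get("users", {})
    return (policy["state"] == "enabled" and "block" in controls(policy)
            and users.get("includeUsers") == ["All"]
            and ("all" in apps or LEGACY_CLIENT_APPS <= apps))


def audit_ca_policies(policies):
    """Return (check, detail) findings for the policy set as a whole."""
    findings = []
    for p in policies:
        name = p["displayName"]
        if p["state"] == REPORT_ONLY:
            findings.append(("report-only", f"{name} was never switched to enforce"))
        if "mfa" in controls(p) and excluded_principals(p):
            findings.append(("mfa-exclusion",
                             f"{name} excludes {len(excluded_principals(p))} principal(s)"))
    # Tenant-level check: at least one enforced policy must block legacy auth.
    if not any(blocks_legacy_auth(p) for p in policies):
        findings.append(("legacy-auth-allowed", "no enforced policy blocks legacy auth"))
    return findings
```

Every MFA exclusion is reported so it can be reviewed against its documented reason; a break-glass account exclusion is expected, a whole-department one is drift.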
Privileged roles and admin sprawl
Global Administrator should be rare. Standing privileged access increases blast radius when any one account is phished.
- More than four or five Global Administrators without a documented reason
- Guest users holding any admin role
- Permanent Privileged Identity Management assignments instead of time-bound activation
- Unused admin accounts that remain enabled after role changes
Over-permissioned applications
Third-party and internal app registrations often request broad Graph permissions at install time and are never reviewed again.
- Apps with Directory.ReadWrite.All, Mail.ReadWrite, or similar high-impact scopes
- Client secrets with no owner or rotation schedule
- Unused enterprise applications still granted consent
- Multi-tenant apps from vendors no longer under contract
Guest access and external collaboration
B2B collaboration is essential for business, but defaults that are too open create data exposure.
- Guest users inactive for 90+ days still enabled
- "Anyone" links or anonymous sharing enabled where not required
- Guests invited to security-sensitive groups or teams
- External access settings that differ from your documented policy
Fix priority
Tackle legacy auth and MFA gaps first. They are the highest-risk, fastest-win items. Then reduce Global Admin count and review app permissions. Guest cleanup can run in parallel with hygiene work.
Tenant Hawk flags these issues automatically during a read-only scan and ranks them by severity so you know where to start.