Microsoft 365: The Most Overlooked Security Settings for Small Firms

Matt Kinsey — Cyber Risk, Compliance & AI Governance for Law & CPA Firms

The quiet misconfigurations that expose your email, files, and clients to major cyber risk

Most small firms assume that because they use Microsoft 365, their email and files are automatically secure. After all, Microsoft is a global powerhouse with billions invested in security.

But here’s the uncomfortable truth:

Microsoft gives you the toolbox — not the finished security system.

Many of the security features that protect small firms from cyberattacks are not enabled by default, and the ones that are (such as the Security Defaults a newer tenant starts with) are all-or-nothing settings that a global admin can switch off in one click.
And because professional service firms rely heavily on email, Teams, SharePoint, and OneDrive, a single overlooked setting can expose thousands of files, sensitive client data, or even entire inboxes.

In today’s threat landscape — especially with phishing, credential theft, and business email compromise skyrocketing — these gaps create real financial, operational, and compliance risks.

Below are the most commonly overlooked Microsoft 365 security settings that small firms think they have, but don’t.


🔐 1. Multi-Factor Authentication (MFA) Not Enforced for All Users

Many firms enable MFA for partners and managers… but skip:

  • Administrative staff
  • Interns or seasonal employees
  • Shared mailboxes
  • Temporary users
  • Remote contractors

Attackers don’t care whose inbox they break into.
They just need one password.

Small firms are frequent victims because:

  • Staff often reuse passwords
  • Old accounts linger in the system
  • Shared mailboxes lack protections
  • Login alerts are ignored

If one account is compromised, attackers get full access to email threads, client files, invoices, and wire instructions.
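The quickest way to find out who is actually covered is to ask the tenant rather than the org chart. The script below is an added example, not something from the original post: it pulls the Entra authentication-methods registration report for every member account and then cross-checks the directory accounts behind shared mailboxes, which are created sign-in blocked and become password-only logins if someone re-enables them. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed; the Graph scopes are the ones those calls document.

```powershell
# Added example (not from the original post): an MFA coverage report for every account, including the
# directory accounts behind shared mailboxes. Uses the Microsoft.Graph and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All","User.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Registration status straight from the Entra authentication-methods report. "Registered" is not
#    "enforced" (that is what Conditional Access is for), but an account with nothing registered
#    cannot be protected by any MFA policy yet.
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$noMfa = $reg | Where-Object { $_.UserType -eq 'member' -and -not $_.IsMfaRegistered } |
         Select-Object UserPrincipalName, IsAdmin, @{n='Methods'; e={ $_.MethodsRegistered -join ',' }}, LastUpdatedDateTime

"$(@($noMfa).Count) member accounts have no MFA method registered"
$noMfa | Sort-Object IsAdmin -Descending | Format-Table -AutoSize

# Accounts registered only with weak methods (SMS / voice call) are the next tier to fix
$reg | Where-Object { $_.IsMfaRegistered -and
                      -not ($_.MethodsRegistered -match 'microsoftAuthenticator|fido2|passKey|windowsHelloForBusiness|softwareOneTimePasscode') } |
       Select-Object UserPrincipalName, @{n='Methods'; e={ $_.MethodsRegistered -join ',' }}

# 2. Shared mailboxes. The directory account behind a shared mailbox is created sign-in blocked; if
#    someone re-enabled it (or set a password "so the scanner can send"), it is a password-only login.
foreach ($mbx in Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $acct = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property id,accountEnabled
    if ($acct.AccountEnabled) {
        Write-Warning ("Shared mailbox {0} allows direct sign-in. Block it with: Update-MgUser -UserId {1} -AccountEnabled:`$false" -f $mbx.PrimarySmtpAddress, $acct.Id)
    }
}
```

Run it once a month and after every hire or departure; the shared-mailbox check in particular catches the "temporary" password someone set for a scanner or a former staff member's converted mailbox.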


🛑 2. Legacy Authentication Still Enabled

Legacy authentication (Basic authentication: a username and password sent with every request) is the "back door" of the cloud. Microsoft began switching it off in Exchange Online in late 2022, but SMTP AUTH was left in place and can still be enabled tenant-wide or per mailbox, and nothing stops a client from trying the old protocols against a tenant that never blocked them.

This older login method:

  • Does NOT support MFA
  • Is the preferred target for password-spray attacks, since every attempt is a plain username/password check
  • Sidesteps MFA and any Conditional Access policy that only targets modern clients

And yet, many small firms still have it enabled because:

  • Older devices require it
  • Old email clients use it
  • No one reviewed the default settings

This is a common initial-access path in Business Email Compromise (BEC) cases, especially at law, CPA, and title agencies.
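Before blocking legacy authentication outright, find out whether anything still depends on it. The script below is an added example, not from the original post: it lists sign-ins by legacy client type from the Entra sign-in logs, shows whether SMTP AUTH is still on, and applies an Exchange authentication policy that refuses Basic authentication for every protocol. The policy name is an assumption, and the list of "modern" client names is a heuristic over the ClientAppUsed values Entra records.

```powershell
# Added example (not from the original post): discover legacy-auth use, then close the doors.
# Requires the Microsoft.Graph and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

# 1. Who signed in with a legacy client? Entra ID Free keeps 7 days of sign-in logs, P1/P2 keep 30.
#    Anything that is not a browser or a modern Office client is worth a look (IMAP, POP, SMTP,
#    "Other clients", Exchange ActiveSync, Outlook Anywhere, EWS with Basic auth...).
$modern = @('Browser', 'Mobile Apps and Desktop clients')
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize

# 2. SMTP AUTH is the one Basic-auth protocol Microsoft did not retire. Turn it off tenant-wide and
#    re-enable it only on the specific mailboxes (copier, line-of-business app) that truly need it.
$tc = Get-TransportConfig
"SMTP AUTH disabled tenant-wide: $($tc.SmtpClientAuthenticationDisabled)"
if (-not $tc.SmtpClientAuthenticationDisabled) {
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
}
# Per-mailbox overrides: $null inherits the tenant setting, $false means SMTP AUTH was re-enabled here
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object PrimarySmtpAddress, SmtpClientAuthenticationDisabled

# 3. An Exchange authentication policy blocks Basic auth at the service, independent of Conditional
#    Access licensing. A new policy has every AllowBasicAuth* flag off; make it the tenant default.
$policyName = "Block Basic Auth"            # name is an assumption
$policy = Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue
if (-not $policy) { $policy = New-AuthenticationPolicy -Name $policyName }
Set-OrganizationConfig -DefaultAuthenticationPolicy $policy.Identity
Get-AuthenticationPolicy -Identity $policyName | Select-Object Name, AllowBasicAuth*
```

Step 1 tells you which copier, backup job or elderly mail client will break; fix those first (modern auth, an app password is not a fix), then apply steps 2 and 3. The Conditional Access policy that blocks legacy clients (section 7) is the belt to this pair of braces.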


🗂️ 3. SharePoint & OneDrive Sharing Permissions Too Broad

Most firms never look at the tenant-wide sharing level, which for a new tenant is the most permissive setting, "Anyone": a user can create a link that opens the file with no sign-in at all, and that link keeps working for whoever it gets forwarded to unless an expiry has been set.

For professional services, this is catastrophic.

Common risks include:

  • Client files accessed without authentication
  • Sensitive documents downloaded and shared externally
  • Former employees retaining access
  • Vendors or consultants unintentionally receiving internal folders

Every share link becomes a security liability if not properly controlled.

Small firms rarely audit their sharing settings — attackers count on that.
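The settings live in the SharePoint admin center and are scriptable. The block below is an added example, not from the original post: it reads the tenant-wide defaults, lists the sites that still allow "Anyone" links, and then applies a tighter baseline. The admin URL, the client-site URL in the last line and the 30/90-day expiry values are assumptions; it needs the Microsoft.Online.SharePoint.PowerShell module.

```powershell
# Added example (not from the original post): review tenant sharing defaults, find sites that permit
# unauthenticated links, then tighten. URLs and expiry values are assumptions.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current state. The weak (and common) combination is SharingCapability = ExternalUserAndGuestSharing
# with DefaultSharingLinkType = AnonymousAccess and DefaultLinkPermission = Edit: every "Copy link"
# click produces an edit link that works with no sign-in and never expires.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType,
    ExternalUserExpirationRequired, ExternalUserExpireInDays

# Sites whose own setting permits Anyone links. A site can never be more open than the tenant, but
# you want to know which teams have been relying on this before you tighten it.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Sort-Object Url | Format-Table -AutoSize

# Corrected state: external sharing only with authenticated guests, new links default to
# "specific people" (Direct) with View permission, any Anyone link still in circulation expires
# within 30 days, and guest accounts lose access after 90 days unless re-shared.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 90

# A site holding client matters that must never be shared outside the firm at all:
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/ClientFiles" -SharingCapability Disabled
```

Tightening the default changes what new links do; it does not revoke links already handed out, which is what the anonymous-link expiry and the guest expiry are for. Announce the change first: staff who have been emailing "Anyone" links to clients will need the guest-sharing workflow instead.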


🔍 4. Mailbox Audit Logging Not Turned On

Exchange Online has turned mailbox auditing on by default since 2019, but it can be switched off for the whole organization or for individual mailboxes, and older or migrated tenants are not guaranteed to match today's defaults. Do not assume; check.

Without audit logs, you cannot see:

  • Whether a cybercriminal accessed your inbox
  • What folders they opened
  • What rules they created
  • Which emails they forwarded
  • Whether they exfiltrated client data

In a phishing or wire fraud incident, not having audit logs can be the difference between resolving a breach and not knowing what was stolen.


📨 5. Inbox Rules Not Monitored (The #1 Indicator of a Breach)

Attackers frequently create hidden inbox rules to:

  • Forward messages to an external account
  • Hide emails from the victim
  • Delete security alerts
  • Filter emails containing “invoice,” “payment,” or “wire”

Many firms operate for weeks or months without noticing these rules.

Often, this is the precursor to:

  • Invoice fraud
  • Wire fraud
  • Client impersonation
  • Data theft

Monitoring for unusual inbox rules is one of the most effective early-warning systems — and yet almost no small firms do it.
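The two previous sections go together: audit logs tell you when a rule was created and from which IP, and a rule sweep tells you what is in place right now. The script below is an added example, not from the original post, and serves both. It verifies the audit settings, then scores inbox rules against the patterns the post describes (forwarding, deletion, hiding, money-related keywords, blank names), runs that scoring on two constructed sample rules so it can be tried without a tenant, sweeps every user mailbox including rules hidden from Outlook, and finally searches the unified audit log for recent rule changes. The scoring, the keyword list and the sample rules are assumptions; the cmdlets are Exchange Online's.

```powershell
# Added example (not from the original post): verify auditing, then hunt for attacker-style inbox rules.
# Scoring, keyword list and sample rules are constructed for the example. Requires ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false

# --- Part 1: is auditing actually on? (Default since 2019, but it can be turned off per org or per mailbox.)
$org = Get-OrganizationConfig
if ($org.AuditDisabled) { Write-Warning "Mailbox auditing is DISABLED org-wide"; Set-OrganizationConfig -AuditDisabled $false }
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is off"; Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
# Mailboxes opted out, or whose owner audit set no longer records rule changes
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled -or $_.AuditOwner -notcontains 'UpdateInboxRules' } |
    Select-Object PrimarySmtpAddress, AuditEnabled, @{n='AuditOwner'; e={ $_.AuditOwner -join ',' }}

# --- Part 2: rule triage. Works on the objects Get-InboxRule returns, so it can be tested on constructed data.
$suspectWords = 'invoice','payment','wire','ach','remit','bank','password','hacked','phishing'

function Get-RuleRisk {
    param([Parameter(ValueFromPipeline)] $Rule, [string]$Mailbox)
    process {
        $reasons = @()
        if ($Rule.ForwardTo -or $Rule.ForwardAsAttachmentTo -or $Rule.RedirectTo) { $reasons += 'forwards/redirects mail' }
        if ($Rule.DeleteMessage) { $reasons += 'deletes messages' }
        if ($Rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk|Deleted') { $reasons += "hides in $($Rule.MoveToFolder)" }
        if ($Rule.MarkAsRead) { $reasons += 'marks as read' }
        $words = @($Rule.SubjectContainsWords) + @($Rule.BodyContainsWords) + @($Rule.SubjectOrBodyContainsWords)
        $hits  = $words | Where-Object { $w = $_; $suspectWords | Where-Object { $w -match $_ } }
        if ($hits) { $reasons += "keywords: $($hits -join ',')" }
        if ($Rule.Name -match '^\W*$' -or $Rule.Name.Length -le 2) { $reasons += 'blank/short name' }
        if ($reasons) {
            [pscustomobject]@{ Mailbox = $Mailbox; Rule = $Rule.Name; Enabled = $Rule.Enabled; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample rules (not real data): one attacker-style rule, one ordinary newsletter filter
$sample = @(
    [pscustomobject]@{ Name='.'; Enabled=$true; ForwardTo='ext@mail.example'; ForwardAsAttachmentTo=$null; RedirectTo=$null
                       SubjectContainsWords=@('wire','invoice'); BodyContainsWords=$null; SubjectOrBodyContainsWords=$null
                       DeleteMessage=$true; MoveToFolder=$null; MarkAsRead=$true }
    [pscustomobject]@{ Name='Newsletters'; Enabled=$true; ForwardTo=$null; ForwardAsAttachmentTo=$null; RedirectTo=$null
                       SubjectContainsWords=@('newsletter'); BodyContainsWords=$null; SubjectOrBodyContainsWords=$null
                       DeleteMessage=$false; MoveToFolder='Newsletters'; MarkAsRead=$false }
)
$sample | Get-RuleRisk -Mailbox 'sample@contoso.example' | Format-Table -AutoSize

# --- Live sweep of every user mailbox, including rules hidden from Outlook (-IncludeHidden)
$findings = foreach ($m in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $m.PrimarySmtpAddress -IncludeHidden | Get-RuleRisk -Mailbox $m.PrimarySmtpAddress
    # Mailbox-level forwarding is set outside inbox rules; it deserves the same scrutiny
    if ($m.ForwardingSmtpAddress -or $m.ForwardingAddress) {
        [pscustomobject]@{ Mailbox=$m.PrimarySmtpAddress; Rule='(mailbox forwarding)'; Enabled=$true
                           Reasons="forwards to $($m.ForwardingSmtpAddress)$($m.ForwardingAddress)" }
    }
}
$findings | Format-Table -AutoSize

# --- Part 3: who created or changed rules in the last 30 days (the client IP is inside AuditData)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox' -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations, @{n='ClientIP'; e={ ($_.AuditData | ConvertFrom-Json).ClientIP }} |
    Sort-Object CreationDate -Descending | Format-Table -AutoSize
```

Schedule Parts 2 and 3 weekly and keep the output; a rule that appeared this week but not last week, created from an IP nobody recognizes, is exactly the early warning the section describes. Part 3 also shows whether the rule was created through Outlook on the web or through PowerShell, which ordinary staff never use.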


⚠️ 6. Admin Roles Given to Too Many People

Many small firms assign global admin rights to:

  • The owner
  • A manager
  • An IT hobbyist
  • A previous IT vendor
  • A staff member who “needed access once”

This gives them:

  • Access to every mailbox
  • Access to every SharePoint site
  • Authority to change security settings
  • Ability to reset passwords

Global admin access should be limited to a handful of dedicated, cloud-only accounts (Microsoft's guidance is fewer than five; two plus an emergency "break-glass" account is plenty for a small firm) that are never used for day-to-day email or browsing.
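The role membership list in the admin center shows names, not whether those accounts are fit to hold the role. The script below is an added example, not from the original post: it enumerates active assignments for the roles that matter most, resolves each principal, and flags the things the section warns about: too many Global Administrators, admin accounts that also receive mail, accounts synced from on-premises AD, and disabled accounts that still hold a role. The role list and the "more than three" threshold are assumptions.

```powershell
# Added example (not from the original post): privileged-role inventory via Microsoft Graph.
# Role list and thresholds are assumptions. Covers active assignments; PIM-eligible ones are separate.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

$privileged = 'Global Administrator','Privileged Role Administrator','Privileged Authentication Administrator',
              'Authentication Administrator','Exchange Administrator','SharePoint Administrator',
              'User Administrator','Security Administrator','Global Reader'

$defs = Get-MgRoleManagementDirectoryRoleDefinition -All | Where-Object { $_.DisplayName -in $privileged }
$rows = foreach ($d in $defs) {
    foreach ($a in Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($d.Id)'" -All) {
        $p = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId        # user, group or service principal
        $type = $p.AdditionalProperties['@odata.type'] -replace '#microsoft.graph.', ''
        $u = $null
        if ($type -eq 'user') {
            $u = Get-MgUser -UserId $p.Id -Property id,userPrincipalName,accountEnabled,onPremisesSyncEnabled,mail
        }
        [pscustomobject]@{
            Role       = $d.DisplayName
            Principal  = if ($u) { $u.UserPrincipalName } else { $p.AdditionalProperties['displayName'] }
            Type       = $type
            Enabled    = if ($u) { $u.AccountEnabled } else { $null }
            CloudOnly  = if ($u) { -not $u.OnPremisesSyncEnabled } else { $null }
            HasMailbox = if ($u) { [bool]$u.Mail } else { $null }     # admin that also reads mail = phishing target
            Scope      = $a.DirectoryScopeId                          # '/' means the whole tenant
        }
    }
}
$rows | Sort-Object Role, Principal | Format-Table -AutoSize

$ga = @($rows | Where-Object Role -eq 'Global Administrator')
if ($ga.Count -gt 3) {
    Write-Warning "$($ga.Count) Global Administrators. Microsoft recommends fewer than five; two plus a break-glass account is enough for a small firm."
}
$rows | Where-Object { $_.Type -eq 'user' -and ($_.HasMailbox -or -not $_.CloudOnly -or -not $_.Enabled) } |
    ForEach-Object { Write-Warning "Review $($_.Principal) [$($_.Role)]: mailbox=$($_.HasMailbox) cloudOnly=$($_.CloudOnly) enabled=$($_.Enabled)" }
```

A disabled account still holding Global Administrator is the classic "previous IT vendor" leftover: the moment someone re-enables it for "one quick thing", it is a full-tenant admin again. Remove the assignment, not just the sign-in.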


🔄 7. No Conditional Access Policies

Conditional Access is one of the most powerful security features in Microsoft 365. It requires Microsoft Entra ID P1, which is included in Microsoft 365 Business Premium.

It allows you to enforce:

  • MFA requirements
  • Location-based restrictions
  • Device compliance checks
  • Blocked access for risky sign-ins
  • Restrictions on legacy authentication

Most small firms don’t use it because “it seems complicated.”
The result: wide-open access to email and files from anywhere in the world.

Attackers love this.
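Two policies cover the first two items on the checklist above and take a few minutes to create. The block below is an added example, not from the original post: it builds "require MFA for everyone" and "block legacy authentication" through the Microsoft Graph PowerShell SDK, in report-only mode so the sign-in log shows what they would have done before anything is enforced. The policy names and the break-glass account's UPN are assumptions; excluding that account is what keeps a mistaken policy from locking every admin out.

```powershell
# Added example (not from the original post): baseline Conditional Access policies in report-only mode.
# Names and the break-glass UPN are assumptions. Requires Microsoft Entra ID P1 and the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All","User.Read.All" -NoWelcome

# Always exclude an emergency-access account so a bad policy cannot lock every admin out
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'").Id

$requireMfa = @{
    displayName = "CA001 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"      # switch to "enabled" after reviewing report-only results
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")  # the two client types that cannot perform MFA
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$existing = Get-MgIdentityConditionalAccessPolicy -All
foreach ($p in $requireMfa, $blockLegacy) {
    if ($existing.DisplayName -notcontains $p.displayName) {
        New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
    }
}

# After a week of report-only results (Entra sign-in logs, "Report-only" tab), enforce each policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled
```

Report-only first is not optional caution: the MFA policy will prompt every copier, calendar-sync app and old mailbox client that only knows a password, and the report-only log is how you find them before they stop working.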


🗝️ 8. Unsecured Guest Access in Teams & SharePoint

Guest access is helpful for:

  • Clients
  • Outside consultants
  • Temporary staff

But guests often retain access long after the engagement ends.

Without proper controls, guests can:

  • See shared folders
  • Access Teams channels
  • Download confidential documents
  • View internal communications

Guest accounts are one of the most overlooked security gaps in small firms.
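Guest cleanup is a list problem: which guests never accepted their invitation, which have not signed in for months, and what they still belong to. The script below is an added example, not from the original post: it pulls every guest with its invitation state and last sign-in, classifies it, and then lists the Teams and groups each stale guest is still a member of so the engagement owner can confirm removal. The 30/90-day thresholds are assumptions, and the signInActivity property needs Microsoft Entra ID P1.

```powershell
# Added example (not from the original post): stale-guest review via Microsoft Graph.
# Thresholds are assumptions; signInActivity requires Microsoft Entra ID P1.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All" -NoWelcome

$now    = Get-Date
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
            -Property id,displayName,mail,createdDateTime,externalUserState,signInActivity,accountEnabled

$report = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    $age  = [int]($now - $g.CreatedDateTime).TotalDays
    $status = if ($g.ExternalUserState -eq 'PendingAcceptance' -and $age -gt 30) { 'Invite never accepted' }
              elseif (-not $last -and $age -gt 90)                               { 'Never signed in' }
              elseif ($last -and ($now - $last).TotalDays -gt 90)                { 'Inactive > 90 days' }
              else                                                               { 'Active' }
    [pscustomobject]@{
        Id         = $g.Id
        Guest      = if ($g.Mail) { $g.Mail } else { $g.DisplayName }
        Domain     = if ($g.Mail) { ($g.Mail -split '@')[-1] } else { '' }
        Created    = $g.CreatedDateTime.ToString('yyyy-MM-dd')
        LastSignIn = $last
        Enabled    = $g.AccountEnabled
        Status     = $status
    }
}
$report | Sort-Object Status, Domain | Format-Table Guest, Domain, Created, LastSignIn, Enabled, Status -AutoSize

# What the stale guests can still reach: their Teams / Microsoft 365 group memberships
foreach ($s in ($report | Where-Object Status -ne 'Active')) {
    $groups = Get-MgUserMemberOf -UserId $s.Id -All | ForEach-Object { $_.AdditionalProperties['displayName'] }
    "{0,-40} {1,-22} member of: {2}" -f $s.Guest, $s.Status, ($groups -join ', ')
}

# Gentle first step, reversible if a client complains; remove after the engagement owner confirms:
# Update-MgUser -UserId $s.Id -AccountEnabled:$false
# Remove-MgUser -UserId $s.Id
```

Pair this with the guest-expiry setting on the SharePoint side (section 3): the directory cleanup removes the person, the expiry removes the access they were given to individual files.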


🚨 9. No Alerts for Suspicious Sign-Ins

Microsoft can alert on:

  • Impossible travel (logins from two countries within minutes)
  • Password spray attacks
  • Multiple failed logins
  • Login attempts from unfamiliar locations
  • Sign-ins from anonymous IP addresses

Which of these you receive depends on licensing (the richest risk detections, such as impossible travel and anonymous IP addresses, come with Microsoft Entra ID P2), but the sign-in logs behind them exist in every tenant. In many small tenants nobody has configured an alert and nobody looks at the logs.

Small firms often discover a breach after financial damage has already occurred, not when the attacker first attempts entry.
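Even without the premium risk detections, two of the patterns above can be spotted in the raw sign-in log with a few lines of logic. The block below is an added example, not from the original post: it implements a password-spray check (one IP, many distinct users, mostly failures) and an impossible-travel check (one user, two countries within an hour) and runs them over a small set of sign-in records constructed for the example, so the logic can be tried without a tenant. The thresholds, the sample records and the IP addresses are all assumptions; the comment at the end shows the live Get-MgAuditLogSignIn query that produces records in the same shape.

```powershell
# Added example (not from the original post): password-spray and impossible-travel detection over
# sign-in records. Thresholds and sample records are constructed for the example.

function Find-PasswordSpray {
    param($SignIns, [int]$MinUsers = 5)
    $SignIns | Group-Object IpAddress | ForEach-Object {
        $users    = @($_.Group.UserPrincipalName | Sort-Object -Unique)
        $failures = @($_.Group | Where-Object { $_.ErrorCode -ne 0 }).Count
        # Many distinct accounts from one address, almost all failing, is a spray regardless of volume
        if ($users.Count -ge $MinUsers -and $failures -ge $users.Count) {
            [pscustomobject]@{ Detection = 'Password spray'; IpAddress = $_.Name; DistinctUsers = $users.Count
                               Failures = $failures; Successes = ($_.Count - $failures) }
        }
    }
}

function Find-ImpossibleTravel {
    param($SignIns, [int]$WindowMinutes = 60)
    $SignIns | Where-Object { $_.ErrorCode -eq 0 } | Group-Object UserPrincipalName | ForEach-Object {
        $sorted = @($_.Group | Sort-Object CreatedDateTime)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $a = $sorted[$i - 1]; $b = $sorted[$i]
            $gap = ($b.CreatedDateTime - $a.CreatedDateTime).TotalMinutes
            if ($a.Country -ne $b.Country -and $gap -le $WindowMinutes) {
                [pscustomobject]@{ Detection = 'Impossible travel'; User = $_.Name
                                   From = "$($a.Country)/$($a.IpAddress)"; To = "$($b.Country)/$($b.IpAddress)"
                                   MinutesApart = [int]$gap }
            }
        }
    }
}

# Constructed sample (not real logs). ErrorCode 0 = success, 50126 = invalid username or password.
$t = [datetime]'2024-05-06T09:00:00Z'
$signins = @(
    foreach ($u in 'alice','bob','carol','dave','erin','frank') {
        [pscustomobject]@{ UserPrincipalName = "$u@contoso.example"; IpAddress = '203.0.113.7'; Country = 'NL'; ErrorCode = 50126; CreatedDateTime = $t.AddMinutes(1) }
    }
    # the spray guessed frank's password, then the attacker came back from a second address
    [pscustomobject]@{ UserPrincipalName = 'frank@contoso.example'; IpAddress = '203.0.113.7';   Country = 'NL'; ErrorCode = 0; CreatedDateTime = $t.AddMinutes(2) }
    [pscustomobject]@{ UserPrincipalName = 'frank@contoso.example'; IpAddress = '198.51.100.20'; Country = 'US'; ErrorCode = 0; CreatedDateTime = $t.AddMinutes(30) }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; IpAddress = '198.51.100.21'; Country = 'US'; ErrorCode = 0; CreatedDateTime = $t.AddHours(3) }
)
Find-PasswordSpray    -SignIns $signins | Format-Table -AutoSize
Find-ImpossibleTravel -SignIns $signins | Format-Table -AutoSize

# Live data in the same shape (Entra ID Free keeps 7 days of sign-in logs, P1/P2 keep 30):
# Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome
# $since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signins = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
#            Select-Object UserPrincipalName, IpAddress, CreatedDateTime,
#                          @{n='Country'; e={ $_.Location.CountryOrRegion }}, @{n='ErrorCode'; e={ $_.Status.ErrorCode }}
```

The spray check deliberately ignores total volume: a "low and slow" spray of one attempt per account per hour looks harmless by count but still shows as many users from one address with a failure rate near 100%. Country-level impossible travel is coarse (VPNs and mobile carriers produce false positives), so treat a hit as a reason to look at the session, not as proof on its own.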


🛡️ 10. Lack of Data Loss Prevention (DLP) Policies

Professional service firms regularly handle:

  • Financial statements
  • Client PII
  • Tax returns
  • Legal documents
  • Settlement statements
  • Medical data

Without even basic DLP rules, sensitive files can:

  • Be emailed externally
  • Be saved to personal devices
  • Be uploaded to unauthorized cloud storage
  • Be shared without encryption

A single misdirected email can become a breach.
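A starter DLP policy for the data types listed above takes one policy and one rule. The block below is an added example, not from the original post: it creates a policy in test mode across Exchange, SharePoint, OneDrive and Teams, with a rule that blocks sharing of U.S. SSNs, ITINs and bank account numbers with people outside the organization and tells the user why. The policy and rule names and the tip text are assumptions; the sensitive information type names are Microsoft's built-in ones. It uses Security & Compliance PowerShell from the ExchangeOnlineManagement module.

```powershell
# Added example (not from the original post): a first DLP policy, in test mode, for client identifiers.
# Names and tip text are assumptions; the sensitive information types are Microsoft built-ins.
Connect-IPPSSession

$policyName = "Client PII - external sharing"
if (-not (Get-DlpCompliancePolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    # TestWithNotifications: users see policy tips and incidents are reported, nothing is blocked yet
    New-DlpCompliancePolicy -Name $policyName `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
        -Mode TestWithNotifications `
        -Comment "SSN / ITIN / bank account numbers leaving the firm"
}

if (-not (Get-DlpComplianceRule -Policy $policyName -ErrorAction SilentlyContinue)) {
    New-DlpComplianceRule -Name "Block client identifiers to external recipients" -Policy $policyName `
        -ContentContainsSensitiveInformation @(
            @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
            @{ Name = "U.S. Individual Taxpayer Identification Number (ITIN)"; minCount = "1" },
            @{ Name = "U.S. Bank Account Number"; minCount = "1" }
        ) `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser Owner,LastModifier `
        -NotifyPolicyTipCustomText "This item contains client financial identifiers. Send it through the client portal or encrypt the message." `
        -GenerateIncidentReport SiteAdmin `
        -IncidentReportContent Default `
        -ReportSeverityLevel High
}

Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, Workload
Get-DlpComplianceRule  -Policy   $policyName | Select-Object Name, BlockAccess, AccessScope, ReportSeverityLevel

# After a week or two of reviewing the DLP reports for false positives, enforce it:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Start in test mode on purpose: a CPA firm legitimately emails tax returns every day, and the reports from the test period tell you which workflows (client portal, encrypted mail, a specific trusted domain) need an exception before blocking turns the policy into a help-desk ticket generator.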


🧭 What Small Firms Should Do Next

Security doesn’t have to be complicated.
But it does have to be intentional.

Small firms should focus on:

✔️ Enforcing MFA for every account

✔️ Disabling legacy authentication

✔️ Restricting SharePoint/OneDrive sharing

✔️ Monitoring inbox rules

✔️ Auditing admin permissions

✔️ Using Conditional Access policies

✔️ Reviewing guest accounts regularly

✔️ Enabling audit logs and sign-in alerts

✔️ Implementing basic DLP controls

These are not “nice to haves.”
They are the foundation of modern cloud security.

Small professional service firms are increasingly targeted by attackers because they rely heavily on Microsoft 365 — but rarely configure it properly.

Taking action today protects your:

  • Revenue
  • Client trust
  • Compliance posture
  • Reputation
  • Long-term business stability