
5 Microsoft 365 Security Gaps We Find in Every NC Business

After running security assessments on dozens of North Carolina businesses, the same five gaps keep showing up. Most are fixable in under an hour — but almost nobody has them covered.

We run a 5-phase security assessment on every Microsoft 365 tenant we evaluate. It checks users, devices, policies, apps, and Exchange configuration against frameworks like CISA, CIS, and Microsoft's own security baselines.

Here's what we find. Every. Single. Time.

#1

No Conditional Access Policies (or broken ones)

Conditional Access is the front door of your M365 security. It controls who can sign in, from where, on what devices, and under what conditions. Yet most small businesses have either zero CA policies or a handful that were set up once and never updated.

The most common issue: a policy that should require MFA from outside the office network, but the trusted location list hasn't been updated since the office moved. So MFA is effectively never triggered.

Fix: Audit your CA policies quarterly. At minimum, enforce MFA for all users from all locations, block legacy authentication, and require compliant devices for sensitive apps.

#2

MFA Exceptions for "Important People"

We regularly find that the CEO, CFO, or a senior partner has been excluded from MFA requirements because they complained it was inconvenient. These are the exact accounts attackers target — high-privilege, high-value, and now unprotected.

In one assessment, we found a CFO account with global admin rights, no MFA, and a password that hadn't been changed in 14 months.

Fix: No exceptions. Period. Use the Microsoft Authenticator app with number matching — it's fast and secure. If someone truly can't use a phone, issue a FIDO2 security key.

#3

Legacy Authentication Still Enabled

Legacy auth protocols (POP3, IMAP, SMTP AUTH, ActiveSync without modern auth) bypass MFA entirely. An attacker with a stolen password can sign in via IMAP and access the entire mailbox — MFA never triggers.

Microsoft has been deprecating legacy auth for years, but we still find it enabled in about 70% of tenants we assess.

Fix: Block legacy authentication via Conditional Access. Before you do, check the Entra ID sign-in logs to identify any apps or devices still using legacy protocols so you can migrate them first.

#4

Mail Forwarding Rules Nobody Knows About

One of the first things an attacker does after compromising a mailbox is create a forwarding rule — sending a copy of all incoming email to an external address. We find unknown forwarding rules in about 40% of assessments.

Most are legitimate (an employee forwarding to a personal email), but some are left over from previous compromises that were never fully cleaned up.

Fix: Audit mail transport rules and inbox forwarding rules monthly. Block auto-forwarding to external domains via a transport rule. TenantIQ's Exchange management module makes this a one-click check.
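As an added example (not code from the post or from TenantIQ), here is an Exchange Online PowerShell audit that lists mailbox-level forwarding and inbox rules whose forward or redirect target lies outside the tenant's accepted domains. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange admin or view-only recipients role; the function name Get-ExternalForwarding is chosen for this example.

```powershell
# Added example, not from the post or TenantIQ. Assumes the ExchangeOnlineManagement
# module is installed; Get-ExternalForwarding is a name chosen for this example.
Connect-ExchangeOnline -ShowBanner:$false

function Get-ExternalForwarding {
    # Domains the tenant owns; any other domain in a forwarding target is external.
    $internal = Get-AcceptedDomain | ForEach-Object { ([string]$_.DomainName).ToLower() }

    # Targets look like "smtp:user@domain" (mailbox forwarding) or
    # "Name [SMTP:user@domain]" (inbox rules). Internal recipients render as
    # "Name [EX:/o=...]" with no '@', so they are never flagged.
    function Test-External([string]$Address) {
        if ($Address -match '@([^\]\s]+)') {
            return -not ($internal -contains $Matches[1].ToLower())
        }
        return $false
    }

    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # 1. Mailbox-level forwarding: a mailbox property, separate from inbox rules,
        #    so deleting the user's rules does not remove it.
        if ($mbx.ForwardingSmtpAddress -and (Test-External $mbx.ForwardingSmtpAddress)) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                               Rule = '-'; Target = $mbx.ForwardingSmtpAddress; Enabled = $true }
        }
        # 2. Inbox rules, including ones hidden from the Outlook UI.
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName -IncludeHidden) {
            $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
            foreach ($t in ($targets | Where-Object { $_ })) {
                if (Test-External ([string]$t)) {
                    [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                                       Rule = $rule.Name; Target = [string]$t; Enabled = $rule.Enabled }
                }
            }
        }
    }
}

Get-ExternalForwarding | Sort-Object Mailbox | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Get-InboxRule runs once per mailbox, so on a large tenant expect the audit to take a while; run it on a schedule rather than interactively. Any external target it reports should also be checked against the transport rule that is supposed to block auto-forwarding, since a rule that forwards is only harmless if that block actually stops the message.
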

#5

No Monitoring of Admin Actions

When was the last time someone checked who made changes to your Entra ID configuration? Who added a new global admin? Who modified a conditional access policy? Who created an app registration with high-privilege permissions?

Most businesses have unified audit logging enabled (it's on by default) but nobody is actually looking at it.

Fix: Set up alerts for high-risk admin actions: new global admin assignments, CA policy changes, new app registrations, and bulk user modifications. TenantIQ's baseline compliance scanning does this automatically and creates tickets when settings drift.

The Good News

Every one of these gaps is fixable. Most take under an hour. The hard part isn't the fix — it's knowing the gaps exist in the first place.

That's why we offer a free Microsoft 365 security assessment for North Carolina businesses. We run our 5-phase assessment against your tenant, show you exactly what's exposed, and give you a prioritized remediation plan.

No sales pitch, no commitment. Just a clear picture of where you stand.

Get your free M365 security assessment

Find out which of these 5 gaps exist in your tenant. Takes 15 minutes, covers 84 security checks.
