Is your Microsoft 365 secure? 10 things to check right now

Most SMEs think their Microsoft 365 is secure because they're paying for it. Most aren't. Here are the 10 most common security gaps we find when we review a business's Microsoft 365 environment, and exactly how to fix each one.

⚠️ The uncomfortable reality
43% of UK cyber attacks target small businesses. The average cost of a breach for an SME now exceeds £15,000. And in the majority of cases we investigate, the business had Microsoft 365; they just hadn't configured it properly. Paying for the licence is not the same as being secure.

Microsoft 365 Business Premium includes some of the most powerful security tools available for small businesses. The problem is that most of them are not switched on by default. You have to configure them, and most businesses either don't know they exist or don't have someone with the expertise to set them up.

Here are the 10 gaps we find most frequently when we do a security review.

The 10 most common Microsoft 365 security gaps

1. MFA not enforced for all users (Critical)
Multi-Factor Authentication (MFA) is the single most effective control against account compromise. Over 99% of Microsoft 365 account takeovers involve accounts without MFA. Yet we regularly find businesses where MFA is either not enabled at all, or enabled but not enforced, meaning users can bypass it.
✓ How to fix it
In the Microsoft Entra admin centre, create a Conditional Access policy that requires MFA for all users on all cloud apps. Do not rely on Security Defaults alone: they don't enforce MFA for all sign-in scenarios. On Business Premium, this is straightforward to implement correctly.
2. No Conditional Access policies configured (Critical)
Conditional Access is the gatekeeper for your Microsoft 365 environment. Without it, anyone with a valid username and password can access your data from anywhere in the world. It's one of the most powerful security controls in Business Premium and one of the most commonly left unconfigured.
✓ How to fix it
At minimum, implement: require MFA for all users, block legacy authentication protocols, require compliant devices, and block sign-ins from high-risk locations. These four policies alone dramatically reduce your attack surface.
3. Devices not enrolled in Intune (Critical)
If you don't know which devices are accessing your Microsoft 365 environment, you can't protect them. Unenrolled devices have no compliance policies enforced, cannot be remotely wiped if lost or stolen, and have no visibility in your security dashboard. This is extremely common even in businesses that are paying for Business Premium.
✓ How to fix it
Enrol all company devices in Microsoft Intune. Create compliance policies (minimum OS version, BitLocker enabled, Defender running) and configure Conditional Access to block access from non-compliant devices. This gives you full visibility and control over your device estate.
4. Legacy authentication not blocked (Critical)
Legacy authentication protocols (such as basic auth used by older email clients) cannot support MFA. Attackers specifically target these protocols because even if MFA is enabled, legacy authentication bypasses it entirely. If legacy auth is not blocked, your MFA implementation has a significant hole in it.
✓ How to fix it
Create a Conditional Access policy that blocks all legacy authentication protocols. Before blocking, check which users or apps are currently using legacy auth (visible in the Entra sign-in logs) so you don't disrupt legitimate workflows.
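The two steps above (find who still uses legacy auth, then block it) in Microsoft Graph PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Graph SDK is installed, the admin has the listed permissions, and the break-glass account object ID is a placeholder you replace with your own; the policy is created in report-only mode so its impact can be reviewed before enforcement.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK and an admin able to read sign-in logs and write CA policies.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","Policy.ReadWrite.ConditionalAccess" -NoWelcome

# Client app names the Entra sign-in log reports for legacy (non-modern) authentication.
$legacyClientApps = @(
    "Exchange ActiveSync","Exchange Web Services","IMAP4","POP3","SMTP Auth",
    "MAPI Over HTTP","Outlook Anywhere (RPC over HTTP)","Offline Address Book",
    "Exchange Online PowerShell","Other clients"
)

# 1. Who is still using legacy auth? Pull the last 30 days of sign-ins and filter client-side.
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -in $legacyClientApps }

# Summarise by user, protocol and application so each line can be checked with its owner.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Create the blocking policy in report-only mode. Change state to "enabled"
#    only once the report-only results show no legitimate workflow is affected.
$policy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("exchangeActiveSync", "other")   # the two legacy client types
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            # Placeholder: object ID of your emergency-access (break-glass) account.
            excludeUsers = @("<break-glass-account-object-id>")
        }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Report-only results appear in the sign-in log under each sign-in's Conditional Access tab, so the same log tells you whether the enforced policy would have blocked anything you still need.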
5. Defender for Business not configured (High)
Microsoft Defender for Business is included in Business Premium but requires onboarding. Many businesses have it available and haven't activated it: they are either still running third-party antivirus they're paying for separately, or running with no endpoint protection at all on some devices.
✓ How to fix it
Onboard all devices to Defender for Business via the Microsoft Defender portal. Configure baseline security policies, enable attack surface reduction rules, and set up email alerts for any threats detected. If you're paying for third-party AV separately, you can likely remove it once Defender is properly configured.
6. Global Administrator accounts used for daily tasks (High)
Global Administrator is the most powerful role in Microsoft 365. Many businesses have their IT person, or even the business owner, using a Global Admin account for day-to-day work. If that account is compromised, the attacker has complete control of your entire Microsoft 365 environment.
✓ How to fix it
Create separate Global Admin accounts used only for administrative tasks, with no email or daily use. Day-to-day accounts should use the minimum permissions needed. Enable Privileged Identity Management (available in Business Premium) to require approval and justification for elevated access.
7. SharePoint and OneDrive sharing too permissive (High)
Default SharePoint sharing settings often allow files to be shared with anyone who has a link, including people outside your organisation. We regularly find businesses where sensitive documents, financial data, or client files are accessible via an "Anyone with the link" share that was created years ago and never reviewed.
✓ How to fix it
In the SharePoint admin centre, set the default sharing to "Only people in your organisation" or "Specific people" at minimum. Run a sharing report to identify all externally shared files and review them. Enable expiry dates on external shares where they're genuinely needed.
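The same default-sharing fix from SharePoint Online PowerShell, as an added example that is not part of the original article. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that `<tenant>` is replaced with your own tenant name; it shows the current defaults, tightens them, and lists the sites where "Anyone" links are still permitted so those are reviewed first.

```powershell
# Added example (not from the original article). Assumes the SharePoint Online
# management module and a SharePoint admin; <tenant> is a placeholder.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Current tenant defaults. DefaultSharingLinkType = AnonymousAccess is the
#    permissive state: every new share link is an "Anyone with the link" link.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays

# 2. Tighten the defaults: new links go to "Only people in your organisation"
#    (Internal; use Direct for "Specific people"), are view-only, and any
#    anonymous link that is still deliberately created expires after 30 days.
Set-SPOTenant -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30

# 3. Sites whose own sharing setting still permits anonymous links. Existing
#    "Anyone" links live on these sites, so start the sharing review here.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Title, SharingCapability |
    Format-Table -AutoSize
```

Changing the default link type does not revoke links that already exist; those still need the per-site review the article describes.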
8. No anti-phishing or safe links policies (High)
Phishing is the number one vector for business email compromise. Business Premium includes Microsoft Defender for Office 365 with advanced anti-phishing, safe links (which checks URLs in real time), and safe attachments, but these require configuration and are not enabled by default.
✓ How to fix it
In the Microsoft Defender portal, enable the preset security policies (Standard or Strict) for anti-phishing, safe links, and safe attachments. Enable anti-impersonation protection for your key people and domains. This significantly reduces the risk of successful phishing attacks reaching your users.
9. No audit logging enabled (Medium)
If something goes wrong (a breach, an account compromise, data exfiltration), audit logs are what allow you to understand what happened and when. Many businesses have audit logging disabled or not configured, meaning that in the event of an incident they have no forensic trail to work with.
✓ How to fix it
In the Microsoft Purview compliance portal, ensure unified audit logging is enabled. Configure audit log retention (Business Premium supports up to 180 days). Set up alerts for high-risk events such as impossible travel sign-ins, bulk file downloads, and new inbox forwarding rules.
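Checking that unified audit logging is on and then using it for one of the alert conditions above (new inbox forwarding rules), as an added example in Exchange Online PowerShell that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed and the admin holds a role that can read the unified audit log.

```powershell
# Added example (not from the original article). Assumes the ExchangeOnlineManagement
# module and an admin with audit-log read rights.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Is unified audit log ingestion enabled? Switch it on if not.
$auditConfig = Get-AdminAuditLogConfig
if (-not $auditConfig.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit logging was off and has just been enabled; earlier activity was not recorded."
}

# 2. Pull inbox-rule creations and changes from the last 7 days.
$end    = Get-Date
$start  = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations New-InboxRule, Set-InboxRule -ResultSize 5000

# 3. Flag rules that forward or redirect mail, or delete it. Silent forwarding
#    plus deletion is the classic way a compromised mailbox hides its replies.
$watched = "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage"
$suspect = foreach ($e in $events) {
    $data   = $e.AuditData | ConvertFrom-Json          # AuditData is a JSON string
    $hits   = $data.Parameters | Where-Object { $_.Name -in $watched }
    if ($hits) {
        [pscustomobject]@{
            When   = $data.CreationTime
            User   = $data.UserId
            Action = $data.Operation
            Detail = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; "
        }
    }
}
$suspect | Sort-Object When -Descending | Format-Table -AutoSize

# 4. Forwarding set on the mailbox itself (admin centre or Outlook settings) is
#    not an inbox rule and must be checked separately.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

Run the rule review on a schedule, or turn the same condition into an alert policy in the Defender portal, so a new forwarding rule is noticed the day it appears rather than during a post-incident search.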
10. No Self Service Password Reset configured (Medium)
Without Self Service Password Reset (SSPR), users who forget their password have to call someone to reset it for them. This creates delays and, more importantly, creates a social engineering opportunity where attackers call the helpdesk pretending to be a user. It also means account recovery relies on whoever holds the admin password.
✓ How to fix it
Enable SSPR in Entra ID with at least two verification methods required (authenticator app, email, phone). This empowers users to recover their own accounts securely while reducing the social engineering risk of helpdesk-based resets.

How do you score?

Count how many of the above you have properly configured and use this as a rough guide:

0–3: Significant risk. Immediate action needed.
4–7: Partial protection. Key gaps remain.
8–10: Good baseline. Consider EDR and training.
💡 Beyond the basics: what else should you have?
Once you have the 10 items above in place, the next layer of protection is Huntress EDR (Managed Detection and Response with 24/7 SOC coverage), Dark Web Monitoring for your business credentials, and Cyber Awareness Training for staff. These are available as optional add-ons through SRX IT Solutions.

The honest truth about DIY security configuration

Every item on this list is technically possible to implement yourself; Microsoft's documentation is comprehensive. The challenge is that each one has nuances, interdependencies, and potential for misconfiguration that can create new problems if not done correctly.

Blocking legacy authentication without first checking which apps use it can break workflows. Implementing Conditional Access without testing can lock users out. Configuring Intune compliance policies without understanding the impact can prevent legitimate devices from accessing email.

This is exactly why businesses engage an MSP to manage their Microsoft 365 environment: not because they couldn't technically do it themselves, but because doing it correctly, testing it properly, and maintaining it over time requires specialist knowledge and ongoing attention.

Want us to check your Microsoft 365 security?

Book a free Microsoft 365 Health Check. We'll review all 10 items above, and more, and give you an honest assessment of your security posture. No obligation, no sales pressure.

About SRX IT Solutions
We are a Microsoft 365 security and Copilot AI specialist based in Birmingham. We help SMEs get their Microsoft 365 environment properly secured and managed. Learn more about our services →