When you set up a new Microsoft 365 tenant, Microsoft gets you running quickly with sensible defaults. The problem is that "sensible" and "secure" aren't the same thing. The default configuration of Microsoft 365 leaves several critical security controls either disabled, set to minimum, or completely missing, and most RGV businesses never change them.

1. Multi-Factor Authentication (MFA) Is Not Enabled by Default

This is the most important and most overlooked gap. By default, users in a new Microsoft 365 tenant can log in with just a username and password. Stolen credentials, obtained through phishing, data breaches, or password spraying, are the leading cause of Microsoft 365 account takeovers.

Microsoft's own data shows that MFA blocks over 99.9% of automated account compromise attacks. It should be the first thing you enable. Microsoft provides it free; there's no excuse not to use it. We enforce MFA on every M365 tenant we manage on day one.

2. Audit Logging Is Off

By default, Microsoft 365 audit logging is disabled in many tenant configurations. Audit logs are how you investigate what happened during a security incident: who logged in from where, which emails were accessed, what was deleted or forwarded. Without audit logging enabled, you're flying blind during an incident response.

3. Anti-Phishing Protection Is at Minimum Settings

Microsoft 365 includes anti-phishing protection in all business plans, but the default policy settings are set conservatively to minimize false positives. That means impersonation protection for your executives is off by default, lookalike domain detection sensitivity is low, and Safe Links click-time protection may not be applied to internal emails.

We configure Microsoft's anti-phishing policies to the Strict or Standard preset, dramatically increasing protection without meaningfully increasing false positives for most organizations.

4. Legacy Authentication Protocols Are Enabled

Older authentication protocols like SMTP AUTH, IMAP, and POP don't support MFA. That means even if you've enforced MFA for all users, an attacker who obtains a password can still authenticate using these older protocols and bypass your MFA entirely. Blocking legacy authentication is one of the most impactful security changes you can make after enabling MFA.

5. Global Admins Are Doing Regular Work

Microsoft 365 global administrator accounts have unrestricted access to everything in your tenant. Using a global admin account for daily email and work is like using the root account on a Linux server for browsing the web. Create dedicated, role-appropriate accounts for daily use. Reserve global admin credentials for actual administrative tasks and protect them with separate strong passwords and hardware MFA keys.

Microsoft Secure Score (available free in every M365 tenant at security.microsoft.com) grades your security configuration and gives you a prioritized list of improvements. If your score is below 50%, you have significant gaps to address. We've seen RGV tenants in the 20s.
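As an added example (not part of the original post, and not an IT Umbrella Group tool), here is a read-only PowerShell check for gaps 2, 4 and 5 plus the Secure Score, using the ExchangeOnlineManagement and Microsoft.Graph modules. It assumes you have already connected with Connect-ExchangeOnline and Connect-MgGraph with the scopes named in the comments; the Global Admin threshold of four is an assumption based on Microsoft's commonly cited two-to-four guidance.

```powershell
# Added example, not code from the original post. Read-only: it reports, it changes nothing.
# Assumes these have already run in this session:
#   Connect-ExchangeOnline
#   Connect-MgGraph -Scopes "Directory.Read.All","RoleManagement.Read.Directory","Policy.Read.All","SecurityEvents.Read.All"

$findings = [System.Collections.Generic.List[string]]::new()

# Gap 2: unified audit log ingestion must be on, or an incident investigation has no data.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    $findings.Add("Unified audit log is OFF (fix: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true)")
}

# Gap 4: legacy protocols. SMTP AUTH is a tenant-wide switch; IMAP/POP are per mailbox.
$transport = Get-TransportConfig
if (-not $transport.SmtpClientAuthenticationDisabled) {
    $findings.Add("SMTP AUTH is enabled tenant-wide (fix: Set-TransportConfig -SmtpClientAuthenticationDisabled `$true)")
}
$legacyMailboxes = @(Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled })
if ($legacyMailboxes.Count -gt 0) {
    $findings.Add("$($legacyMailboxes.Count) mailbox(es) still have IMAP or POP enabled")
}
# At the identity layer, legacy sign-ins are stopped by an enabled Conditional Access policy
# that blocks the 'other' client app type (the legacy/basic-auth clients).
$caBlock = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $caBlock) {
    $findings.Add("No enabled Conditional Access policy blocks legacy authentication clients")
}

# Gap 5: count Global Administrators; every extra one is a full-tenant takeover path.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @()
if ($gaRole) { $gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) }
$maxGlobalAdmins = 4   # assumption: Microsoft's commonly cited guidance is two to four
if ($gaMembers.Count -gt $maxGlobalAdmins) {
    $findings.Add("$($gaMembers.Count) Global Administrators assigned; review and reduce")
}

# Secure Score: the latest snapshot, as a percentage of the tenant's maximum.
$score = Get-MgSecuritySecureScore -Top 1
if ($score) {
    $pct = [math]::Round(100 * $score.CurrentScore / $score.MaxScore)
    if ($pct -lt 50) { $findings.Add("Secure Score is $pct% of maximum") }
}

if ($findings.Count -eq 0) { "No findings for the checks above." } else { $findings }
```

Each finding names the setting that needs attention; the Exchange fixes are quoted inline, while Conditional Access and Global Admin changes are best made in the admin portals after review.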

All five of these gaps are fixable in an afternoon by someone who knows what they're doing. If your Microsoft 365 tenant hasn't been hardened since it was set up, it's worth a review.

Protect your RGV business, starting today.

IT Umbrella Group offers free, no-obligation IT assessments for McAllen and Rio Grande Valley businesses. Let's talk about what you need.
