Is Your Microsoft 365 Setup Actually Secure? What Most London SMEs Get Wrong

It all looked right. The logins worked, email started flowing, the files moved across without a hitch, and Microsoft 365 was declared ready to go.

That moment, when everything works and nobody touches the settings again, is exactly where the risk begins.

Microsoft 365 is one of the most capable platforms a small business can run on. It’s also one of the most heavily targeted, and the version most London SMEs are actually running isn’t configured to defend itself the way its owners assume it is.

Let’s explore the common misconfigurations and how Microsoft 365 security can be kept in good shape with the right managed IT in London behind it.

Why Default Microsoft 365 Settings Are Not the Same as Secure Settings

A Microsoft 365 licence gives you the tools to be secure, but it does not switch them all on for you.

Microsoft operates a shared responsibility model. That means they keep the platform itself running and patched, but everything inside your tenant is yours to configure. This includes who can log in, how they prove it’s them, what can be shared externally, and which old protocols stay open.

Default settings are built for a smooth start. Hardening the environment tends to add small frictions, so it rarely happens on its own. A few things are commonly left in their out-of-the-box state:

  • Multi-factor authentication (MFA) not enforced for every user
  • Legacy authentication protocols still enabled, which let attackers sidestep MFA entirely
  • External sharing is left permissive, so files can leave the business more easily than anyone intends
  • Audit logging switched off or switched on and never reviewed

None of these announce themselves, which is precisely why the gaps go unnoticed.

The Most Common Misconfigurations SMEs Don’t Know They Have

These issues show up repeatedly across London businesses, but they’re rarely the result of carelessness. They’re usually the natural consequence of a setup that was done once and never revisited.

From April 2026, the UK’s Cyber Essentials scheme made MFA mandatory across every cloud service that supports it, Microsoft 365 included.

Under the updated v3.3 requirements, a single in-scope account without MFA is now an automatic fail. The change, set by the NCSC and administered by IASME, reflects how routinely unprotected cloud logins are still being exploited.

The usual suspects include the following:

  • Too Many Global Admins: Admin accounts can change security settings and reach everyone’s data, so each one is a prize target. Many tenants have far more than they need, sometimes shared between staff.
  • MFA Gaps: MFA is often enabled for some people but not all, or not required for the admin accounts that matter most.
  • Over-Permissive Sharing and Guest Access: External sharing and guest links accumulate over time, and few businesses can say exactly what is currently shared or with whom.
  • Inactive Accounts Left Enabled: Leavers’ logins stay live, giving attackers a valid account that nobody is watching.
  • Incomplete Email Authentication: SPF, DKIM and DMARC are often half-configured, which leaves your domain open to spoofing and impersonation.
  • “Set and Forget” Configuration: A tenant judged secure three years ago may be exposed today, because features, threats and best practice have all moved on.

What Attackers Look For in a Poorly Configured Microsoft 365 Tenant

Attackers think in terms of effort. Microsoft 365 is appealing because so many tenants look almost identical, so a technique that works against one often works against hundreds.

Automated tooling sweeps thousands of targets at once, which is how a small London business ends up caught in the same net as a large one. Attackers often probe for:

  • A login without MFA, which can be cracked with bulk password guessing
  • Legacy authentication that stays open and ignores MFA altogether
  • Over-privileged accounts that hand them the keys to the whole tenant if compromised
  • Inbox and forwarding rules they can add to syphon off email once inside

The reassuring part is that the most common entry point is also the most preventable. Identity attacks are usually password-based, so properly enforced MFA shuts out the vast majority of them.

How Proactive IT Management Keeps Microsoft 365 Secure on an Ongoing Basis

Security drifts over time as your staff, tools and work processes change. That’s why it’s so important to regularly review your Microsoft 365 environment.

Proactive managed IT in London turns security into an ongoing discipline. In practice, that means:

  • Enforcing and maintaining MFA and conditional access across every account
  • Reviewing admin roles and permissions so privilege stays tight
  • Monitoring sign-ins for unusual activity, such as logins from places your staff have never been
  • Keeping external sharing and guest access controlled as teams change
  • Running independent, tested backups, because Microsoft 365 does not protect your data from accidental deletion or ransomware

At 4TC, we work with businesses across London and Hertfordshire to keep Microsoft 365 secure as standard practice, so the environment stays hardened as the business grows and changes.

A Simple Self-Audit Checklist for Business Owners

You don’t need to be technical to get a rough sense of where you stand. Run through these questions:

  • Is MFA switched on for every user, including all admins?
  • Do you know how many global admin accounts you have? It should be a small handful.
  • Is legacy authentication disabled?
  • Do you know what can currently be shared externally, and with whom?
  • Are former employees’ accounts fully disabled, not just hidden?
  • Is your Microsoft 365 data backed up independently of Microsoft?
  • Has anyone reviewed your tenant’s security settings in the past 12 months?

If you hesitated on any of these, that is your starting point.

Not sure if your Microsoft 365 setup is as secure as it should be? Get in touch with the team at 4TC for a no-obligation review.

FAQs

  1. Is Microsoft 365 secure by default?
    Not fully. While Microsoft secures the underlying platform, Microsoft 365 security inside your own tenant, including MFA, sharing rules and admin permissions, is your responsibility to configure. Default settings prioritise a smooth setup, so several protections stay switched off until someone turns them on.
  2. What is the single most important step to secure Microsoft 365?
    Enforcing MFA for every user, admins included, and disabling legacy authentication so it cannot be bypassed. This prevents the most common attack against Microsoft 365 accounts. Sensible admin permissions and controlled external sharing come next.
  3. How does managed IT in London help secure Microsoft 365?
    Managed IT in London gives you a consistent process for hardening your tenant and keeping it that way. That includes enforcing MFA and conditional access, monitoring sign-ins, reviewing permissions and running independent backups.
  4. How often should a business running Microsoft 365 in London review its security settings?
    At least once a year as a baseline, and whenever there is a meaningful change such as new starters, leavers or newly adopted apps. Threats and Microsoft’s own features change continually, so a tenant configured a few years ago may now be exposed without anyone realising.