TL;DR Many SMBs run Microsoft 365 with the default settings, but those defaults do not provide sufficient protection. Incomplete MFA, active legacy protocols, uncontrolled external sharing, permanent admin rights and hidden forwarding rules are the five most common misconfigurations. A professional Microsoft 365 security audit identifies these risks and provides a concrete roadmap to secure your cloud environment.
Your business runs on Microsoft 365. Email, documents, Teams meetings, customer data: everything is in the cloud. That’s convenient, but it also makes configuring your M365 environment your first line of defense. Yet many Flemish SMEs are still working with Microsoft’s default settings. Settings that do not sufficiently take into account the specific risks of your organization. A targeted Microsoft 365 security audit makes the difference between a seemingly secure environment and a truly secure one. In this article, you will discover which misconfigurations we encounter most often, what you can check yourself and when a professional audit offers added value.
Why a cloud security audit is different from a traditional audit
In a classic cybersecurity audit, you look at firewalls, servers and network segmentation. In a cloud environment, the focus shifts to identities and configurations. The traditional network perimeter no longer exists: your employees log in from home, on the road or at customer sites. Security does not depend on a physical wall, but on how your M365 tenant is set up. One wrong setting in Entra ID (formerly Azure AD) or Exchange Online can open the door to attackers, without a firewall changing anything.
The 5 most common Microsoft 365 misconfigurations
Analyses of incidents in the Benelux show that a handful of specific misconfigurations are responsible for the vast majority of successful breaches. These are the five we encounter most often.
1. Incomplete MFA enforcement
Multi-factor authentication may be “on,” but is it on for all users? At many companies, admin accounts or executives are exempted via a group exclusion. Attackers use automated tools that test thousands of password combinations per hour (credential stuffing). One account without MFA is enough to get in.
Solution: enforce MFA for all users, prioritizing admin roles. Use number matching in the Authenticator app to blunt MFA fatigue attacks.
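As an added illustration (not code from the original article or from Cyberplan), the following Microsoft Graph PowerShell snippet reports accounts with no MFA method registered and then lists every Conditional Access policy that requires MFA but carries user or group exclusions, which is where the “board is exempted” problem hides. It assumes the Microsoft.Graph SDK is installed, that the account you connect with holds a reader role covering the listed scopes, and the CSV path is a placeholder.

```powershell
# Added example (not from the original article): MFA coverage in two checks.
# Assumption: Microsoft.Graph PowerShell SDK installed; account has a role that
# grants the scopes below (Global Reader is enough for a read-only audit).
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All", "Policy.Read.All"

# Check 1: registration. One row per user with IsMfaRegistered, IsAdmin, MethodsRegistered.
$registration = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$noMfa = $registration |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, UserType, IsAdmin,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending          # admins without MFA come first

"{0} of {1} users have no MFA method registered" -f $noMfa.Count, $registration.Count
$noMfa | Format-Table -AutoSize
$noMfa | Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation   # placeholder path

# Check 2: enforcement. A registered user can still be excluded from every policy,
# so list MFA-requiring policies together with their exclusions.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.GrantControls.BuiltInControls -contains 'mfa' } |
    Select-Object DisplayName, State,
        @{ n = 'ExcludedUsers';  e = { $_.Conditions.Users.ExcludeUsers  -join ',' } },
        @{ n = 'ExcludedGroups'; e = { $_.Conditions.Users.ExcludeGroups -join ',' } } |
    Format-Table -AutoSize
```

Registration and enforcement are different questions: the first report tells you who could satisfy an MFA prompt, the second tells you who will never receive one. Both lists should be empty apart from documented break-glass accounts.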
2. Active legacy protocols
Older e-mail protocols such as POP3 and IMAP over basic authentication do not support MFA. If these protocols are still active in your tenant, attackers can bypass MFA entirely. Legacy endpoints are often the first point of entry probed by automated botnets.
Solution: block legacy authentication completely via Conditional Access policies. First check for legacy e-mail clients or multifunction printers that still use these protocols, so they can be migrated before the block is enforced.
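The two-step approach above, as an added example that is not part of the original article or Cyberplan’s tooling: first inventory which accounts and devices still sign in with legacy protocols, then create the blocking Conditional Access policy in report-only mode so you can confirm nothing important breaks before enforcing it. It assumes the Microsoft.Graph SDK and an Entra ID P1 licence (required to read sign-in logs through Graph); the client app names are the values Entra ID itself reports in the sign-in log.

```powershell
# Added example (not from the original article). Inventory legacy-protocol sign-ins,
# then create a Conditional Access policy in report-only mode that would block them.
# Assumptions: Microsoft.Graph SDK; Entra ID P1 (needed for sign-in logs via Graph).
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Client app names Entra ID reports for legacy (basic) authentication
$legacyClients = @(
    'Exchange ActiveSync', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
    'Exchange Web Services', 'MAPI Over HTTP', 'Outlook Anywhere (RPC over HTTP)',
    'Offline Address Book', 'Other clients'
)

# Step 1: who used them in the last 7 days? Printers, scanners and old mail
# clients surface here; migrate those before the policy is enforced.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyClients -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Step 2: report-only block policy. Review the report-only results in the sign-in
# log for a week, then change state to 'enabled'.
$policy = @{
    displayName = 'Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All') }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')   # the two legacy client types
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Report-only mode records what the policy would have done without blocking anyone; once the inventory from step 1 is empty and the report-only results show no unexpected hits, flip the state to enabled.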
3. Uncontrolled external sharing
SharePoint and OneDrive folders accessed via “Anyone” links pose a structural risk. Sensitive documents can inadvertently end up outside the organization through a share link that never expires. In practice, we see share links remaining active for months or years, long after their original purpose has lapsed.
Solution: limit external sharing to trusted domains. Set an expiration date on share links and perform periodic reviews of guest access in your tenant.
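The tenant-level settings behind that advice, as an added example that is not from the original article or from Cyberplan. It uses the SharePoint Online Management Shell; “contoso” stands for your tenant name and “partner.example” for a trusted partner domain, both placeholders.

```powershell
# Added example (not from the original article). Read the current tenant-wide
# sharing settings, tighten them, then list sites that are still configured
# more permissively. Assumptions: SharePoint Online Management Shell installed,
# SharePoint admin role; "contoso" and "partner.example" are placeholders.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Before: what does the tenant currently allow?
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode,
    SharingAllowedDomainList, ExternalUserExpirationRequired, ExternalUserExpireInDays

# After: no "Anyone" links, external sharing only to allow-listed domains,
# new links default to "people in your organization", guests expire after 60 days.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example' `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 60

# Sites whose own setting still asks for "Anyone" sharing; the tenant setting now
# caps them, but the list shows where owners relied on anonymous links.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```

Disabling “Anyone” links also invalidates existing anonymous links, so announce the change before applying it; the guest expiration setting is what turns the periodic review of guest access into an enforced default rather than a calendar reminder.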
4. Permanent admin rights
If admin accounts always have the highest privileges, you greatly increase the impact of any takeover. One compromised admin account gives an attacker complete control over your environment: mailboxes, files, user management and more.
Solution: implement Privileged Identity Management (PIM) for just-in-time permissions. Admins activate their elevated permissions only when needed, for a limited period of time.
5. Hidden forwarding rules
Attackers who gain access to a mailbox often set invisible rules that forward emails to an external address. This allows them to commit invoice fraud by intercepting and manipulating payment requests. These rules remain active without the user noticing.
Solution: disable external forwarding at the tenant level and actively monitor for the creation of new inbox rules via the audit log.
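The three parts of that solution in Exchange Online PowerShell, as an added example that is not code from the original article or from Cyberplan: block automatic forwarding at the tenant level, find forwarding that is already in place (mailbox settings and inbox rules, including rules a user cannot see), and pull the audit-log events that show who created or changed inbox rules recently. It assumes the ExchangeOnlineManagement module and an Exchange administrator role.

```powershell
# Added example (not from the original article). Block, find, and detect mail forwarding.
# Assumption: ExchangeOnlineManagement module; Exchange admin role for the Set-* steps.
Connect-ExchangeOnline

# 1. Tenant-level block: the outbound spam policy governs automatic forwarding
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# Belt and braces: the default remote domain also refuses auto-forwarded mail
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2a. Forwarding configured on the mailbox itself
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2b. Inbox rules that forward or redirect; hidden rules appear here too
#     (slow on large tenants: one Get-InboxRule call per mailbox)
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Detection: inbox rules created or changed in the last 30 days, with source IP.
#    UpdateInboxRules is what Outlook desktop logs; New-/Set-InboxRule come from OWA/PowerShell.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules' -ResultSize 5000
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $_.CreationDate
        User       = $_.UserIds
        Operation  = $_.Operations
        ClientIP   = $d.ClientIP
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
    }
} | Format-Table -AutoSize
```

Step 3 is the part worth scheduling: a rule that forwards to an external address, created from an IP address the user does not normally sign in from, is the classic early sign of a compromised mailbox and is visible in the audit log long before the invoice fraud itself.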
Microsoft Secure Score: your free starting point
With Secure Score, Microsoft offers a built-in tool that measures your security posture based on your M365 configuration. It’s a good starting point: you get a score out of 100 and concrete recommendations to improve it.
But Secure Score has significant limitations. Research shows that 63% of organizations have a Secure Score below 50%, averaging between 30% and 45%. That sounds alarming, and it is. But a high score does not automatically mean you are secure.
Secure Score checks whether a feature is enabled, but not whether the configuration is effective for your specific situation. MFA may be “on” while the entire board is exempted. Share links can appear limited while outdated exceptions undermine the rules. An automated score lacks that nuance.
What does a professional M365 security audit add?
Where Secure Score stops, a professional audit begins. At Cyberplan, we vet your M365 environment on more than 50 configuration points that Secure Score does not cover. The difference lies in four areas.
Context-specific assessment. An auditor assesses whether your settings fit your business model. A manufacturing company with 80 employees has different risks than a software company with 20 developers and many external collaborations.
Exceptions and loopholes. We actively look for exceptions in Conditional Access rules, forgotten test accounts with elevated privileges, and OAuth apps that have gained unnoticed wide access to your data.
Processes and human factor. How is employee offboarding handled? Are licenses and access rights revoked in a timely manner? Secure Score doesn’t measure this. We do.
Hybrid risks. Many companies using M365 operate with a combination of on-premises Active Directory and cloud identities. Vulnerabilities in the on-premises infrastructure can spill over into your M365 tenant. A professional audit assesses the full chain.
The result is a concrete report with prioritized recommendations: which risks are critical, what can you fix yourself and where guidance is needed. Curious about the difference between an audit and a pen test? We’ve written a separate article about that.
Does M365 configuration fall under NIS2?
Short answer: yes, for companies covered by the NIS2 Directive. Article 21 requires organizations to take appropriate technical and organizational measures to secure their network and information systems. Microsoft 365 is the central information system for most SMEs.
The CCB’s CyberFundamentals (CyFun) framework concretizes this requirement. At the Basic level, you already need to demonstrate MFA and basic identity protection. At the Important level, Conditional Access, audit log monitoring and encryption are added. A Microsoft 365 security audit provides direct evidence of compliance at these levels.
That makes an M365 audit not just a technical exercise, but also a compliance tool. Wondering what a cybersecurity audit costs and what you get in return? Read more about it in our overview article.
Checklist: 10 M365 settings to check today
Want to do your own initial assessment? Go through these ten points and note where you have doubts or where the setting is incorrect.
- MFA for all users. In Entra ID, check for accounts without MFA, including admin and service accounts.
- Legacy authentication blocked. Go to Conditional Access and verify that POP3, IMAP and other legacy protocols are disabled.
- External sharing limited. In the SharePoint admin center, check whether “Anyone” links are disabled and whether share links have an expiration date.
- No permanent Global Admins. Check how many users permanently have the Global Admin role. Ideally, there should be a maximum of two emergency accounts.
- Forwarding rules limited. In Exchange Online, verify that external email forwarding is disabled by default at the tenant level.
- Audit logging enabled. Verify that the Unified Audit Log is active and that the retention period is at least 90 days.
- Conditional Access active. Check for policies that block login attempts from unusual countries and enforce device compliance.
- Guest access reviewed. Check which external guest users have access to your Teams environment and SharePoint sites. Remove inactive guests.
- OAuth apps checked. In Entra ID, see which third-party apps can access your M365 data. Delete apps you don’t recognize.
- Password policy updated. Set passwords to “never expire” (in accordance with Microsoft and NIST advice) in conjunction with mandatory MFA. Predictable password rotation leads to weaker passwords.
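A read-only pass over the checklist items not already scripted in the sections above (audit logging, permanent Global Admins, stale guests, third-party app consents and password expiry), as an added example that is not from the original article or from Cyberplan. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and a reader role; reading guest sign-in activity requires an Entra ID P1 licence.

```powershell
# Added example (not from the original article): five checklist items in one read-only pass.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph modules; a reader role with the
# scopes below; Entra ID P1 for the signInActivity property.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "Directory.Read.All", "AuditLog.Read.All", "Application.Read.All"

# Audit logging enabled?
$audit = Get-AdminAuditLogConfig
"Unified Audit Log ingestion enabled: $($audit.UnifiedAuditLogIngestionEnabled)"

# Permanent (active) Global Administrator assignments; aim for at most two emergency accounts.
# Eligible PIM assignments are not listed here, which is the point: they should not be permanent.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
"Permanent Global Admins: $($gaMembers.Count)"
$gaMembers | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# Guests with no sign-in in the last 90 days (or never, and created more than 90 days ago)
$cutoff = (Get-Date).AddDays(-90)
Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property 'displayName,userPrincipalName,createdDateTime,signInActivity' |
    Where-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        (-not $last -and $_.CreatedDateTime -lt $cutoff) -or ($last -and $last -lt $cutoff)
    } |
    Select-Object DisplayName, UserPrincipalName, CreatedDateTime,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Format-Table -AutoSize

# Third-party apps holding tenant-wide (admin-consented) delegated permissions.
# Compare OwnerTenant against your own tenant id to spot apps you do not own.
$apps = @{}
Get-MgServicePrincipal -All -Property 'id,displayName,appOwnerOrganizationId' |
    ForEach-Object { $apps[$_.Id] = $_ }
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object {
        $sp = $apps[$_.ClientId]
        [pscustomobject]@{
            App         = $sp.DisplayName
            OwnerTenant = $sp.AppOwnerOrganizationId
            Scope       = $_.Scope
        }
    } | Sort-Object App | Format-Table -AutoSize

# Password expiry per domain: 2147483647 days is the value Entra ID uses for "never expire"
Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays
```

None of these commands change anything; the output is the evidence you would note against the checklist before deciding what to fix yourself and where an audit is warranted.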
Are you in doubt about one or more of these points? Then a professional Microsoft 365 security audit is a logical next step. Schedule a no-obligation consultation and find out where your environment stands.
Frequently asked questions about Microsoft 365 security
What is the average Secure Score of an SME?
Most organizations score between 30% and 45%. Research shows that 63% of companies have a score below 50%. A score below 30% means that essential controls such as MFA and blocking legacy protocols are missing.
Can I check my M365 security myself?
Partially. Microsoft Secure Score and the checklist in this article give a first impression. But an automated score lacks context: exceptions in your Conditional Access rules, forgotten test accounts and OAuth apps with broad permissions are things you discover only in a manual audit.
Does Microsoft 365 configuration fall under NIS2?
Yes, if your company is covered by NIS2. It requires appropriate technical measures for network and information systems. For most SMEs, Microsoft 365 is the central information system. CCB’s CyFun framework specifies which M365 controls are required by security level.
What does a Microsoft 365 security audit cost?
The investment depends on the size of your environment and the number of users. An M365 audit for an SME with 50 to 150 users typically takes one to two weeks. Through the VLAIO SME Portfolio, you can receive up to a 45% subsidy on cybersecurity consulting, significantly lowering the net investment. Learn more about audit costs and subsidies.
How often should I have an M365 security audit performed?
At least annually, and additionally after major changes to your environment such as a migration, acquisition or new license structure. Microsoft regularly makes changes to default settings and security features. What was secure last year is not automatically so today.
Want to know how secure your Microsoft 365 environment really is? Our ethical hackers and auditors vet your tenant on more than 50 configuration points, including the risks Secure Score doesn’t see. Schedule an introductory call and get a concrete picture of your M365 security. Or first, see exactly what our cybersecurity audits entail.