MFA without real enforcement on privileged accounts.
What we see: the admin has MFA "enabled" but as an option, not a requirement. If an attacker arrives with the password (typically via phishing or a leak), the session starts without a second factor because the policy never demands it.
Why it happens: Microsoft activates Security Defaults on new tenants, but at the first Conditional Access adjustment, administrators disable them without replacing them with explicit policies. MFA ends up "available" instead of "mandatory."
- Go to Entra ID › Protection › Conditional Access
- Create a policy "Require MFA for all admins" applied to the roles Global Administrator, Privileged Role Administrator, Conditional Access Administrator and similar
- Exclude only one "break-glass" account with a long password stored in a physical vault
- Test with a secondary admin before enforcing on everyone
Conditional Access missing or too permissive.
What we see: users can sign in from any country, any device, any time, with no additional challenge. This is especially dangerous when the company only operates in Mexico but the tenant accepts logins from Vietnam, Russia or Nigeria at 3 AM.
Why it happens: configuring Conditional Access takes planning. It's easier to "leave it open" than to map legitimate flows. But a few baselines cover 90% of the risk.
- Block countries where you don't operate (named locations + block policy)
- Require MFA outside the corporate network (trusted IPs)
- Block legacy protocols (POP, IMAP, SMTP auth — common vectors for credential stuffing)
- Require compliant device for access to corporate SharePoint/OneDrive
- Sign-in risk: block high-risk sign-ins automatically (requires Entra ID P2)
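The two policies from the admin-MFA steps and the baseline list above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original article). Both are created in report-only mode so they can be tested before enforcement; the break-glass UPN and the extra "Security Administrator" role are assumptions.

```powershell
# Added example: create the admin-MFA and legacy-auth-block Conditional Access policies
# in report-only state. Requires the Microsoft.Graph module and a CA Administrator role.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","RoleManagement.Read.Directory","User.Read.All"

$breakGlassUpn = "breakglass@contoso.example"   # placeholder: the vault-stored emergency account
$breakGlass    = Get-MgUser -UserId $breakGlassUpn

# Resolve role template IDs by display name instead of hard-coding GUIDs
$adminRoles = @("Global Administrator", "Privileged Role Administrator",
                "Conditional Access Administrator", "Security Administrator")
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoles -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Policy 1: require MFA for privileged roles, excluding only the break-glass account
$requireMfaAdmins = @{
    displayName = "CA001 - Require MFA for admin roles"
    state       = "enabledForReportingButNotEnforced"   # report-only: review sign-in logs first
    conditions  = @{
        users        = @{ includeRoles = $roleIds; excludeUsers = @($breakGlass.Id) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block legacy authentication clients (POP/IMAP/SMTP AUTH cannot present a second factor)
$blockLegacy = @{
    displayName = "CA002 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")   # "other" = basic/legacy auth clients
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfaAdmins, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Once the report-only results in the sign-in logs show no legitimate flows being caught, switch each policy's state to "enabled".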
Backups not verified or tested.
What we see: "We have backups in OneDrive" or "Microsoft backs up everything." Both statements are partially false and dangerous. Microsoft has short default retention policies (30 days for Exchange, 93 days for OneDrive) and doesn't protect against deletion by ransomware or malicious internal action.
What you need: a backup system separate from the tenant, with an immutable copy and tested restore.
- Implement a backup solution specific to M365 (Veeam Backup for Microsoft 365, Datto SaaS Protection, AvePoint)
- Minimum coverage: Exchange Online, OneDrive, SharePoint, Teams
- Minimum retention: 1 year. Ideally 3–7 years for regulated industries
- Immutable backup (cannot be deleted, even during ransomware)
- Monthly restore test — a backup that's never tested is not a backup
Global Admin roles without Just-in-Time.
What we see: the IT team has 3-5 accounts with Global Administrator permanently active "because it's more convenient." Each is a critical target. If one of those accounts is compromised, the attacker has the entire tenant.
The principle: no one should have permanent Global Admin except the break-glass account. For everyone else, the role is activated on demand with MFA + justification.
- Activate Privileged Identity Management (PIM) in Entra ID (requires P2 license)
- Convert permanent roles to eligible instead of active
- Configure activation with: MFA + justification + ticket + max 8 h duration
- For tenants without P2: use separate name.admin@ accounts for exclusive administrative use, with usage monitoring
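The "convert permanent roles to eligible" step, as an added example with the Microsoft Graph PowerShell SDK (not code from the original article). It lists standing Global Administrator assignments other than the break-glass account and shows the PIM requests that replace each with an eligible assignment; the break-glass UPN is a placeholder and the script assumes the principals are users, not groups.

```powershell
# Added example: audit permanent Global Admins and move them to PIM eligibility (requires Entra ID P2).
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory","User.Read.All"

$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # built-in Global Administrator template
$breakGlassId      = (Get-MgUser -UserId "breakglass@contoso.example").Id   # placeholder UPN

# Permanent = active assignment ('Assigned', not a PIM 'Activated' one) with no end date
function Get-PermanentGlobalAdmins {
    Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
        -Filter "roleDefinitionId eq '$globalAdminRoleId'" -All |
      Where-Object { $_.AssignmentType -eq "Assigned" -and
                     -not $_.EndDateTime -and
                     $_.PrincipalId -ne $breakGlassId }
}

function Convert-ToEligible {
    param([string]$PrincipalId)
    $now = (Get-Date).ToUniversalTime().ToString("o")
    # 1. Grant eligibility: the user must still activate with MFA + justification under the role settings
    $eligible = @{
        action           = "adminAssign"
        principalId      = $PrincipalId
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = "/"
        justification    = "Move standing Global Admin to just-in-time eligibility"
        scheduleInfo     = @{ startDateTime = $now; expiration = @{ type = "noExpiration" } }
    }
    New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligible | Out-Null
    # 2. Remove the standing active assignment
    $remove = @{
        action           = "adminRemove"
        principalId      = $PrincipalId
        roleDefinitionId = $globalAdminRoleId
        directoryScopeId = "/"
        justification    = "Permanent Global Admin removed; eligibility granted via PIM"
    }
    New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $remove | Out-Null
}

$standing = Get-PermanentGlobalAdmins
$standing | ForEach-Object { (Get-MgUser -UserId $_.PrincipalId).UserPrincipalName }   # review this list first
# $standing | ForEach-Object { Convert-ToEligible -PrincipalId $_.PrincipalId }        # run after review
```

Activation requirements (MFA, justification, ticket, maximum duration) are set on the role's PIM settings, not per request, so configure those before converting.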
Defender in audit mode, not enforced.
What we see: Microsoft Defender for Office 365 is activated but the anti-phishing, anti-malware and safe links policies are in "report but don't block" mode. It detects threats and logs them in the report, but the emails still reach the user's inbox.
Why it happens: when Defender is first activated, policies come in audit mode to avoid false positives. If no one hardens them later, they stay that way. The IT team sees pretty metrics in the report but the risk remains intact.
- Apply the Standard or Strict security preset depending on your risk appetite (recommended: Standard as a minimum)
- Configure Safe Links to rewrite URLs in email and Office
- Enable Safe Attachments with detonation sandbox
- Configure Anti-phishing with impersonation protection for your domain + key vendor domains
- Review the Microsoft Secure Score monthly — target: > 70%
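An added example (not code from the original article) that checks the Defender for Office 365 policies for the "report but don't block" settings described above and then turns on the Standard preset, using the ExchangeOnlineManagement module. The protected domains are placeholders.

```powershell
# Added example: find monitor-only Defender policies and enable the Standard preset.
Connect-ExchangeOnline

# Safe Attachments: Action 'Allow' = detonation is logged but the message is still delivered
Get-SafeAttachmentPolicy |
    Select-Object Name, Enable, Action, Redirect |
    Where-Object { -not $_.Enable -or $_.Action -eq "Allow" } |
    Format-Table -AutoSize

# Safe Links: URLs must be rewritten and scanned for email and Office, with click-through off
Get-SafeLinksPolicy |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForOffice,
                  ScanUrls, DeliverMessageAfterScan, AllowClickThrough |
    Format-Table -AutoSize

# Anti-phishing: impersonation protection should name your domain and key vendors
Get-AntiPhishPolicy |
    Select-Object Name, Enabled, EnableTargetedDomainsProtection, TargetedDomainsToProtect,
                  TargetedDomainProtectionAction, EnableMailboxIntelligenceProtection |
    Format-List

# Standard preset = two rules (EOP part and Defender part); both must be enabled.
# If the rules do not exist yet, turn the preset on once in the Defender portal first.
Enable-EOPProtectionPolicyRule -Identity "Standard Preset Security Policy"
Enable-ATPProtectionPolicyRule -Identity "Standard Preset Security Policy"

# Add the company domain and key vendor domains to the default anti-phish policy (placeholders)
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableOrganizationDomainsProtection $true `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "contoso.example", "keyvendor.example" `
    -TargetedDomainProtectionAction Quarantine
```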
SharePoint with legacy public sharing.
What we see: documents shared by email with "anyone with the link" 3 years ago are still publicly accessible. No one knows who has those links. They don't expire. If a former employee saved any, it still works.
The risk: silent exposure of sensitive information that not even the file owner remembers having shared.
- Set the global sharing level to "Authenticated people only" as default (SharePoint Admin Center)
- Set automatic expiration for anonymous links (30/60 days max)
- Generate a report of existing "Anyone links" and review them one by one
- For sensitive sites: disable external sharing completely and use private channels
- Enable Sensitivity Labels to automatically classify and protect
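The tenant-level and per-site sharing changes above, as an added example with the SharePoint Online management shell (not code from the original article). The admin URL and the list of sensitive sites are placeholders.

```powershell
# Added example: weak sharing settings to look for, the corrected tenant defaults,
# and a per-site lockdown. Requires the Microsoft.Online.SharePoint.PowerShell module.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# Weak state to look for: SharingCapability 'ExternalUserAndGuestSharing' ("Anyone" links allowed)
# and RequireAnonymousLinksExpireInDays -1 (anonymous links never expire)
Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays,
                  FileAnonymousLinkType, FolderAnonymousLinkType

# Corrected tenant defaults: only authenticated guests, internal links by default,
# and any anonymous link that is still permitted elsewhere expires after 30 days
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30

# Sites still configured for "Anyone" links (legacy per-site settings to review one by one)
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability, Owner

# Sensitive sites: no external sharing at all (placeholder URLs)
$sensitiveSites = @("https://contoso.sharepoint.com/sites/Finance",
                    "https://contoso.sharepoint.com/sites/HR")
foreach ($site in $sensitiveSites) {
    Set-SPOSite -Identity $site -SharingCapability Disabled
}
```

Tightening the tenant setting does not revoke links that were already created, so the existing "Anyone links" report still has to be worked through by hand.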
No legal retention on critical mailboxes.
What we see: when an employee leaves, their mailbox is deleted along with their account. If months later a legal dispute, tax audit or internal investigation requires their emails — there's no way to recover them.
The legal requirement: in Mexico, the Ley General de Sociedades Mercantiles and SAT rules require retention of accounting and tax communication for at least 5 years. For regulated industries (financial, healthcare, education) it can reach 10 years. Most other LATAM countries and the US have comparable retention requirements.
- Enable Retention Policies in Purview with durations matched to your industry
- For employees who leave: convert the mailbox into a Shared Mailbox (free, no license required) before deleting the account
- Enable Litigation Hold on executive accounts and areas with legal risk (procurement, sales, HR)
- Audit quarterly that the policies are being applied (Compliance Manager)
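The leaver conversion, Litigation Hold and quarterly check above, as an added example with the ExchangeOnlineManagement module (not code from the original article). The 5-year duration follows the article; the department names are placeholders.

```powershell
# Added example: keep leavers' mail as shared mailboxes, hold legal-risk areas, audit the gaps.
Connect-ExchangeOnline

$holdDays = 5 * 365   # 5 years, per the article; extend to 10 years for regulated industries

# 1. Leavers: user mailboxes whose account is already disabled but not yet converted
$leavers = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.AccountDisabled }
foreach ($mbx in $leavers) {
    # Convert before the account is deleted. A shared mailbox under 50 GB needs no license,
    # but keeping a hold on it requires an Exchange Online Plan 2 (or Archiving) license.
    Set-Mailbox -Identity $mbx.Identity -Type Shared
    Set-Mailbox -Identity $mbx.Identity -LitigationHoldEnabled $true -LitigationHoldDuration $holdDays
}

# 2. Standing hold for executives and legal-risk departments (placeholder department values)
$legalRiskDepartments = @("Executive", "Procurement", "Sales", "Human Resources")
$riskUsers = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $legalRiskDepartments -contains $_.Department }
foreach ($u in $riskUsers) {
    Set-Mailbox -Identity $u.UserPrincipalName -LitigationHoldEnabled $true -LitigationHoldDuration $holdDays
}

# 3. Quarterly check: mailboxes in those departments that have no hold applied
$riskUsers |
    ForEach-Object { Get-Mailbox -Identity $_.UserPrincipalName } |
    Where-Object { -not $_.LitigationHoldEnabled } |
    Select-Object UserPrincipalName, LitigationHoldEnabled
```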