5 Microsoft 365 Settings Worth Checking in Your Tenant

Free A concentrated professional working at a computer in a modern office setting. Stock Photo

Here’s a fun exercise: go ask whoever set up your Microsoft 365 tenant when they last reviewed the default settings. If the answer is “when we set it up” or a blank stare — you’re not alone. Most Bradenton businesses we talk to are running on configurations that are three, five, even seven years old. Microsoft has quietly tightened security defaults for new tenants, but those changes don’t roll back to yours automatically.

Old settings stay put. Inbox rules created in 2020? Still running. Sharing links from before the pandemic? Still active. Here are five settings worth checking — especially if your tenant was set up by a previous IT provider or hasn’t been audited recently.

Quick note: some of these require Microsoft 365 Business Premium, E3, or E5 licensing. If a toggle is grayed out, that’s probably why. And a couple of these changes will prompt questions from your team, so don’t try to flip everything at once.

1. Your Default Sharing Link Is Probably Too Open

When someone at your firm shares a file from SharePoint or OneDrive, the link they create has a default scope. In older tenants, that scope is often “Anyone with the link” — meaning anyone with the URL can open the file. No login required. No expiration. No way to know who it got forwarded to.

Think about what that means for a CPA firm or financial advisor here in Tampa Bay. Client tax returns, financial statements, engagement letters — all potentially accessible to anyone who stumbles across the right link.

The fix is in the SharePoint admin center under Policies > Sharing. Switch the tenant default to “Specific people,” which forces every new link to require authentication. You can also set a maximum expiration for any remaining “Anyone” links so they time out on their own.

Time to fix: about 15 minutes. Existing links aren’t affected until they’re regenerated.

2. External Email Forwarding Rules You Forgot About

Microsoft now blocks automatic email forwarding to external addresses by default through the outbound spam policy. Good news.

Bad news: forwarding rules created before that change can still be running. If someone on your team set up a rule a few years ago to forward every email to their personal Gmail? That rule might still be quietly exporting your data right now.

Check two things. In the Microsoft Defender portal, go to Email & Collaboration > Policies & Rules > Anti-spam policies > Anti-spam outbound policy. Make sure “Automatic forwarding rules” is set to “Off” or “Automatic – System-controlled.” Then audit existing inbox rules across your users for any forward-to-external setups. The Purview audit log lets you search for inbox rule creation events.

Time to fix: 10 minutes for the tenant setting, longer to review existing rules across all mailboxes.

3. Those Random Apps Your Team Approved Years Ago

Microsoft now routes new third-party app consent requests to an admin for review through a managed user consent policy. Users can no longer just click “Allow” and grant some random app access to their files and email.

But apps that were approved before this change? They still have whatever permissions they were given. That productivity tool someone installed during a client project in 2021 and forgot about? It may still have read access to their mail, calendar, and files.

To clean this up, go to Microsoft Entra ID > Enterprise Applications > All applications. Sort by user consent and look at what currently has access to mail, files, or calendars. Anything you don’t recognize or no longer need — revoke it right there.

Time to fix: 30 to 60 minutes, depending on how many historical apps have piled up.

4. Your Audit Logs Might Not Go Back Far Enough

Microsoft extended default audit log retention to 180 days (up from 90) in October 2023. With E5 licensing or the Purview Audit Premium add-on, you get one year of retention for Exchange, SharePoint, OneDrive, and Entra ID activity. Other activity types stay at 180 days.

For law firms, accounting practices, and financial advisors in Manatee County and across Florida, 180 days often isn’t enough. HIPAA, the FTC Safeguards Rule, and most state bar rules around client data assume you can produce records on request — and the relevant timeframe is usually measured in years, not months.

Check your settings in the Microsoft Purview compliance portal under Audit > Audit retention policies. Extending beyond 180 days requires the right licensing. The configuration itself takes about 15 minutes once you’ve confirmed your license supports it.

5. MFA Might Not Be Covering Everyone You Think

Multi-factor authentication is the area most likely to be inconsistent in older tenants. Microsoft introduced Security Defaults in late 2019, and new tenants now get MFA automatically. Microsoft has also been progressively requiring MFA for admin actions throughout 2024 and 2025.

Here’s the trap: when an admin enables a Conditional Access policy (available with Business Premium and above), Microsoft may turn Security Defaults off, expecting you to handle MFA through the new policy. If that transition was rushed, you can end up with Security Defaults off and a Conditional Access policy that doesn’t cover every user. Gap city.

Check three places. In Entra ID under Properties > Manage Security Defaults, see whether it’s on or off. Under Protection > Conditional Access, confirm a policy is enforcing MFA for all users, including admins. Pay special attention to break-glass admin accounts — they’re sometimes excluded from Conditional Access for emergency use and left with no MFA at all.

Time to fix: about an hour, longer if you’ve got several Conditional Access policies to untangle.

What Order Should You Tackle These In?

Some of these changes are invisible to your team. Others will change their daily workflow.

Start quiet: Audit log retention (#4) and the app consent review (#3) have zero user-facing impact. Do these first.

Then the low-risk check: Verifying external forwarding (#2) is silent unless someone has a legitimate rule — which is rare.

Communicate before you flip: The sharing default change (#1) will generate questions from anyone used to quick copy-paste sharing. Give your team a heads-up first.

Save the big one for last: The MFA and Conditional Access review (#5) is the highest-stakes change and the one most likely to lock people out if rushed. Budget the time to do it right.

Frequently Asked Questions

Is my tenant safe if it was set up recently?

Newer tenants get better defaults, but sharing scope, historical app consents, and inbox rules still need to be reviewed regardless of when you started.

What’s the current default for “Anyone with the link” sharing?

Many existing tenants still allow it. Newer Teams-created SharePoint sites default to “Only people in your organization,” but you need to check both the tenant-level and site-level settings.

Did Microsoft turn off external email forwarding by default?

Yes. The outbound spam policy now blocks automatic external forwarding. But existing rules created before the change may still be active.

How long are audit logs kept by default?

180 days for standard audit logs (as of October 2023). One year for key workloads with E5 or the Purview Audit Premium add-on.

Does Security Defaults cover all my users?

On new tenants, yes. On older tenants with Conditional Access policies, Security Defaults may have been turned off — and MFA coverage depends entirely on how those policies were configured.

Sources and Further Reading

Not sure when your tenant was last reviewed? Or whether any of these settings need attention? We help accounting firms, law offices, and financial practices across Bradenton and Tampa Bay clean up exactly this kind of thing. Book a free 15-minute call and we’ll tell you which of these five to check first for your setup.

Share This:

Facebook
LinkedIn
X
Email

Ever wonder if your organization’s systems are safe from being hacked?

Contact us to schedule a free security assessment:

Recent Posts