Microsoft 365 Tenant Check
The 10 Biggest Security Vulnerabilities In The Microsoft 365 Tenant
by Sebastian Lorenz | Date: May 13, 2026

Companies often assume that IT security is automatically guaranteed when using Microsoft 365. However, the reality of day-to-day operations paints a different picture: the most critical vulnerability is not the platform itself, but the configuration within the Microsoft 365 tenant.
Failing to perform a Microsoft Tenant Check can result in security vulnerabilities remaining undetected for years. This is exactly where our structured Microsoft Tenant Audit comes in. We identify the 10 biggest security vulnerabilities in Microsoft 365 tenants, including specific recommendations for action using the Microsoft Tenant Check.
1. Lack of Multi-Factor Authentication (MFA)
The lack of multi-factor authentication (MFA) is one of the biggest vulnerabilities in the configuration of Microsoft 365. If MFA is not enabled in the M365 tenant, a compromised password is enough to gain full access. Hackers exploit this very vulnerability to gain access to user accounts in the Microsoft 365 tenant. A lack of MFA protection is therefore one of the most common causes of security incidents.
Common MFA issues in a Microsoft 365 tenant:
- MFA is not enabled and required for all users
- Exceptions exist for MFA usage
- Legacy authentication is active and bypasses MFA requirements
Microsoft Tenant Check For Missing Multi-Factor Authentication:
The Microsoft Tenant Check Basic verifies whether multi-factor authentication is enabled in the Microsoft 365 tenant and identifies users without MFA configuration. Admin accounts, in particular, are checked for multi-factor authentication.
With the Microsoft Tenant Check Premium, multi-factor authentication in the Microsoft 365 tenant is analyzed in detail. The Premium Check detects exceptions, checks for the addition of security keys, and evaluates whether legacy authentication can bypass MFA in the Microsoft 365 tenant.

2. Inadequate Conditional Access Policies
The absence or inadequate configuration of these features is another critical vulnerability in Microsoft 365 security. If conditional access policies are not configured in the tenant, users can log in regardless of their location, device, or security risk. This Microsoft Entra ID zero-trust strategy prevents hackers from easily accessing the Microsoft 365 tenant with stolen credentials. Without these restrictions (conditional access), a key security mechanism for an M365 configuration is missing. Often, these policies are set to “report only” instead of being properly enabled.
Common Access Errors In The Microsoft 365 Tenant:
- No conditional access in the Microsoft 365 tenant
- Conditional access policies not active for all M365 users
- Admin accounts are not fully protected
- No blocking of unsafe countries
- No device access verification with restrictions
Microsoft Tenant Check For Conditional Access:
The Microsoft Tenant Check Basic verifies whether conditional access policies exist in the Microsoft 365 tenant and whether basic rules are active.
A Microsoft Tenant Check Premium also checks the conditional access policies in the tenant to ensure that admin accounts are secured. It evaluates the blocking of unsafe countries and analyzes the correct implementation of device checks.
For effective security in the tenant, you should implement specific conditional access policies, such as mandatory multi-factor authentication for all users, protection of admin accounts, blocking of unsafe countries, and restricting access to non-compliant devices. Microsoft Tenant Check Premium not only identifies missing conditional access policies but also assists in implementing these policies to improve the security of your M365 configuration.
3. Too Many Global Administrators
Having too many global administrator accounts results in too many instances of unrestricted access to the entire Microsoft 365 tenant. If there are too many global administrators, the risk of inadvertently granting full access to a compromised account increases. This is precisely why the number of administrators is one of the most critical checks in every Microsoft tenant check and every Microsoft tenant audit.
Common Admin Errors In The Microsoft 365 Tenant:
- A high number of user accounts with administrative privileges
- Global administration is not reviewed regularly
- Former users still have admin privileges
- Lack of separation between user accounts and admin access
Microsoft Tenant Check For Global Admins:
The Microsoft Tenant Check Basic assesses the number of global admin accounts in the Microsoft 365 tenant and identifies any unusual deviations in the configuration.
A Microsoft Tenant Check Premium also analyzes how these accounts are used, detects obsolete accounts, and evaluates whether the number of accounts in the Microsoft 365 tenant aligns with best practices.
In addition to reducing the number of global administrators in the Microsoft 365 tenant, you should assign smaller, targeted admin roles. Additionally, Privileged Identity Management (PIM) should be implemented in the Microsoft 365 tenant.
Why use PIM in M365? This limits admin rights to a specific timeframe (e.g. 8 hours instead of indefinitely), and the extended access is automatically revoked after a defined period. This measure is also included in the Microsoft Tenant Check Premium.
4. Legacy Authentication Enabled
Legacy Authentication is a well-known yet common vulnerability in Microsoft 365. If Legacy Authentication is enabled in the tenant, hackers can log in using outdated protocols and thereby bypass modern security measures such as multi-factor authentication. This active Legacy Authentication in the Microsoft 365 tenant is specifically exploited, as many attacks occur precisely through these old access methods. Without disabling Legacy Authentication, a critical security vulnerability remains.
Common Authentication Issues In The Microsoft 365 Tenant:
- M365 Legacy Authentication not disabled
- Outdated protocols in use (e.g. IMAP, POP, SMTP Auth)
- No rules in place to block Legacy Authentication
- Other applications accessing Legacy Authentication
Microsoft Tenant Check For Legacy Authentication:
Microsoft Tenant Check Basic quickly determines whether legacy authentication is disabled in the Microsoft 365 tenant. It identifies active connections to M365.
Microsoft Tenant Check Premium supplements the findings from the Basic Check with a list of affected users and applications. The Premium Check assesses which protocols are still using legacy authentication in the tenant.
5. Weak Email Security
One of the most common attack vectors in Microsoft 365 is weak email security. If this is not configured correctly in the Microsoft 365 tenant, phishing emails, other fraudulent content, and malware can reach your employees’ inboxes unimpeded. Hackers specifically exploit unpatched vulnerabilities in the Microsoft 365 tenant to trick users into revealing their credentials or to inject malicious code. Without strong email security, your M365 integration remains vulnerable overall.
Common Email Issues In A Microsoft 365 Tenant:
- Anti-phishing policies are not enabled in the Microsoft 365 tenant
- Safe links and safe attachments are not enabled in the tenant
- SPF, DKIM, and DMARC have not been configured or have been configured incorrectly
- Microsoft Defender has not been set up or is only partially set up (license-dependent)
Microsoft Tenant Check For Weak Email Security:
The Microsoft Tenant Check Basic verifies whether email security settings, such as anti-phishing policies and authentication methods, are present in the Microsoft 365 tenant.
The Microsoft Tenant Check Premium examines email security in the Microsoft 365 tenant in much greater detail. Configurations for anti-phishing policies, safe links, and safe attachments are analyzed. The Premium Check also includes verification of the correct implementation of SPF, DKIM, and DMARC in the tenant.

6. Uncontrolled External Sharing
If external sharing in the Microsoft 365 tenant is not clearly regulated, data may be shared with unauthorized individuals in an uncontrolled manner. This uncontrolled external sharing within the tenant can result in sensitive information becoming accessible outside the organization. Without clear sharing policies, a significant attack surface is created.
Common Sharing Errors In The Microsoft 365 Tenant:
- Anonymous external sharing allowed in the tenant
- No expiration dates for external sharing in the tenant
- External users are not regularly reviewed
- External user accounts have no expiration date
- Global activation of sharing without restrictions
Microsoft Tenant Check For Uncontrolled External Sharing:
The Microsoft Tenant Check Basic assesses the status of external sharing permissions in the Microsoft 365 tenant. It also checks the status of anonymous external sharing.
With the Microsoft Tenant Check Premium, external sharing in the tenant is analyzed in detail. Expiration dates, usage by external users, and risks posed by uncontrolled external sharing in the M365 tenant are checked.
7. Orphaned User Accounts
Orphaned user accounts represent an often underestimated risk in Microsoft 365 security. If these accounts are no longer actively used but still exist, unnecessary access opportunities remain. These accounts are often no longer monitored and can be specifically exploited by hackers.
Common User Account Issues In A Microsoft 365 Tenant:
- Orphaned user accounts in the tenant that have not been deactivated
- Guest accounts remain active unnecessarily
- No regular account reviews in the M365 tenant
Microsoft Tenant Check For Orphaned User Accounts:
With the Microsoft Tenant Check Basic, all user accounts in the Microsoft 365 tenant are checked, and inactive accounts as well as outdated guest accounts are identified.
The Microsoft Tenant Check Premium also detects particularly high-risk accounts and highlights specific actions needed to address orphaned user accounts in the tenant.
8. Lack of Monitoring and Logging
If monitoring is not enabled in the Microsoft 365 tenant, attacks and suspicious activity will go undetected. Without log files, there is no visibility into who is accessing which data and when. Ultimately, a lack of monitoring and logging leads to security incidents being detected too late, severely compromising the security of your M365 instances.
Common Monitoring Errors In The Microsoft 365 Tenant:
- M365 monitoring and logging not enabled
- Audit logging not enabled in the tenant
- Log file analysis not possible
- No alerts set up for suspicious activity
Microsoft Tenant Check For Missing Monitoring and Logging:
A Microsoft Tenant Check Basic verifies that audit logging is enabled in the Microsoft 365 tenant. The Microsoft Tenant Check Premium, on the other hand, analyzes log usage, reviews alerts, and determines whether monitoring and logging are actively used in the tenant to detect security incidents.
Comparing Tenant Check Basic And Premium
Which Tenant Check is right for your business? From threat landscapes and requirements to an early warning system in Microsoft 365. A detailed breakdown of the features.
What is the process for an M365 Tenant Check? A consultation with the AM GmbH is a great first step toward greater M365 security. But read on to find out what goes into the analysis, in-depth assessment, and final report.

9. Microsoft Secure Score Is Not Being Used
The Microsoft Secure Score often goes unused, even though it is a central component of Microsoft 365 security. If the score is not checked regularly in the tenant, security vulnerabilities remain undetected. Without using the Microsoft Secure Score, the M365 tenant lacks a clear assessment of the current security status. As a result, security is not actively improved, and existing risks persist.
Common Secure Score Issues In The Microsoft 365 Tenant:
- Microsoft Secure Score is not checked regularly
- Actions recommended by the Secure Score are not implemented
- The score is not viewed as a helpful performance metric
- No prioritization of actions from the Microsoft Secure Score
Microsoft Tenant Check For The Unused Secure Score:
The Microsoft Tenant Check Basic only verifies whether the Microsoft Secure Score is present in the tenant and whether basic measures are being followed.
In addition, the Microsoft Tenant Check Premium includes an evaluation of the Microsoft Secure Score as well as the implementation of the recommended measures. The Premium Check also highlights potential improvements to the Microsoft Secure Score.
10. Lack Of Governance
A fundamental vulnerability in the Microsoft 365 tenant is a lack of governance. Without clear rules for users, permissions, data, and usage, you lose the necessary control. A lack of governance in the tenant leads to uncontrolled development of structures and the creation of security vulnerabilities.
Typical Governance Errors In The Microsoft 365 Tenant:
- No defined governance in the Microsoft 365 tenant
- No policies, outdated policies, or only unclear policies in place
- Lack of technical implementation of defined policies
- No regular review of governance in the tenant
Microsoft Tenant Check For Lack Of Governance:
The basic setup of appropriate rules and structures is part of the Microsoft Tenant Check Basic. It checks whether basic governance is in place in the Microsoft 365 tenant and whether policies are defined.
However, you can only receive a detailed assessment with the Microsoft Tenant Check Premium. This analyzes governance in the tenant for policy implementation and identifies vulnerabilities.

Conclusion: Enhanced Security In Microsoft 365 With Tenant Checks
Most security vulnerabilities in a Microsoft 365 tenant arise not from missing features, but from inadequate configuration and a lack of oversight. This is precisely where a structured Microsoft Tenant Check comes in: it identifies security vulnerabilities and highlights specific risks.
A regular Microsoft Tenant Audit ensures that security in the tenant is not only checked once but is also maintained at a high level over the long term. Companies that want to improve their Microsoft 365 security sustainably should therefore rely on a continuous Microsoft Tenant Check. We’d be happy to advise you!
Your Contact Person
Fabien Schumacher
Head of the Sales Business Unit
As a long-time sales manager at the AM GmbH, Fabien is your personal point of contact for all things Microsoft 365. He coordinates the setup and testing of M365 tenants at the AM GmbH. With Fabien, you receive expert advice from a single source, ensuring that potential security vulnerabilities in your IT infrastructure are identified and addressed more quickly.

