Mon – Fri  9AM – 5PM|Client Portal
ITstuffed
Microsoft

5 Microsoft 365 Settings Worth Checking If Your Tenant Is More Than Two Years Old

Microsoft 365 keeps getting more secure by default, but only for new customers. If your business has been using Microsoft 365 for a few years, your settings are probably still where they were when your tenant was first set up. Microsoft does not push new defaults back into existing tenants. That means older configurations, some of them genuinely risky, can sit quietly in the background while everything looks fine on the surface.

This matters because the gap between what Microsoft now considers a safe default and what many established tenants are actually running can be significant. A few settings in particular are worth checking if your tenant is more than two or three years old, was set up by a previous IT provider, or has not been reviewed since you signed up.

The first is your default file sharing link in SharePoint and OneDrive. When someone shares a file, the link they generate has a default scope. In many older tenants, that scope is still set to "Anyone with the link" - meaning anyone who receives the URL can open the file without signing in, with no expiry date and no record of who it was forwarded to. A staff member who shared a client document with their personal email before leaving your business may still have a working link right now. Changing the tenant default to "Specific people" means every new link requires the recipient to authenticate before they can open anything.

The second is external email forwarding. Microsoft now blocks automatic forwarding to external email addresses by default, but that policy only applies going forward. Any inbox rules created before the change was introduced may still be active. It is worth checking that your outbound spam policy is set correctly, and then auditing existing inbox rules across your team's mailboxes. If someone set up a rule years ago to forward everything to a personal Gmail account, that rule may still be running. This is the kind of quiet, ongoing exposure that email-based attacks targeting professional practices are specifically designed to exploit.

Third, there is the question of historical third-party app consents. Microsoft now routes new app permission requests through an admin for approval, which is the right approach. But apps that were granted access before that change still have whatever permissions they were given - including the ability to read email, calendars, and files. Some of those apps may belong to staff who left years ago or to tools used for a one-off project that no one remembers. Reviewing what currently has access to your business data, and revoking anything you do not recognise, is a straightforward but important step. This is the kind of thing covered in a broader review of how your business manages cybersecurity.

Fourth is audit log retention. Microsoft's standard audit logs are kept for 180 days. If your business operates in a regulated field - legal, healthcare, financial services - that may fall well short of what you are expected to be able to produce under the NZ Privacy Act 2020 or your professional obligations. Extending retention beyond 180 days requires a higher licence tier, but the configuration itself takes around 15 minutes once that is in place.

Fifth, and most important, is how multi-factor authentication - the step that requires a second verification beyond your password - is enforced across your team. Older tenants may have no baseline enforcement at all. A common trap is that an admin enabled a conditional access policy at some point, which caused Microsoft to turn off the automatic security defaults, but the policy itself does not actually cover every user. The result is a gap that is easy to miss and expensive to discover after the fact. Weak or inconsistent MFA enforcement is one reason credential attacks that target every account at once can succeed even in businesses that believe they are protected.

None of these need to be changed at once, and some will generate questions from your team when they do take effect. The audit log and app consent review have no impact on day-to-day work, so start there. Checking the forwarding policy is similarly quiet. The sharing default will eventually prompt questions from staff who notice links behaving differently. The MFA review is the one that needs the most care, because getting it wrong can lock people out.

If you are not sure when your tenant was last reviewed, or whether any of these settings have drifted from where they should be, an experienced IT engineer can work through them methodically. It is the kind of audit that takes a few hours and tends to turn up at least one thing worth fixing. For professional services businesses in Canterbury, managed IT support that includes regular configuration reviews is how this gets caught before it becomes a problem rather than after.

IT Stuffed ran a full systems cyber security audit for us, which was very eye-opening! They helped us implement the necessary changes and gave us some strategic advice on future steps. Daniel and the team are incredibly dedicated, great communicators and a real pleasure to deal with.

Ruby Williams

Our organisation engaged IT Stuffed a bit over a year ago and we have been very happy with their services to date. We value them being a local small business and appreciate their friendly yet professional interactions. They do not fluster easily and that has a calming effect on people with IT challenges. When faced with a cyber-attack a year ago we greatly appreciated the immediate and ongoing support we received from IT Stuffed. Happy to recommend this service.

Maggy Tai Rākena

ITstuffed offers a 15-minute IT Fit Check if you want a quick conversation about whether your Microsoft 365 setup is worth a closer look. Book a time here.