5 Microsoft 365 Settings Worth Checking in Your Tenant

Microsoft has tightened several default settings in Microsoft 365 over the past few years, giving newer tenants stronger protection from the start. However, older tenants may still have legacy configurations in place, including outdated user permissions, inbox rules, and sharing links that were created before these updates.

If your Microsoft 365 tenant is more than a few years old, was set up by a previous IT provider, or has not been audited recently, these five settings are worth reviewing. Keep in mind that some updates may require Business Premium, E3, or E5 licensing, and changes should be implemented strategically to avoid disrupting existing workflows. Reliable help desk and user support can also help employees adjust to security updates that impact account access, file sharing, and daily operations.

1. Review Your SharePoint & OneDrive Sharing Permissions

Your default sharing settings determine who can access company files after a link is created.

When employees share documents through SharePoint or OneDrive, Microsoft creates a link with a specific access level. Older Microsoft 365 tenants may still default to “Anyone with the link”, allowing anyone with the URL to open the file without signing in. 

That means shared documents can remain accessible long after they were originally sent. 

A former employee who emailed a proposal to their personal account months ago could still have access unless the link were manually removed. 

What to Check in Microsoft 365

The default sharing link settings can be reviewed in: SharePoint Admin Center → Policies → Sharing 

Consider updating the tenant default to “Specific people” so new shared links require authentication.

You can also set expiration dates for existing public links to reduce long-term exposure. 

Estimated Review Time: 15 minutes

User Impact: No impact on existing links until they are regenerated

2. Check External Email Forwarding Rules 

Automatic forwarding rules can quietly send business data outside your organization.

Microsoft now blocks automatic forwarding to external email addresses by default through outbound spam protection. However, older rules created before this update may still exist.

For example, an employee who previously forwarded all emails to a personal Gmail account could still be exporting company information depending on how the rule was created.

What to Check in Microsoft Defender

Navigate to: 

  • Microsoft Defender Portal → Email & Collaboration → Policies & Rules → Anti-Spam Policies → Anti-Spam Outbound Policy 

Confirm that Automatic Forwarding Rules are set to:

  • Off
  • Automatic - System Controlled 

You should also audit existing inbox rules to identify any users forwarding messages outside the organization.

Estimated Review Time:

10 minutes for tenant settings, longer for reviewing individual mailboxes.

3. Audit Historical Third-Party Application Access

Old application permissions can remain active long after employees stop using them. While Microsoft has introduced stronger user consent policies to limit third-party access, previous approvals may still allow outdated apps to access emails, calendars, files, and user information.

Reviewing historical app permissions helps identify old tools, completed projects, or unrecognized applications that may still have access to company data.

How to Review Existing App Permissions

Go to:

  • Microsoft Entra ID → Enterprise Applications → All Applications

Review applications with existing user consent and remove permissions for tools that are no longer needed.

Estimated Review Time:

30-60 minutes, depending on the number of applications connected.

4. Verify Microsoft 365 Audit Log Retention Settings

Audit logs help businesses investigate security incidents, track activity, and meet compliance requirements. In October 2023, Microsoft increased standard audit retention from 90 days to 180 days, while E5 licensing or Microsoft Purview Audit Premium allows businesses to extend retention even further.

While 180 days may work for some organizations, industries like healthcare, financial services, legal, and other regulated fields may require longer access to historical records to meet compliance obligations.

How to Review Existing App Permissions

Navigate to:

  • Microsoft Perview Compliance Portal → Audit → Audit Retention Policies

Confirm your retention settings align with your organization’s security and compliance requirements.

Estimated Review Time:

About 15 minutes after confirming licensing.

5. Review MFA Enforcement & Security Defaults

Multi-factor authentication remains one of the most important protections against unauthorized access. Microsoft introduced Security Defaults in 2019 and has continued expanding MFA requirements across Microsoft 365 environments.

However, older tenants may still have inconsistent MFA enforcement, leaving potential security gaps across certain accounts.

A common issue occurs when organizations enable Conditional Access policies, which may turn Security Defaults off. If the new policy does not properly cover every user, some employees or administrators could be left without MFA protection. Proper server and endpoint management helps ensure devices, users, and access policies stay protected across your organization.

What to Review in Microsoft Entra ID 

Check:

  • Properties → Manage Security Defaults

Then review:

  • Protection → Conditional Access

Make sure MFA policies apply to employees, administrators, critical accounts, and emergency access accounts.

Estimated Review Time:

Around one hour, depending on your existing Conditional Access setup.

A Practical Approach to Rolling Out Microsoft 365 Updates

Start with audit log retention (#4) and historical app consent reviews (#3) since these updates typically have no user-facing impact and help identify existing security gaps.

Next, review external forwarding rules (#2). This process is usually silent unless a user has an active external forwarding rule that needs to be addressed.

After that, update your sharing defaults (#1). This change may generate questions from employees who are used to creating open sharing links, so communicate expectations before adjusting the tenant settings.

Save MFA and Conditional Access reviews (#5) for last. These changes have the highest impact and should be carefully planned to avoid accidentally locking users or administrators out of their accounts.

Ready to Strengthen Your Microsoft 365 Security?

We help organizations review and strengthen their Microsoft 365 environments with security strategies that align with their business needs. From access management and security settings to cloud protection and ongoing support, our team can help you maintain a secure and efficient Microsoft 365 setup.

Contact us today to learn how our Managed IT Services, Cloud Solutions, and IT Support Services can help protect your business and keep your technology running securely.

Additional Blogs

Black horizontal banner with a stepped outline on a white background.

Keep Your Devices LIT

Your computers and servers should be the heroes of your workday, not the villains slowing you down. With LIT Tech Solutions watching your endpoints, you’ll see fewer crashes, stronger defenses, and a team that gets to focus on work instead of wrestling with tech.

See How Smooth I.T. Can Be. >>>

SCHEDULE A
CONSULTATION TODAY

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

CANCEL