
Microsoft has tightened several default settings in Microsoft 365 over the past few years, giving newer tenants stronger protection from the start. However, older tenants may still have legacy configurations in place, including outdated user permissions, inbox rules, and sharing links that were created before these updates.
If your Microsoft 365 tenant is more than a few years old, was set up by a previous IT provider, or has not been audited recently, these five settings are worth reviewing. Keep in mind that some updates may require Business Premium, E3, or E5 licensing, and changes should be implemented strategically to avoid disrupting existing workflows. Reliable help desk and user support can also help employees adjust to security updates that impact account access, file sharing, and daily operations.
Your default sharing settings determine who can access company files after a link is created.
When employees share documents through SharePoint or OneDrive, Microsoft creates a link with a specific access level. Older Microsoft 365 tenants may still default to “Anyone with the link”, allowing anyone with the URL to open the file without signing in.
That means shared documents can remain accessible long after they were originally sent.
A former employee who emailed a proposal to their personal account months ago could still have access unless the link were manually removed.
The default sharing link settings can be reviewed in: SharePoint Admin Center → Policies → Sharing
Consider updating the tenant default to “Specific people” so new shared links require authentication.
You can also set expiration dates for existing public links to reduce long-term exposure.
Estimated Review Time: 15 minutes
User Impact: No impact on existing links until they are regenerated
Automatic forwarding rules can quietly send business data outside your organization.
Microsoft now blocks automatic forwarding to external email addresses by default through outbound spam protection. However, older rules created before this update may still exist.
For example, an employee who previously forwarded all emails to a personal Gmail account could still be exporting company information depending on how the rule was created.
Navigate to:
Confirm that Automatic Forwarding Rules are set to:
You should also audit existing inbox rules to identify any users forwarding messages outside the organization.
Estimated Review Time:
10 minutes for tenant settings, longer for reviewing individual mailboxes.
Old application permissions can remain active long after employees stop using them. While Microsoft has introduced stronger user consent policies to limit third-party access, previous approvals may still allow outdated apps to access emails, calendars, files, and user information.
Reviewing historical app permissions helps identify old tools, completed projects, or unrecognized applications that may still have access to company data.
Go to:
Review applications with existing user consent and remove permissions for tools that are no longer needed.
Estimated Review Time:
30-60 minutes, depending on the number of applications connected.
Audit logs help businesses investigate security incidents, track activity, and meet compliance requirements. In October 2023, Microsoft increased standard audit retention from 90 days to 180 days, while E5 licensing or Microsoft Purview Audit Premium allows businesses to extend retention even further.
While 180 days may work for some organizations, industries like healthcare, financial services, legal, and other regulated fields may require longer access to historical records to meet compliance obligations.
Navigate to:
Confirm your retention settings align with your organization’s security and compliance requirements.
Estimated Review Time:
About 15 minutes after confirming licensing.
Multi-factor authentication remains one of the most important protections against unauthorized access. Microsoft introduced Security Defaults in 2019 and has continued expanding MFA requirements across Microsoft 365 environments.
However, older tenants may still have inconsistent MFA enforcement, leaving potential security gaps across certain accounts.
A common issue occurs when organizations enable Conditional Access policies, which may turn Security Defaults off. If the new policy does not properly cover every user, some employees or administrators could be left without MFA protection. Proper server and endpoint management helps ensure devices, users, and access policies stay protected across your organization.
Check:
Then review:
Make sure MFA policies apply to employees, administrators, critical accounts, and emergency access accounts.
Estimated Review Time:
Around one hour, depending on your existing Conditional Access setup.
Start with audit log retention (#4) and historical app consent reviews (#3) since these updates typically have no user-facing impact and help identify existing security gaps.
Next, review external forwarding rules (#2). This process is usually silent unless a user has an active external forwarding rule that needs to be addressed.
After that, update your sharing defaults (#1). This change may generate questions from employees who are used to creating open sharing links, so communicate expectations before adjusting the tenant settings.
Save MFA and Conditional Access reviews (#5) for last. These changes have the highest impact and should be carefully planned to avoid accidentally locking users or administrators out of their accounts.
We help organizations review and strengthen their Microsoft 365 environments with security strategies that align with their business needs. From access management and security settings to cloud protection and ongoing support, our team can help you maintain a secure and efficient Microsoft 365 setup.
Contact us today to learn how our Managed IT Services, Cloud Solutions, and IT Support Services can help protect your business and keep your technology running securely.
