Microsoft Office 365 Security Concerns and How to Address Them

Microsoft Office 365 (now called Microsoft 365) enables collaboration and data sharing via solutions such as SharePoint Online, MS Teams and OneDrive. These applications enjoy widespread use but share a barrier to adoption — security concerns.

Fortunately, cloud providers have more resources dedicated to security than the average business. Even though you are ultimately responsible for protecting your sensitive data, there are robust native security capabilities to address Microsoft Office 365 security concerns. Moreover, there are third-party solutions that can help you ensure strong security posture across the entire infrastructure, not just Microsoft 365.

This article explains the top Microsoft Office 365 security concerns and details how you can address them:

Top Microsoft 365 Security Concerns

Microsoft does an outstanding job securing their cloud services. However, cloud users must take responsibility for configuring and managing secure access and file sharing to minimize the risk of data leakage. Here are the top security concerns.

Unauthorized or External File Sharing

Microsoft 365 enables your users to collaborate with people outside of your organization in applications like Teams and SharePoint, as well as by sharing files and folders directly. We talked about external sharing in Microsoft 365, and in Teams in particular, in detail in other articles.

Any time files are shared outside of an organization, they become vulnerable. With Microsoft 365, a user can share a single file, or they can share an entire folder, which grants access to all the files currently in that folder and all its subfolders, as well as any new ones created there.

Privilege Abuse

Users often wind up with more permissions than they need to do their jobs. Excessive rights increase your risk of a data breach because users can accidentally or deliberately expose or steal more data than they should. Similarly, malicious software or hackers who take over a user’s account are enabled to access more data and systems than necessary.

Microsoft 365 doesn’t make it easy to restrict permissions based on business unit or country, or for remote or satellite offices. It’s also tricky to granularly grant admins rights to perform only specific functions, like resetting user passwords.

Global Administrator Account Breaches

Hackers and cybercriminals often target administrative accounts in their attacks in order to gain access to elevated privileges. The centralized administration model in Microsoft 365 allows all administrators to have global credentials, which grant access to every user’s account and content. If hackers manage to take over a global admin account, they can change critical settings, steal valuable data and leave backdoors to enter again.

To reduce the risk of these powerful accounts being compromised, you can set up multi-factor authentication (MFA) in the Security and Compliance Center. Keep in mind that MFA is not enabled by default for global administrators.

Disabled Audit Logs

Audit recording is not enabled by default in Microsoft 365; an administrator must manually turn auditing on. Similarly, to audit email mailboxes, an administrator must turn on mailbox auditing.

Understand that the audit log shows only events that occurred after auditing was enabled.

Short Log Retention Periods

Microsoft 365 stores audit logs for a short time, from just 90 days to a maximum of one year. Many compliance standards require storing audit logs for far longer than that. For example, HIPAA requires logs to be retained for six years. GDPR does not specify a retention period, but it requires organizations to be able to investigate breaches, which can take well over a year to surface. By that time, the native audit logs are gone.

How to Overcome Microsoft 365 Cloud Security Concerns

The first step in protecting the data you store in Microsoft 365 is to use the security features that its Security and Compliance Center provides. In particular, the Microsoft Secure Score Test scans and monitors your Microsoft  365 identities, applications, devices, data and infrastructure and suggests improvements. You receive points for:

  • Configuring the recommended security features
  • Performing security-related tasks, such as viewing reports
  • Addressing recommendations by using third-party applications

Microsoft 365 also offers built-in data loss prevention (DLP) and email encryption. The DLP tools include multi-factor authentication, dedicated administrator accounts, and malware and ransomware protection for email. Email encryption adds another layer of protection.

Here are other key steps you should take to improve security in Microsoft 365:

Enable Multi-Factor Authentication

Multi-factor authentication requires users to provide two or more methods of identification to access resources, such as a password plus a one-time code sent to their device. MFA is the single most powerful mitigation technique you can use to protect against credential theft.

How to enable MFA:

  1. In the Admin Center, select Users > Active users.
  2. In the Active Users section, select Multi-factor authentication.
  3. On the MFA page, select user if you are enabling one user, or you can perform a Bulk update.
  4. Under Quick steps, select Enable.
  5. In the pop-up window, choose Enable multi-factor authentication.

Classify Your Data

Classifying documents helps organizations understand the location and value of their content, so they can apply appropriate security controls. For example, you can identify and tag files that must not be shared with external users and then disable external sharing for that sensitive information.

The Data classification section of the Admin Center provides some classification functionality. However, look to a third-party solution like Netwrix Data Classification for pre-built classification taxonomies, highly accurate results, complete automation of the discovery and classification process, support for multiple on-prem and cloud data repositories, and automated remediation workflows.

Set Up Automatic Data Remediation Workflows

Lighten your workload while enhancing security by automating data protection and management routines. In Netwrix Data Classification, you can set up automatic workflows to move files to safe locations and redact confidential content within documents. This data remediation reduces the risk of data breaches and fines for non-compliance.

Minimize Privileges

To reduce the risk of privilege abuse and minimize the reach of compromised accounts, follow the principle of least privilege for every account in Microsoft 365. In addition:

  • Regularly identify and revoke excessive permissions
  • Disable third-party storage services
  • Set expiration dates on links
  • Use global administrator accounts only when the are required for the task at hand

Enable Unified Audit Logging

Use third-party solutions like Netwrix Auditor to gain visibility into activity across your Microsoft 365 environment, including critical changes like privilege escalation and access events like reading SharePoint content. Regularly review which users access documents to ensure no unauthorized use slips through the cracks.

Enable Mailbox Auditing

Enable mailbox auditing to monitor activity in Exchange Online. Mailbox auditing was not enabled by default before January 2019, so if your implementation predates that, you need to go in and turn it on, as follows:

  1. Open the Security & Compliance Center.
  2. Click Search & investigation
  3. Click Audit log search
  4. Click Start recording user and admin activity

In particular, monitor all changes to permissions and settings, as well as non-owner mailbox access. However, recall that the native logs are stored for only a limited time (from 90 days or up to a year, depending on the log), and be aware that the Microsoft 365 creates a single audit trail that is difficult to search and analyze for discrete events.

Use Malware Protection

Microsoft 365 includes some malware protection. You can further strengthen security by blocking file types common to malware.

Defend Against Ransomware

Use Microsoft 365 mail flow rules to block extensions commonly used for ransomware insertion, warn users about email attachments that might be infected, and eliminate auto-forwarding of email. These options can be set within the Exchange Administrative Center.

Encrypt Email

Microsoft  365 Message Encryption is turned on by default. It allows users to send and receive encrypted email messages, both within and outside the organization. Message Encryption works with Outlook, Yahoo, Gmail and other email services. Encryption ensures only the intended recipient can view email content. You have several options available to control how and when email may be viewed, labeled and forwarded.

Use Other Tools

Microsoft 365 offers several additional security features to take advantage of, including:

  • Advanced Threat Protection (ATP), which includes:
    • ATP Safe Attachments, for blocking malicious attachments in phishing emails
    • ATP Safe Links, for time-of-click verification of URLs in messages and documents
  • The ability to disable legacy email protocols or limit them to specific users
  • Cloud App Security, which includes threat detection based on user activity logs; discovery of shadow IT apps that have similar functionality to Microsoft 365; control over app permissions in Microsoft 365; and application access and session controls


To address Microsoft 365 security concerns, your organization should implement a comprehensive strategy to mitigate the most critical vulnerabilities. Many organizations implement third-party solutions to help them:

  • Gain deep visibility into their cloud or hybrid environment
  • Use a single console to manage access to both cloud and on-premises data sources
  • Spot and investigate threats that could result in data loss
  • Achieve, maintain and prove regulatory compliance
Jeff is a Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.