5 Microsoft 365 Settings Worth Checking in Your Tenant

Free A concentrated professional working at a computer in a modern office setting. Stock Photo

Microsoft has tightened several default settings in Microsoft 365 over the past few years. Newer tenants get more protection out of the box than tenants set up before 2022 or so. The problem is that legacy configurations stay in place. A setting changed for new tenants in 2024 doesn’t retroactively change in yours, and historical user consents, inbox rules, or sharing links granted before the change are still active.

Here are five settings worth checking in your tenant, especially if it’s more than two or three years old, was set up by a previous IT provider, or has not been audited in a while.

A few caveats before we start. Some of these settings require Microsoft 365 Business Premium, E3, or E5 licensing to change, so if a toggle is grayed out, your license tier is most likely the reason. A couple of these changes will generate support tickets from your team because they change how something already works. None of them need to be flipped all at once.

1. The default sharing link in SharePoint and OneDrive

When someone in your organization shares a file from SharePoint or OneDrive, the link they generate has a default scope. In tenants set up before Microsoft tightened the new-site defaults, that scope is often “Anyone with the link,” which means anyone who receives the URL can open the file without signing in. No expiration. No record of who else the link was forwarded to.

Newer Teams-created sites now default to “Only people in your organization.” Older sites and the tenant-level setting often still allow Anyone links. A departing employee who emailed a proposal to their personal account six months ago still has a working link, unless someone manually revoked it.

The default sharing link type sits in the SharePoint admin center under Policies > Sharing. Switching the tenant default to “Specific people” forces every new link to require authentication. You can also set a maximum expiration for any remaining “Anyone” links so they time out automatically.

Rough time to change: 15 minutes. This has no impact on existing links until they’re regenerated.

2. External email forwarding rules

Microsoft now blocks automatic email forwarding to external addresses at the tenant level by default, through the outbound spam policy. This rolled out as part of Microsoft’s secure-by-default effort.

Forwarding rules created before that change can still be active, though, and tenants with custom outbound spam policies configured years ago may not reflect the current default. A user who set up a rule a few years ago to forward every email to a personal Gmail address may still be exporting your data, depending on how their rule was constructed and whether it predates the policy.

Verify two things. In the Microsoft Defender portal, under Email & Collaboration > Policies & Rules > Anti-spam policies > Anti-spam outbound policy, confirm the “Automatic forwarding rules” setting is set to “Off” or “Automatic – System-controlled.” Then audit existing inbox rules across your users for any forward-to-external configurations. The Microsoft Purview audit log lets you search for inbox rule creation events.

Rough time: 10 minutes to verify the tenant setting, longer to review existing rules across all mailboxes.

3. Historical third-party app consents

A Microsoft-managed user consent policy was enabled by default in July 2025, preventing users from consenting to most third-party applications that request access to their files and sites. New consent requests now route to an admin for review.

The change applies going forward. Apps that were granted user consent before the policy took effect still have whatever permissions they were given, including the ability to read mail, calendars, and files on behalf of the user. Some of those apps may be tools an employee installed years ago and no longer uses, or apps installed during a one-off project that nobody remembers approving.

To review what’s already there, go to Microsoft Entra ID > Enterprise Applications > All applications. Sort by user consent and look at what currently has access to mail, files, or calendars. Anything you don’t recognize or no longer need can be revoked from the same screen.

Rough time: 30 to 60 minutes for the review, depending on how many historical apps are in the list.

4. Mailbox and tenant audit log retention

The default audit log retention period in Microsoft 365 changed in October 2023. Audit (Standard) logs are now retained for 180 days, up from the previous 90 days. Customers with E5 licensing or the Microsoft Purview Audit (Premium) add-on get one year of retention for Exchange, SharePoint, OneDrive, and Entra ID audit records, with other activity types staying at 180 days.

If you’re in healthcare, financial services, legal, or any other regulated industry, 180 days may not match your retention obligations. HIPAA, the FTC Safeguards Rule, and most state bar rules around client data assume you can produce records on request, and the relevant period is often measured in years, not months.

Audit retention policies live in the Microsoft Purview compliance portal under Audit > Audit retention policies. Extending retention beyond 180 days requires E5 or the Purview Audit add-on. The configuration itself takes about 15 minutes once you’ve confirmed your license supports it.

5. MFA enforcement and Security Defaults

MFA enforcement is the area most likely to be inconsistent in older tenants. Microsoft introduced Security Defaults in late 2019, and the feature now enforces MFA automatically on new tenants. Microsoft has also been progressively making MFA mandatory for admin actions in the Microsoft 365 admin center and Azure portal through 2024 and 2025.

Tenants created before Security Defaults rolled out may have no baseline enforcement. There’s also a common configuration trap. When an admin enables a Conditional Access policy, which is available with Business Premium and above, Microsoft expects you to take over MFA enforcement through that policy and may turn Security Defaults off. If the transition was done quickly, you can end up with Security Defaults off and a Conditional Access policy that doesn’t cover every user.

Check three places. In the Entra ID admin center under Properties > Manage Security Defaults, confirm whether Security Defaults is on or off. Under Protection > Conditional Access, confirm a policy is actively enforcing MFA for all users, including administrators. Pay particular attention to break-glass admin accounts, which are sometimes excluded from Conditional Access for emergency access reasons and left with no MFA as a result.

Rough time: about an hour, longer if Conditional Access has been configured with several existing policies you need to map.

A sensible order to roll the changes

Some of these changes are silent to your users. Others change how something they do every day works.

Audit log retention (#4) and the historical app consent review (#3) carry no user-facing impact. Start there.

Verifying external forwarding (#2) is silent unless someone has a legitimate forwarding rule, which is rare. Do this next.

The sharing default (#1) will eventually generate user questions, particularly from anyone used to clicking “share” and pasting the link into an email. Communicate the change before you flip the tenant setting.

The MFA and Conditional Access review (#5) is the highest-stakes change and the one most likely to lock people out if it’s done badly. Save it for last and budget the time to do it properly.

Frequently asked questions

Are my Microsoft 365 settings still vulnerable if my tenant was set up recently?

New tenants get more protection out of the box than tenants set up a few years ago. Even so, certain settings, including sharing scope, app consents granted by users, and historical inbox rules, need to be reviewed in any tenant regardless of age.

What is the current Microsoft 365 default for “Anyone with the link” sharing?

At the tenant level, many existing tenants still permit “Anyone with the link” sharing. Newer Teams-created SharePoint sites default to “Only people in your organization.” Verify both the tenant-level setting and the site-level setting if you want to know what your users see in practice.

Did Microsoft turn off external email forwarding by default?

Yes. Microsoft’s outbound spam policy now blocks automatic external forwarding by default at the tenant level. Existing inbox rules created before that change may still be active and worth auditing.

How long are Microsoft 365 audit logs kept by default?

180 days for Audit (Standard), as of October 2023. One year for key workloads (Exchange, SharePoint, OneDrive, Entra ID) if you have E5 or the Microsoft Purview Audit (Premium) add-on.

Does Security Defaults cover all my users?

On a new tenant, yes, including MFA enforcement. On an older tenant that has had Conditional Access policies enabled, Security Defaults may have been turned off, and MFA coverage now depends on how Conditional Access has been configured.

Sources and further reading

If you’re not sure when your tenant was last reviewed, or whether any of these settings need attention, your IT provider should be able to walk through them with you. And if you don’t have an IT provider, feel free to reach out to us and we’ll help you sort it.

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

What Immutable Backup Means on Your Cyber Insurance Form

Free Close-up of hands analyzing insurance policy paperwork with pen on table. Stock Photo

Cyber insurance applications include a question that catches a lot of small business owners off guard: “Do you maintain immutable, air-gapped, or offline backups of your critical business data?”

Carriers added that question to renewal forms because ransomware operators worked out that the fastest way to force a payout is to wipe the backups first and encrypt everything else after. CISA, the FBI, and the Internet Crime Complaint Center have all documented this pattern as one of the most common moves in current ransomware playbooks. A business whose backup copies can be deleted using the same admin credentials an attacker just stole has no recovery path other than paying the ransom.

This post covers what immutable backup means, three common backup setups that do not qualify, the questions to send your IT provider before you sign the form, and what to do if your honest answer is no.

Immutable backup, defined

An immutable backup is one that cannot be modified or deleted for a fixed period of time, including by you, by your IT provider, and by anyone using stolen admin credentials.

The stolen credentials piece is what carriers care about. Most backup systems can be wiped by anyone with admin access. Immutability means the backup platform itself enforces the lock at the storage layer, and no credentials, however privileged, can override it during the retention window. Some platforms call this object lock, write-once-read-many, or WORM storage. The terminology varies between vendors, but the underlying control is the same.

Three common backup setups that do not qualify

Three setups come up regularly that don’t satisfy the immutability question, even though business owners often assume they do.

A NAS or external drive in your office

A network-attached storage device sitting in your server room is reachable from your network by design. If ransomware spreads across your environment, it can reach the NAS. An attacker with domain admin credentials can wipe what’s on it. An external drive that someone plugs in once a week and leaves connected has the same exposure.

These devices have a role in a broader backup strategy. On their own, they do not satisfy the immutability question.

Microsoft 365 retention treated as a backup

Microsoft 365 includes data retention features, and some businesses use them as their backup solution. They are not a backup in the sense the form is asking about. An attacker with global admin access to your tenant can delete data and purge retention holds.

Under Microsoft’s shared responsibility model, customers retain responsibility for backup and protection of their own data, separate from what Microsoft provides at the platform level.

If your only protection for Microsoft 365 data is what Microsoft provides natively, the honest answer to the immutability question is no.

A cloud backup with immutability switched off

This is the most common gap. Many reputable backup platforms include immutability as a feature, but the setting is not always enabled by default. The capability exists, and someone needs to turn it on. Your business may be paying for a backup solution that looks credible on paper while the immutability toggle sits in the off position. You cannot tell from the outside without checking.

Three questions to send your IT provider before you sign the form

Copy these into an email and send them before you check the box.

Question one: “Are our backups immutable, and if so, how long is the immutability window?”

Carrier guidance has tightened in the past two years. Most insurers want a window of at least 14 days as a floor, with 30 days increasingly cited as the preferred minimum. Attackers sometimes sit in a network for weeks before triggering ransomware, which means a backup from yesterday may already be compromised. The window needs to be long enough to give you clean restore points from before the attacker arrived.

Question two: “If our domain admin account or Microsoft 365 global admin account were stolen tomorrow, could that account be used to delete our backups?”

The correct answer is no. If the answer is yes, or if your provider is not sure, your backups are not immutable in the way the form means.

Question three: “Can you send me a screenshot or vendor documentation showing that immutability is enabled on our account?”

A provider who can send something concrete has done the work. If they come back with verbal reassurance and nothing to show, treat that as a no until they can demonstrate otherwise.

What a qualifying setup looks like

For your backup to honestly satisfy the question on the form, a few things need to be true at the same time.

The backup platform needs immutability turned on, not only available as a feature. Several major vendors including Veeam, Datto, Rubrik, and Acronis offer the capability, along with most cloud storage providers that support S3-compatible object lock. A vendor name on the invoice does not, by itself, answer the question. The setting has to be turned on, scoped properly, and tied to credentials that aren’t shared with the rest of your environment.

The backup credentials need to sit outside your regular administrative accounts. If the same login that manages your Microsoft 365 environment also controls your backup platform, a compromised admin account can reach both. A qualifying setup uses isolated credentials outside your day-to-day identity environment.

The retention window needs to be long enough. A 24-hour backup that overwrites itself daily does not help if an attacker has been in your environment for a week. CISA’s #StopRansomware Guide lists immutable, tested backups as a baseline control, and most insurers now align with that position.

Restores also need to be tested. A backup nobody has tried to restore in the past 12 months is not something you can rely on when it matters. Most carriers now ask for the date of your last successful restore test, and they want to see one.

What to do if your honest answer is no

Declare what you have on the form, and use the renewal process as the reason to fix what isn’t there.

The first step is to ask your IT provider whether immutability can be enabled on your existing platform. In many cases the platform already supports it, and turning it on is a configuration change rather than a new product purchase. If the platform supports it and nobody has switched it on, that conversation can usually be resolved in a few days.

If your provider does not know what you’re asking, or cannot give a clear answer to the three questions above, that response is itself important information. This area needs attention before your next renewal date, even if other parts of your IT setup are handled well.

One thing to avoid: do not check yes on the form to dodge a premium hike. Cyber insurance applications function as warranty documents. If a forensic investigation after a claim finds your backups did not match what you declared, the carrier can rescind the policy. Coverage is then treated as if it never existed, and any prior payouts under the same policy term can be clawed back. Misrepresentation discovered after a claim is one of the most expensive mistakes a small business can make on an insurance form.

Checking no on the form will likely cost you something at renewal, either in premium or in coverage terms. That’s a known cost, and it’s manageable. Take the hit on the application, and use the months between now and your next renewal to close the gap.

Frequently asked questions

What does immutable backup mean in plain English?

A backup that nobody can change or delete for a set period of time, even with administrator credentials. The storage platform enforces the lock at the system level, so user permissions cannot override it.

Is Microsoft 365’s built-in retention a backup?

No. Native retention can be bypassed by a global admin or by anyone who steals one. Microsoft’s shared responsibility model places backup of your data on the customer, separate from retention.

How long should the immutability window be?

Most insurers and security frameworks point to a minimum of 14 days. 30 days is increasingly the preferred floor, and some carriers want longer. A longer window gives you more confident recovery if an attacker has been inside your environment for an extended period.

Can my IT provider just turn immutability on?

Often, yes. If your backup platform supports the feature and it has not been enabled, this is a configuration change rather than a new purchase. Ask for written confirmation once it’s done.

What happens if I check yes on the form when I shouldn’t?

The carrier can rescind the policy after a claim, which voids coverage retroactively. Any prior payouts under the same policy term can also be clawed back. Misrepresentation is one of the most common reasons cyber claims are denied.

Sources and further reading

If you’re not sure where your backups stand, that’s worth raising with your IT provider before your next renewal date. They should be able to walk you through the configuration and give you a clear answer to the three questions above. And if you don’t have an IT provider, feel free to reach out to us and we’ll help you sort it.

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.