Article Summary: Microsoft has improved many Microsoft 365 security defaults over the past few years, but older tenants do not always benefit from those changes automatically. If your Microsoft 365 environment was set up before 2022, inherited from a previous IT provider, or left untouched for a while, it may still have older settings in place. These five areas are worth reviewing: file sharing, external email forwarding, third-party app consent, audit log retention, and MFA enforcement. 

Microsoft 365 may look secure from the outside, but older settings can quietly stay in place for years. 

That is especially true if your tenant was set up before 2022, inherited from another IT provider, or has not been reviewed in a while. Microsoft has improved many default security settings over time, but those changes do not always apply retroactively. Sharing links, inbox rules, app permissions, audit settings, and MFA policies created years ago may still be active today. 

In this article, we’ll walk through five Microsoft 365 settings that are worth checking in any older or previously managed tenant. You’ll learn where outdated settings commonly create risk, what each setting controls, and why reviewing them can help protect company data, reduce security gaps, and give you better visibility when something goes wrong. 

These are not changes that need to happen all at once. Some are quick checks. Others may require planning, licensing, or communication with your team. But reviewing them now can help you avoid bigger problems later. 

  1. File Sharing Defaults That May Be Too Open

File sharing is one of those everyday tasks that can quietly create risk when the defaults are too open. When someone shares a file from SharePoint or OneDrive, Microsoft 365 creates a link with a default sharing scope. In older tenants, that default is often “Anyone with the link.” 

That means anyone who receives the URL can open the file without signing in. There may be no expiration date, and there is no clear record of who else the link was forwarded to. 

For a business, this can turn into a real problem. A proposal, client document, financial file, or internal plan may remain accessible long after the original reason for sharing it has passed. Newer Teams-created sites now default to “Only people in your organization.” But older sites and tenant-level settings may still allow Anyone links. If a departing employee emailed a document link to a personal account months ago, that link may still work unless someone manually revoked it. 

This setting can be reviewed in the SharePoint admin center under Policies > Sharing. Changing the tenant default to “Specific people” means new links require authentication. A maximum expiration can also be set for any remaining “Anyone” links so they eventually time out. 

  1. Email Forwarding Rules That Can Move Data Outside Your Business

Automatic email forwarding can be convenient, but it can also move business data outside your control without much visibility. Microsoft now blocks automatic email forwarding to external addresses at the tenant level by default through the outbound spam policy. This was part of Microsoft’s secure-by-default effort. 

But older forwarding rules may still be active. And if your tenant has custom outbound spam policies from years ago, those settings may not reflect Microsoft’s current default. That means a user who once created a rule to forward all email to a personal Gmail account may still be sending company information outside the organization, depending on how the rule was created and whether it predates the policy. 

There are two things to verify. 

First, in the Microsoft Defender portal under Email & Collaboration > Policies & Rules > Anti-spam policies > Anti-spam outbound policy, the “Automatic forwarding rules” setting should be reviewed and confirmed as “Off” or “Automatic – System-controlled.” 

Second, existing inbox rules across user mailboxes should be reviewed for any forward-to-external configurations. The Microsoft Purview audit log lets you search for inbox rule creation events. 

  1. Old App Permissions That May Still Have Access

Third-party app access is easy to overlook because it often starts with one user clicking “Allow.” A Microsoft-managed user consent policy was enabled by default in July 2025. This prevents users from consenting to most third-party applications that request access to their files and sites. New consent requests now route to an admin for review. 

That helps going forward. But it does not automatically clean up older app permissions. Apps approved before that policy took effect may still have the access they were originally granted. That can include access to read mail, calendars, and files on behalf of the user. 

Some of those apps may be legitimate tools. Others may be old project tools, one-time integrations, or apps nobody has used in years. If nobody reviews them, they can continue sitting in the tenant with access they no longer need. 

Existing app access can be reviewed in Microsoft Entra ID > Enterprise Applications > All applications. Apps can be sorted by user consent and reviewed for access to mail, files, or calendars. Anything unfamiliar or no longer needed can be revoked from the same screen. 

  1. Audit Logs That May Not Go Back Far Enough

Audit logs matter most when something goes wrong. If there is a security issue, suspicious sign-in, deleted file, changed mailbox rule, or compliance request, audit logs help show what happened. But they only help if the records still exist. 

Microsoft changed the default audit log retention period in October 2023. Audit (Standard) logs are now retained for 180 days, up from the previous 90 days. Customers with E5 licensing or the Microsoft Purview Audit (Premium) add-on get one year of retention for Exchange, SharePoint, OneDrive, and Entra ID audit records. Other activity types remain at 180 days. 

For many businesses, 180 days may be enough for basic visibility. But if you are in healthcare, financial services, legal, or another regulated industry, that may not match your retention obligations. HIPAA, the FTC Safeguards Rule, and many state bar rules around client data assume records can be produced on request, and those periods are often measured in years, not months. 

Audit retention policies are managed in the Microsoft Purview compliance portal under Audit > Audit retention policies. Extending retention beyond 180 days requires E5 or the Purview Audit add-on. Once licensing is confirmed, the configuration itself takes about 15 minutes. 

  1. MFA Gaps in Older Microsoft 365 Tenants

MFA is one of the most important protections in Microsoft 365, but older tenants are often inconsistent. Microsoft introduced Security Defaults in late 2019. Today, the feature enforces MFA automatically on new tenants. Microsoft has also been progressively making MFA mandatory for admin actions in the Microsoft 365 admin center and Azure portal throughout 2024 and 2025. 

But tenants created before Security Defaults rolled out may not have that same baseline protection. 

There is also a common configuration gap. When an admin enables Conditional Access, available with Business Premium and above, Microsoft expects MFA enforcement to be handled through Conditional Access. Security Defaults may be turned off. If that transition was not planned carefully, the tenant can end up with Security Defaults off and Conditional Access policies that do not cover every user. 

That creates a false sense of security. MFA may be enabled in some places, but not consistently across the organization. 

There are three places to check. 

In the Entra ID admin center under Properties > Manage Security Defaults, they should confirm whether Security Defaults is on or off. 

Under Protection > Conditional Access, they should confirm that MFA is actively enforced for all users, including administrators. 

Break-glass admin accounts should also be reviewed. These accounts are sometimes excluded from Conditional Access for emergency access reasons, but they should not be left with no MFA protection. 

Conclusion

Not every setting has the same impact on users. Some changes are quiet. Others affect how people share files, access systems, or sign in. Start with the settings that do not interrupt daily work. Audit log retention (#4) and the historical app consent review (#3) are good first steps because they do not change how users work. 

Next, verify external forwarding (#2). This is usually silent unless someone has a legitimate forwarding rule, which is rare. After that, review the sharing default (#1). This may create questions from users who are used to clicking “share” and pasting a link into an email. Communicate the change before adjusting the tenant setting. 

Save MFA and Conditional Access (#5) for last. It is the highest-stakes change and the one most likely to lock people out if it is handled poorly.  

If your Microsoft 365 tenant has not been reviewed in a while, this is a good time to take a closer look. Atekro can help you understand what is already in place, where older settings may be creating risk, and what should be adjusted to better protect your business. 

FAQs

Are my Microsoft 365 settings still vulnerable if my tenant was set up recently? 

New tenants usually have stronger defaults than tenants created several years ago. Even so, settings like sharing scope, user-approved app consents, and historical inbox rules are still worth reviewing in any tenant. 

What is the current Microsoft 365 default for “Anyone with the link” sharing? 

Many existing tenants still permit “Anyone with the link” sharing at the tenant level. Newer Teams-created SharePoint sites default to “Only people in your organization.” To understand what users actually see, check both the tenant-level setting and the site-level setting. 

Did Microsoft turn off external email forwarding by default? 

Yes. Microsoft’s outbound spam policy now blocks automatic external forwarding by default at the tenant level. However, inbox rules created before that change may still be active and should be reviewed. 

How long are Microsoft 365 audit logs kept by default? 

Audit (Standard) logs are retained for 180 days as of October 2023. With E5 licensing or the Microsoft Purview Audit (Premium) add-on, key workloads such as Exchange, SharePoint, OneDrive, and Entra ID receive one year of retention. 

Does Security Defaults cover all my users? 

On a new tenant, Security Defaults provides baseline MFA enforcement. In an older tenant where Conditional Access has been enabled, Security Defaults may have been turned off, so MFA coverage depends on how Conditional Access policies were configured. 

Not sure if your IT is truly supporting your growth?

Let’s have a conversation and see if we’re the right partner for you.

  • Talk through your current challenges and goals
  • Get an outside perspective on what’s working, and what’s not
  • Understand how we typically help businesses like yours

Love This Article? Share It!

Related Posts

STAY IN THE LOOP

Subscribe to our free newsletter.

By selecting "Get the Atekro news", I agree that Atekro will process my personal information in accordance with the Atekro Privacy Policy.