Introduction
Microsoft 365 is the backbone of most small business operations — email, file storage, video calls, and collaboration all run through it. But most small businesses set it up once and never look at it again. That’s a problem.
After years of managing enterprise Microsoft 365 environments, I’ve seen the same security gaps show up repeatedly — even in businesses that think their setup is fine. Here are the five most common mistakes, and what you should do about them.
Mistake 1: Multi-Factor Authentication Is Not Enabled for All Users
This is the single most common, and most dangerous, gap. Microsoft's own published data shows that MFA blocks more than 99% of password-based account compromise attempts. Yet many small businesses either haven't enabled it, or have only enabled it for some users.
It only takes one unprotected account for an attacker to gain access to your email, files, and internal systems. A compromised Microsoft 365 account can lead to business email fraud, data theft, and ransomware — all from a single weak password.
What to do: Require MFA for every user in your Microsoft 365 tenant, with no exceptions beyond a monitored break-glass account. Prefer Microsoft Authenticator (with number matching) or a passkey/FIDO2 key over SMS and voice calls, which are exposed to SIM swapping. Be aware that push- and code-based MFA can still be bypassed by attacker-in-the-middle phishing kits that steal the signed-in session, so phishing-resistant methods are the goal for admin accounts at least. Security Defaults are available on every tenant at no cost and turn MFA on for everyone; Conditional Access, included with Business Premium through Entra ID P1, lets you scope policies more precisely. The two are mutually exclusive: turn Security Defaults off only once a Conditional Access policy requiring MFA is in place and has been tested in report-only mode.
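Before enforcing anything, find out who is not registered and who is relying on phone-based methods only. The script below is an added example, not part of the original post, using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph.Reports module is installed and the signed-in admin can consent to the two read-only scopes. The classification of "phone-only" methods is my own, not a Microsoft field.

```powershell
# Added example (not from the original post): audit MFA registration across
# the tenant with the Microsoft Graph PowerShell SDK.
# One-time: Install-Module Microsoft.Graph.Reports -Scope CurrentUser
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

# Phone-based methods satisfy MFA but are the weakest (SIM swap, SMS/voice
# interception). Email and security questions are SSPR-only, not MFA at all.
$PhoneOnlyMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
$NotMfaMethods    = @('email', 'securityQuestion')

function Get-MfaGapReport {
    $details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

    foreach ($d in $details) {
        # Guests are enforced by their home tenant; only report members.
        if ($d.UserType -ne 'member') { continue }

        $strong = @($d.MethodsRegistered | Where-Object {
            $_ -notin $PhoneOnlyMethods -and $_ -notin $NotMfaMethods
        })

        $status = if (-not $d.IsMfaRegistered) { 'NO-MFA' }
                  elseif ($strong.Count -eq 0)  { 'PHONE-ONLY' }
                  else                          { 'OK' }

        [pscustomobject]@{
            User    = $d.UserPrincipalName
            IsAdmin = $d.IsAdmin          # admins without MFA go to the top of the list
            Status  = $status
            Methods = ($d.MethodsRegistered -join ',')
        }
    }
}

$report = Get-MfaGapReport

# Show only the problems, admins first.
$report |
    Where-Object Status -ne 'OK' |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, Status |
    Format-Table -AutoSize

# CSV for the remediation ticket (path is a placeholder).
$report | Export-Csv -Path .\mfa-gap-report.csv -NoTypeInformation
```

Anyone listed as NO-MFA gets locked out the moment a Conditional Access policy is enforced, so run this first, chase registration, then enforce; the PHONE-ONLY group is the follow-up campaign to move onto Authenticator or passkeys.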
Mistake 2: Former Employee Accounts Are Still Active
When someone leaves a business, their Microsoft 365 account often stays active — sometimes for months. This means their login credentials still work, they can still access company email and files, and if their password was ever shared or compromised, an attacker has an open door.
I regularly find accounts belonging to staff who left over a year ago, still licensed and still accessible. In regulated industries this is also a compliance issue.
What to do: When an employee leaves, block sign-in to their account immediately, revoke active sessions so that already-issued refresh tokens stop working, and remove or reassign their licences. Two caveats a checklist should capture: convert the mailbox to a shared mailbox before removing the Exchange licence if the business still needs that mail (an unlicensed mailbox is deleted after a 30-day grace period), and reset the password even on a blocked account, since a blocked account can be re-enabled by mistake later. Set up an offboarding checklist that includes Microsoft 365 account deactivation as a required step, and review for stale accounts periodically rather than relying on the checklist alone.
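Two things are worth automating here: finding accounts that are still enabled and licensed but have not signed in for months, and a repeatable offboarding routine. The following is an added example, not from the original post, using the Microsoft Graph PowerShell SDK. Reading sign-in activity requires Entra ID P1 (included in Business Premium), and the scopes below are the minimum I assume for these calls; the UPN at the end is a placeholder.

```powershell
# Added example (not from the original post): stale-account report and a
# leaver routine with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All',
                        'Directory.ReadWrite.All', 'Organization.Read.All' -NoWelcome

# 1. Enabled, licensed accounts with no interactive sign-in for $Days days
#    (or that have never signed in at all).
function Get-StaleLicensedUser {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled,assignedLicenses,signInActivity' |
        Where-Object {
            $_.AccountEnabled -and
            $_.AssignedLicenses.Count -gt 0 -and
            ( -not $_.SignInActivity.LastSignInDateTime -or
              $_.SignInActivity.LastSignInDateTime -lt $cutoff )
        } |
        Select-Object UserPrincipalName,
                      @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } },
                      @{ n = 'Licences';   e = { $_.AssignedLicenses.Count } }
}

# 2. Offboard one account. Order matters: block sign-in first, then revoke
#    sessions, so a still-valid refresh token cannot be used to get a new one.
function Disable-LeaverAccount {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null   # invalidates refresh tokens

    # CAUTION: removing the Exchange licence starts the 30-day mailbox deletion
    # clock. Convert the mailbox to shared in Exchange Online first if the
    # business needs to keep the mail (not automated here).
    $skus = @((Get-MgUserLicenseDetail -UserId $UserPrincipalName).SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $UserPrincipalName -RemoveLicenses $skus -AddLicenses @() | Out-Null
    }

    [pscustomobject]@{
        User            = $UserPrincipalName
        SignInBlocked   = $true
        LicencesRemoved = $skus.Count
    }
}

Get-StaleLicensedUser -Days 90 | Format-Table -AutoSize

# Disable-LeaverAccount -UserPrincipalName 'former.employee@contoso.com'   # placeholder UPN
```

The stale-account query deliberately ignores disabled accounts: a disabled-but-licensed account is a billing problem, not a security one. Group membership and app-specific access (shared mailbox delegation, Teams ownership) are not touched by this routine and still belong on the checklist.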
Mistake 3: Everyone Is a Global Administrator
Global Administrator is the highest permission level in Microsoft 365. It gives full control over everything — user accounts, billing, security settings, all data. Many small businesses give this role to multiple people “just in case.”
The problem is that every Global Admin account is a high-value target. If any one of them is compromised, the attacker has complete control of your entire Microsoft 365 environment. There’s no limit to the damage they can do.
What to do: Limit Global Administrator accounts to a maximum of two, ideally one for day-to-day administration and one as an emergency break-glass account (Microsoft's own guidance is at least two and fewer than five, so two sits comfortably inside it). Both should be dedicated, cloud-only accounts that are not used for email or daily work, so that a phishing email landing in someone's inbox never lands in a Global Admin's inbox. The break-glass account is normally excluded from Conditional Access so it still works if a policy misfires, which is exactly why its sign-ins should be alerted on and its password kept offline. Use more limited roles (like User Administrator or Exchange Administrator) for staff who only need access to specific areas.
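To see who actually holds the role today, query it by its template ID rather than by display name. This is an added example, not from the original post, using the Microsoft Graph PowerShell SDK; the template ID is Microsoft's fixed identifier for Global Administrator and is the same in every tenant. The "Licensed" heuristic is my own: a licensed Global Admin is usually also someone's daily mailbox.

```powershell
# Added example (not from the original post): enumerate Global Administrators
# and flag the properties that make a GA account a liability.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

# Well-known role template ID for Global Administrator (identical in all tenants).
$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'

function Get-GlobalAdminReport {
    # Get-MgDirectoryRole only returns roles that have been activated; if the
    # role has never been activated, nobody holds it.
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$GlobalAdminTemplateId'"
    if (-not $role) { return }

    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $type = $m.AdditionalProperties['@odata.type']

        if ($type -ne '#microsoft.graph.user') {
            # Groups or service principals holding GA deserve their own review.
            [pscustomobject]@{ Principal = $m.Id; Type = $type; Enabled = $null; SyncedFromAD = $null; Licensed = $null }
            continue
        }

        $u = Get-MgUser -UserId $m.Id -Property 'userPrincipalName,accountEnabled,onPremisesSyncEnabled,assignedLicenses'
        [pscustomobject]@{
            Principal    = $u.UserPrincipalName
            Type         = 'user'
            Enabled      = $u.AccountEnabled
            SyncedFromAD = [bool]$u.OnPremisesSyncEnabled      # an on-prem AD compromise becomes a tenant compromise
            Licensed     = ($u.AssignedLicenses.Count -gt 0)   # heuristic: licensed GA = probably a daily-use account
        }
    }
}

$gas = @(Get-GlobalAdminReport)
$gas | Format-Table -AutoSize

if ($gas.Count -gt 2) {
    Write-Warning "$($gas.Count) Global Administrators found; target is two (one daily admin, one break-glass)."
}
```

This lists permanent assignments only. Eligible (just-in-time) assignments through Privileged Identity Management need Entra ID P2, which Business Premium does not include, so on these tenants the permanent list is the whole picture.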
Mistake 4: External Sharing in SharePoint and OneDrive Is Wide Open
Microsoft 365's default sharing settings are designed for collaboration, which means they're often more permissive than a small business realises. The tenant-level external sharing setting for SharePoint and OneDrive defaults to "Anyone", so files can be shared with anyone who has the link, no sign-in required.
This means sensitive documents — financial reports, client data, contracts — can end up accessible to anyone on the internet if a sharing link is forwarded or posted publicly, even by accident.
What to do: Review your sharing settings in the SharePoint admin center (Policies, then Sharing; it is linked from the Microsoft 365 admin center). Set external sharing to "New and existing guests" at minimum so that every external recipient has to sign in, make "Only people in your organization" the default link type, and disable anonymous "Anyone" links unless there is a specific business need for them, in which case give them an expiry. Note that tightening the tenant setting stops existing Anyone links from working, so warn staff before you flip it. The tenant setting is a ceiling: individual sites and OneDrives can be made stricter but not looser.
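The same review can be done from PowerShell, with the weak defaults compared against a target baseline before anything is changed. This is an added example, not from the original post; it needs the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator, and "contoso" is a placeholder tenant name. The baseline values are my recommendation, matching the advice above.

```powershell
# Added example (not from the original post): compare tenant sharing settings
# against a hardened baseline, then apply it.
# One-time: Install-Module Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# SharingCapability values, loosest to strictest:
#   ExternalUserAndGuestSharing  = "Anyone" links, no sign-in   (the default)
#   ExternalUserSharingOnly      = new and existing guests, sign-in required
#   ExistingExternalUserSharingOnly, Disabled
$Baseline = @{
    SharingCapability                 = 'ExternalUserSharingOnly'
    OneDriveSharingCapability         = 'ExternalUserSharingOnly'   # cannot exceed the tenant, but set it explicitly
    DefaultSharingLinkType            = 'Internal'                  # new links default to "people in your organization"
    DefaultLinkPermission             = 'View'                      # read-only unless the sharer chooses Edit
    PreventExternalUsersFromResharing = $true                       # guests cannot forward access onward
}

function Test-SharingBaseline {
    $t = Get-SPOTenant
    foreach ($k in $Baseline.Keys) {
        [pscustomobject]@{
            Setting  = $k
            Current  = $t.$k
            Expected = $Baseline[$k]
            Ok       = ("$($t.$k)" -eq "$($Baseline[$k])")
        }
    }
}

function Set-SharingBaseline {
    # Splatting the hashtable turns each key into a Set-SPOTenant parameter.
    Set-SPOTenant @Baseline
}

Test-SharingBaseline | Format-Table -AutoSize

# Sites explicitly set to "Anyone" are worth knowing about even though the
# tenant ceiling will cap them once the baseline is applied.
Get-SPOSite -Limit All |
    Where-Object SharingCapability -eq 'ExternalUserAndGuestSharing' |
    Select-Object Url, SharingCapability

# Set-SharingBaseline   # uncomment after reviewing the Test output and warning users
```

Run the test part first and keep its output: a row with Ok = False is a finding for the report, and the same command run after applying the baseline is the evidence that it was fixed.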
Mistake 5: Microsoft Defender for Business Is Not Configured
Many Microsoft 365 Business Premium subscribers don't realise they already have Microsoft Defender for Business included in their plan. It is endpoint protection for the business's devices: next-generation antivirus, endpoint detection and response, attack surface reduction rules, and automated investigation. (Phishing protection for mail comes from Defender for Office 365 Plan 1, which Business Premium also includes.) None of it does anything for a device that has never been onboarded.
Leaving Defender unconfigured is like paying for a security system and never turning it on. The licence is there, but you're getting no protection.
What to do: If you're on Microsoft 365 Business Premium, go to security.microsoft.com and check whether Defender for Business is active and your devices are onboarded (Assets, then Devices, should list every laptop and desktop the business owns). Onboarding is done through Intune, which Business Premium also includes, or with the local onboarding script the portal generates; either way, also turn on tamper protection so malware cannot switch Defender off. If you're not on Business Premium, consider whether the upgrade cost is justified by the security improvement. For most businesses it is.
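The portal shows the tenant-wide view; on an individual Windows device the onboarded state can be checked locally. The script below is an added example, not from the original post, to be run as an administrator on the device. It reads the documented onboarding status registry key and the Sense sensor service, and uses Get-MpComputerStatus for the antivirus side; the list of "problems" at the end is my own checklist.

```powershell
# Added example (not from the original post): local check that a Windows
# device is onboarded to Defender for Business and in a protective state.
function Get-DefenderOnboardingState {
    # OnboardingState = 1 once the device has registered with the service.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    if (Test-Path $statusKey) {
        $state     = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }

    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the EDR sensor service
    $mp    = Get-MpComputerStatus                                     # built-in Defender AV status

    [pscustomobject]@{
        Onboarded          = $onboarded
        SensorRunning      = ($null -ne $sense -and $sense.Status -eq 'Running')
        AntivirusEnabled   = $mp.AntivirusEnabled
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        TamperProtection   = $mp.IsTamperProtected
        RunningMode        = $mp.AMRunningMode          # 'Normal' is the goal; passive modes mean another AV owns the device
        SignatureAgeDays   = $mp.AntivirusSignatureAge
    }
}

function Get-DefenderProblems {
    param([Parameter(Mandatory)]$State)
    $problems = @()
    if (-not $State.Onboarded)          { $problems += 'Not onboarded: deploy the onboarding package from security.microsoft.com (Intune or local script).' }
    if (-not $State.SensorRunning)      { $problems += 'Sense service is not running; the portal will not receive telemetry from this device.' }
    if (-not $State.RealTimeProtection) { $problems += 'Real-time protection is off.' }
    if (-not $State.TamperProtection)   { $problems += 'Tamper protection is off: malware can disable Defender before dropping ransomware.' }
    if ($State.SignatureAgeDays -gt 7)  { $problems += "Signatures are $($State.SignatureAgeDays) days old; check update connectivity." }
    return $problems
}

$state = Get-DefenderOnboardingState
$state | Format-List
Get-DefenderProblems -State $state
```

A device that reports Onboarded = True but SensorRunning = False is the case to watch for: it appears in the portal's inventory from its initial check-in, then quietly stops reporting.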
How Many of These Apply to Your Business?
If you recognise one or more of these mistakes in your own Microsoft 365 setup, you’re not alone — these are the most common issues found in small business M365 environments. The good news is that all of them are fixable.
A Microsoft 365 configuration review covers all of these issues and more, delivering a written report with risk ratings and a step-by-step remediation plan your team can act on immediately.
If you’d like to know exactly where your Microsoft 365 environment stands, book a free 30-minute discovery call. No commitment, no sales pitch — just a clear conversation about your setup.