The Top 5 M365 Security Gaps MSPs Find in New Customer Tenants

Cybersecurity
Written by
Alex Araujo
Published on
June 24, 2026


Most MSPs don’t have a security problem because they are missing tools; they have one because the tools they already have aren’t properly configured.

Microsoft 365 includes a wide range of powerful security features designed to protect identities, data, and access. Over time, however, tenant configurations change: users are added, permissions are expanded, policies are adjusted, and temporary “duct tape” solutions become permanent.

For MSPs onboarding a new customer, one of the biggest challenges is quickly understanding where and how these security gaps exist. Tenants may appear secure at first glance, but a deeper review often reveals configuration issues that increase risk.

Here are five of the most common M365 security gaps MSPs discover.

  1. MFA is enabled but not fully enforced.

MFA is one of the most important security controls available in M365, but enabling it does not mean every account is protected. Common issues include…

  • Users excluded from MFA policies
  • Incomplete user enrollment
  • Legacy authentication still enabled
  • Admin accounts without stronger authentication requirements
  • Old exceptions that were never removed

The key question is not “Is MFA enabled?” but “Is MFA consistently enforced across every account that needs protection?”

A secure environment requires more than turning on a feature; it requires verifying that the configuration actually applies to every account it is meant to cover.
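The following script is an added example for this review step, not Octiga’s own code. It uses the Microsoft Graph PowerShell SDK to pull the tenant’s authentication method registration report and lists enabled member accounts that have no MFA method registered, plus accounts whose only second factor is SMS or voice. The scopes, the set of method names treated as “phone only”, and the choice to skip guests and disabled accounts are assumptions made for the example.

```powershell
# Added example, not Octiga's code: find enabled member accounts that are not MFA-registered,
# and registered accounts whose only MFA methods are SMS/voice, using the Graph
# "user registration details" report. Assumes the Microsoft.Graph SDK is installed and the
# signed-in account can consent to the scopes below.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' -NoWelcome

function Get-MfaGapReport {
    param(
        [object[]]$RegistrationDetails,   # output of Get-MgReportAuthenticationMethodUserRegistrationDetail
        [hashtable]$EnabledMembers        # objectId -> user, for enabled, non-guest accounts
    )
    # Method names as they appear in MethodsRegistered. Password, email, security questions and a
    # Temporary Access Pass do not count as a second factor; phone methods do, but weakly (assumed sets).
    $notMfa    = @('password', 'email', 'securityQuestion', 'temporaryAccessPass')
    $phoneOnly = @('mobilePhone', 'alternateMobilePhone', 'officePhone')

    foreach ($r in $RegistrationDetails) {
        if (-not $EnabledMembers.ContainsKey($r.Id)) { continue }   # skip guests and disabled accounts

        $mfaMethods = @($r.MethodsRegistered | Where-Object { $_ -notin $notMfa })
        $finding = if (-not $r.IsMfaRegistered) {
            'NoMfaRegistered'
        } elseif ($mfaMethods.Count -gt 0 -and -not @($mfaMethods | Where-Object { $_ -notin $phoneOnly })) {
            'PhoneOnlyMfa'
        }
        if ($finding) {
            [pscustomobject]@{
                User    = $r.UserPrincipalName
                IsAdmin = $r.IsAdmin          # report flags members of admin roles
                Finding = $finding
                Methods = ($r.MethodsRegistered -join ', ')
            }
        }
    }
}

# Enabled, non-guest accounts; the registration report itself does not say whether an account is enabled.
$enabledMembers = @{}
Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType |
    Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' } |
    ForEach-Object { $enabledMembers[$_.Id] = $_ }

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$report  = @(Get-MfaGapReport -RegistrationDetails $details -EnabledMembers $enabledMembers)

$report | Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, User | Format-Table -AutoSize
"Enabled members checked: $($enabledMembers.Count)"
"Not MFA-registered:      $(@($report | Where-Object Finding -eq 'NoMfaRegistered').Count)"
"Admins not registered:   $(@($report | Where-Object { $_.IsAdmin -and $_.Finding -eq 'NoMfaRegistered' }).Count)"
```

Registration is not enforcement: a user who has registered a method but is excluded from every Conditional Access policy is never challenged, and a policy left in report-only mode enforces nothing. Treat this report as the enrollment half of the check and review the policies separately.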

  2. Weak conditional access policies

Conditional access gives MSPs control over who can access M365 resources, from where, and under what conditions. When configured correctly, these policies enforce requirements such as…

  • Requiring MFA
  • Protecting administrator accounts
  • Blocking risky sign-ins
  • Restricting access based on device and location

However, many tenants have incomplete or inconsistent conditional access policies. For example:

  • Missing policies
  • Policies with broad exclusions that leave users uncovered
  • Under-protected privileged accounts

For MSPs managing multiple tenants, keeping conditional access policies consistent is difficult without a repeatable process and a “golden” baseline to compare each tenant against.
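The script below is an added example of such a baseline check, not Octiga’s product or code. It reads every Conditional Access policy through the Graph SDK, tests for three policies a tenant should have (MFA for all users on all cloud apps, a block for legacy client apps, and MFA on directory roles), reports policies left in report-only or disabled state, and lists the user and group exclusions on each active policy with their names resolved. The scopes and the three baseline rules are assumptions chosen for the example; substitute your own golden standard.

```powershell
# Added example, not Octiga's code: compare Conditional Access against a minimal baseline
# (MFA for all users on all cloud apps, a block for legacy client apps, MFA on admin roles)
# and list every exclusion so stale exceptions are visible. Assumes the Microsoft.Graph SDK
# and an account allowed to read policies and resolve directory objects by id.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

function Test-CaRequiresMfa {
    param($Policy)
    # Either the classic 'mfa' grant control or an authentication strength (e.g. phishing-resistant).
    ($Policy.GrantControls.BuiltInControls -contains 'mfa') -or
        ($null -ne $Policy.GrantControls.AuthenticationStrength.Id)
}

function Join-PolicyNames {
    param([object[]]$Policies)
    $list = @($Policies | Where-Object { $_ })
    if ($list.Count -gt 0) { $list.DisplayName -join '; ' } else { '(none)' }
}

function Test-CaBaseline {
    param([object[]]$Policies)
    $enabled = @($Policies | Where-Object State -eq 'enabled')   # report-only and disabled protect nobody
    $mfaForAll = $enabled | Where-Object {
        (Test-CaRequiresMfa $_) -and
        ($_.Conditions.Users.IncludeUsers -contains 'All') -and
        ($_.Conditions.Applications.IncludeApplications -contains 'All')
    }
    # Shape of Microsoft's "block legacy authentication" template: block, all users, ActiveSync + other clients.
    $legacyBlocked = $enabled | Where-Object {
        ($_.GrantControls.BuiltInControls -contains 'block') -and
        ($_.Conditions.ClientAppTypes -contains 'exchangeActiveSync') -and
        ($_.Conditions.ClientAppTypes -contains 'other') -and
        ($_.Conditions.Users.IncludeUsers -contains 'All')
    }
    $adminMfa = $enabled | Where-Object {
        (Test-CaRequiresMfa $_) -and (($_.Conditions.Users.IncludeRoles | Measure-Object).Count -gt 0)
    }
    [pscustomobject]@{
        MfaForAllUsers       = Join-PolicyNames $mfaForAll
        LegacyAuthBlocked    = Join-PolicyNames $legacyBlocked
        AdminRolesRequireMfa = Join-PolicyNames $adminMfa
        ReportOnly           = Join-PolicyNames ($Policies | Where-Object State -eq 'enabledForReportingButNotEnforced')
        Disabled             = Join-PolicyNames ($Policies | Where-Object State -eq 'disabled')
    }
}

function Get-CaExclusions {
    param([object[]]$Policies)
    foreach ($p in ($Policies | Where-Object State -ne 'disabled')) {
        $u = $p.Conditions.Users
        # Excluded users and groups are directory objects and can be resolved to names; roles are template ids.
        $ids = @(@($u.ExcludeUsers) + @($u.ExcludeGroups) | Where-Object { $_ -and $_ -ne 'GuestsOrExternalUsers' })
        $names = if ($ids.Count -gt 0) {
            Get-MgDirectoryObjectById -Ids $ids | ForEach-Object { $_.AdditionalProperties['displayName'] }
        }
        [pscustomobject]@{
            Policy         = $p.DisplayName
            State          = $p.State
            ExcludedUsers  = ($u.ExcludeUsers  | Measure-Object).Count
            ExcludedGroups = ($u.ExcludeGroups | Measure-Object).Count
            ExcludedRoles  = ($u.ExcludeRoles  | Measure-Object).Count
            Names          = (@($names) -join ', ')
        }
    }
}

$policies = Get-MgIdentityConditionalAccessPolicy -All
Test-CaBaseline -Policies $policies | Format-List
Get-CaExclusions -Policies $policies | Sort-Object ExcludedGroups, ExcludedUsers -Descending | Format-Table -AutoSize
```

A policy that excludes a group named something like “CA Exceptions” is only as safe as that group’s membership, so follow the group count with a membership review. Conditional Access also only governs requests that reach Entra ID; SMTP AUTH in Exchange Online is controlled separately (`Get-TransportConfig` shows `SmtpClientAuthenticationDisabled`), and both halves need to be checked before legacy authentication can be called closed.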

  3. Dormant accounts that still have access

Inactive accounts are a common security blind spot. In fact, this is the reason that Octiga was founded!

A former employee of the customer may still have an active account. A test account created months ago may never have been removed. A temporary account created for a project may still have access long after the project has ended. Each of these accounts enlarges the attack surface that threat actors can take advantage of.

During a tenant review, MSPs should look for…

  • Inactive user or test accounts
  • Former employee accounts
  • Unused administrator accounts
  • Guest users that no longer need access
  • Service accounts with unnecessary permissions

Reducing unused accounts is one of the simplest ways to harden your M365 tenants.
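The script below is an added example of this review, not Octiga’s code. It pulls every user with Graph’s sign-in activity property, reports enabled accounts (members and guests) with no interactive or non-interactive sign-in in the last 90 days or that never signed in, and annotates each with whether it still holds a licence or a directory role. The 90-day threshold and the scopes are assumptions; sign-in activity data requires a Microsoft Entra ID P1 or P2 licence in the tenant.

```powershell
# Added example, not Octiga's code: list enabled accounts with no sign-in in the last
# $StaleDays days (90 is an assumed threshold), including guests and accounts that never
# signed in, with their licence and privileged-role status. Assumes the Microsoft.Graph SDK;
# the signInActivity property requires Entra ID P1/P2.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

function Get-DormantAccountReport {
    param([object[]]$Users, [datetime]$Cutoff, [hashtable]$PrivilegedRoles)
    foreach ($u in $Users) {
        if (-not $u.AccountEnabled) { continue }   # already-disabled accounts are a separate cleanup list
        # Interactive and non-interactive (token refresh, background sync) sign-ins both count as activity.
        $stamps = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ }
        $latest = $stamps | Sort-Object -Descending | Select-Object -First 1
        $reason = if (-not $latest) {
            if ($u.CreatedDateTime -lt $Cutoff) { 'NeverSignedIn' }   # new accounts get a grace period
        } elseif ($latest -lt $Cutoff) {
            'Inactive'
        }
        if (-not $reason) { continue }
        [pscustomobject]@{
            User       = $u.UserPrincipalName
            Type       = $u.UserType              # Member or Guest
            Reason     = $reason
            LastSignIn = $latest
            Created    = $u.CreatedDateTime
            Licensed   = (($u.AssignedLicenses | Measure-Object).Count -gt 0)
            Role       = $PrivilegedRoles[$u.Id]  # $null when the account holds no activated directory role
        }
    }
}

# userId -> role name for every member of an activated directory role (unused admin accounts stand out).
$privileged = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) { $privileged[$m.Id] = $role.DisplayName }
}

$StaleDays = 90
$users  = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, UserType, CreatedDateTime, AssignedLicenses, SignInActivity
$report = @(Get-DormantAccountReport -Users $users -Cutoff (Get-Date).AddDays(-$StaleDays) -PrivilegedRoles $privileged)

$report | Sort-Object { $null -eq $_.Role }, LastSignIn | Format-Table -AutoSize
"Dormant guests:             $(@($report | Where-Object Type -eq 'Guest').Count)"
"Dormant privileged users:   $(@($report | Where-Object Role).Count)"
"Dormant but still licensed: $(@($report | Where-Object Licensed).Count)"
```

Service accounts show up here as members that never sign in interactively, so check the non-interactive timestamp before disabling anything, and look at their role and permission assignments rather than only their age.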

  4. Mailbox vulnerabilities

Email remains one of the most targeted areas in M365 tenants. A compromised mailbox can provide attackers with access to sensitive files, confidential information, and financial data. Common mailbox security vulnerabilities include:

  • External forwarding and suspicious inbox rules
  • Excessive mailbox permissions
  • Unmonitored mailbox access
  • Admin accounts with mailboxes

Attackers often use mailbox rules and forwarding settings to maintain access, hide their activity, or move information outside the organization. Regular mailbox security reviews can help identify these risks before they become incidents.
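The script below is an added example of such a mailbox review, not Octiga’s code. Using the ExchangeOnlineManagement module it checks the tenant-level auto-forwarding settings, per-mailbox forwarding, inbox rules that forward, redirect or delete mail, and explicit Full Access grants. “External” is defined as any address outside the tenant’s accepted domains; that definition, and the choice to treat every delete rule as worth a look, are assumptions made for the example.

```powershell
# Added example, not Octiga's code: review Exchange Online for the mailbox gaps listed above:
# tenant-level auto-forwarding, per-mailbox forwarding, inbox rules that forward, redirect or
# delete, and explicit Full Access grants. Assumes the ExchangeOnlineManagement module and an
# account with Exchange admin rights; accepted domains define "internal".
Connect-ExchangeOnline -ShowBanner:$false
$internalDomains = @((Get-AcceptedDomain).DomainName)

function Get-ExternalAddresses {
    # Returns the SMTP addresses in $Recipients that are outside the accepted domains.
    # Rule recipients render as '"Name" [SMTP:user@example.net]', mailbox forwarding as
    # 'smtp:user@example.net'; internal recipients may carry no SMTP address and are skipped.
    param([object[]]$Recipients, [string[]]$InternalDomains)
    foreach ($r in @($Recipients)) {
        $text = [string]$r
        if ($text -match 'SMTP:([^\]\s]+)') { $addr = $Matches[1] } else { $addr = $text }
        if ($addr -notmatch '@') { continue }
        if ((($addr -split '@')[-1]) -notin $InternalDomains) { $addr }
    }
}

# 1. Tenant-wide: the outbound spam policy and remote domains should not allow automatic forwarding.
Get-HostedOutboundSpamFilterPolicy | Where-Object AutoForwardingMode -ne 'Off' |
    ForEach-Object { "Outbound spam policy '$($_.Name)' allows auto-forwarding: $($_.AutoForwardingMode)" }
Get-RemoteDomain | Where-Object AutoForwardEnabled |
    ForEach-Object { "Remote domain '$($_.Name)' has AutoForwardEnabled" }

$mailboxes = Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward, RecipientTypeDetails
$findings = foreach ($mb in $mailboxes) {
    # 2. Forwarding set on the mailbox itself (by an admin, or by the user in Outlook settings).
    if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Type = 'MailboxForwarding'
                           Detail = "$($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress) (keepCopy=$($mb.DeliverToMailboxAndForward))" }
    }
    # 3. Inbox rules: external forward/redirect or silent deletion is the classic persistence pattern.
    foreach ($rule in Get-InboxRule -Mailbox $mb.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $ext = @(Get-ExternalAddresses -Recipients $targets -InternalDomains $internalDomains)
        if ($ext.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Type = 'InboxRule'
                               Detail = "'$($rule.Name)' enabled=$($rule.Enabled) delete=$($rule.DeleteMessage) external=$($ext -join ',')" }
        }
    }
    # 4. Explicit Full Access grants to other principals (inherited and system entries skipped).
    foreach ($perm in Get-EXOMailboxPermission -Identity $mb.UserPrincipalName -ErrorAction SilentlyContinue) {
        if ($perm.IsInherited -or $perm.Deny -or $perm.User -like 'NT AUTHORITY\*') { continue }
        if ($perm.AccessRights -contains 'FullAccess') {
            [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Type = 'FullAccess'; Detail = $perm.User }
        }
    }
}
$findings | Sort-Object Type, Mailbox | Format-Table -AutoSize
```

Treat any Full Access entry that is a bare SID rather than a resolvable name as an orphaned grant from a deleted account and remove it; and for every external forward, check the rule’s creation time against the unified audit log before assuming it is legitimate.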

  5. Excessive permissions

Over time, user permissions tend to grow. Someone needs temporary access, a user changes roles, or an administrator account is created, and these permissions are not always reviewed afterward. The result is a common security issue: users and administrators have more access than they really need.

MSPs should regularly review the following:

  • Global administrators
  • Privileged roles
  • Group memberships
  • Shared mailbox permissions and sign-in status
  • External access

Following the principle of least privilege limits what a compromised account can reach, helping protect your clients’ data.
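The script below is an added example for this review, not Octiga’s code. It inventories every activated directory role and its members through the Graph SDK, counts Global Administrators against a limit, flags non-user principals (groups, service principals) holding roles, lists privileged users who also hold a regular user mailbox, and finds shared mailboxes whose Entra ID account can still sign in. The Global Administrator limit of five reflects Microsoft’s published guidance; the scopes, the limit and the use of both the Graph and Exchange Online modules are assumptions for the example.

```powershell
# Added example, not Octiga's code: inventory privileged role assignments and flag common
# over-permissioning: too many Global Administrators, non-user principals in roles, admins
# that also hold a user mailbox, and shared mailboxes with sign-in still enabled.
# Assumes the Microsoft.Graph SDK and ExchangeOnlineManagement modules.
Connect-MgGraph -Scopes 'Directory.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$GlobalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # well-known roleTemplateId for Global Administrator
$MaxGlobalAdmins = 5                                                # Microsoft's guidance; assumed as the threshold here

function Get-PrivilegedAssignments {
    # Get-MgDirectoryRole returns only roles that have been activated in the tenant.
    # Members are directoryObjects: users, groups or service principals.
    foreach ($role in Get-MgDirectoryRole -All) {
        foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
            $name = $m.AdditionalProperties['userPrincipalName']
            if (-not $name) { $name = $m.AdditionalProperties['displayName'] }
            [pscustomobject]@{
                Role          = $role.DisplayName
                IsGlobalAdmin = ($role.RoleTemplateId -eq $GlobalAdminTemplateId)
                MemberId      = $m.Id
                MemberType    = ($m.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '')
                Member        = $name
            }
        }
    }
}

$assignments  = @(Get-PrivilegedAssignments)
$assignments | Sort-Object Role, Member | Format-Table Role, Member, MemberType -AutoSize

$globalAdmins = @($assignments | Where-Object IsGlobalAdmin)
"Global Administrators: $($globalAdmins.Count) (limit assumed here: $MaxGlobalAdmins)"
if ($globalAdmins.Count -gt $MaxGlobalAdmins) { "  -> too many; move day-to-day admins to scoped roles" }

$assignments | Where-Object MemberType -ne 'user' |
    ForEach-Object { "Non-user principal in role '$($_.Role)': $($_.Member) ($($_.MemberType))" }

# Admin accounts with mailboxes: a privileged account that receives mail is a phishing target.
$adminUpns = $assignments | Where-Object MemberType -eq 'user' | Select-Object -ExpandProperty Member -Unique
foreach ($upn in $adminUpns) {
    $mbx = Get-EXOMailbox -Identity $upn -ErrorAction SilentlyContinue
    if ($mbx -and $mbx.RecipientTypeDetails -eq 'UserMailbox') { "Admin with a user mailbox: $upn" }
}

# Shared mailboxes should have their Entra account sign-in blocked; access belongs to delegates.
foreach ($shared in Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited) {
    $acct = Get-MgUser -UserId $shared.UserPrincipalName -Property AccountEnabled, UserPrincipalName -ErrorAction SilentlyContinue
    if ($acct -and $acct.AccountEnabled) { "Shared mailbox with sign-in enabled: $($shared.UserPrincipalName)" }
}
```

Tenants that use Privileged Identity Management will show eligible (not yet activated) assignments outside this list, since only active role membership is returned here; cover those through the PIM role assignment schedule cmdlets when reviewing such tenants.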

In conclusion, the challenge MSPs face is not finding security gaps once. Most MSPs know how to perform an M365 security review. The bigger challenge is doing it consistently across every customer environment.

Security posture changes constantly: users change roles, new accounts are created, permissions change, and policies evolve. A one-time audit provides a snapshot; continuous visibility provides ongoing protection.

Octiga helps MSPs identify M365 security gaps, standardize tenant configurations, and monitor customer environments from a single dashboard, making your security consistent across your entire client base.

Start an Octiga trial today and investigate your own Microsoft 365 tenants to see where security gaps may exist.
