Microsoft

5 Microsoft 365 Settings Worth Checking in Your Tenant

Zachary Kitchen

Microsoft has tightened several default settings in Microsoft 365 over the past few years. Newer tenants get more protection out of the box than tenants set up before 2022 or so. The problem is that legacy configurations stay in place. A setting changed for new tenants in 2024 doesn’t retroactively change in yours, and historical user consents, inbox rules, or sharing links granted before the change are still active.

Here are five settings worth checking in your tenant, especially if it’s more than two or three years old, was set up by a previous IT provider, or has not been audited in a while.

A few caveats before we start. Some of these settings require Microsoft 365 Business Premium, E3, or E5 licensing to change, so if a toggle is grayed out, your license tier is most likely the reason. A couple of these changes will generate support tickets from your team because they change how something already works. None of them need to be flipped all at once.

1. The default sharing link in SharePoint and OneDrive

When someone in your organization shares a file from SharePoint or OneDrive, the link they generate has a default scope. In tenants set up before Microsoft tightened the new-site defaults, that scope is often “Anyone with the link,” which means anyone who receives the URL can open the file without signing in. No expiration. No record of who else the link was forwarded to.

Newer Teams-created sites now default to “Only people in your organization.” Older sites and the tenant-level setting often still allow Anyone links. A departing employee who emailed a proposal to their personal account six months ago still has a working link, unless someone manually revoked it.

The default sharing link type sits in the SharePoint admin center under Policies > Sharing. Switching the tenant default to “Specific people” forces every new link to require authentication. You can also set a maximum expiration for any remaining “Anyone” links so they time out automatically.

Rough time to change: 15 minutes. This has no impact on existing links until they’re regenerated.

2. External email forwarding rules

Microsoft now blocks automatic email forwarding to external addresses at the tenant level by default, through the outbound spam policy. This rolled out as part of Microsoft’s secure-by-default effort.

Forwarding rules created before that change can still be active, though, and tenants with custom outbound spam policies configured years ago may not reflect the current default. A user who set up a rule a few years ago to forward every email to a personal Gmail address may still be exporting your data, depending on how their rule was constructed and whether it predates the policy.

Verify two things. In the Microsoft Defender portal, under Email & Collaboration > Policies & Rules > Anti-spam policies > Anti-spam outbound policy, confirm the “Automatic forwarding rules” setting is set to “Off” or “Automatic – System-controlled.” Then audit existing inbox rules across your users for any forward-to-external configurations. The Microsoft Purview audit log lets you search for inbox rule creation events.

Rough time: 10 minutes to verify the tenant setting, longer to review existing rules across all mailboxes.

3. Historical third-party app consents

A Microsoft-managed user consent policy was enabled by default in July 2025, preventing users from consenting to most third-party applications that request access to their files and sites. New consent requests now route to an admin for review.

The change applies going forward. Apps that were granted user consent before the policy took effect still have whatever permissions they were given, including the ability to read mail, calendars, and files on behalf of the user. Some of those apps may be tools an employee installed years ago and no longer uses, or apps installed during a one-off project that nobody remembers approving.

To review what’s already there, go to Microsoft Entra ID > Enterprise Applications > All applications. Sort by user consent and look at what currently has access to mail, files, or calendars. Anything you don’t recognize or no longer need can be revoked from the same screen.

Rough time: 30 to 60 minutes for the review, depending on how many historical apps are in the list.

4. Mailbox and tenant audit log retention

The default audit log retention period in Microsoft 365 changed in October 2023. Audit (Standard) logs are now retained for 180 days, up from the previous 90 days. Customers with E5 licensing or the Microsoft Purview Audit (Premium) add-on get one year of retention for Exchange, SharePoint, OneDrive, and Entra ID audit records, with other activity types staying at 180 days.

If you’re in healthcare, financial services, legal, or any other regulated industry, 180 days may not match your retention obligations. HIPAA, the FTC Safeguards Rule, and most state bar rules around client data assume you can produce records on request, and the relevant period is often measured in years, not months.

Audit retention policies live in the Microsoft Purview compliance portal under Audit > Audit retention policies. Extending retention beyond 180 days requires E5 or the Purview Audit add-on. The configuration itself takes about 15 minutes once you’ve confirmed your license supports it.

5. MFA enforcement and Security Defaults

MFA enforcement is the area most likely to be inconsistent in older tenants. Microsoft introduced Security Defaults in late 2019, and the feature now enforces MFA automatically on new tenants. Microsoft has also been progressively making MFA mandatory for admin actions in the Microsoft 365 admin center and Azure portal through 2024 and 2025.

Tenants created before Security Defaults rolled out may have no baseline enforcement. There’s also a common configuration trap. When an admin enables a Conditional Access policy, which is available with Business Premium and above, Microsoft expects you to take over MFA enforcement through that policy and may turn Security Defaults off. If the transition was done quickly, you can end up with Security Defaults off and a Conditional Access policy that doesn’t cover every user.

Check three places. In the Entra ID admin center under Properties > Manage Security Defaults, confirm whether Security Defaults is on or off. Under Protection > Conditional Access, confirm a policy is actively enforcing MFA for all users, including administrators. Pay particular attention to break-glass admin accounts, which are sometimes excluded from Conditional Access for emergency access reasons and left with no MFA as a result.

Rough time: about an hour, longer if Conditional Access has been configured with several existing policies you need to map.

A sensible order to roll the changes

Some of these changes are silent to your users. Others change how something they do every day works.

Audit log retention (#4) and the historical app consent review (#3) carry no user-facing impact. Start there.

Verifying external forwarding (#2) is silent unless someone has a legitimate forwarding rule, which is rare. Do this next.

The sharing default (#1) will eventually generate user questions, particularly from anyone used to clicking “share” and pasting the link into an email. Communicate the change before you flip the tenant setting.

The MFA and Conditional Access review (#5) is the highest-stakes change and the one most likely to lock people out if it’s done badly. Save it for last and budget the time to do it properly.

Frequently asked questions

Are my Microsoft 365 settings still vulnerable if my tenant was set up recently?

New tenants get more protection out of the box than tenants set up a few years ago. Even so, certain settings, including sharing scope, app consents granted by users, and historical inbox rules, need to be reviewed in any tenant regardless of age.

What is the current Microsoft 365 default for “Anyone with the link” sharing?

At the tenant level, many existing tenants still permit “Anyone with the link” sharing. Newer Teams-created SharePoint sites default to “Only people in your organization.” Verify both the tenant-level setting and the site-level setting if you want to know what your users see in practice.

Did Microsoft turn off external email forwarding by default?

Yes. Microsoft’s outbound spam policy now blocks automatic external forwarding by default at the tenant level. Existing inbox rules created before that change may still be active and worth auditing.

How long are Microsoft 365 audit logs kept by default?

180 days for Audit (Standard), as of October 2023. One year for key workloads (Exchange, SharePoint, OneDrive, Entra ID) if you have E5 or the Microsoft Purview Audit (Premium) add-on.

Does Security Defaults cover all my users?

On a new tenant, yes, including MFA enforcement. On an older tenant that has had Conditional Access policies enabled, Security Defaults may have been turned off, and MFA coverage now depends on how Conditional Access has been configured.

Sources and further reading

If you’re not sure when your tenant was last reviewed, or whether any of these settings need attention, your IT provider should be able to walk through them with you. And if you don’t have an IT provider, feel free to reach out to us and we’ll help you sort it.

Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Zachary Kitchen
Zachary Kitchen is the founder and CEO of Digital Crisis, where he helps law firms and businesses protect sensitive data, prevent downtime, and get more from their technology. With experience supporting over 7,000 organizations, he specializes in practical cybersecurity and IT strategies that improve day-to-day efficiency, not just security on paper.

Get Your Free Cybersecurity Guide

Protect your business with expert tips. Fill out the form to download our comprehensive guide and enhance your cybersecurity.

This field is for validation purposes and should be left unchanged.

By downloading you’re confirming that you agree with our Terms and Conditions.

What business owners are saying about us...

Read testimonials from satisfied clients who trust Digital Crisis for their IT needs. Discover how we’ve helped businesses like yours.

Quote icon

When Our Server Crashed, I Expected Downtime For Days, They Had Us Back in Hours

As a small law firm, we needed reliable IT support that wouldn’t break the budget—but still delivered at the highest level. Digital Crisis gave us exactly that.
 
They helped us modernize our systems, move to the cloud, and streamline how we work. Now our team can securely access everything we need from anywhere—and we’ve never been more efficient.
 
When our server went down unexpectedly, they had us fully operational again within three hours. No panic. No delays. Just fast, professional support when we needed it most.
 
With Digital Crisis, we feel like we have a world-class IT department—without the overhead.
Scott D.
Trial Attorney in Houston
Quote icon

We Knew Something Had to Change

As a managing partner of our firm, I needed a technology partner who understood urgency—and our old IT company just didn’t get it. Every time we had an issue, we were forced to submit a ticket just to speak with someone. No one ever answered the phone. Everything felt like a battle, and we were stuck in a long-term contract with no flexibility.

 

When I called Digital Crisis, they picked up immediately. No ticket. No runaround. Just answers. Within minutes, they had already started helping us.

 

Looking back, I wish we had made the switch sooner. I didn’t need to be a tech expert—I just needed to make one good decision for my team. Now our systems are secure, we actually get support when we need it, and I don’t have to worry about IT holding us back.

 

If you’re tired of being ignored by your IT guy, do what I did. Take back control. Call Digital Crisis.

Rudy C.
Probate Law Firm in Houston
Quote icon

I Couldn’t Afford IT Headaches When Starting My Firm

As the Managing Partner of a newly established law firm, I can confidently say that the seamlessness of our start-up is due in large part to the exceptional IT support provided by Zach and the team at Digital Crisis. From day one, they have been more than just a service provider—they've been true partners in our success.

Zach and his team have an incredible ability to anticipate our needs before we even voice them. Their proactive approach, deep expertise, and commitment to keeping our systems secure and efficient have given us the confidence to focus fully on building our practice.

Having reliable IT support is critical in the legal field, where security and uptime are non-negotiable. Thanks to Digital Crisis, we’ve had both—plus the peace of mind that comes from knowing we’re in capable hands. We couldn’t ask for a better tech partner.

Stacy K.
Mangaing Partner at Estate & Trust Law Firm
Quote icon

They’re a Valuable Member of Our Team

Zach is great at explaining to us about our IT in plain-speak, rather than “geek-speak.” I genuinely feel like hiring Digital Crisis was the best decision I’ve made for my firm. If you want an IT expert who charges reasonable rates and is not just an IT guy, but a valuable member of your team, call Zach.
Keith M.
Founder at Probate Law Firm in Fort Worth
Quote icon

My Firm Runs Like a Well-Oiled Machine

I’ve worked with Zach for over 20 years. Digital Crisis takes their time to understand my practice and doesn’t try to shove a cookie-cutter system down our throat. When Digital Crisis first came in, they took the time to understand our firm and helped streamline and modernize our processes.
Kelly F.
Senior Partner- Plaintiff firm in Houston
Quote icon

My Firm’s Efficiency DOUBLED Overnight

I thought my firm was doing just fine with my previous IT setup- boy, was I wrong! Digital Crisis came in Updated Equipment and Technology. I wish I had used them ten years earlier when I first met Zach. You will be sold immediately by their knowledge, patience, and willingness to help.
Craig R.
Senior Partner - Personal Injury Lawyer in Houston
Quote icon

Digital Crisis Saves Us Thousands Every Year

We used to enter data quarterly that would easily take an average of two weeks each quarter to enter. Then, when Digital Crisis came in, they fully automated our process, taking minutes instead of weeks to process the same data, not only faster but more accurately, removing room for human error. The new system gets things done faster and saves us thousands every year in labor alone!
Sandy H.
Executive Assistant, Group Purchasing Organization in Houston, TX
Quote icon

We Make Money FASTER Because of Digital Crisis

In 2010, my business had an old DOS-based server from 1995 that ran our proprietary software, which crashed. If it weren’t for Zach, we’d have to start completely over! Not only was Digital Crisis able to restore all our data, but they were also able to migrate us to a modern system which allowed us to get paid faster and work remotely.
Sandra V.
Owner, Marine Supply Distributor in Houston, TX
Quote icon

They Rescued My Practice

On a Friday, my practice had to be moved immediately without any notice. Digital Crisis not only managed to come out and get our IT up and running, but they had our phones and internet up and running by Monday morning, and we didn’t lose a single day of business!  I can’t recommend Zach and his team enough.
Marietta C.
Owner, Pediatrics Practice in Dickinson, TX
Quote icon

I Never Lost a Day of Work During the Pandemic

Zach truly understands my firm’s needs and always provides valuable tips and tools to make my firm run more efficiently. For example, when the COVID pandemic hit in 2020, I didn’t lose a single day of work since Digital Crisis had me set up on their cloud system, and I could remote in from anywhere.
Pamela S.
Owner, Bankruptcy Lawyer in Houston, TX

Protect Your Network Against Cyber Threats

Contact Digital Crisis for a network security consultation and ensure your business is safeguarded against cyber threats.

This field is for validation purposes and should be left unchanged.