3 Overlooked Security Controls in Microsoft 365

2025-05-23 • 6 min read

Microsoft 365 (M365) plays a central role in modern business, but its complexity leaves plenty of room for missed settings. Here are three important controls that often go unnoticed, and how to address them quickly.

1. Audit Log Retention

Microsoft 365 retains Unified Audit Logs for only 90 days by default, unless you configure extended retention using an Advanced Audit policy (available with E5 or Microsoft Purview licensing).

Why this matters:

You may need access to logs older than 90 days during an investigation.
Limited audit history can slow down your incident response process.

What to do:

Go to the Microsoft Purview compliance portal.
Navigate to Audit > Audit retention policies.
Set longer retention for high-value users and high-risk activities.

2. External Forwarding Block

Attackers often create mail forwarding rules after gaining access to an account. These rules can quietly send email to external inboxes without raising alarms.

Although Microsoft includes a default policy to block this behavior, it might not apply across all legacy mailboxes or older transport rules.

How to verify your settings:

Open the Exchange Admin Center.
Go to Mail Flow > Remote Domains.
Confirm that Allow automatic forwarding is set to off.

Also:

Review inbox rules for any automatic forwarding behavior.
Monitor rule creation events using your audit logs.

3. Application Consent Controls

If users can approve third-party applications, they might accidentally give away excessive access to your tenant. This can happen without fully understanding the risks.

How to improve control:

Enable admin consent workflows so that requests are reviewed.
Set up consent policies to limit which users can approve apps and what scopes are allowed.

Configure these settings in:

Azure AD > Enterprise applications > User settings
Disable "Users can consent to apps accessing company data on their behalf"
Turn on Admin Consent Requests

Final Thoughts

Microsoft 365 offers strong security capabilities, but many require manual configuration. These three controls offer a lot of value for the time it takes to implement them.

Each one can usually be reviewed and updated in under an hour. For organizations that want to reduce risk without adding unnecessary complexity, these are smart places to start.

If you want help auditing your Microsoft 365 environment or configuring these settings, contact us. We focus on practical, results-driven improvements that make a difference.