The Most Common Microsoft 365 Security Failures We See

The Shared Responsibility Model (And Why It’s Your Problem)
Microsoft operates on a shared responsibility model. They secure the infrastructure, the data centers, and the platform. You are responsible for securing your data, your identities, your access controls, and your configuration.
Most Phoenix businesses don’t know this. They assume that because their email is “in Microsoft’s cloud,” Microsoft is protecting it. Microsoft is protecting the building. You’re responsible for who has the keys.
The Most Common Microsoft 365 Security Failures We See
1. MFA is enabled but not enforced
Microsoft makes MFA easy to turn on and easy to leave half-finished. In many tenants MFA is “available” rather than required: users are prompted to register but can postpone, and nothing forces completion. When we audit new clients’ Microsoft 365 environments, we routinely find that 20–40% of users have never completed MFA registration despite MFA being “enabled.” The User registration details report in the Entra admin center (under Authentication methods) shows the real number in seconds.
Fix: Use Conditional Access (Entra ID P1, included in Microsoft 365 Business Premium and above) to require MFA for all users on all applications. Roll the policy out in report-only mode first, exclude the break-glass account, then enforce it. Make registration impossible to skip, not just inconvenient, and prefer the Authenticator app or hardware keys over SMS.
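The “enabled” state tells you nothing; the registration report does. As an added example (this is not code from the original article), the Microsoft Graph PowerShell script below pulls that report and computes how many member users have never registered, which of them are admins, and who is registered with phone-based methods only. It assumes the Microsoft.Graph SDK is installed, that the signed-in admin can consent to the two scopes, and that the strong-method names listed match the current Graph `userRegistrationDetails` resource.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes "UserAuthenticationMethod.Read.All", "AuditLog.Read.All" -NoWelcome

# One row per user from the Entra "User registration details" report:
# IsMfaRegistered, IsAdmin, MethodsRegistered, UserType, ...
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$members      = @($reg | Where-Object { $_.UserType -eq 'member' })   # guests are excluded from the percentage
$unregistered = @($members | Where-Object { -not $_.IsMfaRegistered })
$pct          = [math]::Round(100 * $unregistered.Count / [math]::Max($members.Count, 1), 1)
"Member users: $($members.Count); never completed MFA registration: $($unregistered.Count) ($pct%)"

# Admins without any MFA method are the first phone calls to make
$unregistered | Where-Object IsAdmin |
    Select-Object UserPrincipalName, UserDisplayName |
    Format-Table -AutoSize

# Registered users whose only methods are SMS/voice are still exposed to SIM
# swapping. Method names below are an assumption taken from the Graph
# userRegistrationDetails resource; verify them against current docs.
$strong = 'microsoftAuthenticatorPush', 'microsoftAuthenticatorPasswordless',
          'fido2', 'windowsHelloForBusiness', 'softwareOneTimePasscode',
          'hardwareOneTimePasscode', 'passKeyDeviceBound'
$phoneOnly = @($members | Where-Object {
    $_.IsMfaRegistered -and -not ($_.MethodsRegistered | Where-Object { $_ -in $strong })
})
"Registered but phone-only: $($phoneOnly.Count)"

# Hand the list to whoever runs the registration campaign
$unregistered | Select-Object UserPrincipalName, UserDisplayName, IsAdmin |
    Export-Csv -Path .\mfa-not-registered.csv -NoTypeInformation
```

Run it before and after the Conditional Access policy goes live; the unregistered count is the number that should drop to zero, and the phone-only count is the next campaign.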
2. Legacy authentication protocols are still active
Legacy authentication protocols such as Basic Auth (POP, IMAP, SMTP AUTH, Exchange ActiveSync, older Outlook versions) send a username and password and have no way to complete an MFA challenge. Attackers use these protocols to bypass MFA entirely with stolen or password-sprayed credentials; in a tenant where MFA is “enabled” but not enforced they are the path of least resistance.
Microsoft turned Basic Auth off for most Exchange Online protocols during 2022 and 2023, but SMTP AUTH stays available per tenant unless you disable it, and many Phoenix tenants still show legacy sign-ins, either because legacy authentication was never blocked in Conditional Access or because an older application, scanner or line-of-business tool depends on it. Conditional Access can block legacy authentication across the tenant with a single policy.
Fix: Block legacy authentication via Conditional Access (client app types “Exchange ActiveSync clients” and “Other clients”). Before you enforce it, filter the Entra sign-in logs by client app for the last 30 days to find what still uses it, then update or replace those applications.
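Fixes 1 and 2 are the same Conditional Access work, so here is one added example covering both (not code from the original article): it lists the last 30 days of legacy-protocol sign-ins, creates the require-MFA and block-legacy-auth policies in report-only mode with the break-glass account excluded, and turns off SMTP AUTH basic authentication tenant-wide. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules and a break-glass account whose UPN is a placeholder.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules; the break-glass UPN below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All",
                        "User.Read.All", "AuditLog.Read.All" -NoWelcome

# 1. See who still signs in over legacy protocols before blocking anything.
#    Entra ID P1 keeps 30 days of sign-in logs; anything that is not the browser
#    or modern desktop/mobile clients is a legacy protocol bucket.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin @('Browser', 'Mobile Apps and Desktop clients') }
$legacy | Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Both policies in report-only mode with the break-glass account excluded.
#    Change state to 'enabled' once the report-only results show no surprises.
$breakGlassUpn = 'breakglass@contoso.onmicrosoft.com'      # placeholder, replace
$breakGlassId  = (Get-MgUser -Filter "userPrincipalName eq '$breakGlassUpn'").Id
if (-not $breakGlassId) { throw "Break-glass account not found; do not create policies without an exclusion." }
$everyoneButBreakGlass = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }

$requireMfa = @{
    displayName   = 'CA001 - Require MFA for all users, all apps'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = $everyoneButBreakGlass
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$blockLegacy = @{
    displayName   = 'CA002 - Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = $everyoneButBreakGlass
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')  # the two legacy client buckets
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 3. Belt and braces: disable SMTP AUTH basic authentication in Exchange Online
#    so a printer or script fails at the protocol rather than relying on the
#    policy alone. Re-enable per mailbox only for a device that truly needs it:
#    Set-CASMailbox -Identity scanner@contoso.com -SmtpClientAuthenticationDisabled $false
Connect-ExchangeOnline -ShowBanner:$false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
```

The report-only state is not optional politeness: a require-MFA policy enabled directly against a tenant where 40% of users have never registered locks those users out at 8 a.m. on Monday, and the exclusion is what keeps the break-glass account usable if the policy itself is misconfigured.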
3. Global Administrator accounts used for daily work
Global Administrator is the most privileged role in Microsoft 365. It has unrestricted access to everything in the tenant. We regularly find Phoenix organizations where the IT person — or even the business owner — signs into their daily email using an account that is also a Global Administrator.
If that account is compromised, the attacker has complete control of your entire Microsoft 365 environment: all email, all files, all user accounts, all security settings.
Fix: Create dedicated, cloud-only Global Administrator accounts used only for administrative tasks, and keep the number of them under five. Never use them for daily email; give the IT person a separate everyday account, and use least-privileged roles such as Exchange Administrator or User Administrator for routine work. Require MFA on admin accounts, ideally phishing-resistant methods (FIDO2 hardware keys or passkeys).
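The quickest way to find the “IT person reads email as a Global Admin” pattern is to list the role’s members and look for ones that are licensed (a licensed admin account almost always has a mailbox in daily use) or synced from on-premises AD (which means an on-prem compromise becomes a tenant compromise). Added example, not code from the original article; it assumes the Microsoft.Graph SDK and looks the role up by its well-known template ID.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All" -NoWelcome

# Global Administrator is looked up by its well-known role template ID rather
# than by display name, which can be localized.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$gaRole  = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Note: PIM-eligible assignments (Entra ID P2) are not active members and do
# not appear here; this lists standing (permanent) Global Administrators.
$report = foreach ($m in $members) {
    $kind = $m.AdditionalProperties['@odata.type']
    if ($kind -ne '#microsoft.graph.user') {
        # Groups and service principals can hold the role too; flag them for review
        [pscustomobject]@{ Principal = $m.Id; Kind = $kind; Enabled = $null; CloudOnly = $null; Licensed = $null }
        continue
    }
    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled,
                                             OnPremisesSyncEnabled, AssignedLicenses
    [pscustomobject]@{
        Principal = $u.UserPrincipalName
        Kind      = 'user'
        Enabled   = $u.AccountEnabled
        CloudOnly = -not $u.OnPremisesSyncEnabled        # synced admins inherit on-prem AD compromise
        Licensed  = @($u.AssignedLicenses).Count -gt 0   # licensed GA = probably a daily-use mailbox
    }
}
$report | Format-Table -AutoSize

$gaUsers = @($report | Where-Object Kind -eq 'user')
if ($gaUsers.Count -gt 5) {
    Write-Warning "$($gaUsers.Count) Global Administrators; Microsoft's guidance is fewer than five."
}
$gaUsers | Where-Object { $_.Licensed -or -not $_.CloudOnly } | ForEach-Object {
    Write-Warning "Review $($_.Principal): licensed=$($_.Licensed) cloudOnly=$($_.CloudOnly)"
}
```

Every account this warns about should end up as either a demoted everyday account or a dedicated, unlicensed, cloud-only admin account; there is no third category that survives an audit.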
4. External sharing is wide open
SharePoint and OneDrive default to allowing “Anyone” links. Files shared this way are accessible to anyone on the internet who obtains the link, with no sign-in at all, including through accidental forwarding, email compromise, or link exposure in a public channel.
Fix: Set SharePoint and OneDrive external sharing to “New and existing guests” or “Existing guests only” at the tenant level, so every external recipient has to authenticate. Change the default link type to “Only people in your organization” so users must deliberately choose to share outside the company. Audit existing shared links for exposure, and if Anyone links must remain during a transition, require expiration dates and view-only permission on them.
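The tenant-level settings above map to specific Set-SPOTenant parameters. Added example, not code from the original article: it shows the current settings, applies the hardened ones via splatting, and then pulls the AnonymousLinkCreated audit events from the last 90 days so the people who made Anyone links can be asked to clean them up. It assumes the SharePoint Online Management Shell and ExchangeOnlineManagement modules, and “contoso” is a placeholder tenant name.

```powershell
# Added example, not from the original article. Assumes the SharePoint Online
# Management Shell and ExchangeOnlineManagement modules; "contoso" is a placeholder.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Where the tenant stands today
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, PreventExternalUsersFromResharing

# Tenant-level hardening. SharingCapability maps to the admin center options:
#   ExternalUserAndGuestSharing     = "Anyone" (the default this removes)
#   ExternalUserSharingOnly         = "New and existing guests"
#   ExistingExternalUserSharingOnly = "Existing guests only"
$hardened = @{
    SharingCapability                 = 'ExternalUserSharingOnly'
    DefaultSharingLinkType            = 'Internal'   # new links default to "people in your organization"
    DefaultLinkPermission             = 'View'
    PreventExternalUsersFromResharing = $true
    ExternalUserExpirationRequired    = $true        # guest access itself expires...
    ExternalUserExpireInDays          = 30           # ...unless a site owner renews it
}
Set-SPOTenant @hardened

# If "Anyone" links must stay on for a transition period, cap them instead:
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 14 -FileAnonymousLinkType View -FolderAnonymousLinkType View

# The change above governs future links. To see what was shared anonymously
# before it, list AnonymousLinkCreated events from the unified audit log.
Connect-ExchangeOnline -ShowBanner:$false
$end = Get-Date
Search-UnifiedAuditLog -StartDate $end.AddDays(-90) -EndDate $end `
    -Operations AnonymousLinkCreated -ResultSize 5000 -SessionCommand ReturnLargeSet |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $_.CreationDate; By = $_.UserIds; Site = $d.SiteUrl; Item = $d.ObjectId }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Expect the OneDrive side to be where most Anyone links live; users share from their own files far more often than from team sites, and the tenant setting covers both.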
5. No unified audit logging
Microsoft 365 has comprehensive audit logging. It has been on by default for new tenants for several years, but older tenants may still have it off, and even when it is on, many organizations have nobody reviewing the logs or alerting on suspicious activity.
When a breach occurs, audit logs are essential for forensics: when did the attacker log in, what did they access, what did they change? Without logs, you’re flying blind in a post-incident investigation and you may be unable to satisfy breach notification requirements.
Fix: Confirm unified audit logging is enabled in the Microsoft Purview portal (Audit > Search). Audit (Standard), which Business Premium includes, retains 180 days; regulated industries should export to a SIEM such as Microsoft Sentinel or move to Audit (Premium) for a year or more. Configure alerts for high-risk events: new admin role assignments, MFA disabled, new inbox rules that forward or delete mail, mass download events, and sign-ins from unusual locations.
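Before anyone builds alert policies, it helps to see what the log actually holds. Added example, not code from the original article: it verifies (and if needed enables) ingestion, searches 30 days for the operations that matter most in an SMB breach, and aggregates file downloads per user per day to surface bulk exfiltration. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs or View-Only Audit Logs role; the 200-downloads-per-day threshold is a tuning assumption.

```powershell
# Added example, not from the original article. Assumes ExchangeOnlineManagement
# and an account holding the Audit Logs (or View-Only Audit Logs) role.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Confirm ingestion is on; new tenants default to on, older ones may not.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Unified audit log was OFF; enabled now. Events before today are gone.'
}

# Search-UnifiedAuditLog returns at most 5000 rows per call; for larger windows
# page with -SessionId / -SessionCommand ReturnNextPreviewPage, or ship to a SIEM.
$end   = Get-Date
$start = $end.AddDays(-30)

# 2. Operations worth an alert in any SMB tenant
$highRisk = @(
    'Add member to role.',             # someone was made an admin
    'Disable Strong Authentication.',  # per-user MFA switched off
    'Add user.',                       # new account, a common persistence move
    'New-InboxRule', 'Set-InboxRule'   # the classic BEC tell: forward/delete rules
)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $highRisk `
    -ResultSize 5000 -SessionCommand ReturnLargeSet |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Operation = $_.Operations
            Actor     = $_.UserIds
            Target    = $d.ObjectId
            ClientIP  = $d.ClientIP
        }
    } | Sort-Object When | Format-Table -AutoSize

# 3. Mass download: FileDownloaded events per user per day over the last week.
$threshold = 200   # tuning assumption; set from a baseline of normal activity
Search-UnifiedAuditLog -StartDate $end.AddDays(-7) -EndDate $end -Operations FileDownloaded `
    -ResultSize 5000 -SessionCommand ReturnLargeSet |
    Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.UserIds, $_.CreationDate } |
    Where-Object Count -gt $threshold |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The inbox-rule operations are the ones to pay attention to first: a compromised mailbox almost always gets a rule that hides or forwards mail within minutes, and it shows up here long before the fraudulent invoice does.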
6. Microsoft Secure Score is ignored
Microsoft provides every 365 tenant with a Secure Score — a dashboard that evaluates your configuration against security best practices and gives you a score with specific remediation recommendations. It’s free, it’s built in, and it tells you exactly what to fix.
Most Phoenix tenants have never looked at it. The average SMB tenant we onboard has a Secure Score in the 30–45% range. The achievable score for an SMB with reasonable controls is 70–80%+.
Fix: Open the Microsoft Defender portal (security.microsoft.com) and review your Secure Score. Work through the top recommendations, starting with the ones that carry the most points at the lowest implementation cost. Track progress monthly.
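The portal shows the score; pulling it through Graph lets you rank the gaps by points and cost and keep a monthly trend file without screenshots. Added example, not code from the original article; it assumes the Microsoft.Graph SDK (Microsoft.Graph.Security module) and the SecurityEvents.Read.All scope.

```powershell
# Added example, not from the original article. Assumes the Microsoft.Graph SDK
# (Microsoft.Graph.Security) and the SecurityEvents.Read.All scope.
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# Newest daily snapshot of the tenant score
$latest = Get-MgSecuritySecureScore -All | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$pct    = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
"Secure Score {0:yyyy-MM-dd}: {1}/{2} ({3}%)" -f $latest.CreatedDateTime, $latest.CurrentScore, $latest.MaxScore, $pct

# Control profiles carry the maximum points per control; the score snapshot
# carries what the tenant has earned. Join the two on the control name.
$profiles = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profiles[$_.Id] = $_ }

$gaps = foreach ($c in $latest.ControlScores) {
    $p = $profiles[$c.ControlName]
    if (-not $p) { continue }
    $missing = $p.MaxScore - $c.Score
    if ($missing -gt 0) {
        [pscustomobject]@{
            Control = $c.ControlName
            Title   = $p.Title
            Missing = [math]::Round($missing, 1)
            Cost    = $p.ImplementationCost   # Low / Moderate / High, as rated by Microsoft
        }
    }
}
# Biggest point gaps first, cheapest first among equals
$gaps | Sort-Object @{ Expression = 'Missing'; Descending = $true }, Cost |
    Select-Object -First 10 | Format-Table -AutoSize

# Append one row per run to show the trend month over month
[pscustomobject]@{
    Date  = $latest.CreatedDateTime.ToString('yyyy-MM-dd')
    Score = $latest.CurrentScore
    Max   = $latest.MaxScore
    Pct   = $pct
} | Export-Csv -Path .\secure-score-history.csv -Append -NoTypeInformation
```

The first three rows of that gap list are almost always the MFA, legacy authentication and admin-account items covered earlier on this page, which is the point: the score is a scorecard for exactly this list of failures.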
The Microsoft 365 Security Tiers
| License | Key Security Features | Best For |
|---|---|---|
| Microsoft 365 Business Basic | Core apps, basic MFA, limited security features | Minimum viable; not recommended as standalone for any regulated industry |
| Microsoft 365 Business Standard | Business apps + Teams, basic security controls | Small teams with low compliance requirements |
| Microsoft 365 Business Premium | Full security stack: Defender for Business, Intune MDM, Conditional Access, Entra ID P1, Purview | Recommended for all Phoenix SMBs with security requirements; this is the sweet spot |
| Microsoft 365 E3/E5 | Enterprise security, advanced compliance, SIEM integration | Mid-market and enterprise; typically above SMB threshold |
Microsoft 365 Business Premium is the most important upgrade conversation for Phoenix SMBs in 2025. The jump from Business Standard to Business Premium adds Defender for Business (enterprise-grade EDR), Intune (MDM), and Conditional Access. For many businesses, this single license upgrade replaces three separate security tools at a lower total cost.
What a Properly Secured Microsoft 365 Tenant Looks Like
• Conditional Access policies enforce MFA for all users, all applications, all locations.
• Legacy authentication is blocked tenant-wide.
• Global Administrator accounts are dedicated, cloud-only accounts used only for admin tasks.
• Privileged Identity Management (PIM) is used for just-in-time admin access where available (it requires Entra ID P2, which Business Premium does not include).
• External sharing is restricted to authenticated guests with expiring links.
• Unified audit logging is enabled with 90+ day retention.
• Defender for Business (or Defender for Endpoint) is deployed on all endpoints.
• Intune MDM manages all company devices with compliance policies enforced.
• Email is protected by Defender for Office 365 with Safe Links and Safe Attachments enabled.
• Secure Score is above 65% and reviewed monthly.
• A break-glass emergency admin account exists, is cloud-only, is excluded from Conditional Access policies, is secured with a hardware key, has its credentials stored off-site, and any sign-in with it raises an alert.
This configuration is achievable for any Phoenix SMB on Microsoft 365 Business Premium. Most of it requires configuration changes, not additional tools.
AEGITz performs Microsoft 365 security assessments and hardening for Phoenix businesses. Download our free Microsoft 365 Security Checklist to see exactly where your tenant stands. aegitz.com