MICROSOFT 365 SETTINGS Small configuration gaps can become real business risk. The most commonly overlooked Microsoft 365 settings often involve sign in protection, administrator access, external sharing, guest users, audit visibility, mailbox forwarding, Teams ownership, and offboarding. Article Sections Microsoft 365 is often one of the most important systems in a business. It holds email, files, calendars, Teams chats, user accounts, shared documents, and administrative access to critical tools. Because it is so familiar, many organizations assume it is already configured correctly. That assumption can create risk. Many Microsoft 365 settings are not reviewed after the original setup. A business may add users, create shared mailboxes, invite outside partners, change licenses, or add new departments without going back to review security and access settings. Over time, small configuration gaps can build into larger problems. Here are common Microsoft 365 settings that business and operations teams should review before they become an issue. Practical goal The goal is to turn common Microsoft 365 settings into a repeatable review process that protects accounts, files, email, users, and business operations. Multifactor Authentication Settings Multifactor authentication is one of the most important Microsoft 365 settings to review. It helps protect accounts by requiring more than a password to sign in. The mistake many organizations make is assuming that multifactor authentication is fully enabled for everyone. In reality, some users may be excluded, older accounts may have been missed, or administrative accounts may not be protected consistently. Recommended action Confirm multifactor authentication is required for all users. Verify administrator accounts use strong authentication. Review excluded users and groups. Remove old or weak authentication methods when possible. Check whether users rely on outdated verification methods. This matters because a single compromised account can expose email, files, Teams messages, and internal business information. Legacy Authentication Legacy authentication is easy to overlook because many users never see it. It often relates to older apps, mail clients, or protocols that do not support modern sign in protections. The risk is simple. If legacy authentication is still allowed, an attacker may be able to bypass stronger protections that are applied to normal browser or app sign ins. Business teams should ask whether any older applications still require legacy authentication. If they do, those applications should be documented, reviewed, and replaced when possible. Recommended action Identify whether legacy authentication is still allowed. Document any application that still depends on older sign in methods. Replace old applications where possible. Make leadership aware of any remaining exceptions. This is not just a technical cleanup task. It is a business risk decision. If an old tool requires weaker access, leadership should know why it is still needed and what the plan is to remove that dependency. Administrator Roles Administrator access should be reviewed regularly. Many organizations have too many Global Administrators because it is the easiest way to give someone access when a problem needs to be solved quickly. That convenience creates risk. Global Administrator access can control broad parts of the Microsoft 365 environment. If too many people have that role, the organization has more exposure if one of those accounts is compromised. Recommended action Review who has Global Administrator access. Confirm each person still needs that level of access. Use a more limited administrator role when possible. Separate admin accounts from everyday user accounts where appropriate. Require multifactor authentication for administrator accounts. The goal is not to make work harder. The goal is to give people the access they need without giving every support task the highest level of permission. External Sharing in SharePoint and OneDrive External sharing is useful. Businesses need to work with vendors, clients, accountants, consultants, and partners. The issue is not that external sharing exists. The issue is that it often expands without review. A team may share a folder with a vendor for one project. Months later, that vendor may still have access. A link may be created for convenience, but nobody checks whether it should expire. A SharePoint site may allow broader sharing than the business intended. Recommended action Review which sites allow external sharing. Check whether anonymous or anyone links are allowed. Require guests to sign in where possible. Use expiration dates for sharing links when appropriate. Review who can share files externally. Remove old guest users that no longer need access. This review can prevent accidental exposure of contracts, employee records, financial documents, and internal planning files. Guest Users Guest accounts are another area that can quietly grow over time. Microsoft 365 makes it easy to collaborate with external users, but those users should not remain in the environment forever without review. Recommended action Review current guest users. Identify which company or partner each guest belongs to. Confirm what files, Teams, groups, or sites each guest can access. Check when each guest last signed in. Assign an internal owner for guest access approvals. Guest access should have ownership. If nobody owns the guest account, nobody is accountable for removing it when the work is done. Audit Logging and Activity Review Audit logs help organizations understand what happened in Microsoft 365. They can support troubleshooting, investigations, compliance questions, and security reviews. The setting is often overlooked until something goes wrong. Business owners and managers should not wait for an incident before asking whether audit information is available. They should know whether audit logging is enabled, what activity can be searched, how far back records are available, and who has permission to review those logs. Recommended action Confirm whether audit logging is available and usable. Identify who can review audit activity. Check whether file deletion, external sharing, mailbox rule changes, group changes, and sign in activity can be reviewed. Document how long audit records are available. Without audit visibility, it is harder to understand whether a problem was caused by user error, a process gap, or unauthorized access. Mailbox Forwarding and Inbox Rules Mailbox forwarding and inbox rules can be helpful for normal business workflows. They can also be abused. A compromised account may be configured to silently forward email to an outside address. A hidden inbox rule may move financial emails, password reset messages, or vendor communications out of sight. This is one of the most practical Microsoft 365 settings to review because it directly affects business operations. Recommended action Review which mailboxes forward to external addresses. Confirm forwarding rules are approved. Check for inbox rules that move messages to unusual folders. Review executives, finance staff, and operations accounts regularly. Add forwarding review steps to the offboarding process. Email is still where many business risks begin. Forwarding and inbox rules deserve more attention than they usually get. Anti-Phishing and Email Protection Policies Microsoft 365 includes built in email protection, but organizations should still review their policies. Default protection may not match the risk level of every business. A company that handles invoices, payroll, client records, or executive approvals should pay close attention to phishing, impersonation, suspicious links, and attachments. Recommended action Review whether anti-phishing policies are configured. Protect key executives and finance staff against impersonation. Review Safe Links and Safe Attachments settings if available. Make quarantine notifications understandable for users. Assign responsibility for reviewing released messages and false positives. The goal is to reduce risk without blocking normal business communication. That requires tuning, review, and documentation. Teams and Group Creation Settings Microsoft Teams, Microsoft 365 Groups, and SharePoint sites often grow together. A new Team may create a group, mailbox, calendar, and SharePoint site. That is useful, but it can also create clutter and access confusion. If anyone can create teams or groups without a naming standard or ownership process, the environment can become difficult to manage. Recommended action Review who can create Teams and Microsoft 365 Groups. Use a naming standard. Confirm each Team has an owner. Review inactive Teams. Set sensitive Teams to the proper privacy level. Review guest access in Teams. This is especially important for organizations that have grown quickly or changed staff often. User Offboarding Settings Offboarding is where many Microsoft 365 mistakes show up. When an employee leaves, the process should cover more than disabling the account. Recommended action Block the account from sign in. Revoke active sessions. Configure email forwarding properly if needed. Transfer OneDrive access when appropriate. Remove group memberships. Recover licenses. Review shared mailbox permissions. Handle mobile devices and managed devices correctly. If the offboarding process is not documented, each departure may be handled differently. That creates risk and makes it harder to prove that access was removed properly. Security Alerts and Responsibility Many businesses have security alerts available but no clear owner for reviewing them. Alerts are only useful if someone knows where they appear, what they mean, and what action to take. Recommended action Assign someone to receive security alerts. Assign someone to review risky sign ins. Document who checks quarantine and threat reports. Document who responds if an account is compromised. Document how the resolution is recorded. This is where business operations and IT need to work together. Security settings are not just technical controls. They support decisions, accountability, and response. Documentation Matters Microsoft 365 settings should not live only in someone’s memory. A business should have basic documentation that explains how the environment is configured and why. Recommended action Document administrator accounts and roles. Document multifactor authentication requirements. Document external sharing rules. Document the guest access process. Document email forwarding rules. Document offboarding steps. Document security alert responsibilities. Document approved exceptions. Good documentation helps the business stay consistent. It also makes it easier to train staff, support audits, and recover from problems. Quick Checklist Start with the Microsoft 365 settings that reduce the most common risk and make the environment easier to manage. Review multifactor authentication requirements. Review legacy authentication and old sign in methods. Review Global Administrator access. Review external sharing in SharePoint and OneDrive. Review guest users and old external access. Confirm audit logging and activity review access. Review mailbox forwarding and inbox rules. Review anti-phishing and email protection policies. Review Teams and group creation settings. Review user offboarding steps. Document security alert ownership. Document approved exceptions. Final Thoughts Microsoft 365 is powerful, but it needs regular review. Settings that made sense during setup may not fit the business anymore. New users, new vendors, new departments, and new risks can all change what good configuration looks like. A practical Microsoft 365 settings review does not have to be overwhelming. Start with the areas that create the most risk: multifactor authentication, administrator access, external sharing, guest users, audit logs, email forwarding, security policies, Teams ownership, and offboarding. Need help reviewing Microsoft 365 settings? J3 Systems Group LLC helps small businesses and nonprofits review Microsoft 365, access, documentation, cloud systems, devices, security settings, and practical IT risks before they become urgent problems. Need help applying this? J3 Systems Group LLC helps small businesses and nonprofits turn practical IT guidance into clear next steps. Request a Consultation Back to Resource Center