Microsoft 365 is a well-defended platform. But here’s the catch: under the shared responsibility model, Microsoft protects the infrastructure, while you are responsible for how people sign in, how data is shared, and how licenses and retention are set up.
That’s where most problems happen. If those basics aren’t tight, a phished account, a ransomware infection or an unnoticed deletion can still bring your business to a halt.
This post breaks down:
- What Microsoft already covers by default
- The gaps that show up in real businesses
- Simple steps every owner or ops leader should take to close them
What Microsoft Protects by Default
Out of the box, Microsoft 365 gives you:
- Secure cloud infrastructure, with encryption in transit and at rest
- File version history plus first- and second-stage recycle bins in OneDrive/SharePoint (deleted items are kept for 93 days in total)
- Baseline spam and malware filtering through Exchange Online Protection (EOP)
- Extra protections with Defender for Office 365 (Safe Links, Safe Attachments, anti-impersonation policies) when licensed and turned on
These are strong safety nets. But gaps usually come from how accounts are configured and how people use the tools.
Where Gaps Appear (and How to Fix Them)
1. Weak sign-ins and phishing
Most Microsoft 365 compromises begin with phishing or stolen credentials. The risk isn’t just a weak password; it’s tenant settings that leave doors open:
- MFA that isn’t enforced for everyone, or MFA that relies on SMS codes (phishable and SIM-swappable) instead of an authenticator app or a FIDO2 key
- Legacy protocols such as POP, IMAP and SMTP AUTH over basic authentication, which skip MFA and Conditional Access entirely (Microsoft turned basic authentication off by default in Exchange Online in 2022, but SMTP AUTH can still be allowed per mailbox)
- Mailbox forwarding and inbox rules that quietly copy mail to external addresses, a favorite persistence trick once an account has been phished
- No alerts on risky sign-ins, or on OAuth consents that grant a third-party app access to mailboxes or files
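As an added example, not code from the original post, the following PowerShell inventories the forwarding and legacy-protocol gaps above in an Exchange Online tenant and then closes them. It uses the ExchangeOnlineManagement module and assumes the signed-in account holds an Exchange admin role; the mailbox-by-mailbox loop and the decision to disable POP/IMAP on every mailbox that has them are this example’s choices, so review the inventory output before running the fix section.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module (Install-Module ExchangeOnlineManagement) and an Exchange admin role.
Connect-ExchangeOnline

# --- Gap: mail leaving the tenant via forwarding ---------------------------
# (a) Forwarding set on the mailbox object itself (by an admin or via OWA settings)
$mailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# (b) Inbox rules that forward or redirect. Attackers create these after phishing
#     an account so they keep receiving mail even after the password is reset.
$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# --- Gap: legacy protocols that skip MFA -----------------------------------
# Tenant-wide switch for SMTP AUTH ($true means disabled, which is what you want)
Get-TransportConfig | Select-Object SmtpClientAuthenticationDisabled

# Per-mailbox POP/IMAP, and mailboxes that explicitly re-enable SMTP AUTH ($false)
$legacyProtocols = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or ($_.SmtpClientAuthenticationDisabled -eq $false) } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled

# --- Review the inventory before changing anything ---------------------------
$mailboxForwarding | Format-Table -AutoSize
$ruleForwarding    | Format-Table -AutoSize
$legacyProtocols   | Format-Table -AutoSize

# --- Fixes ------------------------------------------------------------------
# Block automatic external forwarding for the whole tenant in the default
# outbound spam policy; forwarding rules to outside addresses then bounce.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# Turn off POP/IMAP on every mailbox that currently allows them. Re-enable per
# mailbox only for the rare case that genuinely needs them.
$legacyProtocols | Where-Object { $_.PopEnabled -or $_.ImapEnabled } | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}
```

The inbox-rule loop calls Get-InboxRule once per mailbox, so it takes a while on a large tenant; run it off-hours or scope `$mailboxes` to a department first. Setting `AutoForwardingMode` to `Off` does not touch existing rules, which is why the inventory is still worth keeping for the cleanup.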
2. Too much admin access
Too many Global Admins (or permanent admin rights) magnify the damage if one account is compromised. Microsoft’s guidance is fewer than five Global Administrators, and at least two so that a single lost password or departed employee cannot lock you out of the tenant.
Fixes that work:
- Use Privileged Identity Management (PIM) so admin rights are temporary and approved
- Require phishing-resistant MFA through Conditional Access for all admin roles
- Review and trim roles on a schedule
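As an added example, not code from the original post, here is a Microsoft Graph PowerShell check that lists who currently holds Global Administrator (permanently or through an active PIM activation), who is merely PIM-eligible, and warns when the active count falls outside the two-to-four range described above. It assumes the Microsoft.Graph SDK is installed and that the signed-in account can consent to the read scopes listed; the warning thresholds are this example’s, taken from the guidance in the section.

```powershell
# Added example, not from the original post. Requires the Microsoft.Graph
# PowerShell SDK (Install-Module Microsoft.Graph) on PowerShell 7.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'User.Read.All'

# Well-known role template ID for Global Administrator; identical in every tenant.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'

# Active Global Administrators: permanent assignments plus anyone who has
# activated an eligible PIM assignment right now.
$gaRole    = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $gaTemplateId
$activeGAs = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    $props = $_.AdditionalProperties
    [pscustomobject]@{
        Id   = $_.Id
        Name = if ($props.userPrincipalName) { $props.userPrincipalName } else { $props.displayName }
        Type = $props.'@odata.type'   # #microsoft.graph.user, group or servicePrincipal
    }
}

# Eligible (PIM) Global Administrators: no standing access until they activate.
# For built-in roles the roleDefinitionId equals the role template ID.
$eligibleGAs = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$gaTemplateId'" -ExpandProperty principal |
    ForEach-Object { $_.Principal.AdditionalProperties.userPrincipalName }

$activeCount = @($activeGAs).Count
"Active Global Administrators: $activeCount"
$activeGAs | Format-Table -AutoSize
"PIM-eligible Global Administrators: $(@($eligibleGAs).Count)"
$eligibleGAs

# Example thresholds, taken from the section above (fewer than five, at least two).
if ($activeCount -gt 4) {
    Write-Warning "More than 4 active Global Admins. Move the rest to PIM-eligible assignments."
}
if ($activeCount -lt 2) {
    Write-Warning "Fewer than 2 Global Admins. Add a second break-glass account so one lost password cannot lock you out."
}
# Groups and service principals holding the role deserve a closer look: every
# member of such a group is effectively a Global Admin too.
$activeGAs | Where-Object Type -ne '#microsoft.graph.user' | Format-Table -AutoSize
```

Run this on the schedule mentioned above and keep the output; the difference between two runs is the simplest possible “who got admin rights this month” report.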
3. Limited logging and visibility
Short audit retention and quiet alerts give attackers cover. With Audit (Standard), which is what most licenses include, Microsoft 365 keeps audit records for 180 days (it was 90 days until late 2023). Audit (Premium), included with E5, keeps them for one year, and a paid add-on extends that to ten years.
Fixes that work:
- Make sure the Unified Audit Log is on and searchable (it is enabled by default in new tenants, but verify it rather than assume it)
- Stream sign-ins and admin activity to your SIEM (or at least review them weekly)
- Monitor for:
- Unusual inbox rules
- Large numbers of file changes (possible ransomware)
- New third-party app connections
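As an added example, not code from the original post, this PowerShell confirms that audit ingestion is on and then searches the Unified Audit Log for the three signals listed above: inbox-rule changes, new app consents, and one account changing an unusual number of files in a day. It uses the ExchangeOnlineManagement module and assumes the signed-in account holds the Audit Logs or View-Only Audit Logs role; the 500-change threshold is an assumption to tune against your tenant’s normal volume.

```powershell
# Added example, not from the original post. Requires the ExchangeOnlineManagement
# module and the Audit Logs (or View-Only Audit Logs) role.
Connect-ExchangeOnline

# Verify that records are actually being written to the unified audit log.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Search-UnifiedAuditLog returns at most 5,000 rows per call. Page with a session
# ID until the service returns nothing more, so a busy day is not silently cut off.
function Get-AuditRecords {
    param([datetime]$Start, [datetime]$End, [string[]]$Operations)
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -Operations $Operations `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $page
    } while ($page)
}

$end   = Get-Date
$start = $end.AddDays(-7)

# 1. Inbox rules created or changed in the last week (post-phish persistence).
#    New-InboxRule/Set-InboxRule come from PowerShell and OWA; UpdateInboxRules from Outlook.
Get-AuditRecords -Start $start -End $end -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When = $_.CreationDate
            User = $_.UserIds
            Op   = $_.Operations
            IP   = $data.ClientIP     # an unfamiliar country here is the tell
        }
    } | Format-Table -AutoSize

# 2. OAuth consent grants: a user (or admin) authorising a third-party app.
Get-AuditRecords -Start $start -End $end -Operations 'Consent to application.' |
    Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

# 3. Burst of file changes by a single account in the last 24 hours (possible ransomware).
$threshold = 500   # assumption: set this above your tenant's normal per-user daily volume
Get-AuditRecords -Start $end.AddHours(-24) -End $end -Operations FileModified, FileRenamed, FileDeleted |
    Group-Object UserIds |
    Where-Object Count -gt $threshold |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Audit records can take hours to appear in the log, so a weekly review should look back slightly further than a week, and the file-change check is a tripwire rather than a replacement for the automated alert policies in the Defender portal or a SIEM fed from the same log.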
4. Backups: what Microsoft does (and doesn’t) cover
One of the biggest myths: “Microsoft backs up everything automatically.”
Not quite. Yes, you get:
- File version history
- Recycle bins
But those aren’t true backups. They don’t help if:
- Ransomware encrypts files faster than anyone notices, the 30-day OneDrive Files Restore window has passed, or the attacker used a compromised admin account to purge versions and recycle bins
- A deletion goes unnoticed for longer than the 93-day recycle bin window
- You need to restore data from months or years ago
Microsoft does build in redundancy across its datacenters, but that protects against hardware failure, not against your own users, your own admins or an attacker holding their credentials. It is not the same as having a backup you control and can restore from any point in time.
What to look for in a real backup service:
- Daily incremental backups stored offsite (outside Microsoft’s cloud)
- Separate credentials and deletion protection, so a compromised Microsoft 365 admin account cannot wipe the backups along with the data
- Ability to restore entire mailboxes, Teams chats, OneDrive/SharePoint sites, or single files
- Retention that matches your compliance requirements
The takeaway is simple: Microsoft builds the foundation, but it’s up to you to make sure it’s used the right way.
Here's how you get started:
- Fill the gaps with monitoring, access controls, and proper backups
- Keep licenses aligned with your actual needs
You don’t need to do this alone. If you’re unsure whether your Microsoft 365 environment could withstand a ransomware attack, Sirkit can help. Our Managed IT Services team closes these gaps, tests recovery plans, and keeps you compliant.