Why your Microsoft 365 setup might be more vulnerable than you think

60% of organisations rate their security as “established” or “advanced” - yet, 60% of those have also experienced compromising attacks.

Published on 23rd July 2025

The Microsoft 365 attack surface is wide and unpredictable. Risks can come from any direction, whether it’s the complexity of managing multiple tenants, the explosion of Entra apps with broad permissions, or inconsistent enforcement of security controls like MFA.

These issues are often worsened by limited visibility, manual oversight, and a lack of cohesive governance. Even small missteps, like an unmonitored configuration change or an overlooked admin role, can introduce serious vulnerabilities.

49% of IT leaders mistakenly believe that Microsoft backs up their configurations automatically, leaving them vulnerable in the event of a disaster.

Multi-tenant architectures in Microsoft 365

78% of organisations manage multiple Microsoft 365 tenants, creating significant complexity for IT teams. Many valid reasons exist for maintaining multi-tenant architectures. It’s often a strategic choice, not a technical limitation.

Organisational, geographic, and security factors frequently drive the separation, such as:

Regardless of alignment, multi-tenant management brings complexity and risk, often beyond what organisations are prepared for.

Organisations with 10 or more tenants are 2.3 times more likely to report significant operational overhead than those with just 2–4. Each tenant adds its own configurations, licensing costs, admin burden, cross-tenant access risks, and contributes to identity and privilege sprawl.

Global admin usage down, application privileges exploding

The good news is that organisations are getting global admin proliferation under control. Only 20% report having more than 10 global admins, while 61% maintain five or fewer, which is close to Microsoft’s best-practice recommendation of fewer than five.

While global admin counts are down, a new risk is rising: 51% of organisations have 250+ Entra apps with read-write permissions, and 18% report over 1,000. Even among those limiting global admins to five or fewer, 43% still allow 250+ apps with these powerful permissions.

Yet most organisations lack strong oversight: 16% have no process at all, 33% rely on manual reviews, and only a minority use built-in (29%) or third-party (22%) tools to manage app permissions.

Organisations overlook configuration backups

While 96% of organisations say their data is backed up or will be soon, many overlook configuration backups entirely. 47% rely on Microsoft’s built-in tools, which back up data but not configurations. Another 25% use third-party backup vendors, 18% manually back up configurations or rely on documentation, and 10% have no strategy at all.

Organisations with formal disaster recovery plans are 58% less likely to experience significant operational disruptions from misconfigurations. And with formal change control processes in place, they see 72% fewer security incidents tied to misconfigurations.

68% of organisations report that attackers attempt to access Microsoft 365 weekly, daily, or constantly.

Despite the fact that 99.9% of account compromises occur in accounts lacking MFA, only 41% of organisations have implemented MFA effectively. Organisations with automated MFA detection and enforcement experience 53% fewer account compromise incidents compared to those with only partial implementation.
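The two gaps the survey keeps returning to, applications holding write permissions with no review process behind them and accounts still running without MFA, are both things a tenant owner can find from data that can be exported from the tenant. The script below is an added example, not code from the article or from the survey it summarises: it runs offline over constructed records whose field names are modelled on Microsoft Graph's app-role assignment and authentication-method registration reports (those field names are assumptions, as are the sample apps, users and app IDs), classifies each permission scope as read or write, ranks apps by write reach and missing ownership, and lists users with no MFA registered, admins first.

```python
"""Offline triage of exported Entra ID posture data.

Two checks: apps holding write permissions, and users not registered for
MFA. Record shapes are constructed here to resemble Microsoft Graph output
(field names are assumptions); no tenant is contacted.
"""
from __future__ import annotations

# Constructed sample: one record per application, with granted application
# permissions already resolved to scope values (in a real export these come
# from appRoleAssignments joined to the resource's appRoles). Not real data.
SAMPLE_APP_GRANTS = [
    {
        "appDisplayName": "HR Sync Connector",
        "appId": "11111111-1111-1111-1111-111111111111",  # constructed
        "permissions": ["User.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"],
        "owners": [],
    },
    {
        "appDisplayName": "Read-only Reporting",
        "appId": "22222222-2222-2222-2222-222222222222",  # constructed
        "permissions": ["Reports.Read.All"],
        "owners": ["alice@example.com"],
    },
    {
        "appDisplayName": "Mail Archiver",
        "appId": "33333333-3333-3333-3333-333333333333",  # constructed
        "permissions": ["Mail.Read", "Mail.Send"],
        "owners": ["bob@example.com"],
    },
]

# Constructed sample shaped like a user registration details report
# (userPrincipalName, isAdmin, isMfaRegistered, methodsRegistered).
SAMPLE_MFA_REGISTRATIONS = [
    {"userPrincipalName": "carol@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
    {"userPrincipalName": "dave@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "erin-admin@example.com", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": ["mobilePhone"]},
]

# Heuristic: a scope segment in this set means the permission can change
# data or act on behalf of users, rather than merely read.
WRITE_SEGMENTS = {"ReadWrite", "Write", "Send", "Manage", "AccessAsUser"}


def classify_scope(scope: str) -> str:
    """Return 'write-tenant-wide', 'write' or 'read' for one scope string."""
    segments = scope.split(".")
    if not any(seg in WRITE_SEGMENTS for seg in segments):
        return "read"
    # A trailing '.All' marks tenant-wide reach rather than a single mailbox/user.
    return "write-tenant-wide" if segments[-1] == "All" else "write"


def find_overprivileged_apps(grants: list[dict]) -> list[dict]:
    """Apps holding at least one write scope, riskiest first.

    Each finding lists the write scopes and flags apps with no owner,
    i.e. nobody accountable for reviewing the grant."""
    findings = []
    for app in grants:
        write_scopes = [s for s in app["permissions"] if classify_scope(s) != "read"]
        if not write_scopes:
            continue
        tenant_wide = sum(classify_scope(s) == "write-tenant-wide" for s in write_scopes)
        findings.append({
            "appDisplayName": app["appDisplayName"],
            "appId": app["appId"],
            "writeScopes": write_scopes,
            "tenantWideWriteCount": tenant_wide,
            "unowned": not app["owners"],
        })
    # Unowned apps with the most tenant-wide write scopes sort to the top.
    findings.sort(
        key=lambda f: (f["unowned"], f["tenantWideWriteCount"], len(f["writeScopes"])),
        reverse=True,
    )
    return findings


def find_mfa_gaps(registrations: list[dict]) -> list[dict]:
    """Users with no MFA method registered, admins first."""
    gaps = [r for r in registrations if not r["isMfaRegistered"]]
    gaps.sort(key=lambda r: r["isAdmin"], reverse=True)
    return gaps


if __name__ == "__main__":
    for f in find_overprivileged_apps(SAMPLE_APP_GRANTS):
        owner_note = "NO OWNER" if f["unowned"] else "owned"
        print(f"[app] {f['appDisplayName']} ({owner_note}): {', '.join(f['writeScopes'])}")
    for g in find_mfa_gaps(SAMPLE_MFA_REGISTRATIONS):
        role = "ADMIN" if g["isAdmin"] else "user"
        print(f"[mfa] {g['userPrincipalName']} ({role}) has no MFA registered")
```

The scope classification is deliberately a heuristic on the scope name; it is a first pass for prioritising a manual review, not a substitute for reading what each permission grants. Feeding it a real export means replacing the two constructed lists with records of the same shape.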

“In a landscape where 49% of IT leaders mistakenly believe their configurations are backed up by Microsoft, and 68% of organisations are facing constant cyber threats, it’s crucial for businesses to reevaluate their security strategies,” says Simon Azzopardi, an expert in cloud security.

Image Credit

Dzianis Vasilyeu via Vecteezy
