TL;DR: Microsoft has quietly tightened its default Microsoft 365 settings over the past few years, but those upgrades do not apply to older tenants. If your setup is more than two or three years old, five settings are worth checking: file sharing links, external email forwarding, old app permissions, audit log retention, and MFA enforcement. Here is what to look at and why it matters.
Microsoft has tightened many of its default Microsoft 365 settings over the past few years. A tenant set up in 2025 gets more protection out of the box than one built in 2021. Your Microsoft 365 tenant, which is your company’s private space inside Microsoft’s cloud, is where all these settings live.
Here is the catch. When Microsoft changes a default for new tenants, your existing tenant does not change with it. A safer setting rolled out in 2024 does not travel back in time to fix yours. Old sharing links, forwarding rules, and app permissions that were granted years ago all stay active until someone reviews them.
That gap is where risk hides. Below are five settings worth checking, especially if your tenant is more than two or three years old, was set up by a previous IT provider, or has not been reviewed in a while. A quick note before you start: some of these toggles need Microsoft 365 Business Premium, E3, or E5 licensing to change. If an option is grayed out, your license tier is usually the reason. You do not need to change all five at once.
Why do older tenants have weaker security settings?
Older tenants keep the defaults they were born with. Microsoft applies stronger settings to new tenants going forward, but it rarely reaches back and flips them on for tenants that already exist. So a business running Microsoft 365 since 2020 may still carry loose settings that Microsoft stopped shipping years ago.
This matters because attackers know it. They count on old sharing links, forgotten forwarding rules, and stale app permissions that no one has looked at since setup. Federal guidance agrees this is worth your attention. CISA’s Microsoft 365 secure configuration baselines lay out recommended settings for exactly this reason. A yearly review of your tenant is one of the simplest ways to close these gaps, and it is a core part of good managed IT services.
1. The default sharing link in SharePoint and OneDrive
When someone shares a file from SharePoint or OneDrive, the link they create has a default setting for who can open it. In older tenants, that default is often “Anyone with the link,” which means anyone who gets the URL can open the file without signing in. No expiration date. No record of who the link was passed along to.
Newer sites created through Teams now default to “Only people in your organization.” Older sites and the tenant-wide setting often still allow “Anyone” links. Picture an employee who left six months ago and once emailed a proposal to their personal account. That link may still work today, unless someone manually shut it off.
You will find this setting in the SharePoint admin center under Policies, then Sharing. Switching the default to “Specific people” forces every new link to require a sign-in. You can also set an expiration date so any remaining “Anyone” links time out on their own. This change takes about 15 minutes and does not affect existing links until they are recreated.
2. External email forwarding rules
Microsoft now blocks automatic email forwarding to outside addresses by default, part of its push to make new tenants safer from the start. That block lives in the outbound spam policy, which controls what your tenant is allowed to send out.
Forwarding rules created before that change can still be running, though. A tenant with custom spam settings configured years ago may not match the current default either. So a rule an employee set up long ago to send every message to a personal Gmail account could still be quietly shipping your data out the door.
Check two things. In the Microsoft Defender portal, open your anti-spam outbound policy and confirm automatic forwarding is set to off or to the system-controlled option. Then review the inbox rules across your users for any that forward to outside addresses. This is a smart pairing with strong email and spam protection, since a single hidden rule can undo a lot of other safeguards. Verifying the tenant setting takes about 10 minutes. Reviewing every mailbox takes longer.
3. Old third-party app permissions
In July 2025, Microsoft changed its default so most users can no longer approve third-party apps that ask to reach their files and sites. New requests now route to an admin for review. It is a solid upgrade, but it only applies going forward.
Apps that were approved before that change still hold whatever permissions they were given. That can include reading mail, calendars, and files on behalf of the user. Some of these are tools an employee installed years ago and forgot about. Others were approved during a one-time project nobody remembers. Each one is a door into your data that is still standing open.
To review them, go to Microsoft Entra ID, then Enterprise Applications, then All applications. Sort by user consent and look at what currently has access to mail, files, or calendars. Anything you do not recognize or no longer use can be removed right from that screen. Many of these approvals came from “consent phishing,” where a fake app tricks a user into granting access, which is one more reason cybersecurity awareness training pays off. Plan on 30 to 60 minutes, depending on how many old apps show up.
4. How long does Microsoft 365 keep your audit logs?
Standard Microsoft 365 audit logs are kept for 180 days by default. That went up from 90 days for logs created on or after October 17, 2023, according to Microsoft’s audit retention documentation. Audit logs are the records of who did what in your tenant, and they are what you rely on to investigate a problem after the fact.
For many regulated businesses, 180 days is not enough. If you work in healthcare, financial services, or law, your record-keeping duties are often measured in years, not months. HIPAA, the FTC Safeguards Rule, and most state bar rules assume you can produce records long after an event. A six-month window can leave you short when a regulator or an investigation comes calling.
Audit retention policies live in the Microsoft Purview compliance portal under Audit. Extending retention past 180 days requires E5 licensing or the Purview Audit add-on. Once your license supports it, the setup itself takes about 15 minutes. If your industry has strict record rules, this is one to confirm sooner rather than later.
5. Is MFA turned on for everyone?
Not always, and older tenants are where it slips most. MFA, or multi-factor authentication, is the second check at login, like a code from your phone on top of your password. Microsoft’s Security Defaults feature turns MFA on automatically for new tenants, but it arrived in late 2019. Tenants older than that may have no baseline enforcement at all.
There is also a common trap. When an admin turns on a Conditional Access policy, which is a more advanced rule for who must use MFA and when, Microsoft expects that policy to take over and may switch Security Defaults off. If that handoff was rushed, you can end up with Security Defaults off and a Conditional Access policy that misses some users. The result is people signing in with just a password and no one noticing.
Check three spots. Confirm whether Security Defaults is on or off. Confirm a Conditional Access policy is actively requiring MFA for every user, including admins. Then look closely at “break-glass” emergency admin accounts, which are sometimes left out of the policy on purpose and end up with no MFA as a result. Budget about an hour, more if you have several existing policies to map. Getting this right is one of the highest-value moves in all of cybersecurity protection.
What order should you make these changes?
Start with the silent ones and save the disruptive one for last. Some of these changes are invisible to your team. Others change how something they use every day works, so the order matters if you want to avoid a wave of confused emails.
Begin with audit log retention and the app permission review. Neither one touches how your users work. Next, verify external forwarding, which is silent unless someone has a legitimate forwarding rule, and that is rare. Then handle the sharing default, but tell your team before you flip it, since anyone used to grabbing a quick share link will notice. Save the MFA and Conditional Access review for last. It carries the highest stakes and is the one most likely to lock people out if it is done in a hurry.
Review your tenant before a gap becomes a problem
None of these five settings are dramatic on their own. Together, they are the difference between a tenant that quietly protects your business and one that carries years of forgotten risk. Old sharing links, stale forwarding rules, and missing MFA are the kinds of gaps attackers look for first.
You do not have to tackle all five today. Start with the silent changes, work up to the bigger ones, and give the MFA review the time it deserves. If you are not sure when your tenant was last reviewed, or whether any of these need attention, that is worth sorting out now rather than after an incident. Want a second set of eyes on your Microsoft 365 setup? Get in touch with our team and we will walk through it with you.
Not sure how your tenant is configured?
Most business owners have never seen the inside of their Microsoft 365 admin settings, and that is exactly where these gaps live. Z-JAK Technologies can review your tenant, flag the settings that need attention, and fix them in a sensible order without locking your team out. Schedule a quick tenant review and start your next year on solid footing.
Frequently Asked Questions
Are my Microsoft 365 settings still at risk if my tenant is new?
New tenants get stronger defaults than ones set up a few years ago, so you start in a better spot. Even so, a few settings still need a look in any tenant, including sharing scope, app permissions your users granted, and old inbox rules. Age lowers the risk but does not remove it.
What is the current default for “Anyone with the link” sharing?
At the tenant level, many existing tenants still allow “Anyone with the link” sharing. Newer SharePoint sites created through Teams default to “Only people in your organization.” Check both the tenant-wide setting and the site-level setting to know what your users actually see when they share.
Did Microsoft turn off external email forwarding by default?
Yes. Microsoft’s outbound spam policy now blocks automatic forwarding to outside addresses by default in new tenants. The catch is that inbox rules created before that change can still be active, so it is worth auditing existing rules across your mailboxes.
How long does Microsoft 365 keep audit logs by default?
Standard audit logs are kept for 180 days, up from 90 days for logs created on or after October 17, 2023. Key workloads like Exchange, SharePoint, OneDrive, and Entra ID are kept for one year if you have E5 licensing or the Purview Audit add-on.
Does Security Defaults cover all my users?
On a new tenant, yes, including MFA enforcement. On an older tenant that has had Conditional Access policies turned on, Security Defaults may have been switched off, and your MFA coverage now depends entirely on how those policies were built. That is why it is worth confirming directly.
