Why your Microsoft 365 setup might be more vulnerable than you think

60% of organizations rate their Microsoft 365 security as “established” or “advanced”, according to CoreView. Yet, 60% of those same organizations have
experienced account compromise attacks.

The Microsoft 365 attack surface is wide and unpredictable. Risks can come from any direction, whether it’s the complexity of managing multiple tenants, the explosion of Entra apps with broad permissions, or inconsistent enforcement of security controls like MFA.

These issues are often worsened by limited visibility, manual oversight, and a lack of cohesive governance. Even small missteps, like an unmonitored configuration change or an overlooked admin role, can introduce serious vulnerabilities.

49% of IT leaders mistakenly believe that Microsoft backs up their configurations automatically, leaving them vulnerable in the event of a disaster.

Multi-tenant architectures in Microsoft 365

78%of organizations manage multiple Microsoft 365 tenants, creating significant complexity for IT teams. Many valid reasons exist for maintaining multi-tenant architectures. It’s often a strategic choice, not a technical limitation.

Organizational, geographic, and security factors frequently drive the separation, such as:

• Organizational structure alignment: Separate business units or subsidiaries often maintain their own tenants to preserve operational autonomy (47%)
• Geographical and jurisdictional requirements: 35% of multi-tenant organizations cite data sovereignty and compliance with regional regulations as a driver
• Merger and acquisition history: Previously independent organizations bring their existing Microsoft 365 environments, creating multi-tenant landscapes
• Security isolation: 34.8% of multi-tenant organizations maintain separate tenants to enforce separation of duties and least privilege principles

Regardless of alignment, multi-tenant management brings complexity and risk, often beyond what organizations are prepared for.

Organizations with 10 or more tenants are 2.3 times more likely to report significant operational overhead than those with just 2–4. Each tenant adds its own configurations, licensing costs, admin burden, cross-tenant access risks, and contributes to identity and privilege sprawl.

Global admin usage down, application privileges exploding

The good news is that organizations are getting global admin proliferation under control. Only 20% report having more than 10 global admins, while 61% maintain five or fewer, which is close to Microsoft’s best-practice recommendation of fewer than five.

While global admin counts are down, a new risk is rising: 51% of organizations have 250+ Entra apps with read-write permissions, and 18% report over 1,000. Even among those limiting global admins to five or fewer, 43% still allow 250+ apps with these powerful permissions.

Yet most organizations lack strong oversight: 16% have no process at all, 33% rely on manual reviews, and only a minority use built-in (29%) or third-party (22%) tools to manage app permissions.

Organizations overlook configuration backups

While 96% of organizations say their data is backed up or will be soon, many overlook configuration backups entirely. 47% rely on Microsoft’s built-in tools, which back up data but not configurations. Another 25% use third-party backup vendors, 18% manually back up configurations or rely on documentation, and 10% have no strategy at all.

Organizations with formal disaster recovery plans are 58% less likely to experience significant operational disruptions from misconfigurations. And with formal change control processes in place, they see 72% fewer security incidents tied to misconfigurations.

68% of organizations report that attackers attempt to access Microsoft 365 weekly, daily, or constantly.

Despite the fact that 99.9% of account compromises occur in accounts lacking MFA, only 41% of organizations have implemented MFA effectively. Organizations with automated MFA detection and enforcement experience 53% fewer account compromise incidents compared to those with only partial implementation.

“In a landscape where 49% of IT leaders mistakenly believe their configurations are backed up by Microsoft, and 68% of organizations are facing constant cyber threats, it’s crucial for businesses to reevaluate their security strategies,” says Simon Azzopardi, an expert in cloud security.