top of page
Writer's picturePaul Barnes

🍝 Microsoft 365's Security Settings Spaghetti 🍝


Spaghetti bowl with Microsoft logo

Businesses are increasingly relying on cloud-based applications like Microsoft 365 to stay productive and competitive. However, managing the security of these applications can be a daunting task, especially for small businesses with limited IT and Security resources.


In this short post, we will discuss some of the key security challenges facing small businesses that use Microsoft 365.



The Challenge of Managing Multiple Admin Portals

One of the biggest challenges facing businesses that use Microsoft 365 is the sheer number of admin portals that they need to manage. There are over 20 main admin portals, ranging from Azure AD to Yammer, with 200+ sub portals. This makes it virtually impossible to manually keep track of which settings need to be configured and where they are located.

Even for the most technical IT admins, it can be difficult to get a clear view of all of the security settings that need to be configured in a Microsoft 365 environment. Take a look at http://msportals.io/ where the site lists all the cloud portals that Microsoft offers:


List of all portals currently available
Collection of Microsoft cloud Portals

To make matters worse, there are also nearly 200 settings groups within this collection of portals. This means that there are potentially thousands of settings that need to be configured in order to properly secure a Microsoft 365 environment.



The Difficulty of Implementing Security Recommendations

Microsoft provides a long list of security recommendations for Microsoft 365 environments. The Microsoft Security Score is an attempt to benchmark where customers are in terms of these security recommendation, however, they can be difficult to implement, especially for small businesses with limited IT resources.


Microsoft Security score - good luck!
Microsoft Security score

The recommendations are often scattered across multiple portals and settings groups and despite some of the deep-linking that the Security Score tool offers, you soon get lost in the incoherent settings screens you encounter and lose track of where you are as you refer to multiple help screen to decipher the impact of what the changes will entail.


What makes matters worse is that the recommendations can apply to services that the business does not even have access to based on their existing subscription capabilities!



Auto-Enforced Security Defaults

Knowing how much of a mess this is, Microsoft announced last year that it will start rolling out the auto-enforcement of certain security defaults for Microsoft 365 environments. This is a very positive step in terms of improving security, but it also comes with some challenges that we know IT administrators and Managed Service Providers will cringe at!


Microsoft Security Defaults enabling prompt

The auto-enforced security defaults can disrupt certain functionality in some environments. In fact, when this was turned on for a local small business I know, they were caught off guard as their shared email account began enforcing MFA and all but one of their employees lost access to email - I didn’t have too much sympathy from a security perspective, but they had no idea what had gone wrong and caused them no end of headaches as they needed to figure out how to resolve this.



The Need for a Security Partner

Given the challenges discussed above, it is clear that businesses need help in managing the security of their Microsoft 365 environments (and a myriad of other SaaS platforms and Apps). A security partner can help with a variety of tasks, including:

  • Advising the most suitable security recommendations that align with their customer's needs and risk profile

  • Implementing security recommendations without the client needing to be an expert

  • Monitoring for security threats 24/7 to ensure their client's environments remain secure

  • Responding to security incidents should an adversary or insider incident occur


At Overe, we understand the need for this and believe that the first step is to raise awareness of the potential issues that businesses may face. One way we intend to do this is with a free tool, that will give businesses an easy to understand way to see their security posture as it relates to Microsoft 365, we hope that this goes some way to close some of the gaps that will inevitably be present when dealing with 🍝 Microsoft 365's Settings Spaghetti 🍝



We are currently building the Overe security platform and this tool is one of the first services to be released, so be sure to sign up to our service so we can let you know when it's ready!





bottom of page