Microsoft has quietly tightened a lot of the default settings in Microsoft 365 over the past several years. A tenant created last month starts life more locked down than one set up in 2020 or 2021. The catch is that those improvements mostly apply going forward. When Microsoft changes a default for new tenants, your existing tenant usually keeps whatever it had — and any consent, inbox rule, or sharing link granted before the change stays exactly as it was.
So the protections you read about in Microsoft’s announcements may simply not be switched on in your environment. Below are five settings worth checking, especially if your tenant is more than two or three years old, was set up by a previous IT provider, or hasn’t been looked at in a while.
Before you start
Some of these changes require Microsoft 365 Business Premium, E3, or E5 licensing. If a toggle is grayed out, your license tier is almost always the reason. A couple of them will generate a support ticket or two, because they change how something already works. And none of them need to be flipped all at once — there’s a suggested order at the end.
1. The default sharing link in SharePoint and OneDrive
When someone shares a file from SharePoint or OneDrive, the link they generate has a default scope — who the link works for before they change anything. There are really two settings working together here, and older tenants often have both set loosely.
The first is whether your tenant allows “Anyone with the link” sharing at all. On a link like that, anyone who receives the URL can open the file without signing in, the link can be forwarded to people you’ve never heard of, and there’s no record of where it ends up. The second is the default link type users see when they click Share. Newer Teams-created sites tend to default to “Only people in your organization,” but the tenant-level setting and older sites are frequently still permissive.
The practical risk is mundane: a proposal a departing employee emailed to their personal account six months ago may still open today, because nobody ever revoked the link.
You’ll find these under SharePoint admin center > Policies > Sharing. Switching the default link type to “Specific people” forces every new link to require sign-in. You can also tighten the external sharing level and set a maximum expiration on any remaining “Anyone” links — up to 730 days — so old ones time out on their own.
Rough time: about 15 minutes. Changing the default doesn’t touch existing links; it applies to new ones as they’re created.
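The same review and tightening done from the SharePoint Online Management Shell, as an added example that is not part of the original article. It assumes the Microsoft.Online.SharePoint.PowerShell module and a placeholder admin URL you replace with your own.

```powershell
# Added example (not from the article). Connect to the tenant admin site; the URL is a placeholder.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# The two settings the article describes, side by side:
#   SharingCapability       - can "Anyone with the link" links exist at the tenant level at all?
#   DefaultSharingLinkType  - what the Share dialog offers before the user changes anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays

# Older sites frequently sit above the tenant default. List every site that still allows
# "Anyone" links so they can be reviewed individually.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability

# Tighten the default: "Specific people" in the admin center is DefaultSharingLinkType Direct,
# so every new link requires sign-in. Any Anyone links still permitted expire after at most 730 days.
Set-SPOTenant -DefaultSharingLinkType Direct -RequireAnonymousLinksExpireInDays 730

# To remove Anyone links at the tenant level entirely (guests must sign in), lower SharingCapability
# instead; the expiry above then no longer matters because no new anonymous links can be created.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly
```

Existing links are untouched by either command, so run the site listing again after the change only to confirm nothing drifted back.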
2. External email forwarding rules
Microsoft now blocks automatic forwarding to external addresses by default, through the outbound spam policy, as part of its secure-by-default work. On most tenants the setting reads “Automatic – System-controlled,” which now behaves as “off” — so a user’s inbox rule that forwards everything to a personal Gmail address is blocked, even if they set it up years ago.
Two things still trip people up. First, a custom outbound spam policy that someone created long ago and set to “On” will keep allowing forwarding, and it overrides the system default for the users it covers. Second, this control doesn’t cover forwarding built with Power Automate — a flow that quietly copies mail out of the tenant runs outside the spam policy entirely.
So it’s worth verifying two layers. In the Microsoft Defender portal, under Email & Collaboration > Policies & Rules > Threat policies > Anti-spam policies, open the outbound policy and confirm automatic forwarding is set to “Off” or “Automatic – System-controlled.” Then audit existing inbox rules and any Power Automate flows for forward-to-external setups. The Microsoft Purview audit log lets you search for inbox rule creation events to find them.
Rough time: about 10 minutes to check the tenant setting; longer to review rules and flows across all mailboxes.
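Both layers checked from Exchange Online PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module and an account with Exchange admin rights; Power Automate flows are left to a manual review because they sit outside these cmdlets.

```powershell
# Added example (not from the article).
Connect-ExchangeOnline

# Layer 1: every outbound spam policy, custom ones included. A custom policy whose
# AutoForwardingMode is 'On' keeps forwarding open for the users it is scoped to,
# regardless of what the default policy says.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode

# Layer 2a: forwarding set on the mailbox object itself (admin-side forwarding).
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Layer 2b: inbox rules that forward or redirect. The policy blocks delivery of external
# forwards, but the rules themselves still exist, and internal forwards pass through unaffected.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } }, Name, Enabled,
                      ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Layer 2c: who created or changed inbox rules within the audit retention window.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-180) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 5000 |
    Select-Object CreationDate, UserIds, Operations

# Power Automate flows are outside the spam policy. Get-AdminFlow from the
# Microsoft.PowerApps.Administration.PowerShell module lists them tenant-wide; review
# the ones that use the Office 365 Outlook connector by hand.
```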
3. Historical third-party app consents
In July 2025, Microsoft changed the default so that regular users can no longer approve third-party apps that request access to their files and SharePoint sites — those requests now route to an admin for review. (Tenants still on the old “allow user consent for all apps” setting were migrated automatically to Microsoft’s recommended policy through that summer.)
As with the others, the change applies going forward. Any app a user already consented to keeps whatever permissions it was granted — including, in some cases, the ability to read mail, calendars, and files on their behalf. Some of those are tools someone installed years ago and forgot about, or apps approved during a one-off project that nobody remembers.
To see what’s already there, go to Microsoft Entra admin center > Identity > Applications > Enterprise applications > All applications. Look at how consent was granted and what currently has access to mail, files, or calendars. Anything you don’t recognize or no longer use can be revoked from the same screen.
Rough time: 30 to 60 minutes for the review, depending on how many apps have accumulated.
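The same review scripted against Microsoft Graph, as an added example that is not part of the original article. It assumes the Microsoft Graph PowerShell SDK; the list of permissions treated as sensitive is an assumption you can extend.

```powershell
# Added example (not from the article).
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Delegated permissions that reach mail, files, or calendars on a user's behalf (assumed list).
$watch = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
         'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
         'Calendars.Read', 'Calendars.ReadWrite', 'Contacts.Read'

# Resolve service principal ids to display names once, rather than one Graph call per grant.
$sp = @{}
Get-MgServicePrincipal -All | ForEach-Object { $sp[$_.Id] = $_.DisplayName }

# Each OAuth2 permission grant is one delegated consent. ConsentType 'Principal' means a
# single user consented for themselves (PrincipalId); 'AllPrincipals' is admin consent for everyone.
$findings = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $granted = $_.Scope -split ' ' | Where-Object { $watch -contains $_ }
    if ($granted) {
        [pscustomobject]@{
            App         = $sp[$_.ClientId]
            ConsentType = $_.ConsentType
            PrincipalId = $_.PrincipalId      # empty for AllPrincipals
            Scopes      = $granted -join ' '
            GrantId     = $_.Id
        }
    }
}
$findings | Sort-Object App | Format-Table -AutoSize

# Revoke a grant you don't recognise; take the id from the table above (placeholder shown).
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId '<GrantId from the table>'

# Application permissions (app-only access with no signed-in user) are separate from delegated
# consent and live in app role assignments:
# Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '<service principal object id>'
```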
4. Mailbox and tenant audit log retention
Microsoft raised the default audit log retention on October 17, 2023. Standard audit logs are now kept for 180 days, up from 90 — but only for records generated on or after that date; anything older followed the old 90-day rule. With E5 licensing or the Microsoft Purview Audit (Premium) add-on, Exchange, SharePoint, OneDrive, and Entra ID records are kept for a year, while other activity stays at 180 days.
If you’re in healthcare, financial services, legal, or another regulated field, 180 days may be well short of what you need. HIPAA, the FTC Safeguards Rule, and most state bar rules around client data assume you can produce records on request, and the relevant window is usually measured in years, not months. The problem tends to surface at the worst possible time — during an investigation, when the records you need have already aged out.
Retention policies live in the Microsoft Purview portal under Audit > Audit retention policies. Extending beyond 180 days requires E5 or the Purview Audit add-on — note that Business Premium on its own does not include it. If you’re on Business Premium or E3 and need longer retention, the usual path is to export logs on a schedule or stream them to a SIEM. The configuration itself takes about 15 minutes once you’ve confirmed your license supports it.
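A check of what retention is actually in force, followed by the scheduled-export path the paragraph suggests for tenants without E5, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module and a placeholder output directory.

```powershell
# Added example (not from the article).
Connect-ExchangeOnline    # Search-UnifiedAuditLog
Connect-IPPSSession       # Security & Compliance endpoint for the retention policy cmdlets

# Custom retention policies only exist with E5 or the Audit (Premium) add-on. An empty result
# means records fall back to the defaults described above (180 days, one year for premium types).
Get-UnifiedAuditLogRetentionPolicy | Select-Object Name, RetentionDuration, RecordTypes, Priority

# Export yesterday's records as JSON lines so they outlive the tenant's retention window.
# ReturnLargeSet pages through up to 50,000 records per session, so keep the window short
# on busy tenants and run this daily from a scheduled task.
$end   = (Get-Date).Date
$start = $end.AddDays(-1)
$out   = Join-Path 'C:\AuditExport' ('audit-{0:yyyyMMdd}.jsonl' -f $start)   # placeholder path
$sessionId = [guid]::NewGuid().ToString()
$total = 0
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -SessionId $sessionId `
                 -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($batch) {
        # AuditData holds the full record as JSON; one record per line keeps the file SIEM-friendly.
        $batch | ForEach-Object { $_.AuditData } | Add-Content -Path $out
        $total += $batch.Count
    }
} while ($batch)   # the cmdlet returns nothing once the session is exhausted
Write-Host "Wrote $total records to $out"
```

Point the SIEM at the export directory, or replace Add-Content with the collector's own ingestion call.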
5. MFA enforcement and Security Defaults
This is the setting most likely to be inconsistent in an older tenant. Microsoft introduced Security Defaults in October 2019, and it enforces MFA automatically on new tenants. Microsoft has also been steadily making MFA mandatory for admin work — the Azure portal, Entra admin center, and Intune admin center starting October 2024, the Microsoft 365 admin center from February 2025, and command-line and automation tools from October 2025.
Two situations cause gaps. A tenant created before Security Defaults existed may never have had baseline enforcement turned on. And there’s a common configuration trap: you can’t run Security Defaults and Conditional Access at the same time, so when an admin enables a Conditional Access policy (available with Business Premium and above), Microsoft turns Security Defaults off and expects that policy to take over. If the handoff was rushed, you can end up with Security Defaults off and a Conditional Access policy that doesn’t actually cover everyone.
Check three places. Under Entra admin center > Identity > Overview > Properties > Manage Security Defaults, confirm whether it’s on or off. Under Protection > Conditional Access, confirm a policy is actively enforcing MFA for all users, administrators included. And pay attention to break-glass emergency accounts — these are often deliberately excluded from Conditional Access so you’re never locked out, which is reasonable, but they shouldn’t be left with no second factor at all. Put a phishing-resistant method like a FIDO2 security key on them instead.
Rough time: about an hour, more if Conditional Access already has several policies you need to map.
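The three checks in one pass with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. The break-glass account name is a placeholder.

```powershell
# Added example (not from the article).
Connect-MgGraph -Scopes 'Policy.Read.All', 'UserAuthenticationMethod.Read.All'

# Check 1: is Security Defaults on or off?
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# Check 2: which Conditional Access policies are enforced, whom they include, and whether they
# require MFA. A policy in report-only state ('enabledForReportingButNotEnforced') protects nobody,
# and IncludeUsers must read 'All' for the policy to cover everyone, administrators included.
Get-MgIdentityConditionalAccessPolicy | ForEach-Object {
    $mfa = ($_.GrantControls.BuiltInControls -contains 'mfa') -or ($null -ne $_.GrantControls.AuthenticationStrength.Id)
    [pscustomobject]@{
        Name          = $_.DisplayName
        State         = $_.State
        IncludeUsers  = $_.Conditions.Users.IncludeUsers -join ','   # 'All' = every user
        ExcludeUsers  = $_.Conditions.Users.ExcludeUsers -join ','   # break-glass ids usually show here
        ExcludeGroups = $_.Conditions.Users.ExcludeGroups -join ','
        RequiresMfa   = $mfa
    }
} | Format-Table -AutoSize

# Check 3: the excluded break-glass account should still carry a phishing-resistant method.
$breakGlass = 'breakglass@contoso.onmicrosoft.com'   # placeholder
$methods = Get-MgUserAuthenticationMethod -UserId $breakGlass |
    ForEach-Object { $_.AdditionalProperties['@odata.type'] }
if ($methods -contains '#microsoft.graph.fido2AuthenticationMethod') {
    "FIDO2 security key registered on $breakGlass"
} else {
    "WARNING: $breakGlass has no FIDO2 key; registered methods: $($methods -join ', ')"
}
```

A result listing only '#microsoft.graph.passwordAuthenticationMethod' is the exact gap the paragraph warns about: an account excluded from Conditional Access with no second factor at all.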
A sensible order to roll out the changes
Some of these are invisible to your users. Others change something they do every day, so sequence matters.
Start with audit log retention (#4) and the app consent review (#3). Neither has any user-facing impact.
Verify external forwarding (#2) next. It’s silent unless someone has a legitimate forwarding rule, which is rare — and if they do, you’ll want to know about it anyway.
The sharing default (#1) will generate questions from anyone used to clicking Share and pasting the link into an email. Tell people it’s changing before you flip the tenant setting.
Save the MFA and Conditional Access review (#5) for last. It’s the highest-stakes change and the easiest one to lock people out with if it’s done in a hurry. Budget the time to do it properly.
Bottom line. None of this requires ripping anything out. It’s mostly a matter of knowing where Microsoft moved the defaults and checking whether your tenant came along for the ride. The list above is yours to work through — and if you’d rather have someone run it for you, that’s the kind of thing we do.
Frequently asked questions
Are my Microsoft 365 settings still vulnerable if my tenant is fairly new?
Newer tenants start with stronger defaults than ones set up a few years ago. Even so, a few things — sharing scope, app consents users granted, and old inbox rules — are worth reviewing in any tenant, regardless of age.
What’s the current default for “Anyone with the link” sharing?
It depends on two settings. Many existing tenants still permit “Anyone with the link” at the tenant level, while newer Teams-created SharePoint sites default to “Only people in your organization.” Check both the tenant-level setting and the individual site setting to know what your users actually see.
Did Microsoft turn off external email forwarding by default?
Yes. The outbound spam policy now blocks automatic external forwarding by default, and that block disables matching inbox rules. The gaps to watch are custom outbound policies someone set to “On” and forwarding built with Power Automate, which this control doesn’t cover.
How long are Microsoft 365 audit logs kept by default?
180 days for Standard audit logs generated on or after October 17, 2023 (older records followed the previous 90-day default). E5 or the Microsoft Purview Audit (Premium) add-on extends that to one year for Exchange, SharePoint, OneDrive, and Entra ID.
Does Security Defaults cover all my users?
On a new tenant, yes, including MFA. On an older tenant that has had Conditional Access turned on, Security Defaults was likely switched off — because the two can’t run together — and your coverage now depends entirely on how Conditional Access is configured.
