TL;DR: Microsoft 365 misconfigurations such as auto-forwarding, excess mailbox delegation, disabled MFA, and configuration drift can create silent exposure across Teams, SharePoint, Entra, and Exchange, according to Abnormal AI. The security problem is not just visibility, but the identity governance gap between policy intent and what actually remains enabled in production.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams govern Microsoft 365 misconfigurations at scale?
A: Security teams should treat Microsoft 365 configuration as part of identity governance, not as an isolated admin task.
Q: Why do Microsoft 365 misconfigurations create persistent risk even without malware?
A: They create persistent risk because settings like auto-forwarding, mailbox delegation, and disabled MFA can remain active long after the original business need has passed.
Practitioner guidance
- Map Microsoft 365 settings to identity controls: Classify auto-forwarding, mailbox delegation, MFA enforcement, and sharing settings as identity-relevant controls and assign owners for each control domain.
- Baseline and compare live tenant state continuously: Record the approved configuration for Exchange, Entra, Teams, and SharePoint, then compare live state against that baseline on a recurring cadence so drift is visible before it becomes exposure.
- Prioritise settings that create durable exposure: Triage first the controls that enable persistence, forwarding, delegation, or authentication bypass because these create the longest-lived abuse paths and the widest blast radius.
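One way to run the baseline comparison and triage described in the guidance above, as an added example that is not code from Abnormal AI or NHIMG. The setting names, values, and priority prefixes are constructed for illustration and assume the tenant state has already been exported to a flat key/value form.

```python
# Added example. Setting names and values are constructed, not Microsoft 365 API fields.
# Controls that enable forwarding, delegation or authentication bypass are triaged first.
HIGH_PRIORITY_PREFIXES = ("exchange.auto_forwarding", "exchange.mailbox_delegates", "entra.mfa")

BASELINE = {  # approved configuration (constructed)
    "exchange.auto_forwarding_external": False,
    "exchange.mailbox_delegates.finance-shared": ["alice@example.com"],
    "entra.mfa_required_all_users": True,
    "sharepoint.external_sharing": "existing_guests",
    "teams.guest_access": False,
}
LIVE = {  # exported live tenant state (constructed); teams.guest_access failed to export
    "exchange.auto_forwarding_external": True,
    "exchange.mailbox_delegates.finance-shared": ["temp-contractor@example.com", "alice@example.com"],
    "entra.mfa_required_all_users": True,
    "sharepoint.external_sharing": "anyone",
}
_MISSING = object()

def _norm(value):
    """Compare list-valued settings as sorted lists so ordering alone is not drift."""
    return sorted(value) if isinstance(value, list) else value

def _describe(expected, actual):
    """Summarise a difference; for lists, show which members were added or removed."""
    if isinstance(expected, list) and isinstance(actual, list):
        return f"added={sorted(set(actual) - set(expected))} removed={sorted(set(expected) - set(actual))}"
    return f"expected={expected!r} actual={actual!r}"

def find_drift(baseline, live):
    """Return (priority, setting, detail) tuples, high-priority drift first."""
    findings = []
    for key in sorted(set(baseline) | set(live)):
        expected, actual = baseline.get(key, _MISSING), live.get(key, _MISSING)
        if expected is _MISSING:
            detail = "present in tenant but absent from baseline"
        elif actual is _MISSING:
            detail = "absent from live export, state unverified"
        elif _norm(expected) == _norm(actual):
            continue  # matches the approved state
        else:
            detail = _describe(expected, actual)
        priority = "high" if key.startswith(HIGH_PRIORITY_PREFIXES) else "normal"
        findings.append((priority, key, detail))
    return sorted(findings, key=lambda f: (f[0] != "high", f[1]))

if __name__ == "__main__":
    for priority, key, detail in find_drift(BASELINE, LIVE):
        print(f"[{priority}] {key}: {detail}")
```

A setting missing from the live export is reported rather than assumed compliant, so a failed collection does not hide drift.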
What to expect at the briefing
Abnormal AI's full webinar covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for identifying hidden Microsoft 365 misconfigurations across Exchange, Teams, SharePoint, and Entra
- Remediation workflow details for prioritising critical settings without relying on manual triage alone
- Operational examples showing how posture management reduces investigation time from 40 hours a week to just two
- ISC2 CPE claim instructions for practitioners who need continuing-education credit
Microsoft 365 configuration drift: what identity teams are missing?
Explore further
Configuration drift is an identity governance failure, not just an admin hygiene issue. Microsoft 365 settings shape who can read, forward, delegate, or bypass protections, which makes them part of the access model rather than mere system housekeeping. When posture changes silently, governance reports can stay clean while effective exposure grows. Practitioners should treat tenant configuration as enforceable identity state, not background noise.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who is accountable when a Microsoft 365 configuration gap leads to exposure?
A: Accountability should sit with the control owner for the affected service, supported by identity governance and security operations. If a setting can forward mail, widen delegation, or weaken authentication, then someone must own the baseline, the exception process, and the evidence trail. Without that ownership, the gap will persist across audits and incident response.