
Microsoft 365 defaults and the governance gap teams are missing

Posted by @nhi-mgmt-group (Member Moderator, topic starter)

TL;DR: Abnormal Security says default Microsoft 365 settings let standard users register devices, enroll MFA, and bypass controls through OAuth device code flow, while CIS v6 adds 29 new checks across Entra, Intune, Teams, Defender, and Exchange. The real issue is not a lack of controls, but tenants leaving identity and messaging defaults unreviewed for too long.

NHIMG editorial — based on content published by Abnormal AI: Microsoft 365 posture gaps and CIS v6 control updates

By the numbers:

  • 29 net-new controls are now included in the CIS v6.0.0 posture baseline for Microsoft 365 tenants.

Questions worth separating out

Q: How should security teams reduce Microsoft 365 identity risk from default settings?

A: Start by treating default tenant settings as temporary, not acceptable.

Q: Why do Microsoft 365 defaults create such a wide attack surface?

A: Because identity, device, email, and collaboration controls are distributed across multiple admin planes, and many tenants never review them together.

Q: What breaks when sender allow lists are too broad in Microsoft 365?

A: Broad allow lists let partner-compromise and spoofed messages bypass the scanning layer entirely, which removes the tenant's last chance to inspect malicious email.

Practitioner guidance

  • Review tenant defaults as if they were active permissions. Audit Entra, Intune, Defender, Teams, and Exchange baseline settings together, then document which defaults intentionally remain open and why.
  • Block device code flow unless you have a hard business exception. Disable the OAuth device code sign-in path tenant-wide, and require an explicit approval and monitoring pattern for any workflow that still depends on it.
  • Remove broad sender and connection allow lists. Replace blanket allowed domains, safe lists, and static IP exceptions with narrowly scoped controls that are reviewed and logged as trust exceptions.
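One way to verify the device code flow item above against a tenant export, as an added example rather than code from Abnormal AI or the NHIMG post: it reads Conditional Access policies in the Microsoft Graph conditionalAccessPolicy shape (the field names are Graph's; the sample tenant data is constructed) and reports whether an enabled policy blocks deviceCodeFlow for all users and all apps, treating report-only mode and user exclusions as gaps to document rather than as the control being in place.

```python
# Added example, not code from Abnormal AI or NHIMG: given an exported list of
# Entra Conditional Access policies (Microsoft Graph conditionalAccessPolicy
# shape), report whether device code flow is actually blocked tenant-wide.
def _transfer_methods(policy):
    """Set of authentication-flow transfer methods a policy targets."""
    flows = policy.get("conditions", {}).get("authenticationFlows") or {}
    raw = flows.get("transferMethods") or ""
    return {m.strip() for m in raw.split(",") if m.strip()}

def blocks_device_code_flow(policy):
    """True only for an enabled, all-users, all-apps block with no carve-outs."""
    if policy.get("state") != "enabled":  # report-only or disabled enforces nothing
        return False
    if "deviceCodeFlow" not in _transfer_methods(policy):
        return False
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    if "All" not in users.get("includeUsers", []):
        return False
    if users.get("excludeUsers") or users.get("excludeGroups"):
        return False  # excluded principals are exactly the exceptions to document
    if "All" not in apps.get("includeApplications", []):
        return False
    grant = policy.get("grantControls") or {}
    return "block" in grant.get("builtInControls", [])

def device_code_flow_findings(policies):
    """Empty list means the control is in place; otherwise one finding per gap."""
    if any(blocks_device_code_flow(p) for p in policies):
        return []
    findings = ["no enabled policy blocks deviceCodeFlow for all users and all apps"]
    for p in policies:  # explain the near-misses so the fix is obvious
        if "deviceCodeFlow" in _transfer_methods(p) and p.get("state") != "enabled":
            findings.append(f"{p['displayName']}: targets deviceCodeFlow but state is {p['state']}")
    return findings

SAMPLE_POLICIES = [  # constructed sample export: the block policy was left in report-only mode
    {"displayName": "Block device code flow", "state": "enabledForReportingOnly",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "authenticationFlows": {"transferMethods": "deviceCodeFlow,authenticationTransfer"}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

if __name__ == "__main__":
    for line in device_code_flow_findings(SAMPLE_POLICIES) or ["OK: device code flow is blocked"]:
        print(line)
```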

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • The complete CIS v6 control mapping for Entra, Intune, Teams, Defender, and Exchange
  • Step-by-step posture checks for device registration, MFA enrollment, and mail-flow exceptions
  • The 29 new policy names and how Abnormal classifies each tenant condition
  • The vendor's walkthrough of Drift Log, GenAI Posture Analysis, and Exception Workflow handling

Read Abnormal AI's analysis of Microsoft 365 CIS v6 posture gaps.
