Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Microsoft 365 defaults and the governance gap teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Abnormal Security says default Microsoft 365 settings let standard users register devices, enroll MFA, and bypass controls through OAuth device code flow, while CIS v6 adds 29 new checks across Entra, Intune, Teams, Defender, and Exchange. The real issue is not a lack of controls, but tenants leaving identity and messaging defaults unreviewed for too long.

NHIMG editorial — based on content published by Abnormal AI: Microsoft 365 posture gaps and CIS v6 control updates

By the numbers:

  • 29 net-new controls are now included in the CIS v6.0.0 posture baseline for Microsoft 365 tenants.

Questions worth separating out

Q: How should security teams reduce Microsoft 365 identity risk from default settings?

A: Start by treating default tenant settings as temporary, not acceptable.

Q: Why do Microsoft 365 defaults create such a wide attack surface?

A: Because identity, device, email, and collaboration controls are distributed across multiple admin planes, and many tenants never review them together.

Q: What breaks when sender allow lists are too broad in Microsoft 365?

A: Broad allow lists let partner-compromise and spoofed messages bypass the scanning layer entirely, which removes the tenant's last chance to inspect malicious email.

Practitioner guidance

  • Review tenant defaults as if they were active permissions Audit Entra, Intune, Defender, Teams, and Exchange baseline settings together, then document which defaults intentionally remain open and why.
  • Block device code flow unless you have a hard business exception Disable the OAuth device code sign-in path tenant-wide, and require an explicit approval and monitoring pattern for any workflow that still depends on it.
  • Remove broad sender and connection allow lists Replace blanket allowed domains, safe lists, and static IP exceptions with narrowly scoped controls that are reviewed and logged as trust exceptions.

What's in the full article

Abnormal AI's full article covers the operational detail this post intentionally leaves for the source:

  • The complete CIS v6 control mapping for Entra, Intune, Teams, Defender, and Exchange
  • Step-by-step posture checks for device registration, MFA enrollment, and mail-flow exceptions
  • The 29 new policy names and how Abnormal classifies each tenant condition
  • The vendor's walkthrough of Drift Log, GenAI Posture Analysis, and Exception Workflow handling

👉 Read Abnormal AI's analysis of Microsoft 365 CIS v6 posture gaps →

Microsoft 365 defaults and the governance gap teams are missing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Default trust is the real vulnerability in Microsoft 365 posture. The article shows that out-of-the-box tenant settings can quietly grant device registration, MFA enrollment, and external communication rights before any meaningful review occurs. That is not a single control failure, but a trust model that assumes the baseline is safe until proven otherwise. Practitioners should read this as a reminder that unreviewed defaults are policy decisions, not neutral settings.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities, according to the same research.

A question worth separating out:

Q: Who is accountable for Microsoft 365 trust exceptions that remain open?

A: Accountability should sit with the IAM or platform owner who approved the exception, plus the security team that owns continuous review. CIS-style baselines are useful because they make those exceptions visible, measurable, and auditable instead of leaving them buried in scattered admin settings.

👉 Read our full editorial: Microsoft 365 default settings expose tenant security gaps



   
ReplyQuote
Share: