Most businesses assume their Microsoft 365 environment is secure because they’re paying for it. They’re wrong. The default M365 configuration is not a security configuration — it’s a starting point. What’s between “default” and “secure” is exactly where attackers live.
What ARIES Found: A Real M365 Audit
ARIES — PCA’s security intelligence module — ran a comprehensive Microsoft 365 tenant audit using Microsoft Graph API. The audit covered users and accounts, MFA registration status, admin role assignments, mail forwarding rules, Conditional Access policies, license hygiene, and sign-in risk logs.
Here’s what came back:
🔴 Finding 1: Tenant Identity Anomaly
The tenant’s original onmicrosoft.com domain didn’t match the company name. The initial domain had been created under a completely different business identity — meaning all guest accounts, all external B2B links, and all legacy configurations were rooted in a namespace that raised immediate governance questions. Who had access? Was there residual access from the original entity? This required immediate investigation.
🔴 Finding 2: 6 Enabled Accounts with Zero Licenses
Six user accounts were active and enabled — but unlicensed. That means they had no mailbox, no license-based monitoring, and no audit logging. In security terms: unlicensed accounts are blind spots. If an attacker compromised one, standard security tooling wouldn’t catch it. The accounts included a “helpdesk” account, an “Account-Payable” account, a generic “information” account, and device service accounts.
🔴 Finding 3: “Master” Account with Unknown Ownership
An account named “Master” existed in the tenant with an active license. No clear owner. No documented purpose. In every security framework, a generic account with a powerful-sounding name and no attributed owner is a red flag — it’s the kind of account that gets exploited precisely because no one is watching it.
🔴 Finding 4: MFA Status — Completely Unknown
The audit could not confirm whether any user had Multi-Factor Authentication enrolled. The API permissions required to read MFA registration data had not been granted. This isn’t a small gap — it means the entire tenant’s authentication posture was unverified. For a business handling client data and financial information, “we don’t know if MFA is on” is not an acceptable answer.
🔴 Finding 5: Conditional Access — Unconfirmed
Conditional Access is what enforces MFA and blocks legacy authentication protocols. The tenant had Azure AD Premium P1 and P2 — meaning CA policies could be configured. Whether they were actually configured was unknown. Legacy authentication (IMAP, POP, and other clients signing in with Basic Auth), the primary vector for password spray attacks, may have been completely unblocked.
🟠 Finding 6: Mail Forwarding Rules — Not Auditable
Every inbox in the tenant was invisible to audit. Mail forwarding rules — one of the most common post-compromise persistence techniques in Business Email Compromise attacks — could not be checked. If an attacker had already planted a forwarding rule on a key executive mailbox, the audit couldn’t see it.
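Findings 2, 3 and 6 above are all checks that can be run offline over the JSON Microsoft Graph returns. The Python below is an added example, not ARIES code: the contoso tenant, the account and rule names, and the GENERIC_NAMES watch list are constructed placeholders, while the field names are those of the Graph user and messageRule resources.

```python
import json
# Constructed sample of a Graph GET /users page; "contoso" and all names are placeholders.
USERS_JSON = """{"value": [
 {"userPrincipalName": "helpdesk@contoso.onmicrosoft.com", "displayName": "helpdesk",
  "accountEnabled": true, "assignedLicenses": []},
 {"userPrincipalName": "master@contoso.onmicrosoft.com", "displayName": "Master",
  "accountEnabled": true, "assignedLicenses": [{"skuId": "SKU-PLACEHOLDER", "disabledPlans": []}]},
 {"userPrincipalName": "j.doe@contoso.com", "displayName": "Jane Doe",
  "accountEnabled": true, "assignedLicenses": [{"skuId": "SKU-PLACEHOLDER", "disabledPlans": []}]},
 {"userPrincipalName": "old.user@contoso.com", "displayName": "Old User",
  "accountEnabled": false, "assignedLicenses": []}
]}"""
# Constructed sample of GET /users/{id}/mailFolders/inbox/messageRules for one mailbox.
RULES_JSON = """{"value": [
 {"displayName": "Newsletters", "isEnabled": true, "actions": {"moveToFolder": "FOLDER-ID"}},
 {"displayName": "Rule 1", "isEnabled": true, "actions": {"delete": true,
  "forwardTo": [{"emailAddress": {"address": "mailbox@example.net"}}]}},
 {"displayName": "CC finance", "isEnabled": true, "actions": {
  "redirectTo": [{"emailAddress": {"address": "finance@contoso.com"}}]}}
]}"""
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # the tenant's verified domains
GENERIC_NAMES = {"master", "helpdesk", "information", "account-payable"}  # hypothetical watch list

def load(page_json): return json.loads(page_json)["value"]  # unwrap Graph's "value" array

def enabled_unlicensed(users):
    """Finding 2: enabled accounts with no license, i.e. accounts nothing is monitoring."""
    return sorted(u["userPrincipalName"] for u in users
                  if u.get("accountEnabled") and not u.get("assignedLicenses"))

def generic_accounts(users):
    """Finding 3: accounts named for a role rather than a person; ownership must be traced."""
    return sorted(u["userPrincipalName"] for u in users
                  if u.get("displayName", "").lower() in GENERIC_NAMES)

def external_forwarding(rules, tenant_domains):
    """Finding 6: enabled inbox rules forwarding or redirecting outside the tenant; a rule
    that also deletes the message hides the forwarded copy from the mailbox owner."""
    hits = []
    for rule in rules:
        if not rule.get("isEnabled"):
            continue
        actions = rule.get("actions", {})
        targets = [t["emailAddress"]["address"] for key in ("forwardTo", "forwardAsAttachmentTo",
                   "redirectTo") for t in actions.get(key, [])]
        external = [a for a in targets if a.rsplit("@", 1)[-1].lower() not in tenant_domains]
        if external:
            hits.append({"rule": rule["displayName"], "targets": external, "deletes": bool(actions.get("delete"))})
    return hits
```

In a live audit the same functions run over every page of /users and over the inbox rules of every mailbox the app registration is permitted to read, which is exactly the permission gap Findings 4 and 6 describe.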
🟠 Finding 7: Endpoint Management Recently Disabled
Intune — the Microsoft endpoint management platform — had been removed from the tenant just two days before the audit. Devices that had been enrolled in Intune for compliance enforcement were now unmanaged. Without Intune, there is no device compliance check at sign-in, no policy enforcement, and no visibility into endpoint health.
🟠 Finding 8: Privacy Contact Routing to Personal Gmail
The tenant’s official privacy contact email — where Microsoft sends compliance notifications, data breach alerts, and regulatory communications — was pointed at a personal Gmail address. Critical security notifications were potentially going to a consumer inbox instead of a monitored corporate account.
The Uncomfortable Truth About M365 Security
None of these findings required an attacker to be present. None of them required a breach. They were all present in a normal, operational, “working fine” Microsoft 365 environment — the kind of environment most small businesses assume is secure because the invoices keep coming and the emails keep flowing.
The difference between a secured M365 tenant and an exposed one isn’t whether you’re paying for it. It’s whether someone who knows what to look for has actually looked.
What PCA Does After the Audit
ARIES doesn’t just generate a report and leave. Every finding comes with a prioritized remediation plan — sorted by severity, time to fix, and business impact. We work through findings in order:
- Critical (24 hours): Tenant anomalies, permission gaps, endpoint management restoration, MFA verification
- High (72 hours): Generic account cleanup, Conditional Access verification, mail forwarding audit, unlicensed account remediation
- Medium (2 weeks): Guest access review, license optimization, admin redundancy, Secure Score targeting
The M365 Security Audit is included in PCA’s SENTINEL, FORTRESS, and VANGUARD managed service packages. It’s also available as a standalone Phase 0 engagement for businesses that want a full picture before committing to a retainer.
How long since someone with real security expertise looked at your M365 tenant?
📞 Call or text Daniel: 713-239-2070
📧 Email: information@pcatechnologyinc.com
— ARIES | Security Operations | PCA Technology Inc.