2025 Microsoft 365 Security: Key Findings

Stats, trends, and surprises on tenant sprawl, Entra ID privilege creep, and configuration backups from the 2025 CoreView State of Microsoft 365 Security report.
1. Single vs. multi-tenant
2. Entra ID permissions
3. Configuration backup
4. Least privilege blockers
5. Configuration tampering
6. Zero trust

Survey summary: How IT and security leaders approach Microsoft 365

What does it take to secure and govern Microsoft 365?

The mechanics of Microsoft 365 (tenant architecture, Entra ID permissions, and over 10k config settings) have outpaced most security teams’ ability to govern them.

The survey reveals six distinct pain points:

  1. The tenant dilemma: 79% run more than one tenant to enforce segregation, but 70% admit the sprawl drives costs, operational drag, and inconsistent configurations.
  2. Entra the dragon: Global Admin head-counts are dropping (≤5 in 61% of tenants), yet 51% have 250+ Entra ID apps with read-write access—effectively recreating super-admin risk at scale.
  3. Backup blunder: Nearly half (49%) still assume Microsoft backs up tenant configurations; 72% believe “someone” will restore them after an incident. No one will.
  4. The privileged many: 89% want to remove excess admin rights, but 62% say Microsoft’s native model is too complex; politics and regional autonomy add friction.
  5. The tamper trap: Only 45% use automated tools to flag configuration tampering, despite Microsoft logging 176k tampering events in a single month.
  6. Zero assurance in Zero Trust: Attacks hit 68% of tenants weekly or more, yet 59% lack enforced MFA—leaving the door open for 99.9% of preventable compromises.

Who we surveyed

  • 269 IT and security leaders
  • 95% based in North America
  • Representing 10 industries: 19% software, 18% healthcare, 16% finance
  • 48% from organizations with 5,000+ employees
  • 45% at director level or above

Single vs. multi-tenant: 79% run multiple tenants for segregation

Least-privilege enforcement drives tenant sprawl in 2025.

The only way to truly enforce least privilege and segregation in Microsoft 365 in 2025 is to split administration across multiple tenants. This is important to organizations with “complex requirements for data and user separation, service isolation, and data residency” (Gartner).

Why so many tenants? Segregation, cost, and configuration drift

79.4% cite segregation issues as the roadblock to operating a single tenant.

It’s not that anyone wants to manage the complexity of a multi-tenant environment; they just don’t know that they have a choice. This is reflected in the survey results:

  • 70.5% of orgs report operational overload due to managing multiple tenants.
  • 60% cite excessive costs.
  • 59.5% worry about inconsistent configurations.

Organizations with 10+ tenants are 2.3 times more likely to report "significant operational overhead" than those with 2-4 tenants. After all, let’s keep in mind:

  • Each tenant has its own configuration set — 59% struggle to maintain consistency across tenants
  • Cross-tenant access in Teams and SharePoint introduces risk
  • Multi-tenant licensing increases overall costs
  • More tenants mean more administrative overhead
  • Identity and privilege sprawl is a major challenge — 54% report complex identity issues

Figure (bar chart): Responses to “How many Microsoft tenants do you manage?”

  • 78% have more than 1 tenant
  • 45% have 5 or more
  • 25% have 10 or more

Entra ID permissions: From 5 global admins to 250+ privileged apps

Global admin usage is down. Privileged Entra apps are exploding.

There’s good and bad news about privilege.

The good: Just 20% of orgs reported having 10+ global admins, with 61% having 5 or fewer – not far off Microsoft’s best-practice recommendation of “fewer than five” total in your org.

The bad news, though, is that 51% of organizations report having 250+ (!) Entra apps with read-write permissions, and of those respondents with 5 or fewer global admin accounts, 43% have more than 250 highly privileged Entra apps.

Perhaps it's time that we adopt a more holistic approach to privileged access in Microsoft 365. After all, Microsoft themselves were the unwitting victims of an attack exploiting privileged Entra apps!

High-risk Entra apps to audit first

We don’t know which read-write permissions are in use, but with just a few, an Entra app quickly becomes as powerful as a global administrator. It’s easy to see how this can be an easily exploitable, high-risk gap in your security.

Here are the worst culprits to look out for:

  • PrivilegedAccess.ReadWrite.AzureAD
  • Directory.ReadWrite.All
  • Files.ReadWrite.All
  • Group.ReadWrite.All
  • Application.ReadWrite.All
  • Mail.ReadWrite

Entra Apps create thousands of privileged access points into your tenant

Your IT admins can create Entra Apps with these privileges and set them up so they can be accessed from outside of your tenant. Best practice means enforcing strong governance to ensure new apps go through an approval process.
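
One way to turn the list above into a first-pass audit, as an added example that is not CoreView's tooling or part of the report. The inventory format, the `multi_tenant` and `approved` fields, and the scoring weights are assumptions made for illustration; the sample records are constructed.

```python
# Added example: triage an app inventory against the six permissions listed above.
# The inventory records are constructed sample data, not output from a real tenant.

HIGH_RISK = {
    "PrivilegedAccess.ReadWrite.AzureAD",
    "Directory.ReadWrite.All",
    "Files.ReadWrite.All",
    "Group.ReadWrite.All",
    "Application.ReadWrite.All",
    "Mail.ReadWrite",
}

# Constructed inventory; the field names are hypothetical.
SAMPLE_APPS = [
    {"name": "hr-sync", "multi_tenant": False, "approved": True,
     "permissions": ["User.Read.All", "Group.ReadWrite.All"]},
    {"name": "legacy-mailer", "multi_tenant": True, "approved": False,
     "permissions": ["Mail.ReadWrite", "Directory.ReadWrite.All"]},
    {"name": "report-viewer", "multi_tenant": False, "approved": True,
     "permissions": ["Reports.Read.All"]},
    {"name": "doc-archiver", "multi_tenant": True, "approved": True,
     "permissions": ["files.readwrite.all"]},  # casing differs on purpose
]

def triage(apps):
    """Return findings for apps holding a listed permission, riskiest first."""
    canonical = {p.lower(): p for p in HIGH_RISK}
    findings = []
    for app in apps:
        # Match case-insensitively and report the canonical permission name.
        held = sorted({canonical[p.lower()] for p in app.get("permissions", [])
                       if p.lower() in canonical})
        if not held:
            continue
        score = len(held)  # assumed weighting: 1 point per listed permission
        reasons = [f"holds {len(held)} listed permission(s)"]
        if app.get("multi_tenant"):
            score += 2     # assumed weight: usable from outside the tenant
            reasons.append("reachable from outside the tenant")
        if not app.get("approved"):
            score += 2     # assumed weight: never went through approval
            reasons.append("no approval record")
        findings.append({"name": app["name"], "score": score,
                         "permissions": held, "reasons": reasons})
    return sorted(findings, key=lambda f: (-f["score"], f["name"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_APPS):
        print(f["score"], f["name"], ", ".join(f["permissions"]), "|", "; ".join(f["reasons"]))
```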

The Entra App Scanner finds all apps connected to your tenant—and flags the ones that pose security risks.

Data backup vs. configuration backup for Microsoft 365

72% assume Microsoft or “someone” handles configuration restoration — they’re wrong.

True or false? Microsoft keeps your configurations backed up and will restore them after an incident.

False!

Unfortunately, 49% of survey respondents fell prey to this misconception, and 72% reported believing that Microsoft, other vendors or internal processes would handle this backup and restoration of configs. This too is false, creating big risk exposure due to the mismatch between expectation and reality.

Industry respondents did offer a glimmer of good news: 96% reported that they have their data backed up or plan to do so soon. But this is not the same as configuration backup.

The distinction is critical.

Figure (bar chart): Configuration backup breakdown

  • 49% believe that Microsoft is backing up their configurations.
  • 23% believe that their data backup vendors are covering this.
  • 18% have an internal process to back up their configurations.
  • 13% are currently not doing anything to back up their configurations.

“In a landscape where 49% of IT leaders mistakenly believe their configurations are backed up by Microsoft, and 68% of organizations are facing constant cyber threats, it’s crucial for businesses to reevaluate their security strategies. This report serves as a wake-up call, urging organizations to invest in comprehensive security tools and practices.”
Simon Azzopardi, Chief Executive Officer, CoreView

Least privilege blockers: Complexity, politics, and regional autonomy

89% want fewer admins but 62% say Microsoft 365 complexity stops them.

Microsoft recently reported that 63% of tenants they investigated fail on least privilege. But why?

At the same time, 89% of IT leaders want to remove admin accounts but can’t due to Microsoft’s complexity.

Of this 89%, respondents cite the following key blockers:

62% cite complexity and overhead:

  • 25% admin overhead of managing granular permissions
  • 23% difficult to determine which permissions are needed for specific tasks
  • 14% difficult to create custom roles with the right permissions

38% cite concern about autonomy issues and resistance:

  • 19% said regional teams need access and autonomy
  • 10% faced resistance from IT staff to removing accounts
  • 9% said political issues prevent the removal of accounts

Why Native M365 roles break least-privilege principles

According to NIST, least privilege means that each entity should be granted the minimum system resources required to perform its function.

The trouble is that Microsoft 365 was never designed with this end in mind.

When you give a user a privileged account in Microsoft 365, it carries its powerful administrative privileges across the whole tenant. For example, a SharePoint Administrator account will, by default, allow the user to manage site collections, sharing policies, storage limits, access control, and global SharePoint configuration for every user and site in the tenant.

89% of IT leaders want to remove excess admin accounts and privileges from their tenant, but face blockers.

Admin units: Helpful start, still tenant-wide gaps

Microsoft has started to invest in Administrative Units, which are designed to isolate administrative functions. However, after nearly ten years AUs only provide meaningful segmentation for Entra and some basic filtering for Teams.

Other critical workloads like Exchange, SharePoint, Intune, and others continue to be exposed to a tenant-wide blast radius.

Ultimately, this is why many large organizations feel they must maintain multiple tenants. As mentioned earlier, 79.4% of respondents told us that a lack of segregation capabilities was the main roadblock preventing them from consolidating into one tenant.

Who has global admin access—and shouldn’t?
Use the free Admin Permissions Scanner to find out.

Configuration tampering: Detect drift or monitor 10k settings

Only 45% use a configuration tool—yet Microsoft logged 176k tampering events in May 2024.

As the saying goes, you can’t fix what you don’t know – and you are not going to know what you can’t see.

This is true, too, of configurations. You can’t assume you would know whether config tampering is happening because you need to be able to detect changes across your tenant. Without this insight, config tampering can be a big blind spot, affecting not only your security but also your productivity.

Yet, a sizeable 48% of survey respondents claim little to no configuration tampering.

And, according to Microsoft’s Digital Defense Report 2024, Microsoft detected 176,000 instances of configuration tampering in May 2024, and it is not alone. Picus and Sophos X-Ops analyses also show a dramatic surge in configuration tampering since 2023.

The visibility gap: Manual audits leave 55% exposed

If 45% of respondents are using a tool to detect configuration tampering, that means 55% are doing manual audits of configurations (or find out the hard way when something has changed).

Of course, when some Microsoft 365 configurations are changed, it’s hard not to notice. A tweak of your conditional access policy may see huge portions of your business unable to log in to Microsoft services.

But others are far more subtle. Turning off Purview auditing, slightly altering a DLP policy, or opening up cross-tenant access will very likely go undetected until post-breach forensics.

You need to be able to detect changes across your tenant. There are 10,000 configuration elements in M365, and many of them (Entra, Defender, Intune, Purview, Exchange, etc.) are mission-critical to your security posture.

Without automated configuration drift detection, you’re either highly exposed—or overwhelmed with manual work.
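
A sketch of what automated drift detection does at its core, as an added example that is not CoreView's product code: compare a saved baseline against the current snapshot and surface the quiet changes described above. The setting names, values, and the list of critical prefixes are constructed placeholders, not real Microsoft 365 configuration keys.

```python
# Added example: diff a saved configuration baseline against a current snapshot.
# Setting names and values are constructed placeholders, not real Microsoft 365 keys.

BASELINE = {
    "purview": {"audit_logging_enabled": True},
    "dlp": {"policies": {"pci": {"mode": "enforce",
                                 "locations": ["exchange", "sharepoint"]}}},
    "cross_tenant_access": {"inbound_default": "blocked", "partners": []},
}
CURRENT = {
    "purview": {"audit_logging_enabled": False},            # auditing switched off
    "dlp": {"policies": {"pci": {"mode": "enforce",
                                 "locations": ["exchange"]}}},  # scope narrowed
    "cross_tenant_access": {"inbound_default": "blocked",
                            "partners": ["tenant-placeholder"]},  # access opened
    "teams": {"guest_access": True},                         # setting not in baseline
}

# Path prefixes treated as security-critical (an assumption for this example).
CRITICAL_PREFIXES = ("purview.", "dlp.", "cross_tenant_access.")

def flatten(node, prefix=""):
    """Flatten nested dicts to {dotted.path: value}; lists stay whole as leaf values."""
    if isinstance(node, dict) and node:
        out = {}
        for key, value in node.items():
            out.update(flatten(value, f"{prefix}{key}."))
        return out
    return {prefix.rstrip("."): node}

def detect_drift(baseline, current):
    """Return (severity, kind, path, old, new) tuples, ordered by path."""
    old, new = flatten(baseline), flatten(current)
    missing = object()  # sentinel so a stored None is not mistaken for "absent"
    drift = []
    for path in sorted(old.keys() | new.keys()):
        before, after = old.get(path, missing), new.get(path, missing)
        if before == after:
            continue
        kind = ("added" if before is missing
                else "removed" if after is missing else "changed")
        severity = "critical" if path.startswith(CRITICAL_PREFIXES) else "review"
        drift.append((severity, kind, path,
                      None if before is missing else before,
                      None if after is missing else after))
    return drift

if __name__ == "__main__":
    for row in detect_drift(BASELINE, CURRENT):
        print(*row)
```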

  • 79% increase in Defender configuration tampering in 2 years (Sophos X-Ops)
  • T1562 “Impair Defenses” is in the top 1% of prevalent MITRE ATT&CK techniques (Picus)
  • 176,000 incidents involving tampering of security settings in 1 month (Microsoft)

Zero trust, zero proof: MFA enforcement still lags

68% face constant attacks, but 59% lack MFA auto-enforcement.

68% have attackers trying to access Microsoft 365 every week, every day, or all the time.

This is to be expected: Microsoft 365 has all your crown jewels. Entra defines nearly ALL cloud access and privileged access, SharePoint & OneDrive control the majority of sensitive cloud data, and Exchange & Teams control all comms and emails across the business.

MFA-enrolled isn’t MFA-enforced

Despite the velocity of attacks, organizations do not have confidence that the basics are in place. Just 41% report that they have MFA rolled out and have a process of auto-enforcement.

This leaves 59% without assurance. Microsoft reports that 99.9% of account compromises happen on accounts without MFA, meaning that you can prevent 999 out of every 1,000 account attacks with MFA.

Figure (donut chart): Only 41% of survey respondents have MFA enabled with auto enforcement.

Close your Microsoft 365 security gaps with CoreView

Microsoft 365 security comes with plenty of pitfalls and pain points. CoreView helps relieve the pain—closing the gaps traditional security tools miss.

CoreView delivers a complete suite of security and tenant resilience solutions that address your most pressing Microsoft 365 challenges—including complex tenant management, Entra overpermissioning, configuration drift, least privilege enforcement, and zero trust. With CoreView, you can:

  • Tame complex tenant management—maintain multiple tenants or merge into a single one without sacrificing security or productivity. Gain multi-tenant consistency, granular delegation for “just enough” access, automation, and resilience to attacks.
  • Gain visibility, access control, and threat monitoring for Entra apps to close the attack surface, reduce exposure, detect risks and drift, and auto-remediate threats.
  • Restore baseline configurations after incidents to prevent downtime and eliminate error-prone manual effort.
  • Segment your tenant and create custom roles aligned to least privilege principles to minimize privilege exposure.
  • Monitor for configuration drift across your tenant, detect vulnerabilities, and easily roll back to a secure state.

CoreView brings your security perception in line with security reality—even in the most complex enterprise environments.
