The mechanics of Microsoft 365 (tenant architecture, Entra ID permissions, and over 10k config settings) have outpaced most security teams’ ability to govern them.
The survey reveals six distinct pain points:
The only way to truly enforce least privilege and segregation in Microsoft 365 in 2025 is to split administration across multiple tenants. This is important to organizations with “complex requirements for data and user separation, service isolation, and data residency” (Gartner).
79.4% cite segregation issues as the roadblock to operating a single tenant.
It’s not that anyone wants to manage the complexity of a multi-tenant environment; they just don’t know that they have a choice. This is reflected in the survey results:
of orgs report operational overload due to managing multiple tenants.
cite excessive costs.
worry about inconsistent configurations.
Organizations with 10+ tenants are 2.3 times more likely to report "significant operational overhead" than those with 2-4 tenants. After all, let’s keep in mind:
There’s good and bad news about privilege.
The good: Just 20% of orgs reported having 10+ global admins, with 61% having 5 or fewer – not far off Microsoft’s best-practice recommendation of “fewer than five” total in your org.
The bad news, though, is that
of organizations report having 250+ (!) Entra apps with read-write permissions, and of those respondents with 5 or fewer global admin accounts.
have more than 250 highly privileged Entra apps.
Perhaps it's time that we adopt a more holistic approach to privileged access in Microsoft 365. After all, Microsoft themselves were the unwitting victims of an attack exploiting privileged Entra apps!
We don’t know which read-write permissions are in use, but with just a few of them an Entra app quickly becomes as powerful as a global administrator, which makes this an easily exploitable, high-risk gap in your security.
Here are the worst culprits to look out for:
Your IT admins can create Entra apps with these privileges and configure them so they can be accessed from outside your tenant. Best practice is strong governance that ensures every new app goes through an approval process.
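The triage described above, as an added example that is not part of the original report or CoreView’s tooling. The records are constructed sample data: a simplified view of what you would assemble from Get-MgApplication and Get-MgServicePrincipalAppRoleAssignment, with the Graph application-permission values already resolved from their appRoleIds.

```python
"""Triage Entra app registrations by their granted application permissions.
Constructed sample data; the record layout is an assumption, not a Graph export."""
from dataclasses import dataclass

# Constructed sample: one record per app. "AzureADMyOrg" means single-tenant;
# any other signInAudience means the app can be consented to from other tenants,
# i.e. it is reachable from outside your tenant.
SAMPLE_APPS = [
    {"displayName": "HR Sync", "signInAudience": "AzureADMyOrg",
     "appPermissions": ["User.Read.All", "Group.Read.All"]},
    {"displayName": "Mailbox Archiver", "signInAudience": "AzureADMultipleOrgs",
     "appPermissions": ["Mail.ReadWrite", "Directory.ReadWrite.All"]},
    {"displayName": "Ticketing Bot", "signInAudience": "AzureADMyOrg",
     "appPermissions": ["Sites.ReadWrite.All"]},
]


@dataclass
class Finding:
    app: str
    write_permissions: tuple
    multi_tenant: bool
    severity: str


def is_write_permission(value: str) -> bool:
    """Application permissions run without a signed-in user, so a write
    permission covers every object of that type in the tenant."""
    return "ReadWrite" in value


def rate(app: dict) -> Finding:
    """Rate one app: write access alone is high; write access on an app that
    can be reached from outside the tenant is critical."""
    writes = tuple(p for p in app["appPermissions"] if is_write_permission(p))
    multi = app["signInAudience"] != "AzureADMyOrg"
    if not writes:
        sev = "low"
    elif multi:
        sev = "critical"
    else:
        sev = "high"
    return Finding(app["displayName"], writes, multi, sev)


def audit_apps(apps) -> list:
    """Most dangerous apps first, so the governance review starts at the top."""
    order = {"critical": 0, "high": 1, "low": 2}
    return sorted((rate(a) for a in apps), key=lambda f: (order[f.severity], f.app))
```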
True or false? Microsoft keeps your configurations backed up and will restore them after an incident.
False!
Unfortunately, 49% of survey respondents fell prey to this misconception, and 72% reported believing that Microsoft, other vendors or internal processes would handle this backup and restoration of configs. This too is false, and the mismatch between expectation and reality creates significant risk exposure.
Industry respondents did offer a glimmer of good news:
reported that they have their data backed up or plan to do so soon – this is not the same as configuration backup.
The distinction is critical.
Microsoft recently reported that 63% of tenants they investigated fail on least privilege. But why?
At the same time, 89% of IT leaders want to remove admin accounts but can’t due to Microsoft’s complexity.
Of this 89%, the following proportions cite these key blockers:
cite complexity and overhead
cite concern about autonomy issues and resistance
According to NIST, least privilege means that each entity should be granted the minimum system resources required to perform its function.
The trouble is that Microsoft 365 was never designed with this end in mind.
When you give a user a privileged account in Microsoft 365, it carries its powerful administrative privileges across the whole tenant. For example, a SharePoint Administrator account will, by default, allow the user to manage site collections, sharing policies, storage limits, access control, and global SharePoint configuration for every user and site in the tenant.
Microsoft has started to invest in Administrative Units, which are designed to isolate administrative functions. However, after nearly ten years, AUs only provide meaningful segmentation for Entra and some basic filtering for Teams.
Other critical workloads like Exchange, SharePoint, Intune, and others continue to be exposed to a tenant-wide blast radius.
Ultimately, this is why many large organizations feel they must maintain multiple tenants. As mentioned earlier, 79.4% of respondents told us that a lack of segregation capabilities was the main roadblock preventing them from consolidating into one tenant.
As the saying goes, you can’t fix what you don’t know – and you are not going to know what you can’t see.
This is true, too, of configurations. You can’t assume you would notice config tampering; you need to be able to detect changes across your tenant. Without this insight, config tampering can be a big blind spot, affecting not only your security but also your productivity.
Yet, a sizeable
of survey respondents claim little to no configuration tampering.
According to Microsoft’s Digital Defense Report 2024, Microsoft detected 176,000 instances of configuration tampering in May 2024, and Microsoft is not alone: Picus and Sophos X-Ops analyses also show a dramatic surge in configuration tampering since 2023.
If 45% of respondents are using a tool to detect configuration tampering, that means 55% are doing manual audits of configurations (or find out the hard way when something has changed).
Of course, when some Microsoft 365 configurations are changed, it’s hard not to notice. A tweak of your conditional access policy may see huge portions of your business unable to log in to Microsoft services.
But others are far more subtle. Turning off Purview auditing, slightly altering a DLP policy, or opening up cross-tenant access will very likely go undetected until post-breach forensics.
You need to be able to detect changes across your tenant. There are 10,000 configuration elements in M365, and many of them (Entra, Defender, Intune, Purview, Exchange, etc.) are mission-critical to your security posture.
Without automated configuration drift detection, you’re either highly exposed—or overwhelmed with manual work.
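The drift detection described above, as an added example that is not part of the original report or any vendor product. The two snapshots are constructed sample data in an assumed nested layout, not a Microsoft export format; the severity map is an assumption that ranks the subtle changes the text names (auditing, DLP, cross-tenant access) above cosmetic ones.

```python
"""Detect configuration drift between a baseline tenant snapshot and the
current one. Constructed sample snapshots; the layout is an assumption."""

# Constructed baseline: what the tenant looked like at the last review.
BASELINE = {
    "purview": {"auditing": {"enabled": True}},
    "dlp": {"policies": {"Finance-PII": {"mode": "Enforce", "scope": "Exchange,SharePoint"}}},
    "crossTenant": {"default": {"inboundAllowed": False, "trustMfaFromPartners": False}},
    "conditionalAccess": {"require-mfa-all-users": {"state": "enabled"}},
    "branding": {"bannerText": "Contoso"},
}

# Constructed current snapshot: three subtle security-relevant edits plus one cosmetic one.
CURRENT = {
    "purview": {"auditing": {"enabled": False}},
    "dlp": {"policies": {"Finance-PII": {"mode": "Audit", "scope": "Exchange,SharePoint"}}},
    "crossTenant": {"default": {"inboundAllowed": True, "trustMfaFromPartners": False}},
    "conditionalAccess": {"require-mfa-all-users": {"state": "enabled"}},
    "branding": {"bannerText": "Contoso Ltd"},
}

# Assumed severity by dotted-path prefix; anything unlisted is informational.
CRITICAL_PREFIXES = ("purview.auditing", "crossTenant", "conditionalAccess")
HIGH_PREFIXES = ("dlp.",)
RANK = {"critical": 0, "high": 1, "info": 2}


def flatten(cfg: dict, prefix: str = "") -> dict:
    """Turn nested dicts into {"a.b.c": value} so every setting has one comparable path."""
    out = {}
    for key, value in cfg.items():
        path = f"{prefix}.{key}" if prefix else key
        out.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return out


def severity(path: str) -> str:
    if path.startswith(CRITICAL_PREFIXES):
        return "critical"
    return "high" if path.startswith(HIGH_PREFIXES) else "info"


def detect_drift(baseline: dict, current: dict) -> list:
    """One record per changed, added or removed setting, most severe first."""
    before, after = flatten(baseline), flatten(current)
    changes = []
    for path in before.keys() | after.keys():
        if path in before and path in after and before[path] == after[path]:
            continue  # unchanged: no drift
        kind = "changed" if path in before and path in after else ("removed" if path in before else "added")
        changes.append({"path": path, "kind": kind, "before": before.get(path),
                        "after": after.get(path), "severity": severity(path)})
    return sorted(changes, key=lambda c: (RANK[c["severity"]], c["path"]))
```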
have attackers trying to access Microsoft 365 every week, every day, or all the time.
This is to be expected: Microsoft 365 holds all your crown jewels. Entra defines nearly ALL cloud access and privileged access, SharePoint and OneDrive hold the majority of sensitive cloud data, and Exchange and Teams carry all comms and emails across the business.
Despite the velocity of attacks, organizations do not have confidence that the basics are in place. Just 41% report that they have MFA rolled out and have a process of auto-enforcement.
This leaves 59% without assurance. Microsoft reports that 99.9% of account compromises happen on accounts without MFA, meaning that you can prevent 999 out of every 1,000 account attacks with MFA.
CoreView delivers a complete suite of security and tenant resilience solutions that address your most pressing Microsoft 365 challenges—including complex tenant management, Entra overpermissioning, configuration drift, least privilege enforcement, and zero trust. With CoreView, you can:
CoreView brings your security perception in line with security reality—even in the most complex enterprise environments.