2025 Microsoft 365 Security: Key Findings

The mechanics of Microsoft 365 (tenant architecture, Entra ID permissions, and over 10k config settings) have outpaced most security teams’ ability to govern them.

The survey reveals six distinct pain points:

1. The tenant dilemma: 79% run more than one tenant to enforce segregation, but 70% admit the sprawl drives costs, operational drag, and inconsistent configurations.
2. Entra the dragon: Global Admin head-counts are dropping (≤5 in 61 % of tenants), yet 51% have 250+ Entra ID apps with read-write access—effectively recreating super-admin risk at scale.
3. Backup blunder: Nearly half (49%) still assume Microsoft backs up tenant configurations; 72% believe “someone” will restore them after an incident. No one will.
4. The privileged many: 89% want to remove excess admin rights, but 62% say Microsoft’s native model is too complex; politics and regional autonomy add friction.
5. The tamper trap: Only 45% use automated tools to flag configuration tampering, despite Microsoft logging 176k tampering events in a single month.
6. Zero assurance in Zero Trust: Attacks hit 68% of tenants weekly or more, yet 59% lack enforced MFA—leaving the door open for 99.9% of preventable compromises.

The only way to truly enforce least privilege and segregation in Microsoft 365 in 2025 is to split administration across multiple tenants. This is important to organizations with “complex requirements for data and user separation, service isolation, and data residency” (Gartner).

Why so many tenants? Segregation, cost, and configuration drift

79.4% cite segregation issues as the roadblock to operating a single tenant.

It’s not that anyone wants to manage the complexity of a multi-tenant environment; they just don’t know that they have a choice. This is reflected in the survey results:

Organizations with 10+ tenants are 2.3 times more likely to report "significant operational overhead" than those with 2-4 tenants. After all, let’s keep in mind:

• Each tenant has its own configuration set — 59% struggle to maintain consistency across tenants
• Cross-tenant access in Teams and SharePoint introduces risk
• Multi-tenant licensing increases overall costs
• More tenants mean more administrative overhead
• Identity and privilege sprawl is a major challenge — 54% report complex identity issues

Responses to “How many Microsoft tenants do you manage?”

78% have more than 1 tenant

45% have 5 or more

25% have 10 or more

There’s good and bad news about privilege.

The good: Just 20% of orgs reported having 10+ global admins, with 61% having 5 or fewer – not far off Microsoft’s best-practice recommendation of “fewer than five” total in your org.

The bad news, though, is that

Perhaps it's time that we adopt a more holistic approach to privileged access in Microsoft 365. After all, Microsoft themselves were the unwitting victims of an attack exploiting privileged Entra apps!

High-risk Entra apps to audit first

We don’t know which read-write permissions are in use, but with just a few, an Entra app quickly becomes as powerful as a global administrator. It’s easy to see how this can be an easily exploitable, high-risk gap in your security.

Here are the worst culprits to look out for:

• PrivilegedAccess.ReadWrite.AzureAD
• Directory.ReadWrite.All
• Files.ReadWrite.All
• Group.ReadWrite.All
• Application.ReadWrite.All
• Mail.ReadWrite

Entra Apps create thousands of privileged access points into your tenant

Your IT admins can create Entra Apps with these privileges and set them up so they can be accessed from outside of your tenant. Best practice means enforcing strong governance to ensure new apps go through an approval process.

The Entra App Scanner finds all apps connected to your tenant—and flags the ones that pose security risks.

Access free tool

True or false? Microsoft keeps your configurations backed up and will restore them after an incident.

False!

Unfortunately, 49% of survey respondents fell prey to this misconception, and 72% reported believing that Microsoft, other vendors or internal processes would handle this backup and restoration of configs. This too is false, creating big risk exposure due to the mismatch between expectation and reality.

While industry respondents did offer a glimmer of good news:

The distinction is critical.

49%

Believe that Microsoft is backing up their configurations.

23%

Believe that their data backup vendors are covering this.

18%

Have an internal process to backup their configurations.

13%

Are currently not doing anything to backup their configurations.

Microsoft recently reported that 63% of tenants they investigated fail on least privilege. But why?

At the same time, 89% of IT leaders want to remove admin accounts but can’t due to Microsoft’s complexity.

Of this 89% the following cite these as key blockers:

• 25% admin overhead of managing granular permissions
• 23% difficult to determine which permissions are needed for specific tasks
• 14% difficult to create custom roles with the right permissions

• 19% said regional teams need access and autonomy
• 10% faced resistance from IT staff to removing accounts
• 9% said political issues prevent the removal of accounts

Why Native M365 roles break least-privilege principles

According to NIST, least privilege means that each entity should be granted the minimum system resources required to perform its function.

The trouble is that Microsoft 365 was never designed with this end in mind.

When you give a user a privileged account in Microsoft 365, it carries its powerful administrative privileges across the whole tenant. For example, a SharePoint Administrator account will, by default, allow the user to manage site collections, sharing policies, storage limits, access control, and global SharePoint configuration for every user and site in the tenant.

Admin units: Helpful start, still tenant-wide gaps

Microsoft has started to invest in Administrative Units, which are designed to isolate administrative functions. However, after nearly ten years AUs only provide meaningful segmentation for Entra and some basic filtering for Teams.

Other critical workloads like Exchange, SharePoint, Intune, and others continue to be exposed to a tenant-wide blast radius.

Ultimately, this is why many large organizations feel they must maintain multiple tenants. As mentioned earlier, 79.4% of respondents told us that a lack of segregation capabilities was the main roadblock preventing them from consolidating into one tenant.

Who has global admin access—and shouldn’t?

Use the free Admin Permissions Scanner to find out.

Access free tool

As the saying goes, you can’t fix what you don’t know – and you are not going to know what you can’t see.

This is true, too, of configurations. You can’t assume you would know whether config tampering is happening because you need to be able to detect changes across your tenant. Without this insight, config tampering can be a big blind spot, affecting not only your security but also your productivity.

Yet, a sizeable

And, according to Microsoft’s Digital Defense Report 2024, they detected 176,000 instances of configuration tampering in May 2024, and they are not alone. Picus & Sophos X-Ops analyses also show a dramatic surge in configuration tampering since 2023.

The visibility gap: Manual audits leave 55% exposed

If 45% of respondents are using a tool to detect configuration tampering, that means 55% are doing manual audits of configurations (or find out the hard way when something has changed).

Of course, when some configurations Microsoft 365 are changed, it’s hard not to notice. A tweak of your conditional access policy may see huge portions of your business unable to log in to Microsoft services.

But others are far more subtle. Turning off Purview auditing, slightly altering a DLP policy, or opening up cross-tenant access will very likely go undetected until post-breach forensics.

You need to be able to detect changes across your tenant. There are 10,000 configuration elements in M365, and many of them (Entra, Defender, Intune, Purview, Exchange, etc.) are mission-critical to your security posture.

Without automated configuration drift detection, you’re either highly exposed—or overwhelmed with manual work.

This is to be expected, Microsoft 365 has all your crown jewels: Entra defines nearly ALL cloud access and privileged access, SharePoint & OneDrive control the majority of sensitive cloud data, and Exchange & Teams control all comms and emails across the business.

MFA-enrolled isn’t MFA-enforced

Despite the velocity of attacks, organizations do not have confidence that the basics are in place. Just 41% report that they have MFA rolled out and have a process of auto-enforcement.

This leaves 59% without assurance. Microsoft report that 99.9% of account compromises happen on accounts without MFA, meaning that you can prevent 999 out of every 1000 account attacks with MFA.

Only 41% of survey respondents have MFA enabled with auto enforcement.ir tenant, but face blockers.