We have pulled anonymous data to see what’s trending now, what people are still struggling with, and where to find the most common problems. In total, we analyzed 1.6 million Microsoft 365 users across a variety of industries. 

On average, the companies we studied had:

  • 40,736 employees and ranged from 1,000 up to nearly 400,000 users
  • 30% of these users were in the Private Sector
  • 28% from State and Local Government
  • 27% from Education (including both K-12 and Higher Education)
  • 15% from Healthcare

CoreView creates a unified control interface for everything that admins do inside Microsoft 365. And as part of that, we aggregate up every piece of data from inside your Microsoft 365 tenant. 

Today, we are going to give you a peek under the hood of what the average Microsoft tenant is dealing with.

We've broken our findings into these key elements: 

  • Microsoft governance and security gaps
  • License optimization and usage of your Microsoft 365 licenses

Common Microsoft 365 Security Issues

Security is top of mind for every IT professional and its top of mind for us and all of our customers. 

Microsoft 365 Passwords

Did you know? 

  • 10% of companies have thousands of users without a strong password requirement
  • 90% have at least one user without a password expiration policy in place; 32% have more than ten users without one.
  • Overall, 2.26% of users don’t have a password expiration policy – for a total of 36,780 users. This represents an average of more than 900 users in each organization we studied.

We're talking about thousands of users that have weak passwords because there's no strong password requirement in place. We all know that if you give users the option to use passwords like "password", they unfortunately still reign supreme. 

Password Expiration 

90% of companies have at least one user without a password expiration policy in place. And almost a third have 10 or more users without that password expiration policy in place. 

When you zoom out and look across all 1.6 million company users that we analyzed about one in 45 users. So a little more than 2% don't have any password expiration at all. 

But, there are arguments on both sides of should password expiration be the case, or whether should I just use a password that's 50 characters long and lock it in a vault, and never change it. 

The reality is that most people are not using a password that's 50 characters long with all the right capital and lower lowercase and numbers. And so changing it often is still a good idea. 

Multi-factor Authentication

What a pain, right? Anytime you do anything, you've got to grab your phone and open an app and type a key and get a text. 

Especially if you're an admin because you know how to keep your password secure. You know what we're doing...right?

Boy, what a mistake that is. 

And I'm sure if you are an admin without multi-factored switched on are groaning right now because that's exactly the case. 

When we looked at the data on this:

  • 22% of companies - a little over a fifth - did not have any kind of multifactor authentication for a third of their users.

But what's worse is when admins are the ones without MFA enabled. Almost 90% of companies have MSA disabled for some or all of their admins. That's a huge number. 

And we all know the reason why there's an admin, that there's an admin account that we share. And we don't all have the same phone or there's an admin account that is required to log in through a legacy system again. But these are things that we need to be aware of, especially as senior IT professionals.

42% of Microsoft admins have MFA disabled. So it's not just one or two admins. Now we're talking about one out of three admins at your company do not have MFA enabled and that happens 40% of the time. So again, really surprising numbers given how important we all know multifactor authentication is.

So what does this mean? There are a few things that it can mean like multifactor authentication is not enabled at the user level. 

Because we're using conditional access and every time somebody goes through conditional access, multifactor is triggered I'm safe, right?

Not really. 

There was a recent string of attacks from the Russian group called Cozy Bear. Their attack mode was to enroll users in MFA that were not already enrolled in MFA. 

I'm a user. I always log in through conditional access via conditional access. I always use MFA.

However, my basic Microsoft 365 account is not enrolled. Somebody in Russia can enroll their cell phone in Russia as my MFA token. 

And now they're logging into Microsoft 365, not through conditional access, just through my standard admin account. 

And they're able to get away with murder because I'm an admin and that's why admin roles are the most critical. 88% of attacks are initiated through an elevated privilege account. 

Strong passwords and multifactor authentication are the perfect pair. These are just two of the policies that everybody knows that everybody should have in place. And we've seen the data that says they're not in place as much as you would think. And even when they are in place in general, they're not in a place where it counts.

Email Protection Against Malware

Email's great for collaboration. But it's also great for malware and data loss.

Email Security

When we talk about that one user that had a password that wasn't strong, that didn't have MFA enabled and they downloaded the smiley pack. And now they're blasting email that is malware out of your company domain. Maybe if you're not getting hacked, but this is a huge repetitional risk. Maybe your data is relatively safe depending on the privileges of that one user.

Security Stats with Microsoft Email

  • 25% of companies we analyzed had at least one email containing malware sent from their domain within seven days of us starting that health check
  • 10% of companies had 25 of those emails in those seven days. So 
  • 90% of companies are seeking data, and exit their organization to an external address all the time.
  • 87% of companies have some kind of auto-forwarding going on of those 72% of companies.

Failed logins

We all know the world is full of hackers. They're coming from every country at every email all the time. That's why the good guys have to win all the time. The bad guys only have to win once, but which gate are they coming in at? And how do we know? And what do we do as a result?

140,000 failed logins per company per week across this data set. 

Considering the average company in the cohort was 40,000 employees. So that's three and a half failed logins per user, per week. 

5% of those companies were experiencing a million logins per week.

And within those companies, those million failed logins were not evenly distributed across their employees. They're targeting specific users. 

And the question for IT professionals are:

  • Do you know who? 
  • Where are they coming from? 
  • Why them? 

Especially when we have old passwords, weak passwords, MFA, not enrolled, malware's not being blocked forward and it's allowed, this could be a huge problem. And so being able to quickly snap onto the visibility means that you can look for hotspots. You can track where hackers are hacking. You can look at where hackers are coming from so that you can harden different security parameters and policies that you have in place. You can encourage certain users without strong passwords or without MFA enrollment to go ahead and get that done.

Microsoft License Optimization Opportunities

As organizations grow through acquisition and natural growth we see a tremendous amount of fragmentation and then things start to get lost. 

So what are we talking about? Why do this in the first place? Well, we can all agree that the best case scenario is that you're paying for what you need and that you're using what you pay. Pretty straightforward is a good way to be responsible stewards of our organization's limited resources when it comes to investing in what's frankly really amazing collaboration, security, and identity software.

If we have unused licenses sitting on the shelf, we don't want to upgrade licenses that haven't been used for a year and a half. We want to figure out where people are using the tools that we've paid for and drive adoption, and where they aren't using them so that we can get the full value of the subscription that we've paid for.

And when you renegotiate with Microsoft, whether that's in an annual true-up or an EA renegotiation, or you're talking to your CSP to get a better sense of how many licenses you need, you just wanna know all the facts and know all the facts is a real challenge. 

Customers that we've talked to tell us that it can take you to know, certainly hours, usually weeks, possibly months to do the work that's required to know all the facts about what your usage is.

And guess what happens by the time you've finished a month-long project about knowing all the usage everything's changed. So how do we figure that out in real-time? And what are the opportunities that exist? 

Microsoft License Stats

  • Our average company has about 40,000 users and the average company also has about 60,000 licenses
  • 1/3 of licenses are unused on average

Now, if you think about the average cost of a license, Assuming you have some Fs, some E3s, and E5s. That average cost is gonna be three to $400 per year per license. So we're talking about one in six folks having three to 4 million sitting on the shelf of licenses and one in 10 folks having three to 4 million.

Unused, probably being wasted. And that is real money that you can deploy elsewhere to forward push the business forward. And that's really what we want to help our clients understand where can we do that? 

That's one of the great things about what CoreView does is we can create a central authority, or we can delegate autonomy a bit to where it's needed. So we can create license pools that say, Hey you can add and remove licenses as you need them, but we are gonna put together a dashboard of who's not using licenses, be at the bottom of that list.

And the main thing is you wanna keep this clean so that you can negotiate with all the facts, whether you're negotiating with other department leaders, your boss, the finance department, or Microsoft. Always good to have the facts on your side. Whoever's got the most data usually wins. 

Ready to Conquer Microsoft 365?

Request a Demo