Is Your Microsoft Tenancy in a Mess?

A poorly managed Microsoft 365 estate could be costing your business…

By Pete Marsden

Tuesday 17th November, 2021

Microsoft 365 makes it easy to manage your entire organisation’s access to Microsoft services and applications, giving your chosen administrators complete control over what staff can access, and how they interact with business data and files.  

However, whilst this level of control is fantastic for businesses looking to take the next step towards cloud-based working, a poorly configured Microsoft 365 tenancy could be costing your business money, presenting an unprofessional image, and even adding extra workload to your teams! 

Working in partnership with many small businesses across the UK, I have seen countless examples of poorly managed Microsoft 365 estates actually making life harder for IT teams, rather than easier…

From out-of-control mailboxes, to losing track of users, if left unmanaged your M365 tenancy can impact on productivity and even leave you vulnerable to common mistakes, such as:

Opening The Door to Hackers

With a poorly configured Administrator account

One of the most common mistakes made by small business owners is setting themselves up as an administrator on their Microsoft 365 tenancy, and leaving a mailbox attached. Whilst I completely understand that this may seem the convenient and logical step, with only one set of account details needed to control everything, this is actually a risky move.  

Before I explain why, let me ask a simple question: 

Would you exit your house and leave your door wide open?

Of course not! So why would you set a user with a mailbox attached as an M365 administrator? If this mailbox becomes compromised in any way, whoever accesses this account will have control of your entire estate. They can set up fake mailboxes, put redirection rules on your emails and more, all without you knowing about it.
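The changes described above can be checked for from Exchange Online PowerShell. This is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, that the account running it can read every mailbox, and that a 30-day window is a sensible definition of a "recent" mailbox.

```powershell
# Added example: look for mail forwarding, redirecting inbox rules and new mailboxes.
# Assumption: ExchangeOnlineManagement is installed and you sign in with an
# account that is allowed to read all mailboxes and their inbox rules.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Forwarding configured on the mailbox object itself.
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect messages to another recipient.
$ruleFindings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Mailboxes created in the last 30 days (assumed window) that nobody remembers requesting.
$cutoff = (Get-Date).AddDays(-30)
$recentMailboxes = $mailboxes |
    Where-Object { $_.WhenCreated -gt $cutoff } |
    Select-Object UserPrincipalName, RecipientTypeDetails, WhenCreated

'--- Mailbox-level forwarding ---';       $mailboxForwarding | Format-Table -AutoSize
'--- Forwarding / redirecting rules ---'; $ruleFindings      | Format-Table -AutoSize
'--- Recently created mailboxes ---';     $recentMailboxes   | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Every row needs an owner who can explain it; a forwarding target outside your own domains that nobody recognises is the case to investigate first.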

In the past few weeks, I have spoken to several businesses this has happened to, and they have been left fighting for hundreds of thousands of pounds due to emails being redirected and doctored. Remember… 

Locking Your Door

Don’t panic – there is an easy first step you can take to protect your mailbox!

Simply create a separate account with a ‘.onmicrosoft.com’ suffix (the default M365 domain), set this as an administrator and generate a secure password using a password generator.

Finally, store this password in a password vault and remove the admin privileges from your own everyday account to give it an immediate extra layer of protection. Whilst this is a simple fix, your business will not be fully protected without a comprehensive email security system in place. Let me know if you need any support with this.
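To confirm the result, the following added example (not from the original article) lists every Global Administrator and flags any that still has a mail address or licence, or that is not on the default domain. It assumes the Microsoft Graph PowerShell module and an account permitted to read directory roles and users.

```powershell
# Added example: audit Global Administrators for mail-enabled or licensed accounts.
# Assumption: the Microsoft.Graph module is installed and you can consent to the scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All'

# Well-known template ID of the built-in Global Administrator role.
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'
$role = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $globalAdminTemplateId
if (-not $role) { throw 'Global Administrator role was not found in this tenant.' }

$report = foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
    # Role members can also be groups or service principals; only users are checked here.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id `
        -Property UserPrincipalName, Mail, AssignedLicenses, AccountEnabled

    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        Enabled           = $user.AccountEnabled
        HasMailAddress    = [bool]$user.Mail
        LicenceCount      = @($user.AssignedLicenses).Count
        OnDefaultDomain   = $user.UserPrincipalName -like '*.onmicrosoft.com'
    }
}

# An admin account needs review if it can receive mail, holds a licence,
# or does not sit on the default .onmicrosoft.com domain.
$report |
    Select-Object *, @{ n = 'NeedsReview'; e = {
        $_.HasMailAddress -or $_.LicenceCount -gt 0 -or -not $_.OnDefaultDomain } } |
    Sort-Object NeedsReview -Descending |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```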

Losing Track of Your Users

Unused accounts could be costing you money and opportunities

Given the amount of time and attention required to run a small business, keeping track of your Microsoft 365 licences can understandably often be a lower priority for administrators. However, it certainly should not be.

What if I told you that I recently spoke with a small business that had 28 unused email accounts? Those 28 Business Premium accounts were all costing the business close to £400 each month, and were offering nothing in return! 

This is something I see time and time again when speaking to busy organisations. Through everyday changes such as staff turnover, internal restructuring and role adjustments, unused accounts can easily be overlooked. Before you know it, a large number of ‘dead’ accounts can be accumulated.

Proactively Manage Your Estate

Included in all of our IT Support contracts, our teams complete quarterly reviews of your IT infrastructure, including your Microsoft 365 tenancy.

As part of these meetings, we set aside 10 minutes to verify all of your existing M365 licences, to ensure your business is not being charged unnecessarily, and that you only pay for the licences you need – no more, no less.  

Check in with your IT provider, to ensure you’re getting the visibility you need.

Accidental Data Deletion

Hastily deleting a user could cost your business at a later date

It is common practice for most IT administrators to delete old users’ Microsoft 365 accounts as soon as they leave the business. After all, they no longer need access to their account, and your customers will be redirected elsewhere. However, in doing so administrators may inadvertently be losing access to crucial emails that need to be referenced at a later date.  

Rather than going for the ‘nuclear’ option, implementing a few simple steps before deleting the user can help preserve those vital emails, making it far easier for the staff member taking over to meet your customers’ needs. 

Implement New Processes Before Deleting

One solution I would suggest for this problem is to take advantage of the fact that Microsoft 365 does not require shared mailboxes to be licensed. By converting the former employee’s mailbox to a shared mailbox, your business can retain access to the content within whenever you need it, meaning that 4 years down the line, you have the ability to locate that all-important email!

I also recommend that an automatic forward and ‘Out of Office’ is set up for the account in question, to ensure that no important emails are missed, and that your customers know who they can get in touch with moving forward.  
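The offboarding steps above, written out as an added example in Exchange Online PowerShell (not part of the original article). The two addresses and the reply text are placeholders, and granting the successor Full Access is an assumption about how the mailbox will be read afterwards.

```powershell
# Added example: keep a leaver's mail by converting the mailbox instead of deleting it.
# Assumption: ExchangeOnlineManagement is installed; both addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$leaver    = 'leaver@example.com'      # placeholder
$successor = 'successor@example.com'   # placeholder

# 1. Convert to a shared mailbox while the licence is still assigned.
Set-Mailbox -Identity $leaver -Type Shared

# 2. Keep a copy in the shared mailbox and forward new mail to the successor.
Set-Mailbox -Identity $leaver -ForwardingAddress $successor -DeliverToMailboxAndForward $true

# 3. 'Out of Office' reply for internal and external senders.
$message = "This mailbox is no longer monitored by its previous owner. Please contact $successor."
Set-MailboxAutoReplyConfiguration -Identity $leaver -AutoReplyState Enabled `
    -InternalMessage $message -ExternalMessage $message -ExternalAudience All

# 4. Let the successor open the old mailbox (assumed access model).
Add-MailboxPermission -Identity $leaver -User $successor `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# 5. Verify before the licence is removed.
Get-Mailbox -Identity $leaver |
    Select-Object UserPrincipalName, RecipientTypeDetails, ForwardingAddress,
                  DeliverToMailboxAndForward
Get-MailboxAutoReplyConfiguration -Identity $leaver |
    Select-Object AutoReplyState, ExternalAudience

Disconnect-ExchangeOnline -Confirm:$false
```

A shared mailbox still belongs to a user object, so deleting that user removes the mailbox as well. Once step 5 shows `SharedMailbox`, remove the licence and block sign-in for the account rather than deleting it.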

Not Backing Up Your Microsoft 365 Data

Without a separate backup solution in place, your files are NOT protected!

When discussing Microsoft 365 with businesses, one of the facts that shocks most of our customers is that their data is NOT automatically backed up! In fact, if you review Microsoft’s terms of service, you will find that they only offer 30-day retention for deleted emails, and 14 days for deleted SharePoint data!

What if you need data that was deleted 6 months ago? Or, what if your data becomes encrypted through a malicious attack? To ensure your Microsoft 365 data remains protected, you need a separate solution. 

Install a Backup and Disaster Recovery Solution

Our recommendation for businesses looking to back up their Microsoft 365 data is Datto SaaS Protection. This solution doesn’t just back up your data, it goes one step further – offering true disaster recovery! In a traditional backup solution, recovering your data is only the first piece of the puzzle. Restoring this data to machines across your network can prove incredibly time consuming, and as we all know, time is money.

In the case of a data loss or malicious attack, Datto SaaS Protection can quickly spin up a saved backup, restoring both your user and hardware data within minutes, rather than hours or days. This ensures your business can quickly get back up and running, with as little interruption to business activities as possible. SaaS Protection can also target files on an individual level, making it easy to track down that lost email or file, and restore it to the user. 

To learn more about Datto SaaS Protection, check out our recent blog here:  

Not Using Multi-Factor Authentication

Multi-Factor Authentication is now a MUST for all businesses

What is Multi-Factor Authentication? Multi-Factor Authentication, or MFA for short, adds an extra level of protection to any login attempts made by a user. For example, you can ask users to authenticate their logins via a six-digit code sent directly to their work phone.

Due to the sharp increase in phishing and malware attacks during the COVID-19 pandemic, Microsoft now require all new accounts to set up MFA. However, if your business is using older accounts, or if you only access your emails through Outlook, you may not have already enabled this for your teams.  

Turn It On!

I cannot urge this strongly enough – you MUST use Multi-Factor Authentication wherever possible. Not just relevant for Microsoft accounts, MFA can also be used with popular services such as Netflix, Amazon and Facebook, and is THE biggest weapon against account takeover. Simply involving this second level of authentication dramatically reduces the risk to your business, and makes your accounts inherently safer and more secure.
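To see where a tenant stands before turning MFA on everywhere, this added example (not from the original article) reports which accounts have registered an MFA method, listing administrators first. It assumes the Microsoft Graph PowerShell reports module and consent for the `AuditLog.Read.All` scope.

```powershell
# Added example: report accounts that have no MFA method registered.
# Assumption: the Microsoft.Graph.Reports module is installed and the signed-in
# account can consent to AuditLog.Read.All.
Connect-MgGraph -Scopes 'AuditLog.Read.All'

$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = $details | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered, IsMfaCapable,
    @{ n = 'Methods'; e = { $_.MethodsRegistered -join ', ' } }

# Accounts without any registered MFA method, administrators at the top.
$missing = @($report | Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName)
$missing | Format-Table UserPrincipalName, IsAdmin, IsMfaCapable -AutoSize

# Accounts relying on a phone number, so the registered numbers can be reviewed.
$report | Where-Object { $_.Methods -match 'mobilePhone|officePhone' } |
    Format-Table UserPrincipalName, Methods -AutoSize

# Registration only shows that a method exists; it does not prove that
# MFA is actually demanded at sign-in for that account.
'{0} of {1} accounts have no MFA method registered ({2} of them administrators).' -f `
    $missing.Count, @($report).Count, @($missing | Where-Object IsAdmin).Count

Disconnect-MgGraph | Out-Null
```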

Unsure if you have MFA enabled at your business? Welcomm can run a full report on your Microsoft 365 tenancy to see who has MFA enabled and who does not, as well as which numbers have been attached to each Microsoft 365 account. 

Need More From Microsoft 365?

Learn more about how your business can make more of its digital investments with expert advice from a Microsoft Partner. If you think your Microsoft 365 estate is costing you more than it should, or if you want it to achieve more for your business, book a free call with our IT experts below:

Copyright © 2022 Welcomm Communications Ltd - all rights reserved

Company Registration Number: 03815160