BIPI

Your Microsoft 365 Security Baseline Drifts Faster Than You Audit.

Cloud Security

M365 has 1000+ security-relevant settings and they change on Microsoft's schedule, not yours. Most tenants we assess have drifted significantly from their last hardening exercise. Here is the audit and remediation pattern that works.

By Arjun Raghavan, Security & Systems Lead, BIPI · February 8, 2026 · 7 min read

#microsoft-365 #identity #cloud-security #configuration

Microsoft 365 tenant hardening is one of those projects that finishes once and decays continuously. The team runs through the CIS M365 Foundations benchmark, fixes the 300 findings, declares victory. Six months later, half the controls have drifted: defaults changed in a Microsoft update, a new licensing tier was added, an admin enabled a setting for a one-off project and forgot to revert.

We have audited M365 tenants 4 to 18 months after their last hardening pass. Drift is universal. The amount of drift is usually large enough that the original audit work is half-undone.

Sources of drift

  • Microsoft default changes. Microsoft regularly changes default values, sometimes towards more secure settings (good), and ships new features that are off by default but get enabled for testing and never reverted (bad). Either way, the tenant no longer matches the baseline that was documented.
  • License upgrades. Moving from E3 to E5 surfaces settings that did not exist at the lower tier. They arrive unconfigured, and a baseline written against E3 says nothing about them.
  • Admin one-offs. 'Just for this project' exceptions for sharing, conditional access, MFA. The exceptions outlive the project.
  • Service principal proliferation. New SaaS integrations create app registrations with consents. Accumulated consents become attack surface.
  • Group nesting changes. Permissions originally scoped to a small group expand as that group is nested into other groups or reused in new assignments.
  • Guest access. External users from past projects accumulate; their access is rarely cleaned up.

What an actual baseline includes

Beyond CIS M365 Foundations (which is comprehensive but slow to update), a useful baseline covers:

  1. Conditional Access policies: every policy reviewed, every exclusion documented with an owner, expiry dates set on temporary exclusions.
  2. MFA enforcement: every user, every privileged role, FIDO2 / passkeys for admins, number matching in Authenticator to resist push fatigue.
  3. Mailbox audit: enabled on every mailbox (on by default, but it can be turned off per mailbox, so verify), retention period appropriate.
  4. Sharing controls: Teams, SharePoint, OneDrive sharing scopes reviewed, anonymous link expiry set.
  5. App registrations and enterprise apps: every consent reviewed, dormant apps disabled, high-privilege apps restricted to specific users.
  6. Privileged Identity Management: just-in-time elevation for admins, approval flow for sensitive roles, activity audit.
  7. Defender for Office: phishing protection, Safe Links, Safe Attachments, anti-spam tuned.
  8. Audit log retention: at least 1 year (the standard unified audit log retains less than that by default, so check your licensing tier), ingested into your SIEM if you have one.

M365 hardening is not a one-time project. It is continuous configuration management for a thousand-setting product whose defaults change without warning.

The continuous audit approach

What works: a scheduled (weekly or monthly) automated scan that compares current tenant configuration to a documented baseline, flags drift, and assigns remediation tickets. ScubaGear (CISA's M365 baseline scanner), Microsoft Secure Score (useful, but scored against Microsoft's recommendations rather than your own documented baseline), or commercial tools such as CoreView and Quadrotech do this.

The drift report is treated as a routine output: small drifts get fixed in the same cadence, large drifts trigger a deeper review. Over time the noise floor drops as the team standardises on the documented baseline.

Things commonly missed even by mature teams

  • Legacy authentication (POP, IMAP, SMTP basic auth) re-enabled at the mailbox or tenant level for an app integration, while the Conditional Access policy that blocks legacy clients has quietly been downgraded to report-only.
  • Tenant-wide application consent allowed for all users (it should be admin-approved only).
  • Audit logging for non-mailbox activity. Many compliance roles only audit mailboxes; SharePoint, OneDrive and Teams content audit is configured separately.
  • Conditional Access exclusions that were 'temporary' in 2023 and are still in place in 2026.
  • External tenant collaborations (B2B) without expiry, accumulating across the years.
  • Service accounts with passwords (rather than managed identities), especially for legacy on-prem connectors.
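The baseline-versus-snapshot comparison described under the continuous audit approach, extended with the checks from the list above (downgraded Conditional Access policies, undocumented or expired exclusions, user consent left open, stale guests), as an added example that is not BIPI's tooling or any Microsoft product. The tenant snapshot is constructed by hand in the shape of Microsoft Graph responses (authorizationPolicy, Conditional Access policy objects, guest user objects with signInActivity); a real run would read a scheduled export instead. The dotted-path baseline format and the exclusion register mapping each exclusion to an expiry date are assumptions of this example.

```python
"""Baseline drift check over an exported Microsoft 365 tenant snapshot.

Added example for this article, not BIPI's or Microsoft's code. The snapshot is
constructed (no real tenant data) in the shape of Microsoft Graph responses; the
baseline format and the exclusion register are assumptions of the example.
"""
from datetime import date

# Documented baseline: dotted Graph paths and the value each must hold.
BASELINE_SETTINGS = {
    # Users may not grant application permissions themselves (admin consent only).
    "authorizationPolicy.defaultUserRolePermissions.permissionGrantPoliciesAssigned": [],
    # Ordinary users may not register applications.
    "authorizationPolicy.defaultUserRolePermissions.allowedToCreateApps": False,
    # Only admins and guest inviters may invite B2B guests.
    "authorizationPolicy.allowInvitesFrom": "adminsAndGuestInviters",
}
# Conditional Access policies that must exist and be enforced, not report-only.
REQUIRED_CA_POLICIES = {"Block legacy authentication", "Require MFA for all users"}
# Team-maintained exclusion register (assumed): every CA exclusion needs an expiry.
EXCLUSION_REGISTER = {"svc-legacy-sync": date(2023, 6, 30)}  # 'temporary' in 2023
MAX_GUEST_IDLE_DAYS = 90

# Constructed snapshot with several drifts planted, Graph-shaped field names.
SNAPSHOT = {
    "authorizationPolicy": {
        "allowInvitesFrom": "everyone",
        "defaultUserRolePermissions": {
            "allowedToCreateApps": True,
            "permissionGrantPoliciesAssigned": [
                "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"],
        },
    },
    "conditionalAccessPolicies": [
        {"displayName": "Block legacy authentication",
         "state": "enabledForReportingButNotEnforced",  # downgraded to report-only
         "conditions": {"users": {"excludeUsers": [], "excludeGroups": []}}},
        {"displayName": "Require MFA for all users", "state": "enabled",
         "conditions": {"users": {"excludeUsers": ["svc-legacy-sync"],
                                  "excludeGroups": ["grp-project-phoenix"]}}},
    ],
    "guests": [
        {"userPrincipalName": "partner_example.com#EXT#@contoso.example",
         "signInActivity": {"lastSignInDateTime": "2024-01-15T09:12:00Z"}},
        {"userPrincipalName": "vendor_example.net#EXT#@contoso.example",
         "signInActivity": {}},  # invited, never signed in
    ],
}


def lookup(obj, dotted):
    """Follow a dotted path through nested dicts; None if a segment is missing."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_settings(snapshot, baseline=BASELINE_SETTINGS):
    """One finding per baseline path whose current value differs from the baseline."""
    return [f"SETTING {p}: expected {exp!r}, found {lookup(snapshot, p)!r}"
            for p, exp in baseline.items() if lookup(snapshot, p) != exp]


def check_ca_policies(snapshot, today, required=REQUIRED_CA_POLICIES,
                      register=EXCLUSION_REGISTER):
    """Required policies must be enabled; every exclusion must be registered and unexpired."""
    findings = []
    policies = {p["displayName"]: p for p in snapshot["conditionalAccessPolicies"]}
    for name in sorted(required):
        state = policies.get(name, {}).get("state", "missing")
        if state != "enabled":
            findings.append(f"CA {name}: state is {state}, baseline requires enabled")
    for name, pol in policies.items():
        users = pol["conditions"]["users"]
        for ex in users.get("excludeUsers", []) + users.get("excludeGroups", []):
            expiry = register.get(ex)
            if expiry is None:
                findings.append(f"CA {name}: exclusion {ex} not in register (no owner, no expiry)")
            elif expiry < today:
                findings.append(f"CA {name}: exclusion {ex} expired {expiry.isoformat()}")
    return findings


def check_guests(snapshot, today, max_idle_days=MAX_GUEST_IDLE_DAYS):
    """Guests that never signed in, or have been idle longer than the limit."""
    findings = []
    for g in snapshot["guests"]:
        last = g.get("signInActivity", {}).get("lastSignInDateTime")
        if last is None:
            findings.append(f"GUEST {g['userPrincipalName']}: never signed in")
            continue
        idle = (today - date.fromisoformat(last[:10])).days
        if idle > max_idle_days:
            findings.append(f"GUEST {g['userPrincipalName']}: idle {idle} days")
    return findings


def drift_report(snapshot=SNAPSHOT, today=date(2026, 2, 8)):
    """All findings in one list; an empty list means the tenant matches the baseline."""
    return (check_settings(snapshot) + check_ca_policies(snapshot, today)
            + check_guests(snapshot, today))


if __name__ == "__main__":
    for line in drift_report():
        print(line)
```

Run on a schedule, each finding line becomes a ticket; the planted snapshot produces eight. The point of the exclusion register is that an exclusion with no expiry is itself a finding, which is how 'temporary' exclusions from 2023 stop surviving into 2026 unnoticed.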

Closing

M365 tenant security is configuration management at scale. The rate of change is too high for a quarterly manual audit to keep up. The teams that maintain a strong posture have automated drift detection wired into their workflow, with remediation as a routine activity, not an annual project. Without that, every audit feels like starting over because, in practice, you are.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.