Migrating to Microsoft 365 is one of the most common IT projects at Swiss SMEs. Email, document management, collaboration — all from one provider, all in the cloud. But with the move to M365, a dangerous misconception arises: many companies believe that Microsoft takes care of security. This is only partially true.<\/p>\n
Microsoft operates the infrastructure behind Microsoft 365: data centres, networks, platform security, physical security. Microsoft is responsible for this and invests billions in this area.<\/p>\n
However, configuration, user management, access control, and the protection of your data<\/strong> are your responsibility. Microsoft calls this the “Shared Responsibility Model.” In practice, it means:<\/p>\n This means concretely: if an attacker logs into your M365 account with stolen credentials, that is not Microsoft’s problem. If sensitive documents are publicly accessible through a misconfigured SharePoint share, the responsibility lies with you. And if an employee loses their account because MFA was not enabled, Microsoft is not liable.<\/p>\n From practical experience, security experts are familiar with a range of configuration errors that occur repeatedly in SME M365 environments. Many of these are default settings that were never adjusted.<\/p>\n MFA is the single most important security measure for cloud accounts. Microsoft states that MFA prevents over 99 per cent of automated account takeovers. And yet, MFA is not enabled for all users in many SME tenants.<\/p>\n Common excuses: “It’s too inconvenient,” “It doesn’t work with our printer,” “Management doesn’t want it.” The result: a single stolen password is enough to access all emails, documents, and Teams chats of an employee.<\/p>\n Recommendation:<\/strong> Enable MFA for all<\/strong> users, without exception. Use the Microsoft Authenticator app or FIDO2 security keys instead of SMS.<\/p>\n Legacy authentication protocols such as POP3, IMAP, and SMTP Basic Auth do not support MFA. Attackers deliberately use these protocols to bypass MFA. Even if MFA is enabled for regular sign-in, an attacker can access the mailbox via IMAP with a stolen password.<\/p>\n Microsoft has gradually disabled Basic Authentication for Exchange Online, but in many tenants, exceptions are configured — often for older devices or applications that do not support Modern Authentication.<\/p>\n Recommendation:<\/strong> Block legacy authentication entirely through Conditional Access policies. First identify devices and applications still using legacy protocols, and update them.<\/p>\n In many SME tenants, too many users hold the “Global Administrator” role. Every global administrator account is a highly attractive target for attackers. In the worst case, compromising a single account is enough to take over the entire M365 environment.<\/p>\n Typical problems:<\/p>\n Recommendation:<\/strong> Reduce Global Admins to a maximum of two to three emergency accounts (break-glass accounts). Use role-based administration: an Exchange administrator does not need SharePoint rights. Enable Privileged Identity Management (PIM) to grant administrator rights only on demand and with time limits.<\/p>\n SharePoint Online and OneDrive for Business are powerful collaboration tools. But the default configuration is often too permissive:<\/p>\n Recommendation:<\/strong> Restrict external sharing to authenticated users. Disable “Anyone” links or limit their validity period. Regularly review who has access to which SharePoint sites.<\/p>\n M365 offers comprehensive audit logs, but many SMEs do not use them. Without monitoring, suspicious activities go undetected:<\/p>\n Recommendation:<\/strong> Enable the Unified Audit Log. Configure alerts for suspicious activities. Even without a SIEM system, the built-in M365 alerts can detect many threats.<\/p>\n Exchange Online offers Exchange Online Protection (EOP) as baseline protection. But the default configuration is often insufficient:<\/p>\n Recommendation:<\/strong> Configure SPF, DKIM, and DMARC for all your domains. Tighten the anti-phishing policies. Block macros in email attachments via group policies.<\/p>\n Traditional vulnerability scanning primarily targets on-premise systems: servers, network devices, endpoints. But in a cloud-first world, cloud services must also be incorporated into the security strategy.<\/p>\n Even though the M365 platform itself is patched by Microsoft, there are areas where external scanning remains relevant:<\/p>\n For SMEs looking to improve their M365 security, here is a prioritised checklist:<\/p>\n The shift to the cloud changes the threat landscape but does not make vulnerability management obsolete — quite the opposite. The attack surface becomes more complex: cloud services, on-premise systems, hybrid connections, and third-party integrations must all be considered.<\/p>\n ExposIQ helps Swiss SMEs maintain oversight. External scanning checks your publicly accessible systems and services — whether on-premise or cloud-exposed. With over 35 scan engines and 64’000 CVEs, vulnerabilities in web servers, VPN gateways, mail configurations, and other exposed services are detected. Breach monitoring also alerts you when employee credentials appear in data leaks — one of the most common causes of M365 account takeovers.<\/p>\n Swiss hosting, nDSG-compliant, from CHF 99 per month. Because cloud migration is only responsible with a clear security strategy: exposiq.ch<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Migrating to Microsoft 365 is one of the most common IT projects at Swiss SMEs. Email, document management, collaboration — all from one provider, all in the cloud. But with the move to M365, a dangerous misconception arises: many companies believe that Microsoft takes care of security. This is only partially true. The Shared Responsibility … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"rank_math_focus_keyword":"microsoft 365 cloud security sme","rank_math_title":"Microsoft 365 and Cloud Security: What SMEs Should Check","rank_math_description":"Migrating to M365 does not mean Microsoft handles your security. Shared responsibility, common misconfigurations and what SMEs should check.","rank_math_robots":"","rank_math_canonical_url":"","rank_math_primary_category":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-1188","post","type-post","status-publish","format-standard","hentry","category-it-sicherheit","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"_links":{"self":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/comments?post=1188"}],"version-history":[{"count":0,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/1188\/revisions"}],"wp:attachment":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/media?parent=1188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/categories?post=1188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/tags?post=1188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
The Most Common Security Gaps in M365 Environments<\/h2>\n
1. Multi-Factor Authentication Not Enforced<\/h3>\n
2. Legacy Authentication Still Active<\/h3>\n
3. Overprivileged Accounts<\/h3>\n
\n
4. SharePoint and OneDrive Configured Too Openly<\/h3>\n
\n
5. Missing Monitoring and Logging<\/h3>\n
\n
6. Email Security Not Optimised<\/h3>\n
\n
Cloud Security and Vulnerability Scanning<\/h2>\n
\n
A Pragmatic M365 Security Check<\/h2>\n
\n
ExposIQ for Your Cloud Era<\/h2>\n