When I perform a security audit of a Microsoft 365 environment, I sometimes find that important security settings are not applied to the most important administrator accounts.
In other words, while some decent security settings may be enforced on the accounts of normal staff, these settings are disabled on the accounts that hold the keys to the kingdom.
I know this can happen by accident – everyone is busy and distracted.
But when I ask the IT administrator why these settings have been relaxed or disabled on their accounts, they seldom say it was an accident.
A common justification is that “all that security stuff” shouldn’t apply to them.
1. “All that security stuff” would only slow them down, or
2. “All that security stuff” is unnecessary as they would never be fooled by a phishing email.
What’s my point?
When was the last time you checked that the person who holds the keys to your Microsoft 365 kingdom…
is actually using the locks?
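One way to answer that question for your own tenant, as an added example that is not part of the original post and not the author's audit tooling: the script below enumerates the members of a few privileged Entra ID roles and reports which of them have no MFA-capable authentication method registered. It assumes the Microsoft Graph PowerShell SDK is installed, that the account running it has been granted the listed read-only scopes, and that the role display names match the built-in ones; the role list and the set of "strong" method types are assumptions you can adjust.

```powershell
# Added example (not from the original post): list members of privileged
# roles and flag those with no MFA-capable authentication method registered.
# Requires the Microsoft.Graph PowerShell SDK; read-only delegated scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","UserAuthenticationMethod.Read.All"

# Built-in role display names to review (assumed list; extend as needed)
$privilegedRoles = @("Global Administrator", "Privileged Role Administrator", "Security Administrator")

# Method types that can satisfy an MFA prompt; password and email (SSPR-only) are deliberately excluded
$strongMethodTypes = @(
    "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod",
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.softwareOathAuthenticationMethod",
    "#microsoft.graph.phoneAuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod"
)

$results = foreach ($roleName in $privilegedRoles) {
    # A role only exists as a directoryRole object once it has been activated in the tenant
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Only user objects carry authentication methods; skip groups and service principals
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
        $strong  = $methods | Where-Object { $strongMethodTypes -contains $_.AdditionalProperties['@odata.type'] }

        [pscustomobject]@{
            Role              = $roleName
            UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
            StrongMethods     = ($strong | ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '#microsoft\.graph\.', '' }) -join ','
            MfaCapable        = [bool]$strong
        }
    }
}

# Admins with no MFA-capable method registered are the ones not "using the locks"
$results | Sort-Object MfaCapable, Role | Format-Table -AutoSize
$results | Where-Object { -not $_.MfaCapable } | Export-Csv -NoTypeInformation -Path .\admins-without-mfa.csv
```

Registration is only half of the check: a registered method proves nothing if the Conditional Access policy that requires it excludes the admin accounts. After running this, review the exclusion lists of the policies that enforce MFA for the same set of role members, since an administrator-only exclusion is exactly the pattern the post describes.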
PS I can check this (and about 67 other security settings) for you. More info here.