Your Microsoft 365 Account Is the Front Door. Here's Why Most Oklahoma Small Businesses Leave It Unlocked.
Credential attacks targeting Microsoft 365 surged over 300% in 2025. Here's what Oklahoma small businesses are getting wrong with their M365 setup — and how to fix it before it becomes a problem.
If someone wanted to get into your business right now — your email, your files, your customer data — they probably wouldn't try to break through a firewall. They'd just log in.
That's not a hypothetical. It's what's actually happening to small businesses across Oklahoma and everywhere else. Credential phishing targeting Microsoft 365 users specifically surged more than 300% in 2025. Attackers aren't going after enterprise companies with security teams. They're going after businesses like yours — 10, 20, 50 employees — because they know you're running on M365 and they know most accounts aren't locked down the way they should be.
I've spent five years administering Microsoft 365 environments for organizations ranging from 400 to over 5,000 users, including in environments that had to meet federal government compliance standards. The same problems show up everywhere, regardless of size. And the scariest part is how simple they are to fix — once you know they're there.
Here's what I see most often, and what you can do about it.
The Real Problem: Cloud Access Made Identity the New Perimeter
Ten years ago, "IT security" mostly meant your firewall and your antivirus. The threats were outside, trying to get in. You had a physical building, and if attackers wanted your data, they had to break through something.
That model is gone. Most of your business now lives in the cloud — email in Exchange Online, files in SharePoint and OneDrive, communication in Teams. All of it is accessible from any device, anywhere, with just a username and password. That's the convenience that makes M365 so useful. It's also exactly what makes compromised credentials so dangerous.
When an attacker gets a valid password, they don't need to break anything. They just log in. They read your emails. They access your client files. They impersonate you to your customers and vendors. They can do all of this quietly, for weeks, before anyone notices.
This is why identity is now the front door to your business. And most small businesses have left it unlocked.
The Five Things That Are Probably Wrong Right Now
1. No Multi-Factor Authentication (or inconsistent enforcement)
MFA is the single highest-impact thing you can do to protect your M365 environment. When it's enabled and enforced correctly, a stolen password alone isn't enough to get in. The attacker also needs access to your phone or your authenticator app.
Microsoft estimates that MFA blocks over 99% of automated credential attacks. And yet a significant portion of small business M365 tenants either have MFA disabled, have it set to optional, or have it enforced for some users but not others — often because someone in a rush said "I'll set that up later" and later never came.
If your MFA policy has any exceptions — specific users, shared accounts, service accounts — those are your weakest points. Attackers find them.
2. Shared Accounts and Admin Privileges Handed Out Too Broadly
Walk into most small businesses and you'll find at least one of these: a shared "info@" or "admin@" mailbox that three people log into with the same credentials. A former employee's account that's technically still active because someone needed to check their emails. A manager who got made a global administrator because they needed to reset a password one time and no one revoked the access afterward.
Every one of those is an open window. Shared accounts can't be traced to a specific person when something goes wrong. Former employee accounts sitting active are a standing invitation for anyone who ever had that password. And over-privileged admin accounts mean that when one gets compromised, the attacker has the keys to everything.
The principle of least privilege — giving each person only the access they actually need — sounds boring. It's one of the most effective security controls that exists.
3. No Conditional Access Policies
Conditional Access is one of the most powerful tools in the Microsoft Entra ID toolkit, and most small business tenants don't have a single policy configured.
Conditional Access lets you define the rules for when and how access is granted. It can require MFA when someone logs in from outside your network. It can block access from geographic regions you don't operate in. It can require that a device be compliant — managed, patched, encrypted — before it can access company data. It can flag risky sign-ins and force re-authentication automatically.
Without it, your access controls are essentially binary: you have a password or you don't. With it, you have an intelligent layer that can stop attacks your users would never notice.
4. Stale Accounts Nobody Cleaned Up
This one is almost universal. An employee leaves and their account gets disabled — but maybe not deleted. A contractor finishes a project and their guest access stays active in your tenant. A vendor was given access to a SharePoint folder six months ago and that access was never revoked.
Stale accounts don't trigger alerts. Nobody's using them, so nobody's watching them. But they're still there, and if anyone ever figures out the credentials or exploits a guest link, they have a path in.
A regular access review — quarterly for most small businesses — catches these before they become a problem. It takes less than an hour when you know what to look for.
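What that hour-long review can look like in practice, as an added example that is not from the original post: a Microsoft Graph PowerShell sweep that flags enabled accounts with no recent sign-in, disabled-but-not-deleted accounts, guest accounts, and lists who holds Global Administrator. It assumes the Microsoft.Graph module is installed, the signed-in admin can consent to the listed scopes, and the tenant has Entra ID P1 (included in Business Premium) so sign-in activity is populated; the 90-day threshold is an assumed value.

```powershell
# Quarterly access review for an M365 tenant (Microsoft Graph PowerShell SDK).
# Assumptions: Microsoft.Graph module installed, admin can consent to the scopes
# below, Entra ID P1 present so signInActivity is returned. $StaleDays is assumed.
$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All","Directory.Read.All"

# No -Filter here: Graph rejects filtering on other properties in the same
# request that selects signInActivity, so pull everything and sort locally.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,CreatedDateTime,SignInActivity

$findings = foreach ($u in $users) {
    $last = $u.SignInActivity.LastSignInDateTime
    # Accounts that never signed in (or tenants without P1) fall back to the
    # creation date, so old unused accounts still surface.
    $ref   = if ($null -ne $last) { $last } else { $u.CreatedDateTime }
    $issue = $null
    if ($u.AccountEnabled -and $ref -lt $Cutoff) {
        $issue = "Enabled but no sign-in for $StaleDays+ days"
    } elseif (-not $u.AccountEnabled) {
        $issue = "Disabled, not deleted: confirm data retained, then remove"
    } elseif ($u.UserType -eq 'Guest') {
        $issue = "Guest: confirm the sponsor still needs this access"
    }
    if ($issue) {
        [pscustomobject]@{
            User     = $u.UserPrincipalName
            Type     = $u.UserType
            Enabled  = $u.AccountEnabled
            LastSeen = $last
            Issue    = $issue
        }
    }
}

# Global Administrator should be a short list of named people, not a default.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

$findings | Sort-Object Issue, User | Format-Table -AutoSize
"Global Administrators ($($gaMembers.Count)): $($gaMembers -join ', ')"
$findings | Export-Csv -Path ".\access-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Keep the exported CSV with the reviewer's decision for each row; that record is what a cyber-insurance questionnaire or auditor will ask for.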
5. No Offboarding Process
This is closely related to the stale account problem, but it deserves its own call-out because the stakes are higher. When an employee leaves — under bad terms or good — how long does it take your business to disable their M365 account, revoke their device access, remove them from shared mailboxes, and recover any company data they had locally?
If the answer is "a few days" or "whenever someone remembers," that's a serious gap. Former employees with active accounts can access email, download files, and cause damage long after their last day. A structured offboarding workflow closes that window in minutes.
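One way to turn that workflow into a runbook that takes minutes rather than days, as an added example (not the author's or Polus's own tooling): a script built on Microsoft Graph PowerShell and Exchange Online PowerShell that blocks sign-in, kills existing sessions, strips group and shared-mailbox access, and keeps the mailbox content without keeping a licensed login. It assumes both modules are installed, the operator holds User Administrator and Exchange Administrator rights, and $Upn is the departing account; device wipe through Intune is left to a separate step.

```powershell
# Offboarding runbook for one departing user.
# Assumptions: Microsoft.Graph and ExchangeOnlineManagement modules installed,
# operator has User Administrator + Exchange Administrator, $Upn is the leaver.
# Order matters: cut access first, then clean up.
param([Parameter(Mandatory)][string]$Upn)

Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All","Directory.Read.All"
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $Upn -Property Id,UserPrincipalName,AccountEnabled

# 1. Block sign-in, then invalidate refresh tokens so phones and laptops that
#    are already signed in stop working when their access token expires,
#    instead of living on until the next password change.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Remove group memberships so Teams, SharePoint sites and distribution
#    lists stop being reachable. Dynamic and Exchange-managed groups will
#    throw here and need to be handled in their own admin surface.
Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
    ForEach-Object {
        $gid = $_.Id
        try   { Remove-MgGroupMemberByRef -GroupId $gid -DirectoryObjectId $user.Id -ErrorAction Stop }
        catch { Write-Warning "Could not remove from group ${gid}: $_" }
    }

# 3. Strip Full Access on every shared mailbox (the "info@" problem above).
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
foreach ($sm in $shared) {
    $perm = Get-EXOMailboxPermission -Identity $sm.Identity -User $Upn -ErrorAction SilentlyContinue
    if ($perm) {
        Remove-MailboxPermission -Identity $sm.Identity -User $Upn -AccessRights FullAccess -Confirm:$false
    }
}

# 4. Preserve the mail for the business without a licensed login: convert the
#    mailbox to shared (normally license-free), then reclaim the license.
Set-Mailbox -Identity $Upn -Type Shared

"Offboarded ${Upn}: sign-in disabled, sessions revoked, group and shared-mailbox access removed, mailbox converted to shared."
```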
What "Properly Secured" Actually Looks Like
When I set up a Microsoft 365 environment with security as the foundation, here's what's in place:
Multi-factor authentication is enforced for every user, no exceptions, using an authenticator app rather than SMS where possible.
Conditional Access policies define the baseline: MFA required from all locations, legacy authentication protocols blocked, and compliant devices required for access to sensitive data.
Role-based access control means users have access to what they need and nothing more. Admin roles are assigned narrowly, and global admin access is used only when necessary — not for day-to-day work.
Microsoft Defender is configured with baseline security policies — anti-phishing, safe links, safe attachments — so threats are caught before they reach your users' inboxes.
Intune manages endpoints so you know what devices are accessing your data, can enforce encryption and security requirements, and can wipe a device remotely if it's lost or stolen.
An offboarding checklist that takes 15 minutes to run, not a few days.
None of this is out of reach for a small business. It's all included in Microsoft 365 Business Premium. What's missing for most businesses isn't the tools — it's the configuration.
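Two of those baseline Conditional Access policies as they would be created through Microsoft Graph PowerShell, added here as an illustration rather than taken from the post: one that blocks legacy authentication (which cannot satisfy MFA at all) and one that requires MFA for every user on every app. It assumes the Microsoft.Graph module, a Conditional Access Administrator, and an emergency-access ("break-glass") account whose object id you put in $BreakGlassId; the placeholder value shown is not a real id.

```powershell
# Starter Conditional Access policies via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed, Conditional Access Administrator,
# and a break-glass account id in $BreakGlassId (placeholder below) so that a
# misconfigured policy can never lock every admin out.
$BreakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access account object id

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All"

# Both policies start in report-only mode. Review the sign-in logs for a week,
# then change state to "enabled" once nothing legitimate shows as blocked.
$blockLegacy = @{
    displayName = "CA01 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        # "other" covers Basic-auth clients (POP, IMAP, SMTP AUTH); ActiveSync is listed separately.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

$requireMfa = @{
    displayName = "CA02 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($BreakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($p in $blockLegacy, $requireMfa) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
}
```

Give the break-glass account a long random password stored offline and exclude it only from these policies, and alert on any sign-in by it, since it is deliberately outside MFA enforcement.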
A Real Example (Without Naming Names)
I managed the infrastructure environment for an organization going through a major acquisition — onboarding several hundred employees from an acquired company into an existing Microsoft 365 tenant. The acquired company came in with almost no identity controls: shared accounts, no MFA, former employees still active in their directory.
Before we could migrate anything, we had to remediate their identity environment. We found accounts that had been active for two years after the employees who owned them had left. We found shared admin credentials that at least six people knew. We found guest access links to sensitive folders that had been forwarded so many times nobody could trace where they'd gone.
This isn't unusual. It's what an unmanaged M365 environment looks like after a few years of growth without intentional oversight. Fixing it isn't complicated — but it takes someone who knows what to look for.
What This Costs You If You Ignore It
A compromised M365 account at a small business typically results in one of three things: a business email compromise scam where a vendor or client gets sent a fake invoice, a ransomware deployment that encrypts your files and demands payment, or quiet data theft that you may not discover for weeks or months.
The average cost of a data breach for a small business runs into six figures when you account for downtime, remediation, legal exposure, and lost client trust. Cyber insurance is increasingly difficult to get — or expensive — without being able to demonstrate that basic controls like MFA are in place.
The cost to lock down your M365 environment properly is a fraction of that.
How Polus Can Help
The Identity & Security service at Polus is built specifically for this: Entra ID configuration, MFA enforcement, Conditional Access policies, device management through Intune, and a baseline security posture that gives you visibility into what's happening in your environment.
It's a fixed-scope, fixed-price engagement. You know what you're getting and what it costs before we start.
If you're not sure where you stand, start with the free discovery call. Thirty minutes. You'll leave with a clear picture of your current exposure and what it would take to fix it — no commitment required.
Your Microsoft 365 account is the front door to your business. Let's make sure it's actually locked.
Jack Washmon is the founder of Polus LLC, an IT and operations consulting firm serving Oklahoma small businesses. He has five years of experience managing Microsoft 365 and Entra ID environments for organizations from 400 to 5,000+ users, including in GCC High (FedRAMP High) environments supporting federal government clients.