Majority of Microsoft 365 Admins Don’t Enable MFA

microsoft 365 multi factor authentication

Beyond admins, researchers say that 97 percent of all total Microsoft 365 users do not use multi-factor authentication.

Up to 78 percent of Microsoft 365 administrators do not have multi-factor authentication (MFA) security measures enabled.

A recent report by CoreView Research also found that 97 percent of all total Microsoft 365 users do not use MFA, shedding a grim light on the security issues inherent with the implementation of Microsoft’s subscription service. Launched in 2017, this service provides users with basic productivity applications – including Office 365, Windows 10 and Enterprise Mobility.

“This is a huge security risk – particularly during a time where the majority of employees are remote – that IT departments must acknowledge and address in order to effectively deter cyberattacks and strengthen their organization’s security posture,” according to the report, released last week.

Microsoft 365 accounts are a treasure trove for cybercriminals looking for sensitive organization data. Attackers typically targeting Microsoft 365 accounts email-based phishing or spear phishing attacks, automated credential stuffing, or guessing attacks. MFA is one of the best ways to prevent this type of unauthorized access to Microsoft 365, researchers said – with research from SANS Software Security Institute indicating that 99 percent of data breaches can be prevented using MFA.

However, the research reveals that Microsoft 365 users – and even admin accounts, with the highest level of permissions and oversight of data – are not doing their part to implement MFA for their accounts.

Overall, researchers found overarching issues with how Microsoft 365 is being implemented in companies. Beyond failing to implement basic security practices, researchers warned that organizations are giving administrators excessive controls (which results in increased access to sensitive information).

For instance, researchers found that 57 percent of global organizations have Microsoft 365 administrators with excess permissions to access, modify, share critical data – potentially giving them unnecessary access to private data and opening up risks for insider threats.

Another issue is that companies are investing in various productivity applications without consideration their security implications. While these apps help fuel productivity, unsanctioned “shadow IT” apps have varying levels of security unsanctioned apps represent a significant security risk. Shadow IT apps are SaaS applications that employees use, typically without IT’s permission or even knowledge.

“In today’s modern work environment, where supporting remote work is a must, CoreView’s data indicates that the missing ingredient in deploying and using M365 (Microsoft 365) effectively is often data governance, application security and Shadow IT oversight,” they said. “Enterprises must ensure they have the processes and tools, including CoreView, to help securely migrate and operate the world’s leading SaaS productivity platform.”

Security issues and attacks leveraging Microsoft 365 are rampant. In September, researchers said that bugs in the multi-factor authentication system used by Microsoft’s cloud-based office productivity platform, Microsoft 365, opened the door for hackers to access cloud applications via a bypass of the security system.

Also in September, Microsoft 365 faced another phishing attack–this one using a new technique to make use of authentication APIs to validate victims’ Office 365 credentials–in real time–as they enter them into the landing page.

Threatpost has reached out to Microsoft for further comment regarding the report.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.