Ask a room full of MSPs what they see wrong in Microsoft 365 tenants and you'll hear the same list, over and over. Not exotic zero-days, but the same handful of gaps left open in tenant after tenant, usually because someone turned on the headline control, ticked the box, and never came back to finish the job. "We've got MFA" is the classic. It's true, and it's nowhere near enough.
In short: The Microsoft 365 gaps MSPs see most often are incomplete MFA coverage, session-token theft that walks straight through MFA, too many standing admins, oversharing across SharePoint and OneDrive, under-configured email authentication, unmanaged devices, and no real monitoring. Almost every one starts as a control someone switched on but never finished configuring, and closing them is mostly a matter of finishing the job.
Here are the Microsoft 365 security gaps we and other managed service providers see most often, why each one matters, and how to actually close it.
Why isn't "we've got MFA" the finish line?
Multi-factor authentication is the single most valuable control in Microsoft 365, and almost everyone has some form of it now. The problem is the gap between some MFA and MFA that actually holds.
The gaps MSPs see constantly: MFA enabled for most users but not the service accounts and admins that matter most, legacy authentication protocols still enabled underneath it (which bypass MFA entirely), and basic app-password or SMS fallback that attackers can work around. Security Defaults are a good floor, but a floor is all they are.
"MFA that covers 95% of users still leaves the 5% an attacker will find first. Coverage is the whole point, and it's the thing least often finished."
The fix is Conditional Access done properly: MFA enforced for everyone, legacy authentication blocked outright, and a move towards phishing-resistant methods (passkeys, Windows Hello for Business, FIDO2 keys) for privileged accounts. Which leads straight to the gap nobody wants to think about.
Token theft and AiTM: the attack that walks straight through MFA
This is the topic that dominates MSP security conversations right now, because it breaks the reassuring story that "MFA means we're safe." Adversary-in-the-middle (AiTM) phishing kits, which Microsoft's security researchers have tracked at scale, don't try to defeat MFA, they sidestep it. The victim logs in and completes MFA on a real-looking proxy page, and the attacker captures the resulting session token. With that token, they're in, no second factor required, because from Microsoft's point of view the session is already authenticated.
Token theft is now one of the most common ways Microsoft 365 accounts get compromised, and standard MFA does nothing to stop it on its own. What does help: Conditional Access policies that bind sessions to compliant or hybrid-joined devices, shorter session lifetimes for risky sign-ins, token protection, and phishing-resistant MFA that can't be proxied in the first place. This is exactly why "we've got MFA" is no longer a complete answer.
Privileged access: how many admins is too many?
Open almost any tenant that hasn't been professionally reviewed and you'll find more Global Administrators than there should be, admin accounts that are also someone's day-to-day mailbox, and no dedicated break-glass account for emergencies. Every one of those is an oversized target.
The pattern MSPs push towards: a small number of named admins, admin roles separated from everyday user accounts, just-in-time elevation with Privileged Identity Management (PIM) so standing access is minimised, and two carefully protected break-glass accounts excluded from the very policies that could otherwise lock everyone out. Privileged access is where a single compromise does the most damage, so it's where the tightening matters most.
Oversharing and data governance: the gap Copilot just made urgent
SharePoint and OneDrive make sharing effortless, which is exactly the problem. Over years, "anyone with the link" permissions, stale external guests and unlabelled sensitive files accumulate quietly. It was always a risk. Microsoft 365 Copilot turned it into an urgent one, because Copilot surfaces anything a user can already access, instantly and at scale.

Closing it means auditing sharing links and external access, applying sensitivity labels to genuinely sensitive data, tightening default sharing settings, and running an oversharing review before Copilot goes live rather than after. We wrote a whole Copilot readiness checklist because this single gap catches so many businesses out.
Email: still the front door, still under-configured
Email remains the number one route in, and Microsoft 365's defaults, while decent, are rarely tuned. The recurring gaps: SPF, DKIM and DMARC not fully configured (so spoofing your own domain is easy), anti-phishing policies left at default, no impersonation protection for the finance team and executives who get targeted by business email compromise, and inbound rules nobody reviews. Layered email security, impersonation protection and proper authentication records turn the front door from "ajar" into "locked".
Devices: unmanaged endpoints quietly undermine everything
You can harden identity and data perfectly and still lose it all through a device you don't control. Half-finished Intune rollouts are everywhere: some devices enrolled, some not, compliance policies created but not enforced through Conditional Access, and personal devices accessing company data with nothing standing behind them. An unmanaged laptop is a laptop that can't be patched, encrypted or wiped on demand. Enrolment, real compliance policies, and Conditional Access that actually requires a compliant device are what turn device management from paperwork into protection. Our Intune device management checklist walks through exactly that.
Monitoring: the gap you don't see until you need it
The quietest gap of all is the one MSPs find during an incident: nobody was watching. The unified audit log switched off or never queried, alerts firing into an inbox no one reads, Secure Score sitting at a number nobody's acted on, and no 24/7 eyes on the tenant at all. Detection and response is what turns a security event at 2am into a contained incident rather than a Monday-morning discovery. Continuous monitoring, tuned alerting, and someone actually on the end of it are the difference between knowing and hoping.
The common thread: switched on isn't the same as finished
"Almost every gap on this list started as a control someone did switch on. The risk lives in the half that never got finished."
None of these gaps come from neglect exactly. They come from good intentions that stopped at the headline setting: MFA enabled but not enforced everywhere, Intune rolled out but not enforced, Copilot switched on before the data was ready, alerts configured but never watched. Real Microsoft 365 security is layered, identity, access, email, data, devices and monitoring, and it's only as strong as the layer someone forgot to finish.
Where this leaves you
If any of this sounds like your tenant, you're in good company, it describes most Microsoft 365 environments we assess. The good news is that every gap here is fixable, usually faster and cheaper than businesses expect, once someone actually looks. Systech's Security Services bring Managed Firewall, EDR, XDR and 24/7 threat management together with proper Microsoft 365 hardening, and it starts with a Microsoft 365 Security Posture Assessment that scores exactly where you stand across identity, data, device and threat protection, so you fix the gaps that matter first, on your own schedule rather than an attacker's.



