Buying the licence isn’t the same as being protected by it. Here’s what the gap looks like, and how to close it.
There’s an assumption that catches a lot of businesses out.
They’re on Microsoft 365. They’re paying for Business Premium. They’ve got MFA switched on for most people. And so they feel, reasonably enough, like their bases are covered.
They usually aren’t.
The security features included in Microsoft 365 Business Premium are genuinely impressive. But they don’t protect your business by default. They protect your business when they’re properly configured. And for most organisations, there’s a meaningful gap between what they’re paying for and what’s actually switched on and working.
This week we’re looking at that gap through the lens of Zero Trust, the security model that Microsoft 365 is built to support, and what it actually takes to implement it properly.
What is Zero Trust, and why does it matter for your Microsoft 365 environment?
Zero Trust is a security model built on a simple principle: never trust, always verify. Rather than assuming anyone inside your network is safe, every user, every device, and every access request is treated as potentially untrusted until proven otherwise.
It sounds like an enterprise concept. It isn’t. It’s a way of thinking about security that applies to any business where people log in to cloud systems, work remotely, or handle sensitive data. Which is most businesses.
The reason Zero Trust matters specifically for Microsoft 365 is that Microsoft has built the tools to implement it directly into the platform. MFA, Conditional Access, Microsoft Defender for Business, Intune, Privileged Identity Management, and Just-in-Time access are all Zero Trust building blocks. They’re all included with Business Premium. And most businesses have barely touched them.
The four configuration gaps that leave most Microsoft 365 tenants exposed
When we look at a Microsoft 365 environment that’s never been properly reviewed, we tend to find the same issues. Not because the businesses are careless. Because nobody ever told them these things needed to be configured in the first place.
MFA isn’t fully enforced. Most businesses have enabled MFA for some accounts. Very few have enforced it across every account without exception. A single account without MFA is a single point of failure. If that password is ever compromised, the stolen credential alone is enough to get in.
No Conditional Access policies. Without Conditional Access, any user can log into your Microsoft 365 environment from any device, any location, at any time. There are no checks beyond the password and MFA prompt. Conditional Access adds the intelligence layer: checking device compliance, flagging unusual login locations, and restricting access when something doesn’t look right.
Legacy authentication still enabled. Older login protocols don’t support modern security features like MFA. If legacy authentication is still enabled in your tenant, attackers can use it to bypass your newer security controls entirely. It should be blocked.
Admin accounts without proper protection. Most businesses assign permanent admin rights to a handful of people and never revisit it. This is one of the highest-risk configurations in any Microsoft 365 environment. Admin accounts are the highest-value target for attackers, and permanent elevated access means a compromised account hands over complete control.
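To make the first three gaps concrete, here is an added example (not code from the original post or from Microsoft) that audits an exported set of Conditional Access policies offline. The dictionaries follow the Microsoft Graph conditionalAccessPolicy schema (state, conditions.users, conditions.applications, conditions.clientAppTypes, grantControls); the two sample policies, the tenant name and the excluded account are constructed for the example. It checks for an enabled policy that requires MFA for all users on all apps, lists any exclusions from that policy, and checks for an enabled policy that blocks the legacy client app types.

```python
"""Offline audit of exported Conditional Access policies for two of the
gaps discussed above: MFA not enforced for every user, and legacy
authentication not blocked. Input shape follows the Microsoft Graph
conditionalAccessPolicy schema; sample values below are constructed."""
from dataclasses import dataclass

# Constructed sample export: what a typical part-configured tenant might have.
SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["break-glass@contoso.example"],  # constructed
                "excludeGroups": [],
            },
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        # Report-only mode logs what would happen but does not block anything.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# The Graph clientAppTypes that represent legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}


@dataclass
class Finding:
    gap: str
    detail: str


def _enforced(policy):
    return policy.get("state") == "enabled"


def _all_users(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def _all_apps(policy):
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls", []))


def _requires_mfa(policy):
    # Either the classic "mfa" built-in control or an authentication strength
    # (newer policies) counts as requiring multifactor authentication.
    grant = policy.get("grantControls") or {}
    return "mfa" in _controls(policy) or grant.get("authenticationStrength") is not None


def _exclusions(policy):
    users = policy["conditions"]["users"]
    return list(users.get("excludeUsers", [])) + list(users.get("excludeGroups", []))


def audit_conditional_access(policies):
    """Return a list of Finding objects describing the gaps found."""
    findings = []

    mfa_for_all = [
        p for p in policies
        if _enforced(p) and _all_users(p) and _all_apps(p) and _requires_mfa(p)
    ]
    if not mfa_for_all:
        findings.append(Finding("MFA not enforced",
                                "no enabled policy requires MFA for all users on all apps"))
    for p in mfa_for_all:
        for excluded in _exclusions(p):
            findings.append(Finding("MFA exclusion",
                                    f"{p['displayName']!r} excludes {excluded}"))

    legacy_block = [
        p for p in policies
        if _enforced(p) and _all_users(p) and "block" in _controls(p)
        and LEGACY_CLIENT_APP_TYPES <= set(p["conditions"].get("clientAppTypes", []))
    ]
    if not legacy_block:
        report_only = [
            p["displayName"] for p in policies
            if p.get("state") == "enabledForReportingButNotEnforced" and "block" in _controls(p)
        ]
        detail = "no enabled policy blocks legacy client app types"
        if report_only:
            detail += f"; report-only candidates: {report_only}"
        findings.append(Finding("Legacy auth not blocked", detail))

    return findings


if __name__ == "__main__":
    for f in audit_conditional_access(SAMPLE_POLICIES):
        print(f"[{f.gap}] {f.detail}")
```

Run against the sample, it reports that the MFA policy excludes one account and that the legacy-auth block exists only in report-only mode. An exclusion is not automatically wrong (a designated emergency-access account is the usual deliberate one), but every name on that list should be known, justified and protected some other way.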
How Privileged Identity Management and Just-in-Time access change the equation
This last point deserves more attention than it usually gets.
Privileged Identity Management (PIM) is a Microsoft Entra feature included with Business Premium that fundamentally changes how admin access works. Rather than permanently assigning admin rights, PIM requires users to request elevated access only when they actually need it. That request can require approval, MFA verification, and a documented justification. When the task is complete, the elevated access is removed automatically.
Just-in-Time (JIT) access works alongside PIM to define a specific time window for that elevated access. An admin might be granted Global Administrator rights for two hours to complete a specific task. After two hours, the access expires. No action required. No risk of forgetting to remove it.
The practical impact is significant. If an admin account is ever compromised, the attacker gets standard user-level access, not the keys to everything. The blast radius of a breach is dramatically reduced.
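As an added example (not from the original post or from Microsoft), the check below reviews an exported list of role assignment schedule instances, shaped like the Microsoft Graph unifiedRoleAssignmentScheduleInstance objects (principalId, roleDefinitionId, assignmentType, endDateTime), and separates permanent Global Administrator assignments from PIM-style time-bound activations. The three principals, the timestamps and the "current time" are constructed; the Global Administrator role template ID is the well-known Entra value.

```python
"""Offline review of exported role assignment schedule instances to find
permanent Global Administrator assignments, the configuration PIM and JIT
access are meant to replace. Sample data is constructed."""
from datetime import datetime, timezone

# Well-known Microsoft Entra role template ID for Global Administrator.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample shaped like Graph unifiedRoleAssignmentScheduleInstance.
SAMPLE_INSTANCES = [
    {"principalId": "user-alice", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Assigned", "endDateTime": None},            # permanent
    {"principalId": "user-bob", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Activated", "endDateTime": "2024-06-01T14:00:00Z"},  # 2-hour JIT window
    {"principalId": "user-carol", "roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "assignmentType": "Activated", "endDateTime": "2024-06-01T09:00:00Z"},  # stale, already expired
]


def _parse(timestamp):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) or return None."""
    if not timestamp:
        return None
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def classify(instance, now=NOW):
    """'permanent' for a standing assignment with no end date,
    'expired' if the window has already closed, else 'time-bound'."""
    end = _parse(instance.get("endDateTime"))
    if instance.get("assignmentType") == "Assigned" and end is None:
        return "permanent"
    if end is not None and end <= now:
        return "expired"
    return "time-bound"


def permanent_admins(instances, role_id=GLOBAL_ADMIN_ROLE_ID, now=NOW):
    """Principals holding the given role permanently: the ones to move to PIM."""
    return sorted(
        i["principalId"] for i in instances
        if i["roleDefinitionId"] == role_id and classify(i, now) == "permanent"
    )


if __name__ == "__main__":
    for i in SAMPLE_INSTANCES:
        print(i["principalId"], classify(i))
    print("permanent Global Administrators:", permanent_admins(SAMPLE_INSTANCES))
```

Only the standing assignment is flagged; the two-hour activation expires on its own, which is the behaviour the text describes.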
Most businesses on Business Premium have never looked at PIM. It takes time to configure properly, but the security improvement it delivers is one of the most meaningful available to an SMB.
Microsoft Secure Score: finding out where you actually stand
If you want to understand how your Microsoft 365 environment measures up against Zero Trust principles, the best place to start is Microsoft Secure Score.
Accessible at security.microsoft.com, Secure Score gives your environment a rating out of 100 and lists every recommended improvement ranked by impact. Enable this Conditional Access policy: points up. Block legacy authentication: points up. Configure PIM for admin roles: points up. Each recommendation comes with plain-English guidance on what it does and how to action it.
It won’t catch every possible threat. But it gives you a clear, prioritised picture of where the gaps are, and what closing them would mean for your security posture. And it’s completely free to access if you’re already on Microsoft 365.
The average Secure Score for a business that hasn’t had a proper Microsoft 365 configuration review sits significantly below where it should be. The good news is that the highest-impact improvements tend to be the ones that are most straightforward to implement.
What a properly configured Microsoft 365 environment looks like
To bring this together, here’s what Zero Trust looks like in a Microsoft 365 Business Premium environment that’s been set up properly:
Every account has MFA enforced without exception. Conditional Access policies check device compliance and flag unusual sign-in behaviour before granting access. Legacy authentication is blocked. Admin rights are managed through PIM, with JIT access limiting the window of elevated permissions. Orphaned accounts from former employees are removed promptly. Microsoft Defender for Business is active and configured on every device. And Microsoft Secure Score is reviewed regularly to catch new recommendations as the platform evolves.
None of this requires additional spend beyond Business Premium. It requires configuration. And that’s exactly the gap most businesses are sitting in right now.