You’ve almost certainly been asked: “Is our Microsoft 365 data backed up?” And you’ve most likely confidently answered: “Yes. Microsoft takes care of that.”
And Microsoft does provide exceptional platform-level resilience. But as Cloudwell’s engineers will tell you, the biggest risks inside Microsoft 365 aren’t dramatic cyberattacks or cloud-level failures. They’re the quiet, everyday issues: misconfigurations, overly generous permissions, incomplete offboarding, and environments that slowly drift out of alignment with best practices.
As Owen Harvey, our senior engineer at Cloudwell, shared in a recent discussion, “Most of our conversations with clients aren’t about catastrophic ransomware — they’re about users accidentally deleting content or wanting to restore something they didn’t mean to touch.”
This guide focuses on those risks — the realistic ones — and what you can do today to strengthen your Microsoft 365 environment before calling in external help.
The real risks inside Microsoft 365 aren’t what you think
Yes, nation-state attacks happen. Yes, ransomware is real. But that’s not what our team sees every week.
In fact, Cloudwell’s resident Microsoft 365 expert, Mike Ostrander says that the practical risks look more like:
- A sync conflict that wipes a folder
- Someone with too much access making an unintended, high-impact change
- A misconfigured Conditional Access policy that locks out half the company
- A phishing attempt that slips through
- Employees dropping sensitive content into public AI tools
- A Teams or SharePoint site whose permissions became a free-for-all over time
Microsoft 365 is a secure platform, but platform security isn’t the same as organizational configuration security. The platform is resilient. But your configuration may not be.
What Microsoft 365 Backup actually provides (and what it doesn’t)
Microsoft 365 Backup is a welcome addition to the ecosystem, offering:
- Fast restores of SharePoint, OneDrive, and Exchange
- Point-in-time recovery up to 52 weeks
- Immutable, append-only storage
- Geo-redundant resilience
For many organizations we work with, this covers the lion’s share of traditional “backup” requirements. But, and this is where people often get surprised, backups don’t protect your configuration.
Microsoft 365 Backup does not undo:
- Misconfigurations
- Problematic permission changes
- Conditional Access mistakes
- Admin-level errors
- Shadow AI data leakage
- Third-party integration issues
- Governance drift
- Tenant-level settings changes
As Mike put it: “Microsoft has strong guardrails, but they don’t replace a proper governance model or a backup strategy.”
Microsoft protects the platform. You must protect the tenant.
And because Microsoft 365 Backup is still new, even clients aware of it haven’t widely deployed it yet, something both Mike and Owen reinforced.
The most common vulnerabilities Cloudwell finds in Microsoft 365 environments
After running assessments, including CISA’s SCuBA tool, across a range of organizations, Cloudwell sees the same vulnerabilities repeatedly.
1. Excessive Administrative Permissions
This is the single most common issue.
Owen summed it up perfectly: “People tend to create users and then just give them admin roles… instead of using Privileged Identity Management.”
Standing admin rights create large blast radii for mistakes and compromise.
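The first thing to measure is how many of those admin roles are standing (permanently active) rather than PIM-eligible. The script below is an added example, not Cloudwell's or Microsoft's code; it assumes the Microsoft Graph PowerShell SDK on PowerShell 7, a reader account with the two scopes named, and the role list in $highImpactRoles, which is a starting point you should extend.

```powershell
# Added example: report standing (permanently active) assignments of high-impact
# directory roles so they can be converted to PIM eligibility.
Import-Module Microsoft.Graph.Identity.Governance
Import-Module Microsoft.Graph.DirectoryObjects
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All' -NoWelcome

# Roles whose standing assignment should always be questioned (extend as needed).
$highImpactRoles = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Exchange Administrator', 'SharePoint Administrator', 'User Administrator',
    'Conditional Access Administrator'
)

# Resolve role definition IDs to names once rather than per assignment.
$roleNames = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All |
    ForEach-Object { $roleNames[$_.Id] = $_.DisplayName }

# Active assignments only. PIM-eligible roles are not returned here; they live under
# Get-MgRoleManagementDirectoryRoleEligibilitySchedule and are counted for contrast.
$standing = Get-MgRoleManagementDirectoryRoleAssignment -All |
    Where-Object { $highImpactRoles -contains $roleNames[$_.RoleDefinitionId] }

$report = foreach ($a in $standing) {
    $p = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    $props = $p.AdditionalProperties
    # Users carry a UPN; groups and service principals only a displayName.
    $who = if ($props['userPrincipalName']) { $props['userPrincipalName'] } else { $props['displayName'] }
    [pscustomobject]@{
        Role          = $roleNames[$a.RoleDefinitionId]
        PrincipalType = $props['@odata.type'] -replace '^#microsoft\.graph\.', ''
        Principal     = $who
        Scope         = $a.DirectoryScopeId   # '/' means the whole tenant
    }
}

$eligible = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All).Count
$report | Sort-Object Role, Principal | Format-Table -AutoSize
"{0} standing high-impact assignments vs. {1} PIM-eligible assignments" -f @($report).Count, $eligible
```

Two rows deserve immediate attention when they appear: a principal of type servicePrincipal holding Global Administrator (an app registration with standing tenant-wide control), and any group assignment, because membership of that group is then effectively an admin role.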
2. Weak Offboarding Processes
Even well-run organizations miss steps:
- Accounts remain active longer than intended
- Permissions linger across SharePoint and Teams
- Mailboxes aren’t reassigned
This isn’t glamorous, but it’s one of the highest-impact areas to tighten.
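An offboarding that covers all three gaps above is easier to keep consistent as a script than as a checklist. The sequence below is an added example, not Cloudwell's procedure; it assumes the Microsoft.Graph and ExchangeOnlineManagement modules, an admin with the scopes shown, and that the -Manager parameter is the UPN of whoever should inherit the mailbox. Ordering matters: sign-in is blocked and sessions revoked first, the mailbox is converted to shared before licences are removed, and deletion is deliberately left to a later step.

```powershell
# Added example: repeatable offboarding for a single user.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $Manager
)
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, AccountEnabled

# 1. Block sign-in, then revoke refresh tokens so open sessions cannot renew.
#    Access tokens already issued keep working until they expire (roughly an hour).
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 2. Convert the mailbox to shared and delegate it BEFORE licences are pulled;
#    a shared mailbox under 50 GB needs no licence, so the data survives step 3.
Set-Mailbox -Identity $UserPrincipalName -Type Shared
Add-MailboxPermission -Identity $UserPrincipalName -User $Manager `
    -AccessRights FullAccess -AutoMapping $true | Out-Null

# 3. Remove every assigned licence (reclaims seats; needs the current SKU IDs).
$skus = @((Get-MgUserLicenseDetail -UserId $user.Id).SkuId)
if ($skus.Count -gt 0) {
    Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @() | Out-Null
}

# 4. Strip group memberships so Teams and SharePoint access does not linger.
#    Dynamic-membership groups cannot be edited this way; those are reported, not changed.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
    } catch {
        Write-Warning ("Still a member of '{0}': {1}" -f $g.AdditionalProperties['displayName'], $_.Exception.Message)
    }
}

# 5. The account stays disabled for your retention window. Deleting it (and the
#    mailbox with it) is a separate, later decision, not part of day-one offboarding.
"Offboarded $($user.DisplayName): sign-in blocked, sessions revoked, mailbox shared to $Manager, $($skus.Count) licence(s) removed."
```

Run it from a ticket rather than ad hoc, and keep the warnings it prints: each one is a group the user is still in, which is exactly the lingering permission this section is about.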
3. Identity Misconfiguration & Risky Access Policies
SCuBA assessments frequently reveal:
- Missing or inconsistent Conditional Access
- Gaps in MFA enforcement
- Outdated Microsoft Entra ID (formerly Azure AD) policies
- Lack of risk-based controls
Identity remains the strongest (and most frequently misconfigured) control plane.
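The lockout scenario from earlier (a Conditional Access change that locks out half the company) is avoidable with two habits: create new policies in report-only mode first, and never target All users without excluding the emergency-access accounts. The script below is an added example, not Cloudwell's code; it assumes the Microsoft Graph PowerShell SDK, the Policy.ReadWrite.ConditionalAccess scope, and that $breakGlass holds the object IDs of your own break-glass accounts (the value shown is a placeholder).

```powershell
# Added example: create a tenant-wide MFA policy safely, then audit existing policies
# for the "All users, no exclusions" pattern.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All' -NoWelcome

# Placeholder object IDs; replace with your emergency-access accounts.
$breakGlass = @('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000002')

$policy = @{
    displayName   = 'CA001 - Require MFA for all users'
    # Report-only: evaluated and logged in sign-in logs, but never enforced.
    # Switch to 'enabled' only after the report-only results look right.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = $breakGlass
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

# Guardrail: refuse to create an "everyone" policy with nobody excluded.
if ($policy.conditions.users.includeUsers -contains 'All' -and
    @($policy.conditions.users.excludeUsers).Count -eq 0) {
    throw 'A policy that includes All users must exclude the break-glass accounts.'
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Tenant-wide check: enforced policies that include All users and exclude no one.
Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    @($_.Conditions.Users.ExcludeUsers).Count -eq 0
} | Select-Object DisplayName, Id
```

Leave a new policy in report-only for at least a full business cycle, review the sign-in log entries it would have blocked, and only then flip the state. The final query is worth running on its own after every CA change; any row it returns is a policy with no escape hatch.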
4. Missing DMARC, DKIM & SPF
Owen highlighted this repeatedly: “Most places don’t have DMARC or DKIM or even SPF set up… which leaves them exposed to spoofing.”
A simple fix with major security upside.
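"Set up" covers several states, and the weak ones still look configured. The function below is an added example, not Cloudwell's tooling; it grades a domain's SPF, DKIM and DMARC records and runs on the constructed sample records at the bottom, which are not real DNS data. Get-MailAuthRecords shows the live lookup and needs Windows, where Resolve-DnsName is available; selector1 and selector2 are the DKIM selector names Exchange Online uses.

```powershell
# Added example: grade SPF, DKIM and DMARC posture for a Microsoft 365 domain.
function Test-MailAuthPosture {
    param(
        [string]   $Domain,
        [string]   $Spf,          # v=spf1 TXT record at the apex, or $null if absent
        [string[]] $DkimTargets,  # CNAME targets of selector1/selector2._domainkey, if any
        [string]   $Dmarc         # v=DMARC1 TXT record at _dmarc, or $null if absent
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not $Spf) {
        $findings.Add('SPF: no v=spf1 record, so any sender passes SPF for this domain')
    } else {
        if ($Spf -match '\+all') {
            $findings.Add('SPF: "+all" authorises every sender, which is worse than no record')
        } elseif ($Spf -notmatch '[-~]all\s*$') {
            $findings.Add('SPF: record does not end in -all (fail) or ~all (softfail)')
        }
        if ($Spf -notmatch 'include:spf\.protection\.outlook\.com') {
            $findings.Add('SPF: Exchange Online include (spf.protection.outlook.com) is missing')
        }
    }

    if (@($DkimTargets).Count -lt 2) {
        $findings.Add("DKIM: expected CNAMEs for selector1 and selector2._domainkey.$Domain, found $(@($DkimTargets).Count)")
    }

    if (-not $Dmarc) {
        $findings.Add('DMARC: no record at _dmarc, so spoofed mail is neither rejected nor reported')
    } else {
        $p = if ($Dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
        if ($p -ne 'reject') {
            $findings.Add("DMARC: policy is p=$p; move to p=quarantine and then p=reject once reports are clean")
        }
        if ($Dmarc -notmatch 'rua=mailto:') {
            $findings.Add('DMARC: no rua= address, so you receive no aggregate reports')
        }
    }

    [pscustomobject]@{ Domain = $Domain; Passed = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Live lookup (Windows only: Resolve-DnsName comes from the DnsClient module).
function Get-MailAuthRecords {
    param([string] $Domain)
    $txt = {
        param($name)
        Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
            Where-Object Type -eq 'TXT' | ForEach-Object { $_.Strings -join '' }
    }
    @{
        Spf         = @(& $txt $Domain)          | Where-Object { $_ -like 'v=spf1*' }  | Select-Object -First 1
        Dmarc       = @(& $txt "_dmarc.$Domain") | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
        DkimTargets = @('selector1', 'selector2') | ForEach-Object {
            (Resolve-DnsName -Name "$_._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue).NameHost
        } | Where-Object { $_ }
    }
}

# Constructed sample for a typical "we set it up once" tenant (not real DNS data):
# SPF is fine, DKIM was never enabled, DMARC exists but monitors nothing and enforces nothing.
$sample = Test-MailAuthPosture -Domain 'example.com' `
    -Spf 'v=spf1 include:spf.protection.outlook.com -all' `
    -DkimTargets @() `
    -Dmarc 'v=DMARC1; p=none'
$sample.Findings   # one DKIM finding and two DMARC findings

# Against a real domain on Windows:
# $r = Get-MailAuthRecords -Domain 'yourdomain.example'
# Test-MailAuthPosture -Domain 'yourdomain.example' @r
```

A p=none DMARC record is the state most tenants stop at: it lets you collect reports but rejects nothing, so spoofed mail still lands. The path is p=none with a rua= mailbox, fix whatever legitimate senders the reports reveal, then p=quarantine, then p=reject.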
5. Minimal User Security Education
You can have zero trust everywhere, but users will still click links.
As Owen reminds us, “The weakest link is always your users.”
Cloudwell doesn’t deliver organization-wide training programs, but we do advise on what to monitor and what internal training should address.
6. Shadow AI & Shadow IT
Organizations are discovering AI sprawl the hard way.
Employees are pasting sensitive content into ChatGPT, using unvetted AI tools, or installing unsanctioned apps. Mike noted that without governance, this becomes “the wild west.”
This is where policies, Purview, and clear boundaries matter.
7. No Backup of Configuration or Governance Settings
Many assume restoring a site restores its governance posture.
It doesn’t.
Tenant configuration — permissions, metadata, retention, policies — is often more fragile than content and far harder to rebuild if something breaks.
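Until configuration backup is a product feature, the practical substitute is a regular export of the settings that are hardest to rebuild, with a diff against the last export so drift is noticed. The script below is an added example, not Cloudwell's code; it assumes the Microsoft Graph PowerShell SDK with Policy.Read.All, covers Conditional Access policies, named locations and the authentication methods policy (extend the $snapshot table for others), and writes to the folder in $Root, which is a placeholder path.

```powershell
# Added example: snapshot identity configuration to JSON and diff against the previous snapshot.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$Root  = 'C:\TenantConfig'                    # placeholder; use a versioned or backed-up share
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir   = New-Item -ItemType Directory -Path (Join-Path $Root $stamp) -Force

# What to capture. Each entry becomes one JSON file in the snapshot folder.
$snapshot = [ordered]@{
    'conditional-access.json'  = Get-MgIdentityConditionalAccessPolicy -All
    'named-locations.json'     = Get-MgIdentityConditionalAccessNamedLocation -All
    'auth-methods-policy.json' = Get-MgPolicyAuthenticationMethodPolicy
}
foreach ($name in $snapshot.Keys) {
    # Sort by Id so the diff below reflects changed content, not changed ordering.
    @($snapshot[$name]) | Sort-Object Id | ConvertTo-Json -Depth 20 |
        Set-Content -Path (Join-Path $dir $name) -Encoding utf8
}

# Find the most recent earlier snapshot and report line-level differences, so a
# removed exclusion or a policy flipped to disabled surfaces as a review item
# instead of as an outage or a silent gap.
$previous = Get-ChildItem $Root -Directory |
    Where-Object { $_.Name -lt $stamp } | Sort-Object Name | Select-Object -Last 1
if ($previous) {
    foreach ($name in $snapshot.Keys) {
        $old = @(Get-Content (Join-Path $previous.FullName $name) -ErrorAction SilentlyContinue)
        $new = @(Get-Content (Join-Path $dir $name))
        $diff = Compare-Object -ReferenceObject $old -DifferenceObject $new
        if ($diff) {
            Write-Warning ("{0}: {1} differing line(s) since {2}" -f $name, @($diff).Count, $previous.Name)
            $diff | Format-Table SideIndicator, InputObject -AutoSize
        }
    }
} else {
    "First snapshot written to $($dir.FullName); nothing to compare yet."
}
```

This is a record, not a restore: putting a policy back means re-creating it with the corresponding New- or Update- cmdlet from the saved JSON, and object IDs will differ. Its value is that you know what "correct" looked like, which is the part that is otherwise lost when a tenant setting is changed by mistake.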
Tools Cloudwell uses to help clients understand their environment
Cloudwell isn’t a SOC, and we don’t offer full-spectrum cybersecurity services. But we do help organizations we work with understand and improve the Microsoft-specific components of their security posture.
One of the most powerful resources we use is CISA’s SCuBA (Secure Cloud Business Applications) project, mentioned earlier. Its ScubaGear assessment tool is government-maintained and independent of Microsoft: it reads your tenant’s configuration and compares it against CISA’s published Microsoft 365 secure configuration baselines.
As Owen explained, SCuBA:
- Scans Microsoft 365 environments
- Produces extremely detailed findings
- Links issues to best practices and known threats
- Helps organizations prioritize where to focus
Cloudwell helps clients interpret SCuBA results and remediate issues specific to Microsoft 365 configuration, identity, permissions, and governance — the areas where we have deep expertise.
Where Cloudwell fits in
Cloudwell doesn’t run disaster-recovery operations, provide SOC services, or deliver full organization-wide user training.
But Cloudwell does specialize in:
- Microsoft 365 governance and architecture
- SharePoint, Teams, and Power Platform modernization
- Identity and permissions best practices
- Remediating issues surfaced by SCuBA and Microsoft tools
- Fixing configuration drift, oversharing, and governance gaps
- Helping organizations understand safe vs. unsafe AI usage in M365
- Advising on Microsoft 365 Backup adoption
As Mike put it, “Our job is to make sure the Microsoft side follows best practices and aligns with what the organization needs.”
We’re the team leaders call when the issue lives inside Microsoft 365, not around it.
What every M365 organization should do next: A practical action checklist
Here’s what you can start today:
✔ Audit administrative access regularly (and use PIM)
✔ Tighten offboarding workflows — accounts, mailboxes, permissions
✔ Review Conditional Access policies at least annually, and after any change to apps, identity settings, or admin accounts
✔ Publish SPF, DKIM and DMARC records, and move DMARC to an enforcing policy once reports are clean
✔ Continue user security awareness training
✔ Define a Shadow AI policy (don’t wait for an incident)
✔ Back up data and configuration where possible
✔ Run a SCuBA scan — free and highly informative
✔ Adopt Microsoft 365 Backup or a third-party solution depending on your needs
✔ Document your governance model — owners, approvers, boundaries
Small steps compound quickly.
Improve what you can control first
You don’t need to transform your entire Microsoft 365 environment overnight. Start with the checklist. Strengthen your configuration. Build guardrails around identity, permissions, and AI. Most importantly, gain visibility into what’s actually happening inside your environment.
And when you reach the point where Microsoft-specific expertise would help, such as interpreting SCuBA results, remediating governance issues, modernizing SharePoint or Teams, tightening identity controls, or preparing your tenant for secure AI adoption, Cloudwell is here as the expert partner who can help you.
If you’d like help assessing or improving your Microsoft 365 configuration, we’re always happy to talk.