Skip to main content

Many companies aren't making the most of Microsoft 365 or its security tools, finds survey

Laptop with Office 365
Laptop with Office 365 (Image credit: Windows Central)

What you need to know

  • Microsoft 365 services offer many, many tools to organizations.
  • A new survey by Ensono has found that a large number of IT decision-makers and their respective organizations don't utilize MS365 to the fullest, leaving valuable tools and security resources on the table.
  • As an example of the above situation, Ensono discovered that 38% of organizations surveyed were not using multi-factor authentication (MFA).

Even if they're paying for the goods, not all organizations are using them. In fact, a surprisingly large amount of organizations subscribed to Microsoft 365 services are neglecting some key features that could help with productivity and security.

According to a new survey by Ensono, which gathered the responses of 251 UK IT decision-makers from a range of businesses, many organizations are missing out on data loss prevention (DLP), Conditional Access Controls (CAC), and multi-factor authentication (MFA). Respondents included IT decision-makers for firms with 10,000+ employees as well as small businesses with 1-10 employees (in addition to sizes between these extremes). While 83% of the surveyed population found Microsoft 365 invaluable, Ensono also reported that:

  • 38% are not using multi-factor authentication (MFA)
  • Only 43% have Conditional Access Controls in place (CAC)
  • 46% do not have data loss prevention (DLP) or data classification configured

"Of those surveyed that reported a Microsoft 365-related breach, 42% were linked to files being shared with external parties and 37% were due to the impersonation of a compromised account," the report reads, highlighting a few potential consequences of not using the built-in security offerings of MS365.

Simon Ratcliffe, Principal Consultant at Ensono, noted that some firms are creating unnecessary expenditures for themselves by going with third-party solutions for functionalities already packaged with their Microsoft 365 subs.

A takeaway of the survey is this: In a world filled with impersonators and threat actors, knowing what security you have at your disposal is paramount.

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to

  • Maybe people dont about the features, MS has to create awareness about it
  • That certainly counts as a takeaway, yeah.
  • True, but when you have a lazy IT team or those in cohort with third party for features and services you already have, no amount of awareness will help. Organization IT must be informed, knows the details of what they bought from MSFT and be ethical in how they spend the organizations' money on third party's services.
  • I'm not contesting that either. Both comments are true. If you can't rely on IT to know the ins and outs of the tech your organization runs on, who can you rely on?
  • That's what you get when you figure. we don't need IT, we have MS365.
  • There's obviously a lot of factors for that. I think it's because many don't know about the features and integrations. But also, because their consumer offerings don't offer a lot of the same features. You can only educate people on features so much without being intrusive. People tend to learn more on their own time when trying to figure out how to solve a solution. It could also be the discrepancy between web and desktop apps. In the web apps you see what other apps are available whereas in the desktop apps you don't, and some features are only available in one or the other. That's why they really need to work on unifying the feature sets within the same apps to bring the same experience across all platforms. I think they're starting to do that though with integration of web parts like they've done with certain apps already.
  • One of the problems is that there is just so much available. While we fully use the MFA and Conditional Access and DLP stuff we have not really begun to properly leverage Teams for our front line workers. M365 is a beast. As an FYI, MFA is part of conditional access. We try to avoid actually prompting the user for full MFA and instead layer Risk based Conditional Access Policies instead. For example a managed corporate device is considered, is the user login in from somewhere known and if yes no MFA prompt. It’s really cool when you get into it.
  • Quite honestly, there is a lot to learn and to even know about with all of the features available. So many updates and changes, keep you looking for certain settings as well. Even trying to figure out best practices and uses can be tiresome when sifting through the many admin dashboards and "help, resource" pages.
  • I do think they stay out so many updates when it comes to Enterprise, Consumers' offerings are different story and beast entirely.
  • I use office 365/share point for a couple of minutes in work days, and that is to check deliveries, I think the most I will use it is in june, when I need to do some fire safety training.