by IT Integrations Team

Microsoft 365 for Fort Worth Small Businesses: The Configuration Gaps We See in Every Audit

In late February 2026, Huntress started tracking a phishing campaign that has now compromised more than 340 Microsoft 365 tenants across five countries. The attackers are not breaking through MFA. They are walking around it. They use the OAuth device authorization flow to trick employees into pasting a code on a fake Microsoft page, and once approved, the attacker walks away with a valid access token that survives even a password reset. Construction, healthcare, nonprofits, professional services, and financial firms are all in the target list. In other words, every kind of business we work with in Fort Worth.

This is not a Microsoft problem. It is a configuration problem. Microsoft 365 has the tools to block this attack out of the box. Almost no small business has them turned on. This post walks through the gaps we see in nearly every Microsoft 365 tenant we audit for a new Fort Worth client, and what to do about them before the next campaign rolls through.

What we see when we audit a Fort Worth small business Microsoft 365 tenant

We have onboarded a lot of Fort Worth small businesses since 2003, and we find a consistent list of issues when we crack open a new client's M365 environment. The tenant works. Email flows. SharePoint is online. From the outside it looks fine. The inside is a different story.

MFA exists, but only on paper

The most common finding is that multifactor authentication is on for some users, off for others, and never enforced across the tenant. We will see four out of twenty users with MFA registered, the global admin using SMS as the second factor, and three service accounts excluded because they "kept causing problems." That is not MFA coverage. That is MFA theater.

Legacy authentication is still allowed

Older protocols like IMAP, POP, and basic auth on Exchange Online were supposed to be turned off years ago. We still find them on in roughly half the small business tenants we audit. Legacy auth does not understand MFA, which means an attacker with a valid username and password can bypass MFA entirely by connecting through one of those protocols. The setting lives in Microsoft Entra under Conditional Access, which is the next gap.

Conditional Access is not configured

Conditional Access is the policy engine that decides who can sign in, from where, on what device, with what authentication strength. It is the most important security control in Microsoft 365, and most small business tenants have zero policies in place. The default is "anyone with the right password and an MFA approval gets in from anywhere in the world." That is too permissive for a Fort Worth law firm, a hospice agency, or a construction company.

Defender for Office 365 is either off or never tuned

The email security layer that scans attachments, rewrites links, and detonates suspicious files in a sandbox is included with Business Premium. We routinely find it disabled, set to a default that has not been adjusted in three years, or not licensed at all because the tenant is on Business Standard. Suspicious links and attachments slip through the same way they did before the upgrade.

The seven Microsoft 365 configuration gaps to close this quarter

None of these are exotic. All of them can be done by a competent IT team in a Fort Worth small business in a week or less. Hand this to your IT provider as a checklist if that is easier.

1. Block device code authentication

This is the gap the Huntress campaign is exploiting. The OAuth device authorization flow exists for signing in on devices that do not have a browser, like a smart TV or a printer. Almost no Fort Worth small business needs it. Microsoft added an Authentication Flows condition to Conditional Access to address this attack vector, and you can use it to block device code flow for everyone except the rare service account that legitimately needs it.

The Entra sign-in logs show what is currently using device code flow in your tenant. Filter by authentication protocol to see which users and apps are using it before you flip the switch.

2. Disable legacy authentication protocols

Block legacy authentication using a Conditional Access policy. The Microsoft template is called "Block legacy authentication" and it is a one-click deploy under policy templates. Before you turn it on, run the sign-in logs filtered by "Legacy authentication clients" and confirm what is using it. You almost always find a lone copier using SMTP basic auth, a discontinued application nobody uses anymore, or a service account that should have moved to modern auth in 2019.
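The pre-flight check that gaps 1 and 2 both call for, as an added example rather than the Entra portal filter: it triages sign-in records in the shape the Microsoft Graph signIns endpoint returns and lists who still uses device code flow or a legacy authentication client. This is not IT Integrations' tooling, and the records below are constructed; real ones come from GET /v1.0/auditLogs/signIns.

```python
"""Pre-flight triage before blocking device code flow and legacy authentication.
Added example; feed it records from GET /v1.0/auditLogs/signIns (AuditLog.Read.All)."""
from collections import defaultdict

# clientAppUsed values that are modern auth. Anything else is what the Entra
# portal's "Legacy authentication clients" filter selects.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}


def preflight(signins):
    """Return {'device_code': {...}, 'legacy': {...}} keyed by user; each value is
    a set of (app, client) pairs, i.e. exactly what a block policy would hit."""
    report = {"device_code": defaultdict(set), "legacy": defaultdict(set)}
    for s in signins:
        user = s.get("userPrincipalName", "?")
        app = s.get("appDisplayName", "?")
        client = s.get("clientAppUsed", "")
        # authenticationProtocol is 'deviceCode' for the OAuth device authorization flow
        if s.get("authenticationProtocol") == "deviceCode":
            report["device_code"][user].add((app, client))
        if client and client not in MODERN_CLIENTS:
            report["legacy"][user].add((app, client))
    return {kind: dict(users) for kind, users in report.items()}


# Constructed sample records (not real tenant data) in Graph signIn shape.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "copier@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Authenticated SMTP", "authenticationProtocol": "none"},
    {"userPrincipalName": "jdoe@example.com", "appDisplayName": "Microsoft Office",
     "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "jdoe@example.com", "appDisplayName": "OfficeHome",
     "clientAppUsed": "Browser", "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "svc-backup@example.com", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "authenticationProtocol": "none"},
]

if __name__ == "__main__":
    for kind, users in preflight(SAMPLE_SIGNINS).items():
        print(kind)
        for user, pairs in sorted(users.items()):
            for app, client in sorted(pairs):
                print(f"  {user}: {app} via {client}")
```

Anything in the output is what the two block policies would cut off: move it to modern auth, exclude it by group, or retire it before switching from report-only to enforce.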

3. Move admins to phishing-resistant MFA

SMS-based MFA is better than nothing, but it is not great. Push notification fatigue is a real attack pattern. Phishing-resistant MFA means FIDO2 hardware keys, Windows Hello for Business, or certificate-based authentication. Microsoft now recommends phishing-resistant MFA for all administrator roles.

This is a small change for a small business with one or two admins. It is also the single most impactful security move you can make.

4. Build Conditional Access policies that match how your team actually works

Most Fort Worth small businesses do not have employees scattered across the globe. The team works in Fort Worth and the surrounding DFW area. Some travel for business. Field crews work jobsites. That is a finite set of behaviors you can write policy around.

A starting framework: require MFA for all users on all cloud apps. Block sign-ins from outside North America unless the user is in a "frequent traveler" group. Require compliant or hybrid-joined devices for SharePoint and email. Require stronger authentication when sign-in risk is medium or high. None of this is hard. It requires somebody to sit down and write the policies.
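The starting framework above, together with gaps 1 to 3, written out as Microsoft Graph conditionalAccessPolicy request bodies (POST /v1.0/identity/conditionalAccess/policies), as an added example that is not IT Integrations' own policy set. The group and named-location ids are placeholders, the Global Administrator role template id and the built-in Phishing-resistant MFA authentication strength id are assumed from Microsoft's documentation, and every policy starts in report-only mode.

```python
"""Conditional Access baseline as Graph request bodies. Added example; ids are
placeholders except the two Microsoft built-in ids noted below."""
import json

# Placeholders (assumptions): swap in the tenant's real group and named-location ids.
BREAK_GLASS_GROUP = "PLACEHOLDER-break-glass-group-id"          # excluded from every policy
FREQUENT_TRAVELER_GROUP = "PLACEHOLDER-frequent-traveler-group-id"
DEVICE_CODE_ALLOWED_GROUP = "PLACEHOLDER-device-code-allowed-group-id"
NORTH_AMERICA_LOCATION = "PLACEHOLDER-countryNamedLocation-id"    # US, CA, MX
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"        # built-in role template id
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"   # built-in auth strength id

BLOCK = {"operator": "OR", "builtInControls": ["block"]}
MFA = {"operator": "OR", "builtInControls": ["mfa"]}


def policy(name, conditions, grant, exclude_groups=()):
    """One policy body: all users, all apps, break-glass excluded, report-only to start."""
    conds = {"users": {"includeUsers": ["All"],
                       "excludeGroups": [BREAK_GLASS_GROUP, *exclude_groups]},
             "applications": {"includeApplications": ["All"]},
             "clientAppTypes": ["all"]}
    conds.update(conditions)   # a passed-in 'users' key replaces the default scope
    return {"displayName": name, "state": "enabledForReportingButNotEnforced",
            "conditions": conds, "grantControls": grant}


def baseline():
    """Gaps 1, 2 and 3 plus the section 4 framework, one policy each."""
    return [
        policy("CA001 Require MFA for all users", {}, MFA),
        policy("CA002 Block legacy authentication",
               {"clientAppTypes": ["exchangeActiveSync", "other"]}, BLOCK),
        policy("CA003 Block device code flow",   # the Authentication Flows condition
               {"authenticationFlows": {"transferMethods": "deviceCodeFlow"}}, BLOCK,
               exclude_groups=[DEVICE_CODE_ALLOWED_GROUP]),
        policy("CA004 Block sign-ins from outside North America",
               {"locations": {"includeLocations": ["All"],
                              "excludeLocations": [NORTH_AMERICA_LOCATION]}}, BLOCK,
               exclude_groups=[FREQUENT_TRAVELER_GROUP]),
        policy("CA005 Phishing-resistant MFA for admins",
               {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE],
                          "excludeGroups": [BREAK_GLASS_GROUP]}},
               {"operator": "OR", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}),
        # Sign-in risk conditions need Entra ID P2; Business Premium includes P1 only.
        policy("CA006 Require MFA on medium or high sign-in risk",
               {"signInRiskLevels": ["medium", "high"]}, MFA),
    ]


if __name__ == "__main__":
    print(json.dumps(baseline(), indent=2))
```

The compliant-device requirement for SharePoint and email is left out because it depends on the Intune baseline from gap 6 being in place first.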

5. Configure Defender for Office 365 or upgrade if you do not have it

On Business Premium, Defender for Business and Defender for Office 365 are included. Turn them on. Tune safe links to rewrite URLs in email and Teams. Tune safe attachments to detonate Office files in a sandbox before delivery. Configure anti-phishing policies that protect VIP users by name.

On Business Standard, you do not have Defender for Business or Defender for Office 365 Plan 1 by default, although Microsoft has announced that URL checks will be added to Standard as part of the 2026 packaging update. For Fort Worth small businesses with regulated data, the cost difference between Standard and Premium is not the question. The security gap is.

6. Get a baseline Intune deployment in place

Intune is the device management piece of Business Premium. Most small business tenants either have it unused or have a half-finished deployment from two years ago. A baseline Intune deployment does three things: it enrolls company-owned Windows laptops and Macs so they get policy and compliance reporting, it protects company data on personal phones using app protection policies without requiring full device enrollment (the right model for most BYOD), and it lets you wipe a stolen laptop or a former employee's phone remotely.

See our endpoint management page for what should happen in the first five minutes after a laptop goes missing.

7. Turn on audit log retention and actually look at the logs

Microsoft Purview audit log retention defaults to 180 days for E3 and below. For HIPAA, you need at least six years of access logs for protected health information. The setting exists, but you have to configure the retention policy explicitly. "Audit logs enabled" and "audit logs retained for the period HIPAA requires" are two different settings.

If you are subject to HIPAA, see our HIPAA compliance services page for what audit retention should look like, and the recent 2026 HIPAA Security Rule overhaul post for what is changing.


Need help auditing your Microsoft 365 tenant? IT Integrations provides Microsoft 365 configuration, security baseline assessment, and managed M365 services for Fort Worth small businesses and the surrounding DFW area. Call us at (817) 808-1816 or contact us for a free IT assessment.


The Fort Worth angle: licensing decisions before the July 2026 deadline

Microsoft also announced a pricing update for July 1, 2026. Business Basic, Business Standard, Office 365 E1, Office 365 E3, Microsoft 365 E3, and Microsoft 365 E5 are all going up. Business Premium is staying the same. The gap between Business Standard and Business Premium is narrowing, and Premium is the only Business-tier license that includes the security tools we just walked through.

For Fort Worth small businesses on Business Standard who are also subject to HIPAA, SOC 2, or client compliance requirements, the math changed. After July 2026 the per-user gap shrinks, and renewing on Business Standard locks you into a license that does not include the tools you actually need.

We see this pattern across our healthcare client base. A home health agency or assisted living facility starts on Business Standard, then realizes two years in that the HIPAA risk assessment requires controls only available in Premium. Now they pay for Standard plus a third-party email security product plus a separate MDM. Consolidating onto Premium is usually cheaper and tighter. For more on what we see in healthcare, see our healthcare IT services page.

The same conversation happens in Fort Worth construction firms running Sage and Procore on jobsite iPads. Business Premium is the right tier because Intune is the right tool for managing devices in the back of a pickup truck on the West 7th corridor or a jobsite in Aledo. See construction IT services in Fort Worth for more.

If you have an upcoming Microsoft 365 renewal between now and July 2026, that is a meaningful decision window. Locking in current pricing while moving to the right tier is a one-conversation, one-quarter project. Doing it after the price increase is the same project at a higher cost. We help Fort Worth businesses think through this as part of IT strategy and vCIO services.

What we see in the field after 20+ years

The single best predictor of whether a small business has a healthy Microsoft 365 environment is whether anyone has actually opened the Microsoft Secure Score in the last twelve months. Secure Score is a free dashboard in the Microsoft 365 Defender portal that grades how locked down the tenant is and tells you which controls would move the score the most. Looking at it once a quarter is the difference between "we have Microsoft 365" and "Microsoft 365 is configured for a regulated business in 2026."

The second pattern is over-licensing combined with under-configuration. Businesses pay for Business Premium for every user, then never turn on Defender, never deploy Intune, never configure Conditional Access. They are paying Premium prices for a Business Basic security posture. The fix is not to downgrade. The fix is to configure the license they already pay for.

The third pattern is admin sprawl. We routinely find Fort Worth small businesses with five or six accounts holding global admin, including the original IT provider from 2017, the office manager who forgot they had it, and a service account whose password has not been rotated since the migration. Reducing global admin to two named human accounts with phishing-resistant MFA, plus one break-glass account in a physical safe, is a one-day project that closes a major attack surface.

If any of those patterns sound familiar, that is what an audit catches. We do those for free for Fort Worth businesses considering managed IT. See our free assessment page for what is included.

Frequently Asked Questions

Do I really need Microsoft 365 Business Premium, or is Business Standard enough for a small business?

For Fort Worth small businesses under 25 users that handle no regulated data, Business Standard plus a third-party email security product can work. For any business in healthcare, legal, financial services, or accounting, Business Premium is the right answer. The Defender, Intune, and Entra Conditional Access features in Premium are not nice-to-haves. They are the controls auditors expect to see. After the July 2026 pricing update, the gap narrows and the case for Premium gets stronger.

How long does it take to harden a Microsoft 365 tenant from scratch?

For a typical Fort Worth small business with 10 to 30 users on Business Premium, a baseline hardening project takes roughly two to three weeks of part-time work. That includes documenting the existing setup, deploying Conditional Access policies in report-only mode, watching for false positives, switching to enforce mode, configuring Defender, deploying a baseline Intune profile, cleaning up admin accounts, and producing the documentation an auditor or insurer would expect. Regulated environments take longer because the documentation matters more.

What if our staff is in the field, like a construction or home health team? Will Conditional Access lock them out?

This is the most common worry, and it is the right thing to think about. Conditional Access is not all-or-nothing. You can exempt specific groups from device-compliance requirements, allow personal devices with app protection policies, or require additional authentication only when sign-in risk is flagged as elevated. For our home health and hospice clients we typically run a mobile-first profile that protects company data on personal phones without taking over the device, plus a stricter profile for back-office staff in the billing systems. Field staff can do their job, and back-office staff are not the next breach headline.

Is the device code phishing attack still active, and what should we do today?

As of late April 2026 the campaign is still being tracked, with new infrastructure spun up regularly. The most effective short-term mitigation is a Conditional Access policy that blocks the device code flow for all users except specific service accounts that need it. That is roughly a 15-minute change for a tenant that already has Conditional Access in place, or a half-day project where it has to be set up from scratch. Either way, it is worth doing this week.

Next Steps

Microsoft 365 ships with a security toolkit that almost no small business uses. The gap between "we have Microsoft 365" and "Microsoft 365 is actually configured for a 2026 threat model" is six or seven specific configurations, all of which are documented, all of which are achievable, and all of which need somebody to sit down and do the work. After 20+ years of running IT for Fort Worth small businesses, the difference between the businesses that get breached and the ones that do not is almost never about how much they spent. It is about whether the configuration matches the license.

Ready to find out what is actually running in your Microsoft 365 environment? IT Integrations provides Microsoft 365 audits, configuration, and managed M365 services for Fort Worth small businesses and the surrounding DFW metro. Call (817) 808-1816 or schedule a free IT consultation today.
