Direct Send was my favorite. Direct Send allows devices to send unauthenticated email to internal recipients using your organization’s domain, which can expose you to internal emails for phishing etc. It bypasses user authentication, making sender identity difficult to verify or audit. For all orgs made before mid 2025 it was enabled by default.

I saw a great Blackhat talk this year about Entra misconfiguration that got Microsoft's own sensitive internal services owned by a researcher, one of them owned by their security team. After the report they reconfigure their services, didn't pay a bounty and considered the problems solved. What about their customers making the same config errors as the Microsoft team... no changes planned.

There's much much more...