This checklist is designed for IT administrators and fractional IT leaders conducting a Microsoft 365 security review. Work through each section, checking off items that are confirmed in place. Gaps represent your action list.
How to use this checklist: Each item includes a priority level - Critical items represent the highest-risk gaps and should be addressed first. Items marked with a license tier require specific M365 plans.
Identity & Authentication (5 items)

[ ] MFA enforced for all users via Conditional Access or Security Defaults
Per-user MFA is insufficient - requires Conditional Access or Security Defaults to be enforced at the tenant level.

[ ] Legacy authentication protocols blocked
IMAP, POP3, SMTP AUTH, and older Office clients bypass MFA. A Conditional Access block policy is required.

[ ] Global Administrator count is 5 or fewer
Review Entra → Roles and administrators → Global Administrator. Excess Global Admins are a significant attack surface.

[ ] Admin accounts are separate from daily-use accounts
Admin accounts should not be used for email, Teams, or web browsing. Dedicated admin-only accounts reduce breach exposure.

[ ] Break-glass emergency access accounts are configured and documented
At least two break-glass accounts excluded from Conditional Access policies, with credentials stored securely offline.
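The identity items above can be verified in one pass with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the checklist or Microsoft's own tooling; it assumes the Microsoft.Graph module is installed, that the signed-in account can read directory roles and Conditional Access policies, and that the two break-glass UPNs (placeholders here) are replaced with your documented accounts. It checks the Global Administrator count, whether MFA is enforced tenant-wide (Security Defaults or an enabled Conditional Access policy covering all users and all apps), whether legacy clients are blocked, and whether each break-glass account is excluded from every enabled policy.

```powershell
# Added example: audit the Identity & Authentication items with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module and a read-only directory role. Break-glass UPNs are placeholders.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Policy.Read.All', 'User.Read.All' -NoWelcome

$gaps = [System.Collections.Generic.List[string]]::new()

# Item: Global Administrator count is 5 or fewer.
# Get-MgDirectoryRole lists activated roles; members may be users, groups or service principals.
# PIM-eligible (not yet activated) assignments are not returned here, so review those separately.
$gaRole    = Get-MgDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
if ($gaMembers.Count -gt 5) {
    $gaps.Add("Global Administrators: $($gaMembers.Count) (target: 5 or fewer)")
}

# Item: MFA enforced tenant-wide. Either Security Defaults is on, or an *enabled* CA policy
# (report-only does not enforce) targets all users and all cloud apps with the "mfa" grant.
$secDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$enabled     = @(Get-MgIdentityConditionalAccessPolicy -All) | Where-Object { $_.State -eq 'enabled' }

$mfaForAll = $enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}
if (-not $secDefaults.IsEnabled -and -not $mfaForAll) {
    $gaps.Add('No Security Defaults and no enabled CA policy requiring MFA for all users on all apps')
}

# Item: legacy authentication blocked. In Graph, legacy protocols map to the clientAppTypes
# value "other" (Exchange ActiveSync is "exchangeActiveSync"); the policy must grant "block".
$legacyBlock = $enabled | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if (-not $secDefaults.IsEnabled -and -not $legacyBlock) {
    $gaps.Add('No enabled CA policy blocking legacy authentication (clientAppTypes "other")')
}

# Item: break-glass accounts exist and are excluded from every enabled CA policy.
# Only direct user exclusions are checked; group-based exclusions (ExcludeGroups) need a
# separate membership lookup.
$breakGlass = @('breakglass-1@contoso.example', 'breakglass-2@contoso.example')   # placeholders
foreach ($upn in $breakGlass) {
    $user = Get-MgUser -UserId $upn -ErrorAction SilentlyContinue
    if (-not $user) { $gaps.Add("Break-glass account not found: $upn"); continue }
    $notExcluded = $enabled | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $user.Id }
    foreach ($p in $notExcluded) {
        $gaps.Add("Break-glass $upn is not excluded from CA policy '$($p.DisplayName)'")
    }
}

if ($gaps.Count -eq 0) { 'Identity & Authentication: no gaps found' }
else { $gaps | ForEach-Object { "GAP: $_" } }
```

The "separate admin accounts" item is a process control rather than a tenant setting, so it is not scripted here; a practical proxy is to compare the Global Administrator member list against accounts that hold an Exchange mailbox or a Teams license.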
Email & Collaboration Security (4 items)

[ ] Defender for Office 365 Standard preset policy applied
Requires Defender for Office 365 Plan 1 (included in Business Premium). Enables Safe Links, Safe Attachments, and anti-phishing in one step.

[ ] Anti-phishing impersonation protection enabled for key executives and domains
Configure protected users (CEO, CFO, etc.) and protected domains in the anti-phishing policy.

[ ] DMARC, DKIM, and SPF records configured and validated
All three DNS records should be present and valid. DMARC policy should be set to quarantine or reject - not just monitoring.

[ ] External email warning banner configured in Exchange
A mail flow rule that prepends a warning to emails arriving from outside the organization reduces phishing success rates.
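The four email items can be checked from Exchange Online PowerShell plus a DNS lookup. This is an added example, not the checklist author's code; it assumes the ExchangeOnlineManagement module, a Windows host (Resolve-DnsName is part of the Windows DnsClient module), and that the domain and executive addresses (placeholders) are replaced with your own. It verifies SPF/DKIM/DMARC, confirms the DMARC policy is quarantine or reject rather than monitoring-only, checks that both rules of the Standard preset are enabled, confirms the named executives and domain are covered by impersonation protection, and looks for an external-sender warning rule.

```powershell
# Added example: audit the Email & Collaboration items with Exchange Online PowerShell.
# Assumes ExchangeOnlineManagement and Windows DnsClient. Domain and executive addresses are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

$domain = 'contoso.example'                                   # placeholder: primary email domain
$execs  = @('ceo@contoso.example', 'cfo@contoso.example')     # placeholders: addresses to protect
$gaps   = [System.Collections.Generic.List[string]]::new()

# Helper: return the TXT records of a name as whole strings (long TXT records arrive in 255-byte chunks).
function Get-TxtRecords([string]$Name) {
    @(Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue | ForEach-Object { $_.Strings -join '' })
}

# Item: SPF, DKIM and DMARC present and valid; DMARC policy must be quarantine or reject.
$spf = @(Get-TxtRecords $domain | Where-Object { $_ -like 'v=spf1*' })
if ($spf.Count -ne 1) { $gaps.Add("SPF: expected exactly one v=spf1 record, found $($spf.Count)") }

$dmarc = @(Get-TxtRecords "_dmarc.$domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -eq 0) { $gaps.Add('DMARC: no _dmarc TXT record published') }
elseif ($dmarc[0] -notmatch '\bp=(quarantine|reject)\b') { $gaps.Add("DMARC: monitoring only ($($dmarc[0]))") }

$dkim = Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue
if (-not $dkim -or -not $dkim.Enabled) { $gaps.Add("DKIM: signing is not enabled for $domain") }

# Item: Standard preset security policy applied. The preset is two rules (EOP and Defender);
# both must exist and be in the Enabled state.
$presetRules = (@(Get-EOPProtectionPolicyRule -ErrorAction SilentlyContinue) +
                @(Get-ATPProtectionPolicyRule -ErrorAction SilentlyContinue)) |
    Where-Object { $_.Name -like 'Standard*' -and $_.State -eq 'Enabled' }
if (@($presetRules).Count -lt 2) { $gaps.Add('Standard preset security policy is not fully applied (EOP + Defender rules)') }

# Item: impersonation protection for executives and the organization's domain.
# TargetedUsersToProtect entries are stored as "Display Name;smtp address".
$phish = Get-AntiPhishPolicy | Where-Object { $_.Enabled }
foreach ($addr in $execs) {
    $covered = $phish | Where-Object {
        $_.EnableTargetedUserProtection -and ($_.TargetedUsersToProtect | Where-Object { $_ -like "*;$addr" })
    }
    if (-not $covered) { $gaps.Add("Anti-phish: $addr is not a protected user in any enabled policy") }
}
$domainCovered = $phish | Where-Object {
    $_.EnableOrganizationDomainsProtection -or
    ($_.EnableTargetedDomainsProtection -and $_.TargetedDomainsToProtect -contains $domain)
}
if (-not $domainCovered) { $gaps.Add("Anti-phish: $domain is not a protected domain") }

# Item: external email warning. Accept either a mail flow rule scoped to external senders that
# prepends a subject tag or disclaimer, or Exchange's native external-sender tagging.
$extRule = Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and $_.FromScope -eq 'NotInOrganization' -and
    ($_.PrependSubject -or $_.ApplyHtmlDisclaimerText)
}
$nativeTag = Get-ExternalInOutlook | Where-Object { $_.Enabled }
if (-not $extRule -and -not $nativeTag) { $gaps.Add('No external email warning (transport rule or native tagging)') }

if ($gaps.Count -eq 0) { 'Email & Collaboration: no gaps found' }
else { $gaps | ForEach-Object { "GAP: $_" } }
```

The DNS checks read the public records, so they also catch the common case where DKIM is enabled in Exchange but the selector CNAMEs were never published; add a lookup of selector1._domainkey.$domain if you want that covered explicitly.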
Data Protection & Compliance (4 items)

[ ] Unified audit logging enabled and verified
Confirm at compliance.microsoft.com → Audit. Audit logging must be explicitly enabled - it is not active by default on all tenants.

[ ] SharePoint and OneDrive external sharing restricted appropriately
Organization-level sharing should be set to Existing guests or more restrictive. "Anyone" links should be disabled or time-limited.

[ ] At least one DLP policy active and enforcing
Requires Microsoft Purview (Business Premium+). Start with PII or financial data templates. Policies in test mode only do not count.

[ ] Sensitivity labels published to users
A basic taxonomy (Public, Internal, Confidential) with a default label applied to documents and email is the minimum baseline.
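These four items live in three different admin surfaces (Exchange Online, SharePoint Online, and Security & Compliance PowerShell). The script below is an added example rather than the checklist's own tooling; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules and a placeholder tenant admin URL. It confirms audit ingestion is on and that records are actually arriving, compares the org-level sharing setting against the "Existing guests or more restrictive" target, requires at least one DLP policy in enforce mode (test modes are ignored, matching the item), and checks that an enabled label policy exists; the default-label check keys on the "defaultlabelid" setting name, which is an assumption about how the policy settings are rendered.

```powershell
# Added example: audit the Data Protection & Compliance items across Exchange Online,
# SharePoint Online and Security & Compliance PowerShell. Admin URL is a placeholder.
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                                              # Purview / compliance cmdlets
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

$gaps = [System.Collections.Generic.List[string]]::new()

# Item: unified audit logging enabled and verified. The config flag says it is on; a search
# over the last 24 hours proves records are actually being ingested.
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) { $gaps.Add('Unified audit log ingestion is disabled') }
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 1
if (-not $recent) { $gaps.Add('No audit records in the last 24 hours (newly enabled, or ingestion is broken)') }

# Item: SharePoint/OneDrive external sharing. "Existing guests" is ExistingExternalUserSharingOnly;
# Disabled is stricter. Anyone links exist only under ExternalUserAndGuestSharing, and
# RequireAnonymousLinksExpireInDays of -1 means they never expire.
$spo = Get-SPOTenant
$acceptable = @('Disabled', 'ExistingExternalUserSharingOnly')
if ($spo.SharingCapability -notin $acceptable) {
    $gaps.Add("SharePoint org-level sharing is $($spo.SharingCapability); target is Existing guests or stricter")
}
if ($spo.SharingCapability -eq 'ExternalUserAndGuestSharing' -and $spo.RequireAnonymousLinksExpireInDays -le 0) {
    $gaps.Add('"Anyone" links are enabled with no expiration')
}
if ($spo.OneDriveSharingCapability -notin $acceptable) {
    $gaps.Add("OneDrive sharing is $($spo.OneDriveSharingCapability); target is Existing guests or stricter")
}

# Item: at least one DLP policy enforcing. Mode values are Enable, TestWithNotifications,
# TestWithoutNotifications and Disable; only Enable counts.
$dlpEnforcing = Get-DlpCompliancePolicy | Where-Object { $_.Enabled -and $_.Mode -eq 'Enable' }
if (-not $dlpEnforcing) { $gaps.Add('No DLP policy in enforce mode (test-mode policies do not count)') }

# Item: sensitivity labels published with a default label.
$labelPolicies = @(Get-LabelPolicy | Where-Object { $_.Enabled })
if ($labelPolicies.Count -eq 0) { $gaps.Add('No enabled sensitivity label policy is published') }
# Assumption: a default label shows up in the policy Settings as a "defaultlabelid" entry.
$withDefault = $labelPolicies | Where-Object { ($_.Settings -join ';') -match 'defaultlabelid' }
if ($labelPolicies.Count -gt 0 -and -not $withDefault) { $gaps.Add('Label policies exist but none applies a default label') }

if ($gaps.Count -eq 0) { 'Data Protection & Compliance: no gaps found' }
else { $gaps | ForEach-Object { "GAP: $_" } }
```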
Device Security (4 items)

[ ] Corporate devices enrolled in Intune and compliant
All organization-owned devices should be enrolled. Compliance policies should enforce BitLocker, OS version minimums, and antivirus status.

[ ] Conditional Access policy requires compliant or Entra-joined device
Unmanaged devices should not have unrestricted access to M365. Require compliant device or Entra-joined device for sensitive apps.

[ ] Microsoft Defender for Endpoint / Defender for Business enabled and reporting
Defender for Business is included in Business Premium. Devices should be onboarded and showing in the security portal.

[ ] BitLocker encryption enabled on all Windows devices
BitLocker should be enforced via Intune compliance policy. Recovery keys should be stored in Entra ID / Intune, not just locally.
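Three of the four device items (enrollment and compliance, the Conditional Access device requirement, and BitLocker enforcement) can be read from Intune and Entra through the Graph PowerShell SDK; Defender onboarding status is confirmed in the security portal as the item says. The script below is an added example, not Microsoft's or the checklist author's code. It assumes the Microsoft.Graph module and Intune read permissions, and it treats a device that has not synced in 30 days as unverifiable, since its compliance and encryption state are only as fresh as its last check-in.

```powershell
# Added example: audit the Device Security items with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module and Intune / Conditional Access read permissions.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'DeviceManagementConfiguration.Read.All', 'Policy.Read.All' -NoWelcome

$gaps = [System.Collections.Generic.List[string]]::new()

# Item: corporate devices enrolled and compliant. Only company-owned devices are in scope here.
$devices = @(Get-MgDeviceManagementManagedDevice -All)
$corp    = @($devices | Where-Object { $_.ManagedDeviceOwnerType -eq 'company' })
if ($corp.Count -eq 0) { $gaps.Add('No company-owned devices are enrolled in Intune') }

$nonCompliant = @($corp | Where-Object { $_.ComplianceState -ne 'compliant' })
foreach ($d in $nonCompliant) {
    $gaps.Add("Device '$($d.DeviceName)' is $($d.ComplianceState)")
}

# Stale devices: a check-in older than 30 days means compliance and encryption data cannot be trusted.
$stale = @($corp | Where-Object { $_.LastSyncDateTime -lt (Get-Date).AddDays(-30) })
foreach ($d in $stale) {
    $gaps.Add("Device '$($d.DeviceName)' last synced $($d.LastSyncDateTime.ToString('yyyy-MM-dd'))")
}

# Item: BitLocker on all Windows devices. IsEncrypted is what Intune last inventoried, and a
# Windows 10/11 compliance policy must actually require encryption for drift to be flagged.
$windows     = @($corp | Where-Object { $_.OperatingSystem -eq 'Windows' })
$unencrypted = @($windows | Where-Object { -not $_.IsEncrypted })
foreach ($d in $unencrypted) { $gaps.Add("Windows device '$($d.DeviceName)' reports no disk encryption") }

# Type-specific settings of compliance policies are exposed through AdditionalProperties.
$bitlockerPolicy = Get-MgDeviceManagementDeviceCompliancePolicy -All | Where-Object {
    $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.windows10CompliancePolicy' -and
    $_.AdditionalProperties['bitLockerEnabled'] -eq $true
}
if (-not $bitlockerPolicy) { $gaps.Add('No Windows compliance policy requires BitLocker') }

# Item: Conditional Access requires a compliant or joined device. "compliantDevice" covers
# Intune-compliant (including Entra-joined) devices; "domainJoinedDevice" is the hybrid-joined grant.
$deviceCa = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and (
        $_.GrantControls.BuiltInControls -contains 'compliantDevice' -or
        $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice'
    )
}
if (-not $deviceCa) { $gaps.Add('No enabled CA policy requires a compliant or joined device') }

if ($gaps.Count -eq 0) { 'Device Security: no gaps found' }
else { $gaps | ForEach-Object { "GAP: $_" } }
```

Personal (BYOD) devices are deliberately filtered out, because the item concerns organization-owned hardware; if BYOD devices access mail or SharePoint, the Conditional Access check above is what keeps them from doing so unmanaged.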
Administration & Monitoring (3 items)

[ ] Microsoft Secure Score reviewed and improvement plan in place
Access at security.microsoft.com → Secure Score. A score below 50% with no active improvement plan is a governance gap.

[ ] Guest access reviewed and inactive guests removed
Review Entra → External identities → All users (guests). Remove guests with no recent activity. Implement guest access expiration policies.

[ ] Admin consent workflow enabled for application permissions
Prevents users from granting third-party apps access to M365 data without admin review. Configure in Entra → Enterprise applications → Consent and permissions.
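The three monitoring items can also be pulled through Graph. This is an added example, not the checklist author's script; it assumes the Microsoft.Graph module, that reading sign-in activity is licensed (it needs the AuditLog.Read.All scope and an Entra ID P1 tenant), and a 90-day inactivity window that you would adjust to your own policy. It reports the latest Secure Score as a percentage, lists guests with no sign-in in the window (or never, if created before the window), and checks both halves of the consent item: that users cannot self-consent to any application, and that the admin consent request workflow is switched on so blocked requests reach a reviewer.

```powershell
# Added example: audit the Administration & Monitoring items with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module; sign-in activity requires AuditLog.Read.All and Entra ID P1.
Connect-MgGraph -Scopes 'SecurityEvents.Read.All', 'User.Read.All', 'AuditLog.Read.All', 'Policy.Read.All' -NoWelcome

$gaps = [System.Collections.Generic.List[string]]::new()

# Item: Secure Score. The newest snapshot is returned first; express it as a percentage of the maximum.
$score = Get-MgSecuritySecureScore -Top 1
$pct   = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
"Secure Score: $($score.CurrentScore) / $($score.MaxScore) ($pct%)"
if ($pct -lt 50) { $gaps.Add("Secure Score is $pct%, below the 50% threshold") }

# Item: inactive guests. A guest counts as inactive when the last sign-in is older than the
# window, or when there is no sign-in at all and the account itself is older than the window.
$inactiveDays = 90                                   # assumption: adjust to your guest policy
$cutoff       = (Get-Date).AddDays(-$inactiveDays)
$guests = @(Get-MgUser -Filter "userType eq 'Guest'" -All `
             -Property 'id,userPrincipalName,createdDateTime,signInActivity')
$inactive = @($guests | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    ($last -and $last -lt $cutoff) -or (-not $last -and $_.CreatedDateTime -lt $cutoff)
})
"Guests: $($guests.Count) total, $($inactive.Count) inactive for $inactiveDays+ days"
foreach ($g in $inactive) { $gaps.Add("Inactive guest: $($g.UserPrincipalName)") }

# Item: admin consent workflow. Two settings matter: what users may consent to on their own
# (the authorization policy) and whether the request-for-admin-review workflow is enabled.
$authPolicy  = Get-MgPolicyAuthorizationPolicy
$userConsent = @($authPolicy.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
# "...microsoft-user-default-legacy" lets users consent to any app; "...-low" limits them to
# verified publishers and low-impact permissions; an empty list disables user consent entirely.
if ($userConsent -contains 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') {
    $gaps.Add('Users can consent to any third-party application (legacy user consent policy)')
}
$workflow = Get-MgPolicyAdminConsentRequestPolicy
if (-not $workflow.IsEnabled) { $gaps.Add('Admin consent request workflow is not enabled') }
elseif (@($workflow.Reviewers).Count -eq 0) { $gaps.Add('Consent workflow is enabled but has no reviewers') }

if ($gaps.Count -eq 0) { 'Administration & Monitoring: no gaps found' }
else { $gaps | ForEach-Object { "GAP: $_" } }
```

Removing the inactive guests is a separate, deliberate step (Remove-MgUser after the owner of each collaboration confirms), which is why the script only lists them; pairing the list with an Entra access review or guest expiration policy keeps the list from regrowing between audits.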