Introduction

In 2025, Microsoft reported that over 80% of security breaches in cloud environments stemmed from identity misconfigurations — not sophisticated zero-day exploits. The reality is uncomfortable: most organizations running Microsoft 365 have security gaps they don't know about. And with the attack surface expanding every quarter — new features, new integrations, new admin portals — those gaps only grow.

Whether you manage 100 users or 10,000, a structured security audit is no longer optional. It's the difference between reacting to incidents and preventing them. The EU's NIS2 Directive — now mandatory across all member states — explicitly requires organizations to implement risk management measures for their IT environments, including cloud platforms like Microsoft 365. Non-compliance can mean fines of up to €10 million or 2% of global turnover.

This checklist is the same framework I use when auditing Microsoft 365 tenants for enterprise clients. It's comprehensive, actionable, and organized by the areas that matter most. I've conducted dozens of these audits across industries — financial services, manufacturing, healthcare, professional services — and the patterns are consistent. The same misconfigurations appear again and again, often in tenants managed by competent IT teams who simply haven't had time to keep up with the pace of change in the M365 ecosystem.

What Is a Microsoft 365 Security Audit?

A Microsoft 365 security audit is a systematic review of your tenant's configuration, policies, and practices against security best practices and compliance requirements. It covers every layer of the M365 stack: identity, email, endpoints, data, collaboration, and compliance.

It's important to distinguish an audit from Microsoft Secure Score. Secure Score is a useful starting point — it gives you a numerical benchmark and recommends improvements. But it has significant limitations:

  • It doesn't assess your specific risk context. A recommendation to enable MFA for all users has a very different urgency if you're a 50-person startup versus a 5,000-person financial institution.
  • It misses configuration nuances. Secure Score may report that Conditional Access is configured, but it won't tell you that your policies have unintended exclusions or that legacy authentication is still allowed for a service account.
  • It doesn't cover third-party integrations, custom workflows, or organizational policies that interact with your M365 environment.

A proper audit goes deeper. It combines automated scanning (using tools like Microsoft Secure Score, CIS Microsoft 365 Benchmarks, and PowerShell-based assessment scripts) with manual review of configurations, policies, and user behavior patterns. It maps findings to your regulatory requirements (GDPR, NIS2, ISO 27001), and produces a prioritized remediation roadmap — not just a list of recommendations.

A typical audit engagement covers six core domains: Identity & Access Management, Email Security, Endpoint Management, Data Protection & Governance, Threat Detection & Response, and Compliance & Regulatory. Each domain has its own set of controls, configurations, and best practices. Let's walk through each one.

Identity & Access Management

Identity is the new perimeter. In a cloud-first world, your Entra ID (formerly Azure AD) configuration is the single most critical security control. Start here.

Audit Checklist: Identity & Access

  • MFA enforcement: Verify that multi-factor authentication is enforced for all users — not just enabled. Check for users excluded from MFA policies (service accounts, break-glass accounts, executives). Ensure phishing-resistant MFA methods (FIDO2, Windows Hello, passkeys) are preferred over SMS/voice.
  • Legacy authentication: Confirm that legacy authentication protocols (POP3, IMAP, SMTP AUTH, Exchange ActiveSync basic auth) are blocked via Conditional Access. Query the sign-in logs for any residual legacy authentication traffic: even one active connection is a risk.
  • Conditional Access policies: Review all Conditional Access policies for completeness and consistency. Check for: user/group exclusions that shouldn't exist, policies that target only specific apps instead of "All cloud apps," policies that allow unmanaged devices access to sensitive data, missing location-based restrictions for privileged access.
  • Privileged Identity Management (PIM): Ensure PIM is enabled and configured for all Entra ID roles. No permanent Global Admin assignments — all privileged access should be just-in-time. Review PIM activation requirements: require justification, approval for critical roles, enforce MFA at activation.
  • Entra ID role assignments: Audit the number of Global Administrators — best practice is 2-4, no more. Review all role assignments: are they using least-privilege principles? Check for stale role assignments (users who changed roles but kept old permissions). Verify that administrative units are used to scope role permissions where appropriate.
  • Break-glass accounts: Confirm at least two break-glass (emergency access) accounts exist. They should be cloud-only, excluded from all Conditional Access policies, use FIDO2 keys stored in a secure physical location, and be monitored with alerts for any sign-in activity.
  • Guest access: Review external identity settings. Are guest invitations restricted to specific roles? Is guest access to Teams, SharePoint, and Groups appropriately scoped? Check for stale guest accounts that should have been removed.
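The Conditional Access and legacy-authentication checks above, as an added example that is not part of the original checklist: it runs offline over exported policy and sign-in data in the Microsoft Graph schema, with constructed sample records. The policy names, account names and the BreakGlass group are assumptions.

```python
"""Identity checks over constructed exports: Conditional Access policies in the
Graph conditionalAccessPolicy shape and sign-ins in the Graph signIn shape."""
from collections import Counter

# Constructed policies; real ones come from GET /identity/conditionalAccess/policies
# (or Get-MgIdentityConditionalAccessPolicy). Only the fields checked below are shown.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["svc-backup"],
                              "excludeGroups": ["BreakGlass"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Block legacy auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "MFA for CRM", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                    "applications": {"includeApplications": ["<crm-app-id>"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
]
# Constructed sign-ins; real ones come from GET /auditLogs/signIns (or Get-MgAuditLogSignIn).
SIGN_INS = [
    {"userPrincipalName": "svc-scanner@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 50126}},
]
# clientAppUsed values the sign-in log reports for legacy protocols (illustrative subset).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients"}
BREAK_GLASS = {"BreakGlass"}  # the documented emergency-access group: the only allowed exclusion

def review_policies(policies, break_glass=BREAK_GLASS):
    """Findings for undocumented exclusions, narrow app scope, unenforced state, legacy-auth gaps."""
    findings, legacy_blocked = [], False
    for p in policies:
        name, cond = p["displayName"], p["conditions"]
        users, enforced = cond["users"], p["state"] == "enabled"
        all_apps = cond["applications"].get("includeApplications") == ["All"]
        unexpected = [x for x in users.get("excludeUsers", []) + users.get("excludeGroups", [])
                      if x not in break_glass]
        if unexpected:
            findings.append(f"{name}: undocumented exclusions {unexpected}")
        if not all_apps:
            findings.append(f"{name}: scoped to specific apps, not 'All cloud apps'")
        if not enforced:
            findings.append(f"{name}: state is '{p['state']}', so it is not enforced")
        blocks_legacy = ("block" in p.get("grantControls", {}).get("builtInControls", [])
                         and {"exchangeActiveSync", "other"} <= set(cond.get("clientAppTypes", [])))
        if blocks_legacy and enforced and all_apps and users.get("includeUsers") == ["All"]:
            legacy_blocked = True
    if not legacy_blocked:
        findings.append("CRITICAL: no enforced policy blocks legacy authentication for all users")
    return findings

def residual_legacy_auth(sign_ins):
    """Count legacy-protocol sign-ins per (user, protocol). Failed attempts count too:
    they still show which accounts legacy clients are configured to use."""
    return dict(Counter((s["userPrincipalName"], s["clientAppUsed"])
                        for s in sign_ins if s["clientAppUsed"] in LEGACY_CLIENTS))
```

On the sample data the report-only legacy-auth policy produces the CRITICAL finding, which is exactly the "enabled but not enforced" gap Secure Score tends to miss.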

Email Security

Email remains the number one attack vector. A properly configured Defender for Office 365 setup, combined with email authentication standards, dramatically reduces your exposure to phishing, business email compromise, and data exfiltration.

Audit Checklist: Email Security

  • Defender for Office 365 configuration: Verify that Safe Attachments is enabled with dynamic delivery mode (users get the email immediately while attachments are scanned). Confirm Safe Links is enabled for email, Teams, and Office apps. Check that policies cover all users — not just a subset.
  • Anti-phishing policies: Review anti-phishing policies in Defender for Office 365. Enable impersonation protection for key executives, partners, and domains. Configure mailbox intelligence for all users. Set actions for detected threats to quarantine (not just tag).
  • DKIM, SPF, and DMARC: Verify that SPF records are published and include all legitimate sending sources (M365, marketing platforms, CRM). Confirm DKIM signing is enabled for all custom domains in Exchange Online. Check DMARC policy: it should be at p=quarantine or p=reject — not just p=none. A p=none policy provides monitoring but zero enforcement.
  • Auto-forwarding rules: Disable external auto-forwarding at the transport rule level. Review all existing mailbox rules for forwarding to external addresses — this is a common persistence mechanism after account compromise. Use mail flow rules to alert on or block external forwarding.
  • Mailbox auditing: Verify that mailbox auditing is enabled for all mailboxes (it should be on by default, but check for exclusions). Confirm audit logs are retained for at least 90 days (365 days with E5/G5 licensing). Review audit log access permissions.
  • Quarantine policies: Review quarantine notification settings. Ensure end users can review and release low-confidence quarantined emails but not high-confidence phishing. Configure admin-only release for high-severity quarantine categories.
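Two of the checks above (the SPF/DMARC records and the external forwarding rules), as one added example that is not from the original checklist. The DNS answers and inbox rules are constructed samples in the shape of DNS TXT records and of `Get-InboxRule` output exported with `ConvertTo-Json`; the domain names and accepted-domain list are assumptions.

```python
"""Email-security checks over constructed inputs: SPF and DMARC TXT records, and
inbox rules in the shape of Get-InboxRule output exported with ConvertTo-Json."""
import re

# Constructed DNS TXT answers keyed by record name; pull real ones with dig or Resolve-DnsName.
DNS_TXT = {
    "contoso.example": ["v=spf1 include:spf.protection.outlook.com include:_spf.crm.example -all"],
    "_dmarc.contoso.example": ["v=DMARC1; p=none; rua=mailto:dmarc@contoso.example"],
}
ACCEPTED_DOMAINS = {"contoso.example"}  # the tenant's own accepted domains (assumed)
# Constructed inbox rules; Get-InboxRule renders recipients as '"Name" [SMTP:address]'.
INBOX_RULES = [
    {"MailboxOwnerId": "alice@contoso.example", "Name": "Archive copy", "Enabled": True,
     "ForwardTo": ['"Archive" [SMTP:alice.archive@mail.example]'], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"MailboxOwnerId": "bob@contoso.example", "Name": "To manager", "Enabled": True,
     "ForwardTo": ['"Carol" [SMTP:carol@contoso.example]'], "RedirectTo": [], "ForwardAsAttachmentTo": []},
    {"MailboxOwnerId": "dave@contoso.example", "Name": "Cleanup", "Enabled": False,
     "ForwardTo": [], "RedirectTo": ["x@freemail.example"], "ForwardAsAttachmentTo": []},
]

def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', 'rua': ...}."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def check_spf(domain, dns, required=("spf.protection.outlook.com",)):
    """Exactly one SPF record, containing every required include and ending in -all/~all."""
    spf = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # none published, or two (a permerror): both mean no protection
        return [("CRITICAL", f"{domain}: expected one SPF record, found {len(spf)}")]
    terms, findings = spf[0].split(), []
    for inc in required:
        if f"include:{inc}" not in terms:
            findings.append(("HIGH", f"{domain}: SPF lacks include:{inc}"))
    if terms[-1] not in ("-all", "~all"):
        findings.append(("HIGH", f"{domain}: SPF ends with '{terms[-1]}', not -all or ~all"))
    return findings

def check_dmarc(domain, dns):
    """DMARC must exist and enforce (p=quarantine or p=reject) on 100% of mail."""
    recs = [r for r in dns.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [("CRITICAL", f"{domain}: no DMARC record published")]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "none")
    if policy == "none":
        return [("CRITICAL", f"{domain}: DMARC p=none monitors but enforces nothing")]
    if policy not in ("quarantine", "reject"):
        return [("CRITICAL", f"{domain}: DMARC p={policy} is not a valid policy")]
    if tags.get("pct", "100") != "100":
        return [("HIGH", f"{domain}: DMARC p={policy} applies to only pct={tags['pct']}")]
    return []

ADDR = re.compile(r"SMTP:([^\]\s]+)")  # the address inside '"Name" [SMTP:address]'
def external_forwarding(rules, accepted=ACCEPTED_DOMAINS):
    """(mailbox, rule, target, enabled) for every rule that sends mail outside the accepted domains;
    disabled rules are reported as well, since they can be re-enabled with one click."""
    hits = []
    for r in rules:
        for t in r.get("ForwardTo", []) + r.get("RedirectTo", []) + r.get("ForwardAsAttachmentTo", []):
            m = ADDR.search(t)
            addr = (m.group(1) if m else t).lower()
            if addr.rsplit("@", 1)[-1] not in accepted:
                hits.append((r["MailboxOwnerId"], r["Name"], addr, r["Enabled"]))
    return hits
```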

Endpoint Management

Unmanaged endpoints are blind spots. If a device isn't enrolled in Intune and protected by Defender for Endpoint, you have limited visibility into what's accessing your data. This section focuses on bringing endpoints under management and ensuring compliance.

Audit Checklist: Endpoints

  • Intune enrollment: Review device enrollment status. What percentage of corporate devices are enrolled? Are personal devices enrolled via MAM (Mobile Application Management) or MDM (full device management)? Identify unmanaged devices accessing corporate data via Conditional Access sign-in reports.
  • Compliance policies: Verify compliance policies are configured for all supported platforms (Windows, macOS, iOS, Android). Check that policies enforce: minimum OS version, disk encryption (BitLocker/FileVault), passcode/PIN requirements, jailbreak/root detection on mobile, Defender for Endpoint risk score evaluation.
  • Conditional Access + device compliance: Ensure Conditional Access policies require device compliance for access to corporate resources. Devices that fall out of compliance should lose access immediately (or within a defined grace period). Test this: what happens when a device becomes non-compliant?
  • Defender for Endpoint: Confirm Defender for Endpoint is deployed to all enrolled endpoints. Review Defender security recommendations in the Microsoft 365 Defender portal. Check that automated investigation and response (AIR) is enabled. Verify that attack surface reduction (ASR) rules are configured.
  • Windows Autopilot: If applicable, verify Autopilot deployment profiles are configured and tested. Review the zero-touch provisioning experience: does a new employee receive a fully configured, policy-compliant device without IT intervention? Check Autopilot reset capabilities for device reuse.
  • Application management: Review which apps are deployed via Intune. Check for required vs. available apps. Verify app protection policies (MAM) for mobile devices: do they prevent copy/paste to unmanaged apps, require PIN, and encrypt app data?

Data Protection & Governance

Data protection is where security meets compliance. Your DLP policies, sensitivity labels, retention rules, and sharing settings determine whether sensitive data stays where it belongs — or leaks through the cracks.

Audit Checklist: Data Protection

  • Data Loss Prevention (DLP) policies: Review all active DLP policies in Microsoft Purview. Check coverage: are policies applied to Exchange, SharePoint, OneDrive, Teams, and endpoints? Verify that policies detect sensitive information types relevant to your organization (credit card numbers, national ID numbers, health records, financial data). Review policy actions: are they in test mode or enforcement mode?
  • Sensitivity labels: Confirm that sensitivity labels are published and available to users. Review the label taxonomy: does it cover all classification levels (Public, Internal, Confidential, Highly Confidential)? Check auto-labeling policies: are they configured for your most critical sensitive information types? Verify that labels enforce encryption and access restrictions where appropriate.
  • Retention policies: Review retention policies for Exchange, SharePoint, OneDrive, and Teams. Ensure policies align with your data retention requirements and regulatory obligations. Check for retention labels applied to specific libraries or content types. Verify that disposition review is configured for records that require manual review before deletion.
  • SharePoint and OneDrive sharing: Review external sharing settings at the tenant level and per-site level. Check the default sharing link type — it should not be "Anyone with the link." Verify that sharing with specific external domains is restricted or allowed as appropriate. Review the expiration settings for guest access links.
  • Teams governance: Review Teams creation policies: can any user create a team, or is it restricted? Check guest access settings for Teams: can guests create channels, share files, start meetings? Review sensitivity labels applied to Teams and the protections they enforce. Audit inactive or orphaned Teams that may contain sensitive data.
  • Guest access review: Configure recurring access reviews for guest users in Entra ID. Review external sharing reports in SharePoint admin center. Check for over-shared sites, folders, and files accessible to external users or "Everyone except external users."
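The stale-guest check from the identity section and the sharing-link check from this section, as one added example that is not from the original page: it runs offline over a constructed guest export in the Graph user shape (with `signInActivity`) and a constructed site list using `Get-SPOSite` property names. The review window, the pinned "now" and all names are assumptions.

```python
"""Guest-lifecycle and SharePoint sharing checks over constructed exports: guests in
the Graph user shape (with signInActivity), sites with Get-SPOSite property names."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, 12, tzinfo=timezone.utc)  # pinned so the sample is reproducible
STALE_AFTER = timedelta(days=90)  # assumed review window

# Constructed guests; real ones: GET /users?$filter=userType eq 'Guest'&$select=...,signInActivity
GUESTS = [
    {"userPrincipalName": "partner_example.com#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2024-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2025-05-20T08:12:00Z"}},
    {"userPrincipalName": "oldvendor_example.net#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2023-11-02T10:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-12-01T07:00:00Z"}},
    {"userPrincipalName": "neverused_example.org#EXT#@contoso.example", "userType": "Guest",
     "createdDateTime": "2025-01-15T12:00:00Z", "signInActivity": None},  # invited, never signed in
]
# Constructed sites in the shape of Get-SPOSite -Detailed output.
SITES = [
    {"Url": "https://contoso.example/sites/finance", "SharingCapability": "ExternalUserAndGuestSharing",
     "DefaultSharingLinkType": "AnonymousAccess"},
    {"Url": "https://contoso.example/sites/hr", "SharingCapability": "Disabled",
     "DefaultSharingLinkType": "Internal"},
    {"Url": "https://contoso.example/sites/projects", "SharingCapability": "ExternalUserSharingOnly",
     "DefaultSharingLinkType": "Direct"},
]

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_guests(guests, now=NOW, stale_after=STALE_AFTER):
    """(upn, idle_days, never_signed_in) for guests idle longer than the window. A guest
    with no sign-in at all is measured from the invitation date instead."""
    out = []
    for g in guests:
        if g.get("userType") != "Guest":
            continue
        activity = g.get("signInActivity") or {}
        last = activity.get("lastSignInDateTime")
        idle = now - _parse(last or g["createdDateTime"])
        if idle > stale_after:
            out.append((g["userPrincipalName"], idle.days, last is None))
    return out

def risky_sharing(sites):
    """(severity, url, message) for sites where 'Anyone' links are possible: CRITICAL when
    they are the default link type, HIGH when merely allowed."""
    findings = []
    for s in sites:
        if s["SharingCapability"] != "ExternalUserAndGuestSharing":
            continue  # anonymous links cannot be created on this site
        if s["DefaultSharingLinkType"] == "AnonymousAccess":
            findings.append(("CRITICAL", s["Url"], "default sharing link is 'Anyone with the link'"))
        else:
            findings.append(("HIGH", s["Url"], "anonymous links allowed; confirm need and expiry"))
    return findings
```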

Threat Detection & Response

Detection without response is just observation. This section covers how well your environment identifies threats and how effectively (and quickly) it responds to them.

Audit Checklist: Threat Detection

  • Microsoft Defender XDR configuration: Verify that all Defender workloads are active and properly configured: Defender for Office 365 (email), Defender for Endpoint (devices), Defender for Identity (identity-based threats), and Defender for Cloud Apps (SaaS). Check that cross-workload incident correlation is enabled — this is the core value of XDR.
  • Alert tuning: Review alert policies and suppression rules. Are you suppressing too many alerts (masking real threats) or too few (drowning in noise)? Check that critical alert categories generate notifications to your security team. Verify that alert severity levels are correctly assigned.
  • Automated investigation and response: Confirm that automated investigation and response (AIR) is enabled in Defender XDR. Review the automation level: is it set to full automation, semi-automation, or manual? Check the history of automated investigations — are they resolving incidents effectively? Verify that automated remediation actions are aligned with your risk tolerance.
  • Microsoft Sentinel integration readiness: If you use or plan to use Microsoft Sentinel: verify that the Microsoft 365 Defender data connector is enabled. Check that relevant M365 logs are flowing to Sentinel (sign-in logs, audit logs, Defender alerts). Review Sentinel analytics rules for M365-specific detection scenarios. Ensure that playbooks (Logic Apps) are configured for automated response to common M365 threats.
  • Incident response procedures: Review your incident response plan for M365-specific scenarios: compromised account, data exfiltration, ransomware, insider threat. Verify that your team knows how to use the Microsoft 365 Defender incident queue. Check that investigation actions (isolate device, disable account, purge email) are documented and tested.

Compliance & Regulatory

Compliance isn't just a checkbox exercise — it's a structured approach to managing risk. For organizations operating in Europe, NIS2 and GDPR are non-negotiable. For those pursuing certifications, ISO 27001 alignment within M365 is increasingly important.

Audit Checklist: Compliance

  • Microsoft Purview Compliance Manager: Review your Compliance Manager score. It provides a risk-based assessment of your M365 compliance posture. Check which assessments are active (GDPR, ISO 27001, NIS2, NIST 800-53). Review improvement actions: which ones are assigned, in progress, or overdue? Use Compliance Manager as a living dashboard — not a one-time exercise.
  • NIS2 Directive alignment: If your organization falls under NIS2 scope (and most medium-to-large EU organizations do since October 2024): verify that risk management measures are implemented in your M365 environment. Check incident reporting readiness: can you detect and report a significant incident within 24 hours? Review supply chain security: are your M365 third-party integrations and ISV apps assessed for risk? Ensure management accountability: does leadership have visibility into M365 security posture?
  • GDPR controls: Verify that data processing activities in M365 are documented. Check that Data Subject Access Requests (DSARs) can be fulfilled using Content Search and eDiscovery. Review data residency settings: is your M365 data stored in the correct geography? Verify that appropriate data processing agreements are in place with Microsoft and third-party integrations.
  • ISO 27001 mapping: If pursuing or maintaining ISO 27001 certification: map your M365 security controls to ISO 27001 Annex A controls. Use Compliance Manager's ISO 27001 assessment template for continuous monitoring. Document control ownership and evidence collection within your M365 environment. Review the Statement of Applicability (SoA) to ensure M365-related controls are included.
  • Audit logging: Verify that unified audit logging is enabled (it should be on by default, but confirm). Check audit log retention: standard retention is 180 days; E5/G5 provides 365 days. Consider exporting critical audit logs to a SIEM (Sentinel or third-party) for long-term retention. Review who has access to audit logs and the search audit log permission in the compliance portal.
  • eDiscovery readiness: Ensure that eDiscovery roles are assigned to appropriate personnel. Review hold policies: can you place content holds for legal or regulatory purposes? Test the content search and export workflow to ensure it functions correctly. Verify that eDiscovery premium capabilities (if licensed) are configured for advanced analytics and review.

How to Prioritize Your Audit Findings

After completing the checklist, you'll likely have a significant list of findings. The temptation is to fix everything at once — resist it. A risk-based prioritization approach is far more effective.

Categorize by Risk Impact

Group your findings into three categories:

  1. Critical (fix immediately): Issues that create direct exposure to account compromise, data breach, or regulatory violation. Examples: no MFA enforcement, legacy authentication still enabled, Global Admin accounts without PIM, DMARC at p=none, external auto-forwarding enabled.
  2. High (fix within 30 days): Issues that significantly weaken your security posture but require planning to remediate. Examples: Conditional Access gaps, missing DLP policies for sensitive data, unmanaged endpoints accessing corporate data, incomplete Defender deployment.
  3. Medium/Low (fix within 90 days): Issues that improve your posture incrementally. Examples: sensitivity label refinement, retention policy alignment, Compliance Manager score improvement, documentation gaps.

Quick Wins vs. Strategic Improvements

Within each category, identify quick wins — changes that take less than an hour to implement and have immediate security impact:

  • Block legacy authentication (one Conditional Access policy)
  • Disable external auto-forwarding (one transport rule)
  • Enable Security Defaults if you don't have Conditional Access licensing
  • Set DMARC policy to p=quarantine
  • Review and remove stale Global Admin assignments

Strategic improvements — like rolling out sensitivity labels across the organization, deploying Intune to all endpoints, or implementing PIM — require project planning, change management, and user communication. Treat them as projects, not tasks.

When to Bring in an Expert

Many organizations can handle basic M365 security hygiene internally. But there are clear signals that external expertise will save you time, money, and risk:

  • You don't have dedicated M365 security expertise. Your IT team manages M365 alongside many other responsibilities, and nobody has deep knowledge of Entra ID, Defender, or Purview configuration nuances.
  • You're preparing for a compliance audit or certification. NIS2, ISO 27001, or industry-specific regulations require documented evidence and controls that map to specific requirements. An experienced consultant can bridge the gap between M365 capabilities and regulatory language.
  • You've had a security incident. A compromised account, data leak, or ransomware event in your M365 environment is a clear signal that your current configuration has gaps. Post-incident hardening is most effective when done with fresh eyes.
  • Your Secure Score hasn't improved in months. Stagnation means nobody is actively working on your M365 security posture. An external audit can break through the inertia with a clear, prioritized roadmap.
  • You're migrating or consolidating tenants. Mergers, acquisitions, and tenant consolidations are high-risk windows where security configurations can fall through the cracks.

The goal of an external audit isn't to replace your internal team — it's to give them a clear map. A good consultant delivers a roadmap your team can execute on their own.

Conclusion

Microsoft 365 is likely the most business-critical platform in your organization. It handles your email, your files, your collaboration, your identities — and increasingly, your security. Auditing it systematically isn't just good practice; it's essential.

This checklist covers the six pillars of M365 security: identity, email, endpoints, data protection, threat detection, and compliance. Use it as a starting point, adapt it to your environment, and revisit it quarterly. The threat landscape evolves, Microsoft ships new features and deprecates old ones, and your organization's risk profile changes over time.

Here's what I recommend as immediate next steps:

  1. Run through the Identity & Access Management section first. Identity misconfigurations cause the majority of breaches. Fixing MFA gaps and blocking legacy authentication takes hours, not weeks.
  2. Check your email authentication. Verify your SPF, DKIM, and DMARC configuration. Moving from p=none to p=quarantine is one of the highest-impact changes you can make.
  3. Review your Conditional Access policies. Look for exclusions, gaps, and overly permissive rules. This is where most audits uncover surprises.
  4. Document everything. An audit is only valuable if findings are documented, assigned to owners, and tracked to completion.

Security is not a destination — it's a practice. Start your audit today.

Get Your Free M365 Security Assessment

Book a free 30-minute call to discuss your Microsoft 365 security posture. No sales pitch — just practical advice from a certified M365 security architect.
