Microsoft 365 security audit checklist
A practical, no-fluff checklist for auditing a Microsoft 365 tenant — covering the same five areas a full IT security audit should check: identity & access, Microsoft Secure Score, data exposure, email authentication, and license waste. Print it, work through it manually, or run the automated scan below to get every item checked for you in minutes.
1. Identity & access
- Multi-factor authentication (MFA) is enforced for all users, with no exceptions for executives or service accounts
- Every Global Administrator account has MFA enabled — this is the single highest-risk gap if missing
- The number of Global Administrator accounts is minimized (Microsoft recommends fewer than 5 for most organizations)
- Legacy authentication protocols (POP, IMAP, SMTP AUTH) are disabled tenant-wide unless explicitly required. Exchange Online has already retired Basic authentication for POP, IMAP, EWS and ActiveSync; SMTP AUTH is the remaining exception, so disable it at the tenant level and re-enable it only on the specific mailboxes (scanners, line-of-business apps) that need it, after checking the sign-in logs for any client still depending on it
- Conditional Access policies block, or require MFA for, sign-ins from countries the organization does not operate in and for risky sign-in patterns (Conditional Access itself needs Entra ID P1; sign-in-risk and user-risk conditions need Entra ID P2)
- Guest user access is reviewed and unused guest accounts are removed
- Self-service password reset is enabled with strong verification methods
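The three identity checks most worth automating are the ones that can be answered from Microsoft Graph data: which Global Administrators have no MFA method registered, how many Global Administrators exist, and which users still sign in successfully over legacy protocols. The block below is an added example for this checklist, not code from M365 Health Score. Its sample payloads are constructed: the field names follow the Graph endpoints named in the comments (`directoryRoles/{id}/members`, `reports/authenticationMethods/userRegistrationDetails`, `auditLogs/signIns`), but every user, ID and value is invented.

```python
"""Identity & access checks over Microsoft Graph-shaped data.

Added example for this checklist, not code from M365 Health Score. The sample
payloads are constructed: field names follow the Graph responses named beside
them, but every user, ID and value is invented.
"""
from collections import Counter

# Role template ID of the built-in Global Administrator role. It is the same in
# every tenant, so it is the stable way to locate the role object before
# listing its members.
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
MAX_GLOBAL_ADMINS = 5  # Microsoft's guidance: fewer than five

# clientAppUsed values in Entra sign-in logs that only legacy (basic-auth) clients produce.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                      "Authenticated SMTP", "Other clients"}

# Constructed: GET /v1.0/directoryRoles/{id}/members for the Global Administrator role
GA_MEMBERS = [
    {"id": "u-001", "userPrincipalName": "alice@contoso.example"},
    {"id": "u-002", "userPrincipalName": "bob@contoso.example"},
    {"id": "u-003", "userPrincipalName": "svc-backup@contoso.example"},
]

# Constructed: GET /v1.0/reports/authenticationMethods/userRegistrationDetails
REGISTRATION = [
    {"userPrincipalName": "alice@contoso.example", "isMfaRegistered": True, "isAdmin": True},
    {"userPrincipalName": "bob@contoso.example", "isMfaRegistered": False, "isAdmin": True},
    {"userPrincipalName": "svc-backup@contoso.example", "isMfaRegistered": False, "isAdmin": True},
    {"userPrincipalName": "carol@contoso.example", "isMfaRegistered": True, "isAdmin": False},
]

# Constructed: GET /v1.0/auditLogs/signIns (subset of fields)
SIGN_INS = [
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser", "status": {"errorCode": 0}},
    {"userPrincipalName": "scanner@contoso.example", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}},
]


def global_admins_without_mfa(members, registration):
    """UPNs of Global Administrators whose registration report shows no MFA method.

    A GA missing from the report is treated as unregistered: absence of evidence
    is a finding, not a pass.
    """
    registered = {r["userPrincipalName"].lower(): r["isMfaRegistered"] for r in registration}
    return sorted(m["userPrincipalName"] for m in members
                  if not registered.get(m["userPrincipalName"].lower(), False))


def global_admin_count_ok(members, limit=MAX_GLOBAL_ADMINS):
    """True when the number of Global Administrators is below the recommended limit."""
    return len(members) < limit


def legacy_auth_in_use(sign_ins):
    """Count successful legacy-protocol sign-ins per (user, protocol).

    Failed attempts (errorCode != 0) are excluded on purpose: they show that
    legacy auth is being probed, not that a user or device depends on it.
    """
    return Counter((s["userPrincipalName"], s["clientAppUsed"]) for s in sign_ins
                   if s["clientAppUsed"] in LEGACY_CLIENT_APPS and s["status"]["errorCode"] == 0)


def run_identity_checks(members=GA_MEMBERS, registration=REGISTRATION, sign_ins=SIGN_INS):
    """Return the identity findings as a dict; an empty or False value means the check passed."""
    return {
        "global_admins_without_mfa": global_admins_without_mfa(members, registration),
        "too_many_global_admins": not global_admin_count_ok(members),
        "legacy_auth_in_use": dict(legacy_auth_in_use(sign_ins)),
    }


if __name__ == "__main__":
    for check, result in run_identity_checks().items():
        print(f"{'FAIL' if result else 'PASS'}  {check}: {result}")
```

With the constructed data this reports two Global Administrators without MFA (one of them a service account, which is exactly the kind of exception the checklist says not to allow), a GA count within the limit, and two accounts that still authenticate successfully over legacy protocols; bob's failed IMAP attempt is not counted as usage.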
2. Microsoft Secure Score
- Current Secure Score is known and tracked over time, not just checked once
- Top unimplemented recommendations are reviewed and triaged (not all controls fit every organization)
- Score regressions are investigated — a sudden drop usually means a setting was changed
- Score is benchmarked against similar-sized organizations in the same industry
3. Data exposure
- SharePoint and OneDrive sharing links are reviewed for "Anyone with the link" exposure on sensitive files
- Third-party OAuth apps connected to the tenant are reviewed, and apps with excessive permissions are removed
- External sharing settings are scoped appropriately per site, not left at the tenant-wide default
- Sensitive data (financial records, customer PII) is not stored in unrestricted Teams or SharePoint sites
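The OAuth app review in this section is the one most teams do by eye in the portal, which does not scale. The block below is an added example for this checklist, not code from M365 Health Score: it scores each delegated permission grant by the scopes it carries, whether consent was granted tenant-wide (`consentType` of `AllPrincipals`) and whether the publisher is verified. The sample data is constructed to follow the field names of `GET /v1.0/servicePrincipals` and `GET /v1.0/oauth2PermissionGrants`; the app names, IDs and scope combinations are invented, and the set of "high-risk" scope patterns is this example's own choice, not a Microsoft list.

```python
"""Review of third-party OAuth (delegated) grants for excessive permissions.

Added example for this checklist, not code from M365 Health Score. Sample data
is constructed to follow the field names of GET /v1.0/servicePrincipals and
GET /v1.0/oauth2PermissionGrants; app names, IDs and scopes are invented.
Application permissions (app roles) live under
servicePrincipals/{id}/appRoleAssignments and need the same review; they are
not covered here.
"""
import re

# Delegated scopes that reach mail, files or the directory, or that end in .All
# (data beyond the consenting user's own). This is an example list, not Microsoft's.
HIGH_RISK_SCOPE_PATTERNS = [re.compile(p) for p in (
    r"^Mail\.", r"^MailboxSettings\.ReadWrite", r"^Files\.ReadWrite",
    r"^Sites\.", r"^Directory\.", r"^Contacts\.ReadWrite", r"\.All$",
)]
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed: GET /v1.0/servicePrincipals?$select=id,appId,displayName,verifiedPublisher
SERVICE_PRINCIPALS = [
    {"id": "sp-1", "appId": "app-1", "displayName": "Calendar Sync Pro",
     "verifiedPublisher": {"displayName": "Contoso Partner Ltd"}},
    {"id": "sp-2", "appId": "app-2", "displayName": "Free PDF Converter",
     "verifiedPublisher": None},
    {"id": "sp-3", "appId": "app-3", "displayName": "Team Timer",
     "verifiedPublisher": None},
]

# Constructed: GET /v1.0/oauth2PermissionGrants
# consentType "Principal" = one user consented; "AllPrincipals" = admin consented for everyone.
GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "u-001",
     "scope": "Calendars.ReadWrite Files.Read.All User.Read offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Mail.ReadWrite Files.ReadWrite.All User.Read"},
    {"clientId": "sp-3", "consentType": "Principal", "principalId": "u-002",
     "scope": "User.Read"},
]


def risky_scopes(scope_string):
    """Return the subset of a space-separated scope string that matches a high-risk pattern."""
    return sorted({s for s in scope_string.split()
                   if any(p.search(s) for p in HIGH_RISK_SCOPE_PATTERNS)})


def review_grants(grants, service_principals):
    """One finding per grant that carries a risky scope, worst first.

    Tenant-wide consent and an unverified publisher each raise the severity:
    both together is critical, either alone is high, neither is medium.
    """
    sps = {sp["id"]: sp for sp in service_principals}
    findings = []
    for grant in grants:
        scopes = risky_scopes(grant["scope"])
        if not scopes:
            continue
        sp = sps.get(grant["clientId"], {})
        tenant_wide = grant["consentType"] == "AllPrincipals"
        unverified = not sp.get("verifiedPublisher")
        if tenant_wide and unverified:
            severity = "critical"
        elif tenant_wide or unverified:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "app": sp.get("displayName", grant["clientId"]),
            "scopes": scopes,
            "tenant_wide": tenant_wide,
            "unverified_publisher": unverified,
            "severity": severity,
        })
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], f["app"]))


if __name__ == "__main__":
    for f in review_grants(GRANTS, SERVICE_PRINCIPALS):
        print(f"{f['severity']:8} {f['app']}: {' '.join(f['scopes'])}"
              f"{' [tenant-wide]' if f['tenant_wide'] else ''}"
              f"{' [unverified publisher]' if f['unverified_publisher'] else ''}")
```

Run against the constructed data, the unverified "Free PDF Converter" with admin consent for `Mail.ReadWrite` and `Files.ReadWrite.All` lands at the top as critical; the verified calendar app that one user granted `Files.Read.All` is medium; the app holding only `User.Read` produces no finding at all. Revoking a grant is done on the service principal, so the `clientId` is the identifier to carry into remediation.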
4. Email authentication
- SPF record is published and includes all legitimate sending sources
- DMARC record exists, with a policy stronger than monitor-only (p=quarantine or p=reject) once SPF and DKIM are verified
- DKIM signing is enabled for each custom domain in Microsoft 365 (Exchange Online signs a custom domain with that domain's own selectors only after the two selector CNAME records are published and DKIM is turned on for the domain)
- DMARC aggregate reports are being reviewed periodically to catch new unauthorized senders
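The SPF, DMARC and DKIM items above can be checked mechanically once the DNS records are in hand. The block below is an added example for this checklist, not code from M365 Health Score: it parses an SPF record (checking the `all` qualifier, the deprecated `ptr` mechanism and the ten-lookup limit of RFC 7208), parses a DMARC record (policy strength, `sp=`, `pct=` and the `rua=` address that aggregate reports depend on), and derives the two CNAMEs Exchange Online expects for a custom domain's DKIM selectors. The record strings are constructed; in a real audit they come from TXT lookups of the domain and of `_dmarc.<domain>` (for example with `dig` or `Resolve-DnsName`). Lookup counting stops at the top-level record; included records add their own lookups and must be fetched and counted recursively.

```python
"""Offline checks for SPF and DMARC TXT records, plus the DKIM CNAMEs Microsoft 365 expects.

Added example for this checklist, not code from M365 Health Score. The record
strings in SAMPLE_RECORDS are constructed.
"""

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
SPF_MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it yields permerror

# Constructed records for a fictional domain.
SAMPLE_RECORDS = {
    "spf_good": "v=spf1 include:spf.protection.outlook.com -all",
    "spf_open": "v=spf1 include:spf.protection.outlook.com +all",
    "dmarc_monitor": "v=DMARC1; p=none; rua=mailto:dmarc@contoso.example",
    "dmarc_enforced": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@contoso.example",
}


def check_spf(record):
    """Return a list of problems with an SPF record (empty list = no findings).

    Only top-level terms are counted toward the lookup limit; see the lead-in.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        t = term.lower()
        if "=" in t:                    # modifier: redirect= costs a lookup, exp= does not
            if t.startswith("redirect="):
                lookups += 1
            continue
        qualifier = "+"
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        mechanism = t.split(":", 1)[0].split("/", 1)[0]
        if mechanism in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        if mechanism == "ptr":
            findings.append("ptr mechanism is deprecated and slow; replace it")
        if mechanism == "all":
            all_qualifier = qualifier
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceeds the limit of {SPF_MAX_LOOKUPS} (permerror)")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any sender pass; use -all or ~all")
    return findings


def check_dmarc(record):
    """Return a list of problems with a DMARC record (empty list = no findings)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none is monitor-only; move to p=quarantine or p=reject once SPF and DKIM are verified")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unenforced while the organizational domain is enforced")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) == 100):
        findings.append(f"pct={pct} means the policy is not applied to all mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


def expected_m365_dkim_cnames(domain, initial_domain):
    """The two selector CNAMEs Exchange Online needs before DKIM can be enabled for a custom domain.

    initial_domain is the tenant's <tenant>.onmicrosoft.com domain; dots in the
    custom domain become dashes in the target host name.
    """
    slug = domain.replace(".", "-")
    return {f"selector{n}._domainkey.{domain}": f"selector{n}-{slug}._domainkey.{initial_domain}"
            for n in (1, 2)}


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        checker = check_spf if name.startswith("spf") else check_dmarc
        print(f"{name}: {checker(record) or 'OK'}")
    for host, target in expected_m365_dkim_cnames("contoso.example", "contoso.onmicrosoft.com").items():
        print(f"CNAME {host} -> {target}")
```

To verify DKIM, resolve both `selectorN._domainkey.<domain>` names and confirm each is a CNAME to the expected target; the record existing in DNS is necessary but not sufficient, since DKIM signing still has to be enabled for the domain in the Defender portal or with Exchange Online PowerShell.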
5. License waste
- Unassigned (purchased but unused) license seats are identified and reclaimed or cancelled
- Disabled user accounts no longer hold paid licenses
- Inactive users (no Exchange/Teams/SharePoint/OneDrive activity in 90+ days) are reviewed for license downgrade
- License tier assignments match actual usage (e.g. no E5 licenses on accounts only using email)
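The first three license items come straight from joining three Graph datasets: the tenant's subscribed SKUs, the user list with assigned licenses, and the Office 365 active-user activity report. The block below is an added example for this checklist, not code from M365 Health Score. Its sample data is constructed: field names follow `GET /v1.0/subscribedSkus`, `GET /v1.0/users?$select=userPrincipalName,accountEnabled,assignedLicenses` and the "Last Activity Date" column of `GET /v1.0/reports/getOffice365ActiveUserDetail(period='D90')`, while the users, SKU IDs, counts and dates are invented, and a fixed "as of" date is used so the results are reproducible.

```python
"""License-waste checks over Microsoft Graph-shaped data.

Added example for this checklist, not code from M365 Health Score. Sample data
is constructed: field names follow GET /v1.0/subscribedSkus, GET /v1.0/users
and the activity report GET /v1.0/reports/getOffice365ActiveUserDetail(period='D90');
every value is invented.

Caveat for the real report: if "Display concealed user, group, and site names
in all reports" is on in the admin center, the report shows hashed UPNs and
cannot be joined to the user list until that setting is turned off.
"""
from datetime import date, timedelta

AS_OF = date(2024, 6, 1)      # fixed "today" so the example is reproducible
INACTIVE_AFTER_DAYS = 90

# Constructed: GET /v1.0/subscribedSkus
SKUS = [
    {"skuId": "sku-e5", "skuPartNumber": "SPE_E5", "consumedUnits": 3,
     "prepaidUnits": {"enabled": 10, "suspended": 0, "warning": 0}},
    {"skuId": "sku-e3", "skuPartNumber": "SPE_E3", "consumedUnits": 2,
     "prepaidUnits": {"enabled": 2, "suspended": 0, "warning": 0}},
]

# Constructed: GET /v1.0/users?$select=userPrincipalName,accountEnabled,assignedLicenses
USERS = [
    {"userPrincipalName": "alice@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-e5"}]},
    {"userPrincipalName": "bob@contoso.example", "accountEnabled": False,
     "assignedLicenses": [{"skuId": "sku-e5"}]},
    {"userPrincipalName": "carol@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-e3"}]},
    {"userPrincipalName": "dave@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-e3"}]},
    {"userPrincipalName": "eve@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-e5"}]},
]

# Constructed: UPN -> "Last Activity Date" from the activity report; None = no activity recorded
LAST_ACTIVITY = {
    "alice@contoso.example": "2024-05-30",
    "bob@contoso.example": "2023-11-02",
    "carol@contoso.example": "2024-02-10",
    "dave@contoso.example": None,
    "eve@contoso.example": "2024-04-01",
}


def unassigned_seats(skus):
    """Purchased-but-unassigned seats per SKU part number (only SKUs with spare seats)."""
    return {s["skuPartNumber"]: s["prepaidUnits"]["enabled"] - s["consumedUnits"]
            for s in skus if s["prepaidUnits"]["enabled"] > s["consumedUnits"]}


def disabled_users_with_licenses(users):
    """Disabled accounts that still hold at least one paid license."""
    return sorted(u["userPrincipalName"] for u in users
                  if not u["accountEnabled"] and u["assignedLicenses"])


def inactive_licensed_users(users, skus, last_activity, as_of=AS_OF, days=INACTIVE_AFTER_DAYS):
    """Enabled, licensed users with no recorded activity in the last `days` days.

    Returns (upn, sku part numbers, last activity date) tuples. Disabled
    accounts are skipped here because disabled_users_with_licenses reports them.
    """
    sku_names = {s["skuId"]: s["skuPartNumber"] for s in skus}
    cutoff = as_of - timedelta(days=days)
    result = []
    for u in users:
        if not u["accountEnabled"] or not u["assignedLicenses"]:
            continue
        raw = last_activity.get(u["userPrincipalName"])
        last = date.fromisoformat(raw) if raw else None
        if last is None or last < cutoff:
            names = ",".join(sku_names.get(l["skuId"], l["skuId"]) for l in u["assignedLicenses"])
            result.append((u["userPrincipalName"], names, raw))
    return result


def run_license_checks(users=USERS, skus=SKUS, last_activity=LAST_ACTIVITY):
    """Return all three license findings as a dict; an empty value means the check passed."""
    return {
        "unassigned_seats": unassigned_seats(skus),
        "disabled_users_with_licenses": disabled_users_with_licenses(users),
        "inactive_licensed_users": inactive_licensed_users(users, skus, last_activity),
    }


if __name__ == "__main__":
    for check, result in run_license_checks().items():
        print(f"{'REVIEW' if result else 'OK'}  {check}: {result}")
```

On the constructed data this surfaces seven unused E5 seats, one disabled account still consuming an E5 license, and two enabled E3 users with no activity inside the 90-day window (one of them with no recorded activity at all). The fourth item, matching license tier to actual usage, needs per-workload activity columns from the same report and a judgement about what each tier is for, so it is left to the reviewer.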
Skip the manual work — connect your tenant and get every item above checked automatically, scored out of 100, with a PDF and Excel report.
Frequently asked questions
How often should I run a Microsoft 365 security audit?
Quarterly is a reasonable baseline for most small and mid-sized organizations; monthly if you're in a regulated industry or have frequent staff turnover.
Do I need Defender or E5 licensing to do this?
No. Every item on this checklist is checkable with standard admin access. M365 Health Score uses only read-only Graph API permissions available on any Microsoft 365 plan.
Is this the same as a penetration test?
No. This is a configuration and posture audit — checking settings, permissions, and exposure. A penetration test actively attempts to exploit vulnerabilities and is a separate, more involved exercise.
Is there a Microsoft 365 assessment tool that automates this checklist?
Yes — M365 Health Score is a Microsoft 365 / Office 365 security assessment tool that runs every item on this checklist automatically via a read-only Graph API scan, then scores the result out of 100 with a PDF and Excel report.