Microsoft 365 has quietly become the operational core of most organisations — identity, email, files and collaboration all in one tenant. That also makes it one of the most attractive targets, and one that is rarely reviewed formally. A Microsoft 365 security audit checks whether that core is actually configured to resist the attacks aimed at it. This is the checklist.
At a glance
- Why it matters: M365 is business-critical and a top target, yet often never formally reviewed.
- The focus: identity first — Entra ID, MFA and Conditional Access — then email, collaboration and detection.
- The outcome: a prioritised roadmap, not a one-off tick-box.
Why a business should review Microsoft 365 security
The usual triggers: M365 is now critical to operations; there has never been a formal review; there is doubt about identity, MFA or privileges; there have been major changes; or the business needs better traceability. Any one of these is reason enough — account takeover through M365 is one of the most common incidents we see, as covered in Microsoft 365 account takeover.
The most frequent risks in Microsoft 365
Recurring problems include over-privileged identities, poorly designed MFA, insufficient Conditional Access, exposed email, ungoverned external collaboration, and a lack of useful visibility or continuous review. Each is a well-trodden path for attackers.
The checklist: what to audit
A serious audit works methodically through nine areas, and each should end with risk signals and expected outcomes:
- 1. Identity and Entra ID. Accounts, roles and privileged access across the identity estate.
- 2. MFA. Coverage and strength — phishing-resistant where it matters, not just enabled on paper.
- 3. Conditional Access. Policies that actually constrain risky access rather than nominal rules.
- 4. Privileged and admin accounts. Least privilege, just-in-time access and separation of duties.
- 5. Exchange Online and email security. Anti-phishing, forwarding rules and exposure.
- 6. SharePoint, OneDrive and Teams. Sharing, external access and data governance.
- 7. Applications and consent. OAuth app consent and the exposure it creates.
- 8. Logging, alerts and detection. Would you see an intrusion? Feed it into a SOC for businesses.
- 9. General tenant hardening. Secure defaults across the tenant.
Common mistakes in an internal M365 audit
Internal reviews tend to stay superficial, skip prioritisation, fail to connect security to business impact, treat privileges lightly, and never turn results into a roadmap. A review that does not change anything is not an audit.
When to move from an internal review to a specialist audit
Use this checklist as a self-assessment and to prepare, but bring in a specialist Microsoft 365 security audit when the tenant is business-critical, when privileges and Conditional Access are non-trivial, or when you need independent evidence. To scope one, talk to us.