The Complete Microsoft 365 Security Assessment Checklist for 2026
Why Every Organization Needs a Microsoft 365 Security Assessment
With over 400 million paid Microsoft 365 seats worldwide, M365 has become the backbone of modern business. But with that ubiquity comes risk. Misconfigurations, stale permissions, and overlooked security settings create attack surfaces that threat actors actively exploit.
A structured security assessment is the fastest way to identify gaps before they become breaches. Whether you’re an MSP auditing a client’s environment or an IT admin reviewing your own tenant, this checklist covers every critical area.
Identity and Access Management
Identity is the new perimeter. Start your assessment here because compromised credentials are involved in over 80% of breaches.
- Multi-Factor Authentication (MFA): Verify MFA is enforced for all users, not just admins. Check for legacy authentication protocols that bypass MFA. Review per-user MFA vs. Conditional Access-based MFA (Conditional Access is the recommended approach).
- Conditional Access Policies: Audit existing policies for gaps. Ensure policies cover sign-in risk, device compliance, location-based restrictions, and session controls. Look for overly permissive “exclude” groups.
- Privileged Accounts: Inventory all Global Admins (there should be no more than 4-5). Verify Privileged Identity Management (PIM) is enabled for just-in-time access. Check for standing admin permissions that should be time-limited.
- Guest Access: Review external user accounts. Remove stale guest accounts. Audit what resources guests can access.
- Password Policies: Confirm password expiration settings align with NIST guidelines (which now recommend against forced rotation). Check for banned password lists.
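An added example (not part of the original checklist) of how the Global Admin head count and Conditional Access items above can be read out with Microsoft Graph PowerShell. It assumes the Microsoft.Graph module is installed and an account that can consent to the read-only scopes listed; the legacy per-user MFA state is not exposed through these cmdlets and is left out.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph module and an
# account that can consent to the read-only scopes below.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All", "Policy.Read.All" -NoWelcome

# --- 1. Global Administrator head count (checklist target: no more than 4-5) ---
# Filtered client-side; directoryRole supports only a limited server-side $filter.
$gaRole    = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
Write-Host "Active Global Administrator assignments: $($gaMembers.Count)"
foreach ($m in $gaMembers) {
    # Members come back as generic directoryObjects; the UPN sits in AdditionalProperties.
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $upn) { $upn = "$($m.AdditionalProperties['displayName']) (group or service principal)" }
    Write-Host "  $upn"
}
if ($gaMembers.Count -gt 5) {
    Write-Warning "More than 5 standing Global Admins: move the extras to PIM-eligible assignments."
}

# --- 2. Conditional Access: enforced? requires MFA? blocks legacy auth? how many exclusions? ---
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $controls   = @($p.GrantControls.BuiltInControls)
    $clientApps = @($p.Conditions.ClientAppTypes)
    # Legacy auth = Exchange ActiveSync and "other clients" (or "all"); a policy only counts
    # as blocking it when it targets those client app types AND its grant control is "block".
    $blocksLegacy = ($clientApps -contains 'exchangeActiveSync' -or $clientApps -contains 'other' -or
                     $clientApps -contains 'all') -and ($controls -contains 'block')
    [pscustomobject]@{
        Policy           = $p.DisplayName
        State            = $p.State   # enabled | disabled | enabledForReportingButNotEnforced
        RequiresMfa      = $controls -contains 'mfa'
        BlocksLegacyAuth = $blocksLegacy
        ExcludedUsers    = ($p.Conditions.Users.ExcludeUsers  | Measure-Object).Count
        ExcludedGroups   = ($p.Conditions.Users.ExcludeGroups | Measure-Object).Count
    }
}
$report | Format-Table -AutoSize

$enforced = $report | Where-Object State -eq 'enabled'
if (-not ($enforced | Where-Object BlocksLegacyAuth)) {
    Write-Warning "No enabled policy blocks legacy authentication, so MFA can still be bypassed by basic-auth clients."
}
if (-not ($enforced | Where-Object RequiresMfa)) { Write-Warning "No enabled policy requires MFA." }
$report | Where-Object State -eq 'enabledForReportingButNotEnforced' |
    ForEach-Object { Write-Warning "Report-only, not enforcing: $($_.Policy)" }
```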
Email Security and Mail Flow
Email remains the number one attack vector. These settings are often misconfigured or left at defaults.
- SPF, DKIM, and DMARC: Verify all three are configured and aligned. Check DMARC policy (should be p=quarantine or p=reject, not p=none in production). Review DMARC aggregate reports for unauthorized senders.
- Anti-Phishing Policies: Ensure Defender for Office 365 anti-phishing policies are active. Check impersonation protection for VIPs and domains. Review mailbox intelligence settings.
- Anti-Spam and Anti-Malware: Audit Safe Links and Safe Attachments policies. Check for mail flow rules that might bypass filtering. Review quarantine policies and end-user access.
- Mail Flow Rules (Transport Rules): Audit all transport rules for overly broad forwarding. Look for rules that strip headers or bypass spam filtering. Check for auto-forwarding to external addresses (a common exfiltration technique).
- Unified Audit Logging: Confirm audit logging is enabled (it should be on by default, but verify). Check retention period (default is 90 days; extend to 1 year if possible with licensing).
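An added example (not from the original article) that walks the mail-flow items above in Exchange Online PowerShell: SPF/DKIM/DMARC per accepted domain, transport rules that redirect mail or bypass filtering, auto-forwarding at tenant, mailbox and inbox-rule level, and the unified audit log switch. It assumes the ExchangeOnlineManagement module and Resolve-DnsName (Windows DnsClient module) are available; the Get-TxtRecord helper is defined here, not a built-in.

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module and
# Resolve-DnsName (Windows DnsClient); a View-Only Organization Management role suffices.
Connect-ExchangeOnline -ShowBanner:$false

function Get-TxtRecord([string]$Name) {
    # Helper defined here: all TXT strings for a name joined into one line ('' if none exist).
    (Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue).Strings -join ' '
}

# --- 1. SPF / DKIM / DMARC for every accepted domain ---
$domains = foreach ($d in Get-AcceptedDomain) {
    $name  = $d.DomainName.ToString()
    $dmarc = Get-TxtRecord "_dmarc.$name"
    # Anchor on "p=" so the subdomain tag "sp=" is not mistaken for the policy.
    $policy = if ($dmarc -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    $dkim   = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Domain      = $name
        SpfPresent  = (Get-TxtRecord $name) -match 'v=spf1'
        DkimEnabled = [bool]$dkim.Enabled
        DmarcPolicy = $policy   # checklist: quarantine or reject, never none, in production
    }
}
$domains | Format-Table -AutoSize
$domains | Where-Object { $_.DmarcPolicy -in 'none', 'missing' -or -not $_.SpfPresent } |
    ForEach-Object { Write-Warning "$($_.Domain): SPF=$($_.SpfPresent) DMARC=$($_.DmarcPolicy)" }

# --- 2. Transport rules that redirect or copy mail, strip headers, or skip spam filtering ---
Get-TransportRule | Where-Object {
    $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.AddToRecipients -or
    $_.RemoveHeader -or $_.SetHeaderName -or $_.SetSCL -eq -1   # SCL -1 = bypass spam filtering
} | Select-Object Name, State, Priority, RedirectMessageTo, BlindCopyTo, SetSCL | Format-Table -AutoSize

# --- 3. Auto-forwarding: tenant-wide switches first, then mailbox and inbox-rule forwards ---
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode        # Off is the safe value
Write-Host "Default remote domain AutoForwardEnabled: $((Get-RemoteDomain Default).AutoForwardEnabled)"
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
foreach ($mb in $mailboxes) {   # slow on large tenants: one call per mailbox
    Get-InboxRule -Mailbox $mb.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{n='Mailbox';e={$mb.UserPrincipalName}}, Name, Enabled, ForwardTo, RedirectTo
}

# --- 4. Unified audit log ingestion (default on, but verify) ---
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) { Write-Warning "Unified audit logging is OFF" }
```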
SharePoint and OneDrive Security
File sharing misconfigurations are one of the most common findings in M365 assessments.
- External Sharing Settings: Review sharing levels for SharePoint and OneDrive. Check for “Anyone” links (anonymous sharing) — disable if not required. Set expiration on sharing links.
- Site-Level Permissions: Audit site collection permissions for oversharing. Look for sites shared with “Everyone except external users” (includes all employees). Review guest access per site.
- Data Loss Prevention (DLP): Check DLP policies for sensitive data types (SSN, credit cards, health records). Verify DLP is active across SharePoint, OneDrive, and Exchange.
- Sensitivity Labels: Review Microsoft Information Protection labels. Ensure labels are applied to sensitive content. Check auto-labeling policies.
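An added example (not from the original article) covering the external-sharing and site-permission items above with the SharePoint Online Management Shell: the tenant's "Anyone" link settings and expiration, then each site's sharing level and whether the "Everyone except external users" or "Everyone" claim has been granted access. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator; "contoso" is a placeholder tenant name.

```powershell
# Added example (not from the article). Requires the Microsoft.Online.SharePoint.PowerShell
# module and a SharePoint Administrator; "contoso" is a placeholder tenant name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# --- 1. Tenant-wide sharing posture ---
$t = Get-SPOTenant
[pscustomobject]@{
    SharingCapability     = $t.SharingCapability               # ExternalUserAndGuestSharing = "Anyone" links allowed
    OneDriveSharing       = $t.OneDriveSharingCapability
    AnyoneLinkExpiryDays  = $t.RequireAnonymousLinksExpireInDays  # -1 = "Anyone" links never expire
    AnyoneFilePermission  = $t.FileAnonymousLinkType              # View is safer than Edit
    DefaultLinkType       = $t.DefaultSharingLinkType             # AnonymousAccess as the default is the risky case
    DefaultLinkPermission = $t.DefaultLinkPermission
} | Format-List
if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing' -and $t.RequireAnonymousLinksExpireInDays -lt 1) {
    Write-Warning "Anonymous 'Anyone' links are enabled and never expire; set an expiration or disable them."
}

# --- 2. Per site: sharing level plus claims that grant every employee access ---
# "Everyone except external users" appears as the spo-grid-all-users claim,
# "Everyone" as c:0(.s|true; both show up as users or group members on the site.
$broadClaims = '*spo-grid-all-users*', 'c:0(.s|true*'
$findings = foreach ($site in Get-SPOSite -Limit All) {   # one extra call per site; slow on large tenants
    $broad = Get-SPOUser -Site $site.Url -Limit All -ErrorAction SilentlyContinue |
        Where-Object { $login = $_.LoginName; $broadClaims | Where-Object { $login -like $_ } }
    [pscustomobject]@{
        Url              = $site.Url
        SiteSharing      = $site.SharingCapability
        BroadGroupAccess = [bool]$broad
    }
}
$findings | Where-Object { $_.BroadGroupAccess -or $_.SiteSharing -eq 'ExternalUserAndGuestSharing' } |
    Sort-Object SiteSharing -Descending | Format-Table -AutoSize
```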
Microsoft Teams Security
Teams has become the hub for collaboration, but its default settings are often too permissive.
- Guest Access in Teams: Review whether guests can create, update, or delete channels. Check guest access expiration settings. Audit active guest users across teams.
- Meeting Policies: Review who can present, record, and use features in meetings. Check lobby settings for anonymous and external participants. Audit meeting recording storage locations.
- App Permissions: Review third-party apps installed in Teams. Check app permission policies (who can install what). Audit existing connectors and bots.
- Channel and Team Creation: Determine if all users can create teams (often leads to sprawl). Review naming conventions and expiration policies.
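An added example (not from the original article) that reads the Teams settings behind the four items above: the guest-access switch and Global meeting policy, the Global app permission policy, and who may create teams plus the group expiration policy (the latter two are Entra ID group settings, so they come from Microsoft Graph). It assumes the MicrosoftTeams and Microsoft.Graph modules and a Teams Administrator.

```powershell
# Added example (not from the article). Requires the MicrosoftTeams and Microsoft.Graph
# modules; a Teams Administrator can read every setting queried here.
Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes "Directory.Read.All" -NoWelcome

# --- 1. Guest switch and meeting defaults from the org-wide Global policy ---
$client  = Get-CsTeamsClientConfiguration -Identity Global
$meeting = Get-CsTeamsMeetingPolicy -Identity Global
[pscustomobject]@{
    GuestAccessEnabled = $client.AllowGuestUser
    AnonymousCanJoin   = $meeting.AllowAnonymousUsersToJoinMeeting
    AnonymousCanStart  = $meeting.AllowAnonymousUsersToStartMeeting   # should be $false
    LobbyBypass        = $meeting.AutoAdmittedUsers   # EveryoneInCompany holds anonymous/external users in the lobby
    WhoCanPresent      = $meeting.DesignatedPresenterRoleMode
    CloudRecording     = $meeting.AllowCloudRecording
} | Format-List
if ($meeting.AutoAdmittedUsers -eq 'Everyone') { Write-Warning "Lobby is bypassed for everyone, including anonymous joiners." }

# --- 2. App permission policy: which catalogs users may install from ---
# AllowedAppList = allow-list mode (tighter); BlockedAppList = anything not explicitly blocked is allowed.
Get-CsTeamsAppPermissionPolicy -Identity Global |
    Select-Object DefaultCatalogAppsType, GlobalCatalogAppsType, PrivateCatalogAppsType

# --- 3. Who may create teams (Group.Unified directory setting) and whether teams expire ---
$unified = Get-MgGroupSetting -All | Where-Object DisplayName -eq 'Group.Unified'
$setting = @{}; foreach ($v in $unified.Values) { $setting[$v.Name] = $v.Value }
if (-not $unified -or $setting['EnableGroupCreation'] -ne 'false') {
    Write-Warning "Every user can create Microsoft 365 Groups and therefore teams (sprawl risk)."
} elseif ($setting['GroupCreationAllowedGroupId']) {
    $g = Get-MgGroup -GroupId $setting['GroupCreationAllowedGroupId']
    Write-Host "Team creation restricted to members of: $($g.DisplayName)"
} else {
    Write-Host "Team creation disabled for all users (admins only)."
}
$lifecycle = Get-MgGroupLifecyclePolicy
if (-not $lifecycle) { Write-Warning "No group expiration policy configured." }
else { $lifecycle | Select-Object GroupLifetimeInDays, ManagedGroupTypes, AlternateNotificationEmails }
```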
Compliance and Data Protection
Compliance settings protect the organization from regulatory risk and data loss.
- Retention Policies: Verify retention policies are set for email, Teams, SharePoint, and OneDrive. Check for litigation hold on relevant mailboxes. Review deleted item retention.
- eDiscovery: Ensure eDiscovery roles are assigned appropriately. Test search and export capabilities. Review compliance boundaries if applicable.
- Audit Log Monitoring: Set up alert policies for suspicious activities (mass file downloads, impossible travel, mail forwarding rule creation). Review Microsoft Secure Score and address recommendations.
- Compliance Manager: Check compliance score across frameworks (NIST, HIPAA, SOC 2, CIS). Review improvement actions and prioritize high-impact items.
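An added example (not from the original article) for the retention, eDiscovery and alert-policy items above. Mailbox holds are read from Exchange Online; retention policies, alert policies and eDiscovery role groups live in Security & Compliance PowerShell, which is connected last so its cmdlets win for names both sessions share. It assumes the ExchangeOnlineManagement module; Compliance Manager scores have no PowerShell surface and are left to the portal.

```powershell
# Added example (not from the article). Requires the ExchangeOnlineManagement module.
# Mailbox checks use the Exchange Online session; retention, alert policies and eDiscovery
# roles live in Security & Compliance PowerShell, connected last so its cmdlets take
# precedence for names both sessions share (for example Get-RoleGroupMember).
Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Litigation hold and deleted-item retention ---
Get-Mailbox -ResultSize Unlimited -Filter "LitigationHoldEnabled -eq 'True'" |
    Select-Object UserPrincipalName, LitigationHoldDate, LitigationHoldDuration | Format-Table -AutoSize
Get-Mailbox -ResultSize Unlimited |
    Where-Object { [timespan]$_.RetainDeletedItemsFor -lt [timespan]::FromDays(30) } |
    Select-Object UserPrincipalName, RetainDeletedItemsFor   # default is 14 days; 30 is the maximum

Connect-IPPSSession

# --- 2. Retention policies per workload; warn where a workload has no enabled policy ---
$policies = Get-RetentionCompliancePolicy -DistributionDetail
$policies | Select-Object Name, Enabled, Mode, Workload, DistributionStatus | Format-Table -AutoSize
foreach ($w in 'Exchange', 'SharePoint', 'OneDriveForBusiness', 'Teams') {
    $covered = $policies | Where-Object { $_.Enabled -and ("$($_.Workload)" -like "*$w*") }
    if (-not $covered) { Write-Warning "No enabled retention policy covers $w" }
}

# --- 3. Alert policies named in the checklist: forwarding rules, mass downloads, impossible travel ---
$alerts = Get-ProtectionAlert
$alerts | Where-Object { $_.Name -match 'forward|redirect|download|travel|unusual' } |
    Select-Object Name, Disabled, Severity, Category | Format-Table -AutoSize
$alerts | Where-Object Disabled | ForEach-Object { Write-Warning "Alert policy disabled: $($_.Name)" }

# --- 4. Who holds eDiscovery rights (role group members and per-case admins) ---
Get-RoleGroupMember -Identity "eDiscovery Manager" | Select-Object Name, RecipientType
Get-eDiscoveryCaseAdmin | Select-Object Name
```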
Microsoft Secure Score Review
Microsoft Secure Score provides a numerical representation of your security posture, but context matters.
- Current Score vs. Maximum: Document your current Secure Score percentage. Identify the top 10 improvement actions by point value.
- Prioritize by Impact: Focus on identity-related actions first (they have the highest ROI). Address “quick wins” that require configuration changes only. Plan longer-term improvements that need licensing or user training.
- Compare Over Time: Track Secure Score monthly to measure improvement. Set target scores per category (Identity, Data, Device, Apps, Infrastructure).
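An added example (not from the original article) that turns the three Secure Score steps above into a Microsoft Graph PowerShell report: current score and percentage, the top 10 improvement actions by remaining points, identity "quick wins" (low implementation cost), and per-category earned/maximum totals to track month over month. It assumes the Microsoft.Graph module and the read-only SecurityEvents.Read.All scope.

```powershell
# Added example (not from the article). Requires the Microsoft.Graph module;
# SecurityEvents.Read.All is a read-only scope.
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# Newest daily snapshot plus the control catalogue (maximum points per control).
$latest   = Get-MgSecuritySecureScore -All | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$profiles = Get-MgSecuritySecureScoreControlProfile -All
$byId     = @{}; foreach ($pr in $profiles) { $byId[$pr.Id] = $pr }

$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
Write-Host ("Secure Score: {0} / {1} ({2}%) as of {3:d}" -f $latest.CurrentScore, $latest.MaxScore, $pct, $latest.CreatedDateTime)

# One row per control: points still available = catalogue maximum - points earned.
$rows = foreach ($cs in $latest.ControlScores) {
    $pr = $byId[$cs.ControlName]
    if (-not $pr) { continue }   # control scored but no longer in the catalogue
    [pscustomobject]@{
        Category   = $cs.ControlCategory   # Identity, Data, Device, Apps, Infrastructure
        Control    = $pr.Title
        Earned     = [math]::Round($cs.Score, 1)
        Max        = $pr.MaxScore
        Gap        = [math]::Round($pr.MaxScore - $cs.Score, 1)
        Cost       = $pr.ImplementationCost   # Low / Moderate / High: "quick wins" are Low
        UserImpact = $pr.UserImpact
        Status     = $cs.AdditionalProperties['implementationStatus']
    }
}

# Checklist step 1: top 10 improvement actions by point value.
$rows | Sort-Object Gap -Descending | Select-Object -First 10 |
    Format-Table Category, Control, Gap, Cost, UserImpact -AutoSize
# Step 2: identity first, configuration-only quick wins.
$rows | Where-Object { $_.Category -eq 'Identity' -and $_.Gap -gt 0 -and $_.Cost -eq 'Low' } |
    Sort-Object Gap -Descending | Format-Table Control, Gap, Status -AutoSize
# Step 3: per-category baseline to set targets and compare month over month.
$rows | Group-Object Category | ForEach-Object {
    [pscustomobject]@{ Category = $_.Name
                       Earned   = [math]::Round(($_.Group | Measure-Object Earned -Sum).Sum, 1)
                       Max      = ($_.Group | Measure-Object Max -Sum).Sum }
} | Format-Table -AutoSize
```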
How 365 Security Assessment Automates This Process
Going through this checklist manually takes hours per tenant. For MSPs managing dozens or hundreds of clients, it simply does not scale.
365 Security Assessment automates forensic-level audits across all of these areas and more — analyzing over 11,000 data points against 24,000+ expert-curated security rules. The platform generates comprehensive PDF reports with findings, risk scores, and prioritized remediation steps in minutes, not hours.
The tool is 100% read-only, MITRE ATT&CK mapped, and designed specifically for MSPs and MSSPs who need to deliver security assessments at scale.
Ready to automate your M365 security assessments? Start your free assessment today.