Microsoft 365 is the backbone of most modern enterprises, but out-of-the-box, it is not secure enough to protect against today's sophisticated phishing, ransomware, and data exfiltration attacks.
If you are an IT administrator or an MSP taking over a new tenant, your first priority must be a comprehensive security audit. A single misconfigured SharePoint sharing setting or legacy authentication protocol can lead to a catastrophic breach.
Here is the blueprint for auditing a Microsoft 365 tenant effectively.
1. Identity and Access Management (Azure AD)
Identity is the new perimeter. If an attacker compromises an account, they have the keys to the kingdom.
What to check:
- MFA Status: Ensure Multi-Factor Authentication is enforced for all users, with zero exceptions for VIPs.
- Conditional Access Policies: Verify that policies block logins from high-risk countries and require compliant devices for accessing sensitive data.
- Legacy Authentication: Ensure legacy protocols (IMAP, POP3) are completely blocked across the tenant, as they bypass MFA.
- Global Admins: Restrict Global Administrator roles to a maximum of 3-5 dedicated, cloud-only accounts that are not used for daily email.
2. Exchange Online Security
Email remains the number one attack vector for businesses.
What to check:
- Email Authentication: Verify that SPF, DKIM, and DMARC are properly configured in DNS and enforced in Exchange to prevent domain spoofing.
- Anti-Phishing & Anti-Spam: Review the default threat policies in Microsoft Defender for Office 365. The "Standard" preset is often too lenient for high-target industries.
- Mail Forwarding Rules: Audit the tenant for any auto-forwarding rules sending company emails to external domains (a common sign of a compromised account).
3. SharePoint and OneDrive Governance
Data leakage often happens internally through poorly managed sharing settings.
What to check:
- External Sharing: Ensure the default sharing link is set to "Specific people" rather than "Anyone with the link" (Anonymous).
- Guest Access: Review which external domains are allowed to collaborate in your tenant. Consider implementing an allow-list for B2B collaboration.
- Site Permissions: Audit high-value SharePoint sites (Finance, HR, Legal) to ensure permissions are granted via Groups, not individual user assignments.
4. Microsoft Teams Configuration
Teams sprawl can lead to uncontrolled data sprawl.
What to check:
- External Communication: Verify if external federation is open to all domains or restricted.
- Guest Access in Teams: Check if guests are allowed to share files, delete messages, or create channels.
- App Permissions: Review the list of allowed third-party apps in Teams. Users should not be able to install unvetted applications that request access to company data.
The Fastest Way to Audit a Tenant
Performing this audit manually by clicking through the Microsoft 365 Admin Center, Azure AD, Exchange Admin Center, and Teams Admin Center takes days and it is incredibly easy to miss a critical setting.
If you want to ensure you don't miss a single vulnerability, you need a structured framework.
Get the Complete Audit Framework
Stop guessing what to check. Use the Microsoft 365 Tenant Audit Checklist — a comprehensive 150-point security and compliance checklist used by IT admins at global enterprises. It covers every critical setting across Azure AD, Exchange, SharePoint, Teams, and Intune.
Securing a tenant isn't a one-time event, but a thorough initial audit is the foundation of a secure environment. Don't leave your company's data to chance.
Top comments (0)