Microsoft 365 Security Checklist

50-Point Comprehensive Security Audit for Your Organization

Version 2.0 | Updated December 2025 | stgengineer.com

How to Use This Checklist

Work through each section systematically. Check off items as you verify or implement them. Items are prioritized by risk level. Critical items should be addressed immediately, while lower priority items can be scheduled for later implementation.

Priority breakdown: 9 Critical, 20 High, 14 Medium, 7 Low (50 items in total).

Identity & Access Management (12 items)

Enable Multi-Factor Authentication (MFA) for all users
Require MFA for every account, including shared and service accounts that sign in interactively. Prefer phishing-resistant methods (FIDO2 security keys, passkeys, Windows Hello for Business); where Microsoft Authenticator is used, keep number matching on, and treat SMS and voice call as fallback only, since they are phishable and SIM-swappable.
Critical
Disable legacy authentication protocols
Legacy authentication (Basic auth over IMAP, POP3, SMTP AUTH, Exchange ActiveSync and older Office clients) cannot complete MFA, so a sprayed or leaked password alone gets in. Exchange Online has already turned Basic auth off for most protocols, but SMTP AUTH is still controlled per tenant and per mailbox: disable it wherever it is not needed, block legacy client apps in a Conditional Access policy, and check the sign-in logs for anything still using them before you enforce.
Critical
Configure Conditional Access policies
Build the baseline set in report-only mode first, then enforce: MFA for all users, phishing-resistant MFA and restricted portal access for admin roles, compliant or hybrid-joined devices for access to company data, a block on legacy authentication, and a block or challenge for risky sign-ins. Exclude only the break-glass accounts.
Critical
Enable Microsoft Entra ID Protection (formerly Azure AD Identity Protection)
Detects leaked credentials, password spray, anomalous token use and other risk signals, and exposes user risk and sign-in risk to Conditional Access. Requires Entra ID P2.
High
Implement Privileged Identity Management (PIM)
Replace standing admin assignments with eligible ones that are activated just-in-time, with MFA, a justification, a short activation window (hours, not days) and approval for the most sensitive roles. Requires Entra ID P2.
High
Review Global Administrator accounts (keep to 2-4, never just one)
Audit every active and eligible Global Admin. Give day-to-day administrators the least-privileged built-in role that fits (Exchange Administrator, User Administrator, Security Reader, and so on), and keep admin accounts as separate cloud-only identities, not the same account a person uses for email.
Critical
Enable Entra Password Protection and review smart lockout
Password Protection blocks Microsoft's global banned-password list plus a custom list of organization-specific terms (company name, products, local teams); extend it to on-premises Active Directory in hybrid setups. Smart lockout is on by default in Entra ID; tune the threshold and duration rather than disabling it.
High
Configure self-service password reset (SSPR)
Require two authentication methods for a reset, do not offer security questions, and, in hybrid environments, enable password writeback so the reset also lands in on-premises AD.
Medium
Review and clean up guest accounts
Use access reviews to recertify guests, remove guests with no sign-in for 60-90 days, restrict what guests can see (guest user access restrictions) and limit who can invite them.
Medium
Enable risk-based Conditional Access (sign-in risk and user risk)
Require MFA for medium-or-higher sign-in risk and a secure password change for high user risk, and alert on high risk so someone investigates. This uses the Identity Protection signals above, so it also needs Entra ID P2.
High
Configure session controls appropriately
Set sign-in frequency and disable persistent browser sessions on unmanaged devices and for admin roles; longer sessions are acceptable on compliant managed devices. Continuous access evaluation shortens the window in which a revoked or risky session stays valid.
Low
Implement break-glass emergency access accounts
Create two cloud-only accounts (on the .onmicrosoft.com domain, not synced from on-premises) with permanent Global Administrator, excluded from every Conditional Access policy, with FIDO2 keys or long random passwords stored offline in separate locations. Alert on every sign-in by these accounts and test them on a schedule.
High
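The following PowerShell is an added example, not part of the original checklist, that checks three of the items above in one pass: active Global Administrator membership, whether an enabled Conditional Access policy blocks legacy authentication, and which users still signed in with a legacy protocol in the last 7 days. It assumes the Microsoft Graph PowerShell SDK, an account with read access to roles, policies and sign-in logs, and Entra ID P1 for the sign-in log. The client-app names in $legacyApps are the values Entra reports for legacy protocols, and the role template ID is the well-known Global Administrator one.

```powershell
# Added example (not from the checklist): three identity checks in one pass.
# Assumes the Microsoft.Graph PowerShell SDK, a reader-level admin account, and
# Entra ID P1 (needed to read sign-in logs).
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'Policy.Read.All', 'AuditLog.Read.All' -NoWelcome

# 1. Active Global Administrator members. PIM-eligible assignments are not activated
#    roles and so do not appear here; review those in PIM separately.
$gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # well-known Global Administrator template
$gaRole = Get-MgDirectoryRole -All | Where-Object RoleTemplateId -eq $gaTemplateId
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All | ForEach-Object {
    $p = $_.AdditionalProperties
    $name = if ($p.userPrincipalName) { $p.userPrincipalName } else { $p.displayName }
    [pscustomobject]@{
        Type = ($p.'@odata.type' -replace '#microsoft.graph.', '')   # user, group or servicePrincipal
        Name = $name
    }
}
"Global Administrators: $($gaMembers.Count) (target 2-4, including break-glass)"
$gaMembers | Format-Table -AutoSize

# 2. Is there an enabled Conditional Access policy that blocks legacy auth for all users?
$legacyBlock = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and          # 'other' = legacy protocols
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}
if ($legacyBlock) { "Legacy auth blocked by: $($legacyBlock.DisplayName -join ', ')" }
else              { 'WARNING: no enabled CA policy blocks legacy authentication for all users' }

# 3. Who still used a legacy protocol in the last 7 days (interactive sign-ins).
#    Values are the 'Client app' names Entra reports for legacy protocols.
$legacyApps = 'Other clients', 'Exchange ActiveSync', 'IMAP4', 'POP3', 'SMTP', 'Authenticated SMTP',
              'Exchange Web Services', 'MAPI Over HTTP', 'Offline Address Book',
              'Outlook Anywhere (RPC over HTTP)', 'Outlook Service for Exchange'
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $legacyApps -contains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].UserPrincipalName
            Protocol = $_.Group[0].ClientAppUsed
            SignIns  = $_.Count
            Success  = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastIP   = $_.Group[0].IPAddress
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize
```

Run step 3 before enabling the blocking policy: a successful legacy sign-in from a scanner, a multifunction printer or a line-of-business app is the thing that breaks when you enforce, and it is far cheaper to migrate it first than to roll the policy back.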

Email Security (10 items)

Configure SPF record correctly
Publish exactly one v=spf1 TXT record that lists every legitimate sender (Exchange Online via include:spf.protection.outlook.com, plus any marketing, ticketing or device relays), ends in -all, and stays within the 10-DNS-lookup limit. More than one record, or more than 10 lookups, is a permerror, and receivers then treat the domain as if it had no SPF at all.
Critical
Enable DKIM signing for all domains
Exchange Online signs the default .onmicrosoft.com domain automatically, but each custom domain needs its selector1 and selector2 CNAME records published in DNS and DKIM explicitly enabled in the Defender portal. Use 2048-bit keys and rotate them.
Critical
Publish DMARC policy (start with p=none, move to p=reject)
Publish a _dmarc TXT record with p=none and an rua= reporting address first, review the aggregate reports to find legitimate senders that fail alignment, fix their SPF or DKIM, then move to p=quarantine and finally p=reject (pct= lets you ramp up). SPF and DKIM on their own do not stop spoofing of the visible From: address; only DMARC ties them to it.
Critical
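The script below is an added example, not part of the original checklist, that checks the three records above from DNS for one domain and counts SPF DNS lookups against the limit of 10 from RFC 7208 (the failure mode the SPF item warns about). It assumes Windows, where Resolve-DnsName comes with the DnsClient module; contoso.com is a placeholder, and the optional last step needs the ExchangeOnlineManagement module.

```powershell
# Added example (not from the checklist): verify SPF, DKIM and DMARC for a domain
# from DNS and count SPF DNS lookups against the RFC 7208 limit of 10.
# Assumes Windows (Resolve-DnsName from the DnsClient module); 'contoso.com' is a placeholder.

function Get-TxtRecord {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }   # long records arrive split into 255-byte chunks
    } catch { @() }
}

function Get-SpfLookupCount {
    # Counts the terms that cost a DNS query: include, a, mx, ptr, exists and redirect=.
    # Receivers return permerror above 10, which means no SPF protection at all.
    param([string]$Domain, [int]$Depth = 0)
    if ($Depth -gt 10) { return 0 }                      # guard against include loops
    $spf = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0) { return 0 }
    $count = 0
    foreach ($term in ($spf[0] -split '\s+' | Select-Object -Skip 1)) {
        $t = $term.TrimStart('+', '-', '~', '?')
        if ($t -match '^(include:|redirect=)(.+)$') {
            $count += 1 + (Get-SpfLookupCount -Domain $Matches[2] -Depth ($Depth + 1))
        } elseif ($t -match '^(a|mx|ptr)(:|/|$)' -or $t -match '^exists:') {
            $count++
        }
    }
    return $count
}

function Test-DomainMailAuth {
    param([Parameter(Mandatory)][string]$Domain)
    $spf   = @(Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' })
    $dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    # Exchange Online publishes the DKIM public keys behind these two CNAMEs for custom domains
    $dkim = foreach ($s in 'selector1', 'selector2') {
        $r = Resolve-DnsName -Name "$s._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        $target = ($r | Where-Object { $_.Type -eq 'CNAME' }).NameHost
        "$s -> $(if ($target) { $target } else { 'MISSING' })"
    }
    # (?:^|;) keeps 'sp=' (subdomain policy) from being mistaken for the main policy
    $policy = if ($dmarc -match '(?:^|;)\s*p=(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
    [pscustomobject]@{
        Domain         = $Domain
        SpfRecord      = $spf -join ' | '
        SpfRecordCount = $spf.Count                 # more than one v=spf1 record is a permerror
        SpfLookups     = Get-SpfLookupCount $Domain # must be 10 or fewer
        SpfHardFail    = [bool]($spf -match '-all$')
        DkimCnames     = $dkim -join '; '
        DmarcRecord    = $dmarc
        DmarcPolicy    = $policy
        DmarcReports   = [bool]($dmarc -match 'rua=')
    }
}

Test-DomainMailAuth -Domain 'contoso.com' | Format-List

# Optional: compare DNS with what Exchange Online expects and whether signing is actually on
# Connect-ExchangeOnline -ShowBanner:$false
# Get-DkimSigningConfig -Identity 'contoso.com' | Format-List Domain, Enabled, Status, Selector1CNAME, Selector2CNAME
```

SpfLookups is the number most often wrong in practice: every marketing or ticketing vendor adds an include: that itself includes others, and the record silently crosses 10. DkimCnames showing MISSING for a custom domain means the Defender portal will refuse to enable signing for it.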
Enable Safe Attachments (Defender for Office 365)
Detonate attachments in a sandbox before delivery with the Block action, and enable Safe Attachments for SharePoint, OneDrive and Teams as well. Requires Defender for Office 365 Plan 1 or higher.
High
Enable Safe Links (Defender for Office 365)
Rewrite and scan URLs at time of click, since attackers commonly weaponize a link only after the message has been delivered. Do not let users click through to the original URL, and apply the policy to Teams and Office apps too.
High
Configure anti-phishing policies
Add executives and other high-value users to the impersonation protection list, enable domain impersonation for your own and partner domains, turn on mailbox intelligence, and set the spoof intelligence action. The Standard and Strict preset security policies cover most of this with less tuning.
High
Block auto-forwarding to external addresses
Set automatic forwarding to Off (not Automatic) in the outbound spam filter policy so neither inbox rules nor mailbox forwarding can send mail outside the tenant. Forwarding to an external address is one of the most common persistence and exfiltration techniques after a mailbox compromise.
Critical
Review and audit mailbox forwarding rules
Periodically list mailbox-level forwarding (ForwardingSmtpAddress and ForwardingAddress) and inbox rules that forward, redirect or delete mail. Rules with one-character names, or that move mail from finance or IT to RSS Feeds or Deleted Items, are classic signs of a compromised account.
High
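The following is an added example, not the checklist's own code, covering the two forwarding items above: it enumerates every automatic-forwarding path out of the tenant (mailbox-level forwarding and inbox rules), flags external targets and forward-and-delete rules, and then closes the tenant-wide setting. It assumes the ExchangeOnlineManagement module and Exchange Administrator rights; looping Get-InboxRule over every mailbox is slow in a large tenant, so scope $mailboxes down if needed.

```powershell
# Added example (not from the checklist): enumerate every automatic-forwarding path out
# of the tenant, flag external targets, then turn auto-forwarding off tenant-wide.
# Assumes the ExchangeOnlineManagement module and Exchange Administrator rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = (Get-AcceptedDomain).DomainName

function Get-SmtpTargets {
    # Rule recipients render as "Bob [SMTP:bob@example.net]" for external addresses and
    # "Alice [EX:/o=ExchangeLabs/...]" for internal ones; mailbox forwarding as "smtp:bob@example.net"
    param($Values)
    foreach ($v in @($Values)) {
        if ("$v" -match '(?i)smtp:([^\]\s]+)') { $Matches[1] }
    }
}

function Test-External {
    param([string]$Address)
    return [bool]($Address -and ($internalDomains -notcontains ($Address -replace '^.*@', '')))
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox

# 1. Mailbox-level forwarding (Set-Mailbox, or the Forwarding option in OWA settings)
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    ForEach-Object {
        $target = Get-SmtpTargets $_.ForwardingSmtpAddress
        [pscustomobject]@{
            Mailbox  = $_.UserPrincipalName
            Target   = if ($target) { $target } else { "$($_.ForwardingAddress)" }   # internal recipient
            External = Test-External $target
            KeepCopy = $_.DeliverToMailboxAndForward
        }
    }

# 2. Inbox rules that forward, redirect or forward as attachment. Forward plus delete is the
#    classic business email compromise pattern: the victim never sees the conversation.
$ruleForwarding = foreach ($m in $mailboxes) {
    Get-InboxRule -Mailbox $m.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
        ForEach-Object {
            $targets = @(Get-SmtpTargets (@($_.ForwardTo) + @($_.RedirectTo) + @($_.ForwardAsAttachmentTo)))
            [pscustomobject]@{
                Mailbox  = $m.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                Targets  = $targets -join ';'
                External = @($targets | Where-Object { Test-External $_ }).Count -gt 0
                Deletes  = $_.DeleteMessage
            }
        }
}

'--- Mailbox forwarding ---';     $mailboxForwarding | Format-Table -AutoSize
'--- Inbox rules forwarding ---'; $ruleForwarding    | Format-Table -AutoSize

# 3. Tenant-wide control. Weak: AutoForwardingMode On (or Automatic, which defers to
#    Microsoft's current default). Set Off explicitly, and close the remote-domain path too.
Get-HostedOutboundSpamFilterPolicy | Format-Table Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Step 3 stops the mail from leaving, but it does not delete the rule: an attacker's rule stays in place and starts working again the moment someone relaxes the policy, so remove anything step 2 finds rather than relying on the block alone.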
Enable external sender tagging
Turn on the native external sender callout in Outlook (Set-ExternalInOutlook) and add a mail flow rule that prepends a banner for other clients, so impersonation from look-alike domains is easier to spot.
Medium
Configure spam and malware filtering
Review the anti-spam and anti-malware policies: quarantine high-confidence phishing instead of delivering it to Junk, block executable attachment types with the common attachments filter, keep zero-hour auto purge (ZAP) on, and avoid allowed-sender and allowed-domain lists, which bypass filtering.
Medium

Data Protection & DLP (10 items)

Enable audit logging
Confirm the unified audit log is switched on (it is on by default for new tenants, but verify). Audit (Standard) keeps records for 180 days; Audit (Premium) keeps them for a year with an optional 10-year add-on. Forward the log to a SIEM if you need longer retention or correlation with other sources.
Critical
Configure Data Loss Prevention (DLP) policies
Start in test mode with policy tips, then enforce. Cover Exchange, SharePoint, OneDrive, Teams and endpoints; protect the built-in sensitive information types you care about (payment cards, national IDs, health data) and add custom types for things such as project code names or API keys.
High
Implement sensitivity labels
Define a small taxonomy (for example Public, Internal, Confidential, Highly Confidential), back the top tiers with encryption and watermarking, set a default label, and turn on auto-labeling for the sensitive information types your DLP policies already detect.
High
Configure retention policies
Define retention and deletion periods per workload to meet legal and regulatory requirements. Deleting what you no longer need also shrinks what an attacker can take.
Medium
Enable Information Rights Management (IRM)
Use encryption-backed sensitivity labels (Azure Rights Management) so documents and emails stay encrypted with usage rights (no forwarding, no printing, expiry) after they leave the tenant.
Medium
Review external sharing settings in SharePoint/OneDrive
In the SharePoint admin center, set the tenant to the most restrictive level the business can work with: disable Anyone links or limit them to view-only with expiry, default new links to people in your organization, require external recipients to sign in with the invited account, and block guests from resharing.
High
Configure expiration for external sharing links
Set an expiry in days for Anyone links and turn on external user expiration so guest access to sites and OneDrive is removed automatically unless renewed.
Medium
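The script below is an added example, not from the original checklist, for the two SharePoint/OneDrive items above: it prints the tenant-wide sharing settings that matter, then applies the tighter values, with the weak settings it corrects shown in comments. It assumes the Microsoft.Online.SharePoint.PowerShell module and SharePoint Administrator rights; the admin URL and the partner domain are placeholders.

```powershell
# Added example (not from the checklist): read the tenant sharing posture, then tighten it.
# Assumes Microsoft.Online.SharePoint.PowerShell and SharePoint Administrator; URL is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$settings = 'SharingCapability', 'OneDriveSharingCapability', 'DefaultSharingLinkType', 'DefaultLinkPermission',
            'RequireAnonymousLinksExpireInDays', 'FileAnonymousLinkType', 'FolderAnonymousLinkType',
            'ExternalUserExpirationRequired', 'ExternalUserExpireInDays', 'PreventExternalUsersFromResharing',
            'RequireAcceptingAccountMatchInvitedAccount', 'SharingDomainRestrictionMode', 'SharingAllowedDomainList'

function Get-SharingPosture {
    $t = Get-SPOTenant
    foreach ($s in $settings) { [pscustomobject]@{ Setting = $s; Value = $t.$s } }
}

'--- Before ---'; Get-SharingPosture | Format-Table -AutoSize

# Weak posture this corrects:
#   SharingCapability = ExternalUserAndGuestSharing   (Anyone links, no sign-in required)
#   DefaultSharingLinkType = AnonymousAccess          (every new share defaults to an Anyone link)
#   RequireAnonymousLinksExpireInDays = -1            (Anyone links never expire)
#   ExternalUserExpirationRequired = $false           (guest access never lapses)

# Option A: no anonymous links at all; external people must sign in as the invited account
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAcceptingAccountMatchInvitedAccount $true `
              -PreventExternalUsersFromResharing $true `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 60

# Option B: if the business needs Anyone links, keep them view-only and short-lived instead
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View `
#               -RequireAnonymousLinksExpireInDays 30

# Optional: only allow guest sharing with named partner domains (placeholder domain)
# Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'partner.example'

'--- After ---'; Get-SharingPosture | Format-Table -AutoSize
```

These are tenant-wide ceilings: individual sites can be more restrictive but not more permissive, so check the handful of sites that were deliberately opened up (Get-SPOSite -Limit All | Where-Object SharingCapability -ne Disabled) after changing the tenant value.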
Enable eDiscovery capabilities
Set up eDiscovery (Standard or Premium) with a named case team and role group, and test placing a mailbox and a site on hold before an incident or legal request forces you to learn it.
Low
Block personal storage services (optional)
Use Defender for Cloud Apps or endpoint DLP to block uploads to unsanctioned storage (Dropbox, Google Drive, personal OneDrive) where policy requires it, and offer a sanctioned alternative so users do not route around the block.
Low
Review third-party app permissions
Audit enterprise applications and the delegated and application permissions granted to them, especially Mail.*, Files.*, Sites.* and Directory.ReadWrite.All. Restrict user consent to verified publishers and low-impact permissions, require admin consent for everything else, and remove apps that are unused or unverified. Consent phishing is a common route to mailbox data that never trips MFA.
High
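The following is an added example, not part of the original checklist, for the third-party app item: it inventories delegated OAuth grants and application permissions granted on Microsoft Graph, flags the scopes that give direct access to mail, files and the directory, and prints the user-consent setting. It assumes the Microsoft Graph PowerShell SDK; $riskyScopes is a starting list to adapt, and the app ID used to find the Graph service principal is Microsoft Graph's well-known one.

```powershell
# Added example (not from the checklist): inventory OAuth permission grants, flag the
# data-access scopes attackers favour, and show the user-consent setting.
# Assumes the Microsoft.Graph PowerShell SDK; $riskyScopes is a starting list to adapt.
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All', 'DelegatedPermissionGrant.Read.All', 'Policy.Read.All' -NoWelcome

$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite', 'Contacts.Read',
               'Files.Read.All', 'Files.ReadWrite.All', 'Sites.Read.All', 'Sites.ReadWrite.All',
               'Directory.ReadWrite.All', 'User.ReadWrite.All', 'RoleManagement.ReadWrite.Directory'
$tenantId = (Get-MgContext).TenantId
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

# 1. Delegated permissions (OAuth2 grants). ConsentType AllPrincipals means admin consent for
#    everyone; Principal means one user consented for themselves, which is where consent phishing lands.
$delegated = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $scopes = @($_.Scope -split '\s+' | Where-Object { $_ })
    $sp = $spById[$_.ClientId]
    [pscustomobject]@{
        App          = $sp.DisplayName
        ForeignOwner = [bool]($sp.AppOwnerOrganizationId -and $sp.AppOwnerOrganizationId -ne $tenantId)
        Consent      = $_.ConsentType
        Risky        = ($scopes | Where-Object { $riskyScopes -contains $_ }) -join ' '
        AllScopes    = $scopes -join ' '
    }
}

# 2. Application permissions granted on Microsoft Graph (no user present: these read any
#    mailbox or file in the tenant). Names are resolved from the Graph service principal's app roles.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleName = @{}
foreach ($r in $graphSp.AppRoles) { $roleName[$r.Id] = $r.Value }
$application = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Group-Object PrincipalId | ForEach-Object {
        $perms = @($_.Group | ForEach-Object { $roleName[$_.AppRoleId] })
        [pscustomobject]@{
            App   = $_.Group[0].PrincipalDisplayName
            Risky = ($perms | Where-Object { $riskyScopes -contains $_ }) -join ' '
            All   = $perms -join ' '
        }
    }

'--- Delegated grants with risky scopes ---'
$delegated | Where-Object Risky | Sort-Object App | Format-Table -AutoSize
'--- Application permissions on Microsoft Graph ---'
$application | Sort-Object App | Format-Table -AutoSize

# 3. Can users consent to any app? 'ManagePermissionGrantsForSelf.microsoft-user-default-legacy' = yes
#    (weak); '...microsoft-user-default-low' = low-impact scopes from verified publishers only;
#    empty = admin consent only.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
```

A delegated grant with ConsentType Principal, a ForeignOwner of True and Mail.Read or Files.Read.All in Risky is the signature of a successful consent-phishing campaign: one user, an app registered in someone else's tenant, and a scope that reads their mailbox with the user's own MFA already satisfied.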

Device & Endpoint Security (8 items)

Enable Microsoft Intune device management
Enroll corporate devices in Intune (or co-manage them with Configuration Manager) so configuration, compliance and updates are enforced centrally instead of depending on the user.
High
Require device compliance for access
Define compliance policies (minimum OS version, encryption, no jailbreak or root, Defender running) and require compliance in Conditional Access, so a non-compliant device loses access to company data instead of merely being reported.
High
Enable Microsoft Defender for Endpoint
Onboard Windows, macOS, iOS and Android devices for EDR, attack surface reduction rules and tamper protection, and feed the device risk score into Intune compliance.
High
Configure app protection policies for mobile
Use Intune app protection (MAM) to encrypt company data inside Outlook, Teams and Office on personal devices, block copy and paste into unmanaged apps, and allow a selective wipe without enrolling the whole device.
Medium
Require encryption on all devices
BitLocker on Windows and FileVault on macOS, with recovery keys escrowed to Entra ID or Intune. Verify from the compliance reports rather than assuming.
High
Enable remote wipe capability
Confirm Intune can perform a full wipe of corporate devices and a selective wipe of company data on personal devices, and that the helpdesk has a documented, tested procedure for lost or stolen devices.
Medium
Block unapproved applications
Use App Control for Business (formerly WDAC) or, at minimum, Defender attack surface reduction rules and Intune app blocking to stop unapproved software and commodity malware.
Low
Configure Windows Update policies
Use Windows Update for Business or Autopatch rings with short deferrals and deadlines for quality updates so security patches land within days, not months.
Medium
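The script below is an added example, not the checklist's own, that turns the Intune, compliance and encryption items above into a single posture query: it lists managed devices that are non-compliant, unencrypted or have not checked in for 30 days, then checks that an enabled Conditional Access policy actually requires a compliant (or hybrid-joined) device. It assumes the Microsoft Graph PowerShell SDK and read access to managed devices and policies.

```powershell
# Added example (not from the checklist): device posture from Intune, plus the Conditional
# Access check that turns compliance from a report into an enforcement.
# Assumes the Microsoft.Graph PowerShell SDK.
Import-Module Microsoft.Graph.DeviceManagement, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Policy.Read.All' -NoWelcome

function Get-DevicePosture {
    param([int]$StaleDays = 30)
    $stale = (Get-Date).AddDays(-$StaleDays)
    foreach ($d in (Get-MgDeviceManagementManagedDevice -All)) {
        $issues = @()
        if ($d.ComplianceState -ne 'compliant') { $issues += "compliance=$($d.ComplianceState)" }
        if (-not $d.IsEncrypted)               { $issues += 'not encrypted' }
        if ($d.LastSyncDateTime -lt $stale)    { $issues += "last sync $($d.LastSyncDateTime.ToString('yyyy-MM-dd'))" }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Device = $d.DeviceName
                User   = $d.UserPrincipalName
                OS     = "$($d.OperatingSystem) $($d.OSVersion)"
                Owner  = $d.ManagedDeviceOwnerType   # company or personal
                Issues = $issues -join '; '
            }
        }
    }
}

Get-DevicePosture | Sort-Object Issues | Format-Table -AutoSize

# A compliance policy only reports unless a Conditional Access policy requires the device to be
# compliant ('compliantDevice') or hybrid-joined ('domainJoinedDevice').
$enforced = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    ($_.GrantControls.BuiltInControls -contains 'compliantDevice' -or
     $_.GrantControls.BuiltInControls -contains 'domainJoinedDevice')
}
if ($enforced) { "Device compliance enforced by: $($enforced.DisplayName -join ', ')" }
else           { 'WARNING: no enabled Conditional Access policy requires a compliant device' }
```

A device that is stale and unencrypted is the one to chase first: it has not reported in, so the compliance state shown for it may be weeks old, and if it is lost there is no encryption between the finder and the cached mail and files.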

Monitoring & Alerts (10 items)

Review Secure Score regularly
Track the score monthly and work the highest-impact recommendations first. Aim for 80%+, but treat the number as a trend; the specific controls behind it matter more.
Medium
Configure alert policies for suspicious activities
Use the built-in alert policies in the Defender and Purview portals and add custom ones for forwarding inbox rules, elevation of Exchange admin privilege, malware campaigns and impossible travel. Route alerts to a monitored mailbox or a SIEM, not to one person's inbox.
High
Enable Microsoft Defender for Cloud Apps
Discovers shadow IT from firewall and proxy logs, connects to Microsoft 365 for activity and anomaly policies (mass download, impossible travel), and governs OAuth app permissions.
Medium
Set up admin activity alerts
Alert on additions to privileged roles (Global Administrator above all), Conditional Access policy changes, and new app registrations or credentials; these are the footprints of a tenant-level takeover.
High
Review sign-in logs weekly
Look for failures grouped by source IP (password spray shows as many users from one address), sign-ins from new countries, and legacy protocol use. Schedule the review or ship the logs to a SIEM so it actually happens.
Medium
Configure mailbox audit logging
Mailbox auditing is on by default in Exchange Online; confirm AuditDisabled is false at the organization level and enable the extra actions you need (MailItemsAccessed, part of Audit Premium, shows what an attacker actually read).
Medium
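The script below is an added example, not part of the original checklist, that serves the alert, admin-activity and mailbox-audit items above together: it confirms auditing is on, then pulls from the unified audit log the events those alerts should fire on (new privileged role members, inbox rule creation or changes, and Set-Mailbox calls that add forwarding) and summarises each one. It assumes the ExchangeOnlineManagement module and a role that can search the audit log; the AuditData field names are the ones these record types carry today and should be verified against a record from your own tenant.

```powershell
# Added example (not from the checklist): confirm auditing is on, then hunt the unified audit
# log for tenant-takeover footprints. Assumes ExchangeOnlineManagement and audit log search rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 0. Nothing below returns anything if ingestion is off; mailbox auditing is on unless AuditDisabled is $true
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
Get-OrganizationConfig  | Format-List AuditDisabled
# Fix if needed: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

function Get-TenantTakeoverEvents {
    param([int]$Days = 7)
    $ops = 'Add member to role.', 'New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules', 'Set-Mailbox'
    $start = (Get-Date).AddDays(-$Days); $end = Get-Date
    $sessionId = "hunt-$([guid]::NewGuid())"
    $records = @()
    do {
        # ReturnLargeSet pages through up to 50,000 records for the same SessionId
        $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
                  -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet)
        $records += $page
    } while ($page.Count -gt 0)

    foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        $params = @{}
        foreach ($p in @($d.Parameters)) { if ($p.Name) { $params[$p.Name] = $p.Value } }

        # Set-Mailbox is noisy; keep only calls that touched forwarding
        if ($d.Operation -eq 'Set-Mailbox' -and
            -not ($params.ContainsKey('ForwardingSmtpAddress') -or $params.ContainsKey('ForwardingAddress'))) { continue }

        $detail = switch ($d.Operation) {
            'Add member to role.' {
                # Entra role records carry the role name in ModifiedProperties as a JSON-quoted string
                $role = ($d.ModifiedProperties | Where-Object Name -eq 'Role.DisplayName').NewValue -replace '"', ''
                "$($d.ObjectId) added to $role"
            }
            'Set-Mailbox' {
                "forwarding -> $($params['ForwardingSmtpAddress'])$($params['ForwardingAddress'])"
            }
            default {
                $keys = 'Name', 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo', 'DeleteMessage', 'MoveToFolder'
                ($keys | Where-Object { $params.ContainsKey($_) } | ForEach-Object { "$_=$($params[$_])" }) -join ' '
            }
        }
        [pscustomobject]@{
            Time      = $r.CreationDate
            Operation = $d.Operation
            Actor     = $d.UserId
            Target    = $d.ObjectId
            ClientIP  = $d.ClientIP
            Detail    = $detail
        }
    }
}

Get-TenantTakeoverEvents -Days 7 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it once a week against the same window your alert policies cover: anything it returns that did not also produce an alert is a gap in the alert configuration, not just a finding.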
Set up data exfiltration alerts
Use Defender for Cloud Apps anomaly policies (mass download, unusual sharing) and DLP incident alerts; baseline normal volumes first to keep the noise down.
High
Review the Threat analytics dashboard regularly
Use Threat analytics in Microsoft Defender to see which active campaigns affect your tenant and which of their recommended mitigations you are missing.
Low
Configure automated investigation & response
Enable automated investigation and response in Defender for Office 365 and Defender for Endpoint; use full automation for remediation where you trust it and semi-automatic mode with approval elsewhere.
Low
Create incident response runbooks
Document step-by-step procedures for a compromised account (revoke sessions, reset the password, remove inbox rules and forwarding, review OAuth grants and MFA methods), a phishing campaign, a lost device and ransomware, including who may take which action and how to engage Microsoft support.
Low