Tenant Security & Compliance Audit

Perform a comprehensive audit of your Microsoft 365 tenant across eight security and compliance domains. This assessment is designed to be completed using least-privilege, read-only permissions — no elevated roles or write access required.

Least Privilege: All information needed for this audit can be gathered with Global Reader, Security Reader, and Reports Reader roles — plus read-only Microsoft Graph API permissions. No Global Admin or write access is required.

Identity & Access Management

How identities, authentication, and privileged access are secured.

How many Global Admin accounts exist?

Are dedicated admin accounts used (separate from daily-use accounts)?

What level of MFA is enforced?

Phish-resistant = FIDO2, Windows Hello, passkeys, or certificate-based auth.

Is Self-Service Password Reset (SSPR) enabled?

What is the password policy posture?

Is Privileged Identity Management (PIM) enabled?

PIM provides just-in-time role activation instead of standing admin access.

Conditional Access & Zero Trust

Policies governing access decisions and session security.

How many Conditional Access policies are configured?

Is legacy authentication blocked?

Legacy protocols (POP, IMAP, SMTP AUTH) bypass MFA entirely.

Are risk-based Conditional Access policies enabled?

Is device compliance required for access?

Are named/trusted locations configured?

Are session controls configured (sign-in frequency, persistent browser)?

Data Protection & Information Governance

Classification, labelling, DLP, and retention policies.

Are sensitivity labels deployed?

Are DLP policies configured?

Is encryption at rest confirmed?

Are retention policies configured?

Are information barriers in place?

Email Security

Anti-phishing, email authentication (DMARC/DKIM/SPF), and Defender for Office 365.

What anti-phishing protection level is configured?

What is the DMARC policy?

DMARC protects your domain from being spoofed in phishing emails.

Is DKIM enabled for all domains?

Is SPF configured for all domains?

Are Safe Attachments enabled?

Requires Defender for Office 365 Plan 1 or higher.

Are Safe Links enabled?

Endpoint Management

Device enrolment, compliance, app protection, and update management.

What is the Intune device enrolment coverage?

Are device compliance policies configured?

Are App Protection Policies (MAM) deployed?

Are Windows Update rings configured via Intune?

Is BitLocker enforced on Windows devices?

Collaboration Security

External sharing, guest access, Teams governance, and SharePoint controls.

What is the external sharing policy?

Are guest access reviews performed?

Is Teams / M365 Group creation restricted?

What is the SharePoint sharing default?

Are Teams meeting policies configured?

Compliance & Governance

Audit logging, alert policies, eDiscovery, and insider risk.

What is the audit log retention period?

Are alert policies configured?

Is eDiscovery configured?

Is Communications Compliance enabled?

Is Insider Risk Management configured?

Backup & Resilience

Break-glass accounts, backup strategy, disaster recovery, and incident response.

Are break-glass (emergency access) accounts configured?

Cloud-only accounts excluded from Conditional Access, with secure credential storage.

What backup solution is in place for M365 data?

Is there a disaster recovery plan?

Is there an incident response plan?