Microsoft 365 Audit Review • Security Gap Analysis

Microsoft Office 365 Security Audit Services

Review Entra ID, MFA, Conditional Access, Exchange Online, Defender for Office 365, Purview, DLP, audit logs, SharePoint, OneDrive, Teams, administrator access, and compliance readiness before hidden settings become business risk.

25+Years of IT, cybersecurity, Microsoft infrastructure, audit, and compliance experience.
200Preserved Microsoft 365 audit checks across identity, email, data, logging, recovery, and governance.
M365Entra ID, Exchange, Defender, Purview, Teams, SharePoint, OneDrive, and admin roles.
SoCalIrvine, Orange County, Los Angeles County, and Southern California business focus.

Executive Summary

Audit Microsoft 365 before cloud collaboration risk turns into business exposure.

A Microsoft Office 365 security audit is a structured review of your Microsoft 365 tenant, security settings, identity controls, email protection, audit logs, data protection policies, administrative access, and compliance readiness.

Many Microsoft 365 environments grow over time without a formal security review. Users are added, administrators change settings, vendors receive access, Teams and SharePoint sites expand, and security tools may be enabled without being fully configured.

Entra ID and MFAExchange OnlineDefender for Office 365Purview DLPTeams, OneDrive, SharePointAudit logs and evidence
Microsoft 365 security controls for identity, data protection, cloud security, monitoring, and compliance

Audit Scope

Microsoft 365 security areas reviewed.

OC Security Audit reviews the most important areas of your Microsoft 365 environment and turns technical evidence into business-readable findings, risk ratings, and remediation priorities.

Identity and Administrator Access

Review users, privileged roles, Global Administrators, MFA, Conditional Access, risky sign-ins, guest users, inactive accounts, PIM readiness, and emergency access.

Email Security and Defender

Review Exchange Online, mail flow rules, external forwarding, delegation, anti-phishing, Safe Links, Safe Attachments, quarantine, SPF, DKIM, and DMARC.

Purview, DLP, and Audit Logs

Review audit log availability, retention settings, DLP policies, sensitivity labels, eDiscovery readiness, alert policies, and evidence collection.

Collaboration and Recovery

Review SharePoint, OneDrive, Teams, external sharing, guest access, anonymous links, retention, backup readiness, ransomware recovery, and incident response documentation.

Common Findings

Example Microsoft 365 audit findings that create real risk.

Identity Gaps

  • MFA is not enforced for all users or administrators
  • Legacy authentication remains allowed
  • Too many privileged roles or permanent admins
  • Guest users and OAuth apps are not reviewed

Email and Defender Gaps

  • External forwarding is not restricted
  • Mail flow rules bypass security controls
  • DMARC is not enforced
  • Safe Links or Safe Attachments are incomplete

Data and Evidence Gaps

  • SharePoint anonymous links are allowed
  • DLP policies are missing or only in test mode
  • Audit logs are not reviewed
  • No Microsoft 365 incident response procedure exists

Deliverables

What your Microsoft 365 audit produces.

Executive Summary

High-level Microsoft 365 security posture, major risks, business impact, and recommended priorities.

Risk-Rated Findings

Findings categorized as Critical, High, Medium, Low, or Informational so your team knows what to fix first.

Security Gap Report

Detailed review across identity, email, Defender, audit logs, DLP, SharePoint, OneDrive, Teams, admin access, and compliance readiness.

Evidence Checklist and Roadmap

Reviewed evidence, screenshots, exports, configuration areas, audit artifacts, and a prioritized remediation plan.

Audit vs Implementation

What we test vs. what gets fixed after the audit.

This page focuses on Microsoft 365 auditing and assessment. The audit identifies gaps, reviews evidence, risk-rates findings, assesses compliance readiness, and builds a remediation roadmap.

For implementation, hardening, Defender tuning, SPF/DKIM/DMARC improvements, DLP configuration, Conditional Access, secure collaboration, and ongoing Microsoft 365 support, IT Perfection can support the operational implementation side through Microsoft 365 managed services, Microsoft 365 Copilot readiness, and co-managed IT services.

Microsoft 365 Audit Review

  • Identify configuration gaps
  • Review audit evidence
  • Risk-rate findings
  • Assess compliance readiness
  • Document control weaknesses

Microsoft 365 Implementation

  • Configure and harden settings
  • Deploy security controls
  • Remediate high-risk issues
  • Implement policies and procedures
  • Support technical fixes

Preserved Worksheet

Microsoft 365 Security Audit Checklist

This preserved Office 365 security audit checklist includes 200 itemized checks across 14 categories. Use it as a planning and review reference; it does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.

Checklist CategoryWhat the Checklist Helps ReviewExample Security Risk
Identity SecurityConfirm users and administrators are properly protectedMFA gaps, risky sign-ins, inactive accounts
Administrator AccessReview privileged roles, admin exposure, and role governanceToo many Global Administrators or permanent admins
Email SecurityEvaluate Exchange Online and Defender controlsPhishing, spoofing, mailbox forwarding, and unsafe mail rules
SPF, DKIM, DMARCReview email authentication and domain protectionDomain spoofing and unauthorized senders
Audit LoggingConfirm investigation readiness and evidence retentionInsufficient log retention or no log review process
DLP and PurviewReview sensitive data controls, labels, and alertsData leakage or DLP policies left in test mode
SharePoint and OneDriveEvaluate file sharing exposure and site permissionsAnonymous links and external data exposure
Teams SecurityReview guest access, external access, apps, and meeting controlsUncontrolled collaboration and external communication risk
Retention and eDiscoveryAssess records, legal hold, and compliance readinessMissing records, legal hold gaps, or incomplete exports
Backup and RecoveryReview recoverability and incident recovery proceduresPoor recovery readiness and ransomware recovery gaps
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-001Identity SecurityValidationConfirm all user accounts are active, assigned to valid employees, and reviewed against HR records.Dormant or unauthorized account remains activeAccount compromise, unauthorized access to email, files, and appsHighHighEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-002Identity SecurityValidationReview disabled accounts to confirm they are removed from licensing and sign-in access.Disabled accounts are retained with permissionsResidual access and license wasteMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-003Identity SecurityReviewReview inactive accounts with no sign-in activity in the last 30/60/90 days.Inactive account can be exploitedUndetected compromise and lateral movementHighHighEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-004Identity SecurityValidationValidate account lifecycle process for onboarding, role changes, and terminations.Weak account lifecycle governanceExcessive access and delayed deprovisioningMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-005Identity SecurityValidationConfirm administrator accounts are separate from daily user accounts.Admins use normal accounts for privileged workHigher risk of credential theft and admin compromiseHighHighEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-006Identity SecurityReviewReview guest users and external identities for business justification.Unreviewed guest accessExternal exposure of Microsoft 365 dataMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-007Identity SecurityValidationValidate guest user expiration and review process.Guest accounts remain indefinitelyFormer vendors retain accessMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-008Identity SecurityReviewReview password policies and banned password settings.Weak passwords remain allowedCredential stuffing and account takeoverMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-009Identity SecurityReviewReview authentication methods registered by users.Weak or outdated authentication methodsBypass or downgrade of strong authenticationMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-010Identity SecurityReviewReview risky users and risky sign-ins history.Risk events are not investigatedAccount takeover may go unnoticedMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-011Identity SecurityValidationConfirm self-service password reset settings are controlled and monitored.Improper SSPR configurationUnauthorized password reset or support burdenMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-012Identity SecurityReviewReview OAuth consent settings and user consent permissions.Users can grant risky app permissionsData exfiltration through malicious OAuth appsMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-013Identity SecurityReviewReview enterprise applications and service principals with high privileges.Overprivileged app registrationsTenant-wide compromise through application permissionsHighHighEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-014Identity SecurityValidationConfirm break-glass accounts exist and are secured with monitored access.No secure emergency access processLockout during incident or uncontrolled emergency accessMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-015Identity SecurityReviewReview conditional sign-in risk policies if Entra ID P2 is available.Risk-based controls not usedMissed automatic response to compromised identitiesHighHighEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-016Identity SecurityValidationValidate named locations and trusted IP configuration.Trusted locations are too broadAttackers bypass Conditional AccessHighHighEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-017Identity SecurityReviewReview authentication strength policies for privileged users.Weak MFA methods allowed for adminsIncreased admin compromise riskHighHighEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-018Identity SecurityValidationConfirm sign-in logs are retained and accessible for investigation.Sign-in evidence unavailablePoor investigation and compliance readinessMediumMediumEntra admin center reports, sign-in logs, user exports, authentication method reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-019Administrator AccessValidationList all Global Administrators and confirm business justification.Too many Global AdministratorsTenant-wide compromise if one admin is breachedHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-020Administrator AccessReviewReview Exchange Administrator assignments.Excessive Exchange admin rightsMailbox, mail flow, and data exposureMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-021Administrator AccessReviewReview SharePoint Administrator assignments.Excessive SharePoint admin rightsFile sharing and site control riskMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-022Administrator AccessReviewReview Teams Administrator assignments.Excessive Teams admin rightsCollaboration and guest access exposureMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-023Administrator AccessReviewReview Security Administrator and Compliance Administrator assignments.Overbroad security or compliance rolesPolicy changes and evidence tamperingMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-024Administrator AccessValidationConfirm privileged roles are reviewed on a scheduled basis.No privileged role reviewPrivilege creep and former staff accessHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-025Administrator AccessValidationValidate emergency access accounts are excluded from normal policies only as required.Improper emergency account exclusionsUnmonitored high-privilege accessMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-026Administrator AccessValidationConfirm administrator MFA is enforced with phishing-resistant or strong authentication where possible.Weak administrator MFAPrivileged account takeoverHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-027Administrator AccessReviewReview role assignments for former IT staff, consultants, and vendors.Former personnel retain admin accessUnauthorized administrative controlMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-028Administrator AccessValidationValidate Privileged Identity Management readiness or usage.Permanent admin rights remain enabledIncreased attack windowHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-029Administrator AccessReviewReview admin audit logs for recent role changes.Admin role changes are not monitoredUnauthorized privilege escalationMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-030Administrator AccessValidationConfirm admin consent workflow for high-risk application permissions.Uncontrolled app consentData access granted without reviewMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-031Administrator AccessReviewReview service accounts with administrative permissions.Service accounts overprivilegedPersistent compromise pathHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-032Administrator AccessValidationConfirm admin access is not shared between people.Shared admin accountsNo accountability or audit trailMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-033Administrator AccessReviewReview mailbox delegation for executive and privileged mailboxes.Improper delegated accessSensitive email exposureHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-034Administrator AccessValidationValidate admin workstation or secure access expectations.Admins operate from unmanaged endpointsCredential theft and session hijackingMediumMediumRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-035Administrator AccessValidationConfirm admin alerting for risky sign-ins and role changes.No admin activity alertingDelayed detection of compromiseHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-036Administrator AccessReviewReview audit evidence for last privileged access review.No proof of role governanceCompliance and insurance evidence gapHighHighRole assignment exports, admin audit logs, PIM reports, access review evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-037Email SecurityReviewReview Exchange Online accepted domains.Uncontrolled accepted domainsMail flow and spoofing exposureMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-038Email SecurityReviewReview all mail flow rules for bypass, redirect, and delete actions.Mail rules bypass security controlsPhishing, data loss, and hidden forwardingMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-039Email SecurityAssessmentIdentify rules that bypass spam filtering or malware scanning.Security filtering is bypassedMalicious email reaches usersMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-040Email SecurityReviewReview external forwarding settings at tenant and mailbox level.External forwarding is allowedBusiness email compromise and data exfiltrationHighHighExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-041Email SecurityReviewReview mailbox forwarding reports.Hidden forwarding rules existSensitive email leakageMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-042Email SecurityReviewReview inbox rules for suspicious forwarding, deletion, or keyword triggers.Malicious inbox rules persistStealthy BEC activityMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-043Email SecurityReviewReview shared mailbox permissions and delegation.Overbroad shared mailbox accessUnauthorized email accessMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-044Email SecurityValidationConfirm executives and finance users have enhanced anti-phishing controls.High-value users are not protectedImpersonation and wire fraudMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-045Email SecurityReviewReview anti-phishing policy settings.Weak phishing protectionCredential theft riskMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-046Email SecurityReviewReview anti-spam inbound policy settings.Weak spam filteringIncreased malicious email exposureMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-047Email SecurityReviewReview anti-spam outbound policy settings.Compromised account sends spamDomain reputation damageHighHighExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-048Email SecurityReviewReview anti-malware policy settings.Weak malware filteringRansomware or malicious attachment riskHighHighExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-049Email SecurityValidationValidate quarantine policies and review process.Quarantine is not reviewedMissed threats or business disruptionMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-050Email SecurityReviewReview user-reported phishing mailbox/process.No phishing reporting workflowDelayed detection and training gapsMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-051Email SecurityValidationConfirm message trace availability and investigation process.Poor mail flow visibilityWeak incident responseMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-052Email SecurityReviewReview transport rules for external warning banners.No external sender awarenessHigher phishing susceptibilityMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-053Email SecurityReviewReview mailbox audit settings.Mailbox activity not loggedPoor evidence during investigationsMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-054Email SecurityValidationConfirm Exchange Online PowerShell access is controlled.Uncontrolled PowerShell accessBulk changes and attacker persistenceMediumMediumExchange admin center settings, mail flow rules, message trace, mailbox reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-055SPF, DKIM, DMARCReviewReview SPF record syntax and authorized senders.Invalid SPF recordEmail authentication failureMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-056SPF, DKIM, DMARCValidationConfirm SPF record is not too broad.Overly permissive SPFSpoofing through unauthorized sendersMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-057SPF, DKIM, DMARCReviewReview SPF include mechanisms and lookup count.SPF lookup limit exceededAuthentication breaks for legitimate emailMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-058SPF, DKIM, DMARCValidationConfirm DKIM is enabled for all accepted domains.DKIM not enabledSpoofing and deliverability riskMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-059SPF, DKIM, DMARCValidationValidate DKIM selectors and DNS records.Incorrect DKIM DNS recordsEmail authentication failureMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-060SPF, DKIM, DMARCReviewReview DMARC record existence.No DMARC recordDomain spoofing not controlledHighHighDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-061SPF, DKIM, DMARCReviewReview DMARC policy enforcement level.DMARC monitoring onlySpoofed messages may still deliverHighHighDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-062SPF, DKIM, DMARCValidationValidate DMARC alignment for Microsoft 365 and third-party senders.Alignment failureLegitimate email rejected or spoofing persistsHighHighDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-063SPF, DKIM, DMARCValidationConfirm DMARC aggregate reports are sent to monitored mailbox or service.No DMARC reporting processNo visibility into abuseHighHighDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-064SPF, DKIM, DMARCReviewReview third-party sending services inventory.Unknown senders use domainSpoofing and deliverability failuresMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-065SPF, DKIM, DMARCValidationConfirm subdomain DMARC policy.Subdomains not protectedSubdomain spoofing exposureHighHighDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-066SPF, DKIM, DMARCReviewReview return-path and envelope-from alignment.Poor sender alignmentDMARC failuresHighHighDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-067SPF, DKIM, DMARCDocumentationDocument DNS ownership and change control for mail authentication records.DNS changes unmanagedAuthentication breaks or abuseMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-068SPF, DKIM, DMARCReviewReview BIMI readiness if relevant.Brand protection not matureLower trust in email identityMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-069SPF, DKIM, DMARCValidationConfirm email authentication evidence is captured for audit.No evidence for external reviewersCompliance and customer questionnaire gapMediumMediumDNS records, Defender domain reports, DMARC aggregate report configurationDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-070Defender for Office 365ValidationConfirm Defender for Office 365 licensing availability.Security features available but unusedReduced protection from phishing and malwareMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-071Defender for Office 365ReviewReview Safe Links policy coverage.Safe Links not applied to all usersMalicious links reach usersMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-072Defender for Office 365ReviewReview Safe Attachments policy coverage.Attachments not detonated consistentlyMalware and ransomware exposureHighHighDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-073Defender for Office 365ValidationConfirm Safe Links applies to Teams, Office apps, and supported workloads as needed.Incomplete workload coverageThreats bypass controls in collaboration appsMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-074Defender for Office 365ReviewReview anti-phishing impersonation protection settings.Weak impersonation protectionExecutive and vendor fraudMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-075Defender for Office 365ValidationConfirm protected users and domains are configured.High-value identities not protectedTargeted phishing riskMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-076Defender for Office 365ReviewReview preset security policies.Baseline protections not enabledInconsistent security postureMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-077Defender for Office 365ReviewReview threat policies and overrides.Overrides weaken protectionMalicious content allowedMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-078Defender for Office 365ReviewReview quarantine policy permissions.Users can release risky messagesThreat exposureMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-079Defender for Office 365ReviewReview alert policies and notification recipients.Alerts not routedDelayed incident responseMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-080Defender for Office 365ValidationValidate investigation workflow for Defender alerts.No response processUnresolved security eventsMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-081Defender for Office 365ReviewReview Attack Simulation Training readiness.No phishing training validationUser risk remains unknownMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-082Defender for Office 365ReviewReview spoof intelligence and allowed senders.Spoofed senders allowedImpersonation exposureMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-083Defender for Office 365ReviewReview Tenant Allow/Block List entries.Dangerous allow entriesKnown threats bypass controlsMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-084Defender for Office 365ReviewReview submission process for false positives and false negatives.Poor tuning processDetection quality remains weakMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-085Defender for Office 365ValidationConfirm Defender reports are reviewed periodically.Reports ignoredMissed trends and repeated attacksMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-086Defender for Office 365ReviewReview automated investigation and response settings if available.Automation not usedSlower containmentMediumMediumDefender portal policies, quarantine reports, threat explorer, alert settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-087Audit LoggingValidationConfirm Microsoft Purview audit logging is enabled.Audit logs unavailableCannot investigate suspicious activityHighHighMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-088Audit LoggingReviewReview audit log retention period.Retention too shortEvidence unavailable during late discoveryMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-089Audit LoggingValidationConfirm audit search access is assigned to authorized staff.No one can search logsIncident response delayMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-090Audit LoggingReviewReview admin activity visibility.Admin changes not monitoredUnauthorized configuration changes persistMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-091Audit LoggingReviewReview Exchange mailbox activity logging.Mailbox access not visibleEmail compromise investigation gapHighHighMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-092Audit LoggingReviewReview SharePoint and OneDrive activity logging.File access not visibleData leakage investigation gapMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-093Audit LoggingReviewReview Teams activity logging.Collaboration events not visibleGuest and Teams misuse gapsMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-094Audit LoggingValidationConfirm DLP event visibility.DLP events not reviewedSensitive data exposure persistsMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-095Audit LoggingReviewReview alert policies tied to audit events.No alerting from important eventsDelayed detectionMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-096Audit LoggingValidationConfirm evidence collection procedure for investigations.Evidence not preservedLegal, insurance, and compliance weaknessMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-097Audit LoggingReviewReview audit log export process.Logs cannot be shared with auditorsAudit readiness gapMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-098Audit LoggingValidationValidate time synchronization and timezone documentation.Timeline reconstruction difficultInvestigation confusionMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-099Audit LoggingReviewReview who can modify audit settings.Unauthorized audit changes possibleEvidence tampering riskMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-100Audit LoggingValidationConfirm sensitive admin events generate alerts.No alert on high-risk changesTenant compromise riskHighHighMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-101Audit LoggingReviewReview audit evidence for recent suspicious sign-ins or file sharing.Known issues not investigatedRepeated exposureMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-102Audit LoggingValidationConfirm audit log review cadence is documented.Logs enabled but ignoredControls not operating effectivelyMediumMediumMicrosoft Purview audit settings, audit search results, alert policies, retention settingsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-103DLP and PurviewAssessmentInventory DLP policies across Exchange, SharePoint, OneDrive, and Teams.DLP coverage incompleteSensitive data leakageMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-104DLP and PurviewReviewReview DLP policy mode: test, simulation, or enforcement.DLP left in test modeData not protectedMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-105DLP and PurviewReviewReview sensitive information types used in policies.Wrong data patterns monitoredMissed sensitive dataMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-106DLP and PurviewReviewReview DLP alert routing and review process.Alerts not reviewedData leakage persistsMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-107DLP and PurviewValidationConfirm policy tips are configured where appropriate.Users not warnedPreventable violations continueMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-108DLP and PurviewReviewReview DLP exceptions and exclusions.Too many exclusionsControls ineffectiveMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-109DLP and PurviewReviewReview retention policies.Retention missingRecords unavailable or retained improperlyMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-110DLP and PurviewReviewReview retention labels.Labels not appliedGovernance gapsMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-111DLP and PurviewReviewReview sensitivity labels.Sensitive data not labeledPoor access and sharing controlMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-112DLP and PurviewValidationConfirm label publishing policies cover target users.Labels unavailable to usersClassification not adoptedMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-113DLP and PurviewReviewReview auto-labeling readiness.Manual labeling onlySensitive data remains unlabeledMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-114DLP and PurviewReviewReview eDiscovery role assignments.Improper eDiscovery accessLegal data exposureMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-115DLP and PurviewReviewReview eDiscovery case process documentation.No eDiscovery processLegal hold readiness gapMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-116DLP and PurviewReviewReview Insider Risk readiness if applicable.Insider risk unmanagedData theft indicators missedMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-117DLP and PurviewValidationConfirm compliance portal access is role-based.Overbroad compliance accessSensitive investigation data exposureMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-118DLP and PurviewAssessmentMap DLP and retention controls to business requirements.Policies not business-alignedOverblocking or underprotectionMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-119DLP and PurviewReviewReview evidence of DLP incident handling.No proof of control operationAudit readiness gapMediumMediumPurview DLP policies, retention labels, sensitivity labels, alert reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-120SharePoint and OneDriveReviewReview SharePoint external sharing setting at tenant level.External sharing too broadSensitive data exposureMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-121SharePoint and OneDriveReviewReview OneDrive external sharing settings.User file sharing uncontrolledData leakageMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-122SharePoint and OneDriveValidationConfirm anonymous links are disabled or restricted.Anonymous sharing allowedUntraceable data accessHighHighSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-123SharePoint and OneDriveReviewReview default link type and permission.Default sharing is too permissiveOversharingMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-124SharePoint and OneDriveReviewReview guest user sharing process.Guests added without approvalExternal exposureMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-125SharePoint and OneDriveReviewReview site-level sharing exceptions.Sensitive sites exposedData lossMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-126SharePoint and OneDriveReviewReview externally shared files report.Overshared files remain publicConfidential data exposureMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-127SharePoint and OneDriveReviewReview site owner permissions.Owners not governedUncontrolled sharing and access changesMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-128SharePoint and OneDriveReviewReview sensitive site access controls.Critical data lacks restrictionsUnauthorized accessMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-129SharePoint and OneDriveReviewReview inactive SharePoint sites.Old sites retain data and permissionsStale exposureMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-130SharePoint and OneDriveReviewReview OneDrive access for terminated users.Former employee data unmanagedData loss or unauthorized accessMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-131SharePoint and OneDriveValidationValidate sharing expiration settings.Links remain active indefinitelyLong-term external exposureMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-132SharePoint and OneDriveReviewReview file download restrictions where needed.Sensitive data downloadableData exfiltrationMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-133SharePoint and OneDriveReviewReview synchronization restrictions for unmanaged devices.Files synced to unmanaged endpointsData leakageMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-134SharePoint and OneDriveValidationConfirm audit evidence for external sharing reviews.No proof of sharing governanceCompliance gapMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-135SharePoint and OneDriveReviewReview sensitivity label use on sites and files.Labels not used to control accessWeak data protectionMediumMediumSharePoint admin center, sharing reports, site permissions, external sharing evidenceDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-136Teams SecurityReviewReview Teams guest access setting.Guest access unmanagedExternal collaboration riskMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-137Teams SecurityReviewReview Teams external access setting.External domains unrestrictedUncontrolled communicationMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-138Teams SecurityReviewReview allowed and blocked domains.Domain policy too permissiveData and communication exposureMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-139Teams SecurityReviewReview private channel governance.Private channel access unmanagedHidden sensitive collaborationMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-140Teams SecurityReviewReview shared channel usage if enabled.Shared channels unmanagedCross-tenant exposureMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-141Teams SecurityReviewReview meeting policy for anonymous users.Anonymous meeting access too broadUnauthorized meeting participationHighHighTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-142Teams SecurityReviewReview file sharing behavior through Teams.Teams files inherit weak SharePoint settingsData exposureMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-143Teams SecurityReviewReview app permissions and Teams app governance.Unapproved apps allowedData access and malware riskMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-144Teams SecurityReviewReview Teams retention policies.Teams records not retainedCompliance evidence gapMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-145Teams SecurityReviewReview Teams audit events.Teams activity not monitoredPoor incident investigationMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-146Teams SecurityReviewReview owner and member controls for sensitive teams.Sensitive teams lack governanceUnauthorized accessMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-147Teams SecurityValidationConfirm lifecycle process for inactive teams.Old teams remain activeStale data and permissionsMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-148Teams SecurityReviewReview federation with external organizations.Federation too openExternal phishing and data leakageMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-149Teams SecurityReviewReview messaging policies for security and compliance needs.Messaging controls misalignedGovernance gapsMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-150Teams SecurityValidationConfirm Teams security evidence is captured for audit.No review artifactsAudit readiness gapMediumMediumTeams admin center policies, guest access settings, app policies, audit eventsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-151Retention and eDiscoveryReviewReview Exchange retention coverage.Email retention incompleteRecords unavailable or over-retainedMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-152Retention and eDiscoveryReviewReview SharePoint retention coverage.Files not governedCompliance and legal riskMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-153Retention and eDiscoveryReviewReview OneDrive retention coverage.User data not governedLegal and recovery gapMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-154Retention and eDiscoveryReviewReview Teams retention coverage.Chat and channel data not governedCompliance gapMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-155Retention and eDiscoveryValidationConfirm retention policies align with legal and business requirements.Retention misalignedLegal exposureMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-156Retention and eDiscoveryReviewReview litigation hold usage and governance.Holds missing or overusedLegal readiness riskMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-157Retention and eDiscoveryReviewReview eDiscovery role assignments.Too many eDiscovery usersSensitive data exposureMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-158Retention and eDiscoveryReviewReview eDiscovery case creation process.No case processLegal response delaysMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-159Retention and eDiscoveryReviewReview preservation and export procedure.Evidence export not definedInvestigation and litigation delaysMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-160Retention and eDiscoveryValidationConfirm deleted item recovery settings are understood.Recovery expectations unclearData lossMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-161Retention and eDiscoveryReviewReview compliance search permissions.Overbroad search accessPrivacy and data exposureMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-162Retention and eDiscoveryDocumentationDocument retention exceptions and exclusions.Unknown exclusionsControl gapsMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-163Retention and eDiscoveryReviewReview records management maturity.Records not formally managedRegulatory riskMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-164Retention and eDiscoveryValidationConfirm retention evidence is available for auditors.No evidence of configurationAudit deficiencyMediumMediumPurview retention policies, eDiscovery roles, hold reports, case proceduresDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-165Backup and RecoveryReviewReview Microsoft 365 native recovery capabilities.Recovery misunderstoodData loss during incidentMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-166Backup and RecoveryDocumentationDocument Exchange Online mailbox recovery process.No mailbox recovery procedureExtended outage or data lossMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-167Backup and RecoveryDocumentationDocument OneDrive recovery process.No OneDrive recovery procedureFile lossMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-168Backup and RecoveryDocumentationDocument SharePoint recovery process.No SharePoint recovery procedureSite or library lossMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-169Backup and RecoveryReviewReview retention vs. backup assumptions.Retention mistaken for backupUnrecoverable deleted dataMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-170Backup and RecoveryReviewReview third-party Microsoft 365 backup coverage if used.Backup coverage incompleteRansomware recovery gapHighHighRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-171Backup and RecoveryValidationConfirm critical mailboxes are protected.Critical mailboxes not recoverableBusiness disruptionMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-172Backup and RecoveryValidationConfirm sensitive SharePoint sites are protected.Critical sites not recoverableOperational disruptionMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-173Backup and RecoveryReviewReview deleted user and mailbox recovery process.Terminated user data lostCompliance and business impactMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-174Backup and RecoveryReviewReview ransomware recovery planning for cloud data.No ransomware recovery planExtended downtimeHighHighRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-175Backup and RecoveryReviewTest recovery procedure or review last test evidence.Recovery not testedUnknown recoverabilityMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-176Backup and RecoveryReviewReview backup admin permissions.Backup access overprivilegedData exposureHighHighRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-177Backup and RecoveryReviewReview backup retention settings.Backup retention insufficientHistorical data unavailableMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-178Backup and RecoveryValidationConfirm backup alerts and job monitoring.Backup failures unnoticedRecovery gapsMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-179Backup and RecoveryDocumentationDocument roles and responsibilities for recovery.No owner assignedDelayed responseMediumMediumRecovery procedures, backup portal reports, restore test evidence, retention policiesDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-180Endpoint and Session SecurityReviewReview device compliance requirements for Microsoft 365 access.Unmanaged devices access dataData leakage and malware exposureMediumMediumConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-181Endpoint and Session SecurityReviewReview Conditional Access device filters.Device policies incompleteUntrusted endpoints allowedHighHighConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-182Endpoint and Session SecurityReviewReview session controls for unmanaged devices.No session restrictionsDownload and exfiltration riskMediumMediumConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-183Endpoint and Session SecurityValidationConfirm browser-only restrictions where needed.Sensitive data can be synced or downloadedData lossMediumMediumConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-184Endpoint and Session SecurityReviewReview Intune compliance policy integration if available.Device posture not enforcedUnsafe accessMediumMediumConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-185Endpoint and Session SecurityReviewReview mobile device access and app protection policies.Mobile access uncontrolledLost device data exposureMediumMediumConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-186Endpoint and Session SecurityReviewReview sign-in persistence and session lifetime settings.Sessions persist too longToken theft impactMediumMediumConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-187Endpoint and Session SecurityReviewReview token revocation process.Compromised sessions remain activeAccount takeover persistsHighHighConditional Access, Intune compliance, session controls, device reportsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-188Incident Response ReadinessValidationConfirm Microsoft 365 incident response procedure exists.No response procedureSlow containmentMediumMediumIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-189Incident Response ReadinessDocumentationDocument escalation contacts for email compromise.No escalation pathDelayed response to BECHighHighIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-190Incident Response ReadinessReviewReview account compromise response checklist.No account response stepsIncomplete containmentHighHighIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-191Incident Response ReadinessReviewReview phishing investigation workflow.Phishing process missingThreats remain activeMediumMediumIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-192Incident Response ReadinessReviewReview evidence preservation process.Evidence overwritten or incompletePoor legal and insurance supportMediumMediumIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-193Incident Response ReadinessValidationConfirm communication plan for Microsoft 365 incidents.No communication planConfusion during incidentMediumMediumIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-194Incident Response ReadinessReviewReview cyber insurance evidence requirements.Insurance evidence not readyClaims or renewal issuesMediumMediumIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-195Incident Response ReadinessReviewReview post-incident improvement process.Lessons not appliedRepeat incidentsMediumMediumIR plan, phishing workflow, evidence preservation procedure, insurance requirementsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
IDCategoryControl AreaChecklist ItemSecurity RiskSecurity ImpactLikelihoodSeverityEvidence to ReviewExpected Secure ConfigurationAudit ResultOwnerRemediation PriorityNotes
M365-196Governance and DocumentationDocumentationMaintain Microsoft 365 security policy documentation.Policies missingInconsistent operationsMediumMediumPolicies, procedures, change records, executive reporting artifactsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-197Governance and DocumentationDocumentationMaintain administrator access policy.Admin access unmanagedPrivilege abuse or compromiseHighHighPolicies, procedures, change records, executive reporting artifactsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-198Governance and DocumentationDocumentationMaintain email security standard.Email controls inconsistentPhishing exposureMediumMediumPolicies, procedures, change records, executive reporting artifactsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-199Governance and DocumentationDocumentationMaintain external sharing standard.Sharing decisions inconsistentData leakageMediumMediumPolicies, procedures, change records, executive reporting artifactsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
M365-200Governance and DocumentationDocumentationMaintain DLP and data handling standard.Sensitive data controls unclearCompliance gapsMediumMediumPolicies, procedures, change records, executive reporting artifactsDocumented, reviewed, risk-rated, and aligned with business, compliance, and security requirements.Audit checklist item
Ali Hassani, CISO and cybersecurity consultant, in a data center

CISO-Led Microsoft 365 Audit

Guided by Ali Hassani, CISO.

Ali Hassani is a CISO and cybersecurity consultant with 25+ years of experience across IT operations, cybersecurity, compliance auditing, Microsoft infrastructure, Microsoft 365 security, network security, firewall security, vulnerability management, cloud security, and infrastructure leadership.

His practical background helps organizations connect Microsoft 365 configuration evidence to executive risk, technical controls, compliance readiness, and remediation priorities. Learn more at the OC Security Audit Ali Hassani profile.

Related Services and Tools

Continue from Microsoft 365 audit into readiness, email security, and cloud security.

FAQ

Microsoft Office 365 Security Audit FAQ

What is a Microsoft Office 365 Security Audit?

A Microsoft Office 365 Security Audit is a structured review of Microsoft 365 identity controls, email security, administrator access, audit logs, DLP, SharePoint, OneDrive, Teams, and compliance readiness.

Is this the same as Microsoft 365 security implementation?

No. A security audit identifies gaps, reviews evidence, and provides a remediation roadmap. Security implementation focuses on fixing, configuring, and hardening Microsoft 365 controls.

What areas are reviewed during an Office 365 audit?

Common areas include Entra ID, MFA, Conditional Access, Exchange Online, Defender for Office 365, SPF/DKIM/DMARC, Microsoft Purview, audit logs, DLP, SharePoint, OneDrive, Teams, retention, eDiscovery, and administrator access.

Does an Office 365 audit help with compliance?

Yes. A Microsoft 365 audit can help identify gaps related to HIPAA, PCI DSS, SOC 2, ISO 27001, NIST, CMMC, cyber insurance, and internal governance requirements.

Schedule Your Audit

Review Microsoft 365 security before a hidden setting becomes a business risk.

If your organization uses Microsoft 365 for email, collaboration, file storage, or business operations, OC Security Audit can help identify gaps, review audit evidence, evaluate controls, and create a practical roadmap for improvement.