Sequentur Blog


Microsoft 365 Security Audit Checklist for SMBs

If you have already gone through the basics of hardening your Microsoft 365 tenant, this checklist helps you verify that nothing was missed and gives you a repeatable audit you can run quarterly. If you have not hardened your tenant yet, start there first. This checklist assumes the foundational settings are in place and focuses on verifying, documenting, and catching drift over time.

Print this out, open your M365 admin center, and work through it item by item. For each item, note the current state, whether it meets your target, and what action is needed if it does not. This audit also fits naturally into the security validation phase of the cloud migration checklist for small business – if you just migrated to M365, run this audit at week 2 post-cutover before the migration project formally closes. The network-side companion to this checklist is the network security checklist for small business – identity and network are the two halves of the SMB attack surface, and gaps in either one undo the work in the other.

Identity and Access Controls

1. MFA enrollment status

Check that every active user account has MFA registered and enforced. In the Entra admin center, go to Protection > Authentication methods > User registration details to see which users have registered for MFA and which methods they are using.

What to look for: accounts that have never registered for MFA, accounts using only SMS (which is vulnerable to SIM swapping), and accounts where MFA was registered but later removed. Pay special attention to admin accounts and any accounts with elevated permissions. Every admin account should use a phishing-resistant method like a hardware security key or at minimum the Microsoft Authenticator app with number matching enabled.
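
The same check, scripted against the registration report with Microsoft Graph PowerShell, as an added example that is not from the original post. It assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All and UserAuthenticationMethod.Read.All scopes, and the method names listed in the comments are the values Graph returns in methodsRegistered.

```powershell
# Added example: flag MFA registration gaps from the same registration report the
# admin center shows. Assumes Microsoft.Graph.Reports is installed.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All'

# methodsRegistered values (assumed names as returned by Graph). Phone and email
# methods are the weak ones; FIDO2 and Windows Hello are phishing-resistant.
$weak = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email')
$phishingResistant = @('fido2SecurityKey', 'windowsHelloForBusiness')

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object {
    $u = $_
    $methods = @($u.MethodsRegistered)
    $strongMethods = @($methods | Where-Object { $_ -notin $weak })
    $finding = $null
    if (-not $u.IsMfaRegistered) {
        $finding = 'No MFA registered'
    } elseif ($strongMethods.Count -eq 0) {
        $finding = 'Only SMS/voice/email registered (SIM-swap exposure)'
    } elseif ($u.IsAdmin -and @($methods | Where-Object { $_ -in $phishingResistant }).Count -eq 0) {
        # Authenticator with number matching is the stated minimum, but number matching
        # is a tenant-wide setting, so admins on Authenticator are listed for manual review.
        $finding = 'Admin without phishing-resistant method (review)'
    }
    if ($finding) {
        [pscustomobject]@{
            User    = $u.UserPrincipalName
            IsAdmin = $u.IsAdmin
            Methods = ($methods -join ', ')
            Finding = $finding
        }
    }
}

# Admins first; keep the CSV with the quarterly audit record.
$report | Sort-Object IsAdmin -Descending | Format-Table -AutoSize
$report | Export-Csv -Path ".\mfa-registration-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```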

2. Conditional access policies

Review all conditional access policies in Entra > Protection > Conditional Access. Document each policy, what it applies to, who it targets, and what conditions it enforces. For a full walkthrough of the essential policies and how to configure them, see How to configure conditional access in Microsoft 365.

Verify that you have policies covering: MFA enforcement for all users, legacy authentication blocking, geographic restrictions if applicable, device compliance requirements if you use Intune, and sign-in frequency for admin accounts. Check that no policies are in “report-only” mode unless they are intentionally being tested before enforcement. Report-only policies do not block anything.

3. Admin role assignments

Go to Entra > Roles and administrators and review every assigned admin role. Document who has Global Administrator, Exchange Administrator, SharePoint Administrator, User Administrator, and any custom roles.

What to look for: more than two or three Global Administrators, admin roles assigned to daily-use accounts instead of dedicated admin accounts, admin roles assigned to accounts that no longer need them, and any admin accounts without MFA enforced. Stale admin assignments are a common audit finding. If someone changed roles six months ago and still has Exchange Admin, that access should be revoked.

4. Guest and external user accounts

In Entra > Users > Guest users, review all external accounts that have been granted access to your tenant. Guest accounts are created when you share files, Teams channels, or SharePoint sites with external users.

What to look for: guest accounts that were created months or years ago and are no longer needed, guest accounts with access to sensitive SharePoint sites or Teams, and guest accounts from domains you do not recognize. Remove any guest access that is no longer needed. External accounts that linger indefinitely are an unnecessary expansion of your attack surface. For a complete guide to configuring guest access policies, restricting who can invite guests, and setting up automated access reviews, see Microsoft 365 guest access: how to collaborate securely.

5. Security defaults status

If you are using conditional access policies, security defaults should be disabled (they conflict with conditional access). If you are not using conditional access, security defaults should be enabled as a baseline. Check this in Entra > Overview > Properties > Manage Security defaults. Being in a state where both are disabled means you may have no MFA enforcement at all.

Email Security

6. Anti-phishing policies

In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Anti-phishing. Verify that you have a policy applied to all users with mailbox intelligence enabled, spoof intelligence enabled, and impersonation protection configured for your executives and key personnel.

Check the action settings. Messages identified as impersonation should be quarantined or moved to junk, not just tagged with a safety tip. Review the list of protected users and domains, and update it if people have joined or left the organization since the policy was last configured.

7. Safe Links and Safe Attachments

Verify that Safe Links is enabled for all users, set to check URLs at time of click, and applied to internal emails (not just external). Verify that Safe Attachments is enabled with Dynamic Delivery so that users receive emails immediately while attachments are scanned.

Check whether Safe Links is also enabled for Teams and Office applications, not just email. Attackers deliver malicious links through Teams messages and shared documents, not only through email.

8. DMARC, DKIM, and SPF records

These are DNS records, not M365 admin center settings, but they are critical to verify during any email security audit. Use a tool like MXToolbox or dmarcian to check your domain’s current records.

Verify that SPF includes all legitimate sending sources and ends with -all (hard fail) rather than ~all (soft fail). Verify that DKIM is enabled and signing outbound messages from M365. Verify that DMARC is published and ideally set to p=quarantine or p=reject. If your DMARC policy is still at p=none, review your DMARC reports to confirm all legitimate mail sources are covered, then move to enforcement.
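
The three DNS checks above, automated for a single domain, as an added example that is not from the original post. It uses Resolve-DnsName (the Windows DnsClient module); Test-MailAuthPosture and Get-TxtRecord are helper names chosen here, and example.com is a placeholder for your own domain.

```powershell
# Added example: evaluate SPF, DKIM and DMARC for a domain against the audit targets.
function Get-TxtRecord {
    param([string]$Name)
    # Join the quoted fragments of each TXT record into one string; drop CNAME hops.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '') }
}

function Test-MailAuthPosture {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF: exactly one v=spf1 record, ending in -all (hard fail), not ~all.
    $spf = @(Get-TxtRecord $Domain | Where-Object { $_ -match '^v=spf1\b' })
    if ($spf.Count -ne 1) { $findings.Add("SPF: expected 1 record, found $($spf.Count)") }
    elseif ($spf[0] -notmatch '\s-all\s*$') { $findings.Add("SPF: does not end in -all -> '$($spf[0])'") }

    # DKIM: M365 publishes its signing keys under selector1 and selector2 (CNAMEs to the tenant).
    foreach ($sel in 'selector1', 'selector2') {
        $key = @(Get-TxtRecord "$sel._domainkey.$Domain" | Where-Object { $_ -match 'v=DKIM1' })
        if ($key.Count -eq 0) { $findings.Add("DKIM: no key published for $sel") }
    }

    # DMARC: p= should be quarantine or reject; rua= is what makes report review possible.
    $dmarc = @(Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -match '^v=DMARC1' })
    if ($dmarc.Count -eq 0) { $findings.Add('DMARC: no record published') }
    else {
        $tags = @{}
        foreach ($kv in ($dmarc[0] -split ';')) {
            if ($kv -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
        }
        if ($tags['p'] -notin 'quarantine', 'reject') { $findings.Add("DMARC: p=$($tags['p']) is not enforcing") }
        if (-not $tags['rua']) { $findings.Add('DMARC: no rua= address, aggregate reports are not collected') }
    }

    [pscustomobject]@{ Domain = $Domain; Pass = ($findings.Count -eq 0); Findings = $findings }
}

# Placeholder domain; substitute each domain your tenant sends mail from.
Test-MailAuthPosture -Domain 'example.com' | Format-List
```

Run it once per sending domain and keep the output with the audit record; a domain that passes today can fail next quarter when a new SaaS sender is added without updating SPF.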

9. Inbox forwarding rules

Check for mailbox forwarding rules across all users. Attackers who compromise an account frequently create forwarding rules to send copies of incoming email to an external address.

In Exchange Online PowerShell or the Exchange admin center, review inbox rules and transport rules for any that forward, redirect, or BCC to external addresses. Pay particular attention to rules that were created recently or that target high-value accounts like executives and finance staff. A single forwarding rule on the CFO’s mailbox can enable an ongoing business email compromise that goes undetected for weeks.
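
A scripted version of this check in Exchange Online PowerShell, added here as an example rather than taken from the original post. It assumes the ExchangeOnlineManagement module and a role that can read mailboxes, inbox rules and transport rules; Get-ExternalAddresses is a helper defined in the block, and "external" means any address whose domain is not an accepted domain of the tenant.

```powershell
# Added example: find inbox rules, mailbox forwarding and transport rules that send mail outside the tenant.
Connect-ExchangeOnline -ShowBanner:$false

$accepted = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Get-ExternalAddresses {
    param([string[]]$Recipients)
    # Rule recipients look like '"Name" [SMTP:user@example.net]'; mailbox forwarding like 'smtp:user@example.net'.
    foreach ($r in @($Recipients)) {
        if ($r -match '([\w.+-]+@[\w-]+(\.[\w-]+)+)') {
            if ($Matches[1].Split('@')[1].ToLower() -notin $accepted) { $Matches[1] }
        }
    }
}

function New-Finding($Mailbox, $Source, $Rule, $External) {
    [pscustomobject]@{ Mailbox = $Mailbox; Source = $Source; Rule = $Rule; External = ($External -join ';') }
}

$findings = @()
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
foreach ($mbx in $mailboxes) {
    # Mailbox-level forwarding (set by an admin or through Outlook settings).
    $ext = Get-ExternalAddresses @($mbx.ForwardingSmtpAddress)
    if ($ext) { $findings += New-Finding $mbx.UserPrincipalName 'Mailbox ForwardingSmtpAddress' '-' $ext }

    # Inbox rules that forward, forward as attachment, or redirect. Disabled rules are reported too:
    # an attacker-created rule that was only disabled, not deleted, is still a finding.
    foreach ($rule in (Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue)) {
        $ext = Get-ExternalAddresses (@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo))
        if ($ext) { $findings += New-Finding $mbx.UserPrincipalName "Inbox rule (Enabled=$($rule.Enabled))" $rule.Name $ext }
    }
}

# Transport rules that BCC, redirect, or add external recipients.
foreach ($tr in Get-TransportRule) {
    $ext = Get-ExternalAddresses (@($tr.BlindCopyTo) + @($tr.RedirectMessageTo) + @($tr.AddToRecipients))
    if ($ext) { $findings += New-Finding '(tenant)' "Transport rule (State=$($tr.State))" $tr.Name $ext }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path ".\external-forwarding-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Get-InboxRule is called once per mailbox, so on a tenant with a few hundred mailboxes expect the run to take several minutes; compare the CSV with the previous quarter's to spot rules that appeared since the last audit.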

10. Mail flow rules (transport rules)

Review all transport rules in the Exchange admin center under Mail flow > Rules. Document each rule and verify it still serves a legitimate business purpose.

What to look for: rules that bypass spam filtering for specific senders or domains (often created as a quick fix and never removed), rules that automatically forward email externally, rules that strip encryption or security headers, and any rules you do not recognize. Stale or overly broad transport rules are a frequent source of security gaps.

Data and Sharing

11. SharePoint and OneDrive external sharing

In the SharePoint admin center, go to Policies > Sharing. Document the current sharing level for both SharePoint and OneDrive.

Verify that anonymous sharing (Anyone with the link) is disabled unless you have a documented business justification. The recommended setting for most small businesses is “New and existing guests,” which requires external recipients to authenticate. Check whether SharePoint site-level sharing settings are more permissive than the tenant-level settings, as individual site owners can loosen restrictions within whatever the tenant allows.

12. Teams external and guest access

In the Teams admin center, review External access and Guest access settings. External access controls whether your users can communicate with people in other Teams organizations. Guest access controls whether external users can be added to your Teams and channels.

For most SMBs, external access should be restricted to specific trusted domains rather than open to all organizations. Guest access should be enabled only if you actively use it, and guest permissions should be limited. Check whether guests can create channels, add or remove apps, or access files you do not intend them to see.

13. App consent and permissions

In Entra > Enterprise applications, review the list of third-party applications that have been granted access to your tenant. Sort by permissions granted and focus on apps with broad access like “Read and write all users’ full profiles,” “Read all mail,” or “Have full access to all files.”

Verify that user consent settings are configured to prevent users from granting access to unverified apps without admin approval. Check whether any apps have been granted admin consent, which means they have tenant-wide access regardless of individual user permissions. Revoke consent for any app that is no longer used or that you do not recognize.

Logging and Monitoring

14. Audit log status and retention

In the Microsoft Purview compliance portal, go to Audit and verify that audit logging is active. Check the retention period, which is 90 days on standard plans and 180 days on E5 and Business Premium.

If your industry requires longer retention (HIPAA, PCI DSS, SOC 2), verify that you are exporting logs to external storage or that you have the appropriate licensing for extended retention. Audit logs that expire before you need them are useless during an investigation. Note that audit log retention is separate from data backup. Retention policies keep data from being deleted but do not provide point-in-time recovery.

15. Alert policies

In Microsoft 365 Defender > Policies & rules > Alert policy, review all active alert policies. Verify that you have alerts for: inbox forwarding rule creation, admin role changes, mass file downloads or deletions, mailbox permission changes, and unusual sign-in activity.

Check who receives these alerts. If they go to a shared mailbox that nobody monitors, they are not providing value. Alerts should go to specific individuals who are responsible for investigating them, or to your managed security provider if you have one.

16. Sign-in logs review

Pull the last 30 days of sign-in logs from Entra > Monitoring > Sign-in logs. Look for failed sign-ins from unusual locations, successful sign-ins that bypassed conditional access policies, sign-ins using legacy authentication protocols (should be zero if your blocking policy is working), and any sign-ins flagged as risky by Entra ID Protection.
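
The four conditions above, counted from the last 30 days of interactive sign-ins with Microsoft Graph PowerShell, as an added example that is not from the original post. It assumes the Microsoft.Graph.Reports module, the AuditLog.Read.All and Directory.Read.All scopes, and that $expectedCountries is edited to where your users actually work.

```powershell
# Added example: summarise the sign-in log for legacy auth, CA gaps, risky and unusual-location sign-ins.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All'

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Any clientAppUsed value other than these two is a legacy (basic auth) protocol
# such as IMAP4, POP3, Authenticated SMTP or Exchange ActiveSync.
$modernClients = @('Browser', 'Mobile Apps and Desktop clients')
# Countries your users are expected to sign in from (constructed value; adjust).
$expectedCountries = @('US')

$success = $signIns | Where-Object { $_.Status.ErrorCode -eq 0 }
$legacy = $success | Where-Object { $_.ClientAppUsed -notin $modernClients }
# notApplied means no conditional access policy matched the sign-in at all; with an
# all-users MFA policy in place this count should be zero.
$noCa = $success | Where-Object { $_.ConditionalAccessStatus -eq 'notApplied' }
$risky = $signIns | Where-Object { $_.RiskLevelDuringSignIn -in 'medium', 'high' }
$failedUnusual = $signIns | Where-Object {
    $_.Status.ErrorCode -ne 0 -and $_.Location.CountryOrRegion -and
    $_.Location.CountryOrRegion -notin $expectedCountries
}

[pscustomobject]@{
    TotalSignIns             = @($signIns).Count
    LegacyAuthSuccesses      = @($legacy).Count
    SuccessWithoutCA         = @($noCa).Count
    RiskySignIns             = @($risky).Count
    FailedFromUnusualCountry = @($failedUnusual).Count
} | Format-List

# Drill-down: which accounts are still authenticating with legacy protocols, and which ones.
$legacy | Group-Object UserPrincipalName, ClientAppUsed | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```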

This is not a one-time check. Sign-in logs should be reviewed regularly, ideally weekly, to catch anomalies before they become incidents. If nobody has time to review them, that is a strong signal that you need a managed security provider monitoring your environment.

Device and Endpoint

17. Intune device compliance

If you use Intune for device management, review your compliance policies in the Intune admin center. Verify that policies require disk encryption, current operating system versions, active antivirus or EDR, and screen lock with a PIN or biometric.

Check the device compliance dashboard for non-compliant devices. If devices have been non-compliant for more than a few days without remediation, your enforcement process has a gap. Non-compliant devices that can still access M365 resources defeat the purpose of the compliance policy.

18. Defender for Business or Defender for Endpoint status

If you are on Business Premium or have Defender for Endpoint licensed, check the Defender portal for device onboarding status. Every managed device should be reporting to Defender. Look for devices that have stopped reporting, devices that were never onboarded, and any active alerts or incidents that have not been investigated.

Running This Audit on a Schedule

This checklist is most valuable when run regularly. A quarterly audit catches configuration drift, stale accounts, and changes that were made as quick fixes and never reverted. Keep a record of each audit with dates, findings, and remediation actions taken. This documentation is useful for compliance audits, cyber insurance renewals, and internal accountability.

If running this audit internally feels like more than your team can handle alongside their other responsibilities, that is normal for a small business IT team. Sequentur runs M365 security audits as part of our managed security services and can handle this on a recurring basis so nothing falls through the cracks. Reach out through our contact page if you want help getting started.