Office 365 Security Checklist: 2026 Complete Guide

A comprehensive Office 365 security checklist covering identity management, access review processes, Conditional Access, data protection, and audit monitoring. Essential for IT teams managing Microsoft 365 at mid-sized companies.

TrueConfig Team

Security Engineering

February 1, 2026

Why Your Organization Needs an Office 365 Security Checklist

Microsoft 365 powers productivity for millions of organizations worldwide. But with great capability comes great responsibility: every mailbox, SharePoint site, and Teams channel represents a potential attack surface if left misconfigured.

For IT teams at mid-sized companies (100-1000 employees), the challenge is real. You lack the dedicated security operations center of an enterprise, but your attack surface rivals theirs. You need a systematic approach to Microsoft 365 security that covers the essentials without requiring a full-time security analyst.

That is where this Office 365 security checklist comes in. We have compiled the most critical security configurations based on CIS benchmarks, Microsoft best practices, and real-world incident analysis. Follow this checklist quarterly, and you will dramatically reduce your exposure to common attacks.

What this checklist covers:

  • Identity and access management (including comprehensive access review processes)
  • Conditional Access policies
  • Data protection and DLP
  • Audit logging and monitoring
  • Application security and OAuth governance

Identity and Access Management Checklist

Identity is the new perimeter. In a cloud-first world, your users' credentials are the keys to your kingdom. This section covers the identity controls that stop the majority of attacks.

MFA Enforcement

Multi-factor authentication remains the single most effective control against credential-based attacks. Microsoft reports that MFA blocks 99.9% of automated attacks.

  • Enable MFA for all users without exceptions - Every account, including service accounts and break-glass accounts, needs a second factor
  • Use phishing-resistant MFA for administrators - FIDO2 security keys or Windows Hello for Business for Global Admins and other privileged roles
  • Enable number matching in Microsoft Authenticator - Prevents MFA fatigue attacks where users approve prompts blindly
  • Review MFA registration status monthly - Identify users who registered MFA but later removed their authentication methods
  • Document and justify any MFA exclusions - If a service account cannot use MFA, document why and implement compensating controls

Privileged Access Review

Global Administrators have unrestricted access to your entire Microsoft 365 tenant. Every additional admin increases your attack surface.

  • Limit Global Admins to 2-4 accounts maximum - Microsoft recommends no more than 5; we recommend 2-4 for most mid-sized organizations
  • Conduct monthly access review of all privileged role assignments - Who has Global Admin, Exchange Admin, SharePoint Admin, and Security Admin roles?
  • Implement Privileged Identity Management (PIM) - Require just-in-time activation for admin roles rather than standing access
  • Remove inactive admin accounts during access review - Any admin who has not used their privileges in 30 days should have them revoked
  • Require separate admin accounts - Administrators should not use their daily accounts for admin tasks
  • Audit admin role changes weekly - Review the Entra ID audit log for any role assignment changes
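As an added example (not from the article or from TrueConfig), the following Microsoft Graph PowerShell script performs the monthly review described in this section together with the admin items from the MFA section above: it lists the members of the four privileged roles named here, flags admins who have not signed in for 30 days or who have no phishing-resistant method registered, and warns when Global Administrators exceed four. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can consent to the listed scopes, and that the three method names in $phishingResistant match what Graph reports for FIDO2 keys, Windows Hello for Business and device-bound passkeys.

```powershell
# Added example, not from the article or TrueConfig. Monthly privileged-role review with
# the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph).
# Assumed scopes; adjust if your tenant's consent policy differs.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$privilegedRoles   = @("Global Administrator","Exchange Administrator","SharePoint Administrator","Security Administrator")
$idleDays          = 30   # checklist: revoke admin rights unused for 30 days
$maxGlobalAdmins   = 4    # checklist: 2-4 Global Admins
# Assumed method names as reported by Graph for phishing-resistant credentials; extend if needed
$phishingResistant = @("fido2SecurityKey","windowsHelloForBusiness","passKeyDeviceBound")

# Tenant-wide registration report, cached by user id so each admin is looked up once
$registration = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All | ForEach-Object { $registration[$_.Id] = $_ }

$findings = foreach ($roleName in $privilegedRoles) {
    # Only roles that have been activated in the tenant are returned here;
    # PIM-eligible (not yet activated) assignments are not included
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Service principals and groups are out of scope for a human-admin review
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,AccountEnabled,SignInActivity
        $lastSignIn = $user.SignInActivity.LastSignInDateTime
        $idle = if ($lastSignIn) { (New-TimeSpan -Start $lastSignIn -End (Get-Date).ToUniversalTime()).Days } else { $null }

        $reg    = $registration[$user.Id]
        $strong = [bool]($reg -and @($reg.MethodsRegistered | Where-Object { $_ -in $phishingResistant }).Count)

        [pscustomobject]@{
            Role              = $roleName
            User              = $user.UserPrincipalName
            Enabled           = $user.AccountEnabled
            DaysSinceSignIn   = $idle
            MfaRegistered     = [bool]($reg -and $reg.IsMfaRegistered)
            PhishingResistant = $strong
            Flags             = @(
                if ($null -eq $idle -or $idle -gt $idleDays) { "idle>$($idleDays)d" }
                if (-not $strong) { "no phishing-resistant MFA" }
            ) -join "; "
        }
    }
}

$globalAdmins = @($findings | Where-Object Role -eq "Global Administrator").Count
if ($globalAdmins -gt $maxGlobalAdmins) {
    Write-Warning "$globalAdmins Global Administrators; the checklist target is $maxGlobalAdmins or fewer"
}
$findings | Sort-Object Role, User | Format-Table -AutoSize
# Keep the evidence: the checklist asks for a record of each review
$findings | Export-Csv -Path ".\privileged-access-review-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Get-MgDirectoryRole returns only active assignments, so eligible PIM assignments that have not been activated do not appear and need a separate pass in the PIM portal. signInActivity requires an Entra ID P1 or P2 licence; without it the DaysSinceSignIn column is empty and every admin is flagged as idle.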

Guest Access Review

External users (guests) in your tenant can access shared resources. Without proper governance, guest access becomes a data leak waiting to happen.

  • Conduct quarterly guest access review - Review all guest users and validate their continued business need
  • Restrict who can invite guests - Limit guest invitations to specific roles, not all users
  • Enable guest access expiration - Configure guests to automatically expire after 30-90 days unless renewed
  • Review guest permissions on SharePoint sites - Ensure guests only have access to resources they need
  • Block guest access to sensitive groups - Some Teams and groups should never include external users
  • Document guest access justification - Every guest should have a documented business reason for access

Stale Account Cleanup

Abandoned accounts are prime targets for attackers. They are often overlooked in security reviews and may have weaker credentials.

  • Identify accounts with no sign-in for 90+ days - Run a report monthly to find inactive accounts
  • Disable stale accounts immediately - Do not delete initially; disable and wait 30 days to confirm no business impact
  • Review shared mailboxes annually - Shared mailboxes do not sign in but may have outdated delegates
  • Implement automated lifecycle management - Use Identity Governance to automate access review and removal
  • Cross-reference with HR systems - Ensure terminated employees are disabled within 24 hours
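The following script is an added example (not from the article or from TrueConfig) covering the stale-account items here and the quarterly guest review above: it reports enabled members and guests with no sign-in inside the threshold, and, only when asked, disables the stale members while leaving guests for the review. It assumes the Microsoft Graph PowerShell SDK, an Entra ID P1/P2 licence for signInActivity, and that the -Exclude list (shown with a placeholder address) names your break-glass and known service accounts.

```powershell
# Added example, not from the article or TrueConfig. Stale member and guest report with the
# Microsoft Graph PowerShell SDK; signInActivity requires Entra ID P1/P2 and AuditLog.Read.All.
# Reports by default; disables nothing unless -Disable is given, and honours -WhatIf.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$StaleDays = 90,                                   # checklist threshold for member accounts
    [int]$GuestStaleDays = 90,                              # guests idle this long go on the review list
    [string[]]$Exclude = @("breakglass1@tenant.example"),   # placeholder: break-glass / known service accounts
    [switch]$Disable
)
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All" -NoWelcome

$now   = (Get-Date).ToUniversalTime()
$users = Get-MgUser -All -Property Id,UserPrincipalName,UserType,AccountEnabled,CreatedDateTime,SignInActivity

$report = foreach ($u in $users) {
    if (-not $u.AccountEnabled -or $u.UserPrincipalName -in $Exclude) { continue }
    $threshold = if ($u.UserType -eq 'Guest') { $GuestStaleDays } else { $StaleDays }
    $cutoff    = $now.AddDays(-$threshold)
    $last      = $u.SignInActivity.LastSignInDateTime
    # An account that never signed in is stale only once it is older than the threshold,
    # otherwise every newly created user (or freshly invited guest) would be flagged
    $stale = if ($last) { $last -lt $cutoff } else { $u.CreatedDateTime -lt $cutoff }
    if (-not $stale) { continue }
    $reference = if ($last) { $last } else { $u.CreatedDateTime }
    [pscustomobject]@{
        Id                = $u.Id
        UserPrincipalName = $u.UserPrincipalName
        UserType          = $u.UserType          # Member or Guest
        LastSignIn        = $last
        Created           = $u.CreatedDateTime
        DaysIdle          = [int]($now - $reference).TotalDays
    }
}

$report | Sort-Object UserType, DaysIdle -Descending | Format-Table UserPrincipalName, UserType, LastSignIn, DaysIdle -AutoSize
$report | Export-Csv ".\stale-accounts-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation

if ($Disable) {
    # Disable rather than delete: the checklist keeps disabled objects 30 days to confirm no impact.
    # Guests are reported for the quarterly guest review but not touched here.
    foreach ($r in $report | Where-Object UserType -eq 'Member') {
        if ($PSCmdlet.ShouldProcess($r.UserPrincipalName, "Disable stale account")) {
            Update-MgUser -UserId $r.Id -AccountEnabled:$false
        }
    }
}
```

Run it as `.\Find-StaleAccounts.ps1 -Disable -WhatIf` first to see what would change. Shared mailboxes appear as members that never sign in; cross-check the list against `Get-Mailbox -RecipientTypeDetails SharedMailbox` or add them to -Exclude before disabling anything.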

Access Review Processes

Systematic access review is the backbone of identity governance. Without regular reviews, privilege creep and orphaned access accumulate over time.

  • Schedule quarterly access review for all applications - Who can access each business application? Is it still appropriate?
  • Implement access review for group memberships - Group owners should certify members regularly
  • Create access review campaigns for privileged access - Elevated permissions require more frequent review (monthly recommended)
  • Document access review outcomes - Keep records of review decisions for audit purposes
  • Remediate access review findings within 7 days - Inappropriate access identified during review should be removed promptly

Conditional Access Checklist

Conditional Access policies are your adaptive access controls. They evaluate context (user, device, location, risk) to make real-time access decisions.

Block Legacy Authentication

Legacy authentication protocols (POP3, IMAP, SMTP AUTH) cannot support MFA. If these remain enabled, your MFA deployment has a backdoor.

  • Create a Conditional Access policy to block legacy auth for all users - This is non-negotiable for any secure tenant
  • Run the policy in report-only mode for 7 days first - Identify any legitimate usage before blocking
  • Document exceptions with compensating controls - If a specific application requires legacy auth, document it and restrict access further
  • Monitor legacy auth attempts monthly - Even after blocking, monitor for attempts that might indicate credential compromise
  • Disable legacy auth at the tenant level - In addition to Conditional Access, disable protocols in Exchange Online settings
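The five steps above, carried through as one added example (not from the article or from TrueConfig): a Conditional Access policy created in report-only mode, followed by the Exchange Online settings that close the same protocols independently of the policy. It assumes the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module, and `<break-glass-object-id>` is a placeholder for your emergency account's object id.

```powershell
# Added example, not from the article or TrueConfig. Stages a legacy-authentication block in
# report-only mode and closes the same protocols in Exchange Online. Assumes the Microsoft Graph
# PowerShell SDK and the ExchangeOnlineManagement module. <break-glass-object-id> is a placeholder.
$breakGlass = @("<break-glass-object-id>")   # emergency accounts are excluded from every CA policy

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","Application.Read.All" -NoWelcome

# 1. Conditional Access, report-only first. After the 7-day review, set state to "enabled".
$policy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        # "other" is the Graph value for legacy clients (POP, IMAP, SMTP AUTH, older Office);
        # exchangeActiveSync covers basic-auth ActiveSync clients
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created '$($created.DisplayName)' in state $($created.State) (id $($created.Id))"

# 2. Tenant level: disable the protocols in Exchange Online as well, so the block does not
#    depend on a single policy staying in place.
Connect-ExchangeOnline -ShowBanner:$false

# SMTP AUTH off for everyone unless a mailbox explicitly re-enables it (document any that does)
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# Find mailboxes that still have POP, IMAP, or a per-mailbox SMTP AUTH override switched on
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false }

$legacy | Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled | Format-Table -AutoSize

# Turn them off; $null for SMTP AUTH means "inherit the tenant setting", which is now disabled.
# Run once with -WhatIf to see the scope of the change before applying it.
$legacy | Set-CASMailbox -PopEnabled $false -ImapEnabled $false -SmtpClientAuthenticationDisabled $null
```

The report-only sign-ins show up in the Entra sign-in log under the policy name, which is where the 7-day review of legitimate usage happens; the mailbox list printed in step 2 is the set of documented exceptions you should end up with, and it should be empty or short.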

Risk-Based Policies

Microsoft Entra ID Protection detects anomalous sign-in behavior and flags risky users. Your policies should respond to these signals.

  • Enable sign-in risk policy at medium and above - Require MFA or block access when Microsoft detects risky sign-in patterns
  • Enable user risk policy at high - Force password reset for users flagged as compromised
  • Review risky sign-ins weekly - Do not just automate; manually review risky sign-in reports for false positives and real threats
  • Integrate risk signals into Conditional Access - Create policies that require stronger authentication for risky sessions
  • Configure automatic risk remediation - Allow users to self-remediate medium-risk scenarios with MFA

Device Compliance Requirements

Allowing access from unmanaged or non-compliant devices expands your risk surface significantly.

  • Require compliant devices for access to sensitive apps - At minimum, protect Exchange, SharePoint, and Teams
  • Block access from unknown or unmanaged devices - Or require app-enforced restrictions that limit what users can download
  • Enable device state as a Conditional Access signal - Microsoft Intune compliance status should inform access decisions
  • Create specific policies for mobile devices - Mobile access may need different controls than desktop
  • Monitor non-compliant device access attempts - Track and investigate access from devices that fail compliance checks

Data Protection Checklist

Your data is what attackers want. These controls protect information at rest, in transit, and in use.

DLP Policies

Data Loss Prevention identifies and protects sensitive information from leaving your organization inappropriately.

  • Enable built-in DLP policy templates for your industry - Financial services, healthcare, and general templates are available
  • Create custom DLP rules for your sensitive data types - Employee IDs, project codes, customer account numbers
  • Configure DLP for Exchange, SharePoint, OneDrive, and Teams - Data moves across all these services
  • Set appropriate actions: notify, restrict, block - Start with notifications, then escalate based on sensitivity
  • Review DLP alerts weekly - Tune policies to reduce false positives while catching real incidents
  • Test DLP policies before enabling in enforce mode - Simulation mode prevents business disruption

Sensitivity Labels

Sensitivity labels classify and protect documents based on their content and business impact.

  • Define sensitivity label taxonomy - Typically: Public, Internal, Confidential, Highly Confidential
  • Apply default labels to new documents - Ensure all content is classified from creation
  • Enable mandatory labeling for sensitive locations - Certain SharePoint sites or Teams should require explicit classification
  • Configure encryption for Confidential and above - Labels can automatically apply Azure Information Protection encryption
  • Audit label changes - Track when users downgrade sensitivity classifications
  • Train users on label selection - Technical controls fail without user understanding

External Sharing Settings

SharePoint and OneDrive external sharing is a common data leak vector.

  • Restrict SharePoint external sharing to authenticated guests - Do not allow anonymous links for sensitive content
  • Limit OneDrive sharing to existing guests only - Users should not be able to invite new external users without oversight
  • Enable sharing expiration - External links should expire automatically after 30-90 days
  • Block sharing of specific file types - Prevent sharing of .pst, .bak, and other risky file types
  • Audit sharing activity monthly - Review who is sharing what with whom
  • Restrict sharing to specific domains - For B2B scenarios, limit sharing to approved partner domains
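As an added example (not from the article or from TrueConfig), this script reads the tenant-wide SharePoint and OneDrive sharing settings, applies the hardened values this section calls for, and reports any drift afterwards. It assumes the Microsoft.Online.SharePoint.PowerShell module (a recent version, since OneDriveSharingCapability is a newer setting), a SharePoint Administrator account, and the placeholders `<tenant>` and `partner.example`. File-type blocking is not a tenant sharing setting and is left to DLP.

```powershell
# Added example, not from the article or TrueConfig. Reads the tenant-wide sharing settings,
# applies the hardened values from this section, and reports drift afterwards. Assumes the
# Microsoft.Online.SharePoint.PowerShell module (recent enough for OneDriveSharingCapability),
# a SharePoint Administrator account, and the placeholders <tenant> and partner.example.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# The checklist's target state; each key maps to one bullet above
$hardened = [ordered]@{
    SharingCapability              = "ExternalUserSharingOnly"          # authenticated guests only, no "Anyone" links
    OneDriveSharingCapability      = "ExistingExternalUserSharingOnly"  # OneDrive: existing guests only, no new invitations
    ExternalUserExpirationRequired = $true                               # guest access to a site/OneDrive lapses unless renewed
    ExternalUserExpireInDays       = 60                                   # checklist range: 30-90 days
    SharingDomainRestrictionMode   = "AllowList"                          # B2B: approved partner domains only
    SharingAllowedDomainList       = "partner.example"                    # space-separated list of domains
}

function Get-SharingState {
    # Returns one row per setting with its current value and whether it matches the target
    $tenant = Get-SPOTenant
    foreach ($key in $hardened.Keys) {
        $actual = $tenant.$key
        [pscustomobject]@{
            Setting = $key
            Current = $actual
            Target  = $hardened[$key]
            Status  = if ("$actual" -eq "$($hardened[$key])") { "OK" } else { "DRIFT" }
        }
    }
}

"== Before =="
$before = Get-SharingState
$before | Format-Table -AutoSize

if ($before.Status -contains "DRIFT") {
    # Splatting applies every setting in one Set-SPOTenant call
    Set-SPOTenant @hardened
}

"== After =="
$after = Get-SharingState
$after | Format-Table -AutoSize
# Save as drift evidence alongside the monthly sharing audit
$after | Export-Csv ".\spo-sharing-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Run with the Set-SPOTenant line commented out on the first pass to see the drift table without changing anything; the same Get-SharingState function, scheduled, is the simplest form of the configuration drift detection described later in this guide.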

Audit and Monitoring Checklist

You cannot protect what you cannot see. Audit logging provides the visibility you need for incident detection and compliance.

Unified Audit Log

The Unified Audit Log captures activities across Microsoft 365 services. Without it, you are blind to what is happening in your tenant.

  • Verify Unified Audit Log is enabled - This is on by default but verify it has not been disabled
  • Enable mailbox auditing for all mailboxes - Captures email access and actions at the mailbox level
  • Configure audit log retention for 180+ days - Default retention is 180 days; extend to 1 year for compliance
  • Export logs to external storage monthly - Audit logs beyond retention period are lost forever
  • Integrate with SIEM if available - Microsoft Sentinel or third-party SIEM for correlation and alerting
  • Test log retrieval quarterly - Ensure you can actually find what you need when an incident occurs
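The following script is an added example (not from the article or from TrueConfig) that walks the six items above with the ExchangeOnlineManagement module: it checks the tenant switches, fixes per-mailbox auditing and its age limit, proves that a known event class can be retrieved, and exports a month of records. It assumes an account holding the Audit Logs role; the 365-day age limit, the operation names used in the retrieval test, and the output paths are choices made for this example, not Microsoft defaults.

```powershell
# Added example, not from the article or TrueConfig. Verifies audit logging end to end with the
# ExchangeOnlineManagement module: tenant switches, per-mailbox auditing, a retrieval test and a
# paged export. Assumes an account holding the Audit Logs role; the 365-day mailbox age limit,
# operation names in the retrieval test, and output paths are choices for this example.
Connect-ExchangeOnline -ShowBanner:$false

# 1. Tenant-level switches
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified Audit Log ingestion is off; enabling"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled org-wide; enabling"
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Per-mailbox auditing and retention. Default-on auditing can still be overridden per mailbox,
#    and the default age limit is 90 days; the checklist wants retention beyond that.
$ageLimitDays = 365
$needsFix = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled -or ([TimeSpan]"$($_.AuditLogAgeLimit)").TotalDays -lt $ageLimitDays }
foreach ($m in $needsFix) {
    Set-Mailbox -Identity $m.Identity -AuditEnabled $true -AuditLogAgeLimit "$($ageLimitDays).00:00:00"
}
"Fixed auditing on $(@($needsFix).Count) mailboxes"

# 3. Retrieval test (checklist: quarterly): prove an important event class can actually be found
$end    = Get-Date
$start  = $end.AddDays(-7)
$sample = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 50 `
    -Operations "Add member to role.","SharingInvitationCreated","AnonymousLinkCreated"
if (-not $sample) {
    Write-Warning "No records in the last 7 days for the test operations; check ingestion before trusting the log"
}
$sample | Select-Object CreationDate, UserIds, Operations, RecordType | Format-Table -AutoSize

# 4. Monthly export so records outlive the retention window. Paging through a session avoids
#    the per-call cap; large tenants should split the window into one-day chunks.
$exportStart = $end.AddDays(-30)
$session = "ual-export-$(Get-Date -Format yyyyMMddHHmm)"
$records = do {
    $page = Search-UnifiedAuditLog -StartDate $exportStart -EndDate $end -SessionId $session `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    $page
} while ($page)
$records | Sort-Object CreationDate |
    Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
    Export-Csv ".\ual-export-$(Get-Date -Format yyyy-MM).csv" -NoTypeInformation
"Exported $(@($records).Count) records"
```

The AuditData column is JSON and carries the detail (client IP, target object, parameters) that the summary columns do not; keep it in the export, since it is what an investigation will need after the portal retention has lapsed.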

Alert Policies

Proactive alerting surfaces suspicious activity before it becomes a breach.

  • Enable default Microsoft 365 alert policies - Microsoft provides pre-built alerts for common threats
  • Create custom alerts for critical events - New Global Admin, Conditional Access policy change, mass file deletion
  • Configure alert notification recipients - Alerts are useless if no one sees them
  • Tune alert thresholds to reduce noise - Too many false positives lead to alert fatigue
  • Review triggered alerts daily - Build a process for alert review and triage
  • Document alert handling procedures - What should happen when each alert type fires?

Sign-In Monitoring

Sign-in logs reveal authentication patterns, compromised accounts, and access anomalies.

  • Review sign-in failures weekly - High failure rates may indicate password spray attacks
  • Monitor sign-ins from unusual locations - Flag access from countries where you have no employees
  • Track legacy authentication sign-ins - Even if blocked, monitor attempts for credential compromise indicators
  • Investigate risky sign-ins within 24 hours - Time matters in incident response
  • Export sign-in logs to long-term storage - Default retention is 30 days; you need longer for investigations
  • Create reports for executive security reviews - Summarize sign-in trends and anomalies monthly
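As an added example (not from the article or from TrueConfig), this weekly review script pulls the last seven days of sign-ins through the Microsoft Graph PowerShell SDK and classifies them client-side into the four findings this section asks for: password-spray candidates, legacy protocol attempts, successful sign-ins from unexpected countries, and risky sign-ins. It assumes an Entra ID P1/P2 licence for sign-in log access, and the thresholds, expected-country list and output paths are illustrative values to tune for your tenant.

```powershell
# Added example, not from the article or TrueConfig. Weekly sign-in review with the Microsoft Graph
# PowerShell SDK (needs Entra ID P1/P2 for log access). The thresholds, the expected-country list
# and the output paths are illustrative values to tune for your tenant.
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All" -NoWelcome

$days               = 7
$sprayUserThreshold = 10                                               # one IP failing against >= this many accounts
$expectedCountries  = @("US","GB","DE")                                # where you actually have staff
$interactiveApps    = @("Browser","Mobile Apps and Desktop clients")   # anything else is a legacy client

$since   = (Get-Date).AddDays(-$days).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All   # classified client-side below
$failed  = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }
$success = $signIns | Where-Object { $_.Status.ErrorCode -eq 0 }

# 1. Password spray indicator: many distinct accounts failing from one source address
$spray = $failed | Group-Object IPAddress | ForEach-Object {
    $users = @($_.Group.UserPrincipalName | Sort-Object -Unique)
    if ($users.Count -ge $sprayUserThreshold) {
        [pscustomobject]@{
            IP            = $_.Name
            DistinctUsers = $users.Count
            Failures      = $_.Count
            ErrorCodes    = (@($_.Group.Status.ErrorCode | Sort-Object -Unique) -join ",")
        }
    }
}

# 2. Legacy protocol use: after the block these should all fail; any success is the finding
$legacy = $signIns | Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $interactiveApps } |
    Group-Object ClientAppUsed, UserPrincipalName | ForEach-Object {
        [pscustomobject]@{
            ClientApp = $_.Group[0].ClientAppUsed
            User      = $_.Group[0].UserPrincipalName
            Attempts  = $_.Count
            Succeeded = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
        }
    }

# 3. Successful sign-ins from countries where you have no staff
$unusual = $success |
    Where-Object { $_.Location.CountryOrRegion -and $_.Location.CountryOrRegion -notin $expectedCountries } |
    Select-Object UserPrincipalName, @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, IPAddress, AppDisplayName, CreatedDateTime

# 4. Sign-ins Identity Protection flagged; the checklist wants these investigated within 24 hours
$risky = $signIns | Where-Object { $_.RiskLevelDuringSignIn -in @("medium","high") } |
    Select-Object CreatedDateTime, UserPrincipalName, RiskLevelDuringSignIn, RiskState, IPAddress, AppDisplayName

"== Spray candidates ==";          $spray   | Format-Table -AutoSize
"== Legacy protocol attempts ==";  $legacy  | Sort-Object Succeeded -Descending | Format-Table -AutoSize
"== Unexpected countries ==";      $unusual | Format-Table -AutoSize
"== Risky sign-ins (medium+) =="; $risky   | Format-Table -AutoSize

# Keep a copy: the portal keeps sign-in logs for only 30 days
$stamp = Get-Date -Format yyyy-MM-dd
$signIns |
    Select-Object CreatedDateTime, UserPrincipalName, IPAddress, ClientAppUsed, AppDisplayName,
        @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }, @{ n = 'Country'; e = { $_.Location.CountryOrRegion } }, RiskLevelDuringSignIn |
    Export-Csv ".\signins-$stamp.csv" -NoTypeInformation
```

The spray check groups by source IP because a spray tries one or two passwords against many accounts, so the per-account failure count stays low and a per-user threshold misses it; the error codes column separates bad-password failures from MFA or Conditional Access blocks, which changes how urgently the finding is treated.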

Application Security Checklist

Third-party applications integrated with Microsoft 365 can access your data. Without governance, OAuth consent becomes a backdoor.

When users consent to applications, they grant API permissions that persist until revoked. Attackers exploit this through consent phishing.

  • Restrict user consent to verified publishers only - Block users from granting consent to unverified apps
  • Enable admin consent workflow - Users can request apps; admins approve with visibility
  • Conduct quarterly access review of consented applications - What apps have access? What permissions did users grant?
  • Revoke consent for unused applications - Apps not used in 90 days should have consent revoked
  • Block consent to high-risk permissions - Mail.ReadWrite, Directory.ReadWrite.All, and similar permissions require admin approval
  • Audit new consent grants weekly - Monitor for suspicious consent activity

Third-Party App Permissions Access Review

Enterprise applications and service principals also accumulate permissions over time.

  • Inventory all enterprise applications - Know what applications are registered in your tenant
  • Conduct annual access review of application permissions - Are these permissions still needed? Are they appropriately scoped?
  • Review service principal credentials - Secrets and certificates should rotate and have expiration dates
  • Remove orphaned app registrations - Apps registered by former employees or for abandoned projects
  • Limit application permissions to least privilege - Apps should only have the permissions they actually need
  • Document business justification for each app - Why does this app need access to your tenant?
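The following script is an added example (not from the article or from TrueConfig) serving both this section and the OAuth consent section above: it lists delegated consent grants that carry high-risk scopes or come from unverified publishers, and flags app-registration secrets and certificates that are expired, about to expire, or unusually long-lived. It assumes the Microsoft Graph PowerShell SDK; the high-risk scope list repeats the checklist's two examples plus related write scopes, and the 365-day lifetime ceiling is a starting point rather than a Microsoft default.

```powershell
# Added example, not from the article or TrueConfig. Quarterly application review with the Microsoft
# Graph PowerShell SDK: delegated consent grants carrying high-risk scopes or from unverified
# publishers, and app-registration credentials that are expired, about to expire, or very long-lived.
# The scope list and the 365-day lifetime ceiling are starting points, not Microsoft defaults.
Connect-MgGraph -Scopes "Directory.Read.All","Application.Read.All","DelegatedPermissionGrant.Read.All","User.Read.All" -NoWelcome

$highRisk = @("Mail.ReadWrite","Mail.Send","Directory.ReadWrite.All","Files.ReadWrite.All",
              "MailboxSettings.ReadWrite","Contacts.ReadWrite","RoleManagement.ReadWrite.Directory")
$maxCredentialDays = 365
$now = (Get-Date).ToUniversalTime()

# Cache service-principal lookups; one grant per (client, user) means many repeats
$spCache = @{}
function Get-ClientInfo([string]$id) {
    if (-not $spCache.ContainsKey($id)) {
        $spCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id -Property Id,DisplayName,AppId,VerifiedPublisher,AppOwnerOrganizationId
    }
    $spCache[$id]
}

# 1. Delegated (OAuth2) consent grants: what users and admins clicked "Accept" on
$consent = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $scopes    = @($g.Scope -split ' ' | Where-Object { $_ })
    $client    = Get-ClientInfo $g.ClientId
    $grantedBy = if ($g.ConsentType -eq 'AllPrincipals') { 'admin (tenant-wide)' }
                 else { (Get-MgUser -UserId $g.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue).UserPrincipalName }
    [pscustomobject]@{
        App            = $client.DisplayName
        Publisher      = $client.VerifiedPublisher.DisplayName      # empty means unverified publisher
        ConsentType    = $g.ConsentType
        GrantedBy      = $grantedBy
        ScopeCount     = $scopes.Count
        HighRiskScopes = (@($scopes | Where-Object { $_ -in $highRisk }) -join ' ')
        GrantId        = $g.Id                                       # needed to revoke the grant later
    }
}
"== Consent grants with high-risk scopes or unverified publishers =="
$consent | Where-Object { $_.HighRiskScopes -or -not $_.Publisher } |
    Sort-Object App, GrantedBy | Format-Table App, Publisher, ConsentType, GrantedBy, HighRiskScopes -AutoSize

# 2. App registration credentials
function Test-Credential($app, $cred, [string]$kind) {
    # Emits a finding for expired, soon-to-expire or over-long credentials; nothing for healthy ones
    if (-not $cred.EndDateTime -or -not $cred.StartDateTime) { return }
    $lifetime = ($cred.EndDateTime - $cred.StartDateTime).TotalDays
    $issue = if ($cred.EndDateTime -lt $now)                 { "expired: remove" }
             elseif ($lifetime -gt $maxCredentialDays)        { "lifetime $([int]$lifetime)d > $maxCredentialDays" }
             elseif ($cred.EndDateTime -lt $now.AddDays(30))  { "expires within 30d: rotate" }
    if ($issue) {
        [pscustomobject]@{ App = $app.DisplayName; AppId = $app.AppId; Kind = $kind; Name = $cred.DisplayName; Expires = $cred.EndDateTime; Issue = $issue }
    }
}
$credentials = foreach ($app in Get-MgApplication -All -Property Id,DisplayName,AppId,PasswordCredentials,KeyCredentials) {
    foreach ($c in @($app.PasswordCredentials)) { Test-Credential $app $c 'secret' }
    foreach ($c in @($app.KeyCredentials))      { Test-Credential $app $c 'certificate' }
}
"== Credential findings =="
$credentials | Sort-Object Expires | Format-Table -AutoSize

$stamp = Get-Date -Format yyyy-MM-dd
$consent     | Export-Csv ".\app-consent-$stamp.csv"     -NoTypeInformation
$credentials | Export-Csv ".\app-credentials-$stamp.csv" -NoTypeInformation
```

Two things this pass does not cover: application (app-role) permissions held by service principals live under `Get-MgServicePrincipalAppRoleAssignment` rather than in OAuth2 permission grants, and orphaned registrations are found through `Get-MgApplicationOwner` by checking whether every owner is still an active user. Once a grant is confirmed unused, `Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId` with the GrantId from the CSV revokes it.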

How Often to Run Access Reviews and Security Audits

Consistency matters more than perfection. Establish a regular cadence and stick to it.

Weekly Reviews

  • Sign-in failure patterns
  • Triggered alert triage
  • New admin role assignments
  • OAuth consent grants

Monthly Reviews

  • Privileged access review (Global Admins, role assignments)
  • MFA registration status
  • Stale account identification
  • DLP and sharing activity

Quarterly Reviews

  • Guest access review across all resources
  • Application consent audit
  • Conditional Access policy review
  • Full Microsoft 365 security checklist walkthrough

Annual Reviews

  • Complete access review of all users, groups, and applications
  • Third-party application permissions access review
  • Security baseline reassessment
  • Disaster recovery and incident response plan testing

Automate Your Office 365 Security Checklist

Manual checklists work, but they do not scale. As your organization grows, you need automated monitoring that continuously evaluates your security posture.

The problem with manual checklists:

  • Drift happens between review cycles
  • Human error leads to missed items
  • No audit trail of review completion
  • Reactive rather than proactive

What automation provides:

  • 24/7 configuration monitoring
  • Immediate drift detection and alerting
  • Complete audit evidence for compliance
  • Auto-remediation for common deviations

Take the Next Step

This Office 365 security checklist covers the essential configurations for a secure Microsoft 365 tenant. But reading a checklist is just the beginning; implementing and maintaining these controls requires ongoing effort.

For a comprehensive, actionable version of this checklist:

Access the Interactive Office 365 Security Checklist

TrueConfig continuously monitors your Microsoft 365 tenant against security baselines like this one. Instead of quarterly manual reviews, you get 24/7 visibility with automatic drift detection and remediation. Every access review finding, every configuration drift, every policy change is tracked and auditable.

When your next security audit comes, you will not be scrambling to collect evidence. You will have a complete timeline showing continuous compliance.

See How TrueConfig Works