Checklist (intermediate level)

Office 365 Security Checklist: Complete Access Review Guide

Comprehensive Office 365 security checklist covering identity, access review, Conditional Access, data protection, and audit logging. Use this for quarterly security reviews or compliance preparation.

Items: 23
Estimated time: 4-6 hours
Audience: IT administrators and security teams managing Microsoft 365

Prerequisites

  • Global Admin or Security Admin access
  • Access to Microsoft Entra admin center
  • Access to Microsoft Purview compliance portal

Identity & Access Review

Review user identities, MFA status, and access permissions.

Verify MFA is enforced for all users (critical, ~15 minutes)

Review Conditional Access policies requiring MFA for all cloud apps.

Related: CA-01

Tips:

  • Check for users excluded from MFA policies
  • Verify MFA registration completion rate is >95%

Conduct privileged access review (critical, ~30 minutes)

Review all Global Admin and privileged role assignments. Verify each assignment has business justification.

Related: PA-01

Tips:

  • Global Admins should be limited to 2-4
  • Use dedicated admin accounts, not daily-use accounts

Complete guest user access review (high, ~45 minutes)

Review all external/guest users. Remove guests who no longer need access.

Related: EXT-01

Tips:

  • Check guest last sign-in date
  • Verify sponsoring employee still at company

Identify and disable stale accounts (high, ~30 minutes)

Find accounts with no sign-in activity in 90+ days. Disable or delete as appropriate.

Related: ID-03
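
An added example, not part of the original checklist or of the TrueConfig product, that implements the stale-account step with the Microsoft Graph PowerShell SDK: it reports enabled accounts with no interactive or non-interactive sign-in in the last 90 days, ages never-signed-in accounts from their creation date, and skips the break-glass accounts that a later item in this checklist requires (the UPNs in the script are constructed placeholders). It assumes the Microsoft.Graph module is installed, the caller holds User.Read.All and AuditLog.Read.All (plus User.ReadWrite.All only when -Disable is passed), and the tenant has an Entra ID P1/P2 license, which the signInActivity property requires.

```powershell
# Added example (not the checklist's own code): list, and optionally disable,
# accounts with no sign-in activity in the last N days.
# Assumes the Microsoft.Graph module; signInActivity needs Entra ID P1/P2.
param(
    [int]$InactiveDays = 90,
    # Break-glass accounts must never be flagged; constructed placeholder UPNs.
    [string[]]$ExcludeUpn = @('breakglass1@contoso.example', 'breakglass2@contoso.example'),
    [switch]$Disable    # report only unless this switch is set
)
$scopes = @('User.Read.All', 'AuditLog.Read.All')
if ($Disable) { $scopes += 'User.ReadWrite.All' }
Connect-MgGraph -Scopes $scopes -NoWelcome

$cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
# signInActivity is only returned when it is explicitly selected.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,CreatedDateTime,SignInActivity

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }                      # already disabled
    if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }  # break-glass
    # Service accounts often sign in only non-interactively, so take the
    # most recent of both timestamps before calling an account stale.
    $last = @($u.SignInActivity.LastSignInDateTime,
              $u.SignInActivity.LastNonInteractiveSignInDateTime) |
            Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # Accounts that never signed in have no signInActivity at all; age them
    # from creation so freshly provisioned users are not flagged.
    if (-not $last) { $last = $u.CreatedDateTime }
    if ($last -lt $cutoff) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType          # Member or Guest
            LastActivityUtc   = $last
            NeverSignedIn     = -not $u.SignInActivity.LastSignInDateTime
        }
    }
}

$stale | Sort-Object LastActivityUtc | Format-Table -AutoSize
$stale | Export-Csv -Path "stale-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

if ($Disable) {
    foreach ($s in $stale) {
        # Disable, never delete, from the script; deletion stays a reviewed manual step.
        Update-MgUser -UserId $s.UserPrincipalName -AccountEnabled:$false
    }
}
```

Run it once without -Disable and review the CSV with the account owners before re-running with the switch; the NeverSignedIn column separates abandoned provisioning from genuinely lapsed use.
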

Review security group memberships (medium, ~45 minutes)

Audit membership of groups with privileged access or sensitive data access.

Related: GOV-03

Conditional Access Review

Audit Conditional Access policies for gaps and misconfigurations.

Verify legacy authentication is blocked (critical, ~10 minutes)

Confirm CA policy blocks IMAP, POP3, SMTP AUTH, and other legacy protocols.

Related: CA-09

Review CA policy coverage (high, ~20 minutes)

Ensure all users and apps are covered by appropriate CA policies.

Tips:

  • Use CA "What If" tool to test policy coverage
  • Check for gaps in user/app targeting

Review risk-based Conditional Access (high, ~15 minutes)

Verify sign-in risk and user risk policies are configured appropriately.

Related: CA-03

Audit CA policy exclusions (high, ~20 minutes)

Review all exclusions from CA policies. Verify each exclusion is still justified.

Verify emergency access accounts (critical, ~15 minutes)

Confirm 2 break-glass accounts exist and are properly excluded from CA.

Related: PA-05

Application Security Review

Review OAuth apps and third-party integrations.

Conduct OAuth application access review (high, ~45 minutes)

Review all enterprise applications and their permissions. Remove unused or excessive apps.

Related: APP-01

Tips:

  • Focus on apps holding broad Graph permissions such as Mail.Read and Files.ReadWrite
  • Check app last used date

Review app consent configuration (high, ~10 minutes)

Verify user consent is restricted and admin approval is required for risky permissions.

Related: APP-02

Review service principal permissions (medium, ~30 minutes)

Audit service principals and their API permissions. Remove overprivileged access.

Related: APP-03

Data Protection Review

Review data loss prevention and sharing settings.

Review DLP policies (high, ~30 minutes)

Verify DLP policies are enabled and cover the sensitive data types your organization handles.

Review external sharing settings (high, ~20 minutes)

Audit SharePoint and OneDrive external sharing configuration.

Review sensitivity label usage (medium, ~20 minutes)

Check sensitivity label adoption and policy effectiveness.

Audit & Monitoring Review

Verify logging and alerting configuration.

Verify unified audit log is enabled (critical, ~10 minutes)

Confirm audit logging is active with appropriate retention.

Related: LOG-01

Review security alert policies (high, ~20 minutes)

Verify alerts are configured for suspicious activities and admin actions.

Review sign-in logs for anomalies (medium, ~30 minutes)

Check for failed sign-ins, risky sign-ins, and unusual locations.

Review admin activity logs (high, ~20 minutes)

Audit recent administrative actions for unauthorized changes.

Access Review Schedule

Set up recurring access reviews for continuous compliance.

Schedule quarterly admin access review (high, ~15 minutes)

Configure recurring access review for all privileged roles.

Related: GOV-03

Schedule monthly guest access review (medium, ~15 minutes)

Configure recurring review for external/guest users.

Schedule annual application access review (medium, ~15 minutes)

Configure yearly review of all OAuth app permissions.