SOC 2 Microsoft 365 Readiness Checklist
Checklist · Advanced

Prepare your Microsoft 365 environment for SOC 2 Type II audit. This checklist covers identity and access management controls required for SOC 2 compliance.

14 items · 1-2 weeks · For organizations preparing for SOC 2 certification

Prerequisites

  • Understanding of SOC 2 Trust Service Criteria
  • Admin access to Microsoft 365
  • Existing SOC 2 policy documentation

CC6.1 - Logical Access Security

Controls for user authentication and access.

Document MFA enforcement for all users (critical)

Provide evidence of MFA policy and enforcement.

Related: CA-01

Document password policy configuration (high)

Show password complexity and banned password settings.

Related: ID-02

Evidence of legacy authentication blocking (high)

Provide the Conditional Access policy blocking legacy authentication.

Related: CA-09

CC6.2 - Access Authorization

Controls for access provisioning and authorization.

Document user provisioning process (high)

Show how users are granted access and by whom.

Related: GOV-01

Document role assignment process (high)

Evidence of approval workflow for privileged roles.

Related: PA-04

Evidence of least privilege implementation (high)

Show that users have only the minimum required access.

CC6.3 - Access Removal

Controls for timely access removal.

Document offboarding process (critical)

Show how access is revoked when users leave.

Related: GOV-02

Evidence of stale account remediation (high)

Show the process for identifying and disabling inactive accounts.

Document guest access lifecycle (medium)

Show how guest access is reviewed and removed.

Related: EXT-01

CC6.6 - Access Reviews

Controls for periodic access review.

Evidence of periodic access reviews (high)

Show recurring access review configuration and completion.

Related: GOV-03

Document review remediation process (medium)

Show how access review findings are addressed.

CC7.2 - Security Monitoring

Controls for monitoring and detecting anomalies.

Evidence of audit logging enabled (critical)

Show unified audit log configuration and retention.

Related: LOG-01

Document security alerting (high)

Show alert policies for security events.

Document incident response process (high)

Provide incident response procedures and evidence of testing.

Automate this checklist with TrueConfig

TrueConfig automatically monitors your Microsoft 365 configuration against these best practices and alerts you when settings drift.