7 Simple Steps on How to Audit Your Microsoft 365 Security Settings

A Practical 7-Step Guide for UK Businesses to Strengthen Microsoft 365 Security

written by Jamie E.
How to Audit Microsoft 365 Security Settings in 7 Simple Steps

Your Microsoft 365 environment holds critical business data, making it a prime target for cyber threats. Without regular security audits, you risk data breaches, unauthorised access, and potential compliance penalties. This guide outlines a clear and practical 7-step process to audit your Microsoft 365 security using Microsoft’s built-in tools. These steps will help you spot vulnerabilities, strengthen access controls, and keep your organisation better protected against evolving risks.


How to Audit Microsoft 365 Security Settings in 7 Steps

Regular security audits are essential to protect your Microsoft 365 environment from data leaks, unauthorised access, and compliance risks. Follow these 7 steps to carry out an effective audit using Microsoft’s built-in tools.


Step 1: Run Microsoft Secure Score

Tool: Microsoft Secure Score
What to Review: Overall security posture
Action:

  1. Go to Microsoft 365 Defender > Secure Score.
  2. Review your organisation’s current score and recommended actions.
  3. Prioritise critical items like MFA, email protections, and admin roles.

Tip: Secure Score gives you tailored suggestions and shows the potential impact of each one.


Step 2: Review Admin Roles and Permissions

Tool: Microsoft 365 Admin Centre
What to Review: Role-based access, global admin usage
Action:

  1. Go to Users > Active users and filter by admin roles.
  2. Minimise the number of Global Admins to reduce risk.
  3. Use least privilege access by assigning more specific roles (e.g. Exchange Admin, Compliance Admin).

Tip: Use Privileged Identity Management (PIM) in Azure AD to grant time-limited admin access.


Step 3: Audit Multi-Factor Authentication (MFA) Settings

Tool: Azure Active Directory > Security > MFA
What to Review: MFA enrolment, enforcement, exceptions
Action:

  1. Check MFA status for all users.
  2. Require MFA for all admins and users handling sensitive data.
  3. Use Conditional Access policies to enforce MFA for high-risk sign-ins or based on location.

Tip: Microsoft now recommends using Authentication Strength in Conditional Access instead of traditional security defaults.
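One way to run the checks from Steps 2 and 3 together from the command line, as an added example that is not part of the original article: a Microsoft Graph PowerShell script that lists every active Global Administrator and flags any with no MFA method registered. It assumes the Microsoft.Graph modules are installed and that the signed-in account can consent to the read-only scopes requested.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# modules are installed and the signed-in account can consent to the read-only
# scopes below. Combines Step 2 (who holds Global Admin) with Step 3 (MFA status).
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All","AuditLog.Read.All" -NoWelcome

# Only roles that have been activated in the tenant are returned here.
$gaRole = Get-MgDirectoryRole -All | Where-Object DisplayName -eq 'Global Administrator'
if (-not $gaRole) { throw "Global Administrator role is not activated in this tenant." }

# Active assignments only: PIM *eligible* assignments are not listed by this cmdlet
# and must be reviewed separately in Privileged Identity Management.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

# Entra ID registration report: IsMfaRegistered and MethodsRegistered per user id.
$regById = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $regById[$_.Id] = $_ }

$findings = foreach ($m in $members) {
    # Role members may be users, groups or service principals; only users register MFA.
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }
    $reg = $regById[$m.Id]
    [pscustomobject]@{
        UserPrincipalName = $upn
        MfaRegistered     = [bool]$reg.IsMfaRegistered
        Methods           = ($reg.MethodsRegistered -join ', ')
    }
}

"Active Global Administrators: $(@($findings).Count) (keep this number as small as possible)"
$findings | Sort-Object MfaRegistered | Format-Table -AutoSize

$noMfa = @($findings | Where-Object { -not $_.MfaRegistered })
if ($noMfa.Count -gt 0) {
    Write-Warning "$($noMfa.Count) Global Administrator(s) have no MFA method registered."
}
```

Group members of a group-assigned role are not expanded by this script, so any group that appears in the member list should be reviewed separately.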


Step 4: Assess Conditional Access Policies

Tool: Azure Active Directory > Security > Conditional Access
What to Review: Policies enforcing access control
Action:

  1. Review existing policies for effectiveness and gaps.
  2. Ensure you have rules for risky sign-ins, location-based access, and device compliance.
  3. Use the “What If” tool to test new policies without affecting users.

Tip: Start with a report-only mode when introducing new policies to avoid disruptions.


Step 5: Check Audit Logs and Sign-In Activity

Tool: Microsoft Purview (Compliance Centre) and Azure AD Sign-in Logs
What to Review: Suspicious activity, unauthorised access, compliance risks
Action:

  1. Enable Unified Audit Logging in Microsoft Purview.
  2. Regularly review logs for unusual sign-in patterns or file access.
  3. Set up alerts for specific events like mailbox access by non-owners or external sharing.

Tip: Use Microsoft Sentinel for advanced log analysis and threat detection.


Step 6: Review Email Security Settings

Tool: Microsoft Defender for Office 365
What to Review: Anti-phishing, anti-spam, malware filters
Action:

  1. Go to the Microsoft 365 Security Centre > Policies & Rules.
  2. Review and update rules for spoofing, phishing, and malware detection.
  3. Enable Safe Links, Safe Attachments, and Anti-Spam Policies.

Tip: Turn on User Submissions to let employees report phishing directly from Outlook.


Step 7: Protect Data with Information Governance Tools

Tool: Microsoft Purview Compliance Portal
What to Review: Data Loss Prevention (DLP), sensitivity labels, retention policies
Action:

  1. Set up DLP policies to prevent accidental sharing of sensitive info.
  2. Apply Sensitivity Labels to classify and protect documents and emails.
  3. Use Retention Policies to meet legal and compliance requirements.

Tip: Start with monitoring mode to understand data flow before enforcing restrictions.


Auditing Microsoft 365 security is not a one-time task. It should be done regularly, especially after major changes like onboarding new users, switching services, or responding to a security incident.

By using Microsoft’s built-in tools, you can find and fix gaps before they become threats.


Need Expert Help Managing Microsoft 365 Security?
Protecting your Microsoft 365 environment requires expertise and attention to detail. Our IT security specialists can manage your audits, strengthen your defences, and keep your business safe.

➡️ Contact Us for Managed IT Security Support