
M365 Security Audit Checklist 2026: 9 Checks Every Admin Must Run

Most Microsoft 365 breaches aren't sophisticated. They exploit the same misconfigurations: MFA disabled for a few accounts, legacy auth left open, an admin who left six months ago still has Global Admin rights. This checklist closes those gaps in under an hour.

Microsoft 365 manages email, files, identity, and device access for hundreds of millions of users, which makes it the single highest-value target in most small and mid-sized businesses. The problem isn't that M365 is insecure by default. It's that the default settings prioritise compatibility over security, and most tenants never change them.

What follows is the exact audit checklist we run against every M365 tenant enrolled in Workspace Posture Pro. Each check takes minutes, and every finding maps to a concrete remediation step.

The 9-Point M365 Security Audit Checklist

1. MFA enforcement across all users (Critical)
Navigate to Azure AD → Users → Per-user MFA, or check Conditional Access policies. Every account, including service accounts and shared mailboxes, should have MFA enforced. Accounts with MFA disabled are the #1 entry point for business email compromise. Look for accounts where MFA status shows "Disabled" or "Not registered".
2. Legacy authentication protocols blocked (Critical)
Legacy auth (SMTP AUTH, POP3, IMAP, Basic Auth) bypasses MFA entirely. Check Azure AD → Security → Authentication methods → Legacy authentication. Create a Conditional Access policy to block legacy auth for all users, then verify that no line-of-business apps depend on it before enforcing. Microsoft has been disabling it by default since 2023, but many tenants opted out.
3. Stale admin accounts, inactive 30+ days (Critical)
In Azure AD → Users, filter by admin roles and sort by last sign-in. Any Global Admin, Exchange Admin, or SharePoint Admin who hasn't signed in for 30+ days is a liability, especially a former employee. Revoke the roles immediately, disable the account, then delete it after the 30-day soft-delete window. Attackers specifically target dormant privileged accounts.
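The portal filter in check 3 is easy to misread when an account has never signed in at all, because there is simply no timestamp to sort on. The following is an added example, not code from this page or from Workspace Posture Pro, that applies the 30-day rule to a list of role members. The input shape is an assumption: one record per role membership, carrying the user's last sign-in as a Graph-style UTC timestamp (or None when nothing was ever recorded). All users are constructed.

```python
from datetime import datetime, timedelta, timezone

# The roles the checklist names; role display names as the directory reports them.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "SharePoint Administrator"}

# Constructed sample: role memberships joined with each user's last sign-in.
# None means no sign-in was ever recorded for the account.
SAMPLE_ROLE_MEMBERS = [
    {"role": "Global Administrator", "upn": "alice@example.com",
     "accountEnabled": True, "lastSignIn": "2026-03-02T08:15:00Z"},
    {"role": "Global Administrator", "upn": "former.admin@example.com",
     "accountEnabled": True, "lastSignIn": "2025-09-14T17:40:00Z"},
    {"role": "Exchange Administrator", "upn": "svc-migration@example.com",
     "accountEnabled": True, "lastSignIn": None},
    {"role": "SharePoint Administrator", "upn": "bob@example.com",
     "accountEnabled": True, "lastSignIn": "2026-02-20T11:05:00Z"},
    {"role": "Helpdesk Administrator", "upn": "carol@example.com",
     "accountEnabled": True, "lastSignIn": "2025-01-01T00:00:00Z"},  # not a role this check covers
]


def parse_iso(ts):
    """Parse a Graph-style UTC timestamp such as 2026-03-02T08:15:00Z; None stays None."""
    if ts is None:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_stale_admins(members, now_iso=None, max_idle_days=30):
    """Return every privileged role holder idle for more than max_idle_days.

    now_iso pins the evaluation time so results are reproducible; by default the
    current UTC time is used. An account with no recorded sign-in is reported as
    a finding rather than silently skipped.
    """
    now = parse_iso(now_iso) if now_iso else datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for m in members:
        if m["role"] not in PRIVILEGED_ROLES:
            continue
        last = parse_iso(m["lastSignIn"])
        if last is None:
            findings.append({"upn": m["upn"], "role": m["role"],
                             "idle_days": None, "reason": "no sign-in recorded"})
        elif last < cutoff:
            findings.append({"upn": m["upn"], "role": m["role"],
                             "idle_days": (now - last).days, "reason": "inactive"})
    return findings


if __name__ == "__main__":
    # Remediation order from the checklist: revoke the role, disable, delete after soft-delete.
    for f in find_stale_admins(SAMPLE_ROLE_MEMBERS, "2026-03-10T00:00:00Z"):
        print(f"{f['role']:<26} {f['upn']:<30} {f['reason']} ({f['idle_days']} days)")
```

The Helpdesk Administrator is deliberately outside PRIVILEGED_ROLES so the example shows the filter working; widen that set if your tenant treats other roles as privileged.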
4. Email forwarding rules to external domains (High)
Go to Exchange Admin Center → Mail flow → Rules, and also check individual mailboxes under Outlook → Settings → Mail → Forwarding. Auto-forwarding to external addresses is a primary data exfiltration technique: attackers who compromise a mailbox immediately set up forwarding to their own address. Any external forwarding rule you didn't deliberately set should be treated as an indicator of compromise.
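Check 4 covers two different places forwarding can hide: per-mailbox inbox rules and the mailbox-level forwarding address. This added example (not code from the page or from Workspace Posture Pro) evaluates both against the tenant's own domains. The inbox-rule shape follows Graph's messageRule resource (forwardTo, forwardAsAttachmentTo and redirectTo actions), and the mailbox shape assumes an Exchange-style forwardingSmtpAddress carrying an "smtp:" prefix; the domains, mailboxes and rules are constructed.

```python
# Assumed tenant domains; anything else counts as external.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Constructed inbox rules per mailbox, shaped like Graph messageRule objects.
SAMPLE_INBOX_RULES = {
    "finance@example.com": [
        {"displayName": "Invoices", "isEnabled": True,
         "actions": {"forwardTo": [{"emailAddress": {"address": "fin.archive@mail.example.net"}}],
                     "delete": True}},
        {"displayName": "Team CC", "isEnabled": True,
         "actions": {"redirectTo": [{"emailAddress": {"address": "team@corp.example.com"}}]}},
    ],
    "hr@example.com": [
        {"displayName": "Old rule", "isEnabled": False,
         "actions": {"forwardTo": [{"emailAddress": {"address": "someone@outside.example.org"}}]}},
    ],
}

# Constructed mailbox-level forwarding settings.
SAMPLE_MAILBOXES = [
    {"upn": "finance@example.com", "forwardingSmtpAddress": None},
    {"upn": "ceo@example.com", "forwardingSmtpAddress": "smtp:ceo.backup@personal.example.net"},
]

# Every rule action that sends a copy or the original somewhere else.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def is_external(address):
    """True when the address's domain is not one of the tenant's own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def check_inbox_rules(rules_by_mailbox):
    findings = []
    for upn, rules in rules_by_mailbox.items():
        for rule in rules:
            if not rule.get("isEnabled", True):
                continue  # a disabled rule moves no mail; re-enabling it would show up next run
            actions = rule.get("actions", {})
            external = [r["emailAddress"]["address"]
                        for key in FORWARDING_ACTIONS
                        for r in actions.get(key, [])
                        if is_external(r["emailAddress"]["address"])]
            if external:
                findings.append({"mailbox": upn, "rule": rule["displayName"], "targets": external,
                                 # a rule that also deletes the message hides the copy from the owner
                                 "deletes_original": bool(actions.get("delete"))})
    return findings


def check_mailbox_forwarding(mailboxes):
    findings = []
    for mb in mailboxes:
        target = mb.get("forwardingSmtpAddress")
        if not target:
            continue
        address = target.split(":", 1)[-1]  # strip the "smtp:" prefix
        if is_external(address):
            findings.append({"mailbox": mb["upn"], "rule": None, "targets": [address],
                             "deletes_original": False})
    return findings


def external_forwarding_report(rules_by_mailbox, mailboxes):
    """Inbox-rule findings first, then mailbox-level forwarding findings."""
    return check_inbox_rules(rules_by_mailbox) + check_mailbox_forwarding(mailboxes)


if __name__ == "__main__":
    for f in external_forwarding_report(SAMPLE_INBOX_RULES, SAMPLE_MAILBOXES):
        print(f)
```

The deletes_original flag is worth surfacing in the report: a forwarding rule that also deletes the message is the variant the mailbox owner is least likely to notice, so it belongs at the top of the triage list.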
5. OAuth app consent grants (High)
In Azure AD → Enterprise applications → All applications, filter by "User assigned required: No": these apps have tenant-wide access granted by any user who clicked "Allow". Review every third-party app with Mail.Read, Files.ReadWrite, or User.Read.All permissions. Illicit consent grant attacks are rising sharply because they bypass password and MFA controls entirely.
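Reviewing consents one app at a time in the portal does not tell you which grants matter most. This added example (not the page's or Workspace Posture Pro's code) ranks delegated consent grants by the permissions check 5 calls out. It assumes the Graph oauth2PermissionGrant shape, where consentType "AllPrincipals" means the grant applies to every user in the tenant and "Principal" means one user consented for themselves, and where scope is a space-separated list of permission names; the service principals and grants are constructed.

```python
# Delegated Graph permissions that expose mail, files or the directory.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.ReadWrite", "Files.ReadWrite.All", "Files.Read.All",
    "User.Read.All", "Directory.Read.All",
}

# Constructed service principals, keyed by object id.
SAMPLE_SERVICE_PRINCIPALS = {
    "sp-1": {"displayName": "Meeting Notes Helper", "publisherName": None},
    "sp-2": {"displayName": "Quarterly Survey", "publisherName": "Survey Vendor Ltd"},
    "sp-3": {"displayName": "Doc Exporter", "publisherName": None},
}

# Constructed grants shaped like Graph oauth2PermissionGrant objects.
SAMPLE_GRANTS = [
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-11",
     "scope": "Mail.Read Files.ReadWrite offline_access"},
    {"clientId": "sp-1", "consentType": "Principal", "principalId": "user-12",
     "scope": "Mail.Read Files.ReadWrite offline_access"},
    {"clientId": "sp-2", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read"},
    {"clientId": "sp-3", "consentType": "AllPrincipals", "principalId": None,
     "scope": "Files.ReadWrite.All User.Read.All offline_access"},
]


def risky_consent_grants(grants, service_principals):
    """One finding per app holding a high-risk delegated scope, tenant-wide grants first."""
    per_app = {}
    for g in grants:
        risky = set(g["scope"].split()) & HIGH_RISK_SCOPES
        if not risky:
            continue
        sp = service_principals.get(g["clientId"], {})
        app = per_app.setdefault(g["clientId"], {
            "app": sp.get("displayName", g["clientId"]),
            "publisher": sp.get("publisherName"),  # None: no publisher name on record
            "tenant_wide": False,
            "consenting_users": set(),
            "scopes": set(),
        })
        app["scopes"].update(risky)
        if g["consentType"] == "AllPrincipals":
            app["tenant_wide"] = True
        else:
            app["consenting_users"].add(g["principalId"])

    findings = []
    for f in per_app.values():
        f["scopes"] = sorted(f["scopes"])
        f["consenting_users"] = len(f["consenting_users"])
        findings.append(f)
    # Tenant-wide grants outrank per-user ones; among equals, more risky scopes first.
    findings.sort(key=lambda f: (not f["tenant_wide"], -len(f["scopes"]), f["app"]))
    return findings


if __name__ == "__main__":
    for f in risky_consent_grants(SAMPLE_GRANTS, SAMPLE_SERVICE_PRINCIPALS):
        scope_kind = "tenant-wide" if f["tenant_wide"] else f"{f['consenting_users']} user(s)"
        print(f"{f['app']:<22} {scope_kind:<12} {', '.join(f['scopes'])}")
```

This covers delegated permissions only. Application permissions (granted through app role assignments rather than oauth2PermissionGrant) are a separate object and deserve the same review.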
6. External sharing settings (SharePoint & OneDrive) (High)
Check SharePoint Admin Center → Policies → Sharing. The setting should be "New and existing guests" at most, never "Anyone with the link". Files shared with "Anyone" links are effectively public. Audit existing shares: SharePoint Admin Center → Active sites → Sharing column. Also check whether guests can share items they don't own.
7. Conditional Access policy coverage (High)
In Azure AD → Security → Conditional Access, check that your CA policies cover all users, not just "All users minus break-glass". Common gap: the CA policy excludes service accounts and shared mailboxes. Also verify you have policies for: sign-in risk > medium → require MFA, unmanaged devices → block or limit access, and risky users → require password change.
8. Audit log retention enabled (Medium)
Go to Microsoft Purview compliance portal → Audit → Audit log search and verify logging is enabled. Default retention is 90 days on E3, 365 days on E5. Without audit logs you cannot detect or investigate incidents. Enable unified audit logging if it's off (Security & Compliance → Search → Audit log search → Turn on auditing).
9. Mobile device management (MDM) enrollment (Medium)
Check Intune → Devices → All devices. Any device accessing corporate email or files that isn't enrolled in MDM (Intune or a third-party MDM) can't be wiped if lost or stolen. At minimum, enforce a Conditional Access policy that requires compliant or Azure AD-joined devices for access to sensitive data.

How often should you run this audit?

Most teams do this annually, which means they're running 11 months blind. The configuration drift problem is real: new employees get onboarded without MFA enforced, OAuth apps get consented by someone clicking through a phishing page, external sharing policies get loosened to solve a short-term business problem and never tightened again.

Our recommendation: run this checklist monthly or, better, automate it. The items that change most frequently are forwarding rules (immediate indicator of compromise if unexpected), OAuth app grants, and stale admin accounts.

What attackers look for first

When a threat actor gains any foothold in an M365 tenant, usually through a phished credential or a consented OAuth app, the first three things they check are:

  1. Is MFA enforced? If not, they can use the credential directly from anywhere.
  2. Are there forwarding rules? Setting one up gives persistent email access even after a password reset.
  3. What Global Admin accounts exist? Lateral movement to a GA account gives complete tenant control.

All three of these are in the checklist above. Closing them doesn't require E5 licences or a security team, just an hour with the admin portal.

💡 Pro tip: Use Microsoft's free Secure Score tool to track your posture over time. A score below 40% means you have critical issues to address immediately.

The automation problem

Manually running this checklist is better than nothing, but it requires remembering to do it, having time to do it, and knowing what "normal" looks like so you can spot anomalies. A forwarding rule that appeared last Tuesday is only suspicious if you know it wasn't there last Monday.

This is why automated monthly posture monitoring exists. You set it up once and get a digest every month showing what changed, what the current score is, and exactly what to fix, prioritised by severity.
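The point made in the two paragraphs above, and in the monthly-cadence recommendation earlier, is that a finding only becomes meaningful against a baseline. The following added example (not the page's or Workspace Posture Pro's code, and not its scoring formula) shows the mechanics of such a digest: two monthly snapshots of check results are diffed, each change is tagged with the severity the checklist assigns to its check, and a simple weighted score is computed. The severity weights and both snapshots are assumptions constructed for the example.

```python
# Assumed severity weights; the product's real scoring is not on the page.
SEVERITY_WEIGHT = {"Critical": 3, "High": 2, "Medium": 1}

# The nine checks above, with the severity the checklist assigns each one.
CHECKS = {
    "mfa": "Critical", "legacy_auth": "Critical", "stale_admins": "Critical",
    "external_forwarding": "High", "oauth_grants": "High", "external_sharing": "High",
    "ca_coverage": "High", "audit_log": "Medium", "mdm": "Medium",
}

# Constructed snapshots: check id -> finding labels that check produced on that run.
# A check absent from the snapshot (or with an empty list) passed.
SNAPSHOT_LAST_MONTH = {
    "legacy_auth": ["SMTP AUTH enabled tenant-wide"],
    "stale_admins": ["former.admin@example.com (Global Administrator, 146 days idle)"],
}
SNAPSHOT_THIS_MONTH = {
    "legacy_auth": ["SMTP AUTH enabled tenant-wide"],
    "external_forwarding": ["finance@example.com -> fin.archive@mail.example.net"],
    "oauth_grants": ["Doc Exporter: Files.ReadWrite.All, User.Read.All"],
}


def posture_score(snapshot):
    """100 minus the weighted share of checks that currently fail."""
    total = sum(SEVERITY_WEIGHT[sev] for sev in CHECKS.values())
    failing = sum(SEVERITY_WEIGHT[CHECKS[c]] for c, items in snapshot.items()
                  if c in CHECKS and items)
    return round(100 * (1 - failing / total))


def diff_snapshots(previous, current):
    """Per check: findings that appeared since last run and findings that went away."""
    changes = {}
    for check, severity in CHECKS.items():
        before = set(previous.get(check, []))
        after = set(current.get(check, []))
        if after - before or before - after:
            changes[check] = {"severity": severity,
                              "new": sorted(after - before),
                              "resolved": sorted(before - after)}
    return changes


def monthly_digest(previous, current):
    """Changes ordered by severity (stable within a tier), with before/after scores."""
    changes = diff_snapshots(previous, current)
    ordered = sorted(changes.items(), key=lambda kv: -SEVERITY_WEIGHT[kv[1]["severity"]])
    return {"score_before": posture_score(previous),
            "score_now": posture_score(current),
            "changes": ordered}


if __name__ == "__main__":
    digest = monthly_digest(SNAPSHOT_LAST_MONTH, SNAPSHOT_THIS_MONTH)
    print(f"Posture score: {digest['score_before']} -> {digest['score_now']}")
    for check, detail in digest["changes"]:
        for item in detail["new"]:
            print(f"  NEW      [{detail['severity']}] {check}: {item}")
        for item in detail["resolved"]:
            print(f"  RESOLVED [{detail['severity']}] {check}: {item}")
```

In the constructed data the stale admin was cleaned up but a new external forwarding rule and a new tenant-wide consent appeared, so the score still drops; the digest leads with the Critical change and then lists the two High findings that need attention this month.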


Run this audit automatically every month

Workspace Posture Pro connects read-only to your M365 or Google Workspace tenant and runs all 9 checks on a monthly schedule. You get a plain-English digest with your posture score, what changed, and prioritised remediation steps. No IT ticket required; setup takes 2 minutes.
