Auditing your Microsoft 365 tenant gives you a clear picture of where you stand and what needs improving. This guide walks through a structured audit covering identity, email, devices, and admin practices - no external consultant required.
Start with Secure Score
Microsoft 365 Defender → Secure score
Microsoft Secure Score gives you a numerical score based on your current configuration. A score of 60+ is a reasonable target for a small business. Scores below 40 indicate significant gaps.
Identity and access audit

Identity audit checklist (each check, followed by where to verify it):
- MFA enabled for all users: Entra ID → Security → Authentication methods
- Legacy authentication blocked: a Conditional Access (CA) policy that blocks all legacy authentication
- No permanent Global Admin (except break-glass): Entra ID → Roles → Global Administrator → Assignments
- Break-glass accounts configured: two accounts, excluded from CA policies
- Guest access reviewed: Entra ID → External Identities, filter UserType = Guest
Email security audit

Email security checklist (each check, followed by where to verify it):
- SPF configured: MXToolbox → spf:yourdomain.com
- DKIM enabled: Defender → DKIM → Enabled
- DMARC at p=quarantine or p=reject: MXToolbox → dmarc:yourdomain.com
- Safe Links applied to all users: Defender → Safe Links → check the policy assignment
- Anti-phishing with impersonation protection: executives and domains listed as protected
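The SPF and DMARC checks above can be scripted rather than pasted into MXToolbox one domain at a time. The following is an added example, not code from the original guide; the domain `example.test` and its TXT records are constructed sample data, and the live DNS lookup helper assumes the optional dnspython package.

```python
"""Evaluate SPF and DMARC TXT records against the email security checklist."""
import re

# Constructed sample records for a hypothetical domain (not real DNS data).
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}

def check_spf(txt_records):
    """Return (status, detail) for a domain's TXT record set."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "fail", "no SPF record"
    if len(spf) > 1:
        return "fail", "multiple SPF records (only one is permitted)"
    rec = spf[0]
    if "include:spf.protection.outlook.com" not in rec:
        return "warn", "Exchange Online include mechanism missing"
    m = re.search(r"\s([-~?+]?)all\s*$", rec)
    qualifier = m.group(1) if m else None
    if qualifier == "-":
        return "pass", rec
    if qualifier == "~":
        return "warn", "softfail (~all); -all is the stronger setting"
    return "fail", "missing or permissive 'all' mechanism"

def check_dmarc(txt_records):
    """Pass only when the DMARC policy is quarantine or reject."""
    dmarc = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        return "fail", "no DMARC record at _dmarc.<domain>"
    tags = {}
    for kv in dmarc[0].split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    if policy in ("quarantine", "reject"):
        return "pass", f"p={policy}"
    return "fail", f"p={policy or 'missing'}; target is p=quarantine or p=reject"

def audit_domain(domain, lookup=SAMPLE_TXT.get):
    """Run both checks; `lookup` maps a DNS name to its TXT strings."""
    return {"spf": check_spf(lookup(domain) or []),
            "dmarc": check_dmarc(lookup("_dmarc." + domain) or [])}

def dns_txt(name):
    """Live lookup via dnspython (optional); pass as lookup= to audit_domain."""
    import dns.resolver
    return [b"".join(r.strings).decode() for r in dns.resolver.resolve(name, "TXT")]
```

Run it as `audit_domain("yourdomain.com", lookup=dns_txt)` for a live check; with the sample data it reports SPF passing and DMARC failing because the policy is still p=none.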
Device and admin audit

Device and admin checklist (each check, followed by where to verify it):
- All devices enrolled in Intune: Intune → Devices → Overview
- Compliance policies configured: all devices compliant, or an action defined for non-compliant devices
- BitLocker encryption enforced: Intune → Encryption report
- Third-party OAuth apps reviewed: Entra ID → Enterprise applications
- Admin actions logged: Entra ID → Audit logs
Frequently Asked Questions
Q: How often should I audit?
A full audit quarterly; some checks, such as reviewing sign-in logs, should be monthly.
Q: What is a good Secure Score target?
Above 60% is generally good for a small business. Large enterprises should aim for 70-80%. The trend matters more than the absolute score.
Q: Can I hire someone to do this?
Yes - I offer a fixed-price M365 Gap Report at jackdjd.com/consulting.