How to Audit Your Microsoft 365 Tenant in 30 Minutes
Microsoft 365 tenants drift. The configuration that was correct on day one quietly slips out of alignment as people leave, vendors come and go, and policies get nudged for a single project and never put back.
The good news is that most of the configuration drift that matters for security can be checked in half an hour, by a single competent person, without buying anything new. This is that walkthrough. It assumes a Business Standard or Business Premium tenant, a global admin account with MFA, and a willingness to write down what you find before you start fixing it.
Set a thirty-minute timer. Open the Microsoft 365 admin centre and the Microsoft Entra admin centre side by side. Have a notebook open.
Check 1: Global Administrators
The single highest-value check. Open the Entra admin centre, go to Roles and administrators, and open the Global Administrator role. List the members.
A healthy fifty-person tenant has between two and four members of this role. One is your daily-use IT admin account or your provider's account. One is a break-glass account that has a long, offline password and is used only in an emergency. Anything beyond that should be specifically justified.
Common findings: an old IT provider still has an account. A long-departed staff member is still there. A vendor account from a one-time project never got removed. Each of those is one stolen credential away from full tenant takeover.
Write down every Global Admin you do not immediately recognise, and ask why they are there. Remove the ones that cannot be justified.
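The same role review can be scripted so the list lands in the notebook exactly as the directory reports it. This is an added example using Microsoft Graph PowerShell, not a script from the original post; it assumes the Microsoft.Graph module is installed and that you can consent to the read-only scopes it requests.

```powershell
# Added example, not from the original post: enumerate the members of the
# Global Administrator role with Microsoft Graph PowerShell so they can be
# written down and reviewed. Assumes the Microsoft.Graph module is installed
# and you can consent to these read-only scopes.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","Directory.Read.All" -NoWelcome

# Well-known role template ID for Global Administrator (the same in every tenant).
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }

$report = foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All) {
    $type = $m.AdditionalProperties['@odata.type']
    if ($type -eq '#microsoft.graph.user') {
        $u = Get-MgUser -UserId $m.Id -Property Id,UserPrincipalName,AccountEnabled,UserType,CreatedDateTime
        [pscustomobject]@{
            Principal = $u.UserPrincipalName
            Kind      = 'user'
            Enabled   = $u.AccountEnabled
            UserType  = $u.UserType
            Created   = $u.CreatedDateTime
        }
    } else {
        # Groups and service principals can hold the role too; they rarely belong here.
        [pscustomobject]@{
            Principal = $m.AdditionalProperties['displayName']
            Kind      = $type -replace '^#microsoft\.graph\.', ''
            Enabled   = $null
            UserType  = $null
            Created   = $null
        }
    }
}

$report | Sort-Object Kind, Principal | Format-Table -AutoSize

# Gates that mirror the text: two to four members, each an enabled member user you
# recognise. Everything else goes in the notebook as a question to answer.
$count = @($report).Count
if ($count -lt 2 -or $count -gt 4) { Write-Warning "$count Global Admins; expected two to four." }
$report | Where-Object { $_.Kind -ne 'user' -or $_.UserType -eq 'Guest' -or -not $_.Enabled } |
    ForEach-Object { Write-Warning "Review: $($_.Principal) (kind=$($_.Kind), type=$($_.UserType), enabled=$($_.Enabled))" }
```

Only active assignments are listed; if the tenant uses Privileged Identity Management, eligible assignments need a separate check.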
Check 2: MFA coverage
Still in Entra, go to Users and look for the MFA registration report or the per-user MFA status. The aim is simple: every active user account should have at least one strong MFA method registered.
Common findings: a service account that nobody can remember the purpose of, with no MFA. A senior leader who set themselves up but never added a second method. Shared mailbox accounts that are technically users with sign-in privileges. Each of those is a soft entry point.
Note any user without MFA registered, and any user whose only registered method is SMS. SMS is better than nothing, but it has been beaten in real attacks. Plan to upgrade to an authenticator app or, for high-privilege accounts, a hardware key or passkey.
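The registration report the text refers to is also available through Graph, which makes it easy to separate "no MFA" from "phone-only". This is an added example, not code from the original post; it assumes the Microsoft.Graph.Reports module and the two read-only scopes shown, and the set of method names it treats as weak is the author of this example's choice.

```powershell
# Added example, not from the original post: pull the authentication-methods
# registration report through Microsoft Graph PowerShell and flag every user
# with no MFA method and every user whose only methods are phone-based (SMS or
# voice). Assumes the Microsoft.Graph.Reports module and these read-only scopes.
Connect-MgGraph -Scopes "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

# Method names as the report returns them. Phone, email and security questions are
# the weak or SSPR-only ones; anything else (authenticator app, passkey, FIDO2,
# Windows Hello, TOTP) counts as a strong second factor.
$weak = @('mobilePhone', 'alternateMobilePhone', 'officePhone', 'email', 'securityQuestion')

$report = foreach ($d in Get-MgReportAuthenticationMethodUserRegistrationDetail -All) {
    $methods   = @($d.MethodsRegistered)
    $hasStrong = @($methods | Where-Object { $_ -notin $weak }).Count -gt 0
    $finding   = if (-not $d.IsMfaRegistered) { 'NO MFA' } elseif (-not $hasStrong) { 'PHONE ONLY' } else { 'ok' }
    [pscustomobject]@{
        User    = $d.UserPrincipalName
        IsAdmin = $d.IsAdmin
        Methods = ($methods -join ',')
        Finding = $finding
    }
}

# Admins first: a phone-only admin is the most urgent upgrade on the list.
$report | Where-Object { $_.Finding -ne 'ok' } |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, Finding, User |
    Format-Table -AutoSize

"$(@($report | Where-Object Finding -eq 'NO MFA').Count) users without MFA, " +
"$(@($report | Where-Object Finding -eq 'PHONE ONLY').Count) phone-only, of $(@($report).Count) users in the report"
```

The report lists every user object, guests and disabled accounts included, so reconcile it with your enabled-user list before acting on it.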
Check 3: Conditional Access (Business Premium / P1)
If you are on Business Premium or have Entra ID P1 licensing, you have access to Conditional Access. Go to the Entra admin centre, Protection, Conditional Access.
A minimum healthy posture has at least three policies. One requires MFA for every sign-in to every cloud app. One blocks legacy authentication protocols. One requires MFA or device compliance for administrative roles, with the break-glass account excluded.
Common findings: no policies at all, even though the licensing covers them. A single policy that has been in "Report-only" mode for a year. A blanket exclusion that includes too many users. The policy console is one of the highest-leverage tools in Microsoft 365 and is also the most frequently neglected.
If you have no Conditional Access policies and the licensing is there, this is the highest-priority gap to close after Check 1.
Check 4: External sharing settings
Open the SharePoint admin centre, then the Sharing page. Note the tenant-level external sharing setting. Then go to OneDrive admin and check its sharing setting.
A reasonable default for most SMBs is "New and existing guests" with link expiration, sign-in required for shared content, and no anonymous access. Anonymous "anyone with the link" access should be off unless you have a specific business reason and a compensating control.
Then go to Sites in the SharePoint admin centre and look at the most active sites. Check whether any have been individually configured to allow more permissive sharing than the tenant default. This is the most common source of unintentional public-on-the-internet documents.
Common findings: anonymous link sharing is on by default. A handful of high-traffic sites have been opened up for a project that ended six months ago and never been locked back down.
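The tenant setting and the per-site drift can be read in one pass with the SharePoint Online Management Shell. This is an added example, not a script from the original post; it assumes that module is installed, and CONTOSO is a placeholder for your tenant name.

```powershell
# Added example, not from the original post: read the tenant-level sharing
# settings and list the sites that allow external sharing, using the SharePoint
# Online Management Shell. Assumes that module is installed; CONTOSO is a
# placeholder for your tenant name.
Connect-SPOService -Url "https://CONTOSO-admin.sharepoint.com"

$tenant = Get-SPOTenant
"SharePoint sharing      : $($tenant.SharingCapability)"
"OneDrive sharing        : $($tenant.OneDriveSharingCapability)"
"Default link type       : $($tenant.DefaultSharingLinkType)"
"Anonymous link expiry   : $($tenant.RequireAnonymousLinksExpireInDays) days (0 = never)"

# SharingCapability values ordered from most to least restrictive.
$rank = @{
    Disabled                        = 0   # internal only
    ExistingExternalUserSharingOnly = 1   # guests already in the directory
    ExternalUserSharingOnly         = 2   # new and existing guests, sign-in required
    ExternalUserAndGuestSharing     = 3   # 'anyone with the link', no sign-in
}

if ($rank["$($tenant.SharingCapability)"] -eq 3) {
    Write-Warning "Anonymous 'anyone' links are enabled tenant-wide."
}

# Every site whose own setting permits external sharing, most permissive first.
# Level-3 sites with recent activity are the likeliest source of documents
# sitting on the open internet.
Get-SPOSite -Limit All |
    Where-Object { $rank["$($_.SharingCapability)"] -gt 0 } |
    Select-Object Url, SharingCapability, LastContentModifiedDate,
        @{ Name = 'Rank'; Expression = { $rank["$($_.SharingCapability)"] } } |
    Sort-Object Rank, LastContentModifiedDate -Descending |
    Format-Table Url, SharingCapability, LastContentModifiedDate -AutoSize
```

A site can never be more permissive than the tenant setting, so tightening the tenant is the fastest fix; the per-site list tells you which sites were deliberately opened and need an owner's decision. Personal (OneDrive) sites are excluded from Get-SPOSite unless you add -IncludePersonalSite $true.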
Check 5: Audit log configuration
Go to the Microsoft Purview compliance portal, then Audit. Confirm that unified audit logging is on.
Then check the retention. The default in many tenants is the minimum one hundred and eighty days. If your licensing supports a longer retention period, extend it. The day you need audit logs is always twelve months after the day you configured them.
While you are there, run a quick search for the last seven days against your most sensitive site, and against your highest-privilege account, just to verify that audit data is actually being captured.
Common findings: logging was on but the retention was at the default. Logging was off because someone toggled it during a project and never put it back.
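Confirming that the log is on is one cmdlet; proving that it is capturing the account and site you care about takes a search. This is an added example using Exchange Online PowerShell, not from the original post; the admin UPN and the site URL are placeholders.

```powershell
# Added example, not from the original post: confirm unified audit logging is on
# and prove that events are being captured for your highest-privilege account
# and your most sensitive site over the last seven days, using Exchange Online
# PowerShell. The UPN and site URL are placeholders.
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
"Unified audit log ingestion enabled: $($cfg.UnifiedAuditLogIngestionEnabled)"

$end      = Get-Date
$start    = $end.AddDays(-7)
$adminUpn = "admin@CONTOSO.onmicrosoft.com"                   # placeholder
$siteUrl  = "https://CONTOSO.sharepoint.com/sites/Finance"    # placeholder

# Activity by the privileged account, summarised by record type and operation.
$adminEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $adminUpn -ResultSize 5000
"$(@($adminEvents).Count) events for $adminUpn in the last 7 days"
$adminEvents | Group-Object RecordType, Operations | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# File activity on the sensitive site. The site URL only lives inside the
# AuditData JSON, so pull SharePoint file events and filter on SiteUrl.
$siteEvents = Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType SharePointFileOperation -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.SiteUrl -and ($_.SiteUrl.TrimEnd('/') -eq $siteUrl.TrimEnd('/')) }
"$(@($siteEvents).Count) file events on $siteUrl in the last 7 days"
$siteEvents | Group-Object Operation | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Zero in either bucket for an account or site that is in daily use means the
# log is not capturing what you think it is; treat that as a finding.
```

Search-UnifiedAuditLog returns at most 5000 records per call; on a busy tenant narrow the window or page with -SessionCommand ReturnLargeSet.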
Check 6: Inbox rules and forwarding
This is the audit step nobody runs and everyone wishes they had after an incident.
In the Exchange admin centre, run a report on mailbox rules and on external forwarding. The aim is to find any inbox rule that forwards email to an external address, deletes mail without reading, or moves mail to deleted items based on a sender pattern.
These are the classic signatures of a compromised mailbox. An attacker who has access to a mailbox often sets a forwarding rule so that they continue to receive copies of incoming mail even after the password is changed. Many of these rules are invisible from the user's normal Outlook view.
Common findings: a forwarding rule from a long-fixed compromise that nobody removed. A "delete bank notifications" rule on a finance staff member's account, set up by an attacker who was preparing for a wire fraud.
Anything you find here that you cannot immediately explain is an incident, not a hygiene item. Investigate before you simply delete the rule.
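The report the text describes can be produced for every mailbox at once, including rules Outlook hides. This is an added example using Exchange Online PowerShell, not a script from the original post; it assumes the ExchangeOnlineManagement module, and the list of "suspicious" destination folders is this example's own choice.

```powershell
# Added example, not from the original post: sweep every user and shared mailbox
# for mailbox-level forwarding and for inbox rules that forward, redirect, delete
# or file mail. -IncludeHidden lists rules created through the API or MAPI that
# Outlook does not show. Assumes the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }

function Test-ExternalRecipient([string[]]$Recipients) {
    foreach ($r in $Recipients) {
        if ($r -match '\[EX:') { continue }                     # legacy DN: internal mailbox
        if ($r -match 'SMTP:([^\]]+)\]') { $r = $Matches[1] }   # "Name" [SMTP:user@example.com]
        if ($r -notmatch '@') { continue }
        if ($internalDomains -notcontains ($r -split '@')[-1].ToLower()) { return $true }
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$findings = foreach ($mb in $mailboxes) {
    # Forwarding configured on the mailbox itself (by an admin or in mailbox settings).
    if ($mb.ForwardingSmtpAddress -or $mb.ForwardingAddress) {
        [pscustomobject]@{ Mailbox = $mb.UserPrincipalName; Rule = '(mailbox forwarding)'
            Why = "to $($mb.ForwardingSmtpAddress)$($mb.ForwardingAddress), keep copy=$($mb.DeliverToMailboxAndForward)" }
    }
    foreach ($rule in Get-InboxRule -Mailbox $mb.UserPrincipalName -IncludeHidden) {
        $why  = @()
        $dest = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
        if ($dest.Count -gt 0 -and (Test-ExternalRecipient $dest)) { $why += "forwards externally: $($dest -join '; ')" }
        if ($rule.DeleteMessage) { $why += 'deletes message' }
        if ($rule.MoveToFolder -match 'Deleted Items|Junk|RSS|Archive|Conversation History') { $why += "moves to $($rule.MoveToFolder)" }
        if ($rule.MarkAsRead -and $why) { $why += 'marks as read' }
        if ($why) {
            [pscustomobject]@{ Mailbox = $mb.UserPrincipalName
                Rule = "$($rule.Name) (enabled=$($rule.Enabled))"; Why = ($why -join '; ') }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Before removing anything it flags, pull the rule's creation event (Search-UnifiedAuditLog with -Operations New-InboxRule,Set-InboxRule,UpdateInboxRules,Set-Mailbox) so you know who created it, when and from where.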
Check 7: Service accounts and connected applications
In the Entra admin centre, go to Enterprise applications. Sort by date last signed in. Note any application that has admin consent, that has broad permissions like Mail.Read or Files.Read.All across the tenant, and that you do not recognise.
In the Microsoft 365 admin centre, also list service accounts and accounts marked as not assigned to a person. Each one should have a documented purpose, an owner, and a defined review date.
Common findings: an OAuth-connected application from a vendor evaluation eighteen months ago that still has tenant-wide permissions. A service account with no MFA, used for a single integration that was retired last year.
These are the back doors that survive password resets and policy changes. They are also the most common vehicle for an attacker to maintain access to a tenant after the visible compromise has been cleaned up.
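Enterprise-application permissions are tedious to review by clicking through the portal; this added example (not from the original post) pulls the admin-consented Microsoft Graph permissions for every application with Microsoft Graph PowerShell. It assumes the Microsoft.Graph module and the read-only scopes shown, and the list of "broad" permissions extends the two named in the text with a few neighbours of this example's own choosing.

```powershell
# Added example, not from the original post: list the admin-consented Microsoft
# Graph permissions held by enterprise applications, both application permissions
# (app roles) and delegated permissions consented for all users, and flag the
# broad ones. Assumes the Microsoft.Graph module and these read-only scopes.
Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All" -NoWelcome

# Permissions broad enough that the app must have a named owner and a review date.
$broad = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All', 'Files.ReadWrite.All',
           'Sites.Read.All', 'Sites.ReadWrite.All', 'User.Read.All', 'Directory.ReadWrite.All')

# Microsoft Graph's service principal; its appId is the same in every tenant.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }

# 1) Application permissions: app role assignments on the Graph resource.
$appPerms = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    ForEach-Object {
        [pscustomobject]@{ App = $_.PrincipalDisplayName; AppId = $_.PrincipalId
                           Type = 'Application'; Permission = $roleNames[$_.AppRoleId]
                           Granted = $_.CreatedDateTime }
    }

# 2) Delegated permissions an admin consented on behalf of every user.
$delegated = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' -and $_.ResourceId -eq $graphSp.Id } |
    ForEach-Object {
        $grant  = $_
        $client = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId -Property DisplayName
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{ App = $client.DisplayName; AppId = $grant.ClientId
                               Type = 'Delegated (admin)'; Permission = $scope; Granted = $null }
        }
    }

$all = @($appPerms) + @($delegated)
"$(@($all | Select-Object -ExpandProperty AppId -Unique).Count) apps hold admin-consented Graph permissions"

# The short list to reconcile against the notebook: broad permission, app you do not know.
$all | Where-Object { $_.Permission -in $broad } |
    Sort-Object App, Type, Permission |
    Format-Table App, Type, Permission, Granted -AutoSize
```

Graph is only one resource; repeat the same loop against the service principal of any other API (Exchange Online, SharePoint) to catch integrations that do not go through Graph, and expect first-party Microsoft apps to appear alongside third-party ones.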
After the half hour
You should now have a list, on a single piece of paper, of the issues to address. In our experience auditing dozens of small business tenants, most produce between four and ten findings on this checklist, with at least one being material.
Prioritise the findings against the level of risk and the effort to fix. Global Admin cleanup, MFA gaps, missing Conditional Access, and inbox forwarding rules are usually the top of the list. Sharing and audit retention follow.
If the findings are more extensive than you expected, that is normal. Most tenants we audit have not had this kind of focused review in over a year.
If you would like a second set of eyes on your tenant, our free IT health check includes a Microsoft 365 configuration audit. We run an extended version of this checklist, plus a licensing review, and we deliver a prioritised remediation plan. No obligation, no sales pitch.