Essential security controls every M365 tenant should have configured. Download our checklist to identify gaps.
Most Microsoft 365 tenants have security gaps. Default configurations prioritise ease of use over security. Features that should be enabled are off. Settings that should be restricted are wide open. This guide covers what to check and why it matters.
The old security model protected the network edge. Firewalls, intrusion detection, perimeter defences. That model assumed your data lived inside your building and attackers came from outside.
With M365, your data lives in the cloud. Your users sign in from home, from client sites, from airports. The perimeter is now the login screen. If an attacker gets valid credentials, they walk straight into your environment like a legitimate user.
Multi-factor authentication stops 99.9% of account compromise attacks. It should be mandatory for every user, no exceptions. Use the Microsoft Authenticator app or hardware security keys. SMS codes are better than nothing but weaker against sophisticated attacks.
Legacy authentication protocols like IMAP, POP3, and basic SMTP authentication cannot use MFA at all. Attackers know this and specifically target these protocols. Block them completely unless you have a documented business requirement and compensating controls.
Admin accounts need extra protection. Use separate accounts for administrative tasks, never your daily email account. Require phishing-resistant MFA. Consider privileged access workstations for Global Admin activities. If an attacker compromises a Global Admin, they own your entire tenant.
Despite decades of security investment, email is still how most attacks start. Phishing, business email compromise, malware attachments. Your M365 email configuration determines how much protection stands between your users and these threats.
Start with email authentication. SPF records tell the world which servers can send mail from your domain. DKIM adds cryptographic signatures proving emails genuinely came from you. DMARC tells receiving servers what to do when emails fail these checks. Together, they prevent attackers from spoofing your domain to attack your clients, partners, and your own staff. If you haven't configured these, attackers can send emails that appear to come from your CEO.
Auto-forwarding rules are a favourite persistence mechanism for attackers. They compromise an account, set up a forwarding rule to an external address, then quietly collect emails for weeks or months. The user never notices because mail still arrives normally. Block external auto-forwarding at the tenant level and regularly audit inbox rules.
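One way to carry out that audit, as an added example rather than anything from the original page: an Exchange Online PowerShell pass that lists mailbox-level forwarding, inbox rules that forward or redirect to addresses outside your accepted domains, and the tenant-level setting that blocks external auto-forwarding. It assumes the ExchangeOnlineManagement module and an account with Exchange admin rights; Test-ExternalRecipient is a helper written for this example.

```powershell
# Added example, not the page's own code. Requires: Install-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Your tenant's accepted domains; anything outside this list is treated as external
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_" }

function Test-ExternalRecipient {
    # Helper for this example. Inbox rule recipients look like
    # '"name" [SMTP:user@domain]' for SMTP targets; internal recipients use [EX:...]
    # and so never match this pattern, which is what we want.
    param([string[]]$Recipients)
    foreach ($r in $Recipients) {
        if ($r -match 'SMTP:[^@\]]+@([^\]\s]+)') {
            if ($internalDomains -notcontains $Matches[1]) { return $true }
        }
    }
    return $false
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # Mailbox-level forwarding (set by an admin, or by the user in Outlook settings)
    if ($mbx.ForwardingSmtpAddress) {
        $findings += [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName
            Type    = 'MailboxForwarding'
            Target  = $mbx.ForwardingSmtpAddress
        }
    }
    # Inbox rules that forward, forward-as-attachment, or redirect
    foreach ($rule in Get-InboxRule -Mailbox $mbx.Identity) {
        $targets = @( @($rule.ForwardTo; $rule.ForwardAsAttachmentTo; $rule.RedirectTo) |
                      Where-Object { $_ } )
        if ($targets.Count -gt 0 -and (Test-ExternalRecipient $targets)) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Type    = "InboxRule:$($rule.Name) (Enabled=$($rule.Enabled))"
                Target  = ($targets -join '; ')
            }
        }
    }
}
$findings | Sort-Object Mailbox | Format-Table -AutoSize

# Tenant-level control: the Default remote domain governs auto-forwarding to the internet.
# Review it first; uncomment the Set- line to block external auto-forwarding.
Get-RemoteDomain Default | Select-Object DomainName, AutoForwardEnabled
# Set-RemoteDomain Default -AutoForwardEnabled $false
```

Run this on a schedule and diff the output against the previous run: a rule that appears between audits on a mailbox whose owner did not create it is the signal the paragraph above describes.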
Microsoft Defender for Office 365 adds Safe Links and Safe Attachments. Safe Links rewrites URLs and checks them at time of click, catching phishing links that were clean when delivered but weaponised later. Safe Attachments detonates suspicious files in a sandbox before delivery, catching malware that signature-based scanning misses. Anti-phishing policies protect against impersonation of executives and trusted partners. Configure all of these.
M365 makes sharing easy. Sometimes too easy. Default settings often allow users to share documents with anyone, create anonymous links, invite external guests without approval. This flexibility is great for collaboration but creates data exposure risks if not properly controlled.
Audit your OneDrive and SharePoint sharing settings. Can users share with anyone on the internet? Can they create links that work without signing in? Can external guests access your Teams channels? The answers should align with your business requirements and risk tolerance, not Microsoft's out-of-box defaults.
Unified Audit Log captures all user and admin activity across your M365 tenant. Essential for incident investigation and compliance evidence. Make sure it's enabled and retention is set appropriately for your industry requirements.
We configure and manage Microsoft 365 security for NZ businesses every day.