Get the M365 Tenant Security Audit Checklist — a 50-point, hands-on security audit for Microsoft 365 administrators, MSPs, and IT consultants. Built from ~60 real tenant audits across law firms, architecture practices, and SMBs. Delivered to your inbox as a PDF in under a minute.
📥 Download the M365 Tenant Security Audit Checklist (Free)
17-page PDF in your inbox within a minute. No credit card, no newsletter subscription, unsubscribe in one click.
Why This Checklist Exists
🚨 80% of tenant breaches come from 10 misconfigurations
After auditing dozens of Microsoft 365 tenants, we found the same handful of problems over and over: legacy authentication still enabled, no break-glass account, Conditional Access missing, auto-forwarding open to the outside. The checklist covers all of them — with the exact PowerShell command to fix each one.
💰 License waste hides 10 to 30% of your M365 bill
Section 6 is a pure cost-optimization sweep: unassigned licenses, inactive accounts, mailbox size mismatches, duplicate add-ons, monthly vs annual billing. For many tenants, this one section alone pays back the audit time ten times over — sometimes in the first hour.
📝 Severity ratings so you know what to fix first
Every check is tagged Critical, High, Medium, or Low. Criticals (fix within 48h), Highs (2 weeks), Mediums (90 days), Lows (when convenient). No guessing, no judgment calls at 11pm on a Friday.
🔧 PowerShell commands included, ready to run
Each finding ships with the audit command to check the setting, and — where applicable — the remediation command. Microsoft Graph, Exchange Online, and Intune modules are all covered. Test in a non-production tenant first, obviously.
What’s Inside the 50-Point PDF
The checklist is 17 pages of dense, scannable reference material. It is organized into 7 sections covering every major service of the Microsoft 365 stack — each check tells you what to look at, why it matters, how to verify, and how to fix.
- 🔐 Section 1 — Entra ID & Identity (10 checks): security defaults, Conditional Access, legacy auth, break-glass, admin MFA, SSPR, Identity Protection, PIM, guest restrictions, admin consent
- 📧 Section 2 — Exchange Online (8 checks): SPF, DKIM, DMARC, anti-phish impersonation, Safe Attachments & Links, outbound spam, mailbox auditing, auto-forward blocking
- 📁 Section 3 — SharePoint & OneDrive (7 checks): external sharing, anonymous link expiration, KFM, versioning, sensitivity labels, ex-employee retention, site creation
- 💬 Section 4 — Teams Security (6 checks): guest access, external comms, meeting lobby, recording policies, third-party apps, anonymous join
- 📱 Section 5 — Intune & Device Compliance (8 checks): compliance policy + CA, disk encryption, OS version, Defender Endpoint, Autopilot, App Protection, lost device procedure, stale cleanup
- 💸 Section 6 — License Waste & Cost Control (5 checks): unassigned licenses, inactive accounts, mailbox size vs plan, duplicate add-ons, annual vs monthly
- 📊 Section 7 — Audit Logging & Incident Response (6 checks): unified audit log, retention, SIEM export, alert policies, IR runbook, third-party backup
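As an added example (not code from the checklist PDF or from Wintive's own script), here is a read-only PowerShell pass over the Section 2 auto-forwarding and mailbox-auditing checks, reporting findings with the Critical/High/Medium/Low tags used by the checklist. It assumes the ExchangeOnlineManagement module is installed and the signed-in account has at least View-Only Organization Management; the severity assignments are the author's assumption, not the PDF's.

```powershell
# Added example: read-only audit of auto-forwarding and mailbox auditing in
# Exchange Online. Assumes the ExchangeOnlineManagement module; nothing is changed.
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Check, $Severity, $Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Severity = $Severity; Detail = $Detail })
}

# 1. Tenant-wide external auto-forwarding: outbound spam policy and remote domains
$spam = Get-HostedOutboundSpamFilterPolicy -Identity Default
if ($spam.AutoForwardingMode -ne 'Off') {
    Add-Finding 'Auto-forward blocking' 'Critical' "AutoForwardingMode = $($spam.AutoForwardingMode) (expected Off)"
}
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } | ForEach-Object {
    Add-Finding 'Auto-forward blocking' 'High' "Remote domain '$($_.Name)' allows auto-forward"
}

# 2. Per-mailbox forwarding set on the mailbox object (admin-set or attribute-driven)
Get-EXOMailbox -ResultSize Unlimited -Properties ForwardingSmtpAddress, ForwardingAddress |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } | ForEach-Object {
        Add-Finding 'Mailbox forwarding' 'High' "$($_.UserPrincipalName) -> $($_.ForwardingSmtpAddress)$($_.ForwardingAddress)"
    }

# 3. User-created inbox rules that forward or redirect mail externally.
#    Slow on large tenants (one call per mailbox); run it during the 3-hour block.
foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } | ForEach-Object {
            Add-Finding 'Inbox forwarding rules' 'High' "$($mbx.UserPrincipalName): rule '$($_.Name)'"
        }
}

# 4. Mailbox auditing must be on tenant-wide, or Section 7 incident response has no data
if ((Get-OrganizationConfig).AuditDisabled) {
    Add-Finding 'Mailbox auditing' 'Critical' 'Mailbox auditing is disabled at the organization level'
}

# Report, worst first, so the 48h / 2-week / 90-day triage can start from the top
$order = @{ Critical = 0; High = 1; Medium = 2; Low = 3 }
$findings | Sort-Object { $order[$_.Severity] } | Format-Table -AutoSize

# Remediation (deliberately commented out: record findings first, fix in batches):
#   Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
#   Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
#   Set-OrganizationConfig -AuditDisabled $false
```

Export `$findings` with `Export-Csv` if you want the raw list alongside the PDF's own check numbering.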
How To Use The Checklist In 3 Steps
Block 3 Hours
Open the Entra ID admin center, the Exchange admin center, and a PowerShell window with the Graph and Exchange Online modules installed. Work top to bottom.
Record Findings, Don’t Fix Yet
Resist the urge to fix as you go. Write down what fails each check first. Then prioritize using the severity ratings and fix in batches.
Criticals In 48h, Then Iterate
Fix all Critical items within 48 hours. High items within 2 weeks. Medium items into your quarterly change window. Low items when it suits you.
Checklist FAQ
Who is this checklist for?
Internal IT running an M365 tenant, freelance MSPs doing client audits, and consultants pitching Microsoft work. It assumes you are comfortable in PowerShell and familiar with the Entra ID / Exchange admin centers. It is not for end users.
Do I need E5 or Defender P2 to run these checks?
No. The core audit runs on E3. A handful of advanced checks (Identity Protection risk policies, some Defender features) require E5 or specific add-ons — those are clearly flagged in the PDF. Nothing is gated behind a license you probably don’t have.
Can I share the checklist with my team or my clients?
Yes, sharing internally with your team or with a direct client is fine. Republishing it online or reselling it is not. If you want to use it as part of a paid audit for a client, feel free — that is exactly why we built it.
Will you spam me after I download?
You will receive 4 short follow-up emails over 7 days with context on the checklist and a few real-world stories from tenants we have audited. Then we stop. One-click unsubscribe in every email. No newsletter, no marketing automation chain you need to escape.
What if I don’t have time to run all 50 checks myself?
That is exactly why we offer the Tenant Health Check — a $97 package that runs all 50 checks in 8 minutes via a signed PowerShell script and generates a branded PDF report you can hand to your boss or your client. Optional, obviously.
Want more like this? Read our M365 admin tutorials, explore our Microsoft 365 managed plans, or learn about the team behind Wintive.
Get The M365 Tenant Security Audit Checklist now
Drop your work email below. You will receive the PDF within a minute, plus 4 short follow-up emails with context and real-world audit stories. Unsubscribe any time.
Our Contact Details
Wintive LLC
2105 Vista Oeste NW Unit E3338
Albuquerque, NM 87120, USA
Questions before you download?
Reply to the delivery email once you get it — Nicolas (the author) reads every reply personally. For technical questions about specific checks, include your tenant region and license SKU and we will answer faster.