
Microsoft 365 tenant audit checklist

A practical checklist for auditing a Microsoft 365 tenant's configuration, security posture, and compliance.

For organisations preparing for an external audit, an acquisition due diligence, or just an internal health-check, a Microsoft 365 tenant audit is the systematic walk-through of the tenant's configuration, security posture, and compliance. Here's the practical checklist.

Identity and access

Entra ID

  • Total user count — active vs disabled vs guest.
  • Admin role assignments — who has Global Admin (should be fewer than 5 plus break-glass), Privileged Role Administrator, security roles.
  • PIM coverage — eligible vs active assignments per privileged role.
  • MFA coverage — percentage of users with MFA enabled and registered.
  • Conditional Access policies — what's enforced, what's still in report-only, and where the gaps are.
  • Risky users / risky sign-ins in Identity Protection.
  • External users — guest count, recent activity, sponsorship.
  • Service principals — count, permissions, recent OAuth consents.

Authentication methods

  • Passwordless adoption — percentage of users using Authenticator passwordless / FIDO2 / passkeys.
  • Legacy authentication — blocked tenant-wide, or any exceptions remaining.
  • Self-service password reset — enabled, with how many methods required.
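The Entra ID and authentication-method items above can be evidenced in one pass with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original checklist; it assumes the Microsoft.Graph module is installed and the signed-in account holds a reader role (Global Reader is enough) plus the Graph scopes requested below.

```powershell
# Added example: collect audit evidence for the identity items in the checklist.
# Assumes Microsoft.Graph is installed and the caller can consent to these read-only scopes.
Connect-MgGraph -Scopes 'Directory.Read.All','RoleManagement.Read.Directory','Policy.Read.All',
                        'AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# Users: active vs disabled vs guest
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType
$summary = [ordered]@{
    TotalUsers = $users.Count
    Enabled    = ($users | Where-Object AccountEnabled).Count
    Disabled   = ($users | Where-Object { -not $_.AccountEnabled }).Count
    Guests     = ($users | Where-Object UserType -eq 'Guest').Count
}

# Global Administrator: permanent (active) members; the checklist expects < 5 plus break-glass
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$summary.GlobalAdminsActive = $gaMembers.Count
$summary.GlobalAdminUpns    = ($gaMembers.AdditionalProperties.userPrincipalName) -join ', '

# PIM: eligible (not yet activated) assignments for the same role
$eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All `
    -Filter "roleDefinitionId eq '$($gaRole.RoleTemplateId)'"
$summary.GlobalAdminsEligible = $eligible.Count

# MFA and passwordless coverage from the authentication methods registration report
$reg = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$denominator = [math]::Max($reg.Count, 1)
$summary.MfaRegisteredPct       = [math]::Round(100 * ($reg | Where-Object IsMfaRegistered).Count / $denominator, 1)
$summary.PasswordlessCapablePct = [math]::Round(100 * ($reg | Where-Object IsPasswordlessCapable).Count / $denominator, 1)

# Conditional Access: enforced vs report-only vs disabled
$ca = Get-MgIdentityConditionalAccessPolicy -All
$summary.CaEnforced   = ($ca | Where-Object State -eq 'enabled').Count
$summary.CaReportOnly = ($ca | Where-Object State -eq 'enabledForReportingButNotEnforced').Count
$summary.CaDisabled   = ($ca | Where-Object State -eq 'disabled').Count

[pscustomobject]$summary | Format-List
```

Pipe the final object to `Export-Csv` with a date-stamped filename to keep each quarter's evidence alongside the gap analysis.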

Devices

Intune

  • Devices enrolled by platform — Windows, macOS, iOS, Android.
  • Compliance state — percentage compliant.
  • Defender for Endpoint onboarded vs not.
  • App protection policies for personal devices.
  • Autopilot configured for Windows provisioning.

Defender for Endpoint

  • Coverage across the fleet.
  • Tamper protection on.
  • ASR rules in block mode for critical rules.
  • Exposure score trend.
  • Critical vulnerabilities count and trend.

Data protection

Sensitivity labels

  • Label taxonomy published.
  • Adoption rate — percentage of files labelled.
  • Auto-labelling policies active.
  • Container labels applied to high-risk sites and groups.

DLP

  • DLP policies active.
  • Policy mode — audit vs notify vs block.
  • Detection volume trend.

Retention

  • Retention policies covering Exchange, SharePoint, OneDrive, Teams.
  • Adaptive vs static scopes.
  • Retention period appropriate to compliance requirements.
  • Records management for regulated content.

Email security

EOP / Defender for Office 365

  • Plan tier in effect.
  • Preset security policies — Standard or Strict.
  • DMARC posture: p=none, quarantine, or reject.
  • SPF, DKIM correctly configured.
  • Safe Links and Safe Attachments policies active.
  • Anti-phishing protections with protected users / domains.
  • Quarantine policies appropriate per category.

Storage and content

SharePoint and OneDrive

  • External sharing posture — Anyone, Existing guests, or Only people in your org.
  • Sites with broad sharing — top 20 by external user count.
  • Oversharing flagged by SharePoint Advanced Management.
  • Storage utilisation — tenant pool, OneDrive top users.

Teams

  • External access posture.
  • Shared channel configuration.
  • Guest access.
  • Anonymous join for meetings.

Compliance

Audit

  • Audit logging enabled in the tenant.
  • Retention — 180 days, 1 year, or 10 years (Premium).
  • Recent audit search activity — who's looking at what.

eDiscovery

  • eDiscovery cases — active and recently closed.
  • Holds on user accounts under investigation.

Compliance Manager

  • Score for each relevant assessment.
  • High-priority actions open.

Operational

Service health

  • Recent incidents affecting the tenant.
  • Message Center backlog of upcoming changes.

Licence allocation

  • Total licences vs assigned vs active.
  • Inactive licensed users — candidates for reclamation.
  • Per-SKU breakdown.

How to use this list

For a one-time audit, walk through each item, document the current state, and identify gaps. For ongoing operations, partition into quarterly reviews — security one quarter, data protection the next, operational the next, etc.

The output is a gap analysis with prioritised remediation actions. For each gap, assign an owner, timeline, and success criteria. Track to closure.

For organisations facing external audit, this checklist, together with Compliance Manager scores and documentation of policies, typically satisfies most auditor questions about the Microsoft 365 estate. The work is a one-time investment; the payback is durable.