Tenant Security Checklist

A baseline checklist for M365 tenant security. Use this to validate your current configuration against standard expectations. Each item maps to a specific control area covered in the detailed guides.

Identity and Access

Conditional Access policies enforce MFA for all users (excluding break-glass accounts)
Break-glass accounts configured and tested
PIM enabled for privileged roles (Global Admin, Exchange Admin)
Stale app registrations audited and removed
Service principals scoped to least privilege
Legacy authentication protocols blocked

Email Authentication

SPF record valid with fewer than 10 lookups
DKIM enabled and signing for all domains
DMARC at p=quarantine or p=reject
All sending sources aligned (SPF or DKIM)
DMARC aggregate reports monitored
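The two measurable items above (SPF lookup count, DMARC policy) can be scored mechanically. The following is an added example, not part of the original checklist: the domains and TXT records are constructed, and the `txt_lookup` callable is an assumed injection point where a real DNS resolver would go.

```python
import re

# Constructed sample TXT data (hypothetical domains, not real records) so the checks
# run offline; replace sample_lookup with a real DNS TXT resolver in practice.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.mailhost.test include:_spf.crm.test a mx -all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
    "_spf.mailhost.test": ["v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 include:_spf2.crm.test mx ~all"],
    "_spf2.crm.test": ["v=spf1 exists:%{i}.spf.crm.test ptr a:relay.crm.test/24 ~all"],
    "overlimit.test": ["v=spf1 include:example.test include:_spf.crm.test -all"],
    "_dmarc.overlimit.test": ["v=DMARC1; p=none"],
    "loop.test": ["v=spf1 include:loop.test -all"],
}
def sample_lookup(name):
    return SAMPLE_TXT.get(name.lower(), [])

# SPF terms that cost a DNS query; RFC 7208 permits at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", re.IGNORECASE)
def count_spf_lookups(domain, txt_lookup, stack=()):
    # Count query-triggering terms, recursing into include:/redirect= targets.
    found = [r for r in txt_lookup(domain) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if domain in stack or len(found) != 1:  # include loop, or no single valid record
        return 0
    total = 0
    for term in found[0].split()[1:]:
        m = TERM_RE.match(term)
        name, target = (m.group(1).lower(), m.group(2)) if m else ("", None)
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and target:
                total += count_spf_lookups(target, txt_lookup, stack + (domain,))
    return total

def dmarc_policy(domain, txt_lookup):
    # Return the p= tag (lowercased) of the _dmarc TXT record, or None if absent.
    for r in txt_lookup("_dmarc." + domain):
        if r.lower().startswith("v=dmarc1"):
            pairs = (kv.partition("=") for kv in r.split(";"))
            return {k.strip().lower(): v.strip().lower() for k, sep, v in pairs if sep}.get("p")
    return None

def evaluate(domain, txt_lookup=sample_lookup):
    # Checklist thresholds: fewer than 10 SPF lookups, DMARC at quarantine or reject.
    lookups = count_spf_lookups(domain, txt_lookup)
    policy = dmarc_policy(domain, txt_lookup)
    return {"spf_lookups": lookups, "spf_ok": lookups < 10,
            "dmarc_policy": policy, "dmarc_ok": policy in ("quarantine", "reject")}
```

Nested includes are counted each time they are reached, which is how the limit is actually consumed, and a self-referencing include is cut off rather than recursed into.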

Defender and Threat Protection

Anti-phishing policy with impersonation protection enabled
Safe Attachments policy active (dynamic delivery or block)
Safe Links policy active with URL rewriting
Anti-spam policy tuned (not default)
Quarantine notifications configured

Tenant Configuration

Unified audit log enabled with retention set
External sharing scoped (not open to everyone)
Guest access policies reviewed and restricted
Azure AD sign-in logs exported or monitored
Admin consent workflow configured

Endpoints

Intune device compliance policies deployed
Conditional Access requires compliant device (if applicable)
BitLocker encryption enforced
Windows Update rings configured