All resources

Microsoft 365 security checklist

Essential steps to secure an SMB Microsoft 365 tenant — MFA, access, mail, and backup.

Microsoft 365 is the nerve centre of most SMBs. MFA, admin access, mail, and third-party backup — what to verify on your tenant.

Identity and access

  • [ ] MFA required for all users (no exceptions)
  • [ ] Admin accounts separate from daily-use accounts
  • [ ] Orphaned / former employee accounts disabled
  • [ ] External guests reviewed quarterly

Email and collaboration

  • [ ] SPF, DKIM, and DMARC configured on domain
  • [ ] Anti-phishing and anti-spam enabled
  • [ ] Suspicious external forwarding blocked or alerted
  • [ ] Shared mailboxes: access documented

Devices and data

  • [ ] OneDrive / SharePoint: least-privilege permissions
  • [ ] Avoid "anyone" sharing links
  • [ ] Sensible password policy + MFA
  • [ ] Third-party tenant backup (Microsoft does not restore everything)

Monitoring

  • [ ] Risky sign-in alerts enabled
  • [ ] Audit log reviewed during incidents
  • [ ] Secure Score reviewed — high priorities addressed

Next step

Free IT assessment — we'll review your tenant and propose a prioritized plan.

Ready to review your IT setup?

Request a free assessment — we reply within one business day.

Free IT assessment