Microsoft 365 is the nerve centre of most SMBs. MFA, admin access, mail, and third-party backup — what to verify on your tenant.
Identity and access
- [ ] MFA required for all users (no exceptions)
- [ ] Admin accounts separate from daily-use accounts
- [ ] Orphaned / former employee accounts disabled
- [ ] External guests reviewed quarterly
Email and collaboration
- [ ] SPF, DKIM, and DMARC configured on domain
- [ ] Anti-phishing and anti-spam enabled
- [ ] Suspicious external forwarding blocked or alerted
- [ ] Shared mailboxes: access documented
Devices and data
- [ ] OneDrive / SharePoint: least-privilege permissions
- [ ] Avoid "anyone" sharing links
- [ ] Sensible password policy + MFA
- [ ] Third-party tenant backup (Microsoft does not restore everything)
Monitoring
- [ ] Risky sign-in alerts enabled
- [ ] Audit log reviewed during incidents
- [ ] Secure Score reviewed — high priorities addressed
Next step
Free IT assessment — we'll review your tenant and propose a prioritized plan.