Why Microsoft 365 security matters
Many organisations rely on Microsoft 365 for email, files, collaboration and identity. That makes it one of the most important parts of the security environment.
The aim of this checklist is not to cover every possible setting. It highlights practical areas that small and mid-sized organisations should understand and review.
Microsoft services change over time, so configuration should be checked against the current options available in your tenant and licensing.
Multi-factor authentication
Multi-factor authentication should be enforced for users and administrators, especially where accounts can access email, files, finance systems, remote access or customer data.
Check:
- MFA is enforced, not merely available;
- administrator accounts are protected;
- legacy authentication is disabled where possible;
- break-glass accounts are managed carefully;
- staff understand what MFA prompts should look like.
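The first four checks above can be read straight from the tenant's Conditional Access policies. The script below is an added example, not code from the checklist or from Be Secure Cyber: it audits a list of policy objects in the shape Microsoft Graph returns from /identity/conditionalAccess/policies and reports which checklist items the policy set fails. SAMPLE_POLICIES and the BREAK_GLASS_IDS object id are constructed for the example; in a real review the list would come from the Graph API or an export.

```python
"""Audit Conditional Access policies against the MFA checklist items above.

Added example: not part of the original checklist. The policy dictionaries
follow the shape returned by Microsoft Graph from
/identity/conditionalAccess/policies, but SAMPLE_POLICIES and the
BREAK_GLASS_IDS object id are constructed for this example.
"""

# Assumed object id of an emergency-access ("break-glass") account.
BREAK_GLASS_IDS = {"00000000-0000-0000-0000-00000000be01"}

# Client app types that Entra ID groups under legacy authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

SAMPLE_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["00000000-0000-0000-0000-00000000be01"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        # Report-only mode logs what would happen but enforces nothing.
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def _enforced(policy):
    return policy.get("state") == "enabled"


def _controls(policy):
    return set((policy.get("grantControls") or {}).get("builtInControls") or [])


def _all_users(policy):
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def _all_apps(policy):
    return "All" in policy["conditions"]["applications"].get("includeApplications", [])


def requires_mfa_for_all(policies):
    """True if an enforced policy requires MFA for all users on all cloud apps."""
    return any(_enforced(p) and _all_users(p) and _all_apps(p) and "mfa" in _controls(p)
               for p in policies)


def blocks_legacy_auth(policies):
    """True if an enforced policy blocks both legacy client app types for all users."""
    return any(_enforced(p) and _all_users(p) and "block" in _controls(p)
               and LEGACY_CLIENT_APPS <= set(p["conditions"].get("clientAppTypes", []))
               for p in policies)


def break_glass_excluded(policies, break_glass_ids):
    """True if every enforced MFA policy excludes the emergency-access accounts,
    so an MFA outage or a lost authenticator cannot lock out every administrator."""
    mfa_policies = [p for p in policies if _enforced(p) and "mfa" in _controls(p)]
    return all(break_glass_ids <= set(p["conditions"]["users"].get("excludeUsers", []))
               for p in mfa_policies)


def audit(policies, break_glass_ids=BREAK_GLASS_IDS):
    """Return the checklist items the policy set fails (empty list means all pass)."""
    findings = []
    if not requires_mfa_for_all(policies):
        findings.append("MFA is not enforced for all users")
    if not blocks_legacy_auth(policies):
        findings.append("legacy authentication is not blocked by an enforced policy")
    if not break_glass_excluded(policies, break_glass_ids):
        findings.append("break-glass accounts are not excluded from MFA policies")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICIES):
        print("FAIL:", finding)
```

The sample deliberately leaves the legacy-authentication policy in report-only mode, which is the "available but not enforced" situation the first bullet warns about; the audit reports only that item, because the MFA policy is enforced and already excludes the break-glass account.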
Administrator accounts
Administrator privileges should be limited and reviewed regularly.
Check:
- who has administrator roles;
- whether admin accounts are separate from everyday user accounts;
- whether roles are appropriate;
- whether former staff and old supplier accounts have been removed;
- whether shared admin accounts exist.
Email security
Email remains a common route for compromise.
Review:
- anti-phishing and anti-malware settings;
- external sender warnings where appropriate;
- mailbox forwarding rules;
- suspicious inbox rules;
- domain authentication, such as SPF, DKIM and DMARC;
- staff reporting routes for suspicious messages.
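Three of the items above (forwarding rules, suspicious inbox rules and SPF/DKIM/DMARC) can be checked mechanically. The following is an added example, not code from the checklist or from Be Secure Cyber: it flags enabled inbox rules that forward mail outside the organisation or hide messages, and it evaluates SPF and DMARC TXT records for the weak settings a reviewer looks for. The rule objects follow the shape of Microsoft Graph messageRule resources; the mailboxes, rules, domains and DNS records are all constructed for the example, and the script does not resolve DNS itself.

```python
"""Review mailbox rules and e-mail domain authentication records.

Added example: not part of the original checklist. The rule objects follow
the shape of Microsoft Graph messageRule resources (what a tenant would
export from each mailbox's /mailFolders/inbox/messageRules); the mailboxes,
rules and DNS records below are all constructed for this example.
"""
import re

INTERNAL_DOMAINS = {"example.com"}  # constructed: the organisation's own domains

SAMPLE_RULES = {
    "finance@example.com": [
        {"displayName": "Archive newsletters", "isEnabled": True,
         "actions": {"moveToFolder": "Archive"}},
        # A one-character name, external forwarding and deletion of the
        # original are the usual signs of a rule planted after a takeover.
        {"displayName": ".", "isEnabled": True,
         "conditions": {"subjectContains": ["invoice", "payment"]},
         "actions": {"forwardTo": [{"emailAddress": {"address": "drop@external-example.net"}}],
                     "delete": True, "markAsRead": True}},
    ],
    "alice@example.com": [
        # Internal redirect, and disabled: not flagged.
        {"displayName": "Cover while away", "isEnabled": False,
         "actions": {"redirectTo": [{"emailAddress": {"address": "bob@example.com"}}]}},
    ],
}

FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def suspicious_rules(rules_by_mailbox, internal_domains):
    """Return (mailbox, rule name, reasons) for enabled rules that forward
    externally, hide messages, or carry a non-descriptive name."""
    findings = []
    for mailbox, rules in rules_by_mailbox.items():
        for rule in rules:
            if not rule.get("isEnabled", False):
                continue
            actions = rule.get("actions", {})
            reasons = []
            for key in FORWARDING_ACTIONS:
                for recipient in actions.get(key, []):
                    address = recipient["emailAddress"]["address"]
                    if address.rsplit("@", 1)[-1].lower() not in internal_domains:
                        reasons.append(f"{key} external address {address}")
            if actions.get("delete") or actions.get("markAsRead"):
                reasons.append("deletes or marks read, hiding mail from the owner")
            if len(rule.get("displayName", "").strip()) <= 2:
                reasons.append("non-descriptive rule name")
            if reasons:
                findings.append((mailbox, rule.get("displayName", ""), reasons))
    return findings


# SPF terms that each cost one of the 10 permitted DNS lookups (RFC 7208 s4.6.4).
_SPF_LOOKUP = re.compile(r"^[+\-~?]?(include:|redirect=|exists:|ptr\b|a\b|mx\b)")


def check_spf(record):
    """Return findings for an SPF TXT record; an empty list means none found."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    findings = []
    if not terms or not (terms[-1] in ("-all", "~all") or terms[-1].startswith("redirect=")):
        findings.append("record does not end with -all or ~all")
    lookups = sum(1 for t in terms if _SPF_LOOKUP.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    return findings


def check_dmarc(record):
    """Return findings for a _dmarc TXT record; an empty list means none found."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy p={policy} does not quarantine or reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua address, so aggregate reports are not collected")
    return findings
```

DKIM is not checked here because its TXT record is a public key rather than a policy; the review point for DKIM is simply that signing is enabled for each sending domain and the selector records resolve. A DMARC record at p=none is the common half-finished state: it collects reports but instructs receivers to do nothing with spoofed mail.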
External sharing
File sharing is useful, but it needs to be controlled.
Check:
- whether anonymous links are allowed;
- whether sharing is limited by site or group;
- how guest users are reviewed;
- whether sensitive locations have stronger controls;
- whether staff understand what is safe to share externally.
Devices and access
Access to Microsoft 365 is often from laptops, phones and personal devices.
Consider:
- whether unmanaged devices can access company data;
- whether device compliance is required;
- whether mobile devices can be wiped if lost;
- whether downloads are restricted in higher-risk situations;
- how remote workers access business systems.
Logging and review
Security controls are stronger when important events are logged and reviewed.
Check whether you can see:
- risky sign-ins;
- unusual geographic access;
- failed login patterns;
- new forwarding rules;
- administrator changes;
- guest user activity.
The level of monitoring available may depend on licensing, but the organisation should still understand what visibility it has.
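The first three bullets above (risky sign-ins, unusual geography, failed login patterns) can be answered from the sign-in log alone. The script below is an added example, not code from the checklist or from Be Secure Cyber: it runs those three checks over sign-in events in the shape of Microsoft Graph /auditLogs/signIns entries. The events, the per-user country baseline and the burst threshold are constructed for the example; a real review would pull the events from the tenant and build the baseline from known-good history.

```python
"""Review sign-in events for the patterns the checklist above asks about.

Added example: not part of the original checklist. Events follow the shape
of Microsoft Graph /auditLogs/signIns entries; the events, the per-user
country baseline and the thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(upn, when, ip, country, error_code, risk="none"):
    """Build one sign-in record (constructed sample data)."""
    return {"userPrincipalName": upn, "createdDateTime": when, "ipAddress": ip,
            "location": {"countryOrRegion": country},
            "status": {"errorCode": error_code},  # 0 = success, 50126 = bad password
            "riskLevelDuringSignIn": risk}


SAMPLE_SIGNINS = [
    _event("alice@example.com", "2024-05-01T08:00:00Z", "198.51.100.10", "GB", 0),
    _event("alice@example.com", "2024-05-01T08:03:00Z", "198.51.100.10", "GB", 50126),
    # bob: five bad passwords in four minutes, then a success from a new country
    _event("bob@example.com", "2024-05-01T03:00:00Z", "203.0.113.7", "NL", 50126),
    _event("bob@example.com", "2024-05-01T03:01:00Z", "203.0.113.7", "NL", 50126),
    _event("bob@example.com", "2024-05-01T03:02:00Z", "203.0.113.7", "NL", 50126),
    _event("bob@example.com", "2024-05-01T03:03:00Z", "203.0.113.7", "NL", 50126),
    _event("bob@example.com", "2024-05-01T03:04:00Z", "203.0.113.7", "NL", 50126),
    _event("bob@example.com", "2024-05-01T03:05:00Z", "203.0.113.7", "NL", 0),
    # carol: successful, but the sign-in was rated high risk
    _event("carol@example.com", "2024-05-01T09:30:00Z", "198.51.100.22", "GB", 0, "high"),
]

# Countries each user normally signs in from (constructed baseline).
BASELINE_COUNTRIES = {"alice@example.com": {"GB"}, "bob@example.com": {"GB"},
                      "carol@example.com": {"GB"}}


def _ts(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed sign-ins inside any `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["status"]["errorCode"] != 0:
            failures[e["userPrincipalName"]].append(_ts(e))
    bursts = []
    for upn, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((upn, best))
    return sorted(bursts)


def new_country_signins(events, baseline):
    """Successful sign-ins from a country not in the user's baseline."""
    seen = set()
    for e in events:
        country = e.get("location", {}).get("countryOrRegion")
        if e["status"]["errorCode"] == 0 and country \
                and country not in baseline.get(e["userPrincipalName"], set()):
            seen.add((e["userPrincipalName"], country))
    return sorted(seen)


def risky_signins(events):
    """Users with a sign-in rated medium or high risk by the service."""
    return sorted({e["userPrincipalName"] for e in events
                   if e.get("riskLevelDuringSignIn") in ("medium", "high")})


def review(events, baseline):
    """Run all three checks and return the findings by category."""
    return {"failed_login_bursts": failed_login_bursts(events),
            "new_country": new_country_signins(events, baseline),
            "risky": risky_signins(events)}


if __name__ == "__main__":
    for category, items in review(SAMPLE_SIGNINS, BASELINE_COUNTRIES).items():
        print(category, items)
```

The burst check and the new-country check together catch the pattern in bob's events: repeated failures followed by a success from a location the user has never used. The risk rating used by the third check is populated by the service, so, as the paragraph above notes, what it shows depends on the tenant's licensing; the other two checks need only the basic sign-in log.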
Backups and recovery
Microsoft 365 provides resilience, but organisations should still understand their recovery position.
Consider what would happen if email, files or accounts were deleted, encrypted, misconfigured or compromised. Backup and recovery expectations should be clear before an incident occurs.
How Be Secure Cyber can help
Be Secure Cyber can review Microsoft 365 security configuration as part of cloud security consultancy, wider security review, Cyber Essentials preparation or vCISO support.