
What I Check When I Do a Microsoft 365 Tenant Security Review

  • Writer: Shay
  • 5 days ago
  • 10 min read

Most Microsoft 365 tenants I work with have security features that are licensed but never configured, policies that exist but aren't enforcing anything, and accounts that should have been cleaned up months ago. A proper tenant review covers licensing, identity and access controls, email protocol security, device management, Defender configuration, and more. If nobody has walked through your tenant, there's a good chance it's not as secure as you think.


[Image: Microsoft 365 tenant security review checklist for small businesses by SNL-Tech Services Columbia MD]

I was working in a client's Microsoft 365 tenant recently and started pulling up their Conditional Access policies. They looked good. Named properly, scoped to the right users. I clicked into the first one and it was in report-only mode. Then the second. Then the third.

Every single policy had been sitting in report-only for eight months.


Report-only doesn't enforce anything. It just watches. No MFA being required, no risky sign-ins getting blocked. The tenant looked configured. It wasn't.


That's the kind of thing you don't find unless someone actually goes in and looks. And that's what a Microsoft 365 tenant security review is for.


I do these reviews for small businesses across Columbia, MD, Northern Virginia, Maryland, Pennsylvania, West Virginia, Delaware, and DC. And because most of this work is done remotely, location doesn't matter. If you have a Microsoft 365 tenant, I can review it.

Here's what I actually go through.


Microsoft 365 Licensing: Start Here Because Everything Else Depends on It

Before I look at anything else, I need to know what's actually assigned and to whom.

The most common thing I find is old mailboxes still on paid licenses for people who left. The owner didn't want to lose the emails, which makes sense, but you don't need a paid license to keep that email accessible. The fix is to convert the mailbox to a shared mailbox and give whoever needs access permission to it. The emails stay. The license cost goes away.


The other thing I always check on those old accounts is whether sign-in has been blocked. Most of the time it hasn't. That's a problem. An account sitting there with an active sign-in, attached to someone who no longer works there, with nobody monitoring it. That account can still be targeted. If it gets compromised, nobody's going to notice because nobody's logging in to check.

Block the sign-in. Handle the mailbox. Clean up what's left.
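The licensing check above, as an added PowerShell example (not from the original post): it lists every licensed account that has either stopped signing in or already has sign-in blocked, then walks one confirmed departure through the block / convert-to-shared / drop-license sequence. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules; SignInActivity needs the AuditLog.Read.All scope and an Entra ID P1 license (Business Premium includes one). The 90-day cutoff and the contoso.com addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph and
# ExchangeOnlineManagement modules; SignInActivity needs AuditLog.Read.All
# and an Entra ID P1 license. Addresses and the 90-day cutoff are placeholders.
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All','Directory.Read.All' -NoWelcome

# Map license SKU ids to readable part numbers (e.g. SPB = Business Premium).
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[$_.SkuId] = $_.SkuPartNumber }

$cutoff = (Get-Date).AddDays(-90)
$users  = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,AccountEnabled,AssignedLicenses,SignInActivity

$findings = foreach ($u in $users) {
    if (-not $u.AssignedLicenses) { continue }           # unlicensed: no cost, nothing to reclaim
    $lastSignIn = $u.SignInActivity.LastSignInDateTime   # $null if the account never signed in
    $stale = (-not $lastSignIn) -or ($lastSignIn -lt $cutoff)
    if (-not $stale -and $u.AccountEnabled) { continue } # active and in use: fine

    # Two different problems: a likely-departed user still allowed to sign in,
    # or a blocked account that is still burning a paid license.
    $finding = if ($u.AccountEnabled) { 'No sign-in in 90+ days but sign-in still allowed' }
               else { 'Sign-in blocked but still consuming a paid license' }
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        Enabled    = $u.AccountEnabled
        LastSignIn = $lastSignIn
        Licenses   = ($u.AssignedLicenses.SkuId | ForEach-Object { $skuNames[$_] }) -join ', '
        Finding    = $finding
    }
}
$findings | Format-Table -AutoSize

# Remediation for one confirmed departure (placeholder UPN). Order matters:
# block sign-in, convert the mailbox so the mail stays, then remove the license.
$departed = 'former.employee@contoso.com'
Update-MgUser -UserId $departed -AccountEnabled:$false
Connect-ExchangeOnline
Set-Mailbox -Identity $departed -Type Shared
Add-MailboxPermission -Identity $departed -User 'manager@contoso.com' -AccessRights FullAccess -AutoMapping $true
$skus = (Get-MgUser -UserId $departed -Property AssignedLicenses).AssignedLicenses.SkuId
Set-MgUserLicense -UserId $departed -RemoveLicenses $skus -AddLicenses @()
```

Review the findings table with the business owner before running the remediation lines; a long-absent but still-employed user looks identical to a departure in this data.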


Global Admin Accounts: Who Has the Keys

I look at how many people have global admin access and whether they're using those accounts for everyday work like checking email or jumping into Teams meetings.


Global admin accounts should be dedicated accounts used only for admin tasks. Not the same account someone uses to do their regular job. If a global admin account gets compromised while someone's using it to click through their inbox, the attacker gets access to everything in the tenant. I see this pretty regularly with small businesses in Columbia, MD and it's a straightforward fix once someone flags it.


Break Glass Accounts: The Emergency Exit

I check whether the tenant has break glass accounts set up. These are emergency admin accounts that sit outside of normal Conditional Access policies, specifically for situations where something goes wrong and the regular admins can't get in.


Most tenants I look at don't have them. That's a real gap. I always recommend setting up two and pairing each one with a physical security key. YubiKeys are what I point clients toward. The keys get stored somewhere secure, those accounts never get used for anything day to day, and they're there in case a misconfiguration or a policy change locks everyone out with no way back in.


Without break glass accounts, one bad change can end your day fast.


MFA Enrollment: The Policy Isn't Enough

Conditional Access can require MFA all day long. But if users never actually completed enrollment, the requirement doesn't protect them.


I check who's required to use MFA and whether they actually went through the setup. There's a gap in a lot of tenants where the requirement exists on paper but a few users never finished the process and nobody followed up. Those accounts are sitting there with effectively no MFA protection, regardless of what the policy says.


Conditional Access Policies: Are They Actually Running

This is where I found that client's eight months of report-only policies.

Report-only mode is meant for testing. You turn on a policy in report-only to see what it would do before you enforce it. It's a useful tool. But it's not supposed to stay there indefinitely, and nobody told this client that every single policy they had was still in observation mode. Microsoft's own documentation on Conditional Access policy best practices makes clear that report-only is a staging state, not a permanent configuration.


I go through every policy. Is it enabled or disabled. What's it scoped to. Is it actually enforcing or just watching. For small businesses across Maryland, Northern Virginia, the DMV, and beyond that have cyber insurance requirements or any kind of compliance obligation, having policies that aren't enforcing is a significant exposure. The policies look good on paper. The protection isn't there.
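The policy-by-policy walk described above, as an added PowerShell example (not from the original post): it pulls every Conditional Access policy through the Microsoft Graph SDK, shows whether each one is enforcing, disabled or report-only, and flags report-only policies that have not been touched in 30 days. It assumes the Microsoft.Graph module and an account that can consent to Policy.Read.All; the 30-day threshold is my own.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph
# PowerShell SDK and an account that can consent to Policy.Read.All.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    # Graph reports three states; the portal calls the third one "report-only".
    $status = switch ($p.State) {
        'enabled'                           { 'Enforcing' }
        'disabled'                          { 'DISABLED' }
        'enabledForReportingButNotEnforced' { 'REPORT-ONLY' }
        default                             { $p.State }
    }
    # A policy that has never been edited has no ModifiedDateTime.
    $lastChange = if ($p.ModifiedDateTime) { $p.ModifiedDateTime } else { $p.CreatedDateTime }

    [pscustomobject]@{
        Policy        = $p.DisplayName
        Status        = $status
        LastChange    = $lastChange
        UsersIncluded = ($p.Conditions.Users.IncludeUsers -join ', ')
        GrantControls = ($p.GrantControls.BuiltInControls -join ', ')
    }
}

# Enforcing first, then the ones that are only watching.
$findings | Sort-Object Status | Format-Table -AutoSize

# Report-only is a staging state. Anything still watching after 30 days is a finding.
$stale = $findings | Where-Object {
    $_.Status -eq 'REPORT-ONLY' -and $_.LastChange -lt (Get-Date).AddDays(-30)
}
if ($stale) {
    Write-Warning ("{0} policy(ies) have sat in report-only for 30+ days:" -f @($stale).Count)
    $stale | Select-Object Policy, LastChange | Format-Table -AutoSize
}
```

The eight-months case from the story would show up here as every row marked REPORT-ONLY with a LastChange far past the threshold.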


Email Protocol Security: Shut the Old Doors

I check whether legacy email protocols have been disabled across the tenant: IMAP, POP3, and SMTP AUTH (client submission). These are older protocols that don't support modern authentication, and they're an easy path in for an attacker.


For most tenants, these should be off at the tenant level. The exception is something like a copier or printer that needs to send scanned documents through email. That's a real and common scenario. In that case I handle it at the individual mailbox level so that one device works the way it needs to without leaving the door open across the whole organization.
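The tenant-level shutdown with a single mailbox-level exception, as an added Exchange Online PowerShell example (not from the original post): it first reports which mailboxes still have IMAP, POP or SMTP AUTH available, resolving the per-mailbox "inherit from tenant" case correctly, then, behind a switch you flip after reading the report, closes the protocols tenant-wide and re-enables SMTP AUTH only on the copier's mailbox. It assumes the ExchangeOnlineManagement module and an Exchange admin role; copier@contoso.com is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement
# module and an Exchange admin role; copier@contoso.com is a placeholder for the
# one device that genuinely needs SMTP AUTH to send scans.
Connect-ExchangeOnline

# Tenant-wide SMTP AUTH setting; a mailbox whose own value is $null inherits it.
$tenantSmtpAuthOff = (Get-TransportConfig).SmtpClientAuthenticationDisabled

$report = foreach ($m in Get-CASMailbox -ResultSize Unlimited) {
    $smtpAuthOff = if ($null -eq $m.SmtpClientAuthenticationDisabled) { $tenantSmtpAuthOff } else { $m.SmtpClientAuthenticationDisabled }
    [pscustomobject]@{
        Mailbox  = $m.PrimarySmtpAddress
        IMAP     = $m.ImapEnabled
        POP      = $m.PopEnabled
        SmtpAuth = -not $smtpAuthOff
    }
}

# Any mailbox with a legacy protocol still reachable is a finding.
$report | Where-Object { $_.IMAP -or $_.POP -or $_.SmtpAuth } | Format-Table -AutoSize

# Flip to $true only after reviewing the report above.
$Remediate = $false
if ($Remediate) {
    # Tenant level: SMTP AUTH off for every mailbox that does not override it,
    # and IMAP/POP off in every mailbox plan so new mailboxes start closed.
    Set-TransportConfig -SmtpClientAuthenticationDisabled $true
    Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

    # Existing mailboxes: IMAP and POP off everywhere.
    Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

    # The single exception: the copier keeps SMTP AUTH on its own mailbox only.
    Set-CASMailbox -Identity 'copier@contoso.com' -SmtpClientAuthenticationDisabled $false
}
```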


I also check SPF, DKIM, and DMARC for every domain in the tenant. These are DNS records that tell the world which servers are allowed to send email on your behalf and what to do when something doesn't match. A lot of tenants have them set up for the primary domain but nobody ever configured them for the secondary domains sitting in the tenant.


The other thing I look for is domains that aren't actively sending email at all. Those still need records. If there's no SPF, DKIM, or DMARC on a parked domain, anyone can spoof that domain and send email that looks like it came from you. The fix is to set the records to explicitly block all sending from that domain. It's a small thing that most people never think about until someone calls them saying they got a suspicious email from their company.
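The per-domain SPF, DKIM and DMARC check, parked domains included, as an added PowerShell example (not from the original post): it enumerates every verified domain in the tenant, resolves the three records, and labels each domain as locked, missing records, not hard-failing, or fine. It assumes the Microsoft.Graph module (Domain.Read.All) and the Resolve-DnsName cmdlet that ships with Windows; the assessment rules are my own reading of "explicitly block all sending" (SPF `v=spf1 -all` plus DMARC `p=reject`).

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK
# (Domain.Read.All) and Windows' Resolve-DnsName. Assessment rules are my own.
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome
$domains = (Get-MgDomain -All | Where-Object { $_.IsVerified }).Id

function Get-TxtRecord([string]$Name, [string]$Prefix) {
    # First TXT string at $Name that starts with $Prefix, or $null if none.
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' } |
        Where-Object { $_ -like "$Prefix*" } |
        Select-Object -First 1
}

$results = foreach ($d in $domains) {
    $spf   = Get-TxtRecord -Name $d -Prefix 'v=spf1'
    $dmarc = Get-TxtRecord -Name "_dmarc.$d" -Prefix 'v=DMARC1'
    # Microsoft 365 publishes DKIM keys behind selector1/selector2._domainkey CNAMEs.
    $dkim  = @('selector1', 'selector2') | Where-Object {
        Resolve-DnsName -Name "$_._domainkey.$d" -Type CNAME -ErrorAction SilentlyContinue
    }
    # Match the domain policy "p=" and not the subdomain policy "sp=".
    $policy = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'missing' }

    $assessment = if (-not $spf -or -not $dmarc) { 'MISSING SPF or DMARC: spoofable' }
                  elseif ((($spf -replace '\s', '') -eq 'v=spf1-all') -and $policy -eq 'reject') { 'Parked and locked' }
                  elseif ($spf -notmatch '-all\s*$') { 'SPF does not hard-fail' }
                  elseif ($policy -ne 'reject') { "DMARC p=$policy, not enforcing" }
                  elseif (-not $dkim) { 'DKIM not published' }
                  else { 'OK' }

    [pscustomobject]@{ Domain = $d; SPF = $spf; DKIM = ($dkim -join ','); DMARC = $policy; Assessment = $assessment }
}
$results | Format-Table -AutoSize
```

A parked domain that comes back "MISSING SPF or DMARC" is the case described above: anyone can send as that domain until `v=spf1 -all` and a `p=reject` DMARC record are published for it.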


Enterprise Applications: What Has Access to Your Tenant

I pull up the Enterprise Applications list in Entra ID and go through every entry.

What is it. Is it active or has it been disabled. When was it added and does anyone still need it.


Some of these are obvious. Others have names nobody on the team can identify. And some have permissions that genuinely surprised me when I started paying close attention to this area. Things like full access to all files the signed-in user can access, or read and write access to every email in the mailbox.


Every app that's connected to your tenant without a current business reason is an unnecessary risk. If that app ever gets compromised, the attacker inherits whatever permissions were granted. If nobody can tell me why something is there or who authorized it, it gets removed.
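The Enterprise Applications review, as an added PowerShell example (not from the original post): it reads every delegated consent grant in the tenant through the Microsoft Graph SDK, joins it to the app's service principal, and lists only the apps holding scopes like the mailbox and file access mentioned above, along with whether the app is still enabled and whether an admin consented for everyone. It assumes the Microsoft.Graph module with Application.Read.All and Directory.Read.All; the list of scopes treated as high impact is my own and should be tuned per tenant.

```powershell
# Added example, not from the original post. Assumes the Microsoft.Graph SDK
# with Application.Read.All and Directory.Read.All. The high-impact scope
# list is my own starting point, not an official classification.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

# Delegated scopes worth a conversation: mailbox read/write and send, all
# files and sites the user can reach, and directory writes.
$highImpact = @(
    'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All', 'Sites.ReadWrite.All',
    'Directory.ReadWrite.All', 'MailboxSettings.ReadWrite'
)

$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

# One grant per (app, resource, consent type); Scope is a space-separated list.
$findings = foreach ($g in Get-MgOauth2PermissionGrant -All) {
    $app    = $spById[$g.ClientId]
    $scopes = $g.Scope -split '\s+' | Where-Object { $_ }
    $risky  = $scopes | Where-Object { $highImpact -contains $_ }
    if (-not $risky) { continue }
    [pscustomobject]@{
        App         = if ($app) { $app.DisplayName } else { $g.ClientId }
        Enabled     = if ($app) { $app.AccountEnabled } else { 'unknown' }
        Consent     = $g.ConsentType   # AllPrincipals = an admin consented for everyone
        RiskyScopes = $risky -join ' '
    }
}
$findings | Sort-Object Consent, App | Format-Table -AutoSize

# After the business confirms an app has no current owner or reason to exist:
#   Update-MgServicePrincipal -ServicePrincipalId <id> -AccountEnabled:$false
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <grant id>
```

This covers delegated (user-scoped) grants; application permissions that run without a signed-in user are listed separately per app with `Get-MgServicePrincipalAppRoleAssignment`.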


Intune Device Policies: The License Isn't the Protection

Microsoft 365 Business Premium includes Intune. A lot of clients are paying for it and getting nothing out of it.


Either the devices were never enrolled, or policies were set up at some point and never assigned to anyone. Compliance policies, configuration profiles, BitLocker encryption requirements, rules that block company resource access from devices that aren't marked compliant. All of it is available. None of it does anything until it's actually deployed and pushed to the devices.


Having the feature included in your license is not the same as having it running.


Security Groups and Least Privilege Access

I look at how access is being granted across the tenant. What I typically find is permissions assigned directly to individual users, no real structure, and a lot of people with more access than they actually need for their job.


The right way to manage it is through security groups where access is tied to someone's role. It keeps things organized. It makes audits faster. And when someone leaves or changes positions, you're not hunting down individual permissions scattered across a dozen different places. You remove them from the group and they're done.


Defender for Office 365: The License Doesn't Do It Automatically

Same pattern as Intune. The license includes Defender for Office 365 and nobody ever went in and configured it.


I apply the Standard Protection preset policy and scope it to the users and the domain. That covers anti-phishing, anti-malware, Safe Links, and Safe Attachments in one consistent setup rather than trying to piece together individual policies from scratch. Microsoft's Defender for Office 365 preset security policies are designed exactly for this: one configuration that gets you to a solid baseline fast.


For small businesses in Columbia, MD, across Northern Virginia, and anywhere in the DMV, this is one of the highest-value things I do during a review. The protection was available the whole time. It just wasn't on.


Guest Accounts and External Sharing: The Slow Accumulation

Tenants accumulate guest accounts over time. Old vendors, contractors, people from projects that wrapped up a year ago. Nobody goes back and cleans them up, and they end up retaining access to things long after the relationship ended.


I also check the external sharing settings in SharePoint and OneDrive. A lot of tenants have this wide open, meaning anyone in the organization can share files externally without any restrictions. Most business owners have no idea that's the case until someone shows them.


Retention Policies: Give Yourself More Time

I review the retention policies for OneDrive and SharePoint. The default configuration is usually a basic 30-, 60-, or 90-day setup. I recommend extending that to 180 days.


The reason is simple. If something gets deleted or corrupted and nobody notices for six weeks, you want a window long enough to actually recover it. Thirty days goes fast when nobody's watching.


The Backup Conversation: Microsoft 365 Is Not a Backup

This one comes up at every review.

Microsoft 365 is a collaboration platform. It's not a backup solution. Data can be deleted. It can get corrupted. A ransomware attack can tear through SharePoint and OneDrive and Microsoft's built-in retention policies won't save you the way an actual backup would.


Most small business owners assume that because their files are in the cloud, they're protected. That assumption has cost people a lot. I recommend a third-party backup solution to every client on Microsoft 365. Every one. It's still one of the most misunderstood things about the platform and it's one of the conversations I have most often with businesses across Maryland, Virginia, Pennsylvania, West Virginia, Delaware, and DC.


Frequently Asked Questions


How long does a Microsoft 365 tenant security review take?

For most small businesses with 5 to 50 users, a review takes two to four hours depending on the complexity of the tenant. If policies were set up over time by different people or inherited from a previous IT provider, it can take longer to work through everything.


Do I need Microsoft 365 Business Premium to get the security features you're describing?

Most of them, yes. Business Standard doesn't include Defender for Office 365, Intune, or Conditional Access. Business Premium includes all of those. If you're on Standard and you're concerned about security, that's a conversation worth having.


What if I've had Microsoft 365 for years and nobody has done a review?

That's actually the most common situation I walk into. The tenant was set up by whoever set it up, settings were left at defaults, and nobody's touched it since. That doesn't mean everything is wrong. But there's almost always something worth fixing.


Can my current IT provider do this review?

If they're managing your Microsoft 365 environment they should be. If they haven't offered it or you're not sure what's been configured, that's worth asking about directly.


Is Conditional Access complicated to set up?

It doesn't have to be. For most small businesses, a handful of policies covering MFA requirements and basic access controls are enough to get most of the protection you need. The complexity comes when organizations have unusual access requirements or mixed device environments.


What does it mean if an app in Enterprise Applications has permissions I don't recognize?

It means something in your organization connected that app to your tenant at some point and granted it permissions. It doesn't automatically mean something bad happened, but it does mean you need to figure out what it is and whether it should still be there. Unknown apps with high-permission access are one of the things I take most seriously during a review.


Do I need a separate backup solution if I already have Microsoft 365?

Yes. Microsoft's built-in retention features are not a backup. They're designed for compliance and accidental deletion recovery within a limited window. A proper third-party backup gives you independent copies of your data that aren't affected by what happens inside your Microsoft tenant.


Do you do Microsoft 365 tenant reviews remotely?

Yes, and that's actually how most of this work gets done. I don't need to be on-site to review your tenant. I work with small businesses across the full DMV area including Maryland, Northern Virginia, Washington DC, Pennsylvania, West Virginia, and Delaware. Most of this work is done remotely so geography isn't a barrier. If you have a Microsoft 365 tenant, I can review it from anywhere.


How often should a Microsoft 365 tenant be reviewed?

At minimum, once a year. More often if you've had staff turnover, added new vendors, gone through a business change, or if your cyber insurance carrier is asking about your security controls.


What happens after the review?

You get a written report that covers everything I found. What's configured correctly, what I flagged, and what needs to change. I also pull your Microsoft Secure Score at the time of the review and use it as your baseline snapshot so you have a starting point to measure against going forward.



The report is written in plain language, not IT jargon, so you can actually read it and understand where you stand. From there we walk through the findings together, prioritize what gets addressed first, and put a short-term plan together for anything that can't be fixed the same day.


Get a Microsoft 365 Tenant Audit for Your Business

If you're not sure when someone last looked at your tenant, or if you've never had a proper review done, that's the place to start.


SNL-Tech Services offers a Microsoft 365 Tenant Audit that covers everything in this post. Licensing, identity and access, email protocol security, device policies, Defender configuration, guest accounts, retention policies, and a third-party backup recommendation if you don't already have one.


At the end of the audit, you'll have a clear picture of what's actually running in your environment and a prioritized list of what needs attention.


I work with small businesses across Maryland, Northern Virginia, Pennsylvania, West Virginia, Delaware, and DC. Most of this work is done remotely so you don't need to be local. The first conversation is free.


