Running a Microsoft 365 security audit without a framework is how you end up with a 40-page report full of low-severity findings that nobody acts on. This guide walks you through a structured audit built on the CIS Microsoft 365 Foundations Benchmark v5.0.0, which defines 129 controls across 9 sections of your M365 environment.
Whether you are preparing for an internal review, responding to an audit request, or trying to establish a security baseline before a major rollout, this is the process that produces actionable results — not a generic checklist that could apply to any SaaS product.
What a Microsoft 365 Security Audit Actually Covers
A proper M365 security audit is not a scan of one service. It is a structured review of every control surface across your Microsoft 365 tenant — identity, email security, data governance, device management, collaboration tools, and more.
The CIS Microsoft 365 Foundations Benchmark v5.0.0 is the most widely referenced framework for this work. It defines 129 controls organised into 9 sections:
- Microsoft 365 admin center — 14 controls covering administrative accounts, Microsoft 365 Groups, and tenant password policies
- Microsoft Defender / Defender for Office 365 — 19 controls covering Safe Links, Safe Attachments, threat policies, and priority-account protection
- Microsoft Purview — 4 controls covering audit log search, Data Loss Prevention, and Information Protection
- Microsoft Intune — 2 controls covering device compliance policies and enrollment restrictions
- Microsoft Entra (Identity) — 37 controls covering MFA, Conditional Access, password protection, authentication methods, and Privileged Identity Management
- Microsoft Exchange Online — 11 controls covering mailbox auditing, mail flow, anti-phishing, and modern authentication
- Microsoft SharePoint Online & OneDrive — 15 controls covering external sharing defaults and site settings
- Microsoft Teams — 16 controls covering external access, file sharing, meetings, and messaging policies
- Microsoft Fabric / Power BI — 11 controls covering tenant settings
A complete audit checks all 129. In practice, most teams start with Microsoft Entra (37 controls) and Microsoft Defender (19 controls) because these sections hold the most common — and most consequential — misconfigurations.
Step 1: Audit Identity — the Microsoft Entra Section
Identity is the largest section in the benchmark because it is the most exploited attack vector. Before you check any other service, work through these controls.
Are all administrators enrolled in MFA? The answer is almost never "yes, all of them." Conditional Access exclusions accumulate silently — each one added for a legitimate reason (a break-glass account, a service account that cannot complete an interactive prompt, a vendor migration) — but rarely cleaned up afterward. Six months later, your "MFA required for all users" policy has a quiet list of exceptions, and some of them are Global Administrators.
Check the exclusion list for every Conditional Access policy that enforces MFA. Any non-break-glass account on that list is an open door.
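The exclusion-list review described above, written out as an added example (not code from the article or from ConfigCobra). It assumes the Microsoft.Graph PowerShell SDK with read-only scopes, and the two break-glass UPNs are placeholders you replace with your own documented accounts.

```powershell
# Added example: list every account excluded from an enabled, MFA-enforcing
# Conditional Access policy and flag those holding Global Administrator.
# Assumes the Microsoft.Graph SDK; $BreakGlassUpns holds placeholder values.
Connect-MgGraph -Scopes "Policy.Read.All", "Directory.Read.All", "User.Read.All" -NoWelcome

$BreakGlassUpns = @("breakglass1@contoso.example", "breakglass2@contoso.example")

# Active Global Administrator members (PIM-eligible but not activated are not listed here).
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaIds  = @()
if ($gaRole) {
    $gaIds = (Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All).Id
}

$findings = foreach ($policy in Get-MgIdentityConditionalAccessPolicy -All) {
    # Only enabled policies whose grant control is the built-in "mfa" are checked;
    # policies that use an authentication strength instead are skipped here.
    if ($policy.State -ne "enabled") { continue }
    if ($policy.GrantControls.BuiltInControls -notcontains "mfa") { continue }

    # Direct user exclusions plus the members of every excluded group.
    $excludedIds = @($policy.Conditions.Users.ExcludeUsers)
    foreach ($groupId in $policy.Conditions.Users.ExcludeGroups) {
        $excludedIds += (Get-MgGroupMember -GroupId $groupId -All).Id
    }

    foreach ($id in ($excludedIds | Where-Object { $_ } | Sort-Object -Unique)) {
        # Excluded objects that are deleted, or are not users, are skipped.
        $user = try { Get-MgUser -UserId $id -Property Id, UserPrincipalName, AccountEnabled -ErrorAction Stop } catch { $null }
        if (-not $user) { continue }
        [pscustomobject]@{
            Policy        = $policy.DisplayName
            User          = $user.UserPrincipalName
            Enabled       = $user.AccountEnabled
            IsGlobalAdmin = $gaIds -contains $user.Id
            IsBreakGlass  = $BreakGlassUpns -contains $user.UserPrincipalName
        }
    }
}

# Everything that is not a documented break-glass account is a finding;
# Global Administrators on this list are the ones to remediate first.
$findings |
    Where-Object { -not $_.IsBreakGlass } |
    Sort-Object IsGlobalAdmin -Descending |
    Format-Table -AutoSize
```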
Are legacy authentication protocols disabled? Basic authentication for protocols like SMTP AUTH, IMAP, and POP3 bypasses modern authentication entirely — which means it bypasses MFA. If those protocols are active, an attacker with a stolen password does not need to defeat your Conditional Access policy at all. Disable them at the tenant level and create explicit exceptions only for the accounts that genuinely cannot migrate yet.
Is Privileged Identity Management active? PIM enforces just-in-time access for privileged roles. Without it, standing admin assignments persist indefinitely — a permanent Global Administrator seat that was created for a project two years ago and never removed is a standing risk.
Work through all 37 Entra controls before moving to the next section. This section alone covers more ground than most informal "security reviews" attempt in their entirety.
Step 2: Review Email Security — Defender for Office 365
With 19 controls, the Defender section determines whether malicious email reaches your users or gets caught upstream. The most common findings:
Safe Links and Safe Attachments are not applied to all users. Microsoft's out-of-the-box protection policies exist, but they are not sufficient for a benchmark-compliant posture. Safe Links must be configured to rewrite URLs at click time (not just at delivery), and Safe Attachments must detonate files in a sandbox before they are delivered to the mailbox. Confirm that your policies cover every user, not just a pilot group from an initial rollout.
Anti-phishing protection is not configured for executive accounts. The benchmark requires impersonation protection to be active for key personnel and sending domains. Default policies cover the broadest-possible case, but they do not replace explicitly naming the domains and users most likely to be impersonated.
DMARC is missing or set to p=none. DMARC at p=none is monitoring mode — it collects reports but does not quarantine or reject spoofed mail. A p=none DMARC record means your domain can be spoofed to your own users or to anyone else. Upgrade it to p=quarantine at minimum, and p=reject once you are confident the policy is not blocking legitimate mail.
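To check the DMARC posture of every verified domain in the tenant rather than one at a time, here is an added example (not from the article or ConfigCobra). It assumes the Microsoft.Graph SDK for the domain list and the Windows DnsClient module for Resolve-DnsName; it also reads the pct tag, since a quarantine or reject policy applied to only a fraction of mail is weaker than it looks.

```powershell
# Added example: grade the _dmarc TXT record of each verified tenant domain.
# Assumes Microsoft.Graph (Get-MgDomain) and DnsClient (Resolve-DnsName, Windows).
Connect-MgGraph -Scopes "Domain.Read.All" -NoWelcome

function Get-DmarcTags {
    param([Parameter(Mandatory)][string]$Domain)
    # A name may carry several TXT strings; only the one beginning v=DMARC1 counts.
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { ($_.Strings -join "") -match "^v=DMARC1" }
    if (-not $txt) { return $null }
    $record = ($txt | Select-Object -First 1).Strings -join ""
    # Tags are semicolon-separated key=value pairs: p= is the domain policy,
    # sp= the subdomain policy, pct= the share of mail the policy applies to.
    $tags = @{}
    foreach ($pair in $record -split ";") {
        $kv = $pair.Trim() -split "=", 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim().ToLower()] = $kv[1].Trim().ToLower() }
    }
    return $tags
}

$report = foreach ($d in Get-MgDomain -All | Where-Object { $_.IsVerified }) {
    $tags = Get-DmarcTags -Domain $d.Id
    $p    = if (-not $tags) { "missing" } elseif ($tags["p"]) { $tags["p"] } else { "invalid" }
    $pct  = if ($tags -and $tags["pct"]) { [int]$tags["pct"] } else { 100 }
    $status = switch ($p) {
        "reject"     { if ($pct -lt 100) { "WARN: reject applied to $pct% of mail" } else { "OK" } }
        "quarantine" { if ($pct -lt 100) { "WARN: quarantine applied to $pct% of mail" } else { "OK (move to reject when ready)" } }
        "none"       { "FAIL: monitoring only, spoofed mail is delivered" }
        default      { "FAIL: no valid DMARC record" }
    }
    [pscustomobject]@{
        Domain    = $d.Id
        Policy    = $p
        Subdomain = if ($tags -and $tags["sp"]) { $tags["sp"] } else { "(inherits p)" }
        Pct       = $pct
        Status    = $status
    }
}
$report | Format-Table -AutoSize
```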
Step 3: Check Data Governance — Purview and SharePoint
The Purview section is small (4 controls) but the most foundational: if the Unified Audit Log is not enabled, you have no record of activity in your tenant. You cannot investigate an incident, answer an auditor's questions, or detect that anything happened at all. Enabling the Unified Audit Log and configuring retention should be among the first things you verify — not something addressed after the rest of the audit.
The SharePoint and OneDrive section (15 controls) is where data exfiltration risk concentrates. The settings that most commonly fail audit:
- External sharing set to "Anyone" or "New and existing guests" with no expiry controls. This allows users to share files with unauthenticated external recipients. At minimum, external links should require authentication.
- Anonymous link expiry not enforced. If anonymous sharing is permitted, links that never expire are a persistent data leak risk.
- Legacy authentication for SharePoint still active. Some SharePoint clients still support basic authentication. Disable it unless you have a specific, documented dependency.
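The three tenant-level settings behind these findings can be read in one pass. This is an added example (not from the article or ConfigCobra) using the Microsoft.Online.SharePoint.PowerShell module; "contoso" is a placeholder tenant name.

```powershell
# Added example: grade the tenant-wide SharePoint/OneDrive sharing settings.
# Assumes the SharePoint Online Management Shell and a SharePoint admin role.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant
$t = Get-SPOTenant

# SharingCapability values: Disabled, ExistingExternalUserSharingOnly,
# ExternalUserSharingOnly (authenticated guests), ExternalUserAndGuestSharing ("Anyone").
$authenticatedOnly = @("Disabled", "ExistingExternalUserSharingOnly", "ExternalUserSharingOnly")
$spoSharing = $t.SharingCapability.ToString()
$odSharing  = $t.OneDriveSharingCapability.ToString()

$checks = @(
    [pscustomobject]@{
        Control = "SharePoint default external sharing"
        Value   = $spoSharing
        Pass    = $spoSharing -in $authenticatedOnly
    }
    [pscustomobject]@{
        Control = "OneDrive default external sharing"
        Value   = $odSharing
        Pass    = $odSharing -in $authenticatedOnly
    }
    [pscustomobject]@{
        # -1 means anonymous links never expire; only a finding if "Anyone" links exist.
        Control = "Anonymous link expiry (days)"
        Value   = $t.RequireAnonymousLinksExpireInDays
        Pass    = ($spoSharing -ne "ExternalUserAndGuestSharing" -and $odSharing -ne "ExternalUserAndGuestSharing") -or
                  ($t.RequireAnonymousLinksExpireInDays -gt 0)
    }
    [pscustomobject]@{
        Control = "Legacy auth protocols enabled"
        Value   = $t.LegacyAuthProtocolsEnabled
        Pass    = -not $t.LegacyAuthProtocolsEnabled
    }
)
$checks | Format-Table -AutoSize
```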
Step 4: Review Microsoft Teams and Exchange Online
Microsoft Teams has 16 controls in the benchmark — more than SharePoint — because it has become the default entry point for external collaboration, and most of its default settings favour usability over restriction.
The controls that most commonly fail:
- External access configured to "All external domains" rather than a named allow-list. This allows users from any organisation to contact your users directly or join meetings.
- Anonymous meeting join enabled. This allows anyone with a meeting link — including forwarded invitations — to join without authentication.
- Guest access not scoped. Teams guest accounts can, by default, see all channels and files in a team. Scope guest permissions to the minimum needed for the specific collaboration.
For Exchange Online (11 controls), the most common findings are:
- SMTP AUTH enabled at the tenant level. SMTP AUTH bypasses modern authentication. Disable it tenant-wide and create mailbox-level exceptions only for services that cannot use OAuth.
- Mailbox auditing not enabled for all mailboxes. The default audit setting changed in 2019 to enable auditing for most mailbox types, but service accounts and shared mailboxes may still have it off. Verify explicitly.
- Modern authentication not enforced. If legacy auth is still permitted for Exchange, users with older Outlook clients can authenticate without MFA.
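One Exchange Online PowerShell session answers both the Unified Audit Log question from Step 3 and the three Exchange findings above. This is an added example (not from the article or ConfigCobra); it assumes the ExchangeOnlineManagement module and a read-only role, and it changes nothing.

```powershell
# Added example: read-only checks for the Unified Audit Log (Step 3) and the
# SMTP AUTH, mailbox auditing and modern authentication findings (Step 4).
# Assumes the ExchangeOnlineManagement module; nothing here writes configuration.
Connect-ExchangeOnline -ShowBanner:$false

# Step 3: without the Unified Audit Log there is nothing to investigate later.
$ual = Get-AdminAuditLogConfig
[pscustomobject]@{ Check = "Unified Audit Log ingestion"; Value = $ual.UnifiedAuditLogIngestionEnabled; Pass = $ual.UnifiedAuditLogIngestionEnabled }

# SMTP AUTH: tenant-wide switch first, then mailboxes that re-enable it.
$transport = Get-TransportConfig
[pscustomobject]@{ Check = "SMTP AUTH disabled tenant-wide"; Value = $transport.SmtpClientAuthenticationDisabled; Pass = $transport.SmtpClientAuthenticationDisabled }

# Per mailbox: $false = explicitly re-enabled, $null = inherits the tenant setting.
$smtpExceptions = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
"SMTP AUTH re-enabled on {0} mailbox(es); each needs a documented reason:" -f @($smtpExceptions).Count
$smtpExceptions | Select-Object PrimarySmtpAddress | Format-Table -AutoSize

# Mailbox auditing: the org-level AuditDisabled switch, then per-mailbox state.
# Shared mailboxes and service accounts are the usual stragglers.
$org = Get-OrganizationConfig
[pscustomobject]@{ Check = "Mailbox auditing on by default"; Value = -not $org.AuditDisabled; Pass = -not $org.AuditDisabled }
$unaudited = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object PrimarySmtpAddress, RecipientTypeDetails
"Mailboxes with AuditEnabled = false: {0}" -f @($unaudited).Count
$unaudited | Format-Table -AutoSize

# Modern authentication: OAuth2ClientProfileEnabled must be on, and the
# authentication policies should not allow basic auth for any protocol.
[pscustomobject]@{ Check = "Modern authentication enabled"; Value = $org.OAuth2ClientProfileEnabled; Pass = $org.OAuth2ClientProfileEnabled }
Get-AuthenticationPolicy |
    Select-Object Name, AllowBasicAuthSmtp, AllowBasicAuthImap, AllowBasicAuthPop, AllowBasicAuthOutlookService, AllowBasicAuthActiveSync |
    Format-Table -AutoSize
```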
Step 5: Don't Skip Intune and Fabric
These are the two smallest sections in the benchmark — 2 controls and 11 controls respectively — but they are frequently overlooked because they live in separate admin portals.
For Microsoft Intune: confirm that device compliance policies are configured and that devices are required to be compliant before accessing corporate resources. A compliant-device requirement in Conditional Access is only meaningful if the compliance policy actually defines what compliant means.
For Microsoft Fabric / Power BI: tenant settings control who can publish reports, share dashboards externally, and embed content in external applications. These settings default to permissive. Review the 11 controls in the benchmark and restrict them to the minimum needed for your organisation's use of the platform.
Automate the Audit with ConfigCobra
Manually checking 129 controls across 9 admin portals — each with its own interface, its own role requirements, and its own export format — takes two to three full working days for an experienced M365 engineer. Most organisations do it quarterly at best, which means configuration drift goes undetected for months.
ConfigCobra connects to your tenant on read-only Microsoft Graph permissions — no agents, no admin password sharing — and runs the full CIS Microsoft 365 Foundations Benchmark v5.0.0 assessment in 20–25 minutes. Each finding includes:
- The specific control that failed and the exact configuration that triggered it
- The affected scope — which users, policies, or settings
- A copy-paste remediation script (PowerShell or admin portal steps) pre-filled for your tenant
- A CIS-certified PDF report with a timestamped tenant snapshot for your audit file
After the initial assessment, continuous monitoring runs on a daily, weekly, or monthly cadence and sends an alert the moment a control regresses — so you catch configuration drift when it happens, not at the next review.
For teams using AI assistants in their security workflows, the ConfigCobra MCP server lets you query your live posture data in plain language directly inside Claude, Cursor, or any MCP-compatible client: "Which of my admin accounts are excluded from Conditional Access policies?" or "What are my five highest-severity open findings?" — answered from your actual scan data, not a static report.
Microsoft 365 Security Audit Checklist
A reference for the controls most likely to produce findings on a first audit:
Microsoft Entra (Identity)
- [ ] No non-break-glass accounts excluded from MFA Conditional Access
- [ ] Legacy authentication disabled (SMTP AUTH, IMAP, POP3 basic auth)
- [ ] Self-service password reset configured with secure verification methods
- [ ] Privileged Identity Management active for Global Administrator and other privileged roles
- [ ] Global Administrators using dedicated cloud-only admin accounts
Microsoft Defender / Defender for Office 365
- [ ] Safe Links active with URL rewriting enabled, applied to all users
- [ ] Safe Attachments active in Dynamic Delivery mode, applied to all users
- [ ] Anti-phishing: impersonation protection configured for key domains and personnel
- [ ] DMARC policy set to p=quarantine or p=reject for all sending domains
- [ ] DKIM signing enabled for all sending domains
Microsoft Purview
- [ ] Unified Audit Log enabled and verified
- [ ] Audit log retention meets your policy requirements (90 days minimum, 1 year for E5)
- [ ] Alert policies configured for high-risk activities (mass file download, inbox rules forwarding externally)
Microsoft SharePoint Online & OneDrive
- [ ] Default external sharing restricted to authenticated users at minimum
- [ ] Anonymous link expiry enforced
- [ ] Legacy SharePoint authentication disabled
Microsoft Exchange Online
- [ ] SMTP AUTH disabled at tenant level
- [ ] Mailbox auditing confirmed active for all mailbox types
- [ ] Modern authentication enforced; legacy auth for Exchange blocked
Microsoft Teams
- [ ] External access restricted (allow-list or blocked)
- [ ] Anonymous meeting join disabled or restricted to lobby
- [ ] Guest access permissions scoped per team
Microsoft Intune
- [ ] Device compliance policies defined
- [ ] Conditional Access requires device compliance for corporate resource access
Run through this list every time you make a significant change to your M365 configuration — a new Conditional Access policy, a Teams upgrade, a migration that temporarily required SMTP AUTH. These are the settings most likely to regress, and they are the ones that produce the most damaging findings when they do.
Book a demo to see ConfigCobra run the complete 129-control audit against your tenant — and see exactly which of these findings apply to you, with remediation steps ready to copy.