Microsoft 365 Security Audit Checklist

A Microsoft 365 security audit checklist is a working document, not a single control list. It runs across eight domains and refreshes every quarter.

Key takeaways

A clean audit posture spans identity, mailbox, files, endpoints, audit logs, and the wider Defender stack.
Microsoft 365 E5 is the reference baseline. E3 estates need targeted add ons to match key controls.
Conditional Access policies, MFA coverage, and break glass account governance are the highest impact identity items.
Mailbox audit, retention, and litigation hold settings are the most common gaps in legal review.
Defender for Endpoint Plan 2 and Intune compliance policies must agree, not duplicate each other.
Quarterly review is the operating cadence that keeps the baseline current.

Microsoft 365 audit posture is not a product. It is a configuration baseline across identity, data, and endpoints.

Most audit findings cluster around the same gaps. Identity weaknesses, missing retention, weak endpoint compliance.

This checklist is structured by audit domain. Use it as a working document, refresh quarterly, and document evidence as you go.

Identity controls

Identity is the first domain auditors examine. Conditional Access policies and MFA coverage are the highest impact items.

MFA and Conditional Access

MFA on all admins and all users is the baseline.

MFA enforced for every Global Admin.
Conditional Access policies for all users covering compliant device and trusted location.
Block legacy authentication.
Privileged Identity Management for just in time elevation.

Break glass accounts

Break glass accounts must be excluded from Conditional Access carefully and audited regularly.

At least two break glass accounts.
Excluded from Conditional Access blocking.
Stored in a secured offline vault.
Quarterly sign in test and password rotation.

Guest and external access

Guest user lifecycle is the silent identity risk in most tenants.

Entitlement management for guest invitations.
Access reviews quarterly for all guest users.
B2B collaboration scoping by partner domain.

Mailbox controls

Mailbox audit and retention are commonly mis configured in older tenants.

Mailbox audit

Mailbox audit must be enabled on every user mailbox.

Mailbox audit enabled tenant wide.
MailItemsAccessed enabled for E5 users.
Audit retention aligned with retention policy.

Retention and litigation hold

Retention and litigation hold must be aligned with legal requirements.

Default retention policy applied.
Litigation hold enabled for relevant roles.
Deleted item recovery window documented.

Audit checklist coverage by license tier

Control domain	E3 native	E5 native	Add on needed
MFA and CA	Yes	Yes	None
Privileged Identity Management	No	Yes	Entra ID Plan 2
MailItemsAccessed audit	No	Yes	Purview Audit Premium
DLP for sensitive data	Basic	Yes	Purview Premium
Defender for Endpoint Plan 2	No	Yes	Defender Plan 2 add on
Sentinel ingest	No	No	Sentinel licensed separately

Files and SharePoint controls

SharePoint and OneDrive carry the bulk of unstructured corporate data.

DLP and sensitivity labels

DLP policies must cover the relevant data classes.

Sensitivity labels deployed and adopted.
DLP policies for sensitive data classes.
External sharing scoped by label.

External sharing settings must reflect the data protection stance.

Anonymous link sharing disabled for sensitive sites.
Guest expiration windows applied.
Site level sharing settings reviewed quarterly.

Device and endpoint controls

Intune and Defender for Endpoint must work together, not against each other.

Intune compliance

Intune compliance policies define what counts as a compliant device.

Defender for Endpoint

Defender for Endpoint Plan 2 deployment and tamper protection must be enforced.

Mobile device management

MAM and MDM policies must align with the data protection model.

Audit failure rarely traces back to one missing control. It traces back to a quarterly review that nobody actually ran.

Audit log controls

Audit log retention and search must be operational, not theoretical.

Purview audit

Purview Audit Standard or Premium must be active with appropriate retention.

Sentinel ingest

Sentinel must ingest the audit log feed if longer retention or correlation is required.

Posture review

Secure Score and compliance manager give a running view of posture.

Secure Score targets

Define a Secure Score target by domain and review monthly.

Compliance Manager

Compliance Manager maps controls to regulatory frameworks. Use it as evidence, not just a dashboard.

What to do next

Run the checklist end to end against your tenant.
Document evidence for each control. Screenshots and policy exports count.
Identify license gaps. E3 tenants will need targeted Premium add ons.
Set a quarterly review cadence with security, IT, and legal at the table.
Link your audit posture to your renewal model. Some add ons sit better inside the EA.
Track Secure Score targets by domain, not as a single tenant number.
Engage independent advisory if the next external audit is inside the next two quarters.
Update the checklist whenever Microsoft ships new controls.

Frequently asked questions

What licenses do I need for a full Microsoft 365 security audit baseline?

Microsoft 365 E5 is the reference baseline. E3 estates can match most controls with targeted add ons including Entra ID Plan 2, Purview Audit Premium, Defender for Endpoint Plan 2, and Sentinel for advanced correlation.

How often should the security audit checklist be reviewed?

Quarterly is the working cadence for most regulated industries. Identity items deserve a monthly touch. Posture review through Secure Score should run monthly even if the full checklist is quarterly.

Is Defender for Endpoint Plan 1 enough to pass a security audit?

Plan 1 covers next generation antivirus and attack surface reduction but lacks EDR, threat and vulnerability management, and Defender for Endpoint Plan 2 specific telemetry. Most regulated audits require Plan 2 or equivalent.

Do I need Sentinel for a clean Microsoft 365 audit posture?

Sentinel is not strictly required for a clean audit. Purview Audit covers the Unified Audit Log natively. Sentinel becomes important for correlation, longer retention, and SOC operations beyond the M365 audit feed.

How does Conditional Access fit into the audit checklist?

Conditional Access is the highest impact identity control. Auditors expect MFA enforced for all users, blocked legacy authentication, and compliance based device policies. Documented Conditional Access policies are evidence.

What is the most common audit finding in Microsoft 365 estates?

Mailbox audit and retention gaps are the most common findings. MailItemsAccessed often disabled at E5, retention policies missing, and litigation hold not aligned with legal requirements.

Microsoft 365 security audit checklist.