What a Microsoft 365 Security Assessment Should Cover: A Scope Checklist for Compliance Managers

Why a Microsoft 365 Security Assessment Matters More Than Ever

Microsoft 365 has become the collaboration backbone for thousands of defense contractors, federal agencies, and regulated organizations. With that ubiquity comes a specific and serious risk: most organizations using M365 have never systematically verified that their tenant configuration actually meets their compliance obligations. They activate licenses, migrate users, and assume the defaults are good enough. They are not.

A Microsoft 365 security assessment is a structured review of your tenant configuration, identity architecture, data controls, and security tooling against the requirements of the frameworks that govern your business — CMMC, DFARS, NIST SP 800-171, HIPAA, or FedRAMP, depending on your industry. Without a formal assessment, you are flying blind going into an audit.

This checklist outlines what a thorough M365 security assessment should cover. Whether you are preparing for a CMMC audit, responding to a customer security questionnaire, or simply trying to understand your current exposure, these are the domains your assessment must address.

1. Tenant Licensing and Environment Classification

The assessment starts before you touch a single security setting. You need to confirm that your tenant type matches your compliance obligations.

  • Commercial vs. GCC vs. GCC High: Defense contractors handling Controlled Unclassified Information (CUI) must understand whether their current tenant satisfies CMMC and ITAR requirements. Commercial M365 does not. If you are unsure where you stand, our post on what GCC High means for ITAR and CMMC 2.0 is a useful starting point.
  • License tier verification: E3 versus E5 licensing determines which security features are available. Conditional Access, Microsoft Defender for Identity, and advanced audit capabilities often require E5 or add-on licensing.
  • Tenant isolation: Confirm whether your tenant is properly isolated from personal Microsoft accounts and commercial cloud services that could introduce data leakage risk.

2. Identity and Access Management

Identity is the perimeter in a cloud environment. The majority of M365 security incidents trace back to compromised credentials or misconfigured access policies.

  • Multi-Factor Authentication (MFA): Verify that MFA is enforced for all users, not just administrators. Check for legacy authentication protocols that bypass MFA entirely.
  • Conditional Access policies: Review whether policies enforce device compliance, restrict access by location or risk level, and require compliant devices before granting access to sensitive data.
  • Privileged Identity Management (PIM): Assess whether global administrator and other high-privilege roles are managed through just-in-time access or whether standing privileged access is pervasive.
  • Guest and external user access: Document who has external access, under what conditions, and whether those conditions are consistent with your Technology Control Plan or CUI handling requirements.
  • Service accounts and application permissions: Identify non-human identities with excessive permissions. These are frequently overlooked attack vectors.
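The following Microsoft Graph PowerShell snippet is an added example, not code from the original post. It pulls the evidence an assessor needs for the MFA and legacy-authentication bullets above: which Conditional Access policies are actually enforced, whether one of them requires MFA for all users, whether legacy clients are blocked, and who is excluded. It assumes the Microsoft.Graph.Identity.SignIns module is installed and the signed-in account has Policy.Read.All consent.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph.Identity.SignIns
# and Policy.Read.All consent; run from an account that can read tenant policy.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome

$policies = Get-MgIdentityConditionalAccessPolicy -All

# Only enabled policies enforce anything; report-only or disabled policies are
# findings to document, not controls to credit.
$enabled = $policies | Where-Object { $_.State -eq 'enabled' }

# "MFA for all users": scoped to the 'All' users selector with an 'mfa' grant.
$mfaAll = $enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.GrantControls.BuiltInControls -contains 'mfa'
}

# Legacy authentication block: the 'other' and 'exchangeActiveSync' client app
# types are the ones that cannot complete MFA, so they must get a 'block' grant.
$legacyBlock = $enabled | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.GrantControls.BuiltInControls -contains 'block'
}

# Security defaults are the fallback when no Conditional Access policy exists.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

[pscustomobject]@{
    TotalPolicies        = @($policies).Count
    EnabledPolicies      = @($enabled).Count
    ReportOnlyOrDisabled = @($policies | Where-Object { $_.State -ne 'enabled' }).Count
    MfaForAllUsers       = [bool]$mfaAll
    LegacyAuthBlocked    = [bool]$legacyBlock
    SecurityDefaultsOn   = $defaults.IsEnabled
}

# Exclusions are where "MFA for all users" quietly stops being true; list them
# so each excluded user, group or role can be justified in the assessment report.
foreach ($p in $mfaAll) {
    '{0}: excluded users={1} groups={2} roles={3}' -f $p.DisplayName,
        @($p.Conditions.Users.ExcludeUsers).Count,
        @($p.Conditions.Users.ExcludeGroups).Count,
        @($p.Conditions.Users.ExcludeRoles).Count
}
```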

3. Data Loss Prevention and Information Protection

For organizations handling CUI, ITAR-controlled technical data, or protected health information, data controls are not optional — they are the compliance requirement. This is one of the most commonly deficient areas we find during assessments.

  • Microsoft Purview sensitivity labels: Confirm that labels are configured, published to appropriate users, and enforced through policy rather than relying on end-user discretion.
  • DLP policy coverage: Review whether Data Loss Prevention policies are active across Exchange, SharePoint, Teams, and OneDrive. Check that policies cover the data types relevant to your compliance framework. Our detailed post on understanding Data Loss Prevention covers the foundational concepts.
  • Auto-labeling policies: Determine whether auto-labeling is configured to detect and label sensitive content at rest and in transit without depending on users to manually classify documents.
  • Retention policies and holds: Verify that retention policies align with contractual and regulatory obligations, and that litigation holds are functional for relevant custodians.
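As an added example (not part of the original post), the Security & Compliance PowerShell session below turns the label, DLP and auto-labeling bullets into a coverage table: which workloads each DLP policy actually reaches, which policies are still in test mode, and whether label and auto-labeling policies are enabled. It assumes the ExchangeOnlineManagement module and an account holding a compliance admin role.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and a Compliance Administrator (or equivalent) role in the tenant.
Connect-IPPSSession

# DLP coverage per workload. A non-empty location list means the policy reaches
# that workload ('All' covers the whole workload); an empty list means it does not.
Get-DlpCompliancePolicy | ForEach-Object {
    [pscustomobject]@{
        Policy     = $_.Name
        Mode       = $_.Mode   # Enable | TestWithNotifications | TestWithoutNotifications | Disable
        Exchange   = @($_.ExchangeLocation).Count -gt 0
        SharePoint = @($_.SharePointLocation).Count -gt 0
        OneDrive   = @($_.OneDriveLocation).Count -gt 0
        Teams      = @($_.TeamsLocation).Count -gt 0
    }
} | Format-Table -AutoSize

# Policies left in a test mode report matches but never block or encrypt anything,
# which auditors will not accept as an enforced control.
Get-DlpCompliancePolicy | Where-Object { $_.Mode -like 'Test*' } |
    Select-Object Name, Mode

# Sensitivity labels exist, but are they published and is anything enforced?
Get-Label | Select-Object DisplayName, Disabled
Get-LabelPolicy | Select-Object Name, Enabled, Labels

# Auto-labeling policies: 'Enable' applies labels; simulation modes only report.
Get-AutoSensitivityLabelPolicy | Select-Object Name, Mode, Enabled
```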

4. Email Security Configuration

Email remains the primary vector for phishing, business email compromise, and data exfiltration. A credible M365 security assessment must evaluate the full email security stack.

  • Microsoft Defender for Office 365: Confirm that Safe Links and Safe Attachments policies are active and configured for all users, not just a pilot group.
  • Anti-phishing and anti-spoofing policies: Review impersonation protection settings, DMARC/DKIM/SPF configuration, and whether spoof intelligence is enabled.
  • Mail flow rules: Audit existing transport rules for logic that may inadvertently route sensitive communications outside the compliance boundary.
  • External email warnings: Verify that external sender warnings are active and that users are trained to recognize them.
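The Exchange Online PowerShell review below is an added example rather than code from the original post. It covers the bullets above from the assessor's side: whether Safe Links and Safe Attachments rules are scoped to everyone or to a pilot group, whether spoof and impersonation protection is on, whether DKIM is enabled per domain, and which transport rules or forwarding settings can move mail outside the accepted domains. It assumes the ExchangeOnlineManagement module and an Exchange admin role.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an Exchange Administrator role.
Connect-ExchangeOnline -ShowBanner:$false

# Defender for Office 365 scope: rules scoped by SentTo/SentToMemberOf/RecipientDomainIs
# are pilots; full coverage normally means a rule scoped to every accepted domain.
Get-SafeLinksRule      | Select-Object Name, State, SentTo, SentToMemberOf, RecipientDomainIs
Get-SafeAttachmentRule | Select-Object Name, State, SentTo, SentToMemberOf, RecipientDomainIs

# Anti-phishing: spoof intelligence plus user/domain impersonation protection.
Get-AntiPhishPolicy | Select-Object Name, EnableSpoofIntelligence,
    EnableTargetedUserProtection, EnableTargetedDomainsProtection, EnableMailboxIntelligence

# Outbound authentication: DKIM must be enabled for each sending domain.
Get-DkimSigningConfig | Select-Object Domain, Enabled

# Mail flow rules that copy or redirect messages to addresses outside the
# compliance boundary (any domain not in the tenant's accepted-domain list).
$accepted = (Get-AcceptedDomain).DomainName
function Test-OutsideBoundary([string]$Address) {
    return (($Address -split '@')[-1]) -notin $accepted
}
foreach ($rule in Get-TransportRule -ResultSize Unlimited) {
    $targets = (@($rule.RedirectMessageTo) + @($rule.BlindCopyTo) +
                @($rule.CopyTo) + @($rule.AddToRecipients)) | ForEach-Object { "$_" }
    $external = $targets | Where-Object { $_ -and (Test-OutsideBoundary $_) }
    if ($external) {
        [pscustomobject]@{
            Rule            = $rule.Name
            State           = $rule.State
            Priority        = $rule.Priority
            ExternalTargets = $external -join ';'
        }
    }
}

# Tenant-wide automatic forwarding: 'Off' blocks external auto-forward outright.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled
```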

5. Endpoint Security and Device Management

Endpoints are where users interact with your M365 environment, and they are frequently the weakest link. This domain requires coordination between your M365 assessment and your broader endpoint strategy.

  • Microsoft Intune enrollment and compliance policies: Confirm that devices accessing M365 are enrolled in Intune and subject to compliance policies that enforce encryption, screen lock, and OS patching.
  • Microsoft Defender for Endpoint: Review onboarding status, alert configuration, and whether threat and vulnerability management is actively monitored.
  • Conditional Access device compliance: Verify that access to sensitive workloads is blocked for non-compliant devices, not just flagged.
  • BYOD versus managed device policies: Assess whether personal devices are restricted from accessing CUI or other sensitive content and whether that restriction is technically enforced.
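An added example, not from the original post, for the endpoint bullets above: it inventories Intune-managed devices by compliance state, flags devices that are unencrypted or have not checked in recently, and confirms that at least one enabled Conditional Access policy grants access only to compliant devices. It assumes the Microsoft.Graph.DeviceManagement and Microsoft.Graph.Identity.SignIns modules and read consent for the scopes listed.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph.DeviceManagement
# and Microsoft.Graph.Identity.SignIns, with read consent for the scopes below.
Connect-MgGraph -NoWelcome -Scopes 'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementConfiguration.Read.All', 'Policy.Read.All'

$devices = Get-MgDeviceManagementManagedDevice -All

# Enrollment and compliance picture: anything not 'compliant' needs an explanation.
$devices | Group-Object ComplianceState | Select-Object Name, Count

# Encryption is a near-universal compliance policy requirement; list the exceptions.
$devices | Where-Object { -not $_.IsEncrypted } |
    Select-Object DeviceName, OperatingSystem, UserPrincipalName, ComplianceState

# Stale devices keep a compliant status that no longer reflects reality.
$staleDays = 30   # placeholder threshold; use the value your policy defines
$devices | Where-Object { $_.LastSyncDateTime -lt (Get-Date).AddDays(-$staleDays) } |
    Select-Object DeviceName, UserPrincipalName, LastSyncDateTime

# Compliance policies that exist in the tenant (assignment review is a separate step).
Get-MgDeviceManagementDeviceCompliancePolicy -All | Select-Object DisplayName, Id

# Is compliance actually enforced at sign-in? Look for an enabled Conditional Access
# policy whose grant requires a compliant device rather than merely reporting on it.
$caCompliant = Get-MgIdentityConditionalAccessPolicy -All | Where-Object {
    $_.State -eq 'enabled' -and
    $_.GrantControls.BuiltInControls -contains 'compliantDevice'
}
[pscustomobject]@{
    ManagedDevices            = @($devices).Count
    NonCompliantDevices       = @($devices | Where-Object { $_.ComplianceState -ne 'compliant' }).Count
    CompliantDeviceCAEnforced = [bool]$caCompliant
    EnforcingPolicies         = ($caCompliant.DisplayName -join '; ')
}
```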

For a deeper look at endpoint controls in the context of regulatory requirements, see our post on endpoint security fundamentals.

6. Audit Logging and Monitoring

You cannot investigate what you did not log. Audit logging requirements appear in virtually every compliance framework, and M365's logging capabilities require deliberate configuration to be useful.

  • Unified Audit Log (UAL): Confirm that audit logging is enabled at the tenant level and that retention periods align with your framework requirements. CMMC Level 2 and NIST SP 800-171 require specific log retention durations.
  • Mailbox auditing: Verify that per-mailbox auditing is enabled for all users, including administrators. Default settings often log less than compliance requires.
  • Alert policies: Review whether alert policies are configured for high-risk activities such as mass downloads, forwarding rule creation, or privilege escalation.
  • SIEM integration: If your organization uses a Security Information and Event Management platform, confirm that M365 logs are flowing correctly and that alerts are actionable.
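The Exchange Online snippet below is an added example (not from the original post) that produces the logging evidence described above: tenant-level Unified Audit Log ingestion, the organization's mailbox-audit default, per-mailbox audit status and retention, and a one-record search that proves events are actually being ingested. It assumes the ExchangeOnlineManagement module and an account with the audit-log reader permissions; the retention threshold is a placeholder to replace with your framework's required duration.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module and an account permitted to read audit configuration and search the UAL.
Connect-ExchangeOnline -ShowBanner:$false

# Tenant level: is UAL ingestion on, and is mailbox auditing on by default?
$ual = Get-AdminAuditLogConfig
$org = Get-OrganizationConfig
[pscustomobject]@{
    UnifiedAuditLogEnabled  = $ual.UnifiedAuditLogIngestionEnabled
    MailboxAuditOnByDefault = -not $org.AuditDisabled
}

# Per-mailbox: explicit audit opt-outs and retention shorter than required.
# With on-by-default auditing the org setting governs; a $false AuditEnabled is
# therefore something to explain in the report rather than an automatic gap.
$requiredDays = 365   # placeholder: substitute the duration your framework mandates
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$findings = foreach ($m in $mailboxes) {
    $ageDays = ([TimeSpan]"$($m.AuditLogAgeLimit)").TotalDays
    if (-not $m.AuditEnabled -or $ageDays -lt $requiredDays) {
        [pscustomobject]@{
            Mailbox         = $m.UserPrincipalName
            AuditEnabled    = $m.AuditEnabled
            AuditLogAgeDays = $ageDays
        }
    }
}
$findings | Format-Table -AutoSize

# Prove records are flowing: one event from the last day is enough to show
# ingestion works end to end (a SIEM feed can then be checked against it).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 1 |
    Select-Object CreationDate, Operations, UserIds
```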

7. SharePoint, Teams, and OneDrive Governance

Collaboration tools create significant data governance risk when improperly configured. SharePoint sites and Teams channels are frequently misconfigured to allow broader access than the sensitivity of the content warrants.

  • External sharing settings: Review tenant-level and site-level external sharing policies. Assess whether any sites containing sensitive data allow anonymous or broadly-scoped external sharing.
  • Teams governance: Confirm that policies govern who can create Teams, whether external guests can be added, and whether sensitive channels have appropriate access restrictions.
  • OneDrive sync restrictions: Verify whether sync is restricted to domain-joined or compliant devices to prevent bulk downloads to personal machines.
  • Information barriers: For organizations with segregation requirements — common in defense contracting environments — confirm whether information barriers are configured to prevent cross-program data exposure.
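As an added example (not code from the original post), the SharePoint Online Management Shell session below gathers the sharing and sync evidence for the bullets above: the tenant-wide sharing level, default link type and anonymous-link expiry, unmanaged-device access, every site that still allows "Anyone" links, and whether sync is restricted to domain-joined machines. The admin URL is a placeholder for your own tenant.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell module and a SharePoint Administrator role.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL

# Tenant-wide settings that every site inherits unless overridden.
$tenant = Get-SPOTenant
[pscustomobject]@{
    # Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | ExternalUserAndGuestSharing
    TenantSharing           = $tenant.SharingCapability
    DefaultLinkType         = $tenant.DefaultSharingLinkType
    AnonymousLinkExpiryDays = $tenant.RequireAnonymousLinksExpireInDays
    # AllowFullAccess | AllowLimitedAccess | BlockAccess for unmanaged devices
    UnmanagedDeviceAccess   = $tenant.ConditionalAccessPolicy
}

# Sites that permit anonymous ("Anyone") links get a line each in the report,
# together with their sensitivity label so mismatches stand out.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability, SensitivityLabel

# OneDrive/SharePoint sync: restricted to listed domain GUIDs or open to any PC?
$sync = Get-SPOTenantSyncClientRestriction
[pscustomobject]@{
    SyncRestrictedToDomains = $sync.TenantRestrictionEnabled
    AllowedDomainGuids      = ($sync.AllowedDomainList -join ',')
    MacSyncBlocked          = $sync.BlockMacSync
}
```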

8. Secure Score Benchmarking and Gap Analysis

Microsoft Secure Score provides a useful baseline, but it should not be the only measurement in your assessment. Secure Score prioritizes general security hygiene; your assessment needs to map findings to your specific compliance framework.

  • Document current Secure Score and identify the highest-impact actions within your licensing tier.
  • Map assessment findings to the relevant control families in NIST SP 800-171, CMMC, or HIPAA, depending on your obligations.
  • Produce a prioritized remediation list with effort estimates and risk ratings, not just a raw list of gaps.
  • Establish a baseline that supports an ongoing monitoring cadence, not just a point-in-time snapshot.

Organizations pursuing CMMC certification should also review how their M365 configuration intersects with their System Security Plan. Our post on SSP and POA&M development explains how these documents interact with your technical controls.

Who Should Conduct the Assessment

A self-assessment using Microsoft Secure Score and internal checklists has value, but it carries obvious limitations. Internal teams are often too close to the configuration to see it objectively, and they may lack the regulatory context to correctly map technical findings to compliance obligations.

For defense contractors with active CMMC requirements, healthcare organizations preparing for OCR scrutiny, or any regulated entity facing an imminent audit, an independent assessment conducted by a firm with both technical M365 expertise and compliance framework knowledge produces materially more reliable results. Our IT compliance services are specifically designed to bridge that gap — combining technical configuration review with regulatory mapping across CMMC, DFARS, HIPAA, and ITAR.

Organizations with complex, multi-framework environments may also benefit from a Regulatory vCISO engagement that can own the assessment process, interpret results for executive leadership, and drive remediation on an ongoing basis rather than treating security as a one-time project.

Take the Next Step

A well-scoped Microsoft 365 security assessment is one of the highest-value compliance investments a regulated organization can make — it surfaces real risk, produces a concrete remediation roadmap, and creates documented evidence of due diligence for auditors. If your organization has not completed a formal M365 assessment against your applicable compliance framework, now is the time. Request a quote to discuss your assessment scope with our team, or explore our engagement models to understand how we structure these engagements for organizations at every stage of their compliance journey.
