IT KORR Knowledge Center
Microsoft 365 Security Checklist
A practical, printable checklist covering the full Microsoft 365 Security Baseline across identity, email, device, and data.
Identity
- MFA enforced for all users, no undocumented exceptions.
- Legacy authentication blocked tenant-wide.
- Password expiration disabled for cloud-only accounts, paired with breach screening.
- Entra Password Protection enabled with a custom banned-password list.
- Two break-glass accounts established, excluded from Conditional Access, monitored.
- Administrative roles use just-in-time activation (PIM) where licensed.
- SPF, DKIM, and DMARC configured and enforced for all mail domains.
- Safe Links and Safe Attachments enabled tenant-wide (if Defender for Office 365 licensed).
- Anti-phishing / impersonation protection configured for executives and key domains.
- Auto-forwarding to external domains blocked or requires approval.
Device
- Device compliance policy defined and enforced for sensitive applications.
- App-enforced restrictions applied for unmanaged/BYOD devices at minimum.
Data
- External sharing link defaults set to a restrictive option.
- Sensitivity labels defined for at least the most sensitive data categories.
- Audit logging enabled tenant-wide, retention matched to compliance requirements.
Related Resources
- Microsoft 365 Security Baseline — /knowledge-center/cloud-productivity/microsoft-365-security/microsoft-365-security-baseline
- Microsoft 365 Security Readiness Assessment — /tools/microsoft-365-security-readiness-assessment