Microsoft 365 Governance Assessment
A guided assessment of your tenant's operational maturity across 9 governance areas and 27 checkpoints. No sign-in or tenant access required.
Governance Assessment
Work through each section at your own pace. All questions include operational context and specific next steps. Results are shown immediately — no email required.
Governance Assessment
Microsoft 365 Operational Governance Assessment
A guided assessment of your tenant's operational maturity across nine governance areas. Review each question against your current configuration and select the response that best reflects your environment.
What To Look For
Six Common Microsoft 365 Governance Gaps
These are the most frequently identified configuration gaps in Microsoft 365 governance assessments — each with direct compliance and operational implications.
MFA Enforcement vs. Registration
Requiring users to register for MFA is not the same as enforcing it. Enforcement should be policy-driven — via Conditional Access or Security Defaults — not dependent on individual user compliance.
Legacy Authentication Exposure
Protocols like IMAP, POP3, and Basic Auth bypass MFA entirely. Any user or service account still using these creates an unprotected authentication surface even if MFA is otherwise enforced.
DMARC Policy Level
"p=none" provides monitoring visibility but no protection. The operational target is "p=reject" with a reporting address configured. Many organizations remain at "p=none" for months or years after initial setup.
External Sharing Defaults
SharePoint and OneDrive sharing defaults may allow unauthenticated "Anyone with the link" access. This is a common compliance finding — particularly for organizations with HIPAA, SOC 2, or legal confidentiality requirements.
Microsoft 365 Backup Coverage
Third-party backup should cover all four workloads: Exchange Online, SharePoint, OneDrive, and Teams. Organizations frequently protect mailboxes but leave SharePoint and Teams data unprotected.
Audit Logging Status
Unified audit logging is not always enabled by default on older tenants. Confirm it is active in the Purview Compliance Portal — audit data is only available from the time logging was enabled.
Why This Matters
Microsoft 365 Is Infrastructure — Treat It Like It
Microsoft 365 is the operational backbone of most modern organizations. Its security posture directly affects continuity, compliance, and operational resilience.
Identity Is the Perimeter
In cloud-first environments, identity has replaced the network perimeter. A compromised account is a compromised organization. MFA and Conditional Access are not optional enhancements — they are the foundational control layer.
Email Is the Primary Attack Surface
Phishing, business email compromise, and account takeovers overwhelmingly arrive via email. Proper SPF, DKIM, DMARC, and anti-phishing configuration significantly reduces successful attack surface.
Retention ≠ Backup
Microsoft's recycle bins and retention policies are not a backup. Ransomware targeting SharePoint and OneDrive, accidental bulk deletions, and admin errors require independent third-party backup with point-in-time recovery.
Compliance Audit Readiness
HIPAA, SOC 2, and ISO 27001 auditors routinely inspect Microsoft 365 configuration. Auditing policies, retention settings, external sharing controls, and MFA enforcement are all standard audit checkpoints.
Shadow IT Risk
Permissive external sharing settings, open guest access, and unmanaged third-party app integrations create data exposure that most organizations are unaware of until an incident surfaces it.
Operational Continuity
A misconfigured tenant — wrong MX records, broken retention policies, disabled alerts — creates operational fragility. Governance reviews catch these issues before they become incidents.
FAQ
Common Questions
Is this a scanner or does it access my Microsoft 365 tenant?
No. This is an interactive reference checklist — it does not connect to your tenant, read any data, or require sign-in. You manually review each item against your environment and mark it as reviewed. Think of it as a structured governance questionnaire.
What license tier do I need to implement these recommendations?
Requirements vary by item. MFA and Security Defaults are available in all Microsoft 365 plans. Conditional Access requires Azure AD P1 (included in Microsoft 365 Business Premium and E3+). Defender for Office 365 features require Plan 1 (Business Premium) or Plan 2 (E5). Purview compliance features require E3 or higher. Items are marked accordingly in the expanded guidance.
How often should this checklist be reviewed?
For compliance-aware organizations, a formal review quarterly is a reasonable baseline. Additionally, review after any significant changes: new user onboarding processes, new third-party integrations, staff turnover in administrative roles, or a security incident.
Why is third-party backup listed as critical?
Microsoft's shared responsibility model explicitly states that customers are responsible for protecting their data. Microsoft retains deleted items for limited periods, but this is not equivalent to a backup. Third-party backup is the only way to guarantee point-in-time recovery, protection against admin error, and resilience against ransomware that targets Microsoft 365 data.
What is the difference between Security Defaults and Conditional Access?
Security Defaults are a pre-configured baseline that enforces MFA, blocks legacy auth, and protects privileged accounts — available to all tenants at no additional cost. Conditional Access provides granular, policy-driven control over access decisions based on user, location, device compliance, and application. Organizations with Azure AD P1 licensing should use Conditional Access for more precise enforcement.
Where do I find these settings in Microsoft 365?
Most settings are accessed through the Microsoft 365 Admin Center (admin.microsoft.com), the Microsoft 365 Defender portal (security.microsoft.com), the Microsoft Purview Compliance Portal (compliance.microsoft.com), and the Azure Active Directory admin center (aad.portal.azure.com). Each checklist item's expanded guidance identifies the relevant portal.
Related Operational Resources
Guided assessment of backup coverage, recovery readiness, and disaster recovery governance.
Verify email authentication records for your Microsoft 365 domain.
Full DNS diagnostic including MX routing and email authentication records.
Ongoing Microsoft 365 governance, security configuration, and operational oversight.
Align your Microsoft 365 posture with HIPAA, SOC 2, and NIST requirements.
Third-party Microsoft 365 backup covering Exchange, SharePoint, and Teams.
Operational Support
Need help implementing these controls?
IT KORR provides Microsoft 365 governance reviews, Conditional Access configuration, backup deployment, and ongoing compliance alignment — without replacing your existing IT team.
No commitment required — we respond within one business day.