Office 365 Security Checklist

Title Page

ACCOUNT / AUTHENTICATION POLICIES

Is multi factor authentication (MFA) enabled for all users in administrative roles?
Is multi factor authentication enabled for all users in all roles?
How many global admins are designated to the Office 365 Tenant?
Is self-service password reset enabled?
Is modern authentication enabled for Exchange Online, Sharepoint Applications and Microsoft Teams?
Are Office 365 Passwords set to expire ?

Are third-party integrated application registrations allowed in user settings?
Is calendar details sharing with external users enabled or disabled?
Is Advanced Threat Protection enabled for Office Applications?
Is Advanced Threat Protection for Sharepoint, OneDrive and Microsoft Teams Enabled or Disabled?

Is customer lock box feature enabled?
SharePoint Online data classification policies are set up and used?
external domains are not allowed in Skype or Teams?
DLP policies are enabled?
External users cannot share files, folders, and sites they do not own?
External file sharing in Teams is enabled for only approved cloud storage services?

Microsoft 365 audit log search is Enabled?
Mailbox auditing for all users is Enabled?
Azure AD ‘Risky sign-ins’ report is reviewed at least weekl?
Application Usage report is reviewed at least weekly?
Self-service password reset activity report is reviewed at least weekly?
User role group changes are reviewed at least weekly?
Mail forwarding rules are reviewed at least weekly?
Mailbox Access by Non-Owners Report is reviewed at least biweekly?
Malware Detection's report is reviewed at least weekly?
Account Provisioning Activity report is reviewed at least weekly?
Non-global administrator role group assignments are reviewed monthly?
Spoofed domains report is review weekly?
Microsoft 365 Cloud App Security is Enabled?
Report of users who have had their email privileges restricted due to spamming is reviewed?

Mobile device management polices are set to require advanced security configurations to protect from basic internet attacks?
Mobile device password reuse is prohibited?
Mobile devices are set to never expire password?
Users cannot connect from devices that are jail broken or rooted?
Mobile devices are set to wipe on multiple sign-in failures to prevent brute force compromise?
Settings are enabled to lock multiple devices after a period of inactivity to prevent unauthorised access?
Mobile device encryption is enabled to prevent unauthorised access to mobile data?
Mobile devices require complex passwords to prevent brute force attacks?
Devices connecting have AV and a local firewall enabled (Windows 10)?
Mobile device management policies are required for email profiles?
Mobile devices require the use of a password / passcode?