A complete audit of your M365 tenant — from critical settings to advanced hardening
Section 1: Identity and Authentication
CRITICAL
☐ MFA is ENFORCED (not just enabled) for all users via Conditional Access policy — confirm no users can bypass it.
☐ Security defaults or Conditional Access policies are active — not both, not neither. Confirm which is in use.
☐ Global Administrator accounts are dedicated cloud-only accounts, not used for daily email or work.
☐ Legacy authentication protocols are blocked via Conditional Access (no Basic Auth exceptions without justification).
HIGH PRIORITY
☐ All users have registered at least two MFA methods (in case the primary method is unavailable).
☐ Privileged roles are reviewed — how many users have Global Admin? Should be 2–3 maximum.
☐ A break-glass emergency admin account exists, is excluded from Conditional Access, is secured with a hardware key, and its credentials are stored offline.
☐ Self-service password reset (SSPR) is enabled with MFA verification required.
☐ Sign-in risk policies are configured to require MFA or block on medium/high-risk sign-ins.
☐ User risk policies are configured to require a password change for high-risk users.
STANDARD
☐ Named locations are defined (office IP ranges) and used in Conditional Access policies.
☐ Conditional Access policy blocks or requires MFA for access from non-compliant devices.
☐ Guest accounts are reviewed — are there external users with more access than needed?
☐ Privileged Identity Management (PIM) is configured for just-in-time admin access (requires Entra ID P2).
Section score: ___ / 14    Critical items completed: ___ / 4
Section 2: Email Security
CRITICAL
☐ Anti-phishing policy is configured in Microsoft Defender for Office 365 with impersonation protection enabled.
☐ Safe Links is enabled — links in emails are scanned at click time, not just at delivery.
☐ Safe Attachments is enabled — attachments are detonated in a sandbox before delivery.
☐ DMARC record is configured for your domain in enforcement mode (p=quarantine or p=reject).
HIGH PRIORITY
☐ SPF record is configured and includes all legitimate sending sources.
☐ DKIM signing is enabled for your domain in Exchange Online.
☐ External email warning banner is configured — emails from outside the org are labeled.
☐ Anti-spam policies are configured with appropriate bulk mail thresholds.
☐ Mail forwarding rules to external domains are blocked or require admin approval.
STANDARD
☐ Existing mail forwarding rules are audited — no unexpected rules forwarding to external addresses.
☐ Outbound spam policy is configured to notify admins of suspicious sending behavior.
☐ Mailbox intelligence is enabled in the anti-phishing policy.
☐ Attack simulation training is configured and running quarterly phishing simulations.
Section score: ___ / 13    Critical items completed: ___ / 4
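The DMARC and SPF items above can be checked offline once the TXT records are in hand. The following is an added example, not part of the checklist: it parses constructed sample records and reports what keeps each one from passing. It is stricter than the DMARC item's wording (a weaker sp= tag or pct below 100 also fails) and also counts SPF DNS lookups against the RFC 7208 limit; the include for Exchange Online and the sample records are the assumptions.

```python
# Added example (not from the checklist): offline checks of DMARC and SPF TXT
# records. Records here are constructed samples; in practice they come from
# DNS TXT lookups of _dmarc.<domain> (DMARC) and <domain> itself (SPF).
import re

ENFORCING = ("quarantine", "reject")
# Terms that each cost a DNS lookup under RFC 7208 (at most 10 per SPF check).
LOOKUP_RE = re.compile(r"^(include:|exists:|redirect=|(a|mx|ptr)([:/]|$))")
EXO_INCLUDE = "include:spf.protection.outlook.com"  # Exchange Online senders

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; ...' into a lowercase tag -> value dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dmarc_findings(record: str) -> list:
    """Problems keeping DMARC out of full enforcement ([] = passes). Stricter than
    the checklist: a weaker sp= or pct<100 also fails (part of the mail is unprotected)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy} is not enforcing (need quarantine or reject)")
    if tags.get("sp", policy).lower() not in ENFORCING:
        findings.append("sp= leaves subdomains unprotected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} covers only part of the mail")
    return findings

def spf_findings(record: str) -> list:
    """Problems with an SPF record ([] = passes): lookups, terminator, EXO include."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    mechs = [t.lstrip("+-~?").lower() for t in terms[1:]]
    findings = []
    if (lookups := sum(1 for m in mechs if LOOKUP_RE.match(m))) > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10")
    if terms[-1].lower() not in ("-all", "~all"):
        findings.append("must end with -all or ~all (never +all or missing)")
    if EXO_INCLUDE not in mechs:
        findings.append(f"{EXO_INCLUDE} missing: Exchange Online mail fails SPF")
    return findings

# Constructed samples: GOOD passes every check, WEAK fails several.
GOOD = {"dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "spf": "v=spf1 include:spf.protection.outlook.com -all"}
WEAK = {"dmarc": "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com",
        "spf": "v=spf1 ip4:203.0.113.10 ~all"}
```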
Section 3: Endpoint Security
CRITICAL
☐ Microsoft Defender for Business (or Defender for Endpoint) is deployed on ALL company devices.
☐ All devices are enrolled in Microsoft Intune (MDM).
☐ Compliance policies are configured — non-compliant devices are blocked from accessing company resources.
☐ BitLocker (Windows) or FileVault (Mac) encryption is enforced via Intune policy on all laptops.
HIGH PRIORITY
☐ Intune compliance policy requires: OS currency, AV active, BitLocker enabled, screen lock configured.
☐ App protection policies (MAM) are configured for mobile devices accessing company email and files.
☐ Remote wipe capability is confirmed for all enrolled devices.
☐ Windows Autopilot or Apple DEP is configured for zero-touch device provisioning.
☐ Attack surface reduction (ASR) rules are enabled in Defender for Business.
STANDARD
☐ Device inventory in Intune matches the actual device count — no unknown or unmanaged devices.
☐ Stale devices (not checked in for 90+ days) are reviewed and decommissioned.
☐ Mobile device management covers both corporate-owned and BYOD devices with appropriate policies.
Section score: ___ / 12    Critical items completed: ___ / 4
Section 4: Data Protection and Sharing
CRITICAL
☐ SharePoint external sharing is set to “New and existing guests” or more restrictive — NOT “Anyone.”
☐ OneDrive external sharing matches the SharePoint policy.
☐ Audit logging is enabled in Microsoft Purview — verify in the compliance portal.
HIGH PRIORITY
☐ Expiration dates are set on external share links (30–90 days recommended).
☐ Sensitivity labels are configured for at least basic classification (Confidential, Internal, Public).
☐ Data Loss Prevention (DLP) policies are configured for sensitive data types (SSN, financial, health info).
☐ Teams external access and guest access settings are reviewed and appropriate for your organization.
STANDARD
☐ Information barriers are configured if required for your industry (legal, financial services).
☐ Retention policies are configured for key data types per your compliance requirements.
☐ Communication compliance policies are configured if required (financial services, healthcare).
☐ eDiscovery is configured and tested — can you produce email records for a legal hold?
Section score: ___ / 11    Critical items completed: ___ / 3
Section 5: Monitoring and Alerting
CRITICAL
☐ Unified audit log retention is set to at least 90 days (180+ for regulated industries).
☐ Alert policies are configured for: new admin account created, MFA disabled for a user, mass file download, login from an unusual country.
HIGH PRIORITY
☐ Microsoft Secure Score is reviewed — current score is documented: ___ (target: 65%+).
☐ Activity alerts notify admins of suspicious behavior — alerts are going to a monitored inbox.
☐ Sign-in logs are reviewed at least monthly for unusual patterns.
☐ Admin audit logs are reviewed for unexpected privileged actions.
STANDARD
☐ Microsoft Sentinel or a third-party SIEM is ingesting M365 logs (for higher-risk environments).
☐ Cloud App Security / Defender for Cloud Apps is configured for shadow IT discovery.
☐ Secure Score improvement actions are reviewed monthly and assigned to owners.
Section score: ___ / 9    Critical items completed: ___ / 2
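The four alert conditions in the CRITICAL item above, written out as detection rules so the logic behind each alert policy is concrete. This is an added example, not part of the checklist: it runs over constructed Unified Audit Log records. The field names (CreationTime, Operation, UserId, ClientIP, ObjectId, ModifiedProperties) and the Entra ID operation names are assumptions to verify against your own export, and IP_COUNTRY is a constructed stand-in for the sign-in log's location data.

```python
# Added example (not from the checklist): the four alert conditions run as
# detection rules over constructed Unified Audit Log records. Field names and
# Entra ID operation names are assumptions to verify against a real export;
# IP_COUNTRY is a constructed stand-in for sign-in location data.
from datetime import datetime, timedelta

ADMIN_ROLES = {"Global Administrator", "Exchange Administrator"}
EXPECTED_COUNTRIES = {"US"}
IP_COUNTRY = {"198.51.100.7": "US", "203.0.113.9": "XX"}
DOWNLOAD_THRESHOLD, DOWNLOAD_WINDOW = 3, timedelta(minutes=10)

def ev(time, op, user, ip, **extra):
    """Build one constructed UAL-shaped record."""
    return {"CreationTime": f"2024-05-01T{time}:00", "Operation": op,
            "UserId": user, "ClientIP": ip, **extra}

LOG = [  # constructed sample records, not from a real tenant
    ev("09:00", "UserLoggedIn", "ana@example.com", "198.51.100.7"),
    ev("09:05", "Add member to role.", "admin@example.com", "198.51.100.7",
       ObjectId="new.admin@example.com",
       ModifiedProperties=[{"Name": "Role.DisplayName", "NewValue": "Global Administrator"}]),
    ev("09:06", "Disable Strong Authentication.", "admin@example.com", "198.51.100.7",
       ObjectId="ana@example.com"),
    ev("09:10", "UserLoggedIn", "bob@example.com", "203.0.113.9"),
] + [ev(f"09:1{i}", "FileDownloaded", "bob@example.com", "203.0.113.9") for i in range(1, 5)]

def detect(records):
    """Return one alert string per matched rule, processing records in time order."""
    alerts, downloads = [], {}  # downloads: user -> recent FileDownloaded timestamps
    for r in sorted(records, key=lambda r: r["CreationTime"]):
        op, user, ts = r["Operation"], r["UserId"], datetime.fromisoformat(r["CreationTime"])
        if op == "Add member to role.":
            role = next((p["NewValue"] for p in r.get("ModifiedProperties", [])
                         if p["Name"] == "Role.DisplayName"), "")
            if role in ADMIN_ROLES:
                alerts.append(f"NEW_ADMIN: {user} added {r.get('ObjectId')} to {role}")
        elif op == "Disable Strong Authentication.":
            alerts.append(f"MFA_DISABLED: {user} disabled MFA for {r.get('ObjectId')}")
        elif op == "UserLoggedIn" and IP_COUNTRY.get(r["ClientIP"]) not in EXPECTED_COUNTRIES:
            alerts.append(f"UNUSUAL_COUNTRY: {user} signed in from {r['ClientIP']} "
                          f"({IP_COUNTRY.get(r['ClientIP'], 'unknown')})")
        elif op == "FileDownloaded":
            # Sliding window: keep only downloads inside the window, fire once on crossing.
            recent = [t for t in downloads.get(user, []) if ts - t <= DOWNLOAD_WINDOW] + [ts]
            downloads[user] = recent
            if len(recent) == DOWNLOAD_THRESHOLD + 1:
                alerts.append(f"MASS_DOWNLOAD: {user} downloaded {len(recent)} files "
                              f"within {DOWNLOAD_WINDOW}")
    return alerts
```

Unknown source IPs are treated as unusual on purpose, so a missing location never silently suppresses the alert.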
Section 6: Administrative Hygiene
HIGH PRIORITY
☐ Service accounts and shared mailboxes are inventoried and have MFA configured, or are excluded with compensating controls documented.
☐ Stale user accounts (departed employees) are confirmed disabled or deleted — no active accounts for people no longer with the organization.
☐ App registrations and enterprise applications are reviewed — no unknown apps with broad permissions.
☐ OAuth app consent is restricted — users cannot grant broad permissions to third-party apps without admin approval.
☐ Admin roles are reviewed annually — principle of least privilege applied to all admin assignments.
STANDARD
☐ Emergency notification contact information is current in tenant settings.
☐ Technical contact and security contact are configured in the Microsoft 365 Admin Center.
☐ Microsoft 365 message center is monitored for security-relevant service updates.
Section score: ___ / 8    High priority items completed: ___ / 4
Score Summary and Priority Action

Section | Max Score | Your Score | Critical Items Done?
1. Identity and Authentication | 14 | ___ | YES / NO
2. Email Security | 13 | ___ | YES / NO
3. Endpoint Security | 12 | ___ | YES / NO
4. Data Protection | 11 | ___ | YES / NO
5. Monitoring and Alerting | 9 | ___ | YES / NO
6. Administrative Hygiene | 8 | ___ | YES / NO
TOTAL | 67 | ___ |

Total Score | Security Posture | Recommended Action
55–67 | Strong | Maintain, review quarterly, address remaining gaps.
40–54 | Adequate | Address all CRITICAL items immediately. Schedule a 90-day remediation plan.
25–39 | At Risk | Immediate action required. Engage an IT security provider for prioritized remediation.
0–24 | High Risk | Significant exposure. Stop broad AI and external sharing use until critical items are resolved.
AEGITz performs Microsoft 365 security assessments and hardening for Phoenix-area businesses. We’ll run this checklist against your tenant, show you exactly where you stand, and fix what needs fixing. Schedule an assessment at aegitz.com.
