Published by MSAdvance on June 21, 2026
Microsoft 365 security checklist for managers: 20 questions you should ask your IT provider

Do you want to know whether your Microsoft 365 is truly protected or merely “working”?

Many companies use Microsoft 365 every day for email, Teams, SharePoint, OneDrive, and critical documents. But the fact that everything works does not mean it is properly protected. The difference is usually in details that management does not see: accounts without MFA, administrators with permanent permissions, external users that are not reviewed, phishing emails that bypass filters, or sensitive data shared without control.

At MSAdvance, we help review Microsoft 365 security with a clear approach for leadership: what risks exist, what impact they have on the business, and which actions should be prioritized without bringing users to a halt.

  • Microsoft 365 security assessment with evidence, not just opinions.
  • Review of identity, MFA, Conditional Access, administrators, devices, and data.
  • Improvement plan by priority: quick wins, maturity measures, and continuous governance.


A Microsoft 365 security checklist for managers should help you ask what matters without getting lost in technical details: whether all users have MFA, whether Conditional Access policies exist, whether administrators are controlled, whether email is protected against phishing, whether devices meet minimum requirements, whether sensitive data is classified, and whether there is an incident response plan. These 20 questions help evaluate whether your IT provider manages Microsoft 365 with a security, continuity, and business-focused mindset.

Quick summary: 20 Microsoft 365 security questions every manager should ask

  1. Do all users have MFA enabled? Without MFA, a stolen password can become direct access to the business.
  2. Do administrators have additional protection? Privileged accounts are the keys to the tenant.
  3. Do we use Conditional Access? Not all access should be treated the same: user, location, device, and risk matter.
  4. Do we have emergency accounts? They should exist, be protected, and be tested in a controlled way.
  5. Are administrator permissions reviewed? No one should keep elevated permissions “just in case”.
  6. Do we have visibility into Secure Score? The security score helps measure security posture and priorities.
  7. Is email protected against phishing? Email remains one of the most commonly used entry points.
  8. Are SPF, DKIM, and DMARC configured? They help protect domain identity and reduce spoofing.
  9. Are legacy protocols blocked? Legacy access can bypass modern controls.
  10. Are devices managed or controlled? Accessing from a corporate computer is not the same as accessing from any device.
  11. Is device compliance required? Encryption, antivirus, lock screen, and updates should be part of access.
  12. Do we control guests and shared links? Sharing is necessary; sharing without control is dangerous.
  13. Do we know which data is sensitive? You cannot properly protect what you do not identify.
  14. Do we have sensitivity labels? They help classify and protect documents and emails.
  15. Do we have DLP policies? They prevent sensitive information from leaving due to error or negligence.
  16. Do we have retention and auditing? When an incident occurs, you need to know what happened and preserve what is necessary.
  17. Are security alerts monitored? Alerts are useless if nobody reviews or responds to them.
  18. Is there an incident response plan? You do not improvise when email, files, or accounts are compromised.
  19. Do users receive practical training? Security also depends on daily decisions.
  20. Does the provider deliver reports that leadership can understand? Management needs risks, impact, and priorities—not just technical screenshots.

Table of contents for the Microsoft 365 security checklist

  • Quick summary: 20 Microsoft 365 security questions
  • Why should management ask about Microsoft 365 security?
  • Introduction: Microsoft 365 is productivity, but it is also risk
  • 1. How to use this checklist with your IT provider
  • 2. Identity and MFA: the first questions
  • 3. Administrators and privileges: who has the keys
  • 4. Conditional Access: security without blocking everyone
  • 5. Microsoft Secure Score: how to measure security posture
  • 6. Email and phishing: protecting the entry point
  • 7. Devices and Intune: access from secure endpoints
  • 8. Teams, SharePoint, and OneDrive: sharing without losing control
  • 9. Sensitive data, Purview, DLP, and retention
  • 10. Auditing, alerts, and incident response
  • 11. Training and culture: users also make security decisions
  • 12. What you should require from your IT provider
  • 13. Summary table: 20 questions, evidence, and priority
  • 14. Common management mistakes when delegating security
  • 15. Operational checklists for leadership
  • 16. Frequently asked questions (FAQ)
  • 17. Official resources and external links
  • 18. Conclusion and next steps

Why should management ask about Microsoft 365 security?

Because Microsoft 365 is no longer “just email”. In many companies, it is the center of work: Exchange Online for email, Teams for communication, SharePoint for documents, OneDrive for personal files, Entra ID for identity, Intune for devices, Defender for protection, and Purview for data and compliance.

If someone gains improper access to Microsoft 365, they can do much more than read emails. They can impersonate leadership, download documents, change mailbox rules, share files, invite external users, create malicious applications, or delete evidence. That is why Microsoft 365 security must be on the management agenda, even if IT handles day-to-day operations.

What leadership needs to understand

  • You do not need to be technical to ask good questions.
  • Not every risk is visible: a tenant can look normal and still be poorly configured.
  • Security is not a product: it is a combination of configuration, review, response, and habits.
  • The IT provider must provide evidence, not simply say “everything is under control”.

Typical example

A company has Microsoft 365 running with no visible incidents. But when the tenant is reviewed, three old global administrators appear, along with users without MFA, external guests with no expiration, and forwarding rules in mailboxes. The company did not have “an email problem”: it had a security governance problem that had not yet exploded.

Introduction: Microsoft 365 is productivity, but it is also risk

The advantage of Microsoft 365 is clear: it enables people to work from anywhere, share documents, meet through Teams, and collaborate with clients or providers. The disadvantage appears when that flexibility is not governed: any user can become an entry point, any link can expose information, and any poorly protected administrator can compromise the entire environment.

This article is not written for administrators who want to configure every button. It is written for managers, CFOs, operations leaders, and executive teams who want to know whether their IT provider is protecting Microsoft 365 seriously.

The goal is for you to sit down with your provider and ask 20 specific questions. If the answers are clear and come with evidence, good. If the answers are vague, defensive, or overly technical, you probably need an external review.

1. How to use this checklist with your IT provider

In practice: do not look for perfect answers; look for evidence, owners, and an improvement plan.

This checklist is not intended to “catch anyone out”. It is designed to open a mature conversation between leadership and the IT provider. A good provider should not be bothered by these questions. On the contrary: they should appreciate that leadership wants to prioritize security and make decisions based on data.

How to frame the meeting

  1. Send the questions in advance so they can prepare evidence.
  2. Ask for answers in business language: risk, impact, priority, and approximate cost.
  3. Request screenshots or reports where appropriate: Secure Score, policies, administrator list, alerts, DLP configuration.
  4. Classify each item into three states: correct, needs improvement, critical.
  5. Close with a plan: actions, owners, timeline, and next review.

How to interpret your IT provider’s answers

Provider answer | What it means | What management should ask for
“It is enabled” | It may be true, but it is not enough | See scope: all users, exceptions, evidence
“We review it when incidents occur” | Reactive approach | Preventive plan and periodic review
“It is not necessary; nothing has ever happened” | Based on luck, not control | Risk assessment and prioritization
“That depends on licenses” | May be correct | Options: what can be done with current licenses and what requires an upgrade

2. Identity and MFA: the first questions

In practice: if identity falls, everything else is exposed.

Question 1: Do all users have MFA enabled?

The first question is simple: do all users have multifactor authentication? Not “some”, not “the administrators”, not “when they access from outside”. Everyone, except for justified and documented exceptions.

For management, the ideal answer should include:

  • Actual percentage of users covered by MFA.
  • List of exceptions and the reason for each.
  • Allowed methods (app, FIDO2 key, SMS if it is still used, etc.).
  • Plan to remove unnecessary exceptions.

Question 2: Do we have strong and current authentication methods?

Enabling MFA is important, but not all methods are equally robust. It is worth asking whether the organization is moving toward more secure methods, such as Microsoft Authenticator, passkeys, or FIDO2 security keys, especially for administrators and sensitive users.

Question 3: Are legacy access methods or old protocols blocked?

Some old protocols do not fit well with modern identity controls. If they remain open, they can allow less protected access or make it harder to apply policies. The question for the provider is: “Have we blocked the legacy access we do not need?”

What to request as evidence:
  • Report of users with MFA enabled or covered by policies.
  • List of exceptions.
  • Policy that blocks legacy authentication or explains why it is still allowed.

3. Administrators and privileges: who has the keys

In practice: not all risks come from regular users. Many come from too many administrators with too much power.

Question 4: How many global administrators do we have, and who reviews them?

The global administrator role should be highly limited. Management does not need to know every technical detail, but it does need to know how many people have full control over Microsoft 365, whether those people are still with the company, and whether their accounts are protected with stricter measures.

Question 5: Do we use temporary privileges, or are all permissions permanent?

A mature provider should be able to explain whether they use Privileged Identity Management (PIM) or an equivalent mechanism so elevated permissions are activated only when needed, for a specific period of time, and with logging.

Management’s question is clear: “Do our administrators have permanent permissions, or do they elevate them only when necessary?”

Question 6: Do we have protected emergency accounts?

Emergency accounts, also known as break-glass accounts, are used to avoid getting locked out if something fails: a misapplied policy, an MFA issue, or an outage affecting an external provider.

But these accounts must be highly protected, documented, and tested. They should not be used for day-to-day work.

Warning sign:

If the provider answers, “we have a generic admin account that everyone uses,” there is a problem. Shared accounts make it almost impossible to know who did what and increase the risk of abuse or error.

4. Conditional Access: security without blocking everyone

In practice: Conditional Access lets you decide when to require more security and when to let people work normally.

Question 7: Do we have Conditional Access policies?

Conditional Access in Microsoft 365 allows controls to be applied based on signals such as user, location, device, application, or risk level. It is one of the foundations of a Zero Trust approach: do not trust by default; verify every access request.

For management, the question is not “how many policies are there?”, but: “do we have policies that reduce risk without blocking work?”

Question 8: Do we differentiate normal access from risky access?

Accessing from a corporate laptop in a usual location is not the same as accessing from an unexpected country, with an unmanaged device, and to a sensitive application. Conditional Access allows different controls to be applied depending on context.

Examples of policies you should ask about

  • MFA for all users.
  • Blocking legacy authentication.
  • Additional controls for administrators.
  • Limited access from unmanaged devices.
  • Restrictions for unexpected locations or countries.
  • Specific policies for critical applications.

What to request as evidence:
  • List of Conditional Access policies.
  • Simple explanation of what each policy protects.
  • Excluded users or groups and the reason.
  • History of testing before applying global changes.

5. Microsoft Secure Score: how to measure security posture

In practice: Secure Score is not a grade to show off; it is a compass for prioritizing improvements.

Question 9: What is our Microsoft Secure Score, and how has it evolved?

Microsoft Secure Score measures the environment’s security posture and recommends actions to improve it. You do not need to obsess over reaching a perfect score, but it is useful for detecting weak areas, comparing progress, and justifying investments.

What the provider should deliver

  • Current score and trend.
  • High-impact recommended actions.
  • Which actions are not applied and why.
  • Improvement plan prioritized by risk, cost, and effort.

How management should interpret Secure Score

Situation | What it may indicate | What to ask
Low score and no plan | No security governance | Which critical actions will be corrected first?
Medium score, but stagnant | Initial improvements were made, but continuity is missing | What is blocking the next step forward?
High score with many exceptions | There may be a false sense of security | What exclusions exist, and who approved them?

6. Email and phishing: protecting the entry point

In practice: many incidents begin with a convincing email and a rushed decision.

Question 10: Do we have advanced protection against phishing, malware, and dangerous links?

Email remains one of the main ways to deceive users, steal credentials, or launch malware. In Microsoft 365, protection can include anti-phishing filters, attachment analysis, link inspection, and specific policies for impersonation protection.

Question 11: Are SPF, DKIM, and DMARC properly configured?

These records help protect the domain against spoofing and improve trust in outgoing email. They do not eliminate all risk, but they are a foundation that any IT provider should review.
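To show what “properly configured” means for Question 11, the following added example (not MSAdvance’s code) parses the text of an SPF and a DMARC record and classifies each weakness into the article’s three states: correct, needs improvement, critical. The domain and records are constructed samples; in practice the inputs are the TXT records of the domain and of _dmarc.<domain>, and DKIM is left out because its selector names are tenant-specific.

```python
"""Checks for the evidence behind Question 11: SPF and DMARC records.

Added example, not MSAdvance's code. The records below are constructed
samples for a hypothetical domain (example.com), not real DNS data.
"""
from __future__ import annotations

# mechanisms and modifiers that each cost one of the 10 DNS lookups SPF allows
LOOKUP_MECHANISMS = ("include:", "a:", "mx:", "ptr", "exists:", "redirect=")


def check_spf(record: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for an SPF record; empty = nothing to flag."""
    findings: list[tuple[str, str]] = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("critical", "SPF: record missing or does not start with v=spf1")]
    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        mech = term.lstrip("+-~?").lower()
        if mech == "all" and all_qualifier is None:
            all_qualifier = qualifier   # the first 'all' matches everything; later terms are ignored
        elif mech in ("a", "mx") or mech.startswith(LOOKUP_MECHANISMS):
            lookups += 1
    if all_qualifier is None:
        findings.append(("needs improvement", "SPF: no 'all' mechanism; unlisted senders get no verdict"))
    elif all_qualifier == "+":
        findings.append(("critical", "SPF: '+all' authorizes any sender, so the record restricts nothing"))
    elif all_qualifier == "?":
        findings.append(("needs improvement", "SPF: '?all' is neutral; receivers cannot reject spoofed mail"))
    elif all_qualifier == "~":
        findings.append(("needs improvement", "SPF: '~all' softfail; acceptable only with DMARC enforcing"))
    if lookups > 10:
        findings.append(("critical", f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)"))
    return findings


def check_dmarc(record: str) -> list[tuple[str, str]]:
    """Return (severity, message) findings for a DMARC record; empty = nothing to flag."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return [("critical", "DMARC: no DMARC1 record; receivers cannot enforce anything")]
    findings: list[tuple[str, str]] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("critical", "DMARC: p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("needs improvement", "DMARC: p=quarantine; plan the move to p=reject"))
    elif policy != "reject":
        findings.append(("critical", "DMARC: missing or invalid p= tag; the record is ignored"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("needs improvement", f"DMARC: pct={pct} enforces the policy on only part of the mail"))
    if "rua" not in tags:
        findings.append(("needs improvement", "DMARC: no rua= address; nobody receives aggregate reports"))
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append(("needs improvement", "DMARC: sp=none leaves subdomains unprotected"))
    return findings


SEVERITY_ORDER = {"correct": 0, "needs improvement": 1, "critical": 2}


def review_domain(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks into the state management records for checklist item 11."""
    findings = check_spf(spf_record) + check_dmarc(dmarc_record)
    state = max((sev for sev, _ in findings), key=SEVERITY_ORDER.get, default="correct")
    return {"state": state, "findings": [msg for _, msg in findings]}


# constructed samples: the "it is enabled" answer versus an enforcing setup
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, review_domain(spf, dmarc))
```

The weak pair is what a provider can truthfully call “configured” while spoofed mail is still delivered; the strong pair is what the evidence for a “correct” answer looks like.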

Question 12: Are suspicious forwarding rules and compromised mailboxes reviewed?

An attacker who gets into a mailbox can create forwarding rules, hide emails, or maintain persistence. The provider should have mechanisms to detect anomalous rules, suspicious sign-ins, and critical mailbox changes.

Typical fraud example

An attacker compromises an email account, observes conversations with providers, and waits for the right moment to change a bank account. They do not need to encrypt servers or make noise. They only need one account and patience.
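The detection the provider should be able to demonstrate for Question 12, as an added example (not MSAdvance’s code): it runs over a constructed export of inbox rules and mailbox forwarding settings and flags the patterns left behind when a mailbox is taken over, including the hidden-invoice pattern in the fraud example above. Field names mirror the Exchange Online Get-InboxRule and Get-Mailbox properties a provider would export; the mailboxes, domains and rules are invented sample data, and example.com stands in for the organization’s own domain.

```python
"""Detection logic behind Question 12: suspicious inbox rules and forwarding.

Added example, not MSAdvance's code. All mailboxes, domains and rules below
are constructed sample data.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own email domains
# subject words attackers filter on to hide replies during invoice fraud
HIGH_RISK_WORDS = {"invoice", "payment", "bank", "iban", "wire", "transfer", "password"}
# folders used to park hidden mail where the mailbox owner does not look
SUSPECT_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "conversation history",
                   "junk email", "deleted items"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)     # ForwardTo, RedirectTo, ForwardAsAttachmentTo
    delete_message: bool = False                            # DeleteMessage
    move_to_folder: Optional[str] = None                    # MoveToFolder
    mark_as_read: bool = False                              # MarkAsRead
    subject_words: list[str] = field(default_factory=list)  # SubjectContainsWords / BodyContainsWords


def is_external(address: str) -> bool:
    """True when the address belongs to a domain the organization does not own."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def score_rule(rule: InboxRule) -> list[str]:
    """Return the reasons a rule deserves investigation (empty list = nothing found)."""
    if not rule.enabled:
        return []
    reasons: list[str] = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        reasons.append("forwards to external address " + ", ".join(external))
    if rule.delete_message:
        reasons.append("deletes messages")
    if rule.move_to_folder and rule.move_to_folder.lower() in SUSPECT_FOLDERS:
        reasons.append(f"moves mail to '{rule.move_to_folder}'")
    hits = sorted(w for w in rule.subject_words if w.lower() in HIGH_RISK_WORDS)
    if hits and (rule.delete_message or rule.move_to_folder or rule.mark_as_read):
        reasons.append(f"hides mail matching {hits}")
    if len(rule.name.strip()) <= 1:
        reasons.append("rule has a blank or single-character name")
    return reasons


def audit_rules(rules: list[InboxRule], mailbox_forwarding: dict[str, Optional[str]]) -> list[dict]:
    """mailbox_forwarding maps each mailbox to its ForwardingSmtpAddress (None if unset)."""
    findings = []
    for rule in rules:
        reasons = score_rule(rule)
        if reasons:
            findings.append({"mailbox": rule.mailbox, "rule": rule.name, "reasons": reasons})
    for mailbox, target in mailbox_forwarding.items():
        if target and is_external(target):
            findings.append({"mailbox": mailbox, "rule": "<mailbox-level forwarding>",
                             "reasons": [f"ForwardingSmtpAddress set to external {target}"]})
    return findings


# constructed sample export: one benign rule, two attacker-style rules, one disabled rule
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Move newsletters", move_to_folder="Newsletters", subject_words=["newsletter"]),
    InboxRule("cfo@example.com", ".", forward_to=["cfo.backup@mail.external.example"], mark_as_read=True,
              move_to_folder="RSS Subscriptions", subject_words=["invoice", "bank"]),
    InboxRule("ap@example.com", "Clean up", delete_message=True, subject_words=["payment"]),
    InboxRule("hr@example.com", "Old rule", enabled=False, forward_to=["someone@other.example"]),
]
SAMPLE_FORWARDING = {"cfo@example.com": None, "ap@example.com": "ap.archive@mail.external.example",
                     "hr@example.com": None}

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, SAMPLE_FORWARDING):
        print(finding["mailbox"], finding["rule"], "->", "; ".join(finding["reasons"]))
```

Each finding is a question for the provider: who created the rule, when, from which sign-in, and whether the account was already contained.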

7. Devices and Intune: access from secure endpoints

In practice: protecting the account is not enough if the device used for access is uncontrolled.

Question 13: Which devices can access Microsoft 365?

Leadership should know whether users can access email, Teams, and documents from any device or whether minimum rules exist: corporate computer, registered device, encryption, active antivirus, screen lock, and updates.

Question 14: Do we use Intune or another device management tool?

Microsoft Intune allows organizations to manage devices, apply compliance policies, and protect corporate data. Not every company needs the same level of control, but every company should make a conscious decision: what is allowed, what is blocked, and what is monitored.

Specific questions for the provider

  • How many devices are registered or managed?
  • Is disk encryption required?
  • Is access blocked from compromised or non-compliant devices?
  • What happens if a laptop is lost or an employee leaves the company?
  • Are there different policies for personal mobile devices and corporate computers?

8. Teams, SharePoint, and OneDrive: sharing without losing control

In practice: Microsoft 365 makes sharing easy; security means ensuring that sharing does not become exposure.

Question 15: Do we control guests, links, and external sharing?

SharePoint, OneDrive, and Teams are powerful collaboration tools. But without rules, anonymous links accumulate, old guests remain, folders stay shared with providers who no longer work with the company, and critical documents fall outside control.

What should be defined

  • Who can invite external users.
  • Whether anonymous links are allowed or only authenticated users.
  • Expiration of shared links.
  • Periodic review of guests.
  • Rules for sensitive sites: leadership, finance, legal, HR, customers.

Related reading: SharePoint document automation · Microsoft Teams and Modern Workplace · Microsoft 365 Modern Workplace.

9. Sensitive data, Purview, DLP, and retention

In practice: you cannot properly protect information if you do not know which documents are sensitive.

Question 16: Do we know where sensitive data is located?

Customer data, payroll, contracts, financial information, intellectual property, records, legal documentation: all of it can live in email, Teams, SharePoint, OneDrive, or devices. The provider should be able to explain how this data is identified and protected.

Question 17: Do we use sensitivity labels?

Microsoft Purview sensitivity labels allow information to be classified and protected. For example: “Public”, “Internal”, “Confidential”, or “Highly confidential”. The idea is not to overwhelm users with extra steps, but to help them handle each document according to its sensitivity.

Question 18: Do we have DLP and retention?

Data Loss Prevention (DLP) policies help prevent sensitive data from leaving by mistake. Retention policies allow information to be retained or deleted according to legal, operational, or compliance needs.

What to request as evidence:
  • Map of identified sensitive data types.
  • Existing sensitivity labels.
  • Active DLP policies and enforcement mode.
  • Retention policies for email, Teams, SharePoint, and OneDrive.

10. Auditing, alerts, and incident response

In practice: when something happens, you need to know quickly, understand it, and respond without improvising.

Question 19: Do we have auditing, alerts, and a response plan?

Having security does not mean nothing will ever happen. It means that when something happens, the company can detect, contain, investigate, and recover. Auditing and alerts are key to understanding what occurred: who accessed, what they downloaded, what they shared, what they deleted, or what they changed.

The minimum you should ask for

  • Auditing enabled and reviewed.
  • Suspicious sign-in alerts.
  • Administrator alerts or critical change alerts.
  • Response procedure for compromised accounts.
  • Incident owner and escalation channel.
  • Internal communication template in case of breach or outage.

Basic response to a compromised account

Phase | Action | Question for the IT provider
Detection | Alerts and investigation start | How do we find out?
Containment | Block session, reset credentials, revoke tokens | How long does it take us to cut off access?
Investigation | Review activity, mailbox rules, files, and permissions | What evidence do we review?
Recovery | Restore configuration, strengthen policies, and communicate | What do we learn so it does not happen again?

11. Training and culture: users also make security decisions

In practice: the best technical policy can fail if users do not understand the risk.

Question 20: Do users receive practical and measurable training?

Security training should not be a long course that nobody remembers. It must be practical: how to detect phishing, how to share files, what to do when receiving a suspicious request, how to report an incident, and what should not be sent by email.

Minimum training topics

  • Phishing and identity impersonation.
  • Correct use of MFA.
  • Secure sharing in OneDrive, SharePoint, and Teams.
  • Protection of sensitive data.
  • What to do if a compromised account is suspected.
  • Best practices for management and staff with access to critical information.

Practical advice:

A short session with real examples from the business is often more effective than generic training. If users recognize situations similar to their day-to-day work, their behavior changes.

12. What you should require from your IT provider

In practice: a Microsoft 365 provider must translate security into business decisions.

A good IT provider does more than maintain licenses and resolve tickets. They must help you reduce risk, prioritize measures, and explain what each decision means for continuity, compliance, and productivity.

What they should deliver periodically

  • Executive Microsoft 365 security report.
  • Secure Score evolution and prioritized actions.
  • Status of MFA and Conditional Access.
  • Administrator list and privilege review.
  • Summary of alerts and incidents.
  • Review of guests and external sharing.
  • Improvement plan with priority, effort, and license dependencies.

Signs of a mature provider

  • Talks about risks, not just tools.
  • Documents exceptions.
  • Tests changes before applying them globally.
  • Provides evidence.
  • Recommends phased improvements, not everything at once.
  • Trains users and business owners.

13. Summary table: 20 questions, evidence, and priority

In practice: use this table in the meeting with your IT provider and ask for clear answers.

Microsoft 365 security checklist for managers

# | Question | Evidence you should request | Priority
1 | Do all users have MFA? | Coverage and exceptions report | High
2 | Are MFA methods robust? | Allowed methods and improvement plan | High
3 | Do we block legacy authentication? | Applied policy and exclusions | High
4 | How many global administrators are there? | Administrative role list | High
5 | Are privileges temporary? | PIM or elevation process | High
6 | Do we have emergency accounts? | Procedure and controlled test | High
7 | Do we use Conditional Access? | Policy list | High
8 | Do we differentiate risky access? | Policies by user, location, device, or risk | High
9 | What is our Secure Score? | Secure Score report and plan | Medium
10 | Do we have anti-phishing protection? | Defender / Exchange Online Protection policies | High
11 | Are SPF, DKIM, and DMARC configured? | DNS records and validation | High
12 | Do we detect suspicious forwarding rules? | Alerts and mailbox review | High
13 | Which devices access the environment? | Device inventory | Medium
14 | Do we use Intune or equivalent control? | Compliance policies | Medium
15 | Do we control guests and external links? | External sharing report | High
16 | Do we know where sensitive data is located? | Data classification / inventory | High
17 | Do we use sensitivity labels? | Labels and scope | Medium
18 | Do we have DLP and retention? | Active policies | High
19 | Do we have auditing, alerts, and response? | Incident runbook | High
20 | Is there practical training? | Training plan and metrics | Medium

Do you want to turn this checklist into a real review of your Microsoft 365?

MSAdvance can perform a security assessment with evidence, prioritize risks, and deliver a clear plan for leadership: what to correct first, what depends on licenses, and what can be implemented without interrupting work.


14. Common management mistakes when delegating security

Mistake 1: assuming that “Microsoft already protects everything”

Microsoft provides very powerful tools, but many decisions depend on tenant configuration: MFA, permissions, sharing, devices, retention, DLP, alerts, and response.

Mistake 2: asking only about price, not security posture

A cheap provider can become expensive if they do not review identities, data, devices, and alerts. The right question is not only “how much does it cost?”, but “what risk does it reduce, and how do you prove it?”.

Mistake 3: not reviewing administrators

Elevated permissions must be reviewed periodically. Former administrators, shared accounts, or permanent permissions are very common risks.

Mistake 4: training only after an incident

Preventive training reduces errors. Waiting for fraud or a compromised account to occur is usually more expensive.

Mistake 5: not asking for executive reports

If leadership only receives technical information, it cannot prioritize. A good report should summarize risks, impact, and next steps.

15. Operational checklists for leadership

In practice: these checklists help turn security into a management routine.

Monthly checklist for management

  • Review relevant incidents or alerts.
  • Confirm changes in administrator users.
  • Review onboarding and offboarding for critical users.
  • Validate MFA or Conditional Access exceptions.
  • Check whether unusual external sharing occurred.

Quarterly checklist with the IT provider

  • Review Secure Score and pending actions.
  • Review Conditional Access policies.
  • Review external guests and shared links.
  • Review DLP, labels, and retention.
  • Run a simulation or incident response exercise.

Checklist when the business changes

  • New sites, new countries, or new providers.
  • Mergers, acquisitions, or domain changes.
  • Implementation of new licenses or tools.
  • External users joining or sensitive projects starting.
  • Use of Copilot or other AI-based tools over corporate data.

16. Frequently asked questions (FAQ) about Microsoft 365 security for managers

What is a Microsoft 365 security checklist for managers?

It is a list of business questions to evaluate whether Microsoft 365 is properly protected: identity, MFA, administrators, email, devices, data, sharing, auditing, and incident response. It does not replace a technical audit, but it helps detect risks and require evidence.

What should a company review first in Microsoft 365?

The first area is usually identity: MFA for everyone, administrator protection, Conditional Access, blocking legacy authentication, and reviewing privileged permissions. Then it is advisable to review email, devices, external sharing, and sensitive data.

Is Microsoft Secure Score useful for leadership?

Yes, as long as it is interpreted correctly. Secure Score helps measure security posture and prioritize actions, but it should not be used as the only indicator. The important point is understanding which actions reduce the most business risk.

Is Microsoft 365 E5 mandatory to be secure?

Not always. Many basic improvements can be made with existing licenses or intermediate plans. However, some advanced security, compliance, auditing, or protection capabilities require specific licenses. The recommended approach is to review risk and decide in phases.

What is the difference between MFA and Conditional Access?

MFA adds an additional verification step during sign-in. Conditional Access lets you decide when to require MFA, when to block, when to allow, and under which conditions, using signals such as user, location, device, application, or risk.

Why are emergency accounts important?

They help prevent the organization from being locked out if a policy fails or an authentication method becomes unavailable. They must be highly protected, not used day to day, and reviewed in a controlled way.

How do I know whether my IT provider manages Microsoft 365 well?

They should be able to show evidence: MFA, Conditional Access, Secure Score, administrators, guests, email policies, auditing, alerts, and response plan. If they only answer “everything is fine” without reports or a plan, it is advisable to request a review.

Can MSAdvance review our Microsoft 365 even if we already have an IT provider?

Yes. MSAdvance can perform an independent assessment, detect gaps, prioritize actions, and collaborate with the internal team or current provider to improve security without interrupting service.

17. Official resources and external links

  • Microsoft: Zero Trust deployment plan with Microsoft 365
  • Microsoft Secure Score
  • Microsoft Entra Conditional Access
  • Microsoft Entra Privileged Identity Management (PIM)
  • Emergency access accounts in Microsoft Entra ID
  • Auditing in Microsoft Purview
  • Sensitivity labels in Microsoft Purview
  • Retention policies and retention labels
  • Common identity and device access policies for Microsoft 365

Related MSAdvance services

  • Microsoft 365 Security & Compliance
  • Microsoft 365 Modern Workplace
  • Software License Procurement & Sales for Businesses
  • All services

18. Conclusion and next steps

Microsoft 365 security should not be a black box for management. You do not need to know every menu in the admin portal, but you do need to ask the right questions: who can get in, from where, with which permissions, what data they can see, what happens if something fails, and what evidence exists.

If your IT provider can answer these 20 questions clearly, with reports and an improvement plan, you have a good foundation. If the answers are vague, incomplete, or too reactive, it is advisable to perform an independent review.

Recommended next steps

  • Send this checklist to your IT provider and request evidence.
  • Classify each item as correct, needs improvement, or critical.
  • Prioritize the actions that reduce the most risk: MFA, administrators, Conditional Access, email, and sensitive data.
  • Plan a periodic review so security does not depend on a one-off audit.

Do you want a clear review of your Microsoft 365 security?

MSAdvance can analyze your environment, identify gaps, and deliver a prioritized plan to reduce risk without slowing down daily work.

