Microsoft 365 Enterprise Security Assessment Toolkit

A Playbook & Questionnaire for third-party security risk assessments of Microsoft 365 Enterprise deployments


Even if your enterprise is not operating on Microsoft 365, no doubt a large percentage of your vendors are. Correct security configuration and operation of Microsoft 365 by you and your third parties is critical to protecting your risk interests.

Benefits of the Microsoft 365 Enterprise Toolkit:

  • Get a step-by-step methodology for assessing the security configurations of any Microsoft 365 deployment
  • Understand the essential Microsoft 365 security assessment criteria
  • An assessment-ready questionnaire

Seven Essential Security Configurations for Microsoft 365

  1. Are users configured with multi-factor authentication?

    Multi-factor authentication is a critical security control that protects organizations from password attacks such as password guessing and credential theft. If a Microsoft 365 user account is compromised, an attacker may gain access to the user’s emails, files, chat history, and other sensitive data.

  2. If the organization’s on-prem Active Directory is synchronized with Azure Active Directory, are only necessary objects synchronized?

    If an organization is synchronizing their on-prem Active Directory with Azure Active Directory (Azure AD), it is a good indicator that the organization’s IT environment is complex enough to justify cloud authentication. Organizations will commonly synchronize their on-prem AD with Azure AD to allow users to authenticate via public cloud SaaS applications and to ease the administrative burden of managing users across a portfolio of cloud services. However, it is a best security practice to only sync those AD objects that require use within Azure AD (e.g. on-prem service accounts that only access on-prem resources should not be synchronized, whereas user accounts should be synchronized). As such, examine the objects within Azure AD to determine if the organization is synchronizing the appropriate objects.

  3. Is the number of users configured as administrators in Microsoft 365 appropriate for the size of the organization?

    Having more than one administrator in Microsoft 365 ensures that if one administrator is unavailable, another user can make changes to the tenant. However, users who do not have a valid justification to have administrative access to Microsoft 365 may expose the organization to risk. Microsoft recommends that in most cases there should be no more than five Global Admins.

  4. Are dedicated administrative accounts used?

    Given that it is the path of least resistance, attackers will target users with privileged access to the Microsoft 365 tenant. Using a privileged account for day-to-day use increases the likelihood that an attacker will gain privileged access to the environment if they are successfully exploited. As such, administrative personnel should use their privileged accounts only when it is required.

  5. Are tenant Global administrators configured with working email addresses?

    Microsoft 365 Global Admins receive a variety of important email notifications that include service status, security events, and other information. When an organization first signs up for Microsoft 365, users are provisioned with a default username and email address in the format. For example, a new Global Admin, Larry Washington, at RiskRecon might have the following username: Since Larry is a Global Admin, Larry receives administrative notifications at his email address. However, if the organization doesn’t use Microsoft 365 Outlook for email, Larry might not receive tenant administrative notification emails. Another scenario is Larry’s Microsoft 365 username is While this may be Larry’s username on Microsoft 365, that may not be a valid email address. As such, it is important that organizations ensure that global admins use an email address that is configured to a working address.

  6. Are Azure AD User Settings configured from non-default settings?

    By default, non-administrative users may access the Azure AD administrative portal and perform several different actions including:

    • Register custom-developed applications for use within Azure AD

    • Access the Azure AD administrative portal

    • Allow user to connect their Azure AD accounts with their LinkedIn account

    • Invite external guest users

    • Invited guest users can invite additional guest users

    Each of these settings may have a security impact, depending on how the organization. If the target organization has not configured these default settings to be more restrictive, it is a tell-tale sign that the organization lacks Microsoft 365 security maturity.

  7. Are users restricted from creating auto-forwarding rules within Outlook?

    When a user creates an auto-forwarding rule, emails sent to the account are automatically forwarded without user notification to an email box that the organization does not control. This may expose the organization to risk of loss of sensitive data.

Download the Toolkit