M365 Security Checklist for Small Businesses (2026)

Microsoft 365 is the operating system of the modern small business — email, documents, teams, file storage, and now AI. That concentration of data and workflow in one platform is also why it's the #1 target for credential-based attacks on SMBs. The good news: 80% of successful M365 breaches exploit gaps that take less than a day to close.

This checklist covers every major risk area — with verification steps, not just vague advice.

Before You Start: Understand Your Baseline

Before running through the checklist manually, run a free IT Health Snapshot on your tenant. It checks all 17 items below automatically and gives you a prioritized score. If you've already done that, use the results to guide which sections to focus on first.

The checklist below is organized by severity: Critical items are breach vectors. High items are the next layer. Medium items reduce your attack surface and save money.


Critical: Identity & Authentication

☐ 1. Enable MFA for All Users

Why it matters: 99.9% of credential-based attacks fail against accounts with MFA enabled. Microsoft reports this is the single most effective security control available.

How to check: Microsoft Entra admin center → Users → Authentication methods → Per-user MFA status. Or use the MFA registration report under Identity → Monitoring & health → Authentication methods.

How to fix:

  1. Enable Security Defaults (Entra ID → Properties → Manage security defaults) — covers most tenants immediately
  2. Or create a Conditional Access policy requiring MFA for all users (requires Entra ID P1 license)
  3. Require users to register via aka.ms/mfasetup
  4. Target: 100% enrollment, with Microsoft Authenticator app as the primary method

Verify: Run the MFA registration report. Zero exceptions.
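The same registration report can be pulled with Microsoft Graph PowerShell so the "zero exceptions" check is repeatable rather than eyeballed. This is an added example, not part of the article or the NorthStack tool; it assumes the Microsoft.Graph.Reports module is installed, that the signed-in account can read the registration report (Reports Reader, Global Reader or above), and that `mfa-gaps.csv` is an output file name of your choosing.

```powershell
# Added example: reproduce the Entra "Authentication methods" registration report and
# fail loudly on anyone who has not registered MFA. Admin accounts are listed first.
# Assumed: Microsoft.Graph.Reports module installed; caller can read the report.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All" -NoWelcome

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$notRegistered = @($report | Where-Object { -not $_.IsMfaRegistered })
# Registered, but without the Authenticator app (SMS/voice only); the checklist wants the app as primary.
$noAuthenticator = @($report | Where-Object {
    $_.IsMfaRegistered -and ($_.MethodsRegistered -notcontains 'microsoftAuthenticatorPush')
})

"Users in report                 : {0}" -f $report.Count
"Not MFA registered              : {0}" -f $notRegistered.Count
"Registered without Authenticator: {0}" -f $noAuthenticator.Count

$notRegistered |
    Select-Object UserPrincipalName, IsAdmin, UserType, DefaultMfaMethod,
                  @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Sort-Object IsAdmin -Descending |
    Export-Csv -Path .\mfa-gaps.csv -NoTypeInformation   # assumed output path

$adminGaps = @($notRegistered | Where-Object IsAdmin).Count
if ($notRegistered.Count -eq 0) { "PASS: 100% MFA registration" }
else { "FAIL: {0} users without MFA ({1} of them admins) - see mfa-gaps.csv" -f $notRegistered.Count, $adminGaps }
```

Guest accounts appear in the report with `UserType` set to `guest`; decide whether guests are in scope before treating them as exceptions. Security Defaults prompt registration but do not force the Authenticator app, so the second counter is what tells you whether step 4 of the fix has actually landed.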

☐ 2. Audit Global Administrator Count

Why it matters: Every Global Admin account is a master key to your entire tenant. Ex-employees with lingering Global Admin access are one of the most common causes of unauthorized access incidents.

How to check: Entra ID → Roles & administrators → Global Administrator. Count the members.

Target: 2–3 maximum. Use role-specific admin roles (Exchange Admin, SharePoint Admin, Teams Admin) for everyone else.

How to fix:

  1. Remove Global Admin from any inactive or departed employee accounts
  2. Enable Privileged Identity Management (PIM) if on E5 — require justification + approval for Global Admin activation
  3. Ensure no Global Admin account is used for day-to-day work; create separate cloud-only admin accounts
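Counting the members in the portal answers "how many"; the follow-up questions (which of them are daily-use accounts, synced from on-prem AD, disabled or stale) are easier to answer in Microsoft Graph PowerShell. The following is an added example, not the article's or NorthStack's code; it assumes the Microsoft.Graph module, an Entra ID P1 license (needed for the `signInActivity` property) and a reader role on directory roles.

```powershell
# Added example: enumerate Global Administrator members and flag the ones that miss the
# checklist's targets (more than 3, licensed/daily-use accounts, synced or stale accounts).
# Assumed: Microsoft.Graph module installed; Entra ID P1 for the signInActivity property.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All", "AuditLog.Read.All" -NoWelcome

$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All

$admins = @(foreach ($m in $members) {
    # Role members can be users, groups or service principals; only users are profiled here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') {
        Write-Warning "Non-user member $($m.Id) ($($m.AdditionalProperties['@odata.type'])) - review separately"
        continue
    }
    $u = Get-MgUser -UserId $m.Id -Property 'userPrincipalName,accountEnabled,onPremisesSyncEnabled,assignedLicenses,signInActivity'
    [pscustomobject]@{
        UPN        = $u.UserPrincipalName
        Enabled    = $u.AccountEnabled
        CloudOnly  = -not $u.OnPremisesSyncEnabled      # the checklist wants cloud-only admin accounts
        Licensed   = $u.AssignedLicenses.Count -gt 0     # a licensed admin is usually a daily-use mailbox
        LastSignIn = $u.SignInActivity.LastSignInDateTime
    }
})

$admins | Sort-Object LastSignIn | Format-Table -AutoSize
"Global Administrators: {0} (checklist target: 2-3)" -f $admins.Count

$cutoff = (Get-Date).AddDays(-90)
foreach ($a in $admins) {
    if (-not $a.Enabled) { "REVIEW: $($a.UPN) is disabled but still holds Global Admin" }
    elseif (-not $a.CloudOnly) { "REVIEW: $($a.UPN) is synced from on-prem AD; use a cloud-only admin account" }
    elseif ($a.Licensed) { "REVIEW: $($a.UPN) is licensed - likely a daily-use account; move admin duties to a separate account" }
    elseif ($a.LastSignIn -and $a.LastSignIn -lt $cutoff) { "REVIEW: $($a.UPN) has not signed in for 90+ days" }
}
```

Two caveats when reading the output: `Get-MgDirectoryRoleMember` returns active assignments only, so a tenant using PIM (step 2) must also review eligible assignments; and a dedicated break-glass account is supposed to look stale, so exclude it from the 90-day rule rather than removing it.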

☐ 3. Block Legacy Authentication Protocols

Why it matters: Legacy protocols (POP3, IMAP, basic SMTP auth) cannot enforce MFA. Attackers use password spraying against these endpoints specifically because MFA doesn't protect them — even when MFA is "on."

How to check: Microsoft Entra sign-in logs → Filter by "Client app" → Look for "Exchange ActiveSync" and "Other clients" entries.

How to fix:

  1. Verify Security Defaults are enabled (they block legacy auth by default)
  2. If using Conditional Access: create a policy with Client apps condition set to "Exchange ActiveSync clients" + "Other clients" → Block access
  3. Test before enforcing: run in report-only mode for 2 weeks to identify any apps that would break
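Before the block is enforced it helps to know exactly which users and apps still authenticate over legacy protocols, and whether the traffic is real use or the password spraying described above. The following added example (not from the article or NorthStack) queries 30 days of Entra sign-in logs through Microsoft Graph PowerShell for the legacy client-app values and then lists mailboxes that still have POP, IMAP or SMTP AUTH enabled in Exchange Online. It assumes the Microsoft.Graph.Reports and ExchangeOnlineManagement modules and that sign-in log retention covers 30 days (Entra ID P1/P2; the free tier keeps 7 days, so shorten `AddDays(-30)` there).

```powershell
# Added example: who still uses legacy authentication? Pull 30 days of sign-ins whose client
# app is a legacy protocol, then check the mailbox-level protocol switches.
# Assumed: Microsoft.Graph.Reports + ExchangeOnlineManagement modules; 30-day log retention.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All" -NoWelcome

$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
# clientAppUsed values that cannot carry an MFA challenge; these are what the Conditional Access
# "Exchange ActiveSync clients" + "Other clients" conditions in the checklist cover.
$legacyApps = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients'
$appFilter  = ($legacyApps | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and ($appFilter)" -All

$summary = $signIns | Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName | ForEach-Object {
    $g = $_.Group
    [pscustomobject]@{
        User      = $g[0].UserPrincipalName
        Protocol  = $g[0].ClientAppUsed
        App       = $g[0].AppDisplayName
        Attempts  = $g.Count
        Succeeded = @($g | Where-Object { $_.Status.ErrorCode -eq 0 }).Count   # error code 0 = success
        LastSeen  = ($g | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
    }
}
$summary | Sort-Object Succeeded, Attempts -Descending | Format-Table -AutoSize
# Rows with many attempts and zero successes are the spraying the checklist warns about;
# rows with successes are the apps and users that will break when the block is enforced.

# Mailbox level: a protocol that is switched off per mailbox cannot be used even if a
# Conditional Access gap appears later. SmtpClientAuthenticationDisabled = $null means "inherit tenant".
Connect-ExchangeOnline -ShowBanner:$false
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or $_.SmtpClientAuthenticationDisabled -eq $false } |
    Select-Object Identity, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled
# Tenant-wide SMTP AUTH switch ($true = disabled for everyone without a per-mailbox override):
(Get-TransportConfig).SmtpClientAuthenticationDisabled
# After review, per mailbox:  Set-CASMailbox -Identity user@contoso.com -PopEnabled $false -ImapEnabled $false
```

Run the sign-in query again during the two-week report-only period; the Conditional Access "report-only" results in the same logs show the policy's verdict per sign-in, so the two views should agree before you switch the policy to "On".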

High Priority: Compliance & Data Controls

☐ 4. Verify Unified Audit Logging Is On

Why it matters: Without audit logs, you can't reconstruct what happened during a breach. Insurance claims require it. Some regulations mandate it. And it's off by default in older M365 configurations.

How to check: Microsoft Purview compliance portal → Audit. If the page shows a "Start recording user and admin activity" prompt, auditing is currently off.

How to fix: Enable it in the Purview compliance portal. Standard retention is 90 days. Extend to 1 year with the audit premium add-on or E5 license.
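The portal check tells you whether the switch is on; it does not tell you whether events are actually being recorded. The added example below (not the article's or NorthStack's code) reads the setting through Exchange Online PowerShell, turns it on if needed, and then reads the last 24 hours of the unified audit log as evidence. It assumes the ExchangeOnlineManagement module and an account with the Exchange Online Administrator or Audit Logs role.

```powershell
# Added example: confirm unified audit logging is on, switch it on if not, and prove events
# are actually being ingested by reading the last 24 hours.
# Assumed: ExchangeOnlineManagement module; Exchange Online Administrator or Audit Logs role.
Connect-ExchangeOnline -ShowBanner:$false

if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    "Unified audit log is OFF - enabling (ingestion can take a few hours to start)"
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    "Unified audit log is ON"
}

# Evidence that it is recording: count events by workload for the last day.
$end    = Get-Date
$start  = $end.AddDays(-1)
$events = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000)
"{0} audit events in the last 24 hours (capped at 5000)" -f $events.Count
$events | Group-Object RecordType | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

# Zero events on a tenant with active users means logging was only just enabled or is not
# working; re-run after a few hours before relying on the log for incident reconstruction.
```

Keep the output of the first run with your insurance and compliance paperwork: it is dated proof that logging was on, which is exactly what a claim adjuster asks for after an incident.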

☐ 5. Lock Down External Sharing in SharePoint & OneDrive

Why it matters: "Anyone" links — the default in many M365 configurations — let any person with the URL access your files without signing in. One forwarded email = full data exposure.

How to check: SharePoint admin center → Policies → Sharing. Look at the external sharing setting for SharePoint and OneDrive.

How to fix:

  1. Change SharePoint: "Anyone" → "New and existing guests" (requires sign-in)
  2. Enable link expiration: set maximum to 30 days
  3. Enable "Block download" for view-only external sharing
  4. Require guests to sign in using the same account the invitation was sent to
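The SharePoint Online Management Shell exposes the same tenant settings, which makes the check scriptable and the fix reviewable before it is applied. The following is an added example, not code from the article or NorthStack; it assumes the Microsoft.Online.SharePoint.PowerShell module, the SharePoint Administrator role, and "contoso" as a placeholder for your tenant name. Step 3 (block download on view-only links) is configured per site in the admin center and is not covered here.

```powershell
# Added example: read and harden the tenant-level sharing settings from the checklist.
# Assumed: Microsoft.Online.SharePoint.PowerShell module, SharePoint Administrator role,
# and "contoso" as a placeholder for your tenant name.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

$t = Get-SPOTenant
$t | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
                  ExternalUserExpirationRequired, ExternalUserExpireInDays,
                  RequireAcceptingAccountMatchInvitedAccount | Format-List

# SharingCapability values, most to least permissive:
#   ExternalUserAndGuestSharing     = "Anyone" links (no sign-in)   <- the checklist's failing state
#   ExternalUserSharingOnly         = "New and existing guests"
#   ExistingExternalUserSharingOnly = "Existing guests"
#   Disabled                        = "Only people in your organization"
if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing')         { "FAIL: SharePoint allows Anyone links" }
if ($t.OneDriveSharingCapability -eq 'ExternalUserAndGuestSharing') { "FAIL: OneDrive allows Anyone links" }

# Steps 1, 2 and 4 of the fix. ExternalUserExpireInDays accepts 30-730; 30 is the floor.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30 `
              -RequireAcceptingAccountMatchInvitedAccount $true

# Sites cannot be more permissive than the tenant, but the per-site value still shows which
# sites were set to Anyone links and will change behaviour for their users after the fix.
Get-SPOSite -Limit All | Where-Object SharingCapability -eq 'ExternalUserAndGuestSharing' |
    Select-Object Url, SharingCapability
```

Tightening the tenant setting does not revoke links that were already created while Anyone links were allowed; existing anonymous links stop working once the tenant no longer permits them, but it is worth warning the owners of the sites listed at the end so they can re-share with guests properly.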

☐ 6. Enable Data Loss Prevention Policies

Why it matters: DLP policies catch and block accidental (or intentional) sharing of sensitive data — SSNs, credit card numbers, health records — before it leaves your tenant.

How to check: Microsoft Purview → Data loss prevention → Policies. If blank, you have none.

How to fix:

  1. Start with built-in templates: "U.S. Financial Data" and "U.S. Personally Identifiable Information"
  2. Set to "Test mode with policy tips" for 2 weeks — you'll see what would have been blocked without disrupting work
  3. After 2 weeks, review the report and switch to enforcement mode
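The same three steps can be done in Security & Compliance PowerShell, which also records the exact policy definition for change control. The block below is an added example, not the article's or NorthStack's code; it assumes the ExchangeOnlineManagement module (for `Connect-IPPSSession`), the Compliance Administrator role, and the policy and rule names shown, which are placeholders. The two sensitive information type names are Microsoft's built-in ones and must match the Purview catalog exactly.

```powershell
# Added example: create the checklist's starter DLP policy in test mode with policy tips,
# plus the one-line switch to enforcement after the review period.
# Assumed: Connect-IPPSSession available, Compliance Administrator role, placeholder names.
Connect-IPPSSession

Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled   # empty output = "you have none"

$policy = 'SMB Baseline - Financial and PII'
New-DlpCompliancePolicy -Name $policy -Comment 'Built-in SSN and payment card detection' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications          # = "Test mode with policy tips": log and warn, never block

# Rule: content that contains an SSN or a card number and is shared outside the organization.
# In test mode the BlockAccess action is only simulated, so the report shows what would have been blocked.
New-DlpComplianceRule -Name "$policy - shared externally" -Policy $policy `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Credit Card Number';               minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -NotifyUser Owner `
    -ReportSeverityLevel High

# After two weeks in test mode, review the matches in Purview, then enforce:
# Set-DlpCompliancePolicy -Identity $policy -Mode Enable
```

Starting with `minCount = '1'` is deliberately strict so that the two-week test surfaces every match; if the report is dominated by legitimate internal workflows (payroll, AP), raise the count or scope the rule to specific locations rather than weakening the detection itself.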

Medium: Microsoft 365 Copilot Governance

If your organization has deployed Microsoft 365 Copilot, these controls are now essential. Copilot operates on your users' behalf — it can surface, summarize, and act on data your users have access to, and sometimes data they shouldn't have access to due to permissive SharePoint permissions.

☐ 7. Audit Copilot License Assignments

Why it matters: Copilot licenses run $30/user/month ($360/year). At 30–50% average adoption rates for newly deployed tenants, many organizations are paying for licenses that haven't been activated.

How to check: Microsoft 365 admin center → Billing → Licenses → Find Microsoft 365 Copilot. Compare prepaid vs. consumed.

How to fix: Remove licenses from users who have had them for 60+ days without activation. Reallocate to high-value users.

☐ 8. Review Copilot Studio Agent Inventory

Why it matters: AI agents deployed in Copilot Studio can access SharePoint, email, and other data sources on users' behalf. Agents built without governance oversight may have broader access than intended.

How to check: Power Platform admin center (admin.powerplatform.microsoft.com) → Copilot Studio → Environments → Agents.

How to fix:

  1. Catalog every deployed agent: owner, purpose, data connectors, last modified date
  2. Disable or archive any agent that hasn't been used in 90 days
  3. Restrict SharePoint connectors to specific site collections rather than org-wide
  4. Enable Copilot Studio DLP policies (Power Platform admin center → Policies → Data policies)

☐ 9. Enable Microsoft Purview Data Retention Policies

Why it matters: Without retention policies, deleted emails and files are permanently lost when the recycle bin empties. Many industries require 3–7 years of data preservation. And when AI is summarizing and referencing old content, retention policy gaps create unexpected exposure.

How to check: Microsoft Purview → Data lifecycle management → Retention policies.

How to fix:

  1. Create a base policy: 1-year retention for Exchange, SharePoint, and OneDrive
  2. For regulated industries (healthcare, finance, legal): create separate policies with 7-year retention for relevant data types
  3. Use retention labels for high-value content that should be preserved beyond the base policy
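The three steps map onto a small number of Security & Compliance PowerShell cmdlets; the added example below (not from the article or NorthStack) creates the base policy, a separate 7-year policy, and a label for items that must outlive the base policy. It assumes `Connect-IPPSSession`, the Compliance Administrator role, and that the mailbox and site used for the regulated policy are placeholders for your own locations.

```powershell
# Added example: the base and regulated retention policies from the checklist, plus a label for
# exceptional content. Assumed: Connect-IPPSSession, Compliance Administrator role, and the
# mailbox/site locations below as placeholders for wherever your regulated data lives.
Connect-IPPSSession

Get-RetentionCompliancePolicy | Select-Object Name, Enabled   # empty output = no retention policies

# 1. Base policy: keep everything in Exchange, SharePoint and OneDrive for at least a year.
#    RetentionComplianceAction Keep retains items for the duration and does nothing afterwards.
New-RetentionCompliancePolicy -Name 'Baseline - 1 year' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Baseline - 1 year keep' -Policy 'Baseline - 1 year' `
    -RetentionDuration 365 -RetentionComplianceAction Keep -ExpirationDateOption ModificationAgeInDays

# 2. Regulated data: a separate 7-year policy (2555 days) scoped to the locations that hold it.
New-RetentionCompliancePolicy -Name 'Regulated - 7 years' `
    -ExchangeLocation 'finance@contoso.com' `
    -SharePointLocation 'https://contoso.sharepoint.com/sites/Finance'
New-RetentionComplianceRule -Name 'Regulated - 7 years keep' -Policy 'Regulated - 7 years' `
    -RetentionDuration 2555 -RetentionComplianceAction Keep

# 3. A label users (or auto-labelling) apply to individual items that must be kept longer than
#    the base policy. Labels must still be published with a label policy before anyone can apply them.
New-ComplianceTag -Name 'Preserve - 10 years' -RetentionAction Keep `
    -RetentionDuration 3650 -RetentionType ModificationAgeInDays
```

Where a 1-year and a 7-year policy both cover the same item, the longer retention wins, so the base policy never shortens what the regulated policy preserves. Retention holds content in place for eDiscovery; it is not a backup, and it does not restore a deleted file to the user's folder.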

License Optimization (Worth Doing Monthly)

☐ 10. Run a License Utilization Review

Most M365 tenants have 10–25% unused licenses at any given time due to employee turnover, role changes, and poor offboarding processes. At $22–$57/user/month for Business Premium or E3, this adds up fast.

Monthly task: Microsoft 365 admin center → Billing → Licenses → Review unused licenses by product. Remove or reallocate.
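Both this monthly review and the Copilot license audit in item 7 come from the same Graph data: prepaid versus consumed units per SKU. The following added example (not the article's or NorthStack's code) prints that table for every SKU and then lists the holders of Microsoft 365 Copilot with their last sign-in, which is a usable proxy for a seat that was assigned but never used. It assumes the Microsoft.Graph module, Entra ID P1 for `signInActivity`, and that `Microsoft_365_Copilot` is the SKU part number shown in your tenant (check the first table if it is not).

```powershell
# Added example: license utilization for every SKU (item 10) plus Microsoft 365 Copilot seat
# holders and their last sign-in (item 7). Assumed: Microsoft.Graph module, Entra ID P1 for
# signInActivity, and 'Microsoft_365_Copilot' as the Copilot SKU part number.
Connect-MgGraph -Scopes "Organization.Read.All", "User.Read.All", "AuditLog.Read.All" -NoWelcome

$skus  = Get-MgSubscribedSku
$usage = foreach ($s in $skus) {
    $prepaid = $s.PrepaidUnits.Enabled
    [pscustomobject]@{
        Sku      = $s.SkuPartNumber
        Prepaid  = $prepaid
        Assigned = $s.ConsumedUnits
        Unused   = $prepaid - $s.ConsumedUnits
        PctUsed  = if ($prepaid -gt 0) { [math]::Round(100 * $s.ConsumedUnits / $prepaid) } else { 0 }
    }
}
$usage | Sort-Object Unused -Descending | Format-Table -AutoSize
# Unused > 0 = seats you pay for that nobody holds. Seats assigned to disabled or inactive
# accounts are waste too; item 11 finds those.

# Copilot: who holds a seat and when they last signed in. A seat held for 60+ days by someone
# who rarely signs in is the reallocation candidate item 7 describes.
$copilot = $skus | Where-Object SkuPartNumber -eq 'Microsoft_365_Copilot'
if ($copilot) {
    $holders = Get-MgUser -All -Property 'userPrincipalName,assignedLicenses,signInActivity' |
        Where-Object { $_.AssignedLicenses.SkuId -contains $copilot.SkuId }
    $holders |
        Select-Object UserPrincipalName, @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
        Sort-Object LastSignIn | Format-Table -AutoSize
    "Copilot seats: {0} prepaid, {1} assigned" -f $copilot.PrepaidUnits.Enabled, $copilot.ConsumedUnits
} else {
    "No Microsoft 365 Copilot SKU found in this tenant"
}
```

Last sign-in measures whether the person uses Microsoft 365 at all, not whether they have opened Copilot; pair this list with the Copilot usage report in the admin center to identify seats that were assigned but never activated.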

☐ 11. Identify and Remove Inactive User Accounts

Accounts that haven't signed in for 90+ days are both a security risk (unmonitored) and a cost waste (paying for unused licenses).

How to check: Entra ID → Users → Filter by "Last sign-in" older than 90 days.

How to fix: Disable the account, strip licenses, and flag for HR review before permanent deletion.
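The filter in the portal finds the accounts; the added example below (not code from the article or NorthStack) does the same in Microsoft Graph PowerShell, exports the list for HR review, and only performs the disable-and-unlicense step when `$Remediate` is switched to `$true`. It assumes the Microsoft.Graph module, Entra ID P1 for `signInActivity`, the scopes listed, and `inactive-users.csv` as an output file name of your choosing.

```powershell
# Added example: find enabled member accounts with no sign-in in 90 days, export them for HR
# review, and (only when $Remediate is set) disable them and strip their licenses.
# Assumed: Microsoft.Graph module, Entra ID P1 for signInActivity, and the scopes below.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.EnableDisableAccount.All", "AuditLog.Read.All" -NoWelcome

$Remediate = $false
$cutoff    = (Get-Date).ToUniversalTime().AddDays(-90)

$users = Get-MgUser -All -Property 'id,userPrincipalName,displayName,userType,accountEnabled,createdDateTime,assignedLicenses,signInActivity'

$stale = @(foreach ($u in $users) {
    if (-not $u.AccountEnabled -or $u.UserType -ne 'Member') { continue }
    # Interactive and non-interactive sign-ins both count: a mailbox polled by Outlook shows up
    # only as non-interactive, so ignoring it would flag users who are still active.
    $last = @($u.SignInActivity.LastSignInDateTime, $u.SignInActivity.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # Never-signed-in accounts are stale only if they are older than the cutoff (not new hires).
    $inactive = if ($last) { $last -lt $cutoff } else { $u.CreatedDateTime -lt $cutoff }
    if ($inactive) {
        [pscustomobject]@{
            Id = $u.Id; UPN = $u.UserPrincipalName; Name = $u.DisplayName
            LastSignIn = $last; Licenses = $u.AssignedLicenses.Count
        }
    }
})

"{0} inactive accounts (90+ days)" -f $stale.Count
$stale | Sort-Object LastSignIn | Export-Csv .\inactive-users.csv -NoTypeInformation   # assumed path

if ($Remediate) {
    foreach ($s in $stale) {
        Update-MgUser -UserId $s.Id -AccountEnabled:$false
        $skuIds = ($users | Where-Object Id -eq $s.Id).AssignedLicenses.SkuId
        if ($skuIds) { Set-MgUserLicense -UserId $s.Id -RemoveLicenses $skuIds -AddLicenses @() }
        "Disabled and unlicensed $($s.UPN) - pending HR review before deletion"
    }
}
```

Before flipping `$Remediate`, remove from the list anything that is supposed to look idle: shared and resource mailboxes, service accounts, and the break-glass Global Admin. Licenses inherited through group-based licensing cannot be removed with `Set-MgUserLicense`; take those users out of the licensing group instead.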


How to Stay Current Without Doing This Manually

Running through this checklist manually once is valuable. Running it monthly — which is when gaps actually appear, as users join, leave, and change roles — is impractical without automation.

NorthStack automates all of the checks above, runs them continuously against your M365 tenant, and surfaces a prioritized score with specific remediation steps. The free IT Health Snapshot covers all 17 checks in a single report.

Get Your Free IT Health Snapshot

See your M365 security score in minutes. Every check on this list, automatically scored, with specific remediation steps for any gaps found.

Request Your Free IT Health Snapshot →