About this program
Audit your M365 tenant for the controls that actually matter: identity, mail flow, sharing, audit logging and admin separation.
Risks addressed
- [High] External users invited without governance
- [High] Inbox rules created by an attacker to silently exfiltrate mail
- [High] Audit logs not retained long enough for investigation
Controls (7)
- MFA enforced on every user (incl. admins) [Critical]
  Testing procedure: Pull the MFA enrolment report; 100% of active users and 100% of holders of privileged roles must be enrolled.
  Evidence to collect: M365 MFA report.
- Security defaults / CA baseline applied [High]
  Testing procedure: Either Security Defaults are on, or Conditional Access baseline policies are enforced.
  Evidence to collect: CA / Security Defaults config.
- External sharing scoped to known domains [High]
  Testing procedure: SharePoint / OneDrive sharing restricted to an allowed domain list.
  Evidence to collect: Sharing policy export.
- Block legacy authentication [High]
  Testing procedure: Legacy auth protocols (POP/IMAP/SMTP basic) disabled tenant-wide.
  Evidence to collect: CA policy export.
- Mailbox auditing enabled [High]
  Testing procedure: Mailbox audit logging on for all mailboxes; retention >= 90 days.
  Evidence to collect: Audit log config.
- Unified audit log enabled + streamed to SIEM [High]
  Testing procedure: Tenant unified audit log on; logs forwarded to the SIEM.
  Evidence to collect: SIEM source + sample query.
- Restrict who can register apps + consent to apps [Medium]
  Testing procedure: Only admins (or a named delegate) can register / consent to apps; user consent disabled.
  Evidence to collect: Tenant settings screenshot.
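The identity controls above (MFA coverage, Security Defaults / CA baseline, legacy-auth block, app registration and consent) can be pulled as evidence in one pass with the Microsoft Graph PowerShell SDK. The script below is an added example, not part of this program's own tooling; it assumes the Microsoft.Graph modules are installed and that the signed-in account is granted the read-only scopes requested on the first line. The CA baseline check only lists enabled policies for the reviewer, since which policies count as "baseline" is a judgement the page leaves to the auditor.

```powershell
# Added example (not the page's own tooling): evidence for the identity controls
# via Microsoft Graph PowerShell. Read-only scopes; nothing in the tenant is changed.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Policy.Read.All','User.Read.All' -NoWelcome

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# --- MFA enforced on every user (incl. admins) ---
# The registration report also lists disabled accounts, so join it against
# enabled member users to match the "active users" wording of the control.
$activeIds = @{}
Get-MgUser -All -Filter "accountEnabled eq true and userType eq 'Member'" -Property Id |
    ForEach-Object { $activeIds[$_.Id] = $true }
$reg     = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
           Where-Object { $activeIds.ContainsKey($_.Id) }
$noMfa   = @($reg | Where-Object { -not $_.IsMfaRegistered })
$admNoMfa = @($noMfa | Where-Object { $_.IsAdmin })   # IsAdmin = holds a privileged role
Add-Finding 'MFA enforced on every user (incl. admins)' ($noMfa.Count -eq 0) `
    ("{0}/{1} active members not MFA-registered; {2} of them hold privileged roles" -f
        $noMfa.Count, @($reg).Count, $admNoMfa.Count)
$noMfa | Select-Object UserPrincipalName, IsAdmin, @{n='Methods';e={$_.MethodsRegistered -join ';'}} |
    Export-Csv .\evidence-mfa-gaps.csv -NoTypeInformation   # attach as the "M365 MFA report" gap list

# --- Security defaults / CA baseline applied ---
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caEnabled = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.State -eq 'enabled' })
Add-Finding 'Security defaults / CA baseline applied' ($sd.IsEnabled -or $caEnabled.Count -gt 0) `
    ("SecurityDefaults={0}; enabled CA policies: {1}" -f $sd.IsEnabled, ($caEnabled.DisplayName -join ', '))

# --- Block legacy authentication ---
# A blocking CA policy scoped to all users whose client-app condition covers the
# legacy client types (Exchange ActiveSync + "other" = POP/IMAP/SMTP basic auth).
$legacyBlock = @($caEnabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -and
    $_.Conditions.ClientAppTypes -contains 'other'
})
Add-Finding 'Block legacy authentication' ($legacyBlock.Count -gt 0) `
    ("Blocking policies: {0}" -f (($legacyBlock.DisplayName -join ', '), '<none>')[$legacyBlock.Count -eq 0])

# --- Restrict who can register apps + consent to apps ---
$authz = Get-MgPolicyAuthorizationPolicy
$perm  = $authz.DefaultUserRolePermissions
# User consent is off when no ManagePermissionGrantsForSelf.* policy is assigned to the default user role.
$userConsentOn = [bool]($perm.PermissionGrantPoliciesAssigned | Where-Object { $_ -like 'ManagePermissionGrantsForSelf.*' })
Add-Finding 'Restrict app registration + consent' ((-not $perm.AllowedToCreateApps) -and (-not $userConsentOn)) `
    ("UsersCanRegisterApps={0}; UserConsentEnabled={1}" -f $perm.AllowedToCreateApps, $userConsentOn)

$Findings | Format-Table -AutoSize
$Findings | Export-Csv .\evidence-identity-controls.csv -NoTypeInformation
```

Run it from an account holding a read-only role such as Global Reader; the CSVs are the artefacts to file against "Evidence to collect".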
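The workload-side controls (external sharing scope, mailbox auditing and retention, unified audit log) live in Exchange Online and SharePoint Online rather than Graph, and the "inbox rules created by an attacker" risk is best checked by enumerating rules that forward, redirect or delete mail. The script below is an added example, not part of this program's own tooling; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, uses a placeholder admin-center URL you must replace, and takes the 90-day retention floor from the control text. Whether the unified audit log actually reaches the SIEM cannot be read from the tenant and remains a check on the SIEM side.

```powershell
# Added example (not the page's own tooling): Exchange Online / SharePoint Online
# evidence for the sharing, auditing and audit-log controls, plus an inbox-rule sweep.
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url 'https://TENANT-PLACEHOLDER-admin.sharepoint.com'   # replace with your admin URL

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Control, [bool]$Pass, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
}

# --- External sharing scoped to known domains ---
$spo = Get-SPOTenant
$sharingOk = ($spo.SharingCapability -eq 'Disabled') -or
             ($spo.SharingDomainRestrictionMode -eq 'AllowList' -and -not [string]::IsNullOrWhiteSpace($spo.SharingAllowedDomainList))
Add-Finding 'External sharing scoped to known domains' $sharingOk `
    ("Capability={0}; RestrictionMode={1}; AllowedDomains='{2}'" -f $spo.SharingCapability, $spo.SharingDomainRestrictionMode, $spo.SharingAllowedDomainList)
$spo | Select-Object SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList |
    Export-Csv .\evidence-sharing-policy.csv -NoTypeInformation

# --- Mailbox auditing enabled, retention >= 90 days ---
$MinRetentionDays = 90                                   # threshold taken from the control text
$org = Get-OrganizationConfig                            # AuditDisabled=$true switches off auditing tenant-wide
$mbx = Get-EXOMailbox -ResultSize Unlimited -PropertySets Minimum,Audit
$auditGaps = @($mbx | Where-Object {
    -not $_.AuditEnabled -or ([TimeSpan]$_.AuditLogAgeLimit).TotalDays -lt $MinRetentionDays
})
Add-Finding 'Mailbox auditing enabled' ((-not $org.AuditDisabled) -and $auditGaps.Count -eq 0) `
    ("TenantAuditDisabled={0}; {1}/{2} mailboxes below the bar" -f $org.AuditDisabled, $auditGaps.Count, @($mbx).Count)
$auditGaps | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit |
    Export-Csv .\evidence-mailbox-audit-gaps.csv -NoTypeInformation

# --- Unified audit log enabled (SIEM forwarding is verified on the SIEM side) ---
$ual = Get-AdminAuditLogConfig
Add-Finding 'Unified audit log enabled' ([bool]$ual.UnifiedAuditLogIngestionEnabled) `
    ("UnifiedAuditLogIngestionEnabled={0}; SIEM source + sample query collected separately" -f $ual.UnifiedAuditLogIngestionEnabled)

# --- Risk: inbox rules that silently move mail out of the tenant ---
# Flags rules that forward/redirect to an address outside the accepted domains, or delete messages.
$ownDomains = (Get-AcceptedDomain).DomainName
$suspectRules = foreach ($m in $mbx) {
    foreach ($r in (Get-InboxRule -Mailbox $m.UserPrincipalName)) {
        $targets = @($r.ForwardTo) + @($r.ForwardAsAttachmentTo) + @($r.RedirectTo) | Where-Object { $_ }
        $external = foreach ($t in $targets) {
            # Targets render as "Name [SMTP:user@domain]" or a bare address; pull the domain part.
            if ("$t" -match '@([A-Za-z0-9.-]+)' -and $Matches[1] -notin $ownDomains) { "$t" }
        }
        if ($external -or $r.DeleteMessage) {
            [pscustomobject]@{ Mailbox = $m.UserPrincipalName; Rule = $r.Name; Enabled = $r.Enabled
                               ExternalTargets = ($external -join ';'); DeletesMail = [bool]$r.DeleteMessage }
        }
    }
}
$suspectRules | Export-Csv .\evidence-suspect-inbox-rules.csv -NoTypeInformation
Add-Finding 'Inbox rules sweep' (@($suspectRules).Count -eq 0) ("{0} rules need review" -f @($suspectRules).Count)

$Findings | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so the sweep takes a while on large tenants; schedule it rather than running it interactively, and review the exported rules with the mailbox owners rather than treating every hit as malicious.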