
Microsoft 365 Security Assessment SOP

Sub-procedure for Operate pillar managed services - M365 security posture evaluation

Service Pillar: Operate
Service Category: Microsoft 365 Security
Parent SOP: Cloud Operations SOP
Engagement Type: Assessment / Recurring Review


Overview

Comprehensive security assessment of Microsoft 365 environments to identify misconfigurations, policy gaps, and security vulnerabilities. This assessment evaluates tenant security settings, user configurations, data protection controls, and compliance posture against Microsoft security benchmarks and industry best practices.

Scope

Pillar: Operate (Managed Services)
Service Area: Microsoft 365 Security Assessment

In Scope

  • Microsoft Entra ID (formerly Azure AD) configuration review
  • Exchange Online security settings
  • SharePoint/OneDrive security controls
  • Teams collaboration security
  • Microsoft Defender XDR (formerly Microsoft 365 Defender) configuration
  • Conditional Access policies
  • Data Loss Prevention (DLP) policies
  • Secure Score evaluation

Out of Scope

  • Third-party application security (covered in vendor risk)
  • Custom application development
  • Endpoint device management (covered in EDR SOP)

Prerequisites

  • Read-only access to the Microsoft 365 tenant: Global Reader plus Security Reader is sufficient for an assessment. Global Administrator is not required and should not be requested for a read-only engagement, and the assessor account itself must be MFA-protected
  • Signed MSA/SOW with assessment scope defined
  • Client stakeholder availability for findings review
  • Access to current licensing documentation
  • Network diagram showing M365 integration points

Procedure

Step 1: Environment Discovery

Objective: Understand current M365 tenant configuration and licensing

Activities:
  1. Document tenant information (tenant ID, domains, licensing)
  2. Inventory enabled M365 services and features
  3. Identify administrative accounts and roles
  4. Map external collaborators and guest access
  5. Review current security baseline documentation

Tools:
  • Microsoft 365 admin center
  • Microsoft Entra admin center (formerly Azure AD admin center)
  • Microsoft Graph PowerShell

Duration: 2-4 hours
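The discovery activities above can be collected in one scripted pass instead of by hand in the admin centers. The following is an added example written for this SOP, not a script shipped with it or by Microsoft. It assumes PowerShell 7 (for the `??` operator), the Microsoft.Graph modules, and a read-only assessor account; the evidence folder name is an assumption. Guest sign-in activity needs the AuditLog.Read.All scope and an Entra ID P1/P2 licence in the tenant.

```powershell
# Added example (not part of the SOP): Step 1 discovery with Microsoft Graph PowerShell.
# Assumes PowerShell 7, the Microsoft.Graph modules, and a read-only assessor role
# (Global Reader covers every query here). The evidence folder name is an assumption.
Connect-MgGraph -NoWelcome -Scopes @(
    'Organization.Read.All', 'Directory.Read.All', 'User.Read.All',
    'RoleManagement.Read.Directory', 'AuditLog.Read.All'
)

$evidence = Join-Path $PWD 'm365-discovery'          # assumed evidence folder
New-Item -ItemType Directory -Path $evidence -Force | Out-Null

# Activity 1: tenant identity and verified domains
$org = Get-MgOrganization
[pscustomobject]@{
    TenantId    = $org.Id
    DisplayName = $org.DisplayName
    Created     = $org.CreatedDateTime
    Domains     = ($org.VerifiedDomains | ForEach-Object Name) -join ';'
} | Export-Csv (Join-Path $evidence 'tenant.csv') -NoTypeInformation

# Activities 1 and 2: each subscribed SKU, its seat counts, and the service plans it actually enables
Get-MgSubscribedSku | ForEach-Object {
    [pscustomobject]@{
        Sku           = $_.SkuPartNumber
        SeatsEnabled  = $_.PrepaidUnits.Enabled
        SeatsConsumed = $_.ConsumedUnits
        ServicePlans  = ($_.ServicePlans | Where-Object ProvisioningStatus -eq 'Success' |
                         ForEach-Object ServicePlanName) -join ';'
    }
} | Export-Csv (Join-Path $evidence 'licensing.csv') -NoTypeInformation

# Activity 3: every active directory-role assignment, with the role name resolved from its definition
$roleName = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleName[$_.Id] = $_.DisplayName }

$admins = Get-MgRoleManagementDirectoryRoleAssignment -All -ExpandProperty Principal | ForEach-Object {
    $p = $_.Principal.AdditionalProperties
    [pscustomobject]@{
        Role          = $roleName[$_.RoleDefinitionId]
        PrincipalType = ($p['@odata.type'] -replace '#microsoft.graph.', '')   # user / group / servicePrincipal
        Principal     = $p['userPrincipalName'] ?? $p['displayName']
        Scope         = $_.DirectoryScopeId                                     # '/' means tenant-wide
    }
}
$admins | Sort-Object Role, Principal | Export-Csv (Join-Path $evidence 'admin-roles.csv') -NoTypeInformation

# Headline figure for the discovery notes: Global Administrators, and how many are not human users
$ga = @($admins | Where-Object Role -eq 'Global Administrator')
'Global Administrators: {0} ({1} are groups or service principals)' -f $ga.Count,
    @($ga | Where-Object PrincipalType -ne 'user').Count

# Activity 4: guest accounts and when each last signed in (stale guests are a common finding)
Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, UserPrincipalName, Mail, CreatedDateTime, AccountEnabled, SignInActivity |
    Select-Object UserPrincipalName, Mail, CreatedDateTime, AccountEnabled,
        @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Export-Csv (Join-Path $evidence 'guests.csv') -NoTypeInformation
```

The CSV exports are the technical evidence the Quality Gates call for; keep them with the engagement workbook rather than re-running the queries at report time, since role membership and guest counts drift during the engagement.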

Step 2: Secure Score Analysis

Objective: Benchmark current security posture against Microsoft recommendations

Activities:
  1. Export current Secure Score and improvement actions
  2. Prioritize recommendations by impact and effort
  3. Identify quick wins (high impact, low effort)
  4. Document score trajectory and historical trends
  5. Compare against industry benchmarks

Tools:
  • Microsoft Defender portal (formerly Microsoft 365 Defender portal)
  • Secure Score dashboard

Duration: 1-2 hours
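Secure Score, its daily history, and the per-control metadata are all exposed through Microsoft Graph, so the export, the trend, and the quick-win triage in this step can be produced from one script. This is an added example for the SOP, not Microsoft's tooling. It assumes the Microsoft.Graph.Security module; the quick-win rule (at least 5 points available, low implementation cost, user impact not high) is an assessor-chosen threshold, not a Microsoft definition, and the output file name is an assumption.

```powershell
# Added example (not part of the SOP): Step 2 Secure Score export and quick-win triage via Graph.
# Assumes the Microsoft.Graph.Security module. Quick-win thresholds and the output file are assumptions.
Connect-MgGraph -NoWelcome -Scopes 'SecurityEvents.Read.All'

# Graph keeps one secureScore record per day for roughly the last 90 days; sort oldest to newest.
$history = @(Get-MgSecuritySecureScore -All | Sort-Object CreatedDateTime)
$latest  = $history[-1]
$oldest  = $history[0]

'Current Secure Score: {0:N1} / {1:N1} ({2:P0}) as of {3:yyyy-MM-dd}' -f `
    $latest.CurrentScore, $latest.MaxScore, ($latest.CurrentScore / $latest.MaxScore), $latest.CreatedDateTime
'Trend since {0:yyyy-MM-dd}: {1:+0.0;-0.0;0.0} points' -f `
    $oldest.CreatedDateTime, ($latest.CurrentScore - $oldest.CurrentScore)

# Control profiles carry what prioritisation needs: max points, implementation cost, user impact, remediation text.
$profile = @{}
Get-MgSecuritySecureScoreControlProfile -All | ForEach-Object { $profile[$_.Id] = $_ }

$actions = foreach ($c in $latest.ControlScores) {
    $p = $profile[$c.ControlName]
    if (-not $p -or $p.Deprecated) { continue }               # retired controls carry no points
    $gap = [double]$p.MaxScore - [double]$c.Score             # points still on the table
    if ($gap -le 0) { continue }                              # fully implemented
    [pscustomobject]@{
        Control     = $p.Title
        Service     = $p.Service
        Category    = $c.ControlCategory
        PointsGap   = [math]::Round($gap, 1)
        Cost        = $p.ImplementationCost
        UserImpact  = $p.UserImpact
        # Assumed quick-win rule: worth >= 5 points, cheap to implement, does not disrupt users
        QuickWin    = ($gap -ge 5 -and $p.ImplementationCost -eq 'Low' -and $p.UserImpact -ne 'High')
        Remediation = $p.Remediation
    }
}

$ranked = $actions | Sort-Object @{ e = 'QuickWin'; Descending = $true }, @{ e = 'PointsGap'; Descending = $true }
$ranked | Export-Csv 'secure-score-actions.csv' -NoTypeInformation     # assumed output file
$ranked | Where-Object QuickWin | Select-Object Control, PointsGap, Cost, UserImpact | Format-Table -AutoSize
```

Treat the score as a relative measure: a control the client has deliberately accepted the risk on (recorded in the portal as a "risk accepted" or third-party-mitigated state) still shows as points available here, so reconcile the export against documented exceptions before presenting gaps as findings.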

Step 3: Identity & Access Review

Objective: Evaluate authentication and authorization controls

Activities:
  1. Review MFA enrollment and enforcement policies
  2. Assess Conditional Access policy coverage
  3. Identify privileged accounts and PIM configuration
  4. Evaluate legacy authentication status
  5. Review password policies and self-service reset
  6. Assess guest access policies and B2B settings

Assessment Criteria:

| Control | Target State | Risk if Gap |
|---------|--------------|-------------|
| MFA Enforcement | 100% users | Critical |
| Legacy Auth Blocked | Fully blocked | High |
| Privileged Access | PIM-managed | High |
| Conditional Access | Risk-based policies | Medium |

Duration: 3-4 hours
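The four rows of the Assessment Criteria table can be tested directly against tenant configuration rather than inferred from screenshots. The script below is an added example for this SOP, not Microsoft or vendor code. It assumes the Microsoft.Graph modules (Identity.SignIns, Identity.Governance, Reports), a read-only assessor account, and Entra ID P1/P2 for the registration report and PIM queries. The pass/gap logic (for example, a legacy-auth block must target all users on both the "other" and Exchange ActiveSync client types, and fewer than five permanent Global Administrators) is the assessor's interpretation of the targets, stated as an assumption.

```powershell
# Added example (not part of the SOP): Step 3 identity checks scored against the Assessment Criteria table.
# Assumes Microsoft.Graph modules and read-only roles; check thresholds are the assessor's assumptions.
Connect-MgGraph -NoWelcome -Scopes @(
    'Policy.Read.All', 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All',
    'RoleManagement.Read.Directory', 'Directory.Read.All'
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($Control, $Pass, $Detail) {
    $findings.Add([pscustomobject]@{
        Control = $Control; Status = $(if ($Pass) { 'PASS' } else { 'GAP' }); Detail = $Detail
    })
}

# Conditional Access: only policies in state 'enabled' enforce anything; report-only mode blocks nobody.
$ca         = Get-MgIdentityConditionalAccessPolicy -All
$enabled    = $ca | Where-Object State -eq 'enabled'
$reportOnly = @($ca | Where-Object State -eq 'enabledForReportingButNotEnforced')

# Legacy Auth Blocked: block grant, all users, covering the 'other' (legacy protocol) and EAS client types
$legacyBlock = $enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.ClientAppTypes -contains 'other' -and
    $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync'
}
Add-Finding 'Legacy Auth Blocked' ([bool]$legacyBlock) ('Enforcing policies: ' + (@($legacyBlock.DisplayName) -join ', '))

# MFA Enforcement (policy): all users, all cloud apps, grant requires mfa or an authentication strength
$mfaAll = $enabled | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and
    $_.Conditions.Applications.IncludeApplications -contains 'All' -and
    ($_.GrantControls.BuiltInControls -contains 'mfa' -or $_.GrantControls.AuthenticationStrength.Id)
}
Add-Finding 'MFA Enforcement (policy)' ([bool]$mfaAll) ('Enforcing policies: ' + (@($mfaAll.DisplayName) -join ', ') +
    "; report-only policies ignored: $($reportOnly.Count)")

# Conditional Access (risk-based): any enabled policy keyed on sign-in risk or user risk
$riskBased = $enabled | Where-Object { $_.Conditions.SignInRiskLevels -or $_.Conditions.UserRiskLevels }
Add-Finding 'Conditional Access (risk-based)' ([bool]$riskBased) (@($riskBased.DisplayName) -join ', ')

# MFA Enforcement (registration): policy is only as good as enrolment; admins without MFA are called out
$reg                 = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$notRegistered       = @($reg | Where-Object { -not $_.IsMfaRegistered })
$adminsNotRegistered = @($notRegistered | Where-Object IsAdmin)
Add-Finding 'MFA Enforcement (registration)' ($notRegistered.Count -eq 0) `
    ('{0} of {1} users not MFA-registered; {2} of them hold admin roles' -f $notRegistered.Count, $reg.Count, $adminsNotRegistered.Count)

# Privileged Access: permanent ('Assigned', no end date) instances are standing access; PIM use shows as eligibility
$roleName = @{}
Get-MgRoleManagementDirectoryRoleDefinition -All | ForEach-Object { $roleName[$_.Id] = $_.DisplayName }
$standing   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }
$eligible   = @(Get-MgRoleManagementDirectoryRoleEligibilitySchedule -All)
$standingGA = @($standing | Where-Object { $roleName[$_.RoleDefinitionId] -eq 'Global Administrator' })
# Assumed threshold: PIM in use and fewer than 5 permanent Global Administrators (break-glass accounts included)
Add-Finding 'Privileged Access (PIM-managed)' ($eligible.Count -gt 0 -and $standingGA.Count -lt 5) `
    ('{0} PIM-eligible assignments; {1} permanent Global Administrator assignments' -f $eligible.Count, $standingGA.Count)

$findings | Format-Table -AutoSize
$findings | Export-Csv 'identity-findings.csv' -NoTypeInformation   # assumed output file
```

A policy-level PASS is not a coverage PASS: exclusion groups on the matching policies still need to be opened and reviewed by hand, since a broad "All users" policy with a large excluded group is a common way MFA and legacy-auth controls silently fail.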

Step 4: Data Protection Assessment

Objective: Evaluate controls protecting sensitive data

Activities:
  1. Review sensitivity labels and classification policies
  2. Assess DLP policy coverage and effectiveness
  3. Evaluate external sharing controls
  4. Review retention policies and compliance
  5. Assess eDiscovery and legal hold configurations
  6. Check Microsoft Purview Information Protection (formerly Azure Information Protection) integration

Duration: 2-3 hours
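The label, DLP, sharing, and retention settings reviewed in this step live in Security & Compliance PowerShell and the SharePoint Online tenant object. The following is an added example for the SOP, not vendor code. It assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules; the SharePoint admin URL is an assumption and must be replaced with the client tenant's. The interpretive notes (a DLP policy in a test mode enforces nothing, an unpublished label protects nothing, anonymous links that never expire are a finding) are the assessor's reading of the settings.

```powershell
# Added example (not part of the SOP): Step 4 data-protection inventory.
# Assumes ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell; the admin URL is an assumption.
Connect-IPPSSession
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # assumed tenant admin URL

# Activity 1: a sensitivity label only reaches users if a label policy publishes it
$labels    = @(Get-Label)
$policies  = @(Get-LabelPolicy)
$published = @($policies | ForEach-Object { $_.Labels } | Select-Object -Unique)
'{0} sensitivity labels defined, {1} published through {2} label policies' -f $labels.Count, $published.Count, $policies.Count

# Activity 2: DLP mode matters; TestWithNotifications / TestWithoutNotifications report but do not block
$dlp = @(Get-DlpCompliancePolicy)
$dlp | Select-Object Name, Enabled, Mode, WhenChanged,
    @{ n = 'Exchange';   e = { [bool]$_.ExchangeLocation } },
    @{ n = 'SharePoint'; e = { [bool]$_.SharePointLocation } },
    @{ n = 'OneDrive';   e = { [bool]$_.OneDriveLocation } },
    @{ n = 'Teams';      e = { [bool]$_.TeamsLocation } } |
    Sort-Object Mode | Format-Table -AutoSize
'DLP policies actually enforcing: {0} of {1}' -f @($dlp | Where-Object { $_.Enabled -and $_.Mode -eq 'Enable' }).Count, $dlp.Count

# Activity 3: tenant-level external sharing posture (site-level settings can only be tighter than this)
$t = Get-SPOTenant
[pscustomobject]@{
    SharingCapability         = $t.SharingCapability                   # Disabled / ExistingExternalUserSharingOnly / ExternalUserSharingOnly / ExternalUserAndGuestSharing
    AnonymousLinksAllowed     = ($t.SharingCapability -eq 'ExternalUserAndGuestSharing')
    DefaultSharingLinkType    = $t.DefaultSharingLinkType               # 'AnonymousAccess' as the default is a finding
    AnonymousLinkExpiryDays   = $t.RequireAnonymousLinksExpireInDays    # -1 means links never expire
    ExternalUsersCanReshare   = -not $t.PreventExternalUsersFromResharing
    OneDriveSharingCapability = $t.OneDriveSharingCapability
} | Format-List

# Activities 4 and 5: retention policies by workload, and open eDiscovery cases (holds hang off these)
Get-RetentionCompliancePolicy | Select-Object Name, Enabled, Mode, Workload | Format-Table -AutoSize
Get-ComplianceCase -CaseType eDiscovery | Select-Object Name, Status, CreatedDateTime | Format-Table -AutoSize
```

Record the raw `Get-SPOTenant` output as evidence alongside the summarised object; the summary encodes the assessor's judgement, and the client will reasonably ask to see the underlying setting.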

Step 5: Threat Protection Review

Objective: Assess anti-malware and threat detection capabilities

Activities:
  1. Review Microsoft Defender for Office 365 policies
  2. Assess Safe Attachments and Safe Links configuration
  3. Review anti-phishing policies and impersonation protection
  4. Evaluate attack simulation training status
  5. Review alert policies and incident response readiness
  6. Assess Microsoft Defender for Cloud Apps integration

Duration: 2-3 hours
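Activities 1 to 3 above are policy comparisons, which are better done in Exchange Online PowerShell than by clicking through each policy in the portal. The script below is an added example for this SOP, not Microsoft code. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence; the expected values are the assessor's baseline (chosen to match Microsoft's Standard preset) rather than values the SOP dictates. One caveat the portal hides and the script checks: a custom policy applies to no one unless an enabled rule (or a preset-policy rule) binds it to recipients.

```powershell
# Added example (not part of the SOP): Step 5 Defender for Office 365 policy review.
# Assumes the ExchangeOnlineManagement module; the expected values are an assessor-chosen baseline.
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()
function Test-Setting($Area, $Policy, $Setting, $Actual, $Expected) {
    $findings.Add([pscustomobject]@{
        Area = $Area; Policy = $Policy; Setting = $Setting; Actual = $Actual; Expected = $Expected
        Status = $(if ("$Actual" -eq "$Expected") { 'PASS' } else { 'GAP' })
    })
}

# Which policies are actually bound to recipients? Custom rules and the Standard/Strict preset rules both count.
$bound = @{}
Get-AntiPhishRule          | Where-Object State -eq 'Enabled' | ForEach-Object { $bound[$_.AntiPhishPolicy] = $true }
Get-SafeLinksRule          | Where-Object State -eq 'Enabled' | ForEach-Object { $bound[$_.SafeLinksPolicy] = $true }
Get-SafeAttachmentRule     | Where-Object State -eq 'Enabled' | ForEach-Object { $bound[$_.SafeAttachmentPolicy] = $true }
Get-EOPProtectionPolicyRule | Where-Object State -eq 'Enabled' | ForEach-Object { $bound[$_.AntiPhishPolicy] = $true }
Get-ATPProtectionPolicyRule | Where-Object State -eq 'Enabled' | ForEach-Object {
    $bound[$_.SafeLinksPolicy] = $true; $bound[$_.SafeAttachmentPolicy] = $true
}

# Activity 3: anti-phishing and impersonation protection
foreach ($p in Get-AntiPhishPolicy) {
    if (-not $p.IsDefault -and -not $bound[$p.Name]) { Test-Setting 'AntiPhish' $p.Name 'BoundByEnabledRule' $false $true; continue }
    Test-Setting 'AntiPhish' $p.Name 'EnableMailboxIntelligence'           $p.EnableMailboxIntelligence           $true
    Test-Setting 'AntiPhish' $p.Name 'EnableMailboxIntelligenceProtection' $p.EnableMailboxIntelligenceProtection $true
    Test-Setting 'AntiPhish' $p.Name 'EnableTargetedUserProtection'        $p.EnableTargetedUserProtection        $true
    Test-Setting 'AntiPhish' $p.Name 'EnableOrganizationDomainsProtection' $p.EnableOrganizationDomainsProtection $true
    Test-Setting 'AntiPhish' $p.Name 'EnableSpoofIntelligence'             $p.EnableSpoofIntelligence             $true
    Test-Setting 'AntiPhish' $p.Name 'PhishThresholdLevel>=2'              ($p.PhishThresholdLevel -ge 2)         $true
}

# Activity 2: Safe Links
foreach ($p in Get-SafeLinksPolicy) {
    if (-not $p.IsDefault -and -not $bound[$p.Name]) { Test-Setting 'SafeLinks' $p.Name 'BoundByEnabledRule' $false $true; continue }
    foreach ($s in 'EnableSafeLinksForEmail', 'EnableSafeLinksForTeams', 'EnableSafeLinksForOffice',
                   'ScanUrls', 'DeliverMessageAfterScan', 'TrackClicks', 'EnableForInternalSenders') {
        Test-Setting 'SafeLinks' $p.Name $s $p.$s $true
    }
    Test-Setting 'SafeLinks' $p.Name 'AllowClickThrough' $p.AllowClickThrough $false   # users must not bypass the verdict
}

# Activity 2: Safe Attachments (Allow/Replace let the attachment through; Block or DynamicDelivery are the safe actions)
foreach ($p in Get-SafeAttachmentPolicy) {
    if (-not $p.IsDefault -and -not $bound[$p.Name]) { Test-Setting 'SafeAttachments' $p.Name 'BoundByEnabledRule' $false $true; continue }
    Test-Setting 'SafeAttachments' $p.Name 'Enable' $p.Enable $true
    Test-Setting 'SafeAttachments' $p.Name 'Action in Block/DynamicDelivery' ($p.Action -in 'Block', 'DynamicDelivery') $true
}

# Activity 1: tenant-wide switches (Safe Documents needs E5-level licensing; a GAP there may be licensing, not misconfiguration)
$atp = Get-AtpPolicyForO365
Test-Setting 'Global' 'Default' 'EnableATPForSPOTeamsODB' $atp.EnableATPForSPOTeamsODB $true
Test-Setting 'Global' 'Default' 'EnableSafeDocs'          $atp.EnableSafeDocs          $true

$findings | Sort-Object Status, Area, Policy | Format-Table -AutoSize
$findings | Export-Csv 'defender-office-findings.csv' -NoTypeInformation   # assumed output file
```

Where the client uses the Standard or Strict preset security policies, compare the custom policies against the preset's settings rather than marking every GAP as remediation work: a custom policy that is weaker than the preset but scoped to a subset of users that the preset also covers is a precedence question, not a protection gap, and the report should say which policy wins for those recipients.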

Step 6: Findings Documentation & Prioritization

Objective: Compile findings into actionable report

Activities:
  1. Categorize findings by severity (Critical/High/Medium/Low)
  2. Map findings to compliance frameworks (if applicable)
  3. Develop remediation recommendations
  4. Estimate remediation effort and timeline
  5. Create executive summary with risk ratings

Severity Matrix:

| Severity | Criteria | Remediation SLA |
|----------|----------|-----------------|
| Critical | Active exploitation risk, no compensating controls | 24-48 hours |
| High | Significant risk, exploitable vulnerability | 1-2 weeks |
| Medium | Moderate risk, defense-in-depth gap | 30 days |
| Low | Best practice deviation, minimal risk | 90 days |

Duration: 4-6 hours


Deliverables

| Deliverable | Format | Owner |
|-------------|--------|-------|
| M365 Security Assessment Report | PDF/Word | Lead Consultant |
| Secure Score Analysis | Excel | Technical Analyst |
| Remediation Roadmap | Excel/Project | Engagement Manager |
| Executive Summary | PDF (2-page) | Engagement Manager |
| Technical Findings Workbook | Excel | Technical Analyst |

Quality Gates

  • All M365 services in scope have been assessed
  • Secure Score baseline documented with improvement targets
  • Findings validated with technical evidence (screenshots/exports)
  • Remediation recommendations include effort estimates
  • Report reviewed by senior consultant before delivery
  • Executive summary accessible to non-technical stakeholders
  • Client stakeholder walkthrough scheduled


Last Updated: February 2026