Microsoft 365 Security Checklist 2026

Q: Does Senserva cover every item on this checklist?

Yes. Every item maps to one or more of Senserva's 650+ automated checks across identity, privileged access, applications, devices, patch, email, logging, and data. A single read-only scan evaluates the whole list and ranks findings by Severity.

Identity and access

The highest-impact, lowest-effort wins. Start here.

Require phishing-resistant MFA for all users (authenticator number matching, FIDO2, or Windows Hello), not just admins
Senserva checks this Define authentication strength policies so sensitive apps require the strongest methods
Senserva checks this Block legacy authentication tenant-wide with Conditional Access
Senserva checks this Build a Conditional Access baseline with no coverage gaps and nothing stuck in report-only
Senserva checks this Review Conditional Access exclusion groups and remove members who no longer need exceptions
Senserva checks this Enable Identity Protection risk policies for risky users and risky sign-ins
Senserva checks this Configure two or more monitored break-glass accounts excluded from MFA policies
Senserva checks this Enable Entra Password Protection and self-service password reset with strong verification
Senserva checks this

Privileged access

Limit the blast radius of a compromised account.

Minimize Global Administrators to a small, named set
Senserva checks this Make privileged roles eligible (just-in-time) with PIM, not permanently active
Senserva checks this Require MFA and approval on PIM activation and cap activation duration
Senserva checks this Review Azure RBAC: audit subscription Owner and Contributor assignments
Senserva checks this

Applications and consent

The most overlooked attack surface in Microsoft 365.

Restrict user app consent; require admin consent beyond low-risk scopes
Senserva checks this Audit OAuth grants and application permissions for over-broad scopes
Senserva checks this Find and rotate long-lived or expiring app secrets and certificates
Senserva checks this Review risky service principals, especially high-privilege ones with recent credential changes
Senserva checks this

Devices and endpoints (Intune and Defender)

Where hardening most often drifts. One of the largest check areas.

Define device compliance policies and tie them to Conditional Access
Senserva checks this Enforce a hardened configuration baseline via Intune configuration profiles
Senserva checks this Confirm Defender Antivirus (real-time and cloud-delivered) and host firewall are on
Senserva checks this Require BitLocker disk encryption and escrow recovery keys
Senserva checks this Enable high-value Attack Surface Reduction (ASR) rules in enforce mode, not audit
Senserva checks this Keep update rings current so patches actually land on devices
Senserva checks this

Patch and vulnerabilities

Prioritize by real-world exploitation, not raw counts.

Track missing patches and prioritize by CISA KEV and EPSS, not CVSS alone
Senserva checks this Confirm no actively exploited CVE is left unpatched on a managed device
Senserva checks this

Email and collaboration

The front door for phishing, and where data leaves.

Enable anti-phishing with impersonation and spoof protection
Senserva checks this Enable anti-malware and anti-spam policies with sensible actions
Senserva checks this Turn on Safe Links and Safe Attachments across email, Teams, and Office
Senserva checks this Constrain external sharing in SharePoint and OneDrive; review Teams guest access
Senserva checks this

Logging and detection

You cannot investigate what you did not log.

Confirm the unified audit log is enabled and healthy
Senserva checks this Retain sign-in and audit logs beyond the 14-day default in a SIEM such as Microsoft Sentinel
Senserva checks this Confirm provisioning logs and security alert pipelines are flowing
Senserva checks this

Data protection (Purview)

Control where sensitive data goes.

Define a usable sensitivity label taxonomy and apply it to sensitive data
Senserva checks this Apply retention policies and confirm DLP covers your regulated data types
Senserva checks this

Frameworks and drift

Make hardening provable, and keep it from decaying.

Map every control to CISA SCuBA and the Microsoft Cloud Security Benchmark (MCSB)
Senserva checks this Monitor continuously for configuration drift and alert on meaningful change
Senserva checks this Remediate findings with validated fixes you approve before they ship
Senserva checks this

Check all of this in one scan

Senserva runs every item on this checklist as part of its 650+ checks, maps each to a framework, and proposes a validated fix. No agents, no cloud pipeline.

Scan your tenant free See all 650+ checks

Frequently asked questions

Does Senserva cover every item on this checklist?

Yes. Every item here maps to one or more of Senserva's 650+ automated checks across identity, privileged access, applications, devices, patch, email, logging, and data. A single read-only scan evaluates the whole list and ranks findings by Severity. See the full checks catalog.

Is this checklist free to use?

Yes. The checklist is free and your progress is saved locally in your browser, nothing is sent to us. Running an automated scan of your own tenant is also free after a quick registration.

How is this different from Microsoft Secure Score?

Secure Score is a single number. This checklist is concrete, ordered actions, and Senserva turns each into a finding-by-finding result mapped to CISA SCuBA and MCSB with a validated remediation, including device posture, patch coverage, and log health that Secure Score is light on.

How often should I run through it?

Hardening decays as tenants change, so treat it as continuous rather than one-time. Re-check after any significant change, and use drift monitoring to catch the slow slide between reviews.

A practical, interactive checklist for securing a Microsoft 365 tenant across identity, devices, applications, email, logging, patch, and data. Check items off as you go, your progress is saved in your browser.