Microsoft 365 Resource

How to Prepare for a Basic Microsoft 365 Security Assessment

A Microsoft 365 security assessment does not need to be overwhelming. The goal is to understand what accounts exist, who has access, what protections are enabled, and which settings need cleanup.

Start here

Why this matters

Many small businesses wait until an email account is compromised or an employee leaves before reviewing Microsoft 365. Preparing early gives you a clearer view of your risk.

Use this resource when

  • You are preparing for an IT review.
  • Your business recently added or removed employees.
  • You have not reviewed Microsoft 365 in the last few months.
  • You want a plain-English summary of what needs attention.

What to review

  • Active and inactive user accounts.
  • Administrator roles and privileged access.
  • Multi-Factor Authentication (MFA) status.
  • Mailbox forwarding and email rules.
  • Shared mailboxes and group membership.
  • License usage and unused subscriptions.
  • Security alerts and risky sign-ins.
Step by step

Practical checklist

  1. Gather a list of active employees and approved vendors.
  2. Compare that list to Microsoft 365 user accounts.
  3. Review administrator roles and document why each person has access.
  4. Confirm Multi-Factor Authentication (MFA) is enabled.
  5. Check mailboxes for forwarding rules and unusual settings.
  6. Create a cleanup list with priority, owner, and due date.
Avoid these issues

Common mistakes

  • Reviewing only active email accounts and ignoring shared mailboxes.
  • Assuming Multi-Factor Authentication (MFA) is enabled for everyone.
  • Not checking external forwarding.
  • Not documenting who approved administrator access.
  • Waiting until after a security issue to perform the review.

Need help turning this into a working process?

J3 Systems Group can perform a practical Microsoft 365 security review and provide a clear list of recommended fixes.

Schedule a consultation

Related resources