Start here Why this matters Many small businesses wait until an email account is compromised or an employee leaves before reviewing Microsoft 365. Preparing early gives you a clearer view of your risk. Use this resource when You are preparing for an IT review. Your business recently added or removed employees. You have not reviewed Microsoft 365 in the last few months. You want a plain-English summary of what needs attention. What to review Active and inactive user accounts. Administrator roles and privileged access. Multi-Factor Authentication (MFA) status. Mailbox forwarding and email rules. Shared mailboxes and group membership. License usage and unused subscriptions. Security alerts and risky sign-ins.
Step by step Practical checklist Gather a list of active employees and approved vendors. Compare that list to Microsoft 365 user accounts. Review administrator roles and document why each person has access. Confirm Multi-Factor Authentication (MFA) is enabled. Check mailboxes for forwarding rules and unusual settings. Create a cleanup list with priority, owner, and due date.
Avoid these issues Common mistakes Reviewing only active email accounts and ignoring shared mailboxes. Assuming Multi-Factor Authentication (MFA) is enabled for everyone. Not checking external forwarding. Not documenting who approved administrator access. Waiting until after a security issue to perform the review.
Microsoft 365 Security Checklist for Small Businesses Use this checklist to review the Microsoft 365 settings that most small businesses depend on every day. It is designed for business owners and office managers who need a practical way to reduce account, email, and access risk.
Password and Multi-Factor Authentication Best Practices for Small Businesses Passwords are still one of the most common weak points in a small business. Multi-Factor Authentication (MFA) adds a second layer of protection when a password is guessed, reused, or stolen.
Phishing Readiness Checklist for Small Businesses Phishing emails try to trick employees into sharing passwords, opening malicious links, sending payments, or changing account information.