Start here Why this matters Microsoft 365 often grows quickly. Employees are added, licenses change, shared mailboxes appear, and administrator access can become unclear. A basic security review helps confirm that the right people have the right access. Use this resource when You are not sure who has administrator access. Employees use Microsoft 365 for email, files, and Teams. Multi-Factor Authentication is not fully enforced. You want a basic security review before something breaks. What to review Confirm every active user account belongs to a current employee or approved vendor. Review global administrator and privileged administrator roles. Turn on Multi-Factor Authentication (MFA) for every account. Review shared mailboxes, distribution lists, and external forwarding. Check license assignments and remove unused licenses. Review sign-in activity for unusual locations or inactive accounts.
Step by step Practical checklist Export or review your active user list. Mark each user as current employee, vendor, shared account, or former employee. Review administrator roles and remove access that is no longer needed. Confirm Multi-Factor Authentication (MFA) is enabled and working. Review shared mailboxes and external forwarding rules. Document anything that needs cleanup and assign an owner.
Avoid these issues Common mistakes Leaving old employee accounts active. Giving too many people administrator access. Using shared accounts instead of named accounts. Forgetting to review mailbox forwarding. Keeping unused licenses because no one checks them.
How to Prepare for a Basic Microsoft 365 Security Assessment A Microsoft 365 security assessment does not need to be overwhelming. The goal is to understand what accounts exist, who has access, what protections are enabled, and which settings need cleanup.
Password and Multi-Factor Authentication Best Practices for Small Businesses Passwords are still one of the most common weak points in a small business. Multi-Factor Authentication (MFA) adds a second layer of protection when a password is guessed, reused, or stolen.
Phishing Readiness Checklist for Small Businesses Phishing emails try to trick employees into sharing passwords, opening malicious links, sending payments, or changing account information.