What Is a Microsoft 365 Security Audit?
A Microsoft 365 security audit reviews your tenant's configuration against best-practice security standards, identifies misconfigurations and gaps, and produces a prioritised remediation plan. Most M365 tenants have exploitable weaknesses that were introduced at setup or have drifted over time.
Direct Answer
A Microsoft 365 security audit is a structured review of your M365 tenant covering identity and MFA settings, Conditional Access policies, email security configuration (DMARC, safe attachments, anti-phishing), Intune device compliance, SharePoint permissions, and audit logging. Most tenants have exploitable misconfigurations introduced at setup. AMVIA conducts M365 security audits for UK SMEs and implements remediation as part of the same engagement.
What an M365 Security Audit Reviews
A thorough audit covers six areas of the Microsoft 365 environment most commonly associated with security gaps.
Identity and MFA
Checks whether MFA is enforced for all users, whether legacy authentication is blocked, and whether admin accounts have appropriate protection including Privileged Identity Management.
Conditional Access Policies
Reviews existing Conditional Access rules for completeness — covering all users, applications, and risk conditions — and identifies gaps in the policy set.
Email Security Configuration
Checks anti-phishing, anti-spam, and safe attachments policies in Defender for Office 365, and validates SPF, DKIM, and DMARC DNS records.
Device Compliance (Intune)
Reviews Intune enrolment coverage, compliance policies, and whether non-compliant devices are blocked from accessing corporate resources.
Data and SharePoint Permissions
Identifies overly permissive sharing settings, public-facing SharePoint sites, and data that may be accessible to unintended users inside or outside the organisation.
Audit Logging and Alerting
Confirms unified audit logging is enabled, that alert policies are configured, and that there is a process for reviewing security events.
Typical M365 Audit Findings: Before vs After
The most common misconfigurations found in M365 tenants during a security audit, and the remediated state.
| Feature | Common starting state (typical M365 misconfiguration) | Post-audit state (recommended remediated configuration) |
|---|---|---|
| MFA enforced for all users | Partial (self-enrolled) | Enforced via Conditional Access |
| Legacy authentication blocked | | |
| DMARC policy configured | None or p=none | p=quarantine or p=reject |
| Safe attachments active for all users | | |
| External sharing restricted | Anyone with link | Specific people only |
| Admin accounts MFA-protected | | |
| Unified audit log enabled | | |
These are illustrative findings based on common audit outcomes. Results vary by organisation.
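An added check for the DMARC and SPF part of the email security review above, graded against the starting and remediated states in the table (example code, not AMVIA's tooling); it runs against constructed sample TXT records for two made-up domains rather than live DNS lookups:

```python
# Constructed sample TXT records for two made-up domains (a real audit resolves these via DNS).
SAMPLE_RECORDS = {
    "_dmarc.before.example": "v=DMARC1; p=none; rua=mailto:dmarc@before.example",
    "before.example": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.after.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@after.example",
    "after.example": "v=spf1 include:spf.protection.outlook.com -all",
}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict keyed by lower-cased tag."""
    pairs = (part.partition("=") for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, _, v in pairs}

def assess_dmarc(record):
    """Classify a DMARC record using the table's states: None or p=none is the weak state."""
    if not record:
        return "None", "No DMARC record; receivers cannot reject spoofed mail from this domain"
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "Invalid", "Record must begin with v=DMARC1 or receivers ignore it"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "p=none", "Monitoring only; move to p=quarantine, then p=reject, once SPF/DKIM alignment is confirmed"
    if policy not in ("quarantine", "reject"):
        return "Invalid", f"Unknown policy value p={policy}"
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        return f"p={policy}", f"Policy applied to only {pct}% of mail; raise pct to 100"
    return f"p={policy}", "Enforced"

def assess_spf(record):
    """Check the SPF record exists and ends in a hard fail (-all), not softfail or pass-all."""
    if not record:
        return "None", "No SPF record; any server can send as this domain"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "Invalid", "Record must begin with v=spf1"
    final = terms[-1].lower()
    if final == "-all":
        return "-all", "Enforced"
    if final in ("~all", "?all", "+all", "all"):
        return final, "Unauthorised senders are not rejected; change the final mechanism to -all"
    return "no all", "Record has no terminating all mechanism; append -all"

def audit_domain(domain, records=SAMPLE_RECORDS):
    """Return one finding per feature for a domain, mirroring the before/after table."""
    return {"DMARC": assess_dmarc(records.get("_dmarc." + domain)), "SPF": assess_spf(records.get(domain))}
```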
Frequently Asked Questions
Organisations with Cyber Essentials certification are 92% less likely to make a claim on their cyber insurance. Certification is mandatory for UK government contracts involving sensitive data. Only 3% of UK businesses are currently certified, giving certified businesses a competitive advantage.
MFA requires two or more verification methods to access an account. Microsoft reports that over 99.9% of compromised accounts did not have MFA enabled. Only 40% of UK businesses have two-factor authentication enabled (DSIT 2025). MFA can prevent more than 99.9% of account compromise attempts.
43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, according to the DSIT Cyber Security Breaches Survey 2025. For medium-sized businesses, this figure rises to 67%. Phishing remains the most common attack type, affecting 85% of businesses that reported a breach.
Ransomware is malicious software that encrypts your data and demands payment for its return. Approximately 19,000 UK businesses were hit by ransomware in 2025. The median UK ransom demand has doubled to $5.37 million, and average recovery costs reach $2.58 million excluding the ransom itself.
The first hour after detection is considered the golden hour that determines outcome severity. Organisations that detect breaches internally save an average of $900,000 in costs. Only 22% of UK businesses have a formal cybersecurity incident management plan in place.
Find and Fix Your Microsoft 365 Security Gaps
AMVIA's M365 security audit identifies misconfigurations across your tenant and includes a remediation implementation option. Most audits complete within one week.
Related Questions
Microsoft 365 Security
AMVIA's managed M365 security service — ongoing configuration management and monitoring of your tenant.
What Is Multi-Factor Authentication?
MFA is typically the first and most impactful finding in any M365 security audit.
Cybersecurity Guide for UK SMEs
How Microsoft 365 security fits within a broader managed cybersecurity programme.