Field note
Microsoft 365 Security Cleanup Guide
A useful cleanup guide is not a list of everything the platform can do. It is the shortest path from uncertainty to a tenant you can explain with a straight face.
Most Microsoft 365 cleanup work is not about adding new products. It is about removing drift.
Old admins stay privileged. Mail forwarding gets left in place. Sharing defaults are more open than anyone remembers approving. Audit data is either off, too thin, or nobody knows where to look. Then a customer asks for evidence and the whole thing gets awkward.
If you want fast risk reduction, start with the items that give attackers or the wrong insiders a simple route in or out.
1. Reset ownership of the important controls
If nobody owns the control, nobody notices the drift.
- Assign one accountable owner and one backup for identity, email, endpoint, collaboration and audit.
- Write down the review cadence for the highest-risk controls.
- Keep exceptions with an expiry date instead of letting them float forever.
That is admin hygiene, yes, but it matters because every other check becomes easier once ownership is obvious.
2. Clean up high-risk identity and admin debt
- Remove shared admin accounts; every privileged action should trace back to a named person.
- Review Global Administrator and the other privileged roles, and remove anyone who no longer needs them. Disabled accounts that still hold a role count as debt too.
- Enforce MFA for every user through Security Defaults, or through Conditional Access where the tenant is licensed for it (the two cannot be enabled at the same time).
- Block legacy authentication if it is still hanging around. Clients using basic authentication never complete an MFA prompt, so leaving them enabled undoes the previous step.
- Check break-glass accounts: excluded from Conditional Access, credentials held out of band, and sign-ins alerted on rather than forgotten.
This is rarely where tenants look exciting, but it is often where they look fragile.
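The checks above, as an added review script that is not part of the original note. It uses the Microsoft Graph PowerShell SDK and assumes an account that can read directory roles, users, Conditional Access policies and the authentication-methods registration report; the scope list, the break-glass UPNs, the 90-day staleness threshold and the role list are assumptions for this example, and the sign-in and registration data need Entra ID P1 or P2.

```powershell
# Added review script, not part of the original note. Assumes the Microsoft Graph
# PowerShell SDK (Install-Module Microsoft.Graph) and an account that can read roles,
# users, Conditional Access policies and the authentication-methods report.
# The scope list, break-glass UPNs and thresholds below are assumptions for this example.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All",
    "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$breakGlass     = @("bg-admin1@contoso.onmicrosoft.com", "bg-admin2@contoso.onmicrosoft.com")
$staleAfterDays = 90

# MFA registration state for every user, keyed by UPN (report needs Entra ID P1/P2).
$mfaRegistered = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfaRegistered[$_.UserPrincipalName] = $_.IsMfaRegistered }

# 1. Who holds privileged roles, are they MFA-registered, and when did they last sign in?
$privilegedRoles = @("Global Administrator", "Privileged Role Administrator",
    "Exchange Administrator", "SharePoint Administrator", "Security Administrator")

$roleFindings = foreach ($roleName in $privilegedRoles) {
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }          # role template never activated in this tenant
    foreach ($member in (Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)) {
        $odataType = $member.AdditionalProperties["@odata.type"]
        if ($odataType -ne "#microsoft.graph.user") {
            # Groups and service principals holding admin roles deserve their own review.
            [pscustomobject]@{ Role = $roleName; Member = $member.Id; Mfa = "n/a"
                               LastSignIn = "n/a"; Note = "non-user principal: $odataType" }
            continue
        }
        $user = Get-MgUser -UserId $member.Id -Property UserPrincipalName, AccountEnabled, SignInActivity
        $last = $user.SignInActivity.LastSignInDateTime
        $notes = @()
        if (-not $mfaRegistered[$user.UserPrincipalName]) { $notes += "no MFA registered" }
        if (-not $last) { $notes += "never signed in" }
        elseif ($last -lt (Get-Date).AddDays(-$staleAfterDays)) { $notes += "no sign-in for $staleAfterDays+ days" }
        if (-not $user.AccountEnabled) { $notes += "account disabled but still holds role" }
        [pscustomobject]@{ Role = $roleName; Member = $user.UserPrincipalName
                           Mfa = $mfaRegistered[$user.UserPrincipalName]
                           LastSignIn = $last; Note = ($notes -join "; ") }
    }
}
$roleFindings | Sort-Object Role, Member | Format-Table -AutoSize

# 2. Is MFA enforced at all, and is legacy authentication blocked?
$securityDefaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
$caPolicies       = Get-MgIdentityConditionalAccessPolicy -All
$enabledCa        = @($caPolicies | Where-Object { $_.State -eq "enabled" })

# Legacy clients appear in CA as the "exchangeActiveSync" and "other" client app types.
# Security Defaults blocks them on its own when it is turned on.
$legacyBlock = @($enabledCa | Where-Object {
    $_.GrantControls.BuiltInControls -contains "block" -and
    ($_.Conditions.ClientAppTypes -contains "other" -or
     $_.Conditions.ClientAppTypes -contains "exchangeActiveSync")
})
"Security Defaults enabled : $($securityDefaults.IsEnabled)"
"Enabled CA policies       : $($enabledCa.Count)"
"Legacy auth blocked       : $($securityDefaults.IsEnabled -or $legacyBlock.Count -gt 0)"

# 3. Break-glass accounts: present, enabled, and excluded from every enabled CA policy.
foreach ($upn in $breakGlass) {
    $bg = Get-MgUser -Filter "userPrincipalName eq '$upn'" -Property Id, AccountEnabled
    if (-not $bg) { "$upn : NOT FOUND"; continue }
    $notExcluded = @($enabledCa | Where-Object { $_.Conditions.Users.ExcludeUsers -notcontains $bg.Id })
    "$upn : enabled=$($bg.AccountEnabled); not excluded from $($notExcluded.Count) enabled CA policies"
}
```

The role table is the part worth keeping as evidence: a Global Administrator with no MFA registered, or one that has not signed in for a quarter, is exactly the fragile state the section describes, and the break-glass check catches the common mistake of a new Conditional Access policy that forgot the exclusion.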
3. Review mail routes that quietly leak data
External forwarding deserves suspicion by default. Microsoft's own guidance treats automatic forwarding to external recipients as an account-takeover and data-exfiltration risk, which is why the default outbound spam policy keeps it off.
- Review mailbox forwarding and justify every external destination.
- Check transport rules that move or copy mail externally.
- Review inbox rules after any compromise or suspicious activity.
- Confirm anti-phishing, Safe Links and Safe Attachments are in a sane state if licensed.
Mail is still one of the easiest ways for bad decisions to stay invisible.
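The four mail checks above, as an added review script that is not part of the original note. It uses the ExchangeOnlineManagement module and assumes a role that can read mailboxes, inbox rules, transport rules and the outbound spam policy; the external-recipient test relies on the accepted-domain list, so a forward to a mail contact whose address is off-domain is caught while an internal forward is not.

```powershell
# Added review script, not part of the original note. Assumes the ExchangeOnlineManagement
# module and a role that can read mailboxes, inbox rules, transport rules and the outbound
# spam policy.
Connect-ExchangeOnline

# Tenant level first. AutoForwardingMode "Automatic" has meant Off for several years;
# "On" lets any mailbox forward externally. Remote domain AutoForwardEnabled is the older
# switch for the same behaviour and should agree with it.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode
Get-RemoteDomain Default           | Select-Object Name, AutoForwardEnabled

$acceptedDomains = (Get-AcceptedDomain).DomainName

# A rule recipient renders as '"Name" [SMTP:user@example.com]' for addresses and
# '"Name" [EX:/o=...]' for internal objects. Anything SMTP and off-domain is external.
function Test-ExternalRecipient {
    param([string[]]$Recipients, [string[]]$AcceptedDomains)
    foreach ($r in $Recipients) {
        if ($r -match '\[SMTP:([^\]]+)\]') {
            $domain = ($Matches[1] -split '@')[-1]
            if ($domain -notin $AcceptedDomains) { return $true }
        }
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# Mailbox-level forwarding set by an admin. ForwardingSmtpAddress is the obvious leak;
# ForwardingAddress pointing at a mail contact with an external address is the quiet one.
$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Inbox rules that forward or redirect: the classic post-compromise persistence.
# One Get-InboxRule call per mailbox, so this is slow on large tenants.
$ruleFindings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo; $_.ForwardAsAttachmentTo; $_.RedirectTo | Where-Object { $_ })
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = Test-ExternalRecipient -Recipients $targets -AcceptedDomains $acceptedDomains
                Targets  = ($targets -join "; ")
            }
        }
}

# Transport rules that copy or redirect mail apply tenant-wide and are easy to forget.
$transportFindings = Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients

"--- Mailbox forwarding ---";            $mailboxForwarding | Format-Table -AutoSize
"--- Inbox rules forwarding externally"; $ruleFindings | Where-Object External | Format-Table -AutoSize
"--- Transport rules copying/redirecting"; $transportFindings | Format-Table -AutoSize
```

Run the tenant-level checks first: if AutoForwardingMode is On, every mailbox finding below it is a live exfiltration path rather than a dormant misconfiguration. Disabled inbox rules are still listed, since an attacker's rule that was switched off rather than deleted tells you the compromise was handled incompletely.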
4. Narrow collaboration and guest exposure
- Review SharePoint and OneDrive external sharing defaults.
- Check whether "Anyone" links are still allowed where they should not be.
- Remove stale guests from high-risk Teams and sites.
- Confirm sensitive workspaces have a named owner and tighter settings.
Most data leaks in smaller tenants are not very cinematic. They are usually some version of "that old guest still had access" or "that link should not have stayed live".
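The sharing and guest checks above, as an added review script that is not part of the original note. It uses the SharePoint Online Management Shell and the Microsoft Graph PowerShell SDK; the tenant name "contoso", the 180-day idle threshold and the Graph scopes are assumptions for this example, and guest sign-in activity needs Entra ID P1 or P2.

```powershell
# Added review script, not part of the original note. Assumes the SharePoint Online
# Management Shell (Microsoft.Online.SharePoint.PowerShell) and the Microsoft Graph SDK,
# with a SharePoint admin and a Graph account that can read users and sign-in activity.
# The tenant name "contoso", the scopes and the 180-day threshold are assumptions.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

# Tenant defaults. "ExternalUserAndGuestSharing" is the only SharingCapability value that
# permits "Anyone" links; DefaultSharingLinkType "AnonymousAccess" makes them the default
# choice in the share dialog. No expiry on anonymous links means they live forever.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType

# Sites still allowing "Anyone" links. A site can never be more open than the tenant
# setting, so tighten the tenant first and then mop up the sites that asked for more.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Owner, SharingCapability, LastContentModifiedDate |
    Format-Table -AutoSize

# Guests who never accepted, never signed in, or have been idle too long.
$staleAfterDays = 180
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$staleGuests = foreach ($g in $guests) {
    $last = $g.SignInActivity.LastSignInDateTime
    $note = $null
    if ($g.ExternalUserState -eq "PendingAcceptance") {
        $note = "invitation never accepted (created $($g.CreatedDateTime))"
    } elseif (-not $last) {
        $note = "never signed in"
    } elseif ($last -lt (Get-Date).AddDays(-$staleAfterDays)) {
        $note = "no sign-in for $staleAfterDays+ days"
    }
    if ($note) {
        [pscustomobject]@{ Guest = $g.Mail; Created = $g.CreatedDateTime; LastSignIn = $last; Note = $note }
    }
}
"$(@($staleGuests).Count) of $(@($guests).Count) guests look stale"
$staleGuests | Sort-Object LastSignIn | Format-Table -AutoSize
```

Removing a guest object does not revoke the "Anyone" links they may have created or been sent, which is why the link settings come first in the script and the guest sweep second.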
5. Make sure audit evidence actually exists
Audit is the control that people assume is there until they need it.
Microsoft's current guidance says auditing is on by default for Microsoft 365 organisations, but not by default for SMB licenses such as Business Basic, Business Standard and Business Premium. That means smaller tenants should check, not assume.
- Verify that unified audit log ingestion is enabled, then run a small search to prove the log actually returns events.
- Verify that mailbox auditing on by default is still in force, and look for mailboxes or accounts that have been excluded from it.
- Confirm who can search the logs; the answer should be a short, named list.
- Export a small baseline evidence pack with dates and owners.
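The four audit checks above collected into one evidence file, as an added script that is not part of the original note. It uses the ExchangeOnlineManagement module and assumes a role that can read audit configuration and search the unified audit log; the owner names and the output path are assumptions to be replaced.

```powershell
# Added review script, not part of the original note. Assumes the ExchangeOnlineManagement
# module and a role that can read audit configuration and search the unified audit log.
# The owner names and the output path are assumptions; fill in your own.
Connect-ExchangeOnline

$owners = @{ Audit = "Name of audit owner"; Backup = "Name of backup owner" }   # assumption

# Unified audit log ingestion (Purview Audit (Standard)). False means search returns nothing.
$ualEnabled = Get-AdminAuditLogConfig | Select-Object -ExpandProperty UnifiedAuditLogIngestionEnabled

# Mailbox auditing on by default is an organisation-level switch: AuditDisabled must be $false.
$orgAuditDisabled = Get-OrganizationConfig | Select-Object -ExpandProperty AuditDisabled

# Mailboxes reporting audit off, and accounts whose actions are bypassed entirely
# (bypass associations are the quiet way to blind auditing for one account).
$auditOffMailboxes = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.AuditEnabled } | Select-Object -ExpandProperty UserPrincipalName
$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } | Select-Object -ExpandProperty Name

# Who can actually search the log: effective holders of the two audit roles.
$searchers = foreach ($role in "Audit Logs", "View-Only Audit Logs") {
    Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
        ForEach-Object { "$role : $($_.EffectiveUserName) (via $($_.RoleAssigneeName))" }
}

# Prove the log returns data, not just that the flag says on. A fresh tenant that only
# just enabled ingestion can legitimately return zero events here.
$sample = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5

$evidence = [ordered]@{
    CollectedAt                     = (Get-Date).ToString("o")
    Owners                          = $owners
    UnifiedAuditLogIngestionEnabled = $ualEnabled
    MailboxAuditingOnByDefault      = -not $orgAuditDisabled
    MailboxesReportingAuditOff      = @($auditOffMailboxes)
    AuditBypassAccounts             = @($bypassed)
    AuditLogSearchers               = @($searchers | Sort-Object -Unique)
    SampleEventsLast7Days           = @($sample).Count
}
$path = "m365-audit-baseline-$(Get-Date -Format yyyyMMdd).json"
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path $path -Encoding UTF8
$evidence
```

The JSON file is the "baseline evidence pack" the bullet asks for: dated, with owners named inside it, and small enough to attach to a ticket. Re-running the same script at the next review gives a diff rather than a fresh investigation.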
6. Leave the next admin something useful
Security cleanup sticks when the next person can understand it quickly.
- Export a baseline snapshot.
- Keep a log of exceptions and why they exist.
- Schedule the first follow-up review before the project ends.
The test I like is simple: if another competent admin opened the tenant tomorrow, would they understand the current state without a guided tour? If the answer is no, there is still work left.