
Microsoft 365 Security Cleanup Checklist for UK SMEs

A useful Microsoft 365 cleanup is not a tour of every security feature. It is a controlled pass through the tenant to remove the obvious attack paths, prove what is configured, and leave the next admin with a state they can explain.

Published: 05 May 2026

Updated: 3 weeks ago

Read time: 6 min. 1,151 words.

Author: Gyorgy Bolyki

Most Microsoft 365 security problems in smaller tenants are not exotic. They are old privileges, weak enforcement, unmanaged devices, forgotten forwarding rules, overshared files and audit evidence nobody checked until someone asked for it.

That is the cleanup job.

Not "turn on every Microsoft feature". Not "make Secure Score look pretty". The useful version is simpler: find the controls that decide access, data movement and evidence, then remove the drift.

Quick answer

Start with the controls that give an attacker access or let data leave quietly. A useful cleanup removes old privilege, proves MFA and Conditional Access coverage, checks mail routes, validates device trust, tightens collaboration exposure and leaves dated evidence.

Who this affects

This affects UK SMEs running Microsoft 365 where admin access, user devices, SharePoint, Teams, Exchange Online and Defender have grown over time without regular control review.

It is especially relevant before Cyber Essentials Plus, customer due diligence, insurance renewal, incident response, Copilot rollout or a board-level security review.

What usually goes wrong

| Area | First check | Why it matters |
| --- | --- | --- |
| Admin access | Global Admins, privileged roles and shared admin accounts | Privilege sprawl turns one compromised account into a tenant-wide problem |
| MFA and Conditional Access | Real enforcement, exclusions and legacy authentication | Registration does not equal protection |
| Mail | Forwarding, inbox rules, transport rules and phishing controls | Mail is still a common route for compromise and quiet exfiltration |
| Devices | Intune enrolment, Defender onboarding and compliance | Conditional Access is weak if device trust is fake |
| Collaboration | SharePoint, OneDrive, Teams guests and anonymous links | Oversharing usually comes from defaults and forgotten access |
| Audit evidence | Unified audit logging, mailbox audit and exportable reports | If you cannot prove the control, the control is hard to defend |

What to check first

Start with ownership, then privileged access, then enforcement, then data movement.

| Control area | Owner to name | Backup to name | Evidence to keep |
| --- | --- | --- | --- |
| Identity | Entra ID / Microsoft 365 admin owner | Backup admin | Role export, Conditional Access list |
| Mail security | Exchange / Defender owner | Backup admin | Forwarding review, Defender policy screenshots |
| Endpoint | Intune / device owner | Backup admin | Device compliance and Defender coverage reports |
| Collaboration | SharePoint / Teams owner | Backup admin | Sharing settings, guest review |
| Audit | Security / compliance owner | Backup admin | Audit status, export process, retention notes |

Without named ownership, the cleanup will decay. Someone has to own exceptions, review dates and proof.

1. Remove privileged access drift

Start with access because every other control depends on it.

Check:

  • Global Administrator count.
  • Privileged roles assigned permanently.
  • Shared admin accounts.
  • Admins without phishing-resistant or strong MFA.
  • Emergency accounts with no monitoring.
  • Old partner or supplier admin access.
  • Privileged users excluded from Conditional Access.

Good cleanup result:

  • No shared daily admin account.
  • No unexplained Global Admin.
  • Break-glass accounts exist but are monitored.
  • Privileged access has named owners.
  • Exceptions have expiry dates.

The test is blunt: if one admin account is compromised, how much of the tenant falls?
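The role and MFA checks above, as an added example that is not the article's own script. It assumes the Microsoft Graph PowerShell SDK, a reader granted the listed scopes, and the role names shown (adjust the list to the roles your tenant actually uses).

```powershell
# Added example, not from the original article: list members of privileged Entra
# roles and flag admins with no strong or phishing-resistant method registered.
# Assumes the Microsoft.Graph PowerShell SDK and a reader with the scopes below.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# Roles worth reviewing first (assumed list; extend to match the tenant).
$roleNames = @('Global Administrator','Privileged Role Administrator','Exchange Administrator',
               'SharePoint Administrator','Intune Administrator','Security Administrator')
$strong = @('#microsoft.graph.fido2AuthenticationMethod',
            '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod',
            '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
            '#microsoft.graph.softwareOathAuthenticationMethod')
$phishingResistant = $strong[0,1]   # FIDO2 and Windows Hello for Business

$rows = foreach ($role in Get-MgDirectoryRole | Where-Object DisplayName -In $roleNames) {
    # Get-MgDirectoryRole returns activated roles with their active members. Active PIM
    # assignments appear here; eligible-only assignments need a separate PIM review.
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $m.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }   # groups and service principals: review those separately
        $types = Get-MgUserAuthenticationMethod -UserId $m.Id |
                 ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        [pscustomobject]@{
            Role              = $role.DisplayName
            User              = $upn
            StrongMfa         = [bool]($types | Where-Object { $_ -in $strong })
            PhishingResistant = [bool]($types | Where-Object { $_ -in $phishingResistant })
            LooksShared       = $upn -match '^(admin|it|support|shared)'   # naming heuristic only
        }
    }
}

$rows | Sort-Object Role, User | Format-Table -AutoSize
"Global Administrators: $(@($rows | Where-Object Role -EQ 'Global Administrator').Count)"
"Admins without strong MFA:"
$rows | Where-Object { -not $_.StrongMfa } | Format-Table Role, User
# Dated export is the evidence the later sections ask for.
$rows | Export-Csv -Path "privileged-roles-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```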

2. Prove MFA enforcement, not just MFA registration

MFA registration reports are not enough. A user can be registered and still not be forced through MFA for the access path that matters.

| Check | Where to look | Bad sign |
| --- | --- | --- |
| Baseline MFA policy | Conditional Access or Security Defaults | Policy excludes large groups |
| Admin MFA | Conditional Access targeting admin roles/admin portals | Admin portals not explicitly covered |
| Exclusions | CA policy exclusions and named groups | "Temporary" exclusions with no owner |
| Legacy authentication | Sign-in logs and CA controls | Basic auth still visible |
| Guest behaviour | Cross-tenant and guest access settings | Nobody knows what guests are required to do |

Good cleanup result: you can explain who gets MFA, when it is enforced, what is excluded, and why each exclusion still exists.
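One way to turn the table above into an exportable answer, as an added example rather than the article's own tooling. It assumes the Microsoft Graph PowerShell SDK and the scopes listed; the 10% exclusion threshold is an assumed starting point, not a Microsoft value.

```powershell
# Added example, not from the original article: summarise each Conditional Access
# policy by what it enforces and who is carved out, so every exclusion can be
# owned or removed. Assumes the Microsoft.Graph SDK and the scopes below.
Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All' -NoWelcome

$legacy = @('exchangeActiveSync','other')   # client app types used by legacy/basic auth
$report = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
    $u = $p.Conditions.Users; $g = $p.GrantControls
    # Resolve excluded groups to a member count so "temporary" carve-outs show their real size.
    $excludedMembers = 0
    foreach ($grp in $u.ExcludeGroups) { $excludedMembers += @(Get-MgGroupTransitiveMember -GroupId $grp -All).Count }
    [pscustomobject]@{
        Policy          = $p.DisplayName
        State           = $p.State            # enabled / disabled / enabledForReportingOnly
        RequiresMfa     = (($g.BuiltInControls -contains 'mfa') -or [bool]$g.AuthenticationStrength.Id)
        RequiresDevice  = [bool]($g.BuiltInControls | Where-Object { $_ -in 'compliantDevice','domainJoinedDevice' })
        BlocksLegacy    = (($g.BuiltInControls -contains 'block') -and
                           [bool]($p.Conditions.ClientAppTypes | Where-Object { $_ -in $legacy }))
        AdminPortals    = ($p.Conditions.Applications.IncludeApplications -contains 'MicrosoftAdminPortals')
        TargetsAllUsers = ($u.IncludeUsers -contains 'All')
        TargetsRoles    = @($u.IncludeRoles).Count
        ExcludedUsers   = @($u.ExcludeUsers).Count
        ExcludedGroups  = @($u.ExcludeGroups).Count
        ExcludedMembers = $excludedMembers
        ExcludedRoles   = @($u.ExcludeRoles).Count
    }
}
$report | Format-Table -AutoSize

# Bad signs from the table: no tenant-wide MFA policy, no legacy-auth block,
# admin portals not named in any MFA policy, and exclusions that are large.
$userCount = @(Get-MgUser -All -Property Id).Count
$enabled   = $report | Where-Object State -EQ 'enabled'
if (-not ($enabled | Where-Object { $_.RequiresMfa -and $_.TargetsAllUsers })) {
    Write-Warning 'No enabled policy requires MFA for all users.'
}
if (-not ($enabled | Where-Object BlocksLegacy)) { Write-Warning 'No enabled policy blocks legacy authentication.' }
if (-not ($enabled | Where-Object { $_.RequiresMfa -and $_.AdminPortals })) {
    Write-Warning 'Admin portals are not explicitly covered by an MFA policy.'
}
$enabled | Where-Object { $_.ExcludedMembers -gt ($userCount * 0.1) } |   # assumed 10% threshold
    ForEach-Object { Write-Warning "$($_.Policy) excludes $($_.ExcludedMembers) of $userCount users." }

$report | Export-Csv "conditional-access-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```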

3. Audit mail routes that leak data quietly

External forwarding and inbox rules need direct review. Do not assume Defender or Exchange defaults caught everything.

Check:

  • Mailbox forwarding to external recipients.
  • Transport rules that redirect, copy or blind-copy mail externally.
  • Inbox rules created around compromise dates.
  • Delegates and mailbox permissions for finance and leadership.
  • Anti-phishing, Safe Links and Safe Attachments coverage if licensed.
  • User submissions and phishing reporting process.

Good cleanup result: every external forwarding path is either blocked, justified or removed.
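The forwarding review above, as an added example that is not the article's own script. It assumes the ExchangeOnlineManagement module and an account with at least view-only organisation management; the inbox-rule loop visits every mailbox and is slow on large tenants.

```powershell
# Added example, not from the original article: find every path by which mail can
# leave the tenant automatically and record it with a date. Assumes the
# ExchangeOnlineManagement module and a view-only reader.
Connect-ExchangeOnline -ShowBanner:$false

$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$findings = [System.Collections.Generic.List[object]]::new()

function Test-External([string]$recipient) {
    # Recipients appear as 'smtp:a@b.com', '"Name" [SMTP:a@b.com]' or a bare address.
    if ([string]::IsNullOrWhiteSpace($recipient)) { return $false }
    $addr = if ($recipient -match '\[SMTP:([^\]]+)\]') { $Matches[1] } else { $recipient -replace '^smtp:', '' }
    if ($addr -notmatch '@') { return $false }   # internal display names or groups
    return $internal -notcontains ($addr -split '@')[-1].ToLower()
}
function Add-Finding($type, $mailbox, $rule, $target) {
    $findings.Add([pscustomobject]@{ Type = $type; Mailbox = $mailbox; Rule = $rule; Target = $target })
}

# 1. Tenant policy: does the outbound spam policy still allow automatic forwarding?
Get-HostedOutboundSpamFilterPolicy | ForEach-Object {
    Add-Finding 'OutboundPolicy' '' $_.Name "AutoForwardingMode=$($_.AutoForwardingMode)"
}

# 2. Transport rules that redirect, copy or blind-copy to external recipients.
foreach ($r in Get-TransportRule) {
    foreach ($t in @($r.RedirectMessageTo) + @($r.BlindCopyTo) + @($r.CopyTo)) {
        if (Test-External "$t") { Add-Finding 'TransportRule' '' "$($r.Name) ($($r.State))" "$t" }
    }
}

# 3. Mailbox-level forwarding and 4. user-created inbox rules, including hidden ones.
foreach ($mb in Get-Mailbox -ResultSize Unlimited) {
    if (Test-External $mb.ForwardingSmtpAddress) {
        Add-Finding 'MailboxForwarding' $mb.UserPrincipalName "KeepCopy=$($mb.DeliverToMailboxAndForward)" $mb.ForwardingSmtpAddress
    }
    foreach ($ir in Get-InboxRule -Mailbox $mb.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue) {
        foreach ($t in @($ir.ForwardTo) + @($ir.ForwardAsAttachmentTo) + @($ir.RedirectTo)) {
            if (Test-External "$t") { Add-Finding 'InboxRule' $mb.UserPrincipalName "$($ir.Name) (Enabled=$($ir.Enabled))" "$t" }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Export-Csv "mail-forwarding-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```

Every row in the export is then either blocked, justified with an owner, or removed, which is the cleanup result the section asks for.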

4. Check endpoint trust before relying on it

Conditional Access often says "require compliant device" before the business has proven device compliance is reliable.

| Check | Useful evidence |
| --- | --- |
| Intune enrolled device count | Intune device report |
| Compliance policy result | Compliance report with failure reasons |
| Defender for Endpoint onboarding | Defender device inventory |
| Local admin exposure | Local admin / EPM review |
| Unsupported operating systems | Device inventory and remediation list |
| Patch evidence | Update compliance or management report |

Good cleanup result: the tenant knows which devices are managed, which are trusted, and which are still exceptions.
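A way to test whether device trust is real before a "require compliant device" grant relies on it, as an added example that is not part of the article. It assumes the Microsoft Graph PowerShell SDK and the scopes shown; the 30-day activity window is an assumption. Defender onboarding is not visible here and still needs the Defender device inventory.

```powershell
# Added example, not from the original article: compare devices that sign in to
# Entra ID against devices Intune actually manages, so "require compliant device"
# is only trusted where compliance is real. Assumes the Microsoft.Graph SDK.
Connect-MgGraph -Scopes 'Device.Read.All','DeviceManagementManagedDevices.Read.All' -NoWelcome

$cutoff  = (Get-Date).AddDays(-30)   # assumed window for "active" and "recently synced"
$byAadId = @{}
foreach ($d in Get-MgDeviceManagementManagedDevice -All) { $byAadId[$d.AzureAdDeviceId] = $d }

# Entra devices seen recently. DeviceId (not the object Id) is what Intune stores as AzureAdDeviceId.
$active = Get-MgDevice -All -Property Id,DeviceId,DisplayName,OperatingSystem,OperatingSystemVersion,ApproximateLastSignInDateTime,TrustType |
    Where-Object { $_.ApproximateLastSignInDateTime -gt $cutoff }

$rows = foreach ($e in $active) {
    $m = $byAadId[$e.DeviceId]
    [pscustomobject]@{
        Device     = $e.DisplayName
        OS         = "$($e.OperatingSystem) $($e.OperatingSystemVersion)"
        Join       = $e.TrustType            # AzureAd, ServerAd (hybrid) or Workplace (registered)
        InIntune   = [bool]$m
        Compliance = if ($m) { $m.ComplianceState } else { 'notEnrolled' }
        LastSync   = if ($m) { $m.LastSyncDateTime } else { $null }
        StaleSync  = if ($m) { $m.LastSyncDateTime -lt $cutoff } else { $true }
        User       = if ($m) { $m.UserPrincipalName } else { '' }
    }
}

$rows | Group-Object Compliance | Select-Object Name, Count | Format-Table
"Active Entra devices: $(@($rows).Count); not enrolled in Intune: $(@($rows | Where-Object { -not $_.InIntune }).Count)"
# Devices that should not satisfy a compliant-device grant: unmanaged, non-compliant or not syncing.
$rows | Where-Object { -not $_.InIntune -or $_.Compliance -ne 'compliant' -or $_.StaleSync } |
    Sort-Object Compliance, Device | Format-Table -AutoSize
$rows | Export-Csv "device-trust-$(Get-Date -Format yyyy-MM-dd).csv" -NoTypeInformation
```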

5. Tighten SharePoint, OneDrive and Teams exposure

Most collaboration risk comes from settings that were convenient once and then forgotten.

Check:

  • Tenant-level SharePoint and OneDrive sharing settings.
  • Whether "Anyone" links are allowed.
  • Site-level sharing on sensitive sites.
  • Guest users in Teams and SharePoint.
  • Stale guests and old supplier access.
  • Sensitivity labels or container labels for high-risk workspaces.

Good cleanup result: sensitive workspaces have named owners, external access is intentional, and old guests are removed.
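The sharing and guest checks above, as an added example that is not the article's own script. It assumes the SharePoint Online Management Shell and the Microsoft Graph PowerShell SDK, that `<tenant>` is replaced with your SharePoint tenant name (placeholder), and a 90-day staleness window.

```powershell
# Added example, not from the original article: record tenant and site sharing
# settings, list sites that still allow "Anyone" links, and list guests who have
# not signed in for 90 days. Assumes the SPO management shell and Microsoft.Graph SDK.
Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'   # <tenant> is a placeholder
Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All' -NoWelcome
$stamp = Get-Date -Format 'yyyy-MM-dd'

# 1. Tenant defaults. ExternalUserAndGuestSharing is the level that permits "Anyone" links.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType |
    Tee-Object -FilePath "spo-tenant-sharing-$stamp.txt"

# 2. Sites that still permit anonymous links. A site can be tighter than the tenant, never looser.
$anyoneSites = Get-SPOSite -Limit All | Where-Object SharingCapability -EQ 'ExternalUserAndGuestSharing' |
    Select-Object Url, Title, Owner, LastContentModifiedDate
$anyoneSites | Format-Table -AutoSize
$anyoneSites | Export-Csv "spo-anyone-sites-$stamp.csv" -NoTypeInformation

# 3. Guest accounts with no recent sign-in. SignInActivity needs AuditLog.Read.All and Entra ID P1.
$cutoff = (Get-Date).AddDays(-90)   # assumed window
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Id,DisplayName,Mail,CreatedDateTime,SignInActivity,ExternalUserState |
    ForEach-Object {
        $last = $_.SignInActivity.LastSignInDateTime
        [pscustomobject]@{
            Guest      = $_.Mail
            Name       = $_.DisplayName
            Invited    = $_.CreatedDateTime
            State      = $_.ExternalUserState   # PendingAcceptance means the invite was never redeemed
            LastSignIn = $last
            Stale      = ((-not $last) -or ($last -lt $cutoff))
        }
    }
"Guests: $(@($guests).Count); stale or never signed in: $(@($guests | Where-Object Stale).Count)"
$guests | Where-Object Stale | Sort-Object Invited | Format-Table -AutoSize
$guests | Export-Csv "guests-$stamp.csv" -NoTypeInformation
```

Stale guests and "Anyone"-enabled sites each need a named owner who either confirms the access is still intentional or removes it.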

Evidence to collect

Do not wait for Cyber Essentials Plus, a customer security review, an insurer, or an incident to ask for proof.

| Evidence | What it should show |
| --- | --- |
| Admin roles | Current privileged users and review date |
| Conditional Access | Policies, scope, exclusions and grant controls |
| MFA | Enforcement design, not just registration |
| Mail forwarding | Review result and exceptions |
| Endpoint coverage | Intune and Defender device coverage |
| Sharing | SharePoint/OneDrive/Teams exposure |
| Audit | Audit availability and who can search/export logs |

Good cleanup result: another competent admin can understand the tenant without a guided tour.

Fix path

  1. Name the owner.
  2. Record the current state.
  3. Remove obvious drift.
  4. Document justified exceptions.
  5. Export evidence.
  6. Set the next review date.

If the review date is missing, the same mess comes back.

Common mistakes

The common failure is treating cleanup as a settings sprint.

That produces screenshots but not control. The better approach keeps ownership, exceptions and evidence together, so the tenant state can be explained later without relying on memory.

When to get help

Get outside help when the tenant has business pressure attached: Cyber Essentials Plus, customer security questionnaires, insurer requirements, incident response, board reporting or an incoming Microsoft 365 change such as Copilot.

For the matching service path, use Microsoft 365 security clean-up.


© 2026 Magrathean UK Ltd. All rights reserved.