The formal exercise
A formal security audit of your Microsoft 365 tenant
A Microsoft 365 security audit is the point-in-time, evidence-referenced version of our tenant review: every control examined, scored against the CIS benchmark and documented so the result stands up to your board, your insurer or your customer's due diligence questionnaire.
Why now
The audit someone has asked you for
Most Office 365 security audits are commissioned because someone outside IT asked a question nobody could evidence: an insurer wanting proof of MFA coverage, an enterprise customer's supplier questionnaire, a board member reading about a breach, or an auditor asking how long your logs are kept. The audit exists to answer those questions with evidence rather than assurances.
Because every finding is referenced to the CIS Microsoft 365 Foundations Benchmark and to Microsoft's own baselines, the answers carry weight: not "we think it is configured well" but "here is the control, the evidence and the score".
You receive
- A scored, evidence-referenced finding for every audited control
- CIS Microsoft 365 Foundations Benchmark mapping for each item
- A prioritised remediation register your team can work through
- A board summary: risk position, comparison to peers, cost to close
- A debrief session where every finding can be challenged
Audit scope
What the Microsoft 365 audit examines
Six control areas, audited with evidence. The same scope bands as the assessment apply, priced identically.
Identity and access
Every admin role assignment, guest account and authentication policy, with evidence of when each was last reviewed and why it exists.
Conditional Access
Policy-by-policy examination against the CIS benchmark: coverage gaps, exclusions that have outlived their reason, and legacy protocols still allowed through.
Exchange Online
Transport rules, auto-forwarding, delegated permissions and the anti-phishing stack, audited against the patterns from real compromise cases.
Collaboration workloads
SharePoint, Teams and OneDrive external sharing, anonymous links and guest lifecycle, scoped to where your sensitive data actually lives.
Audit log configuration
Whether unified audit logging is on, what it captures, how long retention actually runs and whether mailbox auditing covers the accounts that matter. The setting most tenants get wrong.
Defender and alerting
Threat policies, safe links and attachments, alert routing and who genuinely receives them, because an alert nobody reads is a log entry.
Quick answers
Security audit questions, answered
What is the difference between a security audit and a security assessment?
In practice the words are used interchangeably; the meaningful difference is formality. We use audit for the point-in-time, evidence-referenced exercise that supports compliance and insurance answers, and assessment for the same technical review positioned around improvement. Same method, same benchmark, same consultants.
Does the audit cover our Microsoft 365 audit logs?
Yes, as a scoped item: whether unified audit logging is enabled, what it captures, retention, and mailbox audit coverage. If you arrived here looking for help reading the logs day to day, that is an administration task rather than an audit; our monitoring page covers the ongoing version.
How often should we audit the tenant?
A formal audit annually, with lighter reviews at each significant change: a licence uplift, a migration, a merger, or after any incident. Configuration drifts constantly; an audit is a snapshot, not a vaccination.
Will the audit disrupt our users or change anything?
No. The audit runs on read-only access. Nothing is modified, nothing is installed, and the only people who know it is happening are the ones you tell.
Evidence beats assurances
Scope your Microsoft 365 security audit
A free 45 minute call establishes which workloads need auditing, what it costs at the published rate and when you can have the report.