Microsoft 365 Security and Backup Checklist
Microsoft 365 is powerful, but it still needs proper security, cleanup, access control and backup planning. This checklist helps leadership review common gaps in email, SharePoint, OneDrive, Teams, users, groups and recovery.
Review Microsoft 365 Before a Security or Recovery Problem
Microsoft provides the platform. The business still needs clear configuration, monitoring, access cleanup, backup strategy and ownership.
Review Account Access
Check MFA, admin rights, former employees, shared mailboxes and risky sign-ins.
Protect Email and Files
Review email security, phishing protection, SharePoint, OneDrive and Teams sharing.
Confirm Backup Reality
Understand what Microsoft does and does not protect by default.
Microsoft 365 Is Not Set-It-and-Forget-It
Many businesses assume Microsoft 365 automatically handles security, backup and governance. In reality, Microsoft provides the platform, but businesses still need to configure access, monitor risk, manage users and protect important data.
User and Access Control Checklist
Access control is the first place to look because compromised accounts often create the widest business impact.
- MFA enabled for all users
- Admin accounts separated from daily-use accounts
- Former employees removed
- Shared mailboxes reviewed
- Guest users reviewed
- Conditional access reviewed where applicable
- Sign-in logs monitored
- Risky users investigated
- Password policies reviewed
- Legacy authentication disabled where appropriate
Email Security Checklist
Email is one of the highest-risk business systems. Review authentication, filtering, forwarding and compromise risk.
Authentication
- SPF configured
- DKIM configured
- DMARC configured
Protection
- Anti-phishing protection reviewed
- Suspicious login alerts monitored
- External sender warnings considered
Permissions and Rules
- Mail forwarding rules reviewed
- Shared mailbox permissions reviewed
- Business email compromise risk reviewed
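The forwarding review above is easier to do from a report than from the admin portal one mailbox at a time. The following PowerShell is an added example, not part of the original checklist; it assumes the ExchangeOnlineManagement module is installed and that the account running it holds a read-only Exchange role such as View-Only Recipients.

```powershell
# Added example: pull mailbox-level forwarding and user-created forwarding/redirect
# inbox rules into one CSV for the quarterly review. Requires Connect-ExchangeOnline.
Connect-ExchangeOnline

# 1. Mailbox-level forwarding (set by an admin or through mailbox settings).
$mailboxForwarding = Get-EXOMailbox -ResultSize Unlimited `
        -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward, forward as attachment, or redirect. These are the rules
#    attackers and departing staff create, and they are invisible in the mailbox list.
$ruleForwarding = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Output file name is a constructed placeholder; change it to suit the review.
$mailboxForwarding | Export-Csv -Path .\mailbox-forwarding-review.csv -NoTypeInformation
$ruleForwarding    | Export-Csv -Path .\inbox-rule-forwarding-review.csv -NoTypeInformation
```

Every row in either CSV should map to a known, approved business reason; anything forwarding to an address outside the organization with no documented owner belongs on the business email compromise review list.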
SharePoint, OneDrive and Teams Checklist
File security depends on permissions, sharing settings, ownership and cleanup habits.
- External sharing settings reviewed
- Anonymous sharing links restricted where appropriate
- Sensitive libraries identified
- Teams ownership documented
- Old groups reviewed
- File permissions cleaned up
- Business data stored in personal OneDrive accounts reviewed
- Retention settings reviewed
- Access for former employees removed
Backup and Recovery Checklist
Retention is not the same thing as a recovery plan. Confirm what data must be restorable and who owns the process.
- Microsoft 365 backup solution reviewed
- Email backup confirmed
- SharePoint backup confirmed
- OneDrive backup confirmed
- Teams data backup reviewed
- Restore testing performed
- Retention expectations documented
- Ransomware recovery process reviewed
- Deleted-user data handling documented
Common Microsoft 365 Risk Areas
These are common signs that Microsoft 365 needs cleanup before the next growth stage, audit, renewal or incident.
Too Many Global Admins
Privileged access is wider than needed.
Former Employees Active
Departed users still have access.
No Third-Party Backup
Recovery expectations are not matched by tooling.
External Sharing Too Open
Files can leave the organization too easily.
No DMARC Policy
Email domain protection is incomplete.
Unmonitored Forwarding Rules
Email may be silently leaving mailboxes.
Shared Accounts
Accountability and MFA controls are weakened.
Unknown Guest Users
External access has no clear owner.
No Restore Testing
Backups are assumed instead of proven.
Groups and Teams Sprawl
Old workspaces create permission confusion.
Leadership Questions to Ask
Use these questions to assign ownership instead of letting Microsoft 365 drift.
Who owns Microsoft 365 administration?
Who reviews users and licenses?
Who monitors risky sign-ins?
Who confirms backups are working?
Who handles employee offboarding?
Who approves external sharing?
Who reports Microsoft 365 risk to leadership?
Make Microsoft 365 a Quarterly Review Item
Use this checklist during security reviews, cyber insurance preparation, staff changes and technology planning meetings.
Start With Users
Review users, admins, former employees, guests and shared mailboxes first.
Review Sharing
Check email, SharePoint, OneDrive and Teams access before data spreads further.
Test Recovery
Confirm backup coverage and restore testing before a deleted file or ransomware event.
Microsoft 365 Security and Backup FAQs
Does Microsoft 365 automatically back up all my data?
Microsoft 365 includes retention and recovery features, but many businesses still need a dedicated backup strategy for email, SharePoint, OneDrive and Teams.
What is the biggest Microsoft 365 security risk?
Weak account security, too many admin accounts, missing MFA, former employees left active and risky sharing settings are common problems.
Do small businesses need Microsoft 365 backup?
Many do. The need depends on business risk, data importance, recovery expectations and regulatory or insurance requirements.
How often should Microsoft 365 users be reviewed?
At minimum, review users, admins, shared mailboxes and licenses quarterly. High-risk businesses should review more often.
Need help reviewing Microsoft 365 risk?
Nevada IT Support can help review Microsoft 365 security, users, sharing, backups, email protection and recovery expectations.