The Microsoft 365 Security Risk Assessment Guide Every IT Team Needs

📋 Table of Contents

• Understanding the Shared Responsibility Model
• Microsoft 365 Security Risk Assessment Dashboard
• Risk Area 1: Identity & Access Management
• Risk Area 2: Data Protection & Governance
• Risk Area 3: Email Security
• Risk Area 4: Application & Integration Security
• Risk Area 5: Microsoft 365 Copilot & AI Risks
• Risk Area 6: Compliance & Data Lifecycle
• Microsoft 365 Security Risk Assessment Process Framework
• Recommended Tooling
• Key Security Metrics to Track
• Executive Recommendations

Gartner research consistently estimates that through 2025, at least 99% of cloud security failures will be the customer’s fault — primarily through misconfiguration and inadequate governance. The technology is rarely the weak point. The configuration is.

Key risks

Missing or incomplete MFA: Accounts without multi-factor authentication are dramatically more vulnerable to credential stuffing, phishing, and password spray attacks. Microsoft reports that MFA blocks over 99.9% of automated account compromise attempts. Despite this, many tenants still have MFA gaps — particularly for service accounts and external partners.

Excessive Global Administrators: The Global Administrator role in Entra ID grants unrestricted access to every service in the tenant, including the ability to reset any user’s password and read all mailboxes. Many organisations assign this role far too broadly. Microsoft recommends maintaining fewer than five Global Admins, with emergency “break-glass” accounts as the only permanently active holders of the role.

Unmonitored risky sign-ins: Entra ID Identity Protection detects risky sign-in events including impossible travel, anonymous IP addresses, malware-linked IPs, and leaked credential alerts from Microsoft’s threat intelligence feeds. Many organisations have Identity Protection licences included in their E3 or E5 plan but have never configured alert policies or investigated the detections.

Mitigation controls

Enforce MFA for all users using Conditional Access policies. For administrators, enforce phishing-resistant MFA methods — FIDO2 security keys or Windows Hello for Business — rather than SMS OTP, which is vulnerable to SIM-swapping. Microsoft Security Defaults provide a baseline for smaller organisations, but named Conditional Access policies offer more granular control.

Implement Privileged Identity Management (PIM) to enforce Just-in-Time (JIT) access for all privileged roles. With PIM, no one holds a sensitive role permanently — they request activation for a defined time window, with approval workflows and audit logs for every elevation. This dramatically reduces the blast radius of a compromised admin account.

Configure Conditional Access policies to enforce compliant device requirements, block legacy authentication protocols (which bypass MFA entirely), restrict access from high-risk locations, and require step-up authentication for sensitive applications. Legacy auth protocols — IMAP, POP3, SMTP AUTH, and basic auth — should be blocked tenant-wide via an Authentication Policy.

Enable and act on Identity Protection risk detections. Configure risk-based Conditional Access policies that automatically require MFA step-up for medium-risk sign-ins and block access for high-risk sign-ins pending investigation. Integrate detections with Microsoft Sentinel or your SIEM for automated triage.

Key risks

Anonymous “Anyone” sharing links: SharePoint and OneDrive support “Anyone with the link” sharing, which generates a publicly accessible URL with no authentication requirement. These links have no expiry by default, can be forwarded to anyone on the internet, and are frequently created by users who do not understand what they are enabling.

Absence of sensitivity labels and DLP policies: Without Microsoft Purview Sensitivity Labels, there is no systematic way to classify data, apply encryption, restrict access, or prevent content from being shared outside the organisation. Without Data Loss Prevention policies, there is no automated mechanism to detect and block the exfiltration of regulated data — credit card numbers, national insurance numbers, patient records — through email, Teams messages, or file sharing.

No retention or deletion policies: Many organisations accumulate years of unmanaged data in SharePoint and Teams with no defined retention periods. This creates legal and compliance risk — data that should have been deleted is retained indefinitely and therefore discoverable — and increases the attack surface available to a threat actor who achieves access.

Mitigation controls

Restrict external sharing at the tenant and site level. Disable “Anyone” links by default at the tenant level in the SharePoint Admin Centre. Where external sharing is genuinely required, enforce expiry dates on sharing links (30 days maximum is a reasonable default) and require password protection on externally shared content.

Deploy Microsoft Purview Sensitivity Labels across the label taxonomy: Public, Internal, Confidential, and Highly Confidential as a minimum baseline. Apply auto-labelling policies to detect and label content containing regulated data patterns. Extend labels to Teams, SharePoint sites, and Microsoft 365 Groups to enforce container-level access controls — private vs public channel settings, guest access, and external sharing at the site level.

Configure DLP policies in Microsoft Purview to detect sensitive information types — including financial data, health records, and personally identifiable information — across Exchange Online, SharePoint, OneDrive, Teams chat, and Power Platform. Use policy tips to educate users in the moment rather than relying solely on block actions.

Implement retention and records management policies using Microsoft Purview Retention Policies and Retention Labels. Define minimum retention periods for regulated content types — seven years for financial records under many jurisdictions, for example — and deletion policies for transient content such as Teams chat messages and general correspondence.

Column mapping for Sensitivity Labels — recommended baseline

A practical four-tier label taxonomy for most organisations:

Public Internal Confidential Highly Confidential

Key risks and mitigation controls

Phishing and BEC: Enable Microsoft Defender for Office 365 Plan 1 at minimum (included in M365 Business Premium and E3 with the Defender add-on). Configure Anti-Phishing policies with impersonation protection for key executives and domains, spoof intelligence, and mailbox intelligence. Enable Safe Links to rewrite and scan URLs at time-of-click, not just at delivery.

Malware attachments: Enable Safe Attachments with Dynamic Delivery, which detonates attachments in a sandbox and replaces them with a placeholder while scanning is in progress — preserving user productivity without sacrificing security. Apply Safe Attachments policies to SharePoint, OneDrive, and Teams in addition to email.

External mail forwarding: Block or strictly limit automatic forwarding of email to external addresses using outbound spam filter policies. Attackers who compromise a mailbox frequently create forwarding rules to exfiltrate email silently. Monitor the Unified Audit Log for new inbox rules and forwarding rule creation as a detection control.

Email authentication (SPF, DKIM, DMARC): Ensure your sending domain has a valid SPF record listing Exchange Online as an authorised sender. Enable DKIM signing for your domain in the Microsoft 365 Defender portal. Publish a DMARC record with at minimum a p=quarantine policy, progressing to p=reject once you are confident in your sending infrastructure. These three controls together prevent spoofing of your domain by external attackers.

Defender for Office 365 — feature coverage summary

Safe Links Safe Attachments Anti-Phishing Spoof Intelligence Attack Simulation Training Threat Explorer

Key risks and mitigation controls

Unrestricted user consent: By default in many tenants, users can consent to any app requesting low-risk permissions without administrator approval. Restrict user consent to apps from verified publishers only, or disable user consent entirely and require all app consent to flow through the Admin Consent Workflow — a structured process where users request access and administrators review and approve or deny.

Overprivileged applications: Regularly review Enterprise Applications in the Entra ID portal. Audit the permissions granted to each app — particularly those with broad delegated permissions such as Mail.Read, Files.ReadWrite.All, or Directory.ReadWrite.All. Remove any application that has not been used in 90 days or that has no documented business justification for its level of access.

Stale service principals and app registrations: App registrations and service principals accumulate over time — many created for one-off integrations, PoC projects, or departed vendors. Each one represents a persistent credential (client secret or certificate) that can be used to authenticate to your tenant if compromised. Establish a quarterly review cadence for all app registrations and implement certificate/secret rotation policies.

Key risks

Over-shared content surfaced at scale: A user asking Copilot “summarise everything we know about Project Alpha” will receive results from any document they have access to — including files shared via “Anyone” links, content in Teams channels they joined years ago, and documents in SharePoint sites with broad access grants. If that user should not reasonably have seen some of that content, Copilot has effectively caused a data exposure event.

Absence of AI governance and acceptable use policies: Many organisations deploy Copilot without defining what it may and may not be used for, without training users on prompt engineering risks, and without monitoring Copilot interaction logs for sensitive data patterns. This is not a technology gap — it is a governance gap.

Mitigation controls

Remediate permission sprawl before deploying Copilot. Use the SharePoint Advanced Management (SAM) data access governance reports to identify sites with overly broad access, “Everyone except external users” sharing, and stale guest access. Run Microsoft Purview’s Data Estate Insights to understand where your sensitive data actually lives and who can access it.

Apply Sensitivity Labels before enabling Copilot. Labels set on files and containers are respected by Copilot — a user without access to a Highly Confidential site will not receive Copilot results sourced from that site. Labels are the most direct and scalable mechanism for ensuring Copilot operates within appropriate boundaries.

Define and publish AI usage policies that specify permitted use cases, prohibited content types, and data handling requirements for Copilot outputs. Enable Copilot interaction logging in the Microsoft Purview Audit logs and configure Communication Compliance policies to monitor for sensitive data patterns in Copilot conversations.

Mitigation controls

Implement retention policies across Exchange Online, SharePoint, OneDrive, Teams chat, and Teams channel messages. Distinguish between retention for compliance purposes (keeping content that must be retained) and deletion for hygiene purposes (removing content that should not be kept beyond its useful life). Both are important and both require active policy configuration.

Govern inactive Teams and SharePoint sites. Use Microsoft 365 Group Expiration Policies to automatically request re-confirmation of active Teams and Groups after a defined period (90 or 180 days). Sites with no activity after the expiration period are archived or deleted with owner approval. This prevents the accumulation of abandoned collaboration spaces that contain sensitive content and are not actively governed.

Use Microsoft Purview Compliance Manager to assess your posture against specific regulatory frameworks. Compliance Manager provides improvement actions mapped to each control, with ownership assignment and evidence tracking built in. This transforms compliance from a periodic manual exercise into a continuously managed programme.

1. Adopt Zero Trust Architecture

Zero Trust replaces the assumption that anything inside the corporate network is safe with explicit verification of every access request — regardless of location, device, or user. In practice for M365, this means Conditional Access policies that evaluate device compliance, user risk, and application sensitivity on every authentication event, combined with least-privilege access enforced through PIM and Entra ID role assignments.

2. Eliminate standing privileged access

No administrator should hold a privileged role permanently. Implement PIM for all roles above User Administrator level. Require justification and approval for Global Administrator activation. Create two break-glass accounts with permanent Global Admin access, exclude them from all Conditional Access policies, and monitor them with high-severity alerts — but use them only in genuine emergencies.

3. Govern data before deploying Copilot

Microsoft 365 Copilot is ready to deploy on day one from a technical perspective. The question is whether your data is ready. Organisations that deploy Copilot into environments with poor permission hygiene, no sensitivity labels, and no DLP policies will expose sensitive content at unprecedented scale. The data governance work should precede the Copilot rollout by at least one quarter.

4. Implement continuous compliance monitoring

Compliance is not a point-in-time assessment — it is an ongoing state. Use Purview Compliance Manager to continuously track your posture against applicable regulatory frameworks. Feed Unified Audit Log data into Microsoft Sentinel for real-time alerting on policy violations. Automate evidence collection for annual audits rather than scrambling to gather documentation retrospectively.

5. Establish a Power Platform & M365 Centre of Excellence

As Power Apps, Power Automate, and Copilot Studio proliferate across the organisation, ungoverned citizen development creates shadow IT at scale — flows with broad connector permissions, apps storing sensitive data in personal OneDrive accounts, and custom connectors reaching external services without security review. A Centre of Excellence (CoE) with defined governance guardrails, DLP connector policies, environment strategy, and a maker community provides the structure to scale innovation without scaling risk.

Identity is the primary attack vector. Every credential-based attack — phishing, password spray, BEC — ultimately targets an identity. MFA, Conditional Access, and PIM are not optional enhancements; they are foundational controls.

Data exposure is mostly caused by over-sharing, not hacking. Sensitive files are not stolen from secured environments — they are shared via “Anyone” links, left in public Teams channels, and emailed to personal addresses. Governance controls prevent far more data loss than detection and response controls.

AI amplifies existing risks rather than creating new ones. Microsoft 365 Copilot inherits every permission flaw and data governance gap in your environment. It is an accelerant, not a new attack surface. Good governance before Copilot is good governance for its own sake — Copilot just makes the urgency visible.

Security is continuous governance, not a one-time setup. Microsoft 365 evolves every month. Configurations drift, new features ship with permissive defaults, and the threat landscape changes. A security programme that is reviewed quarterly and monitored continuously will always outperform one that was configured correctly at launch and then left to drift.