Skip to main content

Practical checklist

M365 MDR Readiness Checklist

Use this before a posture review, insurance renewal, or monitoring conversation. A checked box should mean the control exists, has an owner, and can be evidenced.

01

Identity and administration

  • MFA is enforced for every administrator
  • Legacy authentication is disabled
  • Privileged roles are limited and reviewed
  • Risky sign-ins have a named investigation owner

02

Email and applications

  • External forwarding rules are reviewed
  • Suspicious mailbox rules can be investigated
  • Third-party OAuth app permissions are reviewed
  • Phishing and BEC escalation is documented

03

Sharing and data

  • External SharePoint and OneDrive sharing is reviewed
  • Guest accounts have owners and expiry rules
  • Sensitive client data locations are known
  • AI tools have clear data-handling boundaries

04

Monitoring and response

  • Endpoint, identity, email, and SaaS alerts have owners
  • Coverage exists outside business hours
  • Containment authority is documented
  • Leadership receives understandable security reporting