Practical checklist
M365 MDR Readiness Checklist
Use this before a posture review, insurance renewal, or monitoring conversation. A checked box should mean the control exists, has an owner, and can be evidenced.
01
Identity and administration
- MFA is enforced for every administrator
- Legacy authentication is disabled
- Privileged roles are limited and reviewed
- Risky sign-ins have a named investigation owner
02
Email and applications
- External forwarding rules are reviewed
- Suspicious mailbox rules can be investigated
- Third-party OAuth app permissions are reviewed
- Phishing and BEC escalation is documented
03
Sharing and data
- External SharePoint and OneDrive sharing is reviewed
- Guest accounts have owners and expiry rules
- Sensitive client data locations are known
- AI tools have clear data-handling boundaries
04
Monitoring and response
- Endpoint, identity, email, and SaaS alerts have owners
- Coverage exists outside business hours
- Containment authority is documented
- Leadership receives understandable security reporting