A Real Audit Of Your Microsoft 365 Tenant Not A Glorified Secure Score Screenshot
Most Microsoft 365 tenants, even ones running in mature organizations, have quiet misconfigurations that attackers find before you do. Petronella Technology Group runs a structured, evidence backed Microsoft 365 security audit that reviews identity, access, email hygiene, data governance, device posture, and shadow IT. You walk away with a prioritized remediation roadmap, a documented baseline for compliance work, and a defensible picture of your tenant's posture.
Why Is Microsoft 365 The Number One Breach Entry Point For Small And Mid Sized Organizations?
If you use Microsoft 365, it is almost certainly the most attacker targeted surface in your entire environment. Here is why, and what a real audit actually checks.
Microsoft 365 handles more business email and document workflow than any other platform, which concentrates attacker attention. Most business email compromise incidents we respond to begin with a Microsoft 365 authentication event: a phishing link that harvests a session token, an MFA fatigue push that got accepted, or credential stuffing against an account without strong authentication. A real audit surfaces the dozens of small misconfigurations that make any of those attacks viable.
Microsoft 365 handles more business email and document workflow than any other platform. That concentration is a gift to defenders and a target to attackers. Ninety plus percent of the business email compromise incidents we respond to begin with a Microsoft 365 authentication event, usually a phishing attack that harvests a session token, an MFA fatigue attempt, or a credential stuffing hit on an account with weak authentication. The attacker lands inside a mailbox, sets up an inbox rule that hides vendor correspondence, sends a few carefully timed invoice change emails, and walks away with hundreds of thousands of dollars.
What most organizations think of as Microsoft 365 security is a shallow veneer. Multi factor authentication turned on for most users. A conditional access rule or two. A default anti phishing policy. A Secure Score somewhere in the middling sixties, reviewed once when the tenant was set up and never again. That is not a security posture. That is a starting point.
A real Microsoft 365 security audit looks at how identity, access, data, email, collaboration, and device controls actually work together. It surfaces the exception users who were added to an MFA bypass group in 2021 and forgotten. The SharePoint site sharing data externally with a defunct contractor's Gmail address. The OAuth app that was approved for a pilot two years ago and still has mailbox read access. The guest users who have never signed in and have tenant wide privileges. The legacy authentication protocols still enabled for one line of business application. These are the findings that matter, and they are not visible in Secure Score.
What Does A Real Microsoft 365 Security Audit Actually Cover?
Eleven distinct audit domains. Not every engagement covers every domain at equal depth. Scope is tailored to your tenant and compliance needs.
Eleven domains: Identity and authentication, Entra ID posture, Exchange Online, SharePoint and OneDrive, Teams, the Defender suite, Purview, Intune and device posture, logging and retention, third-party integrations, and compliance mapping. Secure Score is a score, not an audit. A real audit produces evidence and a prioritized remediation roadmap.
Identity And Authentication
MFA coverage and method strength, conditional access policy review, sign in risk and user risk review, privileged identity management, break glass accounts, legacy authentication, and authentication methods policy.
Entra ID Posture
Directory role assignments, privileged access workflows, guest and external user configuration, group based access, application registrations, enterprise applications and their consented permissions, and dynamic group health.
Exchange Online
Anti phishing, anti spam, and anti malware policies. Safe links, safe attachments, and zero hour auto purge. Mailbox audit logging, transport rules, forwarding rules, DMARC/SPF/DKIM alignment, and mail flow analysis for data exfiltration paths.
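As an added example (not code from the original page or from Petronella's toolset), here is how the DMARC part of the Exchange Online review can be scored offline: it parses a `_dmarc` TXT record and applies the rule stated later on this page that p=none with no monitoring is effectively no DMARC. All domain names and record values are constructed; a live review would resolve the real TXT records first.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class DmarcFinding:
    domain: str
    severity: str   # "high", "medium" or "info"
    message: str

def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a lower-cased tag -> value map."""
    tags = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(domain: str, txt: Optional[str]) -> DmarcFinding:
    """Score one domain's record the way the audit finding describes it."""
    if not txt:
        return DmarcFinding(domain, "high", "no DMARC record published")
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcFinding(domain, "high", "TXT record is not a valid DMARC1 record")
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        if not tags.get("rua"):
            # The page's rule: p=none with nobody receiving reports is effectively no DMARC.
            return DmarcFinding(domain, "high", "p=none with no rua reporting: effectively no DMARC")
        return DmarcFinding(domain, "medium", "p=none monitoring only; plan the move to quarantine/reject")
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return DmarcFinding(domain, "medium", f"p={policy} applied to only {pct}% of mail (pct tag)")
        if tags.get("sp", policy).lower() == "none":
            return DmarcFinding(domain, "medium", "subdomain policy sp=none weakens enforcement")
        return DmarcFinding(domain, "info", f"p={policy} enforced on all mail")
    return DmarcFinding(domain, "high", f"missing or unknown policy tag p={policy!r}")

# Constructed sample records (not any real domain's published record).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "example.com": "v=DMARC1; p=none",
    "example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "example.org": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.org",
    "example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc@example.edu",
    "example.io": None,   # no _dmarc TXT record at all
}

def audit_domains(records: Dict[str, Optional[str]]) -> List[DmarcFinding]:
    return [assess_dmarc(domain, txt) for domain, txt in records.items()]

if __name__ == "__main__":
    for f in audit_domains(SAMPLE_RECORDS):
        print(f"[{f.severity:6}] {f.domain}: {f.message}")
```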
SharePoint And OneDrive
External sharing defaults, anonymous link lifetime, sensitivity label coverage, data loss prevention policy efficacy, unused shared files and their sharing scopes, and SharePoint site permissions drift.
Teams
External access, guest policy, meeting policies, data loss prevention in chat, recording and transcription governance, and app permission policies.
Defender Suite
Defender for Office 365 tuning, Defender for Endpoint coverage and tamper protection, Defender for Cloud Apps app governance, and Defender for Identity on the on premises bridge.
Purview
Information protection labels, data loss prevention, communication compliance, insider risk management, audit log retention, and eDiscovery readiness.
Intune And Device Posture
Compliance policies, configuration profiles, app protection policies, Windows Autopilot readiness, and mobile device encryption posture.
Logging And Retention
Unified audit log enablement, log retention per license tier, SIEM integration readiness, and mailbox audit configuration.
Third Party Integrations
Every OAuth consent, every enterprise app, every guest external identity provider, and every Power Platform connector that can exfiltrate data.
Compliance Mapping
Cross reference findings against CMMC 2.0 Level 2, HIPAA Security Rule, NIST 800-171, SOC 2, PCI DSS, and state breach notification law requirements as applicable.
How Does Petronella Conduct A Microsoft 365 Security Audit From Start To Finish?
Structured, efficient, and designed to minimize disruption to your team.
Week one is read-only discovery with delegated access and scripted collection. Week two is evidence analysis and finding validation. Week three is the written report, the remediation roadmap, and the executive briefing. Most audits run two to four weeks end to end. We do not make configuration changes during the audit itself unless specifically requested.
Scoping call to understand tenant size, licensing, and compliance drivers.
Read only Global Reader or equivalent delegated access to your tenant.
Automated collection via PowerShell and Graph API against the eleven domains.
Expert manual review and correlation against compliance frameworks.
Findings session with your team, remediation roadmap, and formal report.
Most mid market audits run two to four weeks end to end. We operate with Global Reader or Security Reader permissions throughout the assessment, never with elevated rights, so your tenant is never at risk during collection. The deliverable is a written report plus a live read-out session, not a PDF dropped in your inbox.
What Are The Most Common Microsoft 365 Audit Findings In Organizations Just Like Yours?
Ten findings that show up in almost every mid market Microsoft 365 audit. Read this list, and the number you can honestly check off for your own tenant is probably telling.
A handful repeat in nearly every tenant: MFA bypass exception groups forgotten since initial rollout, OAuth apps consented years ago with broad mailbox permissions still attached, external sharing defaults that expose SharePoint data, inbox rules that quietly forward mail, legacy authentication still enabled for one line of business app, guest accounts with tenant-wide privileges, and unified audit log gaps.
Exception users without MFA. Executives, service accounts, or a developer who asked for an exclusion once. Attackers target these accounts first because the data on MFA enforcement is public information if you know where to look.
Legacy authentication still partially enabled. One protocol, for one workload, that should have been turned off years ago. Legacy auth bypasses conditional access and MFA by design.
Guest users with broad tenant access. External identities invited years ago and never deactivated. Some with privileges that exceed what any internal employee has.
OAuth application consent sprawl. Dozens to hundreds of third party applications that users self consented to, some of which have mailbox or SharePoint read access and are no longer used.
Auto forwarding rules that hide vendor emails. A sign of a prior or active compromise, or just poor hygiene. Either way worth investigating.
External sharing defaults set to Anyone. Including at the SharePoint site level, where the admin did not realize it was inheriting.
Audit log retention at the default. Ninety days is not enough for a real investigation. Most compliance frameworks expect one year minimum.
No Defender for Office 365 policies, or default policies with no tuning. Anti phishing thresholds wide open, safe links not applied to email, safe attachments never enabled.
No DMARC on the primary sending domain. Or DMARC at p=none with no monitoring, which is effectively no DMARC.
Global admins with standing access and no MFA hardening. Privileged identity management exists in Entra ID P2 and solves this problem, but is rarely configured.
Most tenants we audit hit six or more of these. Fixing them is not expensive. Finding them is the hard part.
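Two of the repeat findings above, inbox rules that forward or hide mail and OAuth consent grants with broad mailbox or file access, can be checked from exported tenant data. This is an added example, not Petronella's in house tooling: the record fields follow the property names of Get-InboxRule and Get-MgOAuth2PermissionGrant output, while the `LastSignInDays` field, the hide-folder heuristic and every sample record are constructed assumptions.

```python
from typing import Dict, List

# Graph scopes that give an app mailbox or file read access (subset, for the demo).
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Read.Shared",
                "Files.Read.All", "Sites.Read.All"}
# Heuristic: folders a hiding rule commonly parks mail in so the owner never sees it.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                "conversation history"}

def inbox_rule_findings(rules: List[Dict], tenant_domain: str) -> List[str]:
    """Flag rules that send mail outside the tenant or quietly hide matching mail."""
    findings = []
    suffix = "@" + tenant_domain.lower()
    for r in rules:
        targets = ((r.get("ForwardTo") or []) + (r.get("RedirectTo") or [])
                   + (r.get("ForwardAsAttachmentTo") or []))
        external = [t for t in targets if not t.lower().endswith(suffix)]
        if external:
            findings.append(f"{r['Mailbox']}: rule '{r['Name']}' sends mail to external {external}")
        # A rule is only "hiding" if it both filters on content and removes the message from view.
        filtered = r.get("SubjectContainsWords") or r.get("FromAddressContainsWords")
        hides = r.get("DeleteMessage") or (r.get("MoveToFolder") or "").lower() in HIDE_FOLDERS
        if filtered and hides:
            findings.append(f"{r['Mailbox']}: rule '{r['Name']}' hides mail matching {filtered}")
    return findings

def oauth_grant_findings(grants: List[Dict], apps: Dict[str, Dict]) -> List[str]:
    """Flag consent grants with broad scopes; tenant-wide or long-unused apps rank highest."""
    findings = []
    for g in grants:
        broad = sorted(set(g["Scope"].split()) & BROAD_SCOPES)
        if not broad:
            continue
        app = apps.get(g["ClientId"], {})
        tenant_wide = g["ConsentType"] == "AllPrincipals"   # admin consent for everyone
        stale = app.get("LastSignInDays", 0) > 180            # LastSignInDays is a constructed field
        sev = "high" if (tenant_wide or stale) else "medium"
        findings.append(f"[{sev}] {app.get('DisplayName', g['ClientId'])}: {', '.join(broad)} "
                        f"({'tenant-wide' if tenant_wide else 'per-user'} consent, "
                        f"last sign-in {app.get('LastSignInDays', '?')} days ago)")
    return findings

# Constructed sample exports for the demonstration.
SAMPLE_RULES = [
    {"Mailbox": "ap@example.com", "Name": "Vendor", "ForwardTo": ["x@gmail.example"],
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "RSS Feeds"},
    {"Mailbox": "ceo@example.com", "Name": "Team", "RedirectTo": ["ea@example.com"]},
    {"Mailbox": "hr@example.com", "Name": "Cleanup", "DeleteMessage": True},
]
SAMPLE_GRANTS = [
    {"ClientId": "app-1", "ConsentType": "Principal", "Scope": "User.Read"},
    {"ClientId": "app-2", "ConsentType": "Principal", "Scope": "User.Read Mail.Read offline_access"},
    {"ClientId": "app-3", "ConsentType": "AllPrincipals", "Scope": "Sites.Read.All"},
]
SAMPLE_APPS = {
    "app-1": {"DisplayName": "Calendar Widget", "LastSignInDays": 3},
    "app-2": {"DisplayName": "Pilot Mail Sync", "LastSignInDays": 700},
    "app-3": {"DisplayName": "Doc Indexer", "LastSignInDays": 10},
}

if __name__ == "__main__":
    for line in (inbox_rule_findings(SAMPLE_RULES, "example.com")
                 + oauth_grant_findings(SAMPLE_GRANTS, SAMPLE_APPS)):
        print(line)
```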
What Deliverables Do You Walk Away With After The Audit Closes?
The whole point of an audit is to drive action. The deliverables are built to support that.
A written report with findings and evidence, a prioritized remediation roadmap with effort estimates, a compliance mapping to CMMC Level 2, HIPAA, NIST 800-171, or SOC 2 as applicable, an executive summary suitable for a board or cyber insurance carrier, and an optional remediation engagement. Findings are ranked by risk and effort, not by audit-industry convention.
Executive summary. A one to two page view for the board or leadership. Risk themes, overall posture rating, top recommended actions, and estimated effort. Written in plain English, not compliance jargon.
Detailed findings report. Every issue, categorized by severity, with evidence, a plain language description of the risk, a prioritized recommended action, and a compliance framework cross reference where applicable. This document is audit worthy for HIPAA, CMMC, and SOC 2 engagements.
Prioritized remediation roadmap. Phase one (highest impact, lowest effort) through phase three (longer term posture improvements). Includes estimated effort per item and dependencies.
Compliance mapping. For clients pursuing CMMC 2.0 Level 2, HIPAA, NIST 800-171, or SOC 2, every finding is mapped to the applicable control so the report plugs directly into the compliance program.
Optional remediation support. Clients can engage Petronella Technology Group to implement the remediation plan, or hand the roadmap to their internal team or managed service provider. We are equally happy to deliver either way.
Baseline for future audits. The evidence and posture captured at the end of an audit becomes the starting point for the next one. Organizations that run an audit annually see measurable posture improvement year over year.
Who This Audit Is Built For
Common Questions
How long does the audit take?
Most mid market engagements take two to four weeks end to end. Large or highly regulated tenants can run longer. Scoping call determines the plan.
What access do you need?
Global Reader role in Entra ID, plus any workload specific read only roles needed (Security Reader, Exchange View Only Organization Management, SharePoint Administrator in read only mode where applicable). We never ask for Global Administrator.
Will the audit disrupt our users?
No. All activity is read only. User experience is not affected during collection.
Can you help us remediate what you find?
Yes. Remediation is a separate engagement we quote alongside the audit, or clients can implement internally with the roadmap. No pressure either way.
How often should we run an audit?
Annually at minimum. Post incident, before major compliance milestones, or after significant tenant changes (merger, new SaaS integration, new regulatory regime). Ongoing managed security clients get continuous monitoring in lieu of periodic audits.
What does it cost?
Scoped per engagement. A straightforward SMB audit is a fixed fee. Large or highly complex tenants (multiple subsidiaries, multi forest Entra ID, heavy compliance lift) are scoped after the initial call. We quote before work begins.
Will this satisfy our cyber insurance or auditor?
For most insurers and many compliance auditors, yes. The findings report is formatted to support HIPAA, CMMC, NIST 800-171, and SOC 2 evidence. Let us know your specific framework upfront so we can tune the deliverable.
Where Microsoft Licensing Limits What You Can Do
Some security controls require specific license tiers. Part of the audit is flagging where a license upgrade would materially improve security and where it would not.
Microsoft 365 licensing is tiered and the security features available vary significantly. Business Basic and Business Standard offer the foundation but omit many advanced controls. Business Premium adds Conditional Access, Intune, Defender for Office 365 Plan 1, and Defender for Business, which is usually the right tier for serious small and mid market posture. Enterprise E3 adds more identity and information protection. Enterprise E5 or the Enterprise Mobility + Security E5 add on unlock Privileged Identity Management, Defender for Identity, Defender for Cloud Apps, Insider Risk Management, Communication Compliance, and advanced Entra ID identity governance.
We do not upsell licenses. We flag where a license gap is material to your risk profile and what the cost delta would be at renewal, so your procurement team can make an informed decision. Many clients find that a Business Premium upgrade from Business Standard pays for itself in reduced risk within a year. Others find that E5 features are not yet worth the cost given the current posture, and we are honest about that.
We also flag where third party tools overlap with Microsoft native controls. A standalone MDR service that duplicates Defender for Endpoint telemetry is sometimes worth keeping, sometimes worth retiring. That is a judgment call that depends on your team's appetite for in house versus outsourced operations.
Ongoing Microsoft 365 Managed Security
A point in time audit tells you where you stand today. Ongoing managed security keeps you there as Microsoft and attackers both keep evolving.
Microsoft ships new security features, deprecates old behaviors, and updates defaults at a faster cadence than most internal IT teams can track. Every quarter there is a new authentication method, a new conditional access capability, a deprecated protocol, or a change in default behavior that shifts posture either up or down. Organizations that set up their tenant once and never revisit it drift toward insecurity as new features go unadopted and old settings no longer reflect best practice.
Our ongoing Microsoft 365 managed security service covers monthly posture delta reviews, proactive application of new features that align with your compliance framework, quarterly tabletop exercises on realistic incident scenarios, continuous Conditional Access tuning as user travel and work patterns evolve, and integration of your tenant telemetry into our managed detection and response service for twenty four seven monitoring. Most clients who start with an audit convert to ongoing managed security within a quarter or two, once they see the pace of change.
Smaller organizations that do not want a full managed relationship can subscribe to a quarterly check in model, where the audit is refreshed every three to six months and a shorter session walks through new findings. This is a middle ground between one off audits and fully managed operations, and it fits a lot of small defense contractors and medical practices well.
For clients who are running their own security operations and just want a neutral outside view, we also offer a light touch annual audit plus an on call arrangement where our team is available as a sounding board for architecture decisions without ongoing monthly fees. Flexibility is the point. We shape the engagement to what your organization actually needs.
Why Petronella Runs Microsoft 365 Audits Well
A quick credibility note. There are a lot of firms offering Microsoft 365 assessments right now. Here is what makes ours different.
Our team has run Microsoft 365 incident response cases regularly since 2018, which means we know what failed configurations actually look like when they are exploited, not just what Microsoft documents say they should look like. That translates directly into better audit findings.
We hold CMMC Registered Practitioner credentials across the team and are registered as CMMC-AB RPO #1449. For defense contractor clients, the audit can double as the control evidence base for CMMC 2.0 Level 2 readiness.
Our engagements are done by the same senior team members who do our compliance and incident response work. Junior analysts do not run these audits. You get the benefit of two decades of field experience on each engagement.
We use both Microsoft native tooling (Microsoft Graph, PowerShell modules, Security and Compliance Center exports, Entra ID governance queries) and our own in house analysis scripts built from case experience. The combination catches issues that automated tools alone miss.
We deliver the findings in an honest, actionable format. No pages of boilerplate. No padded low severity items. No false sense of urgency. Just the things we found, how risky they are, and what to do about them in order.
The Risk Of Skipping The Audit
A short math exercise on why periodic Microsoft 365 audits are one of the higher return security investments you can make.
A single business email compromise incident at a mid market organization, including lost funds, incident response fees, carrier deductible, customer notification costs, and time spent by your leadership team, routinely lands in the hundreds of thousands of dollars of total impact. Several of the incidents Petronella Technology Group has responded to have crossed seven figures. The controls that would have prevented most of those incidents are free (forwarding rule alerting, conditional access to block legacy auth, MFA on every account) or cheap (a license tier that enables Privileged Identity Management).
A Microsoft 365 audit that costs a few thousand dollars and surfaces ten to twenty fixable issues that would have enabled or amplified an incident is extraordinary leverage. We have not yet run an audit where we found nothing material. The question is not whether you have issues. The question is how quickly you find them relative to how quickly an attacker does.
Cyber insurance carriers are increasingly pricing this into their underwriting. Renewals that include a recent third party Microsoft 365 security audit with a documented remediation plan now draw better pricing in many markets. The audit pays itself back through premium improvement in a single renewal cycle for many mid market clients.
For defense contractors pursuing CMMC, the audit is not optional. The CMMC 2.0 Level 2 assessment process inspects the exact surface the audit covers. Organizations that have not run an independent audit tend to fail their pre assessment and then scramble in a compressed timeline. Organizations that have run an audit six to twelve months in advance usually pass on the first attempt. The delta is measured in weeks of leadership time and tens of thousands of dollars of assessor fees.
Getting The Most Out Of Your Microsoft 365 Audit
A few simple actions before the audit starts that will make the findings more useful and the engagement faster.
Pull your current license inventory. Know what you are paying for and who has what license assigned. Many audits turn up users with expensive licenses they do not use, and users doing privileged work on inadequate licenses. A current license map is a fifteen minute task that pays dividends.
List your compliance frameworks and key contractual obligations. CMMC, HIPAA, SOC 2, PCI DSS, DFARS, state breach law. Also any customer facing SOC 2 commitments, DPA terms, or business associate agreements. Compliance mapping is only useful if we know what you have committed to.
Identify your power users and service accounts. The audit is far more useful when we know which mailboxes handle customer payments, which accounts run integrations and automation, and which users have administrative privileges. A quick org chart and a list of service account owners is ideal.
Share recent incident context if any. If you had a phishing event, a suspicious login, a failed login spike, or a past compromise, tell us. That history shapes where we dig. Audits that start with a list of "things that made us nervous last year" often land higher impact findings.
Assign an internal point of contact. Someone who can answer questions about business workflows, integrations, and prior security decisions. Usually a senior IT person or a CISO equivalent. Does not need to be full time on the engagement, but needs to be reachable.
None of these are hard requirements. We can run an audit without them. But the findings are more targeted and the remediation roadmap more useful when we start with this context.
Find Out What Your Tenant Actually Looks Like
Secure Score is marketing. A real Microsoft 365 security audit shows you the misconfigurations, the legacy protocols, the forgotten exceptions, and the compliance gaps. Call Petronella Technology Group at (919) 348-4912.