
This is for you if...
- You run Microsoft 365 but have never had a formal security review of the tenant
- You're not confident your Secure Score, MFA coverage or Conditional Access setup actually holds up
- You need a straight answer on your real exposure, not a generic best-practice list
Microsoft 365 ships secure defaults, but almost nobody runs them by default: MFA gaps, stale guest access, unmonitored admin roles and unlabelled sensitive data build up quietly until an incident forces the audit. It's cheaper to find these gaps yourself, on your own schedule.
What's inside
- A scored posture check across identity, data protection, device management and threat protection
- The specific settings and policies that separate a real posture from a paper one
- A clear low/medium/high read on where you actually stand today
- Priority order for what to fix first, based on real risk, not a generic checklist
Microsoft 365 ships with secure defaults, but almost nobody runs them by default. This self-assessment scores your real posture across four areas, honestly rate yourself low, medium or high against each, and you'll have a clear read on where you actually stand today.
Work through this with whoever manages your tenant, whether that's an internal team or an outsourced provider. The goal isn't a perfect score, it's an honest one you can act on.
1. Identity & Access
- Low: MFA is optional or inconsistently enforced, and admin accounts aren't treated any differently from everyday ones.
- Medium: MFA is enforced for most users, but Conditional Access is minimal and privileged roles aren't reviewed regularly.
- High: MFA is enforced everywhere, Conditional Access governs risky sign-ins and locations, and privileged roles are reviewed on a schedule.
2. Data Protection
- Low: No sensitivity labelling, no data loss prevention policies, and sharing links default to "anyone with the link."
- Medium: Some sensitivity labels exist, but they aren't applied consistently, and DLP policies cover only the obvious cases.
- High: Sensitivity labels are applied consistently, DLP policies are tuned to your actual data, and external sharing defaults are locked down.
3. Device Management
- Low: Devices access company data with no compliance check, encryption isn't enforced, and lost devices can't be wiped remotely.
- Medium: Some devices are enrolled and managed, but coverage is inconsistent and policy isn't enforced for everyone.
- High: All devices are enrolled, compliance policies are enforced before access is granted, and remote wipe is available for every device.
4. Threat Protection & Monitoring
- Low: Default anti-phishing and malware settings only, with nobody actively reviewing alerts.
- Medium: Defender policies have been tuned, but alert review is ad hoc rather than a standing responsibility.
- High: Defender policies are tuned to your risk profile, alerts are actively monitored, and there's a documented response process when something fires.
Where this leaves you
Most tenants score medium on paper and low in practice, the settings exist, but nobody checked whether they're actually configured correctly or still doing their job six months on. That gap is exactly what attackers rely on, not a sophisticated exploit, just an MFA setting nobody finished turning on. Systech's Microsoft 365 Security service runs this same review against your live tenant, then closes what it finds in priority order.
