The Microsoft 365 Tenant Audit Checklist for Small Businesses
If you've been using Microsoft 365 for more than a year without a structured review, there's a good chance things have drifted. Users come and go, licenses accumulate, permissions get handed out loosely, and nobody remembers why half the settings are the way they are. That's normal — but it's also fixable.
This Microsoft 365 tenant audit checklist walks through the five core areas every small business should review at least once a year. Whether you're doing it yourself or bringing in outside help, this is the framework we use at Abyss Tech when we take on a new client.
1. Identity & Access Management
Your identity layer is the front door to everything in Microsoft 365. It's also the most commonly misconfigured area in small business tenants.
What to check:
- Are all active user accounts tied to real, current employees?
- Are there any shared mailboxes or service accounts with full user licenses assigned? (A shared mailbox under 50 GB needs no license unless you want an archive or a litigation hold; a licensed one is usually a leaver's mailbox that was converted but never delicensed.)
- Is Multi-Factor Authentication (MFA) enforced for all users — not just admins?
- Are legacy authentication protocols (Basic Auth for IMAP, POP, SMTP AUTH and older Outlook clients) blocked? They cannot prompt for MFA, so a leaked password is enough on its own. Microsoft has switched Basic Auth off in Exchange Online except SMTP AUTH, so check that SMTP AUTH is disabled where it is not needed and that a Conditional Access policy (or Security Defaults) blocks legacy clients.
- Do your administrators use dedicated admin-only accounts, separate from the daily-use accounts they read mail and browse with?
- Are there any guest accounts in Microsoft Entra ID (formerly Azure AD) that are no longer needed?
A single orphaned admin account from a former employee or contractor is all it takes for a serious breach. This section alone is worth auditing quarterly.
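The checks above can be scripted rather than clicked through. The following is an added example, not code from the article or from Abyss Tech; it assumes the Microsoft.Graph PowerShell SDK (v2), an account such as Global Reader that can consent to the listed read scopes, and a 90-day cutoff for "stale". The sign-in timestamps come from the signInActivity property, which Microsoft only populates for tenants that hold a Microsoft Entra ID P1 or P2 license; without it the script falls back to the account creation date, so treat those rows as "unknown" rather than "inactive".

```powershell
# Added audit example (not the article's own code). Assumes Microsoft.Graph PowerShell SDK v2.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Reports

Connect-MgGraph -Scopes 'User.Read.All','Directory.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

$StaleDays = 90                                   # assumption: 90 days of silence counts as stale
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# Pull every user once with everything the checks need.
$users = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,UserType,CreatedDateTime,AssignedLicenses,SignInActivity

function Get-LastSignIn($u) {
    # signInActivity is null for users who never signed in (or tenants without P1); fall back to creation time.
    $t = $u.SignInActivity.LastSignInDateTime
    if ($null -eq $t) { $t = $u.CreatedDateTime }
    return $t
}

# Check 1: enabled member accounts with no sign-in for $StaleDays days (likely leavers still holding access).
$staleMembers = $users | Where-Object { $_.AccountEnabled -and $_.UserType -eq 'Member' -and (Get-LastSignIn $_) -lt $cutoff }

# Check 2: guests that have gone quiet and can probably be removed.
$staleGuests = $users | Where-Object { $_.UserType -eq 'Guest' -and (Get-LastSignIn $_) -lt $cutoff }

# Check 3: members of every activated directory role with "Administrator" in its name, joined back to the
# user list. "Licensed" is a hint that the admin account is also somebody's daily-use account.
$adminRows = foreach ($role in Get-MgDirectoryRole -All | Where-Object DisplayName -match 'Administrator') {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $u = $users | Where-Object Id -eq $m.Id
        if ($null -eq $u) { continue }            # group and service-principal members are skipped here
        [pscustomobject]@{
            Role       = $role.DisplayName
            User       = $u.UserPrincipalName
            Enabled    = $u.AccountEnabled
            Licensed   = $u.AssignedLicenses.Count -gt 0
            LastSignIn = Get-LastSignIn $u
            Stale      = (Get-LastSignIn $u) -lt $cutoff
        }
    }
}

# Check 4: MFA registration report. IsAdmin comes from the report itself, so admins without a second factor
# sort to the top and are the first rows to fix.
$mfa   = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$noMfa = $mfa | Where-Object { -not $_.IsMfaRegistered } | Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin, IsMfaCapable, @{n='Methods';e={ $_.MethodsRegistered -join ',' }}

"== Enabled members with no sign-in in $StaleDays days =="
$staleMembers | Select-Object UserPrincipalName, @{n='LastSignIn';e={ Get-LastSignIn $_ }} | Format-Table -AutoSize
"== Guests with no sign-in in $StaleDays days =="
$staleGuests  | Select-Object UserPrincipalName, @{n='LastSignIn';e={ Get-LastSignIn $_ }} | Format-Table -AutoSize
"== Directory role members (stale first) =="
$adminRows | Sort-Object Stale -Descending | Format-Table -AutoSize
"== Users without MFA registered (admins first) =="
$noMfa | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Get-MgDirectoryRole only returns roles that have been activated in the tenant, which is what you want here: a role nobody has ever been assigned has no members to review. Run this quarterly, as the article suggests, and diff the admin table against the previous run.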
2. Licensing & Cost Rationalization
Microsoft 365 licensing is one of the easiest places for small businesses to overspend — and one of the easiest to fix once you look at it clearly.
What to check:
- Run the Microsoft 365 Admin Center license report. How many assigned licenses are tied to inactive or deleted users?
- Are you on the right plan? Many small teams pay for E3 or Business Premium when Business Basic would cover their actual usage. Check what you would lose before downgrading: Business Premium bundles Defender for Business and Intune, and dropping those to save on licensing can cost more in the next section.
- Are you paying for add-ons (like advanced compliance or audio conferencing) that nobody is actively using?
- Do any users have duplicate licenses from a migration or trial that was never cleaned up?
We've seen small teams cut their M365 spend by 25–35% in a single audit pass. The savings often cover the cost of the engagement entirely.
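The admin center license report answers the first bullet; the rest are easier from PowerShell. The script below is an added example, not the article's or Abyss Tech's own code. It assumes the Microsoft.Graph PowerShell SDK and the ExchangeOnlineManagement module, a 90-day inactivity threshold, and Microsoft's published SKU part numbers for the base suites (O365_BUSINESS_ESSENTIALS is Business Basic, O365_BUSINESS_PREMIUM is Business Standard, SPB is Business Premium, SPE_E3/SPE_E5 are Microsoft 365 E3/E5, ENTERPRISEPACK/ENTERPRISEPREMIUM are Office 365 E3/E5). As in the identity example, signInActivity needs an Entra ID P1 or P2 license in the tenant.

```powershell
# Added licensing audit example (not the article's own code).
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.DirectoryManagement, ExchangeOnlineManagement
Connect-MgGraph -Scopes 'User.Read.All','Organization.Read.All','AuditLog.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false

$cutoff = (Get-Date).AddDays(-90)                 # assumption: 90 days without a sign-in = inactive

# SKU inventory: purchased vs consumed units. A large "Unassigned" column is shelfware you are paying for.
$skus    = Get-MgSubscribedSku -All
$skuName = @{}; $skus | ForEach-Object { $skuName[$_.SkuId] = $_.SkuPartNumber }
"== Subscriptions =="
$skus | Select-Object SkuPartNumber, @{n='Purchased';e={ $_.PrepaidUnits.Enabled }}, ConsumedUnits,
    @{n='Unassigned';e={ $_.PrepaidUnits.Enabled - $_.ConsumedUnits }} | Format-Table -AutoSize

# Only users that actually hold a license are interesting from here on.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,AssignedLicenses,SignInActivity,CreatedDateTime |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

function Get-SkuList($u) { ($u.AssignedLicenses | ForEach-Object { $skuName[$_.SkuId] }) -join ',' }

# Licensed but disabled (leaver blocked but never delicensed), or licensed and silent for 90 days.
$wasted = $users | Where-Object {
    $last = $_.SignInActivity.LastSignInDateTime
    if ($null -eq $last) { $last = $_.CreatedDateTime }
    (-not $_.AccountEnabled) -or ($last -lt $cutoff)
} | Select-Object UserPrincipalName, AccountEnabled, @{n='Skus';e={ Get-SkuList $_ }}

# Overlapping suites: one user holding two base plans almost always comes from a trial or a migration
# that was never cleaned up.
$baseSuites = 'O365_BUSINESS_ESSENTIALS','O365_BUSINESS_PREMIUM','SPB','SPE_E3','SPE_E5','ENTERPRISEPACK','ENTERPRISEPREMIUM'
$duplicates = $users | ForEach-Object {
    $held = @($_.AssignedLicenses | ForEach-Object { $skuName[$_.SkuId] } | Where-Object { $_ -in $baseSuites })
    if ($held.Count -gt 1) { [pscustomobject]@{ User = $_.UserPrincipalName; Suites = $held -join ',' } }
}

# Shared mailboxes do not need a license below 50 GB unless you want an archive or a litigation hold,
# so any that carry one are usually leftovers from converting a leaver's mailbox.
$sharedUpns     = (Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited).UserPrincipalName
$licensedShared = $users | Where-Object { $_.UserPrincipalName -in $sharedUpns } |
    Select-Object UserPrincipalName, @{n='Skus';e={ Get-SkuList $_ }}

"== Licensed users that are disabled or inactive ==";  $wasted         | Format-Table -AutoSize
"== Users holding more than one base suite ==";        $duplicates     | Format-Table -AutoSize
"== Shared mailboxes carrying a license ==";            $licensedShared | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false; Disconnect-MgGraph | Out-Null
```

Before removing a license from a "wasted" row, confirm the account is not a service identity that signs in non-interactively; those show no interactive sign-in but may still be in use.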
3. Security Baselines
Microsoft 365 ships with Security Defaults, which require every user to register for MFA and block legacy authentication. That is better than nothing, but it is all-or-nothing and does nothing about sharing, consent or logging. For small businesses without a dedicated security team, there is a practical middle ground.
What to check:
- Are Microsoft's Security Defaults enabled, or has your tenant been configured with Conditional Access policies instead? The two are mutually exclusive, so a tenant with Security Defaults switched off and no enabled Conditional Access policy has nothing enforcing MFA.
- Is the Secure Score in the Microsoft Defender portal, shown as a percentage of your tenant's maximum, above 50%? Below that is a red flag.
- Are users able to consent to third-party apps connecting to their M365 accounts without admin approval?
- Is external sharing in SharePoint and OneDrive scoped appropriately, or is it set to "Anyone" (links that work without signing in)?
- Is the unified audit log enabled, and is retention long enough? The default is 180 days on Audit (Standard), so an incident discovered late may already be outside the log window. (Required for any incident investigation.)
- Is there a baseline Data Loss Prevention (DLP) policy in place, even a simple one?
You don't need enterprise-level security tooling. You do need the basics configured correctly.
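Every item on this list is a single tenant-wide setting, so the whole section can be read in one pass. The script below is an added example, not the article's or Abyss Tech's own code. It assumes the Microsoft.Graph SDK, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules, an admin account for the Purview (compliance) endpoint, and a tenant named contoso (replace the SharePoint admin URL). The 50% Secure Score threshold is the one the article uses.

```powershell
# Added baseline-check example (not the article's own code).
Import-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Security, ExchangeOnlineManagement, Microsoft.Online.SharePoint.PowerShell
Connect-MgGraph -Scopes 'Policy.Read.All','SecurityEvents.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession                                              # Purview endpoint, needed for DLP cmdlets
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # assumption: tenant name contoso

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($check, $value, $ok) { $findings.Add([pscustomobject]@{ Check = $check; Value = $value; OK = $ok }) }

# Security Defaults and Conditional Access are mutually exclusive. Defaults off with no enabled CA policy
# means nothing is enforcing MFA.
$defaults = (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled
$caOn     = @(Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled')
$mfaEnforced = $defaults -or ($caOn.Count -gt 0)
Add-Finding 'Security Defaults enabled'            $defaults    $mfaEnforced
Add-Finding 'Enabled Conditional Access policies'  $caOn.Count  $mfaEnforced

# Legacy authentication: Security Defaults block it outright; otherwise look for an enabled CA policy
# whose client app condition covers the "other" (legacy) clients and whose grant control is "block".
$legacyBlock = @($caOn | Where-Object {
    $_.Conditions.ClientAppTypes -contains 'other' -and $_.GrantControls.BuiltInControls -contains 'block' })
$legacyBlocked = $defaults -or ($legacyBlock.Count -gt 0)
Add-Finding 'Legacy authentication blocked' $legacyBlocked $legacyBlocked

# Secure Score as a percentage of the tenant's maximum (newest snapshot).
$score = Get-MgSecuritySecureScore -Top 5 | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$pct   = [math]::Round(100 * $score.CurrentScore / $score.MaxScore, 1)
Add-Finding 'Secure Score %' $pct ($pct -ge 50)

# User consent. Empty = users cannot consent at all; "microsoft-user-default-low" = only low-risk permissions
# from verified publishers; "microsoft-user-default-legacy" = users may consent to anything.
$consent = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned) -join ','
Add-Finding 'User consent policy' $consent ($consent -notmatch 'legacy')

# SharePoint / OneDrive external sharing. "ExternalUserAndGuestSharing" is the "Anyone" link level.
$spo = Get-SPOTenant
Add-Finding 'SharePoint sharing' $spo.SharingCapability         ($spo.SharingCapability -ne 'ExternalUserAndGuestSharing')
Add-Finding 'OneDrive sharing'   $spo.OneDriveSharingCapability ($spo.OneDriveSharingCapability -ne 'ExternalUserAndGuestSharing')

# Unified audit log ingestion has to be on before the incident, not after.
$audit = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Add-Finding 'Unified audit log enabled' $audit $audit

# At least one enabled DLP policy, however simple.
$dlp = @(Get-DlpCompliancePolicy | Where-Object Enabled)
Add-Finding 'Enabled DLP policies' $dlp.Count ($dlp.Count -gt 0)

$findings | Format-Table -AutoSize

Disconnect-SPOService; Disconnect-ExchangeOnline -Confirm:$false; Disconnect-MgGraph | Out-Null
```

A row with OK = False is a finding for the "fix immediately" bucket; the Value column records what you saw so the next audit can show the change.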
4. SharePoint & Teams Structure
SharePoint and Teams are where most of the day-to-day chaos lives in small business M365 tenants. Without governance, they sprawl quickly.
What to check:
- How many Teams exist in your tenant? Are any abandoned or duplicated?
- Is there a clear, consistent folder structure in SharePoint, or has everyone created their own?
- Are files still living in personal OneDrives that should be in shared SharePoint libraries?
- Are external users (guests) in any Teams channels? Do you know who they are and why?
- Are old project sites or team channels archived or just abandoned?
- Is there a naming convention for Teams and SharePoint sites — or has everyone just made things up as they went?
A messy SharePoint is a productivity tax your team pays every single day. It's also a security risk when nobody knows what's shared with whom.
5. Apps, Integrations & Connectors
Over time, small business M365 tenants accumulate app connections — some intentional, many forgotten.
What to check:
- What third-party apps have been granted OAuth access to your Microsoft 365 tenant?
- Are any Power Automate flows running under a user account that has since left the company?
- Are there any Entra ID (Azure AD) app registrations that are unused or unrecognized?
- Are the client secrets, certificates and service accounts used by integrations still in use, not expired, owned by someone who still works there, and scoped to the minimum permissions?
- Are any deprecated connectors or Power Apps still running that nobody maintains?
Every forgotten app connection is a potential attack surface. A clean-up pass here often surfaces surprises.
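The Entra admin center shows these grants one app at a time; a single listing across the tenant is what makes the forgotten ones visible. The script below is an added example, not the article's or Abyss Tech's own code. It assumes the Microsoft.Graph PowerShell SDK and an account with Application.Read.All. "Third-party" is decided by excluding apps owned by Microsoft's own service tenant (AppOwnerOrganizationId f8cdef31-a31e-4b4a-93e4-5f571e91255a); the high-risk scope pattern is an assumption chosen for illustration, not a Microsoft classification. Power Automate flows are not covered here because they live behind the separate Power Platform admin module.

```powershell
# Added app/OAuth inventory example (not the article's own code).
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

$MicrosoftTenant = 'f8cdef31-a31e-4b4a-93e4-5f571e91255a'   # owner tenant of Microsoft's first-party apps
$graphAppId      = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph resource app id

# Every service principal, keyed by object id, so grants resolve to names.
$sps    = Get-MgServicePrincipal -All -Property Id,AppId,DisplayName,AppOwnerOrganizationId,AppRoles,ServicePrincipalType
$spById = @{}; $sps | ForEach-Object { $spById[$_.Id] = $_ }
$graphRoles = @{}
($sps | Where-Object AppId -eq $graphAppId).AppRoles | ForEach-Object { $graphRoles[$_.Id] = $_.Value }

# 1. Delegated (OAuth2) grants. ConsentType "AllPrincipals" is an admin consent for the whole tenant;
#    "Principal" is one user's own consent, which is what the app-consent setting in section 3 controls.
$delegated = Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $client = $spById[$_.ClientId]
    if ($null -eq $client -or $client.AppOwnerOrganizationId -eq $MicrosoftTenant) { return }
    $scope = "$($_.Scope)".Trim()
    [pscustomobject]@{
        App      = $client.DisplayName
        Consent  = $_.ConsentType
        Resource = $spById[$_.ResourceId].DisplayName
        Scopes   = $scope
        HighRisk = $scope -match 'Mail\.ReadWrite|Files\.ReadWrite\.All|Directory\.ReadWrite|\.All\b'   # assumption: scopes worth a second look
    }
}

# 2. Application (app-only) permissions held by third-party service principals. These work with no user
#    signed in, so an abandoned app holding Mail.Read is a standing foothold into every mailbox.
$appOnly = foreach ($sp in $sps | Where-Object { $_.AppOwnerOrganizationId -ne $MicrosoftTenant -and $_.ServicePrincipalType -eq 'Application' }) {
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        [pscustomobject]@{
            App        = $sp.DisplayName
            Resource   = $a.ResourceDisplayName
            Permission = if ($graphRoles.ContainsKey($a.AppRoleId)) { $graphRoles[$a.AppRoleId] } else { $a.AppRoleId }
        }
    }
}

# 3. App registrations owned by this tenant: credential state and owners. Every secret expired and no owner
#    means a removal candidate; a live secret with no owner needs an owner before anything else.
$now = Get-Date
$registrations = foreach ($app in Get-MgApplication -All -Property Id,AppId,DisplayName,PasswordCredentials,KeyCredentials,CreatedDateTime) {
    $creds  = @($app.PasswordCredentials) + @($app.KeyCredentials)
    $live   = @($creds | Where-Object { $_.EndDateTime -gt $now })
    $owners = Get-MgApplicationOwner -ApplicationId $app.Id -All | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
    [pscustomobject]@{
        App          = $app.DisplayName
        Created      = $app.CreatedDateTime.ToString('yyyy-MM-dd')
        LiveSecrets  = $live.Count
        TotalSecrets = $creds.Count
        Owners       = ($owners -join ',')
    }
}

"== Delegated grants to third-party apps ==";            $delegated     | Sort-Object HighRisk -Descending | Format-Table -AutoSize
"== Application permissions held by third-party apps =="; $appOnly       | Format-Table -AutoSize
"== App registrations (fewest live secrets first) ==";    $registrations | Sort-Object LiveSecrets | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Cross-check the Owners column against the stale-user list from section 1: a registration whose only owner has left is the Power Automate problem in a different form.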
Running the Audit: What Comes Next
Once you've gone through this checklist, you'll likely have a list of findings across three categories:
- Fix immediately: Security gaps, orphaned admin accounts, legacy auth still enabled
- Optimize within 30 days: Unused licenses, SharePoint cleanup, guest account review
- Establish going forward: Governance policies, naming conventions, regular review schedule
If this is your first structured audit, expect to find issues in most or all of these areas. That's not a failure — it's the natural result of a growing team using a complex platform without dedicated oversight.
Need Help Running an M365 Audit?
This is exactly the kind of work we do at Abyss Tech Solutions. We come in, assess your tenant against each of these areas, and deliver a clear report with prioritized findings and a remediation plan. No ticket queues. No long-term commitment. Just defined outcomes.
Book a 15-minute intro call to talk through what an audit engagement would look like for your team.