Fifteen M365 controls we check in almost every tenant

Legacy auth, sharing, logging, mail hardening, and admin sprawl: fifteen checks in one script.

Fifteen M365 misconfigurations we find in almost every tenant. Here is a free script to check yours.

Legacy authentication is still enabled in most M365 tenants we audit. The controls are split between Exchange Online (authentication policies, SMTP AUTH) and Entra ID (Security Defaults, Conditional Access), and many teams assume Conditional Access covers it. It does not unless a policy explicitly targets the legacy client-app types ("Exchange ActiveSync clients" and "Other clients"); a policy scoped only to browsers and modern clients never sees a basic-auth IMAP or SMTP login.

Legacy auth bypasses MFA. Protocols such as IMAP, POP3, SMTP AUTH and basic-auth ActiveSync cannot present an MFA prompt, so an attacker with a valid password signs in with that password alone, and a Conditional Access policy that does not target those client types never blocks the request. We see it in long-running tenants, including those with dedicated IT teams.
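As an added example (not code from this page or from the Sentinel Scout script), here is a read-only PowerShell check for the three places legacy authentication survives: Conditional Access policy scope, the Exchange Online SMTP AUTH switch and its per-mailbox overrides, and the sign-in log itself. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed and that you have already run Connect-MgGraph (Policy.Read.All, AuditLog.Read.All, Directory.Read.All) and Connect-ExchangeOnline; the list of clientAppUsed labels treated as legacy is my own heuristic, not a Microsoft definition, and reading sign-in logs through Graph needs an Entra ID P1/P2 licence.

```powershell
# Added example, not the Sentinel Scout script. Assumes open sessions from
#   Connect-MgGraph -Scopes Policy.Read.All,AuditLog.Read.All,Directory.Read.All
#   Connect-ExchangeOnline
# Every cmdlet below is read-only.

function Test-LegacyAuthBlockedByCA {
    # A CA policy covers legacy auth only if it is enabled, its grant control is
    # 'block', it applies to all users, and it targets BOTH legacy client-app types
    # (or 'all'). Policies scoped to groups rather than 'All' are deliberately
    # ignored here; review those by hand.
    $legacyTypes = @('exchangeActiveSync', 'other')
    $covering = foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        if ($p.State -ne 'enabled') { continue }
        if ($p.GrantControls.BuiltInControls -notcontains 'block') { continue }
        if ($p.Conditions.Users.IncludeUsers -notcontains 'All') { continue }
        $types = @($p.Conditions.ClientAppTypes)
        $hitsBoth = @($legacyTypes | Where-Object { $types -contains $_ }).Count -eq 2
        if ($types -contains 'all' -or $hitsBoth) {
            [pscustomobject]@{
                Policy   = $p.DisplayName
                Excluded = @($p.Conditions.Users.ExcludeUsers).Count   # break-glass etc.
            }
        }
    }
    [pscustomobject]@{
        Check  = 'CA blocks legacy auth for all users'
        Pass   = (@($covering).Count -gt 0)
        Detail = @($covering)
    }
}

function Test-SmtpAuthDisabled {
    # Microsoft has retired basic auth for IMAP/POP/EAS in Exchange Online; SMTP AUTH
    # is the one legacy protocol that stays tenant-configurable. Check the org default,
    # then mailboxes where it has been explicitly re-enabled ($false overrides the org).
    $orgOff = (Get-TransportConfig).SmtpClientAuthenticationDisabled
    $overrides = Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.SmtpClientAuthenticationDisabled -eq $false }
    [pscustomobject]@{
        Check  = 'SMTP AUTH disabled org-wide with no per-mailbox overrides'
        Pass   = ($orgOff -and @($overrides).Count -eq 0)
        Detail = @($overrides | Select-Object -ExpandProperty PrimarySmtpAddress)
    }
}

function Get-RecentLegacySignIns {
    param([int]$Days = 7)   # narrow this on large tenants; the log is paged in full
    # Heuristic (assumption): clientAppUsed values that indicate basic-auth protocols.
    $legacyLabels = 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients', 'Exchange ActiveSync'
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    $appClause = ($legacyLabels | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '
    Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and ($appClause)" -All |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Group[0].UserPrincipalName
                Protocol = $_.Group[0].ClientAppUsed
                Attempts = $_.Count
            }
        } | Sort-Object Attempts -Descending
}

# Usage: configuration first, then evidence of who is still using legacy protocols.
@(Test-LegacyAuthBlockedByCA; Test-SmtpAuthDisabled) | Format-Table Check, Pass -AutoSize
Get-RecentLegacySignIns -Days 7 | Format-Table -AutoSize
```

The sign-in query matters as much as the policy check: a blocking policy that was added last week still leaves the accounts that were authenticating over IMAP yesterday, and those are the ones whose passwords an attacker has had a free run at.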

That is one finding. Here is where the other fourteen come from.

Authentication gaps

MFA is rarely universal. Exceptions pile up: shared mailboxes, service accounts, pressure from leadership. Conditional Access exists but leaves legacy protocols open, or break-glass accounts sit outside any compensating control such as sign-in alerting. Running legacy per-user MFA alongside CA-enforced MFA makes it hard to prove who is actually covered, and that confusion shows up in every audit.

External sharing

SharePoint and OneDrive defaults often allow "anyone with the link." The tenant-level setting is a ceiling, not a template: turning off Anyone links there disables them everywhere, but leaving it at Anyone and restricting individual sites by hand leaves every site collection nobody got round to, including ones holding sensitive libraries, able to mint anonymous links. Review the sites, not just the tenant setting.

Audit logging

Unified audit logging is off in a large minority of older tenants. Without it you cannot answer who touched what. Mailbox auditing is a separate, organisation-wide switch that can also be bypassed per mailbox, so check both, and check that the retention period covers how far back an investigation might need to look.

Mail security

Defender for Office 365 policies often do not cover everyone because they are scoped to specific users, groups or domains. DKIM signing is frequently off for one or more accepted domains, and DMARC is missing or left at p=none, which reports spoofing but blocks nothing. Spoofing your domain stays easy until those are fixed.

Admin hygiene

Too many permanent Global Administrators, PIM unused, and admin access granted without time bounds or approvals. Every permanent Global Administrator is a standing credential whose compromise is a whole-tenant compromise.

These five themes cover fifteen discrete checks. Each is verifiable without proprietary tools.
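Each of the four themes after legacy auth reduces to a handful of read-only cmdlets. As an added example (not the Sentinel Scout script, and not a full fifteen-check scorecard), here is a PowerShell scorecard covering Anyone links at tenant and site level, unified audit logging plus mailbox-audit bypasses, DKIM and DMARC per accepted domain, and permanent versus PIM-eligible Global Administrators. It assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules and open sessions from Connect-MgGraph (RoleManagement.Read.Directory, Directory.Read.All), Connect-ExchangeOnline and Connect-SPOService; the `<tenant>` placeholder and the pass thresholds are my own assumptions, and the PIM data needs an Entra ID P2 licence.

```powershell
# Added example, not the Sentinel Scout script. Assumes open sessions from
#   Connect-MgGraph -Scopes RoleManagement.Read.Directory,Directory.Read.All
#   Connect-ExchangeOnline
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com   # <tenant> is a placeholder
# Every cmdlet below is read-only.

function Test-AnyoneLinks {
    # The tenant setting is a ceiling; sites below it can still sit at 'Anyone'
    # (ExternalUserAndGuestSharing) if the tenant itself allows it.
    $tenantLevel = (Get-SPOTenant).SharingCapability
    $anyoneSites = Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{
        Check  = 'No Anyone links at tenant or site level'
        Pass   = ($tenantLevel -ne 'ExternalUserAndGuestSharing' -and @($anyoneSites).Count -eq 0)
        Detail = "tenant=$tenantLevel; sites at Anyone=$(@($anyoneSites).Count)"
    }
}

function Test-AuditLogging {
    # Three separate switches: unified audit log ingestion, org-wide mailbox auditing,
    # and per-mailbox bypass associations that silently exclude accounts.
    $ual    = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    $mboxOn = -not (Get-OrganizationConfig).AuditDisabled
    $bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
        Where-Object { $_.AuditBypassEnabled }
    [pscustomobject]@{
        Check  = 'Unified and mailbox auditing on, no bypasses'
        Pass   = ($ual -and $mboxOn -and @($bypass).Count -eq 0)
        Detail = "UAL=$ual; mailbox auditing=$mboxOn; bypassed mailboxes=$(@($bypass).Count)"
    }
}

function Test-MailAuthentication {
    # DKIM state comes from Exchange Online; a domain with no signing config at all is
    # as unsigned as one that is disabled. DMARC lives in DNS: read the p= tag.
    $domains = Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }
    $dkim    = Get-DkimSigningConfig
    $findings = foreach ($d in $domains) {
        $name   = $d.DomainName.ToString()
        $cfg    = $dkim | Where-Object { $_.Domain -eq $name }
        $dkimOn = [bool]($cfg -and $cfg.Enabled)
        $txt    = (Resolve-DnsName -Name "_dmarc.$name" -Type TXT -ErrorAction SilentlyContinue).Strings -join ''
        $policy = if ($txt -match 'p\s*=\s*(none|quarantine|reject)') { $Matches[1] } else { 'missing' }
        [pscustomobject]@{ Domain = $name; DkimEnabled = $dkimOn; DmarcPolicy = $policy }
    }
    $weak = $findings | Where-Object { -not $_.DkimEnabled -or $_.DmarcPolicy -in 'none', 'missing' }
    [pscustomobject]@{
        Check  = 'DKIM enabled and DMARC enforcing on every authoritative domain'
        Pass   = (@($weak).Count -eq 0)
        Detail = @($weak)
    }
}

function Test-GlobalAdmins {
    param([int]$MaxPermanent = 4)   # assumption: CIS recommends two to four Global Admins
    $gaRole = '62e90394-69f5-4237-9190-012177145e10'   # Global Administrator role template id
    $active   = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$gaRole'" -All
    $eligible = Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -Filter "roleDefinitionId eq '$gaRole'" -All
    # Permanent = directly assigned with no end date. 'Activated' entries are live PIM
    # activations and are expected; eligible assignments are the sign PIM is actually used.
    $permanent = $active | Where-Object { $_.AssignmentType -eq 'Assigned' -and -not $_.EndDateTime }
    [pscustomobject]@{
        Check  = "At most $MaxPermanent permanent Global Admins and PIM eligibility in use"
        Pass   = (@($permanent).Count -le $MaxPermanent -and @($eligible).Count -gt 0)
        Detail = "permanent=$(@($permanent).Count); activated=$(@($active).Count - @($permanent).Count); eligible=$(@($eligible).Count)"
    }
}

# Usage: one row per check; anything with Pass=False is a finding to take to the remediation list.
@(Test-AnyoneLinks; Test-AuditLogging; Test-MailAuthentication; Test-GlobalAdmins) |
    Format-Table Check, Pass, Detail -AutoSize
```

The Detail column carries the evidence (which sites, which domains, how many bypassed mailboxes), which is what turns a pass/fail into a remediation ticket.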


Sentinel Scout

We publish a free PowerShell script that scores all fifteen in under ten minutes, read-only via Graph and Exchange Online. No data leaves your tenant.

Scores below 70 usually mean material exposure. A full M365 Health Check extends this baseline with more checks, remediation priorities, and board-ready reporting. Book via westgatesentinel.co.uk.


Richard Stainforth, Westgate Sentinel Consulting Ltd. CISM.

