Start with identity and admin roles
Review who has administrative access, whether MFA is enforced everywhere that matters, and whether break-glass access is documented and controlled.
Remove stale admin accounts
Require MFA for every admin role
Review conditional-access gaps tied to legacy protocols
Tighten collaboration defaults
External sharing settings, forwarding rules, and guest access tend to drift over time. Start by checking what is allowed by default and who can override it.
Limit anonymous sharing where it is not required
Review mailbox forwarding and suspicious inbox rules
Document the approved collaboration baseline
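Added example, not part of the original checklist: an Exchange Online PowerShell script that inventories the three places forwarding can hide (remote-domain auto-forward, mailbox-level forwarding, and inbox rules that forward, redirect or delete mail), so the two review items above produce a concrete list to compare against the documented baseline. It assumes the ExchangeOnlineManagement module is installed and the account holds a read-only Exchange role; the output file name is a placeholder.

```powershell
# Added example: read-only inventory of mail forwarding in a Microsoft 365 tenant.
# Assumes the ExchangeOnlineManagement module and a read-only Exchange role.
Connect-ExchangeOnline -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Tenant level: remote domains that permit automatic forwarding at all.
Get-RemoteDomain | Where-Object { $_.AutoForwardEnabled } | ForEach-Object {
    $findings.Add([pscustomobject]@{
        Scope   = 'RemoteDomain'
        Object  = $_.DomainName
        Finding = 'AutoForwardEnabled is true'
        Detail  = "RemoteDomain=$($_.Name)"
    })
}

# 2. Mailbox level: forwarding set by an admin or by the user in Outlook settings.
$mailboxes = Get-Mailbox -ResultSize Unlimited
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingAddress -or $mbx.ForwardingSmtpAddress) {
        $findings.Add([pscustomobject]@{
            Scope   = 'Mailbox'
            Object  = $mbx.UserPrincipalName
            Finding = 'Mailbox forwarding configured'
            Detail  = "To=$($mbx.ForwardingAddress)$($mbx.ForwardingSmtpAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
        })
    }

    # 3. Inbox rules: any forward/redirect target, or rules that delete mail,
    #    which is how a compromised mailbox is often kept quiet.
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | ForEach-Object {
        $rule = $_
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
            Where-Object { $_ }
        if ($targets -or $rule.DeleteMessage) {
            $findings.Add([pscustomobject]@{
                Scope   = 'InboxRule'
                Object  = $mbx.UserPrincipalName
                Finding = $(if ($targets) { 'Rule forwards or redirects mail' } else { 'Rule deletes mail' })
                Detail  = "Rule='$($rule.Name)' Enabled=$($rule.Enabled) Targets=$($targets -join ';')"
            })
        }
    }
}

# Review sheet for comparison against the approved collaboration baseline.
$findings | Export-Csv -Path .\forwarding-review.csv -NoTypeInformation   # placeholder path
$findings | Format-Table -AutoSize
Disconnect-ExchangeOnline -Confirm:$false
```

Every row is a review item, not automatically a problem: legitimate shared-mailbox forwarding and documented exceptions should be recorded in the baseline so the next run only surfaces drift.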
Connect the checklist to a remediation plan
A checklist is only useful if it leads to a scoped sequence of actions. Use the findings to decide what can be fixed internally and what needs specialist support.