Microsoft 365 tenant health checklist

A practical checklist for M365 admins — security, cost, reliability, and hygiene checks you should run regularly.

Why run a tenant health check?

Microsoft 365 tenants drift. Admins leave, apps get registered, licenses pile up, and Conditional Access policies accumulate exceptions. Most teams only discover problems during an audit, after a breach, or when an integration silently breaks.

A structured health check gives you a baseline: what is misconfigured, what is wasting money, and what will break next. You do not need to review hundreds of settings manually — focus on the categories that matter most.

Security

Identity is the front door. These checks catch the gaps auditors and attackers look for first.

  • Confirm MFA is enforced for all admins and ideally all users
  • Review Conditional Access policies for risky exclusions (legacy auth, trusted locations that are too broad)
  • Count Global Administrators — aim for two to four with break-glass accounts documented
  • Audit app registrations with high-privilege Graph permissions
  • Review guest accounts and external sharing defaults

Cost

License waste is invisible until finance asks — or until you reconcile SKUs during renewal.

  • Find licenses assigned to disabled or never-signed-in users
  • Identify oversized SKUs (E5 where E3 or Business Premium would suffice)
  • Look for duplicate license assignments on the same user
  • Quantify monthly reclaimable spend and assign owners to act

Reliability

These items fail quietly until something stops working on a Friday afternoon.

  • Inventory app registration secrets and certificates with expiry dates
  • Check custom domain and DNS health before renewal windows
  • Monitor mailboxes approaching storage limits
  • Note integrations that depend on expiring credentials
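
One way to run the secret and certificate inventory from the first item, as an added example that is not Tenant Hawk's own code. The function name `Get-ExpiringAppCredential`, the 30-day `WarnDays` threshold and the sample applications are assumptions constructed for illustration; the commented lines show how to feed it live data with the Microsoft Graph PowerShell SDK.

```powershell
# Live input (assumes the Microsoft.Graph SDK and the read-only Application.Read.All scope):
#   Connect-MgGraph -Scopes 'Application.Read.All'
#   Get-ExpiringAppCredential -Application (Get-MgApplication -All)

function Get-ExpiringAppCredential {
    param(
        [Parameter(Mandatory)] [object[]] $Application,
        [int] $WarnDays = 30,                   # assumed threshold; match your renewal lead time
        [datetime] $Now = [datetime]::UtcNow
    )
    foreach ($app in $Application) {
        # Client secrets and certificates live in separate collections on the app object.
        $sets = @{ Secret = $app.PasswordCredentials; Certificate = $app.KeyCredentials }
        foreach ($type in $sets.Keys) {
            foreach ($cred in @($sets[$type])) {
                # Skip apps with no credentials and entries without an end date.
                if ($null -eq $cred -or $null -eq $cred.EndDateTime) { continue }
                $daysLeft = [math]::Floor(($cred.EndDateTime - $Now).TotalDays)
                if ($daysLeft -le $WarnDays) {
                    [pscustomobject]@{
                        App      = $app.DisplayName
                        AppId    = $app.AppId
                        Type     = $type
                        KeyId    = $cred.KeyId
                        Expires  = $cred.EndDateTime
                        DaysLeft = $daysLeft
                        Status   = if ($daysLeft -lt 0) { 'Expired' } else { 'Expiring' }
                    }
                }
            }
        }
    }
}

# Constructed sample data shaped like Get-MgApplication output (not from a real tenant).
$now = [datetime]::UtcNow
$sampleApps = @(
    [pscustomobject]@{ DisplayName = 'hr-sync'; AppId = 'sample-app-1'
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'sample-key-1'; EndDateTime = $now.AddDays(-5) })
        KeyCredentials      = @() },
    [pscustomobject]@{ DisplayName = 'backup-connector'; AppId = 'sample-app-2'
        PasswordCredentials = @([pscustomobject]@{ KeyId = 'sample-key-2'; EndDateTime = $now.AddDays(400) })
        KeyCredentials      = @([pscustomobject]@{ KeyId = 'sample-key-3'; EndDateTime = $now.AddDays(12) }) }
)

# Soonest expiry first: one expired secret, one certificate expiring in 12 days.
Get-ExpiringAppCredential -Application $sampleApps -Now $now |
    Sort-Object DaysLeft | Format-Table App, Type, KeyId, DaysLeft, Status
```

Rows with status `Expired` on an application that is still in use point to an integration that is already broken or running on another credential, which ties this inventory to the last item in the list.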

Hygiene

Clutter makes every future change harder. Cleaning up early keeps the directory manageable.

  • Remove or archive empty groups and orphaned Teams
  • Disable or remove long-inactive enabled accounts
  • Review unmanaged or duplicate Intune-enrolled devices
  • Tighten SharePoint and OneDrive sharing defaults if they have drifted

How often to run this

Run a full pass quarterly at minimum, or monthly if you are preparing for an audit or managing rapid growth. After major changes — mergers, admin turnover, large app deployments — run an ad-hoc check within a week.

Tenant Hawk automates this checklist read-only across your tenant and rolls results into one health score with prioritized fixes. A free scan takes under five minutes.
