How to prepare your M365 tenant for an audit

Whether the audit is SOC 2, ISO 27001, cyber insurance, or a customer security questionnaire, reviewers want evidence that you control identity, data access, and change over time. Microsoft 365 is usually in scope because it holds email, files, identity, and admin actions.

They rarely care that you use Microsoft — they care that you know who has access, how it is enforced, and that you can show logs.

Prepare exports and screenshots before the auditor asks.

• Conditional Access policy list with enforcement status
• MFA registration coverage report for all users and admins
• Privileged role assignments with PIM activation logs if used
• Guest user inventory with sponsor and last sign-in date

These findings show up repeatedly across tenants of every size.

• Legacy authentication still enabled
• Excessive Global Administrators without MFA
• No documented break-glass procedure
• Over-permissioned third-party applications
• Licenses assigned to terminated employees
• Missing or incomplete audit log retention configuration

Policies matter as much as settings. Align your written standards with what is actually configured — auditors notice gaps between policy and practice.

• Access control and offboarding procedures
• Guest and external collaboration policy
• Admin account management standard
• Incident response contacts and escalation path

Eight weeks out: run a full tenant health scan and assign owners to critical findings. Four weeks out: close MFA and legacy auth gaps. Two weeks out: reconcile admin roster and guest list. One week out: export evidence pack and verify audit logging retention meets your framework.

Running Tenant Hawk before an audit gives you a prioritized gap list with remediation steps — so you fix the highest-risk items first instead of guessing.