Why Most M365 Tenants Are Under-Secured
Microsoft 365 provides over 300 security and compliance controls. The average enterprise has configured fewer than 40% of them. This gap exists because M365 security is not a single product — it spans Azure AD/Entra ID, Exchange Online Protection, Microsoft Defender for Office 365, Microsoft Purview, Intune, SharePoint admin center, Teams admin center, and Power Platform admin center. No single administrator owns all of these consoles, and security configurations drift over time as features are added and organizational needs change.
The result is predictable: enterprises pass initial compliance audits but develop security gaps over 12-24 months as configurations drift, new features go unconfigured, and organizational changes create permission sprawl. A security health check resets the baseline and identifies the highest-impact remediations.
Health Check Assessment Areas
Microsoft Secure Score Optimization
Secure Score is the starting point because it provides a quantified baseline. The health check analyzes your current score across all four categories, identifies improvement actions ranked by point value and implementation effort, flags quick wins (controls that can be enabled immediately with no user impact), and maps score improvements to specific compliance control requirements. Common high-value improvements include enabling Conditional Access policies for all users (not just admins), configuring anti-phishing policies in Defender for Office 365, enabling unified audit logging with extended retention, deploying sensitivity labels for automatic data classification, and implementing privileged identity management (PIM) for just-in-time admin access.
Permission Audit and Remediation
Permission sprawl is the single largest security risk in most M365 environments. The health check audits SharePoint site collection permissions and inheritance chains, OneDrive sharing links (internal and external), Microsoft Teams membership and guest access, Exchange Online mailbox delegation and shared mailboxes, Azure AD group membership and dynamic group rules, and Power Platform environment permissions and data connectors.
The most dangerous finding is typically "everyone except external users" sharing links in SharePoint — a single misconfigured sharing link can expose sensitive documents to the entire organization. In healthcare environments, this often means PHI is accessible to users outside the care team, violating HIPAA minimum necessary requirements.
Microsoft Purview Compliance Configuration
Purview compliance center controls data governance across M365. The health check evaluates retention policies (are they configured to meet regulatory record-keeping requirements), sensitivity labels (are they deployed and adopted by users), DLP policies (are they effective or generating excessive false positives), communication compliance (is it monitoring for regulatory violations in Teams and email), information barriers (are they configured where required, such as between departments with conflicts of interest), and insider risk management (is it configured to detect high-risk data exfiltration patterns).
Data Loss Prevention (DLP) Effectiveness
Many organizations have DLP policies that are either too restrictive (blocking legitimate business activity and generating alert fatigue) or too permissive (not catching actual data loss events). The health check evaluates DLP policy coverage across Exchange, SharePoint, OneDrive, Teams, and endpoints, analyzes false positive and false negative rates from policy match logs, reviews policy exceptions and overrides for appropriateness, and tests policies against realistic data loss scenarios. Effective DLP requires tuning, not just deployment. EPC Group uses a data-driven approach to DLP optimization that reduces false positives by 60-80% while improving detection of actual data loss events.
Common Findings by Industry
| Finding | Healthcare (HIPAA) | Finance (SOC 2) | Government (FedRAMP) |
|---|---|---|---|
| Average Secure Score | 48% | 52% | 61% |
| Permission Sprawl | PHI exposed beyond care team | Financial data overshared | CUI accessible to non-cleared staff |
| DLP Gap | No PHI detection in Teams | PCI data not monitored | CUI marking not enforced |
| Audit Retention | 180 days (need 6 years) | 180 days (need 7 years) | 90 days (need 3 years) |
| Incident Response | No breach notification plan | Plan exists but untested | Plan exists, tested annually |
EPC Group vs. Competitors: M365 Security Health Check
| Capability | EPC Group | MSSPs | General IT Consultancies |
|---|---|---|---|
| Assessment Depth | 300+ controls across 8 admin centers | Focus on Defender/Sentinel only | Secure Score review only |
| Compliance Mapping | Pre-built for HIPAA, SOC 2, FedRAMP | Security-focused, not compliance | Basic mapping |
| Permission Audit Depth | Full inheritance chain analysis | Admin-level only | Spot-check approach |
| DLP Optimization | Data-driven tuning, 60-80% FP reduction | Policy deployment only | Template-based policies |
| Remediation | Assessment + implementation (Better/Best) | Report only, separate SOW for fixes | Report only |
| Cost | $20K-$40K fixed price | $50K-$150K+ T&M | $15K-$30K (shallow scope) |
Pricing Tiers: M365 Security Health Check
Microsoft 365 Security and Compliance Health Check
Last updated: 2026 · Read time: ~6 min
A Microsoft 365 security and compliance health check audits Secure Score, permission structures, Purview compliance controls, DLP policies, and incident response readiness. EPC Group delivers this as a fixed-fee engagement for HIPAA, SOC 2, and FedRAMP environments. Most enterprises surface 15–30 critical gaps in their first audit.
Key facts
- Health check covers: Secure Score gap analysis, permission audit, Purview compliance controls, DLP effectiveness, and incident response readiness.
- Most common improvements found: Conditional Access gaps for non-admin users, missing anti-phishing policies, audit logging gaps, sensitivity label coverage below 30%.
- Compliance check covers six surfaces: SharePoint, OneDrive, Teams, Exchange, Azure AD groups, and Power Platform.
- E5 ($57/user/month) adds Defender Plan 2, Defender for Cloud Apps, Insider Risk, Communication Compliance, Audit Premium, and more vs. E3 ($36/user/month).
- EPC Group has delivered security health checks for Fortune 500 healthcare, financial services, and government clients.
- Contact: (888) 381-9725 · contact@epcgroup.net
What the health check covers
Secure Score optimization
Microsoft Secure Score is the primary health metric for M365 security. A well-configured enterprise tenant should score above 75%. Most unmanaged tenants score 40–55%.
The health check identifies your top 10 Secure Score improvement actions by impact and implementation complexity. Common high-value items:
- Enable Conditional Access policies for all users — not just admins.
- Configure anti-phishing policies in Defender for Office 365.
- Enable unified audit logging with extended retention.
- Deploy sensitivity labels for automatic data classification.
- Implement Privileged Identity Management (PIM) for just-in-time admin access.
Permission audit
Permissions are the most common source of data exposure — and the most common pre-condition for Copilot data leaks. The health check audits all six permission surfaces:
- SharePoint — site collection permissions, inheritance chains, "Everyone except external users" links.
- OneDrive — internal and external sharing links, stale shares.
- Teams — membership, guest access, external federation settings.
- Exchange Online — mailbox delegation, shared mailboxes, send-as rights.
- Azure AD — group membership, dynamic group rules, stale accounts.
- Power Platform — environment permissions, data connector access.
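To make the "Everyone except external users" and organisation-wide link findings above concrete, here is an added detection example (not EPC Group's tooling) that scans unified audit log records of the shape Search-UnifiedAuditLog returns in its AuditData JSON; the field and operation names are assumptions drawn from that schema, and the records are constructed samples, not real tenant output.

```python
"""Flag audit-log sharing events that widen access to a whole tenant or to anyone."""
import json
from collections import defaultdict

# Operations assumed from the SharePoint/OneDrive audit schema. Anonymous links are
# the widest scope; "company" links reach every signed-in user in the tenant.
WIDE_SCOPE_OPERATIONS = {"AnonymousLinkCreated": "critical", "CompanyLinkCreated": "high"}
EEEU_NAME = "everyone except external users"  # the built-in tenant-wide claim

# Constructed rows mimicking Search-UnifiedAuditLog output: AuditData is a JSON string.
SAMPLE_ROWS = [{"AuditData": json.dumps(r)} for r in [
    {"Operation": "SharingSet", "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "ObjectId": "https://contoso.sharepoint.com/sites/Clinical/Shared Documents/patient-list.xlsx",
     "TargetUserOrGroupName": "Everyone except external users"},
    {"Operation": "SharingSet", "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "ObjectId": "https://contoso.sharepoint.com/sites/Clinical/Shared Documents/roster.docx",
     "TargetUserOrGroupName": "bob@contoso.example"},
    {"Operation": "AnonymousLinkCreated", "Workload": "OneDrive", "UserId": "carol@contoso.example",
     "ObjectId": "https://contoso-my.sharepoint.com/personal/carol/Documents/q3-forecast.xlsx"},
    {"Operation": "CompanyLinkCreated", "Workload": "SharePoint", "UserId": "dave@contoso.example",
     "ObjectId": "https://contoso.sharepoint.com/sites/Finance/Shared Documents/payroll.csv"},
]]

def parse_rows(rows):
    """Decode the AuditData JSON column of each exported row into a dict."""
    return [json.loads(row["AuditData"]) for row in rows]

def classify(record):
    """Return a severity for a record that widens access beyond named people, else None."""
    op = record.get("Operation")
    if op in WIDE_SCOPE_OPERATIONS:
        return WIDE_SCOPE_OPERATIONS[op]
    if op == "SharingSet" and record.get("TargetUserOrGroupName", "").strip().lower() == EEEU_NAME:
        return "high"
    return None

def site_of(object_url):
    """Reduce an item URL to its site collection (/sites/<name> or /personal/<user>)."""
    return "/".join(object_url.split("/")[:5])

def find_oversharing(records):
    """Group flagged events by site collection so reviewers see exposure per site."""
    findings = defaultdict(list)
    for rec in records:
        severity = classify(rec)
        if severity is not None:
            findings[site_of(rec["ObjectId"])].append(
                {"severity": severity, "operation": rec["Operation"],
                 "actor": rec["UserId"], "object": rec["ObjectId"]})
    return dict(findings)

if __name__ == "__main__":
    print(json.dumps(find_oversharing(parse_rows(SAMPLE_ROWS)), indent=2))
```

Run against a real export, the same grouping shows which site collections need their sharing links and inheritance chains reviewed first.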
Purview compliance controls
The compliance section evaluates six Purview capabilities. Each is checked for configuration completeness and policy effectiveness:
- Retention policies — configured to meet regulatory record-keeping requirements for your industry.
- Sensitivity labels — deployed and adopted by users, not just configured in the admin portal.
- DLP policies — effective without generating excessive false positives that cause users to bypass them.
- Communication compliance — monitoring for regulatory violations in Teams and email.
- Information barriers — configured where required (e.g., between departments with conflicts of interest).
- Insider risk management — configured to detect high-risk data exfiltration patterns.
Incident response readiness
Most enterprises have no documented incident response runbook for M365-specific breaches. The health check validates:
- Documented runbooks for mailbox compromise, bulk file download, and ransomware events.
- Microsoft Sentinel analytics rules tuned to your environment.
- Alert routing to on-call security personnel.
- Contact information for Microsoft escalation paths (CSS, DART).
E3 vs E5 licensing gap analysis
Part of every health check is a licensing gap analysis. E5 adds significant security capabilities beyond E3.
- E3 — $36/user/month: Core M365 apps, Defender for Office 365 Plan 1, Entra ID P1, Intune, Audit Standard.
- E5 — $57/user/month: Adds Defender for Endpoint Plan 2, Defender for Cloud Apps, Insider Risk Management, Communication Compliance, Audit Premium (6-year retention), Customer Lockbox, Microsoft Sentinel ingestion.
For regulated industries, E5 is typically more cost-effective than purchasing equivalent third-party tools separately.
Frequently asked questions
What is a Microsoft 365 security health check?
It is a structured audit of your M365 tenant's security and compliance posture. It covers Secure Score optimization, permission structures, Purview compliance controls, DLP policy effectiveness, and incident response readiness. Most organizations find 15–30 critical gaps in their first audit.
How long does the health check take?
A standard health check takes 2–3 weeks. Week 1 covers data collection and automated scanning. Week 2 covers manual review and analysis. Week 3 covers findings documentation and remediation roadmap delivery.
What are the most common gaps found?
Conditional Access not enforced for non-admin users, anti-phishing policies not configured, audit logging with insufficient retention, sensitivity label coverage below 30%, and Privileged Identity Management not deployed for admin accounts.
Do you provide a remediation roadmap?
Yes. Every health check delivers a prioritized remediation roadmap with effort estimates, licensing implications, and recommended implementation sequence. EPC Group can also deliver remediation as a follow-on engagement.
Does the health check cover Copilot readiness?
Yes. Copilot readiness is a core component. It checks Restricted SharePoint Search configuration, sensitivity label coverage, oversharing exposure, Purview AI Hub setup, and Microsoft Sentinel Copilot analytics rules.
Schedule a health check
Talk to an EPC Group security architect about your M365 security posture. Call (888) 381-9725 or request a discovery call.
Why EPC Group for M365 Security
EPC Group has been a Microsoft Gold Partner for 29 years with over 10,000 implementations across the most security-sensitive industries. Our founder, Errin O'Connor, is a 4x Microsoft Press bestselling author and former NASA Lead Architect who designed security architectures for mission-critical systems.
- G2 Leader with NPS 100 — consistently the highest-rated Microsoft security consulting firm
- 25-40 point Secure Score improvement is our average first-engagement result
- Pre-built compliance control mappings for HIPAA, SOC 2, and FedRAMP eliminate weeks of manual mapping
- Assessment plus remediation in a single engagement (Better and Best tiers), not separate SOWs
- Non-disruptive methodology using read-only access during assessment phase
Get Your M365 Security Health Check
Schedule a 30-minute call to discuss your M365 security posture, compliance requirements, and Secure Score. We will recommend the right assessment tier and timeline.
Schedule Security Assessment · Or call us directly: (888) 381-9725
