Frontrow Technology

The Microsoft 365 health check Frontrow runs every quarter (full checklist)

A quarterly M365 health check is the single most valuable managed service deliverable most clients never ask for. This is the exact checklist Frontrow works through.

Graeme Lodge · 2 May 2026 · 12 min read

Tenants drift. Conditional Access policies get exceptions added and never reviewed. Guest accounts accumulate. Licences are added during onboarding and forgotten when staff leave. After 12 months without a structured review, the gap between a tenant's configured state and its intended state is usually significant enough to matter in a breach, an audit, or a regulator inquiry.

Frontrow runs a structured health check every quarter for managed service clients. What follows is the complete checklist, the same one the team works through. Each section maps to a service tier and flags the items most commonly found in drift during the review.

Identity and access (30 minutes)

Identity is the layer everything else depends on. A compromised admin account undoes every other control in the tenant. This section takes roughly 30 minutes and surfaces most of the critical findings.

  1. Confirm MFA enforcement: all users, no legacy authentication exceptions without documented sign-off
  2. Review Conditional Access policies: check for stale named locations, outdated trusted IP ranges, and any policies that were 'temporarily' disabled and never re-enabled
  3. Audit Global Administrator accounts: there should be two to five accounts maximum; verify each is a named human, not a service account
  4. Check Privileged Identity Management (PIM) activation logs: look for standing privileged assignments that should be time-bounded
  5. Review guest accounts: export the full guest list, confirm each has a known sponsor, remove any with last sign-in over 90 days if not actively needed
  6. Verify the break-glass account procedure: confirm the two break-glass accounts exist, that passwords are rotated, and that the sealed-envelope process is current
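The guest, Global Administrator and Conditional Access items above are the ones that lend themselves to a scripted first pass before the reviewer reads the results by hand. The following is an added example, not Frontrow's tooling: it runs the three checks over records constructed in the shape of Microsoft Graph responses (guest users with signInActivity, Global Administrator role members, conditionalAccess/policies). The isServiceAccount attribute is an assumption standing in for whatever convention the tenant uses to tag service principals, and the "now" timestamp is pinned so the output is reproducible.

```python
"""Identity drift checks over Microsoft Graph-shaped records.

Added example. The sample records are constructed to look like Graph
responses; they are not from a real tenant. Thresholds (90 idle days,
2 to 5 Global Administrators) come from the checklist.
"""
from datetime import datetime, timezone

# Pinned for reproducibility; a real run uses datetime.now(timezone.utc).
NOW = datetime(2026, 5, 2, 12, 0, tzinfo=timezone.utc)

GUESTS = [  # constructed sample data
    {"userPrincipalName": "alice_partner.example#EXT#@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2026-04-20T09:12:00Z"},
     "sponsor": "pm@contoso.example"},
    {"userPrincipalName": "bob_vendor.example#EXT#@contoso.example",
     "signInActivity": {"lastSignInDateTime": "2025-11-01T08:00:00Z"},
     "sponsor": None},
    {"userPrincipalName": "carol_old.example#EXT#@contoso.example",
     "signInActivity": None,  # never signed in
     "sponsor": "ops@contoso.example"},
]

GLOBAL_ADMINS = [  # constructed; isServiceAccount is an assumed local tag
    {"userPrincipalName": "jane.admin@contoso.example", "isServiceAccount": False},
    {"userPrincipalName": "svc-backup@contoso.example", "isServiceAccount": True},
]

CA_POLICIES = [  # constructed; state values are the ones Graph uses
    {"displayName": "Require MFA for all users", "state": "enabled"},
    {"displayName": "Block legacy authentication", "state": "disabled"},
    {"displayName": "Require compliant device (pilot)",
     "state": "enabledForReportingButNotEnforced"},
]


def days_since(iso_ts, now=NOW):
    """Whole days between a Graph ISO-8601 timestamp and now; None if never."""
    if not iso_ts:
        return None
    return (now - datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))).days


def stale_guests(guests, max_idle_days=90, now=NOW):
    """Guests idle longer than max_idle_days (or never signed in) or lacking a sponsor."""
    findings = []
    for g in guests:
        last = (g.get("signInActivity") or {}).get("lastSignInDateTime")
        idle = days_since(last, now)
        reasons = []
        if idle is None or idle > max_idle_days:
            reasons.append("stale")
        if not g.get("sponsor"):
            reasons.append("no-sponsor")
        if reasons:
            findings.append({"upn": g["userPrincipalName"],
                             "idle_days": idle, "reasons": reasons})
    return findings


def global_admin_findings(admins, min_count=2, max_count=5):
    """Count check and any non-human principals holding the role."""
    return {
        "count": len(admins),
        "count_in_range": min_count <= len(admins) <= max_count,
        "non_human": [a["userPrincipalName"] for a in admins if a.get("isServiceAccount")],
    }


def not_enforced_policies(policies):
    """CA policies that exist but are not enforcing: disabled or report-only."""
    return [p["displayName"] for p in policies if p["state"] != "enabled"]


if __name__ == "__main__":
    for f in stale_guests(GUESTS):
        print("GUEST", f)
    print("GLOBAL ADMINS", global_admin_findings(GLOBAL_ADMINS))
    print("CA NOT ENFORCED", not_enforced_policies(CA_POLICIES))
```

Report-only policies are listed alongside disabled ones on purpose: a policy left in report-only mode after a pilot is the same drift as one that was 'temporarily' disabled, and both need a dated decision in the health-check notes.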

Device and endpoint posture (20 minutes)

Microsoft Intune compliance policies are easy to set up and easy to forget. The quarterly check confirms the fleet is still in the intended state, not just enrolled.

  1. Review Intune compliance policy results: flag any devices marked non-compliant and confirm whether they're under active remediation or stale
  2. Check Autopatch status: confirm Windows patch compliance percentages; anything below 90% in the 'deployed' ring warrants investigation
  3. Review the Defender for Endpoint alert backlog: confirm there are no open high-severity alerts older than seven days without a case note
  4. Audit device enrolment gaps: identify any corporate-owned devices not enrolled in Intune and log them for remediation
  5. Confirm BYOD policy boundaries: check whether personal devices accessing M365 are subject to app protection policies (Intune MAM) as intended

Licence and cost review (20 minutes)

Licence optimisation is the review item that pays for itself most visibly. A 200-seat tenant with 15% unused licences represents $15,000 to $25,000 in annual spend that can be reclaimed at renewal. The pattern is predictable: licences assigned during onboarding, staff turnover not fully processed, and SKU mix not reviewed since the original purchase.

  1. Pull the licence assignment report: identify accounts with zero sign-in activity in the last 30 days
  2. Review disabled accounts: confirm all disabled accounts are either deprovisioned or in a documented hold state (legal, HR, handover)
  3. Check the SKU mix: confirm the current Business Premium / E3 / E5 split still matches the security and compliance requirements documented at last renewal
  4. Review add-on licences: audit any add-on SKUs (Defender for Business, Intune Plan 2, Teams Phone, Copilot) for utilisation versus assignment
  5. Flag the renewal timeline: if renewal is within 90 days, initiate the licence right-sizing conversation now, not at renewal
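Items 1, 2 and 4 above are all the same question asked of the same data: which licensed accounts show no sign-in, and what do they cost. The block below is an added example, not Frontrow's tool, that answers it over a constructed user export in the shape Graph returns when assignedLicenses and signInActivity are requested. The SKU ids and per-seat monthly prices are placeholders, not Microsoft list prices; a real run replaces them with the tenant's subscribedSkus and contract pricing.

```python
"""Licence utilisation check over Graph-shaped records.

Added example with constructed data. SKU ids and prices are placeholders;
the 30-day idle threshold comes from the checklist.
"""
from datetime import datetime, timezone

NOW = datetime(2026, 5, 2, 12, 0, tzinfo=timezone.utc)  # pinned for reproducibility

# Constructed catalogue: skuId -> (skuPartNumber, assumed monthly price per seat)
SKUS = {
    "sku-bp-0001": ("SPB", 22.0),                    # Business Premium (placeholder price)
    "sku-e3-0002": ("SPE_E3", 36.0),                 # Microsoft 365 E3 (placeholder price)
    "sku-copilot-0003": ("Microsoft_365_Copilot", 30.0),
}

USERS = [  # constructed sample export
    {"userPrincipalName": "dan@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-e3-0002"}, {"skuId": "sku-copilot-0003"}],
     "signInActivity": {"lastSignInDateTime": "2026-05-01T07:30:00Z"}},
    {"userPrincipalName": "erin@contoso.example", "accountEnabled": True,
     "assignedLicenses": [{"skuId": "sku-e3-0002"}],
     "signInActivity": {"lastSignInDateTime": "2026-02-10T10:00:00Z"}},  # idle
    {"userPrincipalName": "leaver@contoso.example", "accountEnabled": False,
     "assignedLicenses": [{"skuId": "sku-bp-0001"}],
     "signInActivity": None},  # disabled but still licensed
    {"userPrincipalName": "shared-mailbox@contoso.example", "accountEnabled": True,
     "assignedLicenses": [], "signInActivity": None},  # unlicensed, nothing to reclaim
]


def idle_days(user, now=NOW):
    """Days since last interactive sign-in; None if the account never signed in."""
    last = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    if not last:
        return None
    return (now - datetime.fromisoformat(last.replace("Z", "+00:00"))).days


def reclaimable_licences(users, skus, max_idle_days=30, now=NOW):
    """Licences on accounts that are disabled, never signed in, or idle too long."""
    out = []
    for u in users:
        if not u["assignedLicenses"]:
            continue
        idle = idle_days(u, now)
        disabled = not u.get("accountEnabled", True)
        if disabled or idle is None or idle > max_idle_days:
            for lic in u["assignedLicenses"]:
                part, monthly = skus[lic["skuId"]]
                out.append({"upn": u["userPrincipalName"], "sku": part,
                            "idle_days": idle, "disabled": disabled,
                            "annual_cost": monthly * 12})
    return out


def annual_reclaim_estimate(findings):
    """Sum of annual cost across reclaimable licences (upper bound before right-sizing)."""
    return sum(f["annual_cost"] for f in findings)


def sku_utilisation(users, skus):
    """Assigned seats per SKU, to compare against purchased counts from subscribedSkus."""
    counts = {part: 0 for part, _ in skus.values()}
    for u in users:
        for lic in u["assignedLicenses"]:
            counts[skus[lic["skuId"]][0]] += 1
    return counts


if __name__ == "__main__":
    findings = reclaimable_licences(USERS, SKUS)
    for f in findings:
        print(f)
    print("annual reclaim estimate:", annual_reclaim_estimate(findings))
    print("assigned per SKU:", sku_utilisation(USERS, SKUS))
```

Treat the estimate as the ceiling for the renewal conversation, not the saving: some idle accounts will turn out to be in a documented hold state (item 2), and those stay licensed until the hold ends.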

Data and governance (25 minutes)

SharePoint permissions drift is the governance finding most commonly surfaced in audits and in post-Copilot-deployment reviews. The quarterly check doesn't need to be exhaustive, it needs to catch the worst offenders.

  1. Run the SharePoint sharing report: identify any sites shared with 'Everyone except external users' or large unscoped Entra groups
  2. Check external sharing links: export any active anonymous sharing links and confirm each is either still needed or should be revoked
  3. Review Teams channel membership: flag channels with external guest members who are no longer active in the project
  4. Confirm sensitivity label deployment: verify the label taxonomy is still current and that the top-sensitivity label has encryption enforced
  5. Check Purview audit log retention: confirm logs are being retained for the period required by the organisation's data retention policy
  6. Review Teams meeting recording destinations: confirm recordings are landing in the intended SharePoint location, not in personal OneDrive
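Items 1 and 2 above are the ones worth scripting, because the sharing report on a tenant of any size is too long to read top to bottom. This added example (not Frontrow's code) catches the worst offenders the section describes: site grants to 'Everyone except external users' or to very large groups, and anonymous links that never expire or are older than a quarter. The row layout mimics the admin centre sharing export but the field names are assumptions, and the rows are constructed.

```python
"""SharePoint sharing drift: broad grants and long-lived anonymous links.

Added example over constructed rows. Field names approximate the admin
centre sharing and anonymous-link exports; they are not a documented schema.
"""
from datetime import datetime, timezone

NOW = datetime(2026, 5, 2, 12, 0, tzinfo=timezone.utc)  # pinned for reproducibility

# Principals that grant access to the whole internal directory.
BROAD_PRINCIPALS = {"Everyone except external users", "Everyone"}

SITE_GRANTS = [  # constructed
    {"site": "https://contoso.sharepoint.example/sites/Finance",
     "grants": [{"principal": "Finance Team", "members": 14, "role": "Edit"}]},
    {"site": "https://contoso.sharepoint.example/sites/HR-Archive",
     "grants": [{"principal": "Everyone except external users", "members": None, "role": "Read"}]},
    {"site": "https://contoso.sharepoint.example/sites/Projects",
     "grants": [{"principal": "All Staff", "members": 1200, "role": "Edit"},
                {"principal": "PMO", "members": 9, "role": "Edit"}]},
]

ANON_LINKS = [  # constructed
    {"site": "https://contoso.sharepoint.example/sites/Projects", "item": "Q1-roadmap.pptx",
     "createdDateTime": "2026-04-25T10:00:00Z", "expirationDateTime": "2026-05-25T10:00:00Z"},
    {"site": "https://contoso.sharepoint.example/sites/Finance", "item": "board-pack.xlsx",
     "createdDateTime": "2025-09-03T10:00:00Z", "expirationDateTime": None},
    {"site": "https://contoso.sharepoint.example/sites/Finance", "item": "expenses-template.xlsx",
     "createdDateTime": "2026-04-30T10:00:00Z", "expirationDateTime": None},
]


def _parse(iso_ts):
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00")) if iso_ts else None


def broad_grants(sites, large_group_threshold=500):
    """Site grants to everyone-style principals or to groups above the threshold."""
    findings = []
    for s in sites:
        for g in s["grants"]:
            if g["principal"] in BROAD_PRINCIPALS:
                reason = "everyone-style principal"
            elif g["members"] is not None and g["members"] >= large_group_threshold:
                reason = f"large group ({g['members']} members)"
            else:
                continue
            findings.append({"site": s["site"], "principal": g["principal"],
                             "role": g["role"], "reason": reason})
    return findings


def risky_anonymous_links(links, max_age_days=90, now=NOW):
    """Anonymous links with no expiry or older than max_age_days, with the reasons."""
    findings = []
    for link in links:
        age = (now - _parse(link["createdDateTime"])).days
        reasons = []
        if link.get("expirationDateTime") is None:
            reasons.append("no-expiry")
        if age > max_age_days:
            reasons.append("older-than-quarter")
        if reasons:
            findings.append({"site": link["site"], "item": link["item"],
                             "age_days": age, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in broad_grants(SITE_GRANTS):
        print("GRANT", f)
    for f in risky_anonymous_links(ANON_LINKS):
        print("LINK", f)
```

A link with no expiry is flagged even when it is only two days old: the finding is the missing expiry, and the fix is normally a tenant-level default expiry for anonymous links rather than revoking each one by hand.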

Security alerts and M365 Secure Score (15 minutes)

The Microsoft 365 Secure Score is an imperfect benchmark, but it's a useful drift indicator. A score that drops between quarters without a documented reason is the starting point for a conversation. Most tenants in the 65-80 range have 10 to 15 actionable improvement points that don't require significant change management.

  1. Record the current Secure Score and compare it to the prior quarter: document the delta and any reasons for movement
  2. Review the top five recommended actions by score impact: confirm whether each is actioned, deferred with a reason, or accepted as a risk
  3. Check the Microsoft Defender XDR incidents queue: confirm there are no unresolved medium or high severity incidents
  4. Review email authentication posture: confirm DMARC, DKIM and SPF records are current, especially if any new email services have been added
  5. Confirm backup coverage: verify third-party backup (if in scope) completed without error for the prior period
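Item 4 is where new email services most often cause silent drift: a marketing or ticketing platform gets added, SPF grows past the DNS lookup limit, or DMARC is still at p=none a year after it was "temporarily" set that way. The block below is an added example, not Frontrow's tool, that checks SPF and DMARC records for the weaknesses a reviewer looks for. The records are constructed strings so it runs offline; in a real check they would be fetched from the TXT records of the domain and of _dmarc.<domain>.

```python
"""SPF and DMARC record sanity checks.

Added example. Records are constructed strings; a real run fetches the
domain's TXT record and the _dmarc.<domain> TXT record first.
"""
import re

# Terms that cost a DNS lookup under RFC 7208 (limit of 10 per evaluation).
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "include", "exists"}


def parse_dmarc_tags(record):
    """Parse 'k=v; k2=v2' DMARC syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of findings; an empty list means nothing to raise."""
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("missing p= tag")
    elif policy == "none":
        findings.append("policy is monitor-only (p=none)")
    pct = tags.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"partial enforcement (pct={pct})")
    if "rua" not in tags:
        findings.append("no aggregate reporting address (rua=)")
    if tags.get("sp", "").lower() == "none" and policy and policy != "none":
        findings.append("subdomain policy weaker than domain policy (sp=none)")
    return findings


def check_spf(record):
    """Flag lookup-limit breaches and weak or missing terminal 'all' mechanisms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    lookups = 0
    for term in terms[1:]:
        body = term.lstrip("+-~?").lower()          # drop the qualifier
        name = re.split(r"[:/=]", body, maxsplit=1)[0]
        if name in LOOKUP_MECHANISMS or name == "redirect":
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the RFC 7208 limit of 10")
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all allows any sender")
    elif last == "?all":
        findings.append("?all (neutral) provides no protection")
    elif last not in ("-all", "~all") and not last.startswith("redirect="):
        findings.append("no terminal all mechanism")
    return findings


if __name__ == "__main__":
    # Constructed records for a domain that has drifted.
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@contoso.example"))
    print(check_spf("v=spf1 include:spf.protection.outlook.com include:mail.vendor.example ~all"))
```

The lookup count here is the flat count of lookup terms in the record itself; nested includes add their own lookups, so a record that passes this check can still exceed the limit once expanded, and a tool that resolves the includes is needed for the definitive answer.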

Platform roadmap and upcoming changes (15 minutes)

Microsoft's Message Centre publishes planned changes, deprecations and new feature rollouts. A quarterly review should include a sweep of anything logged since the last check that affects the client's configuration. Missing a deprecation notice is how tenants end up with broken workflows and urgent remediation projects.

  1. Review Message Centre items: flag any 'prevent or fix issues' or 'plan for change' items from the past 90 days
  2. Confirm any Copilot or AI rollout milestones: note any new capabilities enabled by Microsoft and whether they require internal policy review
  3. Check Teams policy changes: Microsoft updates default Teams policies frequently; confirm no unexpected defaults have overridden your tenant configuration
  4. Document open items: record anything found during the health check as a named action with an owner and a target date

Want us to run this with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.