Our team was recently tasked with developing an audit plan for Microsoft Office 365. While there are plenty of tools available to assist organizations with performing ongoing audits of user privileges and object permissions in Microsoft Office 365, we were hard pressed to find any solid thought leadership on auditing Office 365 beyond user and object permissions.

It almost appears that because Office 365 is a cloud solution, many organizations assume much of the risk surrounding the platform is transferred to Microsoft. After digging into the product with a few of our clients and assessing how the product integrates into their business operations, our risk assessment identified a few areas of concern where the Internal IT Audit department can add great value to the organization.

Identifying Control Objectives for an Office 365 Internal IT Audit Plan

Control Objective 1:

With regard to Office 365 and the business needs it addresses in the organization, what is the first thing we should care about? For starters,

  • We care that the platform was set up correctly in the first place!
  • We care that we are not going to lose (or did not lose) any data during the migration process.
  • We care that data was not corrupted, lost or stolen during the migration (integrity and confidentiality).
  • We care that proper oversight was given to the entire process.
  • We care that people are properly trained and aware of any changes to security or operating procedures in relation to the new system.

This resulted in our first Control Objective sounding something like the following:

CO1: The Office 365 Migration was appropriately planned, managed, and controlled to ensure data integrity, data confidentiality, and availability of services.

Control Objective 2:

Now that we have thought through risks surrounding the implementation of Office 365, what do we care about next? We think Logical Access is a logical next Control Objective.

With regard to Logical Access surrounding management of the system,

  • We care about the process of granting and approving users access and provisioning new users in O365.
  • We care about the process of making sure terminated user procedures remove user access in O365 in a timely fashion (did you know there is a sizable time lag between when you deactivate a user in on-premises AD and when that update propagates to O365?).
  • We care about the automation processes and infrastructure in place to assure that the on-premises AD and Azure AD instances are properly syncing.
  • We care about the level of admin rights an Admin has in O365 (due to the varied nature of admin functions in O365, admin rights need to be properly delegated based on need).

Our second control objective reads like this:

CO2: Logical Access: Controls provide assurance that access to Office 365 resources is appropriate.
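
An added example, not part of the original audit program: one way to test the terminated-user and sync-lag concerns above is to reconcile an HR termination list against exports from on-premises AD and Azure AD. The export layouts, the finding names, the 24-hour SLA and every sample record are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s) if s else None

# Constructed sample exports (not real data); all timestamps assumed to be UTC.
HR_TERMINATIONS = [
    {"upn": "alice@example.com", "terminated_at": "2024-03-01T17:00:00"},
    {"upn": "bob@example.com", "terminated_at": "2024-03-04T17:00:00"},
    {"upn": "carol@example.com", "terminated_at": "2024-03-05T12:00:00"},
    {"upn": "dave@example.com", "terminated_at": "2024-03-06T09:00:00"},
]
ONPREM_AD = {
    "alice@example.com": {"enabled": False, "disabled_at": "2024-03-01T18:00:00"},
    "bob@example.com": {"enabled": False, "disabled_at": "2024-03-07T09:00:00"},
    "carol@example.com": {"enabled": False, "disabled_at": "2024-03-05T13:00:00"},
    "dave@example.com": {"enabled": True, "disabled_at": None},
}
AZURE_AD = {
    "alice@example.com": {"accountEnabled": False, "last_sign_in": "2024-03-01T16:00:00"},
    "bob@example.com": {"accountEnabled": False, "last_sign_in": "2024-03-06T08:30:00"},
    "carol@example.com": {"accountEnabled": True, "last_sign_in": "2024-03-05T11:00:00"},
    "dave@example.com": {"accountEnabled": True, "last_sign_in": "2024-03-06T08:00:00"},
}

def audit_terminations(hr, onprem, cloud, sla_hours=24):
    """Return sorted (upn, finding) pairs for each deprovisioning exception."""
    findings = []
    for row in hr:
        upn, term = row["upn"], ts(row["terminated_at"])
        ad, aad = onprem.get(upn), cloud.get(upn)
        if ad:
            if ad["enabled"]:
                findings.append((upn, "ONPREM_STILL_ENABLED"))
            elif ad["disabled_at"] and ts(ad["disabled_at"]) - term > timedelta(hours=sla_hours):
                findings.append((upn, "ONPREM_DISABLE_LATE"))
        if aad:
            # Disabled on-premises but still enabled in Azure AD: the sync gap.
            if aad["accountEnabled"] and ad and not ad["enabled"]:
                findings.append((upn, "CLOUD_ENABLED_AFTER_ONPREM_DISABLE"))
            last = ts(aad["last_sign_in"])
            if last and last > term:
                findings.append((upn, "SIGNIN_AFTER_TERMINATION"))
    return sorted(findings)

if __name__ == "__main__":
    for upn, finding in audit_terminations(HR_TERMINATIONS, ONPREM_AD, AZURE_AD):
        print(f"{finding:36} {upn}")
```

Each finding is an exception for the auditor to follow up on; a sign-in after the termination time warrants review of what the account accessed during the gap.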

Control Objective 3:

Next, our risk assessment revealed that a lot of things can go wrong when running on-premises AD and Exchange Server in conjunction with Office 365. Misconfiguration of the sync tools can cause availability and licensing issues, poorly managed user objects in the on-premises AD can find their way into the Azure AD instance, and more.

Some of the things we care about include:

  • We care about proper user object attribution and following Microsoft best practices to ensure proper replication to Azure AD.
  • We care about the proper configuration of AD Federation Services.
  • We care about the proper configuration of Azure AD Connect/DirSync.
  • We care about proper management of user objects in the on-premises AD to ensure proper replication to Azure AD.
  • We care about proper vaulting/remote journaling/retention of user data both during and after employment.

Our third Control Objective reads like this:

CO3: Controls provide assurance that Office 365 is properly configured to ensure appropriate and efficient management of Office 365 licenses, availability of data and continuation of service.

Control Objective 4:

Finally, we decided that we care a lot about assessing the implementation of any Office 365 security and confidentiality tools: making sure they are implemented in accordance with company policy, and also gaining assurance that the tools are operating effectively.

Some things we care about in this Control Objective include:

  • Assessment of company policy to identify company requirements for securing data and verify controls are in place to address the policy requirements.
  • Assessment of the configuration settings for Office 365 data security and encryption tools such as S/MIME, Office 365 Message Encryption, AD Rights Management Services and the built-in Anti-Malware and Data Loss Prevention tools.

Our fourth Control Objective reads like this:

CO4: Data Encryption and Security controls provide assurance that data within Office 365 Exchange is controlled in accordance with the organization’s data classification policy.


We have had a ton of positive reception while developing this program! As we continue to see more environments and learn more about Office 365 and the concerns on executives' minds, we will continue to build out our program.

If your organization needs help assessing your Office 365 environment or you have some wisdom to share that might help us improve our program, please send us a message on our Contact Page or in the comments below.