What is the Microsoft 365 Security Self-Check?

The Microsoft 365 Security Self-Check is a free 15-question self-assessment that scores your Microsoft 365 setup against the security baseline Microsoft and the Center for Internet Security recommend for small and mid-size businesses. You answer in plain English. The tool does the math. You get a real Microsoft 365 security score, a letter grade, and a prioritized list of what to fix.

  • Your score and grade: a 0 to 100 score and a letter grade you can compare to the typical small business.
  • What to fix and why it matters: a prioritized list of the gaps in your setup, in plain English, with a clear next step for each.
  • A full report by email: the complete report sent to your inbox, ready to share with leadership, your insurance carrier, or your IT team.

Example of what you will see at the end

What is a good score? Most small businesses score between 30 and 50, which means real gaps are open. 80 or higher is the baseline that security professionals recommend, and most owners can reach 80 within a few months by working through their findings in priority order.

What this score means. Most small businesses score between 30 and 50. 80 or higher is the baseline that security professionals recommend. Below are the specific gaps you reported and what to do about each one.

Get the full report by email

We will email a detailed report with your score, every finding, and the recommended fix steps. Useful for sharing with leadership, your insurance carrier, or your IT team.

Want a real human to review this with you?

Wolferdawg IT Consulting works with small and mid-size businesses across Lawton, Duncan, Altus, and Southwest Oklahoma. Book a free 30-minute review and we will walk through your results together.


What does the Microsoft 365 security self-check cover?

The Microsoft 365 security self-check is a self-assessment, not a tenant scan. You answer questions about how your Microsoft 365 environment is set up, and the tool compares your answers against the security baseline that Microsoft and the Center for Internet Security recommend for small and mid-size businesses.

The 15 questions cover five areas of Microsoft 365 security. How people sign in. How email threats are blocked. How files and data are shared. How devices and laptops are protected. And how you would know if something went wrong, plus how you would recover.

What is a good Microsoft 365 security score for a small business?

Most security professionals recommend a Microsoft 365 security score of 80 percent or higher as a baseline. The average small business lands somewhere between 30 and 50 percent, which leaves real gaps that attackers actively look for. Businesses that work through their findings in priority order usually reach 80 to 90 percent within a few months. The point is not the number itself. The point is closing the doors that are currently wide open.

How is the Microsoft 365 security self-check different from Microsoft Secure Score?

Microsoft Secure Score is a built-in metric that lives inside the Microsoft Defender admin portal. To see Microsoft Secure Score, you need an admin account and you have to know where to look. It also only measures what Microsoft tracks automatically.

The Wolferdawg Microsoft 365 security self-check is different in two ways. First, you do not need admin access or any technical login to take it. You answer questions in plain English. Second, this check covers things Microsoft cannot see from inside the tenant, like whether your incident response plan exists on paper, whether someone actually reviews security alerts when they fire, and whether your backups have ever been tested. Those are the gaps that show up when something goes wrong.

How often should I run a Microsoft 365 security self-check?

Quarterly is a good cadence for most small businesses to run a Microsoft 365 security self-check. Microsoft adds new recommendations all the time, your team and your tools change, and security defaults drift over time as people are added and removed. A 3-minute self-check every three months is a low-cost way to catch problems before they catch you.

What if my Microsoft 365 security score is low?

A low Microsoft 365 security score is not a verdict; it is a starting point. Most of the gaps that show up on this self-check can be closed without buying anything new. Microsoft 365 Business Premium already includes the controls most small businesses need. The work is in turning those controls on, configuring them properly, and testing that they actually do what they are supposed to do. If you want help with that, Wolferdawg IT Consulting does this work for clients across Southwest Oklahoma every day. Book a free review and we will walk through your results together.

What are the most common Microsoft 365 security gaps for small businesses?

The most common Microsoft 365 security gaps small businesses leave open are missing or incomplete multi-factor authentication, unconfigured email authentication records (SPF, DKIM, and DMARC), no third-party backup of Microsoft 365 data, unmanaged devices accessing company data, and security alerts that nobody actually reviews. Most of these gaps can be closed without buying anything new because the controls are already included in your Microsoft 365 plan.

How do I improve my Microsoft 365 security score?

To improve your Microsoft 365 security score, work through your findings in priority order. Start with the critical gaps the self-check identifies, then move to the items marked needs attention. The three highest-impact actions for most small businesses are enforcing multi-factor authentication for every user including admins, configuring SPF, DKIM, and DMARC for your email domain, and adding a third-party Microsoft 365 backup product. These three changes alone often move a score from the 30 to 50 range up into the 70 to 85 range.

Frequently asked questions

Is the Microsoft 365 security self-check really free?

Yes. The Microsoft 365 security self-check is completely free. There is no signup required to take the self-check or see your score. The full report is also free. We send it to the email you provide.

Do you store my answers from the Microsoft 365 security self-check?

Your answers are processed in your browser. When you request the Microsoft 365 security self-check report, we pass your email and a summary of your results to our team so we can send the report and follow up if you want a review call.

I am not the IT person at my company. Can I still take the Microsoft 365 security self-check?

Yes, and you should. The Microsoft 365 security self-check questions are written for business owners and managers, not for IT staff. If you do not know the answer to a question, pick "I am not sure" and the tool will flag it as a gap. Not knowing is itself a finding worth surfacing.

Will the Microsoft 365 security self-check work for any Microsoft 365 plan?

The Microsoft 365 security self-check questions apply to any business plan from Business Basic up through Business Premium and the enterprise E3 and E5 plans. Some recommended fixes require Business Premium or higher because they depend on Conditional Access and Intune, which are not included in the cheaper plans. The self-check tells you when this matters.

More about Microsoft 365 security for small businesses

Common questions about Microsoft 365 security, the controls every small business should know about, and how to think about protecting a Microsoft 365 environment that runs your entire company.

Is Microsoft 365 secure by default?

Microsoft 365 is not fully secure by default. Microsoft provides Security Defaults, which give every tenant a basic security baseline including required multi-factor authentication and blocked legacy authentication. However, Security Defaults are turned off in many tenants, especially older ones provisioned before 2019, and they do not cover the more advanced controls that small businesses actually need.

Out of the box, a typical Microsoft 365 tenant ships with anonymous file sharing enabled, audit logging set to a short retention window, no email authentication beyond the bare minimum, and no managed device requirements. Closing these gaps is on you, not on Microsoft. The Microsoft 365 security self-check shows you which of these defaults are still working against you.

What are the biggest Microsoft 365 security risks for small businesses?

The biggest Microsoft 365 security risks for small businesses are account compromise from missing multi-factor authentication, business email compromise enabled by missing SPF, DKIM, and DMARC records, ransomware reaching SharePoint and OneDrive through unmanaged devices, and data loss because nobody has a real third-party backup of Microsoft 365 data.

A secondary risk most small businesses underestimate is an undetected breach. Microsoft 365 generates real-time security alerts, but in most small business tenants nobody actually reviews them. The average breach takes more than 200 days to detect across the industry, which is plenty of time for an attacker who is already inside your tenant to do real damage.

How do I audit my Microsoft 365 security?

You can audit your Microsoft 365 security in three ways. First, take this Microsoft 365 security self-check to get a 0 to 100 score and a prioritized list of gaps without needing admin access. Second, log into the Microsoft Defender admin portal and review your Microsoft Secure Score, which measures the controls Microsoft tracks automatically. Third, hire an external assessor for a formal review of your tenant configuration against a recognized framework like CIS or the Microsoft Zero Trust model.

For most small businesses the self-check plus a review of Microsoft Secure Score covers the practical baseline. A formal external audit makes sense when an insurance carrier, a regulator, or a contract requires it.

What is the Microsoft 365 security checklist for small business?

A practical Microsoft 365 security checklist for small business covers five areas.

  • Identity and sign-in: enforce multi-factor authentication for every user, limit global admins to between two and four, and block legacy authentication.
  • Email protection: configure SPF, DKIM, and DMARC, turn on Safe Links and Safe Attachments, and tag external email visually.
  • Sharing and data: turn off anonymous sharing links, enable data loss prevention policies, and extend audit log retention to one year.
  • Devices and endpoints: enroll work devices in Intune, run managed endpoint protection, and enable remote wipe.
  • Recovery and visibility: add a third-party Microsoft 365 backup product, review security alerts daily, and write a one-page incident response plan.

The 15-question self-check on this page maps directly to all five areas.

Does Microsoft 365 Business Premium include security?

Yes, Microsoft 365 Business Premium includes a meaningful security stack. It bundles Microsoft Defender for Office 365 Plan 1 (Safe Links and Safe Attachments), Microsoft Defender for Endpoint, Microsoft Intune for device management, Conditional Access through Entra ID Premium P1, and Microsoft Purview data loss prevention. For most small businesses with up to 300 users, Business Premium is the right plan because it includes nearly everything you need to close the major Microsoft 365 security gaps.

The catch is that Business Premium gives you the controls but not the configuration. The features have to be turned on, configured properly, and tested. Buying the plan is step one, not the finish line.

What should I check first in Microsoft 365 security?

Check three things first in Microsoft 365 security. One, confirm that every user, including the owner and IT, has multi-factor authentication enforced. MFA blocks more than 99 percent of automated account compromise attempts and is the single highest-impact control. Two, verify that SPF, DKIM, and DMARC are configured for your email domain and that DMARC is in quarantine or reject mode rather than monitor mode.

Three, confirm that your Microsoft 365 data is backed up to a separate system that is not Microsoft. Microsoft does not back up your data the way a real backup product does. If a ransomware event or malicious deletion takes down your tenant, you cannot recover from Microsoft retention alone. These three checks catch the most common and most damaging gaps in a typical small business tenant.
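The SPF and DMARC checks above (and the "common gaps" and "monitor to quarantine to reject" advice elsewhere on this page) can be verified from the public DNS records alone. The following is an added example written for this page, not code from the self-check or from Wolferdawg IT Consulting. It evaluates TXT record strings passed in as text, so the constructed sample records run offline; fetching the live records (for example with dnspython) is left to the caller and is an assumption, not shown here. `spf.protection.outlook.com` is the real Microsoft 365 SPF include; `example.com` and the mailbox addresses are placeholders.

```python
"""Check SPF and DMARC records for the gaps named in the checklist above.

Added example for this page, not the self-check's own code. Records are
passed in as strings; DNS lookup is the caller's job (assumed, not shown).
"""
import re

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term):
    """'include:spf.protection.outlook.com' -> 'include', '-all' -> 'all'."""
    stripped = re.sub(r"^[+\-~?]", "", term)
    return re.split(r"[:=/]", stripped, maxsplit=1)[0].lower()


def evaluate_spf(record):
    """Return (severity, message) findings for one SPF TXT record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("critical", "no SPF record (missing v=spf1)")]
    findings = []
    lookups = sum(1 for t in terms[1:] if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(("critical", f"{lookups} DNS lookups exceed the limit of 10; receivers return permerror"))
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(("critical", "+all lets any host send as this domain"))
    elif last == "?all":
        findings.append(("needs attention", "?all is neutral; end the record with ~all or -all"))
    elif last not in ("~all", "-all") and not last.startswith("redirect="):
        findings.append(("needs attention", "record does not end with an 'all' mechanism"))
    return findings


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return findings for one _dmarc TXT record, flagging monitor-only setups."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [("critical", "no DMARC record (missing v=DMARC1)")]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("needs attention", "p=none is monitor mode; move to p=quarantine, then p=reject"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("critical", "DMARC record has no valid p= policy, so receivers ignore it"))
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(("needs attention", f"pct={pct} applies the policy to only part of the mail"))
    if tags.get("sp", "").lower() == "none":
        findings.append(("needs attention", "sp=none leaves subdomains in monitor mode"))
    if "rua" not in tags:
        findings.append(("needs attention", "no rua= address, so no aggregate reports arrive"))
    return findings


def audit_email_auth(spf_record, dmarc_record):
    """Combine both checks; an empty list means the domain passes this check."""
    return ([("SPF", sev, msg) for sev, msg in evaluate_spf(spf_record)]
            + [("DMARC", sev, msg) for sev, msg in evaluate_dmarc(dmarc_record)])


# Constructed sample records for a placeholder tenant domain (example.com).
SAMPLES = {
    "monitor-only": (
        "v=spf1 include:spf.protection.outlook.com ?all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ),
    "enforcing": (
        "v=spf1 include:spf.protection.outlook.com -all",
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    ),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        findings = audit_email_auth(spf, dmarc)
        print(f"{name}: {'pass' if not findings else 'findings'}")
        for source, severity, message in findings:
            print(f"  [{severity}] {source}: {message}")
```

The "monitor-only" sample is what a tenant that has set up SPF and DMARC but never progressed past `p=none` looks like; it passes the "do we have records" question but still leaves the domain spoofable, which is why the checks report it as needing attention rather than as fixed. DKIM is not covered here because verifying it requires the selector names the tenant publishes, which the page does not state.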

How long does it take to secure Microsoft 365?

Securing Microsoft 365 to the small business baseline of 80 percent or higher typically takes between 30 and 90 days of focused work. The fastest wins, like turning on Security Defaults, configuring SPF, DKIM, and DMARC, and enabling external email tagging, can happen in a single afternoon. The medium-effort items, like rolling out managed devices through Intune and configuring data loss prevention policies, take a few weeks.

The longest-running items are usually backup product selection and rollout, incident response plan documentation, and getting alert review built into a real operational routine. None of this is technically hard. Most small businesses delay it because it is not on fire yet, which is exactly when the work is cheapest to do.

What are Microsoft 365 security best practices for small business?

Microsoft 365 security best practices for small business fall into seven habits. Enforce multi-factor authentication for every user without exception. Keep global admin accounts limited to between two and four with a cloud-only break-glass account. Configure SPF, DKIM, and DMARC for every domain you send mail from, and progress DMARC from monitor to quarantine to reject.

  • Turn on Safe Links and Safe Attachments for all users
  • Disable anonymous sharing links in SharePoint and OneDrive
  • Enroll work devices in Intune with managed endpoint protection
  • Add a third-party Microsoft 365 backup product and test a restore quarterly

The seventh practice is the easiest to skip and the most important: actually review your security alerts. Microsoft 365 surfaces real-time signals about risky sign-ins, suspicious admin changes, and impossible travel. None of it matters if nobody is looking. Daily review by either an internal owner or a managed security service is the right cadence.
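Two of the signals this section and the "biggest risks" section mention, impossible travel and legacy authentication, can be checked with a short pass over exported sign-in records. The block below is an added example for this page, not the self-check's code and not a Microsoft tool. Its records are constructed to resemble a few fields from an Entra ID sign-in log export (userPrincipalName, createdDateTime, clientAppUsed, latitude, longitude); the field names and the clientAppUsed values are assumptions about what such an export contains, and the user names and coordinates are made up.

```python
"""Flag impossible travel and legacy authentication in sign-in records.

Added example for this page, not the self-check's code. Field names below
are an assumption about an Entra ID sign-in log export, not a schema.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Faster than an airliner between two sign-ins means one person could not
# have been in both places; raise this only if you know your users fly faster.
MAX_PLAUSIBLE_KMH = 900.0
# clientAppUsed values taken here to indicate legacy (basic) authentication
# protocols; assumption about the export, adjust to what your logs show.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def review_sign_ins(events):
    """Return findings from one pass over sign-in events, oldest first."""
    findings = []
    last_seen = {}  # user -> most recent event that carried a location
    for ev in sorted(events, key=lambda e: e["createdDateTime"]):
        user = ev["userPrincipalName"]
        when = datetime.fromisoformat(ev["createdDateTime"])
        if ev.get("clientAppUsed") in LEGACY_CLIENTS:
            findings.append({"user": user, "type": "legacy-auth",
                             "detail": f"{ev['clientAppUsed']} sign-in at {when.isoformat()}"})
        if ev.get("latitude") is None or ev.get("longitude") is None:
            continue  # no geolocation: nothing to compare against
        prev = last_seen.get(user)
        if prev is not None:
            km = haversine_km(prev["latitude"], prev["longitude"], ev["latitude"], ev["longitude"])
            hours = (when - datetime.fromisoformat(prev["createdDateTime"])).total_seconds() / 3600
            # Two places at the same instant is the extreme case; treat it as infinite speed.
            if hours == 0:
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "type": "impossible-travel",
                                 "detail": f"{km:.0f} km in {hours:.2f} h ({speed:.0f} km/h)"})
        last_seen[user] = ev
    return findings


# Constructed sample events (made-up users, real city coordinates).
SAMPLE_SIGN_INS = [
    # alice: Lawton, OK and then Lagos 45 minutes later -> impossible travel
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-06T09:00:00+00:00",
     "clientAppUsed": "Browser", "latitude": 34.6036, "longitude": -98.3959},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2024-05-06T09:45:00+00:00",
     "clientAppUsed": "Browser", "latitude": 6.5244, "longitude": 3.3792},
    # bob: Oklahoma City, then Dallas four hours later -> ordinary travel
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-06T08:00:00+00:00",
     "clientAppUsed": "Mobile Apps and Desktop clients", "latitude": 35.4676, "longitude": -97.5164},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2024-05-06T12:00:00+00:00",
     "clientAppUsed": "Browser", "latitude": 32.7767, "longitude": -96.7970},
    # carol: one IMAP4 sign-in without geolocation -> legacy authentication
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2024-05-06T10:00:00+00:00",
     "clientAppUsed": "IMAP4", "latitude": None, "longitude": None},
]

if __name__ == "__main__":
    for finding in review_sign_ins(SAMPLE_SIGN_INS):
        print(f"{finding['type']:18} {finding['user']:20} {finding['detail']}")
```

Run on the samples it reports alice's impossible travel and carol's IMAP4 sign-in and stays quiet about bob. The point of the exercise is the daily habit, not the script: Microsoft 365 already raises these alerts, and this only shows what "someone actually reviews them" means in concrete terms.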