TAME YOUR DATA

Microsoft 365 Configuration and Risk Assessment

See what you’re working with. Know what to do next.

Why visibility matters

Microsoft 365 is powerful, but it’s also complex. Over time, misconfigurations, legacy access and inconsistent policy settings quietly accumulate. Many organisations don’t realise how exposed they are until something goes wrong – a failed audit, a data breach or a major disruption.

Microsoft Purview is often introduced without a clear understanding of the existing Microsoft 365 environment. In some cases, features like retention policies, DLP or sensitivity labels are enabled in isolation, creating confusion and inconsistent outcomes. Other times, Purview is deployed reactively – in response to an audit, policy change or data breach – which leads to rushed configurations that are difficult to manage over time.

We also see organisations transitioning from legacy tools without addressing configuration conflicts or overlapping controls. Without a clear baseline or governance plan, these approaches can result in policy sprawl, poor adoption and long-term governance debt.

Why risk matters

Misconfigurations in Microsoft 365 may not be visible, but the risks are very real. We regularly uncover:

  • Dormant admin accounts with full control privileges
  • External users with long-standing access to internal content
  • Legacy protocols bypassing multi-factor authentication
  • Missing retention on sensitive content
  • Misaligned or duplicated compliance policies
  • Inadequate detection of phishing, spoofing and mailflow threats

These issues introduce security, compliance and operational risks — often without being noticed until they cause reputational, financial or regulatory damage. The Microsoft 365 Configuration and Risk Assessment helps surface these risks early, so they can be resolved before they become incidents.

What the assessment delivers

The Affinity Data Microsoft 365 Configuration and Risk Assessment is more than a technical review – it’s a strategic diagnostic. This expert-led engagement is designed to uncover hidden risks, provide clarity on your current posture, and guide decision-making across governance, security and compliance.

Whether you’re looking to strengthen your Microsoft 365 governance, reduce risk, or prepare for future capabilities like Microsoft Purview, the assessment delivers structured, actionable insights that support real-world outcomes.

More than just a Purview readiness check

While many clients use this assessment as a starting point for deploying Microsoft Purview, its value extends much further. From identity and threat protection to external access and policy hygiene, the assessment provides a full-spectrum view of your Microsoft 365 governance and risk posture – whether or not Purview is in scope.

A closer look at what’s included

Identity and access controls

Review of privileged roles, dormant accounts, MFA coverage and legacy authentication usage. Highlights global admin sprawl, risky sign-ins and conditional access gaps.

Device and endpoint security

Assessment of Intune and Entra ID-registered devices, including inactive endpoints, unmanaged BYOD and non-compliant devices. Includes recommendations for encryption, patching and device trust enforcement.

External collaboration and oversharing

Visibility into guest access, anonymous links and ungoverned external sharing across SharePoint, Teams and OneDrive. Identifies external users with excessive access and a lack of expiry or review controls.

Data protection and information governance

Evaluation of retention policies, sensitivity labels, classification and DLP coverage. Surfaces unprotected sensitive content and gaps in records management alignment with standards such as ISO 15489.

Threat protection and monitoring

Review of Microsoft Defender configurations, phishing protection, alerting and Secure Score. Identifies missing coverage, weak policies and underused monitoring capabilities.

Licence alignment and optimisation

Analysis of assigned licences against actual usage patterns, highlighting underutilised or unnecessary entitlements. Supports strategic reallocation and forward planning.

Framework benchmarking and compliance mapping

Visual maturity mapping and scorecards aligned to the Essential Eight, NIST CSF, CIS Controls and APRA CPS 234. Supports internal assurance, board reporting and external audit engagement.

Tailored remediation roadmap

A prioritised, actionable roadmap that separates immediate fixes from longer-term improvements. Designed to reduce risk quickly while building a foundation for structured Microsoft 365 governance.

Outputs that support real decisions

Our Microsoft 365 risk assessment is designed to support a wide range of stakeholders – from executive teams to system administrators. Reports are structured to enable effective communication, planning and decision-making across the organisation.

  • Executive dashboards that highlight key risk indicators and governance gaps
  • Technical detail to guide secure configuration, policy remediation and platform improvements
  • Visual summaries including risk maps, maturity models and framework heatmaps

Why Affinity Data?

We specialise in governance, security and compliance for Microsoft 365 and Microsoft Purview. Our work is grounded in real-world experience across Australian government, education and regulated industries, and informed by both policy expertise and technical depth.

We don’t just deliver findings. We help you understand what they mean, what to do next, and how to move forward with confidence.

Whether you’re building a roadmap or validating your current state, the Affinity Data Microsoft 365 Configuration and Risk Assessment is the best place to start.


Contact us to request a sample report, book a discovery call or schedule your assessment.