How to Create a Data Breach Checklist for Microsoft 365

Written by: Abigail Ivy
Published on:

A Microsoft 365 data breach can spread across email, files, identities, and devices faster than most teams expect.

This guide explains how to create a data breach checklist for Microsoft 365 so your response is organized, evidence is preserved, and critical actions happen in the right order.

Why a Microsoft 365 breach checklist matters

Microsoft 365 sits at the center of modern work: Exchange Online, SharePoint, OneDrive, Teams, Entra ID, and endpoint access often connect to the same users and data.

When a compromise occurs, attackers may use stolen credentials, malicious OAuth apps, forwarding rules, or admin privilege abuse to move quickly across the environment.

A checklist turns a chaotic incident into a repeatable process.

It helps security, IT, legal, compliance, and leadership act with clear priorities instead of reacting from memory under pressure.

What a good breach checklist should cover

An effective checklist should be specific enough for daily use, but broad enough to handle phishing, business email compromise, ransomware, insider threats, and account takeover.

It should include both technical actions and business decisions.

  • Detection and validation steps
  • Containment actions for accounts, devices, and apps
  • Evidence collection and logging
  • Communication and escalation paths
  • Regulatory, legal, and customer notification checkpoints
  • Recovery, monitoring, and post-incident review

Step 1: Define your Microsoft 365 incident scope

Before writing the checklist, identify what belongs in scope.

Microsoft 365 incidents often involve more than one service, so the checklist should reflect your environment and business dependencies.

Inventory the core services

  • Exchange Online for email compromise, mailbox rules, and impersonation
  • SharePoint Online and OneDrive for file exfiltration
  • Microsoft Teams for chat-based phishing, malicious links, and data leakage
  • Entra ID for identity, sign-in risk, conditional access, and privileged accounts
  • Microsoft Defender for Office 365, Endpoint, and Cloud Apps for alerts and investigation data

Identify sensitive data and high-risk users

List executives, finance staff, HR users, administrators, and anyone with access to regulated data such as health records, payment details, intellectual property, or customer information.

These accounts should receive priority in containment and review steps.

Step 2: Build your detection and triage section

Your checklist should start with instructions for confirming whether an alert is a real incident.

This is where teams determine if the event is a phishing attempt, a false positive, or a confirmed breach.

  • Record the alert source, timestamp, and affected user or device
  • Capture the initial indicators of compromise, such as suspicious login locations or impossible travel
  • Review recent sign-ins, consent grants, mailbox forwarding rules, and unusual file activity
  • Check whether the account used legacy authentication, external app access, or repeated MFA failures
  • Assign severity based on data sensitivity, privilege level, and scope of exposure

Include clear triage rules so analysts know when to escalate immediately.

For example, privileged account compromise, confirmed external sharing of sensitive files, or suspicious administrator changes should trigger urgent escalation.

Step 3: Add containment actions for accounts and sessions

Containment is usually the most time-sensitive phase.

Your checklist should describe the exact actions to stop ongoing access while avoiding unnecessary disruption.

  • Disable the affected user account if compromise is confirmed
  • Revoke active sessions and refresh tokens
  • Reset the password and require MFA re-registration when appropriate
  • Review and remove unauthorized inbox rules, forwarding, and delegate access
  • Disable suspicious OAuth applications and consented integrations
  • Block malicious sign-in patterns using Conditional Access or security controls

If a privileged account is involved, the checklist should require a broader review of admin roles, privileged access groups, and any recent directory changes in Entra ID.

Step 4: Include evidence preservation and logging

A breach checklist should preserve evidence before cleanup begins.

Without logs and screenshots, it can be difficult to reconstruct what happened, prove impact, or satisfy auditors and counsel.

What to capture

  • Audit logs from Microsoft 365 and Entra ID
  • Email headers, phishing messages, and sender details
  • Mailbox rules, forwarding settings, and deleted items activity
  • SharePoint and OneDrive access logs
  • Teams message history and file-sharing records
  • Conditional Access, device compliance, and sign-in risk reports

Assign responsibility for evidence handling so the process remains consistent.

If legal holds, eDiscovery, or regulatory reporting may apply, involve legal counsel early and follow retention requirements.

Step 5: Document communication and escalation paths

During a breach, people need to know who to contact, what to say, and how fast to respond.

The checklist should include named roles rather than generic departments whenever possible.

  • Incident commander
  • Microsoft 365 administrator
  • Security operations lead
  • Legal counsel
  • Privacy or compliance officer
  • Executive sponsor
  • Public relations or communications lead

Define when to notify leadership, when to engage outside forensics, and when to coordinate with cyber insurance providers.

Include a short internal communication template so staff can report suspicious activity without creating confusion or panic.

Step 6: Add regulatory and legal decision points

Not every breach requires the same response, but many organizations must assess notification obligations quickly.

The checklist should prompt decision-makers to determine whether data exposure involves regulated or contract-sensitive information.

  • Assess whether personal data was accessed, copied, or shared
  • Determine whether email content, attachments, or cloud files were exposed
  • Check whether customer, employee, or financial data is involved
  • Record the jurisdictions and contractual obligations that may apply
  • Escalate to legal review before external statements are made

This section is especially important for organizations subject to GDPR, HIPAA, SEC reporting expectations, state privacy laws, or industry-specific contractual requirements.

Step 7: Plan recovery and post-incident monitoring

Recovery should be more than resetting passwords.

The checklist should ensure the environment is secured, the attacker’s path is closed, and monitoring is intensified after containment.

  • Validate that forwarding rules, app consents, and rogue admins are removed
  • Review other accounts for similar indicators of compromise
  • Strengthen MFA, Conditional Access, and admin protections
  • Scan endpoints for malware or persistence mechanisms
  • Monitor for repeated login attempts, data downloads, and suspicious sharing
  • Confirm backups, retention settings, and recovery points are intact

Set a follow-up review window for 24 hours, 72 hours, and 30 days so the team can verify there is no recurring access or delayed exfiltration.

How to create a data breach checklist for Microsoft 365 that actually works

The best checklists are short enough to use in a real incident and detailed enough to prevent guesswork.

When learning how to create a data breach checklist for Microsoft 365, focus on role-based tasks, specific Microsoft 365 artifacts, and clear escalation criteria.

Checklist design tips

  • Keep the first page focused on the first hour of response
  • Use checkboxes, owners, timestamps, and status fields
  • Separate urgent containment tasks from later investigative work
  • Tailor the checklist to your tenant architecture and security tools
  • Review and test it with tabletop exercises at least twice a year

As Microsoft 365 environments change, update the checklist for new apps, identity protections, retention policies, and compliance rules.

A breach checklist should be a living document tied to your incident response plan, not a static file stored in a folder no one uses.