Microsoft 365 and Google Workspace are the backbone of daily work for many small businesses, which makes them a high-value target for account takeover, phishing, data leaks, and accidental oversharing. This checklist is designed as a practical setup and review guide you can return to during onboarding, offboarding, annual security reviews, policy updates, or before a cyber insurance renewal. It focuses on the controls that matter most for small teams: identity, email, file sharing, devices, logging, and recovery.
Overview
If you use Microsoft 365 or Google Workspace, your security posture is not defined by one switch. It is the result of dozens of admin decisions that shape how people sign in, share files, use mobile devices, recover accounts, and respond to suspicious activity. The goal of this cloud security checklist for small business teams is not to chase every advanced feature. It is to establish a reliable baseline that reduces common risks without creating so much friction that staff work around it.
Use this article as a repeatable review framework. Some settings are named differently across Microsoft 365 and Google Workspace, and some features depend on your license tier, but the core principles are stable:
- Protect identities first.
- Lock down admin access.
- Reduce phishing and account takeover risk.
- Control file sharing and data exposure.
- Make logs, alerts, backup plans, and recovery steps usable.
- Review regularly as staff, devices, and workflows change.
A useful way to approach this is to separate must-have controls from nice-to-have tuning. For most SMBs, the highest-value baseline includes multi-factor authentication, secure admin roles, sensible sharing restrictions, mailbox and file retention awareness, device management for company data, and alerting for risky sign-ins or unusual account changes.
If your team is building broader access rules, pair this checklist with an access control checklist for small businesses. If compliance is part of the project, your cloud setup should also align with your retention, privacy, and incident response processes.
Checklist by scenario
Start with the scenario that matches your current stage. Many teams will need more than one.
Scenario 1: New tenant or first serious security setup
If your business is newly adopting Microsoft 365 or Google Workspace, begin with the baseline controls below before you migrate more data or invite every employee.
- Turn on MFA for all users, starting with admins immediately. Do not leave administrator accounts protected by password alone. Require MFA for finance, HR, leadership, and anyone with access to sensitive files, and prefer an authenticator app, passkey, or FIDO2 security key over SMS codes, which are easier to phish or intercept.
- Create dedicated admin accounts. Staff who administer the platform should have a separate admin identity and use it only for administrative work. Avoid using daily email accounts as permanent full admins.
- Reduce the number of global or super admins. Keep the count small and documented. Most admins do not need the highest level of privilege.
- Review authentication recovery options. Make sure recovery email addresses, backup methods, and emergency contacts are current and controlled by the business, not a departed employee.
- Set password standards that fit your environment. If you allow passwords alone for any accounts, require strong unique passwords and support them with a business password manager.
- Disable legacy authentication where possible. Older protocols such as basic authentication for IMAP, POP, and SMTP cannot enforce MFA, so they give attackers a way around it, and they are often overlooked during setup.
- Confirm domain ownership and email authentication. Publish an SPF record for each sending domain, enable DKIM signing in the suite, and publish a DMARC record. Start DMARC at p=none to collect reports, then move to quarantine and finally reject once every legitimate sender is accounted for, so your outbound mail is harder to spoof and easier to trust.
- Set default file-sharing rules conservatively. Internal-only sharing is a safer default than open links. Allow external sharing only where the business actually needs it.
- Review app integrations and third-party access. Limit who can approve external apps and watch for OAuth connections that request broad mailbox, drive, or contacts access.
- Enable audit logging and alerting. You need enough visibility to investigate login anomalies, permission changes, forwarding rules, and suspicious sharing activity.
At this stage, do not focus only on account security. Also decide where sensitive documents should live, how they should be shared, and who can create public links. If document workflows matter, see secure file sharing for business and secure e-signature tools for business for adjacent controls.
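Here is an added example of how to turn the SPF and DMARC part of that review into a repeatable check. It is not code from the original article: the DNS answers are constructed for hypothetical placeholder domains and stand in for real lookups, and the wording of each finding is this example's own. DKIM is left out because its selector names differ by provider (Microsoft 365 and Google Workspace use different selectors), so confirm DKIM signing in the admin console instead.

```python
import re

# Constructed sample DNS answers for hypothetical domains; not real lookups.
SAMPLE_DNS = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.net": ["v=spf1 include:_spf.google.com ~all",
                    "google-site-verification=abc123"],
    "_dmarc.example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    "example.org": ["v=spf1 a mx ?all"],
}

# Terms that cost a DNS lookup under RFC 7208's limit of 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)")


def txt_records(name, resolver=SAMPLE_DNS):
    """Return the TXT strings for a name. Swap in a real resolver (for example
    dnspython) when running this against live domains."""
    return resolver.get(name, [])


def assess_spf(domain, resolver=SAMPLE_DNS):
    """Return a list of findings for the domain's SPF record; an empty list is clean."""
    records = [r for r in txt_records(domain, resolver) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF missing: receivers cannot tell which servers may send for this domain"]
    findings = []
    if len(records) > 1:
        findings.append("SPF: more than one v=spf1 record; receivers treat that as a permanent error")
    terms = records[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    qualifier = all_term[0] if all_term and all_term[0] in "+-~?" else "+"
    if all_term is None or qualifier == "+":
        findings.append("SPF: no restrictive 'all' term; any host passes SPF for this domain")
    elif qualifier == "?":
        findings.append("SPF: '?all' is neutral and gives receivers no useful signal")
    elif qualifier == "~":
        findings.append("SPF: '~all' softfail; acceptable with DMARC enforcement, but '-all' is stronger once every sender is known")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-querying terms exceeds the limit of 10 (permerror)")
    return findings


def assess_dmarc(domain, resolver=SAMPLE_DNS):
    """Return a list of findings for _dmarc.<domain>; an empty list is clean."""
    records = [r for r in txt_records(f"_dmarc.{domain}", resolver)
               if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["DMARC missing: spoofed mail from this domain is neither rejected nor reported"]
    tags = {}
    for part in records[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of your mail")
    return findings


def review_domains(domains, resolver=SAMPLE_DNS):
    """Map each domain to its combined SPF and DMARC findings."""
    return {d: assess_spf(d, resolver) + assess_dmarc(d, resolver) for d in domains}


if __name__ == "__main__":
    for domain, findings in review_domains(["example.com", "example.net", "example.org"]).items():
        print(domain, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against your own domains after replacing `txt_records` with a live resolver, and keep the output with the review evidence: a domain that moves from `~all` and `p=none` to `-all` and `p=reject` between two quarterly runs is exactly the kind of change worth recording.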
Scenario 2: Small business hardening for an existing Microsoft 365 environment
For Microsoft 365 security checklist reviews, focus on the places SMBs commonly inherit risk: broad admin permissions, weak MFA coverage, mailbox abuse, and oversharing through Teams, SharePoint, and OneDrive.
- Review Entra ID sign-in protection settings. Check how MFA is enforced (security defaults if you have no Entra ID P1 license, Conditional Access policies if you do) and how risky sign-ins are handled.
- Audit admin roles. Verify who has global admin, Exchange admin, SharePoint admin, Teams admin, billing admin, and password reset authority. Remove stale or unnecessary assignments.
- Inspect guest access settings. Confirm whether outside users can be invited into Teams or shared content, who can invite them, and whether guest access is still needed.
- Check external sharing in SharePoint and OneDrive. Review anonymous links, expiration settings, default link types, and whether sharing is limited to approved domains where appropriate.
- Review Exchange anti-phishing and anti-spam protections. Make sure impersonation protection, malware filtering, and the automatic external forwarding control in the outbound spam policy are configured for your business risk level.
- Look for suspicious mailbox forwarding rules. Attackers often create hidden rules or forwarding settings to monitor invoices, legal notices, or password resets.
- Confirm safe handling of shared mailboxes. Shared inboxes for support, payroll, or finance should have named owners and limited access.
- Check mobile device and app access controls. If staff use personal devices, verify how corporate email and files are protected and what happens when a user leaves.
- Review Teams settings. Verify meeting defaults, guest permissions, app permissions, recording access, and whether sensitive channels are governed appropriately.
- Test account recovery and break-glass planning. You need a documented recovery path if MFA devices are lost or an admin is locked out.
For many SMBs, hardening Microsoft 365 is less about advanced tools and more about cleaning up years of drift. A quarterly permissions review can remove a surprising amount of exposure.
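The forwarding-rule check above is the one most worth automating, because attackers count on the rules going unnoticed. Below is an added example, not part of the original article, that triages an exported list of inbox rules. The rule records, mailboxes, and addresses are constructed, and the field names are this example's own, loosely modelled on what Exchange Online's Get-InboxRule cmdlet returns (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, SubjectContainsWords), so adapt the loader to whatever export you have.

```python
# Constructed sample export of inbox rules (hypothetical mailboxes and addresses).
# Field names are this example's own, loosely modelled on Get-InboxRule output.
INTERNAL_DOMAINS = {"example.com"}

SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True,
     "forward_to": ["billing-updates@mail-relay.example.net"], "redirect_to": [],
     "delete_message": False, "move_to_folder": None,
     "subject_contains": ["invoice", "payment", "wire"]},
    {"mailbox": "cfo@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete_message": False,
     "move_to_folder": "Newsletters", "subject_contains": ["digest"]},
    {"mailbox": "hr@example.com", "name": "Cleanup", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete_message": True,
     "move_to_folder": None, "subject_contains": ["password reset", "verification code"]},
    {"mailbox": "sales@example.com", "name": "To assistant", "enabled": True,
     "forward_to": ["assistant@example.com"], "redirect_to": [],
     "delete_message": False, "move_to_folder": None, "subject_contains": []},
]

# Subject words attackers watch for when they want invoices, payments, or resets.
SENSITIVE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "password reset",
                      "verification code", "reset", "statement"}
# Folders commonly used to park stolen mail where the victim never looks.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Junk Email", "Deleted Items",
                  "Archive", "Conversation History"}


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True when the address's domain is not one the business owns."""
    return address.rsplit("@", 1)[-1].lower() not in internal_domains


def triage_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return (severity, reason) pairs for one rule; an empty list means nothing to flag."""
    findings = []
    if not rule.get("enabled", True):
        return findings
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if is_external(t, internal_domains)]
    if external:
        findings.append(("high", "forwards or redirects to external " + ", ".join(external)))
    hides = bool(rule.get("delete_message")) or rule.get("move_to_folder") in HIDING_FOLDERS
    hits = {k.lower() for k in rule.get("subject_contains", [])} & SENSITIVE_KEYWORDS
    if hits and (hides or external):
        findings.append(("high", f"diverts or hides mail matching {sorted(hits)}"))
    elif hides:
        findings.append(("medium", "deletes or hides matching mail; confirm the user created it"))
    if not rule.get("name", "").strip(". ,;-_"):
        findings.append(("medium", f"rule name {rule.get('name')!r} is blank or punctuation only, a common attacker habit"))
    return findings


def triage_export(rules, internal_domains=INTERNAL_DOMAINS):
    """Group findings by mailbox, keeping only rules that produced at least one."""
    report = {}
    for rule in rules:
        for severity, reason in triage_rule(rule, internal_domains):
            report.setdefault(rule["mailbox"], []).append((rule["name"], severity, reason))
    return report


if __name__ == "__main__":
    for mailbox, items in triage_export(SAMPLE_RULES).items():
        print(mailbox)
        for name, severity, reason in items:
            print(f"  [{severity}] rule {name!r}: {reason}")
```

Inbox rules are only half the picture. A forwarding address set directly on the mailbox (the ForwardingSmtpAddress property in Exchange Online, or the forwarding setting in Gmail) never appears in the rules list, so review those separately; Gmail filters with a forward action fit the same triage with a small loader change.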
Scenario 3: Small business hardening for an existing Google Workspace environment
For a Google Workspace security checklist review, pay close attention to admin delegation, account recovery, Drive sharing, and third-party app access. These are common weak spots in fast-moving teams.
- Require 2-Step Verification for all users, especially admins. Start with privileged users and high-risk departments if you need a phased rollout, but move toward full coverage.
- Review super admin accounts and delegated admin roles. Keep super admins to a minimum and assign narrower roles for routine tasks.
- Check account recovery controls. Verify backup contact details, admin recovery procedures, and whether old phone numbers or personal emails are still attached to business accounts.
- Audit Google Drive sharing settings. Review whether users can share publicly, share outside the domain, or publish documents too broadly by default.
- Inspect shared drives and ownership practices. Important business files should not depend on one employee's personal My Drive ownership.
- Review app access control. Restrict third-party OAuth apps and investigate those with broad access to Gmail, Drive, or Calendar.
- Check Gmail protections. Review phishing and malware protections, spoofing safeguards, attachment handling, and external image or link settings as appropriate.
- Confirm mobile management settings. If business data is accessed on phones or tablets, verify the level of control you have over screen lock, account wipe, and compliance requirements.
- Review login alerts and audit events. Make sure suspicious login behavior, admin changes, and unusual sharing patterns are visible to someone who will actually respond.
- Test departing user workflows. Confirm how mailbox access, Drive content transfer, and device sign-out are handled when someone leaves.
Google Workspace admin security is often strongest when businesses simplify decisions: fewer super admins, fewer exceptions, fewer open sharing defaults, and a clearer owner for every shared resource.
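The app-access items in both scenarios above (and the reminder later in this article that OAuth grants outlive the memory of whoever approved them) come down to the same review: which apps hold broad scopes, who published them, and whether anyone still uses them. The following is an added example, not from the original article, that ranks grants so the broad and stale ones get reviewed first. The grant records, app names, and field names are constructed for this example and are not the Microsoft Graph or Google Admin SDK schema; the scope strings are real ones from each platform, while the weights and thresholds are this example's own choices.

```python
from datetime import date

# Scope strings that grant broad mailbox, file, contact, or directory access.
# These are real scope names on each platform; the set is illustrative, not exhaustive.
BROAD_SCOPES = {
    # Google Workspace
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/contacts",
    "https://www.googleapis.com/auth/admin.directory.user",
    # Microsoft Graph
    "Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "Directory.ReadWrite.All",
}
# Refresh-token scope on Microsoft Graph: not broad by itself, but it keeps access alive.
PERSISTENT_SCOPES = {"offline_access"}

STALE_AFTER_DAYS = 90
TODAY = date(2024, 6, 1)  # fixed so the example is deterministic

# Constructed sample grants (hypothetical apps); field names are this example's own.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync Helper", "verified_publisher": False,
     "scopes": ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
     "users": 1, "last_used": date(2023, 11, 2)},
    {"app": "Meeting Scheduler", "verified_publisher": True,
     "scopes": ["https://www.googleapis.com/auth/calendar.events"],
     "users": 40, "last_used": date(2024, 5, 30)},
    {"app": "PDF Converter", "verified_publisher": False,
     "scopes": ["Files.ReadWrite.All", "offline_access"],
     "users": 3, "last_used": date(2024, 5, 20)},
    {"app": "Old CRM Connector", "verified_publisher": True,
     "scopes": ["Mail.Read", "Contacts.Read"],
     "users": 0, "last_used": date(2023, 1, 15)},
]


def score_grant(grant, today=TODAY):
    """Return a dict with a risk score, the reasons behind it, and a suggested action."""
    score, reasons = 0, []
    broad = sorted(set(grant["scopes"]) & BROAD_SCOPES)
    if broad:
        score += 3 * len(broad)
        reasons.append("broad scopes: " + ", ".join(broad))
    if set(grant["scopes"]) & PERSISTENT_SCOPES:
        score += 1
        reasons.append("holds a refresh token (offline_access)")
    if not grant["verified_publisher"]:
        score += 2
        reasons.append("publisher not verified")
    idle_days = (today - grant["last_used"]).days
    if idle_days > STALE_AFTER_DAYS:
        score += 2
        reasons.append(f"unused for {idle_days} days")
    if grant["users"] == 0:
        score += 1
        reasons.append("no remaining users")
    action = "revoke" if score >= 7 else "review" if score >= 4 else "keep"
    return {"app": grant["app"], "score": score, "action": action, "reasons": reasons}


def review_grants(grants, today=TODAY):
    """Score every grant and return them highest risk first."""
    return sorted((score_grant(g, today) for g in grants), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in review_grants(SAMPLE_GRANTS):
        print(f"{r['action']:6} {r['score']:2}  {r['app']}: {'; '.join(r['reasons']) or 'nothing to flag'}")
```

Tune the weights to your own tolerance, but keep the ordering logic: an unverified app with full mailbox access that nobody has used in months is the grant to revoke today, and a verified calendar integration forty people use daily is not where the review time goes.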
Scenario 4: Onboarding a new employee or contractor
Many cloud incidents start with rushed onboarding. Use a short, repeatable checklist every time a person joins.
- Assign the least privilege needed for the role.
- Place the user in the correct group before granting direct access.
- Require MFA at first sign-in.
- Issue or register approved devices if your policy requires it.
- Train the user on phishing reporting, secure sharing, and acceptable use.
- Give access to shared drives or shared mailboxes instead of handing over someone else's credentials.
- Document who approved access and when it should be reviewed.
This is where cloud security overlaps with privacy compliance for small business teams. If the new hire will handle customer or employee data, access should match your retention and privacy practices rather than informal convenience.
Scenario 5: Offboarding or role change
Offboarding failures are one of the most preventable cloud security gaps.
- Disable sign-in promptly.
- Revoke active sessions and app tokens.
- Reset or transfer ownership of critical accounts, shared drives, calendars, and mailboxes.
- Remove the user from groups, mailing lists, and external collaborations.
- Review forwarding rules, delegated access, and recovery options.
- Preserve data according to business, legal, and retention needs.
- Document what was removed and who verified it.
If your business has compliance obligations, offboarding should align with your retention policy. A practical next step is to review how to create a data retention policy for a small business.
Scenario 6: Remote work and mobile-heavy teams
Cloud-first teams often assume the suite itself solves remote work risk. It does not. You still need supporting controls.
- Set standards for approved browsers, operating systems, and device lock screens.
- Decide whether unmanaged devices can access email only, email plus files, or nothing sensitive.
- Use MFA consistently across VPN, SSO, email, and admin tools.
- Review session timeout and reauthentication settings for risky actions.
- Limit local syncing of sensitive files where practical.
- Document how lost devices are reported and what can be remotely signed out or wiped.
- Check whether remote staff need a business VPN for other systems beyond Microsoft 365 or Google Workspace. If so, compare options in this guide to the best VPNs for small business remote teams.
What to double-check
These are the areas that deserve a second look because they are easy to misunderstand or leave partially configured.
- MFA coverage versus MFA availability. It is not enough that MFA exists. Verify which users are actually enrolled and whether exceptions still make sense.
- Admin role sprawl. Temporary access has a way of becoming permanent. Revalidate every privileged role.
- External sharing defaults. One open setting can quietly expose far more than intended, especially if link sharing is easy and staff move fast.
- Forwarding and delegation. Mailbox forwarding, inbox rules, delegated access, and calendar sharing are common blind spots.
- Third-party app permissions. OAuth grants can survive even when staff forget they approved them. Review broad access regularly.
- Orphaned data. Files and drives tied to former employees can create operational risk and access confusion.
- Alert routing. An alert no one reads is not a control. Make sure notifications go to monitored inboxes or named owners.
- Backup and recovery assumptions. Understand what your suite keeps, what it recovers easily, and what your business still needs to preserve separately.
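Alert routing and audit logging only work once someone has written down what to look for and who gets told. Below is an added example, not part of the original article, that runs a few of the detections this checklist keeps returning to (a sign-in from a country the user has never used, a new forwarding rule, an admin role grant, an anyone-can-open sharing link) over exported events and routes each alert to a named owner. The events, users, and flat field layout are constructed for this example and are not the Microsoft Purview or Google Workspace audit log formats, so map your real export into these fields first. It also escalates a forwarding rule that follows a suspicious sign-in by the same user within an hour, which is the sequence behind many business email compromise cases.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a flat layout of this example's own (not a product's format).
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T08:02:11Z", "user": "alice@example.com", "action": "signin",
     "country": "US", "ip": "198.51.100.10"},
    {"ts": "2024-06-03T08:15:40Z", "user": "alice@example.com", "action": "signin",
     "country": "NG", "ip": "203.0.113.77"},
    {"ts": "2024-06-03T08:16:05Z", "user": "alice@example.com", "action": "inbox_rule_created",
     "detail": "forward to invoices@mail-relay.example.net"},
    {"ts": "2024-06-03T09:30:00Z", "user": "admin-bob@example.com", "action": "role_assigned",
     "detail": "Global Administrator -> carol@example.com"},
    {"ts": "2024-06-03T10:05:22Z", "user": "dave@example.com", "action": "sharing_link_created",
     "detail": "anyone link: Q2-payroll.xlsx"},
    {"ts": "2024-06-03T10:06:00Z", "user": "dave@example.com", "action": "sharing_link_created",
     "detail": "internal link: lunch-menu.pdf"},
    {"ts": "2024-06-03T11:00:00Z", "user": "erin@example.com", "action": "signin",
     "country": "CA", "ip": "198.51.100.22"},
]

# Countries each user has signed in from before (a baseline you would build from history).
KNOWN_COUNTRIES = {"alice@example.com": {"US"}, "dave@example.com": {"US"},
                   "erin@example.com": {"US", "CA"}}

# Alert routing: every category has a named, monitored destination.
OWNERS = {"identity": "it-security@example.com", "email": "it-security@example.com",
          "sharing": "data-owner@example.com"}


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, known_countries=KNOWN_COUNTRIES):
    """Run the detections over events in order and return a list of alert dicts."""
    seen = {user: set(countries) for user, countries in known_countries.items()}
    alerts = []

    def alert(event, category, severity, reason):
        alerts.append({"ts": event["ts"], "user": event["user"], "category": category,
                       "severity": severity, "reason": reason})

    for e in events:
        detail = e.get("detail", "").lower()
        if e["action"] == "signin":
            countries = seen.setdefault(e["user"], set())
            if e["country"] not in countries:
                alert(e, "identity", "medium", f"sign-in from new country {e['country']} ({e['ip']})")
                countries.add(e["country"])  # alert once per new country, not per sign-in
        elif e["action"] == "inbox_rule_created" and "forward" in detail:
            alert(e, "email", "high", f"forwarding rule created: {e['detail']}")
        elif e["action"] == "role_assigned" and "administrator" in detail:
            alert(e, "identity", "high", f"admin role granted: {e['detail']}")
        elif e["action"] == "sharing_link_created" and detail.startswith("anyone"):
            alert(e, "sharing", "medium", f"anonymous link: {e['detail']}")
    return alerts


def correlate(alerts, window_minutes=60):
    """Escalate an email alert that follows an identity alert for the same user within the window."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    for a in alerts:
        if a["category"] != "email":
            continue
        for prior in by_user[a["user"]]:
            gap = (parse_ts(a["ts"]) - parse_ts(prior["ts"])).total_seconds()
            if prior["category"] == "identity" and 0 <= gap <= window_minutes * 60:
                a["severity"] = "critical"
                a["reason"] += f"; {int(gap)}s after {prior['reason']}"
                break
    return alerts


def route(alerts, owners=OWNERS):
    """Group alerts by the owner who is expected to act on them."""
    routed = defaultdict(list)
    for a in alerts:
        routed[owners[a["category"]]].append(a)
    return dict(routed)


if __name__ == "__main__":
    for owner, items in route(correlate(detect(SAMPLE_EVENTS))).items():
        print(owner)
        for a in items:
            print(f"  [{a['severity']}] {a['ts']} {a['user']}: {a['reason']}")
```

The point of `route` is the one the checklist makes about alert routing: every category resolves to a person or monitored mailbox, and a category with no owner raises a KeyError rather than silently dropping the alert.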
This is also a good point to review phishing response steps. Email remains the gateway to many cloud account compromises. For recurring threat patterns, see business phishing scam trends to watch.
Common mistakes
Most SMB cloud security problems are not caused by obscure technical flaws. They come from avoidable operational mistakes.
- Relying on one owner-admin. If one person controls everything, their compromise or departure becomes a business continuity issue.
- Keeping default sharing too open. Teams often prioritize convenience at setup and forget to tighten it later.
- Using personal accounts in business workflows. This creates poor visibility, weak offboarding, and ownership disputes.
- Giving full admin rights to solve short-term tasks. Broad privileges are often granted faster than they are removed.
- Skipping offboarding cleanup. A disabled account alone may not remove app tokens, delegated access, shared links, or forwarded mail.
- Assuming secure email means secure document handling. Files can still be overshared, downloaded, or retained longer than intended.
- Not aligning cloud settings with privacy obligations. Retention, deletion, and access expectations should support your compliance efforts, including state privacy requirements or international handling obligations where relevant.
- Failing to test incident response. If an account is hijacked, you need to know who will disable access, review logs, notify stakeholders, and restore operations.
For teams tightening broader resilience, it helps to pair this checklist with a business continuity checklist for cyber incidents and SaaS outages and a review of likely cyber insurance requirements.
When to revisit
A cloud security checklist only helps a small business if the team revisits it on a schedule, not just after a scare. Put these review points on the calendar:
- Quarterly: admin roles, MFA enrollment, external sharing settings, suspicious forwarding rules, third-party app access, and high-risk inactive accounts.
- Before seasonal planning cycles: review licenses, new features, policy changes, and whether your controls still match current workflows.
- When tools or workflows change: mergers, new remote work patterns, new departments, CRM integrations, e-signature platforms, or file-sharing processes should trigger a permissions and data flow review.
- After staffing changes: repeat onboarding and offboarding checks, especially around finance, HR, and executive support roles.
- Before compliance or insurance reviews: validate access control, logging, incident handling, and retention practices against your internal policies.
- After any suspicious event: a phishing incident, login alert, lost device, or accidental overshare should lead to a targeted recheck of related controls.
To make this actionable, assign one owner for the checklist, one backup reviewer, and one short evidence trail for each review. That evidence can be as simple as a dated internal checklist showing what was checked, what changed, and what still needs follow-up. If your business handles regulated personal data, map this review to your privacy obligations as well, including resources such as the CCPA compliance checklist or GDPR for small business checklist.
In practice, a strong review routine looks like this: confirm who has access, confirm how they sign in, confirm what they can share, confirm what is logged, and confirm how you would recover if something goes wrong. That rhythm will keep your Microsoft 365 or Google Workspace security checklist useful long after the first setup is finished.