It a common requirement in cloud projects to create a Microsoft 365 health assessment report in order to evaluate the health status of an existing Microsoft 365 (Office 365) organization.
In order to compile a Microsoft 365 health assessment report, you first need to determine at high level the scope of the assessment and the components which comprise the target Microsoft 365 organization. Each Microsoft 365 organization can consist of one or more M365 tenants. Each tenant can have one or more M365 license subscriptions. You should first identify the active M365 tenants and structure your assessment procedure based on these tenants. Each tenant corresponds to a separate Azure AD tenant which is declared by a unique default DNS domain in the format [tenantname].onmicrosoft.com.
Microsoft 365 encompasses a large number of services the most common and important of which are Exchange Online, Sharepoint Online and Teams. Remember that you can carry out all M365 health checks by using the following M365 management tools:
- Microsoft 365 management portal
- Azure Lighthouse for Microsoft 365
- Office 365 management APIs
- Microsoft 365 Powershell modules
- Microsoft 365 CLI
Follow the procedure below to collect assessment information and compile your Microsoft 365 health assessment report.
Step group 1
- Identify and document the structure of all M365 tenants and subscriptions under the M365 organization.
- Check overall M365 service health at: https://admin.microsoft.com/Adminportal/Home#/servicehealth.
- Run the M365 network connectivity status at https://admin.microsoft.com/Adminportal/Home#/networkperformance, after checking the pre-requisites.
- Identify any on-premises locations with supported Active Directory / Windows Server versions running a supported version of Azure AD Connect. Remember that Azure AD Connect must be upgraded to the latest version because Microsoft has released an Azure AD Connect supported versions roadmap at https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history#retiring-azure-ad-connect-2x-versions. Refer to my other KB article, if needed, about how to resolve any potential issues when upgrading an Azure AD Connect client.
- Perform a local Office 365 application installation health by using the Microsoft Support and Recovery Assistant tool (SARA) and Office 365 firewall port and IP address range check. OneDrive for Business has its own OneDrive URL and port requirements.
- Perform an Office 365 license management report.
- From the M365 management portal, perform a M365 service health dashboard and service status dashboard, audit log and event log check.
- Perform an overall Azure Active Directory configuration check.
- Perform a M365 users and security groups audit. Check all configured user roles and permissions as per Microsoft best practices and organizational requirements.
- Document M365 distribution groups, shared mailboxes and unified groups (Microsoft 365 groups).
- Review the following configuration aspects of the M365 organization:
- Exchange Online mailboxes and online archives
- Sharepoint Online site collections and sites
- OneDrive for Business configuration
- Teams configuration check
- Intune Mobile Device Management and Enterprise Security and Mobility (EMS) configuration checks
- Identify and access management (IAM)
- Password management
- Data loss prevention (DLP) policies
- Data retention policies
- Content search and ediscovery search checks
- Threat management checks
- Information governance checks
- Microsoft secure score
- Compliance score
- Check the M365 security center and M365 compliance center.
Following the technical assessment, you should create a gap analysis and action item report. Upon customer approval, you should then proceed with implementation of the action items in the action item report to ensure the Microsoft 365 platform is optimized according to Microsoft best practices.
Optionally, provide training to both IT administrators and end users in the customer organization. This will increase technical and business awareness of the Microsoft 365 platform and will result in higher productivity and improved collaboration.
Last but not least, it would be good to provide some sort of operations document to your customer(s) which would include operational procedures about the following aspects of their Microsoft 365 infrastructure:
- Microsoft 365 tenant data residency
- Troubleshooting and reporting
- Proactive monitoring
- Permissions delegation and security/privacy configuration
- Backup procedures and data resiliency. A third party backup tool may need to be recommended, depending on the customer data usage and recovery requirements.
- Microsoft 365 external/guest user security policies
It would be beneficial to document the customer business benefits from the M365 health assessment report, including the following benefits:
- Compliance management. Comply with data and privacy specifications such as GDPR.
- Cost optimization and license management
- Higher adoption rates of the Microsoft 365 services by administrators and end users.
- The Office 365 environment will be optimized as per best practices
- Increased productivity due to more efficient usage of the Microsoft 365 platform.
- Establish higher levels of security and antimalware protection