What Should MSPs Actually Monitor in Microsoft 365?

If you manage Microsoft 365 tenants for clients, you’ve probably faced this dilemma:

  • There are hundreds of settings, logs, and alerts available.
  • But you can’t monitor everything without drowning in noise.

That’s why MSPs often ask:

“What should we actually be monitoring in Microsoft 365?”

The answer: focus on high-signal, actionable events, the things that both protect clients and provide clear evidence of your value.

  1. MFA Adoption

Why it matters: Multi-Factor Authentication (MFA) is the single most effective security control in Microsoft 365. Without it, accounts are highly vulnerable.

What to track:

  • Percentage of users with MFA enabled
  • Who still doesn’t have it
  • Trends quarter to quarter

  2. Risky Sign-Ins

Why it matters: Risky sign-ins highlight suspicious activity — impossible travel, repeated failures, or sign-ins from unusual locations.

What to track:

  • Number of risky sign-ins blocked
  • Which accounts triggered them
  • Whether follow-up action was taken

  3. Mailbox Forwarding Rules

Why it matters: Hidden auto-forwarding rules are a classic way attackers exfiltrate data.

What to track:

  • New forwarding rules created
  • Who created them
  • Whether they were approved or removed
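
One way to surface "new forwarding rules created" and "who created them" without alerting on every rule change, shown as an added example that is not part of the original article or any vendor's product. It assumes audit records exported as JSON in the Exchange admin shape (`Operation`, `UserId`, `ObjectId`, `CreationTime`, `Parameters` as name/value pairs); the function names, the sample records and the `contoso.example` domain are constructed for illustration.

```python
# Exchange operations that can set up forwarding, and the parameters that carry the target.
# Set-Mailbox -ForwardingAddress takes a recipient identity, not an SMTP address, so it is
# out of scope for this domain-based check.
FORWARD_PARAMS = {
    "New-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-InboxRule": ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"),
    "Set-Mailbox": ("ForwardingSmtpAddress",),
}

def external_targets(value, tenant_domains):
    """Return the SMTP targets in a parameter value that fall outside the tenant's domains."""
    targets = []
    for part in value.replace(",", ";").split(";"):
        addr = part.strip().lower()
        if addr.startswith("smtp:"):
            addr = addr[5:]
        if "@" in addr and addr.rsplit("@", 1)[1] not in tenant_domains:
            targets.append(addr)
    return targets

def find_external_forwarding(records, tenant_domains):
    """Return one finding per audit record that forwards mail outside the tenant."""
    domains = {d.lower() for d in tenant_domains}
    findings = []
    for rec in records:
        watched = FORWARD_PARAMS.get(rec.get("Operation"), ())
        for param in rec.get("Parameters", []):
            if param.get("Name") not in watched:
                continue
            targets = external_targets(param.get("Value") or "", domains)
            if targets:
                findings.append({"time": rec.get("CreationTime"), "actor": rec.get("UserId"),
                                 "mailbox": rec.get("ObjectId"), "operation": rec["Operation"],
                                 "targets": targets})
    return findings

# Constructed sample records (not real tenant data).
SAMPLE = [
    {"CreationTime": "2024-05-02T08:14:11", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "ObjectId": "alice@contoso.example\\Invoices",
     "Parameters": [{"Name": "ForwardTo", "Value": "smtp:drop@mailbox.example"}]},
    {"CreationTime": "2024-05-02T09:30:00", "Operation": "Set-Mailbox",
     "UserId": "admin@contoso.example", "ObjectId": "bob",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:pa@contoso.example"}]},
    {"CreationTime": "2024-05-02T10:05:42", "Operation": "New-InboxRule",
     "UserId": "carol@contoso.example", "ObjectId": "carol@contoso.example\\Archive",
     "Parameters": [{"Name": "MoveToFolder", "Value": "Archive"}]},
]

if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE, ["contoso.example"]):
        print(finding)
```

Only the first sample record is reported: the second forwards inside the tenant and the third is a rule with no forwarding action, which keeps the alert limited to events that need follow-up.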

  4. Conditional Access & Security Policies

Why it matters: These policies enforce your baseline security posture (blocking legacy auth, requiring MFA, restricting risky locations). If they’re changed, your client’s risk profile changes instantly.

What to track:

  • New or modified conditional access rules
  • Baseline security posture drift (vs. agreed standard)

  5. Defender Alerts

Why it matters: Microsoft Defender provides tenant-level security insights. But without central monitoring, you risk missing incidents.

What to track:

  • Malware detections
  • Phishing attempts
  • Endpoint protection status

  6. Inactive Accounts & Licensing

Why it matters: Inactive accounts are a security and cost risk. Clients shouldn’t be paying for licenses that aren’t used.

What to track:

  • Accounts with no activity for 30/60/90 days
  • Licenses assigned but unused

How to Avoid Alert Fatigue

The danger isn’t missing things — it’s getting buried in too many signals. That’s why it’s critical to:

  • Define a baseline once, and detect drift from it
  • Focus only on alerts that require action
  • Roll everything up into one clear dashboard

Bringing It Together

For MSPs, the goal isn’t to “monitor everything.” It’s to monitor the right things, across every tenant, without drowning your helpdesk in noise.

By focusing on MFA adoption, risky sign-ins, mailbox forwarding, baseline drift, Defender alerts, and inactive accounts, you can protect clients and prove your value with clear reports.

👉 Want to see how this works in practice? Start your Free 14-Day Trial of the full system and get cross-tenant visibility with actionable alerts built-in.
