How to validate users, groups, and access in the organization's Microsoft 365 environment:
1. Tab Users
Description: Complete list of all users registered in Microsoft 365.
How to validate:
- Verify if all users should exist in the environment based on their email (main email column) or username (User Principal Name column).
- Users who have been terminated should only be present in the list if the account status column is marked as "Disabled" (accountEnabled = false), indicating that the user is blocked.
- Important: Users who do not belong to a natural person (such as generic users, service accounts, or non-nominal accounts) should not be kept, unless there is documented technical justification.
- Check for duplicate or long-inactive users who can be removed.
Main fields to check:
- Email (mail)
- Display Name (displayName)
- User Principal Name (userPrincipalName)
- Account Status (accountEnabled)
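Added example (not part of the original procedure): a Python pre-filter for the Users tab that flags rows for the reviewer: terminated users whose account is still enabled, accounts that look non-nominal and have no recorded justification, and duplicate mail addresses. It assumes the tab is exported as CSV with the four columns listed above; the HR termination list, the justification register, and the naming hints are hypothetical inputs.

```python
import csv
import io
from collections import Counter

# Constructed sample of the Users tab, exported as CSV (not real data).
USERS_CSV = """mail,displayName,userPrincipalName,accountEnabled
ana.silva@example.com,Ana Silva,ana.silva@example.com,True
joao.lima@example.com,Joao Lima,joao.lima@example.com,True
maria.costa@example.com,Maria Costa,maria.costa@example.com,False
scanner@example.com,Office Scanner,scanner@example.com,True
ana.silva@example.com,Ana Silva (old),ana.silva2@example.com,True
"""

# Assumed inputs from outside the export: HR's terminated list and the
# register of non-nominal accounts with a documented justification.
TERMINATED = {"joao.lima@example.com", "maria.costa@example.com"}
JUSTIFIED_NON_NOMINAL = set()
# Hypothetical naming hints for non-nominal accounts; tune per organization.
NON_NOMINAL_HINTS = ("svc", "scanner", "noreply", "admin", "test")


def is_enabled(value):
    """Exports render booleans inconsistently (True/TRUE/1/yes)."""
    return value.strip().lower() in {"true", "1", "yes"}


def triage_users(csv_text, terminated, justified):
    """Return (userPrincipalName, reason) pairs that need a human decision."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    mail_counts = Counter(r["mail"].strip().lower() for r in rows if r["mail"].strip())
    findings = []
    for r in rows:
        upn = r["userPrincipalName"].strip().lower()
        mail = r["mail"].strip().lower()
        # A terminated user may stay listed only with accountEnabled = false.
        if is_enabled(r["accountEnabled"]) and (upn in terminated or mail in terminated):
            findings.append((upn, "terminated-but-enabled"))
        # Non-nominal accounts need a documented technical justification.
        local = upn.split("@")[0]
        if any(h in local for h in NON_NOMINAL_HINTS) and upn not in justified:
            findings.append((upn, "non-nominal-without-justification"))
        if mail and mail_counts[mail] > 1:
            findings.append((upn, "duplicate-mail"))
    return findings


if __name__ == "__main__":
    for upn, reason in triage_users(USERS_CSV, TERMINATED, JUSTIFIED_NON_NOMINAL):
        print(f"{reason:36} {upn}")
```

The output is a worklist for the reviewer, not a verdict: the name hints only catch accounts that follow a naming pattern, so unflagged rows still need the manual check described above.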
2. Tab SharedMailbox (Shared Mailboxes)
Description: List of shared mailboxes configured in the environment.
How to validate:
- Verify if all listed shared mailboxes are necessary and actively used.
- Confirm that the purpose of each shared mailbox is clear and justified.
- Validate who has access to each shared mailbox (check the permissions or related members tab).
Main fields to check:
- Display Name (displayName)
- Email (mail)
- Purpose (userPurpose = "shared")
3. Tab Guests (Guest/External Users)
Description: List of guest users (external to the organization) who have access to the environment.
How to validate:
- Verify if all listed guest users should still have access to the environment.
- Validate the account creation date and, if available, the last access date.
- Remove guests who are no longer needed or whose projects/partnerships have ended.
Main fields to check:
- Display Name (displayName)
- Email (mail)
- User Principal Name (userPrincipalName)
- Creation Date (createdDateTime)
4. Tab Licenses (Licenses)
Description: List of Microsoft 365 licenses assigned to each user.
How to validate:
- Verify if each user has the appropriate licenses for their roles and needs.
- Identify unused licenses or those assigned to inactive users.
- Review duplicate or unnecessary licenses that can be redistributed or removed to optimize costs.
Main fields to check:
- User Email (userMail)
- License Type (skuPartNumber)
5. Tab SharePointSites (SharePoint Sites)
Description: List of all SharePoint sites in the environment.
How to validate:
- Verify if all listed SharePoint sites should exist based on their name or URL.
- Confirm that each site has a clear purpose and is actively used.
- Identify duplicate, abandoned, or useless sites that can be archived or removed.
Main fields to check:
- Site Name (displayName)
- URL (webUrl)
- Creation Date (createdDateTime)
6. Tab Teams (Microsoft Teams Teams)
Description: List of all teams created in Microsoft Teams.
How to validate:
- Verify if all listed teams are necessary and actively used.
- Confirm that each team has a clear description and well-defined purpose.
- Identify duplicate teams or those no longer in use.
Main fields to check:
- Team Name (displayName)
- Email (mail)
- Description (description)
7. Tab TeamsMembers (Teams Members)
Description: List of all users who are members of Microsoft Teams teams. Each user with access to a team is listed on a new line.
How to validate:
- Verify if each listed user should actually have access to the team indicated on the same line.
- Validate if the permission level of each user is appropriate for their role:
  - Owner: Administrator permission, has full control over the team.
  - Member: Can participate and collaborate but cannot manage the team.
Main fields to check:
- Team Name (teamName)
- User Name (userName)
- User Email (userMail)
- Role/Permission (role)
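Added example (not part of the original procedure): a Python cross-check that joins the TeamsMembers tab against the Users and Guests tabs to pre-select rows for the access review. It goes beyond the per-row check described above by flagging disabled accounts that are still team members, guests holding the Owner role, and members that appear in neither tab. The CSV export, the sample rows, and the three reason labels are assumptions made for illustration.

```python
import csv
import io

# Constructed samples of three tabs exported as CSV (not real data).
USERS = """userPrincipalName,mail,accountEnabled
ana.silva@example.com,ana.silva@example.com,True
joao.lima@example.com,joao.lima@example.com,False
"""
GUESTS = """userPrincipalName,mail,createdDateTime
pat_partner.test#EXT#@example.onmicrosoft.com,pat@partner.test,2023-02-01T10:00:00Z
"""
TEAMS_MEMBERS = """teamName,userName,userMail,role
Finance,Ana Silva,ana.silva@example.com,Owner
Finance,Joao Lima,joao.lima@example.com,Member
Finance,Pat Partner,pat@partner.test,Owner
Projects,Unknown Person,ghost@example.com,Member
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_team_access(users_csv, guests_csv, members_csv):
    """Return (teamName, userMail, reason) rows that need a human decision."""
    enabled = {r["mail"].strip().lower(): r["accountEnabled"].strip().lower() == "true"
               for r in load(users_csv)}
    guests = {r["mail"].strip().lower() for r in load(guests_csv)}
    findings = []
    for m in load(members_csv):
        mail = m["userMail"].strip().lower()
        role = m["role"].strip().lower()
        if mail in guests:
            # Owner gives full control of the team; a guest owner is a
            # least-privilege review candidate (assumed heuristic).
            if role == "owner":
                findings.append((m["teamName"], mail, "guest-is-owner"))
        elif mail not in enabled:
            findings.append((m["teamName"], mail, "not-in-users-tab"))
        elif not enabled[mail]:
            findings.append((m["teamName"], mail, "disabled-account-still-member"))
    return findings


if __name__ == "__main__":
    for team, mail, reason in review_team_access(USERS, GUESTS, TEAMS_MEMBERS):
        print(f"{team:10} {mail:28} {reason}")
```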
8. Tab TeamsChannels (Teams Channels)
Description: List of all channels within Microsoft Teams teams.
How to validate:
- Verify if all listed channels are necessary for the corresponding teams.
- Confirm that each channel has a clear purpose.
- Identify duplicate or unused channels that can be removed.
Main fields to check:
- Team Name (teamName)
- Channel Name (channelName)
- Channel Type (membershipType: standard, private, shared)
9. Tab TeamsSharedPrivateChannels (Private/Shared Channels)
Description: List of private or shared channels in Teams teams.
How to validate:
- Verify if these restricted channels are really necessary.
- Validate who has access to each private/shared channel.
Main fields to check:
- Channel Name
- Membership Type (membershipType)
10. Tab TeamsPrivateChannelsMembers (Private Channels Members)
Description: List of users with access to private channels within teams.
How to validate:
- Verify if each listed user should have access to the indicated private channel.
- Validate each user's permissions.
Main fields to check:
- Private Channel Name
- User Name
- User Email
- Role/Permission
11. Tab DistributonLists (Distribution Lists)
Description: List of all email distribution lists configured in the environment.
How to validate:
- Verify if all distribution lists should exist in the environment based on their name and email address.
- Confirm that each distribution list has a clear purpose and is being used.
- Identify duplicate or obsolete lists that can be removed.
Main fields to check:
- List Name (displayName)
- Email (mail)
- Mail Enabled (mailEnabled)
12. Tab DLMembers (Distribution List Members)
Description: List of all users who receive messages from each distribution list. Each user is listed on a new line.
How to validate:
- Verify if each listed user should receive email messages from the indicated distribution list on the same line.
- Validate if each user's permission is appropriate:
  - Owner: Administrator permission, has full control over the distribution list.
  - Member: Receives messages but cannot approve, add, or remove members.
Main fields to check:
- List Name (groupName)
- User Name (memberName)
- User Email (memberMail)
- Permission (role)
13. Tab Membership (User Memberships to Groups)
Description: List of all user memberships to Microsoft 365 groups (unified, security groups, etc.).
How to validate:
- Verify if each user should belong to the indicated group.
- Validate the permissions and roles of each member.
- Identify duplicate or unnecessary memberships.
Main fields to check:
- Group Name (groupName)
- User Name (userName)
- User Email (userMail)
14. Tab GroupsMembers (Group Members)
Description: Detailed list of members of Microsoft 365 groups that are not distribution lists or teams.
How to validate:
- Verify if each user should be a member of the listed group.
- Validate permissions (Owner vs. Member).
Main fields to check:
- Group ID (groupID)
- Group Display Name (displayName)
- Member Email (member_mail)
- Permission
15. Tab Domains (Domains)
Description: List of verified domains associated with the Microsoft 365 tenant.
How to validate:
- Verify if all listed domains belong to the organization.
- Confirm that unused or old domains are removed.
Main fields to check:
- Domain Name
- Authentication Status
- Is Default Domain?
16. Tab Rooms.Equipments (Rooms and Equipment)
Description: List of resource mailboxes (meeting rooms and equipment).
How to validate:
- Verify if all listed rooms and equipment still physically exist.
- Confirm that each resource is correctly configured.
Main fields to check:
- Resource Name (displayName)
- Email (mail)
- Type (userPurpose: room or equipment)
17. Tab Linked.Others (Other Linked Users/Accounts)
Description: Special users or accounts linked to the environment (e.g., service accounts).
How to validate:
- Verify if all listed accounts are necessary.
- Validate the purpose of each linked account.
Main fields to check:
- Display Name
- Purpose
18. Tab NoMailbox (Users without Mailbox)
Description: Users who do not have an assigned mailbox.
How to validate:
- Verify if these users really do not need a mailbox.
- Confirm if they are service accounts or other types of special accounts.
Main fields to check:
- User Name
19. Tab Planners (Microsoft Planner Plans)
Description: List of plans created in Microsoft Planner.
How to validate:
- Verify if all listed plans are actively used.
- Confirm that each plan has a clear purpose.
- Identify duplicate or obsolete plans.
Main fields to check:
- Plan Name
- Associated Group ID
20. Tab TeamsFromGroups (Teams Created From Groups)
Description: Teams that were created from Microsoft 365 groups.
How to validate:
- Verify the relationship between groups and teams.
- Confirm there are no duplications or inconsistencies.
Main fields to check:
- Group ID
- Team Name
21. Tab SharePointWithoutTeamsFromGroup (SharePoint Without Associated Team)
Description: SharePoint sites that do not have an associated Teams team.
How to validate:
- Verify if these sites should continue without an associated team.
- Evaluate if it would be beneficial to create a team for collaboration.
Main fields to check:
- Site Name
- URL
- Associated Group
Permission Descriptions
- Owner: Administrator permission, has full control over the resource (SharePoint, Distribution List, Team, Group, etc.). Can add and remove members, change settings, and manage permissions.
- Member: Has full access to content and can collaborate, but cannot approve requests, add or remove other members, or change administrative settings.
Important Notes
- Regular Review: This audit process should be performed periodically to ensure that accesses and resources are always up to date.
- Principle of Least Privilege: When validating permissions, always apply the principle of least privilege, ensuring users have only the permissions strictly necessary to perform their functions.
- Restricted Groups: Remember that the "abuse", "postmaster", and "security" groups are reserved and managed by the technology infrastructure. They should not be manually modified.
- Documentation: Keep documentation updated about the purpose of each resource (teams, sites, lists, etc.) to facilitate future audits.
- Compliance: Ensure all configurations comply with the organization's security and governance policies.
- Access Audit: Review access logs (especially for Shared Drives and groups) to identify abnormal or unauthorized access.
After completing validation of all tabs, reply to this email confirming approval or indicating the necessary adjustments.