Your credit union runs Microsoft 365. Your IT team configured it when you migrated. But when was the last time anyone verified those configurations against what NCUA examiners actually look for?
That question keeps coming up in examination debriefs. Credit unions pass their annual IT exams, then discover months later that a single misconfigured Conditional Access policy left member data exposed to unmanaged devices. Or that legacy authentication protocols were still enabled because nobody thought to check.
This checklist covers 15 Microsoft 365 settings that map directly to NCUA examination expectations and FFIEC guidance. Each one is something your IT team can verify this week. Most take less than 10 minutes to check. Several can be fixed in the same session.
In This Article
- Why Credit Unions Need a CU-Specific M365 Security Checklist
- Identity and Access Management (Settings 1-4)
- Email Security (Settings 5-8)
- Data Loss Prevention (Settings 9-11)
- Device and Application Management (Settings 12-13)
- Monitoring and Response (Settings 14-15)
- Turning This Checklist Into an Ongoing Process
- Frequently Asked Questions
Why Credit Unions Need a CU-Specific M365 Security Checklist
Generic Microsoft 365 security guides miss what matters to credit unions. They optimize for Secure Score points without considering NCUA examination procedures, FFIEC authentication guidance, or the specific regulatory obligations that come with holding member deposits.
NCUA Letter 24-CU-02, issued in October 2024, raised the bar on cybersecurity oversight. It requires credit union boards to actively engage in cybersecurity governance, not just receive annual reports. The 2026 NCUA Supervisory Priorities letter doubled down, listing cybersecurity and information security as top examiner focus areas for every federally insured credit union.
The FFIEC Authentication and Access guidance (updated 2021) specifically calls out multi-factor authentication, risk-based access controls, and device management as examination areas. Microsoft 365 is where most of those controls live for credit unions running Business Premium or E3/E5 licensing.
A credit-union-specific checklist maps each M365 setting to the regulatory requirement it satisfies. That way, when an examiner asks about your access controls, your IT team can point to the exact Conditional Access policy that enforces them.
Identity and Access Management (Settings 1-4)
Identity is the perimeter for cloud-based credit unions. If an attacker compromises a staff credential, every member record in your tenant is at risk. These four settings form the foundation that NCUA examiners evaluate first.
Setting 1: Enforce MFA for All Users (Including Admins)
Multi-factor authentication blocks 99.9% of automated credential attacks, according to Microsoft's own security research. Yet MFA adoption across Microsoft Entra ID tenants hovers around 50%, meaning half of organizations still rely on passwords alone for at least some accounts.
For credit unions, the check is straightforward: every user account, including Global Admins, service accounts, and break-glass emergency accounts, should require MFA. Security defaults handle this for basic tenants. Credit unions on Business Premium or E3/E5 should use Conditional Access policies instead, which provide granular control over when and how MFA is triggered.
What to verify: Open the Entra ID admin center. Navigate to Protection > Conditional Access. Confirm a policy exists that requires MFA for all users, all cloud apps. Check that no exclusions exist for admin accounts.
Setting 2: Configure Conditional Access Policies for Risk-Based Access
MFA is the floor. Conditional Access is the architecture. FFIEC guidance specifically calls for risk-based authentication that adapts to the context of each sign-in: device, location, user risk level, and application sensitivity.
Credit unions should have policies that block sign-ins from countries where they have no operations, require compliant devices for access to SharePoint and Exchange, and force reauthentication for high-risk sign-ins detected by Entra ID Protection.
What to verify: Review your Conditional Access policy set. At minimum, you need policies covering: (1) MFA for all users, (2) block legacy authentication, (3) require compliant devices for sensitive apps, (4) block or require MFA for risky sign-ins, (5) restrict access by location.
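The portal walk-through above for Settings 1 and 2 can be scripted so it runs the same way every month. The following Python is an added example, not code from the article or from ABT: it evaluates a list of Conditional Access policies in the JSON shape Microsoft Graph returns from GET /identity/conditionalAccess/policies and reports whether an enabled MFA-for-all policy exists (and whether it carries exclusions), whether legacy authentication is blocked, and whether a compliant device is required for Exchange Online. The three sample policies are constructed; the Global Administrator role template ID and the Exchange Online first-party application ID are Microsoft's well-known values. Pulling the live JSON from Graph is left to the caller so the check runs offline.

```python
"""Checklist Settings 1 and 2: evaluate a tenant's Conditional Access policy set.

Each policy is a dict in the shape returned by Microsoft Graph
(GET /identity/conditionalAccess/policies). SAMPLE_POLICIES below are
constructed for this example; replace them with the JSON your tenant returns.
"""
from typing import Iterable

# Well-known Microsoft identifiers (directory role template / first-party app).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
OFFICE_365_EXCHANGE_ONLINE = "00000002-0000-0ff1-ce00-000000000000"
# Graph's names for the client types that use legacy (basic) authentication.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}


def _enabled(p: dict) -> bool:
    # Report-only ("enabledForReportingButNotEnforced") policies enforce nothing.
    return p.get("state") == "enabled"


def _users(p: dict) -> dict:
    return p.get("conditions", {}).get("users", {})


def _included_apps(p: dict) -> list:
    return p.get("conditions", {}).get("applications", {}).get("includeApplications", [])


def _grants(p: dict) -> set:
    return set(p.get("grantControls", {}).get("builtInControls", []))


def covers_all_users(p: dict) -> bool:
    return "All" in _users(p).get("includeUsers", [])


def has_exclusions(p: dict) -> bool:
    """Any user, group or role carved out of the policy. Setting 1 wants no
    admin exclusions, so every exclusion is surfaced for review."""
    u = _users(p)
    return bool(u.get("excludeUsers") or u.get("excludeGroups") or u.get("excludeRoles"))


def mfa_for_all(policies: Iterable[dict]) -> dict:
    """Setting 1: an enabled policy that requires MFA for all users on all apps."""
    for p in policies:
        if (_enabled(p) and covers_all_users(p)
                and "All" in _included_apps(p) and "mfa" in _grants(p)):
            return {"found": True, "policy": p.get("displayName"),
                    "exclusions": has_exclusions(p)}
    return {"found": False, "policy": None, "exclusions": False}


def legacy_auth_blocked(policies: Iterable[dict]) -> bool:
    """Setting 2 item (2): an enabled policy that blocks the legacy client types."""
    for p in policies:
        client_apps = set(p.get("conditions", {}).get("clientAppTypes", []))
        if (_enabled(p) and covers_all_users(p)
                and LEGACY_CLIENT_APPS <= client_apps and "block" in _grants(p)):
            return True
    return False


def compliant_device_required(policies: Iterable[dict], app_id: str) -> bool:
    """Setting 2 item (3): an enabled policy requiring a compliant device for
    the given app (or for all apps)."""
    for p in policies:
        apps = _included_apps(p)
        if (_enabled(p) and ("All" in apps or app_id in apps)
                and "compliantDevice" in _grants(p)):
            return True
    return False


def evaluate(policies: list) -> dict:
    """Summary of the checklist items this code can assess from policy JSON."""
    mfa = mfa_for_all(policies)
    return {
        "mfa_all_users": mfa["found"],
        "mfa_policy_has_exclusions": mfa["exclusions"],
        "legacy_auth_blocked": legacy_auth_blocked(policies),
        "compliant_device_for_exchange": compliant_device_required(
            policies, OFFICE_365_EXCHANGE_ONLINE),
    }


# Constructed sample tenant: MFA policy excludes Global Admins (a finding),
# legacy auth is blocked, and the device policy was left in report-only mode.
SAMPLE_POLICIES = [
    {"displayName": "CA001 - Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [],
                              "excludeGroups": [], "excludeRoles": [GLOBAL_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002 - Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "CA003 - Require compliant device for Exchange",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": [OFFICE_365_EXCHANGE_ONLINE]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
]

if __name__ == "__main__":
    for check, result in evaluate(SAMPLE_POLICIES).items():
        print(f"{check:32s} {result}")
```

On the sample tenant the report shows the two gaps an examiner would catch: the MFA policy excludes the Global Administrator role, and the compliant-device policy exists but is report-only, so it enforces nothing until its state is changed to enabled.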
Setting 3: Enable Privileged Identity Management (PIM) for Admin Roles
Permanent Global Admin assignments are the single biggest identity risk in any M365 tenant. If a Global Admin account is compromised, the attacker owns everything: mailboxes, files, security settings, audit logs. PIM converts permanent admin roles to just-in-time assignments. Admins request elevated access when they need it, approve it through a workflow, and the elevation expires automatically.
What to verify: In Entra ID, go to Identity Governance > Privileged Identity Management > Roles. Check how many users have permanent (active) Global Admin assignments. The target is zero permanent assignments, with all admin access flowing through PIM activation.
NCUA Letter 24-CU-02, issued October 2024, explicitly requires credit union boards to engage in cybersecurity oversight. Examiners are now asking boards to demonstrate they understand their institution's cybersecurity posture. For M365 environments, that means documenting who has admin access, how it's controlled, and how the institution detects unauthorized changes. If your board can't answer those questions, expect follow-up findings.
Setting 4: Review and Restrict Guest Access
Guest accounts let external users access your Teams channels, SharePoint sites, and shared files. Many credit unions enable guest access for auditors, vendors, or CUSOs without setting expiration dates or limiting what guests can see.
What to verify: In Entra ID, review External Identities settings. Confirm guest invite permissions are restricted to admins or specific users (not "anyone in the organization"). Check for stale guest accounts that haven't signed in within 90 days. Verify that Conditional Access policies apply to guest users, not just members.
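Settings 3 and 4 both come down to counting: permanent Global Admin assignments (target zero) and guest accounts idle for more than 90 days. The following Python is an added example, not ABT's or Microsoft's code. It assumes two inputs in Microsoft Graph's shapes: role assignment schedule instances (GET /roleManagement/directory/roleAssignmentScheduleInstances, where a PIM activation appears with assignmentType "Activated" and an end time, while a standing assignment is "Assigned" with no end time) and user objects with signInActivity (GET /users?$select=userPrincipalName,userType,signInActivity). All sample data is constructed; the Global Administrator template ID is Microsoft's well-known value and the second role ID is a placeholder.

```python
"""Settings 3 and 4: permanent Global Admin assignments and stale guests.

Inputs follow the shapes of the Graph endpoints named in the docstrings;
all sample data below is constructed for this example.
"""
from datetime import datetime, timedelta, timezone

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"   # well-known template ID
OTHER_ROLE = "00000000-0000-0000-0000-00000000abcd"          # placeholder, not a real role


def _parse_time(value: str) -> datetime:
    # Graph returns "2025-06-01T04:00:00Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def permanent_global_admins(instances: list) -> list:
    """Principals holding Global Admin as a standing assignment.

    instances: items from GET /roleManagement/directory/roleAssignmentScheduleInstances.
    A PIM activation shows assignmentType "Activated" with an endDateTime;
    a permanent assignment is "Assigned" with no end. Only the latter is a finding.
    """
    return sorted(i["principalId"] for i in instances
                  if i.get("roleDefinitionId") == GLOBAL_ADMIN_ROLE
                  and i.get("assignmentType") == "Assigned"
                  and i.get("endDateTime") is None)


def stale_guests(users: list, now: datetime, max_idle_days: int = 90) -> list:
    """Guests that never signed in or last signed in more than max_idle_days ago.

    users: items from GET /users?$select=userPrincipalName,userType,signInActivity.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        if u.get("userType") != "Guest":
            continue
        last = (u.get("signInActivity") or {}).get("lastSignInDateTime")
        if last is None or _parse_time(last) < cutoff:
            stale.append(u["userPrincipalName"])
    return sorted(stale)


def identity_report(instances: list, users: list, now: datetime) -> dict:
    admins = permanent_global_admins(instances)
    guests = stale_guests(users, now)
    return {"permanent_global_admins": admins, "stale_guests": guests,
            "pim_target_met": len(admins) == 0}


# Constructed sample data. Review date: 1 June 2025.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INSTANCES = [
    {"principalId": "user-ops-admin", "roleDefinitionId": GLOBAL_ADMIN_ROLE,
     "assignmentType": "Assigned", "endDateTime": None},                  # permanent: finding
    {"principalId": "user-pim-admin", "roleDefinitionId": GLOBAL_ADMIN_ROLE,
     "assignmentType": "Activated", "endDateTime": "2025-06-01T04:00:00Z"},  # PIM activation
    {"principalId": "user-helpdesk", "roleDefinitionId": OTHER_ROLE,
     "assignmentType": "Assigned", "endDateTime": None},                  # not Global Admin
]
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example-cu.test", "userType": "Member",
     "signInActivity": {"lastSignInDateTime": "2025-05-30T12:00:00Z"}},
    {"userPrincipalName": "auditor_ext.test#EXT#@examplecu.onmicrosoft.com", "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2025-05-20T08:00:00Z"}},   # active auditor
    {"userPrincipalName": "vendor_ext.test#EXT#@examplecu.onmicrosoft.com", "userType": "Guest",
     "signInActivity": {"lastSignInDateTime": "2024-11-01T08:00:00Z"}},   # idle 7 months
    {"userPrincipalName": "cuso_ext.test#EXT#@examplecu.onmicrosoft.com", "userType": "Guest"},  # never signed in
]

if __name__ == "__main__":
    print(identity_report(SAMPLE_INSTANCES, SAMPLE_USERS, NOW))
```

A guest with no signInActivity at all is treated as stale on purpose: an invitation that was never redeemed is still an account that can be used later, and it has no business justification on record.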
Email Security (Settings 5-8)
Email is the primary attack vector for credit unions. Phishing, business email compromise, and impersonation attacks all start in the inbox. These four settings close the gaps that attackers exploit most often.
Setting 5: Implement SPF, DKIM, and DMARC
These three email authentication protocols prevent attackers from sending emails that appear to come from your credit union's domain. SPF declares which servers can send mail for your domain. DKIM signs outbound messages with a cryptographic key. DMARC tells receiving servers what to do when SPF or DKIM checks fail.
Many credit unions have SPF configured but stop there. Without DKIM and a DMARC policy set to "quarantine" or "reject," spoofed emails using your domain can still reach member inboxes at other institutions.
What to verify: Check your DNS records. You need an SPF record (v=spf1), at least two DKIM CNAME records (selector1 and selector2), and a DMARC TXT record. The DMARC policy should be p=quarantine at minimum, with p=reject as the target. If your DMARC record says p=none, it's monitoring only and not blocking anything.
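The DNS checks for Setting 5 are easy to script once the records are in hand. The following Python is an added example, not code from the article or from ABT: it parses an SPF record (terminal "all" qualifier and the count of DNS-lookup terms, which RFC 7208 caps at 10), checks that both Microsoft 365 DKIM selector CNAMEs resolve, and parses the DMARC record to decide whether the policy is enforcing. The records are passed in as strings so the example runs offline; in practice you would obtain them with dig, nslookup or dnspython. The two sample domains and their records are constructed.

```python
"""Setting 5: grade a domain's SPF, DKIM and DMARC records.

Record strings are what TXT/CNAME lookups return; the samples below are
constructed for this example. Live DNS lookups are left to the caller.
"""
import re

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation).
LOOKUP_TERM = re.compile(r"^(include:|a(?::|/|$)|mx(?::|/|$)|exists:|ptr(?::|$)|redirect=)")
M365_DKIM_SELECTORS = ("selector1", "selector2")


def parse_spf(record):
    """Return the terminal 'all' qualifier and lookup-term count, or None if not SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    qualifier = "+"  # RFC 7208: a term with no qualifier means "pass"
    for t in terms:
        if t.lstrip("+-~?") == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lstrip("+-~?")))
    return {"all_qualifier": qualifier, "lookup_terms": lookups}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict, or None if not DMARC."""
    if not record or not record.replace(" ", "").lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcing(tags):
    """True only for p=quarantine or p=reject applied to all mail (pct defaults to 100)."""
    if tags is None:
        return False
    policy = tags.get("p", "none").lower()
    return policy in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100


def missing_dkim_selectors(domain, cname_records):
    """cname_records maps a queried name to its CNAME target (absent if no record)."""
    return [s for s in M365_DKIM_SELECTORS
            if not cname_records.get(f"{s}._domainkey.{domain}")]


def grade_domain(domain, spf_txt, dkim_cnames, dmarc_txt):
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    return {
        "spf_present": spf is not None,
        "spf_all_qualifier": spf["all_qualifier"] if spf else None,
        "spf_too_many_lookups": bool(spf) and spf["lookup_terms"] > 10,
        "dkim_missing_selectors": missing_dkim_selectors(domain, dkim_cnames),
        "dmarc_policy": dmarc.get("p", "none").lower() if dmarc else None,
        "dmarc_enforcing": dmarc_enforcing(dmarc),
    }


# Constructed samples: the common "SPF only, DMARC monitoring" state and the target state.
WEAK = dict(
    domain="example-cu.test",
    spf_txt="v=spf1 include:spf.protection.outlook.com ~all",
    dkim_cnames={"selector1._domainkey.example-cu.test":
                 "selector1-example-cu-test._domainkey.examplecu.onmicrosoft.com"},
    dmarc_txt="v=DMARC1; p=none; rua=mailto:dmarc-reports@example-cu.test",
)
STRONG = dict(
    domain="example-cu.test",
    spf_txt="v=spf1 include:spf.protection.outlook.com -all",
    dkim_cnames={"selector1._domainkey.example-cu.test":
                 "selector1-example-cu-test._domainkey.examplecu.onmicrosoft.com",
                 "selector2._domainkey.example-cu.test":
                 "selector2-example-cu-test._domainkey.examplecu.onmicrosoft.com"},
    dmarc_txt="v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example-cu.test",
)

if __name__ == "__main__":
    print("weak:  ", grade_domain(**WEAK))
    print("strong:", grade_domain(**STRONG))
```

The pct tag matters as much as p: a record with p=reject and pct=10 applies the reject policy to one message in ten, which is why the grader only reports enforcing when the policy covers all mail.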
Setting 6: Configure Anti-Phishing Policies
Microsoft Defender for Office 365 includes anti-phishing policies that detect impersonation attempts. The default policy catches obvious phishing. Custom policies tuned for credit unions catch the sophisticated attacks: emails that impersonate your CEO, your regulator, or your CUSO partners.
What to verify: In the Microsoft 365 Defender portal, go to Policies > Anti-phishing. Confirm that user impersonation protection is enabled for executives, board members, and key vendors. Enable mailbox intelligence, which learns each user's communication patterns and flags anomalies. Set the action to quarantine, not just "move to junk."
Setting 7: Enable Safe Attachments
Safe Attachments opens every email attachment in a sandbox before delivering it. Malicious files are caught before they reach the user. This is a Defender for Office 365 feature, available in Business Premium and E5 licensing.
What to verify: In the Defender portal, check Policies > Safe Attachments. The policy should apply to all recipients with the action set to "Block." Enable Safe Attachments for SharePoint, OneDrive, and Teams as well, since malicious files can enter through file-sharing, not just email.
Setting 8: Enable Safe Links
Safe Links rewrites URLs in emails and Office documents, checking them at time of click rather than just at delivery. An email that passes inspection at 8 AM can contain a URL that becomes malicious by 10 AM when a user clicks it. Safe Links catches that.
What to verify: In the Defender portal, check Policies > Safe Links. The policy should apply to all users. Enable "Do not allow users to click through to original URL" so users cannot bypass the protection. Apply Safe Links to messages within the organization (internal emails), not just external messages.
Top 5 Most-Missed M365 Security Settings in Credit Unions
- DMARC set to p=none instead of p=reject — Monitors spoofing but does not block it, leaving member-facing domains exposed to impersonation
- Legacy authentication still enabled — Allows password-only sign-ins that bypass MFA entirely, often through POP3, IMAP, or SMTP relay
- No Conditional Access policy for unmanaged devices — Staff accessing member data from personal laptops without compliance checks
- Safe Attachments not extended to SharePoint/OneDrive/Teams — Email attachments are scanned, but files uploaded directly to Teams channels are not
- Audit log retention at default 90 days — NCUA incident investigations often look back 6-12 months; 90 days of logs means evidence gaps
Data Loss Prevention (Settings 9-11)
Credit unions handle Social Security numbers, account numbers, routing numbers, and loan application data every day. Microsoft 365 includes built-in tools to prevent that data from leaving your tenant through email, file sharing, or Teams messages.
Setting 9: Deploy DLP Policies for Member Data
Data Loss Prevention policies scan outbound emails, OneDrive files, SharePoint documents, and Teams messages for sensitive information patterns. Microsoft includes pre-built templates for U.S. financial data, including SSN, bank account, and credit card number detection.
What to verify: In the Microsoft Purview compliance portal, go to Data loss prevention > Policies. Confirm that at least one policy covers Exchange, SharePoint, OneDrive, and Teams. The policy should detect SSNs, account numbers, and routing numbers at minimum. Set the action to block external sharing and notify the compliance team.
Setting 10: Apply Sensitivity Labels
Sensitivity labels classify documents and emails by their confidentiality level. A document labeled "Member Confidential" can be encrypted so only internal staff can open it, even if it's accidentally shared externally. Labels can also enforce watermarks, prevent copy/paste, and restrict printing.
What to verify: In the Purview compliance portal, check Information protection > Labels. You should have at minimum three labels: Public, Internal, and Confidential. The Confidential label should apply encryption. Test it: create a document, apply the Confidential label, then try to share it externally. The share should be blocked or require justification.
Setting 11: Enable Auto-Classification for Sensitive Content
Manual labeling depends on staff remembering to apply it. Auto-classification policies scan documents as they're created or modified and apply the appropriate label automatically based on content. A document containing 10+ SSNs gets the Confidential label without anyone remembering to click a button.
What to verify: In Purview, check Information protection > Auto-labeling. Confirm policies exist for financial data patterns (SSN, account numbers). Review the simulation results before enabling enforcement mode. Auto-labeling requires E5 or E5 Compliance add-on licensing.
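Settings 9 and 11 both rest on pattern detection: find SSNs and routing numbers in content, then act on the count. The following Python is an added example, not ABT's code and not Purview's implementation (Purview's built-in sensitive information types do this inside the tenant); it shows the logic so you can see what a match means and test for false positives. SSNs are validated against the ranges the SSA never issues, routing numbers against the ABA check-digit formula, and because one random nine-digit number in ten passes that checksum, a routing match also requires a keyword such as "ABA" or "routing" within 40 characters. The ten-SSN threshold is the article's own example; the sample document and the keyword window are constructed.

```python
"""Settings 9 and 11: detect SSNs and ABA routing numbers with validation,
then apply the auto-labeling rule "10 or more SSNs => Confidential".

SAMPLE_DOC and the keyword window are constructed for this example.
"""
import re

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")
# Words that, near a 9-digit number, make it likely to be a routing number.
ROUTING_KEYWORDS = re.compile(r"\b(aba|routing|rtn)\b", re.IGNORECASE)
KEYWORD_WINDOW = 40  # characters of context checked on either side of a match


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00, or serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    return not (a == 0 or a == 666 or a >= 900 or g == 0 or s == 0)


def valid_routing(number: str) -> bool:
    """ABA check digit: 3*(d1+d4+d7) + 7*(d2+d5+d8) + (d3+d6+d9) is a multiple of 10."""
    d = [int(c) for c in number]
    total = 3 * (d[0] + d[3] + d[6]) + 7 * (d[1] + d[4] + d[7]) + (d[2] + d[5] + d[8])
    return total % 10 == 0


def find_sensitive(text: str) -> dict:
    """Validated SSNs plus routing numbers that pass the checksum and have a nearby keyword."""
    ssns = [m.group(0) for m in SSN_RE.finditer(text) if valid_ssn(*m.groups())]
    routing = []
    for m in NINE_DIGITS_RE.finditer(text):
        context = text[max(0, m.start() - KEYWORD_WINDOW): m.end() + KEYWORD_WINDOW]
        if valid_routing(m.group(0)) and ROUTING_KEYWORDS.search(context):
            routing.append(m.group(0))
    return {"ssn": ssns, "routing": routing}


def auto_label(text: str, ssn_threshold: int = 10):
    """Setting 11's rule: ssn_threshold or more SSNs earn the Confidential label
    automatically. Below that, the findings are returned for manual labeling."""
    found = find_sensitive(text)
    label = "Confidential" if len(found["ssn"]) >= ssn_threshold else None
    return label, found


# Constructed sample: two real-format SSNs, two invalid ones, one routing
# number with context, one without, and one that fails the checksum.
SAMPLE_DOC = (
    "Loan application for member 123-45-6789 and co-applicant 234-56-7890.\n"
    "Test record 000-12-3456 and 987-65-4321 should not count.\n"
    "Order id 123456780 carries no nearby keyword and is ignored.\n"
    "Funds go to ABA routing number 123456780; invoice ref 123456789.\n"
)

if __name__ == "__main__":
    print(auto_label(SAMPLE_DOC))
    many_ssns = " ".join(f"123-45-67{i:02d}" for i in range(1, 11))
    print(auto_label(many_ssns)[0])
```

Run the same function over the simulation output Setting 11 asks you to review: if known-good documents come back with routing matches, the keyword list or window is too loose; if loan files come back with none, the hyphenless SSN form (which this example deliberately does not match) is probably in use and needs its own pattern.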
"The frequency, speed, and sophistication of cyberattacks have increased at an exponential rate. Federally insured credit unions must ensure their boards of directors understand cybersecurity risks and actively engage in oversight."
NCUA Letter 24-CU-02, Board of Director Engagement in Cybersecurity Oversight, October 2024
Device and Application Management (Settings 12-13)
A hardened M365 tenant means nothing if staff access it from compromised or unmanaged devices. Intune device management and app protection policies close this gap.
Setting 12: Enroll Devices in Intune and Enforce Compliance
Microsoft Intune manages credit union devices: laptops, tablets, and phones. Compliance policies define what a "healthy" device looks like: encrypted storage, current OS version, active antivirus, screen lock enabled. Conditional Access can then block non-compliant devices from accessing M365 data.
What to verify: In the Intune admin center, check Devices > Compliance policies. Confirm policies exist for Windows, iOS, and Android. Each policy should require encryption, minimum OS version, and active threat protection. Then check Conditional Access to confirm a policy requires device compliance for Exchange and SharePoint access.
Setting 13: Configure App Protection Policies for BYOD
Not every credit union issues company devices. App protection policies (also called MAM policies) protect data on personal devices without requiring full device enrollment. They create a managed container around Outlook, Teams, OneDrive, and other M365 apps. Data inside the container can't be copied to personal apps, and the container can be wiped remotely without touching personal photos or messages.
What to verify: In Intune, go to Apps > App protection policies. Confirm policies exist for iOS and Android. Each policy should prevent data transfer to unmanaged apps, require a PIN to open managed apps, and block screenshots of managed app content. Test it by trying to copy text from Outlook to a personal notes app on a managed device.
Monitoring and Response (Settings 14-15)
Prevention is half the equation. The other half is knowing when something goes wrong and having the tools to investigate. NCUA examiners consistently ask credit unions about their logging and incident detection capabilities.
Setting 14: Configure Unified Audit Logging and Alerts
The Microsoft 365 unified audit log records every significant action in your tenant: mailbox access, file shares, admin changes, permission modifications, and login events. By default, logs are retained for 90 days. For credit unions, that's not enough. NCUA incident investigations often look back 6 to 12 months.
What to verify: In the Purview compliance portal, go to Audit and confirm it's enabled. Check your retention policies. E5 licensing provides 1-year retention by default, with 10-year retention available. Business Premium users should configure custom retention policies to extend beyond 90 days. Set up alerts for high-risk events: new Global Admin assignments, mailbox forwarding rule creation, mass file downloads, and disabled MFA for any account.
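The four alert conditions named under Setting 14 can be expressed as rules over unified audit log records. The following Python is an added example, not ABT's or Microsoft's code: it runs those rules over records in the unified audit log's common schema (CreationTime, Operation, Workload, UserId, ObjectId, plus ModifiedProperties for Entra ID events and Parameters for Exchange admin cmdlets). The operation names used are the ones the audit log records for these events; the records themselves are constructed, including a burst of 120 downloads by one user inside five minutes to trigger the mass-download rule. The 100-files-in-10-minutes threshold is an assumption to tune for your environment.

```python
"""Setting 14: alert rules over Microsoft 365 unified audit log records.

Records follow the unified audit log schema; every record below is constructed.
Rules: new Global Admin, mailbox forwarding, mass download, MFA disabled.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FORWARD_RULE_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FORWARD_MAILBOX_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress"}


def _params(rec: dict) -> dict:
    return {p["Name"]: p.get("Value") for p in rec.get("Parameters", [])}


def _ts(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["CreationTime"])


def rule_new_global_admin(rec: dict) -> bool:
    """Entra ID 'Add member to role.' where the role is Global Administrator."""
    if rec.get("Operation") != "Add member to role.":
        return False
    return any(p.get("Name") == "Role.DisplayName"
               and "Global Administrator" in str(p.get("NewValue", ""))
               for p in rec.get("ModifiedProperties", []))


def rule_mail_forwarding(rec: dict) -> bool:
    """Inbox rules or mailbox settings that forward or redirect mail."""
    op = rec.get("Operation")
    names = set(_params(rec))
    if op in ("New-InboxRule", "Set-InboxRule"):
        return bool(names & FORWARD_RULE_PARAMS)
    if op == "Set-Mailbox":
        return bool(names & FORWARD_MAILBOX_PARAMS)
    return False


def rule_mfa_disabled(rec: dict) -> bool:
    return rec.get("Operation") == "Disable Strong Authentication."


def mass_downloads(records: list, threshold: int = 100,
                   window: timedelta = timedelta(minutes=10)) -> list:
    """Users with at least `threshold` FileDownloaded events in any sliding window."""
    per_user = defaultdict(list)
    for r in records:
        if r.get("Operation") == "FileDownloaded":
            per_user[r["UserId"]].append(_ts(r))
    flagged = []
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def evaluate_alerts(records: list, threshold: int = 100) -> list:
    alerts = []
    for r in records:
        for name, rule in (("new_global_admin", rule_new_global_admin),
                           ("mail_forwarding", rule_mail_forwarding),
                           ("mfa_disabled", rule_mfa_disabled)):
            if rule(r):
                alerts.append({"rule": name, "actor": r.get("UserId"),
                               "target": r.get("ObjectId"), "time": r["CreationTime"]})
    for user in mass_downloads(records, threshold):
        alerts.append({"rule": "mass_download", "actor": user, "target": None, "time": None})
    return alerts


# Constructed sample log for one morning. Domains ending in .test/.invalid are placeholders.
_BASE = datetime(2025, 6, 1, 9, 0, 0)
SAMPLE_RECORDS = [
    {"CreationTime": "2025-06-01T09:05:00", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to role.", "UserId": "itadmin@example-cu.test",
     "ObjectId": "jsmith@example-cu.test",
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\""}]},
    {"CreationTime": "2025-06-01T09:07:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "teller1@example-cu.test", "ObjectId": "teller1@example-cu.test\\Forward all",
     "Parameters": [{"Name": "Name", "Value": "Forward all"},
                    {"Name": "ForwardTo", "Value": "outside@example.invalid"}]},
    {"CreationTime": "2025-06-01T09:08:00", "Workload": "Exchange", "Operation": "New-InboxRule",
     "UserId": "teller2@example-cu.test", "ObjectId": "teller2@example-cu.test\\Newsletters",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},   # benign rule
    {"CreationTime": "2025-06-01T09:10:00", "Workload": "AzureActiveDirectory",
     "Operation": "Disable Strong Authentication.", "UserId": "itadmin@example-cu.test",
     "ObjectId": "jsmith@example-cu.test"},
] + [
    {"CreationTime": (_BASE + timedelta(seconds=2 * i)).isoformat(), "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "loanofficer@example-cu.test",
     "ObjectId": f"https://examplecu.sharepoint.invalid/loans/file{i}.pdf"}
    for i in range(120)                      # 120 files in four minutes
] + [
    {"CreationTime": (_BASE + timedelta(minutes=5 * i)).isoformat(), "Workload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "teller2@example-cu.test",
     "ObjectId": f"https://examplecu.sharepoint.invalid/shared/doc{i}.docx"}
    for i in range(5)                        # normal activity
]

if __name__ == "__main__":
    for alert in evaluate_alerts(SAMPLE_RECORDS):
        print(alert)
```

The sliding window is what keeps the download rule honest: a counter reset on the hour would miss 60 files at 9:58 followed by 60 more at 10:01, while the window above counts them together. Note that these rules only fire if the events exist to be read, which is the retention point Setting 14 makes.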
Setting 15: Enable Microsoft Defender and Automated Investigation
Microsoft Defender for Office 365 (Plan 2, included in E5) provides automated investigation and response. When a phishing email gets past filters and a user reports it, Defender can automatically investigate all recipients, quarantine related messages, and reset compromised credentials without waiting for your IT team to do it manually.
What to verify: In the Defender portal, confirm that Automated Investigation and Response (AIR) is enabled. Check the investigation history to see if investigations are running or if the feature is sitting idle. Configure alert policies for Defender to notify your security team of completed investigations and recommended actions. If you're on Business Premium (Defender Plan 1), you won't have AIR, but you should still configure manual incident response procedures.
Turning This Checklist Into an Ongoing Process
Running through 15 settings once is a start. Keeping them verified continuously is what separates credit unions that pass exams from credit unions that scramble before them.
Microsoft 365 configurations drift. An admin creates an exception for a vendor integration and forgets to remove it. A new hire gets added to a group that bypasses Conditional Access. A Defender policy gets disabled during troubleshooting and never re-enabled. Each of these is a compliance gap waiting for an examiner to find it.
Three practices turn a one-time checklist into an ongoing security program:
Monthly configuration reviews. Schedule a recurring task to walk through these 15 settings. Microsoft Secure Score can automate part of this: set a target score and track drift over time. But Secure Score doesn't cover everything on this list (DMARC enforcement, PIM activation, and audit log retention require manual verification).
Change management documentation. Every time a Conditional Access policy is modified, a DLP rule is updated, or an admin role is assigned, document who made the change, why, and when it will be reviewed. NCUA examiners look for evidence that changes are intentional and tracked, not reactive and undocumented.
Continuous monitoring through a managed service partner. Credit unions with internal IT teams of 2-5 people can run this checklist quarterly. But continuous monitoring requires tooling and staffing that most credit unions can't maintain in-house. ABT's Guardian platform provides exactly this: continuous verification of M365 security configurations against credit-union-specific baselines, with drift alerts and remediation before examiners find the gap. Guardian monitors the settings on this checklist (and dozens more) across 750+ financial institutions, so the baselines reflect what actually passes examination, not just what Microsoft recommends.
Frequently Asked Questions
Do these settings require E5 licensing, or does Business Premium cover them?
Microsoft 365 Business Premium covers settings 1 through 13 and basic audit logging. Settings 14 and 15 in their full form require E5 licensing or the E5 Security add-on for extended audit retention, automated investigation, and advanced Defender capabilities. Most credit unions under $500 million in assets operate effectively on Business Premium with targeted E5 add-ons for compliance staff.
How often should a credit union review these settings?
Monthly reviews of core settings such as Conditional Access policies and MFA enrollment are the minimum. Quarterly deep reviews should cover all 15 settings with documented results. Continuous monitoring through tooling or a managed service partner catches configuration drift between manual reviews and is what NCUA examiners increasingly expect to see.
Does Microsoft Secure Score cover everything on this checklist?
No. Secure Score covers roughly 60-70% of these items. It tracks MFA enrollment, Conditional Access policies, Safe Attachments, and Safe Links effectively. However, it does not evaluate DMARC enforcement level, PIM activation versus permanent assignments, audit log retention periods, sensitivity label effectiveness, or whether DLP policies match your specific regulatory obligations. Credit unions need manual verification for those gaps.
What do NCUA examiners actually look at in Microsoft 365?
NCUA examiners follow FFIEC IT examination procedures, which focus on access controls, authentication mechanisms, data protection, logging, and incident response. For M365, they typically review Conditional Access policies, MFA coverage, admin role assignments, email authentication records, DLP policy configurations, audit log retention, and documented evidence that configurations are reviewed and updated regularly.
Can an internal IT team handle this without a partner?
Yes, if the team has Microsoft 365 security expertise and time for ongoing verification. The initial configuration of all 15 settings is a project most competent IT teams can complete. The challenge is sustained monitoring and keeping configurations aligned as Microsoft releases updates, staff changes occur, and regulatory expectations evolve. Many credit unions use a co-managed model where internal IT handles day-to-day operations and a specialized partner handles security configuration, monitoring, and compliance alignment.
How does this checklist map to the FFIEC Cybersecurity Assessment Tool (CAT)?
The FFIEC Cybersecurity Assessment Tool (CAT) assesses a credit union's cybersecurity maturity across five domains. This M365 checklist maps most directly to Domain 3 (Cybersecurity Controls) covering access management, data protection, and threat detection. Settings 1-4 address access and authentication. Settings 5-8 map to email and communications security. Settings 9-11 cover data protection. Settings 14-15 align with detection and incident response. Completing this checklist supports an "Evolving" or "Intermediate" maturity rating in those CAT domains.