# M365 Project Risk Register > *"Most M365 projects fail not because Teams does not work, but because governance was an afterthought and the tenant became an ungovernable monoculture."* This risk register applies the antifragile risk methodology specifically to Microsoft 365 projects—greenfield deployments, tenant modernisations, migrations, and consolidations. It is designed for M365/Azure consultancies to identify, classify, and mitigate project-specific risks before they become tenant-wide liabilities. --- ## M365-Specific Risk Taxonomy ### Category 1: Identity and Access Risks | Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner | |---------|-----------|-------------|----------|-----------|-----------------|-------| | M365-001 | Excessive Global Admins | More than 3-5 Global Admins with standing access | T0 | Compromise any admin → full tenant control → data exfiltration / deletion | Reduce to minimum; deploy PIM; use delegated roles | Identity Team | | M365-002 | No MFA on Admin Accounts | Admin accounts lack multi-factor authentication | T0 | Phish password → direct tenant access → no second factor to stop | Enforce MFA for all admins; hardware tokens for break-glass | Security | | M365-003 | Legacy Authentication Enabled | Legacy auth protocols allow MFA bypass | T1 | Password spray via IMAP/POP3/SMTP → account access without MFA | Block legacy auth tenant-wide; monitor for attempts | Security | | M365-004 | Stale Guest Accounts | Former partners/vendors retain guest access indefinitely | T1 | Stale guest → credential compromise → Teams/SharePoint access | Quarterly guest access review; time-bounded invitations | Collaboration Team | | M365-005 | Unmanaged OAuth Consents | Users granted permissions to unauthorized applications | T1 | Malicious app → mailbox access / data exfiltration / phishing | Disable user consent; admin consent workflow; quarterly audit | Security | | M365-006 | Shared Mailboxes with Login | Shared mailboxes configured with user passwords and sign-in enabled | T2 | Shared credential compromise → email access → BEC / data theft | Disable sign-in on shared mailboxes; convert to proper delegation | Exchange Team | | M365-007 | No Conditional Access (E5/P1) | Missing location, device, or risk-based access controls | T1 | Compromised credentials usable from any device, any location | Deploy conditional access: MFA, device compliance, location, risk | Identity Team | | M365-008 | Hybrid Identity Stuck | AAD Connect configured with no plan to migrate to cloud-native | T1 | AAD Connect compromise → cloud identity manipulation → tenant takeover | Document cloud-native migration path; secure AAD Connect server | Identity Team | ### Category 2: Data Governance Risks | Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner | |---------|-----------|-------------|----------|-----------|-----------------|-------| | M365-009 | No Data Classification | Documents and emails stored without sensitivity labels | T1 | Proprietary/confidential data mixed with public data → uncontrolled sharing → leakage | Deploy sensitivity labels (Purview) or manual classification guidance | Compliance | | M365-010 | Open External Sharing | SharePoint/OneDrive default allows anyone-links or external sharing | T1 | Accidental or malicious public link → data exposure → regulatory fine / reputational damage | Default sharing: internal only; anyone-links disabled; per-site justification | SharePoint Team | | M365-011 | No Retention Policy | No defined retention for email, Teams, or files; data accumulates indefinitely | T2 | Excessive data → discovery cost → compliance failure → inability to respond to legal hold | Deploy retention policies for all workloads; legal hold procedures | Compliance | | M365-012 | Teams Channel Sprawl | Uncontrolled team creation; stale teams with sensitive data | T2 | Stale team with external access → forgotten but accessible → data leakage | Governed team creation; expiration policies; access reviews | Collaboration Team | | M365-013 | OneDrive as Shadow IT | Users store business-critical data in personal OneDrive without backup | T1 | User departure / account deletion → data loss; no organizational recovery | Migrate business data to SharePoint; backup strategy; user education | SharePoint Team | | M365-014 | Copilot Without Governance | Microsoft 365 Copilot deployed without data governance baseline | T0 | Copilot surfaces sensitive data to unauthorized users → internal data breach | Deploy sensitivity labels BEFORE Copilot; conditional access; user training | Security / Compliance | | M365-015 | eDiscovery Unprepared | No eDiscovery processes, legal hold capability, or retention for litigation | T2 | Litigation → inability to produce documents → adverse inference / sanctions | eDiscovery training; retention hold procedures; Purview eDiscovery licensing | Legal / Compliance | ### Category 3: Security and Threat Risks | Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner | |---------|-----------|-------------|----------|-----------|-----------------|-------| | M365-016 | Business Email Compromise (BEC) | Executive mailbox compromised; fraudulent payment instructions sent | T1 | Phish executive → mailbox control → invoice fraud / wire transfer | Impersonation protection; mailbox auditing; MFA; financial process verification | Security | | M365-017 | EOP Misconfiguration | Basic Exchange Online Protection not tuned for client's threat profile | T1 | Phishing email reaches inbox → user compromise → lateral movement | Tune anti-phishing, anti-malware, anti-spam; impersonation protection | Security | | M365-018 | No Audit Logging | Unified Audit Log disabled or unmonitored | T1 | Incident occurs → no forensic evidence → cannot determine scope or contain | Enable UAL immediately; forward to SIEM; 90-day minimum retention | Security | | M365-019 | Device Unmanaged | Corporate devices accessing M365 without MDM or compliance policy | T1 | Compromised personal device → M365 access → data exfiltration | Intune enrollment; conditional access requiring compliance | Endpoint Team | | M365-020 | No Backup Beyond Native | Reliance on recycle bin and soft delete as "backup" | T1 | Ransomware / malicious admin / sync error → data loss → no recovery | Third-party immutable backup; quarterly recovery testing | Backup Team | ### Category 4: AI and Emerging Technology Risks | Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner | |---------|-----------|-------------|----------|-----------|-----------------|-------| | M365-021 | Shadow AI via M365 Apps | Employees paste proprietary data into Copilot, Bing, or third-party AI through browser | T0 | Proprietary data → public AI model → competitive intelligence loss | Deploy Azure OpenAI bridge; DLP policies blocking AI uploads; user education | Security | | M365-022 | Copilot Data Overexposure | Copilot synthesizes and surfaces data the user should not have access to | T1 | Overpermissioned user → Copilot reveals sensitive synthesis → internal breach | Zero-trust permissions review; sensitivity labels; just-in-time access | Security | | M365-023 | AI-Generated Misinformation | Users make business decisions based on unverified AI-generated content | T2 | AI hallucination → bad decision → financial loss / compliance failure | Human-in-the-loop for critical decisions; source attribution requirements; user training | Compliance | | M365-024 | No AI Governance Policy | Organization has no policy for approved AI tools, data handling, or vendor evaluation | T1 | Uncontrolled AI adoption → data leakage → regulatory / legal exposure | AI governance framework; approved tool list; data classification for AI inputs | Security / Legal | ### Category 5: Project and Organizational Risks | Risk ID | Risk Name | Description | T0/T1/T2 | Kill Chain | Antifragile Move | Owner | |---------|-----------|-------------|----------|-----------|-----------------|-------| | M365-025 | Tenant as Monoculture | All data, identity, and collaboration in one tenant with no exit architecture | T0 | Tenant compromise / lockout / vendor change → total organizational paralysis | Domain ownership by client; data portability architecture; documented tenant exit | Architecture | | M365-026 | Scope Creep Without Governance | Workloads deployed incrementally without security review | T2 | New app/service → unmapped risk → incident | Governance gate before new workload; security review checklist | Project Manager | | M365-027 | Insufficient Admin Training | Client team lacks skills to operate and secure the tenant post-handover | T2 | Misconfiguration → vulnerability → incident | Structured training program; runbook documentation; knowledge transfer sessions | Training | | M365-028 | Power Platform Shadow IT | Citizen developers create apps and flows with ungoverned data access | T1 | Unmanaged flow → external data sharing / credential exposure → breach | DLP policies; environment governance; citizen developer training | Power Platform Team | | M365-029 | Migration Data Loss | Legacy data lost or corrupted during migration to M365 | T1 | Corrupted migration → missing records → compliance / operational failure | Pre-migration backup; validation sampling; rollback plan | Migration Team | | M365-030 | Vendor Lock-in via Add-ons | Heavy reliance on third-party M365 add-ins that create dependency | T2 | Add-on vendor discontinues / changes terms → workflow collapse | Evaluate add-ons for portability; maintain native fallback; contractual exit clauses | Procurement | --- ## Risk Scoring for M365 Projects ### Probability Scale | Score | Definition | M365 Example | |-------|-----------|--------------| | 1 | Rare (< 1% annually) | Total Azure region failure | | 2 | Unlikely (1-10%) | Major zero-day in Exchange Online | | 3 | Possible (10-50%) | Successful phishing campaign against users | | 4 | Likely (50-90%) | Stale guest account remains accessible | | 5 | Almost certain (> 90%) | Shadow AI usage if no sanctioned alternative | ### Impact Scale | Score | Definition | M365 Example | |-------|-----------|--------------| | 1 | Negligible | Minor inconvenience; no data loss | | 2 | Minor | Single user/service affected; recoverable in hours | | 3 | Moderate | Departmental impact; recoverable in days; potential compliance notice | | 4 | Major | Organizational impact; recoverable in weeks; regulatory fine likely | | 5 | Catastrophic | Existential threat; business termination possible; criminal liability | ### M365-Specific Convexity Assessment | Convexity | Definition | M365 Example | |-----------|-----------|--------------| | **Extreme** | €0 control prevents €500K+ loss | Enabling MFA (free in E3) prevents total tenant compromise | | **High** | Small labor investment prevents major incident | Quarterly guest access review prevents data breach via stale account | | **Moderate** | Moderate investment prevents significant loss | Third-party backup prevents data loss from ransomware | | **Low** | Investment comparable to potential loss | Advanced threat protection add-on vs. basic EOP | --- ## Project Phase Risk Gates ### Greenfield Deployment Gates | Phase | Gate | Risk Closure Requirement | |-------|------|-------------------------| | **Architecture** | Go/No-Go before provisioning | M365-025 (tenant monoculture) assessed and mitigated; M365-030 (add-on lock-in) evaluated | | **Foundation** | Go/No-Go before user onboarding | M365-001 (excessive admins), M365-002 (no MFA), M365-018 (no audit) closed | | **Workload Rollout** | Go/No-Go per workload | M365-009 (no classification), M365-010 (open sharing), M365-028 (Power Platform) addressed | | **Go-Live** | Go/No-Go before production | M365-016 (BEC), M365-017 (EOP), M365-020 (no backup) mitigated; M365-027 (training) completed | | **30-Day Post** | Review | M365-021 (shadow AI) inventoried; M365-024 (AI governance) drafted | ### Modernisation Gates | Phase | Gate | Risk Closure Requirement | |-------|------|-------------------------| | **Audit** | Complete before changes | All 30 risks assessed; T0 and T1 risks prioritized | | **Kill Chain Closure** | Day 30 checkpoint | All T0 risks closed or accepted with board sign-off | | **Governance Deployment** | Day 60 checkpoint | All T1 identity and data risks closed | | **Sovereignty** | Day 90 checkpoint | M365-021 (shadow AI) mitigated via sanctioned alternative; M365-020 (backup) tested | | **Antifragility** | Day 180 checkpoint | Automated monitoring for M365-003, M365-005, M365-010; quarterly review cadence established | --- ## The M365 Risk Dashboard (For Steering Committee) ``` M365 PROJECT RISK DASHBOARD — [Client] — [Date] T0 RISKS (Existential) ├─ Open: [X] ├─ In Progress: [X] └─ Closed: [X] ├─ [Risk ID] [Name] — Owner: [Name] — Target: [Date] └─ [Risk ID] [Name] — Owner: [Name] — Target: [Date] T1 RISKS (Major) ├─ Open: [X] ├─ In Progress: [X] └─ Closed: [X] ├─ [Risk ID] [Name] — Owner: [Name] — Target: [Date] └─ [Risk ID] [Name] — Owner: [Name] — Target: [Date] IDENTITY & ACCESS [████░░░░░░] [X]% mitigated DATA GOVERNANCE [██████░░░░] [X]% mitigated SECURITY & THREATS [█████░░░░░] [X]% mitigated AI & EMERGING TECH [███░░░░░░░] [X]% mitigated PROJECT & ORGANIZATIONAL [███████░░░] [X]% mitigated TOP 3 RISKS REQUIRING ESCALATION 1. [Risk ID] — [Reason for escalation] 2. [Risk ID] — [Reason for escalation] 3. [Risk ID] — [Reason for escalation] RECOMMENDATION: [Proceed / Pause / Escalate] ``` --- ## Integration With Project Deliverables | Deliverable | Risk Register Integration | |------------|--------------------------| | **Project charter** | Include T0 risk identification as success criterion | | **Architecture document** | Map each design decision to risk mitigation | | **Configuration baselines** | Reference risk IDs in change justification | | **Test plan** | Include recovery drills for M365-020; penetration testing for M365-016 | | **Training plan** | Address M365-027; include AI governance for M365-024 | | **Handover document** | Transfer risk ownership to client team with review cadence | --- *For the general antifragile risk register methodology, see [Antifragile Risk Register](antifragile-risk-register.md).* *For the M365 antifragile project playbook, see [M365 Antifragile Project](../playbooks/m365-antifragile-project.md).*