What Should a Microsoft 365 Tabletop Exercise Test? (2-7-3)

What Should a Microsoft 365 Tabletop Exercise Test? (2-7-3)

Learn what to test in a microsoft 365 tabletop exercise, including data handling decisions, incident actions, owners, and evidence.

LakeRidge Team
July 17, 2026
9 min read

Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

CMMC Phase 2 begins November 10, 2026.

A Microsoft 365 tabletop exercise should test whether your business can identify sensitive data, make safe handling decisions, contain inappropriate access, preserve evidence, and communicate clearly when a data-related incident occurs. For what to test in a microsoft 365 tabletop exercise, focus on the real decisions your people must make in Exchange Online, SharePoint, OneDrive, Teams, and Microsoft Entra ID—not on whether they can recite policies. This supports Essential Cybersecurity Controls (ECC – 2 : 2024), Practice 2-7-3, which requires data and information protection requirements to include applicable requirements from the NCA Data Cybersecurity Controls.

What are the exercise objectives for ECC 2-7-3?

For an SMB owner without a security team, the exercise objective is simple: prove that the people who run the business can recognize when Microsoft 365 data needs protection and can make defensible decisions quickly. You are not testing technical perfection. You are testing whether your business has a workable process when an employee, supplier, customer, or former staff member may have access to information they should not have.

  • Identify the data: Can participants determine whether the affected files, emails, or Teams messages contain personal data, contracts, financial information, service records, internal reports, or other protected business information?
  • Identify the location and access path: Can they establish whether the information is in SharePoint, OneDrive, Teams, Exchange Online, a shared mailbox, or a synced local device?
  • Make a containment decision: Can an authorised person remove an external sharing link, revoke a user session, reset credentials, remove a guest account, or restrict access without unnecessarily destroying evidence?
  • Apply data-handling requirements: Can the business decide what must be retained, restricted, reported, deleted, or preserved according to its documented data requirements and applicable NCA Data Cybersecurity Controls?
  • Escalate and communicate: Do staff know who owns the incident, who contacts management, who speaks to an affected customer or partner, and when external advice is needed?
  • Capture evidence: Can the team save audit details, screenshots, file links, timestamps, names, and decisions so that the event can be reviewed later?

A useful success measure is not “the incident was solved in 10 minutes.” It is “the team identified the data, contained the most urgent exposure, assigned accountable owners, and documented decisions without guessing.”

What should the scenario narrative include?

Use a scenario that reflects work your staff actually perform. The following example is designed for a fictional semi-government service operator, but the same Microsoft 365 decisions apply to a small consultancy, retailer, clinic, or professional-services firm.

Al Wadi Community Services Company has 78 employees and manages local service requests for a regional development authority. Its staff use Microsoft 365 Business Premium, with Microsoft Entra ID for identity management, Exchange Online for email, Teams for collaboration, and SharePoint Online for departmental document libraries. A small outsourced IT provider administers the tenant, while the finance manager acts as the internal Microsoft 365 owner. The company receives resident service requests through a web portal and exports weekly request data into a SharePoint library called Operations-Casework. The files contain names, mobile numbers, addresses, request descriptions, contractor assignment details, and occasionally identity-document attachments.

On a Tuesday morning, the operations manager receives an email from a contractor stating that they can access a spreadsheet that appears to contain service requests outside their assigned district. The contractor provides a screenshot showing a SharePoint file named June_Service_Request_Register.xlsx. The screenshot includes customer names, telephone numbers, street addresses, complaint details, and internal notes about priority cases. The contractor says the file opened from a link in an old Teams chat.

The finance manager is away, and the IT provider’s help desk says it needs approval before making changes. The operations manager asks an administrator in the IT provider to “just remove the file immediately.” At the same time, a customer calls the contact centre saying they received a message from someone claiming to know details of their service request. No one can yet confirm whether the caller’s information came from the spreadsheet, a mailbox, a Teams chat, or another system.

Participants are told that the spreadsheet was stored in the Operations SharePoint site and was shared using an “Anyone with the link” setting six weeks earlier so a temporary contractor could update completion dates. The contractor’s access may have been forwarded through Teams. Microsoft Purview Audit is available, but the organisation has never practised finding sharing events or determining which user created the link. The immediate challenge is to protect affected information while keeping essential field operations running.

For this scenario, participants should decide who leads the response, what data is affected, whether external sharing must be disabled, whether the SharePoint site needs restricted access, what records must be preserved, and what management or legal/privacy escalation is required. The exercise should also expose whether the organisation knows its own approved rules for sharing, retention, classification, supplier access, and use of personal information.

Which injects should you introduce at 15, 30, and 45 minutes?

Time Facilitator inject Decision being tested Microsoft 365 evidence to request
15 minutes The IT provider confirms that the spreadsheet has an active anonymous sharing link. It cannot yet confirm how many times it was used. Will the team remove the link, restrict the file, or take the entire SharePoint site offline? Who has authority to approve the action? SharePoint file details, Manage Access screen, sharing-link settings, file owner, and site membership.
30 minutes Audit results show that a former temporary employee created the sharing link, and the link was accessed from three unfamiliar IP addresses after their departure. Will the team treat this as possible account misuse, review offboarding, preserve logs, and assess other files the user accessed? Microsoft Purview Audit search results, Entra sign-in logs, user account status, group membership, and recent file activity.
45 minutes A director asks whether the company must notify the development authority today. A supervisor wants to email the full spreadsheet to the IT provider for investigation. Can the team apply secure communications, minimise further disclosure, and escalate notification decisions through the right owner? Incident record, approved contact list, secure file-sharing method, data classification or handling procedure, and decision log.

Do not give participants the answer immediately. Ask them to state the action, the owner, the evidence needed, and the risk if they delay. If they say “IT will handle it,” ask which named person has the authority to instruct IT and who verifies that the action occurred.

How do you facilitate what to test in a microsoft 365 tabletop exercise?

Set aside 60 to 90 minutes and invite the owner or general manager, the Microsoft 365 administrator or IT provider, the person responsible for operations, finance or HR if they own sensitive records, and a person who handles customer or supplier communications. One person should facilitate; they should not solve the scenario for the group.

Ask these facilitation questions

  1. What information is exposed, and what makes it sensitive or business-critical?
  2. Where is the authoritative copy, and are there duplicates in OneDrive, Teams chats, email attachments, or synced devices?
  3. Who can immediately remove anonymous links or external guests in SharePoint Online?
  4. Would deleting the file remove useful evidence? What should be preserved before changes are made?
  5. Can the organisation search Microsoft Purview Audit, and who has permission to do so?
  6. Should the affected user account, supplier account, or guest account be disabled, and who approves that action?
  7. What data-sharing requirement was breached or unclear: external sharing, least-privilege access, retention, classification, supplier access, or secure transfer?
  8. Who decides whether the incident requires notification to management, a regulator, an authority, customers, or contractual partners?
  9. How will the team avoid creating a second exposure by emailing unprotected evidence to suppliers or managers?
  10. What single control improvement would have prevented or reduced this incident?

For a smaller business, document the expected response in a short runbook rather than a complex incident-response manual. A practical entry might be:

Incident: Suspected Microsoft 365 data exposure
Incident lead: General Manager
Technical containment: Outsourced IT Provider
Data owner: Operations Manager
Initial actions:
1. Preserve file URL, screenshot, reporter details, and time discovered.
2. Remove anonymous sharing link and review file permissions.
3. Disable or revoke access only with authorised approval.
4. Search Purview Audit and Entra sign-in logs.
5. Record affected data categories, recipients, decisions, and next actions.
6. Escalate notification and legal/privacy decisions to management.

The test is valuable when it reveals gaps. For example, if no one knows whether anonymous sharing is enabled tenant-wide, record that as an action to review SharePoint and OneDrive sharing settings. If the IT provider cannot act without an unclear approval path, define emergency authority. If the organisation cannot state its data-handling rules, update them so they incorporate the applicable requirements under ECC 2-7-3.

What should the hot-wash debrief capture?

Hold the hot-wash immediately after the scenario while details are fresh. Keep it blameless: the purpose is to improve the process, not to judge the person who made the original sharing mistake.

Debrief item Record during hot-wash
What worked Example: Operations manager identified the data owner and contacted the IT provider within 10 minutes.
What failed or delayed action Example: No documented authority existed for disabling external SharePoint sharing during an incident.
Evidence gap Example: Purview Audit search permissions were held only by the outsourced provider.
Data-handling gap Example: Staff did not know whether contractor access should use guest accounts, expiry dates, or anonymous links.
Corrective action Example: Disable anonymous sharing for the Operations site; owner: IT provider; due date: 30 days.
Exercise evidence Attendance list, scenario version, decisions made, action register, and management approval of follow-up actions.

Review your action register within 30 days and run a shorter follow-up exercise after the highest-risk Microsoft 365 sharing and access gaps have been corrected.

Next step: Schedule a 60-minute exercise with your Microsoft 365 administrator this month and use the scenario to create a named, dated action list for ECC 2-7-3.

 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

 CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
 NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
 HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
 ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
 FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
 ECC Compliance App

ECC Compliance

Become compliant, provide compliance services, or verify partner compliance with Essential Cybersecurity Controls (ECC – 2 : 2024) requirements.