Runbook - Tenant Care M365
Runbook stub • Effective 26 Sep 2025 • Version v1.0
Scope
Operate Microsoft 365 tenant hygiene: Conditional Access/MFA, DLP and labels, external sharing governance, OAuth and inbox-rule hygiene, posture monitoring.
In scope Operations, monitoring, reporting to SLAs/SLOs, continuous improvement (SIP).
Out of scope One-off projects/uplifts (CPS), custom application development, non-standard integrations unless agreed.
Dependencies
- Named Agency sponsor and SPOC; vendor contacts and maintenance windows
- Access: least-privilege operational accounts; logging destinations agreed
- Licences/tenants/tools provided by Agency (where applicable)
Standard Operating Procedures (SOPs)
Daily
- Review overnight alerts and ticket queues
- Check critical service health dashboards
- Triage new incidents and changes
Weekly
- Review open incidents and problems
- Patch ring planning and exceptions (if applicable)
- Update Decision Log and RAID as needed
Monthly
- Service review pack: SLA/SLO, incidents/changes, risks/issues
- Restore or failover test (if applicable)
- SIP actions updated with owners/dates
Quarterly
- Trend analysis and control effectiveness review
- Tabletop or restore drill (if applicable)
- Access review and break-glass validation
SLAs and SLOs
| Measure | Target |
|---|---|
| Incident response (business hours) | Ack within 30 minutes; priority-based resolution targets |
| Change records | 100 percent with rehearsal and rollback for high-risk changes |
| Reporting | Monthly service review delivered within 5 business days of month end |
| CA and MFA hygiene review | Weekly drift review and correction |
| DLP and policy upkeep | Policy updates applied within agreed window |
KPIs and Signals
| KPI | Definition |
|---|---|
| Ticket SLA compliance | Percent of incidents and requests meeting SLA |
| Backlog health | Aged tickets over threshold |
| SIP closure rate | Percent of improvement actions closed by due date |
| OAuth and inbox-rule anomalies | Count and mean time to remediate |
| External sharing hygiene | Sites with over-permissive links reduced over time |
Escalation
| Functional SPOC | Service Lead (email/phone as per contact matrix) |
|---|---|
| Duty escalation | Service Manager → Account Lead → Executive Sponsor |
| Vendor escalation | As per vendor matrix; include ticket ref and evidence |
| Incident bridge | Spin up within 15 minutes for SEV1/SEV2; roles per playbook |
Evidence and Records
- Monthly service review pack (SLA/SLO, incidents/changes, restore evidence, risks/issues, SIP)
- Change records with rehearsal and rollback plan
- PIRs and Problem records; Decision Log and RAID entries
- Backups: immutability checks and restore results with achieved RTO/RPO (if applicable)