Active incidents
Confirm incident ID, affected workload, start time, user scenarios, Microsoft’s current status, workaround, estimated recovery, and whether the tenant is actually experiencing impact.
Turn Microsoft service incidents, advisories, planned changes, retirements, and action deadlines into owned operational work—with clear impact analysis, communication, evidence, and closure.
Service Health answers “what is affecting the tenant now?” Message center answers “what will Microsoft change, and what must the organization prepare for?” Treating both feeds as an accountable queue improves outage triage, help-desk readiness, change control, executive visibility, and defensible evidence.
Important: Service Health is not a complete monitoring platform. A tenant may still have identity, network, endpoint, configuration, third-party, or localized user issues even when Microsoft reports a service as healthy.
The review is useful only when it answers business and technical questions—not merely whether someone opened the portal.
Confirm incident ID, affected workload, start time, user scenarios, Microsoft’s current status, workaround, estimated recovery, and whether the tenant is actually experiencing impact.
Track degradation that may be partial, intermittent, regional, or limited to features such as authentication, mail flow, Teams meetings, SharePoint access, or device enrollment.
Filter Message center posts by service, impact, relevance, and “act by” date. Identify feature rollouts, retirements, defaults, administrative actions, and training needs.
Translate service language into affected users, locations, regulated processes, customer commitments, executive concerns, help-desk demand, and revenue or productivity consequences.
Assign service, security, compliance, communications, and business owners. Record who watches after hours, who can authorize changes, and when Microsoft support should be engaged.
Retain source message IDs, timestamps, tickets, decisions, test results, communications, change records, completion notes, residual risks, and post-incident lessons.
Use the table as a minimum record for a ticket, incident channel, change record, or service review. The local process should define severity thresholds and response targets.
| Area | Questions to answer | Action | Evidence to retain |
|---|---|---|---|
| Service Health | Which services, features, regions, and user groups are affected? Is impact confirmed locally? | Open or link an incident; set severity; assign incident commander and technical owner. | Incident ID, timeline, screenshots/export, local telemetry, affected-user sample, Microsoft updates. |
| Advisory | Is degradation intermittent or limited? Could it affect a critical workflow despite low reported scope? | Monitor defined scenarios; prepare help-desk guidance; decide whether proactive communication is needed. | Advisory ID, monitoring results, ticket trend, workaround, decision rationale. |
| Message center | Is the post relevant to deployed licenses, services, settings, integrations, users, or policy? | Classify as no action, monitor, communicate, test, configure, train, purchase, or retire. | Message ID, relevance decision, owner, due date, linked change/project ticket. |
| Change control | Will the change affect authentication, data handling, security controls, support scripts, integrations, or user experience? | Test in a safe group where possible; document rollback; approve; schedule; communicate. | Test plan/results, approval, rollback, communication, completion record. |
| Privacy/security | Does the notice involve privacy, data residency, security behavior, admin consent, or new data exposure? | Route to security/privacy owners using least-privileged Message center roles. | Risk review, policy decision, control update, legal/compliance input when applicable. |
| Closure | Was impact resolved or the planned change completed? Are residual risks and follow-up items owned? | Close with outcome, lessons, open actions, and the next review date. | Closure summary, post-incident report, action register, owner and due dates. |
Keep the workflow simple enough to execute consistently and detailed enough to prove what was reviewed and why a decision was made.
Review active incidents, advisories, issue history, organizational action items, and workload monitoring. Validate reported impact against local telemetry and help-desk demand.
Set severity using affected users and business services. Record incident ID, current Microsoft statement, known workaround, internal owner, and next update time.
Review new and changed posts, “act by” deadlines, affected services, rollout dates, retirements, privacy/security notices, and Microsoft-recommended preparation.
Create or link accountable work. Include due date, testing requirement, user communication, technical dependency, evidence requirement, and escalation path.
Provide technical updates to responders, plain-language status to users, impact and decisions to leaders, and targeted instructions to help desk or business owners.
Record resolution or no-action rationale, completed change, validation, communication, residual risk, lessons learned, and any open follow-up assignment.
Do not make Global Administrator the routine answer for service communications. Microsoft documents Service Support Administrator and Helpdesk Administrator access for Service Health, while Message center access varies by role and content type. Validate current role behavior in your tenant and keep at least one trained backup reviewer.
Owns the cadence, queue hygiene, classification, and daily handoff.
Evaluates workload impact, testing, implementation, and closure.
Reviews security and data-privacy posts using appropriate role access.
Covers leave, after-hours escalation, turnover, and role-access failure.
Notification design: Test delivery to named people and shared operational channels. A distribution list is not evidence that someone accepted ownership. Review membership and notification settings after staff or role changes.
Retention should follow the organization’s records, security, privacy, and compliance requirements. Avoid screenshots containing unnecessary personal or sensitive information.
Review active incidents and advisories at least daily, with more frequent monitoring during business hours for critical environments. Trigger immediate review when telemetry, help-desk volume, monitoring, or users indicate possible Microsoft 365 impact.
For most organizations, two or three structured reviews per week provide a practical baseline. Higher-change or regulated environments may need daily triage. The process should prioritize new posts, changed posts, act-by dates, retirements, privacy/security content, and changes affecting critical integrations.
No. Microsoft’s service status does not rule out tenant configuration, identity, network, endpoint, third-party, licensing, application, or localized problems. Correlate Microsoft communications with tenant telemetry and user impact.
Use named primary and backup reviewers plus routing to service, security, privacy, help-desk, communications, and business owners. Grant least-privileged roles, test notification delivery, and revalidate membership after staff or role changes.
Retain the source ID, key timestamps, impact assessment, owner, decision, ticket or change record, test results, communications, closure, residual risk, and follow-up actions according to organizational retention requirements.
IT Perfection helps Orange County and Southern California organizations establish practical Microsoft 365 monitoring, incident coordination, change review, tenant administration, and evidence-driven operations.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.