As you dive further into your O365 tenant and look to start rolling out the services you will have to work with your security officers to insure that you are compliant with that group.
Microsoft has provided several resources
For an example if you look at the Microsoft Trust Center it contains a long list of audit reports that cover both O365 and Azure, with more reports beings added every week. And looking at the Penetration Testing Rules of Engagement it will help you understand what you can and cannot do during Penetration testing…but hold it why would you not let me doing certain steps in pen testing that I already perform in my Enterprise? What you have to remember is that you are on shared hardware and shared networks and as you want others to not ruin your experience and thus we expect you not to ruin others experience, what this means is there are certain tests that cannot be performed as they potentially could cause performance or security issues.
More information to look at:
Wow…you mean you can get paid for hacking Microsoft. Well yes but you have to record it, report it, and make sure you provide an eligible submission.
If you look at the Red Teaming whitepaper it discusses Microsoft’s strategy and execution of Red Teaming and live site penetration testing against Microsoft managed cloud infrastructure, services and applications. You will learn how Microsoft simulates real-world breaches, conducts continuous security monitoring and practices security incident response to validate and improve the security of Microsoft Azure and Office 365.