Toni on Tech

50 Best Practices for Securing Microsoft 365

by

Toni Frankola
in

During the pandemic, many companies enabled their employees to work from home using Microsoft Teams, resulting in a substantial growth in Teams’ daily active users. The remote work-related growth began in March and grew staggeringly throughout 2020!

Microsoft undertook a study to uncover the pandemic-related threats that companies see coming in 2021. Nearly 800 business leaders in India, Germany, the UK, and the US took the survey. The study has shown that 82% of respondents plan to add security staff, 81% feel pressure to lower security costs, while 58% of leaders have already increased their security budgets.

With all this being said, security concerns will continue to make business leaders worry in 2021. That’s why I’d like to dedicate this blog to them and show them a few security tips and tricks.

Impact on budget priorities

Source: Microsoft

Optimizing Security Across Office 365

In this blog, I will lead you through some security best practices I have gathered throughout the years of dealing with SharePoint and Microsoft 365.

Azure AD

No security best practices post could be published without Azure AD tips. Azure AD is the backbone of Office 365 – everything you do in Office 365 is configured here.

MFA

It would be best if you turned on Azure Multi-Factor authentication for all the employees working from home or the office when they’re logging into Office 365. It can be done using a simple Microsoft authenticator app on their phones.

These are a couple of default security practices: ​

  • Require all users to register for Azure AD Multi-Factor Authentication.
  • Require administrators to perform multi-factor authentication.​
  • Block legacy authentication protocols.​
  • Require users to perform multi-factor authentication when necessary.​
  • Protect privileged activities like access to the Azure portal.

Emergency access accounts

It is a good practice to create two or more emergency access accounts in your organization to mitigate the impact of an accidental lack of administrative access. Those accounts will enable you to work when the system is down, but, make sure to use them only in necessity.

These Super admin accounts are cloud-only, and they’re not connected to any personal devices. However, if there is a connected device by any chance, it should be kept in a known, secure, and accessible location.

The MFA mechanisms for these accounts are somewhat different from the “regular “accounts, so it’s advisable to use third-party MFA if the primary is not working. They are irregular in one more way, as they are not subject to clean-up actions if they become inactive.

All things being said, you should always keep a close eye on the sign-ins from these accounts and regularly validate them.

Protect your global M365 admin accounts

You need to use the strongest form of secondary authentication to protect your Microsoft 365 global admin accounts. Also, it’s good practice to introduce backup procedures for situations when global admins cannot log in.

On top of that, there are some additional protection activities, such as usage of privileged access workstations and Azure AD Privileged Identity Management.

Limit Admin roles in AAD

You should limit the use of Global administrator roles to situations when it’s only necessary. Many other roles can supplement global admin accounts, such as printer administrator and privileged role administrator.

Administrative Units

Administrative units act as a container for other Azure AD resources like users and groups. In other words, you can put many users and groups into a unit and assign an admin to it to delegate admin privileges.

My Staff

My Staff is a new application in Microsoft 365, built on top of Administrative Units. The person using this app doesn’t need to be a power user to do simpler security actions.

An everyday use case of this app is in retail stores. A store manager can easily do operations via their phone app, such as changing a phone number, enabling/disabling MFA, or updating contact info.

My staff app

Access Review

Companies should regularly review access to reduce the risk associated with stale roles and ensure proper role assignments. That’s especially important for highly privileged roles. That’s why it’s recommended to configure periodic access reviews for the entire tenant.

Access Review

Microsoft Defender for Office 365

Microsoft Defender is another security option in Microsoft. It is a system that purges all malware, spam, phishing, and other threats coming from outside of the company via email, OneDrive, and SharePoint.

Microsoft Defender is built around AI, and it allows you to proactively track all possible hazards threatening multiple Office 365 customers before they harm them.

Security Dashboard

With the Security Dashboard, admins can get an overview of what is happening in the tenant – how many malware messages are blocked, how many phishing messages are detected, etc., and learn how to manage the system’s security proactively.

Security Dashboard

Conditional Access

Conditional access is a tool within Azure AD that analyses various signals to make decisions. In general, these are comprehensive if-then statements that use machine learning to enforce organizational policies proactively.

They are built on top of various signals such as your location, your login pattern, etc. For example, if your company is from the US, and somebody is trying to log in from a different country – you can block that user.

Conditional Access

Source: Microsoft

Some of the signals you can use in conditional access​ are:

  • User or group membership​
  • IP Location​
  • Device​
  • Application​
  • Real-time risk​

Some of the decisions you can enforce in conditional access are​:

  • Block
  • Grant​
    • Require MFA​
    • Require compliant device​

Standard Conditional Access policies are:

  • Requiring multi-factor authentication for users with administrative roles​
  • Requiring multi-factor authentication for Azure management tasks​
  • Blocking sign-ins for users attempting to use legacy authentication protocols​
  • Requiring trusted locations for Azure AD Multi-Factor Authentication registration​
  • Blocking or granting access from specific locations​
  • Blocking risky sign-in behaviors​
  • Requiring organization-managed devices for specific applications​

Azure AD Identity Protection

It is one step above conditional access in using machine learning to help you proactively protect your environment. It is used to automate the detection and remediation of identity-based risks such as:

  • Atypical travel,
  • Anonymous IP address,
  • Unfamiliar sign-in properties,
  • Malware linked IP address,
  • Leaked Credentials,
  • Password spray,
  • Azure AD threat intelligence.

The first step is to investigate risks using data in the portal and then export risk detection data to third-party utilities for further analysis.​

Microsoft Intune

Microsoft Intune helps you control how your organization’s devices are used, including mobile phones, tablets, and laptops​. It is divided into two fragments:

  • Mobile device management (MDM)
  • Mobile application management (MAM)​

It enables people in your organization to be productive on all of their devices while keeping your organization’s information protected with the policies you create.

Microsoft 365 security center

The Security Center gives you an overview of the essential aspects of Microsoft 365 security:​

  • Overall security health of your organization.​
  • Service Incidents.​
  • Alerts – All the alerts across your Microsoft 365 environment​
  • Action center – Actions to be performed by the IT team.​
  • Reports – Get the details and information you need to better protect your users, devices, and apps.
  • Secure score.​
  • Advanced hunting – Proactively search for malware, suspicious files, and activities in your Microsoft 365 organization.​
  • Classification – Adding labels to classify documents, email messages, documents, sites, and more.​
  • Policies – Set up procedures to manage devices, protect against threats, and receive alerts about various activities in your org.

Microsoft 365 Secure Score

Microsoft 365 Secure Score is a dashboard from where you can monitor and improve the security of your Microsoft 365 identities, data, apps, devices, and infrastructure. The dashboard validates you against best practices and industry standards and gives you a score.

Microsoft Secure Score

You can use it to check if your system has been set up correctly and do recommended tasks if you’re missing some essential configuration.

Microsoft Cloud App Security

Microsoft Cloud App Security acts like a broker that roots your applications’ traffic and makes sure that data flowing from your users to applications is secure. Some of the key benefits are:

  • Discovers and controls the use of Shadow IT​.
  • Protects your sensitive information anywhere in the cloud​
  • Protects against cyberthreats and anomalies​
  • Assesses the compliance of your cloud apps

Microsoft Cloud App Security

Source: Microsoft

Support working from home

I listed here some actions to make your remote workers more efficient, secure, and empowered:

  • Enable MFA​
  • Protect against threats​
  • Configure Defender O365​
  • Configure Defender for Identity​
  • Turn on Defender​
  • Configure Intune for mobile​
  • MFA conditional + Intune app​
  • Device Management​
  • Optimize​
  • Train​
  • Cloud App Security​
  • Monitor the system​

VPN Split tunneling

To optimize the end-user experience and speed up your traffic flow through Office 365, you should channel that traffic directly to Office 365 instead of through the company network.

VPN Split tunneling

Source: Microsoft

Collaboration Security

One of the most significant cloud advantages versus on-prem is collaborating with people inside and outside your company. But, that flexibility comes with some security concerns as well.

Secure Collaboration with Microsoft 365

Microsoft 365 offers different aspects of sharing as you can set up sharing with:

  • Anyone (unauthenticated)​
  • People inside the organization​
  • Specific people inside the organization​
  • Specific people inside and outside the organization

Secure collaboration

Source: Microsoft

There are different components you can employ to share your resources safely:

Workloads and Capabilities

Collaborating with people outside your organization

The great advantage of Microsoft 365 is the possibility to collaborate with partners, vendors, customers, and others who don’t have an account in your directory​.

You can enable sharing on different levels in Microsoft 365 – in Azure Active Directory, Teams, Microsoft 365 Groups, OneDrive, and SharePoint.

External Sharing

Tame Unauthenticated Sharing

Anonymous links can be useful in various scenarios​, but you should be careful about using them. These are the standard recommendations when sharing anonymously:​

  • Choose expiration and permissions options for Anyone links (for the entire organization, or just one site)​
  • Control the allowed permission levels for files and folders​
  • Set default link type to only specified people​
  • Use DLP rules to control sharing of sensitive content

Limit Accidental Exposure to Files

It’s good practice to limit sharing with specified groups or domains – let’s say just your own or partners’ domains.

Add domains

Create a secure guest sharing environment

Make sure you control how guests act inside your organization. You can do various control activities, such as:

  • Applying MFA for guests
  • Timing out their session time
  • Limiting their access for unmanaged devices to web-only access
  • Applying sensitivity labels
  • Performing guest access review

Sensitivity labels

You should follow these concepts in regards to your data and content:

  • Classify and protect your organization’s data while ensuring that user productivity and their ability to collaborate are not hindered.​
  • Protect content in Office apps across different platforms and devices. ​
  • Protect containers that include Teams, Microsoft 365 Groups, and SharePoint sites.

Some documents in your organization can be confidential, and as such, they require a high level of access control. The best practice is to label confidential content and disallow any sharing of them.

You can further extend control by using Azure Information Protection by encrypting sensitive documents. So even if nonauthorized users gain access to them, they won’t be able to read them.

Site Classification

We can apply classification labels on sites, as well. So you can classify sensitive sites that only specific people can access.

Site Classification

Teams Deployment

Due to the unexpected events early last year, a lot of organizations didn’t have time to plan Teams’ deployment in advance. The results were disorganized Teams’ architecture, undefined roles, and lack of governance controls.

Every organization has to ask themselves these questions before digging into Teams deployment:

  • Who will be Teams Administrators​
  • Who will be Owners and Members​
  • What will the Messaging Policies​ be
  • How is Provisioning​ going to happen
  • Which level of External / Guest Access​ will be allowed
  • What will the Teams Settings​ be
  • Which Teams Clients​ will be used
  • Will we have Usage Reporting​
  • Which Default Apps will we use

SharePoint Security

Microsoft Teams go hand in hand with SharePoint. With every team, there is a SharePoint site and a default set of SharePoint groups. You need to think about these settings for your SharePoint sites:

  • Sharing settings
  • SharePoint Groups​
  • AD Groups​
  • Breaking permission inheritance​
  • Sites not connected to Microsoft 365 groups​
  • Sites related to Microsoft 365 groups​
  • Change how members can share​
  • [Site Access] Access Requests

Data Encryption in OneDrive and SPO

When it comes to the security of data stored within Microsoft 365 datacenters, Microsoft is doing a plethora of security actions:

  • BitLocker disk-level encryption​
  • Per-file encryption AES-256, distribution of content, keys, and credentials (FIPS 140-2)​
  • Chunks encrypted with multiple keys on blob storage​
  • A different set of keys depending on the operation (read, write, enum, delete)

Additional email protection practices

You can implement additional email protection practices in your company:

  • Conditional access​
  • Disable external email forwarding​
  • Disable anonymous external calendar sharing​
  • Configure data loss prevention policies for sensitive data​
  • Implement data classification and information protection policies​
  • Protect data in 3rd party apps and services w/ Cloud App Security​
  • Use Microsoft Defender for Endpoint​
  • Use AIP

Licensing

Most advanced security and compliance features are available in the Premium Plans​ listed below:

  • Office 365 E5​
  • Microsoft 365 E5​
  • Standalone:
    • Azure AD Premium 1 or 2​
    • Intune

SysKit security best practices

Our good developers at SysKit have developed their own Office 365 best practices that will complement existing industry best practices. We are adding an extra layer to it, taking into account all the types of content and specific governance procedures that companies might have.

With SysKit’s best practices in place, businesses will truly become power users and be entirely in control of what’s going on in their environment.

How Can SysKit Point Help You?

SysKit Point is a web-based Office 365 governance solution that lets you:

  • Govern your inventory from a central place
  • Automate your Office 365 governance
  • Audit your Office 365 activity
  • Report on overall Office 365 security
  • Analyze usage and trends in your Office 365 tenant
  • Manage user access in bulk