Get Control of M365 Security Controls

Microsoft 365, as a service, contains many features that focus on security. Each service uses Azure Active Directory for authentication and authorization to access either the app itself or the content that resides within it. Organization-specific security controls and procedures should augment all out-of-the-box configurations. Remember that security within Microsoft 365 is not just about enabling features and controls; it also involves teaching and guiding end-users to understand the restrictions and knowing how to use them.  


Knowing which controls to enable, licenses to purchase, or rules to create is critical to deploying successful security capabilities. All organization types and sizes will benefit from enabling the most common controls regardless of whether the tenant is new or currently being used.  

Common Security Controls 

All organizations need to review their current Microsoft 365 tenants and decide which controls to enable. The starting point should be the organization's existing written policies and core business requirements, not the feature list. The most common security control categories are: 

  1. Multi-factor authentication for end-users and administrators
  2. Conditional access policies for controlling access 
  3. Block legacy authentication protocols to reduce the attack surface
  4. Deployment of core password controls 
  5. External sharing restrictions and policies
  6. Managing mobile device connections, including corporate and personal devices 
  7. Controlling data dissemination through email and document storage 
  8. Classification of content with additional protections 

Each category can contain either single or multiple features, controls, and rules, and requires in-depth reviewing before implementation. 

Multi-factor authentication for end-users and administrators 

Risk: Most breaches of Microsoft 365 tenants start with a compromised account, typically a password obtained by phishing, password spraying or reuse from another site's breach. Requiring a second factor at sign-in means a stolen password alone no longer grants access. Authenticator-app and hardware-token factors are the stronger choices; an SMS code still stops most automated attacks but can be intercepted or phished, so treat it as a fallback rather than the standard.

Capabilities: Multi-factor authentication can be required per account (the legacy per-user MFA setting), for the whole tenant through security defaults, or through Conditional Access policies. Conditional Access gives granularity: the second factor is demanded when the sign-in matters (an administrator role, an unfamiliar location, an unmanaged device) rather than on every sign-in. Licensing is the usual constraint. Conditional Access requires Azure AD Premium P1 (included in Microsoft 365 Business Premium and E3/E5) for every user the policies cover, while security defaults, which enforce MFA for all administrators and users with no per-condition tuning, are available at no cost on any tenant. 

Conditional access policies for controlling access 

Risk: Users reach company resources from the office, from home and from mobile devices, which in practice means from anywhere. A sign-in that carries only a valid username and password tells the tenant nothing about who is really behind it: a session from a compromised account looks the same as a legitimate one, and there is no way to tell whether the device is corporate-owned, compliant with policy, or a stranger's laptop. 

Capabilities: Conditional Access policies evaluate the signals attached to each sign-in and decide whether to grant, block, or require extra controls. Conditions include location (named IP ranges, countries or regions), the application being accessed, the client app type, device state (Azure AD joined, hybrid joined or Intune compliant), sign-in and user risk, and the user, group or directory role. Controls range from requiring MFA or a compliant device to blocking the sign-in outright, and session controls can hand off to app-enforced restrictions in SharePoint and Exchange. Build policies in report-only mode first, review the sign-in log for what each policy would have done, and always exclude an emergency-access (break-glass) account so a mistake cannot lock every administrator out. 

Block legacy authentication protocols to reduce the attack surface 

Risk: Legacy authentication is the umbrella term for sign-ins that carry only a username and password in a Basic-authentication style exchange: older Office clients that do not support modern authentication, and any client using protocols such as POP3, IMAP, SMTP AUTH, Exchange ActiveSync or EWS with Basic authentication. Because these sign-ins cannot complete an MFA challenge, attackers prefer them, and the large majority of password spray and credential stuffing attempts against Microsoft 365 arrive over legacy protocols. A tenant that requires MFA only through per-user settings (which permit app passwords) or through a policy scoped to modern clients can therefore still be compromised with nothing more than a stolen password. 

Capabilities: Conditional Access policies can block legacy authentication tenant-wide by targeting the "Exchange ActiveSync clients" and "Other clients" client app types; security defaults do the same with no tuning. Modern authentication (OAuth 2.0 and OpenID Connect token flows through the Microsoft Authentication Library) is what makes MFA enforceable: the client is redirected to Azure AD, which prompts for the second factor when policy requires it and issues a token the service validates. Before enforcing a block, check the "Client app" column of the sign-in log to find the accounts, devices and service integrations still on legacy protocols and migrate them; scanners and multifunction printers sending mail over SMTP AUTH are the usual stragglers. Exchange Online has since turned off Basic authentication for most protocols by default (SMTP AUTH is the notable exception that tenants must disable themselves), but a Conditional Access block still covers the exceptions and any tenant where it was re-enabled. 
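The policies described in the three sections above, as one added example that is not part of the original article: it creates an administrator MFA policy and a legacy-authentication block with the Microsoft Graph PowerShell SDK, then lists the recent sign-ins the block would catch. The break-glass group name, the set of administrator roles and the seven-day look-back are assumptions made for the example; the cmdlets, property names and enumeration values are those of the Microsoft Graph conditional access and sign-in APIs.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# module and an account holding a Conditional Access administrator role.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'Directory.Read.All','AuditLog.Read.All'

# Exclude an emergency-access (break-glass) group from every policy so a
# misconfiguration cannot lock all administrators out. Group name is assumed.
$breakGlass = Get-MgGroup -Filter "displayName eq 'CA-Exclude-BreakGlass'"
if (-not $breakGlass) { throw 'Create the break-glass group before creating policies.' }

# Directory role template IDs for the roles to protect, looked up by name
# rather than hard-coded. The role list is an assumption.
$adminRoleNames = 'Global Administrator','Exchange Administrator','SharePoint Administrator',
                  'Security Administrator','Conditional Access Administrator'
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

# Policy 1: require MFA for administrators on every sign-in, from any client.
$requireAdminMfa = @{
    displayName   = 'Require MFA for administrators'
    state         = 'enabledForReportingButNotEnforced'   # report-only first
    conditions    = @{
        users          = @{ includeRoles = @($adminRoleIds); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Policy 2: block legacy authentication for everyone. "exchangeActiveSync" and
# "other" are the client app types that cover Basic-auth protocols (POP3, IMAP,
# SMTP AUTH, EWS, older Office clients).
$blockLegacy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync','other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in $requireAdminMfa, $blockLegacy) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
        Select-Object DisplayName, State, Id
}

# Check before enforcing: sign-ins from the last 7 days whose client app is
# neither a browser nor a modern desktop/mobile app, grouped so each legacy
# client can be upgraded, retired, or given a deliberate exception.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss'Z'")
$modern = 'Browser','Mobile Apps and Desktop clients'
Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $modern -notcontains $_.ClientAppUsed } |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Both policies are created in report-only mode. After a review period, read each policy's report-only results in the sign-in log and change its state to enabled. Do not enforce the legacy-authentication block until every account in the final query's output has moved to a modern client or, for devices that only speak SMTP, has been placed in an explicitly excluded group.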

Deployment of core password controls 

Risk: Organizations that force periodic password resets can make passwords weaker rather than stronger. Users pick something easy to remember and change it only slightly at each reset (Summer2023 becomes Autumn2023), so the reset amounts to reuse, and anyone holding the previous password can guess the next one. Without a banned-password check, users are also free to choose common or predictable passwords, exactly the ones attackers try first when password spraying.   

Capabilities: Azure AD Password Protection checks every password change or reset in the tenant against a global banned password list maintained by Microsoft. The list holds commonly used and compromised passwords, and the comparison normalizes obvious variants first (character substitutions such as P@ssw0rd, appended digits, case), so the check is about predictability rather than length or character classes. Organizations can add a custom banned list of tenant-specific terms (company and product names, local sports teams, office locations) that users must not build a password around; the custom list, and the on-premises agent that extends the same check to Active Directory domain controllers, require Azure AD Premium P1. Smart lockout, on by default, throttles repeated failed sign-ins against an account while tracking familiar locations, so a legitimate user is not locked out by attempts coming from somewhere else. 
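An added example, not from the original article, that turns on the tenant banned-password check with a custom list through the beta directory settings endpoint of Microsoft Graph (the "Password Rule Settings" template is not exposed on v1.0, so the block calls the REST endpoint directly rather than a typed cmdlet). The banned terms and lockout values are illustrative choices; the setting names are those of that template, and the block prints the template's own value list first so the names can be verified against the tenant before the write.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# module and an account with Directory.ReadWrite.All consent.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All'
$beta = 'https://graph.microsoft.com/beta'

# Locate the template that carries the password protection settings.
$templates = (Invoke-MgGraphRequest -Method GET -Uri "$beta/directorySettingTemplates" -OutputType PSObject).value
$template  = $templates | Where-Object { $_.displayName -eq 'Password Rule Settings' }
if (-not $template) { throw 'Password Rule Settings template not found in this tenant.' }

# Check: print the template's setting names and defaults before writing, so the
# names used below can be confirmed against what the tenant actually exposes.
$template.values | ForEach-Object { '{0} = {1}' -f $_.name, $_.defaultValue }

# Custom banned terms (assumed). Matching is case-insensitive and substitution-
# aware, so "C0nt0so!" is caught by "contoso". Entries are tab-separated.
$customBanned = 'contoso','fabrikam','tailspin','northwind'
$values = @(
    @{ name = 'EnableBannedPasswordCheck';           value = 'True' }
    @{ name = 'BannedPasswordList';                  value = ($customBanned -join "`t") }
    @{ name = 'LockoutThreshold';                    value = '10' }    # smart lockout attempts
    @{ name = 'LockoutDurationInSeconds';            value = '60' }
    @{ name = 'EnableBannedPasswordCheckOnPremises'; value = 'True' }  # needs the on-prem agent
    @{ name = 'BannedPasswordCheckOnPremisesMode';   value = 'Audit' } # Audit first, then Enforce
)

# A tenant holds at most one settings object per template: update if present,
# otherwise create it.
$existing = (Invoke-MgGraphRequest -Method GET -Uri "$beta/settings" -OutputType PSObject).value |
    Where-Object { $_.templateId -eq $template.id }
if ($existing) {
    Invoke-MgGraphRequest -Method PATCH -Uri "$beta/settings/$($existing.id)" -Body @{ values = $values }
} else {
    Invoke-MgGraphRequest -Method POST -Uri "$beta/settings" -Body @{ templateId = $template.id; values = $values }
}

# Read back the effective settings.
(Invoke-MgGraphRequest -Method GET -Uri "$beta/settings" -OutputType PSObject).value |
    Where-Object { $_.templateId -eq $template.id } |
    Select-Object -ExpandProperty values | Format-Table name, value -AutoSize
```

The on-premises mode starts in Audit so the domain controller agent only logs passwords that would have been rejected; switch it to Enforce after the event log shows which service accounts and scripts would break.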

External sharing restrictions and policies 

Risk: Sharing content is a default capability of the platform: SharePoint Online, OneDrive for Business and Teams all let users share with colleagues and with external people. Because sharing is easy and tenant policies are often left open, the wrong content gets shared, or the right content is shared with the wrong people, and an "Anyone" link works without any sign-in that could be audited. Intellectual property, personally identifiable information, medical records or business-critical data can leave the organization without anyone deciding that it should. 

Capabilities: External sharing is governed at several layers that have to agree with each other. Azure AD external collaboration settings decide who may invite guests and from which domains; the SharePoint and OneDrive tenant-level sharing capability sets the ceiling (no external sharing, existing guests only, authenticated guests, or anonymous "Anyone" links) together with link defaults and expiry; and each site can be more restrictive than the tenant but never more permissive. Conditional Access policies then control the conditions under which people, guests included, reach the shared content, and classic SharePoint permission groups govern access within a site. Where content must stay protected even after it has been shared or downloaded, sensitivity labels add encryption and permissions that travel with the file wherever it goes. 
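The tenant and site layers described above, as an added example that is not part of the original article, using the SharePoint Online Management Shell. The tenant name, the allowed partner domains and the site URL are assumptions; the cmdlets and parameter values are those of the SharePoint Online module.

```powershell
# Added example (not from the original article). Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # tenant assumed

# Tenant ceiling: sharing only with authenticated guests (no anonymous "Anyone"
# links), new links default to people inside the organization with view rights,
# invitations are restricted to an allow-list of domains, the invited address
# must be the one that redeems the invitation, and guests cannot re-share.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example fabrikam.com' `
              -RequireAcceptingAccountMatchInvitedAccount $true `
              -PreventExternalUsersFromResharing $true

# Per-site: a site can be tighter than the tenant but never more open.
# Disable external sharing entirely on a site that holds regulated data.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/Finance' -SharingCapability Disabled

# Check: sites whose setting still allows anonymous links. After the tenant
# change above these are effectively capped, but the per-site value shows
# which owners expected open sharing and need to be told.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability, Owner
```

Existing anonymous links keep working until they expire or are removed, so pair the tenant change with a sharing report from the SharePoint admin center and revoke the links that should never have existed.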

Managing mobile device connections, including corporate and personal devices 

Risk: Whatever the device, a corporate laptop, a home PC, a tablet or a phone, Microsoft 365 authorizes access on the strength of the account alone unless something adds device context. Any user, whether malicious, disgruntled or simply seeking convenience, can sync SharePoint Online or OneDrive for Business libraries to an unmanaged device and walk away with an offline copy of business data that no later permission change will recall.  

Capabilities: Microsoft 365 includes basic mobile device management, and Microsoft Endpoint Manager (since renamed Microsoft Intune) combines mobile device management (MDM), mobile application management (MAM) and Windows security configuration and deployment. MDM gives full control of corporately owned phones, tablets and Windows devices: enrollment, compliance policies, disk encryption and remote wipe, and the resulting compliance state feeds Conditional Access. MAM covers bring-your-own-device scenarios where corporate data sits in Office apps on a personal device: app protection policies require a PIN, encrypt the app's data, restrict copy and paste and "Save as" to other managed apps, and allow a selective wipe of corporate data without touching the owner's personal content. SharePoint's own unmanaged-device setting can additionally reduce unmanaged devices to browser-only access with download, print and sync disabled. 
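Two of the controls above, as an added example that is not part of the original article: the first part restricts SharePoint and OneDrive access from unmanaged devices with the SharePoint Online Management Shell, the second creates an Intune app protection (MAM) policy for iOS by posting it to Microsoft Graph. The tenant name, the on-premises domain GUID and the policy values are assumptions; the property names are those of the Graph iosManagedAppProtection resource.

```powershell
# Added example (not from the original article).
# Part 1: SharePoint Online Management Shell (SharePoint administrator).
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # tenant assumed

# Unmanaged devices (not Azure AD joined, not Intune compliant) get browser-only
# access with download, print and sync disabled. Takes effect only together with
# a Conditional Access policy that applies the "Use app enforced restrictions"
# session control to the SharePoint/Office 365 apps.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Allow the OneDrive sync client only on machines joined to the listed
# on-premises AD domain(s); other machines are refused. GUID is assumed.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids '11111111-2222-3333-4444-555555555555'

# Part 2: Intune app protection policy for personal iOS devices. Corporate data
# inside Office apps is PIN-protected, encrypted when the device is locked, and
# can only be moved to other managed apps; corporate data can be wiped alone.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'
$mam = @{
    '@odata.type'                           = '#microsoft.graph.iosManagedAppProtection'
    displayName                             = 'BYOD iOS - Office apps'
    pinRequired                             = $true
    minimumPinLength                        = 6
    organizationalCredentialsRequired       = $true
    appDataEncryptionType                   = 'whenDeviceLocked'
    dataBackupBlocked                       = $true            # no iCloud backup of app data
    saveAsBlocked                           = $true            # no "Save as" to local storage
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedAppsWithPasteIn'
    managedBrowserToOpenLinksRequired       = $true
    periodOfflineBeforeAccessCheck          = 'PT12H'          # re-check sign-in after 12h offline
    periodOfflineBeforeWipeIsEnforced       = 'P90D'           # wipe corporate data after 90d offline
}
$policy = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections' `
    -Body $mam -OutputType PSObject
$policy | Select-Object id, displayName, pinRequired, allowedOutboundDataTransferDestinations
```

The policy is created unassigned; the Office apps it protects and the user groups it applies to are attached afterwards (through the policy's targetApps action and assignments, or in the Intune admin center). Without a matching Conditional Access policy requiring an approved client app, a user can still open the data in an unprotected third-party mail client, so the two controls belong together.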

Controlling data dissemination through email and document storage 

Risk: Sending information to others, inside or outside the organization, is everyday work, so services such as email are set up to let data flow in and out freely. That same path becomes the exit route for data that should never leave. The cause is rarely malicious: users who hit a restriction find a workaround to get the job done, and the data is disseminated just the same. 

Capabilities: Controlling dissemination starts with account and sharing controls, so the user holds only the sharing rights they need. Content controls applied to locations or to the content itself then limit its exposure; unified labeling in Microsoft 365 provides these. Data loss prevention (DLP) policies in Exchange Online, SharePoint Online, OneDrive for Business and Microsoft Teams add rule-based enforcement: a policy defines the content it looks for (built-in sensitive information types such as payment card or national ID numbers, keyword lists, or a sensitivity label), the scope (shared internally, externally, or both), and the action, from a policy tip and an audit entry, through block-with-override and a recorded justification, to a hard block and an alert. Run new policies in test mode first and read the reports; a rule that blocks legitimate work teaches users to route around it. 
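The tiered DLP policy described above, as an added example that is not part of the original article, created with Security & Compliance PowerShell. It spans all four workloads and uses Microsoft's built-in "Credit Card Number" sensitive information type; the policy and rule names, the volume thresholds, the notification text and the choice to start in test mode are illustrative choices.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and a Compliance administrator.
Connect-IPPSSession

$policyName = 'Payment card data - external sharing'

# The policy sets scope (all four workloads) and mode. TestWithNotifications
# shows users the policy tips and produces reports without blocking anything.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Payment card data must not be shared outside the organization' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# Rule 1, low volume: one to nine card numbers shared externally. Warn the
# owner and last editor, block by default, but allow an override with a
# recorded business justification.
New-DlpComplianceRule -Name "$policyName - low volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '1'; maxCount = '9' }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner,LastModifier `
    -NotifyPolicyTipCustomText 'This item contains payment card numbers. Sharing it outside the company requires a business justification.' `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyAllowOverride WithJustification

# Rule 2, high volume: ten or more card numbers looks like a data set, not a
# stray receipt. Hard block for everyone outside the organization, no override.
New-DlpComplianceRule -Name "$policyName - high volume" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number'; minCount = '10' }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner `
    -BlockAccess $true -BlockAccessScope All

# Check: confirm mode and rule settings before switching the policy to Enable.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, BlockAccessScope, NotifyAllowOverride
```

After a test period, review the DLP reports for false positives (order numbers and test data commonly match the card-number pattern), then run `Set-DlpCompliancePolicy -Identity $policyName -Mode Enable` to start enforcing.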

Classification of content with additional protections 

Risk: Organizational content is often mission-critical, sensitive or private, and access to it must be limited to the right internal and external users. Without content-level protection, a file copied out of a governed location is simply unprotected, and confidential data leaks. The consequences of a leak are well understood: reputational damage, legal exposure and, for regulated data, fines. 

Capabilities: Microsoft Information Protection is the set of services for classifying and protecting content. Sensitivity labels (unified labeling, which replaces the separate labels of the Azure Information Protection client) and their label policies define the conditions that identify content and the protections applied once a label is on it. A label can be applied manually by the user, set as a default or made mandatory by an administrator, or applied automatically when content matches sensitive information types (auto-labeling is an E5-level feature). Protections include visual markings such as headers, footers and watermarks, encryption with specific rights for specific people or domains, offline-access and expiry limits, and permissions that hold even after the file leaves the tenant. 
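A label with the protections listed above, as an added example that is not part of the original article, created and published with Security & Compliance PowerShell. The label name, the marking text, the tenant domain used as the rights principal and the offline-access window are illustrative choices; the cmdlets and parameters are those of the Security & Compliance module.

```powershell
# Added example (not from the original article). Requires the ExchangeOnlineManagement
# module and a Compliance administrator.
Connect-IPPSSession

$tenantDomain = 'contoso.com'   # assumed; all users in this domain receive the rights below

# Rights string format: principal:RIGHT,RIGHT;principal:RIGHT. These rights let
# everyone in the tenant view and edit but not forward, extract or take ownership;
# anyone outside the principal list cannot open the content at all.
$rights = '{0}:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,OBJMODEL' -f $tenantDomain

New-Label -Name 'Confidential' -DisplayName 'Confidential' `
    -Tooltip 'Internal use only. Encrypted; people outside the organization cannot open it.' `
    -ContentType 'File, Email' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText 'Confidential' `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText 'Confidential' -ApplyWaterMarkingFontSize 40

# Publish the label to all users. Until a label is in a policy nobody can see it.
New-LabelPolicy -Name 'Confidential label policy' `
    -Labels 'Confidential' `
    -ExchangeLocation All `
    -Comment 'Publishes the Confidential label to every user'

# Check: confirm encryption is on and the label is published.
Get-Label -Identity 'Confidential' | Select-Object DisplayName, ContentType, EncryptionEnabled
Get-LabelPolicy -Identity 'Confidential label policy' | Select-Object Name, Labels, Enabled
```

Because the rights are bound to the label template, a file labelled Confidential stays encrypted and readable only by the listed principals after it is downloaded, emailed or copied to removable media, and the seven-day offline window forces a fresh licence check so revoked access eventually takes effect everywhere.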

If this all seems overwhelming to an IT department that is understaffed and overworked, that's because it is. The checklist you will find below describes the requirements and steps for deploying proper security controls across the Microsoft 365 tools. 

Your other option is to deploy a much simpler-to-use, while still robust, data governance platform natively integrated with M365 and designed to secure content across SharePoint, OneDrive, Teams and Exchange Online. 

Liam Cleary began his career as a trainer of things computer related, then realized that programming, breaking, and hacking was a lot more fun. Over the next few years he worked within core infrastructure and security services until he found SharePoint. A Microsoft MVP and Microsoft Certified Trainer, he can be found presenting all over the planet, as well as teaching his kids how to code, Raspberry Pi programming, hacking the planet, or building Lego robots.
