8 Microsoft 365 Security Features You Should Know

Microsoft 365 contains many security features, but if you want to successfully deploy those capabilities, you have to know which controls to enable, which licenses to purchase, and which rules to create.

Each service within the Microsoft 365 suite uses Azure Active Directory for authentication and authorization to access either the app itself or the content that resides within it. However, organization-specific security controls and procedures should augment all out-of-the-box configurations. Plus, organizations have to continually teach and guide end users so they understand the restrictions and know how to use them.  

Organizations of all types and sizes will benefit from enabling the most common controls, regardless of whether the tenant is new or currently in use. In this blog post, you'll learn about those features and why they're important, which should help you better secure your Microsoft 365 assets and improve the likelihood that your end users will practice good cyber hygiene.

Common Microsoft 365 Security Features

Organizations need to review their current Microsoft 365 tenants and determine the controls to enable. Organizations should use current written policies and core business requirements for enabling the proper controls. The most common security control categories are:

1. Conditional Access policies for controlling access
2. Multi-factor authentication for end users and administrators
3. Blocking legacy authentication protocols to reduce the surface area of attacks
4. Deployment of core password controls
5. External sharing restrictions and policies
6. Managing mobile device connections, including corporate and personal devices
7. Controlling the dissemination of data capabilities within email and document storage
8. Classification of content with additional protections

Each category can contain either single or multiple features, controls, and rules, and requires in-depth reviewing before implementation.

Conditional Access Policies for Controlling Access

Users access company resources from any number of locations, including the office, their homes, or on the run. Logging in from various locations increases the security risk for any organization, making it extremely difficult to control and manage. Most organizations cannot distinguish valid logins from invalid logins, such as a compromised account. To add, it's almost impossible to know whether the device is compliant with company policies or is even a company device.

Conditional Access policies can control by location, such as country, region, and IP address. They can also control the applications, devices, and accounts used to connect to services. Multiple types of policy configurations are available to support user, device, and location controls and protections.

Multi-factor Authentication for End Users and Administrators

Almost all data and security breaches involve a compromised account. Simply enabling multi-factor authentication would most often protect the compromised account from this type of attack. Forcing every authentication request to validate a second factor, such as using an SMS or token, limits malicious actors' ability to use the account.

Multi-factor authentication can be explicitly assigned to users or administrators and implemented using Conditional Access policies. Policies provide granularity when users need to present the second factor, versus it having to be every time. Administrator multi-factor authentication can be created and enabled for free, while end user multi-factor authentication requires licensing for each user.

Blocking Legacy Authentication Protocols To Reduce the Surface Area of Attack

Legacy authentication refers to an authentication request made by either older versions of Office clients that do not support modern authentication or any client that uses legacy mail protocols such as POP3, IMAP, or SMTP. These requests don't support multi-factor authentication, which is why most sign-in attempts that resulted in a compromised account come from legacy authentication.

Conditional Access policies can control the use of standard legacy protocols and help ensure more secure user authentication and authorization. With a multi-factor authentication policy in place in Azure Active Directory, modern authentication ensures the user is prompted for a second factor when required. It provides the organization with a more secure alternative to legacy authentication protocols.

Deployment of Core Password Controls

Organizations that enforce periodic password resets could inadvertently make end user passwords less secure. Users tend to pick weaker passwords. And when asked to reset their password, they only vary it slightly for each reset. This behavior leads to the reuse of existing passwords. Without password protection, not only are passwords reused, but simple passwords are chosen, making it easy for malicious actors to guess.   

Azure Active Directory provides core password protections. When a password is changed or reset by any user within the Azure Active Directory tenant, a global banned password list validates the password's strength. Organizations can, however, define a custom banned password list, ensuring users cannot reset or change their password to any values found within the list.

External Sharing Restrictions and Policies

Microsoft 365 provides content sharing capabilities as part of the default service. SharePoint Online, OneDrive for Business, and Teams predominantly allow for sharing content with internal and external users. Due to the ease of sharing content across these platforms, as well as open sharing policies, content is often shared incorrectly or with the wrong individuals. This could lead to intellectual property, personally identifiable information, medical information, or business-critical data leaving the organization when it shouldn't.

Conditional Access policies control the conditions in which people access shared content. External sharing settings exist at the parent of the tenant, within Azure Active Directory, and within some of the services. SharePoint Online and OneDrive for Business allow granular controls within sites that differ from the parent. To enhance external sharing protections further, content labeling provides higher security levels, encryption, and protections that follow the content no matter where it resides.

Managing Mobile Device Connections, Including Corporate and Personal Devices

When end users connect to Microsoft 365, they use their login details, which authorize their access. Whether they connect from a corporate laptop, personal computer, tablet, or mobile device, only account authorization is needed. A user may sync SharePoint Online or OneDrive for Business files—either maliciously or inadvertently—directly to a non-sanctioned location such as mobile devices, allowing offline access to business data. 

Microsoft 365 provides essential mobile device management to provide fundamental restrictions. Endpoint Manager combines mobile device management, mobile application management, and Windows 10 security controls and deployment.

Mobile device management allows complete device control and management for corporate-owned devices such as mobile phones, tablets, and Windows 10 deployments. Mobile application management supports personal devices for bring-your-own-device scenarios, where corporate data resides on personal devices. Implementing these controls will limit personal device access, copy and paste between supported applications, and encrypt all business data.

Controlling the Dissemination of Data Capabilities Within Email and Document Storage

Sending information to others, whether internal or external, is an everyday use case in all organizations. As such, information is often allowed to freely leave and enter the organization through services such as email. Unfortunately, this leads to these services being the exit path for data that shouldn't leave the organization. Although not always malicious, end-users find ways of bypassing content restrictions to get their job done, which inadvertently leads to the dissemination of data.

Controlling data dissemination starts with account controls, ensuring the end user has the allowed access for sharing. Applying content controls directly to either locations or the content will enable organizations to secure content, limiting its exposure. Unified labeling within Microsoft 365 provides these capabilities.

Another protection to control corporate data dissemination is via data loss prevention (DLP) policies within SharePoint Online, OneDrive for Business, Microsoft Teams, and Exchange Online. DLP policies control the flow of data, whether sharing internally or externally. They block and constrain the content from leaving the organization based on rules and definitions of content.

Classification of Content With Additional Protections

Organizational content is often mission-critical, sensitive, or private. As such, the content needs to be controlled through limits on end users and external users. When no content protections are in place, organizations run the risk of confidential data leakage. Data leakage ramifications are well defined and could involve company embarrassment, legal issues, and potentially fines.

Microsoft Information Protection (MIP) services are core components designed to protect and classify content. Azure Information Protection, unified labeling, and sensitivity policies contain criteria for identifying which content and security protections to apply. Creating policies to identity content allows for either end users, administrators, or auto-classification of content. Designating protections such as watermarking, labeling, encrypting, and modifying permissions are core protections.

Microsoft 365 Checklist and More

If this all seems pretty overwhelming to an IT department that is understaffed and overworked, that’s because it is. To help make sense of it all, Egnyte has built a checklist that describes all the requirements and the steps you need to follow to deploy proper security controls across Microsoft 365 tools. Click here to download the checklist.

Alternatively, your could deploy a much simpler-to-use, while still robust, data governance platform natively integrated with Microsoft 365 and designed to secure content across SharePoint, OneDrive, Teams, and Exchange Online. For more information about how Egnyte can help take additional steps to control your Microsoft 365 environment, visit Egnyte's data governance for Microsoft 365 and Azure webpage.

‍