Data Security and Governance in Microsoft 365
A Security Controls Checklist
Microsoft 365, as a service, contains many features that focus on security. Each service uses Azure Active Directory for authentication and authorization to access either the app itself or the content that resides within it. Organization-specific security controls and procedures should augment all out-of-the-box configurations. Remember that security within Microsoft 365 is not just about enabling features and controls; it also involves teaching and guiding end-users to understand the restrictions and knowing how to use them.
Knowing which controls to enable, licenses to purchase, or rules to create is critical to deploying successful security capabilities. All organization types and sizes will benefit from enabling the most common controls regardless of whether the tenant is new or currently being used.
Common Security Controls
All organizations need to review their current Microsoft 365 Tenants and determine the controls to enable. Organizations should use current written policies and core business requirements for enabling the proper controls. The most common security control categories are:
- Multi-Factor authentication for end-users and administrators
- Conditional access policies for controlling access
- Block legacy authentication protocols to reduce the surface area of attacks
- Deployment of core password controls
- External sharing restrictions and policies
- Managing mobile device connections, including corporate and personal devices
- Controlling the dissemination of data capabilities within email and document storage
- Classification of content with additional protections
Each category can contain either single or multiple features, controls, and rules, and requires in-depth reviewing before implementation.
Multi-factor authentication for end-users and administrators
Risk: Almost all data and security breaches involve a compromised account. Simply enabling Multi-Factor Authentication would most often protect the compromised account from this type of attack. Forcing every authentication request to validate a second factor, such as using an SMS or token, limits malicious actors' ability to use the account.
Capabilities: Multi-factor authentication can be explicitly assigned to users or administrators and implemented using conditional access policies. Policies provide granularity when users need to present the second factor, versus it having to be every time. Administrator multi-factor authentication using conditional access policies can be created and enabled for free, while end-user multi-factor authentication using Conditional Access Policies requires licensing each user.
Conditional access policies for controlling access
Risk: Users access company resources both on-premises within offices and from remote locations such as their homes or mobile devices, which in effect could be any location. Logging in from various locations increases the security risk for any organization and makes access almost impossible to control and manage. Most organizations cannot differentiate between valid and invalid logins, such as those from a compromised account. In addition, knowing whether the device complies with company policies, or is even a company device, is almost impossible.
Capabilities: Conditional Access Policies can control by location, such as country, region, and IP address. They can also control the applications, devices, and accounts used to connect to services. Multiple types of policy configurations are available to support user, device, and location controls and protections.
Block legacy authentication protocols to reduce the surface area of attack
Risk: Legacy authentication is a term that refers to an authentication request made by either older versions of Office clients that do not support modern authentication or any client that uses legacy mail protocols such as POP3, IMAP, or SMTP. Most sign-in attempts that resulted in a compromised account came from legacy authentication within Microsoft 365. The reason is that legacy authentication doesn't support multi-factor authentication (MFA). Organizations with Multi-factor Authentication policies enabled within Azure Active Directory can still be compromised by a bad actor using a legacy protocol bypassing multi-factor authentication.
Capabilities: Conditional access policies can control the use of the standard legacy protocols. These protocols are available within nearly all services provided by Microsoft 365. Modern authentication provides more secure user authentication and authorization. With a multi-factor authentication policy in place in Azure Active Directory, modern authentication ensures the user is prompted for a second factor when required. It provides the organization with a more secure alternative to legacy authentication protocols.
Deployment of core password controls
Risk: Organizations that enforce periodic password resets could inadvertently make end-user passwords less secure. Users tend to pick weaker passwords, and when asked to reset, vary it slightly for each reset. This behavior leads to the reuse of existing passwords. Without password protection, not only are passwords reused, but simple passwords are chosen, making it easy for malicious actors to guess.
Capabilities: Azure Active Directory provides core password protections. When a password is changed or reset by any user within the Azure Active Directory tenant, a global banned password list validates the password's strength. Organizations can, however, define a custom banned password list, ensuring users cannot reset or change their password to any values found within the list.
External sharing restrictions and policies
Risk: Microsoft 365 as a platform provides content sharing capabilities as part of the default service. SharePoint Online, OneDrive for Business, and Teams predominantly allow for sharing content with both internal and external users. Because sharing across these platforms is easy and sharing policies are often left open, the wrong content is often shared, and frequently with the wrong individuals. This can lead to company intellectual property, personally identifiable information, medical information, or business-critical data leaving the organization when it shouldn't.
Capabilities: Conditional access policies control the conditions in which people access shared content. Traditional SharePoint permissions through a set of groups govern access into content locations. External sharing settings exist at the parent of the tenant, within Azure Active Directory, and within some of the services. SharePoint Online and OneDrive for Business allow granular controls within sites that differ from the parent. To enhance external sharing protections further, content labeling provides higher security levels, encryption, and protection that follow the content no matter where it resides.
Managing mobile device connections, including corporate and personal devices
Risk: When end-users connect to Microsoft 365, they use their login details, which authorize their access. Whether they connect from a corporate laptop, personal computer, tablet, or mobile device, only account authorization is needed. A malicious, disgruntled, or regular user may sync SharePoint Online or OneDrive for Business files directly to a non-sanctioned location such as mobile devices, allowing offline access to business data.
Capabilities: Microsoft 365 provides essential mobile device management that enforces fundamental restrictions. Endpoint Manager combines mobile device management, mobile application management, and Windows 10 security controls and deployment. Mobile device management allows complete device control and management for corporately owned devices such as mobile phones, tablets, and Windows 10 deployments. Mobile application management supports personal devices for bring-your-own-device scenarios, where corporate data resides on personal devices. Implementing these controls will limit personal device access, restrict copy and paste to supported applications, and encrypt all business data.
Controlling the dissemination of data capabilities within email and document storage
Risk: Sending information to others, whether internal or external, is an everyday use case in all organizations. As such, information is often allowed to freely leave and enter the organization through services such as email. Unfortunately, this makes services such as email the exit path for data that shouldn't leave the organization. Although not always malicious, end-users find ways of bypassing content restrictions to get their job done, which inadvertently leads to the dissemination of data.
Capabilities: Controlling data dissemination starts with account controls, ensuring the end-user has the allowed access for sharing. Applying content controls directly to either locations or the content will enable organizations to secure content, limiting its exposure. Unified labeling within Microsoft 365 provides these capabilities. Another protection to control corporate data dissemination is via data loss prevention policies within SharePoint Online, OneDrive for Business, Microsoft Teams, and Exchange Online. Data loss prevention controls the flow of data, whether sharing internally or externally. Policies block and constrain the content from leaving the organization based on rules and definitions of content.
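As an added illustration of the data loss prevention capability described above (this is example code, not part of the original page or an Egnyte or Microsoft artifact), the following Security & Compliance PowerShell script creates one DLP policy spanning Exchange Online, SharePoint Online, OneDrive for Business and Teams, with a rule that blocks credit card numbers from being shared outside the organization. The policy name and comment are constructed values; the policy starts in test mode so matches are logged and users see policy tips, but nothing is blocked until the mode is switched to Enable.

```powershell
# Added example (not from the original page): a DLP policy in test mode across all four workloads.
# Assumes the ExchangeOnlineManagement module is installed and the account holds a compliance role.
Connect-IPPSSession

$policyName = "DLP - Credit card numbers leaving the organization"   # constructed name

# 1. Policy: which workloads/locations are in scope. TestWithNotifications shows users the
#    policy tip and records matches without blocking, so the rule can be tuned before enforcing.
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Added example: block external sharing of credit card numbers"

# 2. Rule: what counts as a match and what to do. Uses a built-in sensitive information type and
#    applies only when the recipient or share target is outside the organization.
New-DlpComplianceRule -Name "$policyName - external" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner

# 3. Verify the policy and rule were created as intended.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, ExchangeLocation, SharePointLocation, OneDriveLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, BlockAccess, Disabled

# 4. After reviewing matches in the compliance reports and accepting the false-positive rate,
#    switch to enforcement:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in test mode is the practical safeguard: a DLP rule that blocks on first deployment tends to interrupt legitimate business processes, and the resulting pressure to disable it is exactly the bypass behaviour the Risk paragraph warns about.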
Classification of content with additional protections
Risk: Organizational content is often mission-critical, sensitive, or private. As such, access to it must be controlled and limited for both end-users and external users. When no content protections are in place, organizations run the risk of confidential data leakage. The ramifications of data leakage are well defined and could involve company embarrassment, legal issues, and potentially fines.
Capabilities: Microsoft Information Protection services are core components designed to protect and classify content. Azure Information Protection, unified labeling, and sensitivity policies contain criteria for identifying content and the security protections to apply. Policies that identify content allow it to be classified by end-users, by administrators, or automatically. Designating protections such as watermarking, labeling, encrypting, and modifying permissions are the core protections.
If this all seems pretty overwhelming to an IT department that is understaffed and overworked, that's because it is. The checklist below describes the requirements and steps to help with deploying proper security controls across Microsoft 365 tools.
Your other option is to deploy a much simpler-to-use, while still robust, data governance platform natively integrated with M365 and designed to secure content across SharePoint, OneDrive, Teams and Exchange Online.
For more information, visit Egnyte's Data Governance and Compliance for M365 webpage.
Security Control Checklist
To help with deployment, organizations can step through this checklist and enable as required.
[ ] Require Multi-factor Authentication for Administrators
Create a conditional access policy that includes all administrator directory roles. Ensure either all cloud apps or specific apps are selected. Grant access and select Require multi-factor Authentication.
[ ] Require Multi-factor Authentication for All Users
Create a conditional access policy that includes all users or a group that contains the chosen users. Ensure either all cloud apps or specific apps are selected. Grant access and select Require multi-factor Authentication.
[ ] Block Legacy Authentication
Create a conditional access policy that includes all users and groups. Select all cloud apps, then in the conditions, choose to configure and select Exchange ActiveSync and Other Clients. Within access controls, choose Block access.
[ ] Enforce Trusted Location for Multi-factor Registration
Create a conditional access policy that includes all users and groups. Select all cloud apps or actions, and select User actions. Choose the Register Security Information. Within Conditions, choose Locations and include Any Location, then exclude All Trusted Locations. Select Client Apps, and set Configure to Yes. Under Access controls, select Block Access.
[ ] Block Access to Unapproved Locations
Create Named Locations within Conditional Access to represent the Blocked Locations, Subnet, or IP Ranges for the organization. Create a conditional access policy that includes all users and groups. Ensure either all cloud apps or specific apps are selected. Under conditions, set the included locations to the blocked locations. Within Access Controls, select Block Access.
[ ] Sign out Inactive Users
Navigate to the SharePoint Admin Center, expand Policies and choose Access Control. Click the Idle Session Sign-out option. Toggle the Sign out inactive users automatically, then select when to sign out users and how much warning you want to give them before signing them out.
[ ] Configure Password Expiration
Navigate to the Microsoft 365 Admin Center, click on Settings, then choose Org Settings. Click the Security & privacy page, then select Password expiration policy. Uncheck the box next to "Set user passwords to expire after a number of days".
[ ] Configure Banned Password Lists
Navigate to Azure Active Directory, choose Security. Under Manage, select Authentication Methods, then select Password Protection. Set Enforce custom list to Yes, then add the list of banned passwords. To use the list within on-premises Active Directory as well, install the agent.
[ ] Set the External Sharing Level
Navigate to the SharePoint Administration Center, click Policies, then Sharing. Set the sharing sliders as required, with a recommendation to use existing guests as the default. Configure any other specific configuration to control sharing and links to content.
[ ] Set the Account Lockout Threshold
Navigate to Azure Active Directory, then select Security, Authentication methods followed by Password protection. Set the Lockout Threshold to the number of failed sign-ins allowed before accounts are locked out. To mitigate a denial-of-service account attack, this should be 0; the default, however, should be 10.
[ ] Restrict External Sharing by Domain
Navigate to the SharePoint Administration Center, click Policies, then Sharing. Expand More external sharing settings, then check Limit external sharing by domain. Add the chosen domains allowed for external sharing.
[ ] Restrict External Sharing to Specific Security Groups
Navigate to the SharePoint Administration Center, click Policies, then Sharing. Expand More external sharing settings and then check the Allow only users in specific security groups to share externally option. Add the chosen security groups allowed for external sharing.
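The items "Sign out Inactive Users", "Set the External Sharing Level" and "Restrict External Sharing by Domain" above can also be applied with the SharePoint Online Management Shell, which is useful when the same baseline has to be reproduced across tenants. This is an added example, not code from the original checklist or from Egnyte or Microsoft; "contoso" is a placeholder tenant name and the allowed partner domains are constructed sample values.

```powershell
# Added example (not from the original checklist): apply the SharePoint Online sharing and
# idle-session settings from the checklist with the SharePoint Online Management Shell.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the account is a
# SharePoint administrator. "contoso" and the partner domains are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state before changing anything, so the change can be reviewed and reverted.
$settings = 'SharingCapability', 'OneDriveSharingCapability', 'DefaultSharingLinkType',
            'SharingDomainRestrictionMode', 'SharingAllowedDomainList'
"Before:"
Get-SPOTenant | Select-Object $settings | Format-List

# Set the External Sharing Level: only already-invited guests may be shared with, the checklist's
# recommended default. Values from most to least restrictive are Disabled,
# ExistingExternalUserSharingOnly, ExternalUserSharingOnly, ExternalUserAndGuestSharing.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -OneDriveSharingCapability ExistingExternalUserSharingOnly

# Default link type when a user clicks Share: a link for specific people, not an "anyone" link.
Set-SPOTenant -DefaultSharingLinkType Direct

# Restrict External Sharing by Domain: allow-list only the named partner domains
# (space-separated list; constructed sample values).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner-example.com partner2-example.com"

# Sign out Inactive Users: warn after 55 minutes of inactivity, sign out at 60.
Set-SPOBrowserIdleSignOut -Enabled $true `
    -WarnAfter (New-TimeSpan -Minutes 55) `
    -SignOutAfter (New-TimeSpan -Minutes 60)

# Confirm the tenant now reports the intended values.
"After:"
Get-SPOTenant | Select-Object $settings | Format-List
Get-SPOBrowserIdleSignOut
```

Capturing the "before" values matters because tenant-level sharing settings are inherited by every site that has not been given a more restrictive setting of its own; if the change is too restrictive for a business process, the recorded values are what you roll back to.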
[ ] Block Client Forwarding Rules within Exchange Online
Launch Windows PowerShell and create a new PowerShell session to Exchange Online. Execute the New-TransportRule command with the required property values:

    # Connect to Exchange Online (ExchangeOnlineManagement module)
    Connect-ExchangeOnline

    # Reject auto-forwarded messages sent from inside the organization to external recipients
    New-TransportRule -Name "Block Client Forwarding" `
        -Priority 1 `
        -SentToScope NotInOrganization `
        -FromScope InOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageEnhancedStatusCode 5.7.1
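The transport rule stops future auto-forwards, but it does not tell you which mailboxes already forward mail externally. The added example below (not code from the original checklist or from Egnyte or Microsoft) reports mailbox-level forwarding and inbox rules that forward or redirect, which is the check a practitioner runs before and after creating the rule; it assumes the ExchangeOnlineManagement module and an account that can read mailbox settings and inbox rules, and the output file name is a constructed value.

```powershell
# Added example (not from the original checklist): audit existing forwarding in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

function Get-MailboxForwardingReport {
    # Iterates every mailbox; on a large tenant this takes a while because Get-InboxRule
    # is called once per mailbox.
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        # Mailbox-level forwarding, set by the user (ForwardingSmtpAddress) or an admin (ForwardingAddress)
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            $target = if ($mbx.ForwardingSmtpAddress) { $mbx.ForwardingSmtpAddress } else { $mbx.ForwardingAddress }
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Source   = 'MailboxProperty'
                RuleName = $null
                Target   = "$target"
                KeepCopy = $mbx.DeliverToMailboxAndForward
            }
        }
        # Inbox (client) rules that forward, forward as attachment, or redirect
        foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
            if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
                $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
                [pscustomobject]@{
                    Mailbox  = $mbx.UserPrincipalName
                    Source   = 'InboxRule'
                    RuleName = $rule.Name
                    Target   = ($targets | ForEach-Object { "$_" }) -join '; '
                    KeepCopy = $rule.Enabled
                }
            }
        }
    }
}

$findings = Get-MailboxForwardingReport
$findings | Format-Table -AutoSize

# Keep a record for review; targets outside the organization's domains deserve follow-up.
$findings | Export-Csv -Path .\forwarding-report.csv -NoTypeInformation   # constructed file name

# Confirm the transport rule from the checklist exists and is enabled.
Get-TransportRule -Identity "Block Client Forwarding" |
    Select-Object Name, State, Priority, MessageTypeMatches, SentToScope, FromScope
```

Inbox rules that forward to external addresses are a common persistence mechanism after an account compromise, so this report is worth scheduling rather than running once; the transport rule blocks the delivery, but the rule left behind in the mailbox is still the evidence an incident responder needs.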
[ ] Restrict Unmanaged Application Consent
Navigate to Azure Active Directory, click Enterprise applications. Select Consent and permissions, then choose User consent settings. Under the User consent for applications option, set the required control. The recommendation is to use "Allow user consent for apps from verified publishers, for selected permissions".
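The same setting is exposed through the tenant authorization policy in Microsoft Graph. The added example below (not from the original checklist, nor Egnyte's or Microsoft's code) reads the current value, maps it back to the three options shown in the portal, and applies the recommended one; it assumes the Microsoft.Graph PowerShell module and an account permitted to change the authorization policy.

```powershell
# Added example (not from the original checklist): read and set the user consent setting via Graph.
# Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# The three portal options correspond to these permission grant policy assignments.
$ConsentOptions = [ordered]@{
    'Do not allow user consent'                                                      = @()
    'Allow user consent for apps from verified publishers, for selected permissions' = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
    'Allow user consent for apps'                                                    = @('ManagePermissionGrantsForSelf.microsoft-user-default-legacy')
}

function Get-UserConsentSetting {
    # Returns the portal label that matches the tenant's current assignment, or the raw value if custom.
    $assigned = @((Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    foreach ($label in $ConsentOptions.Keys) {
        if (($ConsentOptions[$label] -join ',') -eq ($assigned -join ',')) { return $label }
    }
    return "Custom: $($assigned -join ', ')"
}

"Current setting: $(Get-UserConsentSetting)"

# Apply the checklist's recommended option: verified publishers, low-risk permissions only.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
}

"Setting after change: $(Get-UserConsentSetting)"
```

Reading the value back after the change is the point of the function: an empty assignment list means users cannot consent at all, which also blocks legitimate low-risk apps and pushes requests to administrators, while the legacy policy allows any permission and is the setting that consent-phishing campaigns rely on.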
[ ] Enable Sign-in Risk-based Conditional Access
Navigate to Azure Active Directory, then click Security. Click Conditional Access. Create a new Conditional Access Policy. Under assignments, select Users and Groups and set to All Users. Within Cloud Apps or Actions, select All Cloud Apps or the chosen Apps. Select Conditions, and configure the Sign-in Risk to either High or Medium.
[ ] Enable User Risk-based Conditional Access
Navigate to Azure Active Directory, then click Security. Click Conditional Access. Create a new Conditional Access Policy. Under assignments, select Users and Groups and set to All Users. Within Cloud Apps or Actions, select All Cloud Apps or the chosen Apps. Select Conditions, and configure User Risk to be High. Under Access Controls, choose Grant and set to Require Password Change.
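Several checklist items above ("Require Multi-factor Authentication for Administrators", "Block Legacy Authentication", "Enable Sign-in Risk-based Conditional Access" and "Enable User Risk-based Conditional Access") are all Conditional Access policies, and the portal steps map directly onto the policy object that Microsoft Graph accepts. The added example below (not code from the original checklist, nor Egnyte's or Microsoft's) creates those four policies with Microsoft Graph PowerShell in report-only mode, with one helper that the "All Users" MFA item can reuse. It assumes the Microsoft.Graph module, an account allowed to manage Conditional Access, a placeholder group ID for the emergency-access (break-glass) accounts, and includes only the Global Administrator role in the administrator policy; the risk-based policies additionally require Identity Protection licensing.

```powershell
# Added example (not from the original checklist): Conditional Access policies via Microsoft Graph.
# Assumes the Microsoft.Graph module is installed. Policies are created report-only so sign-in
# logs can be reviewed before enforcement.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"            # PLACEHOLDER: your emergency-access group
$GlobalAdminRoleTemplateId = "62e90394-69f5-4237-9190-012177145e10"    # well-known Global Administrator role template ID

function New-ReportOnlyCaPolicy {
    param(
        [Parameter(Mandatory)] [string]    $DisplayName,
        [Parameter(Mandatory)] [hashtable] $Conditions,
        [Parameter(Mandatory)] [hashtable] $GrantControls
    )
    # Every policy excludes the break-glass group so a mistake cannot lock out all administrators,
    # and defaults to all cloud apps when the caller does not scope applications.
    if (-not $Conditions.ContainsKey('users')) { $Conditions['users'] = @{} }
    $Conditions['users']['excludeGroups'] = @($BreakGlassGroupId)
    if (-not $Conditions.ContainsKey('applications')) {
        $Conditions['applications'] = @{ includeApplications = @('All') }
    }
    $body = @{
        displayName   = $DisplayName
        state         = 'enabledForReportingButNotEnforced'   # report-only; change to 'enabled' after review
        conditions    = $Conditions
        grantControls = $GrantControls
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Require Multi-factor Authentication for Administrators (add further admin role template IDs to includeRoles)
New-ReportOnlyCaPolicy -DisplayName 'CA01 - Require MFA for administrators' `
    -Conditions @{ users = @{ includeRoles = @($GlobalAdminRoleTemplateId) } } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }

# Block Legacy Authentication: Exchange ActiveSync plus "Other clients" (POP3, IMAP, SMTP AUTH and older Office clients)
New-ReportOnlyCaPolicy -DisplayName 'CA02 - Block legacy authentication' `
    -Conditions @{ users = @{ includeUsers = @('All') }; clientAppTypes = @('exchangeActiveSync', 'other') } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('block') }

# Sign-in risk medium or high: require MFA
New-ReportOnlyCaPolicy -DisplayName 'CA03 - Sign-in risk medium/high requires MFA' `
    -Conditions @{ users = @{ includeUsers = @('All') }; signInRiskLevels = @('medium', 'high') } `
    -GrantControls @{ operator = 'OR'; builtInControls = @('mfa') }

# User risk high: require a password change (Graph requires passwordChange to be combined with mfa)
New-ReportOnlyCaPolicy -DisplayName 'CA04 - User risk high requires password change' `
    -Conditions @{ users = @{ includeUsers = @('All') }; userRiskLevels = @('high') } `
    -GrantControls @{ operator = 'AND'; builtInControls = @('mfa', 'passwordChange') }

# Review what exists and in which state before switching any policy to 'enabled'.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Format-Table -AutoSize
```

Two design choices carry the risk here. Report-only mode lets the sign-in logs show which users and clients would have been blocked, which for the legacy authentication policy usually surfaces service accounts, printers and scanners still using SMTP AUTH or IMAP that need to be migrated first. The break-glass exclusion exists because a Conditional Access policy applies to the administrator who created it; without an excluded emergency account, a policy that blocks more than intended can lock the tenant's own administrators out.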