Office 365 Security Best Practice
Best Practices for Securing Microsoft 365 for Business
Advanced Threat Protection (ATP)
ATP detects, prevents, and responds to advanced threats that can bypass traditional security protections such as firewall, antivirus, and monitoring solutions. It provides access to a database of known threats that is updated in real-time.
Configuring Conditional Access takes Office 365 security to the next level by enabling customized policies at a granular level to detect and stop unusual behavior that could be the sign of an attack.
Disable Auto-Forwarding of Emails
Auto forwarding email can pose a significant security risk. Attackers commonly use this to gain persistent access to a compromised mailbox and use it to steal data.
Exchange Online Protection
Exchange online protection is a cloud-based filtering service that protects organizations against spam, malware, and other email threats. It can also be used to verify inbound email by configuring DMARC, DKIM, and SPF records.
Attackers are often located in another state or country from where they are targeting. Geo-blocking uses conditional access policies to prevent user access by country or region to the risk of attack.
Logging and Auditing
Use SIEM technology to provide analysis and reporting on security alerts coming from end-user devices, servers, and network equipment. It can also process data from specialized security equipment, such as firewalls, antivirus systems, intrusion detection systems (IDS), and intrusion prevention systems (IPS). Combining security information management and security event management provides a holistic view.
Mobile Device Management (MDM) and Mobile Application Management (MAM)
Using MDM and MMA supports the management of security across all devices that use Office 365. In addition to monitoring activity, it can be used to remotely wipe a device if it is lost or stolen. MDM and MAM also allow admins to define which apps on a mobile device can access corporate data and enforce security compliance policies on mobile devices.
With multi-factor authentication, weaknesses with passwords can be overcome. This is widely considered one of the most effective ways to prevent automated attacks.
OneDrive Known Folder Protection
Enabling OneDrive Folder Protection securely backs up users’ Desktop and Document folders to the cloud automatically—without VPN tunneling. It not only prevents accidental data loss, but provides ransomware remediation. This is because 100 versions of every file are kept by default, making it easy to roll back to a clean version and reimage the users’ devices
Role-Based Access Control
Determine what users need and only grant them access based on the requirements for that specific role. This adheres principle of least privilege policy and helps minimize the damage if an account is breached, because the attackers have access to limited information.
Secure Email Flow
Securing email flow ensures the smooth movement of mail as well as prevents breaches that can occur through email. A few ways that this can be done are to configure Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) records. Additional tactics to secure mail flow are to use:
- Safe Attachment scanning
- Safe Link URL scanning for all hyperlinks in an email
Microsoft Secure Score provides an overview of security performance at a glance with the ability to drill down to get details about areas that need improvement. This allows admins to focus their attention on the areas with the lowest performance or highest risk.
Strong passwords should always be used to prevent unauthorized access from the many approaches attackers use to break into systems, such as password spray and brute force. A few rules for creating a secure password are:
- Avoid obvious passwords, such as 123456 or abcdefg
- Do not use the same password for different accounts
- Mix symbols, uppercase and lowercase letters, and digits
- Passwords should have at least eight characters
- Revise passwords every six months or less
Unified Audit Log (UAL)
UAL should be enabled. It contains logs from Office 365 services like Azure AD, Microsoft Teams, SharePoint Online, and OneDrive. By enabling UAL, an admin can identify unusual activities. UAL can integrate logs with SIEM tools to improve security with a more holistic view.
Zero-Trust Network Access
Following zero-trust network access protects all parts of Office 365 by assuming that there are attackers both within and outside the network. Based on this assumption, no users or machines are automatically trusted. Zero-trust verifies users’ identities and privileges as well as device identity and security.
About the Microsoft 365 Secure Score
Measurement is a key part of following and getting the most out of best practices for Security Microsoft 365 for Business. Microsoft 365 Secure Score is a free tool that can be used for assessing the performance of security across Microsoft 365. The score that is provided gives guidance on areas for improvement.
Is Office 365 Secure?
Office 365 is secure as long as best practices for security are implemented and followed. The security of Office 365 is enabled by features and processes that fall into four main security solution categories.
Identity and Access Management
Office 365 includes access to Microsoft identity and access management (IAM) solutions that allow admins to manage digital identities. This comes with secure access to resources connected to Office 365, including applications, databases, and networks. In addition, admins can use Microsoft IAM’s risk-based access controls, identity protection tools, and strong authentication options to deflect suspicious login attempts and secure user credentials. These enable admins to use role-based access controls to assign and manage users’ privileges. Among the other functionality provided as part of Microsoft IAM are:
- Seamless user experience to streamline secure access to systems, applications, and data
- Secure, adaptive access to protect users against identity compromise with strong authentication and real-time, risk-based adaptive access policies that ensure only authorized users and reliable devices can access resources and data
- Unified identity management gives increased visibility and control over identities and easy, secure access to applications and data from a central location
Microsoft Information Protection (MIP) helps Office 365 users and admins locate, organize and protect sensitive information across clouds, applications, and endpoints. Several features of Microsoft MIP that secure and adjacent solutions data and prevent data loss are:
- Data classification identifies and labels important information as it travels across environments to protect sensitive information regardless of where it resides. This feature also supports data governance by facilitating the enforcement of retention rules for data.
- Data loss prevention (DLP) uses the Microsoft 365 Compliance Center to create and manage data protection policies.
- Microsoft Information Governance (MIG) supports adherence to data privacy regulations by enabling admins to efficiently manage information lifecycles—from creation to destruction.
Security and Risk Management
Within Office 365, security and risk management functionality helps admins quickly identify and remediate risks from both malicious and unintentional activities. Security and risk management functions include:
- Advanced audit supports forensic and compliance investigations by increasing audit log retention and providing access to event-related data that provides insights into and understanding of the scope and causes of security incidents.
- Communication compliance minimizes internal and external risks by allowing admins to quickly identify and respond to messages that violate code-of-conduct policies.
- Customer Lockbox allows admins to manage how Microsoft’s IT support engineers access content by granting or denying permissions.
- Information barriers allow admins to limit or restrict communication and collaboration between certain users or groups to avoid conflict of interest or protect internal information.
- Insider risk management functionality helps admins identify, detect, analyze, and respond to insider risks.
- Privileged access management (PAM) supports the addition or removal of privileged admin access based on demonstrated needs.
To secure email, data, applications, devices, and identities against cyberthreats, Office 365 includes has integrated, automated security solutions that include:
- Extended detection and response (XDR) capabilities are available from Microsoft 365 Defender and Azure Defender to prevent and detect attacks across identities, endpoints, email, data, and cloud apps.
- Powered by artificial intelligence (AI), the Security Information and Event Management (SIEM) functionality, available with Azure Sentinel, enables proactive detection and prevention of threats with a holistic view across an organization.
Reasons Office 365 Security Effort Requires Focus
Without proper configuration, management, and monitoring, the productivity gains made possible with Office 365 will be overshadowed by risk or security compromises at worst, such as data theft, reputational damage, regulatory compliance penalties, and monetary losses. Despite effective default and customizable Office 365 security, an unwavering focus is required to combat persistent security challenges, including:
- Growing costs of security compromises—hard and soft
- Constantly changing threat actors and attack methods
- Increasingly stringent compliance requirements from industry and governments
Office 365 Activities to Monitor
With Office 365, Microsoft performs extensive monitoring and auditing of all delegation, privileges, and operations. Much of this is done using automated processes that employ access controls based on the principle of least privilege and audits. Office 365 monitoring includes:
- Ensuring that all permitted access is traceable to a unique user.
- Holding administrators accountable for how information is handled
- Capturing data about all access control requests, approvals, and administrative operations logs for security analysis to identify malicious activity
- Reviewing access levels to ensure that only users with a demonstrated requirement have access to systems, networks, and data
- Auditing third parties (e.g., partners, vendors, contractors) for compliance with relevant regulations and standards
Additional Office 365 activities to monitor are:
- Changes to passwords or policies by admins
- Creation or deletion of accounts
- Data users tried to access
- Detect brute force login attempts to Office 365
- Escalation of privileges for accounts
- Failed logins within a short period of time
- Identify suspicious login attempts by location
- Login activities with an eye toward unusual access attempts or signs of brute force
- Mailbox access attempts by non-owners
- Mailbox purges or deletions, such as large amounts of email or folders
- Modifications to files and documents
- Updates to configuration, especially as related to security
- User behavior, especially as related to access
Office 365 Security Defaults
Office 365 was designed to help protect organizations’ user accounts with pre-configured security settings as well as Conditional Access for customized security settings.
Office 365 defaults include enabling multi-factor authentication (MFA) for accounts—users and admins. Following Office 365 security best practices, the defaults provide protection against unauthorized access to accounts and thwart identity-related attacks. The default security settings protect accounts by:
- Disabling authentication from legacy authentication clients that do not support MFA.
- Having admins go through the extra authentication every time they sign in.
- Requiring all users and admins to sign up for MFA
- Using MFA to validate users’ identities when trying to perform critical roles or tasks and when
- they appear with a new device.
Rules around passwords are also included as part of Office 365 security defaults. The password policy has three primary requirements, based on strong passwords, to ensure optimal protection.
1. Password length—minimum of eight characters
2. Password complexity—must include a mix of uppercase and lowercase letters, numbers, and non-alphabetic symbols (e.g., %, ; !,@,#,_,-)
3.Password expiration time—the is 90 days, but this time can be changed, or the password can be set to never expire (not recommended)
Premium subscriptions offer additional capabilities, including:
- Global banned passwords—a list of commonly used and compromised passwords
- Custom banned passwords—a custom list of words to be blocked from appearing in passwords
An alternative to the default security settings is conditional access. With conditional access, more complex security requirements can be supported. Conditional access allows admins to create and define policies that react to specific sign-in events. An example of conditional access is requesting additional authentication before a user is granted access to an application or service if they are logging in from a location for the first time. Conditional access policies can be used for highly-granular controls based on users, locations, connection types, or activities.
NOTE: Conditional Access and security defaults can not be used at the same time. Security defaults must be turned off to use Conditional Access.
Office 365 Security Best Practices: More Is Better
Following Office 365 security best practices is an important first step to protecting against the litany of threat vectors that all users and organizations face. Couple these with standard security best practices to have the most effective defense strategy.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.
Last Updated: 9th January, 2023