Don’t be that guy. With Microsoft 365, you have everything required for a seriously secure experience – so long as it is properly configured.
The good news: setting it up isn’t difficult, and you can do most of it yourself. Check out these five tips and tricks for often overlooked features and recommendations - and get a more secure Microsoft 365.
With MFA built into Microsoft 365, and with Microsoft MFA simple yet effective, ‘you’d be crazy not to use it’. Turn it on for all administrators and all users.
The most common vulnerabilities today include business email compromise, the use of legacy protocols which have only basic authentication, and password reuse. MFA instantly bypasses all these vulnerabilities, blocking up to 99.9 percent of account compromises.
Microsoft has made things easier with the recent introduction of Combined MFA and Self-Service Password Reset (SSPR) registration. Users register for MFA and SSPR in the same portal.
With MFA, knowing or cracking the password won’t be enough to gain access. And enabling it is literally a flick of a switch. Just like that.
I often see administrators using their daily or personal accounts as a ‘Global Administrator’, performing various tasks (provisioning users, managing access, etc.). This is a bad idea which leaves your organisation vulnerable. Instead, create dedicated Admin accounts, rename them, and limit the number of Azure AD ‘Global Administrator’ roles. We recommend fewer than 5 such accounts, and never sharing them.
The reason is that administrative accounts are valuable targets for hackers because they permit access to your organisation’s settings and most of the data.
A further tip is turning on Customer Lockbox. This addresses situations where Office 365 Administrators need explicit control of the tenant. Customer Lockbox ensures Microsoft can’t access your content to perform a service operation without your explicit approval. It also records all interactions for auditing purposes.
Administrators often joke that users are the problem when it comes to security. They’re not wrong, of course, because if you don’t have users, you don’t have security issues. You also don’t have a company, so making the most of how users interact with your systems is the task at hand.
Using Conditional Access, you can get users to register for the MFA and SSPR discussed in Point 1 above. Conditional Access provides various controls, including a ‘location’ condition which restricts MFA/SSPR registrations from trusted network locations. Other controls include:
· Sign-in frequency, which lets you determine how often users must sign in to enjoy access to their applications and data (set to daily and eliminate the risk of sessions left open for months).
· Persistent browser sessions. A persistent browser session allows users to remain signed in after closing and reopening their browser window. By choosing ‘never persistent’ in session control, users must sign in again for new browsers sessions. This prevents unauthorised access via the browser, as only the person with the right username and password – and MFA, of course! – can get in.
Azure Active Directory works hand in hand with Microsoft 365, providing control over identity and access (and bear in mind almost all hacks focus on identity first, then access).
Let’s look at how to block legacy authentication with Azure AD using Conditional Access; you want to block legacy authentication, of course, so that MFA is exclusively used instead.
There are three steps to help blocking legacy authentication:
1. In the Azure portal, use Azure AD Sign-ins to identify legacy authentication. Filter by client app to identify sign-ins by modern and legacy authentication. Client apps, including Browser or Mobile Apps and Desktop clients, are considered modern, while the others, such as IMAP, POP, and MAPI are considered legacy.
2. With legacy authentication identified, use Conditional Access with ‘report-only’ mode to monitor the impact of blocking. Policies in ‘report-only’ mode are evaluated at sign-in, but the grant controls are not enforced, so you can see who is using legacy authentication in real time without blocking them.
3. Should the impact on users be deemed acceptable and manageable, the final step is turning on the ‘Block Legacy Authentication’ policy.
Staying in the Azure AD portal, let’s examine activity controls from a governance perspective. Many customers manage your users, groups, and organisation settings in Microsoft 365 Admin Portal, but haven’t gone through the Azure AD settings or features in the Azure portal.
This means Azure AD activity controls are routinely overlooked.
When collaborating with external organisations, Azure AD provides external user invitation, controlling who users can invite to collaborate within your Microsoft 365 environment. By default, all users and existing guests in your directory can invite guests, even if they are not assigned an admin role. This is an obvious vulnerability.
Restrictions controlling who users can invite should include:
· Only Admins and Users with ‘Guest Inviter Roles’ assigned should be permitted to invite guest users.
· Use the ‘Allow invitation only to specific domains’ setting. This furthers lock down invitations to target domains.