10 steps to secure your M365 environment (part 1)
Updated: Aug 20, 2021
Working in the cloud has become a daily routine and has given us many opportunities. Activities that used to take days - think of visiting multiple customers in different countries in one day - are now feasible in a few hours.
Unfortunately, malicious parties also benefit from these new opportunities that no longer require a physical presence. Reports of organisations being hit by malware, ransomware, and digital intrusion have exploded. And a proportion of the victims probably do not (yet) know that they are victims.
So how do you reduce the chance that your organisation is affected, and keep the consequences as small as possible when it is? It's like a game of simultaneous chess, only the board and the rules tend to change over time.
In a few blogs, I am going to discuss - and give some tips about - a number of basic features that Microsoft provides for enhancing the security of your Microsoft 365 environment:
Set up multi-factor authentication
Train your users
Use separate administrative accounts
Protect against e-mail malware
Protect against ransomware
Stop automatic e-mail forwarding
Use Office Message Encryption
Protect against e-mail phishing attacks
Protect against malicious attachments and files in e-mails
Protect against phishing attacks with Safe Links
A number of these actions will sound familiar and your organisation may have already implemented them. But have they been implemented correctly? A periodic check-up never hurts. As I mentioned before: the board and rules of the game are evolving. A good practice is to regularly check the security posture of your Microsoft 365 tenant using the Secure Score.
So let's start with the first step.
1. Set up Multi-Factor Authentication
What's Multi-Factor Authentication (MFA)
When you sign into your online accounts - a process called "authentication" - you're proving to the service that you are who you say you are. Traditionally that's been done with a username and a password. Unfortunately that's not a very good way to do it. Usernames are often easy to discover; sometimes they're just your email address. Since passwords can be hard to remember, people tend to pick simple ones, or use the same password at many different sites.
That's why almost all online services - banks, social media, shopping and yes, Microsoft 365 too - have added a way for your accounts to be more secure. You may hear it called "Two-Step Verification" or "Multi-Factor Authentication".
A factor in authentication is a way of confirming your identity when you try to sign in. For example, a password is one kind of factor: it's a thing you know. The three most common kinds of factors are:
Something you know - Like a password, or a memorized PIN.
Something you have - Like a smartphone, or a secure USB key.
Something you are - Like a fingerprint, or facial recognition.
Here you can learn more about Multi-Factor Authentication in general.
Determine your MFA strategy
A Microsoft 365 environment normally hosts many different user accounts. You've got your employee accounts, there are administrators, service accounts, guest accounts, you may have outsourced administration, etc. A Microsoft 365 license will have been assigned to many (but certainly not all) of these users.
A. Security Defaults
Your first idea will probably be to protect 'all user accounts' by MFA. And that's easy to implement by enabling the 'Security Defaults' in your 'Azure Active Directory admin center'. Security Defaults activates MFA for each and every account (even the external users and users without an M365 license), but - as you can read here - it also applies a couple of other security settings.
But that quick implementation for all users comes at a cost: it imposes a number of limitations that may not suit your organization. Just some examples:
It only works with the 'Authenticator' app. So every user needs a smartphone that has the app installed. And you cannot use third-party MFA solutions already in place.
You cannot make any exceptions to the accounts that are subjected to MFA. Think about the 'break glass accounts' or 'service accounts'.
You cannot combine Security Defaults with Conditional Access Policies.
To summarize: Only use the Security Defaults if your organization and (external) users have a simple and modern IT infrastructure and you are happy with using the free tier of Azure Active Directory.
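Whichever strategy you pick, enabling a policy is not the same as every account having actually registered an MFA method, so the periodic check-up mentioned earlier should include that. The following is an added example (not code from the original post) using the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the listed permissions, and that the `$BreakGlassAccounts` list is a placeholder you replace with your own emergency-access account names.

```powershell
# Added example: periodic MFA posture check for a Microsoft 365 tenant.
# Assumes the Microsoft.Graph PowerShell module is installed and the signed-in
# account holds (or can consent to) the Graph permissions requested below.
Connect-MgGraph -Scopes "Policy.Read.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# 1. Is the tenant relying on Security Defaults? Remember that they cannot be
#    combined with Conditional Access and allow no per-account exceptions.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($defaults.IsEnabled)"

# 2. Which users have actually completed MFA registration? The registration
#    report tells you this per user, including whether the user is an admin.
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Placeholder: replace with your own break-glass account UPNs. These are
# normally excluded from MFA on purpose, so they are reviewed, not "fixed".
$BreakGlassAccounts = @("breakglass1@contoso.example", "breakglass2@contoso.example")

$notRegistered       = @($report | Where-Object { -not $_.IsMfaRegistered })
$adminsNotRegistered = @($notRegistered | Where-Object { $_.IsAdmin })

Write-Host ("Users: {0}  MFA registered: {1}  Not registered: {2}  Admins not registered: {3}" -f `
    $report.Count, ($report.Count - $notRegistered.Count), $notRegistered.Count, $adminsNotRegistered.Count)

# Admins without MFA are the most urgent gap, so list them first.
if ($adminsNotRegistered.Count -gt 0) {
    Write-Host "`nAdministrators without a registered MFA method:"
    $adminsNotRegistered | Select-Object UserPrincipalName | Format-Table -AutoSize
}

# Everyone else: tag each account so the output separates expected exclusions
# (break-glass) from accounts that still need to register.
Write-Host "`nAll accounts without a registered MFA method:"
foreach ($user in $notRegistered) {
    $tag = if ($BreakGlassAccounts -contains $user.UserPrincipalName) {
        "break-glass: exclusion expected, confirm sign-in alerting is in place"
    } else {
        "needs MFA registration"
    }
    "{0}`t{1}" -f $user.UserPrincipalName, $tag
}
```

Run it from a workstation with the Microsoft.Graph module and review the admin list first; a non-zero admin count is the finding to act on before anything else.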
B. Compound Strategy
This probably is the strategy that best fits your organisation.
It combines a number of actions, even if you decide to only use the embedded features of Microsoft 365:
applying Conditional Access policies
'manually' assigning MFA
As implementing this strategy takes some preparation and explanation I will save that for the next blog.