During the pandemic, many companies enabled their employees to work from home using Microsoft Teams, resulting in substantial growth in Teams’ daily active users. The remote-work-driven growth began in March 2020 and continued at a staggering pace throughout the year.
Microsoft undertook a study to uncover the pandemic-related threats that companies see coming in 2021. Nearly 800 business leaders in India, Germany, the UK, and the US took the survey. The study showed that 82% of respondents plan to add security staff, 81% feel pressure to lower security costs, while 58% of leaders have already increased their security budgets.
With all this being said, security concerns will continue to make business leaders worry in 2021. That’s why I’d like to dedicate this blog to them and show them a few security tips and tricks.
Source: Microsoft
Optimizing Security Across Office 365
In this blog, I will lead you through some security best practices I have gathered throughout the years of dealing with SharePoint and Microsoft 365.
Azure AD
No security best practices post could be published without Azure AD tips. Azure AD is the backbone of Office 365 – everything you do in Office 365 is configured here.
MFA
You should turn on Azure AD Multi-Factor Authentication for all employees, whether they work from home or from the office, for every sign-in to Office 365. The Microsoft Authenticator app on their phones is enough as a second factor.
Azure AD’s security defaults cover these baseline practices:
- Require all users to register for Azure AD Multi-Factor Authentication.
- Require administrators to perform multi-factor authentication.
- Block legacy authentication protocols.
- Require users to perform multi-factor authentication when necessary.
- Protect privileged activities like access to the Azure portal.
Emergency access accounts
It is good practice to create two or more emergency access accounts in your organization to mitigate the impact of accidentally losing administrative access. These accounts let you get back in when normal admin access fails, but use them only when strictly necessary.
These super admin accounts are cloud-only and are not tied to any individual’s devices. If a device is used for them, it should be kept in a known, secure, and accessible location.
The MFA mechanism for these accounts differs from that of regular accounts, so it’s advisable to register a third-party MFA method that still works if the primary one is down. They differ in one more way: they must not be subject to clean-up actions when they become inactive.
All things being said, you should always keep a close eye on the sign-ins from these accounts and regularly validate them.
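Keeping a close eye on these accounts is easiest to automate. The script below is an added example, not code from the original post: it queries the Azure AD sign-in log through the Microsoft Graph PowerShell SDK for every sign-in (successful or failed) by the emergency access accounts in the last 24 hours. The account names, the 24-hour window and the Graph scopes are assumptions; any sign-in by these accounts should be treated as an event worth a human looking at.

```powershell
# Added example (not from the original post): report every sign-in by an
# emergency access account. Assumes the Microsoft Graph PowerShell SDK and
# the AuditLog.Read.All permission; the UPNs below are placeholders.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$breakGlass = @("emergency1@contoso.example", "emergency2@contoso.example")   # placeholders
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

foreach ($upn in $breakGlass) {
    # Graph filter: only this account, only the last 24 hours.
    $signIns = Get-MgAuditLogSignIn -All -Filter "userPrincipalName eq '$upn' and createdDateTime ge $since"

    if (-not $signIns) {
        Write-Output "$upn : no sign-ins in the last 24 hours"
        continue
    }

    foreach ($s in $signIns) {
        # A failed sign-in is just as interesting as a successful one: someone
        # may be probing the account with guessed passwords.
        $status = if ($s.Status.ErrorCode -eq 0) { "SUCCESS" } else { "FAILURE(code $($s.Status.ErrorCode))" }
        Write-Warning ("{0} {1} {2} from {3} ({4}, {5}) app={6}" -f `
            $s.CreatedDateTime, $upn, $status, $s.IpAddress,
            $s.Location.City, $s.Location.CountryOrRegion, $s.AppDisplayName)
    }
}
```

Run it on a schedule (or wire the same filter into an Azure Monitor alert on the SigninLogs table) and route the warnings to the people who own the accounts; because these accounts are excluded from Conditional Access and clean-up jobs, the sign-in log is the only control you have left on them.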
Protect your global M365 admin accounts
You need to use the strongest form of secondary authentication to protect your Microsoft 365 global admin accounts. Also, it’s good practice to introduce backup procedures for situations when global admins cannot log in.
On top of that, there are additional protective measures, such as using privileged access workstations and Azure AD Privileged Identity Management.
Limit Admin roles in AAD
You should limit the use of the Global Administrator role to situations where it is strictly necessary. Many narrower roles can be used instead of a global admin account, such as Printer Administrator and Privileged Role Administrator.
Administrative Units
Administrative units act as a container for other Azure AD resources like users and groups. In other words, you can put many users and groups into a unit and assign an admin to it to delegate admin privileges.
My Staff
My Staff is a new application in Microsoft 365, built on top of Administrative Units. The person using this app doesn’t need to be a power user to do simpler security actions.
An everyday use case of this app is in retail stores. A store manager can easily do operations via their phone app, such as changing a phone number, enabling/disabling MFA, or updating contact info.
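To make the “limit admin roles” and “administrative units” advice concrete, here is an added example (not code from the original post or from SysKit) using the Microsoft Graph PowerShell SDK. It first counts the Global Administrators and warns when there are more than a handful, then builds an administrative unit for one retail store and gives the store manager the Authentication Administrator role scoped to that unit only, which is the kind of delegation My Staff relies on. The store name, the `department` attribute used to find its users, the manager’s UPN and the threshold of five are all assumptions.

```powershell
# Added example (not from the original post): inventory Global Administrators
# and delegate a narrower, scoped role instead of handing out Global Admin.
# Assumes the Microsoft Graph PowerShell SDK; names and UPNs are placeholders.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "AdministrativeUnit.ReadWrite.All", "User.Read.All"

# 1. How many Global Administrators exist? Everyone beyond a small core team
#    should be moved to a role that covers only what they actually do.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All)
$gaMembers | ForEach-Object { $_.AdditionalProperties.userPrincipalName }
if ($gaMembers.Count -gt 5) {   # threshold is an assumption
    Write-Warning "$($gaMembers.Count) Global Administrators found; move some to narrower roles."
}

# 2. Administrative unit for one store, populated from the department attribute.
$au = New-MgDirectoryAdministrativeUnit -DisplayName "Store 042" -Description "Users of retail store 042"
$storeUsers = Get-MgUser -Filter "department eq 'Store 042'" -All
foreach ($u in $storeUsers) {
    New-MgDirectoryAdministrativeUnitMemberByRef -AdministrativeUnitId $au.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($u.Id)" }
}

# 3. Scoped role: the manager may reset MFA/phone details for store staff only.
#    Get-MgDirectoryRole only lists roles already activated in the tenant, so
#    activate the role from its template if it is missing.
$authAdminRole = Get-MgDirectoryRole -Filter "displayName eq 'Authentication Administrator'"
if (-not $authAdminRole) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq "Authentication Administrator"
    $authAdminRole = New-MgDirectoryRole -RoleTemplateId $template.Id
}
$manager = Get-MgUser -UserId "manager042@contoso.example"   # placeholder UPN
New-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -BodyParameter @{
    roleId         = $authAdminRole.Id
    roleMemberInfo = @{ id = $manager.Id }
}
```

The scoped assignment is the point: the manager gets no rights over users outside the unit, and nothing in the script touches the Global Administrator role itself.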
Access Review
Companies should regularly review access to reduce the risk associated with stale roles and ensure proper role assignments. That’s especially important for highly privileged roles. That’s why it’s recommended to configure periodic access reviews for the entire tenant.
Microsoft Defender for Office 365
Microsoft Defender for Office 365 is another security layer in Microsoft 365. It blocks malware, spam, phishing, and other threats coming into the company from outside via email, OneDrive, and SharePoint.
Defender is built around AI and uses threat signals gathered across many Office 365 customers, so it can track possible hazards proactively, before they cause harm.
Security Dashboard
With the Security Dashboard, admins can get an overview of what is happening in the tenant – how many malware messages are blocked, how many phishing messages are detected, etc., and learn how to manage the system’s security proactively.
Conditional Access
Conditional Access is a feature within Azure AD that evaluates various signals about each sign-in to make a decision. In essence, policies are if-then statements that enforce organizational policies automatically; the risk signals they consume can come from machine learning.
They are built on signals such as the user’s location, sign-in pattern, and so on. For example, if your company operates only from the US and someone tries to sign in from another country, you can block that sign-in.
Source: Microsoft
Some of the signals you can use in conditional access are:
- User or group membership
- IP Location
- Device
- Application
- Real-time risk
Some of the decisions you can enforce in conditional access are:
- Block
- Grant
- Require MFA
- Require compliant device
Standard Conditional Access policies are:
- Requiring multi-factor authentication for users with administrative roles
- Requiring multi-factor authentication for Azure management tasks
- Blocking sign-ins for users attempting to use legacy authentication protocols
- Requiring trusted locations for Azure AD Multi-Factor Authentication registration
- Blocking or granting access from specific locations
- Blocking risky sign-in behaviors
- Requiring organization-managed devices for specific applications
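The following is an added example, not from the original post: it creates three of the standard policies listed above (MFA for administrative roles, blocking legacy authentication, and MFA outside trusted locations) with the Microsoft Graph PowerShell SDK. Each policy excludes the emergency access accounts, and each starts in report-only mode so the sign-in log shows what would have happened before anything is enforced. The object IDs of the emergency accounts, the policy names and the choice of admin roles are assumptions.

```powershell
# Added example (not from the original post): three baseline Conditional
# Access policies, created in report-only state. Assumes the Microsoft Graph
# PowerShell SDK and Policy.ReadWrite.ConditionalAccess; IDs are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All"

# Emergency access accounts are excluded from every policy so they can never be locked out.
$breakGlassIds = @("<object-id-of-emergency1>", "<object-id-of-emergency2>")   # placeholders

# Look up role template IDs by name instead of hard-coding GUIDs.
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in @("Global Administrator", "Privileged Role Administrator",
                                        "Exchange Administrator", "SharePoint Administrator") } |
    Select-Object -ExpandProperty Id

$reportOnly = "enabledForReportingButNotEnforced"

$policies = @(
    @{
        displayName   = "CA001: Require MFA for administrators"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeRoles = $adminRoleIds; excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    },
    @{
        # Legacy protocols (Exchange ActiveSync, IMAP/POP/SMTP "other clients") cannot do MFA,
        # so they are the usual route around it; block them outright.
        displayName   = "CA002: Block legacy authentication"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{
        displayName   = "CA003: Require MFA outside trusted locations"
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
            applications   = @{ includeApplications = @("All") }
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}
```

After a week or two of checking the report-only results in the sign-in log, switch a policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled`. Note that “AllTrusted” only means something once you have defined trusted named locations (your office IP ranges) in Azure AD.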
Azure AD Identity Protection
Azure AD Identity Protection goes one step beyond Conditional Access in using machine learning to help you proactively protect your environment. It automates the detection and remediation of identity-based risks such as:
- Atypical travel,
- Anonymous IP address,
- Unfamiliar sign-in properties,
- Malware linked IP address,
- Leaked Credentials,
- Password spray,
- Azure AD threat intelligence.
Start by investigating the risks using the data in the portal; you can then export the risk detection data to third-party tools for further analysis.
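As an added example of that last step (not code from the original post), the script below reads the last seven days of Identity Protection risk detections through the Microsoft Graph PowerShell SDK, summarises them by detection type and risk level for a quick triage view, flattens the nested location fields, and writes a CSV that any SIEM or spreadsheet can ingest. The seven-day window, the output path and the Graph scopes are assumptions.

```powershell
# Added example (not from the original post): triage and export Identity
# Protection risk detections. Assumes the Microsoft Graph PowerShell SDK with
# IdentityRiskEvent.Read.All and IdentityRiskyUser.Read.All.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"

$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$detections = @(Get-MgRiskDetection -All -Filter "activityDateTime ge $since")

# Triage view: which detection types (atypicalTravel, anonymizedIPAddress,
# leakedCredentials, passwordSpray, ...) are firing, and how severe they are.
$detections |
    Group-Object RiskEventType, RiskLevel |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Flatten nested properties so the CSV is usable by third-party tools.
$rows = $detections | ForEach-Object {
    [pscustomobject]@{
        ActivityDateTime = $_.ActivityDateTime
        User             = $_.UserPrincipalName
        RiskEventType    = $_.RiskEventType
        RiskLevel        = $_.RiskLevel
        RiskState        = $_.RiskState      # atRisk, confirmedCompromised, remediated, dismissed, ...
        IpAddress        = $_.IpAddress
        City             = $_.Location.City
        Country          = $_.Location.CountryOrRegion
        Source           = $_.Source
    }
}
$rows | Export-Csv -Path ".\risk-detections.csv" -NoTypeInformation   # output path is a placeholder

# Users still flagged high risk and not yet remediated deserve the first look.
Get-MgRiskyUser -All -Filter "riskState eq 'atRisk' and riskLevel eq 'high'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime
```

The CSV is the hand-off to whatever tooling does the deeper analysis; the risky-user query at the end is the list to work through by hand (password reset, session revocation) if no automated remediation policy is in place.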
Microsoft Intune
Microsoft Intune helps you control how your organization’s devices are used, including mobile phones, tablets, and laptops. It has two parts:
- Mobile device management (MDM)
- Mobile application management (MAM)
It enables people in your organization to be productive on all of their devices while keeping your organization’s information protected with the policies you create.
Microsoft 365 security center
The Security Center gives you an overview of the essential aspects of Microsoft 365 security:
- Overall security health of your organization
- Service incidents
- Alerts – all the alerts across your Microsoft 365 environment
- Action center – actions to be performed by the IT team
- Reports – the details and information you need to better protect your users, devices, and apps
- Secure Score
- Advanced hunting – proactively search for malware, suspicious files, and activities in your Microsoft 365 organization
- Classification – add labels to classify documents, email messages, sites, and more
- Policies – set up procedures to manage devices, protect against threats, and receive alerts about various activities in your organization
Microsoft 365 Secure Score
Microsoft 365 Secure Score is a dashboard from where you can monitor and improve the security of your Microsoft 365 identities, data, apps, devices, and infrastructure. The dashboard validates you against best practices and industry standards and gives you a score.
You can use it to check if your system has been set up correctly and do recommended tasks if you’re missing some essential configuration.
Microsoft Cloud App Security
Microsoft Cloud App Security acts like a broker that routes your applications’ traffic and makes sure that data flowing from your users to applications is secure. Some of the key benefits are:
- Discovers and controls the use of shadow IT
- Protects your sensitive information anywhere in the cloud
- Protects against cyberthreats and anomalies
- Assesses the compliance of your cloud apps
Source: Microsoft
Support working from home
Here are some actions that make your remote workers more efficient, secure, and empowered:
- Enable MFA
- Protect against threats
- Configure Defender O365
- Configure Defender for Identity
- Turn on Defender
- Configure Intune for mobile
- MFA conditional + Intune app
- Device Management
- Optimize
- Train
- Cloud App Security
- Monitor the system
VPN Split tunneling
To optimize the end-user experience and speed up the traffic flow to Office 365, you should route Office 365 traffic directly from the user’s device to Microsoft (split tunneling) instead of backhauling it through the company network and VPN.
Source: Microsoft
Collaboration Security
One of the most significant advantages of the cloud versus on-prem is collaborating with people inside and outside your company. But that flexibility comes with some security concerns as well.
Secure Collaboration with Microsoft 365
Microsoft 365 supports several sharing scopes; you can set up sharing with:
- Anyone (unauthenticated)
- People inside the organization
- Specific people inside the organization
- Specific people inside and outside the organization
Source: Microsoft
There are different components you can employ to share your resources safely:
Collaborating with people outside your organization
The great advantage of Microsoft 365 is the possibility to collaborate with partners, vendors, customers, and others who don’t have an account in your directory.
You can enable sharing on different levels in Microsoft 365 – in Azure Active Directory, Teams, Microsoft 365 Groups, OneDrive, and SharePoint.
Tame Unauthenticated Sharing
Anonymous links can be useful in various scenarios, but you should be careful about using them. These are the standard recommendations when sharing anonymously:
- Choose expiration and permissions options for Anyone links (for the entire organization, or just one site)
- Control the allowed permission levels for files and folders
- Set default link type to only specified people
- Use DLP rules to control sharing of sensitive content
Limit Accidental Exposure to Files
It’s good practice to limit sharing with specified groups or domains – let’s say just your own or partners’ domains.
Create a secure guest sharing environment
Make sure you control what guests can do inside your organization. Controls you can apply include:
- Requiring MFA for guests
- Limiting their session lifetime
- Limiting access from unmanaged devices to web-only access
- Applying sensitivity labels
- Performing guest access review
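The three sharing sections above (taming Anyone links, limiting accidental exposure to known domains, and the guest environment) all map onto tenant-level settings in SharePoint Online. The script below is an added example, not code from the original post or from SysKit, using the SharePoint Online Management Shell: it records the current values first, then applies 30-day, view-only Anyone links, a default link type of “specific people”, a domain allow list, and web-only access from unmanaged devices. The admin URL, the domain list and the 30-day figure are assumptions.

```powershell
# Added example (not from the original post): harden tenant-wide sharing in
# SharePoint Online and OneDrive. Assumes the SharePoint Online Management
# Shell; the admin URL and domains are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin centre URL

# Record the current state so the change can be reviewed or rolled back.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList, ConditionalAccessPolicy |
    Format-List

$settings = @{
    # Anyone links stay available (some business processes need them) but are tamed:
    SharingCapability                 = "ExternalUserAndGuestSharing"
    RequireAnonymousLinksExpireInDays = 30        # Anyone links stop working after 30 days
    FileAnonymousLinkType             = "View"    # Anyone links to files are read-only
    FolderAnonymousLinkType           = "View"    # ... and to folders as well

    # The default link a user gets when clicking "Share" goes to specific people only.
    DefaultSharingLinkType            = "Direct"
    DefaultLinkPermission             = "View"

    # Limit accidental exposure: external sharing only with listed domains.
    SharingDomainRestrictionMode      = "AllowList"
    SharingAllowedDomainList          = "contoso.example partner.example"   # space-separated placeholders

    # Unmanaged devices (no Intune compliance) get browser-only access, no download/sync.
    # Requires the matching Conditional Access policy in Azure AD to take effect.
    ConditionalAccessPolicy           = "AllowLimitedAccess"
}
Set-SPOTenant @settings

# For a site holding confidential content, switch external sharing off entirely.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled   # placeholder URL
```

Tenant settings are a ceiling: individual sites can be more restrictive (as the last line shows) but never more permissive, which is why tightening here is the right first move.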
Sensitivity labels
You should follow these principles with regard to your data and content:
- Classify and protect your organization’s data while ensuring that user productivity and their ability to collaborate are not hindered.
- Protect content in Office apps across different platforms and devices.
- Protect containers that include Teams, Microsoft 365 Groups, and SharePoint sites.
Some documents in your organization are confidential, and as such they require a high level of access control. The best practice is to label confidential content and disallow sharing it.
You can extend this control with Azure Information Protection, which encrypts sensitive documents, so even if unauthorized users get hold of them, they cannot read them.
Site Classification
Classification labels can be applied to sites as well, so sensitive sites can be restricted to specific people.
Teams Deployment
Due to the unexpected events early last year, a lot of organizations didn’t have time to plan their Teams deployment in advance. The result was a disorganized Teams architecture, undefined roles, and a lack of governance controls.
Every organization has to ask itself these questions before digging into a Teams deployment:
- Who will be the Teams administrators?
- Who will be owners and members?
- What will the messaging policies be?
- How is provisioning going to happen?
- Which level of external/guest access will be allowed?
- What will the Teams settings be?
- Which Teams clients will be used?
- Will we have usage reporting?
- Which default apps will we use?
SharePoint Security
Microsoft Teams goes hand in hand with SharePoint. Every team is backed by a SharePoint site and a default set of SharePoint groups. You need to think about these settings for your SharePoint sites:
- Sharing settings
- SharePoint Groups
- AD Groups
- Breaking permission inheritance
- Sites not connected to Microsoft 365 groups
- Sites related to Microsoft 365 groups
- Change how members can share
- [Site Access] Access Requests
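Because every team spawns a site, the settings above need reviewing per site, not just once at the tenant level. This added example (not code from the original post or from SysKit) uses the SharePoint Online Management Shell to inventory every site, note whether it is connected to a Microsoft 365 group, what its sharing level is, whether Anyone links are possible on it, and how many external users already have access, then lists the ones worth a second look. The admin URL and the review criteria are assumptions; it does not detect broken permission inheritance inside a site, which needs a per-site walk with a different toolset.

```powershell
# Added example (not from the original post): per-site sharing and external
# access inventory for SharePoint Online. Assumes the SharePoint Online
# Management Shell; the admin URL is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin centre URL

$sites = Get-SPOSite -Limit All

$report = foreach ($s in $sites) {
    # External users with access to this specific site (first page of 50 is enough to flag it).
    $external = @(Get-SPOExternalUser -SiteUrl $s.Url -PageSize 50)

    [pscustomobject]@{
        Url              = $s.Url
        Template         = $s.Template
        GroupConnected   = ($s.GroupId -ne [guid]::Empty)    # site backs a Team / Microsoft 365 group
        Sharing          = $s.SharingCapability
        AnyoneLinks      = ($s.SharingCapability -eq "ExternalUserAndGuestSharing")
        ExternalUsers    = $external.Count
        ExternalSample   = ($external | Select-Object -First 3 -ExpandProperty Email) -join ";"
    }
}

# Everything, for the records.
$report | Export-Csv -Path ".\site-sharing-inventory.csv" -NoTypeInformation   # placeholder path

# Sites that merit review: Anyone links allowed, or external users present on a
# site that is not connected to a group (so nobody "owns" the guest list).
$report | Where-Object { $_.AnyoneLinks -or ($_.ExternalUsers -gt 0 -and -not $_.GroupConnected) } |
    Sort-Object ExternalUsers -Descending |
    Format-Table Url, GroupConnected, Sharing, ExternalUsers, ExternalSample -AutoSize
```

The flagged list is the input for the owners’ conversation and for the guest access review mentioned earlier; a site with guests and no group behind it usually means nobody is reviewing who those guests are.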
Data Encryption in OneDrive and SPO
When it comes to the security of data stored within Microsoft 365 datacenters, Microsoft applies several layers of protection:
- BitLocker disk-level encryption
- Per-file encryption AES-256, distribution of content, keys, and credentials (FIPS 140-2)
- Chunks encrypted with multiple keys on blob storage
- A different set of keys depending on the operation (read, write, enum, delete)
Additional email protection practices
You can implement additional email protection practices in your company:
- Conditional access
- Disable external email forwarding
- Disable anonymous external calendar sharing
- Configure data loss prevention policies for sensitive data
- Implement data classification and information protection policies
- Protect data in third-party apps and services with Cloud App Security
- Use Microsoft Defender for Endpoint
- Use Azure Information Protection (AIP)
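Two of the items above, disabling external email forwarding and disabling anonymous calendar sharing, are a few Exchange Online commands, and a forwarding review is worth doing at the same time. The script below is an added example, not code from the original post or from SysKit, using the ExchangeOnlineManagement module: it blocks auto-forwarding at both the remote-domain and outbound-spam-policy layers, lists mailboxes and inbox rules that already forward or redirect mail (a common sign of a compromised mailbox), and removes anonymous entries from the default sharing policy. The admin UPN, the policy names and the `Anonymous:` prefix used to identify anonymous calendar sharing entries are assumptions.

```powershell
# Added example (not from the original post): email forwarding and anonymous
# calendar sharing hardening in Exchange Online. Assumes the
# ExchangeOnlineManagement module; the admin UPN is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder

# 1. Block automatic forwarding to external recipients at both layers.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Mailboxes that already have a forwarding address configured by an admin.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. User-created inbox rules that forward or redirect mail; review each hit
#    with its owner, since attackers who get into a mailbox often add one.
#    (Get-InboxRule is called once per mailbox, so this is slow on large tenants.)
$forwardingRules = foreach ($mb in $mailboxes) {
    Get-InboxRule -Mailbox $mb.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$forwardingRules | Format-Table -AutoSize

# 4. Strip anonymous calendar sharing from the default sharing policy. Entries
#    for anonymous sharing are assumed to carry the "Anonymous:" prefix.
$policy = Get-SharingPolicy -Identity "Default Sharing Policy"
$keep = @($policy.Domains | Where-Object { $_ -notlike "Anonymous:*" })
if ($keep.Count -gt 0) {
    Set-SharingPolicy -Identity $policy.Identity -Domains $keep
} else {
    # Nothing but anonymous entries existed; disabling the policy removes them all.
    Set-SharingPolicy -Identity $policy.Identity -Enabled $false
}
```

Steps 1 and 4 are one-off configuration; steps 2 and 3 are the part to repeat, because a forwarding rule added after the settings were hardened is exactly the thing the hardening cannot catch on its own.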
Licensing
Most advanced security and compliance features are available in the premium plans listed below:
- Office 365 E5
- Microsoft 365 E5
- Standalone: Azure AD Premium P1 or P2, Intune
SysKit security best practices
Our developers at SysKit have developed their own Office 365 best practices that complement existing industry best practices. We add an extra layer to them, taking into account all the types of content and the specific governance procedures that companies might have.
With SysKit’s best practices in place, businesses will truly become power users and be entirely in control of what’s going on in their environment.
How Can SysKit Point Help You?
SysKit Point is a web-based Office 365 governance solution that lets you:
- Govern your inventory from a central place
- Automate your Office 365 governance
- Audit your Office 365 activity
- Report on overall Office 365 security
- Analyze usage and trends in your Office 365 tenant
- Manage user access in bulk