Last week I shared part one of my Microsoft 365 Security Assessment where we took a deep dive into securing things related to Azure Active Directory. If you haven’t had a chance to read through it yet, take a few minutes and read it here.
Now that we’re all on the same page, lets dive into part two, where we’ll cover security settings in the Microsoft 365 Admin Center.
Moving on to the Microsoft 365 Admin Center
Turn ON modern authenticationModern authentication is what allows you to enforce MFA and other identity based security features. Products that don’t use “modern authentication” use what we call “Legacy Authentication” (obviously) or “Basic Authentication”. It only uses username and password pairs to authenticate a user. The example shown in Figure 14: Basic authentication prompt is using legacy authentication, also known as basic authentication.
Configure your external sharing settings
Configure guest access in Teams
Figure 17: Guest access in Teams admin center
Review your Secure Score
Microsoft Secure Score is a measurement of your organization’s security posture, with a higher number indicating more improvement actions taken. It can be found at https://security.microsoft.com/securescore or in the Microsoft 365 security center.
Figure 18: Microsoft Secure Score Dashboard
The improvement actions are security recommendations that are based on the information pertaining only to your tenant and the settings configured (or not configured). Improvement actions are ranked by implementation difficulty, user impact and number of points achievable. Review the improvement actions, create an action plan to address the recommendations and track your Secure score on a regular basis.
Limit the number of Admins (Roles)
This advice may be obvious to many organizations, but the more privileged accounts you have (accounts with admin privileges to services and data), the easier it is for attackers to target your organization and gain access to data.
It goes without saying that you shouldn’t assign admin roles to user accounts and in fact I recommend that admin accounts do not get assigned a license in Microsoft 365 unless the role requires an email alias.
Assign the least permissive roles to admins and have less than five global administrators (but more than one for emergencies).
“Roles” in the Microsoft 365 admin center (Figure 19: Roles in Microsoft 365 Admin Center) allows you to export the roles and users assigned these roles to a CSV file. Review the list in the export and try to follow the best practices mentioned above by removing some roles from people that don’t need the role and changing the combination of roles assigned to users so they can perform their daily admin function with the least privilege required.
Figure 19: Roles in Microsoft 365 Admin Center
Start the Zero Trust journey
Now, Zero Trust or ZT as I have seen it abbreviated before, is a framework. It’s not something you can turn on in an admin center and “poof” – magic, you are more secure. It is a journey that organizations embark on and strive to improve and enhance in an ongoing fashion.
Zero Trust teaches us to “never trust, always verify.”
Figure 20: Zero Trust diagram
There are many resources to help you get started with the zero trust journey. Microsoft have a Zero Trust assessment tool - Take the Zero Trust Assessment (microsoft.com) and Microsoft have also just announced the Zero Trust Deployment Center – a repository of information to improve ZT readiness and implementation guidance.
Configure Microsoft Defender for Office 365.
Defender for Office 365 (previously called Office 365 Advanced Threat Protection) helps you secure your organization by offering a comprehensive slate of prevention, detection, investigation and hunting, response and remediation, awareness and training, and secure posture features.
Figure 21: Microsoft Defender for Office 365 components
Microsoft Defender for Office 365 includes:
- Threat protection policies
- Reports to monitor threat protection in real-time
- Threat investigation and response capabilities to help you investigate, understand, simulate and prevent threats
- Time saving automation for response actions
ORCA (Office 365 ATP Recommended Configuration Analyzer) is a PowerShell report to help validate your anti-spam and anti-malware settings against recommendations from Microsoft. The tool compares your settings to the recommended practices in “Recommended settings for EOP and Office 365 ATP security”
Running ORCA is simple. Install the module, start a PowerShell session logged in with an administrator account and run the Get-ORCAReport cmdlet.
Figure 22: Running the Orca cmdlet
This checklist is not an exhaustive security checklist, but it’s definitely a baseline set of configurations I recommend to most organizations looking to tighten up their security or those that are just getting started with Microsoft 365. If you are new to Microsoft 365 security, it can be a daunting task securing your environment. I hope this list helps you get started because doing something is more secure than doing nothing at all.
Monitor Your Hybrid - Office 365 Environment with ENow
ENow’s Office 365 Monitoring solution is like your own personal outage detector that pertains solely to you environment. ENow’s solution monitors all crucial components including your hybrid servers, the network, and Office 365 from a single pane of glass. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.