Step 1 Check your score
After setting up all the accounts and moving all your data to Microsoft 365, check your Secure Score. This is a good starting point and can help show whether you are moving in the right direction.
Step 2 Security Defaults
Enable Security Defaults. This enforces the following for every user:
- Requiring all users to register for Azure Multi-Factor Authentication.
- Requiring administrators to perform multi-factor authentication.
- Blocking legacy authentication protocols.
- Requiring users to perform multi-factor authentication when necessary.
- Protecting privileged activities like access to the Azure portal.
Step 3 Application Consent
Look at the application consent settings for your organization. These are found in the Microsoft 365 Admin portal under Settings > Org settings > Services tab > User consent to apps, or under Settings > Integrated apps.
This is a case-by-case step, depending on the size of your business, and will need to be looked at by your administrators. This setting allows users to connect applications / websites to their account. There are a lot of valid reasons for this, but also a few not so valid ones, like giving an attacker access to your emails.
If you do choose to disable the users' ability to do this, it would be a good idea to set up an administrative flow that allows users to request access from the site's IT / administrator.
Disabling or Enabling User Application consent
https://docs.microsoft.com/en-us/microsoft-365/admin/misc/integrated-apps?view=o365-worldwide
Configure the admin consent workflow
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
*Side note* on admin consent: it appears to have moved (17/07/2020) to the following location: Azure Active Directory > Enterprise Applications > User settings
Step 4 External Sharing
Look at what you are allowing to be shared with external people from your users' OneDrives and SharePoint sites.
SharePoint admin center > Policies > Sharing
This is the global setting and sets the limit for the sites themselves. You can also control what is shared per SharePoint site, but it can go no higher than the global setting.
To change it per site, go to SharePoint admin center > Sites > Active sites > select the site you wish to change > Policies > External sharing.
Again, this can go no higher than what is set at the global level.
Step 5 Passwords
Enable dynamically banned passwords. This will help with users who are setting simpler or known password combinations.
To do this, go to Azure Active Directory > Security > Password Protection.
Step 6 Company Branding
Brand your login portal. Such a simple thing can help with security, as it makes a basic fake login portal easier to spot.
You can access this by going to Azure Active Directory > Company branding.
Step 7 Enable Audit Log
Not sure why, but M365 does not have audit logs enabled by default. This can be done by:
- https://protection.office.com/
- Select Search
- Select Audit Log search
It can also be done via PowerShell.
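An added example (not from the original post) of enabling and then verifying the unified audit log from PowerShell using the ExchangeOnlineManagement module; the 24-hour search window and the sign-in record type at the end are assumptions for the sanity check.

```powershell
# Added example: enable and verify the Microsoft 365 unified audit log.
# Requires the ExchangeOnlineManagement module:
#   Install-Module ExchangeOnlineManagement -Scope CurrentUser
Import-Module ExchangeOnlineManagement

# Interactive sign-in as an admin who holds the Audit Logs role.
Connect-ExchangeOnline

# Read the current state before changing anything.
$config = Get-AdminAuditLogConfig
if ($config.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit log ingestion is already enabled."
} else {
    Write-Host "Unified audit log ingestion is disabled; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # Re-read the setting to confirm the change took effect.
    $config = Get-AdminAuditLogConfig
    if (-not $config.UnifiedAuditLogIngestionEnabled) {
        throw "Failed to enable unified audit log ingestion."
    }
    Write-Host "Enabled. It can take up to 60 minutes before events start appearing."
}

# Sanity check once events are flowing: pull recent Azure AD sign-in events.
# Assumed window: the last 24 hours.
$end   = Get-Date
$start = $end.AddDays(-1)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType AzureActiveDirectoryStsLogon -ResultSize 50
Write-Host ("Found {0} sign-in audit events in the last 24 hours." -f @($events).Count)

Disconnect-ExchangeOnline -Confirm:$false
```

A count of zero right after enabling is expected; re-run the search later rather than assuming the setting failed.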
Security Roadmap after the basics
Once you have the basics set up, it is worth looking at the Microsoft 365 Security Roadmap, which gives you Microsoft's recommendations for securing your 365 environment in the long term.
While all this is great, you cannot forget about the users' devices.
You should always:
- Have antivirus installed
- Encrypt everything
- Use a firewall (on Device and Network)