Friday 17 July 2020

Basic Security for Microsoft 365

There is a lot to think about when setting up Microsoft 365 and how it fits into your business, but security should be a priority when you are using applications that are accessible 24 hours a day, 7 days a week.

Step 1 Check your score

After setting up all the accounts and moving all your data to Microsoft, check your Security score. This is a good starting point and can help guide you on whether you are moving in the right direction.

Step 2 Security Defaults

Enable Security Defaults. This enforces the following for every user:

  • Requiring all users to register for Azure Multi-Factor Authentication.
  • Requiring administrators to perform multi-factor authentication.
  • Blocking legacy authentication protocols.
  • Requiring users to perform multi-factor authentication when necessary.
  • Protecting privileged activities like access to the Azure portal.

Step 3 Application Consent

Look at the Application consent settings for your organization. These are found in the Microsoft 365 Admin portal under Settings > Org settings > Services tab > User consent to apps, or under Settings > Integrated apps.

This is a case-by-case step, depending on the size of your business, and will need to be looked at by your Administrators. This setting allows users to connect applications / websites to their account. There are a lot of valid reasons for this, but also a few not so valid ones, like giving an attacker access to your emails.

If you do choose to disable users' ability to do this, it would be a good idea to set up an administrative flow that lets users request access from the site's IT / Administrator.

*Side note* on Admin Consent: it appears to have moved (17/07/2020) to the following location: Azure Directory > Enterprise Applications > User settings

Step 4 External Sharing

Look at what you are allowing to be shared with external people from your users' OneDrives and SharePoint sites.

SharePoint admin center > Policies > Sharing

This is the global setting and sets the limit for the sites themselves. You can also control what is shared per SharePoint site, but it can go no higher than the global setting.

To change it per site you will need to go to SharePoint admin center > Sites > Active sites > Select the site you wish to change > Policies > External Sharing

Again, this can go no higher than what is set at the global level.

Step 5 Passwords

Enable dynamically banned passwords. This will help with users that are choosing simpler or known password combinations.

To do this, go to Azure Active Directory > Security > Password Protection

Step 6 Company Branding

Brand your login portal. Such a simple thing can help with security, as it will help give a basic fake login portal away.

You can access this by going to Azure Active Directory > Company branding

Step 7 Enable Audit Log

Not sure why, but M365 does not have audit logs enabled by default. This can be done by:

  2. Select Search
  3. Select Audit Log search

It can also be done via PowerShell.
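As an added example (not part of the original post), this is the PowerShell route: connect to Exchange Online, check whether the unified audit log is enabled, turn it on if it is not, and confirm the setting. It assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role allowed to change audit settings; the UPN is a placeholder.

```powershell
# Added example: check and enable the unified audit log via Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module is installed (Install-Module ExchangeOnlineManagement)
# and the account used has a role permitted to change audit settings (e.g. Global Administrator).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

# Read the current tenant audit configuration.
$config = Get-AdminAuditLogConfig

if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Write-Host 'Unified audit log is OFF, enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

    # The change can take a while to propagate; re-read the setting to confirm it took.
    Start-Sleep -Seconds 30
    $config = Get-AdminAuditLogConfig
}
Write-Host ("UnifiedAuditLogIngestionEnabled = {0}" -f $config.UnifiedAuditLogIngestionEnabled)

# Sanity check that events are being recorded: pull a handful of records from the last day.
# This may legitimately be empty immediately after enabling, since ingestion starts from now.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -ResultSize 5
Write-Host ("Sample audit records found: {0}" -f ($recent | Measure-Object).Count)

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once to enable, then re-run it the next day: if the record count is still zero while users are active, the setting has not taken effect.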

Security Roadmap after the basics

Once you have the basics set up, it is worth looking at the Microsoft 365 Security Roadmap, which gives you Microsoft's recommendations for securing your 365 experience in the long term.

While all this is great, you cannot forget about the users' devices.

You should always:
  1. Have an Anti Virus installed
  2. Encrypt everything
  3. Use a firewall (on Device and Network)

