In a recent webinar, our M365-certified security administrators provided an in-depth look at various Microsoft 365 building blocks such as security configurations, features, and policies. The session also covered the significance of secure email protocols, data protection, and the continuous evolution of cloud security technologies.
This blog highlights several key security features and best practices to help you protect your institution’s data and ensure that only authorized users gain access to critical systems.
Understanding Key Terminology
M365 vs. Office 365
Office 365 features familiar tools such as Exchange Online, SharePoint, OneDrive, and Teams. Microsoft 365 (M365) enhances this suite by incorporating additional technologies focused on security, identity, and compliance, offering a more comprehensive package.
Entra ID
Entra ID (formerly Azure Active Directory) is the cloud identity service underneath Microsoft 365. It holds the users, groups, devices, and service principals (application identities) that every other security configuration refers to, so most of the controls below are ultimately Entra ID controls.
Security, Identity, and Compliance (SIC)
These conceptual buckets guide the technological frameworks and policies that ensure data security, identity assurance, and regulatory compliance.
M365 Security Features Breakdown
Security Defaults
Security Defaults provide a pre-configured, non-customizable baseline: every user must register for multifactor authentication (MFA) within 14 days of their next sign-in, legacy authentication protocols are blocked, and administrators must complete MFA at every sign-in. Registration does not equal enforcement for everyone else, though. Non-administrative users are prompted for MFA only when Microsoft’s own risk evaluation decides it is necessary (for example a sign-in from an unfamiliar device or location), so a tenant relying on Security Defaults alone has many accounts that are registered for MFA but are rarely challenged.
Consider enforcing MFA for every account rather than leaving the decision to risk scoring. With an Entra ID P1 license, Conditional Access policies (covered below) are Microsoft’s recommended way to do this; without one, the legacy per-user MFA settings can close the gap, bearing in mind that Microsoft advises against mixing per-user MFA with Security Defaults.
Applications
App registrations and Enterprise Applications (service principals) can pose significant risk if not managed. By default, any user can register applications and can consent to third-party apps that request low-impact permissions. An attacker who persuades a user to approve a malicious app (consent phishing) gains a token-based foothold in that user’s mailbox or files without an administrator ever being involved, and the access survives a password reset because it is tied to the app, not the credential.
Consider disabling self-service app registration, restricting user consent so that new permissions route through an administrator, and periodically reviewing which applications already hold permissions in the tenant.
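The following is an added example, not code from the webinar, showing how the two defaults above are changed with the Microsoft Graph PowerShell SDK and how existing consent grants can be inventoried for review. It assumes the Microsoft.Graph module is installed and that the signed-in account holds the Global Administrator or Privileged Role Administrator role.

```powershell
# Added example (not from the original page): lock down self-service app registration
# and user consent, then list what has already been granted so it can be reviewed.
# Assumes the Microsoft.Graph module and a sufficiently privileged interactive sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All"

# 1. Non-admins may no longer register apps, and an empty grant-policy list means
#    "no user consent at all": every new app permission needs an administrator.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    AllowedToCreateApps             = $false
    PermissionGrantPoliciesAssigned = @()
}

# 2. Read the policy back; both values should now reflect the restriction.
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions |
    Select-Object AllowedToCreateApps, PermissionGrantPoliciesAssigned

# 3. Inventory existing delegated grants. Index service principals by Id once so the
#    lookup is not O(n*m) in a large tenant.
$spById = @{}
Get-MgServicePrincipal -All | ForEach-Object { $spById[$_.Id] = $_ }

Get-MgOauth2PermissionGrant -All | ForEach-Object {
    $grant = $_
    $sp    = $spById[$grant.ClientId]
    [pscustomobject]@{
        App         = $sp.DisplayName
        Publisher   = $sp.PublisherName
        # 'AllPrincipals' = admin consent for the whole tenant, 'Principal' = one user's consent
        ConsentType = $grant.ConsentType
        Scopes      = $grant.Scope
    }
} | Sort-Object App | Format-Table -AutoSize
```

Review the inventory for apps with broad delegated scopes (Mail.ReadWrite, Files.ReadWrite.All, Directory.ReadWrite.All and similar) granted by individual users, and for publishers you do not recognize. Disabling user consent outright is the simplest posture; if that generates too many help-desk tickets, the admin consent workflow in the Entra admin center lets users request approval instead of being silently refused.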
Global Auditing
Microsoft Purview includes the unified audit log, which records user and administrator activity across Exchange Online, SharePoint, OneDrive, Teams, Entra ID and the other workloads in one place. If the organization is compromised, these records are what an investigation relies on to establish what the attacker touched, which mailboxes or files were accessed, and when, so that remediation can be scoped correctly rather than guessed at.
Consider verifying that auditing is enabled. Microsoft now turns it on by default for new tenants, but it was off by default in older tenants and can be switched off by an administrator, and if it is off when an incident occurs there is nothing to search. Note also that Audit (Standard) retains records for 180 days; longer retention requires Audit (Premium) or exporting the logs to a SIEM.
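As an added example (not part of the webinar), the Exchange Online PowerShell commands below check and enable audit log ingestion, then run the kind of triage query an incident responder would start with: who created or modified inbox rules recently, since a forwarding or delete rule is one of the most common persistence steps after a mailbox compromise. It assumes the ExchangeOnlineManagement module and an account with the Audit Logs role.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement
# module and an account permitted to read the unified audit log.
Connect-ExchangeOnline

# Check whether unified audit log ingestion is on, and enable it if not.
# Enabling takes effect within about an hour; events before that point are not recoverable.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning "Unified audit logging was OFF and has just been enabled."
}

# Triage query: inbox rule creation/modification in the last 30 days, with the client IP
# and the rule parameters pulled out of the AuditData JSON so forwarding or delete rules
# stand out at a glance.
$end   = Get-Date
$start = $end.AddDays(-30)

Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations New-InboxRule, Set-InboxRule -ResultSize 5000 |
    ForEach-Object {
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When       = $_.CreationDate
            User       = $_.UserIds
            Operation  = $_.Operations
            ClientIP   = $data.ClientIP
            # Parameters is an array of {Name, Value}; flatten to "Name=Value; ..."
            Parameters = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Parameters such as ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage or MoveToFolder pointing at RSS Feeds or Deleted Items are the usual red flags. The same pattern (filter by -Operations, parse AuditData) works for Add-MailboxPermission, UserLoggedIn, FileDownloaded and any other operation the audit log records.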
Office Store and Trial Accounts
By default, users can buy certain licenses and start trials with their work identity, including AI tools such as Copilot. Data then flows into services the organization has not vetted, licensed, or covered with its data-protection and retention settings, and the purchases appear outside the normal procurement process.
Consider disabling self-service purchases and trials so that new services enter the tenant only through the administrators who are accountable for configuring and monitoring them.
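Self-service purchase is controlled per product through the MSCommerce PowerShell module. The following added example (not from the webinar) lists the current state and turns the capability off for every product that still allows it; it assumes the MSCommerce module is installed and the account holds the Global Administrator or Billing Administrator role.

```powershell
# Added example (not from the original page). Assumes: Install-Module MSCommerce has been
# run, and the signed-in account is a Global or Billing Administrator.
Connect-MSCommerce

# What can users currently buy for themselves? One row per product in the program.
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    Select-Object ProductName, ProductId, PolicyValue |
    Format-Table -AutoSize

# Disable self-service purchase for everything still enabled. Products Microsoft adds to
# the program later start out Enabled, so this is worth rerunning on a schedule.
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase |
    Where-Object { $_.PolicyValue -eq "Enabled" } |
    ForEach-Object {
        Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase `
            -ProductId $_.ProductId -Enabled $false
    }
```

This module governs paid self-service purchases only; self-service trials are a separate setting under Org settings in the Microsoft 365 admin center and should be reviewed alongside it.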
Administrative Roles, Partners, and GDAP
Administrative roles and partner access, including access granted through Granular Delegated Admin Privileges (GDAP), need regular review. Microsoft recommends fewer than five Global Administrators (but at least two, so a single lost account cannot lock the organization out) and applies the principle of least privilege to partners as well: a partner should hold only the specific roles it needs, for a limited time, rather than Global Administrator over the whole tenant.
Consider scheduling these reviews, removing stale assignments and partner relationships that are no longer active, and using Privileged Identity Management where licensed so that elevated roles are activated on demand instead of held permanently.
Exchange Online and Communication Protocols
Mailbox Protocols
Mailbox access protocols (IMAP, POP3, Exchange ActiveSync, SMTP AUTH) carry different risks. Historically the problem was Basic authentication, which cannot be protected by MFA. Microsoft has since disabled Basic authentication for IMAP, POP3, EAS and most other Exchange Online protocols, but SMTP AUTH remains available per mailbox, and protocols that are enabled but unused still widen the attack surface for token theft and misconfigured clients.
Consider disabling every protocol a mailbox does not actually use, both on existing mailboxes and in the mailbox plans that new mailboxes inherit from, and turning SMTP AUTH off tenant-wide with explicit per-mailbox exceptions for devices that genuinely need it.
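The following is an added example, not code from the webinar, showing how to find mailboxes that still have IMAP or POP enabled and how to turn those protocols off at both the mailbox and the mailbox-plan level in Exchange Online PowerShell. The scanner address is an assumed placeholder.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement
# module and an Exchange Administrator account.
Connect-ExchangeOnline

# Report: which mailboxes still allow IMAP or POP? (Both are enabled by default.)
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, ImapEnabled, PopEnabled, ActiveSyncEnabled |
    Format-Table -AutoSize

# Disable IMAP and POP on every existing mailbox...
Get-CASMailbox -ResultSize Unlimited |
    Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# ...and in every mailbox plan, so mailboxes created tomorrow inherit the restriction
# instead of silently reopening the protocols.
Get-CASMailboxPlan |
    Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

# SMTP AUTH is the one Basic-auth path Microsoft did not retire. Turn it off for the
# tenant, then re-enable it only for specific devices that must submit mail this way.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Assumed exception for a multifunction printer/scanner mailbox:
# Set-CASMailbox -Identity "scanner@contoso.example" -SmtpClientAuthenticationDisabled $false
```

Before the bulk Set-CASMailbox, run the report and confirm with the owners of any flagged mailboxes that no line-of-business tool depends on IMAP or POP; the per-mailbox setting can be restored individually if something breaks.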
Receive Connectors
Organizations that front Exchange Online with a third-party email security service point their MX records at that service, which filters mail and then relays it to Exchange Online. The weakness is that Exchange Online Protection still accepts anonymous SMTP for the organization’s domains on its own public endpoint (the tenant’s mail.protection.outlook.com host), regardless of where the MX points. An attacker who connects to that endpoint directly delivers mail that the edge service never sees, bypassing its filtering entirely.
Consider creating an inbound connector (the Exchange Online equivalent of an on-premises Receive Connector) that restricts delivery for all of the organization’s domains to the edge provider’s published IP ranges, so that anything arriving from elsewhere is rejected.
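As an added example (not part of the webinar), the Exchange Online PowerShell below creates such a connector and enables Enhanced Filtering so that EOP’s own checks evaluate the true originating IP rather than the edge service’s. The IP ranges are placeholders from the documentation address blocks and must be replaced with the ranges your provider publishes.

```powershell
# Added example (not from the original page). Assumes the ExchangeOnlineManagement module
# and an Exchange Administrator account. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for the edge provider's real outbound IPs.
Connect-ExchangeOnline

$edgeRanges = @("203.0.113.0/24", "198.51.100.0/24")

# Partner-type connector with RestrictDomainsToIPAddresses: "for mail addressed to any of
# our accepted domains (*), accept only when the connecting IP is in this list". Direct
# connections to <domain>.mail.protection.outlook.com from anywhere else are rejected.
New-InboundConnector -Name "Inbound only via edge service" `
    -ConnectorType Partner `
    -SenderDomains "*" `
    -SenderIPAddresses $edgeRanges `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# With every message now arriving from the edge service, EOP would otherwise score the
# edge IPs instead of the real sender. EFSkipLastIP makes it skip that last hop.
Set-InboundConnector -Identity "Inbound only via edge service" -EFSkipLastIP $true

# Verify the result.
Get-InboundConnector -Identity "Inbound only via edge service" |
    Select-Object Name, ConnectorType, SenderDomains, SenderIPAddresses,
                  RestrictDomainsToIPAddresses, RequireTls, EFSkipLastIP
```

Two caveats before enabling it in production: any system that currently delivers straight to Exchange Online without passing through the edge service (an on-premises application server, a cloud SaaS that emails your users directly) will start being rejected, so inventory those first; and -RequireTls will reject the edge service itself if it ever falls back to plain SMTP, which is the behaviour you want but worth confirming with the provider.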
Sharing in SharePoint and OneDrive
Sharing settings in SharePoint and OneDrive decide who outside the organization can reach its files. At the most permissive level, users can create “Anyone” links that work for whoever holds the URL, with no sign-in and no record of who used them; at intermediate levels, guests are invited into the directory and retain access until someone removes them. Either way, a single forwarded link or a mistyped address can expose sensitive documents to people the organization never intended.
Consider restricting sharing to internal users, or at least to guests who already exist in the directory and come from an allow-listed set of partner domains, and set the default link type to internal so that the safe option is also the easy one.
Teams External Communication
By default, Teams external access is open: users can chat and call with anyone in any other Microsoft 365 organization and, depending on tenant settings, with consumer Teams and Skype accounts that are tied to no organization at all. That openness is a phishing and social-engineering channel, since an attacker in a throwaway tenant can message employees directly with links and attachments that bypass the email security stack.
Consider replacing open federation with an explicit allow list of partner domains and turning off communication with consumer accounts, so that external chat is limited to identities from organizations you actually work with.
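The following added example (not from the webinar) applies the SharePoint/OneDrive sharing restriction from the previous section and the Teams external-access restriction from this one in one pass. It assumes the SharePoint Online and MicrosoftTeams PowerShell modules, a tenant named contoso, and a partner domain partner.example; all three are placeholders.

```powershell
# Added example (not from the original page). Assumes the Microsoft.Online.SharePoint.PowerShell
# and MicrosoftTeams modules; "contoso" and "partner.example" are placeholders.

# --- SharePoint Online and OneDrive ---
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current posture. SharingCapability, from most to least open:
#   ExternalUserAndGuestSharing (allows anonymous "Anyone" links), ExternalUserSharingOnly,
#   ExistingExternalUserSharingOnly, Disabled
Get-SPOTenant |
    Select-Object SharingCapability, OneDriveSharingCapability, DefaultSharingLinkType,
                  PreventExternalUsersFromResharing

# Internal-only sharing, as recommended above. OneDrive can never be more open than
# SharePoint, so both are set explicitly to keep them aligned.
Set-SPOTenant -SharingCapability Disabled `
              -OneDriveSharingCapability Disabled `
              -DefaultSharingLinkType Internal

# Alternative where some external collaboration is unavoidable: existing guests only,
# only from allow-listed domains, and guests may not reshare what they receive.
# Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
#               -SharingDomainRestrictionMode AllowList `
#               -SharingAllowedDomainList "partner.example" `
#               -PreventExternalUsersFromResharing $true

# --- Teams external access ---
Connect-MicrosoftTeams

# Replace "any domain" federation with an explicit allow list, and block chat from
# consumer Teams and Skype accounts, which belong to no organization you can vet.
$allowed = [System.Collections.Generic.List[string]]::new()
$allowed.Add("partner.example")   # assumed partner domain

Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowed `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
```

Run the two Get- commands first and keep their output; they are your rollback record. Tightening SharingCapability does not revoke links already shared, so existing external links should be reviewed separately.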
Advanced Levels of Security
Conditional Access Policies (CAPs)
Conditional Access policies are if-then rules evaluated at sign-in: if a user, device, location, application and risk level match the policy’s conditions, then the specified controls (require MFA, require a compliant device, block) are applied before a token is issued. They combine identity signals from Entra ID with device signals from Intune, so access to sensitive resources can be limited to the right person on a trusted device rather than to anyone holding a valid password.
Consider implementing Conditional Access policies that require MFA for all users and tie access to device state, starting in report-only mode so their effect can be measured in the sign-in logs before anyone is blocked.
Hybrid Computer Identity
Registering on-premises Active Directory computers with Entra ID through Microsoft Entra hybrid join (configured in Entra Connect) gives each domain-joined Windows device a cloud identity. Conditional Access can then require a hybrid-joined or Intune-compliant device, which means a stolen password alone, used from an attacker’s own machine, no longer satisfies the policy.
Consider enabling hybrid join for your domain-joined computers so that Conditional Access can distinguish managed devices from unmanaged ones and restrict access accordingly.
Intune for Mobile Device Management (MDM)
Organizations should use Intune to enroll and manage mobile devices, ensuring compliance with security policies. By integrating Intune’s compliance telemetry with Conditional Access Policies (CAPs), only compliant devices can sign in and access corporate resources, enhancing overall security.
Consider using Intune for device enrollment and compliance, and integrate its telemetry with Conditional Access Policies to secure sign-ins.
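The three sections above describe one design: require MFA for everyone, and require a compliant (Intune) or hybrid-joined device. As an added example (not code from the webinar), the Microsoft Graph PowerShell below creates both policies in report-only mode with an exclusion for a break-glass group. The group name “Break Glass Accounts” is an assumption; every other value is a documented Conditional Access setting.

```powershell
# Added example (not from the original page). Assumes the Microsoft.Graph module, a
# Conditional Access Administrator or Global Administrator, an Entra ID P1 license, and an
# existing group named "Break Glass Accounts" holding the emergency-access accounts.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All"

# Every policy must exclude the emergency-access accounts; a mistake in a policy that
# applies to "All" users and "All" apps would otherwise lock every administrator out.
$breakGlass = Get-MgGroup -Filter "displayName eq 'Break Glass Accounts'"
if (-not $breakGlass) { throw "Create and populate the break-glass group before deploying policies." }

$commonConditions = @{
    Users          = @{ IncludeUsers = @("All"); ExcludeGroups = @($breakGlass.Id) }
    Applications   = @{ IncludeApplications = @("All") }
    ClientAppTypes = @("all")
    # In production also exclude guest accounts from the device policy; guests cannot
    # present a device your tenant manages.
}

$policies = @(
    @{
        DisplayName   = "CA001 - Require MFA for all users"
        GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
    },
    @{
        # "OR" means the device may be EITHER Intune-compliant OR hybrid-joined. An
        # unmanaged device is neither, so it cannot satisfy the policy.
        DisplayName   = "CA002 - Require compliant or hybrid-joined device"
        GrantControls = @{ Operator = "OR"; BuiltInControls = @("compliantDevice", "domainJoinedDevice") }
    }
)

foreach ($p in $policies) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter @{
        DisplayName   = $p.DisplayName
        # Report-only: the sign-in logs record what WOULD have happened; nothing is blocked.
        State         = "enabledForReportingButNotEnforced"
        Conditions    = $commonConditions
        GrantControls = $p.GrantControls
    } | Select-Object DisplayName, State, Id
}
```

Two separate policies are needed because a single policy’s grant controls use one operator: “MFA AND (compliant OR hybrid-joined)” cannot be expressed in one rule. Leave them in report-only for a week or two, review the Conditional Access tab of the sign-in logs for legitimate sign-ins that would have failed (service accounts, shared devices, mobile users without Intune enrolment), fix those, and only then switch State to "enabled".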
Modern MFA and Azure Information Protection
Not all MFA is equal. SMS and voice-call codes are the weakest options, push notifications with number matching in Microsoft Authenticator are a clear improvement, and phishing-resistant methods (FIDO2 security keys and passkeys, Windows Hello for Business, certificate-based authentication) are the goal, because they bind the credential to the legitimate site and cannot be replayed by a proxy phishing page. Meanwhile, Azure Information Protection, now part of Microsoft Purview Information Protection, applies sensitivity labels that encrypt documents and emails and control who can open them, so the protection travels with the data even after it leaves the organization.
Consider moving users to phishing-resistant MFA, beginning with administrators, and deploying sensitivity labels so that the most sensitive data is protected regardless of where a copy ends up.
Conclusion
By understanding and implementing Microsoft security measures, you can significantly enhance the security and efficiency of your institution’s digital environment. In addition, leveraging advanced MFA technologies and synchronizing on-premises Active Directory with Entra ID is a proactive way to fortify access control. It is also important to regularly review and update your security protocols to ensure they remain effective against evolving threats.
Don’t forget to download this handy infographic to explore overlooked M365 security features. This knowledge can help you implement everything needed under your license type to enhance your cybersecurity posture.