Microsoft 365 is a very secure environment when used properly. This means following practices that will minimize the chances of unauthorized access. Administrators should pay attention to all of the following points and periodically review how well the accounts and settings follow them. Here is how to establish basic security in Microsoft 365.
Use Multi-Factor Authentication
Basic security in Microsoft 365 starts at the sign-in. Requiring users to prove who they are in two independent ways, something they know (the password) plus something they have (a phone or a security key), makes accounts far harder to take over. This is called two-factor authentication (2FA) or multi-factor authentication (MFA). Passwords are easier to steal or guess than most people think; a second factor such as a code from an authenticator app or an SMS message means an impersonator has to defeat two barriers instead of one.
MFA is especially important for administrators and other high-privilege accounts, which is why security defaults require it for administrators and make every other user register. Whether to require it for all accounts at once depends on the level of security your organization needs and how quickly the workforce can be enrolled, but plan to reach every account: an ordinary mailbox without MFA is still a foothold for phishing and data theft.
Authenticator apps are safer than SMS codes, because criminals can talk a mobile carrier into issuing a duplicate SIM for a victim's number (SIM swapping) and then receive every code sent to it. Prefer the Microsoft Authenticator app or a hardware security key, and treat SMS as a fallback for users who have nothing else.
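As an added example (not code from the original article): a Conditional Access policy, created with the Microsoft Graph PowerShell SDK, that requires MFA for every holder of a privileged directory role, followed by a check for role holders who have not yet registered an MFA method. The module, the break-glass account name, the role set and the report-only starting state are assumptions; adjust them for your tenant.

```powershell
# Added example, not part of the original article. Requires the Microsoft.Graph module and
# an account that can manage Conditional Access. Names marked ASSUMPTION are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Directory.Read.All",
                        "UserAuthenticationMethod.Read.All", "AuditLog.Read.All", "User.Read.All"

# Directory role template IDs are the same in every tenant. Verify with:
#   Get-MgDirectoryRoleTemplate | Select-Object DisplayName, Id
$privilegedRoles = @(
    "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator
    "e8611ab8-c189-46e8-94e1-60213ab1f814"   # Privileged Role Administrator
    "194ae4cb-b126-40b2-bd5b-6091b380977d"   # Security Administrator
    "29232cdf-9323-42fd-ade2-1d097af3e4de"   # Exchange Administrator
    "f28a1f50-f6e7-4571-818b-6a12f2af6b6c"   # SharePoint Administrator
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"   # Application Administrator
)

# ASSUMPTION: an emergency-access ("break-glass") account exists under this UPN. Excluding it
# means a broken policy cannot lock every administrator out of the tenant.
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

$policy = @{
    DisplayName   = "Require MFA for privileged directory roles"
    # Start in report-only mode; switch to "enabled" after reviewing the sign-in log impact.
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{
            IncludeRoles = $privilegedRoles
            ExcludeUsers = @($breakGlass.Id)
        }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("all")
    }
    GrantControls = @{
        Operator        = "OR"
        BuiltInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' in state $($created.State)"

# Check: which holders of those roles have no MFA method registered yet? They will be
# blocked the moment the policy moves from report-only to enabled.
$roleMembers = foreach ($templateId in $privilegedRoles) {
    $role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$templateId'"
    if ($role) { Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id }
}
$memberIds = $roleMembers.Id | Sort-Object -Unique
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { $memberIds -contains $_.Id -and -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsMfaRegistered, MethodsRegistered
```

Run the registration check before enabling the policy and again afterwards; an empty result is the state you want. The break-glass exclusion is deliberate: that account should be protected by a long random password kept offline and monitored for any sign-in, not by a policy that a misconfiguration could break.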
Get Rid of Legacy Authentication
Microsoft 365 authenticates through Azure Active Directory (Azure AD, since renamed Microsoft Entra ID), which accepts several authentication protocols. The older ones cannot carry a second factor, and Microsoft calls them legacy authentication. Security defaults block legacy authentication; if you have turned security defaults off in favour of Conditional Access, verify that a policy blocks it instead.
The only reason to keep it is an old application or device that doesn't support modern authentication (OAuth 2.0 tokens), and you should upgrade or replace any such application anyway. Besides not supporting MFA, the older protocols send the username and password with every request, which is why password-spraying campaigns aim at them: a valid password gets the attacker straight in with no MFA prompt.
Legacy authentication means Basic authentication for the mail protocols: POP3, IMAP, SMTP AUTH, Exchange ActiveSync, Exchange Web Services and the older Outlook (RPC and MAPI) connections. Outlook and other mail clients should be set to use modern authentication. Microsoft has since turned Basic authentication off in Exchange Online for every protocol except SMTP AUTH, so a client that still depends on it will not connect; SMTP AUTH remains the one you must disable yourself.
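As an added example (not code from the original article): how to block Basic authentication in Exchange Online, switch the legacy protocols off on mailboxes that don't need them, and then check the Azure AD sign-in logs for clients that are still trying to use them. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules with administrator rights in both; the policy name and the scanner mailbox are placeholders.

```powershell
# Added example, not part of the original article. Assumes the ExchangeOnlineManagement
# and Microsoft.Graph modules and administrator rights in both.
Connect-ExchangeOnline

# 1. Tenant-wide: an Exchange authentication policy. Every AllowBasicAuth* switch of
#    New-AuthenticationPolicy defaults to $false, so a policy created with no switches blocks
#    Basic authentication for every protocol (POP, IMAP, SMTP AUTH, ActiveSync, EWS, MAPI ...).
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 2. Per mailbox: turn POP and IMAP off entirely where nobody needs them, and change the
#    mailbox plan so newly created mailboxes start with them off.
Get-CASMailbox -ResultSize Unlimited -Filter 'PopEnabled -eq $true -or ImapEnabled -eq $true' |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false

# 3. SMTP AUTH submission is the usual exception (scanners, line-of-business apps). Disable it
#    tenant-wide and re-enable it per mailbox only for the devices that really need it.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# ASSUMPTION: a scanner mailbox that must keep sending through SMTP AUTH
# Set-CASMailbox -Identity "scanner@contoso.com" -SmtpClientAuthenticationDisabled $false

# 4. Check before and after: which users and clients still sign in with legacy protocols?
#    Azure AD sign-in logs label them by protocol in clientAppUsed. Reading the logs through
#    Graph requires Azure AD Premium P1 or P2.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"
$legacyClients = @("Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP",
                   "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
                   "Other clients")
$clientFilter = ($legacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join " or "
$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and ($clientFilter)" |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run step 4 first, in a tenant where the policy is not yet applied, to find the service accounts and devices that would break; each line of that report is either a client to reconfigure for modern authentication or, for SMTP AUTH only, a deliberate per-mailbox exception.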
Keep Passwords Secure With Microsoft 365 Accounts
Creating good passwords is hard, and left to themselves some people pick "password" or "12345678". A good password policy keeps the chance of a guessed password low. Azure AD enforces a policy on cloud-only accounts; for accounts synchronized from on-premises Active Directory, the on-premises domain policy applies.
First, one thing not to do, even though you may still run into outdated recommendations: don't make passwords expire periodically and force users to change them. Both Microsoft's own guidance and NIST SP 800-63B now advise against forced rotation; it does nothing to stop an attacker who already has the password, and it pushes users toward predictable variations ("Spring2024!" becomes "Summer2024!") or writing them down. Train users to create strong passwords and protect them carefully, and reset a password when there is reason to believe it has been exposed.
Set a minimum password length of at least 10 characters where you control the policy (the on-premises Active Directory policy, which also applies to synchronized accounts). Longer passwords are much harder to guess. Cloud-only Azure AD accounts use a fixed policy of at least 8 characters drawn from three of the four character classes, which cannot be changed. For on-premises accounts, enable "Password must meet complexity requirements", which demands a mix of upper and lower case, numbers, and symbols. Bear in mind that complexity alone still accepts "P@ssw0rd1".
Enable the banned password list to reject the most obvious passwords. Azure AD Password Protection checks every new password against Microsoft's global banned list (on by default for cloud accounts) and normalizes the common tricks first: case, and substitutions such as "@" for "a" and "0" for "o", so "P@ssw0rd1" is scored as "password" plus one character and rejected. Complexity rules would let most of these through, so this is a genuinely separate layer. The custom banned password list (an Azure AD Premium P1 feature) lets you add terms specific to your organization, such as the company name, product names and the street address; with the Azure AD Password Protection agent the same list can be enforced in on-premises Active Directory.
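As an added example (not code from the article or from Microsoft): a simplified PowerShell model of the evaluation Microsoft documents for Azure AD Password Protection, that is, lowercasing, the four common character substitutions, one point per banned term found, one point per remaining character, and five points to pass. It is useful for seeing why complexity rules alone do not stop "P@ssw0rd1" and for trying out terms before adding them to a custom list. The banned terms and the candidate passwords are constructed for the example; the real service also does fuzzy matching (edit distance of one), which this model omits.

```powershell
# Added example, not the article's or Microsoft's code: a simplified local model of the
# Azure AD Password Protection evaluation. Not the real service; fuzzy matching is omitted.

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Step 1: lowercase. Step 2: undo the common substitutions the service normalizes
    # (0 -> o, 1 -> l, $ -> s, @ -> a) so that "P@ssw0rd" and "password" compare equal.
    $substitutions = @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a' }
    $out = foreach ($ch in $Password.ToLowerInvariant().ToCharArray()) {
        $s = [string]$ch
        if ($substitutions.ContainsKey($s)) { $substitutions[$s] } else { $s }
    }
    -join $out
}

function Test-BannedPasswordScore {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$BannedTerms,
        [int]$MinimumScore = 5
    )
    $normalized = ConvertTo-NormalizedPassword -Password $Password
    $remaining  = $normalized
    $score      = 0
    $found      = [System.Collections.Generic.List[string]]::new()

    # Longest terms first, so "contoso" is consumed before a shorter term it contains.
    $terms = $BannedTerms | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object Length -Descending
    foreach ($term in $terms) {
        $hits = [regex]::Matches($remaining, [regex]::Escape($term)).Count
        if ($hits -gt 0) {
            $score += $hits                          # one point per banned term found
            $found.Add($term)
            $remaining = $remaining.Replace($term, '')
        }
    }
    $score += $remaining.Length                      # one point per leftover character

    [pscustomobject]@{
        Password   = $Password
        Normalized = $normalized
        BannedHits = ($found -join ',')
        Score      = $score
        Accepted   = ($score -ge $MinimumScore)
    }
}

# Constructed sample list: the global list contains "password" and similar; a custom list
# adds organization-specific words (here the tenant name "contoso" and a product name).
$bannedTerms = @('password', 'contoso', 'blank', 'welcome', 'summer')

@('P@ssw0rd1', 'C0ntos0Blank12', 'ContoS0Bl@nkf9!', 'Welcome2024!', 'correct-horse-battery') |
    ForEach-Object { Test-BannedPasswordScore -Password $_ -BannedTerms $bannedTerms } |
    Format-Table Password, Normalized, BannedHits, Score, Accepted -AutoSize
```

Working through the table: "P@ssw0rd1" satisfies every complexity rule yet normalizes to "passwordl", scores 2 and is rejected; "C0ntos0Blank12" scores 4 (two banned terms plus two characters) and is rejected; "ContoS0Bl@nkf9!" scores 5 and passes. The last point is the caveat worth remembering: the documented scoring is lenient, so a banned term followed by four or five extra characters still gets through, which is why the banned list is a backstop for length and user training rather than a substitute for them.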
Use Smart Lockout With Microsoft 365 Accounts
Azure AD's smart lockout feature frustrates password guessers. After 10 bad attempts in a row against an account (the default for the public cloud), the account is locked for one minute, and if the bad guesses keep coming the lockouts get longer.
The "smart" part is that it distinguishes sign-ins that look like the real user, for example from a familiar location, from sign-ins that look like an attacker, and locks out the latter while the account's owner can still get in. It also does not count the same wrong password again. (Everyone has typed the same password over and over, only to realize later that it was the wrong one.) These features reduce the chance of locking out legitimate users.
Smart lockout is always on in Azure AD and cannot be disabled. With Azure AD Premium P1 you can change the lockout threshold and the lockout duration. Ten is a generous number of attempts, so if anything, lower it. If you use pass-through authentication, set the Azure AD threshold lower than the on-premises Active Directory lockout threshold and the duration longer, so that guessing attempts are stopped in the cloud before they can lock the user's on-premises account.
Be Careful With External Sharing
Careless document sharing leaks information. By default, SharePoint Online's external sharing setting permits "Anyone" links, which open a document to whoever holds the link without signing in. A link forwarded to the wrong person, or pasted where it shouldn't be, then exposes your organization's confidential information. A more restrictive sharing level makes that mistake impossible rather than merely unlikely.
The "new and existing guests" and "existing guests" levels let only invited visitors, who must sign in, open shared documents. The most secure level is "only people in your organization", which turns off external sharing entirely. You can set it tenant-wide and relax it for the specific sites that need to share, or leave the tenant level looser and lock down sensitive sites individually; a site can always be stricter than the tenant, never looser.
You can also restrict external sharing to members of a security group, set the default link type to "people in your organization" so that users have to choose external sharing deliberately, and put an expiry on any anonymous links you do allow. People sharing documents control internal sharing as well, giving only specific people access or letting anyone in the organization see the document.
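As an added example (not code from the original article): tightening the tenant-level sharing settings with the SharePoint Online management shell, closing external sharing on one sensitive site, and listing sites whose own setting is still at the loosest level. It assumes the Microsoft.Online.SharePoint.PowerShell module, SharePoint Administrator rights, a tenant named "contoso", a "Finance" site and a partner domain "partner.example"; all of those are placeholders.

```powershell
# Added example, not part of the original article. Assumes the
# Microsoft.Online.SharePoint.PowerShell module and SharePoint Administrator rights.
# ASSUMPTION: tenant "contoso", site "Finance", partner domain "partner.example".
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant-level ceiling. Sites can be stricter than this, never looser. Values, from most to
# least restrictive: Disabled, ExistingExternalUserSharingOnly, ExternalUserSharingOnly,
# ExternalUserAndGuestSharing (the last one permits "Anyone" links that need no sign-in).
$tenantSettings = @{
    SharingCapability                 = "ExistingExternalUserSharingOnly"
    OneDriveSharingCapability         = "ExistingExternalUserSharingOnly"
    DefaultSharingLinkType            = "Internal"   # new links default to "People in your organization"
    DefaultLinkPermission             = "View"       # and to read-only
    SharingDomainRestrictionMode      = "AllowList"  # guests only from approved domains
    SharingAllowedDomainList          = "partner.example"
    RequireAnonymousLinksExpireInDays = 7            # only matters if Anyone links are ever re-enabled
}
Set-SPOTenant @tenantSettings

# A sensitive site gets no external sharing at all, regardless of the tenant setting.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Check: sites whose own setting is still the loosest level. The tenant ceiling caps them
# today, but set each one explicitly so a later tenant-level change cannot reopen them.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability, Owner
```

The domain allow list is the setting most often skipped: without it, "existing guests" still means any guest an administrator or user has ever invited from any domain, so review the guest list in Azure AD at the same time.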
Restrict Email Auto-Forwarding
Automatic forwarding of email is useful when a user has more than one address, but it carries a real risk. An attacker who has compromised an account commonly adds a forwarding rule the user never sees, so a copy of every incoming message quietly leaves the organization, and the rule keeps working after the password is changed unless someone finds and removes it.
Exchange Online provides several controls, and it is worth setting more than one. The outbound spam filter policy has an automatic-forwarding setting that now blocks external auto-forwarding by default; confirm it is set to Off rather than relying on the default. The remote domain setting can disallow auto-forwarding to all external domains, and transport rules can block or conditionally allow auto-forwarded messages with a rejection notice the sender sees.
A role assignment policy (Exchange RBAC) can take the forwarding option away from users of Outlook on the web. It does not stop rules created from the Outlook desktop client or forwarding set on the mailbox itself, so treat it as a usability measure and rely on the transport-level controls, plus regular audits of inbox rules and mailbox forwarding addresses, to actually stop mail from leaving.
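As an added example (not code from the original article): setting all three Exchange Online forwarding controls and then hunting for forwarding that is already in place, both on mailboxes and in inbox rules. It assumes the ExchangeOnlineManagement module and Exchange Administrator rights; the rule name and rejection text are placeholders.

```powershell
# Added example, not part of the original article. Assumes the ExchangeOnlineManagement
# module and Exchange Administrator rights; rule name and NDR text are placeholders.
Connect-ExchangeOnline

# 1. Outbound spam filter policy: make the block explicit ("Automatic" is the default and
#    currently behaves as Off, but "Off" does not depend on Microsoft keeping it that way).
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Remote domain "Default" covers every external domain without its own entry.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. A transport rule gives an auditable block with a rejection message the sender sees.
#    It catches forwarding done by inbox rules and by mailbox-level forwarding alike.
if (-not (Get-TransportRule -Identity "Block external auto-forward" -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name "Block external auto-forward" `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted." `
        -RejectMessageEnhancedStatusCode "5.7.1"
}

# 4. Hunt for forwarding that is already in place. Attackers set it in two places: on the
#    mailbox itself, and as an inbox rule (often paired with DeleteMessage to hide it).
$mailboxes = Get-EXOMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox `
    -Properties ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

$mailboxForwarding = $mailboxes |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

$ruleForwarding = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage
}

$mailboxForwarding | Format-Table -AutoSize
$ruleForwarding    | Format-Table -AutoSize
```

Step 4 is the part to schedule: a rule that forwards to an external address and deletes the original is the classic sign of a business-email-compromise foothold, and finding one should start an incident response on that account (reset credentials, revoke sessions, review sign-in history), not just a rule clean-up.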
Allow Only Managed Applications
Users can grant applications permission to access their Microsoft 365 data (mail, files, contacts) through OAuth consent, depending on the Azure AD user consent setting. There are three options:
- Allow user consent for any application.
- Allow user consent only for applications from verified publishers, and only for permissions classified as low impact (Microsoft's recommended setting).
- Do not allow user consent; an administrator must approve every application, ideally through the admin consent request workflow so users can ask for a review instead of being silently refused.
The last option is the safest, but it may be too restrictive unless someone is assigned to handle the requests. For many organizations the second option is the best balance. Removing all restrictions is dangerous: in "consent phishing", attackers register an innocuous-looking application and trick users into granting it mailbox or file access, which works without ever learning the password and survives a password reset. When you tighten the setting, also review the grants users have already made, because changing the setting does not revoke them.
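As an added example (not code from the original article): switching the tenant to the "verified publishers, low-impact permissions" consent setting with the Microsoft Graph PowerShell SDK, then listing the consents individual users have already granted and flagging the ones that carry mailbox or file scopes. It assumes the Microsoft.Graph module and a Global Administrator; the list of scopes treated as risky is the author's choice for the example, not a Microsoft classification.

```powershell
# Added example, not part of the original article. Assumes the Microsoft.Graph module and
# a Global Administrator (changing the authorization policy requires that role).
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Directory.Read.All"

# The tenant's single authorization policy carries the user consent setting as a list of
# permission-grant policy IDs:
#   ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users may consent to any app
#   ManagePermissionGrantsForSelf.microsoft-user-default-low    -> verified publishers, low-impact permissions only
#   (empty list)                                                -> no user consent at all
$authz = Get-MgPolicyAuthorizationPolicy
"Current setting: " + ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')

Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
}

# Changing the setting does not revoke what users already granted. ConsentType "Principal"
# marks a grant made by one user for themselves. Review those, especially ones asking for
# mail or file scopes, and check whether the publisher is verified.
# ASSUMPTION: this scope list is the example's own idea of "risky", not a Microsoft list.
$riskyScopes = @("Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
                 "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access")

Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq "Principal" } |
    ForEach-Object {
        $grant  = $_
        $sp     = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
        $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
        [pscustomobject]@{
            GrantId           = $grant.Id
            App               = $sp.DisplayName
            VerifiedPublisher = $sp.VerifiedPublisher.DisplayName
            UserId            = $grant.PrincipalId
            Scopes            = ($scopes -join ' ')
            Risky             = [bool]($scopes | Where-Object { $riskyScopes -contains $_ })
        }
    } |
    Sort-Object Risky -Descending |
    Format-Table -AutoSize

# To revoke a grant you do not trust:
#   Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId <GrantId>
```

A row with an empty VerifiedPublisher and a Mail.* or Files.* scope is exactly what a consent-phishing campaign leaves behind; revoke the grant, and since the application holds a refresh token, also revoke the user's sessions rather than only resetting the password.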
Practice Smart Mobile Application Management
Mobile devices, if they aren't well managed, create serious security problems. A BYOD policy is fine, but only with adequate protection. Intune's mobile application management (MAM) protects the corporate data inside the Microsoft 365 apps on a device without enrolling or controlling the device itself, which is what makes it acceptable on personal phones.
Intune app protection policies can prevent other applications from extracting data from Microsoft 365 client apps. They can require users to sign in with organizational credentials and a PIN before opening company data, stop "Save As" to unmanaged locations, block backups, and restrict the clipboard so company data cannot be pasted into other applications. They can also wipe the corporate data selectively, leaving the user's personal apps and photos alone.
Allowing mobile access only from apps that have an app protection policy applied, enforced with the Conditional Access grant control "Require app protection policy", goes a long way toward preventing data loss due to careless use, malicious applications and lost devices.
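As an added example (not code from the original article): creating an iOS app protection policy through the Microsoft Graph REST API from PowerShell, targeting the Microsoft 365 apps, assigning it to a BYOD group, and adding the Conditional Access policy that makes the protection mandatory for mobile access. It assumes the Microsoft.Graph module, Intune and Conditional Access administrator rights, an Azure AD group named "MAM - BYOD users", and that the managedAppProtection properties and the targetApps and assign actions are as documented for Graph v1.0; verify them against the current reference before running this in production.

```powershell
# Added example, not part of the original article. Assumes the Microsoft.Graph module,
# Intune and Conditional Access administrator rights and (ASSUMPTION) a group
# "MAM - BYOD users". Uses the Graph REST resources directly via Invoke-MgGraphRequest.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All", "Group.Read.All", "Policy.ReadWrite.ConditionalAccess"
$graph = "https://graph.microsoft.com/v1.0"

# 1. An iOS app protection policy: corporate data may only move between managed apps,
#    cannot be saved or backed up elsewhere, and the app demands org credentials and a PIN.
$policyBody = @{
    "@odata.type"                           = "#microsoft.graph.iosManagedAppProtection"
    displayName                             = "M365 apps - BYOD data protection (iOS)"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"   # paste in from anywhere, copy out only to managed apps
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    organizationalCredentialsRequired       = $true
    pinRequired                             = $true
    minimumPinLength                        = 6
    maximumPinRetries                       = 5
    periodOfflineBeforeAccessCheck          = "PT12H"   # re-check access after 12 hours offline
    periodOfflineBeforeWipeIsEnforced       = "P30D"    # lost device: wipe corporate data after 30 days offline
    managedBrowserToOpenLinksRequired       = $true
}
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections" -Body $policyBody

# 2. Target the Microsoft 365 client apps by bundle ID.
$apps = @("com.microsoft.Office.Outlook", "com.microsoft.Office.Word", "com.microsoft.Office.Excel",
          "com.microsoft.skydrive", "com.microsoft.skype.teams") | ForEach-Object {
    @{
        "@odata.type"       = "#microsoft.graph.managedMobileApp"
        mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ }
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($policy.id)/targetApps" `
    -Body @{ apps = $apps }

# 3. Assign the policy to the BYOD group.
$group = Get-MgGroup -Filter "displayName eq 'MAM - BYOD users'"
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($policy.id)/assign" -Body @{
    assignments = @(@{
        "@odata.type" = "#microsoft.graph.targetedManagedAppPolicyAssignment"
        target        = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $group.Id }
    })
}

# 4. Enforce it: mobile clients reach Office 365 only when an app protection policy is
#    applied ("compliantApplication"). Report-only first, as with any Conditional Access change.
$caPolicy = @{
    DisplayName   = "Mobile: require app protection policy for Office 365"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{ IncludeGroups = @($group.Id) }
        Applications   = @{ IncludeApplications = @("Office365") }
        Platforms      = @{ IncludePlatforms = @("iOS", "android") }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("compliantApplication") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $caPolicy | Select-Object DisplayName, State
```

The Android policy is a separate resource (androidManagedAppProtections with package names instead of bundle IDs) but the same shape. Step 4 is what turns MAM from an opt-in into a control: without it a user can simply install a third-party mail client, sign in, and carry the data out under the policy's nose.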
Get Expert Advice From Us for Your Microsoft 365 Accounts
Basic security in Microsoft 365 is not the end of your security journey. While Microsoft makes managing its cloud applications as easy as possible, migrating and securing a suite of services can take more of your time than you would like. Agile IT’s cloud management services make the job easy, and you always have experts you can call on. Contact us to schedule a free consultation and discover all the advantages we offer.