Microsoft 365 is a complicated beast; to a new administrator it can be daunting to wrap your head around all of its services, each with its own admin portal and an untold number of settings available to tailor your experience.
Every environment has unique requirements; there is no one-size-fits-all answer, and the result is some relatively lax security settings out of the box. We’ll cover five commonly overlooked areas you should focus on to tighten the security of your modern workplace.
Security Defaults
In mid-2019, Microsoft went on the front foot against account compromise by introducing Baseline Conditional Access policies as a public preview. Fast forward to the beginning of 2020 and those baseline policies are disappearing, replaced by Security Defaults. This is a single tenant-wide toggle that enables three key protections:
- Require all users, both end-users and administrators, to register for multi-factor authentication (users get 14 days from their next sign-in to do so)
- Challenge users for MFA when needed, mainly when signing in from a new device or application; administrators are challenged on every sign-in
- Block legacy authentication protocols (the basic authentication used by older Outlook, POP, IMAP and SMTP clients), which cannot carry an MFA challenge and are therefore the favourite target of password-spray attacks.
Security Defaults is switched on automatically for most new tenants, but if you would like to enable it now, open the Azure Active Directory portal, head to the Properties pane and use the Manage Security defaults link at the bottom. Tenants already using Conditional Access will not be automatically enabled for Security Defaults and cannot manually enable it without first removing those policies.
If you make the jump from the baseline or custom policies across to Security Defaults and still receive errors about policies being enabled, check the Classic Policies pane of Conditional Access: legacy policy data lingering there will prevent Security Defaults from enabling.
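The same procedure from PowerShell, as an added example that is not part of the original post: inventory what would block the toggle, see who still relies on legacy authentication before it is cut off, then enable Security Defaults through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules are installed, an account holding the Global Administrator or Security Administrator role, and that your tenant retains sign-in logs; the list of legacy client names in the filter is an assumption about the values Azure AD reports.

```powershell
# Added example, not from the original post. Assumes:
#   Install-Module Microsoft.Graph.Identity.SignIns, Microsoft.Graph.Reports
# and a Global Administrator / Security Administrator account.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess',
                        'AuditLog.Read.All', 'Directory.Read.All'

# 1. Security Defaults refuses to enable while Conditional Access policies exist,
#    so list them (name and state) and decide what to remove first.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
if ($caPolicies.Count -gt 0) {
    Write-Warning 'Conditional Access policies found; remove these before enabling Security Defaults:'
    $caPolicies | Select-Object DisplayName, State, Id | Format-Table -AutoSize
}
# The Classic Policies pane has no Graph endpoint: a lingering classic policy still
# has to be deleted in the portal if the toggle keeps erroring after this list is empty.

# 2. Legacy authentication will be blocked, so find out who still uses it.
#    Assumption: these clientAppUsed values match what your sign-in logs contain.
$legacyClients = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients'
$filter = ($legacyClients | ForEach-Object { "clientAppUsed eq '$_'" }) -join ' or '
Get-MgAuditLogSignIn -Filter $filter -Top 500 |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending

# 3. Read the current state, then flip the toggle only when nothing blocks it.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults currently enabled: $($policy.IsEnabled)"
if (-not $policy.IsEnabled -and $caPolicies.Count -eq 0) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
    (Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy).IsEnabled   # read back to confirm
}
```

Step 2 is the one most administrators skip: a copier that scans to email over basic SMTP, or a line-of-business app using IMAP, will stop working the moment Security Defaults turns on, and the sign-in log is the only place that tells you in advance.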
Custom Mail Rules
Exchange Online’s mail flow rules (transport rules) are nothing new: if this, then do that. A rule matches on message properties, whether that’s the sender or recipient details, a header, data in the body or attachments, and then takes an action such as rejecting, redirecting or modifying the message.
When a mailbox is breached, one of the first things an attacker does is create a rule that forwards a copy of every inbound message to an external address. A brief inspection of the Alert Policies in the Security & Compliance Center shows an alert that should trigger for this behavior; however, its scope does not cover Outlook inbox rules, only forwarding configured through Exchange directly (such as when you forward a mailbox using the Microsoft 365 Admin Center).
To block this, add a mail flow rule in Exchange Online that rejects any auto-forwarded message sent from inside the organization to an external recipient. Messages forwarded by inbox rules carry an auto-forward message type, so the rule fires regardless of whether the inbox rule was created in Outlook, Outlook on the web or PowerShell.
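The reject rule in PowerShell, preceded by an audit of the forwarding that may already be in place, as an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and an Exchange administrator account; the rule name, the reject text and the approved relay address in the exception are placeholders.

```powershell
# Added example, not from the original post. Assumes:
#   Install-Module ExchangeOnlineManagement; Connect-ExchangeOnline
# and an Exchange administrator account.

# 1. Mailbox-level forwarding: set via the admin center, Set-Mailbox, or by an
#    attacker who already holds admin rights.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect: all an attacker needs for these is the
#    user's password. Review every target that is not one of your own domains.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $_.Name
                Enabled = $_.Enabled
                Targets = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                           Where-Object { $_ }) -join '; '
            }
        }
}

# 3. Reject any auto-forwarded message leaving the organisation. The exception keeps a
#    deliberately approved relay working (placeholder address); drop it if you have none.
New-TransportRule -Name 'Block external auto-forwarding' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFrom 'approved-relay@contoso.com' `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not permitted by policy.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Priority 0
```

Run the audit in step 2 before the rule goes in: an attacker who set up forwarding months ago has already had the mail, and the rule only stops future copies. Newer tenants also have a tenant-wide switch in the outbound spam filter policy (Set-HostedOutboundSpamFilterPolicy with -AutoForwardingMode Off) that achieves the same outcome without a mail flow rule; the rule above still has the advantage of a reject message that tells the user why their forward stopped working.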
Another useful rule for some organizations warns users that an email apparently from Sally in Accounts may not actually be from Sally in Accounts. It works by prepending a disclaimer to any message arriving from outside the organization whose From header matches a known value; the known values are the display names of your users.
This rule requires manual maintenance as staff join and leave, and it does not scale to larger organizations because of the hard limit on the size of an individual mail rule (4KB).
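Building that rule from the directory rather than by hand, with a size check before Exchange rejects it, as an added example that is not part of the original post. It assumes Connect-ExchangeOnline has already been run; the rule name, the HTML banner text and the trusted partner domain in the exception are placeholders, and the 4KB figure is taken from the post above.

```powershell
# Added example, not from the original post. Assumes Connect-ExchangeOnline has been run.
$ruleSizeLimitBytes = 4KB   # the per-rule limit described in the post; PowerShell expands 4KB to 4096

# Display names of everyone with a mailbox, de-duplicated and regex-escaped so that
# punctuation such as "O'Brien" or "Smith (Contractor)" is matched literally.
$displayNames = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object -ExpandProperty DisplayName |
    Where-Object { $_ -and $_.Length -ge 5 } |   # skip blanks and very short names that would match too broadly
    Sort-Object -Unique
$patterns = $displayNames | ForEach-Object { [regex]::Escape($_) }

# The patterns are the bulk of the rule, so warn before Exchange refuses to save it.
$patternBytes = [Text.Encoding]::UTF8.GetByteCount(($patterns -join '|'))
if ($patternBytes -gt ($ruleSizeLimitBytes * 0.8)) {
    Write-Warning (('Patterns use {0} bytes of the {1}-byte rule limit; split the rule by ' +
                    'department, or restrict it to executives and finance staff.') -f $patternBytes, $ruleSizeLimitBytes)
}

$disclaimer = '<p style="background-color:#FFEB9C;padding:8px;">' +
              'Caution: this message came from outside the organisation but uses the name of one of our staff. ' +
              'Verify with the sender by phone before acting on any request in it.</p>'

# Only inbound mail is checked (FromScope), so colleagues emailing each other are never flagged.
# The exception (placeholder domain) covers a partner whose staff legitimately share a name.
New-TransportRule -Name 'Warn on display name impersonation' `
    -FromScope NotInOrganization `
    -HeaderMatchesMessageHeader 'From' `
    -HeaderMatchesPatterns $patterns `
    -ExceptIfSenderDomainIs 'trusted-partner.example' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $disclaimer `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 1
```

Re-run the script on a schedule (or after each starter and leaver) and replace the pattern list with Set-TransportRule; an impersonation rule that still lists last year's finance manager but not this year's is worse than none, because users learn to trust the absence of the banner.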
File Sharing Policies
A completely anonymous, never-expiring link granting write access to a file or folder inside your organization? That sounds like a ticking time bomb waiting to be exploited. However, Microsoft has the answer yet again with the sharing policies for OneDrive for Business and SharePoint Online. Found in the SharePoint Admin Center, these policies define which options your users are offered when they click the share button.
I strongly recommend moving away from the default of Anyone and View, going instead with New and existing guests: recipients must sign in with their Microsoft account, or enter a 6-digit verification code sent to their email address if they don’t have one. If you must keep Anyone links for a transition period, at least make them view-only and give them an expiry in days so that a leaked link stops working on its own.
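The same change from the SharePoint Online Management Shell, as an added example that is not part of the original post: record the current settings, set the tenant-wide ceiling, and list the sites that were configured for anonymous sharing so their owners can be warned. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator account, and that "contoso" is your tenant name (placeholder).

```powershell
# Added example, not from the original post. Assumes:
#   Install-Module Microsoft.Online.SharePoint.PowerShell
# and a SharePoint administrator account; "contoso" is a placeholder tenant name.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Record the current state so the change can be reversed if something breaks.
$before = Get-SPOTenant |
    Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
                  FileAnonymousLinkType, FolderAnonymousLinkType, RequireAnonymousLinksExpireInDays
$before | Format-List

# "New and existing guests": external recipients must sign in with a Microsoft account
# or enter a one-time verification code; anonymous "Anyone" links can no longer be created.
# The default link offered by the share button becomes "People in your organization", view-only,
# and an invitation can only be redeemed by the account it was sent to.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAcceptingAccountMatchInvitedAccount $true

# If you must keep "Anyone" links for a transition period, use this INSTEAD of the call above:
# view-only links that expire after 30 days.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View `
#               -RequireAnonymousLinksExpireInDays 30

# The tenant setting is the ceiling for every site, so a site configured more permissively
# is capped by it. List those sites anyway: their owners will ask why old links stopped working.
Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, SharingCapability
```

Existing Anyone links are not deleted by the tenant change; they simply stop resolving once the capability is removed, which is usually the intended effect but is worth announcing before the helpdesk finds out.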
Protecting Your Brand
Normally when you receive a malicious email there’s a good giveaway in the sender address: bank.com is suddenly bank.io or bank.sm.com. Sometimes, though, even that usual indicator looks legitimate, because the address really is @bank.com. That’s possible because bank.com isn’t publishing a DMARC record, so nothing tells the receiving server to reject mail that fails authentication.
At a very high level, your SPF record lists the senders allowed to send on your behalf. For example, my personal domain chambers.cloud lists Exchange Online and that’s all: anything else should be considered spam. The issue is that SPF on its own has no real enforcement; the receiving server decides what to do with a failure, and most do nothing. That’s where DMARC comes in. It tells receivers what to do when a message fails SPF (or DKIM) alignment with the From address: none (monitor only), quarantine or reject. It also asks receivers to send you aggregate reports, which is how you learn who is sending as your domain.
Deploying DMARC does require some planning; consider all senders, including the not so obvious ones such as the mass mail service marketing is using, or the scan-to-email relay for the office copier. Start small with p=none and read the aggregate reports for a few weeks, then move to a quarantine policy, ideally ramped with the pct tag. Moving to a reject policy will do what’s on the label and may impact legitimate traffic you forgot to authorize. Lastly, MXToolBox has some handy tools, as does Valimail with their free monitoring.
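A small checker for SPF and DMARC records, as an added example that is not part of the original post: it parses a record, reports whether it actually enforces anything, counts the DNS-lookup mechanisms that SPF caps at ten, and walks through the staged DMARC rollout described above. The sample records are constructed, not real DNS data; the domain names and the report mailbox are placeholders, and the optional live lookup depends on the Windows DnsClient module.

```powershell
# Added example, not from the original post.
function Get-SpfSummary {
    param([Parameter(Mandatory)][string]$Record)
    if ($Record -notmatch '^v=spf1(\s|$)') { throw "Not an SPF record: $Record" }
    $terms = @($Record -split '\s+' | Select-Object -Skip 1)
    $all   = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    # '-' hard fail, '~' soft fail, '?' neutral, '+' pass (useless), $null when 'all' is missing
    $qualifier = if (-not $all) { $null } elseif ($all.Length -eq 4) { $all.Substring(0, 1) } else { '+' }
    # Mechanisms that cost a DNS lookup; RFC 7208 caps them at 10, beyond which SPF is a permerror.
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:)' -or $_ -match '^redirect=' })
    [pscustomobject]@{
        Senders        = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|ip4:|ip6:|a(:|/|$)|mx(:|/|$))' })
        AllQualifier   = $qualifier
        Enforceable    = $qualifier -in @('-', '~')
        DnsLookupTerms = $lookups.Count
    }
}

function Get-DmarcSummary {
    param([Parameter(Mandatory)][string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    if ($tags['v'] -ne 'DMARC1') { throw "Not a DMARC record: $Record" }
    [pscustomobject]@{
        Policy           = $tags['p']
        SubdomainPolicy  = if ($tags.ContainsKey('sp')) { $tags['sp'] } else { $tags['p'] }
        Percent          = if ($tags.ContainsKey('pct')) { [int]$tags['pct'] } else { 100 }
        AggregateReports = $tags['rua']   # where receivers send the daily XML summaries
        Enforcing        = $tags['p'] -in @('quarantine', 'reject')
    }
}

# Constructed sample records (placeholders, not real DNS data).
$spfGood = 'v=spf1 include:spf.protection.outlook.com -all'                      # Exchange Online only
$spfWeak = 'v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ?all'   # copier relay added, but ?all enforces nothing
# The staged rollout: monitor, quarantine a slice, then reject everything including subdomains.
$dmarcStages = @(
    'v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com',
    'v=DMARC1; p=quarantine; pct=10; rua=mailto:dmarc-reports@example.com',
    'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com'
)
Get-SpfSummary $spfGood | Format-List
Get-SpfSummary $spfWeak | Format-List
$dmarcStages | ForEach-Object { Get-DmarcSummary $_ } |
    Format-Table Policy, SubdomainPolicy, Percent, Enforcing -AutoSize

# Optional live lookup, skipped where Resolve-DnsName (Windows DnsClient module) is unavailable.
function Get-DomainMailAuth {
    param([Parameter(Mandatory)][string]$Domain)
    $txt = { param($name) Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.Strings -join '' } }
    $spf   = & $txt $Domain          | Where-Object { $_ -like 'v=spf1*' }   | Select-Object -First 1
    $dmarc = & $txt "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    [pscustomobject]@{
        Domain = $Domain
        Spf    = if ($spf)   { Get-SpfSummary $spf }     else { 'missing' }
        Dmarc  = if ($dmarc) { Get-DmarcSummary $dmarc } else { 'missing: receivers will not reject spoofed mail' }
    }
}
if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) { Get-DomainMailAuth 'example.com' | Format-List }
```

The weak record is the common failure mode: someone adds the copier's address range, keeps `?all` "to be safe", and the domain is now exactly as spoofable as it was without SPF. The lookup count matters for the same reason; a marketing platform's include often pulls in several more, and once the total passes ten every receiver treats the record as broken.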
Make it look pretty
One of the most overlooked features of the platform is the visual customization available. Branding, or organization customization, is available across the Microsoft 365 suite; however, it is far from unified. Branding options live in the following locations:
- Azure Active Directory, Company Branding pane
- Microsoft 365 Admin Center Organization Profile, Custom Themes
- Teams Admin Center, Meeting Settings
- Intune Portal, Client Apps Branding.
Through these portals you’re able to brand the Microsoft 365 home page, the sign-in page, the Company Portal app and more. Don’t forget that with Intune you can also push a default branded wallpaper to devices.
While it seems cosmetic at first, custom branding helps your users spot suspicious circumstances, such as a sign-in page that isn’t showing the company branding they see every day. Treat it as a tripwire rather than a guarantee: a determined attacker can clone your branding onto a phishing page too, so it complements MFA and user training rather than replacing them.
I hope this has given you some ideas on ways to improve the experience from an end-user perspective while relieving some of the stress of management. If you have any questions about how to implement some of these, or any other thoughts, feel free to get in touch!