Best Practices to Secure Office 365

In the current digital age, organizations are relying more and more on cloud-based solutions, such as Office 365, to support their operations and communications. However, as organizations adopt these solutions, they also face new security challenges and risks. It is crucial for organizations to understand and implement best practices for securing their Office 365 environment to protect sensitive information, maintain the integrity of their organization, and prevent cyber threats.

Office 365 is a popular cloud-based suite of productivity tools that has become a staple in many businesses. With millions of users, it’s crucial to ensure the security of Office 365 and the sensitive data it holds.

What are the Best Practices to Secure Office 365?

Here are the best practices to help you secure Office 365:

Office 365 Security Defaults

Office 365 Security Defaults are a set of built-in security features that are automatically enabled for all Office 365 tenants. They help provide a baseline level of security for all tenants, regardless of their size or complexity, and can be customized to meet specific security requirements.

The following are some of the key security defaults in Office 365:

  1. Multi-Factor Authentication (MFA): MFA requires users to provide two or more forms of identification before accessing their Office 365 account. This helps prevent unauthorized access, even if passwords are stolen or compromised.
  2. Secure Email: Office 365 uses Transport Layer Security (TLS) to encrypt email in transit, and all email sent to and from Office 365 tenants is encrypted.
  3. Data Loss Prevention (DLP): DLP helps you identify, monitor, and protect sensitive information, such as financial data, credit card numbers, and social security numbers.
  4. Azure Active Directory: Azure Active Directory is a cloud-based identity and access management solution that helps you manage user accounts, roles, and permissions, and provides single sign-on (SSO) for Office 365.


How to Enable or Disable Security Defaults?

Enabling or disabling security defaults in Office 365 can be done through the Microsoft 365 admin center.

Here are the steps to enable or disable security defaults:

  1. Log in to the Microsoft 365 admin center with your administrative account.
  2. In the Microsoft 365 admin center, select “Settings” and then “Security & privacy.”
  3. In the Security & privacy section, select “Security defaults.”
  4. To enable security defaults, toggle the switch to “On.” To disable security defaults, toggle the switch to “Off.”
  5. If you’re disabling security defaults, you’ll be prompted to confirm your action. Click “Yes” to confirm and disable security defaults.

It’s important to note that disabling security defaults may make your data less secure, and it’s recommended to only disable them if you have a specific security requirement that cannot be met with the defaults enabled.

It’s also important to regularly review and update your security settings to ensure that your Office 365 environment remains secure. Enabling and disabling security defaults is just one aspect of securing Office 365, and it’s important to follow best practices, such as using multi-factor authentication and encrypting sensitive data, to help ensure the security of your data.
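The portal steps above have a scriptable equivalent, which is useful when you want to check or change the setting across several tenants and keep a record of the result. The following is an added example using the Microsoft Graph PowerShell SDK; it is not code from the original article. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds a role allowed to change the policy (the `Policy.ReadWrite.ConditionalAccess` scope is the documented requirement for this endpoint).

```powershell
# Added example: read and set the Security Defaults enforcement policy.
# Assumes: Microsoft.Graph.Identity.SignIns module installed; a suitably privileged admin.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# IsEnabled is $true when Security Defaults are on for the tenant.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output "Security Defaults enabled: $($policy.IsEnabled)"

# Security Defaults and Conditional Access policies cannot both be active.
# Only turn Security Defaults on when the tenant has no Conditional Access policies.
if (-not $policy.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
}

# Re-read the policy so the change is confirmed from the service, not assumed.
$after = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Output "Security Defaults enabled after change: $($after.IsEnabled)"
```

Turning the setting off is the same call with `-IsEnabled:$false`; treat that as a change that needs a documented reason, exactly as the paragraph above says.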

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is an extra layer of security that requires users to provide two or more pieces of evidence to verify their identity.

Here are the steps to configure MFA in Office 365:

  1. Log in to the Microsoft 365 admin center with your administrative account.
  2. In the Microsoft 365 admin center, select “Users” and then “Active users.”
  3. Select the user account you want to configure MFA for and then click on the “Multi-factor auth” button.
  4. Click “Set up” to configure MFA for the selected user.
  5. Choose the MFA method you want to use, such as phone call, text message, or mobile app notification.
  6. Follow the prompts to set up the selected MFA method.
  7. Repeat the process for each user account you want to configure MFA for.

It’s recommended to configure MFA for all users to help ensure the security of your Office 365 environment. You can also use Azure Active Directory to enforce MFA for all users and configure MFA policies to ensure that users are prompted to use MFA when accessing sensitive data.
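Per-user MFA, as in the steps above, works but does not scale and cannot express conditions. The tenant-wide enforcement mentioned in the last sentence is normally done with a Conditional Access policy. The block below is an added example with the Microsoft Graph PowerShell SDK, not code from the original article. It assumes the tenant is licensed for Conditional Access (Azure AD Premium P1 or higher), that Security Defaults are off (the two cannot coexist), and that you already have the object ID of an emergency access account to exclude; that ID is a placeholder here.

```powershell
# Added example: Conditional Access policy requiring MFA for all users, created in
# report-only mode first so sign-in logs can be reviewed before enforcement.
# Assumes: Microsoft.Graph.Identity.SignIns module; Conditional Access licensing;
#          Security Defaults turned off; placeholder object ID for the break-glass account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassId = "<emergency-access-account-object-id>"   # placeholder, replace before use

$policy = @{
    displayName   = "Require MFA for all users"
    # Report-only: evaluated and logged, but not enforced. Switch to "enabled" after review.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers = @("All")
            # Excluding the emergency access account prevents locking every admin out
            # if the MFA provider itself is unavailable.
            excludeUsers = @($breakGlassId)
        }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) (state: $($created.State))"

# Later, once the report-only results look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

Starting in report-only mode is deliberate: it shows which sign-ins would have been blocked (service accounts, legacy clients) before anyone is locked out.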


Create an emergency access Admin Account

Creating an emergency access admin account in Office 365 is a best practice to ensure that you have access to your data in the event of an emergency, such as the loss of your primary administrative account.

Here are the steps to create an emergency access admin account:

  1. Log in to the Microsoft 365 admin center with your primary administrative account.
  2. In the Microsoft 365 admin center, select “Users” and then “Active users.”
  3. Click on the “New user” button to create a new user account.
  4. Fill out the required information for the new user account, such as name, email address, and password.
  5. Assign a license to the new user account, such as Exchange Online or Microsoft 365 Business Premium.
  6. In the Microsoft 365 admin center, select “Settings” and then “Organization profile.”
  7. Under the “Global admin” section, select the new user account you just created and click “Add.”
  8. Save the changes to make the new user account a global administrator.

It’s important to keep the emergency access admin account information securely stored, and to regularly review and update the account to ensure that it remains secure. Additionally, it’s recommended to have a backup plan in place to ensure that you have access to your data in the event of an emergency. This can include creating additional emergency access admin accounts, regularly backing up your data, and implementing disaster recovery plans.
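The same account can be created from PowerShell, which makes it easier to generate a long random password and to record the account's object ID for exclusion from Conditional Access policies. This is an added example using the Microsoft Graph PowerShell SDK, not code from the original article. The tenant domain and the account name are placeholders; it assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed and that the signed-in admin can create users and assign directory roles.

```powershell
# Added example: create an emergency access (break-glass) account and make it a Global Administrator.
# Assumes: placeholder tenant domain; Microsoft.Graph.Users and
#          Microsoft.Graph.Identity.DirectoryManagement modules; privileged admin session.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

$domain = "contoso.onmicrosoft.com"   # placeholder, replace with your tenant domain

# 32 random bytes from a cryptographic RNG, base64-encoded: a 44-character password.
# Store it offline (sealed envelope or vault); it is printed here only once.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName "Emergency Access 01" `
    -UserPrincipalName "emergency-access-01@$domain" `
    -MailNickname "emergency-access-01" `
    -AccountEnabled:$true `
    -PasswordProfile @{
        Password                      = $password
        ForceChangePasswordNextSignIn = $false
    } `
    -PasswordPolicies "DisablePasswordExpiration"

# Get-MgDirectoryRole returns only roles already activated in the tenant; activate
# Global Administrator from its template if it has never been used.
$role = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $role) {
    $template = Get-MgDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
    $role = New-MgDirectoryRole -RoleTemplateId $template.Id
}

New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id `
    -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)" }

Write-Output "Created $($user.UserPrincipalName)"
Write-Output "Object ID (exclude from Conditional Access policies): $($user.Id)"
Write-Output "Initial password (store offline now): $password"
```

Because this account is excluded from MFA and Conditional Access, its only protection is the password and how it is stored; alert on every sign-in from it using the audit log, since any use should be a known emergency.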


Assign Role-Based Access Control (RBAC) for admins

Role-Based Access Control (RBAC) is a method of granting access to resources based on the roles and responsibilities of users. By assigning RBAC to administrators in Office 365, you can control which actions they are able to perform and limit their access to sensitive data.

Here are the steps to assign RBAC to administrators in Office 365:

  1. Log in to the Microsoft 365 admin center with your administrative account.
  2. In the Microsoft 365 admin center, select “Settings” and then “Roles & administrators.”
  3. Under “Roles,” select the role you want to assign to the administrator, such as “Exchange administrator” or “SharePoint administrator.”
  4. In the “Assigned administrators” section, select the administrator you want to assign the role to and click “Add.”
  5. Save the changes to assign the role to the administrator.

It’s important to regularly review and update the RBAC assignments for administrators to ensure that they have the appropriate level of access to perform their duties and to limit their access to sensitive data. Additionally, it’s recommended to use Azure Active Directory to enforce role-based access control and to monitor and audit administrator actions to ensure that they are following best practices.

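The "regularly review" part is where most tenants fall down, so here is an added example that lists who currently holds the privileged roles named above. It uses the Microsoft Graph PowerShell SDK and is not code from the original article; the list of role names is an assumption you should adjust to the roles your organization actually uses.

```powershell
# Added example: report members of privileged directory roles for periodic RBAC review.
# Assumes: Microsoft.Graph.Identity.DirectoryManagement module; read access to roles and users.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

# Roles to review; names match the labels shown in the admin center.
$privilegedRoles = @(
    'Global Administrator', 'Exchange Administrator', 'SharePoint Administrator',
    'Security Administrator', 'Privileged Role Administrator'
)

$report = foreach ($roleName in $privilegedRoles) {
    # Only roles that have been activated in the tenant are returned; skip the rest.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        [pscustomobject]@{
            Role     = $roleName
            MemberId = $member.Id
            # Members can be users, groups or service principals; the type tells you which.
            Type     = $member.AdditionalProperties['@odata.type']
            UPN      = $member.AdditionalProperties['userPrincipalName']
        }
    }
}

$report | Sort-Object Role, UPN | Format-Table -AutoSize

# Microsoft's guidance is fewer than five Global Administrators per tenant.
$gaCount = @($report | Where-Object Role -eq 'Global Administrator').Count
if ($gaCount -ge 5) {
    Write-Warning "$gaCount Global Administrators assigned; reduce to fewer than five where possible."
}

# Service principals holding admin roles deserve a second look: they have no MFA.
$report | Where-Object Type -eq '#microsoft.graph.servicePrincipal' | Format-Table -AutoSize
```

Run this on a schedule and diff the output against the previous run; a new entry in the Global Administrator list that nobody requested is an incident, not a housekeeping item.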


Enable Unified Audit Log

Enabling the unified audit log in Office 365 is a best practice to help ensure the security of your environment and to track user activity. The unified audit log provides a centralized location to view and search audit logs for various services in Office 365, including Exchange Online, SharePoint Online, and Azure Active Directory.

Here are the steps to enable the unified audit log in Office 365:

  1. Log in to the Microsoft 365 admin center with your administrative account.
  2. In the Microsoft 365 admin center, select “Security & Compliance” and then “Audit log search.”
  3. In the audit log search, click “Start recording user and admin activity.”
  4. Confirm that you want to start recording user and admin activity.
  5. The unified audit log will now start recording user and admin activity in your Office 365 environment.

It’s important to regularly review the unified audit log to monitor user and admin activity and to ensure that all activity is in compliance with your security policies. Additionally, it’s recommended to implement alerts to notify you of specific events, such as suspicious activity, and to use Azure Active Directory to enforce security policies and monitor access to sensitive data.
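Enabling the log and then actually searching it are both available from Exchange Online PowerShell. The following is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed and the account has the Audit Logs role. The search shown looks for mailbox forwarding and inbox-rule changes, which are among the most common things a compromised account is used for.

```powershell
# Added example: turn on unified audit log ingestion and run a review query.
# Assumes: ExchangeOnlineManagement module; an admin with audit log permissions.
Connect-ExchangeOnline

# Check first; only change the setting when it is actually off.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Output "Unified audit log ingestion enabled."
} else {
    Write-Output "Unified audit log ingestion was already enabled."
}

# Review query: mailbox configuration and inbox-rule changes in the last 7 days.
# Forwarding rules are a common persistence technique after a credential compromise.
$results = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations "Set-Mailbox", "New-InboxRule", "Set-InboxRule" `
    -ResultSize 5000

foreach ($r in $results) {
    # AuditData is a JSON string; parse it to reach the target object and client IP.
    $data = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $r.CreationDate
        Actor     = $r.UserIds
        Operation = $r.Operations
        Target    = $data.ObjectId
        ClientIP  = $data.ClientIP
    }
}
```

`-ResultSize 5000` is the per-call ceiling; for larger windows, page through with `-SessionId` and `-SessionCommand ReturnLargeSet`, or forward the log to a SIEM rather than querying interactively.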

Enable Alert Policies

Enabling alert policies in Office 365 is a best practice to help ensure the security of your environment and to proactively monitor and respond to security incidents. Alert policies allow you to set up notifications for specific security events, such as suspicious activity or access to sensitive data, so that you can respond quickly to potential security threats.

Here are the steps to enable alert policies in Office 365:

  1. Log in to the Microsoft 365 admin center with your administrative account.
  2. In the Microsoft 365 admin center, select “Security & Compliance” and then “Threat management” and then “Alerts.”
  3. Click on “New alert policy” to create a new alert policy.
  4. Select the type of security event you want to be notified about, such as “Suspicious activity” or “Access to sensitive data.”
  5. Configure the conditions for the alert policy, such as the specific type of activity or data that will trigger the alert.
  6. Select the recipients for the alert, such as administrators or security teams.
  7. Save the changes to enable the alert policy.

It’s important to regularly review and update the alert policies to ensure that they are configured to meet your security needs and to respond to the latest security threats. Additionally, it’s recommended to implement additional security measures, such as multi-factor authentication and role-based access control, to help prevent security incidents from occurring in the first place.


Enable Continuous Access Evaluation

Continuous Access Evaluation (CAE) is a security feature in Microsoft 365 that continuously evaluates the risk associated with a user’s access to sensitive data and automatically revokes access when necessary. By enabling CAE in Office 365, you can help ensure that sensitive data remains secure and that access is only granted to users who need it.

Here are the steps to enable Continuous Access Evaluation in Office 365:

  1. Log in to the Microsoft 365 admin center with your administrative account.
  2. In the Microsoft 365 admin center, select “Security & Compliance” and then “Threat management” and then “Access control.”
  3. In the “Access control” section, select “Continuous Access Evaluation.”
  4. Toggle the switch to “On” to enable Continuous Access Evaluation.
  5. Configure the specific conditions for Continuous Access Evaluation, such as the type of data that will trigger a review of access.
  6. Save the changes to enable Continuous Access Evaluation.

It’s important to regularly review and update the Continuous Access Evaluation settings to ensure that they are configured to meet your security needs and to respond to the latest security threats.


Enable Azure Portal Inactivity Timeout

Enabling the Azure portal inactivity timeout is a best practice to help ensure the security of your environment and to automatically sign out users after a specified period of inactivity. This helps to prevent unauthorized access to your resources and data if a user forgets to sign out or if their device is lost or stolen.

Here are the steps to enable the Azure portal inactivity timeout:

  1. Log in to the Azure portal with your administrative account.
  2. In the Azure portal, select “Azure Active Directory” and then “User settings.”
  3. In the “User settings” section, scroll down to the “Session” section.
  4. Enable the “Session timeout” option by selecting a timeout period, such as “15 minutes.”
  5. Save the changes to enable the Azure portal inactivity timeout.

It’s important to regularly review and update the Azure portal inactivity timeout settings to ensure that they are configured to meet your security needs and to respond to the latest security threats.


Enable Preset Security Policies in Exchange Online

Enabling preset security policies in Exchange Online is a best practice to help ensure the security of your email environment and to proactively monitor and respond to security incidents. Preset security policies allow you to quickly and easily implement security policies, such as spam filtering and malware protection, to help protect your organization against email-borne threats.

Here are the steps to enable preset security policies in Exchange Online:

  1. Log in to the Exchange admin center with your administrative account.
  2. In the Exchange admin center, select “policies” and then “preset policies.”
  3. Choose the preset policy you want to enable, such as “Exchange Online Protection default policy.”
  4. Select “Apply” to enable the preset security policy.
  5. Repeat the process for any additional preset security policies you want to enable.

It’s important to regularly review and update the preset security policies in Exchange Online to ensure that they are configured to meet your security needs and to respond to the latest security threats.
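The preset policies can be checked and enabled from Exchange Online PowerShell as well. This is an added example, not code from the original article. It assumes the ExchangeOnlineManagement module is installed, and it relies on the documented rule names "Standard Preset Security Policy" and "Strict Preset Security Policy"; the rule objects only exist once the preset has been turned on at least once, which is why the script checks for them rather than assuming they are present.

```powershell
# Added example: enable the Standard preset security policy (EOP part) and scope it.
# Assumes: ExchangeOnlineManagement module; rule objects exist after first enablement.
Connect-ExchangeOnline

$ruleName = "Standard Preset Security Policy"

$rule = Get-EOPProtectionPolicyRule -Identity $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    Write-Warning "Rule '$ruleName' not found; turn the preset on once in the portal, then re-run."
    return
}

Write-Output "State before: $($rule.State)"

if ($rule.State -ne 'Enabled') {
    Enable-EOPProtectionPolicyRule -Identity $ruleName
}

# Apply to every recipient in the placeholder domain (constructed value).
Set-EOPProtectionPolicyRule -Identity $ruleName -RecipientDomainIs "contoso.com"

# Verify both the state and the scope.
Get-EOPProtectionPolicyRule -Identity $ruleName |
    Format-List Name, State, Priority, RecipientDomainIs, SentTo, SentToMemberOf
```

Tenants with Defender for Office 365 have a matching `*-ATPProtectionPolicyRule` set of cmdlets for the Safe Links and Safe Attachments half of the same preset.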

Enable External Email Tagging

Enabling external email tagging is a best practice to help ensure the security of your email environment and to clearly identify external email messages that may contain sensitive information. This can help to prevent data leaks and to enforce security policies that are specific to external email messages.

Here are the steps to enable external email tagging in Exchange Online:

  1. Log in to the Exchange admin center with your administrative account.
  2. In the Exchange admin center, select “mail flow” and then “rules.”
  3. Select “New rule” to create a new mail flow rule.
  4. Choose the “Modify the message properties” option and then select “Add a message header.”
  5. Enter a header name, such as “X-External-Email” and a header value, such as “True” for external email messages.
  6. Save the changes to enable external email tagging.

It’s important to regularly review and update the external email tagging settings in Exchange Online to ensure that they are configured to meet your security needs and to respond to the latest security threats.
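Exchange Online has two ways to do this: a built-in "External" tag that Outlook clients render, and the mail flow rule described above. The following added example (not code from the original article) shows both, using the header name and value from the steps above. It assumes the ExchangeOnlineManagement module is installed; the rule name is a constructed value.

```powershell
# Added example: tag inbound external email in Exchange Online.
# Assumes: ExchangeOnlineManagement module; rule name is a constructed value.
Connect-ExchangeOnline

# Option A: native external-sender tag shown by Outlook, Outlook on the web and mobile.
Set-ExternalInOutlook -Enabled $true

# Option B: the mail flow rule from the steps above. Scoped to mail coming from outside
# the organization and going to internal recipients, so internal mail is never tagged.
$ruleName = "Tag external email"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToScope InOrganization `
        -SetHeaderName "X-External-Email" `
        -SetHeaderValue "True" `
        -PrependSubject "[EXTERNAL] " `
        -Comments "Stamps X-External-Email: True and a subject tag on inbound external mail."
}

# Verify both settings.
Get-ExternalInOutlook | Format-List Enabled, AllowList
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, SetHeaderName, SetHeaderValue, PrependSubject
```

The header is what other controls key on (a downstream rule can block external mail that impersonates an internal display name, for instance); the subject tag is what users see. Keep the tag text short so it survives reply chains.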

Block Basic Authentication Protocols

Blocking basic authentication protocols is a best practice to help ensure the security of your environment and to prevent attacks that exploit known vulnerabilities in these protocols. Basic authentication protocols, such as POP3, IMAP, and SMTP, transmit credentials in plaintext and are susceptible to eavesdropping and man-in-the-middle attacks.

Here are the steps to block basic authentication protocols in Exchange Online:

  1. Log in to the Exchange admin center with your administrative account.
  2. In the Exchange admin center, select “protocols” and then “basic authentication.”
  3. Disable the basic authentication protocols you want to block, such as POP3 and IMAP.
  4. Save the changes to block the basic authentication protocols.

It’s important to regularly review and update the basic authentication protocol settings in Exchange Online to ensure that they are configured to meet your security needs and to respond to the latest security threats.
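The tenant-wide way to do this in Exchange Online is an authentication policy, plus disabling SMTP AUTH client submission and the POP/IMAP protocols on mailboxes that do not need them. The block below is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module and a policy name that is a constructed value. Note that Microsoft has since disabled Basic authentication in Exchange Online for all tenants, so in a current tenant the script mostly confirms the state rather than changing it.

```powershell
# Added example: block Basic authentication in Exchange Online.
# Assumes: ExchangeOnlineManagement module; policy name is a constructed value.
Connect-ExchangeOnline

# 1. Authentication policy with Basic auth disabled for every protocol, set as the
#    tenant default. Listing each switch explicitly documents the intent.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName `
        -AllowBasicAuthPop:$false -AllowBasicAuthImap:$false -AllowBasicAuthSmtp:$false `
        -AllowBasicAuthActiveSync:$false -AllowBasicAuthAutodiscover:$false `
        -AllowBasicAuthMapi:$false -AllowBasicAuthOfflineAddressBook:$false `
        -AllowBasicAuthOutlookService:$false -AllowBasicAuthPowershell:$false `
        -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false `
        -AllowBasicAuthWebServices:$false
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 2. Disable SMTP AUTH client submission tenant-wide. A device that genuinely needs it
#    can be re-enabled per mailbox: Set-CASMailbox <id> -SmtpClientAuthenticationDisabled $false
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# 3. Turn off POP and IMAP on every mailbox that still has them on.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    ForEach-Object {
        Write-Output "Disabling POP/IMAP on $($_.PrimarySmtpAddress)"
        Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
    }

# Verify the tenant-level settings.
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-TransportConfig     | Select-Object SmtpClientAuthenticationDisabled
```

Before running step 3 in production, check the audit log and sign-in logs for clients still using POP or IMAP; multifunction printers and scan-to-email devices are the usual stragglers.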


Block Legacy Authentication for SharePoint

Blocking legacy authentication for SharePoint is a best practice to help ensure the security of your environment and to prevent attacks that exploit known vulnerabilities in these protocols. Legacy authentication protocols, such as NTLM and Kerberos, transmit credentials in plaintext and are susceptible to eavesdropping and man-in-the-middle attacks.

Here are the steps to block legacy authentication for SharePoint:

  1. Log in to the SharePoint admin center with your administrative account.
  2. In the SharePoint admin center, select “Settings” and then “Security & privacy.”
  3. Under “Authentication policies,” select “Edit” for the policy you want to update.
  4. Change the policy to block legacy authentication protocols, such as NTLM and Kerberos.
  5. Save the changes to block the legacy authentication protocols.

It’s important to regularly review and update the legacy authentication protocol settings in SharePoint to ensure that they are configured to meet your security needs and to respond to the latest security threats.

Block Shared Mailbox Sign-in

Blocking shared mailbox sign-in is a best practice to help ensure the security of your environment and to prevent unauthorized access to shared mailboxes. Shared mailboxes are a common target for attackers because they often contain sensitive information and may not have proper security controls in place.

Here are the steps to block shared mailbox sign-in in Exchange Online:

  1. Log in to the Exchange admin center with your administrative account.
  2. In the Exchange admin center, select “recipients” and then “shared.”
  3. Select the shared mailbox you want to update.
  4. Under “Sign-in status,” change the status to “Blocked.”
  5. Save the changes to block the shared mailbox sign-in.

It’s important to regularly review and update the shared mailbox sign-in settings in Exchange Online to ensure that they are configured to meet your security needs and to respond to the latest security threats.
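Doing this one mailbox at a time in the admin center does not scale, and new shared mailboxes are created with sign-in enabled. The following added example (not code from the original article) finds every shared mailbox whose underlying account can still sign in and blocks it. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed.

```powershell
# Added example: block direct sign-in on all shared mailboxes.
# Assumes: ExchangeOnlineManagement and Microsoft.Graph.Users modules; admin session.
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

foreach ($mbx in $shared) {
    # ExternalDirectoryObjectId links the mailbox to its Azure AD user object.
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property Id, UserPrincipalName, AccountEnabled

    if ($user.AccountEnabled) {
        Write-Output "Blocking sign-in: $($user.UserPrincipalName)"
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
    }
}

# Verify: nothing should be left enabled.
$stillEnabled = foreach ($mbx in $shared) {
    Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property UserPrincipalName, AccountEnabled |
        Where-Object AccountEnabled
}
if ($stillEnabled) { $stillEnabled | Select-Object UserPrincipalName }
else { Write-Output "All $($shared.Count) shared mailboxes have sign-in blocked." }
```

Blocking sign-in does not affect delegates: users with Full Access or Send As permissions reach the shared mailbox with their own credentials, which is exactly the point, since those accounts are the ones covered by MFA.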

Block Auto-forwarding to External Domain

Blocking auto-forwarding to external domains is a best practice to help ensure the security of your environment and to prevent sensitive information from being leaked to unauthorized parties. Auto-forwarding to external domains can be a security concern because it can allow sensitive information to be sent to domains that may not have proper security controls in place.

Here are the steps to block auto-forwarding to external domains in Exchange Online:

  1. Log in to the Exchange admin center with your administrative account.
  2. In the Exchange admin center, select “recipients” and then “mailboxes.”
  3. Select the mailbox you want to update.
  4. Under “Mailbox features,” select “mail flow” and then “mail flow policies.”
  5. Create a new mail flow policy to block auto-forwarding to external domains.
  6. Apply the new mail flow policy to the mailbox.
  7. Save the changes to block the auto-forwarding to external domains.

It’s important to regularly review and update the auto-forwarding to external domains settings in Exchange Online to ensure that they are configured to meet your security needs and to respond to the latest security threats.
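Per-mailbox policies miss the common case, which is an inbox rule a user (or an attacker with the user's password) created themselves. The tenant-wide controls are the remote domain setting and the outbound spam policy; the review queries then surface forwarding that already exists. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: block automatic forwarding to external domains and audit existing forwarding.
# Assumes: ExchangeOnlineManagement module; admin session.
Connect-ExchangeOnline

# 1. Remote domain "Default" covers every external domain without a specific entry.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. Outbound spam policy: reject auto-forwarded mail regardless of how it was set up
#    (inbox rule, mailbox ForwardingSmtpAddress, or client-side rule).
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 3. Mailbox-level forwarding that is already configured.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Inbox rules that forward or redirect. -IncludeHidden matters: rules created through
#    some APIs are hidden from Outlook and are a known persistence technique.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName -IncludeHidden -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Verify the two tenant-wide settings.
Get-RemoteDomain -Identity Default | Select-Object AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy -Identity Default | Select-Object AutoForwardingMode
```

Pair step 4 with the audit log query for `New-InboxRule` and `Set-InboxRule`: the static review tells you what exists, the audit log tells you who created it and from which IP.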

Block User Consent to Apps

Blocking user consent to apps is a best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. When users consent to apps, they may be granting the app access to sensitive information that could potentially be used for malicious purposes.

Here are the steps to block user consent to apps in Office 365:

  1. Log in to the Azure Active Directory (AAD) portal with your administrative account.
  2. In the AAD portal, select “Enterprise applications.”
  3. Select the application you want to update.
  4. Under “Properties,” select “Users and groups.”
  5. Change the setting for “User assignment required” to “Yes.”
  6. Save the changes to block user consent to the app.

It’s important to regularly review and update the user consent to apps settings in Office 365 to ensure that they are configured to meet your security needs and to respond to the latest security threats.

Block User Access to Azure Portal

Blocking user access to the Azure portal is a best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. The Azure portal provides access to many of the services and resources that make up Office 365, and it is important to ensure that only authorized users have access to these resources.

Here are the steps to block user access to the Azure portal:

  1. Log in to the Azure portal with your administrative account.
  2. In the Azure portal, select “Azure Active Directory.”
  3. Select “Users.”
  4. Select the user you want to update.
  5. Under “Access,” change the setting for “Azure portal” to “Block.”
  6. Save the changes to block the user’s access to the Azure portal.

It’s important to regularly review and update the user access to the Azure portal settings to ensure that they are configured to meet your security needs and to respond to the latest security threats.

Block Guests from Inviting Others

Blocking guest access to invite others is a best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. When guests have the ability to invite others, they may inadvertently or maliciously invite users who do not have proper access to sensitive information.

Here are the steps to block guest access to invite others in Office 365:

  1. Log in to the Azure Active Directory (AAD) portal with your administrative account.
  2. In the AAD portal, select “Azure Active Directory.”
  3. Select “External Identities.”
  4. Select “Guest inviter settings.”
  5. Change the setting for “Who can invite” to “Only administrators.”
  6. Save the changes to block guests from inviting others.

It’s important to regularly review and update the guest access to invite others settings in Office 365 to ensure that they are configured to meet your security needs and to respond to the latest security threats.
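Both this setting and the user consent setting from the previous section live in the same tenant authorization policy, so one added example covers both. It uses the Microsoft Graph PowerShell SDK and is not code from the original article; it assumes the Microsoft.Graph.Identity.SignIns module is installed and an admin who can edit authorization policy.

```powershell
# Added example: tenant authorization policy for user consent to apps and guest invitations.
# Assumes: Microsoft.Graph.Identity.SignIns module; Policy.ReadWrite.Authorization granted.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Current state.
$auth = Get-MgPolicyAuthorizationPolicy
[pscustomobject]@{
    AllowInvitesFrom        = $auth.AllowInvitesFrom
    PermissionGrantPolicies = ($auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')
} | Format-List

# Block user consent to applications. An empty permission-grant policy list means users
# cannot consent to any app; requests go through the admin consent workflow instead.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    PermissionGrantPoliciesAssigned = @()
}

# Restrict guest invitations to admins and the Guest Inviter role.
# Valid values: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone.
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom "adminsAndGuestInviters"

# Verify.
$after = Get-MgPolicyAuthorizationPolicy
[pscustomobject]@{
    AllowInvitesFrom        = $after.AllowInvitesFrom
    PermissionGrantPolicies = ($after.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ', ')
} | Format-List
```

If blocking all user consent generates too much admin workload, the middle ground is to assign the built-in `ManagePermissionGrantsForSelf.microsoft-user-default-low` policy instead of an empty list, which lets users consent only to verified publishers asking for low-impact permissions.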

Block Anonymous Users from Joining a Meeting

Blocking anonymous users from joining a meeting is a best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. Anonymous users can potentially access sensitive information during a meeting if they are able to join.

Here are the steps to block anonymous users from joining a meeting in Microsoft Teams:

  1. Log in to the Microsoft Teams admin center with your administrative account.
  2. In the Microsoft Teams admin center, select “Meetings.”
  3. Under “Meeting policies,” select the policy you want to update.
  4. Under “Join restrictions,” select “Everyone in my organization” or “People in my organization with a specific role.”
  5. Save the changes to block anonymous users from joining a meeting.

It’s important to regularly review and update the join restrictions settings in Microsoft Teams to ensure that they are configured to meet your security needs and to respond to the latest security threats.
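The Teams setting is also available from the MicrosoftTeams PowerShell module, which lets you fix every meeting policy at once rather than only the one you happened to open. This is an added example, not code from the original article; it assumes the MicrosoftTeams module is installed and a Teams administrator session.

```powershell
# Added example: block anonymous join across all Teams meeting policies.
# Assumes: MicrosoftTeams module; Teams administrator.
Connect-MicrosoftTeams

# Review every meeting policy first. "Global" applies to users without a custom policy.
Get-CsTeamsMeetingPolicy |
    Select-Object Identity, AllowAnonymousUsersToJoinMeeting, AllowAnonymousUsersToStartMeeting, AutoAdmittedUsers |
    Format-Table -AutoSize

# Tenant-wide switch: takes precedence over per-policy settings.
Set-CsTeamsMeetingConfiguration -DisableAnonymousJoin $true

# Harden the Global policy: no anonymous join or start, and only people in the
# organization bypass the lobby.
Set-CsTeamsMeetingPolicy -Identity Global `
    -AllowAnonymousUsersToJoinMeeting $false `
    -AllowAnonymousUsersToStartMeeting $false `
    -AutoAdmittedUsers "EveryoneInCompany"

# Bring any custom policy that still allows anonymous join into line.
Get-CsTeamsMeetingPolicy |
    Where-Object { $_.Identity -ne 'Global' -and $_.AllowAnonymousUsersToJoinMeeting } |
    ForEach-Object {
        Write-Output "Fixing policy $($_.Identity)"
        Set-CsTeamsMeetingPolicy -Identity $_.Identity -AllowAnonymousUsersToJoinMeeting $false
    }

# Verify.
Get-CsTeamsMeetingConfiguration | Select-Object DisableAnonymousJoin
Get-CsTeamsMeetingPolicy | Select-Object Identity, AllowAnonymousUsersToJoinMeeting | Format-Table -AutoSize
```

Blocking anonymous join also blocks external customers who have no Teams account, so organizations that host public webinars usually keep a separate policy for the few users who run them.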

Limit External Sharing in SharePoint

Limiting external sharing in SharePoint is a best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. SharePoint provides the ability to share content with external users, but it is important to limit external sharing to only what is necessary to minimize the risk of data loss or unauthorized access.

Here are the steps to limit external sharing in SharePoint:

  1. Log in to the SharePoint admin center with your administrative account.
  2. In the SharePoint admin center, select “Settings.”
  3. Under “Site Collection”, select “External Sharing.”
  4. Change the setting for “Who can share with external users” to “Admins only” or “Specific people.”
  5. Save the changes to limit external sharing in SharePoint.

It’s important to regularly review and update the external sharing settings in SharePoint to ensure that they are configured to meet your security needs and to respond to the latest security threats.
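Both this section and the earlier one on blocking legacy authentication for SharePoint are tenant settings on SharePoint Online, so one added example covers both. It uses the SharePoint Online Management Shell and is not code from the original article; the admin center URL is a placeholder and the module must be installed.

```powershell
# Added example: SharePoint Online tenant settings for legacy auth and external sharing.
# Assumes: Microsoft.Online.SharePoint.PowerShell module; placeholder admin URL.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Current state.
$t = Get-SPOTenant
[pscustomobject]@{
    LegacyAuthProtocolsEnabled = $t.LegacyAuthProtocolsEnabled
    SharingCapability          = $t.SharingCapability
    DefaultSharingLinkType     = $t.DefaultSharingLinkType
} | Format-List

# Block legacy authentication: clients must use modern (OAuth-based) auth.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Limit external sharing: only authenticated external users (no anonymous "Anyone" links),
# and make "specific people" the default link type so sharing is opt-in per recipient.
# SharingCapability values: Disabled, ExistingExternalUserSharingOnly,
#                           ExternalUserSharingOnly, ExternalUserAndGuestSharing.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Direct

# Site-level settings cannot exceed the tenant setting, but listing sites that were
# previously more permissive tells you where users relied on anonymous links.
Get-SPOSite -Limit All |
    Where-Object SharingCapability -eq 'ExternalUserAndGuestSharing' |
    Select-Object Url, SharingCapability

# Verify.
Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled, SharingCapability, DefaultSharingLinkType
```

Existing anonymous links stop working the moment `SharingCapability` is tightened, so announce the change before making it and expect a short spike in helpdesk tickets from users who had shared documents that way.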

User Password Policies

Implementing strong user password policies is an important best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. Office 365 provides the ability to set password policies for user accounts to enforce password length, complexity, and expiration.

Here are the steps to set user password policies in Office 365:

  1. Log in to the Office 365 admin center with your administrative account.
  2. In the Office 365 admin center, select “Users.”
  3. Select “Active users.”
  4. Select “Password reset policies.”
  5. Set the password policy requirements, such as password length, complexity, and expiration.
  6. Save the changes to set the user password policies.

It’s important to regularly review and update the user password policies in Office 365 to ensure that they are configured to meet your security needs and to respond to the latest security threats.


Enable Self-Service Password Reset

Enabling self-service password reset is a best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. Office 365 provides the ability to enable self-service password reset, which allows users to reset their own passwords without the need for administrative intervention.

Here are the steps to enable self-service password reset in Office 365:

  1. Log in to the Office 365 admin center with your administrative account.
  2. In the Office 365 admin center, select “Users.”
  3. Select “Active users.”
  4. Select “Password reset policies.”
  5. Under “Self-service password reset,” select “On.”
  6. Configure the self-service password reset options, such as security questions or phone verification.
  7. Save the changes to enable self-service password reset.

It’s important to regularly review and update the self-service password reset options in Office 365 to ensure that they are configured to meet your security needs and to respond to the latest security threats.

Allow Combined Security Information Registration

Allowing combined security information registration is a best practice to help ensure the security of your environment and to prevent unauthorized access to sensitive information. Office 365 provides the ability to allow users to register multiple security information options, such as phone numbers and alternate email addresses, for use in password reset and multi-factor authentication scenarios.

Here are the steps to allow combined security information registration in Office 365:

  1. Log in to the Office 365 admin center with your administrative account.
  2. In the Office 365 admin center, select “Users.”
  3. Select “Active users.”
  4. Select “Password reset policies.”
  5. Under “Self-service password reset,” select “On.”
  6. Enable the option to allow combined security information registration.
  7. Save the changes to allow combined security information registration.

It’s important to regularly review and update the self-service password reset options in Office 365 to ensure that they are configured to meet your security needs and to respond to the latest security threats.

Configure SPF, DKIM and DMARC

Configuring SPF, DKIM, and DMARC is an important best practice for ensuring the security and authenticity of email sent from your organization. These technologies help protect your organization from email spoofing, phishing attacks, and other email-based threats. Here are the steps to configure SPF, DKIM, and DMARC for your Office 365 environment:

  1. SPF (Sender Policy Framework): To configure SPF for your domain, you need to create a TXT record in your domain’s DNS zone that specifies the authorized mail servers for your domain. The SPF record should include the necessary information to identify all the IP addresses and domain names that are used to send email from your domain.
  2. DKIM (DomainKeys Identified Mail): To configure DKIM for your domain, you need to create two DNS records in your domain’s DNS zone: one is a TXT record that includes the public key used to sign email messages, and the other is a selector record that specifies which public key to use for signing.
  3. DMARC (Domain-based Message Authentication, Reporting & Conformance): To configure DMARC for your domain, you need to create a TXT record in your domain’s DNS zone that specifies the DMARC policy for your domain. The DMARC policy specifies how email messages from your domain should be handled by recipient mail servers, including whether they should be accepted, rejected, or quarantined based on the results of the SPF and DKIM checks.
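The three records are easiest to get right when you can see a concrete set and then check what DNS actually returns. The block below is an added example, not code from the original article. The domain, the report mailbox and the tenant name are placeholders; the `spf.protection.outlook.com` include and the `selector1`/`selector2` DKIM names are Microsoft's documented values for Microsoft 365, where DKIM is published as two CNAME records pointing at keys Microsoft hosts rather than as a TXT record you manage yourself. It assumes the ExchangeOnlineManagement module and, for the DNS check, the Windows DnsClient module that provides `Resolve-DnsName`.

```powershell
# Added example: enable DKIM in Exchange Online and verify SPF, DKIM and DMARC in DNS.
# Assumes: placeholder domain/tenant; ExchangeOnlineManagement module; Resolve-DnsName (Windows).
$domain = "contoso.com"

# Constructed sample zone records for $domain (what you publish at your DNS provider):
#   contoso.com.                        TXT    "v=spf1 include:spf.protection.outlook.com -all"
#   selector1._domainkey.contoso.com.   CNAME  selector1-contoso-com._domainkey.<tenant>.onmicrosoft.com.
#   selector2._domainkey.contoso.com.   CNAME  selector2-contoso-com._domainkey.<tenant>.onmicrosoft.com.
#   _dmarc.contoso.com.                 TXT    "v=DMARC1; p=none; rua=mailto:dmarc-reports@contoso.com"
# Start DMARC at p=none to collect reports, then move to quarantine and finally reject.

# --- Exchange Online side: turn on DKIM signing and read the exact CNAME targets ---
Connect-ExchangeOnline
if (-not (Get-DkimSigningConfig -Identity $domain -ErrorAction SilentlyContinue)) {
    New-DkimSigningConfig -DomainName $domain -Enabled $true
}
Get-DkimSigningConfig -Identity $domain | Format-List Enabled, Selector1CNAME, Selector2CNAME

# --- DNS side: check what is really published ---
function Test-MailAuthRecords {
    param([string]$Domain)

    $spf   = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { ($_.Strings -join '') -like 'v=spf1*' }
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { ($_.Strings -join '') -like 'v=DMARC1*' }
    $dkim1 = Resolve-DnsName -Name "selector1._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $dkim2 = Resolve-DnsName -Name "selector2._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue

    $spfText   = if ($spf)   { $spf.Strings -join '' }   else { 'MISSING' }
    $dmarcText = if ($dmarc) { $dmarc.Strings -join '' } else { 'MISSING' }

    [pscustomobject]@{
        Domain        = $Domain
        SPF           = $spfText
        SPFHardFail   = $spfText -match '-all$'                     # "-all", not "~all"
        DKIM1         = if ($dkim1) { $dkim1.NameHost } else { 'MISSING' }
        DKIM2         = if ($dkim2) { $dkim2.NameHost } else { 'MISSING' }
        DMARC         = $dmarcText
        DMARCEnforced = $dmarcText -match 'p=(quarantine|reject)'  # p=none only reports
    }
}

Test-MailAuthRecords -Domain $domain | Format-List
```

Two checks in the function are worth explaining: `SPFHardFail` distinguishes `-all` (reject unauthorized senders) from the softer `~all`, and `DMARCEnforced` distinguishes a monitoring-only `p=none` policy from one that actually tells receivers to quarantine or reject spoofed mail. Both are common gaps in domains that "have SPF and DMARC".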


Conclusion

Securing your Office 365 environment is essential to ensuring the protection of sensitive information and the integrity of your organization. By following the best practices outlined in this guide, such as enabling security defaults, configuring multi-factor authentication, and setting password policies, you can take control of your Office 365 security and prevent cyber threats from compromising your environment. Regularly reviewing and updating your security configurations is critical to staying ahead of the latest security threats and maintaining the security of your Office 365 environment.
