The ubiquitous Office 365 has a lot of powerful options for safety, security, and logging – but almost none of it comes configured out of the box; you, the administrator, need to put in the leg-work to take full advantage of what 365 can do from a security standpoint.
There’s a fine balance to be struck here: productivity vs. security. We want security to be effective enough to protect from the vast majority of common threats – but we don’t want to be so restrictive that we stunt efficiency and productivity. Thankfully, productivity and security aren’t inversely proportional to each other – if you deploy the right measures the right way, you don’t sacrifice a lick of productivity.
Below are 3 of my primary tips to tremendously improve your 365 security posture without needlessly becoming “The Grinch who Destroyed Productivity”:
1. Enable Multifactor Authentication.
At this point, I should hardly need to qualify the importance of MFA. Studies from security researchers at Microsoft have shown that 99.9% of all hacking attempts can be stopped simply by leveraging MFA to protect user accounts.
MFA in the past was a bit of a pain – but the introduction of Modern Authentication has negated the prior use of headache-inducing app passwords, now making MFA a breeze. I’ve introduced MFA for dozens of client environments with very little difficulty or pain on the user side, especially after they’ve been trained. Simply configure Conditional Access policies, then announce/deploy the change to users.
2. Block Sign-in for all Shared Inboxes.
Shared Inboxes are a useful tool that allow you to leverage multiple inboxes across your user base without needing to purchase multiple licenses, so long as the shared inbox is attached to a licensed account. This is common when users leave an organization: convert their inbox to shared, then attach to another user in the business.
In my experience, these mailboxes are rarely blocked from direct access using the “Block Sign-In” option – instead they are left wide open to login from anyone with the password. This, of course, leaves the entire business open to exploitation when someone signs into the mailbox and starts spamming other users, or worse: the business’s clients.
It’s not hard: simply press the “Block Sign-In” button on a Shared Inbox and close the security hole. Delegated access for the staff who actually work the mailbox keeps functioning, because it uses their own credentials rather than the shared mailbox’s password.
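The same check and fix, scripted so it can be run across a whole tenant rather than one mailbox at a time. This is an added example and not code from the original post; it assumes the ExchangeOnlineManagement and Microsoft.Graph.Users PowerShell modules are installed and that the signed-in administrator can read mailboxes and update user accounts.

```powershell
# Added example, not part of the original post: list every shared mailbox in
# the tenant whose sign-in is still enabled and, with -Block, disable it.
# "Block sign-in" in the admin center is the same operation as setting
# AccountEnabled = $false on the mailbox's user object in Entra ID.
#
# Assumes: ExchangeOnlineManagement and Microsoft.Graph.Users modules are
# installed, and the caller holds rights to read mailboxes and update users.
function Get-SharedMailboxSignInState {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Block   # when set, disable sign-in on each open mailbox
    )

    Connect-ExchangeOnline -ShowBanner:$false
    Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

    $shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

    foreach ($mbx in $shared) {
        # ExternalDirectoryObjectId is the Entra ID object id behind the mailbox.
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
                           -Property Id, UserPrincipalName, AccountEnabled
        $enabled = [bool]$user.AccountEnabled

        if ($enabled -and $Block -and
            $PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Block sign-in')) {
            Update-MgUser -UserId $user.Id -AccountEnabled:$false
            $enabled = $false
        }

        [pscustomobject]@{
            Mailbox       = $user.UserPrincipalName
            SignInEnabled = $enabled
        }
    }
}

# Report only: every row with SignInEnabled = True is an unblocked shared mailbox.
Get-SharedMailboxSignInState | Where-Object SignInEnabled | Format-Table -AutoSize

# Dry run of the fix (prints what would change), then the real thing:
# Get-SharedMailboxSignInState -Block -WhatIf
# Get-SharedMailboxSignInState -Block
```

Run the report form first and review the list before using -Block, since a mailbox that was converted from a departed user may still be in use by someone signing in directly rather than through delegation.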
3. Enable Alert Policies.
Alert Policies are customizable alarms which can be set in 365 to draw your attention to suspicious behaviour indicative of malicious activity. This way, in the unlikely event that someone DOES crack your secure passwords, and DOES get past the MFA you’ve surely set up by now, said hacker is not simply home free.
If you get an alert reporting that one of your users in Cleveland has suddenly signed in from Myanmar, this is cause for concern – and not something that should be shrugged at simply because the login passed MFA. Leverage a set of useful Alert Policies and get ahead of the curve on suspicious activity.