Insync Blogs , Insync Tech Talk , microsoft 365 , Security , | 2020/10/29 at 12:19pm

Fundamental Security for Microsoft 365 – What do we need to do?

  • Enforce MFA
  • Utilise Conditional Access to limit access via IP/Subnet, device, location
  • Block Legacy authentication
  • Manage External sharing with SharePoint
  • Mobile application management
  • Block / Audit Exchange forwarding rules
  • Block App Consent

In this blog, we will cover the fundamental security controls that ANY organisation should be using in this new hybrid world of work. It’s important to consider a variety of different security controls, particularly when staff are remote, from unfamiliar locations and possibly unfamiliar devices. With cybersecurity becoming a board-level responsibility, too often we find organisations with poor security controls applied to one of their biggest investments and locations of information, Microsoft 365.

Generally, we split the key things organisations should be doing into two categories: User Controls and Admin Controls. User Controls are the ones the user sees and interacts with, where the user shares responsibility for their own security and that of the organisation. Admin Controls are not exposed to the end user, but they set the minimum protections an organisation needs against common threats.

If you get nothing else from this blog other than the impetus to go and implement these in your organisation, we will consider this a success! If you need help implementing what’s discussed here or want a further conversation around our managed Microsoft security platform, @M365 Secure, please hit the links below to get in touch.


User Controls

Multifactor Authentication

Do we actually need to say this anymore? Apparently so, after a recent survey revealed that 78% of Microsoft 365 admins don’t activate MFA. This might sound like an aggressive statement, but having dealt too often with organisations finding excuses not to implement basic security norms, it just needs to be said: any organisation that hasn’t implemented MFA, or is still only planning to, is either derelict in its duty, has a poor culture and difficult employees, or has some intractable technical problem that cannot be overcome. Deploy MFA, do some training, spend the time with your users to onboard them, and then build the process into your employee lifecycle. Start with every account that holds an admin role, and prefer the Microsoft Authenticator app (or FIDO2 keys) over SMS, which is the weakest factor. Staff play a role in protecting organisational assets, not just the CISO or the board. If staff have an issue with the extra step, consider the scenario where they are the cause of a breach that results in financial loss and flows on to job cuts, including theirs. That should be reason enough for staff to take on the responsibility to protect their job, their peers and their employer. Financial loss flows through many parts of an organisation and can impact people as well as reputation.

External Sharing

This is a contentious one: often you need external sharing enabled so people can share files with contractors, visitors, business partners and so on. SharePoint External Sharing is a tenant-level setting that caps how content can be shared outside the organisation, from “Anyone” links that need no sign-in, through authenticated guests only, down to no external sharing at all. It can also be set per site, and a site can only ever be more restrictive than the tenant, never more permissive; many admins aren’t aware of this. Some organisations turn it off completely instead of being selective, but it’s worth understanding the implications of external sharing across SharePoint, OneDrive (which is built on SharePoint, so it inherits the same controls) and Teams (whose files live in SharePoint sites). Check out a link by our own Loryan Strant describing recommended External Sharing settings here.
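As an added example (not code from the original post or from Insync), here is how the tenant-level and site-level sharing controls described above look in the SharePoint Online Management Shell. It assumes that module is installed, that you are a SharePoint admin, and that “contoso”, the site URLs and “partner.example.com” are placeholders for your own tenant, sites and partner domain.

```powershell
# Added example: review and tighten SharePoint/OneDrive external sharing.
# "contoso", the site URLs and the partner domain are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the current tenant-level settings before changing anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList

# 2. Tenant baseline: share only with authenticated guests (no "Anyone" links),
#    default new links to people inside the organisation, and make any anonymous
#    links that are still allowed view-only and short-lived.
#    SharingCapability values, most to least open: ExternalUserAndGuestSharing,
#    ExternalUserSharingOnly, ExistingExternalUserSharingOnly, Disabled.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View `
              -RequireAnonymousLinksExpireInDays 30

# 3. Optionally restrict guests to named partner domains (placeholder domain).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example.com"

# 4. Site-level control. The tenant setting is a ceiling: a site can be more
#    restrictive than the tenant, never more permissive.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance"  -SharingCapability Disabled
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Partners" -SharingCapability ExternalUserSharingOnly

# 5. Audit: every site, personal OneDrive sites included, where external
#    sharing is still switched on.
Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Template |
    Sort-Object Url
```

Run step 1 and step 5 first and keep the output: it is the list of sites you will have to explain to site owners once the tenant cap comes down, and it is where Teams-connected sites with guest access show up.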

Mobile App Management

For customers with access to Endpoint Manager (formerly known as Intune) as part of Microsoft 365, implementing Mobile Application Management (MAM) is another key part of managing corporate data leakage. MAM, through app protection policies, gives granular in-application controls: blocking saving data locally to the device, blocking copy and paste from corporate applications into consumer applications, requiring an app PIN, wiping corporate data from the app remotely, and (on Android) blocking screenshots. Because the policy applies to the app rather than the device, personal devices can be used for business purposes without being enrolled: work applications sit side-by-side with personal applications, with corporate data kept inside the managed apps.
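As an added example (not code from the original post or from Insync), the following creates an iOS app protection policy with the data-leakage controls just described through the Microsoft Graph API, using the Microsoft.Graph PowerShell SDK. It assumes an admin with the DeviceManagementApps.ReadWrite.All permission. The property names are those of the Graph iosManagedAppProtection resource; the values are a suggested baseline rather than a standard, and the Microsoft app bundle IDs should be checked against the app list in Endpoint Manager. Assigning the policy to a user group is a separate step (the policy’s assign action, or the portal) and is not shown.

```powershell
# Added example: iOS app protection (MAM) policy via Microsoft Graph.
# Values are a suggested baseline; adjust to your own risk appetite.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"
$graph = "https://graph.microsoft.com/v1.0"

$policy = @{
    displayName                             = "iOS - Corporate data protection"
    description                             = "Keep corporate data inside managed apps"
    # Data transfer: corporate data may only move between managed apps, and only
    # managed apps may paste into them (users can still paste in from managed apps).
    allowedOutboundDataTransferDestinations = "managedApps"
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    # No "Save As" to the device or personal clouds; OneDrive/SharePoint only.
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    managedBrowserToOpenLinksRequired       = $true
    # Access requirements: app PIN, re-check with Azure AD every 12 hours online,
    # and wipe the app's corporate data after 90 days without a check-in.
    pinRequired                             = $true
    simplePinBlocked                        = $true
    minimumPinLength                        = 6
    maximumPinRetries                       = 5
    periodOnlineBeforeAccessCheck           = "PT12H"   # ISO 8601 durations
    periodOfflineBeforeAccessCheck          = "PT12H"
    periodOfflineBeforeWipeIsEnforced       = "P90D"
    organizationalCredentialsRequired       = $false
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections" `
    -Body $policy

# Target the policy at the apps staff actually work in (public iOS bundle IDs;
# verify against the app list in Endpoint Manager).
$apps = foreach ($bundleId in "com.microsoft.Office.Outlook", "com.microsoft.skydrive", "com.microsoft.skype.teams") {
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $bundleId } }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body @{ apps = $apps }

"Created policy $($created.id) ($($created.displayName))"
```

The same shape of policy exists for Android as androidManagedAppProtection, which additionally has a screenCaptureBlocked setting; there is no equivalent on iOS, so “block screenshots” is an Android-only promise.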

Self Service Password Reset

No more constant calls to the ICT Service Desk to get passwords reset, and no dependency on an on-premises-only server to do it. Enrolling staff in Self-Service Password Reset relieves the service desk and allows 24/7 password resets from anywhere in the world, once the user proves who they are with their registered methods (the Authenticator app, a phone number, security questions and so on). Two practical points: use Azure AD’s combined registration so users set up their SSPR and MFA methods in one go, and, for hybrid identities, password writeback through Azure AD Connect is needed for the new password to reach on-premises Active Directory.

Admin Controls

In order of importance here…

  • Conditional Access
  • Block forwarding
  • Block consent
  • Block legacy authentication

Conditional Access

Conditional Access is straightforward: it lets you set conditions on who can access your data and Microsoft 365 services, from where and from what. These conditions could be only from your office IP addresses, only using a corporate-owned or managed device, only from a device that Intune reports as compliant (patched, encrypted, antivirus running) and so on. The basics should be set up to reflect your level of acceptable risk. Conditional Access works in tandem with MFA: a policy decides, per sign-in, whether to allow, to require MFA, to require a compliant device, or to block, so MFA becomes one of the controls a policy can demand rather than a blanket setting.

However, in a COVID world it’s hard to lock down access by IP address when no one is in the office. So you should think about what minimum conditions you want to impose for users to access your data. We would suggest a baseline along these lines:

  • Require a corporate-owned or managed PC (a compliant or hybrid Azure AD joined device)
  • Require up-to-date antivirus/Windows Defender, expressed as part of the Intune compliance policy that feeds the device condition
  • Block sign-ins from swathes of geography where you have no users, e.g. Continental Europe or Asia, using named locations
  • Block clients that cannot use modern authentication (specific legacy mail clients) and standardise on ones that can, like Outlook Mobile or Nine

Create each policy in report-only mode first and always exclude a break-glass account, so you can see what a policy would have blocked before you enforce it and cannot lock yourself out.
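As an added example (not code from the original post or from Insync), here is that baseline created through the Microsoft Graph API with the Microsoft.Graph PowerShell SDK, every policy in report-only mode so the sign-in log shows what each would have done. It assumes Azure AD Premium P1 licensing, an admin with the Policy.ReadWrite.ConditionalAccess and Policy.Read.All permissions, and that the group ID and the country list are placeholders for your own emergency-access group and the countries where you actually have staff; the New-ReportOnlyPolicy helper is defined here, not part of the SDK.

```powershell
# Added example: baseline Conditional Access policies, created report-only.
# $breakGlassGroupId and the country list are placeholders for your tenant.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"
$graph = "https://graph.microsoft.com/v1.0"
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access accounts

# Named location listing the countries where you do have users; sign-ins from
# anywhere else (and from IPs whose country is unknown) fall outside it.
$allowedCountries = Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/namedLocations" -Body @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Countries with staff"
    countriesAndRegions               = @("AU", "NZ")          # placeholder list
    includeUnknownCountriesAndRegions = $false
}

function New-ReportOnlyPolicy([string]$Name, [hashtable]$Conditions, [hashtable]$Grant) {
    # Helper defined in this example. Every policy covers all users but excludes the
    # break-glass group, so one bad rule cannot lock every admin out of the tenant.
    $Conditions.users = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/identity/conditionalAccess/policies" -Body @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"   # report-only; "enabled" to enforce
        conditions    = $Conditions
        grantControls = $Grant
    }
}

# 1. MFA for everyone, on every app, from every client type.
New-ReportOnlyPolicy -Name "CA01 - Require MFA for all users" `
    -Conditions @{ applications = @{ includeApplications = @("All") }; clientAppTypes = @("all") } `
    -Grant @{ operator = "OR"; builtInControls = @("mfa") }

# 2. Block clients that cannot do modern authentication. "exchangeActiveSync" and
#    "other" are the client app types Azure AD uses for legacy authentication.
New-ReportOnlyPolicy -Name "CA02 - Block legacy authentication" `
    -Conditions @{ applications = @{ includeApplications = @("All") }; clientAppTypes = @("exchangeActiveSync", "other") } `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 3. Block sign-ins from outside the countries where you have staff.
New-ReportOnlyPolicy -Name "CA03 - Block sign-in from unexpected countries" `
    -Conditions @{
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.id) }
    } `
    -Grant @{ operator = "OR"; builtInControls = @("block") }

# 4. Require a compliant (Intune-managed, patched, AV on) or hybrid-joined device.
#    This is the stand-in for "from the office network" when nobody is in the office.
New-ReportOnlyPolicy -Name "CA04 - Require managed device" `
    -Conditions @{ applications = @{ includeApplications = @("All") }; clientAppTypes = @("browser", "mobileAppsAndDesktopClients") } `
    -Grant @{ operator = "OR"; builtInControls = @("compliantDevice", "domainJoinedDevice") }
```

Leave the policies in report-only for a couple of weeks, review the “Report-only” column in the sign-in log, fix what would break (CA02 and CA04 are the usual offenders), then switch state to enabled one policy at a time.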

Legacy Authentication

Legacy authentication means basic authentication: the client sends a username and password, as older protocols and clients do, including Exchange ActiveSync, POP3, IMAP4, authenticated SMTP, and older Outlook, Exchange Web Services and Autodiscover clients. It has been superseded by “modern” authentication (OAuth 2.0 tokens), which is what makes multifactor authentication, Conditional Access and per-session limits and controls possible; none of that can be enforced on a basic-auth connection, so a legacy endpoint is a password-only door into the tenant. Microsoft has reported that more than 99% of password-spray attacks use legacy authentication protocols, which is exactly why attackers go looking for them.

Blocking legacy authentication is a really simple process. In fact, Azure AD will tell you which users and applications are reaching your Microsoft 365 tenant with legacy authentication, so you can remediate them first. It could be an old multifunction printer sending scan-to-email over SMTP, or a line-of-business script using EWS with a password, that needs to be sorted out before you can block legacy auth entirely.

Head over to:

  1. Azure portal > Azure Active Directory > Sign-ins (under Monitoring).
  2. Add the Client App column if it is not shown, via Columns > Client App.
  3. Add filters > Client App > select all of the legacy authentication protocols (everything other than Browser and Mobile Apps and Desktop clients). Click outside the filtering dialog box to apply your selections and close it.

This will show you which people, applications or clients are using legacy auth. Filter on successful sign-ins, since the failures are mostly password spray against those same endpoints. Once everything you see is either remediated or known and accepted, you can block legacy authentication for the tenant, ideally with a Conditional Access policy run in report-only mode first. Note that the sign-in log is kept for 30 days with Azure AD Premium (7 days on the free tier), so check more than once if you have rarely-used integrations.
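As an added example (not code from the original post or from Insync), the same review done with Microsoft Graph PowerShell, so the result can be kept as evidence and re-run after each remediation. It assumes the Microsoft.Graph.Reports module and an admin with the AuditLog.Read.All and Directory.Read.All permissions; the 30-day window matches Azure AD Premium sign-in log retention, and the list of client app names is the set Azure AD records for legacy protocols.

```powershell
# Added example: find who and what is still using legacy (basic) authentication.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Client app names Azure AD records for legacy authentication. Anything reported as
# "Browser" or "Mobile Apps and Desktop clients" is modern authentication.
$legacyClients = @(
    "Exchange ActiveSync", "Exchange Web Services", "Exchange Online PowerShell",
    "IMAP4", "POP3", "SMTP", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Offline Address Book", "Reporting Web Services", "Other clients"
)

$since = (Get-Date).AddDays(-30).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacySignIns = foreach ($client in $legacyClients) {
    Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since and clientAppUsed eq '$client'"
}

# Only successful sign-ins answer "what breaks if I block this?"; the failures are
# mostly password spray hitting these endpoints precisely because MFA cannot apply.
$successful = $legacySignIns | Where-Object { $_.Status.ErrorCode -eq 0 }

# One row per user + client + source IP, so each row is a remediation item
# (a printer doing SMTP, an old Outlook, a scripted mailbox, a phone on ActiveSync).
$successful |
    Group-Object UserPrincipalName, ClientAppUsed, IpAddress |
    ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].UserPrincipalName
            Client   = $_.Group[0].ClientAppUsed
            IP       = $_.Group[0].IpAddress
            App      = $_.Group[0].AppDisplayName
            SignIns  = $_.Count
            LastSeen = ($_.Group.CreatedDateTime | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object SignIns -Descending | Format-Table -AutoSize

# Keep the failures too: a large count of failed legacy sign-ins is password spray,
# and a reason in itself to block legacy authentication now rather than later.
$legacySignIns | Where-Object { $_.Status.ErrorCode -ne 0 } |
    Group-Object ClientAppUsed | Select-Object Name, Count | Sort-Object Count -Descending
```

Export the first table to CSV and work through it row by row; when it is empty for a full retention window, enable the block policy.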

Block Consent

One of our favourite topics and one that we believe not enough customers review and manage sensibly. We’re not sure why this isn’t more prominent with Microsoft and organisations, but the consent process lets a third-party application obtain permissions to act as the user in Microsoft 365 and, consequently, to reach whatever the user has access to: mail, files, contacts, calendar. Once consent is granted, the application operates on its own tokens; it never needs the user’s password and is not prompted for MFA, which is why “illicit consent grant” phishing, where a user is tricked into approving a malicious app, is such an effective way to gain persistent access to a mailbox.

Obviously, third-party access to users’ applications and attributes is important for app functionality, and there are lots of apps that benefit end-user productivity: Trello, Salesforce, AvePoint Cloud Governance and so on. It’s an important part of the Office 365 / Microsoft 365 ecosystem. But it should be carefully managed. It is almost too easy for users to click through and add applications to their workplace experience while having little idea what data the application can access, where it is stored, and what that organisation does with it.

To be on the safe side, we generally recommend that customers disable user consent and allow-list their preferred external applications through admin consent after an audit process, even if it is just high-level. Turn on the admin consent request workflow at the same time, so users can ask for an app rather than being silently blocked. This gives oversight of the applications integrated with Microsoft 365 and limits the risk of data leakage to low-quality or unsupported applications.
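As an added example (not code from the original post or from Insync), the following turns off self-service user consent, enables the admin consent request workflow, and audits what users have already consented to, using the Microsoft.Graph PowerShell SDK. It assumes a Global Administrator (or equivalent roles) and that the reviewer user ID is a placeholder for one of your admins.

```powershell
# Added example: lock down app consent and audit existing user grants.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.ReadWrite.ConsentRequest", "Application.Read.All", "DelegatedPermissionGrant.Read.All"

# 1. Current setting. An empty list means users cannot consent at all;
#    "ManagePermissionGrantsForSelf.microsoft-user-default-legacy" means users may
#    consent to any app for any delegated permission (the default to get away from).
(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions.PermissionGrantPoliciesAssigned

# 2. Disable user consent entirely: apps are admitted only by admin consent.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
#    Middle ground, if you prefer: allow consent only to verified-publisher apps that
#    ask for low-impact permissions such as openid, profile and User.Read:
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low") }

# 3. Let users request an app instead of being silently blocked; named admins review.
$reviewerUserId = "00000000-0000-0000-0000-000000000000"   # placeholder
$workflow = @{
    IsEnabled             = $true
    NotifyReviewers       = $true
    RemindersEnabled      = $true
    RequestDurationInDays = 30
    Reviewers             = @( @{ query = "/users/$reviewerUserId"; queryType = "MicrosoftGraph" } )
}
Update-MgPolicyAdminConsentRequestPolicy @workflow

# 4. Audit: every delegated permission a user has personally granted to an app
#    (ConsentType "Principal"), with the app's publisher, so the grants you would
#    never have approved can be revoked.
$spCache = @{}
Get-MgOauth2PermissionGrant -All | Where-Object ConsentType -eq "Principal" | ForEach-Object {
    if (-not $spCache.ContainsKey($_.ClientId)) {
        $spCache[$_.ClientId] = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
    }
    $sp = $spCache[$_.ClientId]
    [pscustomobject]@{
        App       = $sp.DisplayName
        Publisher = $sp.PublisherName
        Verified  = [bool]$sp.VerifiedPublisher.VerifiedPublisherId
        UserId    = $_.PrincipalId
        Scopes    = $_.Scope        # e.g. "Mail.Read Files.ReadWrite offline_access"
        GrantId   = $_.Id
    }
} | Sort-Object Verified, App | Format-Table -AutoSize

# Revoke one of the grants found above (GrantId from the table):
# Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId "<GrantId>"
```

Pay particular attention to unverified publishers asking for Mail.Read, Mail.ReadWrite, Files.ReadWrite.All or offline_access: that combination is what a consent-phishing app needs to read a mailbox indefinitely.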

Block Exchange Forwarding

Some users like forwarding their mailbox to an external mailbox to keep a copy of their mail. Sometimes this is acceptable in some organisations, for instance someone taking a sabbatical may want their mail forwarded, but generally you don’t want automatic forwarding taking place from an internal mailbox to an external party, and you don’t want users to be able to set it up themselves.

This is how some organisations have been breached. An attacker who phishes the credentials of an accounts-payable user can add an inbox rule that silently forwards every invoice to an external address, alter the bank details and send the invoice on, which is the classic business email compromise fraud. A forwarding rule is also the standard way an attacker keeps reading a mailbox after the password has been changed, because server-side rules survive a password reset. Stop this by following this guidance.
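As an added example (not code from the original post or from Insync), the following blocks automatic forwarding to external addresses at the tenant edge and then finds the mailboxes and inbox rules that are already forwarding, using Exchange Online PowerShell (the ExchangeOnlineManagement module). It assumes an Exchange administrator, and the “Forwarding-Approved” group used for the sabbatical-style exception is a placeholder you would create yourself.

```powershell
# Added example: block external auto-forwarding, then audit existing forwards.
# "Forwarding-Approved" is a placeholder group for the few approved exceptions.
Connect-ExchangeOnline

# 1. Tenant-wide: stop auto-forwarded mail leaving the organisation. The outbound
#    spam policy setting covers inbox-rule and mailbox-level forwarding alike.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 2. A mail-flow rule as belt and braces, rejecting auto-forwards with a clear
#    reason, except for members of the approved-exceptions group.
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFromMemberOf "Forwarding-Approved@contoso.com" `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted."

# 3. Audit mailbox-level forwarding (set by admins, or by users in OWA settings).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 4. Audit inbox rules that forward or redirect outside your accepted domains.
#    These are the rules an attacker creates after a credential phish. Slow on
#    large tenants (one call per mailbox), so run it out of hours.
$internal = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        # External recipients render as '"name" [SMTP:user@domain]'; internal ones as [EX:...].
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = foreach ($t in $targets) {
            if ("$t" -match '\[SMTP:([^\]]+)\]' -and $internal -notcontains (($Matches[1] -split '@')[-1].ToLower())) {
                $Matches[1]
            }
        }
        if ($external) {
            [pscustomobject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $rule.Name
                Enabled  = $rule.Enabled
                External = ($external -join "; ")
            }
        }
    }
}
$findings | Format-Table -AutoSize

# Remediate a finding: disable the rule, clear mailbox-level forwarding, and treat
# the account as compromised (reset password, revoke sessions, review sign-ins).
# Disable-InboxRule -Mailbox "<upn>" -Identity "<rule name>" -Confirm:$false
# Set-Mailbox -Identity "<upn>" -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
```

Steps 1 and 2 stop the mail leaving; steps 3 and 4 are what you re-run weekly, because a rule that forwards to an external address on a finance mailbox is an incident, not a housekeeping item.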

If you need help implementing what’s discussed here or want a further conversation around our managed Microsoft security platform, @M365 Secure, please hit the links below to get in touch.