Basic O365 Security


And that escalated quickly; in response to my post “A Broken Record,” I have been “asked” to provide some specifics centered around Microsoft O365.

As most of my experience centers around forensics, recovery, and ritualistic defenestration of malevolent creatures, I tend to shy away from in-depth specifics. Nevertheless, there are several good resources available.

One might google “Office 365 Security Best Practices”; however, since the probability of that actually being done is low to none, I have reviewed a few of these and condensed them into this missive.

One of my main resources for this is the “Center for Internet Security.” Another primary resource is the “Cybersecurity and Infrastructure Security Agency,” as well as Microsoft itself.

One note: I shall be referencing specific URLs and specific procedures in this missive. I expect them to be out of date and deprecated 0.03675 milli-microseconds after I hit publish.

All of the above have a number of items in common, and all discuss these items in varying detail. These items are:

  1. Set up multi-factor authentication.
  2. Train your users.
  3. Use dedicated admin accounts.
  4. Enable Unified Audit Log.
  5. Enable Alerts for Anomalous Activity.
  6. Stop auto-forwarding for email.
  7. Use Office Message Encryption.
  8. Incorporate Microsoft Secure Score.
  9. Disable legacy protocol authentication.
  10. Protect against phishing attacks.

Item 1: Set up multi-factor authentication.

Probably the easiest and most effective way to increase the security of your organization. To set this up on a personal account, one can use the guide “How to use two-step verification with your Microsoft account.”

For businesses using Microsoft 365, add a setting that requires your users to log in using multi-factor authentication. When you make this change, users will be prompted to set up their phone for two-factor authentication next time they log in. To see a training video for setting up MFA and how users complete the setup, see set up MFA and user set up.

I do STRONGLY suggest that these be done by a trained O365 administrator.

Item 2: Train your users.

As I said in my prior post “A BROKEN RECORD”:

The M1911, also known as the Colt 1911, or the Colt Government, is a single-action, semi-automatic, magazine-fed, recoil-operated pistol chambered for the .45 ACP cartridge. The 1911 has 11 safeties; 10 are located on the weapon. The 11th is the person operating the weapon.

To bring this back to today, any number of technology safeguards can be implemented, but if basic common sense is disregarded they are useless.

Establishing a strong security awareness culture is the first line of defense. Part of that culture is strong passwords, unique passwords, password rotation, and not reusing passwords. The use of a password manager to lessen the burden of this is HIGHLY recommended.

The Harvard Kennedy School has excellent guidance on creating a security training campaign, worth reading even if you are not conducting security education.

Item 3: Use dedicated admin accounts.

Admins should have a separate user account for regular, non-administrative use and only use their administrative account when necessary to complete a task associated with their job function. There are a number of community consensus recommendations:

  • Multiple Dedicated Admin Accounts
    • More than 1, less than 4
  • MFA enabled
  • Use Strong Unique Passwords
  • Close all browsers and tabs before logging in as admin
  • Close all browsers after logging out as admin.
  • Ensure that administrative actions are logged.
    • Ensure Administrative action logs are reviewed.

Item 4: Enable Unified Audit Log

O365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services.

An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. Enabling UAL allows administrators to investigate and search for actions within O365 that could be potentially malicious or not within organizational policy.

Review those logs weekly.

Item 5: Enable Alerts for Anomalous Activity.

Enabling logging of activity within an Azure/O365 environment can greatly increase the owner’s effectiveness at identifying malicious activity occurring within their environment, and enabling alerts will enhance that.

Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to identify and mitigate malicious activity effectively.
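As an added example for Items 4 and 5 (not code from the original post), the following Exchange Online / Security & Compliance PowerShell checks that the Unified Audit Log is on, pulls a week of the operations most worth reviewing, and turns one of them into an alert policy. It assumes the ExchangeOnlineManagement module is installed, the operator holds the audit and compliance roles, and the notification address is a placeholder.

```powershell
# Added example, not from the original post. Assumes ExchangeOnlineManagement
# is installed and the account running it has audit/compliance admin rights.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # Exchange Online PowerShell: UAL and mailbox cmdlets
Connect-IPPSSession             # Security & Compliance PowerShell: alert policies

# Item 4: Search-UnifiedAuditLog returns nothing until ingestion is enabled.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Weekly review: operations that most often matter in a mailbox-compromise investigation.
# (The Azure AD operation names really do end with a period.)
$ops = @('New-InboxRule', 'Set-InboxRule', 'Set-Mailbox',
         'Add-MailboxPermission', 'Add member to role.')
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
                                 -Operations $ops -ResultSize 5000

# AuditData is a JSON string; flatten the fields a reviewer actually reads.
$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $_.CreationDate
        User      = $_.UserIds
        Operation = $_.Operations
        ClientIP  = $d.ClientIP      # unexpected geography/ISP is the usual first clue
        Target    = $d.ObjectId      # the mailbox, rule or role acted on
    }
} | Sort-Object When -Descending |
    Export-Csv -NoTypeInformation -Path 'ual-weekly-review.csv'

# Item 5: raise the highest-value event immediately rather than waiting for the weekly review.
# Parameter names follow the documented New-ProtectionAlert syntax; the address is a placeholder.
New-ProtectionAlert -Name 'Inbox rule created' -Category ThreatManagement `
    -ThreatType Activity -Operation New-InboxRule -Severity High `
    -AggregationType None -NotifyUser 'secops@example.com'
```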

Item 6: Stop auto-forwarding for email.

Hackers who gain access to a user’s mailbox can exfiltrate mail by configuring the mailbox to automatically forward email. This can happen even without the user’s awareness. You can prevent this from happening by configuring a mail flow rule.
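One way to put that mail flow rule in place, as an added example that is not from the original post: the Exchange Online PowerShell below blocks external auto-forwarding at the tenant and mail-flow-rule level, then lists any forwarding that is already configured, since a rule added today does not undo what an intruder set up yesterday. It assumes Connect-ExchangeOnline has already been run with Exchange admin rights.

```powershell
# Added example, not from the original post. Assumes an existing
# Connect-ExchangeOnline session with Exchange administrator rights.

# 1. Tenant-wide setting: the outbound spam policy controls automatic forwarding to external recipients.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. Mail flow (transport) rule, the control the post refers to: reject any message that is
#    an automatic forward leaving the organization, whatever created the forward.
New-TransportRule -Name 'Block external auto-forward' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.'

# 3. Audit mailbox-level forwarding. ForwardingSmtpAddress can be set by the user from
#    Outlook on the web, so it needs no admin rights and is worth checking on every mailbox.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 4. Audit inbox rules that forward or redirect mail; the other common place forwarding hides.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Anything the audit turns up should be reviewed with the mailbox owner before it is removed, and the Unified Audit Log entry that created it (Set-Mailbox or New-InboxRule) tells you when and from where it was set.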

Item 7: Use Office Message Encryption.

Office Message Encryption is included with Microsoft 365, and it is already set up. With Office Message Encryption, your organization can send and receive encrypted email messages between people inside and outside your organization. Office 365 Message Encryption works with Yahoo!, Gmail, and other email services. Email message encryption helps ensure that only intended recipients can view message content.

Item 8: Incorporate Microsoft Secure Score.

Microsoft provides a built-in tool to measure an organization’s security posture concerning its O365 services and to offer enhancement recommendations.

These recommendations provided by Microsoft Secure Score do NOT encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because O365 service offerings frequently change.

Using Microsoft Secure Score will help provide organizations a centralized dashboard for tracking and prioritizing security and compliance changes within O365.

Again, do speak with a trained O365 administrator.

Item 9: Disable legacy protocol authentication when appropriate.

Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features.

These protocols include:

  • POP3
  • IMAP
  • SMTP

Legacy protocols are often used with older email clients, which do not support modern authentication. This leaves email accounts accessible through the internet with only the username and password as the primary authentication method.

Do migrate away from any devices, services, or applications that do not support modern authentication.
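As an added example for this item (not from the original post), the Exchange Online PowerShell below first inventories which mailboxes still have POP3, IMAP or SMTP AUTH enabled, so the owners of old clients can be found and migrated, and then disables those protocols everywhere except for a labelled exception list. It assumes an existing Connect-ExchangeOnline session and uses a placeholder exception address.

```powershell
# Added example, not from the original post. Assumes an existing Connect-ExchangeOnline
# session with Exchange administrator rights. The exception list is a placeholder for
# devices (e.g. a scanner) that can only do SMTP AUTH while they are being replaced.
$exceptions = @('scanner-relay@example.com')

# Inventory first: SmtpClientAuthenticationDisabled is $null when the mailbox inherits
# the tenant setting, so treat anything not explicitly disabled as still open.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled -or -not $_.SmtpClientAuthenticationDisabled }

$legacy | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, SmtpClientAuthenticationDisabled |
    Export-Csv -NoTypeInformation -Path 'legacy-auth-inventory.csv'

# Disable the legacy protocols per mailbox, leaving the exceptions explicitly enabled for
# SMTP AUTH so the tenant-wide default below does not cut them off.
foreach ($m in $legacy) {
    if ($exceptions -contains $m.PrimarySmtpAddress) {
        Set-CASMailbox -Identity $m.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false `
                       -SmtpClientAuthenticationDisabled $false
        continue
    }
    Set-CASMailbox -Identity $m.PrimarySmtpAddress -PopEnabled $false -ImapEnabled $false `
                   -SmtpClientAuthenticationDisabled $true
}

# Tenant-wide default for SMTP AUTH; the per-mailbox $false above overrides it for exceptions.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true

# New mailboxes pick up their defaults from the mailbox plan, so fix it there too.
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
```

Re-run the inventory after a week; any mailbox that has been re-enabled is either a device still on the migration list or something to look into.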

Item 10: Protect against phishing attacks.

Often malicious individuals will craft emails with links to less than benevolent sites. There are several systems to block these links. Enabling one of these is STRONGLY recommended.

Microsoft Defender for Office 365 has a service called Safe Links that provides time-of-click verifications of URLs. Proofpoint, Barracuda, and OpenDNS have similar services.

Author’s Notes:

  • Good Cyber Hygiene
    • Strong Passwords
    • MFA
    • Password Rotation
    • Unique Passwords
  • Logging and Alerting
  • Situational Awareness
  • Training
    • “The more you sweat in training, the less you bleed in combat.”