Best Practice to Secure Office 365

Microsoft Office 365 comes with a lot of features to protect your data against today’s threats. If you create a new tenant, some but not all of these security features are enabled by default. Existing tenants, however, will need to keep up with the new security features and enable them manually to secure Office 365.

I have written this guide for you to use as a baseline to secure your Microsoft Office 365 tenant. All the security features can be enabled without the need for additional add-on products like Advanced Threat Protection, Defender for Office 365, or Azure Premium P1 or P2.

Last updated: June 2021 – added external email tagging

In this guide we are going to configure the following security settings:

Office 365 Security Defaults

Security Defaults in Microsoft Office 365 are preconfigured security settings that help you to secure your Office 365 data against common threats. These settings include:

  • Enabling multi-factor authentication (MFA) for all users and admins
  • Blocking legacy authentication protocols
  • Requiring users to perform MFA when necessary (risky sign-in events)
  • Blocking user access to the Azure Portal

If your tenant was created after October 21, 2019, then it’s possible that the security defaults setting is enabled for your tenant.

Before you enable security defaults in Office 365 you should keep a few things in mind. You can’t make any exceptions to the policies. So you can’t disable MFA for one user or turn on the SMTP Authentication Protocol if you need it for a specific business application.

Also, you can only use the Microsoft Authenticator app using notifications for multi-factor authentication. Text messages or app passwords can’t be used with security defaults enabled.

To enable or disable Security Defaults you will have to log in to the Azure Active Directory Admin Center:

  1. Log in at aad.portal.azure.com
  2. Click on Azure Active Directory and select Properties
  3. Select Manage Security Defaults
  4. Enable Security Defaults

If you need to disable security defaults, then make sure you at least enable MFA for all the admins and users where possible and block all legacy protocols (per user).

Configure Multi-factor Authentication

Enabling multi-factor authentication (MFA) is the most recommended security measure to secure Office 365. It protects your accounts against phishing attacks and password sprays. Multi-factor authentication should be enabled for all admin and user accounts.

First we are going to check the default multi-factor authentication settings.

  1. Log in at aad.portal.azure.com
  2. Select Users and click Multi-Factor Authentication
  3. Do not allow users to create app passwords. App passwords are needed for apps that don’t support modern authentication. You should avoid the use of these kinds of apps in your tenant.
  4. Disable the Call to phone and text message verification methods. These are known to be less secure. The mobile app is the preferred method to use.
  5. Set trusted devices to 90 days. This lowers how often users need to verify, which helps to prevent them from unintentionally approving an MFA request. If they get the request too often, they become too accustomed to it and may approve it without having performed a sign-in themselves.

Enabling MFA for your users

The best way to implement MFA is based on conditional access. You get this when you use the security defaults, but if you don’t want to or can’t use security defaults, then you will need Azure Premium Plan 1 for this.

If you don’t want to use the security defaults and you don’t have Conditional Access, then your only option is to enable MFA for each user manually.

A good option is to inform your users about MFA and give them a two-week period to enable MFA themselves. Users can enable MFA through the following link: https://aka.ms/mfasetup.

Next, you can use this PowerShell script to get all the users that don’t have MFA enabled yet, and even enable it per user.
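As an added example (not the script linked in the article), this is how the same report and per-user enable can be done with the MSOnline module. It assumes the MSOnline module is installed; the emergency access UPN is a placeholder for your own.

```powershell
# Added example (not the script linked in the article): report the per-user MFA
# state of every account with the MSOnline module, and enable per-user MFA for a
# single account. Assumes the MSOnline module is installed; the emergency access
# UPN below is a placeholder for your own.
Connect-MsolService

# Per-user MFA lives in StrongAuthenticationRequirements: no entry means "Disabled",
# "Enabled" means the user must still register, "Enforced" means MFA is required.
function Get-UserMfaState {
    Get-MsolUser -All | ForEach-Object {
        $requirement = $_.StrongAuthenticationRequirements | Select-Object -First 1
        [PSCustomObject]@{
            UserPrincipalName = $_.UserPrincipalName
            DisplayName       = $_.DisplayName
            IsLicensed        = $_.IsLicensed
            MfaState          = if ($requirement) { $requirement.State } else { 'Disabled' }
            # Methods the user registered through https://aka.ms/mfasetup
            Methods           = ($_.StrongAuthenticationMethods | ForEach-Object { $_.MethodType }) -join ','
        }
    }
}

# Enable per-user MFA for one account. State "Enabled" prompts the user to register
# at the next interactive sign-in; use "Enforced" once registration is done.
function Enable-UserMfa {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')][string]$State = 'Enabled'
    )
    $requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $requirement.RelyingParty = '*'
    $requirement.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($requirement)
}

# Report: licensed accounts that still have no MFA requirement at all
$noMfa = Get-UserMfaState | Where-Object { $_.IsLicensed -and $_.MfaState -eq 'Disabled' }
$noMfa | Format-Table UserPrincipalName, DisplayName, Methods -AutoSize
$noMfa | Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

# Enable MFA for everyone on that report, except the emergency access account (placeholder UPN)
$emergencyAccount = 'emergency-admin@contoso.onmicrosoft.com'
$noMfa | Where-Object { $_.UserPrincipalName -ne $emergencyAccount } |
    ForEach-Object { Enable-UserMfa -UserPrincipalName $_.UserPrincipalName }
```

Run the report on its own first; passing `-StrongAuthenticationRequirements @()` to Set-MsolUser removes the requirement again if you need to undo a change.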

Create an emergency access Admin Account

Microsoft recommends that you create two emergency admin accounts. The idea behind this is that these accounts are excluded from multi-factor authentication and conditional access policies. If you don’t use conditional access policies, then one emergency account excluded from MFA is enough.

These accounts prevent you from being locked out of your Azure Active Directory in case of an unforeseen circumstance. For example, a mobile phone network outage that prevents you from approving the MFA request, or the sudden departure of the only Global Administrator.

Don’t use these accounts on a daily basis, only when you have lost access to Azure AD with your normal global admin account.

You can create the admin account in the Office 365 admin center under Users > Active Users > Add a user.

Emergency tenant admin

You don’t need to assign a product license to the user, only make sure you give the account Global Administrator access under the optional settings.

Write down the temporary password and change the password to a strong and very long randomly generated password. Store the password in a safe place to which multiple authorized people have access.

Make sure you exclude one account from the Conditional Access policies (if you use them) and exclude the other account from multi-factor authentication.

You can find more information about the emergency admin account here in the Azure AD documentation.

Assign Role-Based Access Control (RBAC) for admins

Role-based access control for admins is based on the principle of least privilege (POLP). User (admin) accounts should always have the minimum privilege level that is needed to do their job.

Helpdesk employees don’t need to have Global Administrator access, for example, they could probably do their job with only the Helpdesk and User administrator role.

For service accounts that only need to read user accounts from the Azure Active Directory, you could use the Directory Reader role. This allows the application to read all the user accounts.

You can assign the roles in the Microsoft Office 365 Admin Center. But I find it easier to do this through the Azure Active Directory:

  1. Select Users and the user you want to change
  2. Click on Assigned Roles
  3. Click Add assignments
  4. Select the appropriate role(s) and click on Add

You can also view all the roles and the assigned users under Roles and administrators in the Azure Active Directory.

Enable Unified Audit Log

While we need to do everything to prevent unauthorized access and to secure our Office 365 tenant, we also need to plan ahead in case someone gains access to our systems. Logging allows you to trace back when, what, and maybe even how a breach happened.

The mailbox audit log is enabled by default, but you also want to enable the Unified Audit Log. This allows you to collect all the logs in the Microsoft 365 Compliance Center, which makes it easier to search through them. It also allows you to create alerts based on events that happen.

Each entry in the Unified Audit Log is kept for 90 days by default. If you need to keep the entries longer then you will need an E5 license for your users.

We can use PowerShell to enable the Unified Audit Log. Make sure you are connected to Exchange Online and run the following cmdlet:

# Get the current Unified Audit Log status
Get-AdminAuditLogConfig | select UnifiedAuditLogIngestionEnabled

# Enable Unified Audit Log
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

You can also enable it in the Compliance Center.

  1. Open the Compliance Center
  2. Click Show All in the sidebar
  3. Select Audit
  4. Click on Start recording user and admin activity

Enable Alert Policies

Alert Policies are enabled by default in your Microsoft Office 365 Tenant. These policies help you to track user and admin activities, and alert you in case of threats or data loss incidents. You will find the policies in the Microsoft 365 Compliance Center under Policies. They are listed as Office 365 Alert.

If you click on the policy you will be redirected to the old Security and Compliance center where you can view all the policies. Check if all the system type policies are enabled by filtering the list on Status: Off.


To prevent data loss I also recommend that you create a new alert that is triggered when a Team is deleted. When a Team owner deletes a Team from the Teams list, this can also result in deletion of the SharePoint site and all the data.

Enable Continuous Access Evaluation

Authentication in Office 365 is based on OAuth 2.0 access tokens. These tokens authorize the user to access the services, for example when a user opens Outlook or logs into SharePoint. By default, the token is valid for one hour and refreshes automatically in the background when it’s expired.

The problem with this token lifetime of an hour is that any changes in the user’s authorization are only detected after an hour at most. When the user, for example, changes network location, then the conditional access policies are only evaluated again when the token is renewed.

By enabling Continuous Access Evaluation (CAE) we can shorten this period to nearly real-time, with a max of 15 minutes due to event propagation time.

CAE is still in Preview mode but you can already enable it for your tenant:

  1. Log in to the Azure Portal
  2. Open the Azure Active Directory
  3. Select Security and choose Continuous Access Evaluation
  4. Enable the preview and click save.

Enable Azure Portal Inactivity Timeout

In the Azure Portal, you can set an inactivity timeout for all the portal users (and admins). You will need to have Global Administrator rights to change the settings.

  1. Click on the gear icon
  2. Select Configure directory level timeout
  3. Enable the idle timeout and set it to 30 minutes for example

Any portal user that is inactive for more than 30 minutes will get automatically signed out. I assume that your admins already have a proper habit of locking their device when they leave it unattended, but an extra security measure never hurts.

Enable Preset Security Policies in Exchange Online

Microsoft has created two preset security policies for Exchange Online, a standard and a strict policy, to secure your Office 365 mail. These templates contain policies to protect your Exchange Online environment against the latest attack trends.

The advantage of using one of these templates instead of creating the policies manually is that they will automatically update your settings with Microsoft’s latest recommendations.

You can find the policies in the Security and Compliance Center:

  1. Expand Threat Management and select Policy
  2. Click on Preset Security Policies
  3. Edit the Standard Protection
  4. Add the condition The recipient’s domains are
  5. Add all the domains of your tenant
  6. Confirm the settings

In addition to the security policy template, also check the Configuration Analyzer. It recommends changes to some settings that are not covered by the standard template and that you should adopt:

  • High confidence spam detection action
  • Phishing email detection action
  • Bulk email threshold
  • Quarantine retention period
  • Enable end-user spam notifications
  • Common Attachment Types Filter

Enable External Email Tagging

A newly released feature in Exchange Online allows you to tag external emails. External email tagging is an extra security measure to make your users more aware of the origin of an email. We often see in phishing mail attacks that the attackers spoof an internal email address.

By automatically tagging all external emails, we make it clearer to the users that the email was sent from outside the organization.

At the moment we need to use PowerShell to enable this new feature, if you want more information about it, then make sure you read this article where I explain more about email tagging.

# Connect to Exchange Online
Connect-ExchangeOnline

# Enable external email tagging
Set-ExternalInOutlook -Enabled $true

# Verify results
Get-ExternalInOutlook

# Result:
RunspaceId : 4b07eecc-34c5-4add-8ee4-80d25aa4aff4
Identity   : 11e55098-68ad-4992-aaf8-c5fdceb3b6da
Enabled    : True   # < External tagging enabled
AllowList  : {}

Besides tagging, we can also add a custom warning to external emails with specific words or phrases in the subject or body. This way we can show a warning on suspicious phishing mails.


If you want to add these warnings to your tenant, then follow this guide.

Block Basic Authentication Protocols

Basic or Legacy Authentication Protocols allow you to connect to Exchange Online without the use of Modern Authentication. This means that an attacker only needs a username and password to connect, which they can get after a successful phishing mail attempt.

Microsoft will start in Q2 of 2021 by automatically disabling the basic protocols that you are not using to secure Office 365. The plan was to disable all protocols, but that is postponed due to the pandemic.

The best option is not to wait but to start with disabling the basic protocols, because they are actively used by attackers. Before you can disable them you will need to make sure that your users and business applications are not using any of the protocols.

  1. Open the Microsoft 365 Admin Center
  2. Select Reports -> Usage
  3. Click on View More under the Email Activity chart
  4. Select the Email app usage tab

If you hover over the user’s chart you can see how many users (or accounts) are using the different protocols. In the table, under the chart, you can choose the columns. Add the IMAP4, POP3, and SMTP columns. You can now see which users are using the basic protocols.

Another good resource is the sign-ins overview in the Azure Active Directory.

  1. Add a filter and select Client App
  2. Select all the Legacy Authentication Clients
  3. Also, add the column Client App

The two overviews together will give you a nice overview of all the accounts that are still using legacy authentication protocols.

Users that are still using legacy protocols (older mail clients on mobile phones, or Apple Mail) should use the Microsoft Outlook app. Inform the users about the upcoming change and give them time to migrate before you turn off the protocols.

Blocking Basic Authentication Protocols

The best option is to block all the basic authentication protocols for all users. But in an existing tenant that is not always possible. Business applications may still be using legacy protocols like SMTP or IMAP, preventing you from disabling them for everybody.

If you still need to use IMAP, for example, then disable all the other authentication protocols that you don’t need in the Admin Center (which I will explain in a bit). For IMAP, we can block the protocol for all the users that don’t need it. We leave the protocol only turned on for those few mailboxes that really need it.

We start with the easiest option: blocking the protocols for all users in the Microsoft 365 Admin Center:

  1. Expand Settings and select Org settings
  2. Select Modern Authentication
  3. Turn off all the basic authentication protocols that you are not using

We can use PowerShell to disable the protocols per mailbox. Just to be clear: per mailbox you don’t disable basic authentication for a protocol, you disable the protocol itself (IMAP or POP) for that mailbox.

If you only need to leave it enabled for a few mailboxes, then the easiest approach is to disable it first for all the mailboxes with PowerShell, and then turn the protocol back on for only those mailboxes that really need it.

# Connect to Exchange Online (replace the UPN with your admin account)
Connect-ExchangeOnline -UserPrincipalName [email protected]

# List the mailboxes that still have a basic protocol (IMAP or POP) enabled
# -ResultSize Unlimited is needed, the default stops at 1000 mailboxes
Get-EXOCasMailbox -ResultSize Unlimited -Properties ImapEnabled,PopEnabled,SmtpClientAuthenticationDisabled |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object Identity,ImapEnabled,PopEnabled,SmtpClientAuthenticationDisabled | Format-Table

# Disable IMAP and POP for all existing mailboxes that still have them enabled
Get-CASMailbox -ResultSize Unlimited -Filter {ImapEnabled -eq $true -or PopEnabled -eq $true} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# Disable SMTP Authentication per mailbox
# (an empty value means the mailbox follows the organization-wide setting, so those are included)
Get-CASMailbox -ResultSize Unlimited | Where-Object {$_.SmtpClientAuthenticationDisabled -ne $true} | Set-CASMailbox -SmtpClientAuthenticationDisabled $true

You also want to disable the legacy protocols for all new mailboxes. We can do this by disabling the protocols on all the mailbox plans (you can have multiple plans, each corresponding with its own license type):

Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

Block Legacy Authentication for SharePoint

Some third-party apps in Office 365 don’t enforce multi-factor authentication and allow your users to connect to SharePoint without MFA, which is not really secure of course.

We can block the access of these apps in the SharePoint Admin Center.

  1. Expand Policies and select Access Control
  2. Select Apps that don’t use..
  3. Block the access

Block Shared Mailbox Sign-in

If you create a Shared, Room, or Equipment Mailbox in Office 365, it will automatically also create an active user. This user doesn’t have a license, but you can sign in with this user. All you need to have is the password.

There is really no need for a shared mailbox user to be able to sign in. Access to the shared mailbox is managed with permissions. So why leave the user account exposed?

What you should do is block the sign-in on all the Shared Mailbox accounts. You can do this in the Admin Center or with PowerShell.

  1. Select Active Users
  2. Filter the list on unlicensed users
  3. Select the Shared Mailbox and Resource user accounts
  4. Click on the ellipsis (…) and select Edit Sign-In Status
  5. Block the users from signing in

Disable the sign-in to shared mailboxes with PowerShell:

# Connect to Exchange Online and Msol
Connect-ExchangeOnline
Connect-MsolService

# Get an overview of all Shared, Room and Equipment mailboxes
# (-ResultSize Unlimited, because the default stops at 1000 mailboxes)
$resourceMailboxes = Get-EXOMailbox -ResultSize Unlimited -Filter {(RecipientTypeDetails -eq "SharedMailbox") -or (RecipientTypeDetails -eq "RoomMailbox") -or (RecipientTypeDetails -eq "EquipmentMailbox")}
$resourceMailboxes | Format-Table DisplayName,UserPrincipalName,RecipientTypeDetails

# Disable the sign-in on the user accounts behind these mailboxes
$resourceMailboxes | ForEach-Object {Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}

Block Auto-forwarding to External Domain

When attackers gain access to one of your users’ mailboxes they can extract the mail by creating an auto-forward rule to their own (external) mailbox. Auto-forwarding to an external domain is normally not used, so you should block it.

  1. Open the Exchange Admin Center
  2. Select Mail Flow
  3. Create a new rule and name it “Block auto-forward to external domain”
  4. Select More options at the bottom of the screen
  5. Configure the rule as follows:
    • Apply this rule if: The sender is located – inside the organization
    • Add a condition: The recipient is located – outside the organization
    • Add a condition: The Message Properties – include the message type Auto-Forward
    • Do the following: Block the message – reject the message with the explanation – “Auto-forwarding to an external domain not allowed”
  6. Audit this rule with severity level: Medium
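The same rule created with Exchange Online PowerShell, followed by a review of the forwarding that is already configured in the tenant (an added example, not code from the original article; it assumes the ExchangeOnlineManagement module):

```powershell
# Added example: create the auto-forward block rule with Exchange Online PowerShell
# and review the forwarding that already exists in the tenant.
# Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

$ruleName = 'Block auto-forward to external domain'

# Same conditions and action as the Exchange Admin Center steps above
$rule = @{
    Name                            = $ruleName
    FromScope                       = 'InOrganization'     # sender is located inside the organization
    SentToScope                     = 'NotInOrganization'  # recipient is located outside the organization
    MessageTypeMatches              = 'AutoForward'        # message type is Auto-Forward
    RejectMessageReasonText         = 'Auto-forwarding to an external domain not allowed'
    RejectMessageEnhancedStatusCode = '5.7.1'
    SetAuditSeverity                = 'Medium'             # audit this rule with severity level Medium
    Mode                            = 'Enforce'
}

# New-TransportRule fails on a duplicate name, so only create the rule once
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule @rule
}
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, FromScope, SentToScope, MessageTypeMatches, RejectMessageReasonText

# Forwarding that already exists, part 1: mailbox-level forwarding (set by an admin or the user)
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Format-Table UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Part 2: inbox rules that forward or redirect mail. Targets shown as "[SMTP:address]"
# are unresolved SMTP addresses, which in practice are recipients outside the tenant.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        ForEach-Object {
            $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                Where-Object { $_ }
            [PSCustomObject]@{
                Mailbox  = $mbx.UserPrincipalName
                Rule     = $_.Name
                Enabled  = $_.Enabled
                External = ($targets -match '\[SMTP:') -join '; '
                Targets  = $targets -join '; '
            }
        }
}
```

Review the rules in the last report with the mailbox owner before removing them; the transport rule only stops new auto-forwarded messages, it does not delete the inbox rules themselves.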

A new way attackers try to gain access to your data is by using Consent Phishing. Instead of stealing the credentials of your users, they will trick the users into granting them permission. To do this, they create a malicious app and register it in the app store.

With the permissions, they can read the user’s profile, send mail on behalf of the users, and have full access to the files that the user can access.

Microsoft has already taken action to secure Office 365 further by verifying apps. But that doesn’t stop malicious apps from entering the app store.

You can prevent the authorization of the unverified apps by disabling user consent in the Microsoft 365 Admin Center and setting up the custom app consent policies in Azure Active Directory.

  1. Open Microsoft 365 Admin Center
  2. Expand Settings and select Org Settings
  3. Select User consent to apps
  4. Turn off “Let users provide consent..”

The next step is to set up the consent policies in Azure Active Directory:

  1. In Azure AD select Enterprise Applications
  2. Select Consent and permissions
  3. Select Allow user consent for apps from verified publishers and Do not allow group owner consent
  4. Click on Permission classifications
  5. Add the 5 low-risk permissions. (You can always add custom permissions if you need to)
  6. Go back to Enterprise applications and select User Settings
  7. Enable Users can request admin consent
  8. Add one or more admins for the request

Admins will get an email when a user has requested consent. You can also see the requests under Enterprise Applications > Admin consent requests.

Block User Access to Azure Portal

Authenticated users have by default access to the Azure Portal and the Azure Active Directory. They only have read access, so they can’t change anything. In my opinion, there is really no need for a normal user to browse through your Azure AD settings.

We can block the access with a simple switch in Azure AD under User Settings.


Block guest can invite access

Your users can invite guests to collaborate on a Word document or other resources, which is perfectly fine. But did you know that by default guests can also invite other guests?

You want to keep in control of who can access your data, so you should not allow guests to invite others.

In the Azure Active Directory, navigate to External Identities and select External collaboration settings. Make sure that Guests can invite is set to No.


You may also want to check if the one-time passcode is turned on. This allows guests to access shared documents with a one-time passcode instead of a Microsoft account.

Block Anonymous Users can join a Meeting

By default, anonymous users can join any Teams meeting if they have the link to the meeting. Depending on your organization’s needs, you should turn this off. If your company holds public meetings with customers where you send out an open invitation that anyone can join, then you will need to leave this setting enabled.

But if all the meetings are only business to business or directly with known clients/customers then it’s better to turn the anonymous access off.

  1. Open the Teams Admin Center
  2. Expand Meetings and select Meeting Settings
  3. Turn off Anonymous users can join a meeting

Limit External Sharing in SharePoint

Sharing in SharePoint is really convenient for your users: they can create a link and share it with anyone they want. But that comes with a risk. By default, anyone who gets the link can access the shared item.

To secure Office 365 you want only the person you shared the link with to be able to access the folder. It’s also a good idea to require the guest to sign in, or at least to enter a verification code.

  1. Open the SharePoint Admin Center
  2. Navigate to Policies > Sharing
  3. Change Content can be shared with to New and existing guests (this way they need to verify)
  4. Expand More external sharing settings
  5. Enable Guest must sign in using the same account to which sharing invitations are sent
  6. Make sure that Allow guest to share items they don’t own is disabled
  7. And enable People who use a verification code… and set it to 30 days.
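The settings from this section and from Block Legacy Authentication for SharePoint above, applied and verified with the SharePoint Online Management Shell (an added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module, and "contoso" is a placeholder for your tenant name):

```powershell
# Added example: apply the SharePoint settings from the "Block Legacy Authentication
# for SharePoint" and "Limit External Sharing in SharePoint" sections with the
# SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell).
# "contoso" is a placeholder for your own tenant name.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# The settings we expect after hardening, mapped from the admin center wording:
#   Apps that don't use modern authentication -> Block access
#   Content can be shared with -> New and existing guests
#   Guests must sign in using the same account to which sharing invitations are sent -> on
#   Allow guests to share items they don't own -> off
#   People who use a verification code must reauthenticate after -> 30 days
$expected = @{
    LegacyAuthProtocolsEnabled                 = $false
    SharingCapability                          = 'ExternalUserSharingOnly'
    RequireAcceptingAccountMatchInvitedAccount = $true
    PreventExternalUsersFromResharing          = $true
    EmailAttestationRequired                   = $true
    EmailAttestationReAuthDays                 = 30
}

# Compare the live tenant settings with the expected values and return the drift
function Get-SharingSettingDrift {
    $tenant = Get-SPOTenant
    foreach ($name in $expected.Keys) {
        $actual = $tenant.$name
        if ("$actual" -ne "$($expected[$name])") {
            [PSCustomObject]@{ Setting = $name; Actual = $actual; Expected = $expected[$name] }
        }
    }
}

Write-Host 'Settings that differ from the baseline before applying:'
Get-SharingSettingDrift | Format-Table -AutoSize

# SharePoint Admin Center > Policies > Access control > Apps that don't use modern authentication
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Policies > Sharing, including the "More external sharing settings" options
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -RequireAcceptingAccountMatchInvitedAccount $true `
              -PreventExternalUsersFromResharing $true `
              -EmailAttestationRequired $true `
              -EmailAttestationReAuthDays 30

# Re-check: an empty result means the tenant now matches the baseline
Get-SharingSettingDrift | Format-Table -AutoSize
```

The drift check can be scheduled on its own to catch someone relaxing the sharing settings later.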

User Password Policies

With MFA enabled we can change some settings when it comes to our password policies. We can remove the password expiration policy. The latest studies showed that password expiration does more harm than good. Even Microsoft now recommends removing the password expiration requirements to further secure Office 365.

A compromised user account is pretty much always used immediately by the attackers. And users that need to change their password often tend to use a predictable pattern.

Set password expiration policy

If you are using AD Connect to sync your users and password, then the password expiration policy is taken over from your local group policy.

You can change the password expiration in the Microsoft Office 365 Admin Center:

  1. Select Settings and then Org Settings
  2. Choose Security & Privacy
  3. Select password expiration policy
  4. Make sure it’s turned off

Enable Self-Service Password Reset

Allow your users to reset their own password when needed. By default, this is disabled. Letting users reset their own password isn’t really a security improvement for Office 365, but it results in fewer tickets/calls to the helpdesk.

If you are using Azure AD Connect then you will need to have at least Azure AD Premium P1 to enable password write-back. Without password write-back, you can’t use SSPR.

What you do need to change are the requirements to reset the password.

  1. In Azure Portal select Users
  2. Choose Password reset
  3. Select Properties
  4. Enable it for all Users

Next, we need to set the authentication methods that are needed to change a password. By default, only one method is required and that can be email or mobile phone.

Give your users at least the option to register multiple authentication methods, including Mobile app code. You can also increase the number of methods that are required to reset a password from one to two, but before you do that make sure your users have multiple methods registered.


Get notified on password change

Select Notifications and make sure that users are notified when their password is changed. I also recommend enabling the admin notification alert. All admins in the tenant will get notified when other admins change their passwords.


Allow Combined Security Information Registration

If you have enabled self-service password reset (and of course you have enabled MFA), then you can make it a little bit easier for your users by allowing the combined security information registration.

Without it, users will need to register the authentication methods separately for MFA and SSPR. This feature is enabled by default for new tenants that are registered after August 14th, 2020.

  1. Select Users
  2. Choose User Settings
  3. Click on Manage user feature preview settings
  4. Set User can use combined security information registration experience to All

Corporate branding of the login page

Branding your Microsoft 365 login screen doesn’t only look nice, it also helps you to secure Office 365. Adding your logo to the Microsoft 365 login screen can mitigate phishing attempts because your users can better recognize a malicious login screen.

I have already written a guide with some tips on how you can customize the login screen. You can find the article here. Make sure you customize it, it only takes a couple of minutes.

Wrapping Up

If you found this Microsoft 365 Best Practice guide useful then please share it. I will keep this guide updated with the latest recommendations.

An important part to keep Microsoft Office 365 secure is to regularly check the audit logs and keep up with the security recommendations in the Microsoft 365 Security Center.

If you have any questions, or recommendations that should be added to the guide, then please drop a comment below.


3 thoughts on “Best Practice to Secure Office 365”

  1. Would like to see some guides on Risky Sign-ins and the steps that are recommended here. Love your work

  2. One more. By default, you can invite a person to access your SharePoint sites. But the user that accepts the invite can be anyone that finds the address link.

    To force the validation of the invited person you need to go here:
    https://tenantName-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/sharing
    Then expand the “More External Sharing Options”

    Check the
    – Guests must sign in using the same account to which sharing invitations are sent

    There are some other interesting option in this page also like the
    – Allow guests to share items they don’t own
    – Limit external sharing by domain
