Microsoft 365 Security

Best Practices For Microsoft 365 Security

Microsoft 365 security practices are often overlooked when managing an organization. In this guide we walk through several Microsoft 365 security recommendations and how to implement them.

What is Microsoft 365? Microsoft 365 is a productivity suite for home, business, and enterprise users. It comes highly recommended by countless businesses and is also one of the most popular software suites in the world, with an active user base of more than 340 million users.

Microsoft 365 has evolved over the years and securing your organization’s tenant can be daunting. Here are some Microsoft 365 security practices we recommend implementing.

Use Multi-factor Authentication Protocols

The most critical security factor for any software or application is the password. Despite its importance, most people tend to choose weak passwords that are easy to remember. While this is quite convenient for you, the user, it is very inconvenient for your computer’s security.

Easy passwords can be uncovered by hackers or cyber criminals who are always trying to steal your data. What’s more, some people even use the same password over and over again for multiple devices, software, and websites. In that case, a hacker would simply have to figure out the universal password to gain access to all your devices.

Seeing how easy it is to steal and misuse passwords, it would be a good idea to set up an extra layer of security for all your sign-ins. Luckily for you, you can use multi-factor authentication or MFA to increase your Microsoft 365 security.

How Does Multi-factor Authentication Work?

If you’re a Windows user, chances are you use the same password for everything. That’s because most of us don’t want to create and memorize multiple passwords when we can just use one. And most importantly, most people don’t even know how to add security layers without simply using a secondary password.

MFA adds an extra step to the sign-in process, requiring you to enter your primary password and then complete a secondary verification method. Rather than relying on another password you have to memorize, the second factor is something you have with you, such as your phone. There are two common ways to go about this.

Typically, MFA sends a verification code to your smartphone via SMS, which you must confirm by typing it into your computer. This code changes with each sign-in and never repeats itself, no matter how many tries. Alternatively, you can use a more secure method and verify with an authenticator app on your phone from Microsoft, Google, or Duo, to name a few.

How Does Multi-factor Authentication Help?

Multi-factor authentication is extremely beneficial to those users who have a habit of keeping weak passwords. That’s because the process makes you use both your password and an extra verification method.

Suppose a hacker has gained access to your password and is now planning to use it to log into all your accounts. In this scenario, the hacker might get through the first sign-in stage but won’t get through the second. That’s because the MFA protocol automatically sends a sign-in prompt to your phone, which the hacker does not have access to.

Since the hacker doesn’t have access to your phone or your fingerprints, they won’t be able to get far. So, by removing the dependency on a single factor, the MFA protocol boosts security and ensures that only you can sign into your accounts.

Safeguard Your Admin Account

The very first account you create for Microsoft 365 automatically becomes your global administrator account. Being a global admin means having full control of all other accounts and settings. As you can imagine, this is a juicy target for hackers, because compromising this one account gives them access to everything. It is in your best interest to always safeguard the global admin account.

Create Other Accounts

The simplest measure to overcome this issue is to create different accounts for your use. After all, you don’t need to use the admin account every day. You can easily do your work via a secondary account instead and only use the admin account to change your settings.

Alternatively, you could also create a separate admin account that is reserved for emergencies. If something happens to your original admin account (for example, it is compromised), you can always switch to the secondary admin account. Don’t forget to use MFA on your admin accounts either!

Use Preset Security Policies

Your Microsoft 365 subscription will typically come with security policies that the software itself has preset. These include useful settings for anti-malware, anti-phishing, and anti-spam protection. Although 365 ships with a set of default built-in preferences, we recommend switching over to a preset that fits your organization more precisely.

It’s important to know that preset security policies are not the same as the default settings; the two are distinct and cannot be used interchangeably. Microsoft 365 typically applies the default settings first and then any preset security policy you assign on top of them.

What’s Included In Preset Microsoft 365 Security Policies?

You can choose several types of preset security policies, each with its own distinct features. The profile you select determines how strict or lenient your security is. Choosing a policy makes 365 adjust its protection settings to match that profile’s requirements.

Some policies include anti-phishing, anti-spam, impersonation protection, spoof settings, etc. Finally, policy settings will determine if you use the setting for a single user, group, or multiple domains.

  • Standard Protection – This is the protection level recommended for most businesses and enterprises. This profile is most suitable for anti-malware, anti-phishing, and other similar settings.
  • Strict Protection – This profile includes everything you can find in standard protection and some added benefits. It uses the same base settings as the previous profile but adds strict measures and a more accurate authentication process. It is the perfect option for businesses that must meet tough security regulations. Most businesses use strict protection to safeguard their valued clients and most essential data.
  • Built-In Protection – This profile offers security and protection from dangerous emails. It successfully deals with any malware or risky links in the email and provides prompt notifications and warnings regarding the danger inside.
  • Custom Security Policies – Microsoft 365 also allows you to create your custom security policy and tune it according to your needs. You can use the quick start guide to understand this better and build custom policies tackling anything from spam to phishing-related issues.

How To Assign A Preset Security Policy To Users?

  • The first thing you want to do is head over to the Microsoft 365 Defender Portal. The official address is security.microsoft.com. Sign in with your account once you’ve reached the website.
  • Locate the Email & Collaboration section and head inside to the Policies & Rules area. Inside, you will find a section for threat policies; head further into a section named templated policies. Locate the preset security policies.
  • You will now see two sections: standard protection and strict protection. Go into either one of these two, and locate and select the option to manage protection settings.
  • The wizard box of your selected option will pop up. Now, locate the ‘EOP protections apply to’ option and apply the policy to what you want: users, groups, or domains.
  • You will find a box where you can type in the value you want. Repeat this for each value you want to add. Alternatively, you can select the remove option next to the value section to remove a pre-existing value. Click next when finished.
  • Find the page that says ‘Defender for Office 365 protections apply to’ and choose which user to apply the policy on. Click next when finished.
  • You will be brought to the review page, where you can cross-check and confirm all your changes. Select confirm after you’re done.
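The same scoping the portal wizard performs can be done with Exchange Online PowerShell. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, the signed-in account holds an Exchange or Security administrator role, and the addresses shown are placeholders for your own tenant.

```powershell
# Added example: assign the Standard preset security policy to specific users
# with Exchange Online PowerShell instead of the Defender portal wizard.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder

# Use "Strict Preset Security Policy" here for the strict profile instead.
$preset = "Standard Preset Security Policy"

# Placeholder recipients; the wizard's "EOP protections apply to" step
# corresponds to the EOP rule, "Defender for Office 365 protections apply to"
# to the ATP rule (the latter exists only with a Defender for Office 365 licence).
$users = @("alice@contoso.example", "bob@contoso.example")

# Scope the EOP part of the preset (anti-spam, anti-malware, anti-phishing).
# To scope by domain instead, use -RecipientDomainIs "contoso.example".
Set-EOPProtectionPolicyRule -Identity $preset -SentTo $users

# Scope the Defender for Office 365 part (Safe Links, Safe Attachments).
Set-ATPProtectionPolicyRule -Identity $preset -SentTo $users

# Preset rules are created disabled; enabling them is the equivalent of the
# wizard's final confirm step.
Enable-EOPProtectionPolicyRule -Identity $preset
Enable-ATPProtectionPolicyRule -Identity $preset

# Review step: confirm scope and state before signing off.
Get-EOPProtectionPolicyRule -Identity $preset |
    Format-List Name, State, SentTo, SentToMemberOf, RecipientDomainIs
Get-ATPProtectionPolicyRule -Identity $preset |
    Format-List Name, State, SentTo, SentToMemberOf, RecipientDomainIs

Disconnect-ExchangeOnline -Confirm:$false
```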

How Do Preset Security Policies Help?

Having presets for your security policies helps tune the security settings to tackle a specific threat. By choosing from the available options, you can always ensure that your tenant has the right protection for the right situation.

For example, choosing the anti-phishing policy will make your emails, domains, and networks become increasingly alert against phishing-related mail. Microsoft 365 security will be able to detect such emails faster and promptly notify you of their existence. You can either delete such threats or simply move them into the spam folder.

Prevent Email Forwarding

Whatever you do, do NOT leave automatic forwarding enabled for your mailboxes. Hackers use this sneaky trick to steal data by configuring the settings so that every mail gets automatically forwarded to them. And the worst part? You won’t even know that it’s happening because you’ll rarely get notifications for it. By the time you realize what happened, they will have stolen a great chunk of your personal data.

Preventing this will ensure that attackers can’t take advantage of your automated mail-forwarding features. To do this, simply configure your mailboxes to not allow auto-forwarding. It’s also recommended to create an alert for the admin account if a rule is created for forwarding email.
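One way to find forwarding that is already configured and then switch automatic external forwarding off, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module and an admin session; the sign-in address is a placeholder.

```powershell
# Added example: audit mailbox forwarding and inbox forwarding rules, then
# block automatic external forwarding tenant-wide.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"   # placeholder

# 1. Mailbox-level forwarding. ForwardingSmtpAddress can be set by the user
#    (or by whoever holds the user's session), so it is the one to watch.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail, checked mailbox by mailbox.
#    Rules are easy to hide with an innocuous name, so match on the action
#    rather than the rule name.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $_.MailboxOwnerId } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# 3. Block automatic forwarding to external recipients. The outbound spam
#    filter policy is the documented control point; the remote-domain setting
#    is the older knob and is set as well so the two do not disagree.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Review the output of steps 1 and 2 with the mailbox owners before removing anything, since some forwarding (for example to a shared mailbox) may be legitimate.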

Use The Safe Attachments Feature

Most people don’t know this, but Microsoft 365 security has a safe attachments feature that can detect even the most advanced ransomware attacks. What are ransomware attacks? Well, that’s when a hacker locks you out of your own data by encrypting valuable files or by rendering your computer unusable. This is usually followed by a massive ransom demand in exchange for your precious data, which is being held hostage.

Enabling the safe attachments feature scans email attachments before they reach you, so you don’t open attachments carrying trojan horses that take over your system. It ensures overall safety and introduces preventive measures when dealing with such scenarios.

Disable or Delete Unused Accounts

We can’t stress this step enough. We highly recommend disabling or deleting unused accounts. Not only do they add to your organization’s overall clutter, but they also leave an exposed weak point that hackers could take advantage of. Be sure to review your organization’s active users frequently.

An unused, but active email account can cause severe problems if you aren’t careful. Hackers might gain access to the passwords of such accounts and start using them without your knowledge. It’s also possible for rogue employees to take advantage of an account that was never disabled.

These attackers might use your forgotten email account for nefarious purposes, which might get traced back to you. So, always take away this option from hackers, and disable any unused accounts you might still have floating about.
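A scripted version of that review, as an added example that is not from the original article: it lists enabled accounts with no sign-in for a chosen period and disables them. It assumes the Microsoft Graph PowerShell SDK, the User.Read.All, AuditLog.Read.All and User.ReadWrite.All scopes, and a Microsoft Entra ID P1/P2 licence (needed for the signInActivity property); the 90-day threshold and the excluded emergency account are placeholders.

```powershell
# Added example: find and disable accounts that have not signed in recently.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "User.ReadWrite.All"

$cutoff = (Get-Date).AddDays(-90)   # placeholder threshold

# The emergency admin account recommended earlier rarely signs in by design;
# never disable it from this sweep. Placeholder address.
$exclude = @("breakglass@contoso.example")

$stale = Get-MgUser -All -Property Id, DisplayName, UserPrincipalName,
                                   AccountEnabled, SignInActivity, CreatedDateTime |
    Where-Object {
        $_.AccountEnabled -and
        $exclude -notcontains $_.UserPrincipalName -and
        (
            # Never signed in: only stale if created before the cutoff.
            ($null -eq $_.SignInActivity.LastSignInDateTime -and
             $_.CreatedDateTime -lt $cutoff) -or
            # Signed in before, but not since the cutoff.
            ($null -ne $_.SignInActivity.LastSignInDateTime -and
             $_.SignInActivity.LastSignInDateTime -lt $cutoff)
        )
    }

$stale | Select-Object DisplayName, UserPrincipalName,
    @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } } |
    Format-Table -AutoSize

# Disable first rather than delete: a disabled account keeps its mailbox and
# data and can be re-enabled if the review was wrong. Remove -WhatIf once the
# list above has been checked.
foreach ($u in $stale) {
    Update-MgUser -UserId $u.Id -AccountEnabled:$false -WhatIf
}

Disconnect-MgGraph
```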

Enable Alert Policies

Your computer presents tons of notifications for various reasons every day. These could range from emails to completed downloads, update reminders, etc. With so many notifications floating about, it can get difficult for you to understand which one is important and which one is a waste of time. Or worse, you could become complacent with all the notifications and overlook something alarming.

Enabling Microsoft 365’s alert policies makes sure you’re never confused about important notifications. Each threat will present itself with an eye-catching notification that will draw your attention to it. Depending on the severity of the threat, 365 might alert you using different colors as well. It’s a great way to keep your eyes wide and your mind aware of what’s going on.

Microsoft 365 Security Conclusion

Securing your organization’s Microsoft 365 tenant can be overwhelming. The recommendations above are just a few of the policies we recommend implementing. If you need assistance securing Microsoft 365 for your business, please contact us for a free consultation and see how we can help with Microsoft 365 security.