Securing your organization’s data has never been more critical in the digital age, especially when using comprehensive solutions like Microsoft 365 (M365). While M365 offers various productivity tools and features tailored for business efficiency, its widespread usage also makes it a potential target for cyber threats. Below are 15 actionable tips designed to enhance the security of your Microsoft 365 environment, ensuring your data remains protected. Please note that the availability of these features may vary depending on your M365 subscription.
1. Create a Break-Glass Admin Account
A break-glass account is an emergency administrator account with high privileges created for use in scenarios where regular admin accounts are inaccessible. Ensure this account does not have access to email to minimize its attack surface.
2. Require MFA for All Admins
Multi-factor authentication (MFA) adds an extra layer of security. Ensuring all administrators use MFA can significantly reduce the risk of unauthorized access.
3. Enforce MFA for All Users
Don’t limit MFA to just admins. Requiring it for all users increases your security posture immensely, protecting against compromised user credentials.
4. Enable Conditional Access
With Conditional Access policies, you can define conditions for users to access M365 services. A good starting point is blocking logins from foreign countries if that suits your organization’s profile.
5. Block Unapproved Device Types
Limit access to your M365 data by allowing only approved device types (e.g., PCs, phones, tablets). This can help prevent unauthorized devices from accessing sensitive information.
6. Block Unused Operating Systems
Similar to blocking device types, restricting access from operating systems your organization does not use (e.g., Linux, Android, macOS) minimizes the risk from older or less secure platforms.
7. Enable an App Protection Policy
App Protection Policies (APP) help manage and secure corporate data within apps. This is crucial for organizations adopting a Bring Your Own Device (BYOD) policy.
8. Block Legacy Authentication
Older authentication methods are generally less secure. Blocking legacy authentication protocols, which rely on a username and password alone and cannot enforce MFA, can protect against certain types of attacks, such as password spray or credential stuffing attacks.
9. Disable Persistent Browser Sessions
By disabling persistent browser sessions, you force users to re-authenticate after closing their web browsers. Ending the logged-in session this way reduces the risk of unauthorized access from shared or public computers.
10. Disable SMS (text) MFA
While SMS-based MFA is better than no MFA, it’s susceptible to SIM swapping and phishing attacks. Use app-based or hardware token MFA methods instead.
11. Enable App Consent
Manage which third-party apps can access your M365 data. Requiring admin consent for app integrations can prevent malicious apps from being granted access to that data.
12. Change the Default SharePoint Sharing Settings
Restrict external sharing within SharePoint to prevent sensitive data from being unintentionally shared outside your organization.
13. Protect All Users with a User Risk Policy
This Azure AD Identity Protection feature allows you to define responses to detected user risk levels, such as requiring password changes or enforcing MFA.
14. Protect All Users with a Sign-In Risk Policy
Sign-in risk policies evaluate the riskiness of sign-in attempts in real time and can enforce adaptive authentication measures, further securing your environment.
15. Monitor Your M365 Environment for Suspicious Activity
Regularly review sign-in logs, audit logs, and alerts within the Microsoft 365 security center. Staying vigilant helps you respond quickly to potential threats.
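As an added example (not part of the original post), the script below reviews an exported batch of sign-in records in the Microsoft Graph `signIn` JSON shape and flags the conditions the tips above address: successful legacy-protocol sign-ins, admin sign-ins without MFA, sign-ins Identity Protection rated medium or high risk, and successful sign-ins from outside the home country. The records, the admin list, and the home-country set are constructed assumptions for the demo.

```python
import json

# Constructed sample export (Graph signIn shape); not data from a real tenant.
SAMPLE_SIGNINS = json.dumps([
    {"userPrincipalName": "admin@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "singleFactorAuthentication",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "US"}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelDuringSignIn": "high", "status": {"errorCode": 0},
     "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelDuringSignIn": "none", "status": {"errorCode": 50126},
     "location": {"countryOrRegion": "US"}},
])

# clientAppUsed values that indicate legacy (basic) authentication protocols.
LEGACY_CLIENTS = {"Exchange ActiveSync", "Other clients", "IMAP4", "POP3",
                  "Authenticated SMTP", "MAPI Over HTTP", "Exchange Web Services"}
ADMINS = {"admin@contoso.example"}   # assumption: admin UPNs maintained by the reviewer
HOME_COUNTRIES = {"US"}              # assumption: where the organization operates


def review_signins(raw_json, admins=ADMINS, home=HOME_COUNTRIES):
    """Return (user, finding) pairs for sign-ins that violate the tips."""
    findings = []
    for s in json.loads(raw_json):
        user = s["userPrincipalName"]
        succeeded = s.get("status", {}).get("errorCode") == 0
        if succeeded and s.get("clientAppUsed") in LEGACY_CLIENTS:
            findings.append((user, "legacy-auth"))
        if succeeded and user in admins and \
                s.get("authenticationRequirement") != "multiFactorAuthentication":
            findings.append((user, "admin-without-mfa"))
        if s.get("riskLevelDuringSignIn") in {"medium", "high"}:
            findings.append((user, "risky-signin"))
        if succeeded and s.get("location", {}).get("countryOrRegion") not in home:
            findings.append((user, "foreign-country"))
    return findings


if __name__ == "__main__":
    for user, finding in review_signins(SAMPLE_SIGNINS):
        print(f"{finding:18} {user}")
```

Failed sign-ins (non-zero `errorCode`) are only reported for their risk rating, since the other checks concern sessions that were actually granted.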
By implementing these 15 tips, you’ll significantly improve the security posture of your Microsoft 365 environment. Cybersecurity is an ongoing process, and staying informed about best practices is critical to safeguarding your organization’s data.
Lastly, if you need help, contact your IT person or IT support provider and ask them to show you that these steps have been implemented. If they have not been implemented, make sure to get it done right away!
Prevention is cheaper than remediation!