10 Office 365 Security Best Practices

Microsoft Office 365 is foundational to the way many organizations do business. The software suite, featuring popular tools like Word, PowerPoint, Excel, and Outlook, powers communication and collaboration across virtually every department of an organization. 

However, as one of the most popular software platforms in the world, Office 365 is an attractive target for cyber criminals looking to attack and exploit organizations. Microsoft has a wide range of cybersecurity measures in place, but ultimately, it’s the responsibility of individual cybersecurity leaders to ensure their organization’s internal environment is as secure as possible. 

The rapid acceleration of remote work has presented a new range of challenges for cybersecurity professionals to deal with. Employees now primarily access business systems from less secure home networks, and conduct far more business online, using an array of SaaS tools that many organizations rushed to set up at the beginning of the pandemic. At the same time, the incidence of phishing and social engineering attacks has increased dramatically. 

In response, the team at Tech Heads partnered with Microsoft to develop a playbook of best practices that would help organizations improve their Office 365 security posture. Recently, Zane Smith, Director of Technical Services at Tech Heads, caught up with Matt Sosman, Security Architect at Microsoft, to share these best practices. In this article, we’ll summarize the 10 best practices for Office 365 security that they discussed. 

#1 Cybersecurity Awareness Training

Employees are the first line of defense against any cyber attack. By conducting cybersecurity awareness training, organizations can ensure that, in cybersecurity terms, their employees are an asset rather than a vulnerability. 

It only takes one employee to fall for a phishing scam for the security of the whole organization to be thrown into jeopardy. That’s why it’s so important to mandate cybersecurity training and educate employees about their responsibilities.

Focus on making the training accessible and easily digestible for your employees. At Tech Heads, we’ve partnered with KnowBe4 to offer engaging online training courses that cover the key elements of cybersecurity awareness in a series of short modules. 

#2 Set Up and Enforce Multi-Factor Authentication

One of the most important steps cybersecurity leaders can take to secure their Office 365 environment is to set up and enforce Multi-Factor Authentication (MFA). By doing so, organizations are better protected against a range of password and phishing attacks. 

Ensure that all key systems, like Outlook and OneDrive, require MFA. This means that even if a user's credentials are compromised, attackers would also need to defeat the additional authentication factor to gain access, making attacks considerably more difficult. 

There are a variety of ways that organizations can deploy MFA, from texting users confirmation codes to requiring an additional hardware device, such as a USB security key that employees must plug into their device to access certain systems. 

#3 Configure Email Security Settings

Office 365 comes with a wide range of email security settings built in, but it’s important that cybersecurity leaders also configure additional settings that make sense for their own organization. There are three key measures organizations should take:

Configure Spoofing Filter Rule

Spoofing filter rules better protect employees from phishing emails. To create a rule, set the Spam Confidence Level to 9 if the following conditions are met:

  • Sender address belongs to a valid organizational domain
  • The message is received from ‘outside the organization’

This ensures that any attackers who are impersonating a company domain will struggle to land phishing emails in the inboxes of employees. 
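The spoofing rule described above, expressed as an Exchange Online mail flow rule. This is an added example, not code from the Tech Heads/Microsoft playbook; it assumes the ExchangeOnlineManagement module is installed and the account holds an Exchange administrator role.

```powershell
# Added example: create the spoofing filter rule with Exchange Online PowerShell.
Connect-ExchangeOnline

# Every domain the tenant accepts mail for. A message whose sender domain is one of
# these but which arrives from outside the organization is the spoofing candidate.
$ownDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

# SCL 9 is treated as high-confidence spam by the tenant's anti-spam policy.
New-TransportRule -Name "Spoof filter: own domain from outside" `
    -SenderDomainIs $ownDomains `
    -FromScope NotInOrganization `
    -SetSCL 9 `
    -Comments "Messages claiming to be from our domains but received externally"

# Verify the rule exists and is enabled.
Get-TransportRule -Identity "Spoof filter: own domain from outside" |
    Format-List Name, State, Priority, SenderDomainIs, FromScope, SetSCL
```

Legitimate third-party services that send as your domain (a marketing platform, a ticketing system) will also match this rule; the right fix is to add them to SPF/DKIM rather than to exempt them here, but `-ExceptIfSenderIpRanges` is available for a temporary carve-out.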

Set Up DMARC, SPF, and DKIM Records

All organizations should set up and validate DMARC (Domain-based Message Authentication, Reporting, and Conformance), together with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). These play the following roles in hardening email security:

  • DMARC – checks that the domain in the visible From: header aligns with the domain authenticated by SPF or DKIM. The DMARC record also tells receiving systems how to treat emails that fail these checks, for example by quarantining them, and where to send reports.
  • SPF – defines which IP addresses are authorized to send email on behalf of the organization's domains. This ensures attackers spoofing an official domain will struggle to deliver emails to employees.
  • DKIM – adds a digital signature to each email's header that receivers can verify against a public key published in the sending domain's DNS. 
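A validation check for the three records, as an added example that is not part of the original article. It uses the Windows DNS client cmdlet `Resolve-DnsName`; the domain and the DKIM selector passed at the bottom are placeholders, and the weak-setting rules it flags (`p=none`, `+all`, missing `rua=`) are the ones a defender usually reviews first.

```powershell
# Added example: flag missing or weak SPF, DMARC and DKIM records for a domain.
function Test-EmailAuthRecords {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $DkimSelector = "selector1"   # Microsoft 365 publishes selector1 and selector2
    )
    $findings = @()

    # SPF: a TXT record on the bare domain starting with v=spf1 (long records span several strings).
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=spf1*" }
    if (-not $spf)                  { $findings += "SPF: no v=spf1 record on $Domain" }
    elseif (@($spf).Count -gt 1)    { $findings += "SPF: more than one v=spf1 record (RFC 7208 permerror)" }
    elseif ($spf -match "\+all")    { $findings += "SPF: '+all' authorizes every sender" }
    elseif ($spf -match "\?all")    { $findings += "SPF: '?all' is neutral; use -all or ~all" }

    # DMARC: TXT record at _dmarc.<domain>; p=none only monitors, it blocks nothing.
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings -join "" } | Where-Object { $_ -like "v=DMARC1*" }
    if (-not $dmarc) { $findings += "DMARC: no record at _dmarc.$Domain" }
    else {
        if ($dmarc -match "p=none")  { $findings += "DMARC: p=none; move to p=quarantine or p=reject" }
        if ($dmarc -notmatch "rua=") { $findings += "DMARC: no rua= address, so no aggregate reports" }
    }

    # DKIM: <selector>._domainkey.<domain>. In Microsoft 365 this is a CNAME to the tenant's
    # key record, so keep only the TXT answers that follow the CNAME chain.
    $dkim = Resolve-DnsName -Name "$DkimSelector._domainkey.$Domain" -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq "TXT" } | ForEach-Object { $_.Strings -join "" }
    if (-not ($dkim -match "p=")) { $findings += "DKIM: no public key for selector $DkimSelector" }

    return $findings   # an empty list means nothing weak was detected
}

# Placeholder domain; run for each domain the tenant sends mail from.
Test-EmailAuthRecords -Domain "example.com" -DkimSelector "selector1"
```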

Anti-Phishing Protection

Phishing scams tend to follow a predictable pattern, and consequently, it’s possible for cybersecurity leaders to implement measures that protect employees. One technique is to use Exchange Online Protection to apply flags to suspicious emails. This helps employees to better identify potentially dangerous emails and modify their behavior accordingly.

#4 Enable Audit Logging 

No cybersecurity environment is completely impenetrable. With that in mind, it’s important that organizations develop the capability to detect and diagnose security events. 

By enabling audit logging, security teams can access event data and better understand attacks. This feature must be manually enabled by administrators, and should be set up to automatically route all data to a Security Information and Event Management (SIEM) tool that enables organizations to quickly detect and respond to any attacks. It may make sense to work with a Managed Cyber Security Service to ensure optimal configuration of the SIEM.

#5 Set Up Mailbox Auditing

In addition to audit logging, organizations should also activate mailbox auditing, which tracks mailbox access activity across the organization. This isn’t auto-enabled in Office 365, so it’s important that administrators manually enable this to ensure they’re able to access mailbox activity log data in the event of an attack. 

Take the additional step of enabling the ‘UpdateInboxRules’ setting. A common strategy for attackers is to set up email auto-forwarding, giving them access to a user’s emails even after password changes. Cybersecurity leaders should audit these rules, paying particular attention to forwarding rules that route emails outside of the organization. 
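The audit-logging step in #4 and the mailbox-auditing and forwarding-rule review in #5, carried out with Exchange Online PowerShell. This is an added example, not the article's own procedure; it assumes the ExchangeOnlineManagement module and an Exchange administrator role, and treats any forwarding target whose domain is not one of the tenant's accepted domains as external.

```powershell
# Added example: enable unified and mailbox auditing, audit UpdateInboxRules, and
# list inbox rules that forward or redirect mail outside the organization.
Connect-ExchangeOnline

# 1. Unified audit log ingestion (#4) and org-level mailbox auditing (#5) must both be on.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}
if ((Get-OrganizationConfig).AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }

# 2. Record inbox-rule changes made by owners, delegates and admins on every user mailbox.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true `
        -AuditOwner    @{Add = "UpdateInboxRules"} `
        -AuditDelegate @{Add = "UpdateInboxRules"} `
        -AuditAdmin    @{Add = "UpdateInboxRules"}
}

# 3. Review existing rules: forwarding/redirect targets outside the accepted domains.
$ownDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
function Test-ExternalAddress([string] $Target) {
    # Rule targets look like '"Name" [SMTP:user@domain]' for SMTP recipients; internal
    # directory recipients use an [EX:...] form with no '@' and are treated as internal.
    if ($Target -match "[\w.+-]+@([\w.-]+)") { return ($ownDomains -notcontains $matches[1].ToLower()) }
    return $false
}
$external = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.Identity | ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        $hits = $targets | Where-Object { $_ -and (Test-ExternalAddress "$_") }
        if ($hits) {
            [pscustomobject]@{ Mailbox = $mbx.PrimarySmtpAddress; Rule = $_.Name
                               Enabled = $_.Enabled; Targets = ($hits -join "; ") }
        }
    }
}
$external | Format-Table -AutoSize

# 4. Rule changes recorded in the unified audit log over the last 7 days.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations
```

Step 4 only returns events from after ingestion was enabled, so the rule review in step 3 is what catches forwarding that was set up before auditing was switched on.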

#6 Role-Based Access Control for Administrators

By assigning role-based access controls for system administrators, organizations can closely manage access. Ensure employees are only able to access the systems needed for their job. 

Administrator accounts have high access privileges to key systems and are attractive to attackers, so take extra steps to secure these accounts. Administrators should only use them when absolutely necessary, with a separate non-privileged account for day-to-day work. Generally, the less these accounts are used, the smaller their exposure.

#7 Configure Alert Policies

Office 365 has pre-configured alert policies that enable administrators to track user activities and receive alerts in the event of security incidents. In addition to these, organizations should also implement alert policies of their own. These might monitor for malware incidents or other suspicious activities that are specific to the organization's existing security infrastructure. 

Generally, event data that arises from an organization's alert policies should be routed to a SIEM platform for analysis. This ensures data is always available in the event of a security incident, and enables organizations to embrace managed detection and response strategies.

#8 Block Legacy Authentication Protocols

Legacy authentication protocols enable users to access secured systems without using two-factor authentication. If your organization still has legacy protocols enabled, it’s significantly easier for an attacker to successfully breach your IT infrastructure.

A common example is an older email client on an employee's smartphone that connects using basic authentication. Before you block these protocols, make sure that nobody is currently using them, and if they are, give users time to migrate to the modern authentication methods used by the rest of the organization. 

#9 Define Clear Password Policies

Organizations should embrace a clearly defined set of password management policies. In all, 80% of data breaches are caused by stolen credentials, so it's crucial that employees understand the importance of properly securing and updating their passwords. 

Consider requiring employees to use a password manager. Additionally, make password management a key focus of cybersecurity awareness training. Educate employees on the most common types of password attacks and teach them how to identify and respond to potential threats. 

#10 Restrict User Access to Azure Portal

By default, all authenticated users have read access to the Azure Portal, which acts as the central hub for IT teams to manage their Office 365 systems. While users, and any attackers who have gained access to user accounts, cannot change anything, there isn't any scenario where this level of access is valuable to regular employees. 

Restrict access to the Azure portal to the core IT team. This ensures potential attackers who compromise a regular user account will be unable to view this important element of your system.

Get the TechHeads Microsoft Office 365 Best Practices Playbook 

These best practices are a valuable first step in securing your organization’s Office 365 system against attackers, but clearly, a more detailed approach is necessary to drive higher levels of protection.

Tech Heads is proud to offer a managed Microsoft 365 security service that enables organizations to protect, detect, and respond to any threats to their Office 365 infrastructure. As a Microsoft Partner, we offer IT consulting services that harden your internal environments and ensure your organization is protected against the latest cyber threats. 

To learn more, schedule a call with an expert consultant.