Your users can invite guests to collaborate on a Word document or other resources, which is perfectly fine. A simple dialog box, like the one pictured below, belies the complexity of configuring password management and the roles that can affect users. Instead of stealing your users' credentials, the attackers trick the users into granting them permission. We can block the access with a simple switch in Azure AD under User Settings. It is best practice to regularly review these settings and adjust them to your company policies and/or new features released by Microsoft. Your IT provider hooked you up with Office 365, but you're not sure everything is set up as it should be. If you have any questions, or recommendations that should be added to the guide, then please drop a comment below. SPF is a good first step, but you really need DKIM as a minimum to prevent spoofing. Let's now take a look at the functionality around administering and managing M365.
But did you know that by default guests can also invite other guests? What you should do is block the sign-in on all the Shared Mailbox accounts. By default, you can invite a person to access your SharePoint sites. To secure Office 365, you want only the person you shared the link with to be able to access the folder. If you are using AD Connect to sync your users and passwords, then the password expiration policy is taken over from your local group policy. The two overviews together will give you a nice overview of all the accounts that are still using legacy authentication protocols. The mailbox audit log is enabled by default, but you also want to enable the Unified Audit Log. To prevent data loss I also recommend that you create a new alert that is triggered when a Team is deleted. When an organization adopts any new services, security teams really should be reviewing defaults and determining what's right for them and whether access rights for human and/or machine accounts need to be tightened. Before you can disable them you will need to make sure that your users and business applications are not using any of the protocols. Love your work. As soon as you have your tenant up and ready you should jump into the Office 365 Security & Compliance Admin Center > Search > Audit log search, to ensure that auditing has been enabled for your organization. Now, SPF is required to send any mail from a custom domain in Office 365. Tim has managed product across the security spectrum including Security, Compliance, IAM and GRC for a variety of companies and in a few different countries, including a 5-year stint in Munich, Germany! For some metrics, you will get an immediate fix and for others, you will get a detailed checklist on how you can remedy this potential problem.
Store the password in a safe place to which multiple authorized people have access. If you don't want to use the security defaults and you don't have Conditional Access, then your only option is to enable MFA for each user manually. But most don't have DKIM and DMARC configured. This allows guests to access shared documents with a one-time passcode instead of a Microsoft account. For SharePoint you should also periodically check who the owners of a particular site collection are, and for Office 365 Groups and Teams who the owners of these groups are. Text messages or app passwords can't be used with security defaults enabled. All you need to have is the password. Email phishing attacks are causing billions of dollars in lost revenue for companies each year. You can now add number matching and additional context (location and app) to the MFA request notification. The latest studies showed that password expiration does more harm than good. Attackers can easily spoof your mail domain if you haven't configured SPF, DKIM and DMARC. Unfortunately, this is not a safe assumption. The plan was to disable all protocols, but that is postponed due to the pandemic. We can do this by disabling the protocols on all the mailbox plans (you can have multiple plans, each corresponding to its own license type). End users love to store important documents in their Desktop or My Documents folder, and IT departments have struggled with this situation for a long time. Helpdesk employees don't need to have Global Administrator access; for example, they could probably do their job with only the Helpdesk and User administrator roles. I have updated the article. There are multiple methods by which users can authenticate, including a mobile app, text messaging or calling. The Wipro State of Cybersecurity Report 2020 found that the number of discrete entitlements has grown exponentially, to more than 40,000 permissions.
Disable the sign-in to shared mailboxes with PowerShell. Microsoft will start in Q2 of 2021 by automatically disabling the basic protocols that you are not using to secure Office 365. Try SysKit Point for easy-to-read reports that help check access to critical admin sections. If you don't use conditional access policies, then one emergency account excluded from MFA is enough. IT can enforce redirection of these folders to OneDrive using Group Policy. Any portal user that is inactive for more than 30 minutes will get automatically signed out. You also want to disable the legacy protocols for all the new mailboxes. Some third-party apps in Office 365 don't enforce multi-factor authentication and allow your users to connect to SharePoint without MFA, which is not really secure of course. For instance, Microsoft Teams allows team owners to invite external guests to attend meetings and collaborate within Teams channels. Make sure you take a look at these new features (released mid-November 2021). Next, we need to set the authentication methods that are needed to change a password. Learn more in the OneDrive Admin Center > Device Access. For example, a mobile phone network outage that prevents you from approving the MFA request, or the sudden leave of the only Global Administrator. Allow guests to share items they don't own. Just to be clear, per mailbox you don't disable the authentication protocol, but the protocol itself. On the other hand, nothing changes for the end user. You can prevent the authorization of the unverified apps by disabling user consent in the Microsoft 365 Admin Center and setting up the custom app consent policies in Azure Active Directory. In the Azure Active Directory, navigate to External Identities and select External collaboration settings. If your company holds public meetings with customers where you send out an open invitation that anyone can join, then you will need to leave this setting enabled.
I have written this guide for you to use as a baseline to secure your Microsoft Office 365 tenant. A good option is to inform your users about MFA and give them a two-week period to enable MFA themselves. If you have enabled self-service password reset (and of course you have enabled MFA), then you can make it a little bit easier for your users by allowing the combined security information registration. Existing tenants however will need to keep up with the new security features and enable them manually to secure Office 365. It protects your accounts against phishing attacks and password sprays. In Office 365 you can enable and further enforce MFA for your users. If you click on the policy you will be redirected to the old Security and Compliance center where you can view all the policies. Prior to BeyondTrust, Tim was serving as the Director of Product Management for Identity and Access Management at Micro Focus. Jump into the OneDrive or SharePoint Admin Center to adjust settings for your tenant. With the permissions, they can read the user's profile, send mail on behalf of the user, and have full access to the files that the user can access. Microsoft has created two preset security policies for Exchange Online, a standard and a strict policy, to secure your Office 365 mail.
We can use PowerShell to enable the Unified Audit Log. With these mobile device management policies, you can control how files are synced to your mobile apps. Multi-factor authentication should be enabled for all admin and user accounts. To enable or disable Security Defaults you will have to log in to the Azure Active Directory Admin Center. If you need to disable security defaults, then make sure you have at least enabled MFA for all the admins and users where possible and block all legacy protocols (per user). Azure AD is at the core of security for M365, Azure VMs, Storage, and much more.
Redirect and move Windows known folders to OneDrive. So you can't disable MFA for one user or turn on the SMTP Authentication Protocol if you need it for a specific business application. Office 365 multi-factor authentication adds one additional layer of security, as it is increasingly more difficult for an attacker to compromise multiple authentication factors. Branding your Microsoft 365 login screen doesn't only look nice, it also helps you to secure Office 365. We often see phishing attacks in which the attackers spoof an internal email address. External email tagging is an extra security measure to make your users more aware of the origin of the email. At the moment we need to use PowerShell to enable this new feature; if you want more information about it, then make sure you read this article where I explain more about email tagging. Business applications may still be using legacy protocols like SMTP or IMAP, preventing you from disabling them for everybody. Recently, I have found one small tool very useful in measuring the maturity of your organization and its users. Basic or Legacy Authentication Protocols allow you to connect to Exchange Online without the use of Modern Authentication. You can do this in the Admin Center or with PowerShell. Users can enable MFA through the following link: https://aka.ms/mfasetup. The best practice is to make sure all your privileged users have MFA enabled, and this also includes Global Admins. To learn more navigate to: Search the audit log in the Security & Compliance Center. Top 10 Office 365 Best Practices Every Admin Should Know. For service accounts that only need to read user accounts from the Azure Active Directory, you could use the Directory Reader role. As a Windows administrator, seeing Active Directory, Office, and other technologies feels like you should be able to get a handle on security. Besides securing your Office 365 tenant, it's also important to protect your mail domain.
The best way to implement MFA is based on conditional access. Users that are still using legacy protocols (older mail clients on mobile phones, or Apple Mail) should use the Microsoft Outlook app. Make sure you customize it; it only takes a couple of minutes. You get this when you use the security defaults, but if you don't want to or can't use security defaults, then you will need Azure Premium Plan 1 for this. Also, you can only use the Microsoft Authenticator app with notifications for multi-factor authentication. Access to the shared mailbox is managed with permissions. Add the IMAP4, POP3, and SMTP columns.
This familiarity provides a level of comfort. It might take up to a couple of days until the logs start appearing in the UI, so make sure you have done this well before there is a business request for you to look into some logs. Index link to User Password Policies section is incorrect: When the user, for example, changes network location, the conditional access policies are only triggered when the token is renewed. One way to approach this and ease the burden is to adopt the principle of least privilege and apply a default of very limited (or no) access. Another good resource is the sign-ins overview in the Azure Active Directory. Also, it's a good idea to require the guest to sign in or at least enter a verification code. A compromised user account is pretty much always used immediately by the attackers. There are a couple of things you should consider before enabling MFA. A new way attackers try to gain access to your data is by using Consent Phishing. These tokens authorize the user to access the services, for example when a user opens Outlook or logs into SharePoint. One more. Without it, users will need to register the authentication methods separately for MFA and SSPR. Both OneDrive and SharePoint include a very handy feature that allows end users to easily share documents with a user that is not part of your organization, and if permitted, even with fully anonymous users. Don't use these accounts on a daily basis, only when you have lost access to Azure AD with your normal global admin account. These policies help you to track user and admin activities, and alert you in case of threats or data loss incidents. You can also increase the number of methods that are required to reset a password from one to two, but before you do that make sure your users have multiple methods registered.
Long-time MS Office and Windows users and admins will recognize some technologies and terminology across M365. The problem with this token lifetime of an hour is that any changes in the user's authorization are only detected after an hour at most. Sharing in SharePoint is really convenient for your users: they can create a link and share it with anyone they want. How it works: Azure Multi-Factor Authentication, Add branding to your organization's Azure Active Directory sign-in. Can you please update screenshots for Continuous Access Evaluation (CAE)? Auto-forwarding to an external domain is normally not used, so you should block it. In practice, this seeming familiarity conveys a false, and potentially dangerous, sense of security. These accounts prevent you from being locked out of your Azure Active Directory in case of an unforeseen circumstance. In this blog, we will look at some of the SaaS security implications of M365 (based in Azure) versus the traditional Microsoft Office, which resides on the end user's desktop. But that comes with a risk: by default, anyone who gets the link can access the shared item. These best practices are primarily focused on SharePoint, OneDrive, Groups, and Microsoft Teams workloads, so they may differ if you are primarily using one of the other workloads in Office 365. https://lazyadmin.nl/wp-admin/post.php?post=4322&action=edit#password-policy. By default, anonymous users can join any Teams meeting if they have the link to the meeting. In the table, under the chart, you can choose the columns. These logs are comprehensive and cover various workloads including but not limited to Exchange, SharePoint, and OneDrive activities. This, of course, includes members of the Global Administrators role, but also specific workload administrators like Exchange administrators, SharePoint administrators and User management administrators.
To learn more navigate to: Add branding to your organization's Azure Active Directory sign-in. If you allow everyone to create as many groups as they want, this will very soon become unmanageable chaos, and it takes so little to prevent it. If you need to keep the entries longer then you will need an E5 license for your users. All the security features can be enabled without the need for additional add-on products like Advanced Threat Protection, Defender for Office 365, or Azure Premium P1 or P2. Guests must sign in using the same account to which sharing invitations are sent. There are some other interesting options on this page as well. To do this, they create a malicious app and register it in the app store. Before you enable security defaults in Office 365 you should keep a few things in mind. I will keep this guide updated with the latest recommendations. Even Microsoft now recommends removing the password expiration requirements to further secure Office 365. Authentication in Office 365 is based on OAuth 2.0 access tokens. If you only need to leave it enabled for a few mailboxes, then the easiest approach is to disable it first for all the mailboxes with PowerShell, and then turn the protocol back on for only those mailboxes that really need it. For IMAP, we can block the protocol for all the users that don't need it. This way we can show a warning on suspicious phishing emails. Tim enjoys travelling around the world, exploring new cultures and engaging with locals wherever he goes. In this guide we are going to configure the following security settings: Security Defaults in Microsoft Office 365 are preconfigured security settings that help you to secure your Office 365 data against common threats. Office 365 administrators should periodically check who the users are that have privileged access to the Office 365 system.
Here are some simple best practices to avoid this mess: It also allows you to create alerts based on events that happen. You can't make any exceptions to the policies. The best option is not to wait but to start with disabling the basic protocols, because they are actively used by attackers.
There have been a number of disruptions in the last 12 months, so you need to monitor the status of Office 365 services closely to ensure the system is up and running.
Dear reader, this is the functionality of our former product, SysKit Security Manager. If you create a Shared, Room, or Equipment Mailbox in Office 365, it will automatically also create an active user. This allows the application to read all the user accounts. We can block the access of these apps in the SharePoint Admin Center. It's really very nice and helpful, thank you so much, Rudy, for your time and efforts. To enable MFA, navigate to the Microsoft 365 Admin Center > Users > Active Users, click on one of the users and click on Manage multi-factor authentication on the user properties screen. Here are the top 10 Office 365 best practices every Office 365 administrator should know. While this feature is probably great for many organizations, it is still advisable that you spend some time thinking about and configuring External Sharing settings for Office 365 workloads.
Tim has been in Product Management for over 20 years. Inform the users about the upcoming change and give them time to migrate before you turn off the protocols. CAE is now part of Conditional Access Policies and is auto-enabled as part of a policy. Letting users self-reset their password isn't really a security improvement for Office 365, but it results in fewer tickets/calls to the helpdesk. The advantage of using one of these templates instead of creating the policies manually is that they will automatically update your settings with Microsoft's latest recommendations. Each entry in the Unified Audit Log is kept for 90 days by default. An important part of keeping Microsoft Office 365 secure is to regularly check the audit logs and keep up with the security recommendations in the Microsoft 365 Security Center. Thanks. You can change the password expiration in the Microsoft Office 365 Admin Center: Allow your users to self-reset their password when needed. I've spoken with many adopters of M365, Teams, and other cloud offerings from Microsoft. Microsoft Office 365 comes with a lot of features to protect your data against today's threats. I assume that your admins already have a proper habit of locking their device when they leave it unattended, but an extra security measure never hurts.
MFA works flawlessly with Microsoft Office and web browsers, and you can even use it when connecting to Office 365 from code or PowerShell. https://tenantName-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/sharing You want to keep control of who can access your data, so you should not allow guests to invite others. For the general M365 community of users, security and protecting their data is, at most, an afterthought. Thanks for the research and time invested in this article. This is a no-brainer for every install and is something that is not turned on by default. We will also provide 9 best practices for ensuring proper governance and security around Microsoft 365 admin accounts. With each new service introduced, a collection of new entitlements is provided with default settings. They can still use their folders exactly as they're used to, while in the background the OneDrive client will sync the files with the cloud. You will find the policies in Microsoft 365 Compliance under Policies. If you found this Microsoft 365 Best Practice guide useful then please share it. Besides tagging, we can also add a custom warning to external emails with specific words or phrases in the subject or body. But I find it easier to do this through the Azure Active Directory: You can also view all the roles and the assigned users under Roles and administrators in the Azure Active Directory. Learn more in our External Sharing blog post or in the official documentation Manage sharing in OneDrive and SharePoint.
- Auto-inject the credentials to initiate a session to ensure they are never revealed to the end user
- Provide an unimpeachable audit trail of the entire session in which the credentials were used
- Alert when a session using the M365 credentials has been initiated and when it ends
- Host a locked-down web interface that is used only for M365
- Implement an access control list (ACL) to only allow administrative access to O365 from trusted sources
- For all connectivity, enforce 2FA regardless of password management and hardening
- Create a break-glass O365 administrative account with a highly complex password
- Integrate with ITSM tools to layer on additional governance around the usage of M365 admin accounts, and with SIEM solutions for advanced threat analytics

Very helpful. This tool monitors your users' mailboxes and alerts you when a phishing mail slipped through the Exchange Online security. Your support helps running this website and I genuinely appreciate it.
Trying to get a handle on that privileged access sprawl can induce panic or dread in the most staid of IT security practitioners.