Microsoft 365 is often considered safe, as it’s always up-to-date and maintained by Microsoft.

Unfortunately, this is not true. Well, at least some parts aren’t. There are quite a few settings that should be configured, and products that can be implemented, to limit risk and exposure.

Threat Actors (TAs) often target finance or accounting users and, once an account is compromised, send altered invoices with different bank account details to existing customers. Financial and reputational damage can run high depending on the type of business. We’ve seen damages of up to $100.000 for one single invoice.

These are some examples of recent high-value breaches where TAs gained access to a user account. Both could have easily been prevented with the mitigations outlined in this blog.
The Hague Gemeente warns of fake emails sent out on 25 September – The Hague Online
All Dutch police officers’ contact details stolen in cyberattack – POLITICO

Regular MFA does not protect against these modern attacks: TAs use malicious apps and specially designed proxy servers to record the user’s session, including the MFA token (adversary-in-the-middle, or MITM, attacks), bypassing a measure that is generally considered secure.

Several basic security settings should be set in every environment, and most risks can be mitigated entirely by implementing Microsoft 365 with Intune device management, as it results in a phish-resistant environment. In this post I outline the most important security settings and products that everyone should implement.

You can also request the status of these settings from your IT partner, or have them verified by an independent advisor.

  1. Enable FIDO Security Keys. This new technique is a phish-resistant sign-in method and a huge improvement. Use it, or require it, wherever you can. You can enable it in Entra ID > Security > Authentication Settings
  2. Entra ID App Registrations. If not configured correctly, threat actors can use App Registrations from their own tenant to lure end users into approving access rights in your tenant. From there, they can access the environment from another location without the user knowing.
    Summary: App Registrations should be limited to admins; auto-approval can be set for low-risk rights.
  3. CSS Phishing Protection. Although not a Microsoft product, it alerts users when they attempt to sign in to a phishing site. Our solution is available for free to everyone. Read more in our blog: Platform Upgrade: Microsoft 365 agentless CSS phishing protection – Prof-IT Services
  4. Configure Guest Access restrictions. By default, guest accounts can query the directory for all kinds of information, essentially performing reconnaissance on the environment: finding out who the admins are, finding other users, etc.
  5. Limit Guest Invite permissions. You don’t want everyone to be able to invite users into your organization. Create a process and limit this permission to a group of people.
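Items 2, 4 and 5 all map to the same Entra ID authorization policy, so here is one added example (not from the original post) that sets all three with the Microsoft Graph PowerShell SDK; it assumes v2 cmdlet names and the built-in guest role GUIDs as documented by Microsoft, which you should confirm against your own tenant before applying.

```powershell
# Added example (not from the original post): harden the Entra ID authorization policy,
# which covers items 2, 4 and 5. Requires the Microsoft.Graph PowerShell SDK (v2 cmdlet
# names assumed) and a Global Administrator sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# Record the current state so the change is documented and can be reverted.
$before = Get-MgPolicyAuthorizationPolicy
"Users can create app registrations : $($before.DefaultUserRolePermissions.AllowedToCreateApps)"
"Guest user role id                 : $($before.GuestUserRoleId)"
"Who may invite guests              : $($before.AllowInvitesFrom)"

# Built-in guest role GUIDs as documented by Microsoft (stated here as an assumption):
#   a0b1b346-4d3e-4e8b-98f8-753987be4970  same access as members (full directory read)
#   10dae51f-b6af-4016-8d66-8c2a99b929b3  limited access (the default)
#   2af84b1e-32c8-42b7-82bc-daa82404023b  restricted access (own profile only)
$restrictedGuest = "2af84b1e-32c8-42b7-82bc-daa82404023b"

$params = @{
    GuestUserRoleId  = $restrictedGuest             # item 4: no directory recon by guests
    AllowInvitesFrom = "adminsAndGuestInviters"     # item 5: only admins and the Guest Inviter role
    DefaultUserRolePermissions = @{
        AllowedToCreateApps = $false                 # item 2: users cannot register applications
        # item 2: users may self-consent only to low-risk permissions from verified publishers
        PermissionGrantPoliciesAssigned = @("ManagePermissionGrantsForSelf.microsoft-user-default-low")
    }
}
Update-MgPolicyAuthorizationPolicy @params

# Read the policy back to verify the change took effect.
$after = Get-MgPolicyAuthorizationPolicy
"Users can create app registrations : $($after.DefaultUserRolePermissions.AllowedToCreateApps)"
"Guest user role id                 : $($after.GuestUserRoleId)"
"Who may invite guests              : $($after.AllowInvitesFrom)"
```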
  6. Company Branding. Some phishing sites are easy to spot, but some look close to the real thing. Customize your sign-in page with your logo and background, so generic phish sign-in pages jump out.
  7. Privileged Identity Management. You don’t want your admin accounts to have Global Admin rights permanently active. Use PIM to create an activation process, optionally with secondary approvers.
  8. Exchange Mail Flow Remote Domains. Turn NDRs (non-delivery reports) off. They are sometimes used to verify whether email addresses are valid before they are used in phishing attacks.
  9. Spam, Phish & Safe Links. Ensure all important options are enabled; they aren’t always by default.
    • “Anti-spam inbound policy (Default)”: on most tenants, all options can be enabled.
      https://security.microsoft.com/antispam
    • “Office365 AntiPhish Default (Default)”: enable domain impersonation for owned domains and all impersonation options, and apply suitable actions.
      https://security.microsoft.com/antiphishing
    • Antimalware Default Policy: configure the common attachments filter and zero-hour auto purge (ZAP)
      https://security.microsoft.com/antimalwarev2
    • Safe Attachments: create a new policy and enable preview
      https://security.microsoft.com/safeattachmentv2
    • Safe Links: create a new policy and enable all options; do not configure “Do not rewrite URLs”
      https://security.microsoft.com/safelinksv2
  10. Exchange Email Security: SPF, DKIM and DMARC. These not only prevent unauthenticated senders from sending email as your domain, but also decrease the risk of your own email being delivered to Junk folders. Optionally, configure BIMI.
    Note: These records need to be set at your DNS hosting provider, and it’s advisable to use a third-party DMARC analysis tool.
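To check what your DNS hosting provider actually publishes for item 10, here is an added example (not from the original post) that audits a domain’s SPF, DKIM and DMARC records and reports the weak spots; it assumes Windows PowerShell with the DnsClient module (Resolve-DnsName), and the domain at the bottom is a placeholder.

```powershell
# Added example: audit SPF, DKIM and DMARC for a domain (item 10).
# Uses Resolve-DnsName from the Windows DnsClient module. 'example.com' is a placeholder.
function Test-MailAuthRecords {
    param([Parameter(Mandatory)][string]$Domain)

    $findings = [System.Collections.Generic.List[string]]::new()

    # SPF: exactly one TXT record starting with v=spf1, ideally ending in -all (hard fail)
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -eq 0)            { $findings.Add('SPF: no record; anyone can send as this domain') }
    elseif ($spf.Count -gt 1)        { $findings.Add('SPF: multiple records; receivers treat this as a permanent error') }
    elseif ($spf[0] -match '\+all$') { $findings.Add('SPF: +all allows every sender; change to -all') }
    elseif ($spf[0] -match '~all$')  { $findings.Add('SPF: ~all is a soft fail; use -all once DKIM and DMARC are in place') }
    if ($spf.Count -eq 1 -and $spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
        $findings.Add('SPF: Exchange Online (spf.protection.outlook.com) is not included')
    }

    # DKIM: Microsoft 365 expects selector1/selector2 CNAMEs under _domainkey
    foreach ($sel in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue
        if (-not $cname) { $findings.Add("DKIM: $sel._domainkey CNAME missing; enable DKIM signing in Defender for Office 365") }
    }

    # DMARC: TXT record at _dmarc.<domain>; p=none only monitors, quarantine/reject enforce
    $dmarc = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    if (-not $dmarc) { $findings.Add('DMARC: no record; receivers cannot enforce or report') }
    else {
        if ($dmarc -match 'p=none')  { $findings.Add('DMARC: p=none only monitors; move to quarantine, then reject') }
        if ($dmarc -notmatch 'rua=') { $findings.Add('DMARC: no rua= address, so your analysis tool receives no aggregate reports') }
        if ($dmarc -match 'pct=(\d+)' -and [int]$Matches[1] -lt 100) {
            $findings.Add("DMARC: pct=$($Matches[1]) applies the policy to only part of the mail")
        }
    }

    [pscustomobject]@{ Domain = $Domain; SPF = ($spf -join ' | '); DMARC = $dmarc; Findings = $findings }
}

Test-MailAuthRecords -Domain 'example.com'   # placeholder: replace with your own domain
```

An empty Findings list means SPF ends in -all and includes Exchange Online, both DKIM selectors resolve, and DMARC enforces at 100% with reporting configured.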
  11. Exchange Attachments. Block HTML and HTM attachments; they can contain malware and are often not detected.
  12. Entra ID join all your computers. This enhances the SSO experience and increases security with Windows Hello for Business and Intune device management.
  13. Enable Power Platform tenant isolation. This is a risk in every tenant, even if Power Apps is not used: users can connect their M365 account to their personal Power Apps environment, bypassing CA rules, DLP and AIP.
    More information here: Power Platform & Tenant isolation: why everyone should have a look at it? | Thibault Joubert (thijoubert.com)
  14. Conditional Access rules. These enforce MFA, or require your device to be compliant and managed. Correct implementation results in a phish-resistant environment.
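Items 8, 9 and 11 are all Exchange Online / Defender for Office 365 settings, so here is one added example (not from the original post) that applies them with the ExchangeOnlineManagement module; the policy names are the tenant defaults, the file-type list and the recipient domain are placeholders to adjust for your organization.

```powershell
# Added example: Exchange Online settings for items 8, 9 and 11.
# Requires the ExchangeOnlineManagement module and an Exchange Administrator sign-in.
# Policy names are the tenant defaults; 'example.com' and the file-type list are placeholders.
Connect-ExchangeOnline

# Item 8: stop sending non-delivery reports to external senders (used for address enumeration)
Set-RemoteDomain -Identity Default -NDREnabled $false

# Item 9: tighten the default anti-spam policy
Set-HostedContentFilterPolicy -Identity Default `
    -SpamAction MoveToJmf -HighConfidenceSpamAction Quarantine `
    -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine -BulkThreshold 6

# Item 9: impersonation protection for your own domains in the default anti-phish policy
Set-AntiPhishPolicy -Identity "Office365 AntiPhish Default" `
    -EnableOrganizationDomainsProtection $true -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true -EnableSpoofIntelligence $true `
    -TargetedDomainProtectionAction Quarantine -MailboxIntelligenceProtectionAction Quarantine

# Item 9: common attachments filter and zero-hour auto purge in the default malware policy
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true -ZapEnabled $true `
    -FileTypes @('exe', 'scr', 'js', 'vbs', 'jar', 'iso', 'hta', 'lnk')

# Item 9: a Safe Links policy with all options on, applied to one recipient domain
New-SafeLinksPolicy -Name "SafeLinks-All" -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true -ScanUrls $true -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "SafeLinks-All" -SafeLinksPolicy "SafeLinks-All" -RecipientDomainIs "example.com"

# Item 11: reject inbound external mail carrying .htm/.html attachments
New-TransportRule -Name "Block HTML attachments" -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords "htm", "html" `
    -RejectMessageReasonText "HTML attachments are not accepted by this organization."
```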
    • Require compliant devices for Modern Applications
    • Require compliant devices or App Protection Policies for Mobile Devices
    • Require MFA for all
    • Require MFA for the Entra ID device join context
    • Require strong MFA for browser sessions
    • Configure a short browser session time-out for non-Entra ID joined devices
    • Block Basic Authentication
    • Block Windows Phones
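Two of the rules above, the compliant-device-or-strong-MFA rule and the basic authentication block, written out as an added example (not from the original post) with the Microsoft Graph PowerShell SDK; it assumes the built-in “Phishing-resistant MFA” authentication strength id, and the break-glass group id is a placeholder you must replace.

```powershell
# Added example: two Conditional Access rules from item 14, created in report-only mode.
# Requires the Microsoft.Graph PowerShell SDK and a Conditional Access Administrator sign-in.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroup = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency-access group id

# Rule 1: all apps, all users; grant only with a compliant device OR phishing-resistant MFA.
# The authentication strength id ending in ...0004 is the built-in "Phishing-resistant MFA" strength.
$compliantOrStrongMfa = @{
    displayName = "CA01 - Require compliant device or phishing-resistant MFA"
    state       = "enabledForReportingButNotEnforced"   # validate in report-only before enforcing
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @("compliantDevice")
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }
    }
}

# Rule 2: block legacy (basic) authentication, which cannot satisfy MFA at all.
$blockLegacyAuth = @{
    displayName = "CA02 - Block legacy authentication"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in $compliantOrStrongMfa, $blockLegacyAuth) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State, Id
}
```

Review the sign-in logs under “Report-only” for a week before switching state to enabled, so that service accounts and legacy clients are found before anyone is locked out.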
  15. Intune settings – required for the best, phish-resistant security.
    • Enforce Windows Update to auto-install with a deadline
    • Enforce Edge Update to auto-install with a 1 or 2 day deadline
    • Configure App Protection Policies to require a minimum OS level and Defender score
    • Require Windows devices to meet a minimum Defender score
    • Require BitLocker, Windows Firewall, EDR, Attack Surface Reduction rules, SmartScreen, etc.
    • Enable Defender Cloud Protection.
    • Redirect Known Folders to OneDrive
  16. Microsoft Sentinel. This is a great Log Analytics product, which analyzes and alerts on malicious and high-severity activity (if configured correctly). Different data sources can be connected, such as M365, Intune, Defender, etc. It is deployed in an Azure subscription and costs average about $1 per user per month.
    Some examples of what we alert on with Sentinel can be found in this blog: Microsoft Sentinel VS Blackpoint Cyber Response – Prof-IT Services
  17. Defender for Cloud Apps. An under-rated product that often catches malicious files and activity before there is any impact: malicious files on OneDrive, for example, or unexpected data exfiltration to a new cloud service. It does require an extra license.
  18. Microsoft 365 Backup. File versioning is not the same as a backup. It is still best practice to implement a third-party off-platform backup.

Conclusion

As you can see, there is a lot that can and should be done to increase the security of your Microsoft 365 tenant. Some of these products, such as Intune, require an additional license. For most companies a Business Premium license is sufficient; the licenses below contain the required products.

  1. Microsoft 365 Business Premium (up to 300 users, $22 per user per month)
  2. Microsoft 365 F3
  3. Microsoft 365 E3
  4. Microsoft 365 E5
  5. Microsoft 365 G3
  6. Microsoft 365 G5

Of course, your security scope should not be limited to this list (ours isn’t), but it’s a good start! Feel free to contact us if you need help with your environment. Our standardized Modern Workplace Intune environment can be deployed in several days, and costs much less than an average breach.

View our Modern Workplace Service page for more information!


  1. Can you give more details on number 14? When we looked into Sentinel, the price was too high. How are you calculating $20 for a 30-40 user company?

    • Hi Dan,

      This is regarding Azure Sentinel; it’s a SIEM that imports data from Defender, M365, and other sources. Costs are per GB ingested; the $20 is based on an average company.

      You can also apply actions after an alert with logic apps, such as posting an alert in a teams channel or isolating a computer.

      Best,
      Jeremy
