Active Directory & Office 365 Reporting Tool

Office 365 Security Best Practices: Secure Your Office 365. As an Office 365 admin, are you looking to implement the best Office 365 security practices and create a secure Office 365 environment? In this article, we outline the steps you take to enhance the security of your Microsoft 365 infrastructure.

Firstly, I briefly overview the Microsoft 365 service and their potential security risks.

Security Risks of Microsoft 365: An Eye-Opening Overview

Microsoft 365 offers a suite of subscription cloud-based services. Additionally, Microsoft 365 intentionally builds these services with many security and information protection capabilities to help you build Zero Trust into your environment.

However, service consumers still face risks as they access these services online.

To help mitigate these risks, you must be aware of the potential security vulnerabilities of Microsoft 365. You can then take appropriate measures to address them and implement Office 365 security best practices to secure your Microsoft 365 environment.

To help you understand the potential security risks to your Office 365 services, I have discussed some of them below. Specifically, I will highlight the five most common security risks in your Office 365 environment.

1. Phishing, Account Compromises and Unauthorized Access

Phishing scammers primarily target Microsoft 365 through email- that appear legitimate. Besides phishing, scammers spoof emails to make it appear like you sent an email to yourself. 

To limit the compromise of the security of Office 365 to users through these malicious activities use the built-in tools in Microsoft 365 to mitigate phishing and spoofing, avoiding account compromises and unauthorized access.

2. Attempting to Access High-privilege Accounts

When hackers compromise a non-admin account, they attempt to access high-privilege accounts, such as those with global admin privileges. This is because lower privilege user accounts do not have the permissions to harm your Microsoft 365 infrastructure.

To stop this, take 2 actions: first, reduce the number of users with global admin privileges. Second, enable multi factor authentication for higher privilege accounts to make it harder for them to be compromised.

3. Managed Devices (endpoints) Security Risks

Every managed device (endpoint) in a Microsoft 365 environment exposes the network to a potential attack. To secure the devices, admins must use the available tools in Intune Endpoint Security.

Your end users not only connect these devices to your Microsoft 365 network but also use them at home and may connect them to other networks, including public Wi-Fi. Potential virus attacks or physical theft compromises your organization’s data when devices are exposed to these risks.

Configure features in Microsoft Intune to secure these devices. However, the features available to your Office 365 tenant depend on your organization’s subscription. 

For instance, Microsoft 365 Business Basic, and Standard, offer multi-factor authentication (MFA). However, to access MFA and other advanced features like threat and vulnerability management and attack surface reduction in Microsoft Defender for Business, you must sign up for Microsoft 365 Business Premium.

4. OneDrive and SharePoint File-Sharing Breaches

Microsoft 365 is built to enhance collaboration and productivity, allowing Office 365 users to share files through SharePoint, OneDrive, and Microsoft Teams. However, this ease of file sharing also risks organizations’ data.

Microsoft 365 SharePoint Portal allows admins to configure Sharing and Access Control policies to mitigate this risk. 

5. Leakage of Sensitive Information and Data Loss

Moreover, Microsoft 365 is also susceptible to other forms of data leaks, including data loss. A network break by a hacker or a virus attack causes data loss, for instance. The biggest security threat to Office 365 environments is data compromise, which not only involves losing sensitive data but also violates regulatory and data privacy requirements.

So, Microsoft 365 provides tools to empower admins to secure their infrastructure against these threats, similar to the other risks identified above.

Try our Active Directory & Office 365 Reporting & Auditing Tools

Try us out for Free.  100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.

Secure Your Microsoft 365 Environment:

7 Best Office 365 Security Best Practices

Microsoft 365 environments are vulnerable to a variety of security risks, including phishing, account compromises, and unauthorized access, among others. This section explores 7 best Office 365 security practices to help you secure your Microsoft 365. 

1. Implement Multi-factor Authentication (MFA)

Admins shall use multifactor authentication (MFA) for Microsoft 365 to force users to confirm their identity with a second method besides their password. Enabling MFA or 2FA in Microsoft 365 or Office 365 provides extra security and protects your Office 365 environment against password compromise. Users verify their identity via text messages, phone calls, or authentication apps when you enable MFA.

Enable MFA in Office 365 by using security defaults. Alternatively, configure per-user MFA, but Microsoft does not recommend this approach. Additionally, Microsoft offers other advanced 2FA configurations, such as Conditional Access policies, where user accesses accounts based on criteria like group membership and apps.

However, subscribe to specific licenses to access advanced features. 

Enable MFA by enabling security defaults:

1. Sign in to portal.azure.com as a global, security, or Conditional Access admin. 
2. Navigate to Azure Active Directory -> Properties and click “Manage security defaults.” If the “Access management for Azure resources” switch is Off, flip it On. 

2. Then, on the Security defaults flyout, click the “Security defaults” and select Enable.

If you receive the message that you enabled Classic policies – 

a) search and open “Azure AD Conditional Access.” 
b) Click “Classic policies” on the menu. 
c) Finally, click all available classic policies and disable them. 

Now return to step 2 and enable Security defaults.

2. Protect and Limit Access to Admin Accounts

1. Admins must use admin accounts exclusively for admin tasks. So, non-admin must have non-admin account to perform regular tasks. 
2. Limit the number of users assigned to your organization’s global admin role
3. Close out all unrelated browser sessions and apps before using admin accounts. Also avoid password caching by using private or incognito browser windows.
4. Use Azure AD Conditional Access policies to enable idle timeout and MFA for users in admin roles. 

To create conditional access policies, you must disable security defaults first. Then, sign in to portal.azure.com, search for ‘Azure AD conditional access’ feature and click on it.

After that, click + create new policy

On the New Conditional Access policy page, configure the following: 

a) give the policy an identifiable name. 
b) click Users, and on the “Include” tab, select the “Select users and groups” open. Next, check the “Directory roles” checkbox. 

Finally, click the “0 selected”  drop-down and check all the admin roles you want to enforce this policy

c) click “Grant” under Access controls. Then, on the flyout, “Grant” is selected by default. 

Check the “Require multifactor authentication” and click Select

d) click “Cloud apps or actions” and select All cloud apps on the Include tab. You receive a warning to avid locking your account out. Select the “Exclude current user,” option. 

Next click “Sessions” under Access controls. On the Sessions flyout, check the “Persistent browser session” checkbox. 

Finally, on the Persistent browser session drop-down, select “Never Persistent” and click Select.

Finally, at the bottom, in the “Enable policy” section, select On (to enable the policy) and click Create

3. Implement Security Policies for Managed Devices (Endpoints)

Secure your environment and reduce the vulnerability of your Microsoft 365 devices by applying Office 365 security best practices to all devices: 

1. Create a BitLocker policy for Windows devices with Intune by signing in to endpoint.microsoft.com and clicking Endpoint security on the left menu.

Next, click + Create Policy after selecting “Disk encryption.” On the “Create a profile” flyout, choose “Windows 10 or later” from drop-down. Then, select “BitLocker” from the Profile drop-down and click “Create” to complete the process.

2. Use security baselines to configure Windows devices in Intune. Deploy predefined security settings in Microsoft Intune to secure your Microsoft 365-managed devices. 

However, customizing the available security baselines to enforce only the required settings and values is also possible.

If so, follow these steps: First, sign in to endpoint.microsoft.com. Next, click on Endpoint security and select ‘Security baselines.’

3. Configure additional endpoint security policies: to apply extra security to your Office 365 endpoints, configure policies such as “Attack surface reduction,” “Device compliance,” “Firewall,” “Account protection,” and “Conditional access.”

Locate these policies in the “Menu” section of “Endpoint security.”

4. To improve your business endpoint security, set up ‘Microsoft Defender for Endpoints.’ This tool helps prevent, detect, investigate, and respond to advanced threats in enterprise networks.

To get started, access the ‘Endpoint security’ node in the Intune portal and set up ‘Microsoft Defender for Endpoints’ according to your organization’s security policies.

4. Implement Policies to Monitor /Control OneDrive and SharePoint File Sharing

Earlier, I mentioned that file sharing on OneDrive and SharePoint is another potential vulnerability for your Microsoft 365 infrastructure. Thus, apply these Microsoft 365 security best practices to mitigate this risk.

1. Configure organization-level file external sharing policy. Open the Sharing page in the SharePoint admin center and sign in as a Global or SharePoint Admin. 

Then, configure how your organization’s users share files with people outside your Office 365 in the “External sharing” section. Additionally, scroll down the page to configure additional file sharing for OneDrive and SharePoint.

2. Configure the access control settings for users in SharePoint and OneDrive. Click on the “Access Control” node on the Policies menu. 

On the ‘Access Control’ settings page, configure policies for ‘Unmanaged devices,’ ‘Idle session sign-out,’ ‘Network location,’ and ‘Apps that don’t use modern authentication‘ settings. Do so according to your organization’s security policy for maximum protection of your Office 365 environment.

3. Turn on Information Rights Management (IRM) in SharePoint. IRM provides protection for Excel and Microsoft Word files, as well as Exchange Online and SharePoint Online.

However, to enable IRM in SharePoint or Exchange Online, first activate the Azure rights management feature, as detailed in point 5 below.

5. Encrypt Sensitive Information Both at Rest and in Transit

Activate the Azure Rights Management feature to minimize the risks of data loss and sensitive information leakage. The only way is through PowerShell as of May 2023.

Unless your subscription includes Azure Rights Management or Azure Information Protection already.

However, a Global admin may have deactivated this service. To check the status of Azure Rights Management, I show you how to do so.

Avoid activating the Azure protection service, if your organization uses Active Directory Rights Management Services (AD RMS). Instead, utilize AD RMS to secure your sensitive information.

Activating the Azure protection service in this scenario may lead to conflicts and potential security risks.

To activate this feature and protect your Office 365 environment, follow these steps using PowerShell.

1. Open PowerShell as an admin, search for the app and click ‘Run as Administrator.’ Then, enable the execution of modules downloaded online by opening another PowerShell instance with the command below:.

					powershell.exe -ExecutionPolicy RemoteSigned

2. Then, install the AIPService PowerShell module, run the following command. Afterward, to import the module into your current session, run the second command.

					Install-Module -Name AIPService
Import-Module -Name AIPService

3. To proceed, connect to the Azure Information Protection tenant by running…


When prompted to connect to Azure Information Protection using PowerShell, enter your Microsoft 365 Global Admin account credentials. If the connection is successful, PowerShell displays, ‘A connection to the Azure Information Protection service was opened.’

3. To confirm the protection service is activated, run the command Get-AipService. A status of ‘Enabled’ confirms activation, while ‘Disabled’ means it is deactivated.

If disabled, run the Enable-AipService to activate it. 


6. Conduct Regular Security Awareness Training for Employees

According to Usecure, a study by IBM, human error is responsible for 95% of cybersecurity breaches. Therefore, it is crucial to provide your employees with regular training and awareness campaigns on Microsoft 365 security best practices to secure your Office 365 environment.

Some ideas of what to include in your training:

1. Email best practices
2. File Sharing best practices.
3. Managed device usage best practice.

7. Regularly Monitor and Audit Your Microsoft 365 Environment

Regardless, monitoring and auditing the infrastructure is also essential. Please consider the following guidelines for your Office 365 environment:

1. Firstly, to proactively identify and address security vulnerabilities or potential threats, use the Azure AD audit log. This log helps to detect potential threats before they occur.

By leveraging the Azure AD audit log, you ensure optimal security of your Office 365 environment.

2. Secondly, perform regular maintenance tasks for your Microsoft 365 environment. For example, you need to add new users that join your organization. 

Additionally, delete users that leave and reset their devices to factory settings. 

3. Thirdly, use the compliance portal to monitor compliance. By doing so, you measure its security score

Then, review the “Recommended actions” tab to take remedial actions. 

Office 365 Security Best Practices: Secure Your Office 365 Conclusion

In conclusion, securing your Office 365 environment is critical to safeguarding your organization’s data and privacy. Many potential security risks to Microsoft 365 require careful consideration and mitigation.

To achieve this, implementing the seven best Office 365 security practices we shared is essential. For instance, you reduce the risk of a security breach by implementing MFA and encrypting sensitive information.

Additionally, it is crucial to regularly monitor and audit your Microsoft 365 environment and conduct security awareness training for your employees. By following these best practices, you ensure that your Microsoft 365 environment is secure, and your organization is well-protected.


Try InfraSOS for FREE

Invite your team and explore InfraSOS features for free

Victor Ashiedu

Victor Ashiedu

Victor is an IT pro based in Manchester, UK. With over 22 years of experience managing Windows Server, Active Directory, and Powershell, and 7 years of expertise in Azure AD and Office 365, he's a seasoned expert in his field. When he's not working, he loves spending time with his family - a wife and a 5-year-old. Victor is passionate about helping businesses succeed in today's fast-changing tech landscape.

Leave a comment

Your email address will not be published. Required fields are marked *