19 best practices to boost Microsoft 365 security in 2023
Microsoft 365 continues to be one of the most popular office suites out there, used by over a million companies across the globe. Office 365 applications, including Outlook, OneDrive, Word, Excel, PowerPoint, OneNote, SharePoint, and Microsoft Teams, hold some 46% of the global office software package market. Unfortunately, this popularity has also turned Microsoft 365 into a hacker favorite.
In a 2020 study, Kaspersky Lab found that more than 70% of all attacks targeted Microsoft Office. Another report by SonicWall confirmed that Office files had overtaken PDF documents as a preferred delivery mechanism for malware. In 2022, news broke that cyber criminals were increasingly using compromised employee emails to slide into Microsoft Teams meetings and drop malicious executable files.
Of course, this doesn’t mean you should start shopping around for another office suite subscription just yet. There are tons of built-in tools and mechanisms to make Office 365 a secure and productive place to work. In this article, we’ve collected nineteen Office 365 security best practices, from idle session timeout configuration to using safe links and attachments as protection from phishing attacks.
1. Switch to multi-factor authentication
With Office 365 MFA enabled, the application will ask users to provide additional verification beyond their password, such as a text message sent to their phone, before access is granted. According to Microsoft, multi-factor authentication can reduce the risk of compromised passwords, data identity thefts and account takeovers by up to 99.9%, and is near-essential to boost Microsoft Office 365 security for hybrid workers when signing in.
2. Keep admin accounts safe and separate
With great power comes great responsibility – and much unwanted attention from malicious attackers. Make sure to use admin credentials to manage accounts and devices only and create a separate user account for your day-to-day use of Microsoft 365 applications. It’s also important that you familiarize yourself with the different admin roles included in your subscription and assign the right users the right permissions.
3. Set up emergency access accounts
To further strengthen Microsoft 365 security within your organization, it’s a good idea to create at least two emergency access accounts to rely on in break-glass scenarios. For example, when an administrator can’t complete the multi-factor authentication process due to a cell network outage and the only two authentication mechanisms registered for their devices are phone calls and text messages.
4. Turn off automatic email forwarding
Redirecting your email messages might come in handy when you want someone else to take care of your mailbox while you’re away. But in the wrong hands it can easily become an attack surface, allowing hackers to auto-forward confidential or proprietary information to outside addresses. Check and adjust your outbound spam filter policies to control automatic forwarding to external recipients.
5. Configure idle session timeout
Change your Microsoft 365 inactivity timeout settings to better protect your company networks and resources from unauthorized access while users leave their devices unattended without logging off. For example, requirement 8.1.8 of the Payment Card Industry Data Security Standard, or PCI DSS, prescribes that users re-authenticate themselves after 15 minutes of inactivity to resume their session.
6. Disable basic authentication protocols
As opposed to multifactor authentication, which is a layered approach to securing data when users are accessing online accounts, applications or VPNs, basic authentication only requires them to enter their username and password to sign in. Turning it off and switching to a more advanced verification method can secure Microsoft 365 – and your organization – against brute force or password spray attacks.
7. Block legacy authentication for SharePoint
Going off of our previous point, blocking legacy authentication is a simple step with great impact on Azure and Microsoft 365 security. Alex Weinert, director of identity security at Microsoft, also pointed out that blocking legacy authentication is crucial for MFA to be effective. As protocols like POP, SMTP, IMAP, and MAPI can't enforce MFA, they might just be the entry point hackers need to launch a cyber attack.
8. Manage sharing in SharePoint and OneDrive
Misconfigured SharePoint and OneDrive settings can be bad news for your Office 365 security efforts. Check and, if needed, change organization-level file, folder and site sharing settings to one of the more restrictive options. As an administrator, you can turn off external sharing completely or decide to allow sharing only with existing guests (meaning guests who are already in your directory).
9. Go for restricted SharePoint access control
Limit access to a SharePoint site by Microsoft 365 group membership to prevent oversharing among users. SharePoint administrators can grant access to members of the Microsoft 365 group associated with a specific SharePoint site and deny or revoke access from those outside the group, even if they previously had site access permissions to a file as anadded layer of security in Office 365.
10. Prevent specific file types from syncing
You can handpick the types of files you don’t want users to upload to shared drives, such as EXE or MP3 files, under Settings in the SharePoint admin center. Keep in mind that this setting only blocks certain file types from being uploaded but not downloaded. Meaning that if there are any blocked file types in a user’s OneDrive, they will sync to their computer. The changes they make on their computer, however, won't be uploaded.
11. Don’t let anonymous users join meetings
Use Teams meetings settings to block anonymous users from all meetings scheduled by users in your organization. WIth the explosion of video conferencing platforms during the pandemic, hackers quickly found a new and efficient way to drop malware: through innocent-looking gifs sent via chat in Team meetings. This can easily lead to criminals taking over Teams accounts and launching a spread attack, warns the Infosec Institute.
12. Tighten your user password policies
Microsoft offers detailed guidelines for administrators on how to maintain password hygiene across their organizations. These practices fall into three categories: fending off common attacks by defining what type of password users should choose and where to enter them, containing successful breaches by limiting their trickle-down effect, and understanding and managing the human factor of password security.
13. Rethink your password expiration policy
By default, Microsoft 365 passwords are set to never expire for your organization. As an admin, you can change that – but you shouldn’t. Asking users to periodically create new passwords actually does more harm than good, Microsoft offers, as they often resort to small and predictable changes or forget the new password altogether. Instead, consider alternatives such as enforcing banned-password lists or multi-factor authentication.
14. Get notified of password changes
Install Microsoft’s Password Change Notification Service", PCNS for short, on the domain controllers to enable synchronization of passwords by MIM to other systems, such as a vendor’s directory server. PCNS simplifies password management in organizations with multiple user Digital identity repositories. For password synchronization, you must install the service on each domain controller server.
15. Protect against phishing attacks with Safe Links
Safe Links, a feature in Microsoft Defender for Office 365, provides URL scanning of inbound email messages in mail flow, and time-of-click verification of URLs and links in email and Teams messages and in other locations. Use Safe Links to safeguard users against malicious links used in phishing attacks, which account for a whopping 90% of data breaches, according to CISCO’s 2021 Cybersecurity threat trends report.
16. Deploy Safe Attachments in Microsoft Defender
Compressed files, Office documents, spreadsheets or presentations ISO files, installers, EXE files – these are the most common file types that can hide nasty surprises for whoever opens them. Think viruses, worms, Trojans, and the like. As an extra layer of security, Safe Attachments in Microsoft Defender for Office 365 uses a virtual environment to check attachments in email messages before they're delivered.
17. Make the most of Azure Conditional Access
Gone are the days when organizations’ resources and data assets were all safely tucked away behind a corporate firewall and only users with access to the corporate network and devices had a way in. Conditional Access allows you to benefit from an identity-driven control plane that uses identity-related signals to make access control decisions and enforce organizational policies for a more secure Office 356 environment.
18. Follow the data with Azure Information Protection
Azure Information Protection allows you to secure email, documents, and sensitive data that’s shared with external collaborators. You can classify, label, and safeguard data based on its sensitivity, define who can access it and what they can do with it as well as track what happens to shared files and revoke access if necessary. Users benefit from in-product notifications such as recommended classification.
19. Get Azure Identity Protection
Similarly to Azure Conditional Access, Azure Identity Protection uses a signal-processing approach to spotting risks such as anonymous IP address use, malware-linked IP address, unfamiliar sign-in properties, or password spray risk. Risk signal detections may be reviewed and handled manually or automatically trigger remediation efforts such as requiring users to perform MFA or password reset.
When only the safest is safe enough: Tresorit integration for Microsoft 365
These best practices are guaranteed to help people in your organization stay connected, productive and shielded from the most common cyber threats. But you can do better. When storing and sharing confidential content, such as financial reports, health information, or legal documents, you should take stronger safety precautions or risk damaging your revenue and reputation.
Integrated with Microsoft 365, Tresorit adds an extra layer of security to keep your most precious data assets safe with none of the hassle. This includes:
- End-to-end encrypted storage
- Worry-free internal and external file sharing
- Admin and user control features in one place
- Encrypt your emails easily in Outlook
- Compliance with the strictest privacy rules
- Easy integration through SIEM or SSO
- Flexible and secure on-premises alternative
Keep your data in an ultra secure cloud environment protected by zero-knowledge end-to-end encryption. Integrate Tresorit directly into Microsoft Teams and store, share, and sign your most confidential documents in the Teams application without disrupting your workflow.
Use secure encrypted links to exchange files with colleagues, clients or vendors securely, even if they don’t have a Tresorit account.
Manage users, security policies and file activities as well as who has access to what data through a single interface.
Share confidential information and attachments securely with a single click or even without clicking. Secure your emails in the familiar environment of Microsoft Outlook, using your existing email address.
Strengthen and simplify your GDPR, CCPA, HIPAA, TISAX, FINRA, and ITAR compliance efforts with client-side end-to-end encryption technology.
Connect Tresorit to your organization’s Azure Active Directory via single sign-on or enable SIEM integration with Microsoft Sentinel.
Combine the control and security offered by on-premises systems with the convenience and scalability of cloud environments.
Intrigued? Learn more and download Tresorit for Microsoft 365 below.