Securing M365 is important to many organisations that use Microsoft at the core of their business. Microsoft is making a serious bid to dominate the enterprise with a combination of the M365 productivity suite, Power Platform, Azure and Dynamics.
Securing M365 is foundational to ensuring the organisation is both well-integrated and secure.
Some quick steps to achieve this are:
- Establish an M365 cybersecurity task force focused on addressing known concerns with Microsoft 365: a specialised team or vendor that supports the business on Microsoft 365 cybersecurity.
- Review Microsoft's documentation, an extensive library that documents security vulnerabilities and configuration issues. The task force should review this library regularly.
- Enable and use DMARC, SPF and DKIM to reduce the risk of spoofing and phishing. Use Microsoft Exchange as your email service provider in this configuration.
- Enable multifactor authentication (MFA) by default, at the very least for administrator accounts and, ideally, for all accounts. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) report noted that MFA for administrator accounts isn't enabled by default, yet Azure Active Directory (AD) global administrators in a Microsoft 365 environment have the highest level of administrator privileges at the tenant level. Enabling it is an essential step towards securing the tenant.
- Determine whether password sync is required. By default, Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to Microsoft 365. In this scenario, the on-premises password overwrites the password in Azure AD. Therefore, if the on-premises AD identity is compromised, an attacker could move laterally to the cloud when the sync occurs. If password sync is required, the team should carefully think through the implications of an on-premises attack on cloud systems, and vice versa.
- Avoid legacy protocols. Several protocols, including Post Office Protocol 3 (POP3) and Internet Mail Access Protocol 4 (IMAP4), don't effectively support authentication methods such as MFA. CISA recommended moving away from all legacy protocols.
- Upgrade all software and OSes prior to migration. Earlier versions of Microsoft software, such as Office 2007, have known security vulnerabilities and weaker protection thresholds. Upgrade all software to current versions prior to migrating to Microsoft 365.
- Test all third-party integrations with Microsoft 365. If you are using Microsoft 365 in conjunction with third-party applications, whether developed in-house or by outside companies, conduct thorough security testing before integrating them with Microsoft 365.
- Develop and implement a backup and business continuity plan. Although Microsoft 365 is cloud-based, it uses replication rather than traditional data backup methods. Microsoft can’t guarantee an organization’s files will remain available if files are compromised through ransomware or accidental deletion.
- Implement cloud-based single sign-on (SSO). Known vulnerabilities in Microsoft 365’s security protocols involve using cross-domain authentication to bypass federated domains.
- Assess your Microsoft Secure Score and Compliance Score, the two measures Microsoft has developed for Microsoft 365 to rate a tenant's security and compliance posture.
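As an added example for the DMARC, SPF and DKIM step above (not code from the original post), the checker below parses a domain's SPF and DMARC TXT records and reports settings that leave spoofing unaddressed, such as a permissive `?all` or a monitoring-only `p=none`. The sample records and the `example.com` address are constructed; a real check would first fetch the domain's TXT records (including `_dmarc.<domain>`) from DNS.

```python
# Constructed sample TXT records (example.com is a placeholder): weak and hardened forms.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ?all"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_findings(record: str) -> list[str]:
    """Return the SPF settings that weaken protection against spoofing."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record missing or malformed (no v=spf1)"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"'{all_term}' lets any host pass SPF; end the record with -all")
    # RFC 7208 section 4.6.4: more than 10 DNS-querying terms makes receivers return permerror
    mech = {"include", "a", "mx", "ptr", "exists", "redirect"}
    lookups = [t for t in terms[1:] if t.lower().lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0] in mech]
    if len(lookups) > 10:
        findings.append(f"{len(lookups)} DNS-lookup terms (limit 10): receivers return permerror")
    return findings

def dmarc_findings(record: str) -> list[str]:
    """Return the DMARC settings that leave spoofed mail monitored rather than blocked."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed (no v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or '<missing>'}: failing mail is only reported, not blocked")
    elif tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings
```

DKIM is not covered here because its selector records are per-sender and are best verified by sending a test message through Exchange and inspecting the `Authentication-Results` header.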