Strong authentication is the primary concern when organizations are looking to secure their Office 365 tenants, and Microsoft gives us many ways to implement MFA, set conditional access policies, and block suspicious sign-ins – but nearly every offering within Office 365 can be hardened in one way or another.
If you’re using default settings for your tenant (find out more about that here), or just haven’t reviewed your settings in years (we’ve covered this, too)—then there’s no telling what you’re missing. It would be a GREAT idea to take a good look around and make sure you’re as secure as you think!
Microsoft Teams has been around for a while, but the Teams Admin Center is a place regularly ignored and avoided by most administrators. The default settings might be perfect for your organization, but you should ask yourself some simple questions:
Who is allowed to communicate with us on Teams?
Do we want to only allow internal communications? Only specific trusted domains?
Do we want to block communications from personal accounts and Skype?
Who is allowed to control a meeting?
Can anyone share their screen and allow remote control from external users?
SharePoint & OneDrive
Similarly, SharePoint and OneDrive should be audited, and the settings should reflect your needs as an organization. Keep in mind, even if you have never fully implemented either of these for your users—the default setting for both SharePoint and OneDrive is that all users can create public links to files. This may be a significant security concern! Ask yourself:
Should users be sharing OneDrive/SharePoint files publicly?
If you have many SharePoint sites, are the permissions appropriate for each?
Other Office 365 Security Considerations…
Outside of these applications, there are a slew of other often-ignored settings which can be tweaked to harden the overall security of your environment. Do you know the answers to these questions?
Are end users allowed to consent to apps which require permissions to their account?
Is Customer Lockbox enabled to prevent Microsoft Support from acting without your permission?
Are Office 365 Web App sessions configured to have an idle timeout?
Are you taking advantage of Office 365 Self-Service Password Reset?
Can end users invite guests to your tenant? Are guests required to use MFA?
Who are your admin role-holders? Are their admin accounts separate from their primary accounts?
Are you using Exchange transport rules to maximum effect?
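To turn the Teams, SharePoint/OneDrive and tenant-wide questions above into something you can actually check, here is an added PowerShell audit script (written for this page, not Mirazon's own tooling). It assumes the MicrosoftTeams, Microsoft.Online.SharePoint.PowerShell, ExchangeOnlineManagement and Microsoft.Graph modules are installed and that you have already connected with Connect-MicrosoftTeams, Connect-SPOService, Connect-ExchangeOnline and Connect-MgGraph (Policy.Read.All scope); the thresholds it flags are this example's opinions, not Microsoft's.

```powershell
# Added audit example, not part of the original post. Assumes you are already
# connected to Teams, SharePoint Online, Exchange Online and Microsoft Graph.
$findings = [System.Collections.Generic.List[string]]::new()
function Flag([bool]$Bad, [string]$Message) { if ($Bad) { $findings.Add($Message) } }

# --- Teams: who can reach us, and who can take control of a meeting ---
$fed = Get-CsTenantFederationConfiguration
Flag ($fed.AllowFederatedUsers -and @($fed.AllowedDomains.AllowedDomain).Count -eq 0) `
     "Teams external access is open to all domains; consider an explicit allow list."
Flag $fed.AllowPublicUsers   "Teams accepts chat from Skype (consumer) users."
Flag $fed.AllowTeamsConsumer "Teams accepts chat from personal Teams accounts."
$mtg = Get-CsTeamsMeetingPolicy -Identity Global
Flag $mtg.AllowExternalParticipantGiveRequestControl "External attendees may take remote control in meetings."
Flag ($mtg.ScreenSharingMode -eq 'EntireScreen') "Global meeting policy lets anyone share their entire screen."

# --- SharePoint / OneDrive: are anonymous ('Anyone') links allowed? ---
$spo = Get-SPOTenant
Flag ($spo.SharingCapability -eq 'ExternalUserAndGuestSharing') `
     "SharePoint tenant allows 'Anyone' (anonymous) links; this is the default."
Flag ($spo.DefaultSharingLinkType -eq 'AnonymousAccess') "Default sharing link type is anonymous."
Flag ($spo.RequireAnonymousLinksExpireInDays -le 0) "Anonymous links never expire."
# Per-site check for the "many SharePoint sites" question.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    ForEach-Object { Flag $true "Site allows 'Anyone' links: $($_.Url)" }

# --- Tenant-wide settings from the "other considerations" list ---
$org = Get-OrganizationConfig
Flag (-not $org.CustomerLockBoxEnabled) "Customer Lockbox is not enabled."
Flag (-not $org.ActivityBasedAuthenticationTimeoutEnabled) "Web app idle session timeout is not enabled."
$auth = Get-MgPolicyAuthorizationPolicy
Flag ($auth.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -contains `
      'ManagePermissionGrantsForSelf.microsoft-user-default-legacy') `
     "End users may consent to any app that requests access to their account."
Flag ($auth.AllowInvitesFrom -eq 'everyone') "Any user, including guests, may invite guests."

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an admin workstation and treat each [!] line as a setting to review against your own policy rather than an automatic change.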
That’s a lot to take in, isn’t it? Considering Office 365 has such a large attack surface, it only makes sense that there’s so much ground to cover – but it should never be overlooked. Our Layered Security Strategy can help you break it down if you don’t know where to start or need help getting a grip on things. Or, feel free to contact us by using the information below.
Mirazon is a company of trusted IT advisors for organizations large and small. Founded in 2000 in Louisville, Kentucky, Mirazon focused on providing world-class technology consulting to local businesses. Decades later, we specialize in Microsoft, Wi-Fi, networking, cloud computing, and desktop support. While we hang our hats in Louisville, we travel the world to serve our clients from small, local businesses all the way up to Fortune 500 companies.