Thinking Outside the Box – Security Considerations with Office 365

May 17, 2023 by Kyle Haas

Strong authentication is the primary concern when organizations are looking to secure their Office 365 tenants, and Microsoft gives us many ways to implement MFA, set conditional access policies, and block suspicious sign-ins – but nearly every offering within Office 365 can be hardened in one way or another.

If you’re using default settings for your tenant (find out more about that here), or just haven’t reviewed your settings in years (we’ve covered this, too)—then there’s no telling what you’re missing. It would be a GREAT idea to take a good look around and make sure you’re as secure as you think!

Microsoft Teams

Microsoft Teams has been around for a while, but the Teams Admin Center is a place regularly ignored and avoided by most administrators. The default settings might be perfect for your organization, but you should ask yourself some simple questions:

  • Who is allowed to communicate with us on Teams?
    • Do we want to only allow internal communications? Only specific trusted domains?
    • Do we want to block communications from personal accounts and Skype?
  • Who is allowed to control a meeting?
    • Can anyone share their screen and allow remote control from external users?

SharePoint & OneDrive

Similarly, SharePoint and OneDrive should be audited, and the settings should reflect your needs as an organization. Keep in mind that even if you have never fully rolled out either of these to your users, the default setting for both SharePoint and OneDrive is that all users can create public links to files. This may be a significant security concern! Ask yourself:

  • Should users be sharing OneDrive/SharePoint files publicly?
  • If you have many SharePoint sites, are the permissions appropriate for each?

Other Office 365 Security Considerations…

Outside of these applications, there is a slew of other often-ignored settings that can be tweaked to harden the overall security of your environment. Do you know the answers to these questions?

  • Are end users allowed to consent to apps which require permissions to their account?
  • Is Customer Lockbox enabled to prevent Microsoft Support from acting without your permission?
  • Are Office 365 Web App sessions configured to have an idle timeout?
  • Are you taking advantage of Office 365 Self-Service Password Reset?
  • Can end users invite guests to your tenant? Are guests required to use MFA?
  • Who are your admin role-holders? Are their admin accounts separate from their primary accounts?
  • Are you using Exchange transport rules to maximum effect?
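As an added example (not part of the original post), here is a PowerShell audit that reads the tenant settings behind the Teams, SharePoint/OneDrive and Customer Lockbox questions above and lists any that are still at the permissive default. It assumes the MicrosoftTeams, Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules are installed and already connected with an admin account; the function name and the wording of the findings are this example's own.

```powershell
# Assumes Connect-MicrosoftTeams, Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
# and Connect-ExchangeOnline have already been run. Get-M365HardeningFindings is a
# name chosen for this example; the cmdlets it calls are the standard module cmdlets.
function Get-M365HardeningFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Area, $Setting, $Current, $Note) {
        $findings.Add([pscustomobject]@{ Area = $Area; Setting = $Setting; Current = $Current; Note = $Note })
    }

    # Teams: who is allowed to communicate with us from outside the tenant?
    $fed = Get-CsTenantFederationConfiguration
    if ($fed.AllowFederatedUsers) {
        Add-Finding 'Teams' 'AllowFederatedUsers' $true "Federation is on; restrict AllowedDomains to trusted partners (currently: $($fed.AllowedDomains))"
    }
    if ($fed.AllowPublicUsers)   { Add-Finding 'Teams' 'AllowPublicUsers'   $true 'Skype consumer accounts can message your users' }
    if ($fed.AllowTeamsConsumer) { Add-Finding 'Teams' 'AllowTeamsConsumer' $true 'Personal Teams accounts can message your users' }

    # Teams meetings: can external attendees take control of a shared screen?
    $mtg = Get-CsTeamsMeetingPolicy -Identity Global
    if ($mtg.AllowExternalParticipantGiveRequestControl) {
        Add-Finding 'Teams' 'AllowExternalParticipantGiveRequestControl' $true 'External participants may request or be given control during screen sharing'
    }

    # SharePoint / OneDrive: are anonymous "Anyone" links allowed or even the default link type?
    $spo = Get-SPOTenant
    if ($spo.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        Add-Finding 'SharePoint' 'SharingCapability' $spo.SharingCapability 'Users can create anonymous links; consider ExternalUserSharingOnly or Disabled'
    }
    if ($spo.OneDriveSharingCapability -eq 'ExternalUserAndGuestSharing') {
        Add-Finding 'OneDrive' 'OneDriveSharingCapability' $spo.OneDriveSharingCapability 'OneDrive users can create anonymous links'
    }
    if ($spo.DefaultSharingLinkType -eq 'AnonymousAccess') {
        Add-Finding 'SharePoint' 'DefaultSharingLinkType' $spo.DefaultSharingLinkType 'The link offered by default is an Anyone link; Internal or Direct is safer'
    }

    # Exchange Online: is Customer Lockbox enforcing approval of Microsoft Support access?
    $org = Get-OrganizationConfig
    if (-not $org.CustomerLockBoxEnabled) {
        Add-Finding 'Exchange' 'CustomerLockBoxEnabled' $false 'Support data access does not require your approval (needs an eligible licence to enable)'
    }

    return $findings
}

# Print the findings as a table; an empty result means every checked setting is already tightened.
Get-M365HardeningFindings | Format-Table -AutoSize
```

Each finding names the exact property to change, so the matching Set-* cmdlet (Set-CsTenantFederationConfiguration, Set-SPOTenant, Set-OrganizationConfig) can be applied once the setting has been discussed with the business.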

That’s a lot to take in, isn’t it? Considering Office 365 has such a large attack surface, it only makes sense that there’s so much ground to cover – but it should never be overlooked. Our Layered Security Strategy can help you break it down if you don’t know where to start or need help getting a grip on things. Or, feel free to contact us by using the information below.

If you’d like to learn more about this, please contact us and call 502-240-0404 or email us at info@mirazon.com.