Microsoft 365 Security Best Practices and Recommendations 2024

Micorosft 365 is a business-critical cloud environment that contains terabytes of sensitive information. Protecting this environment from multiple threats is one of the key tasks of the IT security team and MSO administrators. In this article, we discuss Microsoft 365 Security best practices and recommendations for 2024.

Importance of Microsoft 365 security in today’s digital landscape

Microsoft 365 is considered the most secure cloud office, that’s why many large enterprises use it for their business operations. Despite its security, the attack pressure on MSO 365 services is constantly increasing.

Many hackers and cyber gangs are constantly looking for ways to breach into MSO 365 environments aiming to profit from data theft and blackmailing.

Apart from outside threats, Microsoft 365 is susceptible to inside risks. These include human error, misconfigurations, unauthorized access, data loss, data leaks, and malicious insiders.

Microsoft 365 has a shared responsibility model. This model stipulates that Microsoft shares responsibility for security breaches with the client. The client is responsible for incidents related to the errors or intentionally harmful actions of their users and Admins. Microsoft secures the environment from outages, hacker attacks (except ransomware and zero-day attacks), program bugs, etc.

Most security incidents happen due to the actions taken by users or Admins.

Comprehensive Security Features in Microsoft 365

Microsoft 365 has many inbuild security features to help you protect your cloud from breaches and unauthorized access. In addition to this, it has several centers that provide advanced security functionality. The two main ones are Microsoft Defender and Microsoft Purview.

Microsoft Defender

Previously known as Advanced Threat Protection, Microsoft Defender is a unified center with robust security features for defending your Microsoft 365 environment from multiple threats. 

Microsoft Defender is available as part of the Office 365 Enterprise E5 subscription. However, tenants can purchase this service for other subscriptions.

The service is used to secure endpoints, cloud applications, and email. It has reporting and threat analytics that provide a bird’s eye view of the security posture. Microsoft Defender can automate incident investigation and provide customized alerts. 

Admins can set up basic and customary policies to control data, applications, and emails. Finally, the Microsoft Defender XDR enables IT security teams to investigate users individually to identify potential malicious insiders.

Microsoft Purview

Previously known as Azure Purview, Microsoft Purview is a compliance portal that helps your organization meet the laws, regulations, and unique requirements across your services and users. Similarly to Microsoft Defender, it requires a separate subscription. However, the price highly depends on multiple factors like data, endpoints, licenses, etc.

Microsoft Purview has two main categories of features. The first one enables Administrators to achieve compliance in Microsoft 365. This includes compliance analytics, and creating custom and basic compliance policies. The second category is data governance. It includes data classification and data retention.

This being said, we want to emphasize that native MSO 365 features aren’t enough to defend your cloud data in this environment and you need an extra layer of security in Microsoft 365.

Implementing Robust Access Control

Access control in cloud environments is pivotal for an organization’s security. Cloud perimeters are porous, and people can get into these environments using credentials. Guessing credentials is not so hard and several programs enable hackers to automate this process.

Document sharing is another vulnerability of cloud offices. Unauthorized access to files from outside or within the organization can have a drastic impact on the business.

Microsoft 365 has a number of features that can help Administrators set up access control that matches the requirements and policies of their organization.

Let’s take a look at these features.

Multi-factor Authentication

MFA adds an extra layer of security when users access your Microsoft 365 environment. Employees are required to use another device when they sign in to confirm their identity.

The available verification methods include:

• Phone call
• Text message to phone (SMS)
• Mobile app notification
• Verification code from a mobile app or hardware token

Admins can ease the pressure of MFA by assigning trusted IP addresses or trusted devices (with time limitations).

Sharing settings

The modern zero-trust approach stipulates that a user needs minimal access to data. In fact, they only need to be able to open files that are absolutely necessary to perform their work tasks. The type of access must also fit this principle. If a person doesn’t need to edit a particular file, they shouldn’t be granted such rights.

Sharing configurations in MSO 365 include:

• Guest control
• SharePoint access control
• OneDrive sharing
• Creating security groups
• Link sharing
• File copying and downloading
• Emailing a file

Data Protection

Data protection in the cloud office suites rests on two pillars: protection against loss and leakage prevention. Data loss protection requires cloud-to-cloud backup and data retention. Data leak prevention is based on access control, zero-day attack prevention, and ransomware. In this section, we’ll focus on data loss protection.

Backup

Microsoft 365 doesn’t have a native backup solution. However, it’s critical for organizations to back up their MSO 365 data on a regular basis.

Most Microsoft 365 tenants opt for third-party cloud-to-cloud backup solutions. We suggest SpinBackup for several reasons:

• Automated and manual snapshots
• Unlimited storage
• Backup to GCP, Azure, AWS, or data center of your choice
• Ability to choose a data center location
• Granular recovery
• SLA 99.9%

Data Retention

Data retention enables you to set up the storage period for different types of data. Data retention is part of data governance. To implement data retention you need to label all the types of data contained within MSO 365.

You can assign Data Retention Policies in Microsoft Purview. The functionality is available for the following services:

• Exchange
• Sharepoint
• OneDrive
• Teams
• Skype for business
• Yammer

The retention options include the period of retention (up to forever), the item’s age and the action after the period is over or the item reaches a certain age.

Email Security and Protection Against Phishing

There are two main types of threats that are associated with email: data leakage and social engineering. To protect against these threats, Microsoft 365 offers several solutions.

Email encryption

Encryption prevents data leakage as sensitive information within the sent email will only be seen by the recipient. Microsoft 365 provides several encryption options to meet the unique security needs of each organization. 

The first option is Microsoft Purview advanced message encryption. It enables admins to create unique encryption rules for different types of emails as well as create security policies to identify when sensitive data is shared outside and inside the organization.

The second option is Secure/Multipurpose Internet Mail Extensions. This feature enables users to encrypt emails and digitally sign them. It ensures that the message will not be changed before getting into the mailbox. It also ensures the sender’s identity and eliminates the possibility of a hacker pretending to be the sender.

The third option is Active Directory Rights Management Services (AD RMS). This functionality assigns the control rights over the sent email to the user. It means that the sender can control what actions the recipients of the email can or cannot make. For example, it bans the following email to other people.

Additionally, Microsoft uses Transport Layer Security to protect the connection via the network between different services.

Keep in mind that adding several encryption options to one email can cause problems with its opening in certain email clients.

Antiphishing and anti-spam

Social engineering is arguably the most efficient cyber attack vector in modern days. The prevailing low levels of cybersecurity awareness coupled with stress and distraction factors make people a perfect target for hackers. In 2022, approximately 49% of emails contained spam (~162B per day). For an employee, it’s hard to discern important emails from unimportant or dangerous ones.

Microsoft Defender provides several policies to reduce the chances of spam and phishing emails as well as emails containing malware or unsafe links to get to the mailboxes of your users.

DLP policies

One of the most efficient ways to leak Microsoft 365 data is by sending it via email. It’s also one of the most widespread ways. Your employees can send sensitive information by mistake (e.g., copypasting a CCN number), upon being conned by social engineers, or by malicious intent.

Microsoft Purview allows Administrators to create custom rules and prevent users from sending various types of sensitive data. These types depend on the geographical location of users and legislation in place in that region.

Ransomware protection

Microsoft 365 doesn’t have a native ransomware protection solution. However, this environment is highly vulnerable to ransomware attacks. Modern ransomware acts and disguises as a legitimate SaaS application. It requires OAuth login by a user and enabling editing permissions. OAuth provides ransomware access to the MSO 365 environment, and editing permissions enable the malware to encrypt all the data within such an environment.

Most ransomware protection tools use signatures of studied ransomware strains. Unfortunately, dozens of new strains appear each year. That’s why these tools cannot keep up with the fast-paced ransomware market.

We suggest acquiring Spin ransomware protection that utilizes AI to identify a ransomware attack. AI doesn’t depend on historical data about past ransomware trends. Instead, it studies data behavior and identifies regular patterns. 

Ransomware attack changes these patterns as the malware tries to encrypt as many files as it can in the shortest period of time before it’s detected by humans. The AI identifies this abnormal data behavior as well as the source application that causes it. 

Next, the program notifies the Administrators and simultaneously revokes the access of the app to the MSO 365 environment. Once the attack is stopped Spin begins the recovery of the encrypted files. The whole process takes less than an hour.

Try Spin Ransomware Detection for MSO 365

FAQ