
How to Protect Office 365: 12 Security Best Practices

The cloud can be a safe place to work, whatever you may have heard. Cloud collaboration services like Office 365 invest heavily in security, and Microsoft continually ships new protections in response to new threats.

However, to get the most out of Microsoft's security capabilities you have to configure them: most of them need to be set up, and under the shared responsibility model your data, identities and configuration remain your job. The range of threats is wide: malware and ransomware, credential attacks, data leakage through oversharing or misdelivery, and plain accidental deletion. So how do you secure Office 365?

As a vendor of data protection solutions, we want to share the Office 365 security best practices we see working. You should take them into account in your work. Let's start with your main responsibilities as an administrator of an Office 365 organization.

4 Pillars of Office 365 Security

These are the fundamental pillars on which you can build security for your corporate data.

  1. Security management. To know whether the organization is protecting its identities, data, devices and apps properly, you need a way to measure and manage its security posture.
  2. Threat protection. It’s also your responsibility to defend your company data against different kinds of malware, ransomware, and brute-force attacks.
  3. Identity and access management. You must ensure that only authorized users can reach specific information.
  4. Information protection. You have to protect company information from losses and leaks and ensure that it won’t be modified, revealed, or deleted.

Microsoft Office 365 Security Best Practices for 2021

This list is built on the 4 pillars above and on the practices our clients use to protect their data. It will help you tighten your Office 365 security and compliance configuration.

  1. Control your Security Score
  2. Back Up your Data
  3. Enforce Ransomware Protection
  4. Encrypt Office Messages
  5. Configure Rights Management
  6. Manage Data on Corporate Devices
  7. Detect Suspicious Activity and Risky Apps
  8. Set up Azure Active Directory
  9. Use Multi-factor Authentication
  10. Set Up a Strong Password Policy
  11. Restrict OneDrive for Business Sync
  12. Educate your Employees

Now let’s proceed to details.

Control your Security Score 

Microsoft publishes a security baseline for businesses. To measure how far your tenant is from it, use the built-in analytics tool, Microsoft Secure Score.

It analyses the protection state of your identities, data, apps, devices and infrastructure, scores each control against the points available, and suggests the improvement actions with the largest remaining gain. Review it regularly: the score drops when a control is switched off or a new control is added to the baseline.
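The following is an added example, not code from the original article, of pulling the latest Secure Score snapshot through Microsoft Graph and ranking the controls by the points still on the table. It assumes the Microsoft.Graph.Authentication module, an account that can consent to the SecurityEvents.Read.All scope (Security Reader is enough), and that the controlScores entries join to control profiles on the controlName/id field; the field names used are those of the v1.0 Graph resources.

```powershell
# Added example (not from the original article): fetch the newest Secure Score and list
# the ten controls with the largest remaining gain. Assumes Microsoft.Graph.Authentication
# and an account allowed to consent to SecurityEvents.Read.All.
Connect-MgGraph -Scopes "SecurityEvents.Read.All" -NoWelcome

# secureScores is a daily history; $top=1 returns the most recent snapshot
$latest = @((Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/security/secureScores?`$top=1").value)[0]

# Control profiles carry the maximum points and a human-readable title for each control
$profiles = @{}
$profileResponse = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/security/secureScoreControlProfiles"
foreach ($p in $profileResponse.value) { $profiles[[string]$p.id] = $p }

"Secure Score: {0:N1} / {1:N1}" -f $latest.currentScore, $latest.maxScore

$latest.controlScores |
    ForEach-Object {
        $prof = $profiles[[string]$_.controlName]     # $null if Graph has no profile for it
        $max  = if ($prof) { [double]$prof.maxScore } else { 0 }
        [pscustomobject]@{
            Control   = $_.controlName
            Category  = $_.controlCategory
            Scored    = [double]$_.score
            Max       = $max
            Remaining = $max - [double]$_.score
            Title     = if ($prof) { $prof.title } else { $_.description }
        }
    } |
    Where-Object { $_.Remaining -gt 0 } |
    Sort-Object Remaining -Descending |
    Select-Object -First 10 |
    Format-Table Remaining, Scored, Max, Category, Title -AutoSize
```

Sorting by Remaining rather than by the portal's default order surfaces the cheap wins first; controls with zero remaining points are already fully implemented and are dropped from the list.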


Back Up your Data  

Microsoft ensures the availability of the service, but protecting your data remains your responsibility under the shared responsibility model. Microsoft's Services Agreement even recommends that you back up your content regularly. Built-in safeguards such as the Recycle Bin, file versioning and retention policies help, but they live inside the same tenant, are time-limited, and are not a backup. To back up your data, you can use a third-party service that keeps your data protected through:

  • Automated daily backup to an unlimited secure cloud storage
  • Accurate point-in-time restore of data using the same hierarchy of folders
  • Centralized admin panel to monitor the status of all data
  • Ability to migrate data from one O365 account to another
  • Weekly reports and fast search for your backed up items.

To learn more about what features the O365 backup tool must have, check out our guide.


Enforce Ransomware Protection

Ransomware encrypts your files and demands money in exchange for the key. You can 'catch' it by clicking the wrong link or opening an infected email attachment, and once it runs on a machine with the OneDrive sync client, the encrypted copies are synchronised to the cloud and overwrite the originals there. Downtime is the biggest cost of an attack. Endpoint protection alone does not reliably stop it, so plan for when, not if.

That’s why planning your defenses is critical. Your anti-ransomware strategy needs to include:

  • Preventing an attack (including anti-phishing)
  • Detecting an attack
  • Blocking the source (the compromised account or device)
  • Recovering damaged data
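The detection step above can be driven from the Office 365 audit log. What follows is an added example, not code from the original article: a small burst detector over OneDrive and SharePoint file-write events in the record shape returned by Search-UnifiedAuditLog (each record carries an AuditData JSON string). The $sample records at the bottom are constructed for this example, the extension list is a short illustrative one, and the threshold of 50 writes in 5 minutes is an assumption to tune against your own baseline.

```powershell
# Added example (not from the original article): flag users whose file activity looks
# like ransomware, using two signals: a known ransomware extension, or a burst of
# FileModified/FileRenamed/FileUploaded events inside a sliding window.
$knownBadExtensions = @('.locked', '.encrypted', '.crypt', '.crypted', '.wncry', '.lockbit')

function Find-RansomwareBursts {
    param(
        [Parameter(Mandatory)] [object[]] $AuditRecords,   # Search-UnifiedAuditLog records
        [int] $WindowSeconds = 300,                         # sliding window length
        [int] $Threshold     = 50                           # writes per user inside one window
    )

    # Keep only file-write operations and flatten the JSON payload
    $events = foreach ($r in $AuditRecords) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -in @('FileModified', 'FileRenamed', 'FileUploaded')) {
            $name = [string]$d.SourceFileName
            [pscustomobject]@{
                Time      = [datetime]$d.CreationTime
                User      = [string]$d.UserId
                Operation = [string]$d.Operation
                File      = $name
                Extension = [System.IO.Path]::GetExtension($name).ToLower()
            }
        }
    }

    foreach ($group in ($events | Group-Object User)) {
        $sorted = @($group.Group | Sort-Object Time)

        # Signal 1: any write that leaves a known ransomware extension behind
        $badExt = @($sorted | Where-Object { $_.Extension -in $knownBadExtensions })
        if ($badExt.Count -gt 0) {
            [pscustomobject]@{ User = $group.Name; Reason = 'ransomware extension'
                               Count = $badExt.Count; Example = $badExt[0].File }
        }

        # Signal 2: too many writes inside one window (two-pointer scan over sorted events)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            while (($sorted[$end].Time - $sorted[$start].Time).TotalSeconds -gt $WindowSeconds) { $start++ }
            if (($end - $start + 1) -ge $Threshold) {
                [pscustomobject]@{ User = $group.Name; Reason = "burst: $Threshold+ writes in $WindowSeconds s"
                                   Count = $end - $start + 1; Example = $sorted[$end].File }
                break
            }
        }
    }
}

# Constructed sample: Alice saves two files; Bob rewrites 60 files in two minutes,
# each renamed with a .locked extension. Same JSON fields as real AuditData.
function New-AuditRecord([datetime]$Time, [string]$User, [string]$Operation, [string]$File) {
    [pscustomobject]@{ AuditData = (@{
        CreationTime = $Time.ToString('s'); Operation = $Operation
        UserId = $User; SourceFileName = $File; Workload = 'OneDrive'
    } | ConvertTo-Json -Compress) }
}
$t0 = [datetime]'2021-03-01T09:00:00'
$sample = @(
    New-AuditRecord $t0 'alice@contoso.com' 'FileModified' 'budget.xlsx'
    New-AuditRecord $t0.AddMinutes(7) 'alice@contoso.com' 'FileModified' 'notes.docx'
)
$sample += @(1..60 | ForEach-Object {
    New-AuditRecord $t0.AddSeconds(2 * $_) 'bob@contoso.com' 'FileRenamed' "doc$($_).docx.locked"
})

Find-RansomwareBursts -AuditRecords $sample | Format-Table -AutoSize
```

Against the constructed sample the function reports Bob twice (extension hit, then a 50-write burst) and Alice not at all. In a tenant, replace $sample with the output of Search-UnifiedAuditLog -RecordType SharePointFileOperation for the last hour and run it on a schedule; the burst signal is what catches ransomware families that keep the original extension.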

Learn about the easy way to protect your MS Office 365 data from ransomware in this article.

Encrypt Office Messages

If you are like everyone else, you probably use email to exchange some sensitive information. It could be a contract, payment details, marketing plans, confidential data about your product.

Given that, at some point your mailbox turns into a store of highly valuable data. That makes mailboxes a desirable target for cybercriminals and turns a simple misdelivery into a serious leak.

Office 365 has many built-in security features, and Office 365 Message Encryption (OME) is one of them. You configure the conditions under which mail is encrypted as Exchange mail flow (transport) rules. For example, you can encrypt all messages to a specific recipient or domain, or messages that contain certain words. With the "Do Not Forward" option you can also prevent the recipient from forwarding, copying or printing the message.

A recipient inside Microsoft 365 reads the message directly in Outlook. A recipient on another platform such as Gmail receives a notification with a link; they open it and either sign in with their Microsoft, Google or Yahoo account or request a one-time passcode to read the message.
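The two conditions described above, as an added example rather than the article's own configuration. It assumes the ExchangeOnlineManagement module and an Exchange administrator role; the rule names, recipient address and keywords are placeholders, and "Encrypt" and "Do Not Forward" are the two built-in OME templates.

```powershell
# Added example (not from the original article): two Exchange Online mail flow rules
# that apply Office 365 Message Encryption. Assumes ExchangeOnlineManagement and an
# Exchange admin; addresses and keywords are placeholders.
Connect-ExchangeOnline

# Rule 1: everything sent to the external payroll provider is encrypted with the
# built-in "Encrypt" template (recipient can read and reply; copy/print still allowed).
New-TransportRule -Name "OME: payroll provider" `
    -SentTo "invoices@payroll-partner.example" `
    -ApplyRightsProtectionTemplate "Encrypt"

# Rule 2: messages whose subject or body carries a confidentiality marker get
# "Do Not Forward", which blocks forwarding, copying and printing for the recipient.
New-TransportRule -Name "OME: confidential marker" `
    -SubjectOrBodyContainsWords "CONFIDENTIAL", "Internal Only" `
    -ApplyRightsProtectionTemplate "Do Not Forward"

# Confirm the rules exist and are enabled
Get-TransportRule | Where-Object Name -like "OME:*" |
    Format-List Name, State, Priority, ApplyRightsProtectionTemplate
```

Send yourself a test message that matches each rule before announcing the change; a keyword rule with a common word will encrypt far more mail than intended, and external recipients on the one-time-passcode path will ask why.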

Configure Rights Management

To ensure that only intended users can open and modify particular documents, configure document protection and sharing settings. Sensitivity labels (Azure Information Protection) encrypt the document itself and bind usage rights to named users or groups, so the protection travels with the file wherever it is copied; SharePoint and OneDrive sharing permissions control who can reach the stored copy. In both cases it works much like Google Docs: you pick a user or group and grant them read, or read and change, rights on the files.

In that case, even if you accidentally send a protected document to the wrong people, they will not be able to read or change it. You can also revoke access remotely, which keeps you in control of the document after it has left the tenant.

Note, though, that shared documents can still be deleted or overwritten by malware, an account with management rights can be compromised by password spraying or brute force, and a leaving employee may have malicious intentions. So always have your company data backed up beforehand.

Another vital aspect of access management is configuring roles and permissions in the Security and Compliance Center, following least privilege: give analysts read-only roles such as Security Reader and keep the administrator roles to a handful of accounts.
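An added example, not the article's own configuration, of the sharing defaults and role assignment just described. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, the SharePoint admin and Compliance admin roles, and placeholder tenant, site and user names.

```powershell
# Added example (not from the original article): tighten tenant-wide sharing defaults,
# lock one sensitive site down, and assign a least-privilege role. Assumes the
# SharePoint Online and ExchangeOnlineManagement modules; all names are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant defaults: no anonymous "Anyone" links, new links default to people inside the
# organisation with view-only rights, guests must sign in with the invited address,
# and guest access expires unless renewed.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -RequireAcceptingAccountMatchInvitedAccount $true `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30

# A site holding contract data: no external sharing at all, whatever the tenant default.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/legal" -SharingCapability Disabled

# Review who already has access to that site and through which groups
Get-SPOUser -Site "https://contoso.sharepoint.com/sites/legal" |
    Select-Object LoginName, IsSiteAdmin, Groups

# Security & Compliance Center roles: read-only for the analyst, and a look at who
# currently holds the powerful Compliance Administrator role.
Connect-IPPSSession
Add-RoleGroupMember -Identity "Security Reader" -Member "analyst@contoso.com"
Get-RoleGroupMember -Identity "Compliance Administrator"
```

Site-level settings can only be as permissive as the tenant setting, so tightening the tenant default first and opening individual sites on request is the least-privilege direction; the reverse (permissive tenant, tightened sites) leaves every new site open by default.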

Manage Data on Corporate Devices

We all use our smartphones for work. Whether your employees need to check Outlook or edit an Excel table, they may do it from a phone or tablet.

To let employees use their devices for work and keep the process secure, enrol the devices in mobile device management (Microsoft Intune) or, for personal devices, apply app protection policies, and mark the devices that meet your requirements as compliant. You can then manage access, see changes, and remove access to corporate data if needed, for instance by wiping the corporate data from a lost phone. Conditional Access can then require a compliant device before any Office 365 data is served.

Detect Suspicious Activity and Risky Apps with Cloud App Security For Office 365

This Microsoft tool (Microsoft Cloud App Security) helps you monitor data movement, detect abnormal behaviour, catch sharing of sensitive data, and assess whether the cloud apps in use meet the relevant compliance requirements. You can define policies that alert you on suspicious user activity or other threats to your Office 365 cloud apps, and connect them to automatic responses such as suspending the user.

Set Up Azure Active Directory

You can use Azure Active Directory (Azure AD), the identity service behind Office 365, to detect and block access attempts from unusual places. Say your assistant always works from the office in Chicago, but suddenly she is signing in from London. Conditional Access named locations let you block or challenge sign-ins from outside the places you trust, and Azure AD Identity Protection (Azure AD Premium P2) flags exactly this pattern as an atypical-travel risk so you can be alerted, review it, and block the unusual access attempt.

Use Multi-factor Authentication

No matter how good your password is, it is not enough on its own. By enforcing multi-factor authentication (MFA), you make the system run a second check before signing a user in: a push notification or code from the Microsoft Authenticator app, a FIDO2 security key, a phone call that requires pressing a digit, or a text message with a one-time code. Any of these defeats the bulk of automated credential attacks, but the methods are not equal: SMS and voice calls can be intercepted or phished, so prefer the Authenticator app or a security key, and exclude only a monitored break-glass account from the requirement.
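The device-compliance requirement, the unusual-location block and the MFA requirement from the last three sections are all expressed as Azure AD Conditional Access policies. The following is an added example, not the article's own configuration, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Authentication modules, a Conditional Access administrator, Azure AD Premium P1, Intune compliance policies already assigned to devices, and placeholder values for the break-glass account ID and the allowed countries.

```powershell
# Added example (not from the original article): three Conditional Access objects that
# implement "compliant device + MFA" and "block outside trusted countries". Assumes the
# Microsoft Graph PowerShell SDK and Azure AD Premium P1; IDs and countries are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" -NoWelcome

$breakGlassId = "00000000-0000-0000-0000-000000000001"   # emergency-access account, always excluded

# 1. Named location: the countries where staff normally work
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("US", "GB")
    includeUnknownCountriesAndRegions = $false
}

# 2. Require MFA AND a compliant (Intune-managed) device for every cloud app.
#    Created in report-only mode: review the sign-in log impact before enabling.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Require MFA and compliant device"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
}

# 3. Block sign-ins from anywhere except the allowed countries (the "assistant suddenly
#    in London" case), again leaving the break-glass account out.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "Block sign-in outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

Get-MgIdentityConditionalAccessPolicy | Format-Table DisplayName, State
```

Both policies start in report-only mode on purpose: a country block applied blind locks out travelling staff and anyone behind a VPN egress abroad, and a compliant-device requirement locks out every device that has not finished Intune enrolment. Flip state to "enabled" only after the sign-in logs show the expected population, and never remove the break-glass exclusion.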

Set Up a Strong Password Policy 

Brute-force and password-spray attacks are no joke, especially for big companies and especially against privileged accounts with access to sensitive information.

The password is the first line of defence. The shorter and more predictable a password is, the easier it is to guess.

Your company must set up a password policy with clear rules:

  1. Passwords must contain at least 8 characters, and preferably 12 or more; length does more for strength than any mix of character classes;
  2. They must contain uppercase letters, lowercase letters, and digits;
  3. Forbid obvious passwords. For example: “asdqwe123”, “abcdefg”, “123456”, “password”, “1111111”, etc. Adding a few digits or symbols to these does not help, because cracking tools try those variants first; Azure AD Password Protection enforces a global banned list and lets you add your own company terms to it;
  4. Forbid using the same password for multiple accounts and services, and give users a password manager so the rule is realistic;
  5. Implement an expiration policy where your compliance regime requires one (passwords revisited every 6 months or less), but note that Microsoft's own guidance and NIST SP 800-63B advise against routine expiry once MFA and banned-password checks are in place, since forced rotation pushes users toward predictable variants. Always force a reset when compromise is suspected.
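Rule 3 is the one most policies get wrong, because a plain substring check passes “P@ssw0rd2021!”. The following is an added example, not code from the article, of an offline check that normalises a candidate the way a cracking tool does before comparing it with a banned list. The banned list is a small constructed sample and the 12-character default is the assumption from rule 1; in a tenant the equivalent enforcement is Azure AD Password Protection's global and custom banned lists.

```powershell
# Added example (not from the original article): check a candidate password against
# the rules in the list above. The banned list is a short constructed sample.
$bannedBases = @('password', 'qwerty', 'asdqwe', 'abcdefg', '123456', '111111', 'welcome', 'contoso')

function ConvertTo-CrackerForm {
    # Lower-case, undo the common letter/digit/symbol swaps, drop everything that is not
    # a letter, so "P@ssw0rd2021!" becomes "passwordoii" and still contains "password".
    param([string] $Text)
    $t = $Text.ToLower()
    $t = $t -replace '@', 'a' -replace '\$', 's' -replace '0', 'o' -replace '1', 'i' -replace '3', 'e' -replace '!', 'i'
    return ($t -replace '[^a-z]', '')
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)][string] $Password, [int] $MinLength = 12)

    $problems = @()
    if ($Password.Length -lt $MinLength) { $problems += "shorter than $MinLength characters" }
    if ($Password -cnotmatch '[A-Z]')     { $problems += 'no uppercase letter' }
    if ($Password -cnotmatch '[a-z]')     { $problems += 'no lowercase letter' }
    if ($Password -notmatch '\d')         { $problems += 'no digit' }

    $lower = $Password.ToLower()
    $norm  = ConvertTo-CrackerForm $Password
    foreach ($base in $bannedBases) {
        $baseNorm = ConvertTo-CrackerForm $base
        # Raw match catches numeric/repeated bases; normalised match catches leet and padding.
        if ($lower.Contains($base) -or ($baseNorm.Length -ge 4 -and $norm.Contains($baseNorm))) {
            $problems += "contains banned word '$base'"
            break
        }
    }

    [pscustomobject]@{
        Password = $Password
        Pass     = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed candidates: two banned-word variants, one short, one that passes
'P@ssw0rd2021!', 'Welcome1!', 'Tr0ub4dor&3', 'correct-horse-Battery-staple-9' |
    ForEach-Object { Test-PasswordPolicy $_ } | Format-Table -AutoSize
```

Of the four constructed candidates only the last passes; the first two fail on the banned list despite satisfying the character-class rules, which is exactly why rule 3 needs normalisation rather than an exact-match list.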


Restrict OneDrive for Business Sync

Your employees may need to synchronise their OneDrive files with their computers. It enhances mobility and lets them work on their documents wherever it is comfortable for them. To do so, they use the OneDrive sync client. It ships with the Office 365 apps, but can also be installed as a stand-alone client.

As an administrator, you decide which devices this client may sync from. Only authorised, managed computers should be able to sync a local copy of OneDrive for Business. To guarantee it, restrict synchronisation to computers joined to your Active Directory domain(s), identified by domain GUID, and consider excluding file types such as .pst mailbox archives and executables from sync. Note that the domain check only applies to devices joined to an Active Directory domain.
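The restriction described above, as an added example rather than the article's own configuration. It assumes the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin role, the ActiveDirectory RSAT module on a domain-joined admin workstation for the GUID lookup, and a placeholder tenant URL.

```powershell
# Added example (not from the original article): allow the OneDrive sync client only on
# computers joined to your AD domain, and keep risky file types out of sync.
# Assumes the SharePoint Online module; run the GUID lookup on a domain-joined machine.

# 1. Read the GUID of the domain to allow (repeat per domain and join with ";")
$domainGuid = (Get-ADDomain).ObjectGUID.Guid

# 2. Apply the tenant-wide restriction
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $domainGuid `
    -ExcludedFileExtensions "pst;exe;dll"

# 3. Confirm what is now enforced
Get-SPOTenantSyncClientRestriction
```

The setting is evaluated by the sync client, so existing synced folders on unmanaged machines stop syncing rather than being wiped; tell users before enabling it, and pair it with the compliant-device Conditional Access policy for machines that are Azure AD-joined only.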

Educate your Employees


Human error, above all falling for phishing, is behind a large share of successful attacks. Unlike a zero-day, it is something you can reduce cheaply. Therefore mandatory security awareness training for employees is essential.

When a new employee joins your ranks, they must always undergo security training and pass the test. Only then should they start using company devices and interacting with sensitive data.

Training creates keen security awareness among users and prevents silly mistakes with notorious consequences.


About the author: Dmitry Dontov, CEO and Founder

Dmitry is the Founder and CEO of Spin.AI, a SaaS data protection company based in Palo Alto, California, and a former CEO of Optimum Web Outsourcing, a software development company from Eastern Europe. Dmitry is a tech entrepreneur and cybersecurity expert with over 20 years of experience in cybersecurity and team management. Dmitry has a strong engineering background in cybersecurity and cloud data protection, making him an expert in SaaS data security who has an ability to influence teams. Author of 2 patents. Member of Forbes Business Council.