Today’s blog is all about elevating your security level in Microsoft 365. As we all know, security is of utmost importance in today’s world and it is crucial to take the necessary measures to protect your data and information.
I’ll guide you through a few essential settings that will help you enhance your security level within your Microsoft 365 tenant. These settings are based on best practices and must-haves to ensure maximum protection.
By implementing these changes, you’ll increase your confidence in the security of your Microsoft 365 environment. So, sit tight, as we delve into the world of security and explore the ways to make your environment more secure.
Enabling Multi-Factor Authentication with Azure Conditional Access
To ensure maximum security for all accounts within the Microsoft 365 tenant, we will set up Multi-Factor Authentication (MFA) using the Conditional Access feature in Azure Active Directory. This feature allows organizations to enforce security policies and ensure that only authorized users have access to the resources they need to perform their jobs, based on various conditions such as user identity, device state, location, and sign-in risk.
An Azure AD Premium P1 license is required for Conditional Access.
Follow these steps to set up MFA using Azure Conditional Access:
- Go to https://portal.azure.com
- Open Azure Active Directory
- Open Security, then Conditional Access
- Click on New Policy
When creating the policy, you have several options to choose from, including trusted locations, trusted devices, and accounts. However, it’s recommended to minimize exceptions and enable MFA for all accounts under all circumstances.
In a future post, I’ll delve deeper into Conditional Access and its best practices, and explain the significance of naming conventions.
- Fill in a descriptive policy name, such as [All Cloud Apps] All Users – Force Multi Factor Authentication
- Choose “All Users” for “Users”
- Choose “All Cloud Apps” for “Cloud apps”
- Choose “Require Multi Factor Authentication” for “Grant”
- Turn the policy on by switching “Enable Policy” to “On”
With this setup, all accounts within the Microsoft 365 tenant will now be required to use MFA when accessing cloud apps.
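The same policy can be created from the command line. The block below is an added example and is not part of the original post; it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, New-MgIdentityConditionalAccessPolicy) and builds the policy exactly as described above: all users, all cloud apps, grant control MFA. It creates the policy in report-only mode first, so the sign-in logs show who would be blocked before anything is enforced, and only then flips it to enabled. The policy name is the one from the post; nothing else is assumed.

```powershell
# Added example (not from the original post): create the MFA policy via Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Policy body in the Graph conditionalAccessPolicy schema
$policy = @{
    displayName   = "[All Cloud Apps] All Users - Force Multi Factor Authentication"
    # Report-only first: evaluated and logged, but not enforced
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All") }          # "All Users"
        applications = @{ includeApplications = @("All") }   # "All Cloud Apps"
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                           # "Require Multi Factor Authentication"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the stored policy back and show what the tenant actually holds
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State

# After reviewing the report-only results in the sign-in logs, enforce the policy.
# This is the equivalent of switching "Enable Policy" to On in the portal.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
    -BodyParameter @{ state = "enabled" }
```

Running the policy in report-only mode before enabling it is the check that prevents the most common failure mode of an "all users, all apps" policy: locking out the account you are administering from, or a service account that cannot complete MFA.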
Restrict access to Azure AD resources
By default, read access to the Azure AD administration portal is granted to all users, which is not ideal. Only administrators should have the privileges to access the portal.
There are various ways to restrict access to this portal, such as using Conditional Access or Microsoft’s default options. For this purpose, we will utilize Microsoft’s default option.
With this setting in place, normal users can no longer access the portal or manage their own resources through it.
Restrict access to Azure AD portal
- Go to https://portal.azure.com
- Open Azure Active Directory
- Open User Settings and switch Restrict access to Azure AD administration portal to Yes
Restrict non-admin users from creating tenants
By default, normal users have the ability to create tenants within the Azure AD administration portal, which may not be desirable. To prevent this, we can utilize the following settings.
- Under User Settings, switch Restrict non-admin users from creating tenants to Yes
Restrict users from registering applications
Allowing users to register app registrations can potentially lead to security risks, such as the creation of rogue applications with access to sensitive data. By restricting app registration to authorized administrators, the security of the Azure environment can be better managed and monitored. To prevent this, we can utilize the following settings.
- Under User Settings, switch App registrations to No
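Both of the User Settings switches above (tenant creation and app registration) live in the tenant's authorization policy, which can be changed and, more importantly, verified from Microsoft Graph PowerShell. The block below is an added example and not part of the original post; it assumes the Microsoft Graph PowerShell SDK with the Policy.ReadWrite.Authorization permission. It shows the current values, applies the restriction, and reads the policy back so the change can be confirmed rather than assumed. The portal-access restriction from the previous section is a separate setting and is not covered here.

```powershell
# Added example (not from the original post): restrict app registration and
# tenant creation for non-admins via the authorization policy, then verify.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization"

# "Before" state: the default user role permissions as currently configured
$before = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
"Before: allowedToCreateApps={0} allowedToCreateTenants={1}" -f `
    $before.AllowedToCreateApps, $before.AllowedToCreateTenants

# Apply the two restrictions from the User Settings page
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
    allowedToCreateApps    = $false   # User Settings > App registrations = No
    allowedToCreateTenants = $false   # User Settings > Restrict non-admin users from creating tenants = Yes
}

# Read back and fail loudly if either permission is still granted
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
if ($after.AllowedToCreateApps -or $after.AllowedToCreateTenants) {
    throw "Default user role permissions are still too permissive"
}
"After: allowedToCreateApps={0} allowedToCreateTenants={1}" -f `
    $after.AllowedToCreateApps, $after.AllowedToCreateTenants
```

The read-back at the end is the part worth keeping in any hardening script: a single Get-MgPolicyAuthorizationPolicy call is also a cheap periodic check that nobody has re-opened these defaults since.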
Implement Least Privileged Administrator Roles
Implementing Least Privileged Administrator Roles within Azure Active Directory is a crucial step in ensuring the security and stability of your organization’s IT infrastructure.
By providing administrators with only the permissions necessary to perform their specific job functions, you can reduce the risk of accidental or intentional harm to your systems, applications, and data.
This approach, known as the principle of least privilege, is a best practice for controlling access and minimizing the attack surface of your environment.
To create custom roles, an Azure AD Premium P1 license is required.
- Go to https://portal.azure.com
- Open Azure Active Directory
- Open Roles and administrators
In the Roles and Administrators screen, you will see that Microsoft has already provided a significant number of default roles, which are easily assignable. If a role is not sufficient, you can also create a custom role.
In this example, we will modify a user from having Global Administrator rights to just Intune Administrator rights.
- Open the Global Administrator role
- Select the relevant user and choose ‘Remove Assignment’ in the options.
- Navigate back to the Roles and Administrators screen and open the Intune Administrator role.
- Choose Add assignment and select the relevant user.
The user now has administrator rights within Intune only.
Best practice is to use the principle of least privilege in combination with Privileged Identity Management. Users can then activate the roles they are eligible for themselves, through an automated activation process, instead of holding those roles permanently.
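The Global Administrator to Intune Administrator swap above can be scripted, and scripting it makes two safeguards explicit that are easy to skip in the portal: add the new role before removing the old one, and never remove the last Global Administrator. The block below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK, looks the roles up by display name rather than hard-coding template IDs, and assumes a placeholder user principal name that you replace with the real account.

```powershell
# Added example (not from the original post): move a user from Global Administrator
# to Intune Administrator with Microsoft Graph PowerShell, safely.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$upn = "admin.user@contoso.example"   # placeholder: the account being downgraded
$user = Get-MgUser -UserId $upn

# Resolve the built-in role definitions by name (avoids hard-coded template IDs)
$ga     = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$intune = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Intune Administrator'"

# All current Global Administrator assignments in the tenant
$gaAssignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($ga.Id)'"
$target = $gaAssignments | Where-Object { $_.PrincipalId -eq $user.Id }
if (-not $target) { throw "$upn is not a Global Administrator; nothing to remove" }

# Safeguard: refuse to remove the only Global Administrator left in the tenant
if (@($gaAssignments).Count -lt 2) {
    throw "Refusing to remove the last Global Administrator assignment"
}

# Step 1: grant the least-privileged role first, tenant-wide scope ("/")
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $user.Id `
    -RoleDefinitionId $intune.Id -DirectoryScopeId "/" | Out-Null

# Step 2: only then remove the Global Administrator assignment
Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $target.Id

# Verify: list the roles the user now holds
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object { (Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId).DisplayName }
```

The final listing is the check that the portal steps leave implicit: after the change, the only role printed for the account should be Intune Administrator.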
Enhance Guest Sharing Security
The advent of SharePoint and Teams has made it easier to share documents and files with external contacts. However, it’s important to be aware that the default settings are quite open. For example, it’s standard for a public link of a file to be shared that can be viewed by anyone who possesses this link. This, in itself, is already a potential security risk. Below, I’ll guide you through the default settings. Keep in mind, this is a minimal basic setup. Ultimately, you want to ensure that your business files can only be opened in a secure environment.
- Go to the SharePoint Admin Center
- Open Policies, then Sharing
On the right side of the screen, you’ll find the default settings for sharing with external parties. As you can see, by default, anyone can access the file without the need for logging in. So, we’ll be modifying these settings to enhance security.
- Adjust the settings for SharePoint and OneDrive at a minimum to ‘New and existing guests’ access.
External guests will now be granted a guest account that they must log in to in order to access the shared document.
- By expanding ‘More external sharing settings’, you also have the option to expire guest access or require guest users to reauthenticate after a specified number of days, tenant-wide.
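The same sharing settings can be applied and verified with the SharePoint Online Management Shell. The block below is an added example and not part of the original post; it assumes the SharePoint Online Management Shell module (Connect-SPOService, Get-SPOTenant, Set-SPOTenant) and a placeholder admin URL that you replace with your own tenant's. It shows the current values, sets SharePoint and OneDrive to ‘New and existing guests’ (the ExternalUserSharingOnly level), enables guest expiration and reauthentication with example day counts, and then checks that neither setting is still at the ‘Anyone’ level.

```powershell
# Added example (not from the original post): tenant-wide external sharing
# settings via the SharePoint Online Management Shell.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# "Before": show the current sharing configuration
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    ExternalUserExpirationRequired, ExternalUserExpireInDays,
    EmailAttestationRequired, EmailAttestationReAuthDays

# ExternalUserSharingOnly = "New and existing guests" in the admin center.
# Day counts below are example values, not a recommendation from the post.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -ExternalUserExpirationRequired $true `
              -ExternalUserExpireInDays 30 `
              -EmailAttestationRequired $true `
              -EmailAttestationReAuthDays 15

# "After": re-read and refuse to consider the tenant hardened if anonymous
# ("Anyone") links are still allowed anywhere
$tenant = Get-SPOTenant
foreach ($cap in @($tenant.SharingCapability, $tenant.OneDriveSharingCapability)) {
    if ($cap -eq "ExternalUserAndGuestSharing") {
        throw "Anonymous ('Anyone') sharing links are still enabled"
    }
}
"SharePoint: $($tenant.SharingCapability); OneDrive: $($tenant.OneDriveSharingCapability)"
```

OneDrive sharing can never be more permissive than the SharePoint setting, which is why both are set together here; the closing check is the one to keep as a recurring audit, since individual sites can still be set tighter, but no site can exceed the tenant level.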
That concludes my basic setup for enhancing the security of Microsoft 365 with a few simple steps. Thank you for reading my blog. Please feel free to share it and reach out to me with any questions or comments.
Great and practical post, this is part of my go-to in securing my clients too, may I also recommend the following:
Turn on user and admin auditing (gives logs for 1 year rather than 7 days)
Password protection to stop brute forcing.
Thanks
Thanks James! Sounds good!