What’s involved in securing your Microsoft 365 Tenant?

Below is our extensive list of what is involved in making sure your tenant is as secure as it can be. Each step has a brief description of why it must be taken and how it helps keep you, your team and your data safe.

Have any further questions? Reach out to Infinite Edge using the enquiry form or give the team a call! We’re here to help, educate and guide you in the right direction with all things Microsoft 365.

Multifactor Authentication

  • Enable Multi-Factor Authentication for all users

  • Set up LastPass accounts

Admin Centre (Back-End)

  • Enable Microsoft 365 audit log search

    • The audit log has only recently been changed to be activated automatically for new tenants; all existing tenants will need to activate it before it starts collecting data.

  • Set all mailboxes to a maximum of 30 days for deleted items

    • By default, deleted items are only recoverable for the 14 days following deletion. This can be extended to 30 days to allow for more time to recover accidentally deleted emails.

  • Disable all mailbox forwarding

    • If a hacker were to gain access to your email, a common trick is to set up an auto-forward of all your emails while still leaving a copy in your inbox. Auto-forwarding can be disabled for all mailboxes so that this scenario cannot occur.

  • Disable Exchange POP3 and IMAP

    • Attackers targeting accounts can use the legacy IMAP/POP/SMTP protocols to brute-force the account using common variations of usernames and passwords exposed in large credential dumps. You can disable POP3 and IMAP so that this cannot be done against your accounts.

  • Enable archive mailboxes for all eligible users

    • Archive mailboxes can be activated and used to ensure emails are kept but in a folder out of the way of the inbox.

  • Enable auto-expanding archiving for the organisation

    • Enabling auto-expanding archive mailboxes ensures that users never run out of space within their mailboxes as it will expand as users add more to their archive folder.

  • Enable modern authentication for Exchange Online

  • Block Basic authentication for Exchange Online

  • Implement recommended SPAM Filter settings and MALWARE Filter settings

    • Microsoft's default spam and malware filters are robust, but they can be tightened to keep even more junk out of the junk box.

  • Disable users’ ability to add apps to their environment

  • Set Anonymous SharePoint and OneDrive Links to expire after 30 days

    • When sharing a document from your OneDrive or SharePoint libraries, if staff share the link with “Anyone”, the link won’t expire. We highly recommend ensuring that links with no intended recipient expire after 30 days so that there are limited data entry points.

  • Prevent download of infected files from SharePoint Online

    • Files uploaded or shared from an infected computer can carry the malware with them, so you can completely block staff from downloading any file that SharePoint Online has detected as infected.

  • Set SharePoint and OneDrive idle timeouts

    • As your team may handle sensitive information, or it may be stored in your OneDrive/SharePoint, adding idle timeouts to your sessions will log staff out after a certain period of time. This is important in shared offices to make sure your data is safe when staff walk away. We recommend that users be warned after 45 minutes and signed out after an hour.

  • Protect users from Phishing via an Anti-Phishing policy

    • We recommend implementing an anti-phishing policy for the organisation that is stricter than the default policy put in place when the accounts were created. This however may result in a slightly higher percentage of false-positive emails being quarantined.

  • Enable our standard Office 365 best practice alerts

    • We can activate a wide range of Office 365 Alerts that will monitor all accounts and report on anything that may be deemed suspicious or should be on your radar.

  • Forward Office 365 alerts to a designated email address

    • Alerts created by Microsoft are stored within the Security and Protection Admin centre but these can be forwarded to a designated email address so that they are monitored closely.

  • Enable Data Leakage Prevention (DLP) in reporting mode

    • DLP can be activated to keep track of many types of sensitive data that your team may be sending. Data such as Personally Identifiable Information or Personal Financial Data can be tracked, traced and blocked from being sent outside the organisation if required.

  • Branding of the login page

    • When signing into Microsoft Online, after you have entered your email the portal can change to have your company logo instead of the Microsoft logo. This can be used by your team to ensure they are always logging into a legitimate Microsoft Portal as many phishing emails that ask you to sign in to the portal will look incredibly accurate but will lack your logo.

  • Set Tenant to Targeted App mode

  • MFA for Admin accounts

    • Any and all admin accounts that have access to your Microsoft 365 tenant should have Multi-Factor Authentication added. This includes the separate Global Admin account that we recommend your company has.

  • Disable Office 365 Password Expiry

    • With MFA added and a more complex password in place, the need to change passwords regularly is reduced, so you can remove the password expiry requirement.

  • Increase OneDrive for Business storage from 1TB to 5TB (per user)*

    • OneDrive storage starts at 1TB but can be expanded to 5TB. The storage available, however, depends on your license allowance.

  • Configure and apply all relevant conditional access policies

  • Extend the mailbox audit log beyond the default 90 days to 180 days*

  • Enable litigation hold mailboxes for all eligible users*

  • Enable ATP Safe Links per best practice*

  • Enable ATP Safe Attachments

  • Set up Cloud App Security*

  • Run Antivirus & Malware scan on computers
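As an added example (not Infinite Edge's own script), the PowerShell below audits the Exchange Online items from the list above (audit log, deleted-item retention, mailbox forwarding and POP3/IMAP) and applies the recommended setting when run with -Apply; it assumes the ExchangeOnlineManagement module is installed and that you sign in with an account holding the Exchange Administrator role.

```powershell
# Added example (not Infinite Edge's script): audits the Exchange Online items in the
# checklist above and, with -Apply, remediates them. Requires the ExchangeOnlineManagement
# module and an account holding the Exchange Administrator role.
param([switch]$Apply)

Connect-ExchangeOnline -ShowBanner:$false

# Unified audit log: existing tenants may still have ingestion switched off.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF"
    if ($Apply) { Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true }
}
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $upn = $mbx.UserPrincipalName

    # Deleted-item retention: the default is 14 days, the maximum is 30.
    if ($mbx.RetainDeletedItemsFor.Days -lt 30) {
        Write-Output "$upn : deleted items kept only $($mbx.RetainDeletedItemsFor.Days) days"
        if ($Apply) { Set-Mailbox -Identity $upn -RetainDeletedItemsFor 30 }
    }
    # Mailbox-level forwarding, the silent-copy trick described above.
    if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
        Write-Warning "$upn : mailbox forwards to $($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
        if ($Apply) {
            Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -ForwardingAddress $null `
                -DeliverToMailboxAndForward $false
        }
    }
    # Inbox rules can forward or redirect too and are easy to miss in the admin centre.
    Get-InboxRule -Mailbox $upn | Where-Object {
        $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo
    } | ForEach-Object {
        Write-Warning "$upn : inbox rule '$($_.Name)' forwards or redirects mail"
        if ($Apply) { Disable-InboxRule -Mailbox $upn -Identity $_.Identity -Confirm:$false }
    }
    # Legacy POP3/IMAP: these protocols do not support MFA, so they are the brute-force path above.
    $cas = Get-CASMailbox -Identity $upn
    if ($cas.PopEnabled -or $cas.ImapEnabled) {
        Write-Warning "$upn : POP=$($cas.PopEnabled) IMAP=$($cas.ImapEnabled)"
        if ($Apply) { Set-CASMailbox -Identity $upn -PopEnabled $false -ImapEnabled $false }
    }
}
if ($Apply) {
    # Tenant-wide: stop auto-forwarding to external domains, and keep POP/IMAP off for new mailboxes.
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
}
```

Run it without -Apply first: that pass only reports, so you can review each finding before any mailbox is changed.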

Domain Checks

  • Turn on DKIM and DMARC on the domain#

  • Check SPF Records#

*These items require a specific type of license to be completed. Most of these settings can only be completed with certain licenses. You need at least M365 F3; however, we generally recommend Microsoft 365 Business Premium.
#We will require access to your Domain Hosting Records for this task to be completed and may need to make changes.
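As an added example (not Infinite Edge's tooling) for the Domain Checks section, the script below reads a domain's SPF, DKIM and DMARC records from public DNS and flags the common weak states: a missing or duplicated SPF record, SPF that does not cover Exchange Online or does not end in ~all/-all, missing Microsoft 365 DKIM selector CNAMEs, and a DMARC policy still at p=none. It assumes Resolve-DnsName (DnsClient module on Windows) and uses "example.com" as a placeholder domain.

```powershell
# Added example (not Infinite Edge's tooling): checks a domain's SPF, DKIM and
# DMARC records in public DNS. Needs Resolve-DnsName (DnsClient module, Windows).
# "example.com" is a placeholder domain.
param([string]$Domain = "example.com")

function Get-TxtRecords([string]$Name) {
    # Returns each TXT record as one joined string (long records arrive split into chunks).
    @(Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' })
}

# SPF: exactly one v=spf1 record, covering Exchange Online, ending in ~all or -all.
$spf = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
if ($spf.Count -ne 1) {
    Write-Warning "$Domain : found $($spf.Count) SPF records (need exactly one)"
} else {
    if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com') {
        Write-Warning "$Domain : SPF does not include spf.protection.outlook.com"
    }
    if ($spf[0] -notmatch '\s[~-]all$') {
        Write-Warning "$Domain : SPF should end in ~all or -all, got: $($spf[0])"
    }
}

# DKIM: Microsoft 365 publishes selector1/selector2 CNAMEs that point at onmicrosoft.com.
foreach ($sel in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$sel._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'CNAME' }
    if (-not $cname -or $cname.NameHost -notlike '*.onmicrosoft.com') {
        Write-Warning "$Domain : DKIM CNAME for $sel is missing or does not point at onmicrosoft.com"
    }
}

# DMARC: one v=DMARC1 record; p=none only monitors, quarantine/reject actually enforce.
$dmarc = @(Get-TxtRecords "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' })
if ($dmarc.Count -ne 1) {
    Write-Warning "$Domain : found $($dmarc.Count) DMARC records (need exactly one)"
} elseif ($dmarc[0] -match '(?:^|;)\s*p=(\w+)') {
    $policy = $Matches[1]
    if ($policy -eq 'none') { Write-Warning "$Domain : DMARC p=none (monitor only, nothing is enforced)" }
    else { "$Domain : DMARC policy is p=$policy" }
    if ($dmarc[0] -notmatch 'rua=') { Write-Warning "$Domain : no rua= address, so no aggregate reports" }
} else {
    Write-Warning "$Domain : DMARC record has no p= tag: $($dmarc[0])"
}
```

These checks only cover what is published in DNS; whether DKIM signing is actually switched on for the domain inside Exchange Online still needs to be confirmed in the tenant.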