May 20th, 2021

Mini-Series 2 of 5

The Best things to do with Microsoft 365
Access and Authentication - WST

We continue our series on basic and helpful security tips for your Microsoft 365 instance. Keep in mind, some of these tips require 365 Business Premium or Enterprise subscriptions, and can be configured in multiple locations, including Conditional Access policies.

Multi-factor Authentication

MFA is the single most impactful thing you can do to improve the security posture of ANY application accessed by users. It doesn’t matter if it’s hosted internally, in the cloud, only accessible from your domain, or open to the web. If it holds NPI, it should be secured in the best manner possible, and that’s with MFA.

As we descend from our soapbox, we do realize that mitigating controls exist, and sometimes MFA is not an option. And, clearly, MFA is not foolproof: it can sometimes be bypassed by a highly skilled threat actor, and some forms of MFA (SMS text and callback) are less secure than others. But come on, it’s 2021 - we as IT professionals can and should be pushing our vendors for extra layers of security like MFA anywhere and everywhere we can, because right now, it is the best option. At the very least, we should apply improved monitoring and logging to the resources that don’t support MFA.

That brings us to Microsoft 365. If you’ve exposed your Exchange instance to the web (OWA), or SharePoint, or OneDrive, or Teams, etc., then you should have Microsoft Modern Authentication configured, or ADFS with some other third-party tool, like Okta, Duo, Symantec VIP, etc. If you don’t, you’re likely only one phish away from declaring an incident.

There are a few ways to manage MFA in 365. Use https://learn.microsoft.com/en-us/ to read and learn about how MFA works in 365, and where to make changes in Azure or the 365 Admin Center.

Conditional Access

Microsoft has implemented security controls throughout the 365 environment, and there can be a lot of overlap. If you started out as an Office 365 customer and then gradually migrated to Microsoft 365 and/or Azure, you’re likely very aware of this. And you’re also probably aware that Microsoft is moving and consolidating stuff all the time. A lot of security found in 365 admin portals and Azure blades can be configured and consolidated within Azure AD Conditional Access (CA) policies. If you have access to CA policies through Azure AD Premium or Microsoft 365 E3 or E5 subscriptions (for example), this should be your first stop when trying to implement security controls. For any existing controls, consider recreating them as a CA policy. Before implementing new CA policies remember to alpha test, beta test, QA test, and test some more. CA policies are very powerful – especially the “block” feature – so be careful not to lock yourself out.

Use Azure Active Directory Conditional Access policies

Use this very powerful tool to control access to your data and resources. Enlist the following concepts when configuring Conditional Access policies. It may be necessary to combine these concepts in the policies, and in some cases, overlap the concepts across many different policies.

  • Require MFA for everyone, all the time (excluding that break-glass account).
  • Block guest invites and guest access. Only IT administrators should be able to grant access, only to pre-vetted guests, and only with MFA.
  • Configure locations and limit access based on location. Consider not allowing connections from foreign countries where you aren’t doing business or supporting users.
  • Only allow preapproved apps to connect to institution and customer data.
  • Don’t let non-compliant devices connect to your instance, and don’t let unmanaged devices download data.
  • Block all legacy protocols. According to Microsoft, 99% of password spray attacks and 97% of credential stuffing attacks use legacy protocols like POP, SMTP, IMAP, and MAPI.
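As an added example (not code from the original post), here is how two of the concepts above, requiring MFA for everyone except the break-glass account and blocking legacy authentication, can be created as Conditional Access policies with Microsoft Graph PowerShell. Both are created in report-only mode so you can review sign-in log results before enforcing, in keeping with the "test, and test some more" advice; it assumes the Microsoft.Graph module is installed, and the break-glass object id is a placeholder.

```powershell
# Added example: create two Azure AD Conditional Access policies in
# report-only mode via Microsoft Graph PowerShell. Assumes the
# Microsoft.Graph module is installed and the signed-in account can
# write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object id of the emergency-access (break-glass) account.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

# Policy 1: block legacy authentication. Clients that cannot use Modern
# Authentication (POP, IMAP, SMTP AUTH, MAPI) are matched by the "other"
# client app type; Exchange ActiveSync is listed separately.
$blockLegacy = @{
    displayName = "Block legacy authentication (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Policy 2: require MFA for all users on all apps, excluding break-glass.
$requireMfa = @{
    displayName = "Require MFA for all users (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($policy in @($blockLegacy, $requireMfa)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' ($($created.Id)) state=$($created.State)"
}

# Once the report-only results in the Azure AD sign-in logs look right,
# switch a policy to enforcement by updating its state to "enabled".
# Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State, Id
```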

Look for more Microsoft 365 tips in the coming weeks!

Authored by: Mike Smith, AWS-CCP
