June 17th, 2021
Mini-Series 4 of 5
The best things to do with Microsoft 365: Other Security Controls - WST
We continue our series on basic and helpful security tips for your Microsoft 365 instance. Keep in mind, some of these tips require 365 Business Premium or Enterprise subscriptions, and can be configured in multiple locations, including Conditional Access policies.
Understand logging
We’ve talked about Multi-factor Authentication (MFA), and how important it is to add that additional layer of security to 365 applications for user-owned accounts and the NPI contained therein.
Take the time to understand and tune logging in 365, and decide which events warrant an alert and which are merely informational. The volume of log data can feel like drinking from a fire hose, but it is manageable, and it is what gives administrators insight into potential or actual threats inside the instance. Better yet, forward those logs to your SIEM and manage them like any other log source in your institution. Some activity is logged by default, such as Exchange admin actions. Other activity is not logged by default, and in some cases is not available for logging at all (e.g., group mailbox auditing), so know which is which and what you must configure manually. One setting to check explicitly is that the unified audit log itself is switched on; it is the feed most SIEM connectors read, and if ingestion is off there is nothing to forward.
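The checks described above, as an added example (not code from the original post) in Exchange Online PowerShell: confirm that the unified audit log is ingesting, confirm that mailbox auditing has not been switched off tenant-wide or bypassed for individual accounts, and run one starter detection (mail-forwarding changes) over the last week. It assumes the ExchangeOnlineManagement module is installed, the caller holds an Exchange admin role, and the UPN below is a placeholder.

```powershell
# Added example, not code from the original post: audit the audit log.
# Assumes the ExchangeOnlineManagement module, an Exchange admin role, and a
# placeholder admin UPN.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

# 1. The unified audit log is the single feed that 365 SIEM connectors consume.
#    If ingestion is off, nothing is being recorded for you to forward.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF; enabling it.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailbox auditing is on by default, but one tenant-wide switch (AuditDisabled)
#    turns it off for every mailbox, and individual accounts can be set to bypass it.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled tenant-wide; re-enabling it.'
    Set-OrganizationConfig -AuditDisabled $false
}
$bypass = Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled }
if ($bypass) {
    Write-Warning "Accounts whose actions are NOT audited: $($bypass.Name -join ', ')"
}

# 3. A first detection to run before the SIEM is wired up: who created or changed
#    inbox rules or mailbox settings that forward or redirect mail?
$since  = (Get-Date).AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -ResultSize 5000 `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox'

$hits = foreach ($e in $events) {
    # AuditData is a JSON string; cmdlet-style events carry the parameters that were
    # passed, so forwarding shows up as ForwardTo / ForwardAsAttachmentTo /
    # RedirectTo / ForwardingSmtpAddress.
    $d   = $e.AuditData | ConvertFrom-Json
    $fwd = @($d.Parameters | Where-Object { $_.Name -match 'Forward|Redirect' })
    if ($fwd.Count -gt 0) {
        [pscustomobject]@{
            When      = $e.CreationDate
            Actor     = $d.UserId
            ClientIP  = $d.ClientIP
            Operation = $d.Operation
            Targets   = ($fwd.Value -join '; ')
        }
    }
}
$hits | Sort-Object When | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Rules created through the Outlook client are logged under a different operation (UpdateInboxRules) with a different JSON shape, so extend the filter once your SIEM parses those; the point of the script is to show that the default feed, once enabled, already carries enough detail to catch the forwarding tricks discussed below.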
Disable PowerShell Online for all non-admin users
PowerShell is very…powerful. There is no reason a normal, non-privileged, non-IT user should be able to connect to PowerShell Online (remote PowerShell sessions against Exchange Online), just as they should be blocked from launching PowerShell on workstations inside your LAN or WAN. Mitigating controls exist, but consider what an attacker does with a remote PowerShell session: email forwarding exploits are still very popular with threat actors, even though Microsoft has improved logging and reporting on such activities, and a scripted session sets up forwarding faster and more quietly than clicking through Outlook. All it takes are stolen credentials that aren't MFA protected, and even MFA isn't perfect: in Solorigate the attackers forged SAML tokens with stolen signing material and were never challenged for a second factor. A layered security approach is the best approach.
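One way to apply this control, as an added example (not code from the original post): turn off Exchange Online remote PowerShell for every mailbox user who is not a member of an Exchange admin role group, building the allow list from live role group membership so that a newly promoted admin is not locked out. It assumes the ExchangeOnlineManagement module, an Exchange admin session, a placeholder admin UPN, and that the role groups listed are this tenant's definition of "admin"; adjust that list before running it.

```powershell
# Added example, not code from the original post: remove remote PowerShell from
# non-admin mailbox users. Assumes the ExchangeOnlineManagement module, an Exchange
# admin session, and that $adminGroups is the tenant's definition of "admin".
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$adminGroups = 'Organization Management', 'Recipient Management',
               'Help Desk', 'Compliance Management', 'Discovery Management'

# Resolve role group members to UPNs. Members can be users or nested groups;
# only users resolve through Get-User, so nested groups are skipped here.
$adminUpns = foreach ($g in $adminGroups) {
    foreach ($m in Get-RoleGroupMember -Identity $g -ResultSize Unlimited) {
        $u = Get-User -Identity $m.Identity -ErrorAction SilentlyContinue
        if ($u) { $u.UserPrincipalName }
    }
}
$adminUpns = @($adminUpns | Sort-Object -Unique)

# Everyone with a mailbox who still has the flag on and is not on the allow list.
$targets = @(Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and ($adminUpns -notcontains $_.UserPrincipalName) })

Write-Host "Admins keeping remote PowerShell: $($adminUpns.Count)"
Write-Host "Users losing remote PowerShell:   $($targets.Count)"

foreach ($u in $targets) {
    # Run once with -WhatIf, review the output, then remove -WhatIf.
    Set-User -Identity $u.UserPrincipalName -RemotePowerShellEnabled $false -WhatIf
}

# Verify: anyone still enabled who is not on the allow list is a finding.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and ($adminUpns -notcontains $_.UserPrincipalName) } |
    Select-Object UserPrincipalName, RemotePowerShellEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

This flag governs Exchange Online only; it is one layer, and the Conditional Access policies mentioned at the top of this post are where you block other administrative endpoints for ordinary users. Schedule the script to run regularly, because new mailboxes are created with remote PowerShell enabled.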
Configure Company Branding
This is an easy win. Consider configuring company branding images for your login pages. This way your users gain some confidence that they are logging into your 365 instance and not a phishing site designed to fool them. Change that image on a regular basis, such as every quarter, and communicate the change to your users. Keep in mind that a determined attacker can copy your branding onto a phishing page, so treat this as a user-awareness aid rather than a technical control.
Restrict guests from inviting other guests
If you do have a legitimate reason to allow employees to invite guests to your 365 instance, limit the guests' ability to invite other guests. This is easily accomplished with the flip of a switch in the admin portal (the external collaboration settings for guest invitations).
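The same switch, read and set through Microsoft Graph, as an added example (not code from the original post): the script reports the tenant's current guest-invitation setting and, if it is the permissive default, tightens it so that members can still invite but guests cannot. It assumes the Microsoft.Graph PowerShell module and an account able to consent to the Policy.ReadWrite.Authorization scope.

```powershell
# Added example, not code from the original post: check and tighten who may
# invite guests via the Graph authorizationPolicy resource. Assumes the
# Microsoft.Graph module and the Policy.ReadWrite.Authorization scope.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'

$uri = 'https://graph.microsoft.com/v1.0/policies/authorizationPolicy'

# allowInvitesFrom values, from most to least permissive:
#   everyone                 members and existing guests can invite (the default,
#                            and the setting that lets a guest invite more guests)
#   adminsAndGuestInviters   members, admins and Guest Inviter role holders; guests cannot
#   adminsOnly               admins only
#   none                     guest invitations disabled
$policy  = Invoke-MgGraphRequest -Method GET -Uri $uri
$current = $policy.allowInvitesFrom
Write-Host "Current guest-invitation setting: $current"

if ($current -eq 'everyone') {
    # Employees keep the ability to invite; guests lose it.
    Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body @{ allowInvitesFrom = 'adminsAndGuestInviters' }
    $after = (Invoke-MgGraphRequest -Method GET -Uri $uri).allowInvitesFrom
    Write-Host "Setting is now: $after"
}

Disconnect-MgGraph
```

Pick adminsOnly instead if your policy is that only IT invites guests; the script deliberately stops at adminsAndGuestInviters because the post's premise is that employees have a legitimate need to invite.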
One more tip in this series to go! Look for it in the coming weeks! Authored by: Mike Smith, AWS-CCP