Fortify IT Infrastructure: 5 Essential Microsoft 365 Security Checks
Complex passwords alone are no longer enough to protect the things that are important to you and your business. A Microsoft 365 account has multiple entryways that a hacker can use to infiltrate and steal your information. In fact, as more employees are logging in from various places, bad actors have taken full advantage of this disruption - with data breaches up by 775% since 2017! Because of this, Microsoft has implemented a security score to help users identify where they are secure, and where they’re not. The score is a percentage between 0% and 100%. The higher your Microsoft secure score percentage, the more protected your data is.
Today’s challenge is knowing where to start when securing the information that lives in the Microsoft environment. Our tools identify over 100 security checks that ensure your account will be protected against the most common cyber security attacks, but for now we will be focusing on the top 5 most critical security checks for Microsoft 365. Ensuring these checks are in place to start will increase your Microsoft secure score and decrease your chances of a breach.
It is important to note that a few of these checks are only available on the Microsoft Premium tier.
Security Check #1: MFA (admin and user)
Minimum MS License: M365 Basic
It is rare these days for a service not to require MFA, and for good reason. Netflix, Amazon, bank accounts, and even social networking services are smartening up to the idea that a password is simply not enough to secure information. Requiring multi-factor authentication (MFA) for all user and admin accounts helps protect devices and data that are accessible to these users. Adding more authentication methods, such as a phone token or a badge, increases the level of protection in the event that one factor is compromised. Similarly, requiring MFA for all Azure Active Directory accounts with privileged roles (admin) makes it harder for attackers to access accounts. If any of those accounts are breached, essential devices and data will be vulnerable to attacks.
Security Check #2: Block sign-in on shared mailboxes
Minimum MS License: M365 Basic
A shared mailbox in Microsoft 365 is a mailbox that multiple users can access to read and send email messages. It’s most often used where several people need to manage and respond to emails sent to a common address, such as “support”, “sales” or “info”. If this sounds familiar to your business, it is best practice to block sign-in on shared mailbox accounts, as recommended by Microsoft, to prevent an attacker from authenticating and logging in to such accounts. You can authorize specific users to access these mailboxes and block direct sign-in. Think of your shared mailbox like a home; you’re effectively locking the side door to the house while still allowing those with a key to get in through the front.
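One way to run this check, shown as an added example rather than code from the original article: list every shared mailbox, report whether its directory account still allows sign-in, and preview the fix. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed; the two function names are hypothetical.

```powershell
# Added example (not from the original article).
# Assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed.

function Get-SharedMailboxSignInState {
    # Hypothetical helper: one row per shared mailbox with its account's sign-in state.
    $shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
    foreach ($mbx in $shared) {
        # Skip anything without a directory object to look up.
        if (-not $mbx.ExternalDirectoryObjectId) { continue }
        $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
                           -Property Id, UserPrincipalName, AccountEnabled
        [pscustomobject]@{
            Mailbox       = $mbx.PrimarySmtpAddress
            ObjectId      = $user.Id
            SignInAllowed = [bool]$user.AccountEnabled
        }
    }
}

function Block-SharedMailboxSignIn {
    # Hypothetical helper: disables sign-in only for rows that still allow it.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Row)
    process {
        if ($Row.SignInAllowed -and
            $PSCmdlet.ShouldProcess($Row.Mailbox, 'Block sign-in')) {
            Update-MgUser -UserId $Row.ObjectId -AccountEnabled:$false
        }
    }
}

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All', 'User.EnableDisableAccount.All'

$report = Get-SharedMailboxSignInState
$report | Sort-Object SignInAllowed -Descending | Format-Table -AutoSize

# Preview only; remove -WhatIf to apply. Delegated users keep access through
# their mailbox permissions, since only direct sign-in is being blocked.
$report | Block-SharedMailboxSignIn -WhatIf
```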
Security Check #3: Risky Country Policy
Minimum MS License: M365 Premium
The location condition is often utilized to block access from regions where your organization expects no legitimate traffic. Defining a conditional access policy for high-risk countries reduces the number of attacks users face. This can be achieved by requiring additional steps for access from certain countries or by completely blocking access. For example, if your business operates out of the United States and Canada, you can block sign-in for all countries except for the US and Canada. Should your business expand to other countries or staff want to access company data while traveling outside the designated countries, you can always temporarily disable country blocking from that destination; just remember to turn it back on upon your safe return!
Security Check #4: Login Portal Branding
Minimum MS License: M365 Premium
Login portal branding allows you to use your organization's logo and custom color schemes to provide a consistent look-and-feel on your Azure Active Directory (Azure AD) sign-in pages. Your sign-in landing page comes up when users sign in to your company’s web apps, such as Microsoft 365. This serves as a visual cue for your staff to know if a link they click on to log into their portal is legitimate. For example, suppose someone sends you a link to review an Excel spreadsheet in SharePoint and you have to log into Microsoft to see it: if you don’t spot the company logo on the screen, there’s a good chance the link is nefarious.
Security Check #5: PowerShell Access for Non-admins in Your IT Infrastructure
Minimum MS License: M365 Basic
Exchange Online PowerShell enables you to manage your Exchange Online organization from the command line, making it a powerful tool for controlling aspects of your IT infrastructure. By default, all accounts you create in Microsoft 365 are allowed to use Exchange Online PowerShell. Attackers can utilize this tool to run malicious commands and access the file system, registry, and more. Ransomware can move quickly across networks using PowerShell. To increase security, non-admin users who do not need this functionality should have it disabled. PowerShell is an extremely powerful interface to perform various administrative tasks such as managing mailboxes, controlling user permissions, and automating large-scale tasks. This tool should be delegated with discretion.
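A sketch of this check as an added example, not code from the original article: find accounts that can still use Exchange Online PowerShell, leave out the ones that need it, and preview the change. The allow-list addresses, the CSV file name and the function name are constructed placeholders.

```powershell
# Added example (not from the original article).
# Assumes the ExchangeOnlineManagement module is installed.

# Constructed placeholder list: accounts that must keep Exchange Online PowerShell.
$AdminAllowList = @(
    'admin1@contoso.example'
    'svc-exo-automation@contoso.example'
)

function Get-NonAdminExoPowerShellUser {
    # Hypothetical helper: users with remote PowerShell enabled who are not allow-listed.
    param([string[]] $AllowList = @())
    Get-User -ResultSize Unlimited -Filter 'RemotePowerShellEnabled -eq $true' |
        Where-Object {
            # -notcontains compares case-insensitively, which suits UPNs.
            $_.UserPrincipalName -and ($AllowList -notcontains $_.UserPrincipalName)
        }
}

Connect-ExchangeOnline -ShowBanner:$false

$targets = @(Get-NonAdminExoPowerShellUser -AllowList $AdminAllowList)
"{0} non-admin account(s) can still use Exchange Online PowerShell" -f $targets.Count

# Keep a record of what is about to change before changing it.
$targets |
    Select-Object DisplayName, UserPrincipalName, RecipientTypeDetails |
    Export-Csv -Path .\exo-powershell-enabled.csv -NoTypeInformation

# Preview only; remove -WhatIf to apply the change.
foreach ($user in $targets) {
    Set-User -Identity $user.UserPrincipalName -RemotePowerShellEnabled $false -WhatIf
}
```

Because new accounts are allowed by default, the same report is worth re-running on a schedule to catch accounts created after the first pass.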
These security checkpoints are simply the beginning and should not be viewed as a comprehensive list. Securing your Microsoft 365 environment is a vital step in safeguarding your IT infrastructure against the ever-evolving landscape of cyber threats. While implementing these essential checks is crucial, it's equally important to adopt a holistic approach to IT management. This is where our Solve iT team excels. With extensive expertise in IT management, we not only help you identify and address security gaps in Microsoft 365 but also provide ongoing support to enhance the overall security posture of your entire IT infrastructure. From automating security across all 100 checkpoints to implementing best practices tailored to your organization's needs, Solve iT is dedicated to ensuring your systems remain resilient and secure. Start here when looking to plug any security gaps for Microsoft 365, and let us guide you in fortifying your IT infrastructure for the future.