Aug 13 2020

How to Keep Microsoft 365 Collaboration Safe in the Cloud

Reduce the security risks of virtual workplaces with these best practices.

As agencies adapt or change enterprise collaboration capabilities to meet remote requirements at unprecedented speeds, IT leaders must consider the security issues that come with basing collaboration tools on cloud platforms.

Simple best practices can improve security in Microsoft 365 and reduce the likelihood that hackers could compromise sensitive accounts or move laterally from on-premises networks to the cloud.

The first step: Enable passwordless authentication or multifactor authentication. Passwords are a security risk, and Microsoft has been pushing passwordless authentication for several years. This method replaces passwords with a combination of something you have, such as a security key, plus something you are or you know, such as a fingerprint or a PIN.

Agencies can choose from FIDO2 security keys, the Microsoft Authenticator app, SMS and Windows Hello for Business when implementing passwordless authentication in Microsoft 365.

Each method has its pros and cons. FIDO2 security keys are preferred for workers who log in to multiple devices, whereas Windows Hello is better for those assigned a permanent workstation.

The Microsoft Authenticator app can also protect passwords with multifactor authentication, which requires users to provide something in addition to their password, such as a one-time passcode or a biometric gesture.

Account passwords protected by MFA are much less likely to be hacked, but passwordless authentication is a better solution if you can implement it.

Agencies should enforce MFA or passwordless authentication for all admin accounts, which are routinely targeted by hackers because of the access they have to Microsoft 365 tenants. Once a hacker has access to an admin account, they control your tenant and can perform any action.

Turn On Mailbox Auditing; Turn Off Old Protocols

The next step: Turn on mailbox and unified auditing. The Unified Audit Log in Microsoft 365 is turned off by default. The U.S. Computer Emergency Readiness Team (US-CERT) recommends enabling the log, which records user and admin activity from Exchange Online, SharePoint Online, OneDrive, Azure Active Directory (Azure AD), Microsoft Teams, PowerBI and other Microsoft 365 services for up to one year depending on the license assigned to users.

Before admins can run queries in the Office 365 Security and Compliance Center, the Unified Audit Log must be enabled by a user who is assigned the Audit Logs role (assigned to the Compliance Management and Organization Management role groups by default). Agencies that provisioned a Microsoft 365 tenant before January 2019 should also enable mailbox auditing.

Another tip: If email clients don’t require legacy Exchange Server protocols such as Post Office Protocol (POP3), Internet Message Access Protocol (IMAP) and Simple Mail Transport Protocol (SMTP), disable them; these don’t support MFA. Agencies using Outlook and newer Office desktop apps should be able to safely disable legacy protocol support.

To check for legacy protocols, apply a filter in the Sign-ins section of Azure AD in the Azure management portal. Add a filter that shows only client apps using legacy protocols to better identify which users can be safely denied access to the protocols.

Legacy protocols can be disabled by blocking Basic Authentication for all or selected protocols; if protocols aren’t specified when creating a new authentication policy, Basic Authentication is blocked for all Exchange Online client protocols.

Another approach is to use Azure AD Conditional Access, which allows agencies to create a policy that blocks Exchange ActiveSync clients and “Other clients” to prevent use of legacy protocols.

MORE FROM FEDTECH: Find out how agencies can secure data from cloud collaboration tools once users leave. 

Assign Passwords and Privileges with Care

In addition, agencies that have extended their Windows Server Active Directory to Azure AD should make sure admin passwords are not synced to Azure AD. Azure AD Connect can be used to sync on-premises AD accounts to Azure AD and optionally overwrite passwords in Azure AD.

If a Windows Server AD admin account password is compromised and it is synced to or matched with an existing Azure AD account, then the hacker can get access to an agency’s Microsoft 365 tenant.

Starting in October 2018, Azure AD Connect stopped syncing passwords for Windows Server AD accounts by default where the isCriticalSystemObject attribute is set to “true.”

Password syncing enables single sign-on for users and simplifies password management. But password syncing should be carefully planned to make sure compromised on-premises accounts don’t provide privileged access to Microsoft 365.

Finally, when managing Microsoft 365, agencies should take note of how privileges are assigned. The first account in a Microsoft 365 tenant is assigned Global Admin privileges, which means it has the highest level of access possible.

When managing Microsoft 365, agencies should create additional accounts and assign administrator roles using Role-Based Access Control to limit the level of access according to role.

Microsoft 365 identity management is powered by Azure AD, which has many built-in admin roles that can be assigned to avoid granting accounts Global Admin privileges. For example, the Billing Reader role provides access to billing information without any other admin rights.

Implementing the principle of least privilege in Microsoft 365 can significantly reduce the risks associated with admin accounts.

Andrey Suslov/Getty Images