Turn On Mailbox Auditing; Turn Off Old Protocols
The next step: Turn on mailbox and unified auditing. The Unified Audit Log in Microsoft 365 is turned off by default. The U.S. Computer Emergency Readiness Team (US-CERT) recommends enabling the log, which records user and admin activity from Exchange Online, SharePoint Online, OneDrive, Azure Active Directory (Azure AD), Microsoft Teams, PowerBI and other Microsoft 365 services for up to one year depending on the license assigned to users.
Before admins can run queries in the Office 365 Security and Compliance Center, the Unified Audit Log must be enabled by a user who is assigned the Audit Logs role (assigned to the Compliance Management and Organization Management role groups by default). Agencies that provisioned a Microsoft 365 tenant before January 2019 should also enable mailbox auditing.
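The enablement and verification steps above, as an added Exchange Online PowerShell example (not taken from the article or from any Microsoft documentation). It assumes the ExchangeOnlineManagement module is installed and that the account used holds the Audit Logs role; the seven-day search window and the "tenant provisioned before 2019" branch are illustrative choices.

```powershell
# Added example: enable unified and mailbox auditing, then confirm events are flowing.
# Assumes the ExchangeOnlineManagement module and an account with the Audit Logs role.
Connect-ExchangeOnline

# 1. Unified Audit Log ingestion is off by default in many tenants; check, then enable.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Organization-wide mailbox auditing (default-on for tenants created after Jan 2019).
#    AuditDisabled = $true would silently turn off per-mailbox auditing for everyone.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Older tenants: turn on auditing for any user or shared mailbox that still has it off.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Write-Host "Enabling mailbox auditing for $($_.UserPrincipalName)"
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true
    }

# 4. Verify: pull a week of admin-side Exchange events (ExchangeAdmin record type).
#    An empty result right after enabling is expected; ingestion can lag by several hours.
$since = (Get-Date).AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
              -RecordType ExchangeAdmin -ResultSize 50
$events | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run the verification search again after a day; the useful signal for incident response is the per-mailbox events (MailItemsAccessed, Set-InboxRule and similar), which only appear once mailbox auditing is on for the mailbox in question.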
Another tip: If email clients don’t require legacy Exchange Server protocols such as Post Office Protocol (POP3), Internet Message Access Protocol (IMAP) and Simple Mail Transfer Protocol (SMTP), disable them; these don’t support MFA. Agencies using Outlook and newer Office desktop apps should be able to safely disable legacy protocol support.
To check for legacy protocols, apply a filter in the Sign-ins section of Azure AD in the Azure management portal. Add a filter that shows only client apps using legacy protocols to better identify which users can be safely denied access to the protocols.
Legacy protocols can be disabled by blocking Basic Authentication for all or selected protocols; if protocols aren’t specified when creating a new authentication policy, Basic Authentication is blocked for all Exchange Online client protocols.
Another approach is to use Azure AD Conditional Access, which allows agencies to create a policy that blocks Exchange ActiveSync clients and “Other clients” to prevent use of legacy protocols.
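The authentication-policy approach from the preceding paragraphs, as an added Exchange Online PowerShell example (not the article's own code). It assumes the ExchangeOnlineManagement module; the policy names and the mailbox `scanner@agency.example` are placeholders, and the SMTP-only exception policy stands in for whatever device an agency genuinely cannot migrate off Basic Authentication.

```powershell
# Added example: block Basic Authentication tenant-wide, with a narrow SMTP exception.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# A policy created with no Allow* switches blocks Basic Auth for every client protocol
# (POP, IMAP, SMTP AUTH, ActiveSync, MAPI, Outlook Service, PowerShell, Autodiscover, ...).
$blockAll = Get-AuthenticationPolicy -Identity "Block Basic Auth" -ErrorAction SilentlyContinue
if (-not $blockAll) {
    New-AuthenticationPolicy -Name "Block Basic Auth"
}

# Make it the tenant default so newly created mailboxes inherit it.
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# Exception for a single legacy device that can only do SMTP AUTH with Basic Auth.
# Every other protocol stays blocked for this account too.
$smtpOnly = Get-AuthenticationPolicy -Identity "Allow Basic SMTP Only" -ErrorAction SilentlyContinue
if (-not $smtpOnly) {
    New-AuthenticationPolicy -Name "Allow Basic SMTP Only" -AllowBasicAuthSmtp
}
Set-User -Identity "scanner@agency.example" -AuthenticationPolicy "Allow Basic SMTP Only"

# Policy changes can take up to 24 hours to apply; refreshing the user's tokens forces
# re-evaluation at the next sign-in instead of waiting.
Set-User -Identity "scanner@agency.example" -STSRefreshTokensValidFrom (Get-Date)

# Review: which policies exist, and which users have an explicit (non-default) policy.
Get-AuthenticationPolicy | Format-Table Name, AllowBasicAuthSmtp, AllowBasicAuthPop, AllowBasicAuthImap
Get-User -ResultSize Unlimited |
    Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy

Disconnect-ExchangeOnline -Confirm:$false
```

Pair the policy with the Azure AD sign-in filter described above: run the filter for a few weeks before enforcing, and again afterwards, so that any client still attempting Basic Authentication shows up as a failed legacy sign-in rather than going unnoticed.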
Assign Passwords and Privileges with Care
In addition, agencies that have extended their Windows Server Active Directory to Azure AD should make sure admin passwords are not synced to Azure AD. Azure AD Connect can be used to sync on-premises AD accounts to Azure AD and optionally overwrite passwords in Azure AD.
If a Windows Server AD admin account password is compromised and it is synced to or matched with an existing Azure AD account, then the hacker can get access to an agency’s Microsoft 365 tenant.
Starting in October 2018, Azure AD Connect stopped syncing passwords for Windows Server AD accounts by default where the isCriticalSystemObject attribute is set to “true.”
Password syncing enables single sign-on for users and simplifies password management. But password syncing should be carefully planned to make sure compromised on-premises accounts don’t provide privileged access to Microsoft 365.
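An added on-premises check for the isCriticalSystemObject behaviour described above (example code, not from the article or from Azure AD Connect). It assumes the ActiveDirectory RSAT module on a domain-joined machine; the list of privileged groups is an assumption that agencies should extend to their own delegated-admin groups. The point it makes: only built-in accounts such as Administrator and krbtgt carry isCriticalSystemObject=TRUE, so a custom account placed in Domain Admins is still synced (and its password still hashed across) unless it is excluded by OU or attribute filtering in Azure AD Connect.

```powershell
# Added example: list privileged AD accounts and flag those Azure AD Connect would
# still sync by default (isCriticalSystemObject not set). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Assumed set of high-privilege groups; add any agency-specific admin groups.
$privilegedGroups = @(
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators"
)

$report = foreach ($group in $privilegedGroups) {
    # -Recursive expands nested groups down to leaf members.
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                     -Properties isCriticalSystemObject, adminCount
            $builtIn = [bool]$u.isCriticalSystemObject
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                Group            = $group
                Enabled          = $u.Enabled
                AdminCount       = $u.adminCount          # 1 = protected by AdminSDHolder
                BuiltInObject    = $builtIn               # TRUE = skipped by AAD Connect default
                SyncedByDefault  = -not $builtIn          # these need explicit exclusion
            }
        }
}

# One row per account, privileged accounts that would sync listed first.
$report |
    Sort-Object SamAccountName -Unique |
    Sort-Object SyncedByDefault -Descending |
    Format-Table SamAccountName, Group, Enabled, AdminCount, BuiltInObject, SyncedByDefault -AutoSize
```

Every account in the output with SyncedByDefault = True is one to either move into an OU that Azure AD Connect does not sync, exclude via attribute-based filtering, or give a separate cloud-only admin identity, so that a compromised on-premises admin password cannot be replayed against the Microsoft 365 tenant.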
Finally, when managing Microsoft 365, agencies should take note of how privileges are assigned. The first account in a Microsoft 365 tenant is assigned Global Admin privileges, which means it has the highest level of access possible.
When managing Microsoft 365, agencies should create additional accounts and assign administrator roles using Role-Based Access Control to limit the level of access according to role.
Microsoft 365 identity management is powered by Azure AD, which has many built-in admin roles that can be assigned to avoid granting accounts Global Admin privileges. For example, the Billing Reader role provides access to billing information without any other admin rights.
Implementing the principle of least privilege in Microsoft 365 can significantly reduce the risks associated with admin accounts.
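An added Microsoft Graph PowerShell example for the role-assignment practice discussed above (not the article's own code). It assumes the Microsoft.Graph PowerShell SDK and an account permitted to read and write directory role assignments; the role template ID for Global Administrator is the fixed, well-known value, the role looked up by display name uses the article's "Billing Reader" as the name to search for, and `finance.reader@agency.example` is a placeholder account.

```powershell
# Added example: inventory Global Administrators, then grant a narrowly scoped built-in
# role instead of Global Admin. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# 1. Who currently holds Global Administrator? (fixed role template ID for that role)
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
Write-Host "Global Administrators: $($gaMembers.Count)"
$gaMembers | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
# Guidance commonly cited is two to four emergency-access holders; more than that is a
# finding to investigate, not a configuration to leave in place.

# 2. Grant a least-privilege built-in role by display name (the article's example role).
$roleName = "Billing Reader"      # assumed: substitute any built-in directory role name
$roleDef  = @(Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'")
if ($roleDef.Count -ne 1) {
    throw "Expected exactly one role definition named '$roleName', found $($roleDef.Count)."
}

$user = Get-MgUser -UserId "finance.reader@agency.example"   # placeholder account

# DirectoryScopeId "/" = tenant-wide; administrative units allow narrower scopes.
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef[0].Id `
    -PrincipalId $user.Id -DirectoryScopeId "/"

# 3. Confirm the assignment and that the user is not also a Global Administrator.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($user.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{ User = $user.UserPrincipalName; Role = $def.DisplayName; Scope = $_.DirectoryScopeId }
    } | Format-Table -AutoSize

Disconnect-MgGraph
```

Run step 1 on a schedule and alert on any change in the member list; a newly added Global Administrator is one of the highest-value events the audit log described earlier will record.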