Authentication Can Come in Multiple Forms
Agencies can choose from FIDO2 security keys, SMS, the Microsoft Authenticator app or Windows Hello for Business when implementing passwordless authentication in Microsoft 365.
Each method has its pros and cons. FIDO2 security keys are better for those who log in to multiple devices, whereas Windows Hello works for those with a permanent workstation. The Microsoft Authenticator app can also protect passwords with multifactor authentication, which requires users to provide something in addition to their password, such as a one-time passcode or a biometric gesture.
Account passwords protected by MFA are much less likely to be hacked, but passwordless authentication is a better solution if you can implement it.
Agencies should enforce MFA or passwordless authentication for all admin accounts, which are routinely targeted by hackers because of the access they have to Microsoft 365 tenants. Once a hacker has access to an admin account, they control your tenant and can perform any action.
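One way to enforce the admin-account requirement described above is a Conditional Access policy that targets the Global Administrator directory role. The following Microsoft Graph PowerShell script is an added example and is not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account can consent to the Policy.ReadWrite.ConditionalAccess and Application.Read.All scopes, and that the policy name and the break-glass account placeholder are values an agency would substitute for its own.

```powershell
# Added example (not from the original article): create a Conditional Access policy
# that requires MFA for every user holding the Global Administrator role.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account can consent to the scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Well-known, tenant-independent role template ID for Global Administrator.
$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"

$policy = @{
    displayName = "Require MFA for Global Administrators"   # name is an assumption
    # Start in report-only mode so sign-in logs show the impact before enforcement;
    # change to "enabled" once the results have been reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRoleId)
            # Placeholder: object ID of the emergency-access (break-glass) account,
            # excluded so an MFA outage cannot lock every admin out of the tenant.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Replacing the `mfa` built-in control with a phishing-resistant authentication strength is the natural next step once FIDO2 keys or Windows Hello for Business are rolled out to the admin population; the policy structure stays the same.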
IT Leaders Should Turn Off Legacy Protocols
The next step: Turn on mailbox and unified auditing. The Unified Audit Log in Microsoft 365 is turned off by default. The U.S. Computer Emergency Readiness Team (US-CERT) recommends enabling the log, which records user and admin activity from Exchange Online, SharePoint Online, OneDrive, Azure Active Directory (Azure AD), Microsoft Teams, Power BI and other Microsoft 365 services for up to one year, depending on the license assigned to users.
Before admins can run queries in the Office 365 Security and Compliance Center, the Unified Audit Log must be enabled by a user who is assigned the Audit Logs role (assigned to the Compliance Management and Organization Management role groups by default). Agencies that provisioned a Microsoft 365 tenant before January 2019 should also enable mailbox auditing.
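The two auditing steps above, enabling the Unified Audit Log and then mailbox auditing, followed by a query that confirms the log is actually ingesting events, can be carried out from Exchange Online PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed, that the signed-in account holds the Audit Logs role (Compliance Management or Organization Management), and that the sign-in UPN is a placeholder.

```powershell
# Added example (not from the original article): enable the Unified Audit Log and
# mailbox auditing, then verify with a query. Assumes the ExchangeOnlineManagement
# module is installed and the account holds the Audit Logs role.
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.onmicrosoft.com"   # placeholder UPN

# 1. Unified Audit Log ingestion is off by default: check it, enable it if needed.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Output "Unified Audit Log ingestion enabled."
} else {
    Write-Output "Unified Audit Log ingestion already enabled."
}

# 2. Mailbox auditing is on by default for tenants provisioned after January 2019,
#    but older tenants may have it off organization-wide or on individual mailboxes.
if ((Get-OrganizationConfig).AuditDisabled) {
    Set-OrganizationConfig -AuditDisabled $false
    Write-Output "Organization-wide mailbox auditing enabled."
}
# Per-mailbox fix-up for tenants that predate the default-on change.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Set-Mailbox -Identity $_.Identity -AuditEnabled $true
        Write-Output "Enabled mailbox auditing for $($_.PrimarySmtpAddress)"
    }

# 3. Verification query: admin-role membership changes from the last seven days.
#    "Add member to role." is the Azure AD audit operation name (trailing period included).
#    An empty result shortly after enabling is expected; ingestion lags by up to hours.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -Operations "Add member to role." -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations

Disconnect-ExchangeOnline -Confirm:$false
```

Running step 3 on a schedule, and alerting when any account other than the expected admins appears in `UserIds`, turns the audit log from a forensic record into a detection source for the admin-account takeovers the article warns about.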