Manoharan Mudaliar

Cyber Security Consultant

Microsoft Office 365 security best practice and recommendation

Microsoft Office 365 security best practice and recommendation

U.S. Govt Issues O365 Security Practice and Recommendation


The majority of businesses are shifting to Microsoft Office 365 and other cloud services to amp up collaborations within their departments to fulfill the “telework” requirements. However, due to the rapid deployment of these cloud services, organizations may be ignoring the security factor associated with these third-party platforms.


There are various security best practices and recommendations available to deploy. I strongly recommend to fine-tuning based on the deployment and design architecture, and never one size fits for all. Due to COVID-19 current situation and becoming a new normal for every organization and most of the works are carried from home “WHF.”

Microsoft O365 provides cloud-based email capabilities, also, chat and other various cloud applications. While the abrupt shift to work-from-home may necessitate the rapid deployment of cloud collaboration services, such as O365, hasty deployment can lead to oversights in security configurations and undermine a sound O365-specific security strategy.

The below mentioned are the few best practice for O365 deployment;

Best Practices for O365 Deployment

Enable Multi-Factor Authentication for Administrator Accounts

Azure subscribers are, by default, assigned to the role of Global Administrator. These administrators have the highest privileges that permit them to modify every setting in your Azure Active Directory (AD) in an Office 365 environment. They can add new usernames and modify the old ones, assign tasks, reset passwords, manage licenses, and domain names. In an on-premise Active Directory environment, this is similar to the role of a domain administrator.

The Azure Global Administrator accounts are created before any other account so that they can start with tenant configuration and user migration. These Global Administrator accounts aren’t granted multi-factor authentication by default. Even the new feature “secure by default” also needs to be enabled by the subscriber first. This feature helps with effectuating administrators’ usage of Multi-factor Authentication. The Global Administrator accounts are open to the internet because they are cloud-based. Lack of security can make these accounts vulnerable to online attackers, and they can hack into customers’ accounts during user migration to Microsoft Office 365.

Assign Administrator Roles Using Role-Based Access Control (RBAC):

Given the privileges assigned to the Global Administrator’s role, these accounts should only be used when required. It’s best to use specified administrator roles for Azure Active Directory (AD) such as application administrator, application developer, authentication administrator, and others to avoid or at least minimize the assigning of high-level privileges.

Shifting to the less-privileged rule can minimize the risks of a data breach if any account of administrator is attacked. Administrators must be assigned permissions limited to their roles and tasks.

Enable the Unified Audit Log (UAL):

Unified Audit Log is a logging feature in Microsoft Office 365 that comprises events and data related to Exchange Online, Azure Activity Drive (AD), SharePoint, OneDrive, Power Bi, and other online services offered by O365. This event log allows administrators to keep an eye on any malicious activities or actions against organizational policies. To ensure maximum data protection, the Security and Compliance Center is allowed access to the Unified Audit Log.

While all users don’t have permissive privileges in an Office 365 environment, they can still access information that can be damaging for a business if retrieved by unauthorized personnel. Also, cybercriminals can breach into unauthorized user accounts via phishing emails. They can further breach into other organizations’ cloud system via the applications and features that the hacked user account has access to.

Disable Legacy Protocol Authentication When Appropriate

Azure Activity Directory (AD) is a feature that Office 365 uses to corroborate with its email service, Exchange Online. It is linked to a variety of devised protocols including:

  • Post Office Protocol (POP3)
  • Simple Mail Transport Protocol (SMTP)
  • Internet Message Access Protocol (IMAP)

However, these protocols do not support the modern multi-factor authentication features because they are used with the senior email clients. Subscribers and users have access to disable the legacy mail protocols at any given time. However, if senior email clients are necessary for a business, the legacy protocols won’t be deactivated if a tenant or user tries to disable it. This leaves email accounts with only a password and username as the principal method for authentication and increases the risk of internet attacks.

One way of handling this security issue is to create a log of all the user email accounts that still require the use of legacy protocol and only authorize those accounts to access the protocols. Using the policies of Conditional Access in Azure Active Directory can help minimize the number of users allowed to access and authenticate with the legacy mail protocols. Taking these measures will significantly decrease an organization’s risk of cyberattacks.

Enable Alerts for Suspicious Activity

Enabling alerts and Unified Activity Log (UAL) in a Microsoft Office 365 environment can largely enhance an organization’s effectiveness in pinpointing malicious activities happening within their cloud. It will alert the Security and Compliance Center whenever an abnormal event is identified. It’s advised for the organizations to at least enable alerts for suspicious logins, such as those from unrecognized IP addresses and user accounts that have exceeded the benchmark set for sent emails.

Incorporate Microsoft Secure Score

Microsoft also offers a built-in feature called the Microsoft Secure Score, which measures an organization’s security condition relative to the Office 365 services it uses and offers recommendations for improvements and upgrades.

Though the recommendations offered by this tool do not provide information on all aspects of security configuration, it’s still beneficial for organizations because Office 365 keeps upgrading and adding to its offerings. Microsoft Secure Score provides a centralized dashboard to organizations for timely tracking of activities and enhancing compliance and security within the Office 365 environment.

Combine Audit Logs With Current Security Information and Event Management (SIEM) Tool:

Organizations must integrate their existing log management and tracking solutions with their O365 Unified Audit Log (UAL). It will further enhance their ability to identify abnormal activities on-premises and correlate them with potential malicious activities in the Office 365 environment.  This will ensure that you can detect unusual activity in your environment and correlate it with any potential anomalous activity in O365.

It’s highly recommended that organizations practice the following measures:

  • Enabling multi-factor authentication (MFA). This is one of the most effective mitigations to eliminate the risk of credential theft of administrators and users in the O365 environment.
  • Securing Azure AD Global Administrators from cyberattacks and following the rule of “Least Privilege.”
  • Authenticating Unified Audit Log (UAL) in the Security and Compliance Center.
  • Enabling alerts for proactive actions against malicious logins and emails.
  • Integrate with organizational SIEM solutions.
  • Disable legacy email protocols, if not required, or limit their use to specific users.

Manoharan Mudaliar

Leave a Comment