
Microsoft Office 365 comes with a lot of features to protect your data against today’s threats. If you create a new tenant, some but not all of these security features are enabled by default. Existing tenants however will need to keep up with the new security features and enable them manually to secure Office 365.

I have written this guide for you to use as a baseline to secure your Microsoft Office 365 tenant. All the security features can be enabled without the need for additional add-on products like Advanced Threat Protection, Defender for Office 365, or Azure AD Premium P1 or P2.

Last updated: December 2021 (added SPF, DKIM, DMARC)

In this guide we are going to configure the following security settings:

  • Configure and check Multi-Factor Authentication (users and admins)
  • Create an emergency access admin account
  • Assign Role-Based Access Control (RBAC) for admins
  • Enable Unified Audit Log
  • Enable Alert Policies
  • Enable Continuous Access Evaluation
  • Enable Azure Portal Inactivity timeout
  • Enable Preset Security Policies in Exchange Online
  • Enable External Email Tagging
  • Block Legacy Authentication Protocols
  • Block SharePoint Legacy Authentication
  • Block Shared mailbox sign-in
  • Block Auto-forward to External Domain
  • Block User consent to apps
  • Block User access to Azure Portal
  • Block Guest can invite access
  • Block Anonymous users can join a meeting
  • Limit External Sharing in SharePoint
  • User Password Policies
  • Corporate branding of the login page
  • Configure SPF, DKIM and DMARC

Office 365 Security Defaults

Security Defaults in Microsoft Office 365 are preconfigured security settings that help you to secure your Office 365 data against common threats. These settings include:

  • Enable multi-factor authentication (MFA) for all users and admins
  • Blocking legacy authentication protocols
  • Require users to use MFA when necessary (risky sign-in events)
  • Block user access to Azure Portal

If your tenant was created after October 21, 2019, then it’s possible that the security defaults setting is enabled for your tenant.

Before you enable security defaults in Office 365 you should keep a few things in mind. You can’t make any exceptions to the policies. So you can’t disable MFA for one user or turn on the SMTP Authentication Protocol if you need it for a specific business application.

Also, you can only use the Microsoft Authenticator app using notifications for multi-factor authentication. Text messages or app passwords can’t be used with security defaults enabled.

To enable or disable Security Defaults you will have to log in to the Azure Active Directory Admin Center:

  1. Log in at aad.portal.azure.com
  2. Click on Azure Active Directory and select Properties
  3. Select Manage Security Defaults
  4. Enable Security Defaults

If you need to disable security defaults, then make sure you have at least enabled MFA for all the admins and users where possible, and block all legacy protocols (per user).

Configure Multi-factor Authentication

Enabling multi-factor authentication (MFA) is the most recommended security measure to secure Office 365. It protects your accounts against phishing attacks and password sprays. Multi-factor authentication should be enabled for all admin and user accounts.

First, we are going to check the default multi-factor authentication settings.

  1. Log in at aad.portal.azure.com
  2. Select Users and click Multi-Factor Authentication
  3. Do not allow users to create app passwords. App passwords are needed for apps that don’t support modern authentication. You should avoid the use of these kinds of apps in your tenant.
  4. Disable the Call to phone and text message verification methods. These are known to be less secure. The mobile app is the preferred method to use.
  5. Set trusted devices to 90 days. This lowers how often users need to verify, which helps prevent them from approving an MFA request they did not initiate. Users who get the prompt too often get used to it and may approve it without having performed a sign-in action themselves.

You can now add number matching and additional context (location and app) to the MFA request notification. This really helps with identifying who made the MFA request. Make sure you take a look at these new features (released mid-November 2021).

Enabling MFA for your users

The best way to implement MFA is based on conditional access. You get this when you use the security defaults, but if you don’t want to or can’t use security defaults, then you will need Azure Premium Plan 1 for this.

If you don’t want to use the security defaults and you don’t have Conditional Access, then your only option is to enable MFA for each user manually.

A good option is to inform your users about MFA and give them a two-week period to enable MFA themselves. Users can enable MFA through the following link: https://aka.ms/mfasetup.

Next, you can use this PowerShell script to get all the users that don’t have MFA enabled yet, and even enable it per user with the following script.
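The per-user report and enable step described above, as an added example that is not the author's linked script. It uses the MSOnline module (the same module this guide uses later with Connect-MsolService); the break-glass UPN is a placeholder.

```powershell
# Added example. Assumes the MSOnline module is installed (Install-Module MSOnline)
# and that you connect as a Global Administrator.
Connect-MsolService

# Per-user MFA state lives in StrongAuthenticationRequirements:
# an empty collection means MFA is not enabled for that account.
function Get-UsersWithoutMfa {
    Get-MsolUser -All |
        Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 } |
        Select-Object DisplayName, UserPrincipalName, IsLicensed
}

# Enable per-user MFA for one account. "Enabled" asks the user to register a
# method at the next sign-in; "Enforced" additionally blocks clients that
# cannot do MFA until registration is complete.
function Enable-UserMfa {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced')] [string] $State = 'Enabled'
    )
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

# 1. Report: which licensed users still have no MFA? Export the list for the
#    two-week reminder campaign described above.
Get-UsersWithoutMfa | Where-Object IsLicensed |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

# 2. After the grace period, enable MFA for everyone who is still missing it,
#    skipping the emergency access account (placeholder UPN, see next section).
$excluded = @('breakglass@contoso.com')
Get-UsersWithoutMfa |
    Where-Object { $_.IsLicensed -and $_.UserPrincipalName -notin $excluded } |
    ForEach-Object { Enable-UserMfa -UserPrincipalName $_.UserPrincipalName }
```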

Create an emergency access Admin Account

Microsoft recommends that you create two emergency admin accounts. The idea behind this is that these accounts are excluded from multi-factor authentication and conditional access policies. If you don’t use conditional access policies, then one emergency account excluded from MFA is enough.

These accounts prevent you from being locked out of your Azure Active Directory in case of an unforeseen circumstance. For example, a mobile phone network outage that prevents you from approving the MFA request, or the sudden departure of the only Global Administrator.

Don’t use these accounts on a daily basis, only when you have lost access to Azure AD with your normal global admin account.

You can create the admin account in the Office 365 admin center under Users > Active Users > Add a user.

You don’t need to assign a product license to the user, only make sure you give the account Global Administrator access under the optional settings.

Write down the temporary password and change the password to a strong and very long randomly generated password. Store the password in a safe place to which multiple authorized people have access.

Make sure you exclude one account from the Conditional Access policies (if you use them) and exclude the other account from multi-factor authentication.

You can find more information about the emergency admin account here in the Azure AD documentation.

Assign Role-Based Access Control (RBAC) for admins

Role-based access control for admins is based on the principle of least privilege (POLP). User (admin) accounts should always have the minimum privilege level that is needed to do their job.

Helpdesk employees don’t need to have Global Administrator access, for example, they could probably do their job with only the Helpdesk and User administrator role.

For service accounts that only need to read user accounts from the Azure Active Directory, you could use the Directory Reader role. This allows the application to read all the user accounts.

You can assign the roles in the Microsoft Office 365 Admin Center. But I find it easier to do this through the Azure Active Directory:

  1. Select Users and the user you want to change
  2. Click on Assigned Roles
  3. Click Add assignments
  4. Select the appropriate role(s) and click on Add

You can also view all the roles and the assigned users under Roles and administrators in the Azure Active Directory.

Enable Unified Audit Log

While we need to do everything we can to prevent unauthorized access and to secure our Office 365 tenant, we also need to plan ahead in case someone gains access to our systems. Logging allows you to trace back when, what, and maybe even how a breach happened.

The mailbox audit log is enabled by default, but you also want to enable the Unified Audit Log. This allows you to collect all the logs in the Microsoft 365 Compliance Center, which makes it easier to search through them. It also allows you to create alerts based on events that happen.

Each entry in the Unified Audit Log is kept for 90 days by default. If you need to keep the entries longer then you will need an E5 license for your users.

We can use PowerShell to enable the Unified Audit Log. Make sure you are connected to Exchange Online and run the following cmdlet:

```powershell
# Get the current Unified Audit Log status
Get-AdminAuditLogConfig | select UnifiedAuditLogIngestionEnabled

# Enable Unified Audit Log
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
```

You can also enable it in the Compliance Center.

  1. Open the Compliance Center
  2. Click Show All in the sidebar
  3. Select Audit
  4. Click on Start recording user and admin activity

Enable Alert Policies

Alert Policies are enabled by default in your Microsoft Office 365 Tenant. These policies help you to track user and admin activities, and alert you in case of threats or data loss incidents. You will find the policies in the Microsoft 365 Compliance Center under Policies. They are listed as Office 365 Alert.

If you click on the policy you will be redirected to the old Security and Compliance center where you can view all the policies. Check if all the system type policies are enabled by filtering the list on Status – Off.

To prevent data loss I also recommend that you create a new alert that is triggered when a Team is deleted. When a Team owner deletes a Team from the Teams list, this can also result in deletion of the SharePoint site and all the data.

Enable Continuous Access Evaluation

Authentication in Office 365 is based on OAuth 2.0 access tokens. These tokens authorize the user to access the services, for example when a user opens Outlook or logs into SharePoint. By default, the token is valid for one hour and refreshes automatically in the background when it’s expired.

The problem with this token lifetime of an hour is that any changes in the user’s authorization are only detected after an hour at most. When the user, for example, changes from network location, then the conditional access policies are only triggered when the token is renewed.

By enabling Continuous Access Evaluation (CAE) we can shorten this period to nearly real-time, with a max of 15 minutes due to event propagation time.

Note: Microsoft has moved CAE to Conditional Access, which requires at least an Azure AD Premium P1 plan. Continuous Access Evaluation is automatically enabled as part of a conditional access policy. You can fine-tune CAE under the Session setting of a Conditional Access Policy.

Enable Azure Portal Inactivity Timeout

In the Azure Portal, you can set an inactivity timeout for all the portal users (and admins). You will need to have Global Administrator rights to change the settings.

  1. Click on the gear icon
  2. Select Configure directory level timeout
  3. Enable the idle timeout and set it to 30 minutes for example

Any portal user that is inactive for more than 30 minutes will get automatically signed out. I assume that your admins already have a proper habit of locking their device when they leave it unattended, but an extra security measure never hurts.

Enable Preset Security Policies in Exchange Online

Microsoft has created two preset security policies for Exchange Online, a standard, and a strict policy to secure your Office 365 mail. These templates contain policies to protect your Exchange Online environment against the latest attack trends.

The advantage of using one of these templates instead of creating the policies manually is that they will automatically update your settings with Microsoft’s latest recommendations.

You can find the policies in the Security and Compliance Center:

  1. Expand Threat Management and select Policy
  2. Click on Preset Security Policies
  3. Edit the Standard Protection
  4. Add the condition The recipient’s domains are
  5. Add all the domains of your tenant
  6. Confirm the settings

In addition to the security policy template, also check the Configuration Analyzer. It recommends changes to settings that are not covered by the standard template, and you should adopt them:

  • High confidence spam detection action
  • Phishing email detection action
  • Bulk email threshold
  • Quarantine retention period
  • Enable end-user spam notifications
  • Common Attachment Types Filter

I also recommend using the free 365 Threat Monitor from Hornetsecurity. This tool monitors your users’ mailboxes and alerts you when a phishing mail has slipped through the Exchange Online security. This is a great way to see how well (or badly) your policies are working.

Enable External Email Tagging

A newly released feature in Exchange Online allows you to tag external emails. External email tagging is an extra security measure to make your users more aware of the origin of an email. We often see phishing attacks in which the attackers spoof an internal email address.

By automatically tagging all external emails, we can make it more clear for the users that the email was sent from outside the organization.

At the moment we need to use PowerShell to enable this new feature. If you want more information about it, then make sure you read this article where I explain more about email tagging.

```powershell
# Connect to Exchange Online
Connect-ExchangeOnline

# Enable external email tagging
Set-ExternalInOutlook -Enabled $true

# Verify results
Get-ExternalInOutlook

# Result:
RunspaceId : 4b07eecc-34c5-4add-8ee4-80d25aa4aff4
Identity   : 11e55098-68ad-4992-aaf8-c5fdceb3b6da
Enabled    : True   # < External tagging enabled
AllowList  : {}
```

Besides tagging, we can also add a custom warning to external emails with specific words or phrases in the subject or body. This way we can show a warning on suspicious phishing emails.

If you want to add these warnings to your tenant, then follow this guide.

Block Basic Authentication Protocols

Basic or Legacy Authentication Protocols allow you to connect to Exchange Online without the use of Modern Authentication. This means that an attacker only needs a username and password to connect, which they can get after a successful phishing mail attempt.

Starting in Q2 of 2021, Microsoft will automatically disable the basic protocols that you are not using, to secure Office 365. The plan was to disable all protocols, but that has been postponed due to the pandemic.

The best option is not to wait but to start with disabling the basic protocols, because they are actively used by attackers. Before you can disable them you will need to make sure that your users and business applications are not using any of the protocols.

  1. Open the Microsoft 365 Admin Center
  2. Select Reports -> Usage
  3. Click on View More under the Email Activity chart
  4. Select the Email app usage tab

If you hover over the user’s chart you can see how many users (or accounts) are using the different protocols. In the table, under the chart, you can choose the columns. Add the IMAP4, POP3, and SMTP columns. You can now see which users are using the basic protocols.

Another good resource is the sign-ins overview in the Azure Active Directory.

  1. Add a filter and select Client App
  2. Select all the Legacy Authentication Clients
  3. Also, add the column Client App

The two overviews together will give you a nice overview of all the accounts that are still using legacy authentication protocols.

Users that are still using legacy protocols (older mail clients on mobile phones, or Apple Mail) should use the Microsoft Outlook app. Inform the users about the upcoming change and give them time to migrate before you turn off the protocols.

Blocking Basic Authentication Protocols

The best option is to block all the basic authentication protocols for all users. But in an existing tenant that is not always possible. Business applications may still be using legacy protocols like SMTP or IMAP, preventing you from disabling them for everybody.

If you still need to use IMAP, for example, then disable all the other authentication protocols that you don’t need in the Admin Center (which I will explain in a bit). For IMAP, we can block the protocol for all the users that don’t need it. We leave the protocol only turned on for those few mailboxes that really need it.

We start with the easiest option: blocking the protocols for all users in the Microsoft 365 Admin Center:

  1. Expand Settings and select Org settings
  2. Select Modern Authentication
  3. Turn off all the basic authentication protocols that you are not using

We can use PowerShell to disable the protocols per mailbox. Just to be clear, per mailbox you don’t disable the authentication protocol, but the protocol itself.

If you only need to leave it enabled for a few mailboxes, then the easiest approach is to disable it first for all the mailboxes with PowerShell, and then turn the protocol back on for only those mailboxes that really need it.

```powershell
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName tenantadmin@contoso.com

# Get all mailboxes with Basic Protocols enabled
Get-EXOCasMailbox | Select-Object Identity,ImapEnabled,PopEnabled | ft

# Disable for all existing mailboxes
Get-CasMailbox -Filter {ImapEnabled -eq $true -or PopEnabled -eq $true} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

# Disable SMTP Authentication per mailbox
Get-CASMailbox | where {$_.SmtpClientAuthenticationDisabled -ne $true} | Set-CASMailbox -SmtpClientAuthenticationDisabled $true
```

You also want to disable the legacy protocols for all new mailboxes. We can do this by disabling the protocols on all the mailbox plans (you can have multiple plans, each corresponding to its own license type).

```powershell
Get-CASMailboxPlan | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
```
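The exception workflow described above (disable IMAP and POP everywhere, then turn IMAP back on only for the few mailboxes that really need it), as an added example that is not the author's script. The admin UPN and the allow list are constructed placeholders.

```powershell
# Added example. Assumes the Exchange Online PowerShell module (Connect-ExchangeOnline)
# and a short, reviewed list of mailboxes that genuinely still need IMAP.
Connect-ExchangeOnline -UserPrincipalName tenantadmin@contoso.com   # placeholder UPN

# Constructed allow list: the only mailboxes that keep IMAP after the change.
$ImapAllowed = @('scanner@contoso.com', 'erp-mailbox@contoso.com')

# Step 1: snapshot the current state so the change can be rolled back.
Get-EXOCasMailbox -ResultSize Unlimited -Properties ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled, SmtpClientAuthenticationDisabled |
    Export-Csv -Path .\casmailbox-before.csv -NoTypeInformation

# Step 2: turn IMAP and POP off everywhere ...
Get-EXOCasMailbox -ResultSize Unlimited -Properties ImapEnabled, PopEnabled |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    ForEach-Object { Set-CASMailbox -Identity $_.PrimarySmtpAddress -ImapEnabled $false -PopEnabled $false }

# Step 3: ... and back on only for the allow list (POP stays off).
foreach ($mbx in $ImapAllowed) {
    Set-CASMailbox -Identity $mbx -ImapEnabled $true
}

# Step 4: verify. Any mailbox with IMAP on that is not in the allow list is drift
# worth investigating, e.g. a new mailbox created from a plan that still has IMAP on.
function Get-ImapDrift {
    Get-EXOCasMailbox -ResultSize Unlimited -Properties ImapEnabled |
        Where-Object { $_.ImapEnabled -and $_.PrimarySmtpAddress -notin $ImapAllowed } |
        Select-Object PrimarySmtpAddress, ImapEnabled
}

$drift = Get-ImapDrift
if ($drift) { $drift | Format-Table -AutoSize }
else { Write-Host 'IMAP is enabled only for the allow list.' }
```

Re-run Get-ImapDrift periodically (or after each new mailbox plan change); it should return nothing once the mailbox plans are also fixed.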

Block Legacy Authentication for SharePoint

Some third-party apps in Office 365 don’t enforce multi-factor authentication and allow your users to connect to SharePoint without MFA, which is not really secure of course.

We can block the access of these apps in the SharePoint Admin Center.

  1. Expand Policies and select Access Control
  2. Select Apps that don’t use..
  3. Block the access

Block Shared Mailbox Sign-in

If you create a Shared, Room, or Equipment Mailbox in Office 365, it will automatically also create an active user. This user doesn’t have a license, but you can sign in with this user. All you need to have is the password.

There is really no need for a shared mailbox user to be able to sign in. Access to the shared mailbox is managed with permissions. So why leave the user account exposed?

What you should do is block the sign-in on all the Shared Mailbox accounts. You can do this in the Admin Center or with PowerShell.

  1. Select Active Users
  2. Filter the list on unlicensed users
  3. Select the Shared Mailbox and Resource user accounts
  4. Click on the ellipsis and select Edit Sign-In Status
  5. Block the users from signing in

Disable the sign-in to shared mailboxes with PowerShell

```powershell
# Connect to Exchange Online and Msol
Connect-ExchangeOnline
Connect-MsolService

# Get an overview of all Shared, Room and Equipment mailboxes
Get-EXOMailbox -Filter {(RecipientTypeDetails -eq "SharedMailbox") -or (RecipientTypeDetails -eq "RoomMailbox") -or (RecipientTypeDetails -eq "EquipmentMailbox")} | ft

# Disable the sign-in on the mailboxes
Get-EXOMailbox -Filter {(RecipientTypeDetails -eq "SharedMailbox") -or (RecipientTypeDetails -eq "RoomMailbox") -or (RecipientTypeDetails -eq "EquipmentMailbox")} | Foreach-object {Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $true}
```

Block Auto-forwarding to External Domain

When attackers gain access to one of your user’s mailboxes they can extract the mail by creating an auto-forward rule to their own (external) mailbox. Auto-forwarding to an external domain is normally not used, so you should block it.

  1. Open the Exchange Admin Center
  2. Select Mail Flow
  3. Create a new rule and name it “Block auto-forward to external domain”
  4. Select More options at the bottom of the screen
  5. Configure the rule as follows:
    • Apply this rule if: The sender is located – inside the organization
    • Add a condition: The recipient is located – outside the organization
    • Add a condition: The Message Properties – include the message type – Auto-Forward
    • Do the following: Block the message – reject the message with the explanation – “Auto-forwarding to an external domain not allowed”
  6. Audit this rule with severity level Medium
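The same mail flow rule created with Exchange Online PowerShell, plus a check for forwarding that may already be in place, as an added example that is not part of the original post. Get-ExternalForwarding is a helper defined here, not an Exchange cmdlet.

```powershell
# Added example. Assumes Connect-ExchangeOnline works for an Exchange administrator.
Connect-ExchangeOnline

# 1. The transport rule, one parameter per condition/action from the steps above.
$rule = @{
    Name                    = 'Block auto-forward to external domain'
    FromScope               = 'InOrganization'     # the sender is located inside the organization
    SentToScope             = 'NotInOrganization'  # the recipient is located outside the organization
    MessageTypeMatches      = 'AutoForward'        # message type: Auto-Forward
    RejectMessageReasonText = 'Auto-forwarding to an external domain not allowed'
    SetAuditSeverity        = 'Medium'             # audit this rule with severity level Medium
}
if (-not (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue)) {
    New-TransportRule @rule
}

# 2. The Default remote domain setting also stops automatic forwarding to every
#    external domain, independent of mail flow rules.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 3. The rule only stops future forwards. Also find forwarding that is already
#    configured, on the mailbox itself and in inbox rules, and review every hit.
function Get-ExternalForwarding {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress
                Source  = 'Mailbox setting'
                Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            }
        }
        Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress -ErrorAction SilentlyContinue |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress
                    Source  = "Inbox rule: $($_.Name)"
                    Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)) -join '; '
                }
            }
    }
}
Get-ExternalForwarding | Format-Table -AutoSize
```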

Block User Consent to Apps

A new way attackers try to gain access to your data is by using Consent Phishing. Instead of stealing the credentials of your users, they trick the users into granting them permission. To do this, they create a malicious app and register it in the app store.

With the permissions, they can read the user’s profile, send mail on behalf of the users, and have full access to the files that the user can access.

Microsoft has already taken action to secure Office 365 further by verifying apps. But that doesn’t stop malicious apps from entering the app store.

You can prevent the authorization of the unverified apps by disabling user consent in the Microsoft 365 Admin Center and setting up the custom app consent policies in Azure Active Directory.

  1. Open Microsoft 365 Admin Center
  2. Expand Settings and select Org Settings
  3. Select User consent to apps
  4. Turn off “Let users provide consent..”

The next step is to set up the consent policies in Azure Active Directory:

  1. In Azure AD select Enterprise Applications
  2. Select Consent and permissions
  3. Select Allow user consent for apps from verified publishers and Do not allow group owner consent
  4. Click on Permission classifications
  5. Add the 5 low-risk permissions. (You can always add custom permissions if you need to)
  6. Go back to the Enterprise applications and select User Settings
  7. Enable Users can request admin consent
  8. Add one or more admins for the request

Admins will get an email when a user has requested consent. You can also see the requests under Enterprise Applications > Admin consent requests.

Block User Access to Azure Portal

Authenticated users have by default access to the Azure Portal and the Azure Active Directory. They only have read access, so they can’t change anything. In my opinion, there is really no need for a normal user to browse through your Azure AD settings.

We can block the access with a simple switch in Azure AD under User Settings.

Block guest can invite access

Your users can invite guests to collaborate on a Word document or other resources, which is perfectly fine. But did you know that by default guests can also invite other guests?

You want to keep in control of who can access your data, so you should not allow guests to invite others.

In the Azure Active Directory, navigate to External Identities and select External collaboration settings. Make sure that Guests can invite is set to no.

You may also want to check if the one-time passcode is turned on. This allows guests to access shared documents with a one-time passcode instead of a Microsoft account.

Block Anonymous Users can join a Meeting

By default, anonymous users can join any Teams meeting if they have the link to the meeting. Depending on your organization’s needs, you should turn this off. If your company holds public meetings with customers where you send out an open invitation that anyone can join, then you will need to leave this setting enabled.

But if all the meetings are only business to business or directly with known clients/customers then it’s better to turn the anonymous access off.

  1. Open the Teams Admin Center
  2. Expand Meetings and select Meeting Settings
  3. Turn off Anonymous users can join a meeting

Limit External Sharing in SharePoint

Sharing in SharePoint is really convenient for your users, they can create a link, and can share it with anyone they want. But that comes with a risk, by default, anyone who gets the link can access the shared item.

To secure Office 365 you want only the person that you shared the link with to be able to access the folder. Also, it’s a good idea to let the guest sign in, or at least enter a verification code.

  1. Open the SharePoint Admin Center
  2. Navigate to Policies > Sharing
  3. Change Content can be shared with to New and existing guests (this way they need to verify)
  4. Expand More external sharing settings
  5. Enable Guest must sign in using the same account to which sharing invitations are sent
  6. Make sure that Allow guest to share items they don’t own is disabled
  7. And enable People who use a verification code… and set it to 30 days.
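The settings from the SharePoint sections above (blocking apps that don't use modern authentication, and the external sharing settings in the seven steps just listed), applied and verified with the SharePoint Online Management Shell. This is an added example, not code from the original post; "contoso" is a placeholder tenant name and Get-SharingDrift is a helper defined here.

```powershell
# Added example. Assumes the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint administrator account.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Target state, one tenant property per setting in the guide.
$Desired = @{
    LegacyAuthProtocolsEnabled                 = $false                     # block apps that don't use modern authentication
    SharingCapability                          = 'ExternalUserSharingOnly'  # content can be shared with new and existing guests only
    RequireAcceptingAccountMatchInvitedAccount = $true                      # guest must sign in with the account the invitation was sent to
    PreventExternalUsersFromResharing          = $true                      # guests cannot share items they don't own
    EmailAttestationRequired                   = $true                      # people who use a verification code must re-verify ...
    EmailAttestationReAuthDays                 = 30                         # ... every 30 days
}

# Compare the live tenant against the target; returns only the settings that differ.
function Get-SharingDrift {
    $tenant = Get-SPOTenant
    foreach ($name in $Desired.Keys) {
        $actual = $tenant.$name
        if ("$actual" -ne "$($Desired[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $Desired[$name]; Actual = $actual }
        }
    }
}

$drift = Get-SharingDrift
if ($drift) {
    $drift | Format-Table -AutoSize
    Set-SPOTenant @Desired   # apply all settings in one call
    Get-SharingDrift         # should now return nothing
} else {
    Write-Host 'SharePoint legacy auth and sharing settings already match the guide.'
}
```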

User Password Policies

With MFA enabled we can change some settings when it comes to our password policies. We can remove the password expiration policy. The latest studies showed that password expiration does more harm than good. Even Microsoft now recommends removing the password expiration requirements to further secure Office 365.

A compromised user account is pretty much always used immediately by the attackers. And users that need to change their password often tend to use a predictable pattern.

Set password expiration policy

If you are using AD Connect to sync your users and password, then the password expiration policy is taken over from your local group policy.

You can change the password expiration in the Microsoft Office 365 Admin Center:

  1. Select Settings and then Org Settings
  2. Choose Security & Privacy
  3. Select password expiration policy
  4. Make sure it’s turned off

Enable Self-Service Password Reset

Allow your users to reset their own password when needed. By default this is disabled. Letting users reset their own password isn’t really a security improvement for Office 365, but it results in fewer tickets/calls to the helpdesk.

If you are using Azure AD Connect then you will need to have at least Azure AD Premium P1 to enable password write-back. Without password write-back, you can’t use SSPR.

What you do need to change are the requirements to reset the password.

  1. In Azure Portal select Users
  2. Choose Password reset
  3. Select Properties
  4. Enable it for all Users

Next, we need to set the authentication methods that are needed to change a password. By default, only one method is required and that can be email or mobile phone.

Give your users at least the option to register multiple authentication methods, including Mobile app code. You can also increase the number of methods that are required to reset a password from one to two, but before you do that make sure your users have multiple methods registered.

Get notified on password change

Select Notifications and make sure that users are notified when their password is changed. I also recommend enabling the admin notification alert. All admins in the tenant will get notified when other admins change their passwords.

Allow Combined Security Information Registration

If you have enabled self-service password reset (and of course you have enabled MFA), then you can make it a little bit easier for your users by allowing the combined security information registration.

Without it, users will need to register the authentication methods separately for MFA and SSPR. This feature is enabled by default for new tenants that are registered after August 14th, 2020.

  1. Select Users
  2. Choose User Settings
  3. Click on Manage user feature preview settings
  4. Set User can use combined security information registration experience to All

Corporate branding of the login page

Branding your Microsoft 365 login screen doesn’t only look nice, it also helps you to secure Office 365. Adding your logo to the Microsoft 365 login screen can mitigate phishing attempts because your users can better recognize the malicious login screen.

I have already written a guide on how you can customize the login screen, with some tips. You can find the article here. Make sure you customize it, it only takes a couple of minutes.

Configure SPF, DKIM and DMARC

Besides securing your Office 365 tenant, it’s also important to protect your mail domain. Attackers can easily spoof your mail domain if you haven’t configured SPF, DKIM and DMARC. Now, SPF is required to send any mail from a custom domain in Office 365. So you probably have that configured already.

But most tenants don’t have DKIM and DMARC configured. SPF is a good first step, but you really need DKIM as a minimum to prevent spoofing. DMARC is a bit harder to configure, but nevertheless important as well.
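A check of the three records from the outside, followed by turning on DKIM signing in Exchange Online, as an added example that is not part of the original post. Resolve-DnsName comes with Windows (DnsClient module); contoso.com is a placeholder and Get-TxtRecord is a helper defined here.

```powershell
# Added example. Assumes a Windows host with Resolve-DnsName and an Exchange
# Online administrator for the DKIM part.
$Domain = 'contoso.com'   # placeholder: your custom mail domain

# All TXT strings published for a name, each record joined into one string.
function Get-TxtRecord ([string] $Name) {
    Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { $_.Strings -join '' }
}

# SPF: a TXT record on the domain itself, starting with v=spf1. For Office 365 it
# must include spf.protection.outlook.com, otherwise your own mail fails SPF.
$spf = Get-TxtRecord $Domain | Where-Object { $_ -like 'v=spf1*' }
if ($spf -and $spf -match 'include:spf\.protection\.outlook\.com') {
    Write-Host "SPF OK: $spf"
} else {
    Write-Warning 'SPF record missing or does not include spf.protection.outlook.com'
}

# DKIM: Office 365 signs with two selectors; each needs a CNAME in your DNS.
# Get-DkimSigningConfig (below) shows the exact target each CNAME must point to.
foreach ($selector in 'selector1', 'selector2') {
    $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' }
    if ($cname) { Write-Host "DKIM $selector -> $($cname.NameHost)" }
    else { Write-Warning "DKIM CNAME $selector._domainkey.$Domain not found" }
}

# DMARC: a TXT record on _dmarc.<domain>. p=none only reports; only quarantine
# or reject tells receivers to act on spoofed mail.
$dmarc = Get-TxtRecord "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' }
if (-not $dmarc) { Write-Warning 'No DMARC record published' }
elseif ($dmarc -match 'p=none') { Write-Warning "DMARC is in monitoring mode only: $dmarc" }
else { Write-Host "DMARC OK: $dmarc" }

# DKIM signing must also be enabled in Exchange Online (after the CNAMEs exist).
Connect-ExchangeOnline
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) { New-DkimSigningConfig -DomainName $Domain -Enabled $true }
elseif (-not $dkim.Enabled) { Set-DkimSigningConfig -Identity $Domain -Enabled $true }
Get-DkimSigningConfig -Identity $Domain | Select-Object Domain, Enabled, Selector1CNAME, Selector2CNAME
```

Publish the two CNAMEs shown by Get-DkimSigningConfig before enabling signing, or the enable step fails with a DNS error.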

Wrapping Up

If you found this Microsoft 365 Best Practice guide useful then please share it. I will keep this guide updated with the latest recommendations.

An important part to keep Microsoft Office 365 secure is to regularly check the audit logs and keep up with the security recommendations in the Microsoft 365 Security Center.

If you have any questions, or recommendations that should be added to the guide, then please drop a comment below.