Top 10 security best practices in M365 you should have already implemented.

A long overdue post. I had a dream I was David Letterman, doing a Top 10 of Microsoft 365 security best practices. With over a decade in the practice, I have spent a considerable amount of time focused on security and remediation. The gaps I saw across many client environments were shocking and staggering. Do what you can to avoid making the front page as the next huge public breach. It is up to you, the IT Pro, to take a proactive stance against unwanted attacks and breaches.

10. Pet peeve. Remove the tenant's .onmicrosoft.com alias from all active production users. Leaving it in place not only exposes a knowledge gap on the admin's part but is a huge "come attack me" banner. If this simple step was overlooked when offering clean email addresses to external customers, partners, and users, what else was missed in your security profile? Yes, you, Mr. big-name insurance company that sends my account update by way of "on behalf of xxxxxx@.onmicrosoft.com."

9. Minimize Global Admin users and ensure each admin account carries the real user's name. Do yourself a favor and do not create generic accounts like Admin@company.com with the user set to Admin Admin. This is not best practice and will only create verification issues if you are severely compromised.
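One way to check this item, as an added example that is not part of the original post: enumerate the members of the Global Administrator role with the Microsoft Graph PowerShell SDK and flag accounts whose display name or sign-in name looks generic rather than tied to a person. It assumes the Microsoft.Graph module is installed and that you hold a role allowed to read directory roles; the "generic name" pattern and the threshold in the warning are this example's own.

```powershell
# Added example (not from the original post): list Global Administrator role
# members and flag generic-looking accounts such as "Admin Admin" / admin@...
# Assumes Microsoft.Graph is installed; the name pattern is a heuristic.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome

# Get-MgDirectoryRole only returns roles that have been activated in the tenant.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) { throw "Global Administrator role not found (not yet activated?)" }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All
$genericPattern = '^(admin|administrator|it|helpdesk|test|service)\b'   # heuristic, case-insensitive

$report = foreach ($m in $members) {
    # Role members may be users, groups or service principals; resolve users only here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $m.Id -Property DisplayName,UserPrincipalName,AccountEnabled
    [pscustomobject]@{
        DisplayName       = $u.DisplayName
        UserPrincipalName = $u.UserPrincipalName
        Enabled           = $u.AccountEnabled
        LooksGeneric      = ($u.DisplayName -match $genericPattern) -or
                            ($u.UserPrincipalName -match $genericPattern)
    }
}

"Global Administrators (user accounts): $(@($report).Count)"
# Microsoft Entra guidance is to keep Global Admins to fewer than five.
if (@($report).Count -gt 4) {
    Write-Warning "More than four Global Admins; trim to the minimum and use least-privilege roles (and PIM where licensed)."
}
$report | Sort-Object LooksGeneric -Descending | Format-Table -AutoSize
```

Anything that comes back with LooksGeneric set to True is a candidate for renaming to a named, individually accountable account or for removal from the role.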

8. Scan your resource mailboxes in the Exchange Admin Center, and your mail-enabled users in Azure, for @yahoo.com or @gmail.com addresses or anything else that does not look correct or authorized, or that indicates a foreign breach by an unauthorized user with elevated access rights.
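The checks in items 10 and 8 above, as an added example that is not from the original post: an Exchange Online audit that reports (a) production user mailboxes still carrying a tenant.onmicrosoft.com secondary alias and (b) resource or shared mailboxes and mail-enabled users whose forwarding or external address points at a consumer mail domain. It runs read-only unless `-Remediate` is passed, and assumes the ExchangeOnlineManagement module; the consumer-domain list is this example's own.

```powershell
# Added example (not from the original post): Exchange Online hygiene audit for
# stale .onmicrosoft.com aliases and consumer-domain addresses. Read-only unless
# -Remediate is supplied. Assumes the ExchangeOnlineManagement module.
param([switch]$Remediate)
Connect-ExchangeOnline -ShowBanner:$false

$consumerDomains = 'gmail.com','yahoo.com','hotmail.com','outlook.com','aol.com'   # example list
$consumerRegex   = '@(' + (($consumerDomains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'

# (a) Secondary onmicrosoft.com aliases on user mailboxes. Only lowercase "smtp:"
# (secondary) addresses are touched; an uppercase "SMTP:" primary on onmicrosoft.com
# means the user has no vanity-domain address at all and needs a different fix.
# Directory-synced objects (including hybrid tenant.mail.onmicrosoft.com routing
# addresses) are reported but never edited here; change those on-premises.
$aliasFindings = foreach ($mbx in Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited) {
    $stale = @($mbx.EmailAddresses | Where-Object { $_ -cmatch '^smtp:.*\.onmicrosoft\.com$' })
    if ($stale.Count -gt 0) {
        [pscustomobject]@{
            Mailbox      = $mbx.UserPrincipalName
            StaleAliases = ($stale -join ';')
            DirSynced    = $mbx.IsDirSynced
        }
        if ($Remediate -and -not $mbx.IsDirSynced) {
            Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ remove = @($stale | ForEach-Object { $_.ToString() }) }
        }
    }
}

# (b) Consumer-domain targets on resource/shared mailboxes and mail users.
$resources = Get-Mailbox -RecipientTypeDetails RoomMailbox,EquipmentMailbox,SharedMailbox -ResultSize Unlimited
$fwdFindings = $resources |
    Where-Object { $_.ForwardingSmtpAddress -and ($_.ForwardingSmtpAddress -match $consumerRegex) } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, DeliverToMailboxAndForward
$mailUserFindings = Get-MailUser -ResultSize Unlimited |
    Where-Object { $_.ExternalEmailAddress -match $consumerRegex } |
    Select-Object Name, ExternalEmailAddress, WhenCreated

"Stale onmicrosoft.com aliases: $(@($aliasFindings).Count)"
$aliasFindings | Format-Table -AutoSize
"Resource/shared mailboxes forwarding to consumer domains: $(@($fwdFindings).Count)"
$fwdFindings | Format-Table -AutoSize
"Mail users with consumer external addresses: $(@($mailUserFindings).Count)"
$mailUserFindings | Format-Table -AutoSize
```

Run it once without `-Remediate` and review the three tables; a forwarding address on a room or equipment mailbox that nobody can explain deserves an incident ticket, not just a cleanup.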

7. Standardize company policies on content sharing and access. Eliminate disparate third-party personal storage and consumer chat apps for corporate assets.

6. Set up multi-factor authentication (MFA)
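One way to roll MFA out tenant-wide, as an added example that is not from the original post: a Conditional Access policy that requires MFA for all users and all cloud apps, excludes an emergency-access ("break-glass") account so admins cannot lock themselves out, and starts in report-only mode so the sign-in logs show who would be affected before it is enforced. It then lists users who have not yet registered an MFA method. It assumes the Microsoft.Graph module and the Conditional Access Administrator role; the break-glass UPN is a placeholder.

```powershell
# Added example (not from the original post): tenant-wide MFA via Conditional
# Access, deployed report-only first. Assumes the Microsoft.Graph module.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","User.Read.All",
                        "AuditLog.Read.All","UserAuthenticationMethod.Read.All" -NoWelcome

$breakGlassUpn = 'breakglass@contoso.example'        # placeholder: your emergency-access account
$breakGlass    = Get-MgUser -UserId $breakGlassUpn -Property Id

$policy = @{
    displayName = "Require MFA for all users (report-only)"
    state       = "enabledForReportingButNotEnforced"  # change to "enabled" after reviewing impact
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Coverage check: who still has no MFA-capable method registered.
$unregistered = Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    Select-Object UserPrincipalName, IsAdmin, DefaultMfaMethod
"Users with no MFA method registered: $(@($unregistered).Count)"
$unregistered | Where-Object IsAdmin | Format-Table -AutoSize   # admins first
```

Leave the policy in report-only for a week or two, review the "Report-only" tab in the sign-in logs, chase the unregistered admins first, and only then switch `state` to `enabled`.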

5. Use Microsoft 365 ATP (Advanced Threat Protection)

➡️ Scanning email attachments for malware with ATP Safe Attachments

➡️ Scanning web addresses (URLs) in email messages and Office documents with ATP Safe Links

➡️ Identifying and blocking malicious files in libraries of SharePoint, OneDrive, and Teams

➡️ Checking email messages for unauthorized spoofing with spoof intelligence

➡️ Detecting impersonation of users and domains with ATP anti-phishing capabilities

➡️ Office 365 ATP is included in subscriptions, such as Microsoft 365 Enterprise, Microsoft.
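The first two ATP capabilities in the list above (Safe Attachments and Safe Links), as an added example that is not from the original post: the policies and the rules that scope them to the tenant's accepted domain, followed by a read-back to verify what applies. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 (the current name for Office 365 ATP) license; `contoso.example` and the `secops@` triage mailbox are placeholders.

```powershell
# Added example (not from the original post): Safe Attachments + Safe Links
# policies scoped to one accepted domain. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false
$domain = 'contoso.example'   # placeholder accepted domain

# Safe Attachments: detonate attachments in a sandbox before delivery.
# Action Block holds the message until the verdict is in; Redirect sends a copy
# of blocked mail to a security mailbox for triage.
New-SafeAttachmentPolicy -Name "Safe Attachments - Block" -Enable $true -Action Block `
    -Redirect $true -RedirectAddress "secops@$domain"
New-SafeAttachmentRule -Name "Safe Attachments - All users" `
    -SafeAttachmentPolicy "Safe Attachments - Block" -RecipientDomainIs $domain

# Safe Links: rewrite and scan URLs at click time in mail, Teams and Office apps,
# wait for the scan before delivering, and do not let users click through to a
# URL that was judged malicious.
New-SafeLinksPolicy -Name "Safe Links - Standard" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name "Safe Links - All users" `
    -SafeLinksPolicy "Safe Links - Standard" -RecipientDomainIs $domain

# Verify what is actually in force.
Get-SafeAttachmentPolicy | Select-Object Name, Enable, Action, Redirect | Format-Table -AutoSize
Get-SafeLinksPolicy | Select-Object Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough | Format-Table -AutoSize
```

`EnableForInternalSenders` matters more than it looks: a compromised internal mailbox sending links to colleagues is the classic lateral phishing move, and without it those links are not scanned.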

4. Enable audit log recording so there is a "breadcrumb trail" of all user activity. Very helpful when remediating a breach, researching the activity of a rogue employee, or in any other situation involving compromised assets.
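Turning the trail on and proving it is useful, as an added example that is not from the original post: confirm unified audit log ingestion is enabled, check that mailbox auditing has not been disabled at the organization level, and run a sample search for inbox-rule changes over the last seven days, a common post-compromise step that the audit log catches. It assumes the ExchangeOnlineManagement module and the Audit Logs role; the date window is the example's own.

```powershell
# Added example (not from the original post): enable/verify auditing and run a
# sample unified audit log search. Assumes ExchangeOnlineManagement.
Connect-ExchangeOnline -ShowBanner:$false

# Unified audit log ingestion covers Exchange, SharePoint/OneDrive, Teams and Entra events.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    "Unified audit log ingestion enabled; events start appearing within hours."
}
# Mailbox auditing is on by default at the organization level; make sure nobody turned it off.
if ((Get-OrganizationConfig).AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled org-wide: Set-OrganizationConfig -AuditDisabled `$false"
}

# Sample search: who created or changed inbox rules in the last 7 days.
$end   = Get-Date
$start = $end.AddDays(-7)
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations "New-InboxRule","Set-InboxRule","UpdateInboxRules"

$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json          # per-event details are a JSON document
    [pscustomobject]@{
        When       = $_.CreationDate
        User       = $_.UserIds
        Operation  = $_.Operations
        ClientIP   = $d.ClientIP
        Parameters = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
    }
} | Sort-Object When -Descending | Format-Table -AutoSize
```

Rules that forward or redirect mail, move messages to RSS or Deleted Items, or are created from an IP range the user has never signed in from are the ones to chase.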

3. Configure a mail flow rule to block messages from your own company domain arriving from outside sources. This eliminates most social engineering and phishing attempts that use a spoofed alias.
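The rule described above, as an added example that is not from the original post: a transport rule that rejects mail whose sender domain is your own but which arrives from outside the organization, with an exception for the IP ranges of third-party services that legitimately send as you (marketing or ticketing platforms). It starts in Audit mode so message trace shows the hits without rejecting anything, and is switched to Enforce afterwards. It assumes the ExchangeOnlineManagement module; the domain and IP range are placeholders.

```powershell
# Added example (not from the original post): reject external mail that claims
# to be from our own domain, with an allow-list for legitimate third-party
# senders. Assumes ExchangeOnlineManagement. Complements SPF/DKIM/DMARC, it
# does not replace them.
Connect-ExchangeOnline -ShowBanner:$false
$domain           = 'contoso.example'       # placeholder
$trustedSenderIPs = @('203.0.113.0/24')     # placeholder: platforms that send as $domain
$ruleName         = "Block external spoofing of $domain"

# -Mode Audit: nothing is rejected yet; hits show up in message trace / rule reports.
New-TransportRule -Name $ruleName `
    -FromScope NotInOrganization `
    -SenderDomainIs $domain `
    -ExceptIfSenderIpRanges $trustedSenderIPs `
    -RejectMessageReasonText "External mail from $domain is not accepted. Contact the IT helpdesk." `
    -Mode Audit `
    -Comments "Top-10 item 3: external mail spoofing our own domain"

Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, SenderDomainIs, ExceptIfSenderIpRanges

# After a review period with no false positives, enforce it:
# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Every legitimate sender that shows up during the audit period belongs either in the exception list or, better, in your SPF record and DKIM setup so the mail authenticates properly instead of being exempted.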

2. Run a Secure Score self-audit to get a baseline assessment of the gaps in your security profile across all workloads.

Cue the drum roll, please . . . . .

1. Train your users. Microsoft 365 was designed from the beginning to offer enterprise productivity tools to anyone, regardless of skill set and knowledge. Enable productivity safely and watch the digital nervous system connect all the users in a collaborative symphony.

Above all else, users are the single most vulnerable point of failure.
