Hardening Microsoft 365: Security Best Practices Checklist

Introduction

Safeguarding sensitive information is non-negotiable, especially for organizations relying on Microsoft 365 (formerly Office 365). At IntegriCom we often see all or most of the focus go to securing the more traditional infrastructure (servers, workstations, network devices) while forgetting to address where most of the client's most valuable data actually lives: in the cloud. As the threat landscape evolves, beefing up security measures and best practices for Microsoft 365 is a priority. This article is a practical guide, diving into essential best practices for hardening Microsoft 365. Whether you're an IT pro or just looking to bolster your organization's defenses, our checklist will help you strengthen your digital security and safeguard your assets against evolving cyber threats.

What is Microsoft 365 Hardening?

Microsoft 365 hardening is the process of implementing security measures and best practices to protect your organization’s data and infrastructure within the Microsoft 365 environment. This involves securing identities, access, and various Microsoft 365 components to mitigate the risk of cyber threats.

Why is Hardening Microsoft 365 Important?

In an era of increasing cyber threats, hardening Microsoft 365 is crucial to prevent unauthorized access, data breaches, and potential business disruptions. So often we see bad actors completely ignore a company's computers and servers in favor of the more enticing and less protected M365 environment. By implementing security best practices, organizations can fortify their digital defenses and maintain a secure computing environment.

What’s Your Microsoft Secure Score?

Before delving into the checklist, it's essential to understand your Microsoft Secure Score, a metric provided by Microsoft that measures your organization's security posture within Microsoft 365. It provides insights into your security configuration and recommends actions to improve it. The one big thing to note is that this is a Microsoft-provided score and should be read in that context. What do I mean? Well, the score will recommend fantastic actions to take like turning on MFA, but on the other hand you cannot get a perfect 100% score unless you buy all of Microsoft's extra licenses to enable additional features. Some of these additional features are fantastic and worth every penny, but others may not be applicable to your industry or to your unique organization. Additionally, the score does miss some crucial areas you will absolutely want to address.

How do I Improve my Office 365 Security Score?

To enhance your Office 365 Security Score, follow these steps:

  1. Regularly review and improve your Microsoft Secure Score.
  2. Implement recommended security configurations and practices.
  3. Do not let this score be the only determinant of your M365 security.

How do You Harden Microsoft 365?

Part 1: Secure Identities & Access (Entra ID formerly Azure AD)

Entra ID Basic Set Up Best Practices

  1. AD Connect – Cleanup: Regularly review and clean up AD Connect configurations.
  2. Custom Landing Page: Enhance security by customizing the Entra ID landing page (the login page shown when you sign in through a browser) with your logos. That lets your users recognize your branding when logging in and gives them a warning flag if they do not see it.
  3. Manage Local PC Admins in AAD: Control local PC administrators through Entra ID.
  4. Pre-Approve Enterprise Applications: See the first item under User & Admin Access Restriction below, where user consent to enterprise apps is blocked. Once that is in place, you will want to pre-approve essential enterprise applications for smoother operations.

User & Admin Access Restriction

  1. Do not allow users to grant consent to unmanaged applications: This is one of the most commonly attacked areas of M365. Bad actors try to trick a user into approving a malicious third-party app so that the attacker can take all of that user's data and potentially ransom your cloud environment.
  2. Do not allow users to register applications: This is similar to the previous item but deals with limiting application registrations to administrators.
  3. Restrict Access to the Entra ID Admin Portal: Secure sensitive admin portals by limiting access to the Entra ID admin portal.

Multi-Factor Authentication

  1. Enable MFA for all users: Add an extra layer of security for user authentication.
  2. Enable self-service password reset: Empower users to reset passwords securely.
  3. Reconfirm user authentication methods: Set a number of days after which users must re-validate their registered authentication methods.

Set Conditional Access Policies

  1. Force MFA on All Administrators: Strengthen administrator accounts with mandatory MFA.
  2. Force MFA on All Accounts: Extend MFA requirements to all user accounts.
  3. Block Legacy Authentication: Improve security by blocking legacy authentication methods. Besides MFA, this is the most important thing you can do for hardening your tenant. WARNING: Older devices or apps may require access to legacy authentication, but you will never want all users to have it allowed. There are ways to limit your exposure while still securing your M365 tenant by only allowing it for users who must have it and locking down the locations of these legacy auth logins.
  4. Geo-Blocking: Restrict access based on geographical location.
  5. Lock down accounts used by programs to those programs' IPs: Enhance security by restricting service and integration accounts to the specific IP ranges the program signs in from.
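The two Conditional Access items the article calls most important (block legacy authentication, force MFA on all accounts), as an added example using the Microsoft Graph PowerShell SDK; this is not code from the article. It assumes `$legacyAuthExceptionGroupId` and `$breakGlassGroupId` are object ids of groups you have already created for the few accounts that genuinely need legacy auth and for your emergency-access accounts, and it creates both policies in report-only mode so the sign-in logs show what would be blocked before anything is enforced.

```powershell
# Added example, not from the article. Requires the Microsoft.Graph module and an
# account allowed to manage Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Assumed group ids (placeholders): create these groups first and keep them tiny.
$legacyAuthExceptionGroupId = "<object id of the legacy-auth exception group>"
$breakGlassGroupId          = "<object id of the emergency-access accounts group>"

# 1. Block legacy authentication for everyone except the exception group.
#    "exchangeActiveSync" and "other" are the client app types that cannot do MFA.
$blockLegacy = @{
    DisplayName   = "CA001 - Block legacy authentication"
    State         = "enabledForReportingButNotEnforced"   # report-only first
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeGroups = @($legacyAuthExceptionGroupId) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("exchangeActiveSync", "other")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# 2. Require MFA for all users on all apps (modern clients; legacy is handled above).
$requireMfa = @{
    DisplayName   = "CA002 - Require MFA for all users"
    State         = "enabledForReportingButNotEnforced"
    Conditions    = @{
        Users          = @{ IncludeUsers = @("All"); ExcludeGroups = @($breakGlassGroupId) }
        Applications   = @{ IncludeApplications = @("All") }
        ClientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    GrantControls = @{ Operator = "OR"; BuiltInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa

# 3. Confirm what exists. Switch a policy to "enabled" only after the report-only
#    results in the sign-in logs show no legitimate traffic would be cut off.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <id> -State enabled
```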

Set Up Security Alerts & Logs

  1. Notify all admins when other admins reset passwords: Increase transparency in password reset activities.
  2. Entra ID Identity Protection Alerts enabled: Stay informed about identity protection alerts.
  3. Setup MFA Notifications: Enable notifications for Multi-Factor Authentication events.
  4. Enable Unified Audit Log (UAL): Centralize audit logs for comprehensive security monitoring.

Manually Review the Following Regularly

  1. Review Risky Users and Sign-ins: Identify and address potential security risks.
  2. Review list of Enterprise Applications for suspicious apps: Ensure only authorized applications are in use.
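The consent-grant attack described under User & Admin Access Restriction and the enterprise-application review above share one working check, added here as an example that is not code from the article. It uses the Microsoft Graph PowerShell SDK to list every delegated permission grant that an individual user (rather than an admin) consented to, flags grants carrying mail or file scopes from unverified publishers, and ends with the authorization-policy change that turns off user consent and user app registration; the `$sensitive` scope list is an assumption you should adjust to your tenant.

```powershell
# Added example, not from the article. Requires the Microsoft.Graph module.
Connect-MgGraph -Scopes "Application.Read.All", "Policy.Read.All", "Policy.ReadWrite.Authorization"

# Assumed list of delegated scopes that hand an app broad access to a user's data.
$sensitive = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Files.Read.All',
               'Files.ReadWrite.All', 'Contacts.Read', 'offline_access', 'Directory.Read.All')

# Index service principals (what the portal calls "Enterprise applications") by id.
$sp = @{}
Get-MgServicePrincipal -All | ForEach-Object { $sp[$_.Id] = $_ }

# ConsentType 'Principal' = a single user consented; 'AllPrincipals' = admin consent.
$findings = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    ForEach-Object {
        $scopes = ($_.Scope -split ' ') | Where-Object { $_ }
        $risky  = $scopes | Where-Object { $sensitive -contains $_ }
        $app    = $sp[$_.ClientId]
        [pscustomobject]@{
            App         = $app.DisplayName
            Publisher   = $app.PublisherName
            Verified    = [bool]$app.VerifiedPublisher.VerifiedPublisherId
            UserId      = $_.PrincipalId
            RiskyScopes = ($risky -join ' ')
        }
    }

# Unverified publishers with mail/file scopes float to the top of the review list.
$findings |
    Sort-Object @{ Expression = 'Verified'; Descending = $false },
                @{ Expression = { $_.RiskyScopes.Length }; Descending = $true } |
    Format-Table -AutoSize

# Hardening: no user consent and no user app registrations (admins can still do both).
# Check the current values with Get-MgPolicyAuthorizationPolicy before applying.
# Update-MgPolicyAuthorizationPolicy -AuthorizationPolicyId 'authorizationPolicy' `
#     -DefaultUserRolePermissions @{
#         AllowedToCreateApps                               = $false
#         PermissionGrantPolicyIdsAssignedToDefaultUserRole = @()
#     }
```

Anything the report surfaces that the organization did not approve is a candidate for revoking the grant and disabling the service principal, then checking that user's sign-ins and mailbox rules.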

Additional Security Protocols in Entra ID (machine-learning capabilities enabled with higher-level M365 licenses)

  1. Turn on sign-in risk policy: Proactively address sign-in risks.
  2. Turn on user risk policy: Monitor and mitigate user-specific security risks.
  3. Harden External Collaboration Settings: Secure external collaboration settings for added protection.

Part 2: Secure M365 Admin Center (MSOnline)

  1. Use limited administrative roles: Restrict administrative roles for enhanced security.
  2. Create DA Accounts (Device Admin Accounts): Designate Device Admin Accounts for device-level administration that do not carry the full rights of a Global Admin. That way, if you accidentally enter admin credentials on a compromised PC to install an app and those credentials are stolen, the entire M365 cloud is not compromised with them.
  3. Designate more than one global admin: Ensure redundancy in administrative access.
  4. Designate fewer than 5 global admins: Limit the number of global admins for better control.
  5. Customize the helpdesk link in AAD and point it at your IT team or your managed IT service provider: Streamline support communication through a customized helpdesk link.
  6. Password Policy: Align password policies with your company's security measures.

Part 3: Secure Microsoft Exchange

  1. Turn on audit data recording: Capture comprehensive audit data for analysis.
  2. Turn on mailbox auditing for all users: Enhance visibility into mailbox activity.
  3. Block External Email Forwarding Globally & Check Mail Forwarding Rules: Prevent unauthorized email forwarding by not allowing mail to leave your M365 tenant and review mail rules for any that seem malicious.
  4. Set outbound spam notifications: Receive alerts for potential outbound spam.
  5. Review mailbox delegation: Ensure secure delegation of mailbox access.
  6. No transport rules to external domains: Restrict transport rules to internal domains only.
  7. Do not use mail forwarding rules to external domains: Prevent unauthorized email forwarding rules.
  8. Do not use mail flow rules that bypass anti-spam protection: Ensure all emails undergo anti-spam checks. Mail flow rules that set the Spam Confidence Level (SCL) to a negative number will bypass Microsoft anti-spam protection.
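The Exchange items in this part (audit recording, mailbox auditing, external forwarding, mail rules, negative-SCL mail flow rules) reduce to one review script, added here as an example that is not code from the article. It assumes the ExchangeOnlineManagement module and an account holding an Exchange admin role; the findings are printed first and the tenant-wide hardening commands are left commented out at the end so they are applied deliberately.

```powershell
# Added example, not from the article. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline

# Every domain the tenant accepts mail for counts as internal; anything else is external.
$internal = (Get-AcceptedDomain).DomainName

function Test-External([string]$address) {
    # Rule recipients look like '"Name" [SMTP:user@example.com]' or 'smtp:user@example.com'
    if ($address -match '([\w.+-]+)@([\w.-]+)') {
        return -not ($internal -contains $matches[2])
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin or via Outlook on the web settings).
$mailboxes | Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail to an external address.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName | ForEach-Object {
        $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
        $ext = $targets | Where-Object { $_ -and (Test-External "$_") }
        if ($ext) {
            [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Rule = $_.Name;
                               Enabled = $_.Enabled; ExternalTargets = ($ext -join '; ') }
        }
    }
}

# 3. Mail flow rules that neutralise anti-spam by stamping a negative SCL.
Get-TransportRule | Where-Object { $null -ne $_.SetSCL -and $_.SetSCL -lt 0 } |
    Select-Object Name, State, SetSCL

# 4. Tenant-wide audit and auto-forward posture.
Get-OrganizationConfig | Select-Object AuditDisabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object AutoForwardEnabled

# Hardening, to run once the findings above have been reviewed:
# Set-OrganizationConfig -AuditDisabled $false                 # mailbox auditing on by default
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```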

Part 4: Additional Best Practices for Hardening Microsoft 365

SharePoint/OneDrive

  • Configure Expiration Time for External Sharing Links (SharePoint): Control the duration of external sharing links for SharePoint.

Endpoint Manager (Intune)

  • Basic MAM Policy: Implement a basic Mobile Application Management policy for secure mobile device usage.

Final Points

Keep in mind that one-time hardening is not enough. You will want to audit these changes at regular intervals. Choose an interval that is appropriate for your organization. At IntegriCom we audit our clients bi-annually. Another very crucial point is that this list is an ever changing and ever evolving list as Microsoft continues to rapidly update and change these cloud services. You must keep researching ways to harden your tenant and keep up to date with the changes Microsoft makes to Office 365 / M365.

Secure Office 365 / Microsoft 365 with IntegriCom Managed IT Services

In conclusion, adopting these best practices for hardening Microsoft 365 is paramount in safeguarding your organization’s digital assets. Ensure a robust security posture, including these periodic hardening actions, with IntegriCom’s Managed IT Services. Schedule a consultation today to fortify your defenses against evolving cyber threats.

Author: Calvin Thain

Calvin, an Atlanta native, is a Senior Engineer at IntegriCom® located in Suwanee, GA and Gainesville, GA. As an advocate of security and sound processes, Calvin makes sure our internal technology, as well as the technology of our clients, is sound and robust. He helps our clients breathe easier about their technology.