As I have mentioned in previous posts, I get the opportunity to meet with enterprises on a regular basis around security. These organizations span the whole spectrum of O365 and other cloud-service adoption. Specific to O365, they range from extreme early adopters who moved before there were means to secure the service, to ones that are just now considering it, to others that are in the middle of the process. The commonality between all these customers, no matter their stage of adoption, is the question “what are best practices for securing O365?”. So let’s take a look at the best practices resources from Microsoft.
Note: In most cases, the guidance below assumes the customer is licensed for a minimum of EMS E3 for their environment; additional licensing for advanced security features is typically called out in the documentation.
O365 30, 60, and Beyond
This is a baseline resource to help establish a foundation of security for companies as they begin to adopt their first O365 workload which is typically Exchange or OneDrive. It focuses on quick wins around basic admin and identity protections along with key service logging.
Identity 5 Easy Steps
The roadmap above references, in its 90-day timeline, implementing advanced protection. The 5 Easy Steps guide focuses on those advanced steps for protecting identities within an organization by focusing on:
- Strengthen your credentials.
- Reduce your attack surface area.
- Automate threat response.
- Increase your awareness of auditing and monitoring.
- Enable more predictable and complete end-user security with self-help.
Azure AD Break Glass
While this guide repeats several recommendations from the 5 Easy Steps above, there are a few additional ones worth calling out that every organization should put in their own O365 Security Roadmap.
- Define at least 2 emergency accounts
- Identify Microsoft accounts in administrative roles that need to be switched to work or school accounts
- Ensure separate user accounts and mail forwarding for global administrator accounts
- Ensure the passwords of administrative accounts have recently changed
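The four checks above can be turned into a repeatable audit over an export of your role holders. The script below is an added example written for this post, not Microsoft's tooling: the record field names, the consumer-domain list, the 90-day password age and the sample accounts are all assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# Personal (consumer) Microsoft account domains; assumed list, extend for your tenant.
CONSUMER_DOMAINS = {"outlook.com", "hotmail.com", "live.com"}

# Constructed sample export, not real tenant data. One record per account
# holding a directory role. Field names are assumptions for this example.
SAMPLE_ADMINS = [
    {"upn": "bg-admin-1@contoso.onmicrosoft.com", "role": "Global Administrator",
     "emergency": True, "dedicated": True, "forward_to": "secops@contoso.com",
     "pw_changed": "2019-09-01T00:00:00+00:00"},
    {"upn": "jdoe@contoso.com", "role": "Global Administrator",
     "emergency": False, "dedicated": False, "forward_to": None,
     "pw_changed": "2018-01-15T00:00:00+00:00"},
    {"upn": "someone@outlook.com", "role": "Exchange Administrator",
     "emergency": False, "dedicated": True, "forward_to": "someone@outlook.com",
     "pw_changed": "2019-10-01T00:00:00+00:00"},
]


def audit_break_glass(accounts, now, min_emergency=2, max_pw_age_days=90):
    """Return a list of findings for the four break-glass checks."""
    findings = []
    emergency = [a for a in accounts if a["emergency"]]
    if len(emergency) < min_emergency:
        findings.append(f"only {len(emergency)} emergency account(s); need {min_emergency}")
    for a in accounts:
        upn = a["upn"]
        domain = upn.rsplit("@", 1)[1].lower()
        # Consumer Microsoft accounts should not hold directory roles
        if domain in CONSUMER_DOMAINS:
            findings.append(f"{upn}: consumer Microsoft account holds role {a['role']}")
        if a["role"] == "Global Administrator":
            # Global admins should be dedicated accounts, separate from daily-use identities
            if not a["dedicated"]:
                findings.append(f"{upn}: global admin is also a daily-use account")
            # Admin accounts often have no mailbox; forward alerts to a monitored one
            if not a["forward_to"]:
                findings.append(f"{upn}: no mail forwarding configured for global admin")
        age = (now - datetime.fromisoformat(a["pw_changed"])).days
        if age > max_pw_age_days:
            findings.append(f"{upn}: password last changed {age} days ago")
    return findings


if __name__ == "__main__":
    for line in audit_break_glass(SAMPLE_ADMINS, datetime(2019, 11, 1, tzinfo=timezone.utc)):
        print(line)
```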
Microsoft 365 Golden Config
As I mentioned in the note above, the guidance assumes the customer has licensed a minimum of M365 E3/EMS E3 to protect O365. However, if your organization has licensed M365 E5/EMS E5 then you will want to use this guide as it provides guidance to implement the necessary policies to establish zero trust when accessing O365 resources.
While the sections above provide links to get started with key security components, customers often ask whether there are deployment guides for the respective security components that can protect O365. Below are such guides, which can be handed to the IT architecture group or PMO to develop an implementation plan.
Fast Track Resources
As part of licensing M365 services, customers have the option to leverage a “FREE” (yes, free) service from Microsoft called Fast Track. This group can be engaged through your Account Team or Customer Success Manager to assist with guidance and adoption of M365 services. As you can see in the graphic below, they also can assist and provide resources to help implement all the security components discussed above.
Microsoft Secure Score
As organizations go about implementing the above guidelines and services, they can refer to the Microsoft Secure Score. This is a checklist of items that can be used as a checkpoint to make sure the best practices are being implemented for their environment.
Check Back for Updates
Keep this link bookmarked in your browser favorites and check back periodically as I will update this as new guidance is released from Microsoft. Best of luck in securing your O365 investment.