Front Page: NCSC-FI
Front Page: NCSC-FI

How to protect your Microsoft 365 services

Criminals are constantly phishing for Microsoft 365 account credentials and using the account names and passwords obtained through phishing attacks to hijack M365 accounts. These instructions provide advice on how you can more effectively protect your company’s Microsoft 365 services.

Go through the list in your organisation and prepare a plan on how you will implement the protection measures. Some of them, such as enabling multi-factor authentication (MFA), can be implemented in stages. Prepare and plan the change well, and be sure to also provide instructions to users.

The instructions apply to Microsoft 365 Business Basic, Microsoft 365 Business Standard and Microsoft 365 Business Premium subscriptions. The changes listed below do not require any additional products or licences from Microsoft.

Microsoft 365 protection measures against data breaches

  1. Turn on security defaults and multi-factor authentication on your Microsoft 365 tenant.
  2. Enable and check multi-factor authentication for user accounts and admins. 
  3. Create an emergency access admin account. It is a good idea to have an emergency access admin account that should only be used in situations where you cannot access your Microsoft 365 services on any other account.
  4. Enable audit logging. The audit log provides you with more information about any data breaches. The audit log can be used to trace the time and scope of a data breach and perhaps even how it occurred.
  5. Check whether you have Alert Policies enabled. These policies help you to track user and admin activities and alert you in case of threats or data loss incidents.

Protection measures for SharePoint Online, OneDrive for Business and Teams

  1. Prevent guests from sending invites to your Microsoft 365 environment to other guests. Sending invites should only be allowed from within your organisation.
  2. Allow the synchronisation of OneDrive for Business and Sharepoint files only on devices connected to your domain.
  3. You can impose restrictions on Sharepoint and OneDrive sharing, such as requiring guests to sign in or provide a confirmation code.
  4. Require strong authentication for third party apps on SharePoint. Using third party apps should not be allowed without multi-factor authentication.
  5. Prevent anonymous participant access to Teams meetings. This way, users who receive an invitation link to a Teams meeting have to sign in to join.
  6. Block third party apps on Teams. This can be done by having the admin of the tenant check app functionalities before installing them on the Microsoft tenant.

Protection measures for Exchange Online servers

  1. Implement SPF, DKIM and DMARC authentication for email. The SPF value is already defined as it is mandatory on Microsoft 365, but you should set up DKIM as well. SPF, DKIM and DMARC allow you to authenticate your sent emails, preventing them from being flagged as spam.
  2. Block sign-in to shared mailboxes. Access to shared mailboxes should only be granted to users who need it.
  3. Set up a policy that prevents the forwarding of email messages to an external email address. This will ensure that even if one of your organisation’s email accounts is compromised, the attacker will not be able to automatically forward messages to their own email address.
  4. Add a tag or warning to external email messages. This will make it easier for recipients to spot scam messages.
  5. Enable preset security policies in Exchange Online Protection. These include policies that protect your Exchange Online environment from the latest attack trends.

General protection measures for Microsoft 365 and Azure services

  1. Add your company’s logo or some other brand image to the sign-in page. Phishing websites sometimes use the default Microsoft sign-in window, which users can learn to treat as suspicious if they get used to seeing a version with your company’s branding.
  2. Review your password policy. Define how long passwords must be, how many special characters they need to include and how often they need to be changed.
  3. Configure role-based access control (RBAC) for administrators. 
  4. Turn off user consent to apps. Applications may ask permission to access the user’s profile and send email on the user’s behalf during installation. They may also request access to files that the user has access to. With user consent to apps turned off, admins can check whether the permissions being asked are reasonable before consenting to an app. 
  5. Enable an idle timeout for Azure portal sessions. This way any user who leaves Azure portal open on their browser is automatically signed out after the specified time.
  6. Restrict users’ access to the Azure administration portal. 
  7. Check whether you have Alert Policies enabled. These policies help you to track user and admin activities and alert you in case of threats or data loss incidents.