As an MSP, keeping client files secure is top of mind. But if you’re responsible for protecting Microsoft 365 domains, there are so many choices and seemingly hidden capabilities that it can be overwhelming to know where to begin.
To help, Egnyte recently sat down with Liam Cleary, a Microsoft MVP and MCT and CEO/Owner of SharePlicity, to get his take on the five steps every Microsoft 365 administrator should take to reduce the security risk for their business. Here is what he came back with.
1. Turn on Multi-Factor Authentication
Microsoft 365 currently supports two different types of multi-factor authentication (MFA). MFA adds an important layer of security because users need to present two or more verification factors to successfully gain access to the system.
The first approach ties MFA to individual accounts through per-user enablement and enforcement.
- In this scenario, enabling MFA means that when users sign in they must complete a registration process and are then prompted for MFA.
- Enforcing MFA means users are prompted for MFA no matter where they sign in from, though the registration process still applies.
The better option is to use conditional access policies, which are part of Azure Active Directory premium licensing. They're included in some of the Microsoft business licensing as well.
Using these policies is the easiest way to implement MFA for all users. Here are a couple of examples of how it works:
- All administrator accounts, or specific roles such as Global Administrator, are required to use MFA when they access the Azure Portal rather than the Microsoft 365 Portal.
- Require MFA for every user signing in from a targeted location, typically defined by subnets or IP address ranges.
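The first example above, written as a conditional access policy with the Microsoft Graph PowerShell SDK. This is an added illustration, not code from the article or from SharePlicity; it assumes the Microsoft.Graph module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess and Directory.Read.All permissions, and the break-glass account object ID is a placeholder you replace with your own.

```powershell
# Added example: require MFA for Global Administrators when they sign in to the
# Azure portal. Assumes the Microsoft.Graph module and the permissions named above.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Well-known Entra IDs: the Global Administrator role template and the
# "Microsoft Azure Management" first-party app that fronts the Azure portal.
$globalAdminRoleId   = "62e90394-69f5-4237-9190-a7e2acd2ff2b"
$azureManagementAppId = "c44b4083-3bb0-49c1-b47d-974e53cbdf3c"

$policy = @{
    displayName = "CA001: Require MFA for Global Admins in Azure portal"
    # Start in report-only so the sign-in logs show the impact before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeRoles = @($globalAdminRoleId)
            # Placeholder: exclude an emergency-access account so a
            # misconfigured policy cannot lock every administrator out.
            excludeUsers = @("<break-glass-account-object-id>")
        }
        applications = @{
            includeApplications = @($azureManagementAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: list every policy that grants MFA, with its state, so you can confirm
# coverage of the admin roles before switching the new policy to 'enabled'.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State
```

Review the report-only results in the Entra sign-in logs, then update the policy's state to "enabled" to start enforcing.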
2. Enable Safe Attachments
We all get emails with attachments and links, and Microsoft has the ability to deeply inspect emails in Exchange for potential threats. It’s accomplished using Safe Attachments and Links, and is included as part of Microsoft Defender Suite for Office 365.
To give you an idea of how Safe Attachments works: if Microsoft identifies something unusual in an email sent to you, it scans the message, and it can also remove the attachment, detonate it in a virtualized sandbox, and automatically clean it. In the meantime it delivers the original email with a notice that the attachment is currently being scanned. Once the scan completes and the file is found to be clean, the system re-inserts the attachment.
Likewise, when you receive an email containing links, Microsoft validates each link at the moment it is clicked, checking for malicious content and validating the IP address range behind it.
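The "deliver now, re-insert the attachment once the sandbox says it is clean" behaviour described above is the Dynamic Delivery action of a Safe Attachments policy, and link validation on click is a Safe Links policy. The following is an added example, not code from the article; it assumes the ExchangeOnlineManagement module, a Defender for Office 365 licence, and uses "contoso.com" as a placeholder for your accepted domain.

```powershell
# Added example: Safe Attachments in Dynamic Delivery mode plus Safe Links for
# one domain. Assumes ExchangeOnlineManagement is installed; contoso.com is a placeholder.
Connect-ExchangeOnline

$domain = "contoso.com"

$saPolicy = @{
    Name     = "SA-DynamicDelivery"
    Enable   = $true
    Action   = "DynamicDelivery"   # deliver the body now, attachment after the sandbox scan
    Redirect = $false              # do not copy detonated malware to another mailbox
}
New-SafeAttachmentPolicy @saPolicy
New-SafeAttachmentRule -Name "SA-AllUsers" `
    -SafeAttachmentPolicy "SA-DynamicDelivery" -RecipientDomainIs $domain

$slPolicy = @{
    Name                    = "SL-AllUsers"
    EnableSafeLinksForEmail = $true
    ScanUrls                = $true    # rewrite links and check them at click time
    DeliverMessageAfterScan = $true    # hold delivery until URL scanning finishes
    TrackClicks             = $true    # keep click telemetry for incident response
    AllowClickThrough       = $false   # users cannot bypass a blocked link
}
New-SafeLinksPolicy @slPolicy
New-SafeLinksRule -Name "SL-AllUsers" -SafeLinksPolicy "SL-AllUsers" -RecipientDomainIs $domain

# Check: both policies exist and are enabled with the intended actions.
Get-SafeAttachmentPolicy -Identity "SA-DynamicDelivery" | Select-Object Name, Enable, Action
Get-SafeLinksPolicy -Identity "SL-AllUsers" |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan
```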
3. Block Automatic Forwarding
Setting up auto forwarding of email is often one of the first steps malicious actors take when they have successfully broken into a Microsoft 365 tenant, so it’s important to be proactive in your defenses.
Attackers will create auto-forwarding mail rules to exfiltrate data coming to and from a given mailbox. They also use this to build a picture of the mail that you send and who it gets sent to, which gives them more accounts to target.
While there are legitimate situations where auto-forwarding is valuable, as a general rule you should block auto-forwarding of email to anything outside the organization. For those instances where auto-forwarding is needed, restrict it to specific domains.
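Putting that rule into practice means two things: block external auto-forwarding tenant-wide (with an exception for an approved domain), and audit mailboxes for forwarding that is already configured, since an existing rule is the indicator the section describes. This is an added example, not code from the article; it assumes the ExchangeOnlineManagement module and uses "partner.example" as a placeholder for an approved destination domain.

```powershell
# Added example: block external auto-forwarding, allow one approved domain, then
# audit for forwarding already in place. Assumes ExchangeOnlineManagement is installed.
Connect-ExchangeOnline

# 1. Tenant-wide: the outbound spam policy rejects automatically forwarded mail.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off

# 2. The default remote domain also refuses auto-forwards, while a named remote
#    domain for the approved partner (placeholder) still allows them.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-RemoteDomain -Name "ApprovedPartner" -DomainName "partner.example"
Set-RemoteDomain -Identity "ApprovedPartner" -AutoForwardEnabled $true

# 3. Audit: mailbox-level forwarding set by an admin or through Outlook settings.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 4. Audit: inbox rules that forward or redirect mail, the kind of rule the
#    article says is created after a tenant is compromised.
foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
```

Any row returned by steps 3 or 4 that the user or an administrator cannot account for should be treated as a possible account compromise and investigated before the rule is removed.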
4. Set Up Anti-Phishing Policies
Anti-phishing policies once again come under Microsoft Defender. There are some default settings in Microsoft 365 to help block phishing, spam, and ransomware, but these are just basic policies.
Every organization should implement specific anti-phishing policies. These policies should be based on information from an Admin Center feature that shows which users are being targeted by phishing attacks most often.
This feature lets you see the number of phishing emails specific users have received, and if any are from known campaigns. With that information, you can define more stringent policies for emails that may be targeted to those individuals. It also helps you determine which users require more training.
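One way to turn that information into a stricter policy for the most-targeted individuals, as an added example that is not code from the article: create a dedicated anti-phishing policy with targeted user protection and mailbox intelligence, scoped by a rule to just those recipients. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 licence; the names and addresses are constructed placeholders.

```powershell
# Added example: a stricter anti-phishing policy for the users reported as most
# targeted. Assumes ExchangeOnlineManagement is installed; users are placeholders.
Connect-ExchangeOnline

# "Display name;email" pairs for the users the Admin Center identified.
$targetedUsers = @(
    "Alice Finance;alice.finance@contoso.com",
    "Bob CEO;bob.ceo@contoso.com"
)

$policy = @{
    Name                                = "AP-TargetedUsers"
    Enabled                             = $true
    PhishThresholdLevel                 = 3        # 1 (standard) .. 4 (most aggressive)
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = $targetedUsers
    TargetedUserProtectionAction        = "Quarantine"
    EnableOrganizationDomainsProtection = $true     # catch look-alikes of your own domains
    TargetedDomainProtectionAction      = "Quarantine"
    EnableMailboxIntelligence           = $true     # learn each user's normal senders
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"
    EnableSpoofIntelligence             = $true
    AuthenticationFailAction            = "Quarantine"  # mail failing composite authentication
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
    EnableUnusualCharactersSafetyTips   = $true
}
New-AntiPhishPolicy @policy

# Scope the policy to the targeted users only; the default policy still covers everyone else.
$recipients = $targetedUsers | ForEach-Object { ($_ -split ';')[1] }
New-AntiPhishRule -Name "AP-TargetedUsers" -AntiPhishPolicy "AP-TargetedUsers" `
    -SentTo $recipients -Priority 0

# Check: the policy exists with the expected threshold and protected users.
Get-AntiPhishPolicy -Identity "AP-TargetedUsers" |
    Select-Object Name, Enabled, PhishThresholdLevel, TargetedUsersToProtect
```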
5. Enable Device Protection
Devices need to be protected because they are how we connect to Microsoft 365: cell phones, tablets, laptops, and desktops. Which kind makes no difference at this point; you must define some form of protection on the devices.
If you have Microsoft Intune capabilities, then you can create mobile application management policies where you can protect company data by segmenting it into containers on the device.
The container is then blocked from communicating with other applications so, for example, users can't copy something out of an email and paste it into a text message. If needed, you can wipe the containerized data off the device with a single click.
Next Steps
While there are many choices, these five suggestions are a good baseline. Once you've established these best practices, take the time to understand how your clients use their data. From there, look to broaden the tools you use to secure that data more effectively and provide customized support for your clients.
Author Tim Johnson is director of MSP product marketing at Egnyte. Regularly contributed guest blogs are part of ChannelE2E's sponsorship program.