Net Platforms


Securing Your Microsoft 365 Accounts – 5 In-built Features to Enhance Your Security Posture

The Microsoft cloud offers exceptional cyber security. Trusted by over 1 million organisations worldwide, and supported by a $1 billion annual cyber security budget, there are few safer places to store your business’s data.

With measures like geo-redundancy, encryption, and enterprise-grade firewalls protecting its data centres, Microsoft's cloud services offer a high level of security and resilience, and the company remains committed to enhancing its cyber protections in the years ahead. However, it's crucial to remember that under the 'shared responsibility' model, ultimate responsibility for the security of the data you host on Microsoft's services lies with your business: Microsoft secures the platform, but it does not configure your tenant for you.

‘Shared Responsibility’ Summarised

Microsoft's shared responsibility model defines how security and compliance responsibilities are partitioned between the company and its customers. In a nutshell, Microsoft is responsible for:

· Maintaining the uptime of its infrastructure to provide reliable services.

· Taking steps to defend its infrastructure and services against the threat of cyber-attacks.

Your business is responsible for:

· Taking steps to protect the integrity and confidentiality of the data you host within Microsoft services. This includes managing access, applying robust authentication measures, maintaining a backup of your data (Microsoft's geo-redundancy protects against data-centre failure, not against deletion or ransomware in your tenant), and deploying the in-built tools Microsoft provides to enhance your data security posture.

· Ensuring that your security controls comply with the data protection regulations that apply to your business.

In this mini blog series, we want to help you boost the security of your Microsoft 365 accounts, by providing a checklist to help you compare your current configuration against best practice. Fully optimising the security of Microsoft 365 means leveraging the security features that come built in, and supplementing these with additional controls to further fortify your defences. In this article, we’ll focus on 5 native security features you can use to enhance your security posture; consult with your IT support provider to ensure these have been optimised for security, and not left on the defaults!

Threat Policies

No matter which Microsoft 365 plan your business operates, you’ll have access to a range of cyber threat protections, designed to offer baseline protection against the likes of malware and phishing. While these security protections are no silver bullet and should be deployed as part of a comprehensive cyber security strategy, activating them will provide an additional safeguard to your business, particularly against email-based threats.

These protections are configured in the 'Threat policies' section of the Microsoft 365 Defender portal (security.microsoft.com), which is reached from the Microsoft 365 admin centre. To locate and enable the measures available to you, log in to your 365 account and open the admin centre as pictured below.

Image of Microsoft office hub

Launch the Microsoft 365 Defender portal (formerly the 'Microsoft 365 Security Center') by clicking 'Security' in the menu on the left, then go to 'Email & collaboration', click 'Policies & rules' and then 'Threat policies' as shown.

Image of the policies and rules of Microsoft 365

From here, you should see a range of configurable policies which vary in scope depending on your Microsoft 365 subscription. Every plan includes the Exchange Online Protection policies for anti-malware, anti-phishing and anti-spam; Defender for Office 365 plans add Safe Links and Safe Attachments. Note that the default policies are already switched on, but with permissive settings: check in particular that high-confidence phishing and spam are quarantined rather than delivered to the Junk folder, that the common attachment filter blocks executable file types, and that spoof intelligence is enabled. Microsoft's preset security policies ('Standard' and 'Strict') apply a recommended baseline in one step if you would rather not tune each policy by hand. Phishing email remains one of the most common ways attackers first get into an organisation, so hardening these policies protects your mailboxes and, through them, the rest of your Microsoft 365 tenant.
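The checklist comparison described above can be scripted. The following is an added example, not code from the original article: it uses the Exchange Online PowerShell module to read every anti-malware, anti-spam and anti-phishing policy in the tenant, compare a handful of settings against a small baseline, and preview (with -WhatIf) the change that would bring each one into line. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds an Exchange admin role; the baseline values are this example's own choices, not Microsoft's recommendations verbatim.

```powershell
# Added example, not from the original article: audit the tenant's EOP threat
# policies against a small baseline and report drift. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account holds
# an Exchange admin role. The baseline values are this example's own choices.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Baseline per policy type: property name -> value we expect to see.
$baseline = @{
    MalwareFilterPolicy = @{
        EnableFileFilter = $true        # block common executable attachment types
        ZapEnabled       = $true        # zero-hour auto purge of malware found after delivery
    }
    HostedContentFilterPolicy = @{
        SpamAction                = 'MoveToJmf'     # Junk folder is enough for ordinary spam
        HighConfidenceSpamAction  = 'Quarantine'
        PhishSpamAction           = 'Quarantine'
        HighConfidencePhishAction = 'Quarantine'
        BulkThreshold             = 6
        SpamZapEnabled            = $true
        PhishZapEnabled           = $true
    }
    AntiPhishPolicy = @{
        EnableSpoofIntelligence  = $true
        AuthenticationFailAction = 'Quarantine'     # action when the sender fails composite authentication
    }
}

# Walk every policy of each type (tenants can have several) and compare settings.
$findings = foreach ($type in $baseline.Keys) {
    foreach ($policy in (& "Get-$type")) {
        foreach ($setting in $baseline[$type].GetEnumerator()) {
            $actual = $policy.($setting.Key)
            if ("$actual" -ne "$($setting.Value)") {
                [pscustomobject]@{
                    PolicyType = $type
                    Policy     = $policy.Name
                    Setting    = $setting.Key
                    Actual     = $actual
                    Expected   = $setting.Value
                }
            }
        }
    }
}

if (-not $findings) {
    'All checked settings meet the baseline.'
} else {
    $findings | Format-Table -AutoSize
    # Preview the remediation; remove -WhatIf to apply the change after review.
    foreach ($f in $findings) {
        $params = @{ Identity = $f.Policy }
        $params[$f.Setting] = $f.Expected
        & "Set-$($f.PolicyType)" @params -WhatIf
    }
}
Disconnect-ExchangeOnline -Confirm:$false
```

Run it before and after a change so you have a record of what the defaults were; custom policies with a higher priority than 'Default' also appear in the output, since the loop covers every policy of each type.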

Role-based Access Controls (RBAC)

The 'principle of least privilege' is a cyber security best practice that advocates extending user privileges and access rights sparingly, strictly on the basis of need. One way to apply this practice is by establishing role-based access controls, under which rights and permissions are granted on the basis of job role rather than to individuals ad hoc.

So why is it important to restrict user access and privileges?

In any system, the 'admin' account carries the broadest set of privileges and access rights, including the ability to alter security settings, manage user accounts and authorise the download and installation of new software. With unrestricted scope to make system changes and access virtually all data, an admin account can be used to devastating effect in the hands of a malicious actor. It therefore makes good security sense to limit admin privileges to as few accounts as possible, and to hold them in dedicated admin accounts that are not used for email or web browsing, so that a phished everyday account does not hand over admin rights with it.

Within Microsoft 365, admin roles are assigned per user from the 365 admin centre (Users > Active users > select the user > Manage roles), and standing assignments should be kept to the minimum needed. Rather than leaving admin rights permanently switched on, you can grant them on a time-restricted basis: the admin centre's 'Privileged access' setting enables privileged access management, which gives approval-based, time-limited access for specific admin tasks, and Privileged Identity Management in Azure AD (now Microsoft Entra ID; requires a Premium P2 licence) provides just-in-time activation of directory roles. To enable privileged access management, open the 365 admin centre as before, locate 'Settings' from the menu on the left of the screen, and select 'Org settings' as depicted.

Image of the different tabs and settings in 365 app

Select the tab named 'Security & privacy', and then click 'Privileged access' from the options listed. From here you can turn on privileged access management and define policies that grant admin rights for specific tasks only for as long as is necessary, with each request approved and logged.

Image of the security access settings in the 365 app
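Knowing who currently holds admin roles is the first step in applying least privilege. The following is an added example, not code from the original article: it uses the Microsoft Graph PowerShell SDK to list every user holding a set of high-privilege directory roles and flags the usual problems, too many Global Administrators, fewer than two (no break-glass account), and admins whose account also carries a licence, which usually means it doubles as a day-to-day mailbox. It assumes the Microsoft.Graph modules are installed and the signed-in account can consent to the read-only scopes shown; the list of roles and the 'at most four' threshold are this example's own choices.

```powershell
# Added example, not from the original article: report who holds high-privilege
# directory roles and flag common least-privilege problems. Assumes the
# Microsoft.Graph modules are installed; role list and threshold are our choices.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','Directory.Read.All','User.Read.All' -NoWelcome

$privilegedRoles = 'Global Administrator', 'Privileged Role Administrator',
                   'Exchange Administrator', 'SharePoint Administrator', 'User Administrator'
$maxGlobalAdmins = 4   # example threshold, not a Microsoft figure

# Get-MgDirectoryRole only returns roles that have been activated in the tenant,
# so a role with no holders may simply be absent.
$roles = Get-MgDirectoryRole | Where-Object { $privilegedRoles -contains $_.DisplayName }

$holders = foreach ($role in $roles) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Skip groups and service principals; we only report human accounts here.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
        $user = Get-MgUser -UserId $member.Id -Property 'userPrincipalName','accountEnabled','assignedLicenses'
        [pscustomobject]@{
            Role       = $role.DisplayName
            User       = $user.UserPrincipalName
            Enabled    = $user.AccountEnabled
            # A licensed admin account usually has a mailbox and is used for daily
            # work, i.e. it is not a dedicated admin account.
            HasLicence = (@($user.AssignedLicenses).Count -gt 0)
        }
    }
}

$holders | Sort-Object Role, User | Format-Table -AutoSize

$globalAdmins = @($holders | Where-Object { $_.Role -eq 'Global Administrator' -and $_.Enabled })
if ($globalAdmins.Count -gt $maxGlobalAdmins) {
    Write-Warning "$($globalAdmins.Count) enabled Global Administrators (baseline: at most $maxGlobalAdmins)."
}
if ($globalAdmins.Count -lt 2) {
    Write-Warning 'Fewer than two Global Administrators: keep a second, emergency-access (break-glass) account.'
}
foreach ($h in ($holders | Where-Object { $_.HasLicence })) {
    Write-Warning "$($h.User) holds $($h.Role) on a licensed, day-to-day account; move the role to a dedicated admin account."
}
Disconnect-MgGraph | Out-Null
```

Group-based and PIM-eligible assignments are not covered by this listing (only active, direct assignments are), so treat the output as a floor rather than the full picture if you use either.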

Secure Score

Secure Score is an underused feature found in the Microsoft 365 Defender portal. It uses a simple percentage grading system to help you gauge your security posture and deploy measures to improve it. Through a simple and intuitive dashboard, Secure Score awards points across a number of security categories, including identities, devices and apps, so you can take targeted action to address areas of deficiency.

The best part of Secure Score is the actionable guidance it provides via the 'Improvement actions' tab shown below. This tab lists concrete steps for improving your posture, ranked so that those worth the most points, and therefore likely to deliver the greatest impact, appear first. In many cases you're also given a link to the configuration page for the suggested change, and an indication of its implementation cost and user impact, making it straightforward to pick the changes that deliver the most benefit for the least disruption.

The complex, multifaceted nature of cyber security can make it difficult to identify areas for improvement. Secure Score is a convenient and intuitive tool that provides security posture insights and empowers users to take positive action. Treat it as a prioritised to-do list rather than an audit, though: a rising score shows that recommended controls are switched on, not that they are configured correctly for your organisation.

Image of Microsoft secure score
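The ranking on the 'Improvement actions' tab can be reproduced from the Graph API, which is useful for tracking the score over time or feeding it into a monthly report. The following is an added example, not code from the original article: it fetches the tenant's most recent Secure Score, joins each control's achieved points to the control profile that holds its maximum points and action link, and lists the ten controls with the largest gap. It assumes the Microsoft.Graph.Security module is installed and the signed-in account can consent to SecurityEvents.Read.All.

```powershell
# Added example, not from the original article: rebuild the Secure Score
# improvement-action ranking from the Graph API. Assumes Microsoft.Graph.Security
# is installed and the account can consent to the scope below.
Import-Module Microsoft.Graph.Security
Connect-MgGraph -Scopes 'SecurityEvents.Read.All' -NoWelcome

# Secure Score keeps a daily history; take the newest snapshot explicitly
# rather than relying on the API's ordering.
$latest = Get-MgSecuritySecureScore -Top 10 |
    Sort-Object CreatedDateTime -Descending | Select-Object -First 1
$pct = [math]::Round(100 * $latest.CurrentScore / $latest.MaxScore, 1)
"Secure Score: $($latest.CurrentScore) / $($latest.MaxScore) ($pct%) as of $($latest.CreatedDateTime)"

# Control profiles carry the per-control maximum, title, cost and action URL;
# the snapshot's controlScores carry only the points currently achieved.
$profileById = @{}
foreach ($p in (Get-MgSecuritySecureScoreControlProfile -All)) { $profileById[$p.Id] = $p }

$actions = foreach ($c in $latest.ControlScores) {
    $p = $profileById[$c.ControlName]
    if (-not $p -or $p.MaxScore -le 0) { continue }   # retired or unscored controls
    [pscustomobject]@{
        Control  = $p.Title
        Category = $c.ControlCategory
        Achieved = $c.Score
        Max      = $p.MaxScore
        Gap      = $p.MaxScore - $c.Score
        Cost     = $p.ImplementationCost
        Action   = $p.ActionUrl
    }
}

# Largest gap first: the same order the portal uses for "most impact".
$actions | Where-Object { $_.Gap -gt 0 } |
    Sort-Object Gap -Descending | Select-Object -First 10 |
    Format-Table Control, Category, Achieved, Max, Gap, Cost -AutoSize

Disconnect-MgGraph | Out-Null
```

Exporting `$actions` to CSV each month gives you a simple trend line per control, which is more informative than the headline percentage alone.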

Multi-factor Authentication

Thanks to leaked credential lists and readily available password-spraying and brute-force tools, cybercriminals are able to force entry to weakly protected user accounts with remarkable ease. One of the best ways to prevent credential compromise and avoid unauthorised access to your Microsoft 365 accounts is by implementing multi-factor authentication (MFA), which requires a second factor, such as an approval in an authenticator app or a hardware security key, over and above the username/password combination, so that a stolen password alone is not enough to sign in.

To enforce MFA across your Microsoft 365 accounts, open the 365 admin centre, select 'Users' from the menu on the left, and click 'Active users' as shown. Multi-factor authentication can then be configured by clicking the button of the same name. Be aware that this route opens the legacy per-user MFA settings. It still works, but Microsoft now recommends enforcing MFA tenant-wide either through Security defaults (free, and switched on under the Azure AD / Microsoft Entra ID properties page) or, if you have an Azure AD Premium P1 licence, through a Conditional Access policy, which can be tested in report-only mode first, can exclude a single emergency-access account, and should be paired with a policy that blocks legacy authentication protocols (such as IMAP and SMTP basic auth), since those do not prompt for MFA at all.

Image of active users in the Microsoft 365 admin centre

For a secure and convenient way to implement MFA, require that your users install the Microsoft Authenticator mobile app. On each sign-in the app receives a push notification, and the user confirms it by entering the number displayed on the sign-in screen (number matching), which defeats 'MFA fatigue' attacks that rely on users blindly approving prompts. The app can also generate time-based one-time codes for sign-in when the device has no network connection. Prefer it over SMS or phone-call codes, which can be intercepted or redirected through SIM swapping.
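The Conditional Access route mentioned above, together with a check of who has not yet registered for MFA, looks like this in the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article. It creates a policy requiring MFA for all users on all cloud apps in report-only mode, excluding one emergency-access account (the object ID shown is a placeholder you must replace), and then lists users who have no MFA method registered, admins first. It assumes the Microsoft.Graph modules are installed, the tenant is licensed for Conditional Access (Azure AD Premium P1) and the account can consent to the scopes shown.

```powershell
# Added example, not from the original article: create a report-only Conditional
# Access policy requiring MFA for everyone, then list users not yet registered.
# Assumes Microsoft.Graph modules, an Azure AD P1 licence, and the scopes below.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All',
                        'AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# Object ID of the emergency-access (break-glass) account. PLACEHOLDER: replace it.
# Excluding it means a mistake in the policy cannot lock every admin out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName   = 'Require MFA for all users (report-only)'
    # Report-only logs what the policy would have done; change to 'enabled'
    # once the sign-in logs show no unexpected blocks.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created Conditional Access policy $($created.Id) in report-only mode."

# Registration report: who could not satisfy the policy today?
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All
$unregistered = @($details | Where-Object { -not $_.IsMfaRegistered })
$adminsUnregistered = @($unregistered | Where-Object { $_.IsAdmin })

$unregistered | Sort-Object IsAdmin -Descending |
    Select-Object UserPrincipalName, IsAdmin,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } } |
    Format-Table -AutoSize

"{0} of {1} users are not registered for MFA ({2} of them admins)." -f `
    $unregistered.Count, @($details).Count, $adminsUnregistered.Count

Disconnect-MgGraph | Out-Null
```

Register the admins in `$adminsUnregistered` first: once the policy is switched to 'enabled', an admin with no registered method is prompted to register at next sign-in, and you want that to happen under your control rather than an attacker's.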

Password-free Authentication

The inherent vulnerability of account passwords is that they can be stolen, guessed or cracked with freely available tools. From phishing campaigns to malware such as keyloggers, cybercriminals use a range of tactics to obtain account credentials, and then steal or corrupt the sensitive information held within the accounts themselves. According to many cyber security experts, the most secure authentication methods dispense with passwords altogether: passwordless authentication. So how does that work?

Passwordless authentication replaces the password with a combination of something the user has (a registered device or security key) and something they are or know locally (a fingerprint, face scan or device PIN that unlocks the device and never leaves it). Because there is no shared secret to type, there is nothing for a phishing page or keylogger to capture. The building blocks are:

  • Something that the user possesses. A sign-in prompt is sent to a device registered to the account holder, who approves it after unlocking the authenticator with a biometric or PIN. Microsoft Authenticator's phone sign-in is an example.
  • A biometric identifier. Fingerprints and face scans are common biometric identifiers. With Windows Hello, the biometric only unlocks a key held on the device; the fingerprint or face image itself is never sent to Microsoft.
  • Location data. Location is not an authentication factor in itself, but Conditional Access can use it as a signal to block sign-in attempts from unsanctioned or unexpected geographic locations.
  • Something sent to the user. A passcode sent by SMS is also offered as a passwordless sign-in method, but it is the weakest of these options, since SMS can be intercepted or redirected through SIM swapping; reserve it for users who cannot use an app or a key.

To activate passwordless authentication within Microsoft 365, open the Azure Active Directory admin centre (now the Microsoft Entra admin centre at entra.microsoft.com, since Azure AD has been renamed Microsoft Entra ID). Navigate to 'Security' (listed under 'Protection' in the Entra admin centre) and then click 'Authentication methods' and 'Policies' as shown.

Image of the passwordless authentication method settings

You'll then be presented with a number of options for applying passwordless authentication. Current options include the Microsoft Authenticator app (phone sign-in), Windows Hello for Business (device-bound sign-in on Windows 10/11 using a PIN or biometric, with the key protected by the device's TPM) and FIDO2 security keys. FIDO2 keys are dedicated hardware authenticators connected over USB, NFC or Bluetooth, not storage devices; they are phishing-resistant because the key only signs for the site it was registered with, so a look-alike login page cannot obtain a valid response. Where you can, enable FIDO2 or Windows Hello for Business for admin accounts first, and leave SMS sign-in disabled unless you have a specific need for it.
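The same authentication methods policy can be set through the Graph API. The following is an added example, not code from the original article: it prints the current state of every method, enables FIDO2 security keys for all users with attestation enforced, enables Microsoft Authenticator in passwordless (any) mode, and warns if SMS sign-in is enabled. It assumes the Microsoft.Graph.Identity.SignIns module is installed and the account can consent to Policy.ReadWrite.AuthenticationMethod; 'all_users' is the built-in target for every user, and the empty AAGUID list means any attested key is accepted.

```powershell
# Added example, not from the original article: configure the tenant's
# authentication methods policy for passwordless sign-in via Microsoft Graph.
# Assumes Microsoft.Graph.Identity.SignIns is installed and the scope below.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

# Current state of every method, before we change anything.
Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration |
    Select-Object Id, State | Format-Table -AutoSize

# FIDO2 security keys: enabled for all users, attestation enforced so only
# keys with a manufacturer-certified attestation statement can be registered.
# keyRestrictions is left unenforced (empty AAGUID list = any attested key).
$fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationAllowed = $true
    isAttestationEnforced            = $true
    keyRestrictions                  = @{ isEnforced = $false; enforcementType = 'block'; aaGuids = @() }
    includeTargets                   = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Fido2' -BodyParameter $fido2

# Microsoft Authenticator: 'any' allows both push MFA and passwordless phone sign-in.
$authenticator = @{
    '@odata.type'  = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state          = 'enabled'
    includeTargets = @(
        @{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false; authenticationMode = 'any' }
    )
}
Update-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'MicrosoftAuthenticator' -BodyParameter $authenticator

# SMS sign-in is the weakest passwordless option; flag it rather than silently leave it on.
$sms = Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration `
    -AuthenticationMethodConfigurationId 'Sms'
if ($sms.State -eq 'enabled') {
    Write-Warning 'SMS sign-in is enabled: consider disabling it once users have an app or a key.'
}

Get-MgPolicyAuthenticationMethodPolicyAuthenticationMethodConfiguration |
    Select-Object Id, State | Format-Table -AutoSize
Disconnect-MgGraph | Out-Null
```

Enabling a method only makes it available; users still have to register a key or the app, so pair this change with a Conditional Access policy that requires a phishing-resistant authentication strength for admins once they have done so.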

In Summary

While Microsoft 365’s in-built security protections are relatively limited in their scope, they are worth exploring, and incorporating within a wider cybersecurity framework. Start a conversation with your IT team or IT support provider today, to ensure they’re making use of these helpful security features to defend your 365 accounts and the data held within them.

Stay tuned for our next piece, where we’ll consider additional steps you can take to further improve your Microsoft 365 security.

Netplatforms: Transformative IT for Businesses Across London and The Southeast

Need secure, optimised and reliable IT that supports your operations and drives your growth? Netplatforms can help. We help organisations across London and the Southeast thrive and grow in our digital age, with tailored tech solutions that deliver measurable results, and IT management and support that prioritises proactivity. Ready to take the next step in your digital transformation? Get in touch with Netplatforms today. We’d love to hear from you and help you overcome your technology challenges.