Office 365 hardening tips & tricks

Links open directly to the relevant pages in Office 365

  1. Enable MFA for Administrative Accounts.

2. Configure PIM (Privileged Identity Management) for Admin Accounts​.
Microsoft Documentation – O365 License Requirements
.

3. Enable “Password Hash Sync” when using Azure AD Connect
Microsoft Documentation


“Password hash synchronization helps by reducing the number of passwords, your users need to maintain to just one.”

To use password hash synchronization in your environment, you need to:​

  • Install, or be using Azure AD Connect.​
  • Configure directory synchronization between your on-premises​
    Active Directory instance and your Azure Active Directory instance.​
  • Enable password hash synchronization.

4. Implement and enforce a banned/bad password list.​

You can specify lists of bad passwords to prevent people from utilizing poor passwords. Consider using:

5. Ensure all applications and Employees are using Modern Authentication​.

Ever wonder why people can still authenticate to Office 365 even if you have two-factor authentication setup? This is why. You need to audit who is using what integrations, applications and authentication mechanisms are being used to figure out how to whittle down where basic authentication is occurring. See Microsoft’s Documentation on the subject, and/or this blog post. These screenshots show examples of how to look for user accounts using outdated authentication mechanisms logging into https://portal.azure.com.

Searching Sign-Ins for Legacy Authentication Mechanisms.
Legacy Authentication Mechanisms

A simple way to mitigate this is implementing a conditional control policy, which can block legacy authentication altogether.
You can also enable Modern Authentication in the Office 365 Admin Center.

6. Enable User, Admin, and Mailbox Activity Logging​.
See Microsoft’s Documentation on the Subject.

7. Put “External” on external senders on the subject line of incoming emails.

An example of adding an external message warning.

8. Restrict Logins from Unusual Locations​ using Conditional Access.

Example of adding locations to conditional access.

9. Enable/Purchase Microsoft ATP.
ATP Does the following:

  • Scans e-mails before they reach your user’s inbox to see if they are on known spam lists/reputable lists.
  • Scans attachments before the arrive in a user’s inbox.
  • Puts a wrapper around URL’s to monitor user clicks, and put a stop to some phishing/malware downloaders.
  • Allows tracking for Office 365 administrators to see who clicked what links.
    • Another product that does this is Mimecast.

10. Purge e-mails using Threat Explorer. (May require E3 License)
This allows you to retroactively remove e-mails that have already been sent to the user (in the event of a phishing e-mail being sent out across your organization).

Example of looking for an e-mail using threat explorer.
Actions available, click “Hard Delete” to delete e-mails already in a User’s inbox.

Leave a Reply

Your email address will not be published. Required fields are marked *