1. Enable Multi-Factor Authentication for all Global Administrators
Global Administrator accounts can access literally everything within your Office 365 tenant, including all documents in OneDrive for Business and SharePoint and every mailbox. Consequently, an account with this level of privilege protected by nothing more than a password is a huge risk: one phished or guessed password hands over the whole tenant. Enabling multi-factor authentication requires the administrator to complete a second step at sign-in in addition to the password, such as approving a prompt in the Microsoft Authenticator app, entering a code from the app, answering a phone call or entering a code sent by SMS. Prefer the Authenticator app over SMS, because SMS codes can be intercepted or redirected through a SIM swap. The same setting can also be applied to all of your Office 365 users who are not Global Administrators, and for a small tenant it is worth doing so.
2. Enable Mailbox Auditing
Mailbox Auditing records who accessed which mailbox, from where, and when. It lets you spot a user reading a mailbox they are not authorised to open, an administrator or delegate working in someone else's mailbox, and, for the action types configured for owner auditing, activity by the mailbox owner themselves. That makes Mailbox Auditing an important tool when investigating a compromise of credentials, since you can see at what times the mailbox was being read, from which client and IP address, and what was done (for example inbox rules created or items moved). Being able to report on when personal data was accessed and by whom supports the accountability obligations of the GDPR and is generally considered part of good security practice. It also takes very little time to set up and incurs no additional cost. Note that the audit log is only kept for a limited period (90 days by default), so export or forward it if you need a longer history.
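The following is an added example, not code from the original article: it enables mailbox auditing on every user mailbox, adds owner logons to what is recorded, and then pulls the non-owner access to one mailbox over the last 30 days, which is the question you actually ask during an incident. It assumes the ExchangeOnlineManagement PowerShell module and an account holding the Exchange "Audit Logs" role; the mailbox address is a placeholder.

```powershell
# Added example (not part of the original article). Assumes the ExchangeOnlineManagement
# module and an account with the Exchange "Audit Logs" role. finance@contoso.com is a placeholder.
Connect-ExchangeOnline

# 1. Turn auditing on for every user mailbox and keep the log for 90 days.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 90

# 2. Owner activity is only logged for the actions listed in AuditOwner, and a plain
#    mailbox sign-in (MailboxLogin) is not in the default set; add it so that a
#    stolen password being used to read the owner's own mailbox leaves a trace.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -AuditOwner @{Add="MailboxLogin"}

# 3. Verify the settings took effect (spot-check a handful of mailboxes).
Get-Mailbox -ResultSize 5 -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit, AuditOwner

# 4. Incident question: who, other than the owner, touched this mailbox in the last 30 days?
$start = (Get-Date).AddDays(-30)
Search-MailboxAuditLog -Identity "finance@contoso.com" `
    -LogonTypes Admin,Delegate `
    -StartDate $start -EndDate (Get-Date) `
    -ShowDetails -ResultSize 5000 |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  ClientIPAddress, ClientInfoString, FolderPathName |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```

Run step 4 with `-LogonTypes Owner` as well when you suspect the owner's own credentials were used; you will then see the client string and IP address of each logon, which is usually what separates the real user from an attacker signing in from an unfamiliar network. Newer tenants have mailbox auditing switched on at the organisation level by default, but the explicit per-mailbox setting is still harmless and makes the state visible.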
3. Force all mobile devices to use a password!
Setting a password or PIN on a mobile device may seem obvious, but it is something that is easily overlooked. Leaving a device without one is a significant security risk given that the amount of company data stored and handled on mobile devices is ever-increasing. For this reason, organisations need a guarantee that a device password is mandatory rather than optional. Office 365 can check a mobile device when it connects for email or documents and, through the Exchange ActiveSync mobile device mailbox policy, refuse to synchronise until the user has enabled a password on the device. This does not stop a device being lost or stolen, but it means that whoever picks it up cannot simply open the mail client and read company data.
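As an added example that is not part of the original article, the policy described above can be enforced from PowerShell. It assumes the ExchangeOnlineManagement module, an account with the Organization Management role, and that your devices use the default mobile device mailbox policy; the numeric values are illustrative and should match your own standard.

```powershell
# Added example (not part of the original article). Assumes the ExchangeOnlineManagement
# module and Organization Management rights. Values below are illustrative choices.
Connect-ExchangeOnline

# Look at the policy as it stands before changing anything.
Get-MobileDeviceMailboxPolicy -Identity Default |
    Select-Object Name, PasswordEnabled, AllowSimplePassword, MinPasswordLength,
                  MaxInactivityTimeLock, MaxPasswordFailedAttempts, AllowNonProvisionableDevices

# Require a device password, reject trivial ones, lock after 5 minutes idle, wipe after
# 10 failed attempts, and refuse devices that cannot apply the policy at all
# (AllowNonProvisionableDevices $false closes the obvious loophole).
Set-MobileDeviceMailboxPolicy -Identity Default `
    -PasswordEnabled $true `
    -AllowSimplePassword $false `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -PasswordRecoveryEnabled $true `
    -AllowNonProvisionableDevices $false

# Check which devices are synchronising and whether they have actually applied the policy.
Get-MobileDevice -ResultSize Unlimited |
    Get-MobileDeviceStatistics |
    Select-Object DeviceFriendlyName, DeviceOS, DeviceAccessState,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync |
    Sort-Object LastSuccessSync -Descending |
    Format-Table -AutoSize
```

This policy only governs clients that connect over Exchange ActiveSync. Devices using the Outlook mobile app or other modern-authentication clients are controlled through Intune app protection policies and Conditional Access instead, so check both if you want the guarantee to hold for every device.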
4. Disable all accounts inactive for 30 days or more
Security breaches are commonly unsophisticated. A lot of the time they are the result of an account being taken over, either by a brute-force or password-spraying attempt that guesses a weak password, or by a former employee using an account that was never disabled to access data after they have left the company. An account nobody has used for a month is a target with no one watching it, so disable it. You may have some genuine users who simply have not logged in within the last 30 days; you can either skip those accounts or disable them anyway and re-enable them when the user needs access again. The latter is recommended: a user who is still around will ask, and one who is not should never have been left active.
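The following is an added example, not code from the original article: it reports every enabled account with no sign-in (interactive or non-interactive) in the last 30 days and then disables those accounts and revokes their refresh tokens, so an already-signed-in mail client stops working too. It assumes the Microsoft.Graph PowerShell module, an Entra ID P1 licence (needed for the signInActivity property) and the scopes requested below; the break-glass exclusion address is a placeholder.

```powershell
# Added example (not part of the original article). Assumes the Microsoft.Graph module,
# an Entra ID P1 licence for signInActivity, and the scopes below. The exclusion list is a
# placeholder: never let a script disable your emergency-access admin account.
Connect-MgGraph -Scopes "User.ReadWrite.All","AuditLog.Read.All","User.RevokeSessions.All"

$cutoff  = (Get-Date).AddDays(-30)
$exclude = @("breakglass@contoso.onmicrosoft.com")   # placeholder accounts to skip

$users = Get-MgUser -All -Property "id,userPrincipalName,accountEnabled,userType,createdDateTime,signInActivity"

$stale = foreach ($u in $users) {
    if (-not $u.AccountEnabled -or ($u.UserPrincipalName -in $exclude)) { continue }

    # Mail clients and mobile apps often refresh tokens without an interactive sign-in,
    # so consider both timestamps; users who have never signed in have neither.
    $dates = @($u.SignInActivity.LastSignInDateTime,
               $u.SignInActivity.LastNonInteractiveSignInDateTime) | Where-Object { $_ }
    $last  = if ($dates) { ($dates | Sort-Object -Descending)[0] } else { $u.CreatedDateTime }

    if ($last -lt $cutoff) {
        [pscustomobject]@{
            UPN          = $u.UserPrincipalName
            UserType     = $u.UserType          # Guest accounts show up here too
            LastActivity = $last
        }
    }
}

# Always review the report before acting on it.
$stale | Sort-Object LastActivity | Format-Table -AutoSize

# Disable and cut existing sessions. Comment this loop out for a report-only run.
foreach ($s in $stale) {
    Update-MgUser -UserId $s.UPN -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $s.UPN | Out-Null
    Write-Host "Disabled $($s.UPN) (last activity $($s.LastActivity))"
}
```

Accounts created less than 30 days ago but never used are treated as active here, using their creation date; shared and service accounts that never sign in interactively will appear in the report and should be handled deliberately rather than by the loop. Revoking sessions matters because disabling an account does not by itself invalidate tokens a client already holds.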
5. Have no more than five Global Administrators and no fewer than two
This step helps not only from a security perspective (by limiting who has complete access to all your Office 365 data, as mentioned in Step 1, and so limiting how many passwords an attacker can go after) but also by reducing the number of people making administrative changes to your platform, which reduces mistakes and downtime. Having at least two Global Administrators ensures you do not become locked out of your tenant if one account is lost, disabled or fails its MFA. Use the filter in 'Active Users' to show only 'Global Administrators', review the list, and add or remove the role as your needs require; anyone who only needs to manage Exchange, SharePoint or users should hold that narrower role instead.
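The following is an added example, not code from the original article, and it serves Step 1 and Step 5 together: it enumerates the current Global Administrators, warns when the count is below two or above five, and lists the non-password authentication methods each has registered so you can see at a glance who has nothing but a password. It assumes the Microsoft.Graph PowerShell module and the scopes requested below. A registered method only shows that MFA can be satisfied; enforcement comes from Conditional Access, security defaults or per-user MFA, and must be checked separately.

```powershell
# Added example (not part of the original article). Assumes the Microsoft.Graph module and
# the scopes below (reading authentication methods needs an admin role such as Global Reader).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All","UserAuthenticationMethod.Read.All"

# Get-MgDirectoryRole lists roles that have been activated in the tenant; Global Administrator
# always is. Only user members are counted here (service principals are excluded).
$role    = Get-MgDirectoryRole -All | Where-Object DisplayName -eq "Global Administrator"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

$count = @($members).Count
if ($count -lt 2)     { Write-Warning "Only $count Global Administrator(s): you risk being locked out." }
elseif ($count -gt 5) { Write-Warning "$count Global Administrators: reduce to five or fewer." }
else                  { Write-Host "$count Global Administrators (within the 2..5 range)." }

$report = foreach ($m in $members) {
    $methods = Get-MgUserAuthenticationMethod -UserId $m.Id

    # Every account has a password method; anything else is a usable second factor.
    # Typical values: microsoftAuthenticatorAuthenticationMethod, phoneAuthenticationMethod (SMS/call),
    # fido2AuthenticationMethod, softwareOathAuthenticationMethod, windowsHelloForBusinessAuthenticationMethod.
    $strong = @($methods |
        ForEach-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
        Where-Object { $_ -ne 'passwordAuthenticationMethod' })

    [pscustomobject]@{
        UPN        = $m.AdditionalProperties['userPrincipalName']
        HasMFA     = ($strong.Count -gt 0)
        Methods    = ($strong -join ', ')
        SmsOnly    = ($strong.Count -gt 0 -and -not ($strong | Where-Object { $_ -ne 'phoneAuthenticationMethod' }))
    }
}

# Accounts with HasMFA = False are the ones Step 1 is about; SmsOnly = True are the next to fix.
$report | Sort-Object HasMFA, SmsOnly -Descending | Format-Table -AutoSize
```

If you use Privileged Identity Management, eligible (not yet activated) assignments do not appear in the role's member list, so also review the eligible assignments before trusting the count.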
I hope the information in this article is useful. If you need any further assistance, feel free to get in touch.