So we’re going to jump straight into the main content of the webinar now and go through what we believe are the Office 365 and Endpoint Manager best practices. Like Andy mentioned, this is all based on the recommendations we make to customers we work with on a one-off basis, but it also forms a standard as part of our managed services as well. This information is all in a document, which is quite a large document because it is designed to give people enough information to go off and implement these policies. We’ll be providing this document after the webinar.
During this session we’re going to be going through some Office 365 tenant and some Azure AD best practices and baseline measures that we think everyone should have in place. One of those is conditional access policies, and we’re going to do a separate section to break them out even more because they are quite detailed, but they are still one of the baseline measures. We’re then going to go on and talk about Endpoint Manager and how it can help you with security, but more specifically what we recommend you do with it for both mobile and desktop devices.
The security baseline measures are broken down into two parts. First of all, we’ve got things that we think are definitely quick wins, which can be done with any licence, so you don’t need any additional licences, so anybody can do these reasonably quickly. The first thing we’d say is make sure you have MFA on administrator accounts. We recommend enabling MFA on all of your admin accounts. Off the back of that, ensure that you have a break glass account, or multiple break glass accounts, that are excluded from MFA but have complex usernames and complex passwords, which you use only in the event your multi-factor or second method of authentication is unavailable on one of your main accounts, so you don’t get locked out of your tenant.
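A way to check the first two points, as an added example that is not from the webinar or its accompanying document: list the members of a privileged Azure AD role and show which of them have only a password registered. It assumes the Microsoft Graph PowerShell SDK; the role name and the break glass account names are placeholders.

```powershell
# Added example (not from the webinar or its accompanying document).
# Lists members of a privileged Azure AD role and whether each has a
# non-password authentication method registered. Requires the
# Microsoft.Graph PowerShell SDK; the role name and the break-glass
# account names below are assumptions for illustration.
Connect-MgGraph -Scopes 'Directory.Read.All', 'UserAuthenticationMethod.Read.All'

$roleName   = 'Global Administrator'
$breakGlass = @('emergency-access-1@contoso.example', 'emergency-access-2@contoso.example')

# A user with nothing but a password shows only this method type
$passwordOnly = '#microsoft.graph.passwordAuthenticationMethod'

$role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
    $upn = $member.AdditionalProperties['userPrincipalName']
    if (-not $upn) { continue }   # skip groups and service principals

    $methods = Get-MgUserAuthenticationMethod -UserId $member.Id
    $strong  = $methods | Where-Object { $_.AdditionalProperties['@odata.type'] -ne $passwordOnly }
    $types   = ($strong | ForEach-Object {
        $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', ''
    }) -join ', '

    $status = if ($breakGlass -contains $upn) { 'break-glass account (MFA excluded by design)' }
              elseif ($strong)              { "MFA registered: $types" }
              else                          { 'NO MFA METHOD REGISTERED' }
    '{0,-45} {1}' -f $upn, $status
}
```

Any admin that is not a break glass account and reports no MFA method is the gap to close first; a break glass account that does report an MFA method is worth a second look, since it should be excluded deliberately, not by accident.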
If you’re syncing to Azure AD, ensure you’ve got a password policy in place: on premises if you’re synchronising, or in the cloud if not. Another one is restricting who can invite guests in your organisation. By default, anybody in your organisation can invite guests into your tenant. Most people won’t ever use this ability, so why not reduce the size of the attack surface and restrict who can get into your tenant.
Make sure you’ve got your DMARC, DKIM and SPF configured correctly, as this will vastly improve your email security. Another one that people might not be aware of is that Azure AD allows users to integrate third party SaaS applications with Office 365. A lot of the time people think that’s only being used for single sign on, so it might be people using things like Dropbox; we personally use things like Lucidchart and Draw.io, which are online applications that allow you to log in with Office 365. The danger of these third party apps is they’re not just using single sign on; they also potentially have access to your OneDrive and your users’ mailboxes. At an absolute minimum, configure it so it requires consent from an admin, so someone can still go in and click single sign on with a particular application but it will go to an admin for them to approve, or alternatively just completely restrict it. This is something we definitely recommend doing.
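“Configured correctly” is doing a lot of work in that sentence, so here is an added example (not from the webinar or its document) that checks SPF and DMARC records for the settings that most often leave them ineffective. The record strings are constructed samples; in practice you would pass in the TXT record returned by Resolve-DnsName. DKIM is not checked because its keys are published per selector, which you have to know in advance.

```powershell
# Added example (not from the webinar or its accompanying document).
# Flags weak SPF and DMARC settings. Sample records below are constructed.
function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=spf1(\s|$)') { return @('Not an SPF record') }
    $tokens = ($Record -split '\s+') | Select-Object -Skip 1
    # qualifier on the "all" mechanism decides what happens to unlisted senders
    $all = $tokens | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    switch -Regex ($all) {
        '^\+?all$' { $findings += 'Permissive +all: any host passes SPF' }
        '^\?all$'  { $findings += 'Neutral ?all: SPF gives no verdict' }
        '^~all$'   { $findings += 'Softfail ~all: spoofed mail is marked, not rejected' }
        default    { if (-not $all) { $findings += 'No all mechanism: unlisted senders are neutral' } }
    }
    # more than 10 DNS-querying terms makes evaluation a permerror
    $lookups = @($tokens | Where-Object {
        ($_ -replace '^[+\-~?]', '') -match '^(include:|a($|:|/)|mx($|:|/)|ptr|exists:|redirect=)' }).Count
    if ($lookups -gt 10) { $findings += "Exceeds 10 DNS lookups ($lookups)" }
    return $findings
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = @()
    if ($Record -notmatch '^v=DMARC1(\s|;|$)') { return @('Not a DMARC record') }
    $tags = @{}
    foreach ($pair in $Record -split ';') {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    switch ($tags['p']) {
        'none'       { $findings += 'p=none: failures are only reported, never blocked' }
        'quarantine' { }
        'reject'     { }
        default      { $findings += 'Missing or invalid p= tag' }
    }
    if ($tags.ContainsKey('pct') -and [int]$tags['pct'] -lt 100) { $findings += "Policy applied to only $($tags['pct'])% of mail" }
    if (-not $tags.ContainsKey('rua')) { $findings += 'No rua= address: no aggregate reports' }
    return $findings
}

$samples = [ordered]@{   # constructed sample records
    'spf_weak'     = 'v=spf1 include:spf.protection.outlook.com ~all'
    'spf_strong'   = 'v=spf1 include:spf.protection.outlook.com -all'
    'dmarc_weak'   = 'v=DMARC1; p=none; pct=50'
    'dmarc_strong' = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com'
}
foreach ($name in $samples.Keys) {
    $r = if ($name -like 'spf*') { Test-SpfRecord $samples[$name] } else { Test-DmarcRecord $samples[$name] }
    '{0,-13} {1}' -f $name, $(if ($r) { $r -join '; ' } else { 'OK' })
}
```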
The final quick win is to review your SharePoint and OneDrive external sharing settings. The number of customers we’ve dealt with where their SharePoint and OneDrive settings are set so anybody can share with anybody is probably the majority of them. I wouldn’t recommend that as a default setting for anyone.
The other baseline measures that we do for all of our managed service customers require additional licensing. This includes implementing tenant branding, so making sure your company logo is on your tenant sign-in screen. This helps people build an expectation of what to see when they log in, so by default they know what doesn’t look normal, in case they receive a phishing link etc.
By default, anybody can join any device to Azure AD, so you want to restrict that to make sure that only admins or members of a particular group can join.
Integrate self service password reset. If you’ve got a P1 plan it will be slightly more secure and also makes things more convenient for yourself or your IT support team. They can reset passwords via Office 365 by adding a couple more methods of authentication.
And then conditional access, which I’ll touch on further, and which we think is an absolute baseline if you want your tenant to be more secure. We’ll go through it in more detail, but in summary you effectively define policies at a tenant level that apply to every authentication that comes into your tenant; it reviews those authentication attempts and, using the conditions you set, determines whether to allow them or not. I will come to that shortly in a lot more detail.
So I just want to quickly show anyone who doesn’t know where to set the SharePoint and OneDrive external sharing settings, because I think it’s something you should take a look at. If you go into the Office 365 admin portal, on the left hand side click on SharePoint, then expand the Policies section on the left, and then go to Sharing. These are the settings, so this is basically what the default is. The settings are very self explanatory, but there are some extra ones such as limiting the domains that you want to allow users to share with, or allowing only users in a certain group to share externally. So that’s just where it is if you want to go in there and check those settings.
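The same settings can be read and changed from the SharePoint Online Management Shell, which is handy for auditing several tenants. This is an added example, not from the webinar or its document; the admin URL and partner domain are placeholders, and the tightened values are one reasonable choice rather than a prescription.

```powershell
# Added example (not from the webinar or its accompanying document).
# Reviews and tightens tenant-wide SharePoint/OneDrive external sharing
# with the SharePoint Online Management Shell. The admin URL and the
# partner domain are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Current tenant-wide settings. ExternalUserAndGuestSharing with
# AnonymousAccess default links is the "anybody can share with anybody" state
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList

# Tighten: external sharing only with authenticated guests (no "Anyone" links),
# new links default to internal and view-only, guests cannot re-share,
# and external sharing is limited to an allow-listed partner domain
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View `
              -PreventExternalUsersFromResharing $true `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example.com'

# A site can be more restrictive than the tenant but never more permissive.
# List sites still configured for anonymous links so their owners can be asked why
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```

The Get-SPOTenant output before and after the change is worth keeping as the evidence that the setting was reviewed, since the admin centre page shows only the current state.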