Top 10 Office365 Security Recommendations

It seems Microsoft’s Office365/Microsoft365 cloud service offerings have taken the world by storm. According to Statista in February of 2022, 46% of organizations worldwide are using this cloud service or a hybrid version of it.

Although improved security is one reason organizations turn to cloud-based services, many of the security features available in O365/M365 are not enabled by default. Mile High Cyber recommends these “Top 10” security configuration settings for organizations wanting to benefit from Microsoft’s built-in security features:

  1. Turn on auditing (or ensure it’s already on)

  2. Enforce Multi-factor Authentication (MFA) for all administrators, then all users

  3. Create separate administrator accounts for admin activities

  4. Set a strong password policy and identify banned passwords

  5. Specify failed lockout threshold and duration

  6. Add external email warning banner

  7. Configure DMARC/DKIM/SPF for email

  8. Disable user consent to apps

  9. Monitor logins, failed logins, and risky logins

  10. Configure security alerts for high-interest events
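Several of the items above can be verified from a read-only session rather than by clicking through the admin portals. The script below is an added example, not code from the original post or from Mile High Cyber; it checks items 1, 2, 7 and 8 and reports pass/fail per check. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed, that the signed-in account has read access to Exchange Online and the Graph scope `Policy.Read.All`, and that it runs on Windows (Resolve-DnsName comes from the DnsClient module). The function name `Test-TenantBaseline` and the helper `Add-Finding` are made up for this example.

```powershell
# Added example (not part of the original post): read-only checks for items 1, 2, 7 and 8.
# Assumes ExchangeOnlineManagement and Microsoft.Graph are installed and the caller has
# read access. Function and helper names below are chosen for this example only.
function Test-TenantBaseline {
    Connect-ExchangeOnline -ShowBanner:$false
    Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Item, [string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Item = $Item; Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Item 1: unified audit log ingestion must be on and mailbox auditing must not be disabled tenant-wide
    $auditCfg = Get-AdminAuditLogConfig
    Add-Finding 1 "Unified audit log ingestion enabled" ([bool]$auditCfg.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled=$($auditCfg.UnifiedAuditLogIngestionEnabled)"
    $orgCfg = Get-OrganizationConfig
    Add-Finding 1 "Mailbox auditing not disabled at org level" (-not $orgCfg.AuditDisabled) "AuditDisabled=$($orgCfg.AuditDisabled)"

    # Item 2: at least one enabled Conditional Access policy that requires MFA as a grant control
    $caMfa = @(Get-MgIdentityConditionalAccessPolicy | Where-Object {
        $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
    })
    Add-Finding 2 "Enabled Conditional Access policy requiring MFA" ($caMfa.Count -gt 0) (($caMfa.DisplayName) -join ', ')

    # Item 7: DKIM signing in Exchange Online, plus SPF and DMARC published in public DNS, per custom domain
    $domains = Get-AcceptedDomain | Where-Object { $_.DomainName -notlike '*.onmicrosoft.com' }
    foreach ($domain in $domains) {
        $name = $domain.DomainName

        $dkim = Get-DkimSigningConfig -Identity $name -ErrorAction SilentlyContinue
        Add-Finding 7 "DKIM signing enabled for $name" ([bool]$dkim.Enabled) "Enabled=$($dkim.Enabled)"

        # SPF: record must exist and must not end in the permissive +all / ?all qualifiers
        $txt = (Resolve-DnsName -Name $name -Type TXT -ErrorAction SilentlyContinue).Strings
        $spf = [string]($txt | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1)
        $spfOk = ($spf -ne '') -and ($spf -notmatch '[+?]all\s*$')
        Add-Finding 7 "SPF record for $name ends in -all or ~all" $spfOk $spf

        # DMARC: record must exist and the policy (p=) should be quarantine or reject, not none
        $dmarcTxt = (Resolve-DnsName -Name "_dmarc.$name" -Type TXT -ErrorAction SilentlyContinue).Strings
        $dmarc = [string]($dmarcTxt | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1)
        $policy = if ($dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'not published' }
        Add-Finding 7 "DMARC policy for $name is quarantine or reject" ($policy -in @('quarantine', 'reject')) "p=$policy"
    }

    # Item 8: no permission-grant policy assigned to the default user role means users cannot consent to apps
    $authz = Get-MgPolicyAuthorizationPolicy
    $grantPolicies = @($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned)
    Add-Finding 8 "User consent to apps disabled" ($grantPolicies.Count -eq 0) ($grantPolicies -join ', ')

    return $findings
}

# Usage: print one row per check, failures first
Test-TenantBaseline | Sort-Object Pass, Item | Format-Table -AutoSize
```

The DNS checks deliberately run against public DNS rather than the tenant, because SPF and DMARC only protect the domain if the records are what the rest of the world sees. A DMARC record with `p=none` will show as a failed check even though a record exists; that is intentional, since `p=none` only reports and does not instruct receivers to quarantine or reject spoofed mail.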

Finally, Mile High Cyber recommends organizations periodically review Microsoft’s “SecureScore” for ideas on additional security improvements, which are constantly changing (OK…that’s 11 security recommendations).

For help configuring your Office365 / Microsoft365 tenant or security testing/vulnerability assessment in general, contact us here.
