Microsoft accounts are targeted every day - they can be easy pickings when left in their default state, and with such a large proportion of businesses using them, attackers have plenty to aim at.
If one is compromised, your business data and your customers' data are exposed, and the account is frequently used as a stepping stone into further systems or, very often, to get at company money (invoice fraud and payment redirection being the usual route).
It's not difficult to secure your tenant, but it is something you have to do yourself - the 'out of the box' set up is not all that secure.
So here goes...
1. Global Admin
Global Admin is the all-powerful role, so it is the account that can do the most damage if compromised. Tick these off to secure it:
- Don't give any of your day-to-day accounts Global Admin access - it should be a separate, dedicated account used only for admin work
- Limit who has Global Admin. We'd recommend exactly two accounts, in case you lock yourself out of one! These should be strictly controlled and their credentials stored somewhere only the right people can reach
- Don't give it a licence - the Global Admin can do everything it needs to do without one, and an account with no mailbox can't be phished directly
- Use a long, randomly generated password - at least 12 characters mixing letters, numbers and symbols, kept in a password manager. This password must not be re-used anywhere else
- Make sure two factor authentication is enabled on every Global Admin account
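To check the points above rather than take them on trust, here is an added example (not from the original post) that lists every active Global Admin in the tenant and flags holders that break the checklist. It uses the Microsoft Graph PowerShell SDK; the Global Administrator role template ID is a fixed, well-known value, and the threshold of two accounts follows the recommendation above.

```powershell
# Added example: audit Global Admin holders against the checklist.
# Requires the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph).
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All"

# Role template ID of the built-in Global Administrator role - identical in every tenant.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"

# Note: this lists *active* assignments. If you use PIM, eligible (not yet activated)
# assignments won't appear here.
$holders = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id | ForEach-Object {
    # Members can be users, groups or service principals; only users are checked here.
    if ($_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { return }
    $u = Get-MgUser -UserId $_.Id -Property UserPrincipalName,AccountEnabled,AssignedLicenses,LastPasswordChangeDateTime,UserType
    [pscustomobject]@{
        UPN             = $u.UserPrincipalName
        Enabled         = $u.AccountEnabled
        Licensed        = ($u.AssignedLicenses.Count -gt 0)   # checklist says: should be False
        IsGuest         = ($u.UserType -eq 'Guest')           # an external account should never hold GA
        PasswordChanged = $u.LastPasswordChangeDateTime
    }
}

$holders | Format-Table -AutoSize

# Flag the checklist failures.
if ($holders.Count -gt 2) {
    Write-Warning "$($holders.Count) Global Admins found - the recommendation above is two dedicated accounts."
}
$holders | Where-Object Licensed | ForEach-Object {
    Write-Warning "$($_.UPN) holds a licence - a dedicated admin account doesn't need one (and a mailbox makes it phishable)."
}
$holders | Where-Object IsGuest | ForEach-Object {
    Write-Warning "$($_.UPN) is a guest account holding Global Admin - remove it."
}
```

A licensed Global Admin account whose UPN looks like a person's everyday login is usually the tell-tale that the first point on the list has been skipped.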
2. Login Screen
The default sign in screen for Office 365 and Azure online services is very easy to replicate, so it can be hard for your end users to tell a genuine login page from a fake one. This leaves the door wide open for phishing attacks.
You can customise the login screen with your company logo and brand colours (no extra cost on an Office 365 tenant) so it looks unique to your business, then teach your users to only log into pages that feature it - or at least to question it when it doesn't look familiar. Two caveats: the branding only appears after the username has been typed in, and a determined attacker who has seen your branded page can copy that too. So pair it with the one check that can't be faked: the address bar should read login.microsoftonline.com before anyone types a password.
3. Two Factor Auth
Use this on all your accounts. It's free and included with Office 365 and Azure tenants. This one feature can block more than 90% of attacks on your Microsoft tenant, because a stolen password alone is no longer enough to get in. It's a no brainer! One thing to be aware of: it only protects sign-ins that can actually prompt for the second factor, which is why blocking 'legacy authentication' (see section 4) goes hand in hand with it.
4. Conditional Access
This one will cost you an extra licence, as you'll need an Azure AD P1 licence for each user (it's bundled into Microsoft 365 Business Premium and the E3/E5 plans, so check before buying it separately). It's worth it, though. Conditional Access lets you apply policies that only allow logins under certain conditions. We'd recommend the following as a starting point, created in report-only mode first so you can see what they would have blocked before you enforce them:
- Enforce the requirement to use two factor auth (you can, if you like, not require it from certain locations like your business HQ - just bear in mind that anyone who gets onto that network then skips the prompt too).
- Deny logins from countries in which your business does not operate - you can lock out most of the world with this simple policy. It's a filter rather than a guarantee, since attackers can route through a VPN in an allowed country, but it removes a great deal of noise.
- Disable access from clients that use 'legacy authentication' - basic authentication over POP, IMAP, SMTP AUTH and Exchange ActiveSync, and Outlook 2010 or earlier. These protocols cannot prompt for a second factor, so if this is not done an attacker with a stolen password can simply bypass your two factor auth, leaving a gaping hole in your security.
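The three starter policies above, built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post. Every policy excludes the two dedicated Global Admin accounts from section 1 so a mistake can't lock you out of your own tenant, and every policy is created in report-only mode. The account object IDs and the country list (a UK-only business) are placeholders to replace with your own.

```powershell
# Added example: create the three recommended Conditional Access policies (report-only).
# Requires the Microsoft.Graph PowerShell SDK and an Azure AD P1 licence.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All"

# Assumption: object IDs of your two dedicated Global Admin (break-glass) accounts.
# Excluding them from every policy means a bad policy can't lock you out of the tenant.
$breakGlass = @("00000000-0000-0000-0000-000000000001",
                "00000000-0000-0000-0000-000000000002")

# Report-only first: sign-in logs show what *would* have happened. Switch to "enabled" after review.
$reportOnly = "enabledForReportingButNotEnforced"

# 1. Require MFA for every user, on every cloud app, from every client type.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA01 - Require MFA for all users"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. Block sign-ins from outside the countries you operate in.
#    First define the allowed countries as a named location (assumption: GB only).
$allowed = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("GB")
    includeUnknownCountriesAndRegions = $false   # unresolvable IPs are NOT treated as allowed
}
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA02 - Block sign-ins from outside allowed countries"
    state       = $reportOnly
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($allowed.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Block legacy authentication. "exchangeActiveSync" plus "other" covers the basic-auth
#    clients (POP/IMAP/SMTP AUTH, old Outlook) that can never satisfy an MFA prompt.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA03 - Block legacy authentication"
    state       = $reportOnly
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# Confirm what was created and that everything is still report-only.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only for a week or two, check the sign-in log for anything that would have been blocked that shouldn't have been (the legacy auth policy is the one that surfaces forgotten scanners and line-of-business apps), then change `state` to `"enabled"` one policy at a time.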
5. Audit logs
Often left off on older tenants, this is something we always check and turn on (newer tenants have it on by default, but confirm it rather than assume). There's no cost and you might never need it, but in the event you do, you'll be very pleased you turned it on - it only records from the moment it's enabled, and the standard retention is a few months, so it has to be running before the incident, not after.
The audit log tracks all the changes on your tenant, so you can see who has done what and from where. In the event of a compromise, or even a disgruntled employee, you can unpick what has been done: which mailboxes were opened, what rules were created, what was shared or downloaded.
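An added example (not from the original post) of both halves of this: confirming the unified audit log is switched on, then querying it the way you would after a compromise. It uses the Exchange Online PowerShell module; the account under investigation is a placeholder.

```powershell
# Added example: make sure the audit log is collecting, then use it to unpick what an account did.
# Requires the ExchangeOnlineManagement module (Install-Module ExchangeOnlineManagement).
Connect-ExchangeOnline

# Turn ingestion on if it isn't already. Check, don't assume.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Incident question: what did this account do in the last seven days?
# (5000 is the per-call maximum; use -SessionCommand ReturnLargeSet to page beyond it.)
$suspect = "jane.doe@example.com"   # assumption: the account you are investigating
$events  = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
                                  -UserIds $suspect -ResultSize 5000

# Each record carries its detail as JSON in AuditData; flatten the fields an investigator
# reaches for first into a timeline.
$timeline = $events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        Workload  = $_.RecordType
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
    }
} | Sort-Object Time

$timeline | Format-Table -AutoSize

# Inbox rule and mailbox changes are the classic sign that a compromised account is being
# used to hide replies or siphon off mail - surface those first.
$timeline | Where-Object Operation -in 'New-InboxRule','Set-InboxRule','UpdateInboxRules','Set-Mailbox' |
    Format-List

# Where did the sign-ins come from? A country you don't operate in is your answer to
# "was it really them?".
$timeline | Where-Object Operation -eq 'UserLoggedIn' |
    Group-Object ClientIP | Sort-Object Count -Descending | Select-Object Count, Name
```

If `Search-UnifiedAuditLog` returns nothing at all for an active user, ingestion was off for the period you asked about - which is exactly the situation this section is telling you to avoid.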
6. Password policy
Requiring frequent password changes is on by default (every 90 days), and you may be surprised to learn that we recommend you turn it off. Microsoft now even recommends this the first time you log into a new tenant! It used to be standard to make users change their password every 30 days or so, but all they would do is add a number, re-use old passwords, and maybe even write it down somewhere so they could keep track - so forced expiry made passwords weaker, not stronger. Turn it off and use all the above recommendations to secure your users properly instead; change a password when there's a reason to (a suspected compromise, a leak, a leaver), not on a calendar.
Don't re-use your password: your Microsoft password should be unique to your Azure and/or Office 365 account. If another of your accounts is compromised through poor security on some other service, you don't want that shared password to be the cause of a breach here - attackers try leaked credentials against Microsoft logins as a matter of routine.
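The weak default next to the corrected setting, as an added example that is not part of the original post. Password expiry is set per domain in Azure AD; the value 2147483647 is Microsoft's "never expires" sentinel. Microsoft Graph PowerShell SDK again.

```powershell
# Added example: show the current expiry setting on every domain, then switch off forced expiry.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

# The weak default: PasswordValidityPeriodInDays is 90 on a fresh tenant.
Get-MgDomain | Select-Object Id, IsVerified, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# The corrected setting: 2147483647 days means passwords never expire. Applied to every
# verified domain, since users may sign in under more than one.
Get-MgDomain | Where-Object IsVerified | ForEach-Object {
    Update-MgDomain -DomainId $_.Id -PasswordValidityPeriodInDays 2147483647
}

# Confirm.
Get-MgDomain | Select-Object Id, PasswordValidityPeriodInDays
```

If your identities are synchronised from on-premises Active Directory, the expiry policy that actually applies comes from the on-premises domain, and this setting is not what governs it.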