When your institution acquired Microsoft 365 (also known as M365 and formerly called Office 365), it automatically created a Microsoft tenant with Azure AD. Since that tenant belongs to your organization, you are responsible for managing Azure AD and its security settings. Microsoft Azure services enable various default features that could be incompatible with the security, identity, and compliance requirements of your institution. it’s essential to customize the settings in Azure AD, M365, and Exchange Online (or Azure AD Premium P1, Intune, and Azure Information Protection) to fit your organization’s needs.
Customizing Azure AD Defaults
- Security Defaults — Turn on security defaults to make it easier for your institution to thwart cyberattacks by using preconfigured security settings. (If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.)
- Password Policy — Configure the password policy applied to every user account that is created and managed directly in Azure AD. (Institutions with on-premises AD password policies governing password expirations should expect to manually synchronize their Azure AD password policy and their on-premises AD password policy.)
- Azure AD Device Registration — Prevent users from joining devices on their own and require multi-factor authentication (MFA) to register or join devices with Azure AD.
- Enterprise and Registered Apps — Keep non-administrator users from arbitrarily adding enterprise or registered applications, which can significantly increase risk. Afterwards, make sure to review every enterprise and registered application.
- External Collaboration — Restrict regular users from inviting guests for collaboration and keep guest users from signing into your apps and services with their own work, school, or social identities.
- Hybrid Identity with Password Hash Synchronization — Employ a hybrid identity architecture to synchronize users from on-premises Active Directory to Azure AD to minimize the number of identities users have across various platforms.
- Azure AD Administration Portal — Limit regular users’ ability to read data in the Azure AD Administration Portal.
- Administrator Review — Grant administrators only the specific permission they need to do their job and limit the number of static Global Administrator role assignments to fewer than five people.
- Partners – When working with Microsoft-certified solution providers (partners) to purchase and manage solutions for your institution, they could be granted Global/Helpdesk admin roles giving them delegated administrative capabilities to your Azure instance. Make sure to review all partners and their delegated rights regularly.
Altering M365 and Exchange Online Settings
In M365, you can customize a variety of settings. In OneDrive, SharePoint Online, and Teams, look at configuring external collaboration capabilities of users. For Exchange Online, there are many settings to review but one to start with is the current forwarding capabilities and settings for users both globally and per-user. Modifying or reviewing these settings is highly advisable since they are inherently designed to facilitate interaction and external collaboration. In addition, you can use the Protection Center to secure mobile devices that are connected to your Microsoft 365 organization; the Security Center to refine email management; the Compliance Center to implement an effective data retention policy; and the M365 Admin Center to enhance security with modern authentication, which encompasses MFA. (According to Microsoft, 99.9 percent of account compromises can be blocked with MFA.)
And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.
M365 Security Basics Solution
Once your institution has sufficient settings in place to support your policies, it is essential to monitor for exceptions with reporting and alerting features such as those provided with Safe Systems CloudInsight M365 Security Basics solution. Financial institutions that partner with Safe Systems can gain critical visibility into their security settings helping them successfully navigate the complexities of optimizing M365’s features..
For more information about how your institution can optimize Azure AD and O365/M365 settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”
The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.