Microsoft Office 365 is popular because of its mobility and collaboration features. In a cloud-hosted environment, however, security is the main concern, because new threats appear constantly, and your organization needs to use every tool at its disposal to protect its own and its customers' data.
This is why Office 365 offers built-in capabilities and customer controls that help customers meet compliance standards. Let's look at the security and governance features available across its major services.
Office 365 security and compliance features
1) Multi-factor authentication
Multi-factor authentication requires more than just a username and password. After users sign in with their username and password, they receive a second-factor prompt: a phone call, a text message or a notification in the Microsoft Authenticator app, depending on how the method is configured. They then answer the call, approve the notification or type the code from the text message into the browser. Phone calls and text messages are the weakest of these options, because phone numbers can be ported or intercepted, so prefer the app wherever users can install it.
MFA can be enabled on a user-by-user basis. For example, if you only want to enforce it for a particular group, such as executives or team leads, rather than for the entire organization, that takes only a few clicks.
IP addresses can be whitelisted (Azure MFA calls these trusted IPs), so that users are not prompted for a second factor while they are in the office and only see the prompt when connecting from somewhere else. Treat this as a convenience trade-off: anyone who gets onto the trusted network, or who compromises a machine on it, also skips MFA.
Multi-factor authentication is a free feature available on all Office 365 plans. If your organization has an Azure AD Premium plan or on-premises identity federation with Office 365, you can configure stronger second factors such as smart cards or biometrics through the federation server. Enabling multi-factor authentication takes only a few steps and is done from the Office 365 Admin center.
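The group-based rollout described above, done from PowerShell with the legacy per-user MFA settings in the MSOnline module. This is an added example, not code from the original article; it assumes MSOnline is installed, the session is connected as a Global Administrator, and a group named "Company Leads" exists (placeholder name).

```powershell
# Added example (not from the original article): per-user MFA for one group.
# Assumptions: MSOnline module installed, connected as Global Administrator,
# and a security group called "Company Leads" (placeholder) exists.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in

# A per-user MFA setting is an array of StrongAuthenticationRequirement objects.
# State "Enabled" asks the user to register at next sign-in; "Enforced" requires
# MFA immediately and breaks clients that lack modern authentication.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State = 'Enabled'
$mfa = @($req)

# Enable MFA for every direct user member of the target group.
$group = Get-MsolGroup -SearchString 'Company Leads' | Select-Object -First 1
if (-not $group) { throw 'Group "Company Leads" not found' }

Get-MsolGroupMember -GroupObjectId $group.ObjectId -All |
    Where-Object { $_.GroupMemberType -eq 'User' } |
    ForEach-Object {
        Set-MsolUser -UserPrincipalName $_.EmailAddress -StrongAuthenticationRequirements $mfa
        Write-Host "MFA enabled for $($_.EmailAddress)"
    }

# To remove the requirement again, pass an empty array:
#   Set-MsolUser -UserPrincipalName user@contoso.com -StrongAuthenticationRequirements @()

# The check a practitioner wants afterwards: which licensed accounts still have
# no MFA requirement at all?
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName, LastPasswordChangeTimestamp
```

Per-user MFA is the mechanism the article describes; tenants with Azure AD Premium should prefer enforcing MFA through Conditional Access (section 11), which is group-scoped by design and does not need a per-account flag.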
2) App passwords
An app password is a code that gives an app or device permission to access a user's Office 365 account. If you are using multi-factor authentication and want to use applications that cannot perform the MFA prompt, you need to create an Office 365 app password for each of them so that the app can still connect.
For example, older Outlook versions that do not support modern authentication, the Apple Mail app, some Skype for Business clients and other third-party clients all need an app password. Creating one is easy. Be clear about what it is, though: an app password is a second, long-lived credential that lets the client in without a second factor, so it weakens rather than strengthens MFA. Use it only for clients that genuinely cannot do modern authentication, and prefer updating or replacing those clients.
3) Office 365 Trust Center
Microsoft created a site called Office 365 Trust Center. It covers everything regarding security, including:
- Physical security: Can people walk in and out at data centers? How are the buildings physically secured?
- Logical security: How are servers configured? What kind of network security is applied? What kind of auditing is implemented?
- Data security: How is the actual data secured? If someone gains access to the database, are they able to read your data?
The site is published as the Microsoft Trust Center.
4) Role-Based Access Control
Role-Based Access Control (RBAC) is a feature designed to control administrative access to the different services across Office 365. It lets separate administrators manage individual services instead of the whole tenant.
The best example of such role-based access is the following: let's say you hire a SharePoint developer for a short period to design and customize your SharePoint sites. He needs admin-level access to the SharePoint admin center, which you can grant by assigning the SharePoint Administrator role, without giving an outsider control of the complete environment.
Below is a list of the admin roles available in Office 365:
- Global Administrator
- Billing Administrator
- Exchange Administrator
- SharePoint Administrator
- Password Administrator
- Skype for Business Administrator
- Compliance Administrator
- Service Administrator
- User Management Administrator
- Dynamics 365 Service Administrator
- Power BI Administrator
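The contractor scenario above, done from PowerShell with the MSOnline module, together with the two checks a practitioner wants: that the account holds only the role you intended, and who currently holds Global Administrator. This is an added example, not code from the original article; it assumes MSOnline is installed, the session is connected as a Global Administrator, and the contractor account sp.contractor@contoso.com (placeholder) already exists.

```powershell
# Added example (not from the original article): scoped admin rights for a contractor.
# Assumptions: MSOnline installed, connected as Global Administrator, and the
# placeholder account below already exists.
Import-Module MSOnline
Connect-MsolService

$contractor = 'sp.contractor@contoso.com'   # placeholder

# Role names in MSOnline differ from the portal labels; list them once.
Get-MsolRole | Select-Object Name, Description | Sort-Object Name

# "SharePoint Administrator" in the portal is "SharePoint Service Administrator" here.
Add-MsolRoleMember -RoleName 'SharePoint Service Administrator' -RoleMemberEmailAddress $contractor

# Verify the account holds only that role and nothing broader.
Get-MsolRole | ForEach-Object {
    $role = $_
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object { $_.EmailAddress -eq $contractor } |
        ForEach-Object { [pscustomobject]@{ Role = $role.Name; Member = $_.EmailAddress } }
}

# Periodic review: Global Administrator is named "Company Administrator" in MSOnline.
$ga = Get-MsolRole -RoleName 'Company Administrator'
Get-MsolRoleMember -RoleObjectId $ga.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType

# When the engagement ends, remove the role and block sign-in.
Remove-MsolRoleMember -RoleName 'SharePoint Service Administrator' `
    -RoleMemberType User -RoleMemberEmailAddress $contractor
Set-MsolUser -UserPrincipalName $contractor -BlockCredential $true
```

Keep the Global Administrator list short and review it on a schedule; every account on it is a full-tenant compromise waiting to happen if its credentials leak.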
5) Alert policies
In the Security & Compliance Center you can define alert policies that watch for specific activity on the portal. A policy names the activity (for example a document deletion or an external sharing operation), optional conditions such as the user involved or a threshold over a time window, and who should be notified. When a user performs an activity that matches the conditions the administrator set, an alert is raised and sent by email.
6) Office 365 Security Reports
Security reports are available in the Security & Compliance Center. They live in the Reports dashboard and give you a graphical view of how your policies are performing. You can view or download reports such as DLP policy matches, malware detections, spoof and spam detections and many others.
There is another category of reports, called Usage and Activity reports, which gives you data per service. They are available in the Office 365 Admin center.
7) Content search
The ability to search across data is increasingly important, and Microsoft now offers a lighter, quicker way to search across Office 365. Content Search can find data in individual or all Exchange mailboxes, SharePoint sites, OneDrive for Business locations and Skype for Business conversations.
This feature is helpful for locating a specific type of information stored or shared across the organization. For example, if a user has lost an important file that was once sent to someone by email, an administrator can recover it by searching all mailboxes for the attachment's name.
There are no limits on the number of content locations you can search, nor on the number of searches that can run at the same time. After you run a content search, the number of content locations and an estimated number of results are shown in the details pane on the Content search page. You can then preview the results, get keyword statistics for one or more searches, bulk-edit searches and export the results to a local computer. This feature is available in the Security & Compliance Center.
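The "lost attachment" scenario above, run with the Content Search cmdlets of the Security & Compliance Center PowerShell endpoint. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, the session is connected with Connect-IPPSSession as a member of the eDiscovery Manager role group, and the file name is a placeholder.

```powershell
# Added example (not from the original article): find a lost attachment across
# every mailbox and site with Content Search. Assumptions: ExchangeOnlineManagement
# installed, connected via Connect-IPPSSession with eDiscovery Manager rights;
# the file name is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$attachment = 'Q3-budget-final.xlsx'   # placeholder file name
$searchName = "Lost attachment $attachment $(Get-Date -Format 'yyyyMMdd-HHmm')"

# KQL query: match the attachment name in mail and the file name in SharePoint/OneDrive.
New-ComplianceSearch -Name $searchName `
    -ExchangeLocation All `
    -SharePointLocation All `
    -ContentMatchQuery "attachmentnames:`"$attachment`" OR filename:`"$attachment`""

Start-ComplianceSearch -Identity $searchName

# Searches run asynchronously; poll until the status is Completed.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} until ($search.Status -eq 'Completed')

"Estimated hits: $($search.Items) items, $($search.Size) bytes"

# Export the hits so the owner (or an investigator) can retrieve the file.
New-ComplianceSearchAction -SearchName $searchName -Export -Format FxStream
```

Searching other people's mailboxes is itself a sensitive action; the search creation and export are written to the audit log (section 8), so expect to be able to answer who searched for what and when.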
8) Audit log search
In large organizations it is a common requirement to track user and administrator actions across the services. Whether it is an administrator going rogue or a regular user deleting an important business document, both are harmful to the organization. While there are many ways to restrict and control access to Office 365, it is still important to have an audit log with this information. This is where Audit log search in the Office 365 Security & Compliance Center comes into the picture.
Auditing covers almost all major services and actions in Office 365: editing, uploading and deleting documents in SharePoint, OneDrive and Group sites, mailbox permission changes and mailbox activity, and user creation through deletion. You can search the log in the Security & Compliance Center, and more granular queries are possible via PowerShell. Two practical caveats: unified audit logging must be switched on before you need it, since nothing is recorded retroactively, and the log is retained for a limited period (90 days on standard plans), so export what you must keep longer.
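Both cases named above, the user deleting documents and the administrator changing role membership, queried from PowerShell with Search-UnifiedAuditLog. This is an added example, not code from the original article; it assumes the ExchangeOnlineManagement module is installed, the session is connected with Connect-ExchangeOnline, unified audit logging is turned on, and the user name is a placeholder.

```powershell
# Added example (not from the original article): audit log queries for the two
# scenarios in the text. Assumptions: ExchangeOnlineManagement installed,
# connected via Connect-ExchangeOnline, unified audit logging enabled, and
# alice@contoso.com is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$user  = 'alice@contoso.com'   # placeholder
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Case 1: document deletions by one user in the last week.
# A single call returns at most 5000 records, so page through with a session id.
$records   = @()
$sessionId = "delete-hunt-$([guid]::NewGuid())"
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $user `
        -Operations FileDeleted, FileDeletedFirstStageRecycleBin, FileRecycled `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON blob; pull the fields an investigator actually wants.
$records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Workload  = $d.Workload
        Item      = $d.ObjectId
    }
} | Sort-Object Time | Format-Table -AutoSize

# Case 2: the rogue-admin check. Azure AD operation names carry a trailing period.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectory -Operations 'Add member to role.' |
    Select-Object CreationDate, UserIds, Operations
```

For anything you want to keep beyond the retention window, schedule an export of the raw AuditData to a SIEM or immutable storage; the log itself is not the long-term record.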
9) Azure AD Connect and single sign on
Azure Active Directory provides access control and identity management for Office 365 cloud services. Azure AD Connect synchronizes on-premises Active Directory objects to Office 365, which gives your users a common identity for Office 365, Azure and the SaaS applications integrated with Azure AD.
Azure AD Connect has three main components: Sync Services, AD FS and Health Monitoring. Sync Services replaces the old DirSync tool and replicates on-premises Active Directory users and groups to the cloud. AD FS is an optional component used to federate the on-premises directory with Office 365 in a hybrid setup; features such as single sign-on, sign-on policies and smart-card authentication become available once federation is in place. The Health Monitoring component lets you watch the on-premises directory and the synchronized objects through the Azure AD Connect Health portal. Remember that the server running Azure AD Connect holds credentials for both directories, so treat it as a tier-0 asset with the same protection as a domain controller.
10) Mobile device management via Intune
Intune is Microsoft's mobile device and mobile application management solution. It is typically available as part of the Enterprise Mobility + Security licensing bundle. Intune lets you manage employee mobile devices and apps from a single dashboard across Android, iOS and Windows devices. It also lets you centrally manage the deployment of updates and applications to keep your workers productive. Key features of Intune are:
- Protect your company information by helping to control the way your workforce accesses and shares it.
- Manage the mobile devices your workforce uses to access company data.
- Manage the mobile apps your workforce uses.
- Ensure devices and apps are compliant with company security requirements.
- Apply conditional access policies so users can follow organization-based access policies even when they are not on the office premises.
11) Conditional access via Azure AD
Azure Active Directory (Azure AD) enforces conditional access policies to help secure access to Office 365 services. A policy evaluates the conditions you define for a sign-in (group membership, location, device platform, client application and so on) and then applies a control: grant access, require multi-factor authentication, require a device that is enrolled in and compliant with a mobile device management system such as Microsoft Intune, or block access outright. For example, you can block a user on a noncompliant device from reaching an Office 365 service, or require MFA plus an enrolled device before anyone touches your organization's sensitive services. Requiring MFA this way helps protect against stolen and phished credentials, and the device requirement keeps company data off unmanaged machines. Only after the controls for every matching condition are satisfied is the user signed in and able to reach the application.
Policies are applied on the Mobile Platforms, Applications, and Browsers below:
- Windows domain-joined & Windows 10 Mobile work or personal devices
- Windows 7
- Windows 8 / 8.1
- Windows 10
- Windows Server 2008 R2
- Windows Server 2012 R2
- Windows Server 2016
- Windows Phone
- iOS and Android devices
- macOS
- Internet Explorer
- Chrome Browser
- Safari Browser
- Edge Browser
Conditional access requires an Azure AD Premium (P1 or higher) subscription.
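The policy described above (MFA plus an Intune-compliant device for every cloud app), created from PowerShell with the AzureADPreview module. This is an added example, not code from the original article; it assumes AzureADPreview is installed, the session is connected as a Global Administrator, the tenant has Azure AD Premium P1, and breakglass@contoso.com is a placeholder for an emergency-access account.

```powershell
# Added example (not from the original article): Conditional Access policy
# requiring MFA AND a compliant device for all cloud apps. Assumptions:
# AzureADPreview installed, connected as Global Administrator, Azure AD Premium
# P1 licensed, and breakglass@contoso.com is a placeholder emergency account.
Import-Module AzureADPreview
Connect-AzureAD

$breakGlass = (Get-AzureADUser -ObjectId 'breakglass@contoso.com').ObjectId   # placeholder

# Conditions: every application, every user, except the emergency-access account.
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = 'All'
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeUsers = 'All'
# Always exclude a break-glass account so a policy mistake cannot lock every admin out.
$conditions.Users.ExcludeUsers = $breakGlass
# Location and device platform are further conditions; unset here so the policy applies everywhere.

# Controls: both MFA and a compliant (Intune-enrolled) device are required.
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = 'AND'
$controls.BuiltInControls = @('mfa', 'compliantDevice')

# Start in report-only mode, review the sign-in log for would-be blocks, then set State to "enabled".
New-AzureADMSConditionalAccessPolicy -DisplayName 'Require MFA and compliant device for all apps' `
    -State 'enabledForReportingButNotEnforced' `
    -Conditions $conditions `
    -GrantControls $controls

# Confirm what was created.
Get-AzureADMSConditionalAccessPolicy | Select-Object DisplayName, State
```

Report-only mode is not optional hygiene: a policy that targets all apps and all users, enforced on first save, can lock out the administrator who created it. Review the sign-in report until the would-be blocks look right, then flip the state.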
12) Office 365 Advanced Reporting via Azure AD
To look for unusual or suspicious sign-in activity in your Office 365 organization, use the sign-in and activity reports in Azure AD. They show how your environment is doing and, more interestingly, flag irregular sign-in behavior based on the geolocation of the client IP address. If an account signs in from somewhere far from its usual location, say 1000 miles away, the sign-in is recorded in the report with the IP address, device type and other details, and the administrator can be notified by email. Because the location comes from IP geolocation, VPN exits and mobile carrier gateways produce false positives, so treat a flag as a prompt to investigate rather than proof of compromise.
The provided data enables you to:
- Determine how your apps and services are utilized by your users
- Detect potential risks affecting the health of your environment
- Troubleshoot issues preventing your users from getting their work done
There are two types of activity reports in Azure Active Directory:
Audit logs: the audit log report gives you the history of every task performed in your tenant.
Sign-ins: the sign-in report tells you who performed the tasks listed in the audit log, and from where and which device.
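The "far from the usual location" rule applied offline to a handful of sign-in records, so you can see what the report is flagging and tune the threshold for your own data. This is an added example, not code from the original article or Microsoft's implementation; the records are constructed for the example, the IP addresses are documentation ranges, and the 1000-mile threshold is the figure from the text, not a product setting.

```powershell
# Added example (not from the original article): atypical-location detection
# over sign-in records. The sample records are constructed; the threshold is
# the article's 1000-mile figure, not a product setting.
function Get-DistanceMiles {
    param([double]$Lat1, [double]$Lon1, [double]$Lat2, [double]$Lon2)
    # Haversine great-circle distance in miles.
    $r    = 3958.8
    $toRad = [math]::PI / 180
    $dLat = ($Lat2 - $Lat1) * $toRad
    $dLon = ($Lon2 - $Lon1) * $toRad
    $a = [math]::Sin($dLat / 2) * [math]::Sin($dLat / 2) +
         [math]::Cos($Lat1 * $toRad) * [math]::Cos($Lat2 * $toRad) *
         [math]::Sin($dLon / 2) * [math]::Sin($dLon / 2)
    return 2 * $r * [math]::Asin([math]::Sqrt($a))
}

function Find-AtypicalSignIns {
    param([object[]]$SignIns, [double]$ThresholdMiles = 1000)
    # Baseline per user = the city they sign in from most often.
    $SignIns | Group-Object UserPrincipalName | ForEach-Object {
        $usual = ($_.Group | Group-Object City | Sort-Object Count -Descending | Select-Object -First 1).Group[0]
        foreach ($s in $_.Group) {
            $miles = Get-DistanceMiles $usual.Lat $usual.Lon $s.Lat $s.Lon
            if ($miles -gt $ThresholdMiles) {
                [pscustomobject]@{
                    User           = $s.UserPrincipalName
                    Time           = $s.Time
                    IPAddress      = $s.IPAddress
                    City           = $s.City
                    Device         = $s.Device
                    MilesFromUsual = [math]::Round($miles)
                }
            }
        }
    }
}

# Constructed sample: four sign-ins from Seattle and one from Lagos on the same day.
$sample = @(
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; Time=[datetime]'2017-06-12T08:02:00'; IPAddress='203.0.113.10'; City='Seattle'; Lat=47.61; Lon=-122.33; Device='Windows 10' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; Time=[datetime]'2017-06-12T09:15:00'; IPAddress='203.0.113.10'; City='Seattle'; Lat=47.61; Lon=-122.33; Device='Windows 10' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; Time=[datetime]'2017-06-12T13:40:00'; IPAddress='203.0.113.22'; City='Seattle'; Lat=47.61; Lon=-122.33; Device='iOS' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; Time=[datetime]'2017-06-12T14:05:00'; IPAddress='198.51.100.77'; City='Lagos';   Lat=6.52;  Lon=3.38;    Device='Android' }
    [pscustomobject]@{ UserPrincipalName='alice@contoso.com'; Time=[datetime]'2017-06-12T17:30:00'; IPAddress='203.0.113.10'; City='Seattle'; Lat=47.61; Lon=-122.33; Device='Windows 10' }
)

# Flags only the Lagos sign-in, roughly 7500 miles from Seattle.
Find-AtypicalSignIns -SignIns $sample | Format-Table -AutoSize
```

In a real investigation, pair the distance with the time gap between the two sign-ins: Seattle at 13:40 and Lagos at 14:05 is physically impossible, which is the stronger signal than distance alone.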
13) Microsoft Advanced Threat Analytics
Advanced Threat Analytics is meant to help businesses detect targeted attacks by automatically analyzing, learning and identifying normal and abnormal behavior.
Microsoft ATA can identify advanced persistent threats, as well as other malicious activity, better than traditional defenses because it continuously learns how users, devices and network resources interact, and it detects when those patterns change.
Be clear about what ATA is: an on-premises product that inspects domain controller traffic and Windows event logs for attacks against Active Directory identities, such as reconnaissance, pass-the-hash, pass-the-ticket and lateral movement. It is not the service that filters malicious links and attachments in email; that is Office 365 Advanced Threat Protection (Safe Links and Safe Attachments), a separate add-on. In a hybrid environment the two complement each other: ATA watches the on-premises directory that Azure AD Connect synchronizes to the cloud.
14) Password policy
Every user account that signs in to Office 365 must have a unique user principal name (UPN), the login ID, associated with it. Cloud password restrictions are listed below:
- 8 characters minimum and 16 characters maximum (Azure AD has since raised the maximum to 256)
- Strong passwords only, meaning 3 of the following 4 character classes:
  - Lowercase characters
  - Uppercase characters
  - Numbers (0-9)
  - Symbols
You can set password expiration to match your company policy, either via PowerShell or from the Security & privacy settings in the Office 365 Admin center. Note that these rules apply only to cloud-managed accounts; for accounts synchronized from on-premises Active Directory, the on-premises domain policy applies. Microsoft's own current guidance is that forced periodic expiration adds little and nudges users toward predictable passwords, so pair any expiry policy with MFA rather than relying on it alone.
After 10 unsuccessful sign-in attempts (wrong password), the account is locked out for one minute; further incorrect attempts lengthen the lockout. This smart lockout makes brute forcing a single account impractical, but it does not stop password spraying, where an attacker tries one common password across many accounts, which is another reason MFA matters.
These are just some of the security and governance features that we find useful in Office 365. Do you have any features to add?