What our M365 Security Assessment Does
Clients often engage us to run our Microsoft 365 Security Assessment (often called an Office 365 security assessment because of previous product names) to help identify threats in their M365 environment. We thought it would be helpful to highlight this process and answer some questions regarding the service, scope, and common findings and issues.
Licensing
Our first step is understanding the scope of the environment. We often send a configuration survey prior to our first call or ask questions during the discovery process. This helps us understand the security capabilities of the organization, as certain features and controls are not available on certain license plans like Business Standard or Exchange Online. Understanding the number of licensed users and the provisioned licenses also helps us understand the needs of an organization. While security is important across all organizations, larger organizations will often have a harder time with manual processes and will likely need to leverage automation to achieve comprehensive security controls.
Migration History
In our experience, depending on when the tenant was created, there are often remnants or features present that differ from other organizations. As reflected in Microsoft documentation, tenants that were migrated before October of 2019 may not have baseline configurations available, such as:
- Enforcing Azure Multi-Factor Authentication registration for all users
- Forcing Administrators to use Multi-Factor Authentication
- Blocking legacy authentication protocols
- Requiring all users to perform Multi-Factor Authentication when needed
- Protecting privileged access
This can help us understand the “health” of a tenant and the likely starting point for the security defaults and likely areas of improvement.
Company Policy
One crucial point of managing Microsoft security is understanding company policy and expectations. If the organization has not made a conscious effort to pursue a company-wide MFA effort for all users, it is unlikely to be enabled. We look to understand if there is an expectation of MFA for all users, device enrollment for Microsoft 365 apps, and policies on sharing data with external parties to help understand the controls.
Bringing It Together
After understanding a bit about the environment, we look to have discussions about configurations in the environment such as managing user accounts, conditional access / MFA requirements, external access for Teams and OneDrive, and many other areas of the platform. Understanding the environment is crucial to tailoring a comprehensive security review that’s unique to the environment. A couple of our most common findings are disabling access to shared mailboxes and creating separate administrator accounts from the default administrator account. Here is an excerpt from our report regarding separate administrator accounts:
Privileged access should not be assigned to the default account. For example, if John Doe is the admin for the account he should possess a john.doe@company.com and an admin.jdoe@company.onmicrosoft.com account. Similar to network, need two accounts, one for admin and one for non-admin. Go into M365 and create a new admin account as onmicrosoft.com.
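One way to test an account inventory against the finding quoted above and the administrator MFA baseline listed earlier. This is an added example, not code from the original post or the report; the record fields (`owner`, `upn`, `roles`, `mfa_registered`) and the sample rows are constructed assumptions about how a tenant export might look.

```python
from collections import defaultdict

# Constructed sample export; field names and rows are assumptions for this example.
ACCOUNTS = [
    {"owner": "John Doe", "upn": "john.doe@company.com",
     "roles": ["Global Administrator"], "mfa_registered": True},
    {"owner": "Jane Roe", "upn": "jane.roe@company.com",
     "roles": [], "mfa_registered": True},
    {"owner": "Jane Roe", "upn": "admin.jroe@company.onmicrosoft.com",
     "roles": ["Exchange Administrator"], "mfa_registered": False},
    {"owner": "Sam Poe", "upn": "admin.spoe@company.onmicrosoft.com",
     "roles": ["User Administrator"], "mfa_registered": True},
]


def audit(accounts, admin_suffix=".onmicrosoft.com"):
    """Return sorted (upn, finding) pairs for the separate-admin-account rule."""
    findings = set()
    by_owner = defaultdict(list)
    for acct in accounts:
        by_owner[acct["owner"]].append(acct)
        if not acct["roles"]:
            continue  # only accounts that hold a directory role are checked below
        # UPNs are case-insensitive, so compare the domain in lower case.
        domain = acct["upn"].rpartition("@")[2].lower()
        if not domain.endswith(admin_suffix):
            findings.add((acct["upn"], "privileged role on daily-use account"))
        if not acct.get("mfa_registered", False):
            findings.add((acct["upn"], "admin without MFA registration"))
    # "Two accounts, one for admin and one for non-admin": flag any person
    # whose every account carries a privileged role.
    for accts in by_owner.values():
        privileged = [a for a in accts if a["roles"]]
        if privileged and len(privileged) == len(accts):
            for a in privileged:
                findings.add((a["upn"], "owner has no separate non-admin account"))
    return sorted(findings)


if __name__ == "__main__":
    for upn, finding in audit(ACCOUNTS):
        print(f"{upn}: {finding}")
```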
Many of the findings are operational or policy-based rather than true technical implementations. While not as simple as checking boxes, simply working with the team and discussing proper practice helps close major gaps in cloud security.
Want to know how we can help?
Get in touch today and mention this post!