(Originally published Dec 2022)
While Microsoft 365 is a transformative suite of tools for productivity, there’s no denying its potential impact on security. Ever-increasing complexity and sprawl make misconfiguration more likely, oversight more challenging, and your attack surface only grows over time.
But what are the most significant security risks associated with Microsoft 365 – and what can you do to mitigate those risks effectively?
Securing your Microsoft 365 environment starts by understanding the most significant risks you face and the vectors attackers are most likely to exploit.
According to Gartner, 99% of all security breaches are the result of misconfiguration. Even if you have a robust set of policies to govern Microsoft 365, the slow, repetitive nature of manual configuration makes it easy for something to be overlooked. Human error is behind many of the critical misconfigurations we see most often.
Conditional Access policies
Conditional Access policies in Entra are used to secure access to applications and services based on specific conditions such as user role, location and device state. If misconfigured, these policies could expose sensitive data to unauthorized users.
Cross-tenant access and external identity management
Effective collaboration depends on external users being able to access your resources, but this is a hotspot for misconfiguration. If your cross-tenant access settings are too permissive, a malicious actor from an external organization could extract confidential information and gain wider access.
Device compliance and configuration
The proliferation of devices that could potentially be used to access your network and resources poses a major security risk. Misconfigured devices or policies that determine access could introduce malware or other vulnerabilities into your network.
Password reset and expiration policies
Regularly resetting passwords is a fundamental best practice in security, but most users need to be prompted to cycle passwords with an expiration message. Misconfigured expiration policies lead to stale passwords which, if used across multiple accounts, could be vectors for attacks.
Advanced Threat Protection (ATP) management
ATP monitors and protects against sophisticated malware. When ATP is misconfigured, you could be vulnerable to cyberattacks and data breaches, including sophisticated phishing attacks that escalate to your critical systems.
Mobile Application Management (MAM)
MAM policies control how your data is accessed and managed on mobile devices, allowing for secure access. If misconfigured, MAM could lead to unauthorized access through mobile devices, risking data leakage and security breaches.
Changes to AD Groups
Active Directory (AD) groups are the heart of resource security; a user’s group memberships determine what applications and resources (such as file shares) they can access. This means changes in group attributes can have serious security consequences.
AD groups are much more complex in Microsoft 365 than in a typical local implementation, so monitoring for important changes is even more important.
Changes in roles
Roles determine what a user can do within each application or resource. Over time, a given user may accumulate different roles; many organizations are good at adding roles as needed but not at removing roles that are no longer necessary. If a hacker compromises an account with excessive roles, they get widespread access to multiple parts of your environment.
It's also important to monitor changes to the roles themselves. An ordinary user role that suddenly has elevated administrative privileges is a clear indication that something is wrong.
Failed login attempts
Users mistype their passwords all the time, but rarely hundreds of times in a row. Microsoft 365 logs failed login attempts, but these should be regularly monitored for the potential signs of a brute-force attempt to breach your security.
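The failed-login monitoring described above, as an added PowerShell example that is not part of the original article: it reads UserLoginFailed events from the Microsoft 365 unified audit log through the ExchangeOnlineManagement module (assumed installed, with a role that can read the audit log) and groups them to surface both brute-force and password-spray patterns. The two thresholds are assumed starting values to tune for your tenant.

```powershell
# Added example (not from the original article): pull the last 24 hours of failed sign-ins
# from the unified audit log and surface brute-force and password-spray patterns.
# Assumes the ExchangeOnlineManagement module and an audit-reading role; the thresholds
# are assumed starting points to tune for your tenant.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddHours(-24)

# UserLoginFailed is the Entra ID sign-in failure operation recorded in the unified audit log.
# -ResultSize caps at 5000 per call; page with -SessionCommand ReturnLargeSet on busy tenants.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations UserLoginFailed -ResultSize 5000

$failures = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{ User = $d.UserId; ClientIP = $d.ClientIP; Time = $d.CreationTime }
}

$bruteForceThreshold = 50   # many failures against one account from one IP
$sprayThreshold      = 20   # one IP failing against many distinct accounts

"== Possible brute force (account + source IP) =="
$failures | Group-Object User, ClientIP |
    Where-Object { $_.Count -ge $bruteForceThreshold } |
    ForEach-Object {
        [pscustomobject]@{ User = $_.Group[0].User; ClientIP = $_.Group[0].ClientIP; Failures = $_.Count }
    } | Sort-Object Failures -Descending | Format-Table -AutoSize

"== Possible password spray (source IP across accounts) =="
$failures | Group-Object ClientIP |
    ForEach-Object {
        [pscustomobject]@{
            ClientIP = $_.Name
            Accounts = ($_.Group.User | Sort-Object -Unique).Count
            Failures = $_.Count
        }
    } | Where-Object { $_.Accounts -ge $sprayThreshold } |
    Sort-Object Accounts -Descending | Format-Table -AutoSize
```

Run it on a schedule and alert on non-empty output; a few hundred failures spread thinly across many accounts from one IP is the spray shape that per-account lockout thresholds alone will miss.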
Accessing non-owned email accounts
As a rule, no user should be able to access another user’s email account. However, system administrators often have elevated privileges that enable them to access a wide variety of email accounts.
If this is the case, each administrative account should be tied to an individual user and their activities must be closely monitored.
Inbound message forwarding
Users would rarely have a need to forward all incoming emails to an external address, but this is a common tactic for hackers who can access a compromised account.
Monitoring for these forwarding changes to an account is an effective way to spot the signs of a breach earlier.
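One way to run the forwarding check described above, as an added PowerShell example that is not part of the original article: it walks every mailbox through the ExchangeOnlineManagement module (assumed installed, with a role that can read mailboxes and inbox rules), reports mailbox-level forwarding and any inbox rule that forwards or redirects, and marks targets outside the tenant. The domain list contains a placeholder; replace it with your own accepted domains.

```powershell
# Added example (not from the original article): list every mailbox-level forward and
# every inbox rule that forwards/redirects mail, marking targets outside the tenant.
# Assumes the ExchangeOnlineManagement module; 'contoso.com' is a placeholder domain.
Connect-ExchangeOnline

$internalDomains = @('contoso.com')   # placeholder: replace with your accepted domains
$findings = [System.Collections.Generic.List[object]]::new()

function Test-ExternalAddress {
    param([string]$Address)
    # Targets appear as "smtp:user@domain", "Name [SMTP:user@domain]" or a bare address;
    # anything without an '@' (e.g. an internal recipient identity) is treated as internal.
    if ($Address -match '@([^\]>\s]+)') {
        return ($internalDomains -notcontains $Matches[1].ToLower())
    }
    return $false
}

function Add-Finding([string]$Mailbox, [string]$Source, [string]$Target) {
    $findings.Add([pscustomobject]@{
        Mailbox  = $Mailbox
        Source   = $Source
        Target   = $Target
        External = Test-ExternalAddress $Target
    })
}

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding (set by an admin, or by an attacker holding admin rights).
    if ($mbx.ForwardingSmtpAddress) { Add-Finding $upn 'MailboxForwarding' "$($mbx.ForwardingSmtpAddress)" }
    if ($mbx.ForwardingAddress)     { Add-Finding $upn 'MailboxForwarding' "$($mbx.ForwardingAddress)" }

    # 2. Inbox rules that forward or redirect: the usual post-compromise persistence tactic.
    foreach ($rule in Get-InboxRule -Mailbox $upn) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in ($targets | Where-Object { $_ })) {
            Add-Finding $upn "InboxRule:$($rule.Name)" "$t"
        }
    }
}

# External targets first: those are the ones that need an explanation from the mailbox owner.
$findings | Sort-Object External -Descending | Format-Table -AutoSize
```

Get-InboxRule is called once per mailbox, so the sweep is slow on large tenants; keep the previous run's output and diff against it so that newly created forwarding stands out.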
Creating or deleting teams
Creating a new team in Microsoft Teams automatically creates new AD groups that control user access to that team site. It’s important to know how these team sites are being used and what changes are made to the associated groups.
Groups that are accidentally modified or deleted can have crippling effects on users’ ability to collaborate.
Guest access
An important feature of Microsoft Teams is the ability to share content with people outside the organization. While there are compelling business reasons for enabling this guest access, the creation of guest accounts should be monitored to prevent external access to confidential information.
Sharing files and anonymous links
Microsoft OneDrive and SharePoint enable the sharing of files and folders to both internal and external users.
While users must be careful to avoid making sensitive resources available to anonymous external users, admins can also block anonymous access to specific content.
Resource creation
Several applications in the Microsoft 365 ecosystem create resources automatically. For example, creating a Microsoft Teams site creates a group calendar and mailbox, a SharePoint site for storing and collaborating on files, and more.
Monitoring automatic and manual resource creation is critical for both resource management and security reasons.
Application changes
Changes to applications, such as changing services, adding or changing application role assignments, and adding or changing application user passwords, can compromise security or even stop an application from functioning altogether.
It’s also a good idea to stay on top of app permissions and API access, especially in light of the Midnight Blizzard incident.
With so many distinct risks across your Microsoft 365 tenant, it can be difficult to know where to begin. To help, here are some key security strategies that every organization should prioritize:
As you strive to embed these strategies, a best practice approach to security will cover eight key areas:
Users are always on the frontlines of security and implementing best practices around identity and access management is an effective way to reduce your risk. From basic password hygiene to multi-factor authentication, these are the fundamentals of keeping your systems and data safe.
Keep your sensitive data safe by implementing sensitivity labels, establishing clear policies for sharing, and encrypting data where relevant. You will also need a structured approach to redundancy and backups to make sure your critical data is always available.
Visibility is a crucial part of your Microsoft 365 security posture. Beyond enabling audit logs and alerts, you need efficient, realistic ways to parse all that data and use it to inform your policies and improvements. Continuous monitoring and analysis are key.
To control the myriad of devices users may bring into your network, implement processes to regularly update and review device compliance. Common security controls on mobile devices include remote lock and wipe functionality.
A huge number of modern hacks begin with an email. Phishing is a leading attack vector and the more users you have, the bigger that attack surface grows. Effective email security and best practices are key, from securing shared mailboxes to disabling auto-forward functionality.
The collaborative nature of Microsoft Teams means it’s easy for channels and groups to spiral out of control. Common strategies for improving Teams security include restricting public teams groups, assigning an owner to every group, and monitoring or removing inactive Teams groups.
Often sitting between your internal users and external collaborators, OneDrive and SharePoint need special attention when it comes to security. We recommend regularly reviewing and cleaning up inactive sites and drives, as well as enforcing sensitivity labels to automate stricter controls on your most sensitive data.
Finally, user adoption and training is a factor in Microsoft 365 security that’s often overlooked. While technical controls are important, they’re no substitute for training users on appropriate usage, your policies, and the most common forms of attack.
Start improving your Microsoft 365 security posture today with our comprehensive security checklist. With strategic ideas and practical steps you can take across your environment, it’s an excellent way to benchmark your current position and make targeted improvements.
Microsoft offers several distinct security tools and features designed to provide a baseline of protection for Microsoft 365 users and enterprises. These include Microsoft Defender, Microsoft Sentinel and Microsoft Secure Score.
Microsoft Defender primarily provides filtering for Microsoft 365 email and Microsoft Teams. Underpinned by AI, Defender protects against phishing, email compromise, ransomware, and other threats by checking link and attachment safety and enforcing your anti-phishing policies.
Admins can also access real-time reports to understand threats, analyze them, and use those insights to support decision making and remediation.
Microsoft Secure Score is a framework designed to promote good security practices inside Microsoft 365. From a dashboard within Microsoft Defender, you can follow a structured process for improving your security posture, then see how you’re doing with a simple percentage score. While this provides a good at-a-glance view of your security, it is by no means exhaustive and requires a lot of manual handling.
Microsoft Sentinel is a cloud-native SIEM system that collects data from across your Microsoft 365 environment and uses it to highlight risks and potential threats. The solution can also be connected to your non-Microsoft software, enriching your data pool for more accurate insights into baseline usage and those trends that may indicate an attack. Crucially, Microsoft Sentinel is designed to deliver insights at scale.
When it comes to Microsoft 365 security, the more layers you have in place, the better. But relying on Microsoft’s own security tools alone isn’t enough to keep your environment and organization safe.
While Microsoft Defender and Microsoft Sentinel can help detect unusual behavior and potential insider threats, the human element remains a critical vulnerability. Insider threats and human errors, such as falling for phishing scams, using weak passwords, or misconfiguring systems, can lead to security breaches that these tools might not always predict or prevent.
APTs are sophisticated, long-term attacks by highly skilled adversaries targeting specific organizations. While Microsoft's tools are designed to detect and mitigate many forms of cyberattacks, the highly customized nature of APTs means that some attacks might bypass detection mechanisms, especially in their initial stages.
Attackers increasingly target software suppliers and other third-party vendors as a means to gain access to their primary targets. While Microsoft's security solutions offer ways to monitor and secure your environment, they may not fully cover the complexities of assessing and mitigating risks introduced by third-party vendors and software.
Organizations often use custom-built software or proprietary protocols that are not widely adopted. These might not be fully supported by automated security tools, which can lead to gaps in monitoring and protection.
What makes CoreView unique is that it’s a single tool for every aspect of your Microsoft 365 security. There’s no need to juggle multiple interfaces for different parts of the puzzle – just control everything in one place.
It’s easier for admins, less prone to mistakes, and consolidates all your data for a more cohesive view of your security posture and potential risks.
Learn more about how CoreView can help with your Microsoft 365 security: contact CoreView today.