The Most Important Security Features for Setting Up and Using your Microsoft 365 Account

These days, many companies are considering a move to the Office cloud. Perceived risks, security concerns above all, make the path to the cloud more difficult than it needs to be.

The office cloud from Microsoft (Microsoft 365) offers your company an ideal entry into a world of flexible office functions from a single source.

We have summarized the most important Microsoft security features to make your entry into the cloud easier and to set up your Microsoft Tenant as securely as possible according to Microsoft security standards.

1. Multi-Factor Authentication (MFA)

A convenient login process for the user is not necessarily the most secure one. The standard login process consists of simply entering credentials (username and password).

MFA adds a second authentication method to this process, resulting in a more secure login step. This means additionally entering an authentication code delivered via SMS or the Microsoft Authenticator app, both of which are linked to the specific user account. Should user credentials be leaked to third parties through a security breach, this second factor prevents unauthorized third parties from accessing data with the password alone.

Alternatively, Microsoft provides Azure MFA as an add-on, which offers a more customizable solution for login monitoring and can be ordered in the Microsoft portal (this service is not part of the standard MFA and is therefore only available for an additional charge).

MFA can be used by all users and is highly recommended by Microsoft!

Our advice: Be sure to use the MFA function provided by default to protect yourself from unauthorized third-party logins. You can find the setting in Azure Active Directory (AD) > Security > MFA.

2. Conditional Access

Unrestricted access to company resources is a serious security risk for any company. Microsoft addresses this problem with Conditional Access. In Azure AD > Security, you can define access policies for your company and deny access according to defined conditions. For example, classify certain countries as “not secure”, or allow access only via VPN by specifying the IP address of the VPN endpoint.

You can design access policies individually and adapt them to your company’s requirements.

Microsoft provides comprehensive audit logs that record all actions in the Microsoft 365 account.

These logs can be used to trace activities back to individual users.

But be careful: do not lock yourself out of the system straight away! An incorrectly configured Conditional Access policy can block your own access to the Microsoft tenant. In that case, contact Microsoft Support to be unblocked.

Conditional Access functions are already included in the Microsoft 365 Business Premium and Enterprise licences.

Our advice: Define your own security policy in Azure AD. Make sure that users can still work optimally for each particular business case, and restrict third-party access as needed.
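As an added example (not code from the original article or from Microsoft), the following Python builds a Conditional Access policy body in the shape of the Microsoft Graph conditionalAccessPolicy resource, blocking sign-ins from countries classified as “not secure” unless they arrive from the VPN endpoint’s IP range, and then runs a simplified “what if” check so you can see whether a given sign-in would be blocked before enforcing the policy. The VPN range, the country codes, the account names and the excluded emergency account are constructed assumptions, and the evaluator is a reduced stand-in for the portal’s own What If tool.

```python
# Added example, not part of the original article or the Microsoft Graph SDK.
# Conditional Access policy body (Graph conditionalAccessPolicy shape) plus a
# simplified "what if" evaluator and a check against locking admins out.
import ipaddress

VPN_EGRESS = "203.0.113.0/24"                 # constructed: public range of the VPN endpoint
BLOCKED_COUNTRIES = {"XX", "YY"}               # constructed: countries classified "not secure"
BREAK_GLASS = "emergency-admin@example.com"    # constructed: account deliberately excluded

# Named-location ids are placeholders; the shape follows the Graph resource.
POLICY = {
    "displayName": "Block untrusted countries unless on VPN",
    "state": "enabledForReportingButNotEnforced",   # start in report-only mode
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
        "applications": {"includeApplications": ["All"]},
        "locations": {
            "includeLocations": ["<id of the 'not secure' country named location>"],
            "excludeLocations": ["<id of the trusted VPN named location>"],
        },
    },
    "grantControls": {"operator": "OR", "builtInControls": ["block"]},
}

def would_block(policy, user, country, ip):
    """Simplified evaluation: the policy blocks when the user is in scope, the
    sign-in comes from a blocked country and not from the trusted VPN range."""
    if user in policy["conditions"]["users"]["excludeUsers"]:
        return False
    on_vpn = ipaddress.ip_address(ip) in ipaddress.ip_network(VPN_EGRESS)
    in_blocked_country = country in BLOCKED_COUNTRIES
    blocks = "block" in policy["grantControls"]["builtInControls"]
    return in_blocked_country and not on_vpn and blocks

def lockout_check(policy, admin_accounts):
    """Return the admin accounts the policy does NOT exclude, i.e. the ones a
    misconfigured policy could lock out of the tenant."""
    excluded = set(policy["conditions"]["users"]["excludeUsers"])
    return sorted(a for a in admin_accounts if a not in excluded)

if __name__ == "__main__":
    print(would_block(POLICY, "alice@example.com", "XX", "198.51.100.7"))   # True
    print(would_block(POLICY, "alice@example.com", "XX", "203.0.113.10"))   # False: on VPN
    print(lockout_check(POLICY, ["admin@example.com", BREAK_GLASS]))        # ['admin@example.com']
```

Run the policy in report-only mode first and review the sign-in log entries it would have blocked before switching the state to enabled.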

3. Microsoft Defender / Advanced Threat Protection

Ransomware is becoming an ever-increasing risk for companies. A virus or Trojan can spread to the user’s and the company’s systems, without anyone noticing, just by moving the mouse over a link in an email.

To protect your data in the best possible way, Microsoft Defender for Microsoft 365 can both detect threats and simulate them (attack simulator).

It offers a large portfolio of policies for defining individual protection and for monitoring those functions with the help of real-time reports.

Advanced Threat Protection helps you identify and eliminate risks at an early stage. Links and attachments are opened in a secure environment, detached from your Microsoft tenant, and a risk assessment is performed so that malicious content doesn’t reach your employees’ and colleagues’ inboxes in the first place.

Microsoft Defender Plan 1 is already included in Business Premium. The extended functionality (Microsoft Defender for Microsoft 365 Plan 2) is included in the Office 365 E5, Office 365 A5, Office 365 E5 Security and Microsoft 365 E5 licences. However, both plans can also be flexibly added to other licence packages as an add-on.

Our advice: Plan 1 already provides you with real-time detection of malicious files. This is particularly important to enable rapid action in the event of a cyber attack. Plan 2, which includes security campaigns and attack simulators, is recommended to our enterprise customers depending on their business case.

4. Privileged Identity Management (PIM)

Although it is easy to give every user administrator rights, doing so poses a considerable security risk in practice.

As a Global Administrator, you have full access to all the functions offered by the Microsoft 365 cloud. This includes access to user data, financial data and, for example, all team data. Authorizations in the Microsoft tenant should therefore be assigned according to the guiding principle “as much as necessary, as little as possible”.

This is where Microsoft’s Privileged Identity Management comes into play. It gives the company the ability to designate users as temporary administrators. These users are marked as temporarily authorized admins and can request administrator access when they need it.

You control for how long, and to which information, a user may have administrator access. In the request, the user specifies the time period and the reason for the request.

PIM is available as an add-on and is included in the Azure Active Directory Premium P2 plan.

Our advice: Limit your super admins / global administrators to what is necessary. In Azure AD > Quick Start > Privileged Identity Management you can assign privileged roles to your users. We recommend user-based request management, in which each user submits justified administration requests that are then approved and managed from a central point in the company.
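As an added example (not code from the original article or from Microsoft), the following Python builds the kind of time-bound, justified activation request described above, in the shape of the Microsoft Graph unifiedRoleAssignmentScheduleRequest resource, and enforces two assumed tenant rules before the request is sent: a justification is mandatory and no activation may exceed a maximum duration. The principal id, role definition id and the eight-hour limit are constructed placeholders.

```python
# Added example, not part of the original article or any Microsoft SDK.
# Builds a PIM self-activation request (Graph unifiedRoleAssignmentScheduleRequest
# shape) and checks it against assumed tenant rules before it would be submitted.
from datetime import datetime, timedelta, timezone

MAX_ACTIVATION = timedelta(hours=8)   # assumed tenant rule: activations of at most 8 hours
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def build_activation_request(principal_id, role_definition_id, justification, hours, now=None):
    """Return the request body for an eligible admin, or raise ValueError when
    the request violates the assumed tenant rules."""
    if not justification or not justification.strip():
        raise ValueError("a justification is required for every activation")
    hours = int(hours)
    duration = timedelta(hours=hours)
    if duration <= timedelta(0) or duration > MAX_ACTIVATION:
        raise ValueError(f"activation must be between 1 hour and {MAX_ACTIVATION}")
    now = now or datetime.now(timezone.utc)
    return {
        "action": "selfActivate",
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",                      # tenant-wide scope
        "justification": justification.strip(),
        "scheduleInfo": {
            "startDateTime": now.strftime(TIME_FMT),
            # ISO 8601 duration: the role falls back to "eligible" afterwards
            "expiration": {"type": "afterDuration", "duration": f"PT{hours}H"},
        },
    }

def expiry_of(request):
    """Compute when the activated role expires again from the request body."""
    info = request["scheduleInfo"]
    start = datetime.strptime(info["startDateTime"], TIME_FMT).replace(tzinfo=timezone.utc)
    hours = int(info["expiration"]["duration"][2:-1])   # "PT2H" -> 2
    return start + timedelta(hours=hours)

if __name__ == "__main__":
    req = build_activation_request(
        "<principal id placeholder>", "<role definition id placeholder>",
        "Ticket 1234: reset a user's MFA registration", hours=2)
    print(req["scheduleInfo"]["expiration"])   # {'type': 'afterDuration', 'duration': 'PT2H'}
    print(expiry_of(req))
```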

5. Encrypted E-Mail + Data Loss Prevention (DLP)

Sensitive data, such as personal data or business information that must not leak out due to legal or internal regulations, exists in almost every company.

Microsoft makes it possible to identify and limit this risk by means of encrypted e-mail and Data Loss Prevention.

Encrypted e-mail ensures that only the intended users can see the content, end to end. Microsoft provides various types of encryption, such as Office Message Encryption (OME), S/MIME certificates or Information Rights Management (IRM).

With Data Loss Prevention, Microsoft has developed a function that prevents sensitive company data from being sent out of the company environment. This function does not only cover the sending of mail, however. Office applications such as SharePoint Online, OneDrive for Business, Microsoft Excel/Word, etc. are also monitored, and external access to confidential documents is restricted.

For example, you can create trusted locations and prevent company data from being shared in Microsoft Teams.

Every company can create its own DLP policies in Azure AD and thereby control the dispatch of company data in order to fulfil complex compliance requirements.

To use encrypted e-mails and data loss prevention, you need at least one mailbox with an Exchange Online Plan 2 licence or an Enterprise licence (E3 and higher).

Our advice: Secure both your internal and external communication channels. With OME you secure your data traffic by default. If you prefer stronger encryption, we recommend S/MIME, PGP, TLS or gateway encryption.
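As an added example (not code from the original article or from Microsoft’s DLP engine), the following Python shows the core logic of a DLP rule like the ones described above: messages are scanned for a sensitive-information type (here, credit card numbers that pass the Luhn check), and a message is blocked only when that data would leave the company domain, while internal sharing is merely audited. The company domain and the sample messages are constructed values.

```python
# Added example, not part of the original article or of Microsoft 365 DLP.
# Simplified DLP rule: detect card numbers (Luhn-valid) and block only when the
# message has a recipient outside the company domain.
import re

COMPANY_DOMAIN = "example.com"                     # assumed internal domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")    # candidate 13-19 digit runs

def luhn_ok(digits):
    """Luhn checksum, used to cut false positives such as invoice numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def dlp_decision(sender, recipients, body, threshold=1):
    """'block' if sensitive data would leave the company, 'audit' if it is only
    shared internally, 'allow' when nothing sensitive is found."""
    hits = find_card_numbers(body)
    if len(hits) < threshold:
        return "allow"
    external = [r for r in recipients if not r.lower().endswith("@" + COMPANY_DOMAIN)]
    return "block" if external else "audit"

# constructed sample messages: (sender, recipients, body)
SAMPLES = [
    ("alice@example.com", ["partner@other.org"], "Card 4111 1111 1111 1111 exp 12/29"),
    ("alice@example.com", ["bob@example.com"], "Card 4111-1111-1111-1111 for the expense claim"),
    ("alice@example.com", ["partner@other.org"], "Invoice number 1234 5678 9012 3450"),
]

if __name__ == "__main__":
    for sender, rcpts, body in SAMPLES:
        print(dlp_decision(sender, rcpts, body), "-", body)   # block / audit / allow
```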

6. Azure AD Identity Protection

Do you want to protect your employees’ user accounts from unauthorized access? Do you want to detect hacker attacks before they have penetrated your system? Azure AD Identity Protection is the solution!

With the help of machine learning, the system learns when and where your employees and colleagues log in and out of the system and how they work.

This has the advantage that the system can quickly detect irregularities and inform you as the system administrator. Whether it is the location or the time that signals unusual behaviour, you can automatically require the user to authenticate via MFA or block access via defined policies.

The “Traveller function”, for example, recognizes that a user cannot plausibly log on in Germany and then, one hour later, in the United States.

It is important to emphasize that the data is linked to the user account and encrypted. If an employee is dismissed or the account is locked, the data can no longer be retrieved.

To access the full functionality, you need the Azure AD Premium P2 plan. Limited information is already available with the Azure AD Premium P1 plan.

Our advice: A large proportion of cyberattacks originate from abroad. New threats appear constantly and may be unknown to you as a security officer. With this machine learning solution, your system automatically learns which accesses are to be classified as a risk. Use this feature for early risk detection. You can find the service under Azure AD > Security > Identity Protection.
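As an added example (not code from the original article, and not Identity Protection’s own model, which is not public), the following Python reproduces the “Traveller function” idea on constructed sign-in records: consecutive sign-ins of the same user are compared, and a hop that would require travelling faster than an assumed plausibility limit is flagged. The coordinates, the 900 km/h limit and the log records are constructed values.

```python
# Added example, not part of the original article or of Azure AD Identity Protection.
# Impossible-travel check over constructed sign-in records.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed plausibility limit, roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """events: (user, ISO-8601 timestamp, lat, lon, country).
    Returns (user, from_country, to_country, km, hours) for each implausible hop."""
    alerts = []
    last_seen = {}
    for user, ts, lat, lon, country in sorted(events, key=lambda e: (e[0], e[1])):
        prev = last_seen.get(user)
        if prev:
            pts, plat, plon, pcountry = prev
            hours = (datetime.fromisoformat(ts) - datetime.fromisoformat(pts)).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > max_kmh:
                alerts.append((user, pcountry, country, round(km), round(hours, 2)))
        last_seen[user] = (ts, lat, lon, country)
    return alerts

# constructed sign-in log: alice appears in Frankfurt and in New York one hour later,
# bob makes the same trip in nine and a half hours (plausible by plane)
SIGNINS = [
    ("alice@example.com", "2024-03-01T08:00:00+00:00", 50.11, 8.68, "DE"),
    ("alice@example.com", "2024-03-01T09:00:00+00:00", 40.71, -74.01, "US"),
    ("bob@example.com", "2024-03-01T08:00:00+00:00", 50.11, 8.68, "DE"),
    ("bob@example.com", "2024-03-01T17:30:00+00:00", 40.71, -74.01, "US"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SIGNINS):
        print("risk: impossible travel", alert)   # only alice is flagged
```

In a real policy the flagged sign-in would feed a risk-based Conditional Access rule that requires MFA or blocks access, as the section above describes.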

Do you have questions about getting started in the cloud or about existing cloud solutions? Ask the cloud experts!