Assessing security controls for Microsoft 365 Enterprise

Today’s columnist, Kelly White of RiskRecon, runs through seven questions security teams need to ask when setting up the controls for Microsoft 365 Enterprise.

Much like many cloud services, Microsoft 365 Enterprise’s core value proposition becomes its primary challenge for security teams. The cloud-based suite of productivity apps and services (formerly Office 365) lets companies create, share and collaborate from anywhere on any device. Even if an enterprise does not operate on Microsoft 365, no doubt a large percentage of its business partners do, especially with the increased need for remote collaboration during the pandemic.

While Microsoft 365 offers an expansive set of capabilities, the core security controls boil down to a pretty short set of essentials, achieved through Microsoft’s unified identity and access management architecture. While it’s a short control list, security pros need to get the configurations right. Microsoft 365’s default configurations are pretty promiscuous. These defaults include letting non-privileged users invite guest users to the organization’s Azure Active Directory, as well as the default file sharing settings.

To assess the security of Microsoft 365 deployments, security teams need to ask several questions to gain more transparency and accountability. Here are seven of the most important, based on the security domains covered in the Microsoft 365 Security Criteria, which include authentication, account management and service configuration:

Are users configured with multi-factor authentication?

Consider multi-factor authentication a critical security control to protect the organization from password attacks such as password guessing and credential theft. If a Microsoft 365 user account gets compromised, an attacker may gain access to the user’s emails, files, chat history, and other sensitive data.

Microsoft 365 offers multi-factor authentication through two different features: Azure MFA for Microsoft 365 and Azure Conditional Access, which defines granular user access policies. Acceptable responses to this question should include that all users are configured with a multi-factor status of enforced and that Conditional Access rules are configured for all employees and partners.

Have you removed the default OneDrive link type, “Shareable: Anyone with the link”?

When a user creates a sharable OneDrive link, it’s set to “Shareable: Anyone with the link” by default. If the link gets forwarded in email or otherwise shared outside of the organization, anyone with the link can access the OneDrive file. 

As such, it’s more secure to configure the default OneDrive sharing setting to “Internal: Only people in your organization.” If a user needs to share the file with an external user, they may configure the link to “Shareable” – but by default links will be internal-only. An acceptable response should indicate that security teams set the link configuration to “Internal” or “Direct.”

Are the insecure default user permissions removed?

By default, non-administrative users may access the Azure AD administrative portal and perform several different actions, including registering custom-developed applications for use within Azure AD, connecting their Azure AD accounts with their LinkedIn accounts, and inviting external guest users, among others.

Each of these settings may have a security impact. If the response to this question indicates that the organization has not configured these default settings in a more restrictive way, it’s a tell-tale sign that it lacks Microsoft 365 security maturity. 

If the security team has synced the on-premises Active Directory with Azure Active Directory, are only necessary objects synchronized?

If an organization synchronizes its on-premises Active Directory with Azure Active Directory, it’s a good indicator that the organization’s IT environment has grown complex enough to justify cloud authentication. Organizations will commonly synchronize their on-prem AD with Azure AD to let users authenticate via public cloud SaaS applications and to ease the administrative burden of managing users across a portfolio of cloud services. 

Acceptable responses should align with a best security practice to only sync those AD objects that require use within Azure AD (e.g. on-prem service accounts that only access on-prem resources should not get synchronized, whereas user accounts should be synchronized). As such, examine the objects within Azure AD to determine if the organization is synchronizing the appropriate objects. 

Is the number of users configured as administrators in Microsoft 365 appropriate for the size of the organization?

Having more than one administrator in Microsoft 365 ensures that if one administrator becomes unavailable, another user can make changes to the tenant. However, users who do not have a valid justification to have administrative access to Microsoft 365 may expose the organization to risk. Microsoft recommends that in most cases an organization should have no more than five Global Admins. If more than two users are Global Admins, identify the justification for the additional privileged users.

Are dedicated administrative accounts used?

Because it’s the path of least resistance, attackers will target users with privileged access to the Microsoft 365 tenant. Using a privileged account for day-to-day use increases the likelihood that an attacker will gain privileged access to the environment if the account holder is successfully exploited. As such, administrative personnel should use their privileged accounts only when required.

Are tenant Global Administrators configured with working email addresses?

Microsoft 365 Global Admins receive a variety of important email notifications that include service status, security events, and other information. When an organization first signs up for Microsoft 365, users are provisioned with a default username and email address in the [email protected] format. 

For example, a new Global Admin, Larry Washington, at Acme Corp. might have the following username: [email protected]. However, if the organization doesn’t use Microsoft 365 Outlook for email, Larry might not receive tenant administrative notification emails. Another scenario: Larry gets assigned a Microsoft 365 username of [email protected]. While this may be Larry’s username on Microsoft 365, it may not be Larry’s valid working email address as configured in Active Directory. As such, security teams need to verify via Outlook that Global Admins use an email address that is configured as a working address.

The questions here cover some of the most important Microsoft 365 controls to assess, but there are many more. Regardless of the controls and the questions asked, responses should always include details on configuration states that clearly show the controls meet the criterion requirements. Above all, security assessments founded on objective evidence are the most effective way to achieve good risk outcomes.
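
One way to turn the seven questions into a repeatable check over collected configuration evidence, as an added example that is not part of the original column and not Microsoft tooling. The snapshot layout, every field name and the sample tenant are assumptions constructed for illustration.

```python
# Added example: grade a tenant settings snapshot against the article's questions.
# The snapshot layout and all field names are assumptions, not a Microsoft export.
ACCEPTED_LINK_TYPES = {"Internal", "Direct"}  # answers the article accepts
MAX_GLOBAL_ADMINS = 5  # ceiling the article attributes to Microsoft
JUSTIFY_ABOVE = 2      # article: justify Global Admins beyond two

def assess(tenant):
    """Return (question, finding) tuples; an empty list means no findings."""
    out, users = [], tenant.get("users", [])
    for u in users:  # Q1: every user must be at MFA status "enforced"
        if str(u.get("mfa_status", "")).lower() != "enforced":
            out.append(("mfa", f"{u['upn']}: MFA status {u.get('mfa_status')!r}"))
    link = tenant.get("default_sharing_link_type")  # Q2: unset counts as failing
    if link not in ACCEPTED_LINK_TYPES:
        out.append(("onedrive", f"default link type is {link!r}"))
    # Q3: each default user permission still switched on is a finding
    for perm, on in sorted(tenant.get("default_user_permissions", {}).items()):
        if on:
            out.append(("defaults", f"non-admin users may still {perm}"))
    for u in users:  # Q4: objects used only on-prem should not be synchronized
        if u.get("synced") and not u.get("needs_cloud_access", True):
            out.append(("sync", f"{u['upn']}: synced but only used on-prem"))
    admins = [u for u in users if "Global Administrator" in u.get("roles", [])]
    if len(admins) > MAX_GLOBAL_ADMINS:  # Q5: head count and justification
        out.append(("admin-count", f"{len(admins)} Global Admins"))
    for u in admins:
        if len(admins) > JUSTIFY_ABOVE and not u.get("justification"):
            out.append(("admin-count", f"{u['upn']}: no justification recorded"))
        if not u.get("dedicated"):  # Q6: admin role must not sit on a daily-use account
            out.append(("dedicated", f"{u['upn']}: admin role on daily-use account"))
        if not u.get("mailbox_ok"):  # Q7: admin must be reachable by email
            out.append(("admin-mail", f"{u['upn']}: no working mailbox on record"))
    return out

GA = ["Global Administrator"]
SAMPLE = {  # constructed tenant snapshot, not real data
    "default_sharing_link_type": "Anyone",
    "default_user_permissions": {"invite guest users": True, "register apps": False},
    "users": [
        {"upn": "alice.admin@example.test", "mfa_status": "Enforced", "roles": GA,
         "dedicated": True, "mailbox_ok": True, "justification": "tenant owner"},
        {"upn": "bob.admin@example.test", "mfa_status": "Enforced", "roles": GA,
         "dedicated": True, "mailbox_ok": False, "justification": "break-glass"},
        {"upn": "carol@example.test", "mfa_status": "Enabled", "roles": GA, "mailbox_ok": True},
        {"upn": "svc-backup@example.test", "mfa_status": "Enforced",
         "synced": True, "needs_cloud_access": False},
    ],
}

if __name__ == "__main__": print(*assess(SAMPLE), sep="\n")
```

Each finding names the account or setting that failed, which gives the assessor a concrete configuration state to request evidence for.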

Kelly White, chief executive officer, RiskRecon
