InfoGuard Cyber Security and Cyber Defence Blog

Sharpen up your M365 Cloud Security: 5 recommendations from practice

Geschrieben von Daniel Lötscher | 24 Jun 2024

In our digitally networked world, securing your "Microsoft 365 Cloud" environment is not just a recommendation, but a necessity. Although Microsoft offers a comprehensive list of the top ten security recommendations (Microsoft’s 365 Business Security Best Practices), the challenges and threats are constantly evolving. Focused and dynamic adaptation of your security measures is therefore essential – not least because Microsoft’s approach is “usability first” rather than “security first”. In this article, we highlight the top-five Microsoft 365 misconfigurations that we regularly encounter in our Microsoft 365 Cloud assessment with clients. You will also find tips that you can use as a “digital clean-up” before a professional review.

Are you ready for the digital clean-up of your “Microsoft 365 Cloud” environment? Below you will find five specific recommendations from the field: 

1. SharePoint & OneDrive sharing authorisations

Microsoft 365 has greatly simplified the way companies share files. In the early days of the “Microsoft 365” era, authorisations for sharing internal documents were often too generous. Even if your company promotes an open culture and fosters exchange with external companies, you should restrict the sharing settings to “authenticated users” and invite your partners as guests on your “Microsoft 365” tenant. This minimises the risk of links set to “Everyone” accidentally being sent to unauthorised parties or appearing on the Internet to be freely downloaded.

The authorisations for shared files are assigned the “Edit” permission by default – the idea being that Microsoft 365 is mainly used for collaboration with external parties. If this does not meet your requirements, adjust the default setting to “View” to share the documents with the lowest possible authorisations by default. Don’t worry – employees can still actively assign the “Edit” authorisation. 

 

Figure 1: Default settings for “File and folder links” 

 

Figure 2: “SharePoint online admin center” settings

2. Overly complex “Conditional Access” guidelines

With Conditional Access, the Microsoft Cloud offers a tool for realising state-of-the-art zero-trust principles with extremely high granularity. You determine how your users can access company resources based on signals such as client apps (e.g. browsers), device platforms, risk  or even location. This access can then be granted by means of controls such as multifactor authentication (MFA), device conformity, device status or even further “Mobile Application Management” (MAM) guidelines.

The disadvantage of high granularity is that it often creates complex access policies that fulfil the intended purpose but allow further, unintended access due to an absence of checks. A simple misconfiguration, such as an OR link that should actually be an AND link, can pose a major security risk.

Similarly, keeping certain exceptions too open in the guideline configuration can create gaping holes in an otherwise solid set of rules. Check your guidelines regularly and set up an audit log to ensure the traceability of changes.

Free tip: use a rule to monitor your sign-in logs (e.g. Log Analytics from Microsoft) for the occurrence of single-factor authentication events. This allows you to check whether there are any unintentional gaps in your MFA and CA policies and whether individual users are illicitly logging in without an MFA – a simple yet very effective tool in your security system.

 

Review of the changes to the “Conditional Access” guidelines: Microsoft Entra admin center > Protection > Conditional Access > Audit logs (Under “Monitoring” tab)
Check which “Conditional Access” policies are active and how they are used: Microsoft Entra admin center > Protection > Conditional Access > Insights and reporting
Checking the Conditional Access guidelines using the what-if tool: Microsoft Entra admin center > Protection > Conditional Access > Policies > What-If

Table 1: Configuration control of MFA and CA policies

3. Access reviews for guests and privileged accounts

Implementing regular checks for guest access and highly privileged internal accounts is crucial and ensures that only authorised persons have access to sensitive company data. Regular access reviews ensure that access rights are up-to-date and appropriate.

If you have Business Premium or E3 licences without a P2 add-on and/or ID Governance, carry out the process manually. Create a series of appointments in the calendar and check privileged users and external guests sporadically.

If you have a P2 or E5 licence, use Microsoft’s integrated Access Review function to access technological support for this process.

4. Using the Microsoft Secure Score dashboard

The Microsoft Security Dashboard provides you with an overview of your own Secure Score as a customer. This integrated security assessment of your environment for your own review and to track the measures implemented is a valuable tool.

The Secure Score helps you to quickly identify and intercept “low-hanging fruit” in your environment, which improves the overall security of your systems and cloud environment. This overview is an often overlooked but extremely valuable starting point for optimising your cyber security.

Your company’s own Secure Score dashboard alerts you to issues such as unpatched vulnerabilities, faulty configurations or poorly secured management ports. You can extend such checks to your entire cloud environment, including Microsoft Azure, Google Cloud and Amazon Web Services, via Microsoft’s “Defender for Cloud” service.

 

Figure 3: Check for unpatched vulnerabilities and recommendations for secure configuration

5. MFA still a critical point

Despite the constant recommendations and warnings, many companies have still not fully implemented multi-factor authentication (MFA). The lack of MFA on all user accounts makes organisations particularly vulnerable to attacks. Our incident response team and security consultants have encountered numerous incidents in which the lack of MFA made it easier for attackers to gain entry.

It is therefore essential to implement MFA on all services that are exposed to the outside and to regularly check whether all user accounts are protected. MFA registration should also be additionally restricted by means of location and/or device conformity. Consider integrating an identity provider of your choice to enable centralised user management and authentication. This not only offers greater security, but also optimises operational processes.

An even more secure solution is the direct introduction of phishing-resistant authentication methods – for example FIDO2 keys or TPM-based authentication mechanisms such as Windows Hello. The future is “passwordless”, which is much more secure and also more suitable for business applications, being both a strong login option and one that enjoys high acceptance due to its user-friendliness. We would be happy to discuss the options for securing your identities with you.

Our conclusion – for your best possible "Microsoft 365 Cloud" security?

This compact guide is designed to help you strengthen your company’s cyber security measures and build a robust defence against online threats. By being proactive and implementing our recommendations, you can effectively improve the security of your digital assets and protect your organisation from potential cyberattacks.

Regular checks and the adaptation of security strategies are nevertheless essential to keep your “Microsoft 365” environment secure. Utilise the resources available from Microsoft and take advantage of external expert assessments to strengthen your cyber resilience. Our Microsoft-365-Cloud-Assessment team can support you with a more in-depth analysis and tailor-made security strategies.

As a Microsoft-certified “Solution Partner for Security”, we are happy to support you with an independent review or carry out a security-related optimisation of your cloud environment in accordance with Microsoft’s best practices, combined with the experience of our Incident Response Team.  

Do you want to learn more about "Microsoft 365 Cloud" security?

In our next blog article on "Microsoft 365 Cloud" security, you will find out what five insights we have gained from the Microsoft 365 advanced cloud assessments. Stay tuned, subscribe to our blog updates and we’ll send you our blog articles directly to your inbox.

 

In the meantime, why not read these articles on the “Microsoft 365 Cloud":

We wish you an inspiring reading.