Microsoft Office 365 Security Best Practices and Recommendations

Microsoft continues to raise its security baseline, but the defaults are only a starting point. Review the configuration of each Microsoft 365 service and adjust it so that it matches your organization’s risk tolerance.

Microsoft applies a defense-in-depth approach and follows operational best practices to provide physical, logical and data-layer security. Those layers protect Microsoft 365 users in general, but each organization remains responsible for ensuring that its own tenant is deployed and configured securely.

Ossisto365 strongly recommends that you work through the following guide and apply its recommendations wherever they fit your environment. Be aware that several of Microsoft’s improved defaults apply only to mailboxes created after the change was introduced; audit settings must be reviewed for all accounts created before January 1, 2019.

The Missing Piece in Your Office 365 Strategy

Every Office 365 security strategy should include extended detection and response (XDR) tooling. XDR platforms combine analyst-written rules with analytics to track suspicious activity across the whole estate, including Office 365 components such as mailboxes and other cloud-delivered software. This page provides more information on managed XDR.

Enable and enforce Multi-Factor Authentication 

Ossisto365 strongly recommends multi-factor authentication. User accounts are compromised every day, and every compromise risks loss of control over critical data. Credential-harvesting attacks are a constant threat to any company, and one of the most effective countermeasures is to require multi-factor authentication (MFA) for access to critical systems such as e-mail and file sharing.

MFA significantly reduces the effectiveness of attacker techniques: even with the user’s password, the attacker must also defeat the second factor. That factor can take several forms, such as a physical token or an authenticator application installed on a mobile device. Microsoft 365 offers several ways to enable MFA, and the configuration options available depend on the license.

Microsoft Intune and the Enterprise Mobility + Security plans provide additional capabilities when deploying and enforcing MFA, such as requiring it for device enrollment.

Reference: Enabling Azure Multi-factor Authentication, Requiring MFA for Intune Enrollment 

Conditional Access Policies 

Administrators can evaluate the conditions of a sign-in and tighten or relax controls accordingly, for example waiving the MFA requirement when a user accesses resources from a trusted location or a compliant device. Those signals raise confidence that the user is who they claim to be, so less additional proof is required to authorize the sign-in.

This is a very effective way to strike a balance between convenience and security. Conditional Access can also block and monitor access from locations and devices employees should not be signing in from. An Azure AD Premium subscription is required to use Conditional Access policies.
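The policy described above, created with the Microsoft Graph PowerShell SDK instead of the portal, as an added example that is not part of the original article. It requires MFA for all users on all cloud apps unless the sign-in comes from a named location marked as trusted, and starts in report-only mode so the impact can be reviewed in the sign-in log first. It assumes the Microsoft.Graph module is installed, the signed-in administrator holds the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions, and the group ID in $breakGlassGroupId is a placeholder for your emergency-access group.

```powershell
# Added example (not from the original article): Conditional Access policy requiring MFA
# everywhere except from trusted named locations, created via Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph module installed; admin granted the scopes below;
# $breakGlassGroupId is a placeholder for the tenant's emergency-access group.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Application.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace with your group's object ID

$policy = @{
    displayName = "Require MFA outside trusted locations"
    # Report-only first: evaluate the policy against real sign-ins before enforcing it.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)     # never lock out emergency-access accounts
        }
        applications   = @{ includeApplications = @("All") }
        locations      = @{
            includeLocations = @("All")
            excludeLocations = @("AllTrusted")         # named locations flagged as trusted in Azure AD
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Sanity check: list every policy that is not disabled and grants access with MFA,
# so you can confirm there is no gap (e.g. a policy that excludes too many users).
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -ne "disabled" -and $_.GrantControls.BuiltInControls -contains "mfa" } |
    Select-Object DisplayName, State
```

Switch `state` to `enabled` only after the report-only results show no unexpected blocks. Keep the emergency-access exclusion: a Conditional Access misconfiguration that locks out every administrator is a well-known self-inflicted outage.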

Reference: Configuring Conditional Access Policies, Azure AD License Comparison 


Business E-mail Compromise 

Phishing is a leading cause of cyber-attacks on companies, particularly those that use Microsoft 365. A thorough investigation usually traces the incident back to an e-mail that pretends to share a document hosted on a domain deliberately chosen to resemble OneDrive. When the user clicks the link, they land on a sign-in page that mirrors Microsoft’s 365 login page.

Credentials entered on the fake page go straight to the attacker, who can then read the user’s e-mail and other files. This is why multi-factor authentication (MFA) is such an effective way to stop an attacker from reaching your data even after the password has been compromised.

It is equally important to know when a password has been compromised, and even more so whether the attacker actually authenticated to the victim’s account. That evidence is what determines which activity took place and whether the incident triggers a breach-notification requirement.

To be able to detect these threats and investigate their source, make sure your Microsoft 365 tenant audits every area that matters to you. In January 2019 Microsoft recognized the need for this data and turned mailbox auditing on by default.

Reference: Manage Mailbox Auditing 

Verify that mailbox auditing is enabled by default for the tenant (AuditDisabled should be False):

Get-OrganizationConfig | Format-List AuditDisabled


Set Audit Logging to On. 

Audit events carry crucial information: system and user activity, configuration changes, authentication details and so on. Keeping this log data is essential for identifying threats, particularly during an investigation. The Office 365 audit log search may need to be enabled manually by an administrator. It records user and admin activity for 90 days by default; verify the retention actually in effect, because it depends on licensing and configuration.

Audit data can also be forwarded to a security information and event management (SIEM) or XDR solution for ongoing monitoring and correlation. Be aware that mailbox audit events for users with E5 licenses are surfaced automatically through the audit log search in the Security & Compliance Center and through the Office 365 Management Activity API; for other licenses, mailbox auditing must be enabled explicitly on the mailbox before its events appear there.
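The investigation described above (did the attacker authenticate, and what did they do in the mailbox?) run against the unified audit log from Exchange Online PowerShell, as an added example that is not part of the original article. It pages through all sign-in, inbox-rule and mailbox events for one account over the last 30 days, flattens the JSON in AuditData, and summarises by client IP. It assumes the ExchangeOnlineManagement module, an account holding the View-Only Audit Logs role, audit log search enabled, and uses alice@contoso.com as a placeholder user.

```powershell
# Added example (not from the original article): triage one account's audit trail after a
# suspected credential compromise. Assumptions: ExchangeOnlineManagement module installed,
# audit log search enabled, $user is a placeholder for the account under investigation.
Connect-ExchangeOnline

$user  = "alice@contoso.com"                  # placeholder
$start = (Get-Date).AddDays(-30)
$end   = Get-Date
$ops   = "UserLoggedIn","UserLoginFailed",
         "New-InboxRule","Set-InboxRule","UpdateInboxRules",
         "MailItemsAccessed","HardDelete","SoftDelete","MoveToDeletedItems"

# A single call returns at most 5000 records; use a session to page through the full set.
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $user -Operations $ops `
                -SessionId "investigate-$user" -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page.Count -eq 5000)

# AuditData is a JSON document; pull out the fields an investigator needs first.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        ClientIP  = $d.ClientIP
        UserAgent = ($d.ExtendedProperties | Where-Object { $_.Name -eq "UserAgent" } | Select-Object -ExpandProperty Value)
        Result    = $d.ResultStatus
        # For inbox-rule operations, Parameters holds the rule definition (ForwardTo, DeleteMessage, ...)
        Detail    = if ($d.Parameters) { ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " }
    }
}

# 1. Sign-in sources: a successful login from an IP or user agent never seen before the
#    phishing e-mail arrived is the lead to chase (geolocate it, check other users for it).
$events | Where-Object { $_.Operation -in "UserLoggedIn","UserLoginFailed" } |
    Group-Object ClientIP, Result | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Inbox rule changes: forwarding or delete rules created from the attacker's IP confirm
#    post-compromise access and tell you what to remove.
$events | Where-Object { $_.Operation -in "New-InboxRule","Set-InboxRule","UpdateInboxRules" } |
    Sort-Object Time | Format-Table Time, ClientIP, Operation, Detail -Wrap

# 3. What was read or deleted (requires mailbox auditing on the mailbox; MailItemsAccessed needs E5).
$events | Where-Object { $_.Operation -in "MailItemsAccessed","HardDelete","SoftDelete","MoveToDeletedItems" } |
    Group-Object Operation, ClientIP | Select-Object Count, Name | Format-Table -AutoSize
```

If the mailbox actions section comes back empty while sign-ins show attacker activity, the likely cause is that mailbox auditing was not enabled for that mailbox at the time, which is exactly the gap the next section addresses.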

Reference: Enabling Audit Logging 

Use the Security & Compliance Center to enable audit log search

  • In the Security & Compliance Center, go to Search & investigation > Audit log search.
  • Click Start recording user and admin activity.

Enabling auditing via PowerShell

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true 


Check whether auditing is enabled or disabled via PowerShell

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled 


Enable Mailbox Auditing

Administrators should make sure mailbox auditing is enabled in Office 365 so that mailbox access activity is tracked. Historically mailbox auditing was off by default, and it still has to be verified on mailboxes created before Microsoft changed the default. Without it, a breach investigation has little or no information about what the attacker did in the mailbox. Once it is enabled, mailbox activity can be searched in the audit log.

When mailbox auditing is enabled, a default set of actions performed by owners, delegates and administrators is recorded. We suggest keeping at least the default set plus the additional actions referenced in the commands below, although each organization must decide which logging level it requires. We strongly recommend enabling the UpdateInboxRules action for all three logon types.

Attackers typically create an inbox rule that forwards a copy of the user’s mail to an external address, such as a Gmail account. That gives them continued access to the inbox even after the password is changed. Review and audit these rules, and build in logic to exclude legitimate forwarding rules created by employees.

Apply logic that distinguishes rules forwarding mail to an external domain from rules that forward within the organization’s own domains. Even an employee forwarding mail to a personal account is bad practice, because that information is no longer managed or protected under company policy.
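The review logic described above, as an added example that is not part of the original article: it walks every user mailbox, inspects inbox rules and mailbox-level forwarding, and reports only destinations outside the tenant’s accepted domains, with a placeholder allow list for sanctioned partner domains. It assumes the ExchangeOnlineManagement module and an account with at least the View-Only Recipients role; approved-partner.example is a placeholder.

```powershell
# Added example (not from the original article): find inbox rules and mailbox forwarding
# that send mail outside the organization's accepted domains.
# Assumptions: ExchangeOnlineManagement module installed; $allowList is a placeholder
# for external domains the business has explicitly approved.
Connect-ExchangeOnline

$internal  = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToLower() }
$allowList = @("approved-partner.example")     # placeholder

function Get-AddressDomain([string]$Address) {
    # Inbox rule targets look like  "Bob Smith" [SMTP:bob@gmail.com]
    # mailbox forwarding looks like  smtp:bob@gmail.com
    # Extract the domain from either form; return $null if there is no SMTP address.
    if ($Address -match '(?i)smtp:[^@\]]+@([^\]\s]+)') { return $Matches[1].ToLower() }
    return $null
}

function Test-ExternalDomain([string]$Domain) {
    # True only for a real domain that is neither ours nor explicitly approved.
    [bool]$Domain -and ($internal -notcontains $Domain) -and ($allowList -notcontains $Domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"}) {

    # 1. Mailbox-level forwarding (set via Set-Mailbox or the admin center). ForwardingAddress,
    #    which points at an internal recipient object, is not resolved here.
    $fwdDomain = Get-AddressDomain $mbx.ForwardingSmtpAddress
    if (Test-ExternalDomain $fwdDomain) {
        [pscustomobject]@{
            Mailbox = $mbx.UserPrincipalName; Source = "ForwardingSmtpAddress"; Rule = $null
            Target  = $mbx.ForwardingSmtpAddress; Domain = $fwdDomain; Enabled = $true
        }
    }

    # 2. Inbox rules: the attacker's favourite, because they survive a password reset.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            $dom = Get-AddressDomain ([string]$t)
            if (Test-ExternalDomain $dom) {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName; Source = "InboxRule"; Rule = $rule.Name
                    Target  = [string]$t; Domain = $dom; Enabled = $rule.Enabled
                }
            }
        }
    }
}

$findings | Sort-Object Mailbox | Format-Table -AutoSize
$findings | Export-Csv -Path .\external-forwarding.csv -NoTypeInformation
```

Run it on a schedule and diff the CSV against the previous run: a brand-new rule on a mailbox that never had one, especially one with a generic name and an external consumer-mail domain, is the pattern this section warns about. Disabled rules are reported too, because attackers sometimes pre-stage a rule and enable it later.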

Reference: Enabling Mailbox Auditing, Mailbox Auditing Actions 

Enabling auditing through PowerShell for all user mailboxes in your organization

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true


Increasing audit levels through PowerShell for all user mailboxes in your organization (adds UpdateInboxRules and other actions to the default owner set)

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditOwner @{Add="MailboxLogin","HardDelete","SoftDelete","Update","MoveToDeletedItems","UpdateInboxRules"}


Verify whether auditing is enabled or disabled through PowerShell

A value of True for the AuditEnabled property confirms that mailbox auditing is turned on for that mailbox; the Audit* properties also show which actions are logged for each logon type.

Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | FL Name,Audit*


Mobile Device Management 

Every organization should review and understand mobile device management (MDM). Ensure that the appropriate policies are in place and that acceptable-use agreements are signed by employees. The Exchange admin center can be configured with policies that control which devices and users are allowed to connect to the mail service.

Policies that enforce company requirements such as device encryption should be enabled, and the set of devices permitted to connect to Exchange should be restricted. For additional features and controls, subscribe to Microsoft Intune and/or Enterprise Mobility + Security.

Reference: MDM for Office 365 vs. Microsoft Intune


Exchange Administration 

Configuring Exchange Email Encryption Rule 

Users with an E3 or higher license can use Office 365 Message Encryption. Administrators can also create a mail flow rule that encrypts messages containing an explicit keyword in the subject. Rights-protection templates can further restrict what recipients of an encrypted message can do, such as forwarding it to unintended recipients, printing it, or opening it after a set expiry.

Reference: Define a Mail Flow Rule to Encrypt Email

Create a Spoofing Rule 

A mail flow rule can be created in the Exchange admin center that sets the spam confidence level (SCL) to 9 when the sender’s domain is one of the organization’s accepted domains but the message arrives from outside the organization. Such a spoofing rule reduces the number of phishing messages that reach users while appearing to come from a colleague.


Protecting High-Trust Accounts from Spoofing

One of the most common criminal techniques is to impersonate a company executive or another high-trust individual. The attacker impersonates accounts such as the CEO, IT or HR and asks employees to carry out actions that lead to financial loss or a security breach. Examples are as simple as asking staff to buy gift cards, visit a website to approve an item, or disclose private company details.

If your company has Microsoft Defender for Office 365 (part of Microsoft 365 Defender), this issue can be addressed quickly. It includes anti-phishing impersonation protection that flags or blocks mail impersonating protected users and domains, and it protects your domains from spoofing more effectively than transport rules alone.

Licensing requirements: Microsoft 365 Defender prerequisites 

Create SPF, DKIM and DMARC Records to Validate Email

Implementing DMARC (Domain-based Message Authentication, Reporting and Conformance) together with SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) is highly recommended for every business. These controls add protection against phishing and spoofed e-mail and reduce the risk of business e-mail compromise. The DMARC policy tells receiving mail servers, including Exchange Online, what to do with messages sent under the organization’s domain that fail the SPF and DKIM alignment checks.

The DMARC TXT record also states where aggregate and forensic reports should be sent, giving the domain owner visibility into who is sending mail under its name. The authorization of sending servers itself comes from SPF and DKIM: the receiving server verifies that the message originated from an approved outbound mail server (SPF) and that its signature was produced with the key published for the domain (DKIM).

An SPF record lists the IP addresses and hosts allowed to send mail for a domain. If an attacker spoofs the organization’s domain from an address not on that list, the receiving server can reject or quarantine the message immediately, depending on the SPF qualifier and the DMARC policy.

The recommended order is SPF first, then DKIM, then DMARC, so that DMARC has both signals to align against. DKIM adds a digital signature to each message’s headers. DMARC settings should be introduced carefully, starting with a monitoring policy (p=none) and reviewing the reports before moving to quarantine or reject, so that intended mail flow is not disrupted.
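A check for the three records as a receiving server sees them, as an added example that is not part of the original article. It uses only Resolve-DnsName from the Windows DnsClient module, resolves the selector1/selector2 DKIM CNAMEs that Microsoft 365 uses, and warns when SPF is missing or duplicated, when the terminal SPF mechanism is permissive, or when the DMARC policy is still p=none. contoso.com is a placeholder; the SPF lookup count is an approximation of the 10-lookup limit, not a full evaluator.

```powershell
# Added example (not from the original article): external check of SPF, DKIM and DMARC
# publication for a domain. Assumptions: Windows DnsClient module; $domain is a placeholder.
$domain = "contoso.com"

function Get-TxtRecord([string]$Name) {
    # Return each TXT record as a single joined string (long records are split into chunks).
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object Type -eq "TXT" | ForEach-Object { $_.Strings -join "" }
    } catch { @() }
}

# --- SPF: exactly one v=spf1 record, ending in -all or ~all, within the 10-lookup limit ---
$spf = Get-TxtRecord $domain | Where-Object { $_ -like "v=spf1*" }
switch ($spf.Count) {
    0 { "SPF: MISSING" }
    1 {
        $mech    = if ($spf -match '([~\-\?\+]?all)\s*$') { $Matches[1] } else { "(no all mechanism)" }
        # Approximate count of DNS-querying mechanisms; a permerror results above 10.
        $lookups = ([regex]::Matches($spf, '(?i)\b(include|a|mx|ptr|exists|redirect)(?=[:=\s])')).Count
        "SPF: $spf"
        "  terminal mechanism: $mech (want -all or ~all; +all or none authorises everyone)"
        "  DNS-querying mechanisms: $lookups (limit 10)"
    }
    default { "SPF: INVALID, $($spf.Count) v=spf1 records found (receivers treat this as permerror)" }
}

# --- DKIM: Microsoft 365 signs with selector1/selector2; each must be a CNAME to the tenant key ---
foreach ($sel in "selector1","selector2") {
    $rec = Resolve-DnsName -Name "$sel._domainkey.$domain" -Type CNAME -ErrorAction SilentlyContinue |
           Where-Object Type -eq "CNAME"
    if ($rec) { "DKIM ${sel}: CNAME -> $($rec.NameHost)" } else { "DKIM ${sel}: MISSING" }
}

# --- DMARC: policy should reach quarantine/reject once reports show legitimate mail passes ---
$dmarc = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like "v=DMARC1*" }
if (-not $dmarc) {
    "DMARC: MISSING (spoofed mail is judged only by the receiver's own heuristics)"
} else {
    $tags = @{}
    foreach ($kv in ($dmarc -split ';')) {
        if ($kv -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $p   = $tags['p']
    $pct = if ($tags['pct']) { $tags['pct'] } else { 100 }
    "DMARC: $dmarc"
    "  policy: p=$p pct=$pct aggregate reports: $($tags['rua'])"
    if ($p -eq 'none') { "  WARNING: p=none only monitors; failing mail is still delivered" }
    if (-not $tags['rua']) { "  WARNING: no rua= address, you will receive no reports" }
}
```

Run it against each accepted domain, including the ones that never send mail: a parked domain should still publish `v=spf1 -all` and a reject DMARC policy so it cannot be used for spoofing.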

Reference: Define DMARC to Validate Email

Determine DMARC Failure Rule 

Once DMARC is established for the organization, a rule should be created in the Exchange admin center to direct where mail that fails DMARC validation goes. For example: deliver the message to the hosted quarantine if the Authentication-Results header contains “dmarc=fail”, the sender’s address domain is one of the organization’s accepted domains, and the message is received from outside the organization. Under Additional properties, set Sender address matches to Header.

Define a Rule for Data Exfiltration Restrictions

In a business e-mail compromise the attacker often configures mailbox forwarding rules that send a copy of e-mail out of the company to an address on a third-party domain. Employees may also forward copies of e-mail to their personal accounts. Both undermine the security of business data. A rule in the Exchange admin center can block this.

Configure the rule to reject the message with an explanation that forwarding to domains outside the organization is not permitted. The rule triggers when a message is sent outside the organization, the message type is auto-forward, and the message originated inside the company. It is also helpful to define alerts on the same criteria to protect account integrity; an alert can be attached while creating the rule so that a designated person receives an e-mail notification each time it fires.
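The four mail flow rules described in this Exchange Administration section (encryption on a subject keyword, the spoofing rule, the DMARC failure rule and the data exfiltration rule), created with New-TransportRule instead of the admin center, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module, an Organization Management administrator, and that “Encrypt” is the default Office 365 Message Encryption template; secops@contoso.com and the rule names are placeholders.

```powershell
# Added example (not from the original article): the section's mail flow rules as PowerShell.
# Assumptions: ExchangeOnlineManagement module; "secops@contoso.com" and rule names are
# placeholders; "Encrypt" is the default Office 365 Message Encryption template name.
Connect-ExchangeOnline

# "Any of the organization's domains" = every accepted domain in the tenant
$ourDomains = (Get-AcceptedDomain).DomainName

# 1. Encrypt outbound mail when the sender puts a keyword in the subject
New-TransportRule -Name "Encrypt on subject keyword" `
    -FromScope InOrganization -SubjectContainsWords "Encrypt","[Secure]" `
    -ApplyRightsProtectionTemplate "Encrypt" -Mode Enforce

# 2. Spoofing rule: external mail claiming one of our domains gets SCL 9 (high-confidence spam).
#    Match on the header From address, which is what the user sees, not only the envelope sender.
New-TransportRule -Name "Spoofed internal sender -> SCL 9" `
    -FromScope NotInOrganization -SenderDomainIs $ourDomains -SenderAddressLocation Header `
    -SetSCL 9 -Mode Enforce

# 3. DMARC failure rule: quarantine external mail that fails DMARC for one of our domains
New-TransportRule -Name "Quarantine DMARC failures for our domains" `
    -FromScope NotInOrganization -SenderDomainIs $ourDomains -SenderAddressLocation Header `
    -HeaderContainsMessageHeader "Authentication-Results" -HeaderContainsWords "dmarc=fail" `
    -Quarantine $true -Mode Enforce

# 4. Data exfiltration: reject auto-forwarded mail leaving the organization and notify the SOC
New-TransportRule -Name "Block external auto-forward" `
    -FromScope InOrganization -SentToScope NotInOrganization -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding to external addresses is not permitted. Contact the help desk." `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -GenerateIncidentReport "secops@contoso.com" `
    -IncidentReportContent "Sender","Recipients","Subject","RuleDetections" `
    -Mode Enforce

# Rules evaluate in Priority order. Confirm the spoof and DMARC rules sit above any rule that
# could later bypass filtering (for example a partner allow-list that sets SCL -1).
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, State, Mode -AutoSize
```

Rules 2 and 3 will also catch legitimate third-party services that send on your behalf (marketing platforms, ticketing systems) until those are covered by SPF/DKIM; run them with `-Mode Audit` first and review the incident reports before enforcing. Rule 4 blocks the forwarded messages; it does not delete the inbox rules that generate them, so it complements rather than replaces the rule review in the auditing section.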

Configure Connection Filters 

Connection filtering lets you define an IP allow list of trusted senders for each domain, which prevents mail from trusted senders from being blocked by spam filtering, and an IP block list for known-bad sources.

Reference: Connection Filters 


Configure Alert Policies 

Alert policies help monitor administrator and user activity, malware threats and data loss incidents within the organization. At a minimum, define alerts for malware, e-mail forwarding/redirect rules and suspicious activity.

It is highly recommended that event data be sent to a SIEM solution for correlation and long-term storage. If no SIEM is in place, consider Microsoft’s cloud-native SIEM, Microsoft Sentinel. Certain Microsoft 365 data sources, such as the Office 365 activity logs, can be ingested at no charge and retained for 90 days; additional charges typically apply for Log Analytics storage beyond that and for other custom event sources. You may also want to consider a managed service such as Ossisto365 to help build and manage your environment.


Manage Microsoft Secure Score for Office 365

Microsoft Secure Score evaluates each organization’s Office 365 security posture based on administrative activity and configured security settings, and provides recommendations. The score is calculated from the current settings and re-evaluated at regular intervals. Secure Score is an excellent tool for understanding and measuring how much risk you have reduced through the various security features over the course of the year.

It is highly recommended that all findings be evaluated and considered for your company. Settings should be reviewed carefully, and adjustments may be needed so that legitimate mail that looks spoofed (for example, messages sent on your behalf by third-party services) is not disrupted. Secure Score is widely supported and is being rolled out across more areas of the Microsoft 365 cloud. Review the score on an ongoing basis: it provides a significant amount of information and becomes more capable with each release.

Reference: Secure Score Overview


Security and Compliance Features 

Microsoft 365 includes a number of features, listed below, that should be evaluated and configured with appropriate settings in line with the business’s IT security requirements. The following should also be considered and configured in the Security & Compliance section.

Data Loss Prevention

Policies that help identify and protect sensitive data.

Data Governance

Helps classify content and define retention and disposal rules.

Labels

Labels are applied to documents or e-mails to enforce rules such as retention settings and sensitivity.

Information Privacy

GDPR requirements for data privacy and access to personal information.

Threat Management

Threat tracking and attack simulators are used to assess the level of risk.


Customer Lockbox 

Customer Lockbox lets companies control whether and how a Microsoft support engineer can access the company’s data when access is required to resolve a support case: each request must be approved by the customer. This feature is available with the E5 plan or the Advanced Compliance add-on license. Enable it if it is available to you.

Reference: Enable Customer Lockbox 


The Microsoft Platform 

Beyond e-mail, Microsoft offers an extensive set of tools to safeguard companies. A well-integrated security stack improves efficiency and keeps the company current with emerging threats. Companies should review their current Microsoft licenses and make sure they are using everything they already own.

They should also weigh the benefits of changing the licensing, either by moving up a plan or by acquiring individual add-on licenses, to strengthen security. Microsoft Defender for Office 365, for example, provides Safe Links, which rewrites URLs in e-mail and scans them at click time before the recipient reaches the destination, and Safe Attachments, which detonates attachments before delivery. Microsoft also gives administrators insight into the threats carried by malicious e-mail and Office attachments.

Reference: Microsoft 365 Defender 

Reference: Microsoft Defender for Office 365 

Reference: Microsoft Defender for Cloud

Reference: Microsoft Sentinel 



Microsoft serves millions of Office 365 users, and more than two thirds of businesses were expected to be cloud-based by 2019. Microsoft’s defense-in-depth approach and operational best practices provide physical and logical layer security that protects Microsoft 365 users in general, but each company using Microsoft 365 remains responsible for ensuring that its tenant is deployed and configured securely. Each company must evaluate, adjust and tune the relevant settings across the Microsoft 365 services so that its risk tolerance is met.

To help evaluate your organization’s cyber risk or security requirements, contact Ossisto365.
