Microsoft 365 Security Audit: Tenant Setup Guide – Step 3
Step 3 to Securing your Microsoft 365 From Scratch
Are you sure you know who has access to your data? Performing a Microsoft 365 security audit of users, accounts, and mailboxes is not optional—it’s the foundation of a secure environment. We audit 17 key areas when we first onboard a tenant, and in this article we highlight 7 of the most important steps for your IT team to lock down your tenant.
Interested in a Step-by-Step Microsoft 365 SOP Checklist?
If you’re looking to simplify and standardize your Microsoft 365 setup, our detailed Microsoft 365 SOPs offer step-by-step checklists and templates to guide you through every aspect of configuration.
1. Audit and Verify Active Users and Service Accounts
It is critical to ensure that your tenant has accurate records of who has access to resources.
Active Licensed Users and Service Accounts
Confirm, appropriately group, and monitor active users and service accounts. When a new employee or user is added to the tenant, they must be added to the Security Group in order to receive applicable policies and settings enforced on their devices, along with any conditional access policies or settings that must be enforced at an organization level.
Unlicensed Users and Service Accounts
Unlicensed users and service accounts often fly under the radar, yet they still pose a security risk. For each service account, update the Job Title to include "Service Account" for easier tagging and auditing in the future.
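The inventory and tagging described in this section, written out as Microsoft Graph PowerShell. This is an added example, not a script from the original guide; it assumes the Microsoft.Graph module is installed, and the two service account UPNs it tags are constructed placeholders to replace with your own.

```powershell
# Added example (not from the original guide): list licensed vs. unlicensed
# users and tag designated service accounts by Job Title with Microsoft Graph
# PowerShell. Assumes the Microsoft.Graph module is installed.
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.Read.All"

# Pull every user with only the properties the audit needs.
$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, JobTitle,
    AccountEnabled, AssignedLicenses, OnPremisesSyncEnabled, UserType

$report = foreach ($u in $users) {
    [pscustomobject]@{
        UPN           = $u.UserPrincipalName
        DisplayName   = $u.DisplayName
        Enabled       = $u.AccountEnabled
        Licensed      = ($u.AssignedLicenses.Count -gt 0)
        CloudOnly     = -not $u.OnPremisesSyncEnabled
        Guest         = ($u.UserType -eq "Guest")
        JobTitle      = $u.JobTitle
        IsServiceAcct = ($u.JobTitle -like "*Service Account*")
    }
}

# Enabled but unlicensed accounts are the ones that fly under the radar; list them first.
$report | Where-Object { $_.Enabled -and -not $_.Licensed -and -not $_.Guest } |
    Sort-Object UPN | Format-Table UPN, DisplayName, JobTitle, CloudOnly -AutoSize

# Tag known service accounts so the Job Title carries the "Service Account"
# marker. Constructed list; replace with the accounts you identified.
$knownServiceAccounts = @(
    "svc-backup@contoso.onmicrosoft.com",
    "svc-scanner@contoso.onmicrosoft.com"
)
foreach ($upn in $knownServiceAccounts) {
    $u = $users | Where-Object UserPrincipalName -eq $upn
    if (-not $u) { Write-Warning "Not found: $upn"; continue }
    if ($u.JobTitle -notlike "*Service Account*") {
        $newTitle = if ($u.JobTitle) { "$($u.JobTitle) - Service Account" } else { "Service Account" }
        Update-MgUser -UserId $u.Id -JobTitle $newTitle
        Write-Output "Tagged $upn as '$newTitle'"
    }
}

# Keep the full inventory as the audit record.
$report | Export-Csv -Path ".\m365-user-audit.csv" -NoTypeInformation
```

Because the tag lives in a directory attribute, the same `JobTitle -like "*Service Account*"` test can be reused later in dynamic group rules or in the sign-in review in step 6 to separate service-account activity from human activity.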
2. Secure and Manage Shared Mailboxes
Convert User Mailboxes to Shared Mailboxes
Doing so upon employee termination will avoid data loss and maintain access for authorized personnel. This will help prevent the mailbox from being deleted once the license is removed from the user account. Also, it is important to maintain a consistent understanding of how many users are licensed and accessing internal resources regularly.
To decommission a user, the best way to revoke the license assigned to a terminated employee or service account without losing the mailbox is to first convert the UserMailbox to a SharedMailbox.
Go to admin.exchange.microsoft.com > Recipients > Mailboxes > Locate UserMailbox > Select Mailbox > Click Convert to shared mailbox. Once the mailbox is converted, you can navigate back to admin.microsoft.com, look up the former user, and remove any licenses that were assigned.
Block Sign-In For Shared Mailboxes
Prevent unauthorized access and enhance security. A shared mailbox allows access only to those who are delegated. However, problems sometimes arise, such as an admin resetting the password or an attacker signing in directly. To prevent unauthorized access, it’s important to block sign-in for the account associated with the shared mailbox. This ensures emails can only be sent by authorized users with distinct identities.
Block Shared Mailboxes in Microsoft 365 Admin Center
You can manually deactivate Shared Mailboxes one-by-one by performing the following step. Navigate to admin.microsoft.com, Active users > Locate User > Block sign-in. Then, the account will no longer be able to access internal resources and will be blocked moving forward.
Automatically block sign-in of Shared Mailboxes via Exchange Online PowerShell Script
This step is more robust and blocks sign-in for all Shared Mailboxes at once. To do so, connect to Exchange Online and Azure AD / Entra ID using Connect-ExchangeOnline and Connect-AzureAD, then run the script below. Note that the AzureAD module is deprecated in favour of Microsoft Graph PowerShell; the Graph equivalent of the Set-AzureADUser call is Update-MgUser -UserId $upn -AccountEnabled:$false.

# Get all shared mailboxes in the tenant
$sharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

# Block sign-in for each shared mailbox
foreach ($mailbox in $sharedMailboxes) {
    # Use the user principal name (UPN) to look up the directory account
    $upn = $mailbox.UserPrincipalName

    # Get the Azure AD user associated with the shared mailbox
    # (-ErrorAction SilentlyContinue so a missing account reaches the else branch)
    $aadUser = Get-AzureADUser -ObjectId $upn -ErrorAction SilentlyContinue

    if ($aadUser) {
        # Block the sign-in
        Set-AzureADUser -ObjectId $aadUser.ObjectId -AccountEnabled $false
        Write-Output "Blocked sign-in for shared mailbox: $upn"
    }
    else {
        Write-Output "Could not find Azure AD user for shared mailbox: $upn"
    }
}
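The full decommission flow from this section (convert to shared, block sign-in, strip licenses) plus a verification pass that every shared mailbox really has sign-in blocked, as an added example using Exchange Online and Microsoft Graph PowerShell rather than the retired AzureAD module. This is not a script from the original guide; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, the function name Invoke-MailboxDecommission is my own, and the target UPN is a constructed placeholder.

```powershell
# Added example (not from the original guide): decommission a terminated user's
# mailbox and verify that all shared mailboxes have sign-in blocked.
# Assumes ExchangeOnlineManagement and Microsoft.Graph are installed.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"

function Invoke-MailboxDecommission {
    param([Parameter(Mandatory)][string]$Upn)

    # 1. Convert the user mailbox to a shared mailbox so the data survives
    #    license removal.
    $mbx = Get-Mailbox -Identity $Upn -ErrorAction Stop
    if ($mbx.RecipientTypeDetails -eq "UserMailbox") {
        Set-Mailbox -Identity $Upn -Type Shared
        Write-Output "Converted $Upn to a shared mailbox"
    }

    # 2. Block interactive sign-in on the underlying directory account.
    Update-MgUser -UserId $Upn -AccountEnabled:$false
    Write-Output "Blocked sign-in for $Upn"

    # 3. Remove every assigned license (a shared mailbox under 50 GB needs none).
    $user = Get-MgUser -UserId $Upn -Property Id, AssignedLicenses
    $skus = @($user.AssignedLicenses.SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $user.Id -RemoveLicenses $skus -AddLicenses @()
        Write-Output "Removed $($skus.Count) license(s) from $Upn"
    }
}

# Constructed example target; replace with the real terminated user.
Invoke-MailboxDecommission -Upn "jdoe@contoso.onmicrosoft.com"

# Verification pass: every shared mailbox in the tenant should have sign-in blocked.
$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited
$stillEnabled = foreach ($m in $shared) {
    $u = Get-MgUser -UserId $m.UserPrincipalName -Property UserPrincipalName, AccountEnabled `
        -ErrorAction SilentlyContinue
    if ($u -and $u.AccountEnabled) { $u.UserPrincipalName }
}
if ($stillEnabled) {
    Write-Warning "Shared mailboxes with sign-in still enabled:`n$($stillEnabled -join "`n")"
} else {
    Write-Output "All $($shared.Count) shared mailboxes have sign-in blocked"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the verification part on its own during the periodic audit described at the end of this guide; a shared mailbox whose account is enabled again is a sign that someone reset its password and used it directly, which is exactly the case this section warns about.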
3. Audit Administrator Privileges
To avoid privilege abuse, tightly control administrator roles. First, pull an export of all Global Administrator roles that exist within the tenant and perform the following actions.
Navigate to portal.azure.com > Entra ID > Roles and Administrators > Global Administrators > Active Assignments > Export
Right-sizing Global Admin Roles
This step ensures that no unnecessary privileges exist. Review and audit all of your global administrators and ensure that none are permissioned unnecessarily.
Separate Admin Accounts
It is crucial to isolate high-risk access from day-to-day operations.
- Administrative accounts, which have high-privilege access to data, users, and settings, should be strictly separated from regular standard user accounts and should not have unnecessary applications like email, Teams, or SharePoint assigned to them.
- To keep your administrative accounts safe and minimize security risks, make sure these accounts are cloud-only and are licensed only for essential tasks. For access to functionalities such as Identity Protection, PIM, and Conditional Access in Microsoft 365, a Microsoft Entra ID P1 or P2 license is required.
Ensure that 2 Break Glass Admin accounts are created
- Sometimes, an organization might need a break glass account for emergency access. Losing administrator functions can lead to major issues for an organization, like being unable to support operations, losing visibility into security, and potentially incurring financial losses.
- Therefore, it’s important to have more than one global administrator to ensure oversight and maintain redundancy in case an admin leaves the organization.
- However, limit the number of global admins to no more than four per tenant to manage risks effectively. Ideally, these global administrators should not have licenses assigned to them.
- Improper setup of an emergency access account can weaken security. Microsoft advises keeping at least one such account outside all conditional access rules. To safeguard these accounts from random guesses, passwords must be long and complex. Alternatively, you can use FIDO2 security keys for a secure, passwordless option.
- To start, make sure that the accounts are appropriately named and do NOT identify with any person.
- Example naming convention: Breakglass Admin Account 1 aka Admin When Shit Hits the Fan
Requirements for Break Glass Administrator Accounts
- These accounts use the default .onmicrosoft.com domain and not the organization’s.
- The accounts are cloud-only.
- The accounts are unlicensed.
- The accounts are assigned the Global Administrator directory role.
- Passwords must be at least 16 characters, randomly generated, and MAY be split into multiple pieces that are joined only in an emergency.
ℹ️ One of the global admin accounts must be excluded from your conditional access policies.
Realistically, you should have a policy in place for managing the break glass admin accounts for the organizations that you manage. Additionally, you should identify baselines for your team members in terms of accessing these resources and specific requirements for when these accounts are used.
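The Global Administrator review and the break-glass requirements above, turned into a check with Microsoft Graph PowerShell. This is an added example, not a script from the original guide; it assumes the Microsoft.Graph module is installed and covers active role assignments only (the same "Active Assignments" view the portal export uses), so PIM-eligible assignments are not listed. The "has a mailbox" heuristic uses the user's Mail attribute and is my own approximation.

```powershell
# Added example (not from the original guide): list Global Administrators and
# test them against this section's rules: at most four, cloud-only, separated
# from mailbox-bearing daily-use accounts, and at least two unlicensed
# break-glass accounts on the .onmicrosoft.com domain.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "User.Read.All"

# The Global Administrator role template id is the same in every tenant.
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplateId'"
if (-not $gaRole) { throw "Global Administrator role is not activated in this tenant" }

$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All

$admins = foreach ($m in $members) {
    # Members can be users, groups or service principals; only users are checked here.
    if ($m.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $u = Get-MgUser -UserId $m.Id -Property Id, UserPrincipalName, AccountEnabled,
        OnPremisesSyncEnabled, AssignedLicenses, Mail
    [pscustomobject]@{
        UPN        = $u.UserPrincipalName
        Enabled    = $u.AccountEnabled
        CloudOnly  = -not $u.OnPremisesSyncEnabled
        Licensed   = ($u.AssignedLicenses.Count -gt 0)
        OnMsDomain = ($u.UserPrincipalName -like "*.onmicrosoft.com")
        HasMailbox = [bool]$u.Mail   # heuristic: Mail is set when a mailbox exists
    }
}

$admins | Format-Table -AutoSize

# Findings, phrased as the audit questions from this section.
$findings = @()
if ($admins.Count -gt 4) { $findings += "More than four Global Administrators ($($admins.Count))" }
if ($admins.Count -lt 2) { $findings += "Fewer than two Global Administrators; no redundancy" }
foreach ($a in $admins) {
    if (-not $a.CloudOnly) { $findings += "$($a.UPN) is synced from on-premises; admin accounts should be cloud-only" }
    if ($a.HasMailbox)     { $findings += "$($a.UPN) has a mailbox; separate admin accounts from daily-use accounts" }
}
# Break-glass candidates: enabled, cloud-only, unlicensed, on the default domain.
$breakGlass = @($admins | Where-Object { $_.Enabled -and $_.CloudOnly -and -not $_.Licensed -and $_.OnMsDomain })
if ($breakGlass.Count -lt 2) { $findings += "Only $($breakGlass.Count) account(s) match the break-glass requirements; two are expected" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output "No findings" }

# Keep the export as the audit record, matching the portal's Export step.
$admins | Export-Csv -Path ".\global-admins.csv" -NoTypeInformation
```

Whether a given break-glass account is excluded from Conditional Access cannot be read from the role membership; check that separately in each policy's exclusions after confirming the candidates this script reports.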
4. Enforce Archiving Policies
Managing email storage and ensuring compliance with retention policies prevents clutter and data sprawl.
Implement Mailbox Archiving Policies
Retain important communications and optimize storage. The script below will enable the Archiving Policy across your tenant for all mailboxes.
First, Connect-ExchangeOnline with your Admin account.
Then, run the following script:
Get-Mailbox -Filter {ArchiveGuid -Eq "00000000-0000-0000-0000-000000000000" -AND RecipientTypeDetails -Eq "UserMailbox"} | Enable-Mailbox -Archive
The results that appear in the script indicate the mailboxes for which archiving was enabled.
Finally, Disconnect-ExchangeOnline with your Global Admin account and repeat for all your customers.
5. Audit and Secure Service Accounts
These accounts often have elevated privileges. Therefore, they are often targets for attackers.
Reset passwords and Rotate Keys for Service Accounts
Doing so ensures secure password management and eliminates stale access points. Verify that all services are functional and restored. All Service Accounts should follow a strict Password Policy with the Passwords stored in the Client Password Vault.
6. Audit Sign-In Logs and Activity
Regular review of sign-in activity can detect potential threats like brute-force attacks.
Review Sign-In Logs to identify suspicious behavior and flag incidents for response.
To perform this audit, navigate to portal.azure.com > Select Entra ID > Within Entra ID > Under Monitoring select Sign-in Logs
Review the following sign-in activities:
- User sign-ins (interactive)
- User sign-ins (non-interactive)
- Service principal sign-ins
- Managed identity sign-ins
Pay attention to the IP address, Location, User, and Status. Additionally, review any irregular or abnormal sign-ins.
Audit and check sign-in activity for the past 24 hours, 7 days, and 1 month if you have not accessed the tenant before. By doing so, you can help identify indicators of compromise.
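The sign-in review above, scripted against the same log with Microsoft Graph PowerShell so the IP, location, user and status fields can be sorted instead of scrolled. This is an added example, not a script from the original guide. It assumes the Microsoft.Graph module is installed and that the tenant has the Entra ID P1/P2 licensing the sign-in log API requires; the expected-country list and the failure threshold are constructed values to tune for your tenant. Without a signInEventTypes filter the cmdlet returns interactive user sign-ins, the first of the four categories listed above.

```powershell
# Added example (not from the original guide): pull 7 days of interactive
# sign-ins and surface failure bursts per IP, successful sign-ins from
# unexpected countries, and legacy-protocol clients.
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

$since   = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Constructed tuning values; set these for your own tenant.
$expectedCountries = @("US", "CA")
$failureThreshold  = 20

# Error code 0 is a successful sign-in; anything else is a failure or interruption.
$failed = $signIns | Where-Object { $_.Status.ErrorCode -ne 0 }

# 1. Failure bursts by source IP. Many failures across many users from one
#    address is the password-spray / brute-force signature.
$failed | Group-Object IpAddress | Where-Object Count -ge $failureThreshold |
    Sort-Object Count -Descending |
    Select-Object @{n='IP'; e={$_.Name}}, Count,
        @{n='DistinctUsers'; e={($_.Group.UserPrincipalName | Sort-Object -Unique).Count}},
        @{n='TopError'; e={($_.Group.Status.ErrorCode | Group-Object |
            Sort-Object Count -Descending | Select-Object -First 1).Name}} |
    Format-Table -AutoSize

# 2. Successful sign-ins from outside the expected countries.
$signIns |
    Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion -notin $expectedCountries } |
    Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
        @{n='Country'; e={$_.Location.CountryOrRegion}}, AppDisplayName, ClientAppUsed |
    Sort-Object CreatedDateTime -Descending | Format-Table -AutoSize

# 3. Legacy-protocol clients (ties in with step 7). Values match the portal's
#    "Client app" column.
$legacyClients = @("IMAP4", "POP3", "Authenticated SMTP", "Other clients")
$signIns | Where-Object { $_.ClientAppUsed -in $legacyClients } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table -AutoSize

# Flat export for the audit record and for a longer (1 month) look-back.
$signIns | Select-Object CreatedDateTime, UserPrincipalName, IpAddress,
    @{n='Country'; e={$_.Location.CountryOrRegion}}, ClientAppUsed,
    @{n='ErrorCode'; e={$_.Status.ErrorCode}} |
    Export-Csv -Path ".\signins-7d.csv" -NoTypeInformation
```

For the 24-hour and 1-month windows the guide asks for, change the AddDays argument; the 1-month pull is large on busy tenants, so run it once and work from the exported CSV.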

7. Disable Legacy Authentication
Old protocols like IMAP and POP are often exploited in attacks.
Disable IMAP/POP across existing mailboxes
This reduces the risk of logons via outdated logon methods.
First, Connect-ExchangeOnline with your Global Admin account
Next, run the following script:
Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Select-Object @{n = "Identity"; e = {$_.PrimarySmtpAddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false
Finally, Disconnect-ExchangeOnline
Disable IMAP and POP for all future mailboxes
First, Connect-ExchangeOnline with your Global Admin account
Next, run the following script:
Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true"} | Set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false
Last, Disconnect-ExchangeOnline
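A verification pass for this step, as an added example that is not part of the original guide: it confirms that no mailbox and no mailbox plan still has IMAP or POP enabled after the two scripts above, and also reports the tenant-wide SMTP AUTH setting, which those scripts do not touch but which is the other Basic-authentication path into mailboxes. It assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example (not from the original guide): report any remaining legacy
# protocol exposure after disabling IMAP/POP.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Mailboxes with IMAP or POP still on.
$legacyMailboxes = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object PrimarySmtpAddress, ImapEnabled, PopEnabled

# Plans that would hand IMAP/POP to newly created mailboxes.
$legacyPlans = Get-CASMailboxPlan |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
    Select-Object DisplayName, ImapEnabled, PopEnabled

# Tenant-wide SMTP AUTH; $true (disabled) is the secure state.
$smtpAuthDisabled = (Get-TransportConfig).SmtpClientAuthenticationDisabled

if ($legacyMailboxes) {
    Write-Warning "Mailboxes with IMAP/POP enabled:"
    $legacyMailboxes | Format-Table -AutoSize
} else {
    Write-Output "No mailbox has IMAP or POP enabled"
}

if ($legacyPlans) {
    Write-Warning "Mailbox plans with IMAP/POP enabled:"
    $legacyPlans | Format-Table -AutoSize
} else {
    Write-Output "All mailbox plans have IMAP and POP disabled"
}

if (-not $smtpAuthDisabled) {
    Write-Warning "SMTP AUTH is still enabled tenant-wide; disable it with: Set-TransportConfig -SmtpClientAuthenticationDisabled `$true"
} else {
    Write-Output "SMTP AUTH is disabled tenant-wide"
}

Disconnect-ExchangeOnline -Confirm:$false
```

Disabling SMTP AUTH tenant-wide breaks devices and applications that submit mail with a username and password (scanners, line-of-business apps), so check the legacy-client sign-ins from step 6 for Authenticated SMTP entries before flipping it, and re-enable it per mailbox only where an exception is justified.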
Regularly Perform a Microsoft 365 Security Audit
These steps focus on both securing access and monitoring activity. Doing so allows businesses to maintain visibility and control over their environments. This process is foundational to any robust cybersecurity program. By implementing these measures, you’re taking control of your environment, securing sensitive data, and ensuring compliance. So, if your team isn’t doing these regularly, it’s time to take action.
The Complete Guide to Microsoft 365
Want full access to the ultimate Microsoft 365 deployment & security cheatsheet? Purchase our complete Golden Tenant now to get detailed instructions, in-depth explanations, and even personalized Microsoft consulting. Have peace of mind with the security of your Microsoft suite by using our CIS-compliant SOPs.