
Hardening Office 365 and Azure



Create an emergency access Admin Account

This account must be excluded from multi-factor authentication.

Enable Azure Portal Inactivity Timeout

  1. Click on the gear icon

  2. Select Configure directory level timeout

  3. Enable the idle timeout and set it to 30 minutes

Enable Preset Security Policies in Exchange Online

  1. Expand Threat Management and select Policy

  2. Click on Preset Security Policies

  3. Edit the Standard Protection

  4. Add the condition the recipient’s domains are

  5. Add all the domains of your tenant

  6. Confirm the settings

Blocking Basic Authentication Protocols

Blocking Unused protocols

  1. Expand Settings and select Org settings

  2. Select Modern Authentication

  3. Turn off all the basic authentication protocols that you are not using


Block Legacy Authentication for SharePoint

Third-party apps in Office 365 don’t enforce multi-factor authentication and allow your users to connect to SharePoint without MFA.

  1. Expand Policies and select Access Control

  2. Select Apps that don’t use modern authentication

  3. Block the access

Block Shared Mailbox Sign-in

  1. Select Active Users

  2. Filter the list on unlicensed users

  3. Select the Shared Mailbox and Resource user accounts

  4. Click on the ellipsis and select Edit Sign-In Status

  5. Block the users from signing in
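The same block, scripted instead of clicked: an added example that is not part of the original post, using the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules. It assumes an existing Connect-ExchangeOnline session and a Connect-MgGraph session with the User.ReadWrite.All scope.

```powershell
# Added example (not from the original post). Blocks interactive sign-in for the
# shared, room and equipment mailbox accounts that the manual steps select by hand.
# Assumes an existing Connect-ExchangeOnline session and
# Connect-MgGraph -Scopes "User.ReadWrite.All".

# Shared and resource mailboxes are the unlicensed accounts the steps filter on.
$resourceMailboxes = Get-EXOMailbox -ResultSize Unlimited `
    -RecipientTypeDetails SharedMailbox, RoomMailbox, EquipmentMailbox `
    -Properties ExternalDirectoryObjectId, UserPrincipalName

foreach ($mbx in $resourceMailboxes) {
    # ExternalDirectoryObjectId is the Azure AD user object behind the mailbox.
    $user = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId `
        -Property Id, UserPrincipalName, AccountEnabled

    if ($user.AccountEnabled) {
        # Same effect as "Edit sign-in status" -> "Block this user from signing in".
        # Delegated access to the mailbox by licensed users is unaffected.
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Write-Host "Blocked sign-in: $($user.UserPrincipalName)"
    }
    else {
        Write-Host "Already blocked:  $($user.UserPrincipalName)"
    }
}

# Verification: anything listed here can still sign in and needs attention.
$resourceMailboxes |
    ForEach-Object { Get-MgUser -UserId $_.ExternalDirectoryObjectId -Property UserPrincipalName, AccountEnabled } |
    Where-Object { $_.AccountEnabled } |
    Select-Object UserPrincipalName, AccountEnabled
```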

Block Auto-forwarding to External Domain

Auto-forwarding to an external domain is normally not needed, so block it with a mail flow rule:

  1. Open the Exchange Admin Center

  2. Select Mail Flow

  3. Create a new rule and name it “Block auto-forward to external domain”

  4. Select More options at the bottom of the screen

  5. Configure the rule as follows:

     • Apply this rule if: The sender is located – inside the organization

     • Add a condition: The recipient is located – outside the organization

     • Add a condition: The Message Properties – include the message type – Auto-Forward

     • Do the following: Block the message – reject the message with the explanation – “Auto-forwarding to an external domain not allowed”

  6. Audit this rule with severity level: Medium
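The same mail flow rule built with Exchange Online PowerShell, plus a check for mailboxes that already forward at mailbox level: an added example that is not part of the original post. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session.

```powershell
# Added example (not from the original post). Creates the "Block auto-forward to
# external domain" rule from the steps above and verifies it.
# Assumes an existing Connect-ExchangeOnline session.

$rule = @{
    Name                    = "Block auto-forward to external domain"
    # Apply this rule if: the sender is located inside the organization
    FromScope               = "InOrganization"
    # Condition: the recipient is located outside the organization
    SentToScope             = "NotInOrganization"
    # Condition: message properties include the message type Auto-Forward
    MessageTypeMatches      = "AutoForward"
    # Do the following: reject the message with this explanation
    RejectMessageReasonText = "Auto-forwarding to an external domain not allowed"
    # Audit this rule with severity level Medium
    SetAuditSeverity        = "Medium"
    Mode                    = "Enforce"
}

if (Get-TransportRule -Identity $rule.Name -ErrorAction SilentlyContinue) {
    Write-Host "Rule already exists: $($rule.Name)"
}
else {
    New-TransportRule @rule
}

# Verify the rule, its state and its conditions.
Get-TransportRule -Identity $rule.Name |
    Format-List Name, State, Mode, FromScope, SentToScope, MessageTypeMatches,
                RejectMessageReasonText, SetAuditSeverity

# Complementary check: the transport rule stops auto-forwarded messages, but
# mailbox-level forwarding already configured by users or admins is worth reviewing.
Get-EXOMailbox -ResultSize Unlimited `
    -Properties ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```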


Block User Consent to Apps

Disable unverified apps by turning off user consent in the Microsoft 365 Admin Center:

  1. Open Microsoft 365 Admin Center

  2. Expand Settings and select Org Settings

  3. Select User consent to apps

  4. Turn off “Let users provide consent”

Next steps in Azure Active Directory

  1. In Azure AD select Enterprise Applications

  2. Select Consent and permissions

  3. Select Allow user consent for apps from verified publishers and Do not allow group owner consent

  4. Click on Permission classifications

  5. Add the 5 low-risk permissions.

  6. Go back to the Enterprise applications and select User Settings

  7. Enable Users can request admin consent

  8. Add one or more admins for the request

Block guests from inviting other guests

In Azure Active Directory, navigate to External Identities and select External collaboration settings. Set Guests can invite to No.

Block Anonymous Users can join a Meeting

  1. Open the Teams Admin Center

  2. Expand Meetings and select Meeting Settings

  3. Turn off Anonymous users can join a meeting

Limit External Sharing in SharePoint

  1. Open the SharePoint Admin Center

  2. Navigate to Policies > Sharing

  3. Change Content can be shared with to New and existing guests (this way guests must verify their identity)

  4. Expand More external sharing settings

  5. Enable Guest must sign in using the same account to which sharing invitations are sent

  6. Make sure that Allow guest to share items they don’t own is disabled

  7. Enable the People who use a verification code setting and set its reauthentication period to 30 days.

Protect against ransomware

  • Go to the Exchange admin center.

  • In the mail flow category, select rules.

  • Select +, and then Create a new rule.

  • Select More options at the bottom of the dialog box to see the full set of options.

  • Apply the settings in the following table for each rule. Leave the rest of the settings at the default, unless you want to change these.

  • Select Save



Raise the level of protection against malware in mail


  • Go to https://protection.office.com and sign in with your admin account credentials.

  • In the Security & Compliance Center, in the left navigation pane, under Threat management, choose Policy > Anti-Malware.

  • Double-click the default policy to edit this company-wide policy.

  • Select Settings.

  • Under Common Attachment Types Filter, select On. The file types that are blocked are listed in the window directly below this control. You can add or delete file types later, if needed.

  • Select Save. 


Protect email from phishing attacks

  • Go to https://protection.office.com.

  • In the Security & Compliance Center, in the left navigation pane, under Threat management, select Policy.

  • On the Policy page, select Anti-phishing.

  • On the Anti-phishing page, select + Create. A wizard launches that steps you through defining your anti-phishing policy.

  • After reviewing the settings, select Create this policy or Save, as appropriate.


Protect against malicious attachments and files with Safe Attachments

  • Go to https://protection.office.com and sign in with your admin account.

  • In the Security & Compliance Center, in the left navigation pane, under Threat management, select Policy.

  • On the Policy page, select Safe Attachments.

  • On the Safe attachments page, apply this protection broadly by selecting the Turn on ATP for SharePoint, OneDrive, and Microsoft Teams check box.

  • Select + to create a new policy.

  • Apply the settings in the following table.

  • After you have reviewed your settings, select Create this policy or Save, as appropriate.


Turn off basic authentication

In the Microsoft 365 Admin Center, under Settings > Org Settings > Modern Authentication, you can designate the protocols in your tenant that no longer require Basic Authentication to be enabled.

Create a Conditional Access policy

  1. Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.

  2. Browse to Azure Active Directory > Security > Conditional Access.

  3. Select New policy.

  4. Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.

  5. Under Assignments, select Users and groups.

     1. Under Include, select All users.

     2. Under Exclude, select Users and groups and choose any accounts that must maintain the ability to use legacy authentication. Exclude at least one account to prevent yourself from being locked out. If you do not exclude any account, you will not be able to create this policy.

     3. Select Done.

  6. Under Cloud apps or actions, select All cloud apps.

     1. Select Done.

  7. Under Conditions > Client apps, set Configure to Yes.

     1. Check only the boxes Exchange ActiveSync clients and Other clients.

     2. Select Done.

  8. Under Access controls > Grant, select Block access.

     1. Select Select.

  9. Confirm your settings and set Enable policy to Report-only.

  10. Select Create to enable your policy.
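The same legacy-authentication block policy created in report-only mode with the Microsoft Graph PowerShell SDK: an added example that is not part of the original post. It assumes a Connect-MgGraph session with the Policy.ReadWrite.ConditionalAccess scope; the policy name and the emergency account object id ($breakGlassId) are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Builds the Conditional Access policy
# from the steps above and leaves it in report-only mode.
# Assumes Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess".

# Placeholder: object id of the emergency access account created earlier on this page.
$breakGlassId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Block legacy authentication"   # step 4: use your naming standard
    state       = "enabledForReportingButNotEnforced"     # step 9: Report-only
    conditions  = @{
        users = @{
            includeUsers = @("All")                       # step 5.1: All users
            excludeUsers = @($breakGlassId)               # step 5.2: never lock yourself out
        }
        applications = @{
            includeApplications = @("All")                # step 6: All cloud apps
        }
        # step 7: only Exchange ActiveSync clients and Other clients (legacy protocols)
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")                      # step 8: Block access
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Safety check before ever switching the policy on: the exclusion must really
# contain the emergency access account.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.Conditions.Users.ExcludeUsers -notcontains $breakGlassId) {
    throw "Emergency access account is not excluded; do not enable this policy."
}

# Once the report-only sign-in logs show no legitimate users affected:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```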

Securing Office 365

  • Detect malicious files and attachments

  • Implement Outbound and Inbound Spam Policy

  • Use automated tools to determine password strength (Weak password test)

  • Implement account lockout

  • Data loss prevention policy

  • Require approved client apps

  • Implement connection filter

© 2035 by Train of Thoughts. Powered and secured by Thiru