Your Microsoft 365 Vulnerabilities Questions Answered


Security is becoming increasingly important, and considering the attacks on SolarWinds and Kaseya that have shaken the IT industry, there has never been a better time to reassess your own security measures. There is no better place to start than with your Microsoft 365 tenant.

The questions answered in this article were asked during a webinar we hosted, presented by Truesec enterprise security experts Fabio Viggiani and Hasain Alshakarti. If you weren’t able to attend the webinar, you can watch the full recording for free right here on the DOJO. It covers the most critical vulnerabilities in the Microsoft 365 suite and how they would go about fixing or preventing them. As always in webinars such as this, we’re given a number of questions from attendees. Below you’ll find a list of the questions and associated answers from this webinar series, starting with a 30-minute follow-up video featuring Hasain and myself!

Resources

View mail flow reports in the Reports dashboard in Security & Compliance Center
Troubleshoot using the What If tool in Conditional Access
Top 10 ways to secure Microsoft 365 for business plans
Microsoft Secure Score
What’s inside Microsoft Security Best Practices? – (Security Compass)

Your M365 Security Questions


Are there any recommended conditional access policies that should be applied to ALL tenants?

Yes: at a minimum, policies should be put in place that block legacy authentication mechanisms and require MFA for all users if possible (admins at a minimum). Also, if your employees log in from only a handful of countries, go ahead and set up geofencing as well. Finally, don’t forget to set up your “break glass” accounts!
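To show what the first of those recommendations looks like in practice, here is an added example (not from the webinar or this article) using the Microsoft Graph PowerShell SDK: it first checks the last 14 days of sign-in logs for legacy-protocol usage, so you know who would be affected, and then creates a Conditional Access policy that blocks legacy authentication for everyone except the break-glass accounts, in report-only mode. It assumes the Microsoft.Graph modules are installed, that the signed-in admin has the listed Graph permissions, and the break-glass object ID is a placeholder you must replace.

```powershell
# Added example, not the article's own code. Assumes the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Who still signs in over legacy protocols? These client-app names are the values
#    Azure AD writes to the sign-in log for non-modern-auth clients.
$legacyClients = @(
    "Exchange ActiveSync", "Exchange Web Services", "IMAP4", "POP3",
    "Authenticated SMTP", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Offline Address Book", "Other clients"
)
$since = (Get-Date).AddDays(-14).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")

$legacySignIns = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacyClients }

# Summary per user and protocol: this is the list to clean up before enforcing the block.
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Create the block policy in report-only mode so the sign-in log shows what it
#    *would* have blocked. Switch state to "enabled" once the list above is empty.
$breakGlassIds = @("00000000-0000-0000-0000-000000000000")   # PLACEHOLDER: your break-glass account object IDs

$policy = @{
    displayName   = "Block legacy authentication (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        # exchangeActiveSync + other = every non-modern-auth client type
        clientAppTypes = @("exchangeActiveSync", "other")
        applications   = @{ includeApplications = @("All") }
        users          = @{ includeUsers = @("All"); excludeUsers = $breakGlassIds }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

The Conditional Access What If tool linked in the Resources list above can then be used to confirm that a legacy client sign-in for a normal user hits this policy while the break-glass account does not.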

Are there any recommended tools to help test passwords against known breaches?

There are features in Identity Protection in M365 that can help with this. Additionally, a plugin can be installed on your on-prem DCs to have local passwords checked as well.

If I’m an SMB or some organization that has one of the lower licensing SKUs, what are my options for stopping Phishing?

At a minimum, you can set up MFA, which is included even in the lower licensing tiers. User awareness training and careful log monitoring can be useful at this size of organization as well.

Are Hardware-Based MFA Devices More Secure?

Not necessarily. The threat actor is still going to wait for the end user to do what they need to do to log in. The session token issued after a successful authentication is still the target, and it can be compromised with things like malicious OAuth applications, etc.

What are your recommendations for MFA in situations where you may have a shared global admin account across multiple team members?

Security best practices say don’t do this for a number of reasons. Ideally, each administrator requiring this level of access will have their own global admin account and leverage features such as just-in-time access.

Is it advantageous from a security perspective to have all endpoints accessing M365 managed by Intune?

Every situation is different, of course, but anything that can increase the overall trust of a device (like being managed by Intune, if that works for your organization) is generally beneficial.

How much effort should organizations put towards end-user training?

This is certainly an area that organizations should focus on, with consistent, regular training. That said, this needs to be paired with technical solutions that are able to identify and take action against a threat, because the human element WILL fail at some point despite best-laid plans.

Isn’t Conditional Access Deprecated?

Not at all! You may be thinking of Conditional Access Baseline Policies, which never made it out of preview and were instead replaced by Security Defaults. That said, Conditional Access itself remains a highly potent tool for security in M365.

Is there a list of Microsoft Default Enterprise Apps and App Registrations for Reference Purposes?

I’m not aware of one myself. To a degree, the list will partially be dictated by the licenses that are active in your M365 tenant. For example, if you only have Exchange Online Plan 1 and nothing else, it may look odd to see Teams and SharePoint in that list, etc. Even with defaults, the list should be reviewed by a human on a regular basis. That said, if we stumble across one at some point, I’ll be sure to update this list with a link to it!

Does the Outlook Client Application still work if MAPI Legacy Authentication is disabled?

I suspect this question comes from my discussion of MAPI as a legacy authentication protocol. I should have mentioned that the advice there is specific to MAPI via HTTP, which is only used by Outlook 2010 and older clients. Newer Outlook clients can take full advantage of Modern Authentication and still work with no issue, as they don’t leverage a legacy MAPI protocol.

Seems like a lot of these recommendations require specific M365 licenses. Is there a recommended license or combo of licenses for different-sized organizations?

Admittedly, you almost need a PhD in order to wrap your head around M365 licensing. In short, the three potential “add-ons” you’re looking for are Azure AD Premium Plan 1 or Plan 2, or one of the EMS E3 or E5 options, which include varying levels of AAD Premium. Any of these can be tacked on to various M365 packages for the extra security functionality, and some packages come with them. For example, Business Premium comes with AAD Premium Plan 1, which will net you the basic Conditional Access features. I suggest reviewing the AAD pricing page and the EMS comparison page. Then it becomes a pricing exercise of which option works best for your customer’s specific needs.

Andy Mentioned an eBook that covers M365. Can you share the URL for that again?

Sure thing! The eBook can be found here! 

To use Conditional Access do we need Azure AD Plan 1?

Correct. AAD Premium Plan 1 will get you access to basic Conditional Access functionality that will cover many use cases for many different organizations. If you need all the bells and whistles, such as risky sign-in protection, risky user detection, etc., then you’ll need AAD Premium Plan 2. See the AAD pricing page for some comparisons.

Can I have Azure AD Connect in more than one DC?

Without additional context, I’m assuming you need to sync multiple AD forests into Azure AD? If that’s the case, I suggest reviewing the Azure AD Connect topologies documentation here for more information on that use case.

How can Intune help with security?

This is a fairly broad question. I would suggest reviewing this entry from the Microsoft Docs documentation for more information on Intune and the device protections it can provide.

Is the Microsoft Authenticator App the way to go in terms of providing the code for MFA?

It’s ONE potential way to go, and it works quite well in most cases. That said, if you’re part of an organization that has more specific security requirements, there are other options, such as hardware MFA keys, as an example.

More on M365 Security and Vulnerabilities

We have a number of articles centered around security, but below are some of the articles that most closely go along with the topic of this webinar!

How the SolarWinds Hack Could Change Data Security Forever
M365 Records Management Guide
How Conditional Access Makes MFA Easy for Your Company
Why you Should Be Using Azure Security Benchmark
How to Secure Your Apps and Data with Azure Active Directory
Managing Identities and Passwords in Azure Active Directory
How to Boost your Azure Secure Score
The Actual Performance Impact of Spectre/Meltdown Hyper-V Updates

And just a reminder, if you haven’t watched the full webinar – what are you waiting for? Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them is free to watch right now!

Thanks for reading and for submitting your questions if you were one of our attendees for the webinar! Again, if you asked a question that you don’t see listed here or in the video, be sure to use the comments form below and we’ll get back to you with an answer!

As always, thanks for reading!
