Your Microsoft 365 Security Questions Answered

Follow up questions from our hugely popular webinar on Microsoft 365 Security Settings!

Save to My DOJO

Your Microsoft 365 Security Questions Answered

Table of contents

  1. Watch the M365 Security Webinar
  2. Is it worth implementing the legacy per-user MFA in Azure AD?
  3. Any hints on identifying/filtering for actual credit card numbers?
  4. Do you have any recommendations on implementing MFA for an organization?
  5. Do alert policies for SharePoint require AAD Plan 2?
  6. Do we need Azure AD Plan 2 for all users of the tenant or only admins who manage them?
  7. Does Conditional Access make a distinction between enabled/enforced for MFA?
  8. How do you create a block legacy authentication policy in Conditional Access?
  9. I’ve had issues with external guests having “contributor” permission. Help!
  10. When do I use an inverse policy?
  11. If you’ve already set SharePoint sites with a logo et. al. branding, do the settings in Entra override them?
  12. Is there specific Microsoft (or other) training you would recommend for security personnel who may be relatively new to the Azure/M365 environment?
  13. What are your ideas to confront the phishing email with common domains like Gmail, Yahoo, Outlook, Hotmail, etc..?
  14. What do you suggest if MFA is not applicable for any account used for some services or software
  15. How do you use Smart Card auth against Microsoft 365 with an on-prem AD CS CA?
  16. What directory services (user identity management) tool would you recommend for mixed OS-environments Windows/Mac/Unix? e.g. Jumpcloud?
  17. How do you exclude a Global Admin account from access to SharePoint instances?
  18. What if for 2FA apps staff refuse to put that app on personal phone so use phone call or text?
  19. Is Defender for 365 included with “M365 Business Premium” licensing? Didn’t see it listed on either included or available for add-on.
  20. Defender still has the stigma that it isn’t good enough compared to mainstream AV solutions. What’s your take on this? Would you drop your AV solution just for Defender?
  21. I have been told by Microsoft to put all my conditions into compliance policies and then leave Conditional Access for just “MFA required” and “marked as compliance”. Is this still best practice?
  22. Is there an easy way to prevent users from downloading attachments when using Outlook online/OWA?
  23. Does Defender come with Mobility & Security E3?
  24. How does permissions and invitations work for new guests?
  25. What is a best practice for sharing only selected folder or two from a SharePoint site with a guest user?
  26. For phones that don’t have Android or IOS we allow those users to get a Microsoft call. Is that advised?
  27. For SMB customers where licensing E3/E5 for all users may be cost-prohibitive, does it make sense to add security-related add-on plans à la carte? If so, what are the most important add-ons to include?
  28. When I turn off legacy authentication, does this mean that basic 2FA will stop working? By basic 2FA I mean per user MFA, where everything requires 2FA prompts.?
  29. Which 2FA products do you recommend for 365 and single sign-on?
  30. Wrap-Up

Few areas of technology garner more questions than those questions centered around security, except maybe licensing. Pair that with the fact that features in Microsoft 365 are relatively new to the industry, depending on the feature, and you’ve got a number of administrators who find themselves in a place where there are knowledge gaps to fill. We’ve gathered several common M365 security questions in this post to hopefully help those IT pros who find themselves in this position. If you have other questions not covered in the list below, feel free to use the questions form and we’ll be sure to get back with you!

Watch the M365 Security Webinar

In case you’re wondering where this list of questions comes from, we hosted a webinar on this very topic. This list of questions was curated from questions asked during two live sessions. You can now watch the M365 Security Configurations webinar on-demand.

Also, if you prefer your security content in book form, we’ve got an excellent eBook on this topic here!

The questions

Is it worth implementing the legacy per-user MFA in Azure AD?

There are two ways to enable MFA in Office / Microsoft 365. You can either use the legacy interface where it’s just enabled on a per-user basis, this requires no additional licensing (all versions of Azure AD can do this), but you have very little flexibility. You can set the MFA status to be remembered for X amount of days on a device that the user successfully used MFA on. The second way is to use Conditional Access Policies, which lets you customize it based on group the user is a member of, the device they’re coming from and the application they’re accessing. You can fine-tune it so that they have to do MFA every time for very sensitive applications, while not prompting them for day-to-day access very often. Of course, the second method is preferable, but it requires Azure AD Premium P1 licensing (or P2) to use Conditional Access Policies.

If you have no other option, using per-user MFA instead of relying on just username and password is vastly preferable and will make your organization much more secure.

 

Any hints on identifying/filtering for actual credit card numbers?

(question continued) We have a number of trades customers and it sure seems like part numbers in the construction industry look to Microsoft like they are credit cards.

The credit card Sensitive Information Type (SIT) doesn’t just look at 4 x 4 numbers, it also takes into account adjacent information to increase the confidence that it is really a CC.

Also – we would create a custom SIT for the part numbers, so that they don’t get confused with CCs. But we do understand that it’s not easy and that false positives will happen.

 

Do you have any recommendations on implementing MFA for an organization?

The technical side of the question is easy and well documented. That said, it’s usually the human side of MFA implementation that goes wrong. Best suggestion is to heavily communicate with your end-users and to conduct A LOT of planning and prep work up front. MFA only keeps you secure when you have the users’ cooperation and understanding of what to do AND what not to do.

 

Do alert policies for SharePoint require AAD Plan 2?

No, most types of alert policies are available at all licensing levels, including SharePoint external (or internal) sharing alerts. There are some advanced alerts, primarily security related that require E5 licensing. You can read more about alert policies here https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide.

 

Do we need Azure AD Plan 2 for all users of the tenant or only admins who manage them?

To use Privileged Identity Management (PIM) you only need it for administrators but there are many advanced security features that are “unlocked” with AAD P2 licensing that might be desirable to have for all users, depending on your organization’s risk appetite, third party service usage etc.

 

Does Conditional Access make a distinction between enabled/enforced for MFA?

If you have a Conditional Access (CA) policy setting that requires a user to perform MFA to access a particular application, and that user is not enabled for MFA yet, they’ll automatically be redirected to the registration page to complete that process first. And you can definitely have CA policies that enforce MFA for every access to a particularly sensitive application.

 

How do you create a block legacy authentication policy in Conditional Access?

There is a pre-existing policy template in the Conditional Access wizard that simplifies the creation of the policy. Take a look at the template and deploy it with the wizard once you’re ready to proceed.

 

I’ve had issues with external guests having “contributor” permission. Help!

(question continued) They can open an excel file we have given them permission to view but embedded links to allowed documents within the excel file cannot be opened and instead show an error that they should “ask permission”. Is this a known issue with external guests and non-member access in SharePoint sites?

This article gives some troubleshooting steps to follow for SharePoint external file sharing https://docs.microsoft.com/en-us/sharepoint/troubleshoot/sharing-and-permissions/error-when-external-user-accepts-an-invitation-by-using-another-account Also, please check if you have SharePoint settings set to New and Existing guests, or Existing guests only.

 

When do I use an inverse policy?

(question continued) If you create a new CAP and it allows access based on specific conditions, is it recommended to create a converse block policy in conjunction to explicitly block access that doesn’t fit the allow conditions?

When created properly, the initial policy should be enough to block unwanted access, so you shouldn’t have to create an inverse policy.

 

If you’ve already set SharePoint sites with a logo et. al. branding, do the settings in Entra override them?

No, Entra is just another view into the existing Azure AD portal settings and blades so the settings should be visible / in sync between the two of them.

 

Is there specific Microsoft (or other) training you would recommend for security personnel who may be relatively new to the Azure/M365 environment?

Microsoft Learn paths are fantastic and they’re free. We would suggest to then prepare for the AZ-500, MS-500 and / or the SC-200, SC-300, SC-400 exams, all of which have paths here https://docs.microsoft.com/en-us/learn/.

 

What are your ideas to confront the phishing email with common domains like Gmail, Yahoo, Outlook, Hotmail, etc..?

We would use the anti-phishing policies in HornetSecurity 365 Total Protection (or use the native ones in Exchange Online Protection).

 

What do you suggest if MFA is not applicable for any account used for some services or software

(question continued) for example, sending a scan from printer/scanner to e-mail, sending backup reports to e-mail, or sign in into software, etc.?

We would suggest auditing those accounts closely and limiting their access, i.e. “this account can send PDF scanned files from this device via email, but only if it comes from your public IP address”.

 

How do you use Smart Card auth against Microsoft 365 with an on-prem AD CS CA?

You’ll have to use Active Directory Federation Services (or a third-party provider).

 

What directory services (user identity management) tool would you recommend for mixed OS-environments Windows/Mac/Unix? e.g. Jumpcloud?

We’d recommend continuing to use Azure AD for mixed environments like this. It’s very important to have a single (if at all possible) source of identity for the whole organization and all identity types.

 

How do you exclude a Global Admin account from access to SharePoint instances?

You can take them out of any group with access to a SP site BUT they can always assign themselves permissions. Keep the number of GAs low, audit their actions closely and use PIM if possible.

 

What if for 2FA apps staff refuse to put that app on personal phone so use phone call or text?

This is really a company policy issue. In most cases company technology-use policy (or employment contracts) needs to be updated with verbiage along the lines of – “If you’re going to work here, this app/tool is REQUIRED”. I would also add clear policies about what the Microsoft Authenticator App can’t do when installed on a personal smartphone, to assuage user’s fears.

 

Is Defender for 365 included with “M365 Business Premium” licensing? Didn’t see it listed on either included or available for add-on.

Yes, M365 Business Premium comes with Defender for Office P1, and Defender for Business / Endpoint.

 

Defender still has the stigma that it isn’t good enough compared to mainstream AV solutions. What’s your take on this? Would you drop your AV solution just for Defender?

Absolutely! Defender for Endpoint is now a leading EDR / Endpoint protection for iOS, Android, MacOS, Linux and Windows. And it includes Threat and Vulnerability management to identify vulnerable software.

 

I have been told by Microsoft to put all my conditions into compliance policies and then leave Conditional Access for just “MFA required” and “marked as compliance”. Is this still best practice?

It’s a bit generic as an overall statement, and it always depends on the individual organizations’ security posture etc. But yes – use Conditional Access to build business policies into technical enforcement for all access to all applications and data. Use MFA wherever possible, and also enforce compliant devices. This last bit of course depends on your compliance policies for each platform so make sure you keep those tight.

 

Is there an easy way to prevent users from downloading attachments when using Outlook online/OWA?

This should be possible with Conditional Access. Take a look at the controls in the Conditional Access policy wizard.

 

Does Defender come with Mobility & Security E3?

Defender for Endpoint Plan P1 comes with M365 E3, but it’s a bit limited compared to MDE P2 that comes with M365 E5 (and Defender for Business that’s included in M365 Business premium is better – as long as you have less than 300 users).

 

How does permissions and invitations work for new guests?

(question continued) When setting the permission level to “New and Existing Guests”, when generating a link to a document to be shared externally, do users have to sign in using their Office 365/Microsoft accounts to access that file? What if the user doesn’t use an Office 365 or Microsoft account? Do they have to create it when accepting the invitation?

In that situation the external user will be emailed a code that they’ll have to enter when accessing the document.

 

What is a best practice for sharing only selected folder or two from a SharePoint site with a guest user?

Depends on the specific use-case, but it’s recommended to follow the rules of least privilege. I would also make sure to configure the time limit on share length to make sure the share is turned off after a given amount of time.

 

For phones that don’t have Android or IOS we allow those users to get a Microsoft call. Is that advised?

Yes. MFA via a phone call is better than nothing!

 

For SMB customers where licensing E3/E5 for all users may be cost-prohibitive, does it make sense to add security-related add-on plans à la carte? If so, what are the most important add-ons to include?

Generally, the pre-packaged plans (E3/E5) are the most cost-effective in terms of value. If there are specific features required by an end-customer organization, then it becomes a costing exercise based on the needs of that given situation. Another option if the larger bundles are too pricy would be to look at a third-party security vendor.

 

When I turn off legacy authentication, does this mean that basic 2FA will stop working? By basic 2FA I mean per user MFA, where everything requires 2FA prompts.?

No, all forms of Azure AD MFA / 2FA are unaffected by legacy authentication being turned off.

 

Which 2FA products do you recommend for 365 and single sign-on?

We would recommend using the built-in MFA in Azure AD, preferably enforced with Conditional Access policies as they give you the most flexibility.

 

Wrap-Up

That wraps up our M365 security configurations questions. Again, if you think of any follow-up questions, be sure to use the comments section below this article and we’ll be sure to get you an answer!

 

Thanks for reading!

Altaro Office 365 Backup
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

Leave a comment

Your email address will not be published.

Cyber Security Roundtable