Ensure all accounts enable Multi-Factor Authentication (MFA)
Not requiring Multi-Factor Authentication (MFA) in your company is like not requiring a password in 2010. Enable MFA for all user and administrative roles. Verify from the command line with this PowerShell script.
If your company has more than 5 global admins, you're doing it wrong. Reduce the number of admins to minimize exposure to password attacks by applying the principle of least privilege and following these security best practices:
- Have fewer than 5 global administrator roles
- Ensure global admin accounts are unlicensed
- Assign the default ‘.onmicrosoft’ domain
- Ensure MFA is enforced on admin accounts
Create a backup of your most valuable Office information
Which cloud made you think backups aren’t a thing anymore? If loss of data would mean significant business impact, consider integrating a solution that manages external backups as your insurance.
Disable your legacy authentication protocols
If you keep legacy protocols enabled, you're doing attackers a favor.
Increase audit log age from the default value (90) to 365 days
Companies take an average of 191 days to detect a data breach. Record user and admin activity so that any potentially malicious administrative or user action can be traced back.
Review audit logging for all user mailboxes in your organization:
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Out-GridView
Enable mailbox audit logging for all user mailboxes in your organization:
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Select-Object PrimarySmtpAddress | ForEach-Object { Set-Mailbox -Identity $_.PrimarySmtpAddress -AuditEnabled $true }
Set the age limit for mailbox audit log entries for all user mailboxes in your organization to 365 days:
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | Set-Mailbox -AuditLogAgeLimit 365
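The three commands above can be combined into a single compliance check that reports which user mailboxes still have auditing disabled or an age limit below the target, and fixes them only when asked. This is an added example, not the post's own script; it assumes an active Exchange Online PowerShell session (Connect-ExchangeOnline) with rights to run Set-Mailbox, and that AuditLogAgeLimit renders as a dd.hh:mm:ss string.

```powershell
# Added example (not the post's own script): report, and optionally fix,
# mailbox audit settings for every user mailbox. Assumes an active Exchange
# Online PowerShell session (Connect-ExchangeOnline) with rights to run
# Set-Mailbox, and that AuditLogAgeLimit renders as a dd.hh:mm:ss string.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Target retention for audit entries in days; the post recommends 365.
    [int]$RequiredAgeDays = 365,
    # Without -Remediate the script only reports.
    [switch]$Remediate
)
$required = New-TimeSpan -Days $RequiredAgeDays

# Enumerate user mailboxes once; Get-Mailbox is slow in large tenants.
$mailboxes = Get-Mailbox -ResultSize Unlimited `
    -Filter "RecipientTypeDetails -eq 'UserMailbox'"

$findings = foreach ($mbx in $mailboxes) {
    # Parse the rendered EnhancedTimeSpan (e.g. "90.00:00:00") into a TimeSpan.
    $ageLimit  = [TimeSpan]::Parse("$($mbx.AuditLogAgeLimit)")
    $auditOff  = -not $mbx.AuditEnabled
    $ageTooLow = $ageLimit -lt $required

    if ($auditOff -or $ageTooLow) {
        [pscustomobject]@{
            Mailbox      = $mbx.PrimarySmtpAddress
            AuditEnabled = $mbx.AuditEnabled
            AgeLimitDays = $ageLimit.TotalDays
            Issue        = @(
                if ($auditOff)  { 'AuditDisabled' }
                if ($ageTooLow) { 'AgeLimitBelowTarget' }
            ) -join ','
        }
    }
}

if (-not $findings) {
    Write-Host "All $($mailboxes.Count) user mailboxes meet the audit baseline."
    return
}
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # -WhatIf on the script flows through ShouldProcess for a dry run.
        if ($PSCmdlet.ShouldProcess($f.Mailbox, "Enable audit; age limit $RequiredAgeDays days")) {
            Set-Mailbox -Identity $f.Mailbox -AuditEnabled $true -AuditLogAgeLimit $RequiredAgeDays
        }
    }
}
```

Run it without switches to get the report, then with -Remediate -WhatIf to preview the changes before applying them.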
Control guest access in your environment
Manage your external collaborators according to best practices.
Manage application consent in your company
Review external applications periodically and have delegated admins manage consent in the organization.
Apply custom company branding to your environment
Apply custom branding and train employees to recognize their own company branding every time they log on. Keeping the default branding increases exposure to low-cost phishing attacks.
Allow users to report junk or phishing emails
Follow the step-by-step documentation by Microsoft to enable the Report Message button in Outlook.