In the first part of this series, we looked at what Secure Score is, why you would consider using it to improve the security of your Office 365 tenant, and how to take the first step: enabling MFA for your global administrators.
Identity is the new firewall
The network today for most businesses is decentralized, with data stored in numerous cloud services and on endpoint devices, along with some in traditional data center servers.
Today, the most (in-)visible part of your security shield is identity. In almost all major breaches that have made the headlines over the last few years, atrocious account hygiene has been the initial foothold for the bad guys. And if you don't know what Pass-the-Hash (Pass-the-Ticket) is, click each of those links.
The very first step on the way to a better secure score, and the only action worth 50 points, is enabling MFA for your global admins. You should also take stock of the number of global admins you have in your Office 365 tenant. Microsoft recommends five or fewer—yes, even for a really big company. For smaller outfits, two should do it. Remember—these accounts do not need to have an Office 365 license assigned. Admins should only use these accounts for tasks that require global admin access, not for email access or Yammer chats. Likewise, you wouldn't use your Domain Administrator account on-premises to surf the web or check your email.
MFA for users in Office 365
The first thing to realize is that MFA for administrators (as we looked at in part 1) is free and part of Office 365. MFA for users for Office 365 applications exclusively is also free and part of Office 365. But if you want the "full" MFA that provides more configuration settings in the Azure portal, includes advanced reporting, and covers many more cloud and on-premises applications, you need Azure MFA. It's included in the Azure Active Directory Premium P1 or P2 plans as well as the Enterprise Mobility + Security (EMS) E3 and E5 plans.
Enabling MFA for ordinary users requires planning, compared to communicating the importance of security to a handful of IT administrators. First, you'll want to configure a list of internal IP addresses so that MFA won't prompt users while they're in the office. It would take determined hackers to steal a username and password along with a user's device and then break into your office to make sure they were on the internal network when they continued their breach of your infrastructure.
Second, depending on your version of Office and the type of accounts (cloud-only or synchronized accounts from AD on premises), you may need to train users how to use app passwords. Here are the official instructions you can give your users for how to set up MFA.
Third, depending on the size of your organization, you'll want to enable this in stages. Start by picking a brave bunch of early adopters who are good with technology. Make sure they have a smooth ride, fix any issues they might have, and refine the instructions before rolling out MFA more widely.
When I clicked the links Learn more and Launch for users and enabled MFA for a few users, they had an app password generated that they'll need to enter in Outlook and Skype for Business.
Audit data recording in Office 365
Auditing is a crucial part of any security strategy, whether on premises or in the cloud. If you don't record what people do, you have no way of telling what's been done. Enabling audit data recording will store 90 days' worth of audit logs for your entire tenant. The list of recorded activities is impressive. It covers basic administrative tasks such as adding users and groups, adding a user to a role, and assigning licenses. In addition, it covers file and folder activities in OneDrive and SharePoint Online, along with Sway tasks, eDiscovery steps, Power BI, Teams, and Dynamics 365 activities.
In Secure Score, click Enable audit data recording, Learn more, and then Launch Now. This will automatically take you to https://protection.office.com where (if you watch the top-right widget very carefully) it will enable audit logging after a minute or so.
Head to https://protection.office.com/#/unifiedauditlog to search through the actual log, picking the activity (or showing all activity), the date range, and the user you're interested in (or again, show all users) to see what's going on. Note that it doesn't update the audit logs in real time. I had to wait 15 minutes until the creation of a new user showed up in the log.
As you might imagine, audit logging will help you see account breaches, data exfiltration, or deletion and privilege elevations. It's also pretty much the only way to spot a malicious insider attack.
While Secure Score doesn't mention it, another best practice would be to log in at https://protection.office.com and click on Alerts and then Manage alerts. Here you can click on the button to create a New alert policy and pick from any of the actions listed under auditing. You can have it deliver an email when a specific user (or any user) takes the action.
Obviously, you'll need to pick carefully unless you want your mailbox flooded. But here for instance I've created an alert for user and group creation, and the addition of a domain to my tenant.
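The same alert logic can be replayed offline against an exported audit log, which helps when tuning a policy before it starts sending mail. This Python sketch is an added example, not code from the original article or from Microsoft; the column layout, the operation strings, the policy names and every sample row are assumptions constructed for illustration.

```python
import csv
import io
import json

# Constructed sample in the assumed layout of an audit log search export
# (CreationDate, UserIds, Operations, AuditData). Every value is made up.
SAMPLE_EXPORT = '''CreationDate,UserIds,Operations,AuditData
2017-07-30T09:12:04,admin@contoso.example,Add user.,"{""ObjectId"":""new.hire@contoso.example"",""ResultStatus"":""Success""}"
2017-07-30T09:40:51,jane@contoso.example,FileAccessed,"{""ObjectId"":""https://contoso.example/budget.xlsx"",""ResultStatus"":""Success""}"
2017-07-30T10:02:17,helpdesk@contoso.example,Add group.,"{""ObjectId"":""Finance-Temp"",""ResultStatus"":""Success""}"
2017-07-30T23:48:30,helpdesk@contoso.example,Add domain to company.,"{""ObjectId"":""lookalike.example"",""ResultStatus"":""Success""}"
2017-07-30T23:55:02,admin@contoso.example,Add member to role.,not-json
'''

# Hypothetical policies shaped like the alert policies in the text: a set of
# activities plus either one named user or None for "any user".
# The operation strings are assumed names for those activities.
POLICIES = [
    {"name": "Account and group creation", "operations": {"add user.", "add group."}, "user": None},
    {"name": "Domain added by helpdesk", "operations": {"add domain to company."}, "user": "helpdesk@contoso.example"},
    {"name": "Role membership change", "operations": {"add member to role."}, "user": None},
]

def match_alerts(export_text, policies=POLICIES):
    """Return one dict per (record, policy) match, in log order."""
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        operation = row["Operations"].strip().lower()
        actor = row["UserIds"].strip().lower()
        try:
            detail = json.loads(row["AuditData"])
        except json.JSONDecodeError:
            detail = {}  # a damaged detail blob must not hide the event itself
        if not isinstance(detail, dict):
            detail = {}
        for policy in policies:
            if operation not in policy["operations"]:
                continue
            if policy["user"] and policy["user"].lower() != actor:
                continue  # policy is scoped to one user and this is someone else
            hits.append({"policy": policy["name"], "time": row["CreationDate"],
                         "actor": actor, "operation": row["Operations"],
                         "target": detail.get("ObjectId", "unknown")})
    return hits

if __name__ == "__main__":
    for hit in match_alerts(SAMPLE_EXPORT):
        print("{time}  {policy}: {actor} -> {operation} {target}".format(**hit))
```

Counting the hits per policy over a week of real export data gives a rough idea of how many emails each alert would have generated.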
In part 3, we're going to look at reports that earn you points in Secure Score.