Office 365 security is paramount, and CISA has provided recommendations to ensure environments are configured to protect against, detect, and respond to would-be attackers.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released an alert regarding Office 365 security recommendations amidst the surge of remote workers. Many organizations are migrating to Microsoft Office 365 and other cloud collaboration services, and due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms.

Since October 2018, CISA has conducted several engagements with customers who have migrated to cloud-based collaboration solutions like Office 365. Due to the Coronavirus pandemic, organizations have been forced to change their collaboration methods to support a full “work from home” workforce.

Office 365 provides cloud-based email capabilities, as well as chat and video capabilities using Microsoft Teams. While the abrupt shift to work-from-home may necessitate rapid deployment of cloud collaboration services, such as Office 365, hasty deployment can lead to oversights in security configurations and undermine a sound Office 365-specific security strategy.

CISA continues to see instances where entities are not implementing best security practices in regard to their Office 365 implementation, resulting in increased vulnerability to adversary attacks.


The alert continues with the following list of recommended configurations when deploying Office 365:

Enable multi-factor authentication for administrator accounts: Azure Active Directory (AD) Global Administrators in an Office 365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrators are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts. Microsoft has moved towards a “Secure by default” model, but even this must be enabled by the customer. The new feature, called “Security Defaults,” assists with enforcing administrators’ usage of MFA. These accounts are internet accessible because they are hosted in the cloud. If not immediately secured, an attacker can compromise these cloud-based accounts and maintain persistence as a customer migrates users to Office 365.

Assign Administrator roles using Role-based Access Control (RBAC): Given its high level of default privilege, you should only use the Global Administrator account when absolutely necessary. Using Azure AD’s numerous other built-in administrator roles instead of the Global Administrator account can limit the assignment of overly permissive privileges to legitimate administrators. Practicing the principle of “Least Privilege” can greatly reduce the impact if an administrator account is compromised. Always assign administrators only the minimum permissions they need to conduct their tasks.

Enable Unified Audit Log (UAL): Office 365 has a logging capability called the Unified Audit Log that contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, Power BI, and other Office 365 services. An administrator must enable the Unified Audit Log in the Security and Compliance Center before queries can be run. Enabling UAL gives administrators the ability to investigate and search for actions within Office 365 that could be potentially malicious or not within organizational policy.

Enable multi-factor authentication for all users: Though normal users in an Office 365 environment do not have elevated permissions, they still have access to data that could be harmful to an organization if accessed by an unauthorized entity. Also, threat actors compromise normal user accounts in order to send phishing emails and attack other organizations using the apps and services the compromised user has access to.

Disable legacy protocol authentication when appropriate: Azure AD is the authentication method that Office 365 uses to authenticate with Exchange Online, which provides email services. There are a number of legacy protocols associated with Exchange Online that do not support MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP). Legacy protocols are often used with older email clients, which do not support modern authentication.

Enable alerts for suspicious activity: Enabling logging of activity within an Azure/Office 365 environment can greatly increase the owner’s effectiveness at identifying malicious activity occurring within their environment, and enabling alerts will serve to enhance that. Creating and enabling alerts within the Security and Compliance Center to notify administrators of abnormal events will reduce the time needed to effectively identify and mitigate malicious activity. At a minimum, CISA recommends enabling alerts for logins from suspicious locations and for accounts exceeding sent email thresholds.

Incorporate Microsoft Secure Score: Microsoft provides a built-in tool to measure an organization’s security posture with respect to its Office 365 services and to offer enhancement recommendations. These recommendations provided by Microsoft Secure Score do NOT encompass all possible security configurations, but organizations should still consider using Microsoft Secure Score because Office 365 service offerings frequently change. Using Microsoft Secure Score will help provide organizations a centralized dashboard for tracking and prioritizing security and compliance changes within Office 365.

Integrate Logs with your existing SIEM tool: Even with robust logging enabled via the UAL, it is critical to integrate and correlate your Office 365 logs with your other log management and monitoring solutions. This will ensure that you can detect anomalous activity in your environment and correlate it with any potential anomalous activity in Office 365.
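
As an added example (not part of the CISA alert or MessageOps' own tooling), the following read-only Exchange Online PowerShell script checks two of the settings above: whether the Unified Audit Log is enabled, and which mailboxes still allow POP3, IMAP or authenticated SMTP. It assumes the ExchangeOnlineManagement module is installed; the administrator address and the output file name are placeholders.

```powershell
# Added example: read-only audit of the UAL and legacy-protocol settings.
# Assumes the ExchangeOnlineManagement module; the UPN below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.com'

# 1. Unified Audit Log. Run this in Exchange Online PowerShell: the same
#    cmdlet in Security & Compliance PowerShell always reports False.
$ualEnabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Output "Unified Audit Log ingestion enabled: $ualEnabled"
if (-not $ualEnabled) {
    Write-Warning 'UAL is off. Enable with: Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true'
}

# 2. Tenant-wide setting for authenticated SMTP submission (SMTP AUTH).
$smtpAuthDisabledOrg = (Get-TransportConfig).SmtpClientAuthenticationDisabled
Write-Output "SMTP AUTH disabled for the organization: $smtpAuthDisabledOrg"

# 3. Mailboxes that still permit a legacy protocol. On a mailbox,
#    SmtpClientAuthenticationDisabled is $null when it inherits the tenant
#    setting, so resolve the effective value before reporting.
$legacy = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $smtpOff = if ($null -ne $_.SmtpClientAuthenticationDisabled) {
        $_.SmtpClientAuthenticationDisabled
    } else {
        $smtpAuthDisabledOrg
    }
    if ($_.PopEnabled -or $_.ImapEnabled -or -not $smtpOff) {
        [pscustomobject]@{
            Mailbox         = $_.PrimarySmtpAddress
            PopEnabled      = $_.PopEnabled
            ImapEnabled     = $_.ImapEnabled
            SmtpAuthEnabled = -not $smtpOff
        }
    }
}

Write-Output "Mailboxes with a legacy protocol enabled: $(@($legacy).Count)"
$legacy | Sort-Object Mailbox | Format-Table -AutoSize

# Keep a copy for review before changing anything. A mailbox that has no
# business need can then be restricted with, for example:
#   Set-CASMailbox -Identity <mailbox> -PopEnabled $false -ImapEnabled $false
$legacy | Export-Csv -Path .\legacy-protocol-mailboxes.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

The script changes nothing in the tenant; the remediation commands appear only in the warning text and comments so the report can be reviewed first.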


CISA concluded by encouraging organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their Office 365 transition and better securing Office 365 services. Specifically, CISA recommends that administrators implement the following mitigations and best practices:

  • Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for Office 365 administrators and users.
  • Protect Global Admins from compromise and use the principle of “Least Privilege.”
  • Enable unified audit logging in the Security and Compliance Center.
  • Enable Alerting capabilities.
  • Integrate with organizational SIEM solutions.
  • Disable legacy email protocols, if not required, or limit their use to specific users.

Partner with MessageOps to Optimize your Office 365 Security

MessageOps can assist you with any of these Office 365 security solutions for a low price. We can also deliver an Office 365 security assessment. Contact us today at 877-788-1617 or visit:

