How Do You Securely Use the Office 365 Suite?

This blog was originally published by Fortica here.

Written by Romain Coussement – Cloud Security Expert at Fortica.

The Office 365 suite is already in place in many companies. Does everyone use it completely securely? Not necessarily. But be aware that Microsoft’s range of tools offers a host of security options that you and your employees should use to make this environment secure.

Multifactor authentication

Multifactor authentication (MFA) is vital when it comes to computer security because compromised usernames and passwords are often the gateway for hackers. You must ensure that, at a minimum, you activate multifactor authentication for the entire organization.

The most common way to use multifactor authentication is a verification code. The way it works is simple: The user signs into Office 365 using his or her username and password, and then a verification code is sent to his or her cellphone by text message or by the authentication application (Microsoft Authenticator). The user enters the code into the login page and accesses the environment.

There are other factors available with Office 365 to ensure strong authentication:

• A physical token
• A phone call
• Due to native vulnerabilities in the phone network, using the authentication app or the physical token as a second authentication factor is recommended.

Conditional access

While authentication factors are an important security measure, they should be used in combination with the conditional access features available in Office 365. Conditional access is used to control access based on criteria, such as the computer used, location, access group (e.g., administrator), and application the user is trying to access.

Location

In addition, Office 365 also allows you to enable an additional security check, which only allows logins from certain geographic regions. Only allowing logins from certain regions where your organization operates is recommended. You should at least require a second factor for unusual regions. Similarly, some regions where hackers often attack from should be blocked. For example, if your company operates in Canada and representatives go to the United States for business trips, you allow logins from Canada and ask for an additional factor when they are in the United States. You block all other regions. If necessary, you can change these settings if the company goes global.

The application

You can configure various permissions depending on the application that a user is trying to access. For example, if a user accesses Office 365 through an unmanaged computer, he or she can only access Outlook and cannot download attachments.

Company-managed computers and unmanaged computers

As for device management, you have the option to register certain computers in the corporate network. You can configure different permissions for users with computers that are or are not managed by the company. For example, when employees use workstations that are located on the company’s physical premises, they will have access to all the features of Office 365. This will not be the case when they use their personal computers. This type of security measure can prove very useful if an employee needs to log in to your computer systems from home. He or she will be able to work from his or her personal computer as needed while having restricted access to company data.

Access groups

Access groups are used to manage who accesses which applications and which information based on their role in the company. Access groups composed of privileged users, such as IT administrators, should have more restrictive policies when accessing Office 365. In particular, they should always authenticate using a second factor and logins from unusual countries should be blocked automatically.