
Summary: For Microsoft 365 users seeking robust security, this article offers crucial best practices. It highlights Microsoft 365 Security Score, user training, multi-factor authentication, and message encryption. The piece emphasizes securing account data, including email encryption and disabling auto-forwarding. It also covers advanced protection against malware and ransomware through Microsoft 365 Security & Compliance Center settings, promoting robust email security practices.

This blog is for those who need their Microsoft 365 account to be well-secured from external threats and security breaches.

Cloud data isn’t impervious to threats; it’s susceptible to malware, phishing, ransomware, data breaches, hacking, and other external dangers. Many Microsoft 365 users grapple with these issues due to neglecting fundamental security measures recommended by Microsoft.

Best Practices for Microsoft 365 Security

We’ve chosen to offer crucial insights into these practices to assist users in creating a secure, breach-resistant, and risk-free cloud environment.

Use Microsoft 365 Security Score

Microsoft 365 Security Score is a built-in Microsoft service that assesses your current settings and historical data against Microsoft’s recommended actions for Microsoft 365 identities, applications, data, devices, and infrastructure. It generates detailed reports and summarizes the result as a security score.

This security score evaluates Microsoft 365 user security settings against Microsoft’s standard practices. Utilizing the Microsoft 365 score assists users in enhancing the security of their Microsoft 365 accounts.

Provide Training to Users

Office 365 users should be provided with advanced training on the features, interface, and security.

They should receive training on crucial Microsoft 365 security practices, including creating robust and unpredictable passwords for user mailboxes, activating Windows system protections such as firewalls, antivirus or antimalware software, employing account protection strategies, and more.

Set Multi-factor Authentication to Accounts

While Office 365 accounts are password-protected, relying solely on passwords is insufficient in light of rising digital threats. Therefore, it’s strongly recommended to enable multi-factor authentication (MFA) for Office 365 user accounts.

Multi-Factor Authentication (MFA) entails users completing multiple authentication steps before accessing their Microsoft 365 account. These steps may involve OTP verification via a phone number or an alternate email address, commonly known as 2-step verification. Implementing MFA enhances account security, safeguarding against unauthorized access by intruders and hackers.

To activate Multi-Factor Authentication in Microsoft 365, enabling “Security Defaults” is essential. In recent subscriptions, it’s enabled by default. However, for manual activation, here are the necessary steps to follow.

  1. Sign in to your Microsoft 365 account with administrator credentials (username and password).
  2. Click on Admin Center and navigate to Show All > Admin centers > Azure Active Directory.
  3. In the Azure Active Directory admin center that opens, select Azure Active Directory and then select the Properties option.
  4. Next, click on the Manage Security defaults option.
  5. To enable Security defaults, click on Yes and then click on Save to save this setting.

Once you’ve enabled security defaults, you can proceed to activate Multi-Factor Authentication (MFA) or 2-step verification for your Microsoft 365 account using the Account Settings feature.
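The same change can be made, and verified, from the command line. The following is an added example (not part of the original article) that uses the Microsoft Graph PowerShell SDK to read and enable the tenant's security defaults policy; it assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds a role permitted to change tenant security policy. The Graph permission scope named below is an assumption to check against current Graph documentation.

```powershell
# Added example: enable Security Defaults with Microsoft Graph PowerShell and
# confirm the result, instead of clicking through the Azure AD portal.
# Assumptions: Microsoft.Graph.Identity.SignIns is installed; the scope below
# covers the identitySecurityDefaultsEnforcementPolicy resource.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Read the current state first so the script is safe to re-run.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security defaults currently enabled: $($policy.IsEnabled)"

if (-not $policy.IsEnabled) {
    Update-MgPolicyIdentitySecurityDefaultEnforcementPolicy -IsEnabled:$true
}

# Re-read the policy rather than trusting that the write took effect.
$policy = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($policy.IsEnabled) {
    Write-Host "Security defaults are ON: MFA registration is now required for users."
} else {
    # Security defaults cannot be enabled while Conditional Access policies
    # exist in the tenant; that is the usual reason this branch is reached.
    Write-Warning "Security defaults are still OFF. Check the account's role and whether Conditional Access policies are configured."
}

Disconnect-MgGraph
```

The read-back at the end is the useful part for an administrator: a tenant that already uses Conditional Access will silently keep security defaults off, and the verification step makes that visible instead of assuming MFA is enforced.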

Security Practices for Microsoft 365 Account Data

Email messages and their confidential data are at significant risk from intruders. To safeguard your organization’s data, we recommend implementing these effective security practices.

Use Office message encryption

Encrypted messages are exclusively accessible to intended recipients. Microsoft 365 users can encrypt emails before sending them to recipients through various email services like Yahoo, Gmail, Outlook.com, and more.

To encrypt an email, users simply need to click on “Options” while composing the email and then follow “Permission > Encrypt.” Additional permission options, such as “Do Not Forward,” “Confidential/All Employees,” and “Highly Confidential/All Employees,” are available for users to apply. To access the encrypted email, the recipient must enter a passcode or sign in, ensuring it remains accessible only to them. Encrypting email messages is a valuable security practice to safeguard Office 365 account data from misuse or breaches.

Disable the Autoforward feature

The “Auto Forward” setting can be easily misused, and users may not always be aware of this potential risk. To mitigate this, it is advisable to refrain from enabling auto-forwarding of emails. Instead, a more prudent approach is to create a new rule and configure it to restrict auto-forwarding within the settings.

  1. Sign in to your Microsoft 365 account and open the Admin Center.
  2. Follow Admin Centers > Exchange to open the Exchange Admin Center.
  3. Select the mail flow category from the left panel and then click on rules.
  4. Click the plus icon to create a new rule, then click on More options.
  5. Apply settings with Reject Auto-forward emails to external domains and add conditions as per the requirement. Add a Name, use the Block the Message action to reject email for certain recipients, and add the desired conditions.
  6. Click Save to save the settings of this new rule for your Microsoft 365 account's mail flow.
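The rule above can also be created with Exchange Online PowerShell, which has the added benefit that the same session can audit forwarding that was configured before the rule existed. The block below is an added example, not code from the article; it assumes the ExchangeOnlineManagement module and an account with Exchange administrator rights, and the rule name is a placeholder.

```powershell
# Added example: block auto-forwarding to external domains with a mail flow
# rule, then audit existing forwarding configuration.
# Assumptions: ExchangeOnlineManagement module is installed; rule name is ours.
Connect-ExchangeOnline

# 1. Mail flow rule: reject messages Exchange classifies as auto-forwarded when
#    they originate inside the tenant and are addressed to external recipients.
$ruleName = "Block external auto-forward"   # placeholder name
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageReasonText "Automatic forwarding to external recipients is not permitted." `
        -RejectMessageEnhancedStatusCode "5.7.1"
}

# 2. The rule only acts on mail in transit, so forwarding set up earlier is
#    still worth finding. First, mailbox-level forwarding set by admins or users:
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# 3. Then inbox rules that forward or redirect mail; these are a common
#    persistence mechanism after a mailbox compromise.
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, Enabled
}

Disconnect-ExchangeOnline -Confirm:$false
```

Steps 2 and 3 walk every mailbox, which is slow in a large tenant; they are worth running once after the rule is in place and then on a schedule, because a blocking rule does not remove forwarding that already exists.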

Configuring advanced protection against malware/ransomware

The Microsoft 365 Security & Compliance Center offers advanced features to safeguard against malware and ransomware threats. To protect against malware, users can employ the “Threat Management Policy” to block common file extensions that are often associated with malware. For a step-by-step guide on protecting Office 365 mailboxes from ransomware attacks, please refer to this resource: Protect Office 365 Mailbox from Ransomware Attacks.

  1. Follow this link and use global administrator credentials to open the Security & Compliance Center of your Microsoft 365 account.
  2. From the left panel of the Security & Compliance Center, click on Threat Management and then select Policy > Malware.
  3. Double-click the default policy to edit it and then click on the Settings option.
  4. Go to the Common Attachments Type Filter and set it to ON. Make selections from the available list or add/remove file types as you see fit; then click on Save to save this setting.
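The same anti-malware policy setting is exposed through Exchange Online PowerShell, which makes it easy to record the list in version control and confirm the filter is actually on. The block below is an added example rather than the article's own procedure; it assumes the ExchangeOnlineManagement module, and the extra extensions are a suggestion to adapt, not a Microsoft default.

```powershell
# Added example: enable the common attachment types filter on the default
# anti-malware policy, extend its list, and verify the change.
# Assumptions: ExchangeOnlineManagement module; the extra extensions are ours.
Connect-ExchangeOnline

$policy = Get-MalwareFilterPolicy -Identity Default
Write-Host "Common attachments filter enabled: $($policy.EnableFileFilter)"
Write-Host "Current file types: $($policy.FileTypes -join ', ')"

# Extensions added on top of the policy's existing list (no leading dots).
$extra = @("iso", "img", "vhd", "scr", "js", "jse", "vbs", "hta")
$fileTypes = @($policy.FileTypes + $extra | Select-Object -Unique)

Set-MalwareFilterPolicy -Identity Default `
    -EnableFileFilter $true `
    -FileTypes $fileTypes `
    -FileTypeAction Reject   # Reject returns an NDR to the sender; Quarantine holds the message

# Read back instead of assuming the Set- call applied.
$policy = Get-MalwareFilterPolicy -Identity Default
if (-not $policy.EnableFileFilter) {
    throw "Common attachments filter is still disabled on the Default policy"
}
Write-Host "Filter on with $($policy.FileTypes.Count) file types, action: $($policy.FileTypeAction)"

Disconnect-ExchangeOnline -Confirm:$false
```

Merging with the existing list (rather than overwriting it with `-FileTypes`) keeps Microsoft's built-in entries; overwriting would quietly drop them.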

The “Microsoft 365 Advanced Threat Management” feature empowers users to establish robust security measures, including ATP anti-phishing policies, ATP Safe Attachments policies, and ATP Safe Links policies. These measures effectively shield Microsoft 365 content from harmful phishing attacks, malicious attachments, and infected links.

To safeguard valuable emails from ransomware attacks, users can create a mail transport rule and configure settings and conditions for handling suspicious emails as follows.

  1. Open the Exchange Admin Center from the Admin Centers category in the Microsoft 365 Admin Center.
  2. Go to mail flow>rules and click on the plus icon to create a new rule.
  3. Click on 4 stars to open More options.
  4. Apply the following settings for mail flow:
    • Block file types that could contain ransomware or other malicious code
    • Warn users before opening attachments of Office files
  5. Add conditions for the emails and attachments as required.
  6. Now, your emails and attachment files are ransomware-protected.
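Both rule templates from the steps above (block dangerous attachment types; warn before Office attachments are opened) map to mail flow rules that can be created with Exchange Online PowerShell. The block below is an added example, not the article's or Microsoft's code; it assumes the ExchangeOnlineManagement module, and the rule names and extension lists are assumptions to adjust for your organization.

```powershell
# Added example: the two ransomware-related mail flow rules from the steps
# above, created with Exchange Online PowerShell.
# Assumptions: ExchangeOnlineManagement module; names and extension lists are ours.
# Note: conditions within one rule are ANDed, so each check gets its own rule.
Connect-ExchangeOnline

# Rule 1a: reject attachments whose extension is executable or scriptable.
New-TransportRule -Name "Block executable and script attachments" `
    -AttachmentExtensionMatchesWords @("exe","scr","bat","cmd","com","pif","vbs","js","jse","wsf","hta","ps1","jar") `
    -RejectMessageReasonText "This message was rejected because it carries a blocked attachment type." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Rule 1b: reject attachments Exchange detects as executable by content, which
# catches renamed binaries that the extension check above would miss.
New-TransportRule -Name "Block attachments with executable content" `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText "This message was rejected because an attachment contains executable content." `
    -RejectMessageEnhancedStatusCode "5.7.1"

# Rule 2: warn users about macro-enabled Office files from outside the
# organization instead of blocking them outright.
New-TransportRule -Name "Warn on external macro-enabled Office attachments" `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords @("docm","xlsm","pptm","dotm","xltm") `
    -PrependSubject "[Caution: macro-enabled attachment] " `
    -ApplyHtmlDisclaimerText "<p>Warning: this message from outside the organization carries a macro-enabled Office attachment. Do not enable macros unless you expected this file.</p>" `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Confirm the rules exist and are enabled.
Get-TransportRule | Select-Object Name, State, Priority

Disconnect-ExchangeOnline -Confirm:$false
```

The two reject rules are deliberately separate from the warning rule: blocking stops the delivery, while the warning is the compensating control for file types the business still needs to receive.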

We trust that you have gained insights into the advanced security services offered by Microsoft 365. For enduring data security, users should regularly back up their Microsoft 365 data. We make this easy for our users with the Kernel Office 365 Backup & Restore solution, which backs up Office 365 data efficiently.