Microsoft 365 Advanced Security Guide

Overview
When it comes to IT security, the threat landscape has become an advanced, persistent, and dangerous problem to deal with. Microsoft 365 is no exception, there are constantly phishing, hacking, and ransomware attacks that are ongoing and widespread. If you think your organization is too small for anyone to care, think again!
There are a number of tips and techniques that are built into the Microsoft 365 platform to help in mitigating these problems. Some of which are included with basic licensing such as Microsoft 365 Business Standard and others of which require special licenses such as Microsoft Entra ID P1.
This article will help to secure your Microsoft 365 tenant using a mix of security hardening practices and user awareness improvements. Below are the main categories that this article covers.
- Portal Branding & Customization
- Edge & Teams Customization
- Baseline Security Mode & Conditional Access
Portal Branding & Customization
Branding Overview
Why customize the portal with your brand and other changes?
I mean sure, it looks a little nicer, but does it really matter? This is where the user awareness comes into play. With the level of sophistication we are seeing these days with phishing attacks, combined with a busy day for the average employee, even multifactor authentication secured accounts are being breached.
How does this happen? First, your employee will receive an email with a link they probably should know better than to click, but they’re swamped with deadlines and it looks real, so they click it and before they realize what has happened they have entered their username, password, and a 6-digit MFA code. This has just provided the attacker with a 30-second window to log into their account, and as long as the session is kept alive by clicking a link every now and then, it can silently remain as a dormant breach while data is being harvested and plans are made for the real attack.
Long story short, yes, branding and customization can increase security. It takes a generic sign-in page and transforms it into your company sign-in page. Now when your team goes to log into Microsoft 365 services they will see your logo and your colours, which are instantly recognizable. With proper training, the team will also know that anything else is wrong.
Branding Requirements
- Favicon, 32x32px
- Background image, 1920x1080px
- Square logo, 240x240px
- Rectangular logo, 200x48px
- 3 colours
- Custom company domain (optional)
Branding Steps
Create Domain Redirect
This one is optional and will differ a little depending on your domain registrar. Again, this increases user awareness. Simply add a URL redirect for your company domain to the primary domain in your Microsoft 365 tenant. You can choose whatever you would like but I typically go with portal as the prefix so it feels familiar.
portal.mycompany.com => https://myapps.microsoft.com/mycompany.com
Create a Custom Company Theme
In the Microsoft 365 admin center:
- Click Show all
- Click Settings -> Org settings -> Organization Profile -> Custom themes
- Then either click + Add theme or … -> Edit if there is an existing theme
- Select your preferences on the General tab, I usually enable both
- Go to the Logos tab and upload your rectangular logo
- Go to the Colors tab and enter your company colours
Create a Custom Company Login Page
In the Microsoft 365 admin center:
- Click to open the Identity admin center
- Click on Entra ID -> Custom branding -> Edit
- Select your favicon, background, and background colour, then click Next: Layout >
- Select your preferred layout and click Next: Header >, I usually leave the defaults
- Add your rectangular logo if you enabled the header, then click Next: Footer >
- Select your preferred options and click Next: Sign-in form >
- Select your rectangular logo and square logo, then click Next: Review >
- Click Save
Edge & Teams Customization
App Customization Overview
Similar to the portal customization, Microsoft Edge and Teams can be customized to help unify the look and feel of those applications. Additionally, there are several security settings in Edge that can be implemented to improve your company security. That said, you will need to promote Microsoft Edge as the primary work browser (or for limited purpose devices such as kiosks this can be enforced as the only allowable browser).
Microsoft Edge Customization
First, if you do not have groups set up, you will need to make one or two; I typically make one for users and another for devices.
In the Microsoft 365 admin center:
- Click Show all
- Click to open the Identity admin center
- Click on Entra ID -> Groups -> All groups
- Click New group
- Select Security as the Group type, enter a name, and select Assigned as the Membership type
- Click No members selected, then add users and devices to the group
- Click Create
Now you can start making the customizations to Microsoft Edge.
In the Microsoft 365 admin center:
- Click Settings -> Microsoft Edge -> Configuration Policies
- Then click + Create policy
- Enter a name such as General Customizations and select the target Platforms (I usually target all)
- Click Next until the final screen then click Review and save
- Click to open the new policy
- On the Properties tab click Edit on the Assignments header
- Then click Select group and type in the name of the new group, then click Select
- Save the policy and return to the Properties tab and click Edit on the Settings header
- For each of the following click + Add setting and type in the name
- AllowGamesMenu => Disabled, no user override
- AllowSurfGame => Disabled, no user override
- AutoImportAtFirstRun => Disabled, no user override
- BingAdsSuppression => Enabled, no user override
- EnhanceSecurityMode => Balanced mode, no user override
- ForceBingSafeSearch => Moderate, no user override
- ForceGoogleSafeSearch => Enabled, no user override
- ForceYouTubeRestrict => Moderate, no user override
- GamerModeEnabled => Disabled, no user override
- HideFirstRunExperience => Enabled, no user override
- HomepageIsNewTabPage => Enabled, allow user override
- NewTabPageHideDefaultTopSites => Enabled, no user override
- NewTabPageManagedQuickLinks => Add up to 3 links here, allow user override
- NewTabPageQuickLinksEnabled => Enabled, no user override
- NewTabPageSetFeedType => Office 365, allow user override
- PasswordExportEnabled => Disabled, no user override
- ScarewareBlockerProtectionEnabled => Enabled, no user override
- ShowDownloadsInsecureWarningsEnabled => Enabled, no user override
- SmartScreenEnabled => Enabled, no user override
- ThirdPartyPasswordManagersAllowed => Enabled, no user override
- WalletDonationEnabled => Disabled, no user override
Also consider the following settings carefully, I would recommend using a password manager tool such as Passbolt or Bitwarden as they are far more secure than the browser-based password managers. One problem is that if an account is compromised, the attacker could export saved passwords from Microsoft Edge if the passwords are synced.
- ImportPasswordsDisabled => Enabled, no user override
- ImportSavedPasswords => Disabled, no user override
- PasswordManagerEnabled => Disabled, no user override
Finally, there is some branding for Microsoft Edge and additional security settings.
- Save the policy and go to the Customization Settings tab
- Click into Organization branding
- Select to Use custom branding
- Enter the Organization name, Accent color, and Organization logo (square)
- Click Security settings
- Enable the Configure enhanced security mode box and select Balanced
Microsoft Edge Web Content Filtering
This section requires one of a Microsoft 365 A1, A3, A5 license, a Business Premium license, or a Business Basic or Standard license with Intune Plan 1 or 2. This can also be done in the Defender portal depending on licensing but it is much simpler in the main portal if your requirements are not too complex.
Also note, it is possible your tenant is not on the latest release and the Web content filtering tab will simply not be present. If this is the case and you have the required licensing you may need to open a support case to request access.
For edge and limited use devices such as kiosks you may want to really lock things down. You can enable the web content filter which limits what content can be accessed via Microsoft Edge and enforces that Microsoft Edge is the only browser used.
In the Microsoft 365 admin center:
- Click Show all
- Go to Settings -> Microsoft Edge -> Configuration Policies
- Either click to create a new policy or select an existing policy
- Click Customization Settings -> Web content filtering
- Select the categories to block and save the policy
- Additionally, you can manage allowed, blocked, and requested sites
Microsoft Teams Customization
This section requires a Microsoft Teams Premium license.
This is not really a security enhancement, but since the branding has already been rolled out across the portal and Edge it is a natural extension to continue here.
In the Microsoft 365 admin center:
- Click Show all
- Click to open the Teams admin center
- Go to Meetings -> Customization policies -> + Add a theme
- Add a name
- Add the rectangular logo, and background image, and colour from earlier
- Click Apply
- Click Save
Baseline Security Mode & Conditional Access
Security Settings Overview
While the first section focused on user awareness security improvements, and the second section focused on a mix of that and security hardening, this section focuses only on security hardening.
There are two parts to this section, Baseline Security Mode and Conditional Access. The former is part of every Microsoft 365 tenant and should be reviewed and updated, while the latter is a licensed option that is very much worth consideration.
Baseline Security Mode
While there are a slew of different security settings and places to enable them in Microsoft 365, one that is included with all tenants is the Baseline Security Mode. This contains several key security recommendations related to authentication, file access, and Microsoft Office settings. The steps below outline how to get there and make changes, but there is also a lessor know URL that allows you to create custom policies and custom Microsoft Office installers, along with some other handy tools Office Settings Portal.
In the Microsoft 365 admin center:
- Click Show all
- Go to Settings -> Org settings -> Security & privacy
- Then click Baseline security mode
- In the popout
- You can initiate generating reports to view usage of related policies
- You can click to enable one or both of the default policy sets
- Or click to Open Baseline security mode
- In the Baseline security mode window
- You can review generated usage reports
- Enable individual policies
- Click Customize this policy to make adjustments
You will need to review the policies to see if there are any apps accessing these protocols or modes. Sometimes other systems such as backup systems or third-party cloud services may be authenticating with an older method.
Authentication Methods
Before diving into the security settings, it’s worth looking at multifactor-authentication methods and configuring them to improve overall security.
The methods are:
- Temporary Access Pass
- Voice call
- Email OTP
- SMS
- Software OATH tokens
- Hardware OATH tokens
- Microsoft Authenticator
- QR Code
- Verified ID
- Certificate-based authentication
- Passkey (FIDO2)
These include 3 strength categories that will help with the Conditional Access policies, those being: MFA, Passwordless MFA, and Phishing-resistant MFA. Each of which is successively higher strength. Full details at Microsoft Learn.
One key difference between these are that a regular MFA, and even Paswordless MFA, method are still subject to Man-In-The-Middle attacks and MFA Fatigue attacks, whereas Phishing-resistant MFA is very tough to bypass. Practically speaking, what does this mean though?
Basically, with regular MFA, if a code is provided to someone over the phone or entered into a malicious website, the attacker then has up to 30 seconds to use it to log in and establish a session; or for passwordless MFA, if an attacker has acquired the users’ password and sends one or more push notifications, one of which gets accepted, they can establish a session. But with phishing-resistant MFA, the user has a physical token they need to use for logging in.
Note that while the enforcement of particular MFA methods is part of the Conditional Access which requires additional licensing, all of the MFA methods are allowed on every tenant.
Conditional Access
This section requires a Microsoft Entra ID P1 or P2 license.
Conditional Access is a set of policies that allow governing access to your tenant based on a variety of different factors such as geographic location, requested resources, device type, user account or group, and risk policy (P2 only). You can also configure what type of sign-ins are allowed or blocked and combine this with session expiry durations. Combined, these can significantly increase security with little to no perceived increase in user requirements.
You will need to customize things to your own organization, but the set of policies below can be a good starting point in many cases.
First, if you do not already have them, create two “break glass” accounts that will be assigned the Global Administrator role for the entire Microsoft 365 tenant. This is extremely important so you do not accidentally lock yourself out and also a standard practice recommended by Microsoft. I would recommend configuring both accounts with phishing-resistant MFA such as a YubiKey and storing the account passwords somewhere safe such as a password management system or even in a company safe. These accounts should only be used if all other accounts are inaccessible.
Next, groups should be created to target the policies to.
In the Microsoft 365 admin center:
- Click Show all
- Click to open the Identity portal
- Click Groups -> All groups -> New group
- Leave the Group type as Security
- Enter a Group name
- Leave Membership type as Assigned
- Repeat as required
- Suggested are Conditional Access Admins, Conditional Access Users, and Conditional Access Travel
Then, creating Named locations to target policies.
- Click Conditional Access -> Named locations -> Countries location
- Check off any countries your organization operates within
- Click Create
- Then create another and select all countries your organization is not in
- Be sure to click Include unknown countries/regions
- If you have static IP addresses create one or more IP ranges location
- Provide a Name, check the Mark as trusted location box
- Enter any static IP addresses for the organization
And finally, creating the policies.
- Click Conditional Access -> Policies -> New policy from template
- Click the Block legacy access policy template
- Click Review + create
- Return to the policy screen and click to add a New policy
- Use the tables below to create policies as required
- Leave policies at Report-only to start
- Change to On after a few days have gone by and reviewing the report data
Review each of these to make sure it fits with how your organization operates. The main concept here is that most attacks come from out of country, so the heaviest restrictions are placed there; whereas the fewest attacks come from in the office, so the least restrictions are placed there.
Admin – In Country
Action: Grant access
| Include | Exclude | |
|---|---|---|
| Users | Application Administrator Authentication Administrator Billing Administrator Cloud Application Administrator Conditional Access Administrator Dynamics 365 Administrator Dynamics 365 Business Central Administrator Exchange Administrator Global Administrator Helpdesk Administrator Intune Administrator Password Administrator Privileged Authentication Administrator Privileged Role Administrator Security Administrator SharePoint Administrator Teams Administrator User Administrator Windows 365 Administrator |
Break glass accounts |
| Resources | Microsoft Admin Portals | |
| Network | In-country IPs | In-office static IPs |
| Platforms | ||
| App Types |
MFA Requirements: Phishing-resistant MFA.
Session Length: 4 hours
Admin – In Office
Action: Grant access
| Include | Exclude | |
|---|---|---|
| Users | Application Administrator Authentication Administrator Billing Administrator Cloud Application Administrator Conditional Access Administrator Dynamics 365 Administrator Dynamics 365 Business Central Administrator Exchange Administrator Global Administrator Helpdesk Administrator Intune Administrator Password Administrator Privileged Authentication Administrator Privileged Role Administrator Security Administrator SharePoint Administrator Teams Administrator User Administrator Windows 365 Administrator |
Break glass accounts |
| Resources | Microsoft Admin Portals | |
| Network | In-office static IPs | |
| Platforms | ||
| App Types |
MFA Requirements: Standard MFA.
Session Length: 4 hours
Block – Admin – Out of Country
Action: Block access
| Include | Exclude | |
|---|---|---|
| Users | Application Administrator Authentication Administrator Billing Administrator Cloud Application Administrator Conditional Access Administrator Dynamics 365 Administrator Dynamics 365 Business Central Administrator Exchange Administrator Global Administrator Helpdesk Administrator Intune Administrator Password Administrator Privileged Authentication Administrator Privileged Role Administrator Security Administrator SharePoint Administrator Teams Administrator User Administrator Windows 365 Administrator |
Break glass accounts |
| Resources | Microsoft Admin Portals | |
| Network | Global IPs | In-office static IPs |
| Platforms | ||
| App Types |
MFA Requirements:
Session Length:
Block – Users – Out of Country
Action: Block access
| Include | Exclude | |
|---|---|---|
| Users | All users | Break glass accounts Conditional Access Travel |
| Resources | All resources | |
| Network | Global IP | In-office static IPs |
| Platforms | ||
| App Types |
MFA Requirements:
Session Length:
Block – Legacy Authentication
Action: Block access
| Include | Exclude | |
|---|---|---|
| Users | All users | Break glass accounts |
| Resources | All resources | |
| Network | ||
| Platforms | ||
| App Types | Exchange ActiveSync clients Other clients |
MFA Requirements:
Session Length:
Users – In Country (Windows)
Action: Grant access
| Include | Exclude | |
|---|---|---|
| Users | All users | Break glass accounts |
| Resources | All resources | |
| Network | In-country IPs | In-office static IPs |
| Platforms | Windows | |
| App Types |
MFA Requirements: One of Passwordless MFA or Microsoft Entra Hybrid joined device.
Session Length: 14 days
Users – In Office
Action: Grant access
| Include | Exclude | |
|---|---|---|
| Users | All users | Break glass accounts Directory Synchronization Accounts |
| Resources | All resources | |
| Network | In-office static IPs | |
| Platforms | Windows | |
| App Types |
MFA Requirements: Standard MFA or Microsoft Entra Hybrid joined device.
Session Length: 90 days
Users – In Country (Non-Windows)
Action: Grant access
| Include | Exclude | |
|---|---|---|
| Users | All users | Break glass accounts |
| Resources | All resources | |
| Network | In-country IPs | |
| Platforms | Android iOS macOS Linux |
|
| App Types |
MFA Requirements: Passwordless MFA.
Session Length: 14 days
Users – Out of Country
Action: Grant access
| Include | Exclude | |
|---|---|---|
| Users | Conditional Access Travel | Break glass accounts |
| Resources | All resources | |
| Network | Global IP | In-office static IPs |
| Platforms | ||
| App Types |
MFA Requirements: One of Phishing-resistant MFA or Microsoft Entry Hybrid joined device.
Session Length: 1 day
Comments