
Microsoft Office 365

Security Assessment

Table of Contents

Overview ... 2
What Is Covered ... 3
Microsoft Secure Score ... 4
Cheat Sheet: Recommended Improvements ... 5
Security Assessments ... 6
    Azure AD ... 6
    Azure – Identity Secure Score ... 6
    Azure – Risky Users ... 6
    Multi-Factor Authentication ... 7
    Self-Service Password Reset ... 8
    Device Management ... 9
    Conditional Access ... 10
    Role Assignments ... 10
    Exchange Online ... 11
    Mail Flow ... 11
    Email Protection ... 12
    Impersonations & Phishing ... 13
    Top Users Targeted by Phishing Campaigns ... 13
    SharePoint Online / OneDrive for Business ... 14
    Microsoft Teams ... 15
    Information Security & Governance ... 15
    Essential 8 ... 16
Key Findings & Recommendations ... 17
    Critical Items ... 17
    Important Items ... 17
    General Items ... 17
Get in Touch ... 18

Overview
The goal of this assessment is to help Australian businesses understand and reduce the security risks to their business. With over 30% of cyber incident breaches in Australia coming from compromised or stolen credentials, and another 43% from phishing attacks, it is highly important to secure your Microsoft Office 365 tenant.

This assessment can be used to review your Microsoft Office 365 configuration against best practices and to outline recommendations that improve your security posture. The recommendations in this assessment are based on Microsoft 365 Business as a minimum; however, some recommendations will also work for lower levels of Microsoft licensing.

Microsoft Office 365 is an integral part of many Australian businesses, providing key business services such as Azure Active Directory identity management, email, SharePoint and OneDrive file management, Microsoft Teams collaboration software and device management.

Your Microsoft Office 365 applications and data can be accessed in many ways, whether you're working in the office, at your home office, on the road, or from your laptop, phone or tablet. There are now many ways to access sensitive business data, so it is imperative to secure this data across your organisation's Microsoft Office 365 suite.

This document will help considerably to raise your organisation's Office 365 security posture. It can be used to check off the user, identity and authentication actions needed to bolster security across each of these critical vulnerability points.

A1 Technologies specialises in helping businesses secure their Microsoft Office 365 environments. This assessment template is based on our experience with our clients and on the ongoing improvements we make for our Managed Services clients as part of our service. Through a continuous review and improvement schedule we regularly add security improvements to our assessments. This version is offered here freely to give Australian businesses the opportunity to improve their security and reduce the risks to their businesses.

If, at any point, you need assistance with your security project to complete an assessment, implement recommendations or discuss our Managed Services options, don't hesitate to reach out; we would love to hear from you.

What Is Covered
This assessment template will cover the following Microsoft Office 365 components:

Azure AD Assessment
- General identity, access and device management settings.

Exchange
- Mail flow assessment, mailbox and group permissions, connectors, etc.

SharePoint & OneDrive
- General sharing settings, permissions on sites and libraries.

Teams
- Teams ownership, channel settings, sharing settings, etc.

Information Security
- Auditing, data loss prevention, information protection, etc.

Microsoft Secure Score

Microsoft Intune

Microsoft Secure Score
Your Microsoft Secure Score represents an overall scoring of security across five key Microsoft 365 areas: identities, data, apps, devices, and infrastructure, each with its own associated score. The higher the score, the more secure these areas are. It is a good check of overall system security health, and by assessing each area you can raise the individual and overall scores. Microsoft Secure Score also depends on your Microsoft licensing: for example, if your business uses Microsoft Office 365 Business you will have fewer security options available than with Microsoft 365 Business (which includes Advanced Security and Device Management).

Out of the box, most Microsoft Office 365 environments have a Microsoft Secure Score of between 35 and 45. This is a very low score; however, Microsoft provides the tools to greatly increase security. A score of 176 (as in the example below) provides a moderate level of security with low impact on staff workflows, but it is possible to do better.

With the recommendations in this document, a Microsoft Secure Score of over 200 points can be achieved with limited impact on the day-to-day user experience. However, the Microsoft Secure Score is always changing: a score of 176 today may reduce over time as new threats are found and new mitigation options become available. Continuous management through the monitoring of various logs, and regular reviews of the current Secure Score to implement ongoing improvements, are required.

This assessment template focuses heavily on credential protection to mitigate threats. In particular, the largest change users will typically see is the implementation of Multi-Factor Authentication (MFA), which requires a second level of authentication when accessing company data. You will be familiar with MFA from everyday life, e.g. banks asking for a verification code sent over SMS or generated by Windows or Google Authenticator.

Additionally, planning and tuning security settings over time will ensure your environment and your staff are much safer from the risk of attacks. A1 Technologies recommends monthly reviews of logs and quarterly planning to implement improvements.

Cheat Sheet: Recommended Improvements
A recommended list of actions to increase your Microsoft Secure Score can be seen in the table below.

| Improvement Action | Score | Category | User Impact | Implementation Cost | Source |
|---|---|---|---|---|---|
| Register All Users For Multi-Factor Authentication (MFA) | 5/20 | Identity | High | High | Azure Active Directory |
| Require MFA For Azure AD Privileged Roles | 33/50 | Identity | Low | Low | Azure Active Directory |
| Require MFA For All Users | 2/30 | Identity | Moderate | Moderate | Azure Active Directory |
| Block Client Forwarding Rules [Not Scored] | 0/20 | Data | Moderate | Moderate | Exchange Online |
| Set Outbound Spam Notifications [Not Scored] | 0/15 | Data | Low | Low | Microsoft Information Protection |
| Turn On Mailbox Auditing For All Users [Not Scored] | 0/10 | Data | Low | Low | Exchange Online |
| Enable Password Hash Sync If Hybrid | 0/10 | Identity | Low | Low | Azure Active Directory |
| Enable Self-Service Password Reset | 0/5 | Identity | Moderate | Moderate | Azure Active Directory |
| No Transport Rule To External Domains [Not Scored] | 0/5 | Data | Low | Low | Microsoft Information Protection |
| Do Not Use Mail Flow Rules That Bypass Anti-Spam Protection [Not Scored] | 0/5 | Data | Low | Low | Microsoft Information Protection |
| SPO Sites Have Classification Policies [Not Scored] | 0/10 | Data | Moderate | Moderate | SharePoint Online |
| Do Not Allow Anonymous Calendar Sharing [Not Scored] | 0/10 | Data | Moderate | Low | Exchange Online |
| Do Not Allow Users To Grant Consent To Unmanaged Applications | 0/10 | Identity | Moderate | Low | Azure Active Directory |
| Turn On Sign-In Risk Policy | 0/30 | Identity | Moderate | Moderate | Azure Active Directory |
| Turn On User Risk Policy | 0/30 | Identity | Moderate | Moderate | Azure Active Directory |
| Enable Policy To Block Legacy Authentication | 0/20 | Identity | Moderate | Moderate | Azure Active Directory |
| Turn On Cloud App Security Console | 0/20 | Apps | Low | Moderate | Microsoft Cloud App Security |
| Create A Microsoft Intune Compliance Policy For iOS | 0/10 | Device | Moderate | Low | Intune |
| Create A Microsoft Intune Compliance Policy For Windows | 0/10 | Device | Moderate | Low | Intune |
| Create A Microsoft Intune Compliance Policy For MacOS | 0/10 | Device | Moderate | Low | Intune |
| Create A Microsoft Intune Configuration Profile For iOS | 0/10 | Device | Moderate | Low | Intune |
| Create A Microsoft Intune Configuration Profile For MacOS | 0/10 | Device | Moderate | Low | Intune |
| Enable Microsoft Defender ATP Integration Into Microsoft Intune | 0/10 | Device | Low | Low | Intune |
| Require Mobile Devices To Use A Password [Not Scored] | 0/5 | Device | Low | Low | Microsoft Information Protection |

Security Assessments
Azure AD
Microsoft Office 365 uses Azure Active Directory (Azure AD), Microsoft's cloud-based identity and authentication service, to manage identities and authentication. Getting your identity infrastructure configured correctly is vital to managing Microsoft Office 365 user access and permissions for your organisation.

Azure – Identity Secure Score

Like the Microsoft Secure Score, Azure also displays its own secure score based on identity (user information). The Identity Secure Score makes up the ‘Identity’ component of the Microsoft Secure Score and breaks down in more detail the improvement actions that safeguard identity, and how much each will count towards your Azure Identity Secure Score (out of 255): for example, Require MFA for Azure AD privileged roles (50 points), Require MFA for all users (29 points), and Use limited administrative roles (1 point). This is directly available in the Azure dashboard.

Azure – Risky Users

A1 Technologies recommends reviewing your “Risky Users” reports (available via the Azure dashboard, under ‘Users flagged for risk’) on a regular basis. Risky users exhibit behaviour that can lead to a data breach or unauthorised access. This includes behaviours such as poor password strength, leaked credentials, and logins from different locations or devices. The Risky Users portal will also warn of attempted malicious activity such as logins from overseas. Risky users can be classified as High, Medium or Low risk.

Multi-Factor Authentication
Two-factor verification is more secure than just a password because it relies on two forms of authentication: something you know (your password) and something you have with you (e.g. a mobile device). Two-factor verification can help to stop malicious hackers from pretending to be you: even if they have your password, they will also require access to your mobile to gain access to your account. Multi-factor authentication refers to two or more authentication factors being required to gain access.

Current State | Recommended State | Update Requirements

Security Defaults:
Security defaults are a set of basic identity security mechanisms recommended by Microsoft. When enabled, these recommendations are automatically enforced in your organisation, and administrators and users are better protected from common identity-related attacks. Enable this setting to apply the new Microsoft recommended security settings, such as:
1. MFA on all users
2. Restrict access to the Azure portal
3. Restrict access to Azure PowerShell

Global Admins:
Microsoft recommends that you have at least 2 global admins at any time to reset passwords and to protect against a rogue admin or compromised account. We now also recommend that you have no more than 4 global admins to reduce your organisation's collective risk.

MFA:
Enforce MFA for all users.

Modern Authentication:
App passwords are used by legacy applications. Require users to use modern authentication clients and disable app passwords.

MFA Verification Options:
Recommend removing phone and SMS as verification methods, as they are weaker options than the Microsoft Authenticator mobile app.

MFA Device User Trust:
Allow trusted user devices to remember MFA for a period of 14 days.

Self-Service Password Reset
Self-service password reset (SSPR) is an Azure Active Directory feature that enables employees to reset their passwords without needing to contact IT. Employees must register for, or be registered for, self-service password reset before using the service. During registration, the employee chooses one or more authentication methods enabled by their organisation.

It is strongly recommended that Global Administrators also set up this service for their own accounts.

Current State | Recommended State | Update Requirements

Self-Service Password Reset:
Enable SSPR for all users. Once enabled, users are required to complete the SSPR registration process to register a device that will allow them to complete SSPR.

Device Management
Intune is a cloud-based enterprise mobility management (EMM) service that helps enable your workforce to be productive while keeping your corporate data protected. With Intune, you can:

- Manage the mobile devices your workforce uses to access company data, whether company owned or BYO device.
- Manage the client apps your workforce uses.
- Protect your company information by helping to control the way your workforce accesses and shares it.
- Ensure devices and apps are compliant with company security requirements.

Intune integrates closely with Azure Active Directory (Azure AD) for identity and access control and with Azure Information Protection for data protection. We recommend all organisations use Intune for enterprise mobile security management.

Current State | Recommended State | Update Requirements

MDM Auto-Enrolment:
During Azure AD join for Windows 10 devices, the device will automatically be enrolled with Intune for policy and configuration management.
Update requirements: Azure AD Premium P1 or P2.

Intune Compliance Policies:
Compliance policies examine management-defined rules for compliance (such as encryption, password strength, secure boot and similar) and mark each device as compliant or non-compliant with company policies. Policies should be defined for all platforms used in the environment.
Update requirements: Azure AD Premium P1 or P2.

Intune Configuration Policies:
Configuration policies should push company requirements and settings to user devices.

Intune Enrolment:
Ensure all Android and Apple devices are enrolled with Intune. Recommend enrolling all Windows 10, Android and Mac devices.

Conditional Access
The modern security perimeter now extends beyond an organisation's network to include user and device identity. Organisations can use these identity signals as part of their access control decisions.

Conditional Access is the tool Azure Active Directory uses to bring signals together, make decisions, and enforce organisational policies. Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action.

Current State | Recommended State | Update Requirements

Conditional Access Policies:
Configure Conditional Access policies for different platforms, types of access (from trusted or untrusted devices), and user groups. For example, if a user attempts to access resources from a trusted device (enrolled with Intune) which they have used within the past 14 days, they will be granted access. Untrusted devices (access from a web browser on a non-managed device) will require multi-factor authentication every time.

Risk-based Sign-in Policies:
The system will intelligently monitor user sign-ins and block suspicious sign-ins detected based on parameters like time, location or client application.

Security Defaults:
Baseline Protection policies are a legacy experience that is being deprecated. All baseline protection policies will be removed on February 29th, 2020. If you are looking to enable a security policy for your organisation, we recommend enabling Security Defaults or configuring Conditional Access policies.

Role Assignments
There are several default roles in Azure AD / Office 365. It is important to define which identities can manage different aspects of your Office 365 environment.

Current State | Recommended State | Update Requirements

Restrict Privileged Access:
Remove everyday user accounts from the Global Administrator role and create a separate admin-only account for each person who needs it.

Exchange Online
Microsoft Exchange Online is a hosted messaging solution that delivers the capabilities of Microsoft Exchange Server as a cloud-based service. It gives users access to email, calendar, contacts, and tasks from PCs, the web, and mobile devices.

Mail Flow
Current State | Recommended State | Update Requirements

Ensure an SPF record is published for Office 365.
Ensure DKIM is configured for all domains.
Ensure DMARC is configured for all domains.

Spam Filter Policy:
Spam filter policy configured for all domains. Additionally, enable Advanced Threat Protection (or 3rd party spam filter products).

Anonymous Connectors:
Configure a connector only if you need a device to relay anonymously.

Client Forwarding Rules:
Ensure this rule is turned on.

Default Malware Filter:
Enable this setting.

Auto-Forwarding:
Auto-forwarding to external contacts disabled.
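As an added example (not part of A1 Technologies' template), the following Python script checks the SPF, DKIM and DMARC items above against the shape Office 365 expects: the include:spf.protection.outlook.com mechanism, the selector1/selector2 DKIM CNAMEs delegated to the tenant's onmicrosoft.com domain, and a DMARC policy of quarantine or reject. The DNS answers, domain names and tenant name are constructed so the script runs offline; a real assessment would feed it live TXT and CNAME lookups.

```python
"""Offline SPF / DKIM / DMARC check for an Office 365 domain.
The DNS answers in SAMPLE_DNS are constructed for this example."""
import re

# Constructed DNS answers: record name -> (type, value). A real run would
# replace this dict with live TXT / CNAME lookups; "tenant" is a placeholder.
SAMPLE_DNS = {
    "good.example": ("TXT", "v=spf1 include:spf.protection.outlook.com -all"),
    "selector1._domainkey.good.example":
        ("CNAME", "selector1-good-example._domainkey.tenant.onmicrosoft.com"),
    "selector2._domainkey.good.example":
        ("CNAME", "selector2-good-example._domainkey.tenant.onmicrosoft.com"),
    "_dmarc.good.example": ("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "weak.example": ("TXT", "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 ?all"),
    "_dmarc.weak.example": ("TXT", "v=DMARC1; p=none"),
}

O365_SPF_INCLUDE = "spf.protection.outlook.com"  # Microsoft's SPF include for Exchange Online
DKIM_SELECTORS = ("selector1", "selector2")       # the two selectors Office 365 DKIM signs with


def lookup(dns, name, rtype):
    rec = dns.get(name)
    return rec[1] if rec and rec[0] == rtype else None


def check_spf(record):
    """Findings for the domain's SPF TXT record (empty list = OK)."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    terms = record.split()[1:]
    findings = []
    if f"include:{O365_SPF_INCLUDE}" not in [t.lower() for t in terms]:
        findings.append(f"SPF: missing include:{O365_SPF_INCLUDE}; Office 365 mail will fail SPF")
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; record is open-ended")
    elif all_terms[-1][0] in "+?" or all_terms[-1].lower() == "all":
        findings.append(f"SPF: '{all_terms[-1]}' lets unauthorised senders pass; use -all or ~all")
    return findings


def check_dkim(dns, domain):
    """Both Office 365 selectors must be CNAMEs to the tenant's onmicrosoft.com key."""
    findings = []
    for sel in DKIM_SELECTORS:
        target = lookup(dns, f"{sel}._domainkey.{domain}", "CNAME")
        if not target or not target.lower().endswith(".onmicrosoft.com"):
            findings.append(f"DKIM: {sel}._domainkey.{domain} is not delegated to the tenant key")
    return findings


def check_dmarc(record):
    """Findings for the _dmarc TXT record: the policy must actually act on failures."""
    if record is None or not record.upper().startswith("V=DMARC1"):
        return ["DMARC: no _dmarc record published"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '<missing>'} is monitor-only; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; aggregate reports will not be received")
    return findings


def assess_domain(dns, domain):
    """All findings for one domain; an empty list means SPF, DKIM and DMARC pass."""
    return (check_spf(lookup(dns, domain, "TXT"))
            + check_dkim(dns, domain)
            + check_dmarc(lookup(dns, f"_dmarc.{domain}", "TXT")))


if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        for line in assess_domain(SAMPLE_DNS, d) or ["all checks pass"]:
            print(f"{d}: {line}")
```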
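Also as an added example, not from the template: an audit of client inbox rules for the Client Forwarding Rules and Auto-Forwarding items above. The rows are constructed to resemble the ForwardTo, ForwardAsAttachmentTo and RedirectTo fields that Exchange Online's Get-InboxRule cmdlet returns, and the accepted domains are assumed; any rule that sends mail to an address outside those domains is reported.

```python
"""Audit Exchange Online inbox rules for forwarding outside the organisation.
The rule rows below are constructed to resemble Get-InboxRule output."""
import re

ACCEPTED_DOMAINS = {"contoso.example", "contoso-au.example"}  # assumed tenant domains

# Constructed export rows. Exchange renders rule recipients as
# '"Display Name" [SMTP:address]' for SMTP contacts and as
# '"Display Name" [EX:/o=.../cn=...]' for mailboxes inside the tenant.
SAMPLE_RULES = [
    {"Mailbox": "alice@contoso.example", "Name": "Copy to finance", "Enabled": True,
     "ForwardTo": ['"Bob" [SMTP:bob@contoso.example]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": []},
    {"Mailbox": "alice@contoso.example", "Name": "Sync", "Enabled": True,
     "ForwardTo": [], "ForwardAsAttachmentTo": [],
     "RedirectTo": ['"alice" [SMTP:alice.personal@webmail.example]']},
    {"Mailbox": "carol@contoso.example", "Name": "Old project", "Enabled": False,
     "ForwardTo": ['"Partner" [SMTP:pm@outsider.example]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": []},
    {"Mailbox": "dave@contoso.example", "Name": "To assistant", "Enabled": True,
     "ForwardTo": ['"Erin" [EX:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=erin]'],
     "ForwardAsAttachmentTo": [], "RedirectTo": []},
]

FORWARDING_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
SMTP_RE = re.compile(r"\[SMTP:([^\]\s]+)\]", re.I)


def external_targets(rule, accepted_domains):
    """(field, address) pairs where this rule sends mail outside accepted_domains."""
    out = []
    for field in FORWARDING_FIELDS:
        for recipient in rule.get(field) or []:
            match = SMTP_RE.search(recipient)
            if not match:
                continue  # EX:/legacyDN recipients are mailboxes in this tenant
            addr = match.group(1).lower()
            domain = addr.rsplit("@", 1)[-1]
            if domain not in accepted_domains:
                out.append((field, addr))
    return out


def audit_rules(rules, accepted_domains=ACCEPTED_DOMAINS, include_disabled=False):
    """Rules that send mail externally. Disabled rules are skipped unless asked
    for, since a disabled rule can be re-enabled without creating a new one."""
    findings = []
    for rule in rules:
        if not rule["Enabled"] and not include_disabled:
            continue
        targets = external_targets(rule, accepted_domains)
        if targets:
            findings.append({"Mailbox": rule["Mailbox"], "Rule": rule["Name"],
                             "Enabled": rule["Enabled"], "Targets": targets})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, include_disabled=True):
        state = "enabled" if f["Enabled"] else "disabled"
        print(f'{f["Mailbox"]}: rule "{f["Rule"]}" ({state}) -> {f["Targets"]}')
```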

Email Protection
To protect your email messages from malicious attacks, Office 365 uses Advanced Threat Protection.

Microsoft Office 365 Advanced Threat Protection (ATP) is a cloud-based email filtering service that helps protect your organisation against unknown malware and viruses by providing robust zero-day protection, and includes features to safeguard your organisation from harmful links in real time. ATP has rich reporting and URL trace capabilities that give administrators insight into the kinds of attacks happening in your organisation.

Current State | Recommended State | Update Requirements

Anti-Phishing Policy:
Configure an anti-phishing policy for all users in the tenant.

Safe Links Policies:
Configure a Safe Links policy with scanning of email for malicious URLs enabled.

Safe Attachment Policies:
Configure an ATP policy with scanning of emails for malicious attachments enabled, including for SharePoint, OneDrive, and Microsoft Teams.

Default Retention Policy:
This policy contains the following retention tags:
- 1 Month Delete
- 1 Week Delete
- 1 Year Delete
- 5 Year Delete
- 6 Month Delete
- Default 2 Year Move to Archive
- Junk Email
- Never Delete
- Personal 1 Year Move to Archive
- Personal 5 Year Move to Archive
- Personal Never Move to Archive
- Recoverable Items 14 Days Move to Archive

3rd Party Backup:
A1 Technologies recommends the use of a 3rd party cloud-based backup technology to back up mailboxes. This is different from a retention policy and offers a point-in-time restore of mail data or SharePoint data.

Impersonations & Phishing
While Microsoft works hard for ATP to catch impersonation and phishing attempts, sometimes these emails can still land in organisational inboxes. Invoking policies like only accepting emails from known domains, while effective, can completely stifle workflow.

You can choose to use additional email filtering products from third party services; however, the best line of defence is in-house security briefings about current phishing attacks and what to look out for in emails.

Phishing and impersonation attempts are sophisticated affairs, easily mimicking real-world service providers, known contacts, and other associates.

Train staff to check incoming email addresses against known addresses, to log in to outside service providers only through their known sites, and to be wary of opening attachments from unknown senders: document-based malware can deliver payloads upon opening.

Top Users Targeted by Phishing Campaigns

Anyone that has access to important resources within your organisation is a major target for phishing. This means those in finance, HR, sales, the C-suite and their personal assistants, and IT administrators. Anyone with the keys to significant funds or data is a major target, although all staff need training, no matter their responsibilities.

SharePoint Online / OneDrive for Business
Microsoft SharePoint Online in Office 365 is a content, knowledge, and application management and organisation platform. It empowers people to share and work together, to inform and engage others across the company, to transform business processes, and to harness collective knowledge. In addition, SharePoint provides capabilities for organisations to protect and manage their data and to build custom solutions.

OneDrive is an online storage space in the cloud that's provided for individual licensed users in an organisation. Use it to help protect work files and access them across multiple devices. OneDrive lets you share files and collaborate on documents, and sync files to your computer.

Current State | Recommended State | Update Requirements

Default Link Type:
This section allows you to configure how you, as an organisation, want to share documents.

Allow Guests to Share Items They Don’t Own:
Recommend changing this setting to False unless otherwise required.

Default Link Permission:
Recommend changing the default link permission to “View” unless otherwise required.

Expiration for Anonymous Links:
Recommend setting an expiration of 7 days.

File and Folder Links:
Recommend restricting who you share links with. If this setting is required, links should also be set to expire after a set number of days.

Microsoft Teams
Microsoft Teams is a unified communications platform that combines persistent workplace chat, video meetings, file storage (including collaboration on files), and application integration. The service integrates with your organisation's Microsoft Office 365 subscription office productivity suite and features extensions that can integrate with non-Microsoft products. Microsoft Teams is a competitor to services such as Slack and is the evolution and upgrade path from Microsoft Skype for Business.

Current State | Recommended State | Update Requirements

Default Policies:
Define more granular policies, especially for external access and guest users.

Information Security & Governance

General information security guidelines and tools provided by Office 365 and Azure.

Current State | Recommended State | Update Requirements

Modern Retention Policies:
Configure retention policies for all Office 365 services for better compliance.

User Actions Auditing:
Turn on auditing for user and admin actions.

DLP Policies:
Define fine-grained DLP policies to protect against accidental data leakage from the domain.

Mail Archive Policy:
Define fine-grained AIP policies to encrypt messages, apply permissions and track documents shared internally and externally.

Alert Policies:
Enable alert policies for detection of suspicious actions.

Establish Company Branding:
Allows admins and users to quickly identify which tenant they are connecting to.

Essential 8
A1 Technologies also recommends complying with the Australian Cyber Security Centre’s Essential 8 guidelines. This includes the 8 key areas below, several of which reside outside of Microsoft Office 365.

1. Application Whitelisting
2. Microsoft Office 365 Macro Settings
3. Restrict Administrative Privileges
4. Multi-Factor Authentication
5. Patch Applications
6. User Application Hardening
7. Patch Operating Systems
8. Daily Backups

The Essential 8 is a set of 8 security strategies that the Australian Cyber Security Centre (ACSC) recommends, as a minimum security baseline, for businesses of any size or industry.

You can read more about the Essential 8 here.

Key Findings &
Recommendations
// use this section to outline key findings & recommendations for your team, managers, or vendors. It should include critical, important, and general recommendations.

Critical Items
To be addressed and remediated immediately.

1. Critical item
2. Critical item

Important Items
To be addressed and remediated immediately.

1. Important item
2. Important item

General Items
To be addressed and remediated immediately.

1. General item
2. General item

A1 Technologies is an Australian IT Consultancy and Managed Service Provider (MSP) specialising in delivering robust, responsive, and secure IT and Technology solutions to businesses Australia-wide.

If you need help deploying, managing, or optimising any part of your technology infrastructure, feel free to reach out; we would love to hear from you.

Our Services
• IT Consultancy
• IT Support & Helpdesk
• IT Security & Auditing
• Business Internet & VoIP Solutions
• SD-WAN Solutions
• Professional & Project Services
• Cloud Migration
• Azure Consulting
• Cloud Security & Auditing
• Cloud Architecture and Optimisation
• Microsoft 365 Security Consulting
• AWS Consulting

A Few Words from Our Customers
“Excellent experienced team who can quickly understand the pressures of a business and help prioritise.”
Mark Woodhouse, CFO, JD Sports Fashion Retail

“I would like to thank A1 and commend you for your excellent work. A1 delivered beyond my expectations...”
Sandra Whitaker, IT Manager, NSW Nurses & Midwives Association

“A1 has been very efficient and a great value-add to our business”
Trevor Bolland, CEO, Nuzest Life.

Get in Touch
Contact: Rob Rattray, Sales Director
P: 1300 287 910 | E: rob@a1t.com.au
