Office 365 is popular because of its mobility, enterprise and collaboration features. However, in a cloud-hosted environment, security is the main concern because new threats constantly emerge. Your organization, therefore, needs to use all the tools at its disposal to secure your customers’ and organization’s data.
That is why Office 365 offers built-in capabilities and organization controls to help customers meet compliance standards. Have a look at the security and governance features available in all major services.
Office 365 Security
1) Multi-Factor Authentication (MFA Logins)
Multi-factor authentication (MFA) requires more than just a username and password. After users log in with a username and password, they receive a text message or a phone call (depending on the configuration). They then either answer the call or enter the access code received via text into the prompt.
This can be set up per user (depending on your preferences). For example, if you only want to enforce MFA on a particular group such as higher management or company leads rather than on the entire organization, it can be done with a few clicks.
Office IP addresses can be whitelisted so that users on the office network are not prompted for multi-factor authentication; it is required only when they sign in from an IP address that is not whitelisted.
Multi-factor authentication is a free feature available on all Microsoft Office 365 subscription plans.
2) Password Protection Policy
Every user account that needs to sign in to Microsoft Office 365 must have a unique user principal name (UPN) or LOGIN ID attribute value associated with the account. The password restrictions are:
• 8 to 16 characters
• Strong passwords only: requires 3 out of 4 of the following:
  • Lowercase characters
  • Uppercase characters
  • Numbers (0 to 9)
You can set password expiration according to your organization’s policy. This can be configured in the Microsoft Office 365 Admin Center security settings or via PowerShell.
After 10 unsuccessful sign-in attempts (wrong password entered), the user is locked out for one minute. Further incorrect sign-in attempts lock the user out for progressively longer periods.
3) Office 365 Security Data & Reports
Detailed security reports are available in the Security and Compliance Center. They are found in the Report Dashboard and provide a graphical view of how your policies are performing. You can view or download reports such as Malware Detection, Spoof and Spam Detection, DLP Policy Matches, and many others.
A further category of reports, the Usage and Activity reports, gives you data per service; these can be found in the Office 365 Admin Center.
4) Content Search Engine
The ability to search across data is extremely important, and Microsoft now offers a quicker way to search across Microsoft Office 365. Content Search can be used to search data in individual or all SharePoint sites, Skype for Business, Exchange mailboxes and OneDrive for Business.
This feature is valuable for locating a specific type of information stored or shared across the organization. For example, if a user has lost an important file that was sent to someone via email or Skype for Business in the past, it can be recovered by searching all mailboxes or Skype for Business conversations; the admin only needs to query the name of the attachment.
There is no limit on the number of content locations that can be included in a search, and no limit on the number of searches that users can run at the same time. When a user runs a content search, the number of content locations searched is displayed in the details pane of the Content search page, along with an estimated number of search results.
5) Audit Log Search
In large organizations, it is a very common and important requirement to track user and administrator actions on the services. Whether it is an administrator going rogue or a regular user deleting an important and valuable business document, it is harmful to the organization. While there are many ways to restrict and control access to Microsoft Office 365, it is still important that an audit log with this information is available. This is where Audit log search in the Microsoft Office 365 Security & Compliance Center comes in.
Auditing covers almost all major services and actions in Office 365, such as uploading, editing and deleting documents, lists and pictures in OneDrive, SharePoint and Group sites; mailbox permission changes and personal mailbox email activity; and user creation and deletion. Auditing can be done easily in the Security and Compliance Center, and administrators can also perform more granular auditing via PowerShell.
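As an added example (not part of the original article), the following PowerShell searches the unified audit log for OneDrive/SharePoint file deletions over the last seven days and flags users with an unusual number of them. It assumes an Exchange Online PowerShell session is already connected with an account holding the audit role; the cmdlet, record type and operation names follow Microsoft's Search-UnifiedAuditLog documentation, and the threshold is an assumption.

```powershell
# Added example, not from the original article. Assumes Connect-ExchangeOnline
# has already been run; cmdlet/parameter/operation names are taken from the
# Search-UnifiedAuditLog documentation, so verify them against your tenant.

$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Page through the results; ReturnLargeSet returns up to 5000 rows per call
$deletions = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileDeleted, FileDeletedFirstStageRecycleBin `
        -SessionId "FileDeletions-$($start.ToString('yyyyMMdd'))" `
        -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $deletions += $page }
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string; expand the fields an investigator needs
$events = $deletions | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Object    = $d.ObjectId     # full URL of the deleted item
        ClientIP  = $d.ClientIP
    }
}

# Flag users with a high volume of deletions (threshold is an assumption;
# tune it to what is normal for your organization)
$threshold = 50
$events | Group-Object User |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Name, Count

# Keep the full evidence set for the case file
$events | Export-Csv -Path .\onedrive-deletions.csv -NoTypeInformation
```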
6) Application Password
An app password is a code that gives an app or device permission to access one of your users’ Microsoft Office 365 accounts. If you are using Multi-Factor Authentication (MFA) and want to use applications that connect to your Microsoft Office 365 account, you will need to create a Microsoft Office 365 App Password so that the app can connect to Microsoft Office 365.
For example, if you are using Microsoft Outlook 2016 or an earlier version, Skype for Business, the Apple Mail app or any other third-party client with Microsoft Office 365, you will need to create an App Password. Creating an App Password can be seen as another level of security added to the Microsoft Office 365 user login process.
7) Office 365 Trust Center
Microsoft created a site named Office 365 Trust Center. It covers everything regarding security, including:
• Physical security: Can people walk in and walk out at data centers? How are the buildings secured physically?
• Logical security: How are the servers configured? What kind of network security is applied to them? What kind of auditing is implemented for logical security?
• Data security: How is the data secured? If someone gains access to the database, are they able to read/edit your data?
8) Role Based User Access Control
Role-Based Access Control (RBAC) is a feature designed to control administrative access over the different services across Microsoft Office 365. It allows each of these services to be controlled by separate administrators.
A good example of where such role-based access is needed: you hire a SharePoint developer for a short period to customize and design your SharePoint sites. The developer requires admin-level access to the SharePoint admin center, which can be granted by assigning only the SharePoint administrator role. You do not need to give an outsider control of the complete environment, which is a sound security measure.
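The contractor scenario above, as an added example in PowerShell (not the article's own code): grant only the SharePoint administrator role, verify the assignment, and revoke it when the engagement ends. It assumes the MSOnline module is connected as a Global Administrator; the sample account name is constructed, and the role display names are assumptions to be checked with Get-MsolRole in your tenant.

```powershell
# Added example, not from the original article. Assumes Connect-MsolService
# has been run as a Global Administrator. Role display names are assumptions;
# list the real ones with Get-MsolRole before use.

$contractor = "sp.developer@contoso.example"        # constructed sample account
$roleName   = "SharePoint Service Administrator"    # assumed display name

# Resolve the role object and confirm the user exists before changing anything
$role = Get-MsolRole -RoleName $roleName
$user = Get-MsolUser -UserPrincipalName $contractor
if (-not $user) { throw "User $contractor not found." }

# Least privilege check: the contractor must not already hold Global Administrator
# ("Company Administrator" is the MSOnline name for that role)
$globalRole = Get-MsolRole -RoleName "Company Administrator"
$isGlobal = Get-MsolRoleMember -RoleObjectId $globalRole.ObjectId |
    Where-Object { $_.EmailAddress -eq $contractor }
if ($isGlobal) { throw "$contractor already holds Global Administrator; review before adding roles." }

# Grant only the SharePoint role
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $contractor

# Verify: list everyone who holds the role now (review this regularly)
Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Select-Object DisplayName, EmailAddress

# When the engagement ends, revoke the role again
# Remove-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberEmailAddress $contractor
```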
Below is the list of User Roles available in Microsoft Office 365:
• Global Administrator
• Billing Administrator
• Exchange Administrator
• SharePoint Administrator
• Password Administrator
• Skype for Business Administrator
• Compliance Administrator
• Service Administrator
• User Management Administrator
• Dynamics 365 (online)
• Dynamics 365 Service Administrator
• Power BI Administrator
9) Alerts & Triggers
In the Security and Compliance Center, you can monitor user actions and track new activity on the portal. You can configure alert policies to receive custom alerts when specified activities take place: when a user performs a matching activity, an alert is triggered according to the conditions the administrator has set.
10) Mobile Management
Intune is Microsoft’s mobile device and mobile application management solution. It is typically available as part of Microsoft’s Enterprise Mobility and Security licensing bundle. Intune allows an administrator to manage employees’ mobile devices and apps across iOS, Android and Windows from a single dashboard. It also allows the administrator to centrally manage the deployment of updates and applications to keep your workers at peak productivity. Key features of Intune:
• Protect your company information and data by helping to control the way your workforce accesses and shares it.
• Manage the mobile devices your workforce uses to access company data.
• Manage the mobile apps your workforce uses.
• Ensure devices and apps are compliant with the company’s latest security requirements.
• Apply conditional access policies so that organizational access policies are enforced even when users are not on the office premises.