Microsoft 365 (M365) Security Best Practices: Administration & Privilege

Microsoft 365 (M365)—formerly called Microsoft Office 365—is the day-to-day workhorse of productivity for most organizations. For the general M365 community of users, security and protecting their data is, at most, an afterthought. Employees commonly assume their organization has put the proper guardrails to ensure their identity and data are safe. Unfortunately, this is not a safe assumption.

In this blog, we will look at some of the SaaS security implications of M365 (based in Azure) versus the traditional Microsoft Office, which resides on the end user’s desktop. We will also provide nine M365 security best practices for ensuring proper governance and security around Microsoft 365 admin accounts.

Understanding the Security Implications of M365

Long-time MS Office and Windows users and admins will recognize some technologies and terminology across M365. This familiarity provides a level of comfort. As a Windows administrator, seeing Active Directory, Office, and other technologies feels like you should be able to get a handle on security. In practice, this seeming familiarity conveys a false, and potentially dangerous, sense of security.

Any time spent managing an organization’s tenant on Azure (where Microsoft Office and other cloud offerings from Microsoft are hosted) demonstrates, what you thought was familiar, is unique. Getting a handle on the differences and their implications takes some education and understanding of the technology and processes.

I’ve spoken with many adopters of M365, Teams, and other cloud offerings from Microsoft. Time and time again, there are inherent configurations and settings in place and could potentially expose their identities and data to unwanted attention (from the likes of hackers).

For instance, Microsoft Teams allows team owners to invite external guests to attend meetings and collaborate within Teams channels. This sounds innocuous, and could be quite useful. However, many users are surprised to find once a guest’s invitation is accepted, the guest user can access files on SharePoint and delete messages from the conversations. To their credit, Microsoft does call this out and provide guidance on how to tune down the access guests receive. The point here is, if you are familiar with on-premises Microsoft products, you probably have different expectations and make some security assumptions.

What Administrative Tools Does Microsoft 365 Have?

Let’s now look at the functionality around administering and managing M365. Sounds simple enough, but there are myriad admin roles—from the all-powerful Global Admin to specific application administrators (like SharePoint admin and Teams Admin) and even Helpdesk and User admins. In addition to managing credentials, each of these admin roles comes with discreet permissions, which you call ‘entitlements,’ in the cloud. These entitlements can be problematic, if not properly understood and managed.

Figuring out who can do what takes combing through a few Microsoft Knowledge Base articles, and a table or two to decipher it. A simple dialog box, like the one pictured below, belies the complexity of configuring password management, and what roles can affect users.

Back in the days when we managed a network perimeter and a finite number of users, you controlled access by managing a hundred or so permissions. The Wipro State of Cybersecurity Report 2020 found the number of discreet entitlements has grown exponentially, to more than 40,000 permissions. With each new service introduced, it provides a collection of new entitlements with a default setting.

Trying to get a handle on a privileged access sprawl can induce panic or dread in the most staid of IT security practitioners. As the number of entitlements skyrockets, it’s incumbent on an already overtaxed Security Team and Cloud Operations group to ensure people have access to the things they need to accomplish their jobs.

When an organization adopts any new services, security teams really should be reviewing defaults and determining what’s right for them and whether there needs to be a tightening down of access rights for human and/or machine accounts.

This points to the number one challenge we hear from cloud adopters at every stage of a digital transformation project – visibility. Gaining a good overview of all identities, and who has access to what – along with the more difficult question of “Is this really required” – can be a daunting task. One way to approach this and ease the burden is to adopt the principle of least privilege and apply a default of very limited (or no) access. The fewer highly privileged users to maintain, the less chance a compromised account can inflict significant damage. Even better, implement least privilege as part of a zero trust cloud security strategy.

How to Implement Azure and Microsoft 365 Security Best Practices with BeyondTrust

BeyondTrust helps you gain holistic visibility, control, and auditability over your Azure cloud identities and privileged access, including locking down access to M365. Our platform unifies privileged access management (PAM) and cloud infrastructure entitlements management (CIEM) solutions, helping you enable a zero trust security architecture (ZTA) across your multicloud and hybrid environment.

Leverage BeyondTrust solutions to apply the following 9 M365 security best practices:

Gain visibility into entitlements to pinpoint privilege sprawl and ensure privileges are managed and right-sized.

1. Vault and manage all M365 administrative credentials.
2. Auto-inject the credentials to initiate a session to ensure they are never revealed to the end user
3. Provide an unimpeachable audit trail of the entire session in which the credentials were used
4. Alert when a session using the M365 credentials has been initiated and when it ends
5. Host a locked down web interface that is used only for M365
6. Implement an access control list (ACL) to only allow administrative access to M365 from trusted sources
7. For all connectivity, enforce 2FA regardless of password management and hardening
8. Create a break glass M365 administrative account, with a highly complex password
9. Integrate with ITSM tools to layer on additional governance around the usage of M365 admin accounts, and with SIEM solutions for advanced threat analytics.

To learn more about how BeyondTrust can help you seamlessly apply granular zero trust security principles across M365, Azure, and beyond, contact us today.

I also encourage you to check out our on-demand webinar with Randy Franklin Smith: Understanding Security and Privileged Access in Azure Active Directory. Azure AD is at the core of security for M365, Azure VMs, Storage, and much more. The webinar explores the security features of Azure AD, addresses key technical areas, and identifies the risks you need to mitigate.