I'm looking at Office365 security for our organisation and am wondering how best to secure it, what defaults I should apply?
We have bought Office365 E3 and I work for a Local Authority, so what should I look for and are there any good/best practice resources I should look at? I have already looked at the UK NCSC guidance documentation and that looks good, but what have other applied?
p.s. sorry If I've posted this in the wrong place.
One issue that I have found time in and out is that Office 365 inherently has some vulnerabilities. I chose to move to a spam filtration system that does anti-impersonation as a backbone. If you choose to keep O365 I would suggest just a short list of the following.
* Highly suggest investing in a spam filtration system that sits behind the 0365 console*
- disable OWA or enable MFA with app authentication (no matter what else you do)
- Set to strip all hyperlinks in messages
- One nice feature of Office 365 is that in the Admin portal, under the security it has a rating system from 0-365 (cute) which will give you different check offs you can do that will allow you too increase your security score.
*the key is to remember that training your staff is the one of the if not the most important part of email and infrastructure security, if you do not have their buy in for the changes made, as each change will make it more time consuming for them to log in, then you will have a rather hard time*
I would like to also emphasize 2FA. Cloud 2FA is expected in a high-regulatory environment like Healthcare and that if you have O365 you will should have MFA. In Microsoft's " mobile-first, cloud-first world" you must actively take steps to secure access.