Microsoft 365 and Entra ID security
Microsoft 365 tenants, and the underlying authentication system Entra ID (Azure AD), have many different configuration options to allow your business to implement different levels of security. Many of these options aren't enabled by default. While this document doesn't cover every security option available, or discuss other technologies such as device management and data loss prevention (DLP), it provides guidance to our customers about recommended settings that will help improve identity protection and reduce the chance of Business Email Compromise (BEC).
The guidance is in two sections, recommended settings and optional settings. We urge all customers to implement recommended settings. We also suggest you consider and investigate the optional settings, and apply them as suitable for your environment.
Any change to your environment you're considering should be reviewed and tested in your organization after referring to the appropriate documentation from Microsoft. We recommend that you do any changes in batches, using test accounts, pilot users and small departments before the entire organization. Ensure you have an emergency access account available, as documented below, to avoid being locked out.
License guidance
Some of the configuration items below are available in all M365 tenants, regardless of the licenses being used. However, most require at least 'Entra ID P1' licenses to be available in your tenant, and some require 'Entra ID P2' licenses. 'Entra ID P1' is included with the M365 Business Premium and E3/A3 bundles; 'Entra ID P2' is included with the M365 E5/A5 bundles.
If you're not using licensing that includes at least 'Entra ID P1' licensing, then we strongly recommend the use of Microsoft's 'Security Defaults'. This is a basic set of security policies that are controlled by Microsoft. See Providing a default level of security in Microsoft Entra ID - Microsoft Entra.
When integrating Microsoft alerts with the Sophos MDR service, 'Entra ID P1' is the minimum license you should use; however, we recommend 'Entra ID P2', due to the increased number of alerts generated by Microsoft. See these articles for examples of these alerts:
- Microsoft 365 alert policies
- What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection
We recommend asking your Microsoft licensing specialist for additional licensing information.
Recommended configuration items
Apply principles of least privilege
Use separate admin accounts & RBAC roles to limit admin privileges. Grant only the roles required for job function. Microsoft recommends a maximum of five global admin accounts. Do not reuse admin credentials across domains or services.
Impact: Users should only have access to areas allowed for their job function. Admins should use separate accounts.
Location: Entra ID > Roles & admins
References:
Configure authentication methods
This setting configures the authentication methods available for your users to access the environment. We recommend setting at least Microsoft Authenticator, email one-time passcode, and temporary access pass, disabling call-to-phone as an option.
Location: Entra ID > Protect & secure > Authentication methods > Policies
References:
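The authentication methods policy described above can be audited from its Microsoft Graph representation (GET /policies/authenticationMethodsPolicy) rather than by clicking through the portal. The following is an added example, not code from this guide or from Microsoft: it compares an export against the baseline recommended in this section (Microsoft Authenticator, email one-time passcode and temporary access pass enabled, call-to-phone disabled). The sample export is constructed and trimmed to the fields the check needs; the method ids are the ones Graph uses for these configurations.

```python
import json

# Baseline from this section: Graph method ids and the state recommended for each.
# 'Email' is email one-time passcode; 'Voice' is call-to-phone.
RECOMMENDED_STATES = {
    "MicrosoftAuthenticator": "enabled",
    "Email": "enabled",
    "TemporaryAccessPass": "enabled",
    "Voice": "disabled",
}

# Constructed sample of GET /policies/authenticationMethodsPolicy, trimmed to the
# fields the audit needs. A real export also carries @odata.type and per-method settings.
SAMPLE_POLICY_JSON = """
{
  "id": "authenticationMethodsPolicy",
  "authenticationMethodConfigurations": [
    {"id": "MicrosoftAuthenticator", "state": "enabled"},
    {"id": "Email", "state": "enabled"},
    {"id": "TemporaryAccessPass", "state": "disabled"},
    {"id": "Voice", "state": "enabled"},
    {"id": "Sms", "state": "disabled"}
  ]
}
"""


def audit_authentication_methods(policy: dict) -> list:
    """Return one finding per baseline method whose state differs from the recommendation.

    A method with no configuration object in the export is reported as 'missing'
    rather than guessed at, so the reviewer checks it in the portal.
    """
    observed = {
        cfg["id"]: cfg.get("state", "missing")
        for cfg in policy.get("authenticationMethodConfigurations", [])
    }
    findings = []
    for method, wanted in RECOMMENDED_STATES.items():
        actual = observed.get(method, "missing")
        if actual != wanted:
            findings.append(f"{method}: is {actual}, recommended {wanted}")
    return findings


def audit_sample() -> list:
    """Run the audit over the constructed sample export."""
    return audit_authentication_methods(json.loads(SAMPLE_POLICY_JSON))


if __name__ == "__main__":
    for finding in audit_sample() or ["No deviations from the recommended baseline"]:
        print(finding)
```

Run it against a real export by replacing SAMPLE_POLICY_JSON with the JSON returned by Graph (for example from Graph Explorer or `Invoke-MgGraphRequest`); methods outside the baseline, such as SMS or FIDO2, are left to your own policy and are not judged here.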
Replace 'Security Defaults' with conditional access policies
When using 'Entra ID P1' licenses or higher, you'll be able to create custom Conditional Access policies to enhance your security. To create these policies, you'll need to disable 'Security Defaults' and create Conditional Access Policies from Microsoft templates to do things such as enforcing MFA. Be sure to exclude any 'Emergency Access' accounts or groups when creating these policies.
Location:
- Entra ID > Overview > Properties
- Entra ID > Protect & secure > Conditional access
References:
Conditional Access Templates:
- Block Legacy Authentication: Block legacy authentication with Conditional Access - Microsoft Entra ID
- Require MFA For Admins: Require MFA for administrators with Conditional Access - Microsoft Entra ID
- Require MFA for Azure Management: Require MFA for Azure management with Conditional Access - Microsoft Entra ID
- Require MFA for All Users: Require MFA for all users with Conditional Access - Microsoft Entra ID
Conditional Access Policies Guidance:
Require MFA to register or join device
This ensures that users who attempt to join new Windows devices to Entra ID must perform multifactor authentication.
Location: Entra ID > Protect & secure > Conditional access
- Name: Require MFA to register or join devices.
- Users: All users, be sure to exclude any 'Emergency Access' accounts or groups.
- Cloud apps or actions: User actions > Register or join devices.
- Conditions: None.
- Access controls > Grant: Require multifactor authentication.
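The policy settings listed above map directly onto the Microsoft Graph conditionalAccessPolicy object (the body of POST /identity/conditionalAccess/policies, and the same shape that `Get-MgIdentityConditionalAccessPolicy` returns). The following is an added example, not code from this guide or from Microsoft: it builds that body for the register-or-join-devices policy, defaulting to report-only state so the change can be piloted, and then checks an exported list of policies for the emergency access exclusion that this guide asks for on every policy. The group id, user id and the exported policies are constructed placeholders; the Global Administrator role template id is the real one, since emergency access accounts hold that role and role-scoped policies therefore target them.

```python
from typing import List

# Constructed placeholder ids for this example; real values come from your tenant.
EMERGENCY_ACCESS_GROUP_ID = "11111111-1111-1111-1111-111111111111"
EMERGENCY_ACCESS_USER_IDS = {"22222222-2222-2222-2222-222222222222"}
# Template id of the Global Administrator directory role, which emergency access
# accounts hold, so role-scoped policies also target them.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"


def build_register_device_policy(emergency_group_id: str, enforce: bool = False) -> dict:
    """Return the Graph request body for the policy described in this section.

    It defaults to report-only state so the sign-in log shows what would have
    been required before the policy is switched to 'enabled'.
    """
    return {
        "displayName": "Require MFA to register or join devices",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeGroups": [emergency_group_id],
            },
            # The 'Register or join devices' user action.
            "applications": {"includeUserActions": ["urn:user:registerdevice"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def targets_emergency_accounts(users: dict) -> bool:
    """True when a policy's user scope includes the emergency access accounts."""
    return (
        "All" in users.get("includeUsers", [])
        or bool(EMERGENCY_ACCESS_USER_IDS & set(users.get("includeUsers", [])))
        or EMERGENCY_ACCESS_GROUP_ID in users.get("includeGroups", [])
        or GLOBAL_ADMIN_ROLE_ID in users.get("includeRoles", [])
    )


def excludes_emergency_accounts(users: dict) -> bool:
    """True when the group, or every emergency user individually, is excluded."""
    if EMERGENCY_ACCESS_GROUP_ID in users.get("excludeGroups", []):
        return True
    return EMERGENCY_ACCESS_USER_IDS <= set(users.get("excludeUsers", []))


def policies_missing_emergency_exclusion(policies: List[dict]) -> List[str]:
    """Names of non-disabled policies that apply to the emergency accounts without excluding them.

    Report-only policies are included: the exclusion should be in place before
    they are enforced.
    """
    findings = []
    for policy in policies:
        if policy.get("state") == "disabled":
            continue
        users = policy.get("conditions", {}).get("users", {})
        if targets_emergency_accounts(users) and not excludes_emergency_accounts(users):
            findings.append(policy["displayName"])
    return findings


# Constructed export in the shape of the 'value' array of GET /identity/conditionalAccess/policies.
SAMPLE_EXPORT = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": [EMERGENCY_ACCESS_GROUP_ID]}}},
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": []}}},
    {"displayName": "Require MFA for admins", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE_ID], "excludeUsers": []}}},
    {"displayName": "Finance app restrictions", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["33333333-3333-3333-3333-333333333333"]}}},
    {"displayName": "Retired pilot policy", "state": "disabled",
     "conditions": {"users": {"includeUsers": ["All"]}}},
    build_register_device_policy(EMERGENCY_ACCESS_GROUP_ID),
]


def audit_sample_export() -> List[str]:
    """Run the exclusion check over the constructed export."""
    return policies_missing_emergency_exclusion(SAMPLE_EXPORT)


if __name__ == "__main__":
    import json
    print(json.dumps(build_register_device_policy(EMERGENCY_ACCESS_GROUP_ID), indent=2))
    print("Policies missing the emergency access exclusion:", audit_sample_export())
```

The check deliberately treats a policy scoped only to an unrelated group as fine, and a disabled policy as out of scope, so that the list it returns is the set of policies that would actually lock out the emergency accounts if they were needed.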
Only allow sign-ins from authorized countries
We recommend reducing the risk of account compromise by limiting the number of countries from which users can sign in to your environment. If you have no staff that travel abroad, then prevent all users in your organization from accessing your environment from outside your home country. If you do have users that travel, then these policies can be implemented per group. For example, you can allow access from all countries, or a subset of countries, for a specific group of users that travel, or break users into geographical regions, limiting their access by region.
You achieve this by using Conditional Access Policies. Create a Named Location list, for example "Allowed Countries", and add countries that you want to have access. Then create a Conditional Access Policy to block access for All Users, for all Cloud Apps, excluding "Allowed Countries" and any "Emergency Users or Groups".
Warning
Test this policy carefully before applying to all users.
Location: Entra ID > Protect & secure > Conditional access
Block high-risk users
The M365 User risk level is a feature that helps to determine the risk of a user account in Entra ID. It is a part of Entra ID Identity Protection, and is done by analysing various signals from the user account such as IP addresses, device state, suspicious activity and known compromised credentials.
The user risk level is divided into three categories:
- Low Risk: Low risk user accounts are considered to be legitimate.
- Medium Risk: Medium risk user accounts may be legitimate, but are also more likely to be compromised or targeted by a threat actor.
- High Risk: High risk user accounts are considered to be compromised.
We recommend blocking user accounts that are deemed high risk, and requiring a secure password change on a user deemed medium risk.
Location: Entra ID > Protect & secure > Conditional access
Reference:
Block high-risk sign-ins
The M365 Sign-In Risk level is a feature that helps determine the risk of an individual sign-in attempt to Entra ID. It is a part of Entra ID Identity Protection, and analyses multiple signals as part of the sign-in process to determine the risk level.
The Sign-In Risk level is divided into three categories:
- Low Risk: Low-risk sign-in attempts are considered to be legitimate.
- Medium Risk: Medium-risk sign-in attempts may be legitimate, but are also more likely to be compromised or targeted by a threat actor.
- High Risk: High-risk sign-in attempts are considered to be compromised.
We recommend blocking sign-in attempts that are deemed high risk, and requiring MFA on medium risk sign-ins.
Location: Entra ID > Protect & secure > Conditional access
Reference:
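The three Conditional Access policies recommended above (authorized countries, user risk and sign-in risk) interact: a block from any applicable policy wins, and otherwise a sign-in must satisfy the grant controls of every policy that applies. The following is an added example, not code from this guide or from Microsoft, that simulates that combination for constructed sign-in events so you can see the outcome of the recommended settings before testing them on pilot users. It also covers the edge case a country block introduces: a sign-in whose IP cannot be mapped to a country falls outside the "Allowed Countries" named location unless that location is configured to include unknown countries and regions. The allowed countries, risk levels and events are all constructed values; Entra ID's own evaluation uses far more signals than this model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Named location 'Allowed Countries' from the section above (constructed values).
ALLOWED_COUNTRIES = {"GB", "IE"}
# The named location's includeUnknownCountriesAndRegions flag: when False, a sign-in
# whose IP cannot be mapped to a country is outside the allowed list and is blocked.
INCLUDE_UNKNOWN_COUNTRIES = False


@dataclass
class SignIn:
    user: str
    country: Optional[str]     # ISO 3166-1 alpha-2 from the sign-in IP; None = unknown
    user_risk: str             # 'none', 'low', 'medium' or 'high' (Identity Protection)
    sign_in_risk: str          # same scale, for this particular sign-in
    emergency_account: bool = False  # member of the excluded emergency access group


def evaluate(event: SignIn) -> Tuple[str, List[str]]:
    """Return ('block', [blocking policies]) or ('grant', [required controls]).

    Mirrors how Conditional Access combines policies: a block from any applicable
    policy wins; otherwise the user must satisfy the union of grant controls.
    Only the policies recommended in this guide are modelled.
    """
    if event.emergency_account:
        return "grant", []  # excluded from every policy, per the guidance above

    blocked_by: List[str] = []
    controls = set()

    in_allowed_country = (
        event.country in ALLOWED_COUNTRIES if event.country else INCLUDE_UNKNOWN_COUNTRIES
    )
    if not in_allowed_country:
        blocked_by.append("Only allow sign-ins from authorized countries")

    if event.user_risk == "high":
        blocked_by.append("Block high-risk users")
    elif event.user_risk == "medium":
        # Secure password change: MFA and then a new password (operator AND in the policy).
        controls.update({"mfa", "passwordChange"})

    if event.sign_in_risk == "high":
        blocked_by.append("Block high-risk sign-ins")
    elif event.sign_in_risk == "medium":
        controls.add("mfa")

    if blocked_by:
        return "block", blocked_by
    return "grant", sorted(controls)


# Constructed sign-in events that exercise each branch.
SAMPLE_EVENTS = [
    SignIn("alice", "GB", "low", "low"),
    SignIn("bob", "US", "low", "low"),
    SignIn("carol", None, "low", "low"),
    SignIn("dave", "IE", "medium", "medium"),
    SignIn("erin", "GB", "none", "high"),
    SignIn("breakglass", "US", "high", "high", emergency_account=True),
]


def evaluate_samples() -> dict:
    """Evaluate every constructed event, keyed by user."""
    return {e.user: evaluate(e) for e in SAMPLE_EVENTS}


if __name__ == "__main__":
    for user, (decision, detail) in evaluate_samples().items():
        print(f"{user:<10} {decision:<6} {', '.join(detail) or '-'}")
```

The "carol" event is the one to note when rolling out the country policy: an unmapped IP is blocked outright with the flag left at its default, which is the safe setting but also the reason to test on a pilot group first, as the warning in that section says.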
Optional configuration items
Emergency access accounts
Microsoft recommends emergency access admin accounts that are excluded from Conditional Access Policies. These accounts should hold the 'global admin' role and be secured with extremely long and complex passwords, stored in a secure password vault and used only for emergencies.
Reference:
Configure password expiration policy
Ensure that your password expiration is in alignment with corporate policy and compliance requirements.
Note
Microsoft recommends that passwords are set to 'never expire' if MFA is enforced organization wide.
Location: Microsoft 365 Admin centre > Settings > Security & Privacy
Manage application consent and permissions
By default, all users can grant permissions to third-party applications and add-ins. This can be risky, as threat actors may create malicious apps and send phishing emails to users, prompting your users to provide unintentional access to their mailboxes and files. We recommend limiting this to trusted publishers or blocking it, requiring admin consent.
Location: Entra ID > Applications > Enterprise applications > Consent and permissions
Reference:
Require MFA for guests
We recommend requiring MFA for guests that are invited to access resources within your environment, to reduce the chance of your data being accessed by a compromised third-party account. This can be deployed using a Conditional Access Policy Template.
Location: Entra ID > Protect & secure > Conditional access