
5 Simple Must-Haves for Protecting Office 365 and Azure
News headlines related to personal information leaks or websites being defaced due to security misconfigurations are becoming more and more common. As an MCSE and CISSP, I wanted to share some simple, easy-to-implement tips and tricks to help you protect Office 365 and Azure environments.
Global Banned Password List: With 123456 being one of the top weak passwords in use on the Internet for the 7th year running, use this feature to block the use of weak passwords. Microsoft is constantly updating this list, but if you want to go a step further, custom lists are an option. There are some licensing caveats depending on your Azure AD configuration, so be sure to verify what that means for you.
Azure Multi-Factor Authentication: This provides an extra layer of security for Users and Administrators, leveraging the Microsoft Authenticator app on a trusted device such as a smartphone. Even if an attacker obtains a User’s password, they can’t get in. This is included for free at a basic level with both Azure AD Free and Office 365.
Block Legacy Authentication: Turning on Multi-Factor Authentication is not enough. Old versions of Office or POP/IMAP mail clients are still able to sign in using a basic username and password, bypassing your extra security. You can block legacy authentication using Azure AD Conditional Access.
Role-Based Access Control: While giving your power users full access to Azure may seem like the path of least resistance, it is a huge risk. A compromised account or disgruntled employee could bring an organization to its knees. RBAC makes it easy to delegate only the minimum permissions required for a user to perform their role. The feature is a bit fragmented, but Microsoft maintains comprehensive, easy-to-follow documentation.
Azure Security Score: Found within the Azure Security Centre, this feature acts like a Virtual Security Analyst. Advanced algorithms are used to review your security posture and provide security recommendations on any vulnerabilities found. An overall score is calculated and displayed in the overview section.
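The Block Legacy Authentication tip above, as an added example that is not part of the original article: a Microsoft Graph PowerShell sketch that first lists recent sign-ins from legacy clients, then creates the Conditional Access policy in report-only mode. The policy name and the break-glass account ID are placeholders chosen for illustration.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# PowerShell module and an account allowed to manage Conditional Access.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All'

# Placeholder: object ID of an emergency-access account that stays excluded,
# so a policy mistake cannot lock every administrator out.
$breakGlassId = '<break-glass-account-object-id>'

# 1. Find out who still signs in with legacy protocols before blocking them.
#    Anything other than these two client types is legacy authentication.
$modern = 'Browser', 'Mobile Apps and Desktop clients'
Get-MgAuditLogSignIn -Top 1000 |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern } |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 2. Create the policy in report-only mode: it logs what it would have
#    blocked without interrupting users.
$policy = @{
    displayName = 'Block legacy authentication (example)'   # assumed name
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # 'exchangeActiveSync' and 'other' together cover the legacy clients
        # (POP, IMAP, SMTP AUTH, older Office versions).
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only results show no business-critical clients would be blocked, change the policy state to `enabled` to enforce it.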
Implementing the above is a good starting point for any organization. The next steps will really depend on the size of your environment/user count and your business requirements. I would suggest exploring the logging and alerting capabilities of Azure to give visibility into security events as they happen. These are more advanced features that will have a licensing impact in some areas.