Protect access to data and services in Office 365

Protecting access to your Office 365 data and services is crucial to defending against cyber-attacks and guarding against data loss. The same protections can be applied to other SaaS applications in your environment and even to on-premises applications published with Azure Active Directory Application Proxy.

Step 1: Review recommendations

Review the recommended capabilities for protecting identities and devices that access Office 365, other SaaS services, and on-premises applications published with Azure AD Application Proxy.

Step 2: Configure MFA

Use these resources to orient yourself to MFA, decide which version is right for you, and then plan and deploy MFA for your environment.

Step 3: Enforce MFA with Azure AD conditional access rules

If you are using Azure AD MFA, create a conditional access rule to require MFA for access to Office 365 and other SaaS apps in your environment.

Step 4: Configure privileged access management

Privileged access management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.

Step 5: Configure SharePoint device access policies

Device access policies for SharePoint Online and OneDrive for Business are recommended for protecting sensitive, classified, and regulated data. The ability to apply device access policies to individual team sites is coming soon.

Step 6: Configure app and data protection for devices

You can manage applications on mobile devices regardless of whether the devices are enrolled for mobile device management. This protects against accidental leakage of data in Office 365, including mail and files.

For Windows 10, configure Windows Information Protection (WIP) to prevent accidental data leaks.

Step 7: Manage devices with Intune

Managing devices allows you to ensure that they are healthy and compliant before allowing them access to resources in your environment. Device-based conditional access rules help ensure attackers can't gain access to your resources from unmanaged devices.

Step 8: Configure additional Intune policies and conditional access rules for your environment

Use these recommended configurations as a starting point for enterprise-scale or sophisticated access security scenarios.