Protect access to data and services in Office 365
Protecting access to your Office 365 data and services is crucial to defending against cyber-attacks and guarding against data loss. The same protections can be applied to other SaaS applications in your environment and even to on-premises applications published with Azure Active Directory Application Proxy.
Step 1: Review recommendations
Review the recommended capabilities for protecting identities and devices that access Office 365, other SaaS services, and on-premises applications published with Azure AD Application Proxy.
Step 2: Configure MFA
Use these resources to orient yourself to MFA, decide which version is right for you, and then plan and deploy MFA for your environment.
Step 3: Enforce MFA with Azure AD conditional access rules
If you are using Azure AD MFA, create a conditional access rule to require MFA for access to Office 365 and other SaaS apps in your environment.
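The following is an added example, not part of this page or Microsoft's own documentation, showing one way to create such a rule with the Microsoft Graph PowerShell SDK (an assumed tooling choice). It creates the policy in report-only mode so the sign-in logs show who would have been affected before MFA is enforced; the break-glass group ID is a placeholder.

```powershell
# Added example: create an Azure AD conditional access policy that requires MFA
# for all users accessing Office 365. The policy starts in report-only mode so
# its impact can be reviewed in the sign-in logs before it is enforced.
# Assumptions: the Microsoft.Graph PowerShell SDK is installed, and
# <BREAK-GLASS-GROUP-ID> is replaced with the object ID of an emergency-access
# group (placeholder, not a value from this page).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA for Office 365"
    # Report-only first; change to "enabled" after reviewing the sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        # clientAppTypes is required by the Graph API; "all" covers browser,
        # modern-auth clients and legacy protocols.
        clientAppTypes = @("all")
        applications   = @{
            # "Office365" is the built-in identifier that targets the Office 365 suite.
            includeApplications = @("Office365")
        }
        users = @{
            includeUsers  = @("All")
            # Exclude emergency-access accounts so an MFA outage cannot lock admins out.
            excludeGroups = @("<BREAK-GLASS-GROUP-ID>")
        }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

After a review period, re-run with `state = "enabled"` (or update the policy with Update-MgIdentityConditionalAccessPolicy) to enforce it.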
Step 4: Configure privileged access management
Privileged access management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that may use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings.
Step 5: Configure SharePoint device access policies
Device access policies for SharePoint Online and OneDrive for Business are recommended for protecting sensitive, classified, and regulated data. Coming soon is the ability to apply device access policies to individual team sites.
Step 6: Configure app and data protection for devices
You can manage applications on mobile devices regardless of whether the devices are enrolled for mobile device management. This protects against accidental leakage of data in Office 365, including mail and files.
- For iOS and Android: Protect app data using app protection policies with Microsoft Intune.
- For Windows 10: Configure Windows Information Protection (WIP) to prevent accidental data leaks.
- For unmanaged devices: Create and deploy a Windows Information Protection (WIP) app protection policy with Intune.
Step 7: Manage devices with Intune
Managing devices allows you to ensure that they are healthy and compliant before allowing them access to resources in your environment. Device-based conditional access rules help ensure attackers can't gain access to your resources from unmanaged devices.
Step 8: Configure additional Intune policies and conditional access rules for your environment
Use these recommended configurations as a starting point for enterprise scale or sophisticated access security scenarios.