Security best practices for Office 365
Minimize the potential of a data breach or a compromised account by following these recommended best practices.
This article contains a quick list of best practices. For more in-depth analysis and information on setting up security, see Office 365 security roadmap: Top priorities for the first 30 days, 90 days, and beyond. In that article, you'll find information based on investigations of real-world attacks, where our top Microsoft Office 365 cybersecurity experts provide coaching on how to assess risk and implement the most critical security, compliance, and information protection controls to protect your Office 365 tenant. You'll learn how to prioritize threats, translate threats into technical strategy, and then take a systematic approach to implementing features and controls.
Use Office 365 Secure Score
Secure Score is a security analytics tool that recommends what you can do to further reduce risk. Secure Score looks at your Office 365 settings and activities and compares them to a baseline established by Microsoft. You'll get a score based on how aligned you are with best security practices. For more information about how to get Secure Score and use it to increase the security of your Office 365 organization, see Introducing the Office 365 Secure Score.
Want to try out Secure Score?
Access Secure Score at https://SecureScore.office.com.
Use multi-factor authentication (MFA)
MFA adds an additional layer of protection to a strong password strategy by requiring users to acknowledge a phone call, text message, or an app notification on their smart phone after correctly entering their password. With MFA in place, Office 365 user accounts are still protected against unauthorized access even if a user's password is compromised. Accounts are protected because access is not granted to an account until after the additional challenge has been satisfied. A compromised or stolen password is not enough.
Use Office 365 Cloud App Security
Set up policies based on your business needs to track anomalous activity and act on it. Set up alerts with Office 365 Cloud App Security so that admins can review unusual or risky user activity, such as downloading large amounts of data, multiple failed sign-in attempts, or sign-ins from an unknown or dangerous IP address. For organizations with an Office 365 Enterprise E5 plan, you can start using Office 365 Cloud App Security right away. If you have a different enterprise plan, you can purchase Office 365 Cloud App Security as an add-on.
Secure mail flow
Use the feature set in Exchange Online Protection to gain greater assurance about the identity of the sender of each email message and to protect against unknown malware, viruses, and malicious URLs transmitted through email.
Configure Office 365 Email Anti-Spam Protection policies for your organization.
Learn about and then use Advanced threat protection for safe attachments and safe links.
Learn about and enable Safety tips in email messages in Office 365 for your users.
If you're using a custom domain for your organization in Office 365, set up SPF, DKIM, and then DMARC to validate mail sent by your organization and to help prevent spoofing.
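A quick way to confirm that a custom domain actually publishes the SPF, DKIM, and DMARC records described above, written as an added example (not from this article). It uses the built-in Resolve-DnsName cmdlet; contoso.com is a placeholder domain, and selector1/selector2 are the two DKIM selectors Office 365 uses.

```powershell
# Added example: check the DNS records Office 365 mail authentication relies on.
$Domain = 'contoso.com'   # placeholder: replace with your custom domain

# Return each TXT record at $Name as one joined string (long records are split into chunks).
function Get-TxtRecords {
    param([string]$Name)
    try {
        Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
    } catch { @() }
}

# SPF: a TXT record at the domain apex that starts with v=spf1.
$spf = Get-TxtRecords -Name $Domain | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
if ($spf) {
    "SPF:   $spf"
    if ($spf -notmatch 'include:spf\.protection\.outlook\.com') {
        'SPF:   record does not include spf.protection.outlook.com; mail sent from Office 365 may fail SPF'
    }
} else { 'SPF:   missing' }

# DKIM: Office 365 signs with two selectors, each published as a CNAME under _domainkey.
foreach ($selector in 'selector1', 'selector2') {
    $name  = "$selector._domainkey.$Domain"
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { "DKIM:  $name -> $($cname.NameHost)" } else { "DKIM:  $name missing" }
}

# DMARC: a TXT record at _dmarc.<domain> that starts with v=DMARC1.
$dmarc = Get-TxtRecords -Name "_dmarc.$Domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if ($dmarc) {
    "DMARC: $dmarc"
    if ($dmarc -match 'p=none') {
        'DMARC: policy is p=none (monitor only); tighten to quarantine or reject once aggregate reports look clean'
    }
} else { 'DMARC: missing' }
```

Run it after each DNS change; a missing DKIM CNAME or a DMARC policy stuck at p=none are the two gaps most often left behind.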
Enable mailbox audit logging
Some audit logging is automatically enabled for you in Office 365; however, mailbox audit logging is not turned on by default. You turn on audit logging for all user mailboxes in Office 365 by using Exchange Online PowerShell. For information, see Enable mailbox auditing in Office 365.
After you've enabled audit logging, you can search the audit log in the Office 365 Security & Compliance Center to find out who has signed in to your user mailboxes, sent messages, or performed other activities as the mailbox owner, a delegated user, or an administrator. For a list of mailbox activities that are included in the Office 365 audit log by default, see Exchange mailbox activities.
For information about other actions you can perform with the audit log, such as changing the amount of time to save entries in the audit log, see Mailbox audit logging in Exchange 2016.
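The steps above (enable mailbox auditing, verify it, adjust retention, and search the log) carried out in Exchange Online PowerShell, as an added example that is not part of this article. It assumes an existing Exchange Online PowerShell session; user@contoso.com is a placeholder mailbox.

```powershell
# Added example: turn on mailbox audit logging for every user mailbox and query it.
# Assumes you are already connected to Exchange Online PowerShell.

# 1. Enable auditing on all user mailboxes (shared, room, and equipment mailboxes are excluded).
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Set-Mailbox -AuditEnabled $true

# 2. Verify: list any user mailbox where auditing is still off.
$notAudited = Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled }
if ($notAudited) {
    $notAudited | Select-Object DisplayName, AuditEnabled
} else {
    'Mailbox auditing is enabled on all user mailboxes.'
}

# 3. Review which owner, delegate, and admin actions are logged and how long entries are kept.
# user@contoso.com is a placeholder.
Get-Mailbox -Identity 'user@contoso.com' |
    Select-Object AuditEnabled, AuditLogAgeLimit, AuditOwner, AuditDelegate, AuditAdmin

# 4. Keep entries for 180 days instead of the default (retention is set per mailbox).
Set-Mailbox -Identity 'user@contoso.com' -AuditLogAgeLimit 180

# 5. Search the last 7 days of activity on that mailbox: who logged on, from where, and what they did.
Search-MailboxAuditLog -Identity 'user@contoso.com' -LogonTypes Owner, Delegate, Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName, ClientIPAddress |
    Sort-Object LastAccessed -Descending
```

Step 1 only covers mailboxes that exist today; schedule it (or use the same filter in a recurring script) so mailboxes created later are not left unaudited.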
Configure Data Loss Prevention (DLP)
DLP allows you to identify sensitive data and create policies that help prevent your users from accidentally or intentionally sharing the data. DLP works across Office 365 including Exchange Online, SharePoint Online, and OneDrive so that your users can stay compliant without interrupting their workflow. For more information, see Overview of data loss prevention policies.
Use Customer Lockbox
As an Office 365 admin, you can use Customer Lockbox to control how a Microsoft support engineer accesses your data during a help session. In cases where the engineer requires access to your data to troubleshoot and fix an issue, Customer Lockbox allows you to approve or reject the access request. If you approve it, the engineer can access the data. Each request has an expiration time, and once the issue is resolved, the request is closed and access is revoked. Customer Lockbox is included in the Office 365 Enterprise E5 plan, or you can purchase a separate subscription with any other Office 365 enterprise plan. For information, see Office 365 Customer Lockbox Requests.
Try it yourself
See these security features working in an Office 365 trial subscription prior to adopting them in production.
Check the Office 365 Secure Score for your trial subscription after each of the above steps.