Configure your Office 365 tenant for increased security
This topic walks you through recommended configuration for tenant-wide settings that affect the security of your Office 365 environment. Your organization might require more or less security than described here. Use these recommendations as a starting point.
Check Office 365 Secure Score
Office 365 Secure Score analyzes your Office 365 organization's security based on your regular activities and security settings and assigns a score. Begin by taking note of your current score. Adjusting some tenant-wide settings will increase your score. The goal is not to achieve the max score, but to be aware of opportunities to protect your environment that do not negatively affect productivity for your users. See Introducing the Office 365 Secure Score.
Tune threat management policies in the Office 365 Security & Compliance Center
The Office 365 Security & Compliance Center includes capabilities that protect your environment. It also includes reports and dashboards you can use to monitor and take action. Some areas come with default policy configurations; others do not include default policies or rules. Visit these areas under Threat management to tune the settings for a more secure environment.
Area: ATP anti-phishing
Includes a default policy: Yes
Recommendation: If you have a custom domain, create an anti-phishing policy to protect the email accounts of your most valuable users, such as your CEO, and to protect your domain. Review Set up an anti-phishing policy and create a policy using the example as a guide: "Example: Anti-phishing policy to protect a user and a domain."

Area: Anti-malware engine
Includes a default policy: Yes
Recommendation: Edit the default policy:
• Common Attachment Types Filter — Select On
You can also create custom malware filter policies and apply them to specified users, groups, or domains in your organization.
More information:
• Anti-malware protection
• Configure anti-malware policies

Area: ATP Safe Attachments
Includes a default policy: No
Recommendation: On the main page for safe attachments, protect files in SharePoint, OneDrive, and Microsoft Teams by checking this box:
• Turn on ATP for SharePoint, OneDrive, and Microsoft Teams
Add a new safe attachment policy with these settings:
• Block — Block the current and future emails and attachments with detected malware (choose this option)
• Enable redirect — Check this box and enter an email address, such as an admin or quarantine account
• Apply the above selection if malware scanning for attachments times out or an error occurs (check this box)
• Applied To — The recipient domain is (select your domain)
More information: Set up Office 365 ATP safe attachments policies

Area: ATP Safe Links
Includes a default policy: Yes
Recommendation: Add this setting to the default policy for the entire organization:
• Use safe links in: Office 365 ProPlus, Office for iOS and Android (select this option)
Recommended policy for specific recipients:
• URLs will be rewritten and checked against a list of known malicious links when a user clicks on the link (select this option)
• Use Safe Attachments to scan downloadable content (check this box)
• Applied To — The recipient domain is (select your domain)
More information: Office 365 ATP safe links

Area: Anti-spam (mail filtering)
Includes a default policy: Yes
Recommendation: What to watch for:
• Too much spam — Choose the Custom settings and edit the Default spam filter policy.
• Spoof intelligence — Review senders that are spoofing your domain. Block or allow these senders.
More information: Office 365 Email Anti-Spam Protection

Area: Email authentication
Includes a default policy: Yes
Recommendation: Email authentication includes techniques that use the Domain Name System (DNS) to add verifiable information to email messages about the sender of the message. Office 365 has set up defaults that should work for most organizations. More advanced Office 365 admins can make use of these email authentication methods for their custom domains:
Sender Policy Framework (SPF) validates the origin of email messages by verifying the IP address of the sender against the alleged owner of the sending domain. For a quick introduction to SPF and to get it configured quickly, see Set up SPF in Office 365 to help prevent spoofing. For a more in-depth understanding of how Office 365 uses SPF, or for troubleshooting or non-standard deployments, such as hybrid deployments, start with How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing.
DomainKeys Identified Mail (DKIM) lets you attach a digital signature to email messages in the message header of emails you send. Email systems that receive email from your domain use this digital signature to determine if the incoming email is legitimate. For information about DKIM and Office 365, see Use DKIM to validate outbound email sent from your custom domain in Office 365. After you've configured DKIM, you can enable it for your organization in the Security & Compliance Center.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps receiving mail systems determine what to do with messages that fail SPF or DKIM checks and provides another level of trust for your email partners. For information on setting up DMARC, see Use DMARC to validate email in Office 365.
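The settings in the table above can also be applied from Exchange Online PowerShell, which is easier to review and repeat than clicking through the portal. The following is an added example, not code from the original article: it creates the anti-phishing, Safe Attachments and Safe Links policies for one domain, turns on the Common Attachment Types Filter, sets up DKIM for the custom domain, and checks the SPF, DKIM and DMARC records in DNS before DKIM signing is enabled. It assumes an already connected Exchange Online session; the domain contoso.com, the policy names, the protected user and the quarantine mailbox are placeholders, and Test-EmailAuthRecords is a helper written for this example.

```powershell
# Added example, not code from the original article. Assumes a connected Exchange
# Online PowerShell session and a tenant that owns the custom domain below.
# All names, the domain and the addresses are placeholders.
$Domain     = 'contoso.com'            # assumed custom domain
$Quarantine = "quarantine@$Domain"     # assumed admin/quarantine mailbox

# ATP anti-phishing: protect one high-value user and the domain itself from
# impersonation. Protected users are given as "DisplayName;EmailAddress".
New-AntiPhishPolicy -Name 'Protect CEO and domain' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "Chief Executive;ceo@$Domain" `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect $Domain `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true
New-AntiPhishRule -Name 'Protect CEO and domain' `
    -AntiPhishPolicy 'Protect CEO and domain' -RecipientDomainIs $Domain

# Anti-malware: the Common Attachment Types Filter is EnableFileFilter on the
# default malware filter policy.
Set-MalwareFilterPolicy -Identity Default -EnableFileFilter $true

# ATP Safe Attachments: block, redirect a copy for review, and keep blocking when
# scanning times out or errors (ActionOnError). The rule scopes it to the domain.
New-SafeAttachmentPolicy -Name 'Block detected malware' -Enable $true `
    -Action Block -Redirect $true -RedirectAddress $Quarantine -ActionOnError $true
New-SafeAttachmentRule -Name 'Block detected malware' `
    -SafeAttachmentPolicy 'Block detected malware' -RecipientDomainIs $Domain

# Tenant-wide ATP switches: Safe Attachments for SharePoint, OneDrive and Teams,
# and Safe Links inside Office clients (shown under the default policy in the UI).
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true -EnableSafeLinksForClients $true

# ATP Safe Links for recipients in the domain: rewrite URLs, check them at click
# time, and scan downloadable content.
New-SafeLinksPolicy -Name 'Safe Links for domain' -IsEnabled $true `
    -ScanUrls $true -EnableForInternalSenders $true -TrackClicks $true
New-SafeLinksRule -Name 'Safe Links for domain' `
    -SafeLinksPolicy 'Safe Links for domain' -RecipientDomainIs $Domain

# Email authentication. The DKIM signing config is created first (disabled); it
# reports the two selector CNAMEs that must be published in public DNS. SPF and
# DMARC are pure DNS records.
$dkim = Get-DkimSigningConfig -Identity $Domain -ErrorAction SilentlyContinue
if (-not $dkim) { $dkim = New-DkimSigningConfig -DomainName $Domain -Enabled $false }
"selector1._domainkey.$Domain  CNAME  $($dkim.Selector1CNAME)"
"selector2._domainkey.$Domain  CNAME  $($dkim.Selector2CNAME)"

# Helper for this example: checks the published records from the admin
# workstation (Resolve-DnsName, Windows DnsClient module). Returns one object
# with a flag per requirement.
function Test-EmailAuthRecords {
    param([string]$Domain, [string]$Selector1Cname, [string]$Selector2Cname)
    $txt = { param($n) (Resolve-DnsName -Name $n -Type TXT   -ErrorAction SilentlyContinue).Strings }
    $cn  = { param($n) (Resolve-DnsName -Name $n -Type CNAME -ErrorAction SilentlyContinue).NameHost }
    [string]$spf   = (& $txt $Domain)          | Where-Object { $_ -like 'v=spf1*' }   | Select-Object -First 1
    [string]$dmarc = (& $txt "_dmarc.$Domain") | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
    $policy = if ($dmarc -match 'p=(none|quarantine|reject)') { $Matches[1] } else { $null }
    [pscustomobject]@{
        SpfPresent      = ($spf -ne '')
        SpfIncludesEop  = ($spf -match 'include:spf\.protection\.outlook\.com')
        SpfHardFail     = ($spf -match '(^|\s)-all\s*$')
        DkimSelector1Ok = ((& $cn "selector1._domainkey.$Domain") -eq $Selector1Cname)
        DkimSelector2Ok = ((& $cn "selector2._domainkey.$Domain") -eq $Selector2Cname)
        DmarcPresent    = ($dmarc -ne '')
        DmarcPolicy     = $policy
    }
}

$check = Test-EmailAuthRecords -Domain $Domain `
    -Selector1Cname $dkim.Selector1CNAME -Selector2Cname $dkim.Selector2CNAME
$check
# Enable DKIM signing only once both selector CNAMEs resolve; enabling it
# earlier makes outbound mail carry signatures that receivers cannot verify.
if ($check.DkimSelector1Ok -and $check.DkimSelector2Ok) {
    Set-DkimSigningConfig -Identity $Domain -Enabled $true
}
```

Run the policy section once; the `New-*` cmdlets fail if a policy with the same name already exists, so use the matching `Set-*` cmdlets for later changes. A DMARC record that is present but at `p=none` only reports; move to `quarantine` or `reject` after the reports show that all legitimate senders pass SPF or DKIM.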
View dashboards and reports in the Security & Compliance Center
Visit these reports and dashboards to learn more about the health of your environment. The data in these reports will become richer as your organization uses Office 365 services. For now, be familiar with what you can monitor and take action on. For more information, see Reports in the Office 365 Security & Compliance Center.

Area: Threat management dashboard
Description: In the Threat management section of the Security & Compliance Center, use this dashboard to see threats that have already been handled, and as a handy tool for reporting out to business decision makers on what Threat Intelligence has already done to secure your business.

Area: Threat explorer
Description: This is also in the Threat management section of the Security & Compliance Center. If you are investigating or experiencing an attack against your Office 365 tenant, use threat explorer to analyze threats. Threat explorer shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.

Area: Reports dashboard
Description: In the Reports section of the Security & Compliance Center, view audit reports for your SharePoint Online and Exchange Online organizations. You can also access Azure Active Directory (AD) user sign-in reports, user activity reports, and the Azure AD audit log from the View reports page.
Configure additional Exchange Online tenant-wide settings
Many of the controls for security and protection in the Exchange admin center are also included in the Security & Compliance Center. You do not need to configure these in both places. Here are a couple of additional settings that are recommended.

Area: Mail flow (transport rules)
Includes a default policy: No
Recommendation: Add a mail flow rule to help protect against ransomware. See "How to use Exchange Transport Rules to track or block emails with file extensions used by ransomware" in this blog article: How to deal with ransomware.
Create a transport rule to prevent auto-forwarding of email to external domains. For more information, see Mitigating Client External Forwarding Rules with Secure Score.
More information: Mail flow rules (transport rules) in Exchange Online

Area: Enable modern authentication
Includes a default policy: Yes
Recommendation: Modern authentication in Office 365 is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email.
See these topics:
• Enable or disable modern authentication in Exchange Online
• Skype for Business Online: Enable your tenant for modern authentication
Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business.
More information: Using Office 365 modern authentication with Office clients
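The two mail flow rules in the Mail flow row above can be created from Exchange Online PowerShell. The following is an added example, not code from the original article or from the blog post it cites: it creates a rule that rejects inbound mail with attachment extensions from a list, a rule that rejects automatic forwards leaving the organization, disables auto-forwarding at the remote domain level, and then audits forwarding that already exists, since existing external forwarding is a common indicator of a compromised mailbox. It assumes a connected Exchange Online session; the extension list, rule names and internal domains are constructed placeholders (use the list from the cited blog post for production), and Get-ExternalForwarding is a helper written for this example.

```powershell
# Added example, not code from the original article. Assumes a connected Exchange
# Online PowerShell session. The extension list is an illustration only.
$BlockedExtensions = @('js','jse','vbs','vbe','wsf','wsh','hta','scr','cmd','bat','ps1')

# Rule 1: reject inbound mail carrying attachments with the listed extensions.
New-TransportRule -Name 'Block ransomware file extensions' -Priority 0 `
    -FromScope NotInOrganization `
    -AttachmentExtensionMatchesWords $BlockedExtensions `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Attachment type is blocked by policy.'

# Rule 2: reject automatic forwards (inbox rules and mailbox forwarding) that
# leave the organization. Manual forwarding by users is unaffected.
New-TransportRule -Name 'Block external auto-forward' -Priority 1 `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -RejectMessageReasonText 'Automatic forwarding to external recipients is not allowed.'

# Same outcome at the remote-domain level, so both controls must fail before an
# auto-forward gets out.
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# Helper for this example: lists forwarding that is already configured, either on
# the mailbox or in inbox rules, with a target outside the given domains.
# Returns one object per external target found.
function Get-ExternalForwarding {
    param([string[]]$InternalDomains)
    $isExternal = {
        param($target)
        # Targets look like "smtp:user@x.com" or "Name [SMTP:user@x.com]";
        # entries without an address are directory objects, so internal.
        $addr = if ($target -match 'SMTP:([^\]]+)') { $Matches[1] } else { $target }
        if ($addr -notmatch '@') { return $false }
        $InternalDomains -notcontains ($addr -split '@')[-1]
    }
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        $upn = $mbx.PrimarySmtpAddress.ToString()
        if ($mbx.ForwardingSmtpAddress -and (& $isExternal $mbx.ForwardingSmtpAddress.ToString())) {
            [pscustomobject]@{ Mailbox = $upn; Source = 'Mailbox forwarding'
                               Target  = $mbx.ForwardingSmtpAddress.ToString() }
        }
        foreach ($rule in Get-InboxRule -Mailbox $upn) {
            foreach ($t in @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)) {
                if ($t -and (& $isExternal "$t")) {
                    [pscustomobject]@{ Mailbox = $upn; Source = "Inbox rule '$($rule.Name)'"; Target = "$t" }
                }
            }
        }
    }
}

Get-ExternalForwarding -InternalDomains @('contoso.com', 'contoso.onmicrosoft.com') |
    Format-Table -AutoSize
```

The audit enumerates every mailbox and its inbox rules, so it is slow on large tenants; run it once as a baseline and again after the rules are in place. Each hit should be confirmed with the mailbox owner before it is removed, because some external forwarding is legitimate.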
Configure tenant-wide sharing policies in SharePoint admin center
Microsoft provides recommendations for configuring SharePoint team sites at increasing levels of protection, starting with baseline protection. For more information, see Secure SharePoint Online sites and files.
SharePoint team sites configured at the baseline level allow sharing files with external users by using anonymous access links. This approach is recommended instead of sending files in email.
To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.
Area: Sharing (SharePoint Online and OneDrive for Business)
Includes a default policy: Yes
Recommendation: External sharing is enabled by default. These settings are recommended:
• Allow sharing to authenticated external users and using anonymous access links (default setting).
• Anonymous access links expire in this many days. Enter a number, if desired, such as 30 days.
• Default link type — Select Internal (people in the organization only). Users who wish to share using anonymous links must choose this option from the sharing menu.
More information: External sharing overview
SharePoint admin center and OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.
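The same baseline can be applied with the SharePoint Online Management Shell, which also makes the "more restrictive but not more permissive" relationship between sites and the tenant explicit. The following is an added example, not code from the original article: it sets the three tenant-wide values recommended above, makes one site tighter than the tenant, and then reports any drift from the baseline. It assumes the SharePoint Online Management Shell is installed and the account is a SharePoint admin; the admin URL and site URL are placeholders, and Test-SharingBaseline is a helper written for this example.

```powershell
# Added example, not code from the original article. Assumes the SharePoint
# Online Management Shell; the URLs are placeholders for your tenant.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Tenant baseline: authenticated external users and anonymous links allowed,
# anonymous links expire after 30 days, new sharing links default to people
# inside the organization.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -RequireAnonymousLinksExpireInDays 30 `
              -DefaultSharingLinkType Internal

# A site may be tighter than the tenant but never looser: this site allows only
# authenticated external users, so anonymous links cannot be created in it.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance' `
            -SharingCapability ExternalUserSharingOnly

# Helper for this example: returns the settings that deviate from the baseline.
# An empty result means the tenant matches it. Sites are only ever as permissive
# as the tenant allows, but a site still configured looser than a tenant that was
# tightened later is listed so it can be reviewed.
function Test-SharingBaseline {
    param([int]$MaxAnonymousLinkDays = 30)
    $t = Get-SPOTenant
    $rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1
               ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }
    $issues = @()
    # -1 means anonymous links never expire.
    if ($t.RequireAnonymousLinksExpireInDays -lt 1 -or
        $t.RequireAnonymousLinksExpireInDays -gt $MaxAnonymousLinkDays) {
        $issues += "Tenant: anonymous links expire in $($t.RequireAnonymousLinksExpireInDays) days; baseline is $MaxAnonymousLinkDays"
    }
    if ($t.DefaultSharingLinkType -ne 'Internal') {
        $issues += "Tenant: default link type is $($t.DefaultSharingLinkType); baseline is Internal"
    }
    foreach ($s in Get-SPOSite -Limit All) {
        if ($rank["$($s.SharingCapability)"] -gt $rank["$($t.SharingCapability)"]) {
            $issues += "Site $($s.Url): $($s.SharingCapability) is looser than tenant setting $($t.SharingCapability)"
        }
    }
    $issues
}

Test-SharingBaseline
```

Because the SharePoint and OneDrive admin centers share these settings, the values set here apply to OneDrive for Business as well.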
Configure settings in Azure Active Directory
Be sure to visit these two areas in Azure Active Directory to complete tenant-wide setup for more secure environments.
Configure named locations (under conditional access)
If your organization includes offices with secure network access, add the trusted IP address ranges to Azure Active Directory as named locations. This feature helps reduce the number of reported false positives for sign-in risk events.
Block apps that don't support modern authentication
Multi-factor authentication requires apps that support modern authentication. Apps that do not support modern authentication cannot be blocked by using conditional access rules.
For secure environments, be sure to disable authentication for apps that do not support modern authentication. You can do this in Azure Active Directory with a control that is coming soon.
In the meantime, use one of the following methods to accomplish this for SharePoint Online and OneDrive for Business:
• Use PowerShell. See Block apps that do not use modern authentication.
• Configure this in the SharePoint admin center on the "device access" page: under "Control access from apps that don't use modern authentication," choose Block.
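Enabling modern authentication (the Exchange Online row earlier on this page) and blocking legacy clients (this section) are two halves of one change: MFA only protects sign-ins that go through modern authentication, so the legacy paths have to be closed as well. The following is an added example, not code from the original article: it turns modern authentication on for Exchange Online and Skype for Business Online, blocks legacy authentication protocols for SharePoint Online and OneDrive for Business (the PowerShell form of the admin-center setting above), and reads all three settings back. It assumes the Exchange Online, Skype for Business Online and SharePoint Online management sessions are already connected; Test-ModernAuthPosture is a helper written for this example.

```powershell
# Added example, not code from the original article. Assumes connected Exchange
# Online, Skype for Business Online and SharePoint Online management sessions.

# Exchange Online: OAuth2ClientProfileEnabled is the tenant-wide modern auth switch.
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Skype for Business Online: allow clients to use ADAL (modern) authentication.
Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

# SharePoint Online and OneDrive for Business: refuse legacy authentication
# protocols. This is the same control as "Control access from apps that don't
# use modern authentication: Block" in the SharePoint admin center.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Helper for this example: reads the three settings back. Every property must
# be $true before MFA can be relied on for these workloads.
function Test-ModernAuthPosture {
    [pscustomobject]@{
        ExchangeModernAuth   = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
        SkypeModernAuth      = ((Get-CsOAuthConfiguration).ClientAdalAuthOverride -eq 'Allowed')
        SpoLegacyAuthBlocked = -not (Get-SPOTenant).LegacyAuthProtocolsEnabled
    }
}

$posture = Test-ModernAuthPosture
$posture
$gaps = $posture.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($gaps) { Write-Warning "Modern authentication is not fully enforced: $($gaps -join ', ')" }
```

Note what this does not cover: Exchange Online itself still accepts basic authentication from clients that use it, which is the gap the page says Azure Active Directory will close with a forthcoming control. Until then, watch the Azure AD sign-in reports for basic-authentication sign-ins from accounts that have MFA enabled.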
Get started with Cloud App Security or Office 365 Cloud App Security
Use Office 365 Cloud App Security to evaluate risk, to alert on suspicious activity, and to automatically take action. Requires Office 365 E5 plan.
Or, use Microsoft Cloud App Security to obtain deeper visibility even after access is granted, comprehensive controls, and improved protection for all your cloud applications, including Office 365.
Because this solution recommends the EMS E5 plan, we recommend you start with Cloud App Security so you can use this with other SaaS applications in your environment. Start with default policies and settings.
These articles and guides provide additional prescriptive information for securing your Office 365 environment:
Microsoft security guidance for political campaigns, nonprofits, and other agile organizations (you can use these recommendations in any environment, especially cloud-only environments)
Recommended security policies and configurations for identities and devices (these recommendations include help for AD FS environments)