Best practices for securing Microsoft 365 for business

If you are a small or medium-size organization using one of Microsoft's business plans, the guidance in this article helps you tighten the security of your organization. Among your choices, Microsoft 365 Business Premium leads the way since it now includes Microsoft Defender for Business and other security protections. The recommended actions included here will help you achieve the goals described in the Harvard Kennedy School Cybersecurity Campaign Handbook.

Tip

If you need help with the steps in this article, consider working with a Microsoft small business specialist. With Business Assist, you and your employees get around-the-clock access to small business specialists as you grow your business, from onboarding to everyday use.

Watch: A quick overview of security

All the Microsoft 365 plans offer baseline protection and security with Defender Antivirus, but with Microsoft 365 Business Premium you also have threat protection, data protection, and device management features due to the inclusion of Microsoft Defender for Business. These additional capabilities protect your organization from online threats and unauthorized access, as well as allow you to manage company data on your phones, tablets, and computers.

Security features comparison

To learn about one of the service plan features, click on the heading in the following table.

Task Microsoft 365 Business Standard Microsoft 365 Business Premium
Protect against lost or stolen passwords Included. Included.
Train your users Included. Included.
Use dedicated admin accounts Included. Included.
Protect against malware Included.
(protection for email)
Included.
(increased protection for email and devices)
Protect against ransomware Included.
(protection for email and cloud storage)
Included.
(increased protection for devices, email, and cloud storage)
Encrypt sensitive emails Included. Included.
Protect your email from phishing attacks Included.
(anti-phishing protection)
Included.
(advanced anti-phishing protection)
Protect against malicious attachments, files, and URLs in email and Office files Included.
(Safe Links and Safe Attachments)
Increase protection for your organization's devices Included.
(enterprise-grade device protection)

You can quickly set up security and begin collaborating safely with the guidance we provide in the Microsoft 365 Business Premium library. The Business Premium information was developed in partnership with the Microsoft Defending Democracy team to protect all small business customers against cyber threats launched by sophisticated cyber attacks and hackers.

About the Microsoft 365 Secure Score

It's important that before you begin, you check your Microsoft 365 Secure Score in the Microsoft 365 Defender portal. From a centralized dashboard, you can monitor and improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure. You are given points for configuring recommended security features, performing security-related tasks (such as viewing reports), or addressing recommendations with a third-party application or software. With added insights and more visibility into a broader set of Microsoft products and services, you can feel confident reporting about your organization's security health.

Screenshot of Microsoft Secure Score.

Set up multi-factor authentication

Protect against lost or stolen passwords by using multi-factor authentication (MFA). When multi-factor authentication is set up, it requires people to use a code on their phone to sign into Microsoft 365. This extra step can prevent hackers from taking over if they know your password.

Multi-factor authentication is also called 2-step verification. Individuals can add 2-step verification to most accounts easily, for example, to their Google or Microsoft accounts. Here's how to add two-step verification to your personal Microsoft account.

For businesses using Microsoft 365, add a setting that requires your users to log in using multi-factor authentication. When you make this change, users will be prompted to set up their phone for two-factor authentication next time they log in. To see a training video for how to set up MFA and how users complete the setup, see set up MFA and user set up.

Turn on security defaults

For most organizations, security defaults offer a good level of added sign-in security. For more information, see What are security defaults?. If your subscription is new, security defaults might already be turned on for you automatically.

Enable or disable security defaults from the Properties pane for Azure Active Directory (Azure AD) in the Azure portal.

  1. Sign in to the Microsoft 365 admin center with global admin credentials.

  2. In the left nav choose Show All and under Admin centers, choose Azure Active Directory.

  3. In the Azure Active Directory admin center, choose Azure Active Directory > Properties.

  4. At the bottom of the page, choose Manage Security defaults.

  5. Choose Yes to enable security defaults or No to disable security defaults, and then choose Save.

After you set up multi-factor authentication for your organization, your users will be required to set up two-step verification on their devices. For more information, see Set up 2-step verification for Microsoft 365.

Tip

If you need more granular control of multi-factor authentication, you can enable Conditional Access with Microsoft 365 Business Premium. If you do this, we recommend implementing the equivalent policies to Security Defaults. Go here for more information about security defaults.

For more details and recommendations, see Set up multi-factor authentication for users.

Train your users

The Harvard Kennedy School Cybersecurity Campaign Handbook provides excellent guidance on establishing a strong culture of security awareness within your organization, including training users to identify phishing attacks.

In addition, Microsoft recommends that your users take the actions described in this article: Protect your account and devices from hackers and malware. These actions include:

  • Using strong passwords
  • Protecting devices
  • Enabling security features on Windows 10 and Mac PCs

Microsoft also recommends that users protect their personal email accounts by taking the actions recommended in the following articles:

Use dedicated admin accounts

The administrative accounts you use to administer your Microsoft 365 environment include elevated privileges. These are valuable targets for hackers and cyber attackers. Use admin accounts only for administration. Admins should have a separate user account for regular, non-administrative use and only use their administrative account when necessary to complete a task associated with their job function. Additional recommendations:

  • Be sure accounts are added to Azure Active Directory.
  • Be sure admin accounts are also set up for multi-factor authentication.
  • Before using admin accounts, close out all unrelated browser sessions and apps, including personal email accounts.
  • After completing admin tasks, be sure to log out of the browser session.

Protect against malware

Your Microsoft 365 environment includes protection against malware. You can increase your malware protection by:

  • Using pre-set policies for Microsoft Office 365.
  • Blocking attachments with certain file types.
  • Using antivirus/anti-malware protection on your devices, especially Microsoft Defender for Business. It includes features such as automated investigative reporting (AIR) and the Threat and Vulnerability Management (TVM) Dashboard. When Microsoft Defender for Business is not your primary anti-virus software, you can still run it in passive mode and use endpoint protection and response (EDR), especially in block mode where it works behind the scenes to remediate malicious artifacts that were detected by EDR's capabilities, and missed by the primary virus detector software.

Block attachments with certain file types

You can increase your malware protection by blocking attachments with file types that are commonly used for malware. To bump up malware protection in email, view a short training video, or complete the following steps:

  1. In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > Anti-malware in the Policies section.
  2. On the Anti-malware page, double-click on Default. A flyout appears.
  3. Select Edit protection settings at the bottom of the flyout.
  4. In the next page, under Protection settings, select the checkbox next to Enable the common attachments filter. The file types that are blocked are listed directly below this option. To add or delete file types, select Customize file types at the end of the list.
  5. Select Save.

For more information, see Antimalware protection in EOP.

Use antivirus and anti-malware protection

Microsoft Defender Antivirus provides strong antivirus and antimalware protection, and is built into the Windows operating system.

If your organization is using Microsoft 365 Business Premium, you get additional device protection that includes:

  • Next-generation protection
  • Firewall protection
  • Web content filtering

These capabilities are included in Microsoft Defender for Business, an offering that will begin rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022.

Learn more about Microsoft Defender for Business.

Protect against ransomware

Ransomware restricts access to data by encrypting files or locking computer screens. It then attempts to extort money from victims by asking for "ransom," usually in form of cryptocurrencies like Bitcoin, in exchange for access to data.

You get ransomware protection for email hosted in Microsoft 365 and for files that are stored in OneDrive. If you have Microsoft 365 Business Premium, you get additional ransomware protection for your organization's devices.

You can protect against ransomware by creating one or more mail flow rules to block file extensions that are commonly used for ransomware, or to warn users who receive these attachments in email. A good starting point is to create two rules:

  • Use OneDrive for moving files, so that they are always access-controlled and protected.

  • Warn users before opening Office file attachments that include macros. Ransomware can be hidden inside macros, so we'll warn users to not open these files from people they do not know.

  • Block file types that could contain ransomware or other malicious code. We'll start with a common list of executables (listed in the table below). If your organization uses any of these executable types and you expect them to be sent in email, add them to the previous rule (warn users).

To create a mail transport rule, view a short training video, or complete the following steps:

  1. Go to the Exchange admin center.

  2. In the mail flow category, select rules.

  3. Select +, and then Create a new rule.

  4. Select **** at the bottom of the dialog box to see the full set of options.

  5. Apply the settings in the following table for each rule. Leave the rest of the settings at the default, unless you want to change them.

  6. Select Save.

Setting Warn users before opening attachments of Office files Block file types that could contain ransomware or other malicious code
Name
Anti-ransomware rule: warn users
Anti-ransomware rule: block file types
Apply this rule if . . .
Any attachment . . . file extension matches . . .
Any attachment . . . file extension matches . . .
Specify words or phrases
Add these file types:
dotm, docm, xlsm, sltm, xla, xlam, xll, pptm, potm, ppam, ppsm, sldm
Add these file types:
ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif
Do the following . . .
Prepend a disclaimer
Block the message . . . reject the message and include an explanation
Provide message text
Do not open these types of files—unless you were expecting them—because the files may contain malicious code and knowing the sender isn't a guarantee of safety.

Tip

You can also add the files you want to block to the anti-malware list in Protect against malware.

For more information, see:

Protect sensitive emails

Microsoft 365 includes Office Message Encryption which allows you to send and receive encrypted email messages between people inside and outside your organization, and only the intended recipients may view them. The encryption works with Outlook.com, Yahoo!, Gmail, and other email services.

Tip

If a more stringent security level is needed, your organization should also configure and use sensitivity labeling for emails or files. Sensitivity labels allow control over content, no matter where it goes.

Send encrypted email

To encrypt your email:

  1. With a new email open, select the Options menu.
  2. From the Encrypt drop-down choose the appropriate permission level.

Email message encryption in Outlook

Receive encrypted email

If the recipient has Outlook 2013 or Outlook 2016 and a Microsoft email account, they'll see an alert about the item's restricted permissions in the Reading pane. After opening the message, the recipient can view the message just like any other.

If the recipient is using another email client or email account, such as Gmail or Yahoo, they'll see a link that lets them either sign in to read the email message or request a one-time passcode to view the message in a web browser. If users aren't receiving the email, they should check their Spam or Junk email folder.

Protect the organization

If you've configured one or more custom domains for your Microsoft 365 environment, you can configure targeted anti-phishing protection. Anti-phishing protection is included in Microsoft Defender for Office 365, and can help protect your organization from malicious impersonation-based phishing and other attacks.

Note

If you haven't configured a custom domain, you don't need to do this.

We recommend you get started with this protection by creating a policy for your most important users and your custom domain. A good place to do this is in Microsoft 365 Defender, included with Microsoft Business Premium. To create an anti-phishing policy in Defender for Office 365, complete the following steps:

  1. Go to Microsoft 365 Defender portal.

  2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-phishing in the Policies section.

  3. On the Anti-phishing page, select + Create. A wizard launches that steps you through defining your anti-phishing policy.

  4. Specify the name, description, and settings for your policy as recommended in the chart below. For more information, see Learn about anti-phishing policy in Microsoft Defender for Office 365 options.

  5. After you've reviewed your settings, select Create this policy or Save, as appropriate.

Setting or option Recommended setting
Name Domain and most valuable campaign staff
Description Ensure most important staff and our domain aren't being impersonated.
Add users to protect Select + Add a condition, The recipient is. Type user names or enter the email address of the candidate, campaign manager, and other important staff members. You can add up to 20 internal and external addresses that you want to protect from impersonation.
Add domains to protect Select + Add a condition, The recipient domain is. Enter the custom domain associated with your Microsoft 365 subscription, if you defined one. You can enter more than one domain.
Choose actions If email is sent by an impersonated user: select Redirect message to another email address, and then type the email address of the security administrator; for example, securityadmin@contoso.com.
If email is sent by an impersonated domain: select Quarantine message.
Mailbox intelligence By default, mailbox intelligence is selected when you create a new anti-phishing policy. Leave this setting On for best results.
Add trusted senders and domains For this example, don't define any overrides.
Applied to Select The recipient domain is. Under Any of these, select Choose. Select + Add. Select the check box next to the name of the domain, for example, contoso.com, in the list, and then select Add. Select Done.

Protect against malicious attachments, files, and URLs

People regularly send, receive, and share attachments, such as documents, presentations, spreadsheets, and more. It's not always easy to tell whether an attachment is safe or malicious just by looking at an email message. Microsoft Defender for Office 365 includes Safe Attachment protection, but this protection isn't turned on by default. We recommend that you create a new rule to begin using this protection. This protection extends to files in SharePoint, OneDrive, and Microsoft Teams.

Set up Safe Attachments

You can use pre-set Safe Attachments policies, or create your own. To create a Safe Attachments policy, view a short training video, or complete the following steps:

  1. Go to Microsoft 365 Defender portal, and sign in with your admin account.

  2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-malware in the Policies section.

  3. Select + Create to create a new policy.

  4. Apply the settings in the following table.

  5. After you've reviewed your settings, select Create this policy or Save, as appropriate.

Setting or option Recommended setting
Name Block current and future emails with detected malware.
Description Block current and future emails and attachments with detected malware.
Save attachments unknown malware response Select Block - Block the current and future emails and attachments with detected malware.
Redirect attachment on detection Enable redirection (select this box)
Enter the admin account or a mailbox setup for quarantine.
Apply the above selection if malware scanning for attachments times out or error occurs (select this box).
Applied to The recipient domain is . . . select your domain.

Hackers sometimes hide malicious websites in links in email or other files. Safe Links, part of Microsoft Defender for Office 365, can help protect your organization by providing time-of-click verification of web addresses (URLs) in email messages and Office documents. Protection is defined through Safe Links policies.

Do the following to protect against attacks:

  • Modify the default policy to increase protection.

  • Add a new policy targeted to all recipients in your domain.

To get to Safe Links, view a short training video, or complete the following steps:

  1. Go to Microsoft 365 Defender portal, and sign in with your admin account.

  2. Go to Email & collaboration > Policies & rules > Threat policies > Anti-malware in the Policies section.

  3. Select + Create to create a new policy, or modify the default policy.

To modify the default policy:

  1. Double-click the Default policy. A flyout appears.

  2. Select Edit protection settings at the bottom of the flyout.

  3. After modifying the default policy, select Save.

Setting or option Recommended setting
Name Safe links policy for all recipients in the domain
Select the action for unknown potentially malicious URLs in messages Select On - URLs will be rewritten and checked against a list of known malicious links when user clicks on the link.
Apply real-time URL scanning for suspicious links and links that point to files Select this box.
Applied to The recipient domain is . . . select your domain.

Tip

For more information, see Safe Links in Microsoft Defender for Office 365.

Increase protection for your organization's devices

Microsoft Defender Antivirus is built into the Windows operating system and provides good protection against viruses and malware. However, you can increase protection for your organization's devices by onboarding them to Microsoft Defender for Business which is a new offering for small and medium-sized businesses like yours, and is included with Microsoft 365 Business Premium. With Defender for Business, your organization's devices are better protected from ransomware, malware, phishing, and other threats.

With Microsoft 365 Business Premium you get heightened security features such as device management and advanced threat protection. When you enroll devices to Microsoft 365 Business for Defender, the devices are monitored and protected by InTune.

To learn more, see the following resources:

Multi-factor authentication for Microsoft 365 (article)
Manage and monitor priority accounts (article)
Microsoft 365 Reports in the admin center (video)
Microsoft 365 Business Premium — cybersecurity for small business (article)\