Securing Office 365 with better configuration – advice from The NCSC

From small businesses through to large enterprises, implementing measures such as Multi-factor Authentication (MFA) should be a high priority.

Microsoft’s new guidance aims to address the increased level of unwanted attention that is generated by Office 365’s popularity. The guidance provides advice on how to implement Office 365 installations so they meet NCSC cloud security principles and recommended configurations.

The guidance covers all Office 365 services. The measures it suggests will give you confidence that you are safely using newer, cloud-only features, and familiar tools such as SharePoint and Exchange.

There are two parts to Microsoft’s guidance:

  • The first document is a response to the NCSC’s 14 cloud security principles. It also explains how certain configurations map to those security principles.
  • The second document describes the recommended configurations for an Office 365 service, including step-by-step implementation instructions. 

In short, Microsoft are recommending that you move your authentication to cloud-native authentication, bypassing any on-premises versions of Active Directory and using Azure AD for access control and management.

The NCSC explains why this will lower risk in their blog post: https://www.ncsc.gov.uk/blog-post/securing-office-365-better-configuration.

Implementing Microsoft’s guidance

The NCSC are strongly recommending that organisations that are using Office 365 review their deployments against the new guidance and make changes at least at the level Microsoft recommend.

We can support you through the process, or make the changes on your behalf, as part of our Office 365 audit and management service.

Is it enough?

The NCSC are also advising all businesses to implement multi-factor authentication (MFA) for all account logins.

MFA, sometimes called two-factor authentication, or 2FA, is your first line of defence for securing your network. By using a different device (e.g. a phone) to generate a single-use access code, even if the username and password are compromised, the hacker won’t have access to the device that generates the code.

If you aren’t already protecting against the risk of password guessing and leaked credentials using something like MFA or Conditional Access, it’s worth repeating – you should get started, right now!
