During Ignite 2018 in Orlando there was a lot of focus on security in Office 365 and Azure Active Directory. That makes sense: a cloud solution is reachable by everyone, not only your own internal users but also the bad guys who are after your data, accounts or money. And it is not only your user accounts that are at risk; your admin accounts are even more exposed, and once you lose your admin accounts you are pretty much out of business.
It was shocking to hear the numbers quoted at Ignite: around 6,000 admin accounts are compromised each month, and only 4% of all admin accounts have MFA enabled, while enabling MFA cuts account compromise by 99.9%. Go figure!
Another issue that hurts security is weak passwords. Everybody knows about brute force attacks, but have you heard of password spray attacks? Instead of hammering one account with many passwords (which trips the lockout threshold), the attacker takes a list of user names and tries just one or two common or default passwords against every account, then waits and tries the next one. Each account only sees a failure or two, so nothing locks out and you as an admin may never notice what is going on.
The list of security issues is impressive: weak (legacy) authentication, passwords that never change, phishing, spoofing, auto-forwarding of mail, too many global admins, over-broad permissions and roles, unmanaged devices, etc. etc.
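The spray pattern described above is visible in the Azure AD sign-in logs if you look for one source address failing against many different accounts in a short window, rather than many failures against one account. The PowerShell below is an added example, not code from the original post or from Microsoft; the sign-in records are constructed for the example, and the column names (CreatedDateTime, UserPrincipalName, IPAddress, ErrorCode) are assumed to match an export of the sign-in log.

```powershell
# Added example: flag password-spray candidates in Azure AD sign-in records.
# A spray shows up as ONE source IP failing against MANY distinct accounts in a
# short window, while a single user mistyping a password fails against ONE
# account. Column names are an assumption based on the sign-in log export.
function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinDistinctUsers = 5,   # distinct accounts per source IP before we alert
        [int] $WindowMinutes    = 60   # window in which those failures must occur
    )
    # 50126 is the AADSTS code for "invalid username or password"; a spray
    # produces almost exclusively this code against accounts that do exist.
    $failures = $SignIns | Where-Object { $_.ErrorCode -eq 50126 }

    foreach ($group in ($failures | Group-Object -Property IPAddress)) {
        $events = @($group.Group | Sort-Object { [datetime]$_.CreatedDateTime })
        $first  = [datetime]$events[0].CreatedDateTime
        $last   = [datetime]$events[-1].CreatedDateTime
        $users  = @($events | Select-Object -ExpandProperty UserPrincipalName -Unique)

        if ($users.Count -ge $MinDistinctUsers -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                IPAddress     = $group.Name
                DistinctUsers = $users.Count
                Attempts      = $events.Count
                FirstSeen     = $first
                LastSeen      = $last
                Users         = ($users -join ', ')
            }
        }
    }
}

# Constructed sample data (not real log lines). 203.0.113.10 sprays six accounts
# in ten minutes; 198.51.100.7 is one user getting their own password wrong.
$sample = @(
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T08:00:00Z'; UserPrincipalName = 'alice@contoso.com'; IPAddress = '203.0.113.10'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T08:01:30Z'; UserPrincipalName = 'bob@contoso.com';   IPAddress = '203.0.113.10'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T08:03:00Z'; UserPrincipalName = 'carol@contoso.com'; IPAddress = '203.0.113.10'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T08:04:45Z'; UserPrincipalName = 'dave@contoso.com';  IPAddress = '203.0.113.10'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T08:06:10Z'; UserPrincipalName = 'erin@contoso.com';  IPAddress = '203.0.113.10'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T08:09:55Z'; UserPrincipalName = 'frank@contoso.com'; IPAddress = '203.0.113.10'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T09:12:00Z'; UserPrincipalName = 'bob@contoso.com';   IPAddress = '198.51.100.7'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T09:12:20Z'; UserPrincipalName = 'bob@contoso.com';   IPAddress = '198.51.100.7'; ErrorCode = 50126 }
    [pscustomobject]@{ CreatedDateTime = '2018-10-01T09:12:50Z'; UserPrincipalName = 'bob@contoso.com';   IPAddress = '198.51.100.7'; ErrorCode = 0     }
)

# Only 203.0.113.10 is reported: six distinct users, six attempts, within ten minutes.
Find-PasswordSpray -SignIns $sample | Format-Table -AutoSize
```

Two caveats a practitioner will run into: a real spray is usually spread over many source addresses and over hours or days, so lower the thresholds and also group by the time of the attempts and by user agent, not only by IP; and this only finds attempts that reach Azure AD, so legacy protocols that are still open (the "block legacy authentication" item further down) are exactly where such attempts arrive without MFA ever being asked for.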
So, you want to improve security, but where do you begin? What’s a proper baseline and what are appropriate actions?
Have a look at the Microsoft Secure Score in the Security and Compliance admin center. The Secure Score gives you a baseline of your security posture and assigns a number to it. A score of 0 is the worst possible; the maximum depends on which services your tenant is licensed for, since only controls that are available to you count. In my tenant the maximum is 822.
Looking at my own tenant… shocking… 70, with a target score of 547…
There’s some low hanging fruit on the action list, other items are not applicable. The list of action items includes, but is not limited to:
- Enable MFA for Azure AD privileged roles
- Enable MFA for users
- Enable audit data recording
- Enable Client Rules Forwarding Block
- Set outbound spam notifications
- Enable mailbox auditing for all users
- Ensure all users are registered for multi-factor authentication
- Review permissions & block risky OAuth applications connected to your corporate environment
- Enable Information Rights Management (IRM) services
- Use audit data
- Do not use transport rule to external domains
- Do not use transport white lists
- Review mailbox forwarding rules weekly
- Enable policy to block legacy authentication
- Enable Advanced Threat Protection safe attachments policy
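Several of the Exchange Online items in the list above can be checked and applied from PowerShell rather than clicking through the admin center. The script below is an added example, not code from the original post or from Microsoft's Secure Score; it assumes the ExchangeOnlineManagement module, a notification address of secops@contoso.com, and the rule name "Client Rules Forwarding Block" (the name Secure Score itself uses for that item). Run the Get-* checks first and review what they return before applying the Set-* and New-* changes.

```powershell
# Added example: apply and check Secure Score items for Exchange Online.
# Assumptions: ExchangeOnlineManagement module installed, an admin account with
# MFA, and secops@contoso.com as the outbound spam notification recipient.
Connect-ExchangeOnline

# "Enable audit data recording": switch on unified audit log ingestion.
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

# "Enable mailbox auditing for all users": only touch mailboxes where it is off.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true

# "Enable Client Rules Forwarding Block": an attacker who has phished a mailbox
# typically adds an inbox rule that auto-forwards mail outside the tenant. This
# transport rule rejects auto-forwarded messages leaving the organisation,
# whoever created the rule. Idempotent: skip if the rule already exists.
if (-not (Get-TransportRule -Identity 'Client Rules Forwarding Block' -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name 'Client Rules Forwarding Block' -Priority 0 `
        -FromScope InOrganization -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageEnhancedStatusCode 5.7.1 `
        -RejectMessageReasonText 'Automatic forwarding of mail to external addresses is not permitted.'
}

# "Set outbound spam notifications" (recipient address is an assumption).
Set-HostedOutboundSpamFilterPolicy -Identity Default `
    -NotifyOutboundSpam $true -NotifyOutboundSpamRecipients 'secops@contoso.com'

# "Review mailbox forwarding rules weekly": mailbox-level forwarding first...
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# ...then inbox rules that forward or redirect, which the block above stops but
# which still tell you which mailboxes were tampered with.
Get-Mailbox -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" | ForEach-Object {
    Get-InboxRule -Mailbox $_.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object MailboxOwnerId, Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# "Do not use transport white lists": rules that set SCL to -1 bypass spam
# filtering for whatever matches them, so every hit deserves a justification.
Get-TransportRule | Where-Object { $_.SetSCL -eq -1 } |
    Select-Object Name, Priority, State, SenderDomainIs, From

# "Do not use transport rule to external domains": rules that copy or redirect
# mail to other recipients; check whether any target is outside the tenant.
Get-TransportRule |
    Where-Object { $_.RedirectMessageTo -or $_.BlindCopyTo -or $_.CopyTo -or $_.AddToRecipients } |
    Select-Object Name, State, RedirectMessageTo, BlindCopyTo, CopyTo, AddToRecipients
```

Note that MFA for admins and users, the OAuth application review and the legacy authentication block are Azure AD items rather than Exchange Online ones and are not covered by this script; legacy authentication in particular has to be blocked with a Conditional Access policy, because MFA is never prompted on basic-auth protocols such as SMTP, POP and IMAP.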
So, starting with a score of 70, I'm curious to see how this increases as the various action items are executed. Stay tuned for more… enough to blog about 😊