M365 Security Recommendations

The suggestions from Microsoft Entra are intended to improve the security posture of your company and provide useful information for identifying and successfully reducing threats.

The recommendations are -

• Protect your tenant with Insider Risk condition in Conditional Access policy
• Protect all users with a user risk policy
• Protect all users with a sign-in risk policy
• Enable self-service password reset
• Use least privileged administrative roles
• Designate more than one global admin
• Enable password hash sync if hybrid
• Do not expire passwords
• Ensure all users can complete multifactor authentication
• Do not allow users to grant consent to unreliable applications
• Enable policy to block legacy authentication
• Require multifactor authentication for administrative roles

Additionally, it should be standard procedure and advice for all Microsoft 365 users to adhere to the following:

1. Remove Global admin access from the licensed user and create a Global Admin account without any license.
2. Enable Multifactor authentication for the Global Admin account.
3. Enable security defaults / MFA for all users accounts from the admin panel.
4. Enable External Tag for all incoming mails which are sent from outside domain.
5. Ensure the domain health by adding proper SPF, DKIM, DMARC records
6. Educate the user regarding phishing and Spoofing mail, and inform the IT Admin once anything found suspicious.
7. Educate the user if they received any email which contains a link and ask for user credential so as to prevent falling in this kind of phishing trap.