Configure your Microsoft 365 tenant for increased security

Tip

Did you know you can try the features in Microsoft 365 Defender for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft 365 Defender portal trials hub. Learn about who can sign up and trial terms here.

Applies to

• Exchange Online Protection
• Microsoft Defender for Office 365 plan 1 and plan 2
• Microsoft 365 Defender

Your organizational needs require security.

Specifics are up to your business.

This topic will walk you through the manual configuration of tenant-wide settings that affect the security of your Microsoft 365 environment. Use these recommendations as a starting point.

Tune threat management policies in the Microsoft 365 Defender portal

The Microsoft 365 Defender portal has capabilities for both protection and reporting. It has dashboards you can use to monitor and take action when threats arise.

Keep in mind that some areas come with default policy configurations. Some areas do not include default policies or rules.

For example, the recommended setup of Microsoft Defender for Office 365 (plan 1 and plan 2) is described by this handy step-by-step guide, right here: 'Ensuring you always have the optimal security'. But, even so, some admins opt for a more hands-on approach to this product.

To automate your setup of Microsoft Defender for Office 365 visit the Standard and Strict policies under Email & collaboration > Policies & rules > Threat policies to tune threat management settings for a more secure environment.

Area	Default policy?	Recommendation
Anti-phishing	Yes	Configure the default anti-phishing policy as described here: Configure anti-phishing protection settings in EOP and Defender for Office 365. More information: Anti-phishing policies in Microsoft 365 Recommended anti-phishing policy settings in Microsoft Defender for Office 365 Impersonation insight Spoof intelligence insight in EOP Manage the Tenant Allow/Block List.
Anti-Malware Engine	Yes	Configure the default anti-malware policy as described here: Configure anti-malware protection settings in EOP. More information: Anti-malware protection Recommended anti-malware policy settings Configure anti-malware policies
Safe Attachments in Defender for Office 365	No	Configure the global settings for Safe Attachments and create a Safe Attachments policy as described here: Configure Safe Attachments settings in Microsoft Defender for Office 365. More information: Recommended Safe Attachments settings Safe Attachments in Microsoft Defender for Office 365 Set up Safe Attachments policies Safe Attachments for SharePoint, OneDrive, and Microsoft Teams Safe Documents in Microsoft 365 E5
Safe Links in Microsoft Defender for Office 365	No	Create a Safe Links policy as described here: Configure Safe Links settings in Microsoft Defender for Office 365. More information: Safe Links policy settings Set up Safe Links policies Safe Links in Microsoft Defender for Office 365
Anti-spam (mail filtering)	Yes	Configure the default anti-spam policy as described here: Configure anti-spam protection settings in EOP More information: Recommended anti-spam policy settings Anti-spam protection in EOP Configure anti-spam policies in EOP
Email Authentication	Yes	Email authentication uses DNS records to add verifiable information to email messages about the message source and sender. Microsoft 365 automatically configures email authentication for its default domain (onmicrosoft.com), but Microsoft 365 admins can also configure email authentication for custom domains. Three authentication methods are used: Sender Policy Framework (or SPF). For setup, see Set up SPF in Microsoft 365 to help prevent spoofing. DomainKeys Identified Mail (DKIM). See Use DKIM to validate outbound email sent from your custom domain. After you've configured DKIM, enable it in the Microsoft 365 Defender portal. Domain-based Message Authentication, Reporting, and Conformance (DMARC). For DMARC setup Use DMARC to validate email in Microsoft 365. After you've configured DKIM, enable it in the Microsoft 365 Defender portal. Authenticated Received Chain (ARC) in Microsoft 365 Defender for Office. List your Trusted ARC sealers so legitimate intermediaries will be trusted even if they modify mail.

Note

For non-standard deployments of SPF, hybrid deployments, and troubleshooting: How Microsoft 365 uses Sender Policy Framework (SPF) to prevent spoofing.

View dashboards and reports in the Microsoft 365 Defender portal

Browse to security.microsoft.com. The menu of Microsoft 365 Defender is divided into sections that begin, in order, Home, Email & Collaboration, Cloud Apps, and Reports (you may see some or all of these depending on your Plan). You're looking for Reports.

1. Browse to security.microsoft.com.
2. Click Reports on the menu.
   1. Here you can view information about security trends and track the protection status of your identities, data, devices, apps, and infrastructure.

The data in these reports will become richer as your organization uses Office 365 services, keep that in mind if you are in pilot or testing. For now, be familiar with what you can monitor and take action on.

Inside each report, you'll see cards for the specific areas monitored.

1. Click the Email & Collaboration reports.
2. Take note of the report cards available.
   1. Everything from Malware detected in email, to Spam detections, Compromised users, to User reported messages and Submissions the final two, with a button that links to Submissions.
3. Click a report, for example Mailflow status summary and the click the View details button to dig into the data (which even includes a funnel view for easier interpretation of total mail flow vs. blocked, spam, and phishing emails, and more).

Dashboard	Description
Security reports	Identities and device security reports such as users and devices with malware detections, device compliance, and users at risk.
Defender for Office 365 reports	The reports are available only in Defender for Office 365. For more information, see View Defender for Office 365 reports in the Microsoft 365 Defender portal.
Mail flow reports and insights	These reports and insights are available in the Exchange admin center (EAC). For more information, see Mail flow reports and Mail flow insights.
Threat Explorer (or real-time detections)	If you are investigating or experiencing an attack against your tenant, use Explorer (or real-time detections) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list.

Configure additional Exchange Online tenant-wide settings

Here are a couple of additional settings that are recommended.

Area	Recommendation
Mail flow rules (also known as transport rules)	Add a mail flow rule to help protect against ransomware by blocking executable file types and Office file types that contain macros. For more information, see Use mail flow rules to inspect message attachments in Exchange Online. See these additional topics: Protect against ransomware Malware and Ransomware Protection in Microsoft 365 Ransomware incident response playbooks Create a mail flow rule to prevent auto-forwarding of email to external domains. For more information, see Mitigating Client External Forwarding Rules with Secure Score. More information: Mail flow rules (transport rules) in Exchange Online
Modern authentication	Modern authentication is a prerequisite for using multi-factor authentication (MFA). MFA is recommended for securing access to cloud resources, including email. See these topics: Enable or disable modern authentication in Exchange Online Skype for Business Online: Enable your tenant for modern authentication Modern authentication is enabled by default for Office 2016 clients, SharePoint Online, and OneDrive for Business. More information: How modern authentication works for Office 2013 and Office 2016 client apps

Configure tenant-wide sharing policies in SharePoint admin center

Microsoft recommendations for configuring SharePoint team sites at increasing levels of protection, starting with baseline protection. For more information, see Policy recommendations for securing SharePoint sites and files.

SharePoint team sites configured at the baseline level allow sharing files with external users by using anonymous access links. This approach is recommended instead of sending files in email.

To support the goals for baseline protection, configure tenant-wide sharing policies as recommended here. Sharing settings for individual sites can be more restrictive than this tenant-wide policy, but not more permissive.

Area	Includes a default policy	Recommendation
Sharing (SharePoint Online and OneDrive for Business)	Yes	External sharing is enabled by default. These settings are recommended: Allow sharing to authenticated external users and using anonymous access links (default setting). Anonymous access links expire in this many days. Enter a number, if desired, such as 30 days. Default link type — select Internal (people in the organization only). Users who wish to share using anonymous links must choose this option from the sharing menu. More information: External sharing overview

SharePoint admin center and OneDrive for Business admin center include the same settings. The settings in either admin center apply to both.

Configure settings in Azure Active Directory

Be sure to visit these two areas in Azure Active Directory to complete tenant-wide setup for more secure environments.

Configure named locations (under conditional access)

If your organization includes offices with secure network access, add the trusted IP address ranges to Azure Active Directory as named locations. This feature helps reduce the number of reported false positives for sign-in risk events.

See: Named locations in Azure Active Directory

Block apps that don't support modern authentication

Multi-factor authentication requires apps that support modern authentication. Apps that do not support modern authentication cannot be blocked by using conditional access rules.

For secure environments, be sure to disable authentication for apps that do not support modern authentication. You can do this in Azure Active Directory with a control that is coming soon.

In the meantime, use one of the following methods to accomplish this for SharePoint Online and OneDrive for Business:

• Use PowerShell, see Block apps that do not use modern authentication.
• Configure this in the SharePoint admin center on the "device access' page — "Control access from apps that don't use modern authentication." Choose Block.

Get started with Defender for Cloud Apps or Office 365 Cloud App Security

Use Office 365 Cloud App Security to evaluate risk, to alert on suspicious activity, and to automatically take action. Requires Office 365 E5 plan.

Or, use Microsoft Defender for Cloud Apps to obtain deeper visibility even after access is granted, comprehensive controls, and improved protection for all your cloud applications, including Office 365.

Because this solution recommends the EMS E5 plan, we recommend you start with Defender for Cloud Apps so you can use this with other SaaS applications in your environment. Start with default policies and settings.

More information:

• Deploy Defender for Cloud Apps
• More information about Microsoft Defender for Cloud Apps
• What is Defender for Cloud Apps?

Additional resources

These articles and guides provide additional prescriptive information for securing your Microsoft 365 environment:

• Microsoft security guidance for political campaigns, nonprofits, and other agile organizations (you can use these recommendations in any environment, especially cloud-only environments)

• Recommended security policies and configurations for identities and devices (these recommendations include help for AD FS environments)