Top 12 tasks for security teams to support working from home
If you are like Microsoft and suddenly find yourself supporting a primarily home-based workforce, we want to help you ensure your organization is working as securely as possible. This article prioritizes tasks to help security teams implement the most important security capabilities as quickly as possible.
If you are a small or medium-size organization using one of Microsoft's business plans, see these resources instead:
- Best practices for securing Microsoft 365 for business plans
- Microsoft 365 for Campaigns (includes a recommended security configuration for Microsoft 365 Business)
For customers using our enterprise plans, Microsoft recommends you complete the tasks listed in the following table that apply to your service plan. If, instead of purchasing a Microsoft 365 enterprise plan, you are combining subscriptions, note the following:
- Microsoft 365 E3 includes Enterprise Mobility + Security (EMS) E3 and Azure AD P1
- Microsoft 365 E5 includes EMS E5 and Azure AD P2
Before you begin, check your Microsoft 365 Secure Score in the Microsoft 365 Defender portal. From a centralized dashboard, you can monitor and improve the security for your Microsoft 365 identities, data, apps, devices, and infrastructure. You are given points for configuring recommended security features, performing security-related tasks (such as viewing reports), or addressing recommendations with a third-party application or software. The recommended tasks in this article will raise your score.
1: Enable Azure AD Multi-Factor Authentication (MFA)
The single best thing you can do to improve security for employees working from home is to turn on MFA. If you don't already have processes in place, treat this as an emergency pilot and make sure you have support folks ready to help employees who get stuck. As you probably can't distribute hardware security devices, use Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.
Normally, Microsoft recommends you give users 14 days to register their device for Multi-Factor Authentication before requiring MFA. However, if your workforce is suddenly working from home, go ahead and require MFA as a security priority and be prepared to help users who need it.
Applying these policies will take only a few minutes, but be prepared to support your users over the next several days.
|Microsoft 365 plans (without Azure AD P1 or P2)||Enable Security defaults in Azure AD. Security defaults in Azure AD include MFA for users and administrators.|
|Microsoft 365 E3 (with Azure AD P1)||Use Common Conditional Access policies to configure the following policies:
- Require MFA for administrators
- Require MFA for all users
- Block legacy authentication
|Microsoft 365 E5 (with Azure AD P2)||Taking advantage of Azure AD Identity Protection, begin to implement Microsoft's recommended set of conditional access and related policies by creating these policies:
- Require MFA when sign-in risk is medium or high
- Block clients that don't support modern authentication
- High risk users must change password
2: Protect against threats
All Microsoft 365 plans include a variety of threat protection features. Bumping up protection for these features takes just a few minutes.
- Anti-malware protection
- Protection from malicious URLs and files
- Anti-phishing protection
- Anti-spam protection
See Protect against threats in Office 365 for guidance you can use as a starting point.
3: Configure Microsoft Defender for Office 365
Microsoft Defender for Office 365, included with Microsoft 365 E5 and Office 365 E5, safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. This can take several hours to configure.
Microsoft Defender for Office 365:
- Protects your organization from unknown email threats in real time by using intelligent systems that inspect attachments and links for malicious content. These automated systems include a robust detonation platform, heuristics, and machine learning models.
- Protects your organization when users collaborate and share files, by identifying and blocking malicious files in team sites and document libraries.
- Applies machine learning models and advanced impersonation-detection algorithms to avert phishing attacks.
For an overview, including a summary of plans, see Defender for Office 365.
Your Global Administrator can configure these protections:
- Set up Safe Links policies
- Configure global settings for Safe Links
- Set up Safe Attachments policies
You'll need to work with your Exchange Online administrator and SharePoint Online administrator to configure Defender for Office 365 for these workloads:
4: Configure Microsoft Defender for Identity
Microsoft Defender for Identity is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Focus on this next because it protects your on-prem and your cloud infrastructure, has no dependencies or prerequisites, and can provide immediate benefit.
- See Microsoft Defender for Identity Quickstarts to get setup quickly
- Watch Video: Introduction to Microsoft Defender for Identity
- Review the three phases of Microsoft Defender for Identity deployment
5: Turn on Microsoft 365 Defender
Now that you have Microsoft Defender for Office 365 and Microsoft Defender for Identity configured, you can view the combined signals from these capabilities in one dashboard. Microsoft 365 Defender brings together alerts, incidents, automated investigation and response, and advanced hunting across workloads (Microsoft Defender for Identity, Defender for Office 365, Microsoft Defender for Endpoint, and Microsoft Defender for Cloud Apps) into a single pane in the Microsoft 365 Defender portal.
After you have configured one or more of your Defender for Office 365 services, turn on MTP. New features are added continually to MTP; consider opting in to receive preview features.
6: Configure Intune mobile app protection for phones and tablets
Microsoft Intune Mobile Application Management (MAM) allows you to manage and protect your organization's data on phones and tablets without managing these devices. Here's how it works:
- You create an App Protection Policy (APP) that determines which apps on a device are managed and what behaviors are allowed (such as preventing data from a managed app from being copied to an unmanaged app). You create one policy for each platform (iOS, Android).
- After creating the app protection policies, you enforce these by creating a conditional access rule in Azure AD to require approved apps and APP data protection.
APP protection policies include many settings. Fortunately, you don't need to learn about every setting and weigh the options. Microsoft makes it easy to apply a configuration of settings by recommending starting points. The Data protection framework using app protection policies includes three levels you can choose from.
Even better, Microsoft coordinates this app protection framework with a set of conditional access and related policies we recommend all organizations use as a starting point. If you've implemented MFA using the guidance in this article, you're half way there!
To configure mobile app protection, use the guidance in Common identity and device access policies:
- Use the Apply APP data protection policies guidance to create policies for iOS and Android. Level 2 (enhanced data protection) is recommended for baseline protection.
- Create a conditional access rule to Require approved apps and APP protection.
7: Configure MFA and conditional access for guests, including Intune mobile app protection
Next, let's ensure you can continue to collaborate and work with guests. If you're using the Microsoft 365 E3 plan and you implemented MFA for all users, you're set.
If you're using the Microsoft 365 E5 plan and you're taking advantage of Azure Identity Protection for risk-based MFA, you need to make a couple of adjustments (because Azure AD Identity protection doesn't extend to guests):
- Create a new conditional access rule to require MFA always for guests and external users.
- Update the risk-based MFA conditional access rule to exclude guests and external users.
Use the guidance in Updating the common policies to allow and protect guest and external access to understand how guest access works with Azure AD and to update the affected policies.
The Intune mobile app protection policies you created, together with the conditional access rule to require approved apps and APP protection, apply to guests accounts and will help protect your organization data.
If you've already enrolled PCs into device management to require compliant PCs, you'll also need to exclude guest accounts from the conditional access rule that enforces device compliance.
8: Enroll PCs into device management and require compliant PCs
There are several methods to enroll your workforce's devices. Each method depends on the device's ownership (personal or corporate), device type (iOS, Windows, Android), and management requirements (resets, affinity, locking). This can take a bit of time to sort out. See: Enroll devices in Microsoft Intune.
The quickest way to get going is to Set up automatic enrollment for Windows 10 devices.
You can also take advantage of these tutorials:
- Use Autopilot to enroll Windows devices in Intune
- Use Apple's Corporate Device Enrollment features in Apple Business Manager (ABM) to enroll iOS/iPadOS devices in Intune
After enrolling devices, use the guidance in Common identity and device access policies to create these policies:
- Define device-compliance policies — The recommended settings for Windows 10 include requiring antivirus protection. If you have Microsoft 365 E5, use Microsoft Defender for Endpoint to monitor the health of employee devices. Be sure compliance policies for other operating systems include antivirus protection and end-point protection software.
- Require compliant PCs — This is the conditional access rule in Azure AD that enforces the device compliance policies.
Only one organization can manage a device, so be sure to exclude guest accounts from the conditional access rule in Azure AD. If you don't exclude guest and external users from policies that require device compliance, these policies will block these users. For more information, see Updating the common policies to allow and protect guest and external access.
9: Optimize your network for cloud connectivity
If you are rapidly enabling the bulk of your employees to work from home, this sudden switch of connectivity patterns can have a significant impact on the corporate network infrastructure. Many networks were scaled and designed before cloud services were adopted. In many cases, networks are tolerant of remote workers, but were not designed to be used remotely by all users simultaneously.
Network elements such as VPN concentrators, central network egress equipment (such as proxies and data loss prevention devices), central internet bandwidth, backhaul MPLS circuits, NAT capability and so on are suddenly put under enormous strain due to the load of the entire business using them. The end result is poor performance and productivity coupled with a poor user experience for users who are adapting to working from home.
Some of the protections that have traditionally been provided by routing traffic back through a corporate network are provided by the cloud apps your users are accessing. If you've reached this step in this article, you've implemented a set of sophisticated cloud security controls for Microsoft 365 services and data. With these controls in place, you may be ready to route remote users' traffic directly to Office 365. If you still require a VPN link for access to other applications, you can greatly improve your performance and user experience by implementing split tunneling. Once you achieve agreement in your organization, this can be accomplished within a day by a well-coordinated network team.
See these resources on Docs for more information:
- Overview: Optimize connectivity for remote users using VPN split tunneling
- Implementing VPN split tunneling for Office 365
Recent blog articles on this topic:
- How to quickly optimize traffic for remote staff & reduce the load on your infrastructure
- Alternative ways for security professionals and IT to achieve modern security controls in today's unique remote work scenarios
10: Train users
Training users can save your users and security operations team a lot of time and frustration. Savvy users are less likely to open attachments or click links in questionable email messages, and they are more likely to avoid suspicious websites.
The Harvard Kennedy School Cybersecurity Campaign Handbook provides excellent guidance on establishing a strong culture of security awareness within your organization, including training users to identify phishing attacks.
Microsoft 365 provides the following resources to help inform users in your organization:
|Microsoft 365||Customizable learning pathways
These resources can help you put together training for end users in your organization
|Microsoft 365 security||Learning module: Secure your organization with built-in, intelligent security from Microsoft 365
This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.
|Multi-factor authentication||Two-step verification: What is the additional verification page?
This article helps end users understand what multi-factor authentication is and why it's being used at your organization.
In addition to this guidance, Microsoft recommends that your users take the actions described in this article: Protect your account and devices from hackers and malware. These actions include:
- Using strong passwords
- Protecting devices
- Enabling security features on Windows 10 and Mac PCs (for unmanaged devices)
Microsoft also recommends that users protect their personal email accounts by taking the actions recommended in the following articles:
11: Get started with Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. Once you get started with Defender for Cloud Apps, anomaly detection policies are automatically enabled, but Defender for Cloud Apps has an initial learning period of seven days during which not all anomaly detection alerts are raised.
Get started with Defender for Cloud Apps now. Later you can set up more sophisticated monitoring and controls.
- Quickstart: Get started with Defender for Cloud Apps
- Get instantaneous behavioral analytics and anomaly detection
- Learn more about Microsoft Defender for Cloud Apps
- Review new features and capabilities
- See basic setup instructions
12: Monitor for threats and take action
Microsoft 365 includes several ways to monitor status and take appropriate actions. Your best starting point is the Microsoft 365 Defender portal, where you can view your organization's Microsoft Secure Score, and any alerts or entities that require your attention.
Congratulations! You have quickly implemented some of the most important security protections and your organization is much more secure. Now you're ready to go even further with threat protection capabilities (including Microsoft Defender for Endpoint), data classification and protection capabilities, and securing administrative accounts. For a deeper, methodical set of security recommendations for Microsoft 365, see Microsoft 365 Security for Business Decision Makers (BDMs).
Also visit Microsoft's new Defender for Cloud in Security documentation.
Submit and view feedback for