Security recommendations for priority accounts in Microsoft 365

Tip

Did you know you can try the features in Microsoft Defender XDR for Office 365 Plan 2 for free? Use the 90-day Defender for Office 365 trial at the Microsoft Defender portal trials hub. Learn about who can sign up and trial terms on Try Microsoft Defender for Office 365.

Not all user accounts have access to the same company information. Some accounts have access to sensitive information, such as financial data, product development information, partner access to critical build systems, and more. If compromised, accounts that have access to highly confidential information pose a serious threat. We call these types of accounts priority accounts. Priority accounts include (but aren't limited to) CEOs, CISOs, CFOs, infrastructure admin accounts, build system accounts, and more.

Microsoft Defender for Office 365 supports priority accounts as tags that can be used in filters in alerts, reports, and investigations. For more information, see User tags in Microsoft Defender for Office 365.

For attackers, ordinary phishing attacks that cast a random net for ordinary or unknown users are inefficient. On the other hand, spear phishing or whaling attacks that target priority accounts are very rewarding for attackers. So, priority accounts require stronger than ordinary protection to help prevent account compromise.

Microsoft 365 and Microsoft Defender for Office 365 contain several key features that provide additional layers of security for your priority accounts. This article describes these capabilities and how to use them.

The summary of the security recommendations in icon form

Task All Office 365 Enterprise plans Microsoft 365 E3 Microsoft 365 E5
Increase sign-in security for priority accounts
Use Strict preset security policies for priority accounts
Apply user tags to priority accounts
Monitor priority accounts in alerts, reports, and detections
Train users

Note

For information about securing privileged accounts (admin accounts), see this topic.

Increase sign-in security for priority accounts

Priority accounts require increased sign-in security. You can increase their sign-in security by requiring multi-factor authentication (MFA) and disabling legacy authentication protocols.

For instructions, see Step 1. Increase sign-in security for remote workers with MFA. Although this article is about remote workers, the same concepts apply to priority users.

Note: We strongly recommend that you globally disable legacy authentication protocols for all priority users as described in the previous article. If your business requirements prevent you from doing so, Exchange Online offers the following controls to help limit the scope of legacy authentication protocols:

It's also worth noting that Basic authentication is in the process of being deprecated in Exchange Online for Exchange Web Services (EWS), Exchange ActiveSync, POP3, IMAP4, and remote PowerShell. For details, see this blog post.

Use Strict preset security policies for priority accounts

Priority users require more stringent actions for the various protections that are available in Exchange Online Protection (EOP) and Defender for Office 365.

For example, instead of delivering messages that were classified as spam to the Junk Email folder, you should quarantine those same messages if they're intended for priority accounts.

You can implement this stringent approach for priority accounts by using the Strict profile in preset security policies.

Preset security policies are a convenient and central location to apply our recommended Strict policy settings for all of the protections in EOP and Defender for Office 365. For more information, see Preset security policies in EOP and Microsoft Defender for Office 365.

For details about how the Strict policy settings differ from the default and Standard policy settings, see Recommended settings for EOP and Microsoft Defender for Office 365 security.

Apply user tags to priority accounts

User tags in Microsoft Defender for Office 365 Plan 2 (as part of Microsoft 365 E5 or an add-on subscription) are a way to quickly identify and classify specific users or groups of users in reports and incident investigations.

Priority accounts is a type of built-in user tag (known as a system tag) that you can use to identify incidents and alerts that involve priority accounts. For more information about priority accounts, see Manage and monitor priority accounts.

You can also create custom tags to further identify and classify your priority accounts. For more information, see User tags. You can manage priority accounts (system tags) in the same interface as custom user tags.

Monitor priority accounts in alerts, reports, and detections

After you secure and tag your priority users, you can use the available reports, alerts, and investigations in EOP and Defender for Office 365 to quickly identify incidents or detections that involve priority accounts. The features that support user tags are described in the following table.

Feature Description
Alerts The user tags of affected users are visible and available as filters on the Alerts page in the Microsoft Defender portal. For more information, see Alert policies in the Microsoft Defender portal.
Incidents The user tags for all correlated alerts are visible on the Incidents page in the Microsoft Defender portal. For more information, see Manage incidents and alerts.
Custom alert policies You can create alert policies based on user tags in the Microsoft Defender portal. For more information, see Alert policies in the Microsoft Defender portal.
Explorer

Real-time detections

In Explorer (Defender for Office 365 Plan 2) or Real-time detections (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see Tags in Threat Explorer.
Email entity page You can filter email based on applied user tags in Microsoft 365 E5 and in Defender for Office 365 Plan 1 and Plan 2. For more information, see Email entity page.
Campaign Views User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see Campaign Views.
Threat protection status report In virtually all of the views and detail tables in the Threat protection status report, you can filter the results by priority accounts. For more information, see Threat protection status report.
Top senders and recipients report You can add this user tag to the top 20 message senders in your organization. For more information, see Top senders and recipients report.
Compromised user report User accounts that are marked as Suspicious or Restricted in Microsoft 365 organizations with Exchange Online mailboxes shows up in this report. For more information, see Compromised user report.
Admin submissions and user reported messages Use the Submissions page in the Microsoft Defender portal to submit email messages, URLs, and attachments to Microsoft for analysis. For more information, see Admin submissions and user reported messages.
Quarantine Quarantine is available to hold potentially dangerous or unwanted messages in Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations for Priority accounts. For more information, see Quarantine email messages.
Attack simulation To test your security policies and practices, run a benign cyberattack simulation for your target users. For more information, see Attack simulation.
Email issues for priority accounts report The Email issues for priority accounts report in the Exchange admin center (EAC) contains information about undelivered and delayed messages for priority accounts. For more information, see Email issues for priority accounts report.

Train users

Training users with priority accounts can help save those users and your security operations team much time and frustration. Savvy users are less likely to open attachments or click links in questionable email messages, and they're more likely to avoid suspicious websites.

The Harvard Kennedy School Cybersecurity Campaign Handbook provides excellent guidance for establishing a strong culture of security awareness within your organization, including training users to identify phishing attacks.

Microsoft 365 provides the following resources to help inform users in your organization:

Concept Resources Description
Microsoft 365 Customizable learning pathways These resources can help you put together training for users in your organization.
Microsoft 365 security Learning module: Secure your organization with built-in, intelligent security from Microsoft 365 This module enables you to describe how Microsoft 365 security features work together and to articulate the benefits of these security features.
Multi-factor authentication Download and install the Microsoft Authenticator app This article helps end users understand what multi-factor authentication is and why it's being used at your organization.
Attack simulation training Get started using Attack simulation training Attack simulation training in Microsoft Defender for Office 365 Plan 2 allows admin to configure, launch, and track simulated phishing attacks against specific groups of users.

In addition, Microsoft recommends that users take the actions described in this article: Protect your account and devices from hackers and malware. These actions include:

  • Using strong passwords
  • Protecting devices
  • Enabling security features on Windows and Mac PCs (for unmanaged devices)

See also