The Top 5 Microsoft 365 Security settings that you NEED to switch on NOW!

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
[Music] this time around we're going to take a look at the top five security settings that you not only need to know but you need to switch on now in microsoft 365. so stay with me you never know you might learn something [Music] greetings everyone andy malone microsoft mvp as well as a microsoft certified trainer welcome to the channel i really appreciate you stopping by just before i get started i just wanted to address a couple of comments that i got this week on my youtube channel number one andy you're a microsoft mvp i think it's hilarious that you use a mac really come on are we past that seriously look guys um i'm a mac user yes i'm an apple device i've got apple everywhere okay but i love microsoft i'm a passionate microsoft mvp in microsoft 365 azure active directory and cloud security uh and it's because it's available on every device okay just wanted to get that out of the way okay so the second comment that i sometimes get is andy your videos are in low res this is not true youtube always doesn't matter what you upload youtube always seemed to rend my videos in low res fight then in hd and then finally in 4k which is what they're recorded in so uh just be a little bit patient sometimes when if you especially if you're uh one of the first people to check out the video if it's you know not great on your 77-inch tv then just give it kind of you know an hour come back and check it out again okay so for this week's episode what i thought i would do is take a look at what i think are the top five features and microsoft security in terms of microsoft 365 that you must switch on and not only switch on but you also need to understand as well so we're going to take a little bit of time uh taking a look at those uh specific features now i've got to be honest with you there are literally hundreds hundreds of security features so what i think are you know out of the box these are things that you really need to switch on so stick with me because you will definitely learn something here now if you've not subscribed to the channel i would really appreciate you clicking up there on the subscribe button ringing that bell so that you don't miss out on future videos and as always i love your comments questions and feedback so please just get them down below there and of course if you've got any session suggestions for the future then by all means go ahead and let me know what you think um just one thing as always i time code all of my sessions so feel free to jump in and out as you will and i've also included demos in everything here as well so i think without any more jibber jabber i think it's time for some demos don't you so i want to kick off my demo here in microsoft 365. and we're going to go down into the admin center now from the admin center we're going to go and take a look at the security and compliance area so i'm going to click into security and i want to show you this is my number five so number five is threat policies and something called the configuration analyzer now if you've not looked at the security center for quite some time there have been quite a lot of changes here now i'd just like to point out by the way that some of the features that i'm showing you here are only available in the e5 subscription but what i've tried to do with my top five is i've tried to look at features that will be available in a vast majority of um tenants so hopefully you'll find these uh first of all so what i'm gonna do is i'm gonna come in here to the admin center and in the past i've done sessions on this and again it's been newly dem named it's now called the microsoft 365 defender and the idea is that microsoft have lots of these different security products that they're what they're essentially trying to do is bring them under a single brand so what i'm going to do is i'm going to come down to policies and rules and the threat policies you can find here in the admin center now um you have got something called the anti-phishing the anti-spam and the anti-malware policies now these are basically something called eop exchange online protection now irrespective of the version of microsoft 365 that you have whether it be business whether it be enterprise typically you will get all of these uh features all right um so you can go in and you can configure um anti-malware policies anti-virus policies you definitely want to go in and have a look at that all right now just a little tip from andy is when you go in and you set this up um very important that from your settings and domains area when you're setting up your custom domain name which i'm not in this case and during the configuration of this dns domain it will ask you do you want to include dns records for things like security so definitely make sure that you include your security dns records otherwise your clients will not know where to go for those and they're all included in here and that's actually taken care when you do the the actual setup now you can see out of the box microsoft provides you with a fairly robust um set of default settings of course you can go in you can edit any of these features if you want to you can edit the protection settings um and you can customize this if you want to but the key thing is not really that it's here the fact is that you need to switch it on and make sure that you've configured it correctly now um jeff i'll just go back to threat policies the two options here that you don't get with the standard subscriptions are the safe attachments and safe links now both of these i have covered in um defender for 365 in a video that i've done in the past and what i'll do is i'll include that link to the video um in the description here okay so you can go and check that out but again safe attachments and safe web links very very useful now and something that's starting to creep in to microsoft 365 which i love so if you're not sure whether you've configured these correctly then definitely go into the configuration analyzer and what this does is it goes ahead and it and it does exactly as it says on the tin it will go off and it will have a look at your settings so it looks at all the different configuration settings see anti-phishing anti-spam and it's pulling out all of these rules and you can see um it's giving you a score and it will say hey you know do you want to improve this so if you want to and it's making some recommendations so these are all recommendations that you can you can actually do in order to improve your score now of course as well as the standard recommendations there are also some stricter options as well uh and the stricter options you know that they're as it says on the tin a lot stricter so again to implement these rules i can just simply click onto this click into the message here and you can you can it tells you a little bit about the actual rule what type of rule it is um and it says hey do you want to go ahead and apply this recommendation okay now you can also view the policy here and i said i'm gonna go ahead i'm gonna say yeah um i'm gonna say that's fine i'm happy with that recommendation go ahead and do that now and what we also have here is something called configuration drift so if that what that means is if any administrators have made changes away from the standard configuration or they've maybe lowered some uh configuration settings you would get those here and you can see in this my example i don't have anything so like i said definitely check out the configuration analyzer really powerful feature and it makes some great recommendations on how to improve your security and just to mention by the way of course as with all of these tools if you click on learn more it will actually take you through to docs.microsoft.com and you can read all about it for my number four option what i'm going to do is i'm going to come in here to the microsoft 365 admin center i'm going to come into organizational settings and i'm going to go into something called security and privacy now here we this is a relatively new feature it's called privileged access now in the past you may have wanted to give um users in your organization admin access or admin control and i've talked at length about this in a few in previous videos and it's called our back role based admin control this is where you can assign or elevate users permissions to become an admin so for example if i wanted john to be a teams administrator or peter to be an exchange administrator and so on well what this feature does is it this is a slightly more version of that tool because what you can do here is once you switch it on you can basically say hey i'm going to allow privileged access not just to roles but also specific and individual tasks now i'm going to search for a group that i can use as um an approval group and you can see here i've got a group called my oslo head office now if you want to know more about this feature then check out the link here that will take you through to docs.microsoft.com but essentially it provides a way for people in your organization to perform tasks that otherwise would require a higher level of permission or an admin role so this is a fantastic way of saying hey you know john just wants to do this particular task and so on so once you've switched that feature on i can now go in and create some policies and requests so in here i'm going to click on request access and you can see it can be based on an individual task an individual role or you can give them a role group now um so if i chose a role group you can see that there is only one product at the moment this will be expanded on in future versions but for now i'm going to click into the exchange role and of course within exchange there are a number of sub-roles that you can assign someone so for example if i wanted to give somebody the help desk role but only that particular role of that particular task for let's say two hours so and i can just put in a reason for the reason why i'm doing this so i'm just gonna say for testing purposes okay so now that i've done that i'm going to go off and create that role so now should anybody want to gain access to that role and off it goes and and it's now done now depending on the task um you can automatically approve you can again depending on the task or the role or whatever you've set up um so those that oslo team would get notifications they were then going to manage that and policy and either accept or reject it and that's that's it essentially really really simple and really granular way to give just enough access but just in time for my number three tip i definitely have to come back here into the microsoft 365 admin center and this is the 365 defender admin center and i'm going to come into secure score now i have covered this previously and it's amazing how many people don't know about this and don't implement it but secure score is a great not only a great way of improving your security posture but also comparing your kind of score with your industry peers so what we have here we have the secure score dashboard and you've got overview um improvement history um or actions history and then you've got general trends at the moment now you can see here that you get we've got a score here of 37 percent uh and it's showing me that i've got 46 to 49 out of a possible 125 points so it's okay but i feel that we could do better now you can see that we also have a number of different categories you've got apps you've got um identity and so on and you can you can customize that if you want to now the important thing that we have here is uh not only that your score um but you can also get a number of recommendations here and you can either get though get those here or you can go into recommended improvement actions and you can see that recommendation number one is always ensure that you've got mfa for admin roles okay now um to implement this or to implement any features or things like hey do you want to create a safe links policy or turn on safe attachments um how do you want to implement this so for example what i can do is i can click onto the option here it tells you a little bit about the feature and it also tells you how to implement it and it shows you which users if any would be affected by this all right and more than that it shows you how many points that you can gain now the one thing about secure score is and you might be interested in this every year microsoft have a secure school competition and it basically involves companies like yourselves um enforcing or creating a scenario where you have the highest workable score where you're making it still easy for your users to do their work because remember good security should be invisible so that's essentially what that is now in terms of implementation it shows you there are links here shows you exactly how to get started you've got step-by-step guides and anything that you have done previously you'll get a history of that all right so essentially that is essentially how that works now um if you've got other users or let's say a support team in your company you can go ahead you can email this to them you can set it up in microsoft teams you can share it in planner and you can even copy the link so really powerful uh feature there now you've also got a history so anything that you've gone ahead and implemented and finally these are the trends so this is where microsoft are actually comparing your score with your industry peers all right and it shows you whether your score is improved or it's increased or and so on it shows you the trends so ladies and gentlemen that is something you must take a look at it can really help improve your security posture for my number two solution i'm gonna come into users and i'm going to come into active users in microsoft 365. um i mentioned that this was in my last video actually and i cannot honestly put my hand to my heart and do a top five security uh feature set without having this in here so this is multi-factor authentication you can implement it in a number of ways it's available in most uh microsoft 365 plans and office 365 plans and in essence we essentially just select a user here so i'm going to let's say i've got a user called uh diego and diego i want to enable multi-factor authentication so it couldn't be more simple simply go in enable multi-factor authentication for this user and what will now happen of course is that the user will that get prompted they'll say we need more information from you the user can go in they can set up multi-factor authentication if they're using windows hello great if they're using a mobile device let's say an iphone then they can download the multi-factor authentication app do remember that you don't have to just use the microsoft one you can also use the google and amazon ones as well they're absolutely fine and so once you've done that diego will now have 14 days in which to register for mfa beyond that his account would be disabled if he doesn't um one thing that you can do though is you can override that 14 days and i can actually say hey i want to enforce that so that means immediately configure multi-factor authentication now when you consider the problems with passwords and password cracking tools this is a is an absolute godsend just bearing in mind one thing if you can also go to the service settings here um so if i just come up here into the service settings you can skip multi-factor authentication for any request in these locations so if let's say you've got different branch offices london new york let's say delhi then you can put in the ip address ranges here and it will skip multi-factor authentication brilliant how do you want to verify so do you want to send a text message do you want to do a mobile app or a verification code from a let's say a hardware token so you can give essentially what this is doing it's giving the users um the choice so it's giving the users the choice here now you can see here excuse me you can also allow the users to remember multi-factor authentications on devices that they trust for x number of days so 90 days and you can decrease that you can have it less if you want to and that basically prevents user frustration okay the other place to deploy multi-factor authentication is of course in azure active directories conditional access again i've covered that in previous sessions and i'll place a link in my description below if you want to go off and check out that video so there we go ladies and gentlemen multi-factor authentication in microsoft 365 is definitely my number two so i know what many of you are thinking you're probably thinking hang on a minute andy surely mfa is the number one security thing that you can do to improve your security and hands up you're absolutely right but i gotta say um this goes hand in hand with that so i'm kicking off the demo here i've come into azure active directory i'm gonna come into the directory and i'm gonna scroll down now this particular feature you can't do from the microsoft 365 admin center i'm going to come down to the security node here and we're going to talk about this authentication methods first up now one of the big kind of things that microsoft have been pushing in the last few years or so actually is the concept of passwordless authentication so um rather than using mfa which is great um you know it's very good but you can also add in something that you are and something that you physically have so for example if you're using windows hello for business of course you can either push that out within your organization through active directory and if you're you've got users just in azure active directory then you can push that out through intune of course but there are some other really cool features here and these include things like fido keys so if you're using these new um kind of next-gen uh fido keys which are like these hardware tokens and you don't need a username don't need a password really really simple to set up i'm going to do in fact i did a session on this previously i'll bring you up to date and i'll do one in the future so i can go ahead and say yes hey i want to enable a fido key do you want to give up for all users or just specific users so i can say yeah i want this to let's say go to bianca i'll say brian and i'm gonna say who else will we say we will say jean-luc i'm gonna click on them and i'm gonna say at the moment it's optional um you know so they can choose whether they want to uh use this uh and i'm gonna go ahead and i'll click on save and that's it really really simple to set up if i just click on back into configure you can choose allow self service setup you've got things like enforce and any key restrictions if you want to remove any keys you can remove those access as well okay so that is definitely something that you want to take a look at of course everybody knows the microsoft authenticator app so again i can select specific users or groups within my organization to deploy that and of course i can also if you've got the capabilities you can set up text messaging and this is quite useful as well if the user forgets their username and password or loses their mobile device then you can issue what we call a temporary access pass and this will force the user to re-sign up um and recreate within mfa on a brand new device so that's great in there we also have the new certificate based authentication this is where you can deploy a digital certificate either to the user or to the user's device so when the user signs in they must have a valid certificate and this replaces um or this is is very very useful uh for things like smart cards which is something that we we always struggled with in the past so that's really nice to see that coming in here now um as well as the authentication policies here there's a couple of other things that i in fact i'll just stay in there for a second um we also have some monitoring tools here so for example activity and this will just give you kind of you know how many of your users have registered maybe somebody started to register but abandoned it maybe they had problems so this this is really useful and it will show you how the user is authenticated here now i honestly can't talk about security top tips without going back into security here and in fact actually let's go back into azure ad you must have a look here at the sign in logs individual users you can go to my sign ins dot microsoft.com and you can look at your own sign-in logs and of course what you're looking for is any what shall we say unscrupulous activity so you can see if i scroll down here most of these sign-ins are um successful but what we're typically looking for is failures to sign in so if there is a particular if there is a failure to sign in it shows me who's coming in um there is a diet a very good diagnostic tool here so for example if somebody's logging in um trying to steal your your password of course we already know your username it's your email address and what hackers will typically try and do is they will try and hack in and obviously use your password but of course mfa and this passwordless authentication this completely removes that threat and it's absolutely brilliant so the sign in show you where the user is coming in from the ip address the location what device what browser they're using what authentication method they're using and also as always if they're being hit by a conditional access policy so um just be familiar with those sign-in logs and also um like i just mentioned in the security area definitely think about either mfa or some of those other authentication methods they will increase your security standing a thousand percent so there you have it my top five security tips i really hope you found that useful if you did i'd really appreciate you hitting that like button giving me a big thumbs up it really does help my channel so um top five things um comments questions like anything like that get them down below and i'll do my best to answer them of course and if you're not subscribed go ahead click on that subscribe button ring the bell and you won't miss out on any future postings all right so that's it for this week i really appreciate you stopping by and you stay safe and i'll see you soon take care hey thanks so much for dropping by today here's a couple of videos that you may enjoy and while you're here go ahead click on the subscribe button and you won't miss out [Music]
Info
Channel: Andy Malone MVP
Views: 27,991
Rating: undefined out of 5
Keywords: Microsoft 365 Security tips, microsoft 365 security center, MFA, Microsoft 365 Admin Tips, Andy Malone MVP
Id: kGaqw7i5TOI
Channel Id: undefined
Length: 30min 3sec (1803 seconds)
Published: Sat Feb 05 2022
Related Videos
Microsoft 365 - What NOT to do when Employees Leave!
Andy Malone MVP
47K
Don’t do this! Top 7 Microsoft 365 Admin Nightmares
Andy Malone MVP
30K
Phishing Resistant MFA How it Works!
Andy Malone MVP
10K
Is Microsoft Loop the End of OneNote?
Jonathan Edwards
255K
How to Check if Someone is Remotely Accessing Your Computer
Britec09
446K
Social Engineering - How Bad Guys Hack Users
IBM Technology
42K
Microsoft 365 DLP (Data Loss Prevention Policies) How they work & Why YOU need them NOW!
Andy Malone MVP
28K
Understanding Microsoft 365 Groups Vs Teams Deep Dive
Andy Malone MVP
29K
My 12 Favourite Microsoft 365 Security Features
Jonathan Edwards
2.6K
OneDrive for Business - How it Really Works!
Andy Malone MVP
46K
Microsoft 365 New external access features that you MUST know!
Andy Malone MVP
15K
Microsoft Defender for Office 365 - How to Protect Your Email from Hackers
Jonathan Edwards
5.3K
Microsoft 365 Guest Access: How it really works, and how to avoid the big mistakes!
Andy Malone MVP
38K
Don't get Hacked! Essential Admin Skills for Defender for Endpoint
Andy Malone MVP
9.8K
Don’t get Locked Out of Azure AD! Use Emergency Access Accounts
Travis Roberts
2.8K
Entra ID (Formally Azure AD) - A beginner's guide!
John Christopher
7.9K
Stop hackers from stealing your Microsoft 365 user's passwords
Merill Fernando
12K
Get Started with Microsoft Defender for 365
Andy Malone MVP
34K
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.