Back to blog

How to Properly Establish and Maintain Office 365 Security for Tenants

Sep 23, 2019 by Natalie Frith

On-demand webinar: Office 365 Security for the busy Admin

A couple of months ago we hosted a webinar on Microsoft Office 365 security with Doug Davis, who heads up Reporting and Analytics here at Quadrotech. When organizations migrate to the cloud, security becomes a major concern and the undertaking can understandably seem daunting. With an estimated 50 billion access points, anything that can connect to the web can try to access your Office 365 tenant. However, controlling the entry points is not as complex as one might think. If you diligently utilize the proper tools and follow a set of guidelines, as an Office 365 Administrator on your tenant you can efficiently keep your environment secure. We thought it would prudent to explore this topic more in-depth and provide you with some information and tools to get you started down the right path.


In the webinar, Doug discusses what types of tools are at your fingertips and outlines some general best practices. He reviews his definition of what is considered a ‘secure’ Office 365 tenant, why some tools can give a false sense of security, what Microsoft’s Secure Score means for your organization, how to determine if your tenant is truly secure, how to mitigate risk and lock down your Office 365 Tenant, and how to prevent a secure tenant from creeping back to insecurity. This blog will recap some of the key takeaways and provide additional resources around the subject so you can better educate yourself on Office 365 Security.

Getting Started

Before starting the process of configuring and securing an environment with a tenant, consider reviewing the Microsoft security roadmaps first. These resources outline what a company should do in the first 30 days and 90 days, setting a baseline configuration for security and governance. Within the first 30 days, the recommended tasks will help you rapidly configure basic admin protections, logging, and analytics, basic identity protections while configuring tenants and prepping stakeholders – all with minimal impact to users. The 90-day roadmap recommendations are more comprehensive, offering advanced protections around admin, data and user accounts. The 90-day roadmap also provides increased visibility into compliance, threats and user needs, allowing you to adapt and implement default policies and protections.

Defining a Secure Office 365 Environment

Once you’ve got a grasp on your security roadmap, you’ll want to establish some guiding principles as you begin configuring your secure Office 365 environment. Here’s a snapshot of the five filters that Doug has identified as crucial cornerstones for security: first, you literally need to “lock the door” – make sure you have things structured to only allow approved logins. Second, you need to ensure that your settings are security-centric and configured in as secure a model as possible. Third, you should be tracking all instances of intrusions. Fourth, you’ll want to make sure that significant security areas are being monitored, and that you’ve set up alerts on main threats. Lastly, it’s important that Governance is applied and automated.

Granted, Microsoft has built-in some effective security settings, but it is important to know that they are “evergreen” – meaning Microsoft can update them at any time.  The settings are also not centralized in one location, so depending on your role, or the tier, you must go to multiple sections for configuration. While these settings will help initially secure your environment, it is not a stable, long-term solution. Threats to your organization are not always external; sometimes the threat can come from accidental or intentional employee behavior.

Quadrotech’s Unique Auditing Log

Doug explains how Quadrotech’s Office 365 Reporting & Auditing tool can mitigate these risks by enabling you to detect and investigate suspicious activity in Office 365. You can validate that security policies are working effectively, and then create new policies based on a clear understanding of activity and vulnerabilities. It allows you to identify external attacks on your environment, such as brute force password attacks or user credential leaks. The tool can also generate an audit log of activity in Office 365 for a particular user, or a particular timeframe. As a feature within our new Nova platform, our Office 365 security and auditing solution enables you to quickly see all activity in your environment in a clear, customizable timeline view, with a range of audit reports highlighting different areas of vulnerability. The audit data is retained for a year, with the option to extend this further.

Microsoft Secure Score

Another robust tool that Doug recommends to gauge and improve your security posture is Microsoft Secure Score. With Secure Score, you are given points for configuring recommended security features, performing security-related tasks like viewing reports or addressing the improvement action with a third-party application or software. Some actions are scored for partial completion, like enabling multi-factor authentication (MFA) for your users. The name Secure Score can be a little misleading – “It’s actually a little bit of a misnomer because your Secure Score is not an indication of how secure your Office 365 might be,” Doug explains. What that means is a high score does not necessarily mean that you are secure, and a low score doesn’t mean that you aren’t secure. Scores are determined differently for each organization. This feature takes into account all of your services and settings and calculates the score based on whether or not the settings have been configured correctly. Doug provides a demo of Secure Score in the webinar and highlights the importance of leveraging this tool to minimize exposure to significant risks.

Avoiding ‘Creep’ in your security/configurations

Your job doesn’t end there. Once you’ve taken all the proper precautions to secure your environment, you’ll need to get serious about Governance in order to avoid the “Insecurity Creep.” You need to review settings occasionally to make sure that your environment doesn’t creep back into being insecure. The creep can happen when user permissions access is changed to allow everyone access to a directory or file for a temporary project, MFA is turned off, or difficult battlefield decisions come into play. In the webinar, Doug outlines a simple governance list to eliminate any guesswork.

To learn more about Doug’s governance list, his definition of security, and our Office 365 Reporting & Auditing Tool, download the on-demand webinar here. For more information around our Office 365 Reporting and Analytics tool, please contact us

For additional clarity, we’ve paraphrased some of the Q&A from the webinar below:

Q. Can you search by compliance controls under the improvement action screen?
A. So, unfortunately, not as I can see it. Even though every “action” has a list of compliance controls that it applies to you can’t filter or search by those. This would be a good feature in Secure Score that Microsoft would have to implement.

Q. Doug’s simple governance list goes against some of Microsoft’s specific guidelines
A. My list is exactly that, a simple list to get you started then you can expand and dig into all the big lists out there. Some of which have 1000s of items, so this is just a starting point but closed a lot of the initial doors that are left open.

Q. What’s your advice on updating your on-premise security policies to adapt to cloud platforms?

A. So my main advice would be to start using Secure Score, as well as the new exposure score recently rolled out, then apply a proactive governance tool, like the Governance Dashboard in Nova.

Exposure score – Your exposure level reflects how vulnerable your organization is to cybersecurity threats. Apply the Threat & Vulnerability Management security recommendations to keep your exposure level low. More information can be found on this Microsoft doc on Secure Score.

Q. Is there a way to change the default 90 days of logs to 365 days? I heard this was going to change to default 365 but have not seen it available

A. Don’t think you can change the defaults, those are controlled by Microsoft. According to this article which was recently updated, it’s still in private preview.

Q. Doesn’t E5 have 365 days of logs?

A. Again, looks like it’s still in private preview. Also, E5 is very expensive so if you don’t need all the other features you will get in the 90/180-day range then this might not be the right fit. If you’re just looking for longer data retention, our auditing tool would still cover you after 1 year.

If you’re a time-poor Admin looking for ways to increase your tenant’s security, don’t miss this must-watch webinar. Download Doug’s on-demand session here.