By Ari Apedaile   /   Jun 23rd, 2020

Microsoft Office 365 Security Best Practices to Protect Your Organization

You’ve likely heard the saying, “There is no cloud, only other peoples’ computers.” Hosted environments like Microsoft Office 365 for email, calendars, file sharing, and so on are a great option for many organizations world-wide. However, Microsoft hosting does not absolve you from the responsibility of securing your environment; Microsoft offers some great tools to help you up your security. Here’s the Office 365 security best practices you need to know to keep your users as safe as possible.

Basic Office 365 Security Best Practices

Enable Unified Audit Logging – Logs are key to tracking, monitoring, and searching for configuration changes, failed and successful user logins, and permission changes. Enabling Unified Audit Logging is a gamechanger in the event of an incident. Enabling Unified Audit Logging is easy. Go to as an Administrator, click on Search, Audit Log Search and if it is not already enabled, you will see a banner allowing you to “Turn on auditing”.

Create Strong Password Requirements and Account Lockouts – Longer passwords are harder to guess or crack and reduce the likelihood that an account can be accessed.  LMG Security recommends a minimum of 16 characters in length. This is not only an Office 365 security best practice, but also a best practice for any password. Encourage your users to think in terms of passphrases. Music lyrics, the opening line of a favorite novel, movie quotes – include spaces and punctuation for complexity – and you’ll have a strong, but easy to remember password. Having Account Lockouts (available only in combination with Azure Active Directory Sync – see below) can mitigate the amount of times an incorrect password can be entered. Typically, a policy with 3-5 password failures within a 30-60 minute window will deter or eliminate brute-force password guessing attacks.

Enable Multi Factor Authentication (MFA) – MFA is a second layer of defense against account compromise; it requires a secondary authentication method to access an account. If you aren’t able to do that for all accounts initially, start with high-risk Administrator accounts and highly-targeted accounts, such as accounting, executives, and human resources. For the best security, enable MFA for all accounts.

Utilize the Message Trace Utility – Using Message Trace can help you identify a compromise to an account, by identifying what IP address emails are being sent from and determine if messages were sent from legitimate locations. Message trace can also help identify any phishing or spam emails that were sent from specific accounts within your tenant.

Advanced Threat Protection (ATP) – ATP is typically a paid feature unless you have a E5 or above subscription. ATP includes functions like safe attachments and safe links that will catch any type of malicious threat before it can be opened or launched. It also has robust anti-phishing protection that can detect attempts to impersonate users, and internal or custom domains. Adding ATP is an Office 365 security best practice and is helpful if your organization can afford it.

Advanced Office 365 Security Best Practices

Setup Alerts for New-Inbox Rule Creation and Permission Changes – Alerts can be configured for multiple failed login attempts, new rule setup forwarding emails outside of the domain, and password changes, all of which can help you detect an incident instantly. Attackers often set up rules to forward incoming emails to an external email address. With alerts setup, you can detect any new inbox or forwarding rules put in place and disable or delete them before messages are forwarded.

Setup Geological Location IP Blocks – If your business model allows it, reduce international logins or logins from specific countries to drastically reduce your risk of compromise. The blocks can incorporate exceptions in the event of travel to those locations. Communication from and account logins from can be enabled per IP or specific location.

Setup Azure Active Directory (AD) Sync – Allowing this sync to your on-premise AD can help further monitor activity by users, as well as provide lots of additional security and usage reports. Azure AD is included with Office 365 subscriptions and can be used as a second layer of defense in securing your environment. Depending on licensing, there are some excellent products that can be used, such as identity protection and privileged identity management. Azure AD also allows for a more granular level of group and user management than Office 365.

Expert Office 365 Security Best Practices

Setup Anti-Malware and Ransomware Protection in Office 365 – In the Security and Compliance Center at, choose Threat Management and enable policies for Anti-Malware. You can control which types of attachments to allow or block. To protect against ransomware, choose the Exchange Admin Center and configure Mail Flow to create rules to notify users of increased threats from attachments by filtering on common ransomware extensions. You can also configure the rule to block mail entirely based on business needs and necessity.

Restrict Auto-Forwarding for Email – Mail Flow in the Exchange Admin Center allows you to create rules that will restrict any type of auto-forwarding to external domains. Put these restriction policies in place to ensure that no rules can be created and greater strengthen your security posture when it comes to threats.

Use Office 365 Message Encryption – Encryption is available within all Office 365 subscriptions and can be utilized to encrypt outgoing email so that the recipient is required to use a secure link or password in order to read it.

Take your security to the next level by implementing these Office 365 security best practices by using tools that are already available and putting them to work for you. If you need help securing your systems or advice on developing cybersecurity policies and procedures, call us. Our expert team can help.

About the Author

Ari Apedaile

Ari Apedaile is a Cybersecurity consultant for LMG Security. Ari has experience in cloud engineering, networking, server farm hosting, incident response and digital forensics. Ari also works as a Cybersecurity Intelligence Analyst as part of the Montana National Guard Defense Cyber Operations Team and assists with securing operations for the State of Montana. As a forensics professional, Ari specializes in incident response, ransomware cases, Office 365 business email compromises and wire fraud transactions. Ari has a Bachelor’s Degree in Computer Science from Hawaii Pacific University and previously worked as a cloud engineer/network administrator for over 7 years.