top of page
  • Writer's pictureChaz Vossburg

7 Best Practices for Office 365 Administration

We all know Office 365 is an enormously powerful productivity suite that simplifies the day-to-day for end users, but what’s often overlooked are the “out of the box” settings, which can leave your critical data and communications vulnerable. Conversely, locking down access and permissions within the environment can eliminate many of the advantages that Office 365 provides.

Properly administering Office 365 is essential in order to strike a balance between security, ease-of-use, and availability.  While there is plenty to consider when deploying Office 365, especially related to your unique business needs, this post will help find that balance by highlighting what we continue to see as the seven critical best practices for administrating Office 365.

Enable Multi-Factor Authentication (MFA)

This is a must-do for practically every Microsoft 365 install and, unfortunately, not something that is turned on by default.  Office 365 multi-factor authentication adds an additional layer of security, making it exponentially more difficult for an attacker to successfully compromise your environment.  With it, users can authenticate via mobile app, text messaging, or via voice call, and for apps that do not support MFA, app passwords may be created.

Configure Office 365 Company Branding

According to Verizon’s 2019 Data Breach Investigations Report, 81% of hacking-related breaches are due to end-user error; weak credentials or using credentials on a spoofed landing page.  Company branding doesn’t necessarily perform any type of security function, but branded pages indicate to users that they are on the correct page, as opposed to a fake phishing page, and can supply their credentials safely.

Configure Office 365 Auditing

In addition to regular data protection and compliance settings, Office 365 has several auditing and reporting features, such as alerts, permissions, threat management, and eDiscovery that can be used to track user and administrative activity within their tenant.  This includes any tenant configuration settings that have been made in Exchange Online or SharePoint Online, as well as changes made by users to documents and other items.  Additionally, for organizations in regulated industries that are subject to extensive compliance requirements, Office 365 Service Assurance provides the ability to perform regulatory risk assessments to help stay in compliance.

Review Secure Scores

A more recent feature enhancement of Office 365 provides dashboards that check your tenant configuration against the latest best practices.  As an administrator, you can either take immediate action or get advice on the steps necessary to improve an individual score.  As these are continuously evolving, regular review and remediation are highly recommended.

To learn more and view a sample page: Microsoft Secure Score

Limit Administrator Access

It is highly recommended that Office 365 administrators perform periodic checks to understand the access granted for each user and determine if changes need to be made. In addition to Global Administrators, there are specific workload administrator roles, like Exchange, user management, and license administrators, that need to be reviewed regularly.  Best practices provide the following recommendations:

  1. Have at least two, but not more than four, global admins

  2. Assign the least permissive role necessary, which means to provide only the access needed for a specific purpose. If you want to maintain an account to be able to reset passwords but not perform other admin functions, assign a limited admin role, like Password admin.

  3. Maintain a single ‘break glass’ account, which is a synced Active Directory account with Global admin, does not have MFA and is disabled in Active Directory. As we’ve previously stated, MFA is recommended for all users, but in the event of MFA failure, you can still enable this account and access as an admin.

Perform Phishing Checks

According to Small Business Trends, 1 in 99 emails is a phishing attack.  This is roughly five emails per employee per week.  CNBC reports that cyberattacks are costing small businesses $200,000 on average, and can cost large enterprises tens of millions of dollars in data and productivity losses.  Office 365 has a number of tools in place to prevent these emails from reaching end users, so it is imperative that you familiarize yourself with and utilize the resources available in the Microsoft Security Center, as well as educating users on how to protect themselves from phishing attempts.  Recently, Microsoft launched Attack Simulator in Office 365, which allows you to start a fake phishing attack on your users.  It provides built-in reports that pinpoint the most vulnerable users and proactively works to secure and educate them.

Redirect Windows Common Folders to OneDrive for Business

Administrators have long struggled with end-users storing important documents and data locally on their desktop or in the My Documents folders.  Despite the existence of network drives and assigned home folders, users still like to keep things where they are most comfortable.  Administrators can now enforce redirection of these folders to OneDrive via Group Policy, while not affecting any change for the end-user.  They can still use these folders as they’ve always done, while in the background the OneDrive client will sync the files with the cloud.

Implementing these seven best practices for Office 365 Administration help to protect your investment and your data, but nothing replaces experience.  Contact one of our Office 365 experts and see what Wellforce can do for you.


Recent Posts
bottom of page