One of the most obvious ways to improve your cyber security is to make sure your Microsoft 365 environment is configured securely from the outset. There are a number of different areas to consider, and every organisation will make different decisions about each of them.
Getting your core security right for you
You need to decide your security posture before you can apply it to your Microsoft 365 environment.
- How locked down does each system or environment need to be?
- Should employees be able to access company resources from outside the office, or from outside the country?
- Which devices can users sign in from: managed corporate devices only, or any device?
- Can employees read their email on mobile devices, and if so, through which apps and under what controls?
- What is your approach to passwords and authentication (length, multi-factor authentication, passwordless)?
There is a long list of things you could consider as part of your security posture that can be applied to Microsoft 365.
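Two of the posture questions above (access from outside the country, and which devices may sign in) map directly onto Entra ID Conditional Access. The following is an added example, not code from the original article: it creates a named location for the countries you operate from and two policies, both in report-only mode so the impact can be checked in the sign-in logs before enforcing. It uses the Microsoft Graph PowerShell SDK; the tenant name, country list, policy names and break-glass account are assumptions.

```powershell
# Added example (not from the original article). Requires the Microsoft Graph PowerShell SDK.
# Names, the country list and the break-glass account are assumptions for illustration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# A break-glass account excluded from every policy, so a mistake cannot lock out all admins.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.onmicrosoft.com'").Id

# 1. "Outside the country?" - a named location listing the countries you operate from.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("GB", "IE")
    includeUnknownCountriesAndRegions = $false   # decide explicitly how unresolved IPs are treated
}

# Block sign-ins from everywhere except the allowed countries.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA01 - Block sign-in from outside allowed countries"
    state       = "enabledForReportingButNotEnforced"   # report-only first; switch to "enabled" after review
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 2. "Which devices can users sign in from?" - require an Intune-compliant or Entra hybrid joined device.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA02 - Require managed device for all apps"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"   # either control satisfies the policy
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}
```

Leave both policies in report-only for a week or two and read the "Report-only" column in the sign-in logs before enabling them; the most common lock-out is a device policy enforced before every device is actually enrolled.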
SharePoint security
Another core element of Microsoft 365 security is SharePoint. SharePoint holds a large share of your sensitive data and documents and needs to be treated as a permissions exercise in its own right.
One of the most common mistakes is to overlook permission inheritance. By default every library, folder and file inherits the permissions of the site it sits in, so anyone granted access at site level can reach every library below it unless inheritance has been deliberately broken. Users end up with access to areas of SharePoint by accident, and that is how data ends up exposed.
Consider the key HR and finance document libraries in particular: break inheritance so they no longer follow the site's permissions, exclude them from search results, and ensure only the people who need them have access.
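The audit-then-lock-down sequence for a sensitive library, as an added example using PnP PowerShell (not code from the original article). It lists which libraries on the site still inherit the site's permissions, then breaks inheritance on the HR library, removes the inherited grants, hides it from search and grants a single group. The site URL, app registration ID, library name and group name are assumptions.

```powershell
# Added example (not from the original article). Requires PnP.PowerShell.
# Site URL, app registration ID, library and group names are assumptions.
$siteUrl = "https://contoso.sharepoint.com/sites/HR"
$appId   = "00000000-0000-0000-0000-000000000000"   # your own Entra app registration for PnP
Connect-PnPOnline -Url $siteUrl -Interactive -ClientId $appId

# 1. Audit: which document libraries inherit from the site and which have unique permissions?
#    A library that still inherits is reachable by everyone who has access to the site.
$libraries = Get-PnPList -Includes HasUniqueRoleAssignments, NoCrawl |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }   # 101 = document library

foreach ($lib in $libraries) {
    $state = if ($lib.HasUniqueRoleAssignments) { "UNIQUE" } else { "INHERITS from site" }
    "{0,-40} {1,-20} NoCrawl={2}" -f $lib.Title, $state, $lib.NoCrawl
}

# 2. Lock down the HR library: stop inheriting, drop the inherited grants (CopyRoleAssignments:$false
#    keeps only the account running this, so run it as someone who should retain access), clear any
#    unique permissions set on folders or files beneath it, and keep it out of the search index.
Set-PnPList -Identity "HR Documents" -BreakRoleInheritance -CopyRoleAssignments:$false -ClearSubscopes -NoCrawl

# 3. Grant only the HR SharePoint group, then print what is left so the result can be checked.
Set-PnPListPermission -Identity "HR Documents" -Group "HR Team" -AddRole "Edit"

$list = Get-PnPList -Identity "HR Documents" -Includes RoleAssignments
foreach ($ra in $list.RoleAssignments) {
    $member = Get-PnPProperty -ClientObject $ra -Property Member
    $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
    "{0} -> {1}" -f $member.Title, (($roles | ForEach-Object Name) -join ", ")
}
```

The final loop is the check worth keeping: after breaking inheritance you should see only the HR group (and the account that ran the script) listed, with nothing left over from the site's Members or Visitors groups. Run the audit loop again periodically, because anyone with Full Control on the site can reset inheritance later.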
Roles and responsibilities
Managing roles and permissions effectively within Microsoft 365 is a cornerstone of a strong cybersecurity posture. The principle of least privilege should be your guiding star: grant users only the necessary access to perform their tasks, nothing more.
Microsoft 365 offers a granular system of roles, from broad administrative rights to specific permissions within applications like SharePoint, Teams, and Exchange. Carefully assigning these roles minimises the potential impact of a compromised account.
For instance, instead of granting everyone global administrator rights, assign specific administrative roles tailored to individual responsibilities. Regularly review these assignments and remove unnecessary permissions as roles evolve.
Implementing custom roles can further refine control, allowing you to define precise levels of access for specific tasks. This reduces the attack surface by limiting what a compromised user can do. Moreover, consider implementing Privileged Identity Management (PIM) to provide just-in-time, time-bound access to sensitive roles, requiring approval and audit trails for elevated privileges.
By meticulously managing roles and permissions, you create a layered security model where unauthorised access and accidental data breaches are significantly reduced. Bridgeall can assist you in auditing your current permissions structure and implementing a robust role-based access control strategy within your Microsoft 365 environment.
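The review of administrative assignments described above can be scripted. The following is an added example, not code from the original article, using the Microsoft Graph PowerShell SDK: it lists who holds Global Administrator permanently versus who is only PIM-eligible and has to activate the role, and raises a warning when the permanent count exceeds a threshold. The threshold is an assumption; the role template ID is Microsoft's fixed ID for the Global Administrator role.

```powershell
# Added example (not from the original article). Requires the Microsoft Graph PowerShell SDK.
# The threshold is an assumption; the role template ID is the fixed Global Administrator ID.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "RoleEligibilitySchedule.Read.Directory", "Directory.Read.All"

$globalAdminRoleId = "62e90394-69f5-4237-9190-012177145e10"   # Global Administrator role template
$filter = "roleDefinitionId eq '$globalAdminRoleId'"

function Get-PrincipalLabel($principal) {
    # Expanded principals come back as generic directory objects; the useful fields sit in AdditionalProperties.
    $p    = $principal.AdditionalProperties
    $type = $p['@odata.type'] -replace '#microsoft.graph.', ''
    $name = if ($p['userPrincipalName']) { $p['userPrincipalName'] } else { $p['displayName'] }
    "{0} ({1})" -f $name, $type
}

# Permanent (active) assignments: these accounts are Global Administrator all the time.
$permanent = Get-MgRoleManagementDirectoryRoleAssignment -Filter $filter -ExpandProperty Principal -All
"Permanent Global Administrators: $($permanent.Count)"
$permanent | ForEach-Object { "  " + (Get-PrincipalLabel $_.Principal) }

# PIM-eligible assignments: these accounts must activate the role (MFA, justification, approval, time-bound).
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule -Filter $filter -ExpandProperty Principal -All
"PIM-eligible Global Administrators: $($eligible.Count)"
$eligible | ForEach-Object {
    $end = if ($_.ScheduleInfo.Expiration.EndDateTime) { $_.ScheduleInfo.Expiration.EndDateTime } else { "no expiry" }
    "  " + (Get-PrincipalLabel $_.Principal) + " (eligible until $end)"
}

# Microsoft's guidance is fewer than five Global Administrators in total. Permanent assignments should
# be limited to break-glass accounts; everyone else should be eligible. Anything above the threshold
# is a finding for the review.
$threshold = 2
if ($permanent.Count -gt $threshold) {
    Write-Warning "$($permanent.Count) permanent Global Administrators; expected at most $threshold (break-glass only)."
}
```

Service principals show up in the permanent list with their object type, which is useful: an app registration holding Global Administrator is a common leftover from a migration or a trial that nobody remembers granting.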
Guest access
Managing guest access in a Microsoft 365 tenant effectively is crucial for secure collaboration. How much this matters depends on your business model: some organisations can operate without any guests in their environment, while others collaborate heavily with other companies.
The key with guests is to have a process for granting guest access and to restrict it to just what they require. All of this can be managed in Entra ID, but knowing what you want the outcome to be is critical. Note that conditional access and multi-factor authentication can be enforced for guests as well as for your own users.
Having an approval process and a regular review of guest access is key here. By carefully planning and consistently managing guest access through Entra ID and established policies, businesses can foster effective external collaboration while maintaining a secure Microsoft 365 environment.
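The tenant-level settings and the periodic review mentioned above, as an added example using the Microsoft Graph PowerShell SDK (not code from the original article). It restricts who may invite guests, limits what guests can see in the directory, and builds the review list of every guest with a suggested action. The 90-day window is an assumption; the role ID is Microsoft's fixed "Restricted Guest User" ID. A Conditional Access policy requiring MFA for guests sits alongside this and is not repeated here.

```powershell
# Added example (not from the original article). Requires the Microsoft Graph PowerShell SDK.
# The 90-day review window is an assumption; the role ID is the fixed "Restricted Guest User" ID.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "User.Read.All"

# 1. Only administrators and members of the Guest Inviter role may invite, and guests are restricted
#    so they cannot enumerate other users, groups or directory properties.
Update-MgPolicyAuthorizationPolicy `
    -AllowInvitesFrom "adminsAndGuestInviters" `
    -GuestUserRoleId "2af84b1e-32c8-42b7-82bc-daa82404023b"

# 2. Review list: every guest, whether they ever accepted the invitation, and how old the account is.
$cutoff = (Get-Date).AddDays(-90)
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, UserType, ExternalUserState, CreatedDateTime, AccountEnabled

$report = foreach ($g in $guests) {
    $reason = $null
    if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff) {
        $reason = "invitation never accepted"      # invite sent but never redeemed: remove it
    } elseif (-not $g.AccountEnabled) {
        $reason = "disabled but not deleted"       # blocked guests still appear in sharing dialogs
    }
    [pscustomobject]@{
        DisplayName = $g.DisplayName
        Mail        = $g.Mail
        State       = $g.ExternalUserState
        Created     = $g.CreatedDateTime
        Action      = if ($reason) { "REMOVE: $reason" } else { "confirm with internal sponsor" }
    }
}
$report | Sort-Object Created | Format-Table -AutoSize

# Guests the sponsor no longer vouches for are removed with: Remove-MgUser -UserId <id>
```

The "confirm with internal sponsor" rows are the approval process in practice: every guest should have a named person inside the business who re-confirms the need at each review, and a guest with no sponsor left in the organisation is removed.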
Microsoft 365 is an extremely flexible platform, and deciding how secure and locked down you want yours to be is the critical first step in designing an approach for your business. The platform can be configured to meet your exact criteria throughout. Most organisations do not put enough care into configuring their Microsoft 365 security, so reviewing your approach is essential.
At Bridgeall we have certified Microsoft 365 security consultants that carry out independent reviews for our clients, find out more here.