Microsoft has every incentive to ease your business into Office 365. Setup wizards, help videos, live telephone support — your transition to the cloud will be met with helping hands from the mothership all along the way. But the process isn’t necessarily foolproof. It’s still very possible to end up with an unsecured, minimally functional Office 365 environment even if you followed all of the helpful guides to the letter.
Also, it’s essential to remember that default settings are built for the lowest common denominator. They’re designed to get the average admin and the average user active in the system with the least amount of fuss. That doesn’t mean these settings are solid decisions, tailored to your optimal environment. They’re simply the easy ones.
And when have our jobs ever been about taking the easy route?
To ensure you have a solid foundation for your Office 365 deployment, you have to get the settings just right. If you want email to arrive safely to its destination free of malware or sensitive information, or your admin portal to be hardened against all but the most complex of tasks or your users’ mobile devices to be more of a productivity booster than a liability, you’ll have to go beyond Office 365’s defaults.
Here’s how to ensure your Office 365 environment is set up right.
When you first set up Office 365, you are prompted to configure your domains’ DNS to work with Office 365. Microsoft provides records for mail routing (MX), autodiscover (CNAME), and SPF (Sender Policy Framework). Failure to apply the correct settings here can mean complete loss of mail flow or lack of client connectivity.
List all authorized domains, including third-party services, as authoritative domains in Office 365’s Exchange admin center to ensure email delivery to all of your recipients.
SPF is a special consideration. This record type is used to inform other mail systems whether email from your domain is coming from an authorized system. The record provided by Microsoft is suitable if the only place your email will ever originate is Office 365. Often this is not the case, however, because you might use third-party tools such as Salesforce or MailChimp to send email on behalf of your domain or apps. In order to ensure delivery to your recipients, be sure to include any of these services in your SPF record. More information on SPF syntax can be found at The SPF Project.
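As an added example (not part of the article), the following PowerShell builds an SPF record for a domain that sends from Office 365 plus two third-party services, and then evaluates it offline the way a receiving mail server would. Only `spf.protection.outlook.com` is Microsoft's real include; the vendor include names, the IP ranges and the TXT contents in the lookup table are constructed placeholders, and the table itself stands in for real DNS so the script runs without network access. The evaluator also enforces the RFC 7208 limit of ten DNS-querying mechanisms, which is the usual way a record with too many vendor includes breaks delivery.

```powershell
# Added example, not the article's own code. Constructed stand-in for DNS TXT lookups; in
# production replace the table lookup in Test-SpfAuthorized with something like:
#   (Resolve-DnsName -Name $name -Type TXT).Strings -join ''
$FakeTxt = @{
    'spf.protection.outlook.com' = 'v=spf1 ip4:40.92.0.0/15 ip4:40.107.0.0/16 -all'          # constructed content
    '_spf.crm-vendor.example'    = 'v=spf1 ip4:203.0.113.0/24 -all'                          # placeholder vendor
    '_spf.newsletter.example'    = 'v=spf1 include:_spf.crm-vendor.example ip4:198.51.100.10 -all'
}

function New-SpfRecord {
    param([string[]]$Includes)
    # One include per authorized sender, then -all so everything else hard-fails.
    $terms = @('v=spf1') + @($Includes | ForEach-Object { "include:$_" }) + @('-all')
    return ($terms -join ' ')
}

function ConvertTo-IpInt {
    param([string]$Ip)
    # Dotted quad -> 32-bit value held in a [long] to avoid unsigned-shift surprises.
    $b = ([System.Net.IPAddress]$Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Test-IpInCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $mask = [long](4294967295 - [math]::Pow(2, 32 - [int]$bits) + 1)   # e.g. /24 -> 0xFFFFFF00
    return (((ConvertTo-IpInt $Ip) -band $mask) -eq ((ConvertTo-IpInt $net) -band $mask))
}

function Test-SpfAuthorized {
    param([string]$Record, [string]$SenderIp, [ref]$LookupCount)
    foreach ($term in @($Record -split '\s+' | Select-Object -Skip 1)) {
        switch -Regex ($term) {
            '^ip4:(.+)$' {
                if (Test-IpInCidr $SenderIp $Matches[1]) { return 'pass' }
            }
            '^include:(.+)$' {
                # RFC 7208: more than 10 DNS-querying mechanisms is a permanent error.
                $LookupCount.Value++
                if ($LookupCount.Value -gt 10) { return 'permerror' }
                $child = $FakeTxt[$Matches[1]]
                if (-not $child) { return 'permerror' }           # include target has no SPF record
                if ((Test-SpfAuthorized $child $SenderIp $LookupCount) -eq 'pass') { return 'pass' }
            }
            '^-all$' { return 'fail' }
            '^~all$' { return 'softfail' }
        }
    }
    return 'neutral'
}

$record = New-SpfRecord -Includes 'spf.protection.outlook.com', '_spf.crm-vendor.example', '_spf.newsletter.example'
"TXT record to publish: $record"
foreach ($ip in '40.92.10.10', '198.51.100.10', '192.0.2.5') {
    $lookups = 0
    $verdict = Test-SpfAuthorized $record $ip ([ref]$lookups)
    "{0,-15} -> {1,-9} ({2} DNS lookups)" -f $ip, $verdict, $lookups
}
```

The three sample senders exercise the three outcomes that matter here: an Office 365 address passes through the Microsoft include, the newsletter vendor's address passes only because its include was added to the record, and an unrelated address hard-fails on `-all`. The lookup counter is what to watch as vendors accumulate; once it passes ten, receivers treat the whole record as broken and delivery suffers for every sender, Office 365 included.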
Once you have full access to the Exchange admin center, you should verify that all of your domain names are listed and declared as authoritative (or of the appropriate relay type as necessary) under Mail Flow > Accepted Domains, as shown in the screenshot above.
Secure Mail Flow
You or your clients and vendors may require TLS encryption for email exchanges. Financial and health care providers will often be subject to government regulations that require this additional layer of protection. The default configuration provides opportunistic TLS encryption; in other words, Exchange Online will first try to connect to another mail system with TLS encryption and fail back to plain text if that doesn’t work.
To ensure enhanced TLS encryption for email sent between Office 365 and a partner organization, establish a mail flow connector.
If you require enforced TLS encryption, you will need to create two connectors: one for sending mail and one for receiving mail. To do so, open the Exchange admin center and navigate to Mail Flow > Connectors. Creating the sending connector is very straightforward. Click on the + (plus) sign and select “Sending from Office 365 to a partner organization.” Give the new connector a name and type an optional description. Finally, you will enter your partner organization’s domain name(s) and save the connector.
The connector for receiving mail is slightly more complicated but still rather straightforward. You begin as before by clicking the + sign. This time you will select sending from your partner organization to Office 365. You will then be prompted to specify whether you want to set this connector to apply to specific domain names or IP addresses. Choose whichever is appropriate for your scenario and enter the information on the next screen. Choose to reject any messages not sent using TLS encryption and optionally verify the TLS certificate. If you want to scope this domain to a specific IP range, you can do so here and save the connector.
The full details of configuring these connectors are available on Microsoft’s TechNet Library.
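The same two connectors, created with Exchange Online PowerShell rather than by clicking through the admin center, as an added example that is not from the article or from Microsoft's documentation. The partner domain, its sending IP range and the connector names are placeholders; `Connect-ExchangeOnline` is the current Exchange Online module's sign-in cmdlet (tenants of the article's era used a remote PowerShell session instead).

```powershell
# Added example, not the article's own code. Placeholder partner values:
$partnerDomain = 'partner.example'
$partnerIps    = '203.0.113.0/24'      # the partner's documented outbound mail range

Connect-ExchangeOnline

# Outbound: Office 365 -> partner. CertificateValidation refuses the session when the partner
# presents an untrusted certificate instead of silently falling back to plain text, which is
# what the default opportunistic TLS would do.
New-OutboundConnector -Name "TLS to $partnerDomain" `
    -ConnectorType Partner `
    -RecipientDomains $partnerDomain `
    -UseMXRecord $true `
    -TlsSettings CertificateValidation `
    -Comment 'Enforced TLS to regulated partner'

# Inbound: partner -> Office 365. RequireTls rejects any non-TLS session claiming this sender
# domain, and RestrictDomainsToIPAddresses scopes the connector so only the listed range may
# claim the domain at all. Add -RestrictDomainsToCertificate $true with -TlsSenderCertificateName
# if the partner's certificate subject should be verified as well.
New-InboundConnector -Name "TLS from $partnerDomain" `
    -ConnectorType Partner `
    -SenderDomains $partnerDomain `
    -SenderIPAddresses $partnerIps `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Comment 'Reject non-TLS mail from regulated partner'

# Verify both connectors came up enabled with the intended TLS behaviour.
Get-OutboundConnector "TLS to $partnerDomain"  | Format-List Name, Enabled, TlsSettings, RecipientDomains
Get-InboundConnector  "TLS from $partnerDomain" | Format-List Name, Enabled, RequireTls, SenderDomains, SenderIPAddresses
```

Scripting the pair has one practical advantage over the wizard: the two definitions sit next to each other in source control, so a later change to the partner's IP range or certificate is reviewed against both directions at once rather than fixed on one connector and forgotten on the other.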
Finally, you will want to ensure line-of-business applications, multifunction copiers, ticketing systems, and other applications and devices will be able to send through your new Office 365 account. There are three options available to you, and Microsoft has documented them all with step-by-step guides.
Now that all of your email and service settings are stored in the cloud, you must pay very close attention to your security settings. It takes only one lucky phishing attempt or social engineering call to give up the keys to the kingdom.
At a minimum, you should establish and use an administrator account that is separate from your main mailbox, and configure your other administrators in the same fashion. In addition, each administrator account should have an enforced minimum password length and expiration period (Service Settings > Passwords), use multifactor authentication (Users > Active Users > Set multi-factor authentication requirements > Set up), and hold only the minimum set of permissions required to do the job through Role Based Access Control (RBAC) settings (Exchange admin center > Permissions > Admin roles).
Administrator accounts should be set with the bare minimum number of permissions required to do the job through RBAC.
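An added example, not the article's own, that turns the three recommendations above into a repeatable check: list every Global Administrator and whether MFA is enforced, set the tenant password expiry, and create a least-privilege Exchange role group instead of handing out Organization Management membership. It uses the legacy MSOnline module (`Connect-MsolService`, the module of the article's era, where the Global Administrator role is still named "Company Administrator") alongside Exchange Online PowerShell. The domain, user principal names and role group name are placeholders.

```powershell
# Added example, not the article's own code. Placeholder tenant values:
$tenantDomain = 'contoso.example'
$helpdeskUser = 'admin-helpdesk@contoso.example'
$adminToEnforce = 'admin-jdoe@contoso.example'

Connect-MsolService
Connect-ExchangeOnline

# 1. Dedicated admin accounts with MFA: report every Global Administrator and its MFA state.
#    An admin account that is also someone's daily mailbox, or has no MFA, shows up here.
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId | Where-Object RoleMemberType -eq 'User'
$report = foreach ($member in $admins) {
    $user = Get-MsolUser -ObjectId $member.ObjectId
    $mfa  = ($user.StrongAuthenticationRequirements | Select-Object -First 1).State
    [pscustomobject]@{
        Admin    = $user.UserPrincipalName
        MfaState = if ($mfa) { $mfa } else { 'Disabled' }   # 'Enabled', 'Enforced', or nothing set
        Licensed = $user.IsLicensed                         # admin-only accounts need no mailbox license
    }
}
$report | Format-Table -AutoSize

# 2. Password expiration for the domain (the article's Service Settings > Passwords):
#    expire every 90 days and warn users 14 days ahead.
Set-MsolPasswordPolicy -DomainName $tenantDomain -ValidityPeriod 90 -NotificationDays 14

# 3. Enforce MFA on an admin account. 'Enforced' (not merely 'Enabled') means the user cannot
#    sign in until registration is complete.
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enforced'
Set-MsolUser -UserPrincipalName $adminToEnforce -StrongAuthenticationRequirements @($req)

# 4. Least privilege through Exchange RBAC: a help-desk group limited to recipient management
#    and password resets. The role names are built-in Exchange management roles.
New-RoleGroup -Name 'Helpdesk Recipient Admins' `
    -Roles 'Mail Recipients', 'Reset Password' `
    -Members $helpdeskUser `
    -Description 'Least-privilege recipient management for the help desk'

Get-RoleGroupMember 'Helpdesk Recipient Admins'
```

Run the first section on a schedule and diff the output: a new name in the Global Administrator list, or an account whose MFA state has dropped back to Disabled, is exactly the kind of change a phished or socially engineered admin session would leave behind.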
The security of your mail is equally important. The built-in Exchange Online Protection offers basic forms of protection against spam and malware but doesn’t prevent address spoofing. You should spend some time evaluating third-party products to provide a solid email security foundation for your Office 365 environment.
You should also consider creating transport rules to match against common financial and personal data types. You can do this using Data Loss Prevention (DLP) templates that create transport rules you can tweak, or you can create transport rules directly using sensitive information types. To create a transport rule to block the sending of unencrypted credit card numbers and Social Security numbers, open the Exchange admin center and navigate to Mail Flow > Rules. Click on the + sign and choose “Generate an incident report when sensitive information is detected …” Choose the type of sensitive information you want to detect, select a recipient to notify and the information included in the notification, and (optionally) add an extra action to block the message with or without a Non-Delivery Receipt (NDR).
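The rule described above, expressed with `New-TransportRule` rather than the Mail Flow > Rules wizard, as an added example that is not the article's own. The notification mailbox is a placeholder; the two data classification names are the built-in sensitive information types the wizard offers.

```powershell
# Added example, not the article's own code. Placeholder notification recipient:
$reportTo = 'security-alerts@contoso.example'
$ruleName = 'Block unencrypted card and SSN data leaving the org'

Connect-ExchangeOnline

New-TransportRule -Name $ruleName `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @(
        @{ Name = 'Credit Card Number';                MinCount = 1 },
        @{ Name = 'U.S. Social Security Number (SSN)'; MinCount = 1 }
    ) `
    -ExceptIfMessageTypeMatches Encrypted `
    -GenerateIncidentReport $reportTo `
    -IncidentReportContent Sender, Recipients, Subject, Severity, RuleDetection, DataClassifications, IdMatch `
    -SetAuditSeverity High `
    -RejectMessageReasonText 'Blocked: the message appears to contain unencrypted payment card or SSN data.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

# -Mode Audit writes incident reports without blocking, so false positives (order numbers that
# look like card numbers, for example) surface before users start receiving NDRs. When the
# reports look clean, switch the rule to enforcement:
#   Set-TransportRule $ruleName -Mode Enforce
# To drop the message silently instead of returning an NDR, replace the two Reject* parameters
# with -DeleteMessage $true.

Get-TransportRule $ruleName | Format-List Name, State, Mode, MessageContainsDataClassifications, GenerateIncidentReport
```

The `-ExceptIfMessageTypeMatches Encrypted` exception is what makes this a rule about unencrypted data specifically: a message the user already protected with Office 365 Message Encryption or S/MIME passes, while plain-text mail carrying the same identifiers is reported and, once in Enforce mode, rejected.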
Mobile device settings
Most of your users will probably want to use their own mobile devices to access company email. This benefits the user in that they will only need to carry one device, and it benefits the company in that it doesn’t have to purchase and manage devices and contracts for its users. Those mobile devices, however, are now portable access points into your mail system or, if you use line-of-business applications or have a mobile VPN, your entire network.
If your users will be accessing Office 365 or email from their own devices, setting up Office 365 MDM is essential.
Once you have completed MDM setup, click on “Manage device security policies and access rules.” Click on the + sign to create a new policy, providing it with a name and optional description. There are a number of options available to you here. You can enforce PIN locking (or more complex passwords), sign-in failure counts, inactivity locks, device encryption, and preventing “rooted” or “jailbroken” devices from connecting.
You should at least configure a six-digit PIN, wipe after 10 failed attempts, force data encryption, and block rooted or jailbroken devices. This should prevent the largest number of basic attacks against your devices without greatly inconveniencing your users.
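Office 365 MDM policies are created in the portal as the text describes, and this added example (not the article's own) does not reproduce that policy. What can be scripted is the Exchange ActiveSync mobile device mailbox policy that sits underneath for devices connecting through ActiveSync; it covers the six-digit PIN, the wipe after 10 failed attempts, device encryption and the refusal of devices that cannot apply a policy, but not rooted or jailbroken detection, which stays an MDM setting in the portal. The policy name is a placeholder.

```powershell
# Added example, not the article's own code: baseline ActiveSync mailbox policy (placeholder name).
Connect-ExchangeOnline

$policy = @{
    Name                         = 'Baseline BYOD'
    PasswordEnabled              = $true
    AlphanumericPasswordRequired = $false       # numeric PIN ...
    MinPasswordLength            = 6            # ... of at least six digits
    AllowSimplePassword          = $false       # reject 1234 / 1111 style PINs
    MaxPasswordFailedAttempts    = 10           # wipe the device after ten failed tries
    MaxInactivityTimeLock        = '00:05:00'   # lock after five idle minutes
    RequireDeviceEncryption      = $true
    AllowNonProvisionableDevices = $false       # refuse clients that cannot enforce the policy
}
New-MobileDeviceMailboxPolicy @policy

# Make it the default so newly paired devices receive it, then confirm the settings stuck.
Set-MobileDeviceMailboxPolicy -Identity $policy.Name -IsDefault $true
Get-MobileDeviceMailboxPolicy -Identity $policy.Name |
    Format-List Name, IsDefault, PasswordEnabled, MinPasswordLength, AllowSimplePassword,
                MaxPasswordFailedAttempts, MaxInactivityTimeLock, RequireDeviceEncryption,
                AllowNonProvisionableDevices

# Which devices are already synchronizing, and under which policy? Anything reported as
# DeviceAccessState Blocked or Quarantined after the change is a device that could not comply.
Get-MobileDevice -ResultSize Unlimited |
    Select-Object UserDisplayName, DeviceType, DeviceOS, DeviceAccessState, DeviceAccessStateReason
```

`AllowNonProvisionableDevices = $false` is the setting most likely to generate help-desk calls, because it refuses any client that cannot promise to honour the PIN and encryption rules; it is also the one that stops the policy from being decorative, so plan the rollout around it rather than dropping it.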
Data and disaster recovery
It’s important to note that Office 365 does not back up your email. Microsoft offers native data protection, which includes multiple passive copies (lagged copies) split between two data centers. That is a fantastic solution for providing availability of existing data, but it doesn’t ensure a point-in-time recovery of data deleted that has gone past the deleted item retention period. In addition, that retention period is 14 days by default and can be extended to 30 days (you read that correctly: 30 days) through a remote PowerShell connection. You should be aware that your data can be lost.
Luckily there are ways to mitigate this. For starters, Microsoft recommends you put all mailboxes on legal hold. To do so requires a more expensive Office 365 plan (E3), which may make this solution prohibitive for some organizations. In addition, it’s not an interactive, read-only archive solution for your users, but it does ensure that all data is held and discoverable. It also doesn’t give you the ability to do a point-in-time restore, so it’s not a backup solution in the traditional or modern sense of the word.
Knowing these limitations may mean you need to look to a third-party backup/recovery solution for Office 365 or a solid online archive solution. You want to know your data is safe and discoverable (for compliance and more). This is another area, like security, where you may need to look to the Office 365 partner ecosystem to find the solution that bolts on and can resolve these concerns.
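An added example, not the article's own, for the two mitigations within Office 365 itself: raise every mailbox's deleted item retention from the 14-day default to the 30-day ceiling (the remote PowerShell step the text mentions), apply litigation hold where the license allows it, and report which mailboxes are still exposed. Mailbox results will of course depend on the tenant; no names are assumed beyond what the cmdlets return.

```powershell
# Added example, not the article's own code.
Connect-ExchangeOnline

# 1. Deleted item retention on existing user mailboxes: 30 days is the maximum Office 365 allows.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Set-Mailbox -RetainDeletedItemsFor 30

# 2. New mailboxes inherit their plan's value, so raise the plans too or the next hire is back at 14 days.
Get-MailboxPlan | Set-MailboxPlan -RetainDeletedItemsFor 30

# 3. Litigation hold keeps mail discoverable past the retention window, but only on plans that
#    license it (E3 and up). Set-Mailbox fails on the others, so collect those rather than stop.
$noHold = foreach ($mbx in (Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox)) {
    try   { Set-Mailbox -Identity $mbx.Identity -LitigationHoldEnabled $true -ErrorAction Stop }
    catch { $mbx.UserPrincipalName }           # typically: the mailbox plan lacks the hold feature
}

# 4. Audit: a mailbox under 30 days or without hold can still lose data permanently.
$exposed = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { ([timespan]"$($_.RetainDeletedItemsFor)").Days -lt 30 -or -not $_.LitigationHoldEnabled } |
    Select-Object UserPrincipalName, RetainDeletedItemsFor, LitigationHoldEnabled
$exposed | Format-Table -AutoSize
"Mailboxes where litigation hold could not be enabled: $(@($noHold) -join ', ')"
```

Neither step gives you a point-in-time restore, as the text notes; what the script does is make the exposure measurable. The `$exposed` list is the set of mailboxes for which a third-party backup or archive is not optional, and rerunning it after licensing changes shows whether the gap is closing.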
As you put together your optimal Office 365 environment, remember that the above settings recommendations are merely the basics. Consider them the absolute must-have settings to get you up and running. If your organization has a security operations center, you should consult with them about further improving your security. Compliance team? Check on adding more transport rules and setting up further data loss prevention.