Microsoft’s unending stream of updates helps you keep up with Microsoft 365 security and compliance. We take a step-by-step look at the best practices to guide you on your M365 journey, from laying the groundwork for initial benchmarking and implementation, through advanced configurations and other enhancements, and finally on to preparing for and anticipating future refinements.
Ensuring security and compliance within Microsoft 365 demands ongoing adjustment to accommodate the evolving features and functionalities regularly introduced by Microsoft. This is best accomplished in small, well-ordered steps, grouped into two timeframes: the first 30 days and the subsequent 90 days. During this period, the focus is on establishing a robust security framework, allowing employees to operate without concerns that their data will be accessed by unauthorized persons or bad actors.
Beyond that is a process of continuous system checks and policy refinements intended to position your company for all conceivable future challenges.
Dividing these steps into manageable and meaningful groups is the best way to achieve timely, efficient, and effective Microsoft 365 security and compliance. Our recommended roadmap for securing content in M365 looks like this:
The First 30 Days of Establishing the Security of M365
The first month begins with establishing the stakeholders in security and governance and identifying those within the enterprise who are charged with promoting and supporting them.
After that, it’s necessary to evaluate the existing Security and Compliance environment by checking the Microsoft Secure Score, which measures the organization’s security stance. The higher the number, the better your security position, since it shows that more Secure Score recommendations have been implemented to protect against threats. Keep in mind what the number actually measures: how many of Microsoft’s recommended controls are in place, not your real-world breach risk. A high score with an unmonitored audit log or an unused break-glass account is still an exposed tenant.
Secure Score gives you a complete view of the organization, detecting problems and providing guidance and control for solving them. (Tip: Record the original Secure Score and use it to mark the extent of future progress.)
At this point, Microsoft provides several tools to begin basic protection:
M365 Audit Logging
The first one to come into play, M365 Audit Logging, is activated by default for M365 organizations and logs user and admin activity within the Tenant. Default retention has been extended from 90 to 180 days for all audit logs generated on or after October 17, 2023, while logs created before that date are retained for 90 days. Longer retention (one year or more) requires Audit (Premium) licensing. Organizations that prefer not to record and retain audit log data can have a global admin deactivate auditing. Because that same switch is available to anyone who compromises a global admin account, verify that auditing is on rather than assuming the default, and treat any change to it as a security event worth alerting on.
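The check and the search described above, as an added PowerShell example that is not part of the original article. It assumes the ExchangeOnlineManagement module and an account holding a role that can read the audit log (Global Administrator or Compliance Administrator); the tenant admin address and the watch-list of operations are illustrative assumptions.

```powershell
# Added example: confirm unified audit logging is on, then pull 30 days of
# directory and Exchange admin activity and surface the operations most worth
# a second look. Assumes ExchangeOnlineManagement; "admin@contoso.com" is a
# hypothetical admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Is auditing actually enabled? A global admin can switch it off, so check.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is DISABLED; re-enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Search the last 30 days. One call returns at most 5,000 rows, so page
#    through the result set with a shared SessionId and ReturnLargeSet.
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date
$session = [guid]::NewGuid().ToString()
$all     = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType AzureActiveDirectory, ExchangeAdmin `
        -SessionId $session -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $all += $page }
} while ($page)

# 3. AuditData is a JSON string; expand it and filter to a watch-list of
#    operations (illustrative list) that often show up in account takeovers:
#    auditing turned off, role membership changes, mailbox rules, user edits.
$watch = 'Set-AdminAuditLogConfig', 'Add member to role.', 'Update user.',
         'Set-Mailbox', 'New-InboxRule', 'Set-InboxRule'

$all |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object  { $_.Operation -in $watch } |
    Select-Object CreationTime, UserId, Operation, ResultStatus, ClientIP |
    Sort-Object   CreationTime -Descending |
    Format-Table  -AutoSize
```

Record the baseline volume of these events during the first 30 days; a sudden spike in role changes or inbox rules later is far easier to recognise against a known normal.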
Microsoft Cloud App Security
Microsoft Cloud App Security (MCAS, since renamed Microsoft Defender for Cloud Apps) should be next. It is a cloud-hosted service with no on-premises footprint to maintain, but it is not free: it requires a license, included with Microsoft 365 E5 or available as a standalone add-on. Its analytics detect and thwart cyber threats across the entire cloud services environment. Specifically, it provides single-dashboard monitoring and management that reveals and controls shadow IT, questionable activity and compliance hazards, and safeguards sensitive cloud information.
MCAS integrates with other Microsoft security solutions, such as Microsoft Defender for Endpoint and Microsoft 365 Defender (now Microsoft Defender XDR), to provide a unified security posture across the organization’s entire digital estate. It also supports integration with third-party security solutions through APIs and connectors.
Multifactor Authentication
At this point, administrative accounts should be secured quickly by turning on multifactor authentication (MFA) for them. Microsoft 365 for business lets you require MFA for administrative and user accounts either with security defaults, which suffice as sign-in security for most organizations, or with Conditional Access policies for companies with more exacting requirements. The two are mutually exclusive (security defaults must be off before Conditional Access policies take effect), and Conditional Access requires Microsoft Entra ID P1 licensing.
Conditional Access lets you define policies that evaluate each sign-in event (who is signing in, from which device and location, to which application) and require additional actions, such as MFA or a compliant device, before access to a service or application is granted. Administration itself should be done from a hardened Windows 11 device rather than an everyday workstation.
Among other things, this newest Windows iteration lets IT teams remove the password from the sign-in experience and adds passkey functionality (once a passkey is created, users sign in to a website or application with face, fingerprint, or device PIN).
Microsoft Purview Information Protection
Finish the first month’s tasks by enabling Microsoft Purview Information Protection, which became the successor to Azure Information Protection as of May 2024. It has several security enhancement features that you can deploy:
- Data discovery lets you scan active and resting data so it can be classified across on-premises file shares, SharePoint, Microsoft Teams, and other Microsoft platforms, endpoints, and non-Microsoft apps.
- Data classification recognizes content with sensitive information types (Microsoft ships hundreds, covering credit card numbers, national ID numbers and similar data) and tags it with sensitivity labels. The label is a persistent tag stored in the document’s metadata, so it travels with the file and can drive protective actions such as encryption, content marking, and access restrictions.
- Activity explorer gives you more insight into user activities involved with sensitive data, including how the data is being used.
- Content explorer provides a more extensive view of documents that contain sensitive data as well as context for developing data protection policies.
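The label, publishing policy, and auto-labeling steps described above, as an added PowerShell example that is not part of the original article. It assumes the ExchangeOnlineManagement module (which provides Connect-IPPSSession for Security & Compliance cmdlets) and a Compliance Administrator account; the label name, policy names, and pilot group address are hypothetical.

```powershell
# Added example: create a sensitivity label, publish it to a pilot group, and
# auto-apply it in simulation mode to SharePoint/OneDrive content containing
# U.S. Social Security numbers. Names and addresses are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# 1. The label: the classification tag that travels with the file or message.
$label = New-Label -Name 'Confidential-PII' `
    -DisplayName 'Confidential - PII' `
    -Tooltip 'Contains personal data. Share inside the organization only.' `
    -ContentType 'File, Email'

# 2. Publish it. Scope to a pilot group first; users cannot apply (and
#    auto-labeling cannot assign) a label that is not published to them.
New-LabelPolicy -Name 'Pilot-Label-Policy' `
    -Labels $label.Name `
    -ExchangeLocation 'pilot-labels@contoso.com' | Out-Null

# 3. Discovery plus classification: scan data at rest for the built-in SSN
#    sensitive information type and label matches. Start in simulation
#    (TestWithoutNotifications) so matches can be reviewed in the portal
#    before anything is relabeled in bulk.
New-AutoSensitivityLabelPolicy -Name 'AutoLabel-SSN' `
    -ApplySensitivityLabel $label.Name `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithoutNotifications | Out-Null

New-AutoSensitivityLabelRule -Policy 'AutoLabel-SSN' -Name 'SSN-present' `
    -ContentContainsSensitiveInformation @{
        Name     = 'U.S. Social Security Number (SSN)'
        minCount = '1'
    }

# 4. Confirm what now exists and in what order labels will be offered.
Get-Label | Sort-Object Priority | Format-Table Name, DisplayName, Priority, ContentType
```

Simulation results surface in Content explorer and Activity explorer; only after the false-positive rate looks acceptable should the policy be switched to Enable.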
The Next 90 Days
The next 90 days, roughly three months, build on the steps implemented during the first 30 with a more extensive series of tasks that move the organization to an even safer security posture.
For starters, it’s necessary to stay current with all software updates so that Microsoft can furnish you with ongoing protection. It’s also important to review the Secure Score to make sure you address the recommended actions and to remain diligent in securing all admin accounts.
There are additional tools to deploy during this 90-day period:
Microsoft Purview Compliance Manager
Microsoft Purview Compliance Manager will help align Microsoft’s Security and Compliance activity to any policies that may apply within your organization. Compliance Manager provides several security refinements:
- Multicloud regulatory assessment happens through your choice of more than 320 ready-for-use and customizable templates that help satisfy multicloud regulatory compliance requirements of M365 and non-M365 products or services. Some templates (Compliance Manager also calls them regulations) are included by default depending on subscription level, and customers at every subscription level get the Microsoft Data Protection Baseline this way.
- Continuous control assessment delivers continuous status and automatic credit results for technical controls as Compliance Manager scans the environment and identifies system settings.
- Continuous regulatory updates give the most current advice on regulatory, product or control mapping changes that affect security scoring so that users can make improvements to meet necessary certification requirements.
- Common control mapping lets you take one action and meet multiple requirements for several regulations and standards so that you don’t have to update the same control over and over.
- Compliance score yields a quantifiable, risk-based score to help you sequence the most consequential actions for compliance. And, you can filter the score for a specific standard, regulation or solution category.
Attack Simulation Training
Attack simulation training for M365 plans and executes simulated attacks by sending realistic but harmless phishing messages to users and, in this way, helps uncover previously undiscovered areas of vulnerability. The simulation stipulates who gets the message and when it’s delivered, the training users receive according to how they respond to the message, what the message says and its payload (a link or an attachment), and the social engineering technique used.
Privileged Identity Management
Configuring Privileged Identity Management (PIM) replaces standing, always-on admin rights with just-in-time access: users are made eligible for a role and must activate it, for a bounded period and with a justification, each time they need it. Activation can additionally require MFA or an approver, and every activation is logged. The effect is that a compromised admin account carries no privilege until someone activates it, which both shrinks the window of exposure and produces an audit trail for every use of elevated rights. PIM requires Microsoft Entra ID P2 licensing.
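The eligibility-plus-activation pattern described above, as an added PowerShell example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK and assumes Microsoft Entra ID P2; the admin account, justification text, and ticket reference are hypothetical. Run it as a different administrator than the one being converted, since step 2 removes that person’s standing access.

```powershell
# Added example: convert a permanent Global Administrator assignment into a
# PIM-eligible one, then show the time-boxed self-activation the admin runs
# when they actually need the role. "alice@contoso.com" and "INC-1234" are
# hypothetical. Requires Microsoft Entra ID P2.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$user = Get-MgUser -UserId 'alice@contoso.com'
# Resolve the role by name instead of hardcoding its template GUID.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"
$now  = (Get-Date).ToUniversalTime().ToString('o')

# 1. Make Alice ELIGIBLE (no standing privilege). The eligibility itself is
#    time-limited too, so it has to be consciously renewed every 180 days.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = 'Move admins from permanent to just-in-time access'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{ type = 'afterDuration'; duration = 'P180D' }
    }
} | Out-Null

# 2. Remove the permanent (active) assignment so activation is the only path.
Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($role.Id)'" |
    ForEach-Object { Remove-MgRoleManagementDirectoryRoleAssignment -UnifiedRoleAssignmentId $_.Id }

# 3. What Alice runs when she needs the role: a two-hour activation with a
#    justification. Whether this also demands MFA or an approver is set in the
#    role's PIM settings, not here.
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter @{
    action           = 'selfActivate'
    justification    = 'INC-1234: rotate credentials of a compromised service account'
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = $now
        expiration    = @{ type = 'afterDuration'; duration = 'PT2H' }
    }
}
```

Keep at least one emergency-access account outside PIM with a permanent assignment, stored offline and monitored; if PIM or MFA infrastructure fails, that account is the way back in.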
Privileged Access Workstation
Creating and configuring a Privileged Access Workstation (PAW) for admin tasks establishes the greatest possible security for extremely sensitive roles whose accounts, if breached, could significantly damage an organization. A PAW is effective because its security controls and policies restrict local administrative access and strip out everyday productivity tooling such as email and general web browsing, shrinking the attack surface to the absolute minimum necessary to conduct sensitive tasks. Pair it with Conditional Access so that privileged roles can only be activated from a PAW.
MFA, Again
Now, turning on MFA for all users further enhances the security posture across your user base.
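The Conditional Access approach from the first-30-days MFA section and the all-users rollout described here, as one added PowerShell example that is not part of the original article. It uses the Microsoft Graph PowerShell SDK, assumes Microsoft Entra ID P1 and that security defaults are already turned off, and treats "breakglass@contoso.com" as a hypothetical emergency-access account; the policy names and role list are illustrative.

```powershell
# Added example: two Conditional Access policies. CA001 enforces MFA for
# privileged roles immediately; CA002 requires MFA for all users but starts
# in report-only mode so the impact can be reviewed before enforcement.
# "breakglass@contoso.com" is a hypothetical emergency-access account.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns,
              Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'RoleManagement.Read.Directory', 'User.Read.All'

# Every CA policy must exclude the break-glass account, or a misconfigured
# policy can lock the whole tenant out.
$breakGlass = (Get-MgUser -UserId 'breakglass@contoso.com').Id

# Target roles, not a static admin group, so the policy follows the privilege.
$adminRoleNames = 'Global Administrator', 'Privileged Role Administrator',
                  'Security Administrator', 'Exchange Administrator',
                  'SharePoint Administrator', 'Conditional Access Administrator'
$adminRoleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $_.DisplayName -in $adminRoleNames } |
    Select-Object -ExpandProperty Id

# Policy 1: admins, enforced now.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA001 - Require MFA for admin roles'
    state         = 'enabled'
    conditions    = @{
        users          = @{ includeRoles = $adminRoleIds; excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
} | Out-Null

# Policy 2: everyone, report-only first. Read the "Report-only" result in the
# sign-in log for a week or two, then change state to 'enabled'.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA002 - Require MFA for all users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
} | Out-Null

Get-MgIdentityConditionalAccessPolicy | Format-Table DisplayName, State
```

Report-only mode is the difference between a rollout and an outage: it records what each sign-in would have hit without blocking anyone, which is also how you find the legacy-auth mailboxes and service accounts that cannot do MFA and need a separate policy.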
And, configuring information protection policies during this period will make all your content more secure in two ways:
- Configuring General Data Protection Regulation (GDPR) compliance allows you to align your information policies to GDPR and other standards. The GDPR gives people rights over the personal data an organization collects about them, exercised through a Data Subject Request (DSR): the data subject asks the controller to take an action concerning their personal data (for example, to provide access to it, correct it, restrict its processing, or erase it), and the controller must respond within the statutory deadline. Examples of such data are names, Social Security and other ID numbers, IP addresses, location data, online cookies, email messages, and images.
- Securing SharePoint Online allows for three levels of protection: basic, sensitive, and confidential, each tightening external sharing, default link types, and unmanaged-device access a step further. In addition, the new, API-only SharePoint Embedded cloud-based solution enables app developers to use the M365 file and document storage platform inside any app. (Security and compliance solutions work within the Embedded platform in the same way they work within the M365 platform. These include audit capabilities, eDiscovery tools for searching, holding and exporting content, data lifecycle management, and setting and removing sensitivity labels on containers.)
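The tiered SharePoint protection described above, as an added PowerShell example that is not part of the original article. It uses the SharePoint Online Management Shell; the tenant name and site URL are hypothetical, and the unmanaged-device restriction assumes a tenant-level Conditional Access policy with app-enforced restrictions for SharePoint is already in place.

```powershell
# Added example: a tenant-wide "basic" sharing baseline plus a locked-down
# "confidential" site. Site-level settings can only be stricter than the
# tenant-level ones, so set the tenant first. Names and URLs are hypothetical.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Basic (tenant): guests may be invited but must sign in (no anonymous
# "anyone" links); new sharing links default to internal-only and view-only.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# Confidential (per site): no external sharing at all; unmanaged devices get
# browser-only access with download, print and sync blocked; the
# organization-wide "people in my org" links are disabled on this site.
$site = 'https://contoso.sharepoint.com/sites/Finance-Confidential'
Set-SPOSite -Identity $site `
            -SharingCapability Disabled `
            -ConditionalAccessPolicy AllowLimitedAccess `
            -DisableCompanyWideSharingLinks Disabled

# Verify the effective settings on the site.
Get-SPOSite -Identity $site |
    Format-List Url, SharingCapability, ConditionalAccessPolicy, DisableCompanyWideSharingLinks
```

A "sensitive" tier sits between the two: external sharing limited to existing guests and AllowLimitedAccess, but with company-wide links still permitted. Set-SPOSite also accepts -SensitivityLabel with a label GUID, which is how the container labeling mentioned above is applied from the command line.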
Ongoing Responsibilities for M365 Security and Compliance
It’s imperative to monitor and act upon your Secure Score, dashboards, reports, software updates, and the M365 Roadmap to ensure effective ongoing and long-term security and compliance. Additionally, continue refining the policies that were put in place earlier. This practice will tailor the tools to meet evolving needs.
Future-proofing your security and compliance posture could include adopting Microsoft Sentinel (previously Azure Sentinel). This is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that lets you analyze security events in cloud and on-premises environments.
It’s commonly used to visualize log data, detect and alert to anomalies, investigate security incidents, proactively hunt down threats, and automate responses to security events.
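A hunting query turned into a scheduled detection, as an added PowerShell example that is not part of the original article. It picks up the caveat from the audit-logging step: alert whenever someone turns unified audit logging off. It assumes the Az.Accounts, Az.OperationalInsights and Az.SecurityInsights modules (the -Scheduled parameter set of New-AzSentinelAlertRule exists in Az.SecurityInsights 2.x and later), a Sentinel workspace fed by the Office 365 data connector (the OfficeActivity table and its OfficeWorkload, RecordType, Operation, Parameters, UserId and ClientIP columns), and hypothetical resource names.

```powershell
# Added example: run a KQL hunt for Set-AdminAuditLogConfig calls that disabled
# audit ingestion, then schedule the same query as a Sentinel analytics rule.
# Resource names are hypothetical.
Import-Module Az.Accounts, Az.OperationalInsights, Az.SecurityInsights
Connect-AzAccount | Out-Null

$rg   = 'rg-security'
$ws   = 'law-sentinel'
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId

# The Exchange admin audit row for this cmdlet carries its parameters as text,
# so match both the parameter name and the value that turns auditing off.
$kql = @'
OfficeActivity
| where OfficeWorkload == "Exchange" and RecordType == "ExchangeAdmin"
| where Operation == "Set-AdminAuditLogConfig"
| where Parameters has "UnifiedAuditLogIngestionEnabled" and Parameters has "False"
| project TimeGenerated, UserId, ClientIP, Operation, Parameters
'@

# 1. Hunt: run it ad hoc over the last 30 days. Anything here that is not a
#    known, ticketed change is an incident.
$hits = (Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $kql `
            -Timespan (New-TimeSpan -Days 30)).Results
$hits | Format-Table -AutoSize

# 2. Detect: schedule the same query hourly over the last hour and raise a
#    High-severity incident on any match (threshold 0, operator GreaterThan).
New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws -Scheduled `
    -DisplayName 'Unified audit logging disabled' `
    -Description 'Set-AdminAuditLogConfig was used to turn off audit log ingestion.' `
    -Severity High -Enabled `
    -Query $kql `
    -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan -TriggerThreshold 0
```

The same shape (hunt first, then schedule) applies to the other events worth watching from the audit log: role membership changes, new inbox rules, and Conditional Access policy edits.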
Conclusion: It’s a Matter of Trust and Accountability
Establishing, maintaining and enhancing Microsoft 365 security and compliance is essential if organizations are going to retain the trust of their customers, stakeholders and partners and avoid legal and financial penalties. Building that trust, in turn, preserves and enhances a company’s reputation and competitive strength, demonstrates transparency, and provides assurance that data is being handled properly and necessary security measures are being implemented.
Do you want to fully tap into all of the security and compliance features Microsoft 365 has to offer? Our Modern Workplace experts can guide you through best practices to make your collaboration efforts seamless and secure. Talk to an expert