Office 365 has a good deal of security available out of the box; however, much of it needs to be configured beyond the defaults before it gives you real protection. Add to this the additional security options Microsoft 365 Business brings to the table on top of what Office 365 provides as standard. Services like Office 365 Advanced Threat Protection (ATP), Data Loss Prevention (DLP), Legal Hold and so on are included with Microsoft 365 Business, and most of them also still need to be configured appropriately.
Configuring security options is nothing new. IT Professionals have been doing it for years. That won’t change just because services are now in the cloud.
Even after you have configured all of these services appropriately, there are more security options you can add on from Microsoft. I think that probably the best add-on security service you can bolt on to your Microsoft/Office 365 environment is Office 365 Cloud App Security.
You can simply add Office 365 Cloud App Security to any existing tenant and then assign it to your users. As you can see from the pricing above (in $AUD), it is pretty cheap for what I'll show it can do for you.
Now, before I get too far down the path of explaining Office 365 Cloud App Security, I need to let you know there is a more advanced version of this service called Microsoft Cloud App Security, which I'll cover in more detail in an upcoming article. Here I'm going to focus on Office 365 Cloud App Security. If you want to know the differences between the two services, take a look at:
Once you purchase a subscription to Office 365 Cloud App Security and assign the licenses, you will see an extra option appear in the Alerts section of the Security and Compliance center, as shown above. Selecting the new Manage advanced alerts menu item will display the Manage advanced alerts screen on the right. Like most security options in Microsoft 365, you'll need to go in there and enable it the first time you visit.
Once it has been enabled select the Go to Office 365 Cloud App Security button.
You'll now be taken to the Office 365 Cloud App Security console and a list of policies, as you can see above. These are the default policies that are created for you; it is also possible to create your own policies, which I'll cover soon.
Take a moment to have a look through the list of default policies and you'll find they cover some very common scenarios.
In this case, I've clicked on the Mass downloaded by a single user policy to view the details.
The real heart of the policy is the Create filter for the policy section a little further down the page, as shown above. This is where you define the rules that determine when an alert should be triggered.
A little further down the screen you'll find the section for managing alerts. Here you'll see the options to send an email or a text message, and the new preview option to trigger a Microsoft Flow. This Microsoft Flow feature lets you automate just about any action when the alert is triggered.
The Governance section at the bottom of the page shows you the default actions that can be taken automatically when an alert is triggered, including suspending the user and forcing them to sign in again.
The above shows you a custom policy that I have created that will alert me when an Office 365 administrator logs on from outside my corporate network.
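To make the two policies discussed above concrete, here is an added example (my own illustration, not code from the original post and not how Office 365 Cloud App Security is implemented) that evaluates both rules over a handful of constructed audit records: the default "mass download by a single user" policy as a sliding-window count of FileDownloaded events per user, and the custom "admin logon from outside the corporate network" policy as a check of successful UserLoggedIn events against a list of admin accounts and corporate IP ranges. The record shape loosely follows the unified audit log fields (Operation, UserId, ClientIP, CreationTime, ResultStatus); the contoso.example accounts, the 203.0.113.0/24 office range, the threshold of 3 downloads in 5 minutes and the sample records are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant settings for this example (not taken from the post).
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed office range
ADMIN_ACCOUNTS = {"admin@contoso.example"}                     # assumed admin account
MASS_DOWNLOAD_THRESHOLD = 3                                    # downloads per window
MASS_DOWNLOAD_WINDOW = timedelta(minutes=5)


def rec(time, op, user, ip, status=None):
    """Build one constructed audit record (sample data, not a real tenant)."""
    r = {"CreationTime": time, "Operation": op, "UserId": user, "ClientIP": ip}
    if status:
        r["ResultStatus"] = status
    return r


# Constructed records: one admin sign-in from the office, one from outside,
# one failed attempt from outside, a non-admin from outside, and two users
# downloading files (alice slowly, bob four files in three minutes).
SAMPLE_RECORDS = [
    rec("2019-03-01T09:00:00", "UserLoggedIn", "admin@contoso.example", "203.0.113.10", "Succeeded"),
    rec("2019-03-01T09:05:00", "UserLoggedIn", "admin@contoso.example", "198.51.100.7", "Succeeded"),
    rec("2019-03-01T09:06:00", "UserLoggedIn", "admin@contoso.example", "198.51.100.8", "Failed"),
    rec("2019-03-01T09:07:00", "UserLoggedIn", "alice@contoso.example", "198.51.100.9", "Succeeded"),
    rec("2019-03-01T10:00:00", "FileDownloaded", "alice@contoso.example", "203.0.113.20"),
    rec("2019-03-01T11:00:00", "FileDownloaded", "alice@contoso.example", "203.0.113.20"),
    rec("2019-03-01T10:00:00", "FileDownloaded", "bob@contoso.example", "203.0.113.21"),
    rec("2019-03-01T10:01:00", "FileDownloaded", "bob@contoso.example", "203.0.113.21"),
    rec("2019-03-01T10:02:00", "FileDownloaded", "bob@contoso.example", "203.0.113.21"),
    rec("2019-03-01T10:03:00", "FileDownloaded", "bob@contoso.example", "203.0.113.21"),
]


def is_corporate_ip(ip):
    """True if the client IP falls inside one of the assumed corporate ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def admin_logon_outside_network(records):
    """Custom policy: successful admin sign-ins from a non-corporate IP.

    Failed attempts are deliberately excluded; they are worth watching too,
    but they are a different signal (brute force) and a different policy.
    """
    return [
        r for r in records
        if r["Operation"] == "UserLoggedIn"
        and r.get("ResultStatus") == "Succeeded"
        and r["UserId"] in ADMIN_ACCOUNTS
        and not is_corporate_ip(r["ClientIP"])
    ]


def mass_download_by_single_user(records, threshold=MASS_DOWNLOAD_THRESHOLD,
                                 window=MASS_DOWNLOAD_WINDOW):
    """Default policy: at least `threshold` downloads by one user within `window`.

    Returns {user: peak number of downloads seen in any single window}.
    """
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[user] = max(alerts.get(user, 0), count)
    return alerts


def evaluate(records):
    """Run both policies and return (policy name, detail) pairs."""
    alerts = [("Admin logon outside corporate network", f'{r["UserId"]} from {r["ClientIP"]}')
              for r in admin_logon_outside_network(records)]
    alerts += [("Mass download by a single user", f"{user}: {n} files")
               for user, n in mass_download_by_single_user(records).items()]
    return alerts


if __name__ == "__main__":
    for policy, detail in evaluate(SAMPLE_RECORDS):
        print(f"ALERT [{policy}] {detail}")
```

Running it prints one alert for the admin sign-in from 198.51.100.7 and one for bob's four downloads; alice's two downloads an hour apart and the failed admin attempt do not match. When you build the real filter in the console, the same two decisions matter: which accounts count as administrators and which IP ranges count as "corporate", so keep both lists current or the custom policy will alert on every remote worker.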
Once you have customised the default policies and added any custom ones, all you need to do is wait until an alert is triggered.
When you receive an alert via email it will look like the above, with links that take you straight to the policy match.
You can now view any alerts in the console as shown above.
When you select an alert you can dig deeper into the details, as shown above, as well as Dismiss or Resolve it, recording how it was handled (these options are in the top right corner of the screen).
Not only can you configure and view very detailed alerts, but you can also browse the Office 365 activity log, as shown above. This is very handy and much easier than using the audit log search in the Security and Compliance center or an exported CSV file.
If you click on an item you again get a huge amount of information, as shown above.
The buttons in the top right of the item let you pivot to similar activity:
- Activity of the same type (here, Log on)
- Activity from the same user
- Activity from the same IP
- Activity from the same country and region
- Activity in the same time frame
The above shows the failed logon activities, each of which you can drill into for more information.
So the second thing Office 365 Cloud App Security provides is a detailed way to browse and investigate the Office 365 activity log.
Another thing Office 365 Cloud App Security can do is ingest the logs from on-premises firewalls and UTM devices and display them in a dashboard, as shown above. Here you can see exactly which cloud apps are being used in your environment. The idea is that it helps you identify shadow IT and prevent the leakage of corporate data through unauthorised applications.
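As an added example of what that discovery step does with a firewall log (my own illustration, not code from the original post and not the product's own parser), the block below reads a few constructed key=value firewall log lines, maps each destination host to a cloud app through a small app catalog with a sanctioned/unsanctioned flag, totals the bytes each app received from inside the network, and reports unsanctioned apps that have taken more than a chosen amount of uploaded data. The log format, the catalog, the 10 MiB upload threshold and the addresses are all assumptions made for the example; a real firewall export and the real catalog behind the dashboard are far larger.

```python
import re

# Assumed app catalog: domain suffix -> (app name, sanctioned?). Constructed for
# the example; the real service has a much larger catalog behind it.
APP_CATALOG = {
    "office365.com": ("Office 365", True),
    "sharepoint.com": ("Office 365", True),
    "dropbox.com": ("Dropbox", False),
    "wetransfer.com": ("WeTransfer", False),
}

# Assumed key=value firewall line format. Only the fields we need are parsed.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) sent=(?P<sent>\d+) rcvd=(?P<rcvd>\d+)")

# Constructed sample log (not from a real device).
SAMPLE_FIREWALL_LOG = """\
2019-03-01T09:00:01 src=10.1.1.5 dst=outlook.office365.com sent=1200 rcvd=48000
2019-03-01T09:02:14 src=10.1.1.5 dst=contoso.sharepoint.com sent=5200 rcvd=900000
2019-03-01T09:10:44 src=10.1.1.9 dst=www.dropbox.com sent=52428800 rcvd=3100
2019-03-01T09:11:02 src=10.1.1.9 dst=dl.dropbox.com sent=2048 rcvd=4096
2019-03-01T09:30:00 src=10.1.1.12 dst=wetransfer.com sent=104857600 rcvd=2000
2019-03-01T09:31:00 src=10.1.1.12 dst=updates.example.net sent=100 rcvd=200
"""


def lookup_app(host):
    """Match a destination host against the catalog by domain suffix."""
    parts = host.split(".")
    for i in range(len(parts) - 1):          # try www.dropbox.com, then dropbox.com
        suffix = ".".join(parts[i:])
        if suffix in APP_CATALOG:
            return APP_CATALOG[suffix]
    return None


def discover_apps(log_text):
    """Aggregate per-app usage: {app: {sanctioned, sources, bytes_sent}}.

    bytes_sent is data leaving the network towards the app, which is the
    number that matters for the data-leakage question.
    """
    usage = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                          # unparseable line, skip it
        app = lookup_app(m["dst"])
        if app is None:
            continue                          # not a known cloud app
        name, sanctioned = app
        entry = usage.setdefault(name, {"sanctioned": sanctioned,
                                        "sources": set(), "bytes_sent": 0})
        entry["sources"].add(m["src"])
        entry["bytes_sent"] += int(m["sent"])
    return usage


def shadow_it_report(usage, upload_threshold=10 * 1024 * 1024):
    """Unsanctioned apps that received at least upload_threshold bytes, sorted."""
    return sorted(name for name, e in usage.items()
                  if not e["sanctioned"] and e["bytes_sent"] >= upload_threshold)


if __name__ == "__main__":
    usage = discover_apps(SAMPLE_FIREWALL_LOG)
    for name, e in sorted(usage.items()):
        flag = "sanctioned" if e["sanctioned"] else "UNSANCTIONED"
        print(f"{name:12} {flag:12} hosts={len(e['sources'])} sent={e['bytes_sent']}")
    print("shadow IT with significant uploads:", shadow_it_report(usage))
```

On the sample log this flags Dropbox and WeTransfer while Office 365 is reported as sanctioned traffic from one internal host, and the unknown update server is ignored. The same two judgements are what the dashboard asks of you: which apps are sanctioned, and how much outbound data to an unsanctioned app is worth an investigation.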
That's a lot of power for a very small price in my book, and it makes Office 365 Cloud App Security a worthwhile investment for your environment. If you want even more power, you can look at Microsoft Cloud App Security, which I'll detail in an upcoming article.
If you are serious about monitoring your Microsoft/Office 365 environment quickly and easily, then nothing beats Cloud App Security. For most, Office 365 Cloud App Security will do what is required, but remember that for only about $1 more, Microsoft Cloud App Security has even more power.
You can of course sign up for a 30-day trial of either product in your tenant today and try it for yourself. I'm pretty confident that when you see everything it can do, you'll happily add it to the tenant going forward.
So when you get Microsoft/Office 365, I suggest Cloud App Security (either Office 365 or Microsoft) as something you should definitely add if you are serious about security (and who isn't these days?).