Microsoft is constantly adding more features to their product offering.  Some are to enable features & capabilities to your end users, while some are to help admins secure and audit their environment.

I know when organizations were first starting to embrace Office 365, some admins were concerned about job security.  However, I always have looked at it as their job role is just changing and in fact evolving.  Instead of having to worry about a database getting too large or patching a server, they can focus on how to help leverage more features to solve the business goals of their end-users.  In addition, hosting in Office 365 usually makes it easier to enable more auditing controls since Microsoft is handling the storage of that information, etc.

Mailbox Auditing

One of the easiest steps to take is to make sure mailbox auditing is enabled, with all the audit options you want, on every mailbox. You can easily list the mailboxes that have auditing disabled with:

Get-Mailbox -ResultSize Unlimited | where {$_.AuditEnabled -eq $false}

To enable auditing and set options for those without any auditing currently:

Get-Mailbox -ResultSize Unlimited | where {$_.AuditEnabled -eq $false} | Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 -AuditOwner Create,HardDelete,MailboxLogin,MoveToDeletedItems,SoftDelete,Update

Since we don’t have to worry about audit log sizes in this environment, might as well gather everything you can in case you need it later!

Depending on business requirements, you can also look into solutions to help archive this data or feed it into a SIEM.

Blocking spoofed emails

With all the phishing attempts going on, one of the simplest methods to reduce some of the evilness coming in is to block mail that arrives in Office 365 from the outside but uses one of your own domains as the sender’s domain.

In the Office 365 – Exchange Admin Center, create a new rule.  Choose the following options:

  • Sender’s address domain portion belongs to any of these domains:
    • [add the list of your valid email domains]
  • and Is received from ‘Outside the organization’
  • Deliver the message to the hosted quarantine
  • and Stop processing more rules
  • The rule should be moved so it is near the top of the list.

This will allow you to move things out of the quarantine if necessary, but should help reduce evil mail from coming in.  Keep in mind that if you get mails sent to you from other services using your domain (your own marketing mails from your Salesforce subscription for example), you’ll need to make an exception rule for the vendor’s public IPs, etc.
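The same rule can be created from Exchange Online PowerShell instead of the admin center. This is an added example, not part of the original post; the rule name, the use of Get-AcceptedDomain to build the domain list, and the vendor IP range (a documentation placeholder) are assumptions to replace with your own values.

```powershell
# Added example: PowerShell equivalent of the admin center rule described above.
# Assumes an Exchange Online PowerShell session is already connected.

# Hypothetical values, replace with your own.
$RuleName  = 'Quarantine external mail using our domains'  # hypothetical rule name
$VendorIps = @('203.0.113.0/24')  # placeholder range; use the vendor's published sending IPs

# Assumption: the tenant's accepted domains are the "valid email domains" to protect.
$Domains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }

$Settings = @{
    SenderDomainIs         = $Domains             # sender's address domain is one of ours
    FromScope              = 'NotInOrganization'  # received from outside the organization
    Quarantine             = $true                # deliver to the hosted quarantine
    StopRuleProcessing     = $true                # stop processing more rules
    Priority               = 0                    # top of the rule list
    ExceptIfSenderIpRanges = $VendorIps           # exception for services sending as your domain
}

# Update the rule if it already exists, otherwise create it, so the script can be re-run.
$Existing = Get-TransportRule | Where-Object { $_.Name -eq $RuleName }
if ($Existing) {
    Set-TransportRule -Identity $RuleName @Settings
} else {
    New-TransportRule -Name $RuleName @Settings
}

# Confirm what was actually stored.
Get-TransportRule | Where-Object { $_.Name -eq $RuleName } |
    Format-List Name, State, Priority, SenderDomainIs, FromScope,
                Quarantine, StopRuleProcessing, ExceptIfSenderIpRanges
```

If you have no third-party senders, remove the ExceptIfSenderIpRanges entry rather than leaving the placeholder range in the rule.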

Office 365 helps shift the focus of admins from managing disk space on a server to helping provide business solutions and improved security to the organization.  If you need help improving the security posture of your Office 365 environment, email info@peters.com. We are happy to help!