Microsoft 365 Security for IT Pros Published

The New Microsoft 365 Security for IT Pros eBook is now available from The book is modeled after Office 365 for IT Pros and covers the essential steps tenant administrators should take to secure and defend their organizations. Security is something that everyone involved in tenant administration needs to think about, so it’s good to have some solid advice from the pros.

Why Basic Authentication for Exchange Online is So Bad

Some doubt that Exchange Online will disable basic authentication for five email connection protocols in October 2020. The refrain is that it will be too hard for customers. Well, it might be hard to prepare to eliminate basic authentication, but if you don’t, your Office 365 tenant will be increasingly threatened by attacks that exploit known weaknesses.

Using Password-Protected Sharing Links with SharePoint Online

SharePoint Online and OneDrive for Business support the ability to protected Anyone links with passwords. The idea is good and the feature works well, but some Office 365 tenants have problems with the idea of using Anyone links because, as the name implies, anyone who has the link can use it to open a document.

Finding Azure Active Directory with Admin Roles Not Protected with MFA

Microsoft makes a strong case that all Azure Active Directory accounts should be protected with multi-factor authentication (MFA). That’s a great aspiration, but the immediate priority is to check accounts holding admin roles. This post explains how to use a PowerShell script to find and report those accounts.

CISA Report Only Scratches Surface of Securing Office 365

The CISA report titled “Microsoft Office 365 Security Observations” makes five recommendations to improve security of an Office 365 tenant. The recommendations are valid, but competent administrators won’t take long to implement them. In fact, the worst thing is that consultants brought in to help organizations didn’t seem to have much expertise in securing Office 365.

Unified Labelling Version of Azure Information Protection Client Now Generally Available

Microsoft has released the GA version of the Azure Information Protection client, which reads information about Office 365 sensitivity labels and policies from the Security and Compliance Center. It’s one more step along the path to making it easy for Office 365 tenants to protect their data. Work still has to be done, but at least we can see light at the end of the encryption tunnel.

Microsoft 365 Security and Compliance Centers Now Generally Available

The Microsoft 365 Security and Microsoft 365 Compliance Centers are now generally available. The new consoles will eventually replace the Office 365 Security and Compliance Center (SCC) but some work is needed to fill out their functionality and make the switchover possible. In the meantime, the Office 365 for IT Pros eBook writing team will stay focused on the SCC. And when the time’s right, we’ll switchover.

Eliminating Basic Auth for Exchange Online with AAD Conditional Access Policies

Exchange Online protocol authentication policies control what protocols a user can connect to mailboxes with, but it would be much better if we didn’t have to worry about some old and insecure protocols. Azure Active Directory gives Office 365 tenants the chance to clamp down on IMAP4 and POP3 connections and close off some of the holes that attackers try to exploit. Microsoft says that this can lead to a 67% reduction in account compromises, so that’s a good thing.

Phishing: Your Document Has Been Completed

Phishing attacks through email happen all the time. A new relatively crude one arrived today. It’s easy for the trained eye to detect phishing, but do your Office 365 admins know how to use the tools available in Exchange Online Protection to suppress malware, and do your users know the signs of bad email? In this case, it’s an invitation to click to get to a PDF document to bring you to Some interesting things might happen afterwards, but I really don’t want to find out what occurs when I click the link.

Applying Autosignatures with Transport Rules

Office 365 tenants can use Exchange transport rules to apply autosignatures to outbound email, including messages protected with encryption. You can even include some properties of the sender extracted from Azure Active Directory, and you can add an exception so that the autosignature isn’t applied to replies.