How to Establish Security Baselines for Microsoft 365

April 1, 2024

According to a Vectra survey, 71% of businesses using Microsoft 365 suffered an average of seven account takeovers in 2020. 

IT leaders moving to Microsoft 365 assume that the platform offers out-of-the-box protection. But many essential security components — like conditional access policies, multi-factor authentication, and data loss prevention — are disabled by default or require additional configuration to work.

That’s because each organization has its own hierarchy, structure, and compliance needs. Microsoft’s built-in security defaults offer a decent framework to build upon, but they’re not production-ready as is. 

So, how do you get it to production stage? For most IT teams, it involves poring through thousands of security settings across hundreds of screens to configure each tenant manually. But this process is error-prone, and when an incident happens there is little record of what was configured, when, and by whom.

There’s a better way to handle security configuration in Microsoft 365. You can create a baseline to serve as a starting point, then roll it out across all your organization’s tenants. Here’s how.

Microsoft 365 Security Baselines: What They Are & How They Work

Microsoft 365 security baselines are pre-configured groups of security settings and best practices that organizations can use as a starting point to secure their cloud environment. 

Security baselines cover a wide range of Microsoft 365 services and apps, including:

  • Office 365 (Microsoft Teams, Exchange Online, Security & Compliance)
  • Entra ID (previously known as Azure AD)
  • Microsoft Intune
  • Azure
  • Microsoft 365 admin center

Each baseline contains settings that have been tested and validated based on feedback from leading experts in cloud security. They offer organizations a way to quickly apply best practices without having to research each setting manually. 

Under the hood, security baselines use native configuration capabilities in Microsoft 365 (Microsoft Graph, the Exchange Online and Intune management APIs, and their PowerShell modules) to apply and enforce the recommended security settings. This is an example of "configuration-as-code": the desired state of the environment is defined in a structured format such as JSON or a PowerShell object, applied automatically, and re-applied whenever the live configuration drifts from it.

5 Ways a Baseline Can Enforce Better Microsoft 365 Security

Microsoft 365 security baselines cover a wide range of apps, modules, and security settings to help organizations quickly apply best-practice configurations. Beyond Entra ID (formerly Azure AD), Intune, and Office 365 as a whole, they include configuration options for individual workloads such as Microsoft Teams, SharePoint Online, and Exchange Online.

Here are 5 important ways a baseline can enforce better Microsoft 365 security, based on real-life use cases and scenarios:

1. Enable Multi-Factor Authentication (MFA) for All Users

One of the most effective ways to prevent unauthorized access to Microsoft 365 accounts is to enable multi-factor authentication (MFA) for all users, especially those with administrative roles.

MFA requires users to provide an additional form of verification beyond a password, such as a code or push prompt from an authenticator app, a FIDO2 security key, or a fingerprint or face scan. This significantly reduces the risk of account compromise from stolen or guessed passwords, although push- and code-based methods can still be defeated by MFA-fatigue prompts and real-time phishing proxies, so administrative roles should be held to phishing-resistant methods. Security baselines enforce MFA through Conditional Access policies rather than legacy per-user MFA, ensure it is applied consistently to all users, and exclude a monitored emergency-access (break-glass) account so that an MFA or identity-provider outage cannot lock administrators out of the tenant.
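The following is an added example, not code from the original article or from Simeon Cloud or CoreView. It ties together the two points above: the "MFA for all users" policy is written down as desired state (the configuration-as-code idea from the earlier section), a function checks a tenant's existing policy of the same name for drift, and Microsoft Graph creates or re-asserts it. It assumes the Microsoft.Graph PowerShell SDK, an account holding the Policy.Read.All and Policy.ReadWrite.ConditionalAccess scopes, and a placeholder value for the break-glass group's object ID; the policy name and the drift-check function are this example's own inventions.

```powershell
# Added example, not code from the original article or from Simeon Cloud/CoreView.
# Assumptions: Microsoft.Graph PowerShell SDK installed; signed-in account holds Policy.Read.All and
# Policy.ReadWrite.ConditionalAccess; $BreakGlassGroupId is a placeholder for a real, monitored
# emergency-access group. Policy name and helper function are hypothetical.

$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace before use

# Desired state. Created in report-only mode on purpose: review the sign-in log impact, then flip
# 'state' to 'enabled'. The break-glass exclusion is what keeps an MFA outage from locking out every admin.
$DesiredPolicy = @{
    displayName   = 'BASELINE-CA001-Require-MFA-All-Users'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

function Test-CaPolicyDrift {
    # Compares a live policy (as returned by Get-MgIdentityConditionalAccessPolicy) with the desired
    # state. Returns an array of findings; an empty array means the policy matches the baseline.
    param([Parameter(Mandatory)] $Live, [Parameter(Mandatory)] [hashtable] $Desired)

    $drift = @()
    # A policy already promoted to 'enabled' is stricter than the report-only desired state, so accept it.
    if ($Live.State -notin @($Desired.state, 'enabled')) {
        $drift += "state is '$($Live.State)', expected '$($Desired.state)' or 'enabled'"
    }
    if ($Live.Conditions.Users.IncludeUsers -notcontains 'All') {
        $drift += 'includeUsers no longer covers All users'
    }
    foreach ($g in $Desired.conditions.users.excludeGroups) {
        if ($Live.Conditions.Users.ExcludeGroups -notcontains $g) { $drift += "break-glass group $g is not excluded" }
    }
    # Any exclusion beyond the break-glass group is drift too: this is how "all users" quietly stops meaning all.
    $extra = @($Live.Conditions.Users.ExcludeUsers | Where-Object { $_ }) +
             @($Live.Conditions.Users.ExcludeGroups | Where-Object { $_ -and $_ -notin $Desired.conditions.users.excludeGroups })
    if ($extra.Count -gt 0) { $drift += "unexpected exclusions: $($extra -join ', ')" }
    if ($Live.Conditions.Applications.IncludeApplications -notcontains 'All') {
        $drift += 'includeApplications no longer covers All cloud apps'
    }
    if ($Live.GrantControls.BuiltInControls -notcontains 'mfa') {
        $drift += 'grant control no longer requires MFA'
    }
    return $drift
}

# --- Apply against the tenant ---
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' -NoWelcome
$existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($DesiredPolicy.displayName)'" |
            Select-Object -First 1

if (-not $existing) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $DesiredPolicy | Out-Null
    Write-Host "Created $($DesiredPolicy.displayName) in report-only mode."
}
else {
    $drift = Test-CaPolicyDrift -Live $existing -Desired $DesiredPolicy
    if ($drift.Count -eq 0) {
        Write-Host "$($DesiredPolicy.displayName) matches the baseline."
    }
    else {
        Write-Warning ("Drift detected:`n - " + ($drift -join "`n - "))
        # Keep an already-enforced policy enforced when re-asserting the rest of the desired state.
        if ($existing.State -eq 'enabled') { $DesiredPolicy.state = 'enabled' }
        Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter $DesiredPolicy
    }
}
```

Run it on a schedule and the drift findings become the audit trail the article asks for: every deviation from the baseline is printed with what changed, and the tenant is put back into the declared state.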

2. Enable and Configure Microsoft Defender for Office 365

Microsoft Defender for Office 365 provides advanced threat protection for email, documents, and collaboration tools. Security baselines can enable and configure its two key policies, Safe Links and Safe Attachments.

Safe Links rewrites URLs in email, Teams messages, and Office documents and checks each one at time of click, blocking access if the destination has become malicious since delivery. Safe Attachments detonates email attachments in a sandbox before delivery and blocks those found to be malicious, rather than relying on signature-based scanning alone. Together, these policies significantly reduce the risk of phishing attacks and malware infections, but only for the recipients they are scoped to: a policy with no rule attached, or a rule that covers one domain out of several, leaves the rest of the tenant on the defaults.
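The following is an added example, not code from the original article or from Simeon Cloud or CoreView. It creates baseline Safe Links and Safe Attachments policies with the ExchangeOnlineManagement module, scopes them to the tenant's accepted domains, and reads the result back as a check. It assumes the module is installed, the signed-in account is a Security or Exchange administrator, Defender for Office 365 is licensed, and that 'contoso.com' and 'secops@contoso.com' are placeholders for your own domain and mailbox; the policy names are this example's own.

```powershell
# Added example, not code from the original article or from Simeon Cloud/CoreView.
# Assumptions: ExchangeOnlineManagement module installed; Security/Exchange admin rights;
# Defender for Office 365 licensed; 'contoso.com' and 'secops@contoso.com' are placeholders.

Connect-ExchangeOnline -ShowBanner:$false
$Domains = @('contoso.com')   # placeholder: list every accepted domain the baseline must cover

# --- Safe Links: rewrite URLs and check them at time of click, in mail, Teams and Office clients ---
if (-not (Get-SafeLinksPolicy -Identity 'Baseline-SafeLinks' -ErrorAction SilentlyContinue)) {
    $safeLinks = @{
        Name                     = 'Baseline-SafeLinks'
        EnableSafeLinksForEmail  = $true
        EnableSafeLinksForTeams  = $true
        EnableSafeLinksForOffice = $true
        ScanUrls                 = $true    # also scan URLs in message bodies on delivery
        DeliverMessageAfterScan  = $true    # hold the message until that scan finishes
        EnableForInternalSenders = $true    # after an account takeover, the next phish comes from inside
        TrackClicks              = $true    # click telemetry for incident response
        AllowClickThrough        = $false   # the setting most often left weak: users bypassing the warning page
        DisableUrlRewrite        = $false
    }
    New-SafeLinksPolicy @safeLinks | Out-Null
    New-SafeLinksRule -Name 'Baseline-SafeLinks' -SafeLinksPolicy 'Baseline-SafeLinks' `
                      -RecipientDomainIs $Domains -Priority 0 | Out-Null
}

# --- Safe Attachments: detonate in a sandbox before delivery; block, do not merely log ---
if (-not (Get-SafeAttachmentPolicy -Identity 'Baseline-SafeAttachments' -ErrorAction SilentlyContinue)) {
    $safeAttach = @{
        Name            = 'Baseline-SafeAttachments'
        Enable          = $true
        Action          = 'Block'   # 'DynamicDelivery' delivers the body first; 'Allow' only records the detection
        Redirect        = $true
        RedirectAddress = 'secops@contoso.com'   # placeholder: blocked originals go here for analysis
    }
    New-SafeAttachmentPolicy @safeAttach | Out-Null
    New-SafeAttachmentRule -Name 'Baseline-SafeAttachments' -SafeAttachmentPolicy 'Baseline-SafeAttachments' `
                           -RecipientDomainIs $Domains -Priority 0 | Out-Null
}

# Tenant-wide switch: extend detonation to files already stored in SharePoint, OneDrive and Teams
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# --- Verification: read back what is actually in force instead of trusting the create calls ---
Get-SafeLinksPolicy -Identity 'Baseline-SafeLinks' |
    Select-Object Name, EnableSafeLinksForEmail, EnableSafeLinksForTeams, EnableSafeLinksForOffice,
                  AllowClickThrough, EnableForInternalSenders
Get-SafeLinksRule -Identity 'Baseline-SafeLinks' | Select-Object Name, State, RecipientDomainIs
Get-SafeAttachmentPolicy -Identity 'Baseline-SafeAttachments' | Select-Object Name, Enable, Action, Redirect
Get-SafeAttachmentRule -Identity 'Baseline-SafeAttachments' | Select-Object Name, State, RecipientDomainIs
```

The verification step is the part worth keeping in a baseline: a rule whose State is not Enabled, or whose RecipientDomainIs list is missing a domain, silently leaves those mailboxes unprotected even though the policy exists.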

3. Deploy Windows 10/11 Security Baselines to Managed Devices

Securing end-user devices is critical to protecting the overall Microsoft 365 environment. Security baselines can be used to deploy a consistent set of Windows 10 and 11 security configurations to all managed devices via Microsoft Intune.

This includes settings like enabling BitLocker disk encryption, configuring Microsoft Defender Antivirus with cloud-delivered protection, and enforcing a strong Windows Update policy. By ensuring that all devices meet a minimum security standard, baselines reduce the risk of compromise and data loss from endpoint vulnerabilities.

4. Enable Attack Surface Reduction Rules in Microsoft Defender

Attack surface reduction (ASR) rules in Microsoft Defender for Endpoint are a powerful way to prevent common techniques used by malware and attackers.

ASR rules can block executable content from email attachments, stop scripts from downloading payloads from the Internet, prevent Office apps from creating child processes, and much more. Security baselines can enable a carefully tested set of ASR rules that provide strong protection without interfering with legitimate user workflows. Each rule also supports an audit mode that logs what it would have blocked without blocking it, so a baseline can be rolled out as audit first, reviewed for false positives, and then switched to block. This proactively hardens endpoints against a wide range of threats.
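The following is an added example, not code from the original article or from Simeon Cloud or CoreView. It enables the ASR rules the paragraph names, plus three that commonly ship in the same baseline tier, with an audit-first rollout on a single device, reads back the effective state, and pulls the Defender events that show what each rule blocked or would have blocked. It assumes an elevated PowerShell session on a Windows 10/11 device where Microsoft Defender Antivirus is the active engine; the helper function names are this example's own. At fleet scale the same rule IDs and modes go into an Intune endpoint security profile, but the local cmdlets are the quickest way to trial and verify.

```powershell
# Added example, not code from the original article or from Simeon Cloud/CoreView.
# Assumptions: elevated PowerShell on Windows 10/11 with Microsoft Defender Antivirus active.
# Helper function names are hypothetical. Rule IDs are Microsoft's published ASR rule GUIDs.

$AsrRules = [ordered]@{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}

function Set-AsrBaseline {
    # Audit mode first: rules write 1122 events instead of blocking, so false positives
    # (build tools spawned from Office, legacy line-of-business scripts) surface before anything breaks.
    param([ValidateSet('AuditMode', 'Enabled', 'Warn')] [string] $Mode = 'AuditMode')
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-AsrBaselineStatus {
    # Reads back the effective state. Ids and Actions are parallel arrays in Get-MpPreference output.
    $pref    = Get-MpPreference
    $actions = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }
    foreach ($id in $AsrRules.Keys) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
            if ($pref.AttackSurfaceReductionRules_Ids[$i] -eq $id) {   # string -eq is case-insensitive
                $state = $actions[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
            }
        }
        [pscustomobject]@{ RuleId = $id; Rule = $AsrRules[$id]; State = $state }
    }
}

function Get-AsrEvents {
    # Event 1121 = a rule blocked something; 1122 = a rule in audit mode would have blocked it.
    param([int] $Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# Rollout: audit, live with it for a week or two, review the 1122 events, then enforce.
Set-AsrBaseline -Mode AuditMode
Get-AsrBaselineStatus | Format-Table -AutoSize
Get-AsrEvents -Days 14 | Format-Table -AutoSize
# Set-AsrBaseline -Mode Enabled
# If the audit shows a legitimate workflow tripping a rule, a path exclusion is narrower than disabling the rule:
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\LegacyApp\build.exe'
```

The status read-back matters because a rule that is merely absent from the device reports nothing at all; NotConfigured in the output is the gap to chase, not a benign default.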

5. Enable Unified Audit Logging in the Microsoft Purview Compliance Portal

Comprehensive logging and auditing are essential for detecting and investigating security incidents in Microsoft 365. Security baselines can enable unified audit logging in the Microsoft Purview compliance portal (formerly the Microsoft 365 compliance center), which centralizes activity logs from across Exchange Online, SharePoint Online, OneDrive, Entra ID, and other workloads. Auditing is on by default in most current tenants, but a baseline should still verify it rather than assume it, since events that occur while ingestion is off are never recorded.

This provides visibility into user and admin actions, mailbox access, file modifications, permission changes, and more. With unified audit logging, security teams can more easily detect suspicious behavior, identify compromised accounts, and respond to threats in a timely manner. Retention in the portal depends on the audit tier the tenant is licensed for, so a baseline should also forward the log to a SIEM or long-term store if investigations may need to look back further.
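The following is an added example, not code from the original article or from Simeon Cloud or CoreView. It verifies that unified audit log ingestion is on, enables it if not, and then runs the kind of detection the paragraph describes over the log: inbox rules that forward, redirect, or delete mail, a standard persistence step after an account takeover. It assumes the ExchangeOnlineManagement module and an account that can run Set-AdminAuditLogConfig and Search-UnifiedAuditLog; the function name is this example's own.

```powershell
# Added example, not code from the original article or from Simeon Cloud/CoreView.
# Assumptions: ExchangeOnlineManagement module installed; signed-in account can run
# Set-AdminAuditLogConfig and Search-UnifiedAuditLog. Function name is hypothetical.

Connect-ExchangeOnline -ShowBanner:$false

# --- 1. The check: do not assume auditing is on because newer tenants default to it ---
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    Write-Warning 'Unified audit log ingestion was OFF and has been enabled; earlier activity was never recorded.'
}

# --- 2. Detection over the log ---
function Find-ForwardingInboxRules {
    # Returns one object per New-InboxRule / Set-InboxRule event whose parameters forward, redirect,
    # delete or hide mail. Rules created from Outlook desktop are logged as 'UpdateInboxRules' with a
    # different parameter schema and are deliberately left out of this example.
    param([int] $Days = 7)

    # MoveToFolder is noisier than the rest but is how attackers hide replies in RSS Feeds or Archive.
    $suspect   = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage', 'MoveToFolder'
    # ReturnLargeSet with a fixed SessionId pages 5000 records per call until nothing comes back.
    $sessionId = "inboxrules-$([guid]::NewGuid())"
    $start     = (Get-Date).AddDays(-$Days)
    $end       = Get-Date

    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                    -Operations 'New-InboxRule', 'Set-InboxRule' `
                    -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet
        foreach ($rec in $page) {
            $data   = $rec.AuditData | ConvertFrom-Json
            $params = @{}
            foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }
            $hit = @($params.Keys | Where-Object { $_ -in $suspect })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{
                    When      = $rec.CreationDate
                    User      = $rec.UserIds
                    ClientIP  = $data.ClientIP
                    Operation = $data.Operation
                    RuleName  = $params['Name']
                    Actions   = ($hit | ForEach-Object { "$_=$($params[$_])" }) -join '; '
                }
            }
        }
    } while ($page)
}

Find-ForwardingInboxRules -Days 7 | Format-Table -AutoSize
```

A ClientIP outside the organization's usual ranges next to a freshly created ForwardTo rule is the classic business-email-compromise signature; the same loop can be pointed at other operations (Add-MailboxPermission, Set-Mailbox, Add member to role) by changing the -Operations list and the parameter names it looks for.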

Common Sources for Microsoft 365 Security Baselines

Microsoft isn’t the only source of security baselines for Microsoft 365. Different vendors, agencies, and organizations release their own security baselines too. Depending on your requirements, you may find one of them more suited to your needs than the others. For example:

  • Microsoft Security Compliance Toolkit (SCT): Microsoft provides official security baselines for Windows, Microsoft 365 Apps for enterprise, and Microsoft Edge as part of the SCT. It ships them as group policy objects (GPOs) together with the Policy Analyzer tool and detailed documentation to help organizations assess, compare, customize, and deploy the recommended configurations. Note that these baselines harden endpoints and client applications; they do not configure the cloud tenant itself.
  • CIS Benchmarks: The Center for Internet Security (CIS) publishes the CIS Microsoft 365 Foundations Benchmark, which covers tenant-side components such as Entra ID, Exchange Online, SharePoint, and OneDrive. CIS Benchmarks are widely used best-practice guides developed by a community of cybersecurity experts, and many assessment tools map their findings to benchmark recommendation numbers.
  • DISA STIGs: The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs) which are security baselines used by the US Department of Defense. These also cover several Microsoft 365 components.
  • Third-party Vendors: Vendors like Simeon Cloud provide solutions to help manage and deploy custom security baselines across multiple Microsoft 365 tenants from a centralized dashboard. But, Simeon doesn’t just offer a configuration baseline. It also includes a no-code automation dashboard and admin panel to seamlessly roll out, monitor, diagnose, and remediate the configuration should the need arise.

Automatically Roll Out Security Baselines Across Multiple Tenants With CoreView & Simeon

When you’re an IT lead for a large enterprise, manually configuring each tenant across multiple departments and locations can quickly become impractical. Thankfully, there’s a better way.

By using Simeon Cloud and CoreView, you can roll out security baselines at the click of a button. You can also monitor them, audit them, and customize them as per your needs. All of this is possible with minimal human intervention, plus you can always keep an eye on things using our intuitive no-code platform. Here’s how it works:

  • Start with Simeon Cloud's Configuration Baseline: Simeon offers its own baseline configuration to address 90% of all security and compliance issues in Microsoft 365. Our baseline is a carefully curated combination of settings that cover critical areas like identity and access management, data protection, threat prevention, and more.
  • Roll Out the Baseline Across Tenants with Simeon: With just a few clicks, you can deploy Simeon's baseline configuration to all your Microsoft 365 tenants. Simeon's multi-tenant management platform makes it easy to apply consistent settings, maintain detailed audit trails of all changes, and quickly remediate any drift from the baseline.
  • Analyze and Customize with CoreView's AI Assistant: While the baseline is a great starting point, every organization has unique security needs. That's where CoreView's AI Assistant comes in. Since it’s trained extensively on Microsoft 365 data, it can analyze an organization's deployed security baseline and offer intelligent suggestions for further hardening. 

By combining these two platforms, you can save time, reduce risk, and free up resources to focus on other strategic priorities. Ready to take the first step toward automated baseline management for Microsoft 365?  Sign up for a demo with Simeon Cloud, then keep learning about CoreView's AI Assistant.