Protect your Kingdom
Microsoft Office 365 Security Improvements
#1 Licensing Upgrade to Office 365 Premium.
Upgrade Licensing to Premium to take advantage of improved security and deploy Defender for 365 to employee PCs.
After Deployment of Defender for 365, scan all computers for vulnerabilities. Patch and secure any issues. Additionally, create reporting mechanisms that notify Realm Defense of any future vulnerabilities Defender finds on user computers.
#2 Office 365 Security.
Create the following conditional Access Policy Rules:
CA01: Block All Countries except the USA.
Self-explanatory
CA02: Block Legacy Authentication.
Stops automated processes using legacy authentication methods (SMTP, POP, etc) from trying to log in to your accounts.
CA03: Block unapproved Devices.
Stop device types like Linux from accessing your accounts.
CA04: Disable Persistent Browser Sessions.
Creates a login barrier that requires employees to have to login and reauthorize themselves after closing their browser.
CA05: Require Multi-factor Authentication for admins.
MFA for admin accounts (minus break glass emergency account)
CA06: Require Multi-factor Authentication for users.
MFA for all users and any new users moving forward.
CA07: Ensure Device Compliance via Intune.
Enforces device registration, so token theft from phishing scams become useless since the intruders system is not registered.
Additional Tenant Settings:
Restrict non-admin users from creating tenants.
Restrict user access to Microsoft Entra admin center.
Adjust Application installations that access company data to Admin approval only.
Add Break Glass Admin account for emergency access. A Global admin account w/ 50-character password and protected by a physical passkey.
Adjust SharePoint/OneDrive External Sharing settings to require user sign in.
#3 Check DNS and MX records for correct Email service authentication methods.
SPF, DKIM and DMARC are three email service authentication methods that limit impersonators from spoofing your email addresses.
Incorporate any missing elements.
See https://www.realmdefense.com/email-security for details.