CISA Top 5 Office 365 Config Areas

United States Cybersecurity and Infrastructure Agency released a report on the top 5 areas third parties miss when migrating data to Office 365.

you can read the report here

Top 5 Office 365 areas of improvement

• Use multi-factor authentication
• Enable unified audit logging in the Security and Compliance Center
• Enable mailbox auditing for every user
• Ensure Azure AD password sync is planned for and configured before migrating users
• Disable legacy email protocols or limit their use to specific users who need that access

In Detail

• Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment. The Azure AD Global Administrator accounts are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts.[1] There is a default Conditional Access policy available to customers, but the Global Administrator must explicitly enable this policy in order to enable MFA for these accounts. These accounts are exposed to internet access because they are based in the cloud. If not immediately secured, these cloud-based accounts could allow an attacker to maintain persistence as a customer migrates users to O365.
  
  
• Mailbox auditing disabled: O365 mailbox auditing logs actions that mailbox owners, delegates, and administrators perform. Microsoft did not enable auditing by default in O365 prior to January 2019. Customers who procured their O365 environment before 2019 had to explicitly enable mailbox auditing.[2] Additionally, the O365 environment does not currently enable the unified audit log by default. The unified audit log contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, PowerBI, and other O365 services.[3] An administrator must enable the unified audit log in the Security and Compliance Center before queries can be run.
  
  
• Password sync enabled: Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to O365.[4] This technology provides the capability to create Azure AD identities from on-premises AD identities or to match previously created Azure AD identities with on-premises AD identities. The on-premises identities become the authoritative identities in the cloud. In order to match identities, the AD identity needs to match certain attributes. If matched, the Azure AD identity is flagged as on-premises managed. Therefore, it is possible to create an AD identity that matches an administrator in Azure AD and create an account on-premises with the same username. One of the authentication options for Azure AD is “Password Sync.” If this option is enabled, the password from on-premises overwrites the password in Azure AD. In this particular situation, if the on-premises AD identity is compromised, then an attacker could move laterally to the cloud when the sync occurs. Note: Microsoft has disabled the capability to match certain administrator accounts as of October 2018. However, organizations may have performed administrator account matching prior to Microsoft disabling this function, thereby synching identities that may be have been compromised prior to migration. Additionally, regular user accounts are not protected by this capability being disabled.
  
  
• Authentication unsupported by legacy protocols: Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of protocols associated with Exchange Online authentication that do not support modern authentication methods with MFA features. These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transport Protocol (SMTP). Legacy protocols are used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will not be disabled. This leaves email accounts exposed to the internet with only the username and password as the primary authentication method. One approach mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols. Using Azure AD Conditional Access policies can help reduce the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce the attack surface for organizations.[5]  

Source: https://www.us-cert.gov/ncas/analysis-reports/AR19-133A