Office 365 is a great platform of choice for any collaboration and sharing that you may need as an organization. Over the years Microsoft has added great Security features to help in protecting Office 365. These features cover everything from Authentication, Content Protection; Email controls all the way to Security and Advanced Threat Protection. These services are great, but most require initial setup, configuration as well as purchasing of extra licenses.

Over the past year, I have spent time using the security tools to find out what is missing. Honestly apart from some very specifics, the Security tools that Microsoft have implemented within Office 365 honestly do the job and do it well.

What are Security areas covered within Office 365?

Microsoft released a document a while back called “Assessing Microsoft 365 Security Solutions using the NIST Cybersecurity Framework“, this can be downloaded using the link below:

The NIST Framework outlined in the document, consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover. When considered together, these functions provide a high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.

The Framework outlines functions and categories that need consideration for any platform that provides services such as Microsoft 365. Some of the information below is directly from the Microsoft document itself.

Function Categories
Identify Asset Management
Business Environment
Risk Assessment
Risk Management Strategy
Supply Chain Risk Management
Protect Identity Management and Access Control
Awareness and Training
Data Security
Protective Technology
Information Protection Processes and Procedures
Detect Anomalies and Events
Security Continuous Monitoring
Detection Processes
Respond Response Planning

Within each category, tools are available that help you as an organization not only meet the NIST requirements but better control and protect your data. Each category is outlined below with the Microsoft tools to assist in protection.

Identify: “Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

Microsoft 365 provides fundamental and base identity user management that includes Application Access Control, Single Sign-on, Device Management and Control. To add to this, Azure AD Connect can be used to integrate On-premises user directories directly with Azure Active Directory, creating a seamless link between both On-premises and Cloud.

Protect: “Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

Microsoft 365 provides controls for limiting authorization to its services through devices, activities, and actions. Primary protection is Azure Active Directory Conditional Access rules. This component evaluates sets of configurable conditions, such as user, device, the application as well as an associated risk. Based on this evaluation, the correct level of access is assigned.

Detect: “Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

Protecting against an actual malicious attack or data breach is a fundamental worry for any organization. Microsoft 365 protects real-time anomalies and events. Using a combination of tools allows for better control and protection. Advanced Threat Protection provides security and audit log management, application whitelisting, as well as policies to control the flow of traffic and data. For device-based attacks, Microsoft provides Windows Defender Advanced Threat Protection, providing almost instant blocking of new and emerging threats. Office 365 Advanced Threat Protection protects email, attachments, online storage, files, as well as providing services for safe attachments and links. Azure Advanced Threat Protection combines information from logs and network events to learn the behavior of users within the organization, building a behavioral profile of normal use. Anormal or suspicious activities can then be detected easily.

Response: “Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.

Azure Active Directory Access Usage Reports allow you to view and asses the overall integrity and security of your organizations Azure Active Directory. Other reports provided are Anomaly, Integrated Application, Error, User-specific and Activity reports.


What is missing then?

For most of the functions that organizations and end users will perform, the tools are all here. However, based on the Cyber Research Project I was involved in earlier this year, most organizations do not enable the required features, either because they don’t know about them or due to cost. You can download the report using the following link:

There is a single area though, that does not have any types of general protections. It is customizations mostly within the SharePoint, OneDrive, Office 365 Groups and Teams services. One of the most powerful features of Office 365, is the extensibility within each component. SharePoint Online, for example, allows full solutions to be developed and deployed easily. These customizations could be simple JavaScript, Add-ins, or even the new SharePoint Framework. Either way, there are no provisions within the Security Tools of Microsoft 365 for controlling and inspecting them.

A second area that is missing is proactive monitoring for configuration changes. There is plenty of monitoring of activities and actions performed within each tool and by each user, however, no monitoring for changes such as a configuration that may have happened. The Secure Score does provide a way to see some of this but has to manually run, then be checked within the Secure Score site to see any changes.

Are there tools available to fill the gap?

Luckily there is a tool available that can help to fill the gap not only of customization inspection but also provide proactive monitoring notifications. It is a product created by the team over at Rencore. It is called Analysis Cloud. In a nutshell, Analysis Cloud provides four key areas of protection and control.

Automatic Environment Configuration Scanning and Monitoring

Scan the current Office 365 Tenant, checking for potential configuration issues, or violations based on defined rules. Proactively scan and be notified for changes or further violations.

Automatic Deprecation and Security Policy Checks

Be notified of potential features that have or are being deprecated, as well as checking common Security configuration settings.

Proactive Security/Policy rules based notifications and alerts

Be actively notified of violations or security risks. Set core reminders on potential violations to help with remedial action.

Application and Customization Governance and Monitoring

Find all customizations deployed to SharePoint Online. Inspect the contents of the code validating the code against industry validated best practice rules, as well as look for the suspicious or malicious code. Be actively notified of changes made to the customizations.

Yeah, Yeah, making me get another tool. Do I need it?

Don’t trust me; well do trust me, just kidding.

The first question I would ask yourself is: Do I know where all the customizations are within my Office 365 Tenant? Do I know how many Script Editor web parts are on the site? Do I know where custom JavaScript is on pages? Do I know who made configuration changes last? Is my Tenant configured for the best Security? Do I know what the code is doing on my site?

If you answer “NO” to any of these questions, then you NEED to head over to the link below and request a trial of Analysis Cloud. Get a Risk Assessment completed, which will outline some of this information for you.