5 Steps to Securing Your Office 365 Migration

A SaaS platform like Office 365 is the perfect catalyst for the modern enterprise with its potential to support powerful collaboration products and inherent capacity for scalability. This one of the many reasons why Office 365 is growing impressively at 27% year-on-year with 180 million users. In the rush to migrate to Office 365, however, enterprises are often overlooking its basic security features, which leads to sub-optimal usage of Office 365. A central aspect of a successful and holistic Office 365 migration is securing the tenant and user data. Among the many advantages of migrating from on-premises to Office 365 are its phenomenal security and compliance attributes. Here are our 5 steps to harnessing them.

#1 Setup Multi-Factor Authentication (MFA)

With the majority of cyber attacks attributed to compromised and weak credentials, MFA is fast becoming an industry-wide security best-practice. It does not rely on a single (hackable) password but combines it with authentication from other levels including other verified devices and biometrics. In my experience guiding organizations through their migrations, I’ve consistently noticed an uptick in phishing attempts post-migration – clever hackers try to break into your tenant. MFA protects your tenant against such attacks.

  • Go to Office 365 Settings and enable Modern Authentication. 
  • After which setup MFA for all global administrators at the very minimum, but preferably for all users. The Microsoft  MFA deployment guide offers great inputs. 
  • Incorporate this at the start of the migration as a part of Identity Management or just before you roll out credentials, so the transition is not so jarring to the users.
  • Educate users about how vital MFA is to prevent compromised attacks due to phishing. 
  • All Office 365 applications work with MFA. If you’re using older versions of the apps, you can get app passwords for specific apps. Note that these wouldn’t be the ones users normally use for login and should be used when necessary to ease the transition.

#2 Setup Retention Policies

Office 365 Retention Policies enable you to secure special classes of content such as corporate records, sensitive information, GDPR or HIPAA materials. More essentially, it allows end-users to self-classify content

  • For example, content can be classified as Transitory (deleted after 1 year), Work In Progress (deleted after 3 years) and Business Records (deleted after 5 years).
  • As end-users classify the content themselves, it ensures that they are aware of the compliance and legal implications.
  • Be aware that the Retention Rules are applied in a hierarchical manner. For example, retention supersedes over deletion, and the longest retention policy wins.

#3 Turn on Security and Audit Logging

Office 365’s audit logging capabilities are another fantastic security mechanism that is not fully utilized.

  • In the Office 365 Security and Compliance Center, Navigate to Search and turn on Audit Log Search (it may take 24 hrs to take effect).
  • It offers a host of features ranging from basic audit log searches about who changed/deleted/shared what content and when it occurred, to more fine-tuned alerts.
  • Advanced features include alerts on suspicious deletions, such as manual clearing of the Recycle Bin. 
  • With it you can monitor user and admin activity in SharePoint Online, OneDrive for Business and Azure Active Directory.
  • You can also create alert policies where specific actions will be triggered if a certain activity occurs, such as emailing a group if files are being shared externally.

#4 Setup Microsoft Search

While the Bing Vs Google Search argument persists, Microsoft Search in the Office 365 context, is very helpful to get a unified and exhaustive snapshot of your files. Particularly in this digital age of mind-numbing content overload, a file is only as good as its findability when you most require it. The direct integration of Office 365 search with Bing provides a one-stop shop for searching the Internet and your domain.


#5 Setup External Sharing Settings

While Office 365 supports external sharing, basic due diligence dictates that an organization should examine external sharing and design and enforce a policy that supports the business securely.

  • Train users on how to share, precautions that should be taken and the importance of assigning access permissions judiciously. Moreover, users can add guests as “external users”. This safeguards the company, while still allowing for flexibility. Once users are trained, they can also be put in a security group where they are permitted to share externally
  • Consider creating “External Sites” for sharing and set expiration dates for the links.

Check that the default link type is set to Internal and that the default link permission is set to View. Users can change it, but only if specifically required on a case-to-case basis.


Also, don’t forget your Office 365 safety net to protect you against data loss at your end due to human error, malicious intent, and malware. Remember, even with all its awesomeness, a SaaS application like Office 365 needs backup too. Keep these pointers in mind and you’re well on your way to a secure migration and optimized adoption of Office 365.

Trusted by 1.4 million users worldwide.

Try Spanning Now

*** This is a Security Bloggers Network syndicated blog from Spanning authored by Matt McDermott. Read the original post at: