10 Top Tips to help secure your Office 365 environment


According to Risk Based Security’s 2017 Data Breach QuickView Report, last year broke the record for the most data breaches and the most data compromised in one year. In all, 5,207 breaches were recorded, surpassing the previous high-water mark, set in 2015, by nearly 20%. The number of records compromised also reached a new high, with over 7.8 billion records exposed, a 24.2% increase over 2016’s previous record of 6.3 billion.

There is no doubt that we will see a similar trend in 2018, which makes this a year where security is again the number one priority. For every solution or system being deployed, ensuring it is fully secure is now an absolute business requirement. Not only could your bottom line be hit, but the damage to your reputation could be market critical.

Microsoft has baked layers of tools and features into Office 365 to help you secure your environment.

In Office 365 Security – The Essential Guide, we’ve identified 10 top tips that you can put into practice to increase your protection today.

Tip 1: Know Your Estate

Tip 2: Control Access

Tip 3: Object Permissions

Tip 4: Permission Inheritance

Tip 5: Granular Permissions

Tip 6: Contribution and Editing

Tip 7: Assessing Security

Tip 8: Sharing Externally

Tip 9: Admin Power

Tip 10: Phones and Tablets

We hope this guide will set you on the path to a more secure Office 365 environment.



Tip 1: Know Your Estate

Knowing where your data is stored and who can access it is absolutely the best place to start. How can you expect to secure your information if you don’t know what you have and where it is? To enforce policies such as security practices and templates and stay compliant, you’ll need to audit and catalogue your data.

Microsoft provides an ever-evolving public cloud platform that empowers users to create objects and content themselves, so it’s more critical than ever for IT administrators to monitor security within Office 365.

For traditional file shares, the process is simple: the real concern is knowing the folder structures and the properties of the files within them. Modern technologies such as Office 365 introduce new challenges, for example the profusion of data within SharePoint Online. SharePoint Online Sites, Groups, Lists and Libraries can easily lead to content sprawl if not managed properly. Common questions to address include:

  • Is data stored in the correct place(s)?
  • Where are your SharePoint sites?
  • What templates do they use?
  • Who has access to them?
  • When was the last time someone accessed the information?

You really can’t go overboard with the amount of information you collect relating to your organisation’s data. The key is knowing what to do with it.

Provided you are comfortable writing scripts, the best way to build a picture of your infrastructure and your Office 365 security is to utilise PowerShell. PowerShell tooling can be used to gain an insight into the security and compliance of your environment both on premises and in the cloud.
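As an added example, not part of the original guide, the following script uses the SharePoint Online Management Shell to answer the questions above in one pass: every site collection, its template, owner, external sharing setting, last content change and site collection administrators, with stale sites flagged. The tenant name and the 180-day threshold are placeholders.

```powershell
# Added example (not from the original guide): build a first inventory of SharePoint
# Online with the SharePoint Online Management Shell. The tenant name is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

$tenant = 'contoso'                                    # placeholder tenant name
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# Sites with no content change in this many days get flagged for review
$staleDays   = 180
$staleBefore = (Get-Date).AddDays(-$staleDays)

$inventory = foreach ($site in Get-SPOSite -Limit All) {
    # Site collection administrators and direct user entries on the site root.
    # Get-SPOUser fails on sites the tenant admin is not yet an admin of, so
    # record the error for that site rather than abort the whole run.
    try {
        $users       = @(Get-SPOUser -Site $site.Url -Limit All)
        $admins      = ($users | Where-Object IsSiteAdmin | ForEach-Object LoginName) -join ';'
        $directUsers = @($users | Where-Object { -not $_.IsGroup }).Count
    } catch {
        $admins      = "ERROR: $($_.Exception.Message)"
        $directUsers = $null
    }

    [pscustomobject]@{
        Url          = $site.Url
        Title        = $site.Title
        Template     = $site.Template                  # e.g. STS#0, GROUP#0
        Owner        = $site.Owner
        Sharing      = $site.SharingCapability         # external sharing setting
        LastModified = $site.LastContentModifiedDate
        Stale        = $site.LastContentModifiedDate -lt $staleBefore
        SiteAdmins   = $admins
        DirectUsers  = $directUsers                    # users granted outside a group
    }
}

# Keep the full picture on disk, then show the sites that need attention first
$inventory | Export-Csv -Path .\spo-inventory.csv -NoTypeInformation
$inventory | Where-Object { $_.Stale -or $_.Sharing -ne 'Disabled' } |
    Format-Table Url, Template, Owner, Sharing, LastModified -AutoSize
```

A non-zero DirectUsers count is the quickest pointer to sites where permissions were granted to individuals rather than groups, which Tip 2 below advises against.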

Need an expert to help with assessing your data?

Our knowledgeable consultants can classify and map your data to recommend best practice for security, compliance and management.

Tip 2: Control Access

User permissions can be difficult to understand, and Office 365 is no exception. Microsoft provides fail-safe settings on new deployments such as SharePoint Online to ensure that the default site is secure. Taking the time to learn what it means to grant access and apply permissions is critical to the success of adopting new technologies.

All experienced system administrators will know that granting permissions to a group is a far better practice than enabling explicit permissions on a user account. This prevents losing track of who had, or still has access to, which data, and makes it much easier to make changes in the future, such as when a user moves department. With Office 365, the same mentality applies.

SharePoint Online and Delve boast powerful search engines, but they might raise the eyebrow of your security team manager. In Office 365, accidental access to data is a much more likely scenario than it is for data stored in file shares. Ensuring that users are always added to groups, and that permissions are only ever applied to groups, is the best way to be sure that user permissions are well organised and manageable. User education is a big part of this, as users themselves can grant permissions on their own documents and directories to another individual.

Need an expert to help with securing new deployments?

Our knowledgeable consultants can advise on safeguarding new solutions deployed in your organisation.

Tip 3: Object Permissions

Only specific types of objects within Office 365’s SharePoint Online structure can be assigned permissions: Sites, Lists and Libraries, Folders, List Items and Library Documents. Though many of us wish it could be done at the column level or on views, at the moment, this is not an option.

The most problematic aspect to managing Office 365 permissions is that there are just so many objects in your environment.

As part of your governance policies, you will have different objects that need to be secured differently, according to those policies, to stay compliant.

How can you be sure that all HR-tagged documents are secured properly? Unfortunately, it must be done manually. It’s not hard to imagine how much disorganisation this can lead to when employees use the platform to author and edit content of different types across your Office 365 environment. More importantly, it makes it very hard to manage.

Need an expert to help with securing object permissions?

Our knowledgeable consultants can advise on the best methods of securing objects throughout the Office 365 platform.

Tip 4: Permission Inheritance

In contrast to File Shares, in Office 365 when you decide that an object should have different permissions than the parent object it is inheriting from, you need to break the permissions inheritance on it.

Why? Because SharePoint Online runs on SQL behind the scenes. Breaking inheritance creates an impact on how content is stored and retrieved. This can slow your loading performance and it damages the user experience. It can also make it difficult to audit who has access to what on an object, when inheritance has been broken multiple levels above. Generally, users don’t know about the impact they have as they click on the share button or change permissions and nor should they. Enforcing permissions shouldn’t hinder the usability or performance of the platform.

One way to overcome problems of this nature is to limit who can change permissions, and therefore who can break inheritance. In the past, and through governance planning, we’ve even prohibited breaking inheritance on anything other than sites. However, this isn’t always easy to maintain and enforce without some kind of custom development.

Need an expert to help with security permissions?

Our knowledgeable consultants can help you design and build a secure and best-practice platform for your corporate data.

Tip 5: Granular Permissions

Creating new and custom permission levels in Office 365’s SharePoint Online is inevitable.

Not every SharePoint topology is the same, and requirements differ from one organisation to the next.

Permission levels are what you grant a user or group on a specific object. For example, you can give Bob the “full control” permission level so that he has access to your site, or limited access, so he can only view or edit specific Lists and Libraries.

The few permission levels that are automatically created aren’t always enough. In many cases, customers need granular control. For example, the creation of a new role that grants full control without the right to create sub-sites.

Essentially, depending on what you need to achieve, you can create whatever custom permission levels you need in Office 365 to give the right access to the right people. This can be very useful in making sure too much isn’t granted to someone who only needs minimum access to an object; however, it can also be dangerous. For example, who has access to create or edit these permission levels? If you edit an existing permission level, are you aware of the impact it will have, and on how many people or objects? A single checkbox could be the difference between people being allowed to download a copy offline or not.

As a rule, don’t modify any existing permission levels in Office 365 sites. Instead, copy them and then edit the copy to isolate the original and minimise any impact it can have on existing SharePoint objects that are created automatically.

Need an expert to review your custom permissions?

Our knowledgeable consultants can show you how to give the right access to the right people.

Tip 6: Contribution and Editing

As mentioned previously, permission levels are rights that you grant a user or group to access an object. If you are experienced with a previous version of SharePoint or simply migrating from it, this change in managing access can be quite surprising to you as well.

When you build a ‘Site’ in SharePoint Online, a few groups are automatically created and granted access to that Site. In past versions of SharePoint, one of these groups, ‘Members’, was always granted the ‘contribute’ permission level. This allowed people within the group to add, modify and delete content within Lists and Libraries.

Since SharePoint 2013 was introduced, ‘Members’ has been granted the ‘edit’ permission level instead. This is an entirely new level that also allows the users and groups given it to create, change and delete Lists and Libraries themselves. This is a huge shift in control and can have a massive impact on your security, especially if you are expecting the behaviour of earlier versions of SharePoint.

The first step to mitigate this problem is knowing it exists. There are a few solutions, or perhaps workarounds, that can help you ensure users have the right permissions on your objects. Of course, you can simply delete the ‘edit’ permission level. Though not ideal, it solves the issue. Another way would be to make sure that when Sites are created, the ‘Members’ group has its permissions changed from ‘edit’ to ‘contribute’.
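The second workaround above, swapping the Members group from ‘edit’ back to ‘contribute’, can be scripted. The following is an added example, not code from the original guide, using PnP PowerShell; it reports first and only changes anything when run with -Fix. The site URLs are placeholders and the legacy PnP module name is assumed.

```powershell
# Added example (not from the original guide): check a site's default Members group
# and replace 'Edit' with 'Contribute'. Uses PnP PowerShell cmdlets (Get-PnPGroup,
# Get-PnPGroupPermissions, Set-PnPGroupPermissions); the site URLs are placeholders.
Import-Module SharePointPnPPowerShellOnline      # PnP module name of the period (assumed)

function Repair-MembersPermissionLevel {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [pscredential] $Credential,
        [switch] $Fix                             # without -Fix the function only reports
    )
    Connect-PnPOnline -Url $SiteUrl -Credentials $Credential

    # The associated Members group is the one created automatically with the site
    $members = Get-PnPGroup -AssociatedMemberGroup
    $levels  = @(Get-PnPGroupPermissions -Identity $members | ForEach-Object Name)

    $hasEdit = $levels -contains 'Edit'
    if ($hasEdit -and $Fix) {
        # Add and remove in one call so the group is never left with no level at all
        Set-PnPGroupPermissions -Identity $members -AddRole 'Contribute' -RemoveRole 'Edit'
        $levels = @(Get-PnPGroupPermissions -Identity $members | ForEach-Object Name)
    }

    [pscustomobject]@{
        SiteUrl      = $SiteUrl
        MembersGroup = $members.Title
        HadEdit      = $hasEdit
        Levels       = $levels -join ';'
        Fixed        = ($hasEdit -and $Fix)
    }
}

$cred  = Get-Credential -Message 'Site collection administrator'
$sites = @(
    'https://contoso.sharepoint.com/sites/finance',   # placeholder URLs
    'https://contoso.sharepoint.com/sites/hr'
)

# Report first; rerun with -Fix once the output looks right
$sites | ForEach-Object { Repair-MembersPermissionLevel -SiteUrl $_ -Credential $cred } |
    Format-Table -AutoSize
```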

Need an expert to verify who has access to what?

Our knowledgeable consultants can show you which people have access to certain data and what level of control they have over that data.

Tip 7: Assessing Security

How can you tell who accessed which files in the last few days? Though not everyone is always aware, Office 365’s SharePoint Online comes with Audit Reports built in to run on the type of content you wish to audit. Want to know who viewed a file or deleted an item in your Document Library? Now you can.

An Office 365 security audit is vital in keeping your environment secure. It allows you to prove, or act on, any ongoing security breaches. A lot of these are caused by users who have access to data and share it, either with malicious intent or just by accident.

One thing you should know is that, because of the performance cost of these audit reports, they are disabled by default. This means that if you only go to view the reports because of a possible breach, or simply want to inspect them, it will be too late: nothing will have been recorded. This is a per ‘Site Collection’ feature that also needs to be granularly configured per List or Library, and even by Content Type.

There aren’t a million options to solve this, you just need to enable the feature and configure it where needed. Remember not to go audit report crazy! The amount of information generated can slow down your users’ experience on the platform.

Microsoft has also provided a scoring system where vulnerabilities and practices contribute towards a tenant rating. This is called ‘Secure Score’ and can be used to obtain a clear list of tasks to strengthen your defences.

Need an expert to review your Office 365 tenant?

Our knowledgeable consultants can ensure that your cloud environment has the correct levels of protection and is utilising security features appropriately.

Tip 8: Sharing Externally

Office 365 introduced External Users to allow you to share content with people outside of your organisation. This is an incredibly useful feature because working with External Users is pretty much a necessity these days. However, it introduces a very serious potential security threat if not monitored properly. Where are these Office 365 external users and what do they have access to, especially months after they no longer need that access?

The way in which external sharing works can be confusing for users and can lead them to make mistakes. The email address entered for an external user when sharing an object isn’t necessarily the address that will be given authorisation: the recipient still needs an Office 365 or a Microsoft Live account to access the information.

There are multiple perspectives to consider when managing External Sharing from your Office 365. Do you have a list of all external users currently accessing data within your environment? What is currently shared with external users? What content has been shared with external user “X”? Are there documents shared with external users that haven’t been accessed in a “Y” amount of time?
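The first three questions can be answered from the tenant itself. As an added example, not part of the original guide, the script below uses Get-SPOExternalUser from the SharePoint Online Management Shell to list every external user tenant-wide (with who invited them and when) and then per site, so you can see which sites a given external user can reach. The tenant name and the 90-day invitation age are placeholders.

```powershell
# Added example (not from the original guide): enumerate external users in a tenant
# and per site with the SharePoint Online Management Shell (Get-SPOExternalUser).
# The tenant name and the age threshold are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

function Get-AllExternalUsers {
    param([string] $SiteUrl)
    # The cmdlet returns at most 50 entries per call, so walk the pages
    # until one comes back short.
    $pageSize = 50; $position = 0; $result = @()
    do {
        $params = @{ Position = $position; PageSize = $pageSize }
        if ($SiteUrl) { $params['SiteUrl'] = $SiteUrl }
        $page = @(Get-SPOExternalUser @params)
        $result += $page
        $position += $pageSize
    } while ($page.Count -eq $pageSize)
    return $result
}

# 1. Tenant-wide: who are the external users, who invited them, and how long ago?
$oldInvites = (Get-Date).AddDays(-90)
$tenantWide = Get-AllExternalUsers |
    Select-Object DisplayName, Email, AcceptedAs, InvitedBy, WhenCreated,
        @{ n = 'OlderThan90d'; e = { $_.WhenCreated -lt $oldInvites } }
$tenantWide | Export-Csv -Path .\external-users.csv -NoTypeInformation

# 2. Per site: which sites each external user has been granted access to.
#    Only sites where external sharing is switched on can have any.
$perSite = foreach ($site in Get-SPOSite -Limit All |
                    Where-Object { $_.SharingCapability -ne 'Disabled' }) {
    foreach ($u in Get-AllExternalUsers -SiteUrl $site.Url) {
        [pscustomobject]@{ Email = $u.Email; Site = $site.Url; Invited = $u.WhenCreated }
    }
}
$perSite | Sort-Object Email, Site | Format-Table -AutoSize
```

The invitation date is the only age this cmdlet exposes; answering the last question, when shared content was last accessed, needs the audit reports from Tip 7.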

Need expert advice on externally sharing data?

Our knowledgeable consultants can design and deploy controlled data sharing abilities.

Tip 9: Admin Power

Let’s talk about the administrator – the person who has all the power over your Office 365 environment.

Though the Office 365 administrator doesn’t necessarily have instant access to all sites created, or to OneDrives owned by users, he or she can grant themselves that power very easily. This administrator can turn features on and off to their own benefit and leave no trace.

How can you find out what this administrator account has access to?

In some security breaches, it is the administrator account’s credentials that have enabled hackers to access and steal the information they were after. Your administrator credentials can be stolen and used to erase any indication that a theft has taken place. The administrator role therefore is one of the biggest security concerns in Office 365.

Have you considered Multi-Factor Authentication for Office 365 to verify that the person accessing this account is the person who should be using it? Office 365 will validate by calling the registered phone number for the administrator or by sending a validation code to that phone.

To reduce the risks, you can also make sure that nobody does their day-to-day work with an administrator account. Most companies have an administrator account that no one uses unless they need to elevate their privileges to do something on the platform; otherwise, they use their regular account day to day.
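Both of the points above, MFA on administrator accounts and administrator accounts that are not used day to day, can be checked with the MSOnline module. This is an added example, not code from the original guide: it reports each Global Administrator’s per-user MFA requirement and registration state, flags licensed admin accounts (a licence is assumed here to indicate an account that doubles as someone’s everyday mailbox), and only enables MFA when $enforce is set.

```powershell
# Added example (not from the original guide): report each Global Administrator's
# MFA state with the MSOnline module and, optionally, enable MFA where it is missing.
Import-Module MSOnline
Connect-MsolService

$enforce = $false          # set to $true to enable per-user MFA on admins that lack it

# 'Company Administrator' is the directory name of the Global Administrator role
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All

$report = foreach ($m in $admins | Where-Object { $_.RoleMemberType -eq 'User' }) {
    $u = Get-MsolUser -UserPrincipalName $m.EmailAddress

    # State is 'Enabled' or 'Enforced' when a per-user MFA requirement exists
    $mfaState = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else { 'None' }

    if ($mfaState -eq 'None' -and $enforce) {
        $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
        $req.RelyingParty = '*'
        $req.State        = 'Enabled'
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)
        $mfaState = 'Enabled'
    }

    [pscustomobject]@{
        Admin              = $u.UserPrincipalName
        MfaRequirement     = $mfaState
        # Registered methods (phone call, text, app) exist once the user has enrolled
        MfaRegistered      = $u.StrongAuthenticationMethods.Count -gt 0
        # Assumption: a licensed admin account is probably also a day-to-day account
        Licensed           = $u.IsLicensed
        LastPasswordChange = $u.LastPasswordChangeTimestamp
    }
}

$report | Format-Table -AutoSize
# Accounts to follow up on: no MFA requirement, or in everyday use
$report | Where-Object { $_.MfaRequirement -eq 'None' -or $_.Licensed } |
    Export-Csv -Path .\admin-review.csv -NoTypeInformation
```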

Need an expert to enforce correct administrative control?

Our knowledgeable consultants ensure that your organisation is employing a ‘principle of least privilege’ whereby the correct people have appropriate control only.

Tip 10: Phones and Tablets

Microsoft has announced its new vision of “Cloud first, mobile first”. It has recognised that users are accessing content through a variety of devices. This makes things more difficult from a security perspective, since a user’s employer doesn’t always control these devices.

Office 365 has also introduced the ability to Sync content offline with OneDrive for Business, making it even more difficult for a company to enforce its security policies. Combine that with mobile devices and access from anywhere, and you have yourself a recipe for many sleepless nights.

Of course, these features are very important for the organisation to be flexible and innovative and to keep up with the demands of a modern workforce. They allow it to stay competitive and turning them off globally is out of the question.

Simple solutions can help mitigate the risks – like training users to use OneDrive for Business and access the content securely from their mobile devices. Making sure that a password is required to unlock their device will help prevent a breach. A suitable candidate to help protect these company devices would be Microsoft Intune. Intune can provide cost-effective Mobile Device Management for any size of business.

Information Rights Management within Office 365 allows you to add an additional layer of security at the document level. For example, IRM can prevent someone from printing a document or forwarding an email, even when it is accessed through a mobile device. IRM-protected documents also work when synced with OneDrive for Business, making IRM a great solution for enforcing security policies.

Need an expert to provide guidance on Mobile Device Management?

Our knowledgeable consultants can apply Mobile Device Management and Information Rights Management technologies to your organisation.


Applying these basic tasks will set you on the path to a more secure Office 365 environment. The goal is to strike a balance between enabling an ever-more mobile workforce to be agile, whilst maintaining control over corporate data.

Know your estate – Take a look at the current configuration of your environment. Where is company data stored, how is it organised and who can access it? How does your configuration compare against vendor best practices?

Control Access – When giving your users access to data, are you applying permissions directly or using groups? What kind of access is being granted and does it conform to a principle of least privilege?

Object Permissions – Have the correct ‘catch-all’ permission policies been applied to your data containers and directories? SharePoint Online can be customised to complement user privilege configuration by applying object-level access rules.

Permission Inheritance – When permissions are applied, where are they coming from? Are permissions filtering down via inheritance, and are the expected levels of permissions being granted to your users?

Granular Permissions – Is your organisation using the full capabilities of the Office 365 platform? Newer security features and tools such as Role Based Access Control can offer better methods of protecting your infrastructure.

Contribution and Editing – New Office 365 services can inadvertently empower users and provide access to resources by default. Make sure you understand what it means to deploy a new service and what the experience will be from a user’s perspective.

Assessing Security – By design, audit reporting is not enabled as standard. Does the business require the ability to audit access and configuration change? Secure Score should be used to review security weaknesses, for example, global administrator accounts without Multi-Factor Authentication enrolment.

Sharing Externally – Do you want to ring-fence technologies such as Skype for Business? Are users able to self-manage and share data with third parties?

Admin Power – Does every administrator need access to all areas? Could the use of specific permission level roles offer more appropriate administrative access?

Phones and Tablets – How are your mobile devices managed? Is documentation protected, even once it’s left the business infrastructure?

SystemsUp provides expert consultancy to help you create a modern workplace and encourage collaboration. As a Microsoft Gold Partner, our in-depth knowledge of Office365 enables you to get the most out of the technology while ensuring that you are employing the correct security practices.

Call us on 020 7448 4615, email enquiries@systemsup.co.uk or fill out our contact form to talk to us about your Office 365 requirements.
