Overview of Security
Microsoft 365 Business provides threat protection, data protection, and device management features to help you protect your company from online threats and unauthorized access, as well as protect and manage company data on your phones, tablets, and computers.
Microsoft 365 Business includes Office 365 Advanced Threat Protection (ATP), a cloud-based email filtering service that protects you from malware, ransomware, harmful links, and more. ATP Safe Links protects you from malicious URLs in email or Office documents. ATP Safe Attachments protects you from malware and viruses attached to messages or documents.
Multi-factor authentication (MFA), or two-step verification, requires you to present a second form of authentication, such as a verification code, to confirm your identity before you can access resources.
Windows Defender provides comprehensive protection for your system, files, and online activities from viruses, malware, spyware, and other threats.
You can use data loss prevention (DLP) policies to identify and manage sensitive information, such as Social Security or credit card numbers, so that it isn’t mistakenly shared.
Office 365 Message Encryption combines encryption and access rights capabilities to help ensure that only intended recipients can view message content. Office 365 Message Encryption works with Outlook.com, Yahoo!, Gmail, and other email services.
Exchange Online Archiving is a cloud-based archiving solution that works with Microsoft Exchange or Exchange Online to provide advanced archiving capabilities, including holds and data redundancy. You can use retention policies to help your organization reduce the liabilities associated with email and other communications. If your company is required to retain communications related to litigation, you can use In-Place Holds and Litigation Holds to preserve related email.
Microsoft 365 Business advanced device management features let you monitor and control what users can do with enrolled devices. These features include conditional access, Mobile Device Management (MDM), BitLocker, and automatic updates.
You can use conditional access policies to require additional security measures for certain users and tasks. For example, you can require multi-factor authentication (MFA) or block clients that don’t support conditional access.
With MDM, you can help secure and manage your users’ mobile devices like iPhones, iPads, Androids, and Windows phones. You can create and manage device security policies, remotely wipe a device to remove all company data, reset a device to factory settings, and view detailed device reports.
You can enable BitLocker encryption to help protect data in case a device is lost or stolen, and enable Windows Exploit Guard to provide advanced protection against ransomware.
You can configure automatic updates so that the latest security features and updates are applied to all user devices.
Set up multi-factor authentication
Multi-factor authentication provides more security for your business. Follow these steps to set it up.
- When you sign in to https://office.com, you’ll see the More information required prompt. Choose Next.
- Under Step 1, choose Mobile app from the Authentication phone drop-down list.
- Under How do you want to use the mobile app?, select the method you want to use to sign in:
  - Select Receive notifications for verification to authenticate directly from your mobile app, which may include fingerprint authentication.
  - Select Use verification code to enter a new verification code each time you authenticate.
- Choose Set up.
- Leave the Configure mobile app window open on your computer.
- On your mobile device, go to the app store, search for “Microsoft Authenticator,” select it, install it, and open it.
- In Authenticator, follow the prompts to complete the wizard, and then choose the plus (+) sign to add your account.
- Choose Work or school account, choose Allow when prompted for permission to take pictures and record video, and then follow the instructions to scan the QR code in the open window on your computer.
- After the account has been added, choose Got It.
- On your computer, choose Next, and then choose Next again.
- Make a note of the code that appears on your mobile device, enter the code on your computer in the box under Step 2, and then choose Verify.
- In the boxes under Step 3, enter a backup phone number, such as your office number, choose Next, and then choose Done.
Stop forwarding emails
If a hacker gains access to a user’s mailbox, they can auto-forward the user’s email to an outside address and steal proprietary information. You can stop this by creating a mail flow rule.
- From the Microsoft 365 admin center, select Exchange, then mail flow. On the rules tab, select the plus sign and choose create a new rule.
- Select More options. Name your new rule.
- Then open the drop-down for apply this rule if, select The sender, and then is external/internal.
- Select Inside the organization, and then OK.
- Choose add condition, open the drop-down, select The message properties, then include the message type.
- Open the select message type drop-down, choose Auto-forward, then OK.
- Open the Do the following drop-down, select Block the message, then reject the message and include an explanation.
- Enter the message text for your explanation, then select OK.
- Scroll to the bottom and select Save.
Your rule has been created, and hackers will no longer be able to auto-forward messages.
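The same rule built in Exchange Online PowerShell, as an added example that is not from the original page. It assumes the ExchangeOnlineManagement module is installed and you hold an Exchange admin role; the rule name and rejection text are placeholders. It also goes one step beyond the page by listing mailboxes that already have forwarding configured, which the rule alone does not show you.

```powershell
# Added example (not from the original page): the auto-forward block rule from
# the steps above, created with Exchange Online PowerShell.
# Assumes the ExchangeOnlineManagement module and an Exchange admin role.
# The rule name and rejection text are placeholders.
Connect-ExchangeOnline

$ruleName = "Block auto-forwarded email"   # placeholder name

# Condition 1: the sender is inside the organization
# Condition 2: the message type is Auto-forward
# Action:      reject the message and return an explanation to the sender
New-TransportRule -Name $ruleName `
    -FromScope InOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText "Automatic forwarding of email is not permitted by company policy." `
    -Mode Enforce

# Verify the rule exists with the expected conditions and action
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromScope, MessageTypeMatches, RejectMessageReasonText

# Defender check (beyond the page): inventory mailboxes that already have
# mailbox-level forwarding set, so existing forwards can be reviewed.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward
```

As written, the rule matches every auto-forwarded message from an internal sender regardless of destination, which is what the admin center steps above produce; run the inventory query before enforcing so that legitimate forwards can be reviewed first.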
Manage advanced threat protection (ATP) safe attachments
Microsoft 365 ATP, or Advanced Threat Protection, helps protect your business against files that contain malicious content in Outlook, OneDrive, SharePoint, and Teams.
Follow these steps to set up or modify Microsoft 365 ATP safe attachments.
- Go to the admin center, and select Setup.
- Scroll down to Increase protection from advanced threats. Select View > Manage > ATP safe attachments.
- Select your safe attachments rule, and then choose the Edit icon.
- Select settings, and then verify that Block is selected.
- Scroll down. Choose Enable redirect, and enter your email address or the address of the person you want to review the blocked attachments.
- Select applied to, and then select your domain name.
- Choose any additional domains you own (such as your onmicrosoft.com domain) that you would like the rule applied to. Select add > OK.
- Select Save.
Your ATP safe attachments rule has been updated.
Now that protection is in place, you won’t be able to open a malicious file from Outlook, OneDrive, SharePoint, or Teams. Affected files will have red shields next to them. If someone attempts to open a blocked file, they’ll receive a warning message.
After your policy has been in place for a while, visit the Reports page to see what has been scanned.
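The Safe Attachments settings from the steps above, applied with Exchange Online PowerShell, as an added example that is not from the original page. It assumes the ExchangeOnlineManagement module and an Exchange admin role, that the Safe Attachments rule carries the same name as its policy (they can differ), and the policy name, reviewer address and domains are placeholders.

```powershell
# Added example (not from the original page): Safe Attachments set to Block,
# with redirection of blocked attachments to a reviewer and the rule scoped to
# your domains. Assumes the ExchangeOnlineManagement module and an Exchange
# admin role; all values below are placeholders.
Connect-ExchangeOnline

$policyName = "<your safe attachments policy name>"          # placeholder
$reviewer   = "security-reviewer@contoso.com"                 # placeholder reviewer mailbox
$domains    = @("contoso.com", "contoso.onmicrosoft.com")     # placeholder domains

# Policy: block files detected as malware and redirect them to the reviewer
Set-SafeAttachmentPolicy -Identity $policyName `
    -Enable $true `
    -Action Block `
    -Redirect $true `
    -RedirectAddress $reviewer

# Rule: apply the policy to recipients in the listed domains
# (assumes the rule name matches the policy name)
Set-SafeAttachmentRule -Identity $policyName -RecipientDomainIs $domains

# Verify that Block is selected and the scope is what you expect
Get-SafeAttachmentPolicy -Identity $policyName |
    Format-List Name, Enable, Action, Redirect, RedirectAddress
Get-SafeAttachmentRule -Identity $policyName |
    Format-List Name, State, RecipientDomainIs, SafeAttachmentPolicy
```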
Manage advanced threat protection (ATP) safe links
Microsoft 365 ATP, or Advanced Threat Protection, helps protect your business against malicious sites when people click links in Office apps.
Follow these steps to set up or modify Microsoft 365 ATP Safe Links:
- Go to the admin center, and select Setup.
- Scroll down to Increase protection from advanced threats. Select View > Manage > ATP Safe Links.
- Under Policies that apply to the entire organization, choose the Default policy, and then select the Edit icon.
- Enter a URL that you want to block.
- Select Use safe links in Office apps, Office for iOS and Android; select Do not track when users click safe links; and select Do not let users click through safe links to original URL. These might already be selected if you set up the default policy. Select Save.
- Under Policies that apply to specific recipients, choose Recommended safe links rule, and then select the Edit icon.
- Select settings, scroll down, enter the URL that you do not want to be checked, and then select the Add icon.
- Select applied to, and then select your domain name. Select any additional domains that you want the rule applied to. Select add > OK > Save.
ATP Safe Links are now configured. Allow up to 30 minutes for your changes to take effect.
When a user receives an email with links, the links will be scanned. If the links are deemed safe, they’ll be clickable. However, if the link is on the blocked list, users will see a message that it’s been blocked.
Prevent data loss in Microsoft 365 Business Premium
Data loss prevention policies help identify and protect your business’s sensitive information, such as Social Security numbers or medical records.
- To get started, go to the admin center, and select Setup.
- Scroll down to Set up data loss prevention, and then select View > Manage.
- To edit a policy, select it, choose Edit policy, then select what to change. For example, select Locations to change what gets scanned.
- To enable scanning for content in Microsoft Teams, turn the toggle switch to the On position, and then select Save.
- To edit policy settings, select Edit.
- You’ll need separate rules for small and large amounts of detected sensitive content. Expand your low volume rule. Choose Edit rule.
- Review your settings and adjust them as needed. For example, you can choose to Customize the email text and Customize the policy tip text. Select Save.
- Repeat for the high volume rule. Select Save > Close.
- To create a new policy, select Create a policy.
- You can create a custom policy or start with a template. For example, to create a HIPAA policy, select the Medical and health template, and then select U.S. Health Insurance Act (HIPAA). Select Next.
- Enter a name and description for your policy. Select Next.
- Choose the locations to scan. Select Next.
- Choose the type of content you want protected. Select Next.
- Choose what you want to happen if sensitive information is detected. Select Next.
- Customize your access and override permissions. Select Next.
- Choose when you want the policy to take effect. Select Next.
- Review your settings, and select Create. After your policy takes effect, email that contains the described sensitive information will be blocked, and the sender who attempted to send that information will see a warning message.
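A DLP policy equivalent to the one the steps above build, with a low volume and a high volume rule, created with Security & Compliance PowerShell as an added example that is not from the original page. It assumes the ExchangeOnlineManagement module and a compliance admin role; the policy and rule names and the notification text are placeholders, and the split at ten Social Security numbers is an assumed threshold, not one the page states.

```powershell
# Added example (not from the original page): a DLP policy that scans Exchange,
# SharePoint, OneDrive and Teams for U.S. Social Security numbers, with separate
# low volume and high volume rules. Assumes the ExchangeOnlineManagement module
# and a compliance admin role. Names, text and the 1-9 / 10+ split are placeholders.
Connect-IPPSSession

$policy = "Protect U.S. SSNs (placeholder)"

# Scope: the locations the policy scans (Teams included, as in the steps above)
New-DlpCompliancePolicy -Name $policy `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode Enable

# Low volume rule: a few SSNs -> show a policy tip to the sender, do not block
New-DlpComplianceRule -Name "$policy - low volume" -Policy $policy `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1"; maxCount = "9" } `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This item appears to contain Social Security numbers. Check before sharing." `
    -BlockAccess $false

# High volume rule: many SSNs -> block the content and email the sender
New-DlpComplianceRule -Name "$policy - high volume" -Policy $policy `
    -ContentContainsSensitiveInformation @{ Name = "U.S. Social Security Number (SSN)"; minCount = "10" } `
    -NotifyUser Owner `
    -NotifyEmailCustomText "Blocked: this email contains a large number of Social Security numbers." `
    -BlockAccess $true

# Verify both rules are attached to the policy with the intended actions
Get-DlpComplianceRule -Policy $policy |
    Format-List Name, BlockAccess, NotifyUser, ContentContainsSensitiveInformation
```

Setting -Mode to TestWithNotifications instead of Enable lets you observe matches in the DLP reports before any email is actually blocked.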
Protect documents with sensitivity labels in Microsoft 365 Business Premium
Sensitivity labels allow you to classify and protect content that is sensitive to your business.
Follow these steps to create a sensitivity label and make it available to your users:
- In the admin center, select the Compliance admin center.
- Select Classification > Sensitivity labels.
- Select Create a label, and when the warning appears, select Yes.
- Enter a Label name, Tooltip, and Description. Select Next.
- Turn on Encryption. Choose when you want to assign permissions, whether you want your users’ access to the content to expire, and whether you want to allow offline access.
- Select Assign permissions > Add these email addresses or domains.
- Enter an email address or domain name (such as Contoso.org). Select Add, and repeat for each email address or domain you want to add.
- Select Choose permissions from preset or custom.
- Use the drop-down list to select preset permissions, such as Reviewer or Viewer, or select Custom permissions. If you chose Custom, select the permissions from the list. Select Save > Save > Next.
- Turn on Content marking, and choose the markings you want to use.
- For each marking that you choose, select Customize text. Enter the text you want to appear on the document, and set the font and layout options. Select Save, and then repeat for any additional markings. Select Next.
- Optionally, turn on Endpoint data loss prevention. Select Next.
- Optionally, turn on Auto labeling. Add a condition. For example, under Detect content that contains, select Add a condition. Enter the condition; for example, add a condition that if passport, Social Security, or other sensitive information is detected, the label will be added. Select Next.
- Review your settings, and select Create. Your label has been created. Repeat this process for any additional labels you want.
- By default, labels appear in Office apps in this order: Confidential, Internal, and Public. To change the order, for each label, select More actions (the ellipsis), and then move the label up or down. Typically, labels are listed from the lowest to the highest level of permissions.
- To add a sub-label to a label, select More actions, then Add sub level.
- When finished, choose Publish labels > Choose labels to publish > Add. Select the labels you want to publish, and then select Add > Done > Next.
- By default, the new label policy is applied to everyone. If you want to limit who the policy is applied to, select Choose users or groups > Add. Select who you want the policy to apply to, and then select Add > Done > Next.
- If you want a default label for documents and email, select the label you want from the drop-down list. Review the remaining settings, adjust as needed, and then select Next.
- Enter a Name and Description for your policy. Select Next.
- Review your settings, then select Publish.
In order for your labels to work, each user needs to download the Azure Information Protection unified labeling client. Search the web for AzinfoProtection_UL.exe, then download it from the Microsoft Download Center, and run it on your users’ computers.
The next time you open an Office app like Word, you’ll see the sensitivity labels that were created. To change or apply a label, select Sensitivity, and choose a label.