Office 365 Security Resources

This is a list of Office 365 and Microsoft cloud security resources that I compiled during research for my Office 365 security course at Pluralsight.

I will be maintaining this list as new resources surface. If you have suggestions that you'd like to see included, you can let me know here.

To stay up to date, subscribe to the Practical 365 newsletter for free.

Email Protection

Office 365 provides customers with protection from email-borne threats with Exchange Online Protection (EOP) and Office 365 Advanced Threat Protection (ATP).

Tools

  • Exchange Remote Connectivity Analyzer (includes Message Header Analyzer)
  • MXToolbox (variety of tools for testing MX/SPF/DMARC records, analyzing headers, etc)
  • Office 365 delist portal (remove yourself from blocked senders list)
  • DMARC inspector and DMARC record generator

Exchange Online Protection

  • Exchange Online Protection service description (licensing and feature availability)
  • Anti-spam message headers
  • Spam confidence levels
  • Use mail flow rules to set the spam confidence level (SCL) in messages
  • Bulk Complaint Level values
  • End user quarantine portal
  • Submit spam, non-spam, and phishing scam messages to Microsoft for analysis
  • Hooking up additional spam filters in front of or behind Office 365 (blog post)
  • A short intro to how the Phishing Confidence Level (PCL) works (blog post)
  • View email security reports in the Security & Compliance Center
  • SwiftOnSecurity Exchange Mail Flow Rules examples
  • SwiftOnSecurity Phishing RegEx Examples

Office 365 Advanced Threat Protection (ATP)

  • Office 365 ATP service description (licensing and feature availability)
  • Spoof intelligence
  • Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams
  • Windows Defender Security Intelligence submission portal (submit suspicious files for analysis)
  • View reports for Office 365 Advanced Threat Protection
  • Safe Links URL decoder (Non-Microsoft website)

Email Spoofing and Impersonation

  • Anti-spoofing protection in Office 365
  • Explanation of why Microsoft enabled DKIM-signing by default (blog post)
  • Steps for implementing DKIM for your custom domains
  • Steps for implementing DMARC for your custom domains
  • Impact of strict domain authentication checks in EOP/ATP (blog post)

Phishing

  • Windows Defender Security Intelligence: Tech support scams and other scams
  • Whaling: how it works, and what your organization can do about it (NCSC guidance)

Ransomware

  • Ransomware FAQ
  • Ransomware 101: How to Protect and Mitigate Your Environment from Malware (video)
  • Does OneDrive for Business prevent ransomware attacks
  • Using OneDrive to recover from ransomware attack
  • Plan security settings for VBA macros in Office 2016

Endpoint Security and Management

Device security is one of the three pillars of modern IT security. You can protect your endpoints using Windows Defender, Windows Defender ATP, and Microsoft Intune.

Windows Defender

  • Troubleshooting Windows Defender or Endpoint Protection client
  • Endpoint Protection client frequently asked questions

Windows Defender Advanced Threat Protection (WD ATP)

  • Experience Windows Defender ATP through simulated attacks
  • Integrate Office 365 Threat Intelligence with Windows Defender Advanced Threat Protection
  • Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
  • Automated response for Windows Defender ATP
  • Windows Defender Security Intelligence submission portal (submit suspicious files for analysis)
  • Windows Defender Antivirus compatibility
  • Windows Defender ATP Preview features

Microsoft Intune

  • What's new in Microsoft Intune
  • Common ways to use Microsoft Intune
  • Frequently asked questions about MAM and app protection

User and Administrative Access

Identity protection is one of the three pillars of modern IT security. You can protect your Office 365 identities using Azure Active Directory, Azure MFA, Conditional Access, Identity Protection, and Privileged Identity Management.

Best Practices

  • Microsoft recommending non-expiring passwords to Office 365 customers
  • Securing privileged access for hybrid and cloud deployments in Azure AD, aka Best practices for security administrative access in Azure AD
  • Manage emergency-access administrative accounts in Azure AD
  • Reporting Office 365 admin role group members (PowerShell script)
  • Privileged Access Workstations

Azure Active Directory

  • What's new in Azure Active Directory?

Azure Multi-Factor Authentication

  • How to get Azure Multi-Factor Authentication (licensing information)
  • How to require two-step verification for a user or group – Note the tip about using Azure MFA or Conditional Access
  • Frequently asked questions about Azure Multi-Factor Authentication
  • What does Azure Multi-Factor Authentication mean for me? (MFA user guide)

Azure Active Directory Conditional Access

  • Best practices for conditional access
  • Azure Active Directory conditional access FAQs
  • How to Use Azure Active Directory Conditional Access to Enforce Multi-Factor Authentication for Unmanaged Devices (blog post)

Azure AD Identity Protection

  • Azure Active Directory risk events
  • How to use the Azure Active Directory Power BI Content Pack

Privileged Identity Management

  • Security Administrator Access with privileged identity management
  • Announcing preview of privileged access management in Office 365

Information Protection

Information protection is one of the three pillars of modern IT security. You can protect your corporate data using Office 365 DLP, Azure Information Protection, and Office 365 Message Encryption.

Office 365 Data Loss Prevention (DLP)

  • What the sensitive information types look for
  • Getting Comfortable with Data Loss Prevention Policies in Office 365 (blog post)

Azure Information Protection

  • Comparing Azure Information Protection and AD RMS
  • Understanding usage restrictions
  • Azure Information Protection client administrator guide
  • Azure Information Protection user guide
  • Frequently asked questions for Azure Information Protection

Office 365 Message Encryption

  • Service information for Office 365 Message Encryption
  • Office 365 Message Encryption FAQ
  • Office Message Encryption Configuration and Troubleshooting (PowerShell script)

Monitoring, Auditing, and Alerting

Monitoring and auditing are critical to maintaining awareness of activity in your organization.

Tools

  • Microsoft Secure Score (aka Office 365 Secure Score)
  • Attack Simulator (Office 365)

Azure Advanced Threat Protection (Azure ATP)

  • ATA Suspicious Activity Playbook
  • Azure ATP suspicious activity guide
  • Windows Event Forwarding
  • Azure ATP frequently asked questions
  • Troubleshooting Azure ATP known issues

Security Reports

  • View email security reports in the Security & Compliance Center
  • View reports for Office 365 Advanced Threat Protection

Auditing

  • Enable mailbox auditing in Office 365
  • How Office 365 collects and reports audit data (blog post)
  • Search the audit log in Office 365 S&CC

Blogs, Podcasts and Videos

These resources will help you to keep up with developments in the world of Office 365 security.

  • Official Blog of the Office 365 Security Team
  • Terry Zink: Security Talk (spam fighting)
  • Jessica Payne: Security Stuff
  • Enterprise Mobility + Security
  • Microsoft Mechanics: Enterprise Mobility + Security YouTube Playlist
  • Microsoft Mechanics: Microsoft 365 Security YouTube Playlist

Books and Training Courses

These training courses will help you expand your security knowledge for Office 365, Windows, and more.

  • Configuring and Managing Office 365 Security
  • Office 365 Administration Playbook
  • Microsoft MTA: Security Fundamentals
  • Enrolling, Securing, and Managing Devices with Microsoft Intune
  • Windows Virus and Malware Troubleshooting
  • Implementing and Managing Azure Multi-factor Authentication
  • Implementing Proactive Windows Security
  • Windows: How It's Hacked, How to Protect It
  • Play by Play: Social Engineering

Copyright © 2018 Quadrotech Solutions AG