Ramping Up Tenant Security

Recently, Microsoft has begun positioning itself as a security company, with a suite of products offering robust features. But while Office 365 and Azure come with built-in security features like Exchange Online Protection and Security Defaults, they often lack the sophisticated controls needed to properly secure a cloud environment against current threats. I would go so far as to say that a naked tenant that doesn’t effectively use and implement tenant security features – either from Microsoft or a third party – will be vulnerable to attack.

In the second article in this series, I propose five ways to secure your environment using controls that require a premium license such as Office E5 or Azure AD Premium. The five methods I describe aren’t listed in priority order; rather, I chose them based on my experience with customers, where I tapped into features that are either underutilized or not widely known.

Limiting Access with Conditional Access

Conditional Access (CA) is included with the Azure AD Premium Plan 1, and it allows tenants to govern access to their environment by applying controls to connection attempts. By default, every user can access a tenant from any device, in any location, without meeting any other requirements.

When you deploy Conditional Access control policies to verify user identity and protect your company’s data, you’re ensuring that all connections satisfy basic security parameters. Conditional Access also allows organizations to create multiple rules to enforce certain controls or restrictions on a user’s sign-in. It can be difficult to know where to start when creating CA policies, but if you create a solid design and document your policies things are more manageable.

One of Conditional Access’ most powerful features is the integration with Microsoft Endpoint Manager, allowing policy evaluation to take the compliance state of a device into account before deciding to allow or deny a connection. This means an Intune compliance policy can check whether a specific setting is configured on a device and, if it isn’t, mark the device as being in a ‘non-compliant state’.

Some compliance settings include Windows versions, Bitlocker encryption, and the Microsoft Defender for Endpoint threat level. Conditional Access can use the compliance state of a device to decide if a user should receive access to data, which then ensures that access to company data is only on managed, secured work devices.
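As an added example that is not part of the original article, the following Microsoft Graph PowerShell script creates the kind of policy described above: every user, every cloud app, access granted only from a compliant or hybrid-joined device. It is created in report-only mode so the sign-in logs show who would have been blocked before anything is enforced, and it excludes a break-glass group whose object id is a placeholder you must substitute. It assumes the Microsoft.Graph PowerShell SDK is installed.

```powershell
# Added example (not from the article): Conditional Access policy that requires a
# compliant or hybrid Azure AD joined device for all cloud apps, report-only first.
# Assumes the Microsoft.Graph PowerShell SDK; the group id below is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "<object-id-of-break-glass-group>"   # placeholder, replace before use

$policy = @{
    displayName = "CA - Require compliant device for all cloud apps (report-only)"
    state       = "enabledForReportingButNotEnforced"       # change to "enabled" after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)           # emergency accounts must never be locked out
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"                               # either device control satisfies the policy
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# Review step: list every policy still in report-only mode so none is forgotten
# once the impact has been assessed.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object State -eq "enabledForReportingButNotEnforced" |
    Select-Object DisplayName, Id
```

Keeping the state at report-only for a couple of weeks is the safe way to find unmanaged devices that people rely on; the break-glass exclusion is what lets you recover if the policy itself misbehaves once it is switched to enabled.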

Controlling Passwords with Password Protection and Self-Service Password Reset

While Azure AD Password Protection and Self-Service Password Reset (SSPR) are free for cloud-only environments, many organizations run in a hybrid configuration where the on-premises Active Directory manages user accounts and synchronizes their details to Azure AD. Using Password Protection and SSPR in a hybrid environment requires an Azure AD Premium Plan 1 license.

But are Password Protection and Self-Service Password Reset useful features when it comes to tenant security? Password Protection allows you to enforce stricter rules when users create passwords. Password Protection provides a global banned password list, and it also allows you to define a custom list of words you don’t want users including in passwords. Banned words might include company names, locations, or product names, which removes the possibility that attackers will guess passwords built from these words in brute-force attacks. Enabling Password Protection in a hybrid environment requires the configuration of agents, while configuration for a cloud environment is done through the portal.

Although enhanced password security is great, password resets and changes are often among the most frequent requests handled by an organization’s help desk. When a user is locked out of their account or forgets their password, they must call the help desk to have the password reset. In that type of situation, it can be challenging for a help desk operator to validate the identity of an end-user, but Self-Service Password Reset (SSPR) solves that problem.

By utilizing SSPR, the end-user can reset their own passwords. At first login, the end-user must configure the authentication methods (email message, text message or Authenticator app) they wish to use. When a password reset is necessary, the user proves their identity with one or two authentication methods and after proving their identity, they can choose a new password.

When setting up SSPR, it’s important to think about the permitted authentication methods and how many authentication methods are necessary. Requiring two authentication methods is recommended, as this demands additional verification from an end-user. You might want to block certain authentication methods (such as email) as they are less secure than others.
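The following script is an added example, not part of the original article, that covers both halves of this section. Part 1 writes a custom banned password list into the tenant’s Password Protection settings, leaving the on-premises check in Audit mode so a hybrid deployment can review the agent’s event log before enforcing; Part 2 reports SSPR-enabled users who have not registered any method, and those whose only registered method is email. It assumes the Microsoft.Graph and Microsoft.Graph.Beta PowerShell modules, that the directory setting template is found by its display name “Password Rule Settings”, and that the banned words are constructed sample values.

```powershell
# Added example (not from the article). Assumes Microsoft.Graph + Microsoft.Graph.Beta;
# the banned words are constructed sample values.
Connect-MgGraph -Scopes "Directory.ReadWrite.All", "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# --- Part 1: custom banned password list (Password Protection) -------------
$bannedWords = @("Contoso", "Contoso123", "Brussels", "WidgetPro")   # constructed sample list

# Assumption: Password Protection lives in the "Password Rule Settings" directory
# setting template; the list is stored as one tab-separated string.
$template = Get-MgBetaDirectorySettingTemplate |
    Where-Object DisplayName -eq "Password Rule Settings"

$values = @(
    @{ name = "EnableBannedPasswordCheck";           value = "True" }
    @{ name = "BannedPasswordList";                  value = ($bannedWords -join "`t") }
    @{ name = "EnableBannedPasswordCheckOnPremises"; value = "True" }
    @{ name = "BannedPasswordCheckOnPremisesMode";   value = "Audit" }   # switch to "Enforce" after reviewing audit events
)

$existing = Get-MgBetaDirectorySetting | Where-Object TemplateId -eq $template.Id
if ($existing) {
    Update-MgBetaDirectorySetting -DirectorySettingId $existing.Id -BodyParameter @{ values = $values }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $template.Id; values = $values }
}

# --- Part 2: SSPR registration coverage ------------------------------------
$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users who are allowed to use SSPR but have registered nothing yet: they will
# still end up calling the help desk.
$notRegistered = $report | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprRegistered }
"{0} of {1} SSPR-enabled users have not registered any method" -f @($notRegistered).Count, @($report).Count
$notRegistered | Select-Object UserPrincipalName | Format-Table

# Users whose only registered method is email, the method the article suggests
# blocking: they need a second, stronger method before email is disabled.
$emailOnly = $report | Where-Object {
    $_.IsSsprRegistered -and @($_.MethodsRegistered).Count -eq 1 -and $_.MethodsRegistered -contains "email"
}
"{0} users rely on email as their only SSPR method" -f @($emailOnly).Count
$emailOnly | Select-Object UserPrincipalName, MethodsRegistered | Format-Table
```

Running Part 2 before you tighten the SSPR method policy tells you how many users will be locked out of self-service by the change, which is exactly the productivity trade-off the section describes.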

Identifying Vulnerabilities in Your Environment

One underestimated feature of Microsoft Defender for Endpoint is ‘Threat & Vulnerability Management,’ or TVM for short. This feature enables administrators to identify potential tenant security issues and then provides recommendations for how to fix them. TVM provides information about vulnerabilities which require software updates (such as an update to Chrome), as well as certain operating system level settings that need to be configured (like disabling SMBv1).

Threat & Vulnerability Management supports the discovery of a wide range of operating systems, from Windows to Android and iOS devices. It even supports scanning devices which are not onboarded into Microsoft Defender for Endpoint with a feature called Device Discovery. This allows an onboarded machine to actively probe other devices on the network and check them for potential vulnerabilities.

Additionally, TVM updates continuously and through scanning it identifies software weaknesses within the organization. Because of these robust scanning capabilities, TVM can identify devices hidden away in the network. Almost every organization I work with is surprised to hear about the number of open vulnerabilities and the variety of software/devices within their infrastructure.

Microsoft introduced the capability of scanning network devices (switches, routers, and access points) in 2021, and while the current implementation is limited (it supports a handful of devices and can only identify out-of-date devices), it is a useful feature for providing tangible information around infrastructure.

* It’s important to note that Threat & Vulnerability Management is not available separately; it’s included with the Microsoft Defender for Endpoint bundle, P2 and Business SKUs.
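As an added example that is not part of the original article, this script pulls the three TVM views discussed above out of Defender advanced hunting through Microsoft Graph: outstanding critical and high software vulnerabilities (the “update Chrome” case), devices that still fail the SMBv1 configuration check, and devices seen by Device Discovery that are not onboarded. It assumes the Microsoft.Graph.Security PowerShell module and that Device Discovery is enabled; the table and column names are the documented advanced hunting schema, and the helper function is mine.

```powershell
# Added example (not from the article). Assumes Microsoft.Graph.Security and a
# Defender for Endpoint P2 tenant with Device Discovery enabled.
Connect-MgGraph -Scopes "ThreatHunting.Read.All"

function Invoke-Hunt([string]$Query) {
    # Helper (assumption, not a Defender cmdlet): runs one KQL query and returns
    # each result row as a property bag.
    (Start-MgSecurityHuntingQuery -Query $Query).Results |
        ForEach-Object { $_.AdditionalProperties }
}

# 1. Critical/high CVEs in installed software, grouped so you can see how many
#    devices a single update would fix.
$vulns = Invoke-Hunt @"
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| summarize Devices = dcount(DeviceId) by SoftwareVendor, SoftwareName, CveId, RecommendedSecurityUpdate
| order by Devices desc
| take 25
"@

# 2. Devices that still fail the SMBv1 hardening check.
$smb = Invoke-Hunt @"
DeviceTvmSecureConfigurationAssessmentKB
| where ConfigurationName has "SMBv1"
| join kind=inner DeviceTvmSecureConfigurationAssessment on ConfigurationId
| where IsCompliant == false
| distinct DeviceName, ConfigurationName
"@

# 3. Devices that Device Discovery has seen but that are not onboarded, with
#    the most recent record per device.
$unmanaged = Invoke-Hunt @"
DeviceInfo
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceName, DeviceType, OSPlatform, OnboardingStatus, Timestamp
"@

"--- Top critical/high vulnerabilities ---"; $vulns     | Format-Table
"--- Devices with SMBv1 still enabled ---";  $smb       | Format-Table
"--- Discovered but not onboarded ---";      $unmanaged | Format-Table
```

The third query is usually the one that produces the surprise the section mentions: printers, appliances and forgotten test machines show up as “Can be onboarded” or “Unsupported”, and each of those is something the vulnerability scanner cannot otherwise assess.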

Securing Administrator Access with PIM

In my first article, I discussed the assignment of least privileged roles to administrators. Most administrators only need an elevated role (like a Global Administrator) to perform a specific task, but they don’t require it daily.

That’s where Privileged Identity Management (PIM) comes in. PIM is an Azure AD Premium Plan 2 feature that allows you to assign roles as ‘eligible’ instead of active. An active assignment is a regular assignment where permissions are granted to an administrator. When an eligible assignment is made, Azure AD makes the permissions available to the administrator, and if the administrator requires the role to perform a task, they can activate it. That activation can be controlled by requiring certain conditions to be met before the activation succeeds. These conditions range from requiring MFA, to providing a ticket number, to receiving specific approval; the possibilities are endless.

The main advantages of PIM are twofold:

  • Assignment of multiple roles to a single admin. The admin can choose when they activate a specific role, depending on their tasks for that day.
  • Permissions aren’t granted by default but are restricted through the conditions. This allows you to add additional monitoring or requirements before a role is active.

When implementing PIM in an organization, it’s important to find a balance between tenant security and end-user productivity. Assigning a Global Reader role that requires explicit approval and is only active for one hour doesn’t make sense. When setting up your PIM configuration, create strict requirements for your highly privileged roles, while allowing an administrator to activate less heavily permissioned roles needed to do their work.

Unfortunately, one of PIM’s tragic flaws is that the organization might think separate administrator accounts are not necessary, because user accounts don’t have administrator roles assigned by default. However, I still strongly recommend that all organizations split administrator and user accounts.
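The script below is an added example and not the author’s own configuration. It makes a dedicated admin account eligible (not active) for Global Administrator, then tightens that role’s activation rules to what the section recommends for highly privileged roles: MFA, a justification, a ticket number, and a one-hour maximum activation. Lighter roles such as Global Reader are deliberately left at their defaults. It assumes the Microsoft.Graph PowerShell SDK; the admin UPN is a placeholder, and the rule ids used are the standard PIM policy rule names for end-user activation.

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph PowerShell SDK;
# the admin UPN is a placeholder for a separate administrator account.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "RoleManagementPolicy.ReadWrite.Directory", "User.Read.All"

$adminUpn = "adm-placeholder@contoso.example"      # placeholder: the dedicated admin account, not the daily user account
$admin    = Get-MgUser -UserId $adminUpn
$gaRole   = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

# 1. Eligible assignment at tenant scope ("/"), reviewed yearly via the expiry.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = "adminAssign"
    justification    = "Eligible for tenant administration; activation is gated by PIM rules"
    roleDefinitionId = $gaRole.Id
    directoryScopeId = "/"
    principalId      = $admin.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "P365D" }
    }
}

# 2. Locate the role management policy that governs Global Administrator at "/".
$assignment = Get-MgPolicyRoleManagementPolicyAssignment -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole' and roleDefinitionId eq '$($gaRole.Id)'"
$policyId   = $assignment.PolicyId

# 3. Activation requires MFA, a justification and a ticket number ...
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Enablement_EndUser_Assignment" -BodyParameter @{
        "@odata.type" = "#microsoft.graph.unifiedRoleManagementPolicyEnablementRule"
        id            = "Enablement_EndUser_Assignment"
        enabledRules  = @("MultiFactorAuthentication", "Justification", "Ticketing")
    }

# ... and an activation expires after at most one hour.
Update-MgPolicyRoleManagementPolicyRule -UnifiedRoleManagementPolicyId $policyId `
    -UnifiedRoleManagementPolicyRuleId "Expiration_EndUser_Assignment" -BodyParameter @{
        "@odata.type"        = "#microsoft.graph.unifiedRoleManagementPolicyExpirationRule"
        id                   = "Expiration_EndUser_Assignment"
        isExpirationRequired = $true
        maximumDuration      = "PT1H"
    }

# 4. Review: who is eligible for which role right now?
Get-MgRoleManagementDirectoryRoleEligibilitySchedule -ExpandProperty principal,roleDefinition |
    Select-Object @{ n = "Role";      e = { $_.RoleDefinition.DisplayName } },
                  @{ n = "Principal"; e = { $_.Principal.AdditionalProperties.userPrincipalName } },
                  Status
```

The review query at the end is worth scheduling: an eligible assignment is still a path to Global Administrator, so the list of eligible principals deserves the same scrutiny as the list of active ones.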

Protecting Users from Malicious URLs with Safe Links

Phishing attacks are omnipresent, and the number of attacks is constantly increasing. Microsoft Defender for Office 365 Plan 1 includes a feature called ‘Safe Links,’ which is intended to protect users from malicious URLs. Safe Links works in email, Teams chats, and Office apps.

When the feature is enabled, Defender scans URLs in incoming emails and rewrites the URLs to a Microsoft address. When a user clicks on a URL, it opens the Microsoft website and checks the validity of the URL. If a malicious link is detected, Defender blocks access to that URL. The same happens when users click URLs in Teams and Office apps. The click is intercepted and redirected to a Microsoft website for validation.

My experience from running a Security Operations Center is that Defender does not block some blatant phishing mails. Luckily, the option exists to manually block certain URLs, which can be a great tool when used in combination with URL click tracking. If you enable URL click tracking, Defender for Office 365 will note the clicked URL. If that URL is deemed malicious (by Microsoft or manually by an administrator), an alert is created for your security team to follow up.
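As an added example that is not from the article, the Exchange Online PowerShell below configures a Safe Links policy that covers email, Teams and Office apps with click tracking on and click-through disabled, scopes it to the tenant’s domain, and then adds a manual URL block of the kind described above for a phishing domain Defender let through. It assumes the ExchangeOnlineManagement module; the domain names and ticket reference are constructed placeholders.

```powershell
# Added example (not from the article). Assumes the ExchangeOnlineManagement module;
# domains and ticket reference are constructed placeholders.
Connect-ExchangeOnline

$policyName = "SafeLinks - All users"

# Splatting keeps each setting commented without breaking line continuation.
$policyParams = @{
    Name                     = $policyName
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true     # Teams chats and channels
    EnableSafeLinksForOffice = $true     # Word, Excel, PowerPoint, OneNote
    ScanUrls                 = $true     # re-check the URL at click time, not only at delivery
    DeliverMessageAfterScan  = $true
    EnableForInternalSenders = $true     # a compromised colleague's mailbox is a common source
    TrackClicks              = $true     # required for click-based alerts to the SOC
    AllowClickThrough        = $false    # users cannot bypass the block page
    DisableUrlRewrite        = $false    # keep rewriting links to the Microsoft address
}
New-SafeLinksPolicy @policyParams

# Apply the policy to all recipients in the tenant's domain.
New-SafeLinksRule -Name "$policyName rule" -SafeLinksPolicy $policyName `
    -RecipientDomainIs "contoso.example" -Priority 0

# Manual block in the Tenant Allow/Block List for a URL the SOC judged malicious
# but Defender did not catch; with TrackClicks on, later clicks raise an alert.
New-TenantAllowBlockListItems -ListType Url -Block `
    -Entries "phish-login.example.net" -NoExpiration `
    -Notes "Credential phishing reported by user; ticket INC-PLACEHOLDER"

# Verify what is now in place.
Get-SafeLinksPolicy -Identity $policyName |
    Select-Object Name, EnableSafeLinksForTeams, EnableSafeLinksForOffice, TrackClicks, AllowClickThrough
Get-TenantAllowBlockListItems -ListType Url -Block |
    Select-Object Value, Notes, ExpirationDate
```

`AllowClickThrough` is the setting to double-check in existing tenants: with it enabled, the block page becomes a warning that users can dismiss, and the manual URL block loses most of its value.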

Summary

Over the years, the Microsoft security stack has become very feature rich and offers many ways to customize the configuration. There are third-party products available with the same (if not better) capabilities, but by nature they lack the integration available within the Microsoft stack.

Tenant security is an important topic, and there’s no question that security should be a major aspect of every product implementation. While I may have limited this article to just five ways to harden your tenant security with Microsoft products, I could easily write a blog listing fifty or more hardening tasks that every IT administrator should perform. Many methods exist for securing tenants, so it’s important to research the different methods available before deciding which route to take for your organization.

About the Author

Thijs Lecomte

Thijs is a security consultant out of Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.

Comments

  1. Soft4Home

    Hi Thijs

    I just read this knowledgeable post on the security of an Office 365 tenant. I got a lot of new information about the security of Office 365. Thanks for sharing this information with us.