The Admins guide to securing your Office 365 data

Office365, SharePoint, Security


During my time at Microsoft and SkyNorth, one of the hottest cloud migration topics we have with clients, is around access and data security

While most companies believe their on-premises data is secure, we’ve found it is usually at higher risk then data stored in a correctly configured Office 365 tenant.  If you can properly answer the four primary concerns of the public cloud, O365 solutions will increase your security and flexibility.

  1. How do we limit and control access?
  2. How to ensure it’s the correct person?
  3. How do we secure our data?
  4. How do we secure our devices?

Out of the box, O365 cloud identities are accessible everywhere via internet, and secured with only username and password.   This appears sketchy at best, until you start looking at all the built-in features that O365 & Azure Active Directory offer.  When developing your O365 access policies you need to put together a plan that focuses on the 3 core areas.

  1. The Who and Where
  2. The What
  3. The How

Please keep in mind, some of these technologies cross boundaries and can be used in conjunction with other features to maximize your cloud security strategy.   If you haven't seen the Microsoft Identity and Device Access article. it is a must read (after you finish reading my blog post).

The Who and Where

Do you know who is accessing your cloud services, and where they are logging in from?

  • Option 1 - ADFS Server
    • Pros
      • Many people already have this infrastructure in place from past SSO requirements
      • Uses Microsoft technologies
    • Cons
      • Requires a lot of extra infrastructure and setup (ADFS, Proxy, x2 for HA)
      • Limited Options
      • This has became the 'outdated' way of providing a secured Single Sign-On solution
    • Extras
  • Option 2 - Conditional Access
    • Pros
      • Extremely configurable and stackable rules
      • Tied to your cloud login
      • Available to all Azure Applications and internal apps that are published via Azure Application Proxy
    • Cons
    • Extras
      • Limit logins based on the following policies
      • Allows you to limited login based on the following
        • Select Users
        • Trusted IP Range
        • Trusted Applications
        • Browser or Client Application
        • Device Platforms
        • Device Compliance (Requires Intune)
        • Login Risk (Requires Azure Active Directory Premium Plan 2)
        • Allows SharePointusers to only have READ access via Browser session, and others WRITE/EDIT via controlled Application

How do we ensure it’s the correct person?

The What?

What data are people accessing and how do we secure it?

  • Option 1 - SharePoint Site Permissions
    • Pros
      • Highly customizable at different SharePoint levels (Site/Web/Library/Item)
      • Have remained the same with all versions of SharePoint
    • Cons
      • Can get complicated with breaking inheritance
      • Auditing/Ensuring users are correctly setting permissions
    • Extras
  • Option 2 - External Sharing Settings
  • Option 3 - Tenant Restrictions
  • Option 4 - Azure Rights Management / Azure Information Protection
    • Pros
      • Increased data security
      • Available to many data formats
      • Set up on the SPO library or global rules via Azure
      • Labeling Support for O365 Data Classification
    • Cons
      • Multiple setup/config areas that do not span a broad spectrum of services
      • Typically requires an internet connection to pass ACL validation
    • Extras
  • Option 5 - Data Loss Prevention
    • Pros
      • Easy to configure rules
      • Used for SharePoint/OneDrive/Exchange
    • Cons
      • Other similar methods make it confusing to determine the best use
        • AIP / Transport Rules / Classification & Labels
    • Extras
        • Create a DLP query to identify what sensitive information now exists in your site collections.
        • Create a DLP policy to monitor and automatically protect sensitive information in your site collections.

The How?

How are people accessing cloud services, and how do we secure it?

  • Option 1 - Azure AD Device Registration / Workplace Join
    • Pros
      • Identifies what users and devices are using cloud services
      • Configure MFA for first-time registration
      • Allows easy SSO access to all of your apps
    • Cons
      • There isn't much security you can place around the device without extras
      • MFA Conditional Access rules are met with registered devices so you will not receive a call/text
    • Extras
  • Option 2 - Azure AD Joined Device
    • Pros
      • Same as Option 1
      • Azure AD Bitlocker Recovery
      • PIN Sign-In
      • Enterprise State Roaming Features
      • Automatic MDM Enrollment (With AAD Premium P1)
    • Cons
      • On-premises domain access would typically require VPN client
      • There isn't much security you can place around the device without extras
  • Option 3 - O365 Mobile Device Management (MDM)
  • Option 4 - Microsoft Intune
    • Pros
      • Highly configurable
      • Tied with your cloud identity and your device
      • Can manage Windows/iOS/Android Devices (limited MAC OSx Support)
    • Cons
    • Extras
      • What is Intune?
      • Contains Mobile Application Management policies (MAM)
        • Prevent Cut/Copy/Paste
        • Prevent SaveAs
        • Require a PIN for specific Mobile Apps
        • *With or without device enrollment*
      • Selective or Full Wipes of the device
      • Manages device compliance settings
        • Encryption/Password Rules/Etc.
      • Manages device configuration settings
        • Blocks to cameras, screen shots, USB ports, and tons more
      • Conditional Access via Compliance Policy and Device Registration
        • Allow only ‘domain joined’ devices to access cloud data


I hope I've made an extremely complex topic a little easier for everyone to understand.   Like I mentioned above, there isn't a single solution that you should decide on for all business & security scenarios.  You may need to mix-and-match and you may also need to use features I didn't even mention here.   If you find yourself in a confusing situation and need help finding the best approach please feel free to reach out to SkyNorth!


Need Help?

Be sure to contact SkyNorth Software today for an O365 Data Security Assessment or any of your data security needs! 

What is our Data Security Assessment?

It’s a comprehensive technology and process review for how you handle data security within your organization. 

How much does it cost?

It’s FREE!    Out introductory package is completely free and includes a 1-hour finding call with self-help documentation.  If you’d like to have a more comprehensive review or added support, you can look at our PREMIUM or PREMIUM – WITH SUPPORT options on our website.


comments powered by Disqus
Company Info

SkyNorth Software LLC
5357 Penn Ave South
Minneapolis, MN 55419

Follow Us

Get the latest news and updates.

© SkyNorth Software LLC