About this Video

• Video Title: Lock Down Your Microsoft 365: Your Essential Security Policies
• Channel: Jonathan Edwards
• Speakers: Jonathan Edwards
• Duration: 00:22:09

Introduction

This video provides a tutorial on essential Microsoft 365 security settings. The speaker, Jonathan Edwards, guides viewers through 13 basic security policies to enhance their Microsoft 365 tenant's security. He emphasizes the importance of proactive security measures beyond basic email, file, and folder usage.

Key Takeaways

1. Disable Security Defaults: Turn off Microsoft's default security settings to enable fine-tuning of individual security policies.
2. Conditional Access Policies: Implement MFA (multi-factor authentication) for all users accessing Microsoft 365.
3. Restrict Access by Location: Block access from all countries except those where your team operates, with options for exceptions (e.g., traveling employees).
4. Block Unapproved Device Types: Restrict access to specific device types (e.g., block Linux, Android, etc.).
5. Disable Persistent Browser Sessions: Prevent users from remaining logged into Microsoft 365 on the web after closing browser windows, enhancing security, especially for personal devices.
6. App Protection Policies: Use conditional access to enforce the use of app protection policies for work apps on personal smartphones.
7. Block Legacy Authentication: Create a policy to explicitly block legacy authentication methods.
8. Require MFA for Entra Join: Enforce MFA for users adding devices to Microsoft Entra ID.
9. Disable SMS MFA: Disable less secure SMS-based MFA in favor of more secure methods like Microsoft Authenticator or security keys.
10. Enable App Consent Workflow: Require admin approval for app installations, preventing unauthorized access.
11. Restrict Non-Admin Tenant Creation: Prevent non-admin users from creating Microsoft tenants.
12. Restrict Access to Microsoft Entra Admin Center: Limit access to the admin center to only administrators.
13. Default SharePoint Sharing Settings: Configure SharePoint to require guest users to sign in or provide a verification code when sharing files and set default sharing permissions to "view" instead of "edit".

To restrict access by location, the video instructs you to create a conditional access policy. Within this policy, you'll utilize "named locations." You add the countries where your team operates to this named location (the video uses "approved countries" as an example). Then, create another conditional access policy that targets all users, all cloud apps, and specifies location as a condition. In this second policy, you include all locations but exclude the "approved countries" named location. Finally, set the access control to "block access." This setup allows access only from the specified countries while providing a mechanism for exceptions (e.g., for traveling employees whose devices are deemed compliant). The video suggests using filters to allow compliant devices even when outside the approved countries.