Office 365 Security Policies
The Security Policies view provides a list of all security policies within the Cloudneeti application. The following are the security policies within the Cloudneeti application for the different cloud account types; please refer to the Release Notes for the latest updates.
Office 365 Security Policies
Category Name | Policy Name |
---|---|
M365 - Apps | Discover risky and non-compliant Shadow IT applications used in your organization |
M365 - Apps | Enable Microsoft 365 Cloud App Security |
M365 - Apps | Set custom activity policy for your organization to discover suspicious usage patterns in cloud apps |
M365 - Apps | Review permissions & block risky OAuth applications connected to your corporate environment |
M365 - Apps | Detect Insider Threat, Compromised account, and Brute force attempts in cloud applications |
M365 - Apps | Identify Shadow IT application usage in your organization by automating log upload from firewalls |
M365 - Apps | Set automated notifications for new and trending cloud applications in your organization |
M365 - Apps | Set automated notification for new OAuth applications connected to your corporate environment |
M365 - Apps | Ensure that AD Application keys are rotated before they expire |
M365 - Data | Ensure DLP policies are enabled |
M365 - Data | Enable audit data recording |
M365 - Data | Store user documents in OneDrive for Business |
M365 - Data | Review audit data for illicit activity detection and security breach |
M365 - Data | Ensure mail transport rules do not forward email to external domains |
M365 - Data | Ensure mailbox access by non-owners report is reviewed bi-weekly |
M365 - Data | Ensure malware detections report is reviewed weekly |
M365 - Data | IRM protections applied to documents |
M365 - Data | Ensure expiration time for external sharing links is set |
M365 - Data | Enable versioning on all SharePoint online document libraries |
M365 - Data | Review list of external users you have invited to documents monthly |
M365 - Data | Do not allow mailbox delegation |
M365 - Data | Allow anonymous guest sharing links for sites and docs |
M365 - Data | Ensure Advanced Threat Protection safe attach policy is Enabled |
M365 - Data | Ensure Advanced Threat Protection safe links policy is Enabled |
M365 - Data | Ensure the customer lockbox feature is enabled |
M365 - Data | Remove TLS 1.0/1.1 and 3DES Dependencies |
M365 - Device | Ensure that mobile devices require complex passwords with at least two character sets to prevent brute force attacks |
M365 - Device | Ensure that mobile device encryption is enabled to prevent unauthorized access to mobile data |
M365 - Device | Require mobile devices to manage email profile |
M365 - Device | Ensure that mobile devices require a complex password with a minimum password length to prevent brute force attacks |
M365 - Device | Ensure that mobile devices are set to never expire passwords |
M365 - Device | Require mobile devices to use a password |
M365 - Device | Ensure that users cannot connect from devices that are jailbroken or rooted |
M365 - Device | Ensure that mobile devices require complex passwords to prevent brute force attacks |
M365 - Device | Enable mobile devices to wipe on multiple sign-in failures to prevent brute force compromise |
M365 - Device | Ensure that settings are enabled to lock multiple devices after a period of inactivity to prevent unauthorized access |
M365 - Device | Enable mobile device management services |
M365 - Device | Require mobile devices to block access and report policy violations |
M365 - Device | Ensure that mobile device password reuse is prohibited |
M365 - Device | Enable Microsoft Intune Mobile Device Management |
M365 - Device | Create a Microsoft Intune Compliance Policy for Android |
M365 - Device | Create a Microsoft Intune Compliance Policy for iOS |
M365 - Device | Create a Microsoft Intune Compliance Policy for Windows |
M365 - Device | Create a Microsoft Intune Compliance Policy for Android for Work |
M365 - Device | Create a Microsoft Intune App Protection Policy for iOS |
M365 - Device | Create a Microsoft Intune Compliance Policy for macOS |
M365 - Device | Create a Microsoft Intune Windows Information Protection Policy |
M365 - Device | Create a Microsoft Intune App Protection Policy for Android |
M365 - Device | Create a Microsoft Intune Configuration Profile for Android |
M365 - Device | Create a Microsoft Intune Configuration Profile for iOS |
M365 - Device | Create a Microsoft Intune Configuration Profile for Windows |
M365 - Device | Create a Microsoft Intune Configuration Profile for Android for Work |
M365 - Device | Mark devices with no Microsoft Intune Compliance Policy assigned as Non Compliant |
M365 - Device | Create a Microsoft Intune Configuration Profile for macOS |
M365 - Device | Enable Windows Defender ATP integration into Microsoft Intune |
M365 - Device | Enable Enhanced Jailbreak Detection in Microsoft Intune |
M365 - Device | Ensure mobile device management policies are set to require advanced security configurations to protect from basic internet attacks |
M365 - Device | Ensure that devices connecting have local firewall enabled |
M365 - Device | Ensure that devices connecting have AV and a local firewall enabled |
M365 - Identity | User alternate contact info is completed for all users |
M365 - Identity | Ensure that between two and four global admins are designated |
M365 - Identity | Ensure third party integrated applications are not allowed |
M365 - Identity | Use non-global administrative roles |
M365 - Identity | Ensure that Office 365 Passwords Are Not Set to Expire |
M365 - Identity | Ensure multifactor authentication is enabled for all users in administrative roles |
M365 - Identity | Disable accounts not used in last 30 days |
M365 - Identity | Designate more than one global admin |
M365 - Identity | Enable user risk policy |
M365 - Identity | Enable sign-in risk policy |
M365 - Identity | Enable Conditional Access policies to block legacy authentication |
M365 - Identity | Ensure multifactor authentication is enabled for all users in all roles |
M365 - Identity | Ensure self-service password reset is enabled |
M365 - Identity | Turn on Password Hash Sync if hybrid |
M365 - Identity | Enforce the policy to set Password to 'always' expire in Azure Active Directory for all Organization Users |
M365 - Identity | Ensure that Service Principal Certificates are renewed before they expire |
M365 - Identity | Ensure that there are no guest users |
M365 - Identity | Ensure that 'Number of days before users are asked to re-confirm their authentication information' is not set to '0' |
M365 - Identity | Ensure that 'Number of methods required to reset' is set to '2' |
M365 - Identity | Ensure that 'Notify users on password resets?' is set to 'Yes' |
M365 - Identity | Ensure that 'Notify all admins when other admins reset their password?' is set to 'Yes' |
M365 - Identity | Ensure that 'Users can add gallery apps to their Access Panel' is set to 'No' |
M365 - Identity | Ensure that 'Users can consent to apps accessing company data on their behalf' is set to 'No' |
M365 - Identity | Ensure that 'Guest user permissions are limited' is set to 'Yes' |
M365 - Identity | Ensure that 'Users can register applications' is set to 'No' |
M365 - Identity | Ensure that 'Guests can invite' is set to 'No' |
M365 - Identity | Ensure that 'Members can invite' is set to 'No' |
M365 - Identity | Ensure that 'Self-service group management enabled' is set to 'No' |
M365 - Identity | Ensure that 'Restrict access to Azure AD administration portal' is set to 'Yes' |
M365 - Identity | Ensure that 'Users who can manage security groups' is set to 'None' |
M365 - Identity | Ensure that 'Users can create security groups' is set to 'No' |
M365 - Identity | Ensure that 'Users who can manage Office 365 groups' is set to 'None' |
M365 - Identity | Ensure that 'Users can create Office 365 groups' is set to 'No' |
M365 - Identity | Ensure that 'Require Multi-Factor Auth to join devices' is set to 'Yes' |
M365 - Identity | Ensure that 'Enable All Users group' is set to 'Yes' |
M365 - Identity | Ensure that password protection is enabled for Active Directory in hybrid environments |
M365 - Identity | Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly |
M365 - Identity | Use Just In Time privileged access to Office 365 roles |
M365 - Identity | Enable Identity Protection to identify anomalous logon behavior |
M365 - Account / Authentication | Ensure modern authentication for Skype for Business Online is enabled |
M365 - Account / Authentication | Ensure modern authentication for SharePoint applications is required |
M365 - Account / Authentication | Ensure modern authentication for Exchange Online is enabled |
M365 - Application Permissions | Ensure calendar details sharing with external users is disabled |
M365 - Application Permissions | Ensure Office 365 ATP for SharePoint, OneDrive, and Microsoft Teams is Enabled |
M365 - Application Permissions | Ensure O365 ATP SafeLinks for Office Applications is Enabled |
M365 - Data Management | Ensure that external users cannot share files, folders, and sites they do not own |
M365 - Data Management | Ensure external domains are not allowed in Skype or Teams |
M365 - Data Management | Ensure external file sharing in Teams is enabled for only approved cloud storage services |
M365 - Data Management | Use custom sensitive information type classification for information protection |
M365 - Data Management | Ensure DLP policies are enabled for Microsoft Teams |
M365 - Email Security / Exchange Online | Ensure that DKIM is enabled for all Exchange Online Domains |
M365 - Email Security / Exchange Online | Ensure DMARC Records for all Exchange Online domains are published |
M365 - Email Security / Exchange Online | Ensure that SPF records are published for all Exchange Domains |
M365 - Email Security / Exchange Online | Ensure Exchange Online Spam Policies are set correctly |
M365 - Email Security / Exchange Online | Ensure notifications for internal users sending malware is Enabled |
M365 - Email Security / Exchange Online | Ensure the Client Rules Forwarding Block is enabled |
M365 - Email Security / Exchange Online | Ensure mail transport rules do not whitelist specific domains |
M365 - Email Security / Exchange Online | Ensure that an anti-phishing policy has been created |
M365 - Email Security / Exchange Online | Ensure the Common Attachment Types Filter is enabled |
M365 - Email Security / Exchange Online | Ensure MailTips are enabled for end users |
M365 - Email Security / Exchange Online | Ensure basic authentication for Exchange Online is Disabled |
M365 - Auditing | Enable Microsoft 365 audit log search |
M365 - Auditing | Ensure the Account Provisioning Activity report is reviewed at least weekly |
M365 - Auditing | Ensure the spoofed domains report is reviewed weekly |
M365 - Auditing | Ensure user role group changes are reviewed at least weekly |
M365 - Auditing | Ensure mailbox auditing for all users is Enabled |
M365 - Auditing | Ensure the self-service password reset activity report is reviewed at least weekly |
M365 - Auditing | Ensure mail forwarding rules are reviewed at least weekly |
M365 - Auditing | Ensure non-global administrator role group assignments are reviewed at least weekly |
M365 - Auditing | Ensure the report of users who have had their email privileges restricted due to spamming is reviewed |
M365 - Auditing | Ensure Guest Users are reviewed at least biweekly |
M365 - Auditing | Ensure the Application Usage report is reviewed at least weekly |
M365 - Storage | Ensure document sharing is being controlled by domains with whitelist or blacklist |
M365 - Storage | Block OneDrive for Business sync from unmanaged devices |