CISA Best Practices for MS 365 Government Secure Login
As many governments around the world closed their offices and moved operations online around the beginning of 2020, the Cybersecurity and Infrastructure Security Agency (CISA) saw strong demand for Microsoft 365 (M365) from federal, state, and local government.
As a result, CISA issued a set of best practices designed to help organizations mitigate the risks and vulnerabilities associated with migrating their email services to Microsoft 365. The four findings below are the configuration weaknesses CISA called out.
Multi-factor authentication for administrator accounts not enabled by default: Azure Active Directory (AD) Global Administrators in an M365 environment have the highest level of administrator privileges at the tenant level. Multi-factor authentication (MFA) is not enabled by default for these accounts.
Mailbox auditing disabled: M365 mailbox auditing logs the actions that mailbox owners, delegates, and administrators perform. Microsoft did not enable auditing by default in M365 prior to January 2019, so customers who procured their M365 environment before 2019 had to enable mailbox auditing explicitly.
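The following is an added example, not part of the CISA guidance, of how an Exchange administrator can check both the tenant-wide and the per-mailbox auditing state and turn auditing on where it is off. It assumes the Exchange Online PowerShell module (Connect-ExchangeOnline) and an account with Exchange administrator rights; the 90-day retention value and the policy of auditing user and shared mailboxes are choices made for this example.

```powershell
# Added example: check and enable mailbox auditing in Exchange Online.
# Assumes the ExchangeOnlineManagement module is installed and the caller
# holds an Exchange administrator role.
Connect-ExchangeOnline

# 1. Tenant level. AuditDisabled = $true switches "audit by default" off for
#    every mailbox, whatever the per-mailbox AuditEnabled flag says.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled tenant-wide; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Mailbox level. List user and shared mailboxes whose own auditing flag is
#    off (typical for tenants created before the January 2019 default change).
$unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit

$unaudited | Format-Table -AutoSize

# 3. Remediate: enable auditing and keep at least 90 days of records
#    (90 days is this example's choice; pick the retention your policy needs).
$unaudited | ForEach-Object {
    Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true -AuditLogAgeLimit "90.00:00:00"
}

# 4. Verify that mailbox events are actually being recorded by pulling a
#    sample of Exchange item events from the unified audit log.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType ExchangeItem -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations
```

Step 4 is the check that matters for incident response: an AuditEnabled flag that is set but produces no records (for example because the tenant-level AuditDisabled override is still on) looks fine in a configuration review and leaves nothing to investigate later.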
Password sync enabled: Azure AD Connect integrates on-premises environments with Azure AD when agencies migrate to M365. If the password synchronization option is enabled, the password from on-premises overwrites the password in Azure AD. In this situation, if the on-premises AD identity is compromised, an attacker could move laterally to the cloud when the sync occurs.
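As an added example that is not part of the CISA guidance, the script below audits the Global Administrator role for both of the account-level risks described above: members with no per-user MFA requirement, and members whose identity is synchronized from on-premises AD (so that an on-premises compromise carries into the tenant-wide admin role). It assumes the MSOnline module and a caller able to run Connect-MsolService; MSOnline is being retired in favour of Microsoft Graph PowerShell, but its cmdlets are the ones used here. StrongAuthenticationRequirements shows per-user MFA only, so an account flagged here may still be covered by Conditional Access or Security Defaults; treat the output as a list to verify, not a verdict.

```powershell
# Added example: audit Global Administrators for missing per-user MFA and for
# on-premises synchronization. Assumes the MSOnline module is installed.
Connect-MsolService

# "Company Administrator" is the internal name of the Global Administrator role.
$role = Get-MsolRole -RoleName "Company Administrator"

$findings = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
    Where-Object { $_.RoleMemberType -eq "User" } |
    ForEach-Object {
        $user = Get-MsolUser -ObjectId $_.ObjectId
        [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            # An empty StrongAuthenticationRequirements collection means no
            # per-user MFA state (Enabled/Enforced) has been set.
            PerUserMFA        = ($user.StrongAuthenticationRequirements.Count -gt 0)
            # ImmutableId is populated only for accounts matched to an
            # on-premises AD object by Azure AD Connect.
            SyncedFromOnPrem  = -not [string]::IsNullOrEmpty($user.ImmutableId)
            LastDirSyncTime   = $user.LastDirSyncTime
        }
    }

$findings | Format-Table -AutoSize

# Accounts worth attention: no per-user MFA, or a tenant-wide administrator
# whose password is owned by on-premises AD. The usual mitigation for the
# second case is a dedicated cloud-only administrator account.
$findings | Where-Object { -not $_.PerUserMFA -or $_.SyncedFromOnPrem }
```

Run the audit before enabling synchronization as well as after: the finding on the page is about the moment the on-premises password overwrites the cloud one, and a synced Global Administrator is exactly the account where that overwrite does the most damage.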
Authentication unsupported by legacy protocols: Azure AD is the authentication method M365 uses to authenticate to Exchange Online, which provides email services. A number of protocols used with Exchange Online do not support modern authentication and therefore cannot enforce MFA; an account reachable over such a protocol can be signed into with only a password.
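The script below is an added example, not part of the CISA guidance, showing how an Exchange administrator can confirm modern authentication is on, inventory mailboxes that still expose basic-auth-only protocols, and block basic authentication tenant-wide with an authentication policy. It assumes the Exchange Online PowerShell module and Exchange administrator rights; the policy name "Block Basic Auth" is chosen for this example.

```powershell
# Added example: inventory and block legacy (basic) authentication in
# Exchange Online. Assumes the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

# 1. Modern authentication (OAuth 2.0) must be on at the tenant level;
#    otherwise clients fall back to basic auth even when MFA is configured.
if (-not (Get-OrganizationConfig).OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 2. Inventory mailboxes with POP or IMAP enabled. Both protocols are the
#    classic examples of legacy auth in Exchange Online.
$legacy = Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PrimarySmtpAddress, PopEnabled, ImapEnabled

$legacy | Format-Table -AutoSize

# 3. Block basic authentication for every protocol with an authentication
#    policy. New-AuthenticationPolicy blocks basic auth for all protocols
#    unless an -AllowBasicAuth* switch is given, so no switches means "block all".
$policyName = "Block Basic Auth"   # name chosen for this example
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Disable SMTP AUTH tenant-wide and switch POP/IMAP off on the mailboxes
#    found in step 2, so the protocols are not merely blocked but disabled.
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
$legacy | ForEach-Object {
    Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}
```

Before applying the policy, review the Azure AD sign-in logs for recent sign-ins whose client app is a legacy protocol; service accounts and scanners that still use POP, IMAP or SMTP AUTH will stop working and need a modern-auth alternative first. The default authentication policy takes effect within about 24 hours; to apply it to a user immediately, run Set-User -STSRefreshTokensValidFrom (Get-Date) for that account.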