How to Optimize Your Microsoft 365 Business Premium Security Features


Now that you’ve purchased Microsoft 365 Business Premium for your organization, let’s look at what comes with this bundled subscription. Microsoft 365 Business Premium combines a few other subscriptions: Microsoft 365 Business Standard, Enterprise Mobility + Security E3, Microsoft Defender for Office 365, and Windows 10/11 Pro.   

Note that Microsoft 365 Business Premium licenses per user. Some of the features and services are tenant-wide; however, any user taking advantage of the features or services must have the same license or equivalent of that feature or service.  

Microsoft 365 Business Standard provides your users with the core components of the Microsoft 365 service: 

  • Office 365 Platform 
  • Exchange Online 
  • SharePoint Online 
  • OneDrive for Business 
  • Microsoft Teams 
  • Office Applications (Windows/Mac/Web) 

There are also additional features available: 

  • Bookings 
  • Forms 
  • Planner 
  • To Do 
  • Lists 
  • Stream 
  • StaffHub 
  • Power Automate 
  • Yammer 

Enterprise Mobility + Security E3 provides your user with additional identity, security, and device management capabilities.

Azure AD Premium Plan 1 Features:

  • Conditional Access 
  • Cloud app discovery 
  • Dynamic groups

Device and Application Management:

  • Endpoint Manager (Intune) 
  • Mobile Device Management (MDM) for PCs, Macs, and mobile devices 
  • Mobile Application Management (MAM) for Microsoft 365 apps and Line of Business (LOB) apps 
  • Accessibility to Azure Virtual Desktop (previously Windows Virtual Desktop) 

Windows 10/11 Pro Management:

  • Devices licensed with Windows 7, 8.1, 10, or 11 Pro are eligible for an upgrade to Windows 10 or 11 Pro (Note: the additional Windows for Business components install when the device is Azure AD joined) 
  • Windows AutoPilot 
  • Organizational control of device configurations and settings 
  • Windows Updates 
  • Windows Security 

Microsoft Defender for Office 365, previously Office 365 Advanced Threat Protection (ATP), provides the features and services of the add-on subscription of Plan 1: 

  • Anti-Phishing 
  • Safe Attachments 
  • Safe Links 

Additional noteworthy inclusions: 

  • Azure Information Protection (AIP) Plan 1 
  • Exchange Online Auto-Expanding Archive (Note: beginning 11/1/2021, it has a maximum storage quota of 1.5 TB) 
  • Shared activation of the Office applications for remote desktop services 
  • Azure AD Connect benefits: Self-service password reset (SSPR) write-back to on-premises AD and device write-back between on-premises AD and Azure AD 
  • Extended activity logs (sign-in, audit, and more) 

Use this link for the latest service description for additional information about all the features and services included with Microsoft 365’s Business Premium subscription.  

Setting Up Microsoft 365 Business Premium Features  

Now that you know what you’ve got in Microsoft 365 Business Premium, how do you set up all these great features and services to protect your organization and users? Reach out to TechHouse to schedule time with one of our highly skilled consultants for their expertise and guidance! It’s what they do all day long. Our team stays up to date on the newest updates, so you don’t have to. We listen to your organization’s needs and implement the features and services that make your goals attainable. TechHouse’s custom-fit approach puts you and your organization first. 

If you’re an IT Admin looking to do it yourself, Microsoft has guided setup and configuration wizards to walk you through most of the features mentioned above. If this is your first time using Microsoft 365, we suggest familiarizing yourself with the overall admin center and the other service admin centers before configuring any feature or service. Each prominent feature or service may have its own admin center, such as Exchange Online, SharePoint Online, Teams, and more. Knowing where everything is before you begin will help, as you’ll be switching between many screens. 

As a TechHouse client, we provide free monthly webinars that go over Microsoft 365 Admin in general or the month’s topic. Contact your Account Manager for details.   

Another resource to familiarize yourself with all things Microsoft 365 is the Microsoft 365 Training Center.

Before you go any further, a little FYI; most features and services do not set up or configure themselves. Just because you have a subscription and licensed users doesn’t mean things will work out of the box. 

Upon your first access to the Microsoft 365 admin center, you may need to expand or pin options in the left-hand navigation. The admin center dashboard also allows you to customize your view with different cards (there is even a dark mode option). Feel free to customize the admin center dashboard at any time. 

Right off the bat, Microsoft offers a guided setup for those just getting started on the main dashboard page. The recommended steps are to add your custom domain, add users, install Office, and there’s an option to send a mailer to your users about the new service. This guided wizard is more for organizations that are not migrating from another platform. 

For a more customized or advanced setup, navigate to Setup (the wrench icon) on the left-hand navigation. Here Microsoft 365 will give you a breakdown of tasks completed or that need to be completed to finish your overall onboarding to the service. Do you have to meet them all? Of course not. Some may not apply to your organizational needs. So don’t worry about it.   

Determine the Services and Features that Best Serve Your Organization 

Microsoft uses their best practices and guidance in the wizards. So, if they do not align with your organizational policies, make sure to implement the settings and configurations you need. 

The Setup guided wizards will help you migrate email and data from other platforms to Microsoft 365, such as Google, Yahoo, other legacy mail providers, and more. Depending on the platform you are migrating from, please read through the documentation carefully, as required steps and settings need to be configured on those platforms for the migration to be successful. 

The response an organization makes to remain ahead of technology’s curve should be quick and effective. TechHouse offers a solution to support your needs for flexibility and security. We provide migration services, such as our Move to the Cloud, that augment communication between your team and various applications. 

If you run into trouble, don’t worry.  There are resources to help, depending on how you purchased your subscription. If you purchased directly from Microsoft, you could contact them by opening a support ticket from the Support menu in the admin center. If you buy from an Indirect Cloud Solution Provider (CSP) or Managed Service Provider (MSP), they will have their own helpdesk contact or information. If you purchased from TechHouse, a Microsoft Gold Partner, Tier 1 Direct CSP, you already know how to contact us and get the immediate help you need! 

Part of the Setup wizards are options to protect data in mobile apps and secure your Windows devices. The Setup guide and the Devices section make it look easy to configure and deploy, but it may not be the proper deployment for you. While admins new to Microsoft 365 may find deploying protection policies from these sections convenient, the users and devices still need to be ready. Supported Windows devices need to be running the Pro edition of Windows, and mobile devices may need to be at a certain OS version or later. Users may need to transition to the Microsoft mobile apps rather than the native mobile OS apps they usually prefer, and some users may not want to use their devices at all. Discuss with your users before deploying.

For a more comprehensive device and app protection deployment, you’ll want to work directly from the Endpoint Manager admin center. 

From Endpoint Manager, you have many more options to deploy device management and app protection policies. The policies created from the Devices section of the admin center will appear here in Endpoint Manager. They are Endpoint Manager policies, but they remove the complexity of a custom policy and deployment. Custom deployments do have several prerequisite settings and configurations to consider, so please take the time to know what those are. TechHouse will be blogging about Endpoint Manager configuration and deployment later in this series. And we are here to help as much or as little as you need! 

Securing your Features and Services 

We now know that Microsoft 365 can help us get things going and understand most of the featured services that come with the subscription, but you purchased Microsoft 365 Business Premium to be more secure.  You want to get your service guarded and get your users going. How do we do that?  

Devices and Endpoint Manager are a big part of securing your environment and a daunting task on their own, but do not leave them out or put them on the back burner. 

Microsoft 365 has some great security features built right in with SMBs in mind. And some are turned on by default—for example, Security Defaults. New Microsoft 365 tenants automatically have Security Defaults turned on. 

Security Defaults are a set of Microsoft-recommended identity policies to protect users.  They are as follows: 

  • Require all users to register for Multi-Factor Authentication (MFA) 
  • Require all admins to implement MFA 
  • Block legacy authentication protocols (POP3, IMAP, and more) 
  • Require users to perform MFA when a risky sign-in is detected 
  • Protect other privileged activities 

Security Defaults is a blanket policy that applies to all current users and any users created later. This setting is not customizable and may not suit every organization. Using Security Defaults also has some caveats regarding legacy authentication: any third-party apps, services, or devices that still require those protocols will be impacted. 

As mentioned earlier, Microsoft 365 Business Premium includes Azure AD Premium Plan 1 features such as Conditional Access. Conditional Access is the recommended way to configure MFA for all your users. Individual policies can be used as a blanket policy or applied to specific groups or individual users. Conditional Access policies are highly customizable and give you more flexibility than Security Defaults while maintaining a secure tenant. 

It is important to note that Security Defaults and Conditional Access policies cannot work together. You must decide to use one or the other. 

With Conditional Access, you also get deeper insights and reporting on your user activities. You can set your custom Conditional Access policies to report-only mode for testing before you enforce them. To do this, Insights and Reporting must be configured. Enabling Insights and Reporting collects user sign-in and authentication activity and gives you a detailed dashboard. This feature requires an Azure subscription visible to your tenant’s Azure AD directory and a Log Analytics workspace. 
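The sequence above (confirm Security Defaults is off, then roll out an MFA-for-everyone Conditional Access policy in report-only mode before enforcing it) as an added example script, not code from the original post. It assumes the Microsoft Graph PowerShell SDK and an admin role; the break-glass group id is a placeholder.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# is installed and the signed-in account holds a Conditional Access admin role.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Security Defaults and Conditional Access cannot work together, so check first.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
if ($sd.IsEnabled) {
    Write-Warning "Security Defaults are ON. Turn them off (Azure AD > Properties > Manage security defaults) before creating Conditional Access policies. Stopping."
    return
}

# 2. Create the MFA-for-all-users policy in report-only mode. Sign-in logs will
#    show what the policy WOULD have done, without locking anyone out yet.
$breakGlassGroupId = "<object-id-of-break-glass-admin-group>"   # placeholder; always exclude emergency accounts
$policy = @{
    displayName   = "CA001 - Require MFA for all users (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")   # includes legacy clients, which cannot satisfy MFA
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State

# 3. After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Leave the policy in report-only for a few business days and review the "Report-only" tab of the sign-in logs for users or apps that would have been blocked before switching the state to enabled.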

TechHouse is here to help you with any Conditional Access policies and enable Insights and Reporting.  The amount of activity stored in the Log Analytics workspace may incur Azure consumption costs.  TechHouse will be blogging about Conditional Access vs. Azure MFA later in this series. 

Another feature provided by Azure AD Premium is Smart Lockout and MFA lockout. Each can help prevent brute-force attacks. Each has recommended default settings and can be customized to suit your needs. 

Password Smart lockout also supports on-premises AD if you are planning to sync your local identities to Microsoft 365 with Azure AD Connect. 

The next security feature to look at is whether users may connect a third-party cloud app or service to their account. While this seems convenient for users and admins alike, it is a huge security risk. Azure AD allows you to configure all user app requests to require an admin’s or another designated user’s approval. Ransomware bad actors specifically target this to gain access to a user’s email and data and encrypt it. If that happens, there is no recovery unless you have taken other actions, such as using a Microsoft 365 backup service. Consider configuring this in your tenant immediately. 

There are two locations to set user consent to apps, as shown in the image above: Azure AD, and the Org Settings section of the admin center. The setting applies to both areas but may not reflect the change immediately in the other location. 
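As an added example (not code from the original post), the script below first inventories the apps users have already consented to on their own, then turns user consent off so every new app request must go through an admin. It assumes the Microsoft Graph PowerShell SDK and a Global Administrator account.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module
# and an account able to read grants and write the tenant authorization policy.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization", "Directory.Read.All"

# 1. Inventory: delegated grants with ConsentType "Principal" were approved by a
#    single user for themselves, i.e. exactly the grants this setting is about.
$userGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ConsentType -eq "Principal" }
$report = foreach ($g in $userGrants) {
    # The service principal may already be deleted; skip it rather than fail.
    $sp = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        App    = if ($sp) { $sp.DisplayName } else { "(deleted) " + $g.ClientId }
        UserId = $g.PrincipalId
        Scopes = $g.Scope.Trim()   # space-separated permissions, e.g. "Mail.Read Files.ReadWrite"
    }
}
$report | Sort-Object App | Format-Table -AutoSize

# 2. Current setting: an empty PermissionGrantPoliciesAssigned list means users
#    cannot consent to any app; a non-empty list names the policy that allows it.
$authz = Get-MgPolicyAuthorizationPolicy
"User consent policies now assigned: {0}" -f ($authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned -join ", ")

# 3. Turn user consent off tenant-wide. Combine this with the admin consent
#    request workflow (Azure AD > Enterprise applications > User settings) so
#    requests reach a reviewer instead of silently failing.
Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{ PermissionGrantPoliciesAssigned = @() }
```

Review the inventory from step 1 with the affected users; grants that look unexpected (mail, files, or contacts scopes for an app nobody recognizes) should be revoked from the app's Permissions page in Azure AD.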

The next thing to consider when securing your Microsoft 365 tenant is sharing.  By default, the sharing gates are wide open with no restrictions.  Users can share by default from OneDrive, SharePoint Online, Microsoft 365 Groups, Teams, Stream, and any other feature that utilizes SharePoint Online as its backend files framework.  There are a few places where sharing settings can be modified—Org Settings in the admin center and SharePoint Online admin center. 

TechHouse recommends a Zero Trust approach to sharing: start restrictive and work your way up, granting share access to groups and users as necessary. And because Azure AD Premium is included, you can use Dynamic Groups to help assign appropriate share permissions to users. 
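The "start restrictive, open up where needed" approach applied to SharePoint Online and OneDrive sharing, as an added example that is not part of the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin role; the tenant name and site URL are placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell is installed; replace <tenant> with your tenant name.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 1. Record the tenant-wide setting before changing anything, so you can roll back.
$before = Get-SPOTenant
"Before: SharingCapability={0}; DefaultSharingLinkType={1}; DefaultLinkPermission={2}" -f `
    $before.SharingCapability, $before.DefaultSharingLinkType, $before.DefaultLinkPermission

# 2. Tighten the tenant: no "Anyone" (anonymous) links, new share links default to
#    people inside the organization with view-only rights. Guests who sign in are
#    still allowed, because a site can never be MORE open than the tenant setting,
#    and we want to open individual sites to guests later.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# 3. Lock down sensitive sites completely; other sites inherit the tenant default.
Set-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/Finance" -SharingCapability Disabled

# 4. Verify the result for the tenant and the locked-down site.
(Get-SPOTenant).SharingCapability
(Get-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/Finance").SharingCapability
```

The same tenant-level setting is also exposed under Org Settings in the Microsoft 365 admin center; whichever location you use, the SharePoint admin center shows the per-site overrides.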

Sharing is Caring, Especially Securely  

When talking about sharing, it can lead to the topic of sensitive information. And with Microsoft 365 Business Premium, you have the features and services to protect that as well! Azure Information Protection is included. This feature allows users to send protected emails, prevent accidental data leakage, and apply labels to emails and files to limit how they are viewed, accessed, and shared within or outside your Microsoft 365 tenant. While that makes it sound easy, some of these features require several steps to configure, test, deploy, and implement. 

Sending protected (encrypted) emails is available out of the box and can be customized to suit your privacy or compliance policies. Users can send protected emails from the Outlook desktop app and from Outlook Online. You can also configure transport rules to encrypt emails. 

To protect against accidental data leakage by users, you can protect your data with Data Loss Prevention (DLP) policies or by applying sensitivity labels. Microsoft offers some out-of-the-box configurations; they may work for some organizations but can be fine-tuned and customized as needed. Data Loss Prevention (DLP) uses policy-based rules to detect specified information and take defined actions if a user tries to send or share that information outside the organization. Sensitivity labels take this further by embedding protection into data shared outside the organization, such as access permissions, watermarks, and more. While both of these features require some legwork to implement, we want to inform you that they are available with Microsoft 365 Business Premium, and TechHouse is here to assist. 

In Case You Missed It 

Our final mention includes Microsoft Defender for Office 365 (MDO) Plan 1, formerly Office 365 Advanced Threat Protection (ATP).  Some of you may be aware of this add-on subscription but may not realize that it’s part of Microsoft 365 Business Premium.  The mentioned features are not configured out-of-the-box. Microsoft Defender for Office 365 Plan 1 adds three additional Exchange Online Protection (EOP) policies: Anti-Phishing, Safe Attachments, and Safe Links.  Safe Attachments and Safe Links now expand their protection to OneDrive, SharePoint Online, and Microsoft Teams.   

  • Anti-Phishing looks for attempts to impersonate your email addresses, whether internal or custom domains. 
  • Safe Attachments is a zero-day safeguard for your email. Messages are sent to a sandbox environment to be checked and cleared before delivery to the intended recipient. 
  • Safe Links inspects the URLs or web links in the body of an email. The links are scanned, and if they are determined to be malicious, the recipient is blocked from continuing to the site. 

Each of these policies comes with a tenant default policy, but it is highly recommended to create custom policies to protect your users. Microsoft also provides security presets for these policies and the other Exchange Online Protection policies. A configuration analyzer also inspects your policies and recommends improvements. While the configuration analyzer is based on Microsoft best practices and suggestions, it is a great resource to see or better understand how your policies protect your users. 

TechHouse becomes your personal IT team to assist with any cyber security needs your organization has internally. Our clients trust us to secure their environment. We provide Advanced Threat Protection (ATP), Anti-Phishing, Data Loss Prevention, and more. As bad actors evolve, our team is proactive in hardening your security. 

Final Takeaways 

Microsoft 365 Business Premium is a powerful tool, and there are more ways to secure your tenant. Microsoft 365 is an ever-evolving platform that constantly updates its features and services, and staying up to date is a challenge on its own. The Message Center, located in the admin center, and the Microsoft 365 Roadmap are great resources to stay aware and informed. This blog mentions the most popular and sometimes overlooked features and settings. As a Microsoft Gold Partner, we are here to assist you in any capacity for your Microsoft 365 needs. In a future blog, we will dive deep into protecting users with MFA and the user experience. 

Contact TechHouse, or 941-328-8601, for your custom-fit solution to protect and make the most of your Microsoft 365.  

TechHouse’s blogs are not to replace expert guidance. The information we provide is to grow background knowledge as IT continues to evolve. Our goal is to empower our readers through awareness with detailed information.