How to Secure Microsoft 365 in 2023
By a wide margin, Microsoft 365 is the world’s most popular productivity software with over 180 million users globally. Updating familiar applications such as Excel, Word, and PowerPoint for the cloud computing era has enabled Microsoft to once again transform the way that small and medium-sized businesses work and collaborate.
However, as with any complex technology platform, deploying Microsoft 365 in your network can also present cybersecurity challenges. Based on recent announcements by Microsoft, we see a few key steps and strategies that all businesses will need to take to keep their business data secure in 2023 beyond what was necessary in 2022.
BYOD Device Security Shifts Toward Conditional Access
Many smaller businesses give employees leeway to use their personal devices for work functions. Sometimes they do so because it’s more convenient for staff to just use the devices they’re familiar with, while other times, the cost savings on the business side drive this decision.
These “bring your own device” (BYOD) arrangements also have some serious downsides, particularly with how businesses manage their Microsoft 365 data.
In a worst-case scenario, a business will have no visibility or control over the devices they’re allowing to connect to company resources, which means that company data could be sitting on an employee’s personal device unsecured, where it’s highly vulnerable to hackers and exfiltration.
More commonly, a business will have deployed some basic mobile device management (MDM) solution to help keep devices updated and build a rudimentary barrier between the company and personal data.
Improving Data Security with Conditional Access
Mobile device management can help secure employee-owned phones and tablets, but it is an intrusive option that requires a business to install software on each employee’s personal device.
Microsoft 365 has a feature that allows businesses to keep information on BYOD devices secure without having to implement an MDM solution. It’s called “conditional access,” and it’s one of the least appreciated features in the software suite.
Conditional access is a set of controls within Microsoft Azure Active Directory that protects sensitive content by requiring users to meet a set of criteria before they’re granted access to it. The flexible conditional access system allows you to create and automate granular security rules that govern users, devices, and their locations without needing a third-party solution.
Here are some of the ways that using conditional access helps secure your mobile data:
- Integrate authentication factors like passwords, facial recognition, and voice recognition into your overall security plan.
- Enforce security standards to deny unverified user access to your sensitive information.
- Automate monitoring and security rule adjustments after the system notices an irregularity, such as an unrecognized location.
- Safeguard your network against stolen credentials such as a username and password.
- Reduce risk and improve compliance by allowing your staff to audit applications while reducing the need for third-party solutions.
To implement conditional access, you should start by auditing your technology to locate valuable data assets in your organization’s systems. Next, clarify which protections are appropriate for each of the systems in your network, and document those controls so they can be adjusted as your systems evolve.
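As an added example (not code from the original article), the script below creates two Conditional Access policies with the Microsoft Graph PowerShell SDK: one that requires MFA or a compliant device for BYOD access to all cloud apps, and one that blocks legacy-authentication clients, which the basic-authentication retirement discussed in the next section makes necessary. It assumes the Microsoft.Graph module is installed, the account holds the Policy.ReadWrite.ConditionalAccess and Application.Read.All permissions, and `<break-glass-group-id>` is a placeholder for the object ID of your emergency-access group.

```powershell
# Added example, not code from the original article. Assumes the Microsoft.Graph
# PowerShell module and an admin account granted the scopes requested below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the emergency-access ("break-glass") group, excluded from
# every policy so a misconfigured rule can never lock every administrator out.
$breakGlassGroupId = "<break-glass-group-id>"

# Policy 1: BYOD protection. Any user reaching any cloud app from a browser or a
# modern desktop/mobile client must pass MFA OR be on an Intune-compliant device.
$requireMfaOrCompliant = @{
    displayName   = "BYOD: require MFA or compliant device"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa", "compliantDevice") }
}

# Policy 2: block legacy authentication. "exchangeActiveSync" and "other" are the
# client types used by basic-auth protocols (POP, IMAP, SMTP AUTH, older Outlook),
# none of which can complete an MFA challenge.
$blockLegacyAuth = @{
    displayName   = "Block legacy authentication clients"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfaOrCompliant, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created policy '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave both policies in report-only mode until the sign-in logs show no unexpected users or devices being caught, then flip `state` to `enabled`.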
Prepare Your Business for “Modern Authentication”
A critical change that Microsoft 365 users will face in 2023 is the removal of basic authentication for commonly used services, such as POP, IMAP, and PowerShell. Going forward, all systems will need to be transitioned to what Microsoft is calling “modern authentication,” which verifies each user’s identity according to stricter rules than in the past.
The reason is that the older basic authentication sends a user’s name and password in plain text with every access request, leaving these credentials exposed to interception and theft.
With the number of password-based attacks soaring to one every 921 seconds, basic authentication is no longer enough for today’s digital business. Skilled hackers can even bypass multi-factor authentication (MFA) systems, undermining one of the most important security controls in the SMB cybersecurity toolkit.
Microsoft announced that basic authentication would be removed for all protocols starting in January 2023, so every business should have a plan for dealing with this new reality.
Proactively Approaching Modern Authentication
To ensure your network remains stable during the upgrade, you can use Microsoft 365 sign-in logs to determine what services/users are using these legacy methods and migrate them to supported methods.
We recommend that companies coordinate with their IT support firm to determine which APIs are dependent on M365 and how best to upgrade those services to modern authentication.
You should also have your IT team contact your technology vendors and determine which of their services or APIs support modern authentication and which of them don’t. Once this thorough audit of your applications and services is finished, you can proactively either upgrade or replace whichever ones don’t meet the new modern authentication standards.
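To carry out the sign-in-log review described above, here is an added example (not code from the original article) that pulls the last 30 days of sign-in logs through the Microsoft Graph PowerShell SDK and reports which users, client protocols and applications still authenticate with legacy methods. It assumes the Microsoft.Graph module, an account holding AuditLog.Read.All and Directory.Read.All, and the Azure AD Premium P1 licensing that API access to sign-in logs requires; the output file name is this example’s own choice.

```powershell
# Added example, not code from the original article. Assumes the Microsoft.Graph
# PowerShell module and an account permitted to read sign-in logs.
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# The Graph $filter on createdDateTime expects an ISO-8601 UTC timestamp.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ssZ")

# Only these two clientAppUsed values are modern-auth clients. Everything else
# (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, "Other clients", ...)
# stops working once basic authentication is switched off.
$modernClients = @("Browser", "Mobile Apps and Desktop clients")

$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

$legacy = $signIns | Where-Object {
    $_.ClientAppUsed -and ($_.ClientAppUsed -notin $modernClients)
}

# One row per user / client / application. Successful sign-ins (Status.ErrorCode 0)
# are the ones that will break; failures may already be blocked by a report-only
# policy or by Microsoft's rollout, so both counts are kept.
$report = $legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].UserPrincipalName
            Client    = $_.Group[0].ClientAppUsed
            App       = $_.Group[0].AppDisplayName
            Successes = @($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            Failures  = @($_.Group | Where-Object { $_.Status.ErrorCode -ne 0 }).Count
            LastSeen  = ($_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1).CreatedDateTime
            SampleIp  = $_.Group[0].IPAddress
        }
    } | Sort-Object Successes -Descending

$report | Format-Table -AutoSize
$report | Export-Csv -Path ".\legacy-auth-signins.csv" -NoTypeInformation
```

Each row in the CSV is a user, device or integration that must be migrated to modern authentication (or replaced) before basic authentication is turned off; the App column identifies which vendor to contact.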
Prepare for the Possibility of Network Instability
Businesses should be aware that migrating away from basic authentication could have a negative impact on their networks. For example, companies using Exchange ActiveSync (EAS) to connect their company email to mobile phones will likely experience problems with modern authentication. Similarly, the scan-to-email functions that printers have may also be affected.