Securing your new Azure Tenant
- James Agombar
- Apr 21
- 4 min read
Updated: May 7

So you've set up your new Microsoft Azure tenant, onboarded users and got the fundamentals working, but what about the security settings? The tenant in question is the Microsoft Entra ID tenant that sits underneath both Azure and Microsoft 365, which is where most of the settings below live.
In this blog, we'll go over some fundamental security configuration settings that you may have missed or not even been aware of. They reduce the scope for unwanted changes and limit what external parties can reach, which should give you a little more peace of mind.
Note: None of these features requires an Entra ID P1 or P2 licence.
Key Elements Covered
Entra ID
SharePoint / OneDrive
Teams
Entra ID
Guest User Access Restrictions
Q. Do you want guest users to have the same access as members, limited access, or restricted access?
A. There are three options: the same access as members (most inclusive); limited access to the properties and memberships of directory objects (the default); and access restricted to the properties and memberships of their own directory objects (most restrictive). Choose the most restrictive option unless you have a business need otherwise; the default still lets a guest look up other users and group memberships, whereas the restricted option limits them to their own.
In the Azure Portal, go to Microsoft Entra ID > User Settings (the same control is also available under "External Collaboration Settings"):

Guest Invitation Policy
Q. Do you want EVERYONE in your tenant, including existing guest users, to be able to invite new guest users?
A. Possibly not. The most inclusive option lets a guest invite further guests you have never vetted. Prefer "only users assigned to specific admin roles can invite guest users" and grant the Guest Inviter role to the few people who genuinely need it; at the very least, stop guests from inviting other guests.
In the Azure Portal, go to Microsoft Entra ID > User Settings > External Collaboration Settings:

Collaboration Restrictions
Q. Do you want to allow invitations to any domain, or have more control?
A. You can allow invitations to any domain, deny invitations to a list of specified domains, or allow invitations only to a list of specified domains. Only move to an allow list if you already have agreed external domains that you work with and the technical resources to maintain the list, because every new partner will need adding before anyone can be invited.
In the Azure Portal, go to Microsoft Entra ID > User Settings > External Collaboration Settings:

Default User Role Permissions
Q. Do you want every user to be able to register applications, create security groups, create new tenants and browse the Microsoft Entra admin center?
A. Not unless you have a specific need. Note that the toggles point in different directions: the "Users can ..." options (register applications, create security groups) should be set to No, while the "Restrict ..." options (restrict non-admin users from creating tenants, restrict access to the Microsoft Entra admin center) should be set to Yes. Application registration is the one most often overlooked; leaving it open means anyone who compromises a single user account can create their own application identity in your tenant.
In the Azure Portal, go to Microsoft Entra ID > User Settings and apply the values above.

LinkedIn Account Connections
Q. Do you want to allow users to connect their work or school account with LinkedIn?
A. If there's no specific business case, disable it.
In the Azure Portal, go to Microsoft Entra ID > User Settings:

Disable Legacy MFA
Q. Are you applying all of these settings to an older tenant? If so, you may still be managing MFA and SSPR methods through the legacy per-user MFA and SSPR policies rather than the Authentication methods policy.
A. Microsoft provides a guided migration. Microsoft has announced that the legacy MFA and SSPR policies for managing authentication methods are being retired, so this is worth doing sooner rather than later.
In the Azure Portal, go to Microsoft Entra ID > Security > Authentication Methods > Policies, click "Begin Automated Guide" and follow the instructions. Once the migration is marked complete, the Authentication methods policy is the single place where these methods are controlled.
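The Entra ID settings above (guest access restrictions, guest invitation policy, default user role permissions, and a read-out of the MFA migration state) can also be applied and verified from a script, which is handy when you manage several tenants. The following is an added example, not code from the original post: it uses the Microsoft Graph PowerShell SDK against the authorizationPolicy resource. It assumes the Microsoft.Graph module is installed and that you sign in with an account holding Global Administrator or Privileged Role Administrator rights. The domain allow list, the admin center restriction and the LinkedIn toggle are not part of this policy and stay as portal settings.

```powershell
# Added example (not from the original post): apply the Entra ID settings with
# Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed and a
# Global Administrator / Privileged Role Administrator account.
Connect-MgGraph -Scopes "Policy.ReadWrite.Authorization", "Policy.Read.All"

$policyUri = "https://graph.microsoft.com/v1.0/policies/authorizationPolicy"

# Record the current state first so the change can be reverted if needed.
$before = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$before | ConvertTo-Json -Depth 5 | Out-File ".\authorizationPolicy-before.json"

# Well-known guest role IDs documented on the authorizationPolicy resource:
#   a0b1b346-4d3e-4e8b-98f8-753987be4970 = same access as members (most inclusive)
#   10dae51f-b6af-4016-8d66-8c2a99b929b3 = limited access (default)
#   2af84b1e-32c8-42b7-82bc-daa82404023b = restricted to own objects (most restrictive)
$body = @{
    # Guest User Access Restrictions -> most restrictive
    guestUserRoleId  = "2af84b1e-32c8-42b7-82bc-daa82404023b"
    # Guest Invitation Policy -> only admin roles and the Guest Inviter role
    # (other values: none, adminsGuestInvitersAndAllMembers, everyone)
    allowInvitesFrom = "adminsAndGuestInviters"
    # Default User Role Permissions -> the "Users can ..." toggles set to No
    defaultUserRolePermissions = @{
        allowedToCreateApps           = $false
        allowedToCreateSecurityGroups = $false
        allowedToCreateTenants        = $false   # equals "Restrict non-admin users from creating tenants" = Yes
        allowedToReadOtherUsers       = $true    # left at default; setting this false breaks people pickers
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri $policyUri -Body $body

# Verify by reading the policy back and checking each field that was changed.
$after  = Invoke-MgGraphRequest -Method GET -Uri $policyUri
$checks = [ordered]@{
    "Guest access restricted"     = $after.guestUserRoleId -eq "2af84b1e-32c8-42b7-82bc-daa82404023b"
    "Invites limited to admins"   = $after.allowInvitesFrom -eq "adminsAndGuestInviters"
    "Users cannot register apps"  = -not $after.defaultUserRolePermissions.allowedToCreateApps
    "Users cannot create groups"  = -not $after.defaultUserRolePermissions.allowedToCreateSecurityGroups
    "Users cannot create tenants" = -not $after.defaultUserRolePermissions.allowedToCreateTenants
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-30} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "REVIEW" })
}

# Legacy MFA: the migration wizard itself is portal-only, but the migration state of the
# Authentication methods policy can be read here (preMigration, migrationInProgress, migrationComplete).
$authPolicy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy"
"Authentication methods policy migration state: $($authPolicy.policyMigrationState)"
```

Keep the "before" JSON with your change record; if a line-of-business process turns out to depend on users creating groups or apps, it tells you exactly what to put back. Any row that prints REVIEW means the PATCH did not take and should be investigated before moving on.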

SharePoint / OneDrive
Legacy Protocols
Q. Do you still have clients that connect to SharePoint or OneDrive without modern authentication?
A. Almost certainly not in a new tenant, so block them; legacy authentication cannot be protected by MFA or Conditional Access.
Within the SharePoint Admin portal, navigate to Policies > Access Control > "Apps that don't use modern authentication" and select Block access.
Sharing Controls
Q. Do you store sensitive data in SharePoint / OneDrive?
A. If yes, restrict external sharing to suit your business needs.
Within the SharePoint Admin portal, navigate to Policies > Sharing.
Reduce the sharing options for both products to at least "New and existing guests", and be more restrictive if you can; "Anyone" links require no sign-in at all, so you can never tie access to a person. Note that the OneDrive setting can never be more permissive than the SharePoint one.
Underneath, there are additional external sharing settings where you can limit the domains you share with, or allow only members of specific security groups to share externally.
I would recommend unticking "Allow guests to share items they don't own", and enabling the two options underneath it so that guest access expires after a set number of days and people who use a verification code must reauthenticate periodically.

Idle Timeout
Q. Do you want idle sessions to time out after a specific period?
A. Ideally yes, so that an inactive session on a shared or unmanaged device is signed out rather than left authenticated.
Within the SharePoint Admin portal, navigate to Policies > Access Control > Idle session sign-out.
Set the toggle to On and configure the sign-out time and warning period accordingly. Note that idle session sign-out does not apply to users on managed (joined or compliant) devices or to users who chose to stay signed in; it is aimed at browsers on unmanaged devices.

User Site Creation
Q. Do you want to allow all users to create new SharePoint sites?
A. I'd suggest not! Every self-service site is another place where sharing settings have to be kept right.
Within the SharePoint Admin portal, navigate to Settings > Site Creation and untick "Users can create SharePoint sites".
Also ensure your default time zone is correct ;)
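The SharePoint and OneDrive settings above (legacy protocols, sharing controls and idle session sign-out) map to tenant-level cmdlets in the SharePoint Online Management Shell, which lets you apply them consistently and check them later. This is an added example, not code from the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and you sign in as a SharePoint Administrator; "contoso" and "partner.example" are placeholders. Self-service site creation and the default time zone are left as portal settings here.

```powershell
# Added example (not from the original post): apply the SharePoint / OneDrive settings
# with the SharePoint Online Management Shell. "contoso" and partner.example are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Snapshot the relevant tenant settings before changing anything.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability, LegacyAuthProtocolsEnabled,
    PreventExternalUsersFromResharing, ExternalUserExpirationRequired, ExternalUserExpireInDays,
    EmailAttestationRequired, EmailAttestationReAuthDays | Format-List

# Legacy Protocols: block clients that do not use modern authentication.
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

# Sharing Controls. SharingCapability values map to the portal slider as follows:
#   ExternalUserAndGuestSharing     = Anyone (most permissive)
#   ExternalUserSharingOnly         = New and existing guests
#   ExistingExternalUserSharingOnly = Existing guests
#   Disabled                        = Only people in your organisation
# OneDrive can never be more permissive than the SharePoint setting.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExistingExternalUserSharingOnly

# Optional: only allow sharing with agreed partner domains (space-separated list).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# Guests may not reshare; guest access expires after 30 days; people who use a
# verification code must reauthenticate every 15 days.
Set-SPOTenant -PreventExternalUsersFromResharing $true `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30 `
              -EmailAttestationRequired $true -EmailAttestationReAuthDays 15

# Idle Timeout: warn after 30 minutes of inactivity, sign out after 60.
Set-SPOBrowserIdleSignOut -Enabled $true `
                          -WarnAfter (New-TimeSpan -Minutes 30) `
                          -SignOutAfter (New-TimeSpan -Minutes 60)

# Verify the result in one view.
$after = Get-SPOTenant
[pscustomobject]@{
    LegacyAuthBlocked     = -not $after.LegacyAuthProtocolsEnabled
    SharePointSharing     = $after.SharingCapability
    OneDriveSharing       = $after.OneDriveSharingCapability
    GuestResharingBlocked = $after.PreventExternalUsersFromResharing
    GuestExpiryDays       = $after.ExternalUserExpireInDays
    IdleSignOutEnabled    = (Get-SPOBrowserIdleSignOut).Enabled
}
```

Tenant-level settings are the ceiling: individual sites can be made more restrictive with Set-SPOSite, but never more permissive than the tenant, so getting these right first is what makes the per-site work tractable.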

Teams
Restrict External Access
Q. Do you currently allow ALL external domains to message your company?
A. If yes, consider changing that to "Allow only specific external domains" or "Block specific external domains".
This is a common vector for phishing, so please treat it as high risk to your business.
Within the Teams Admin Center, select Users > External Access and select the appropriate option from the drop-down menu.

Under the same policy settings you can also restrict additional settings for external users, which I highly recommend you do.
If for any reason you need to allow "Teams accounts not managed by an organisation", PLEASE ensure "External users with Teams accounts not managed by an organisation can contact users in my organisation" is UNTICKED, so that unmanaged accounts can never start a conversation with your users.
Also disable "People in my organisation can communicate with accounts in trial Teams tenants"; trial tenants are cheap to create and a recurring source of phishing attempts.
The two options underneath are personal preference.
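The Teams external access settings above live in the tenant federation configuration and can be set and audited with the MicrosoftTeams PowerShell module. This is an added example, not code from the original post. It assumes you sign in as a Teams Administrator, and "partner.example" is a placeholder for an agreed external domain.

```powershell
# Added example (not from the original post): apply the Teams external access settings
# with the MicrosoftTeams module. partner.example is a placeholder domain.
Connect-MicrosoftTeams

# Snapshot before changing anything.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains,
    BlockedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers,
    ExternalAccessWithTrialTenants | Format-List

# Restrict External Access: federation stays on, but only with an explicit domain list.
# (To "Block specific external domains" instead, leave the allow list open and use -BlockedDomains.)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomainsAsAList "partner.example"

# Teams accounts not managed by an organisation: block both directions.
#   AllowTeamsConsumer        = "People in my organisation can communicate with Teams users
#                                whose accounts aren't managed by an organisation"
#   AllowTeamsConsumerInbound = "External users with Teams accounts not managed by an
#                                organisation can contact users in my organisation"
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# Trial Teams tenants: block.
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants Blocked

# Verify.
$after = Get-CsTenantFederationConfiguration
[pscustomobject]@{
    FederationEnabled        = $after.AllowFederatedUsers
    AllowedDomains           = $after.AllowedDomains
    UnmanagedAccountsBlocked = -not ($after.AllowTeamsConsumer -or $after.AllowTeamsConsumerInbound)
    TrialTenantsBlocked      = $after.ExternalAccessWithTrialTenants -eq "Blocked"
}
```

Settings made here take a little while to propagate to clients, so re-run the verification after some time rather than assuming the first read-back is what users see.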

Conclusion
I hope this has been of use to some of you, as it's really important to get the fundamentals right before looking at the wider security posture of a tenant. Please feel free to comment and add additional settings you think I've missed or would be of benefit to others!!