Microsoft 365 Security Functionality You Might Have Missed

Collaborative Meeting with Whiteboard

The Microsoft 365 Security suite is vast, with an enormous and constantly evolving feature set to utilise in defence of your organisation’s cyber security.

This is excellent news for those looking to consolidate their security tools into a cohesive platform (rather than relying on a disparate selection of vendors), as much of the functionality a modern business requires can be found within M365 Security’s arsenal.

However, the sheer number of tools offered within the M365 Security suite (and the changeable nature of Microsoft’s subscription tiers and their associated offering) risks certain features and functionalities going overlooked, particularly in the case of new or updated capabilities.

Therefore, before you look to invest in a new security tool, implement a new process, or settle for less-than-ideal coverage, it’s worth making sure that your existing Microsoft 365 licence does not have the capabilities you’re searching for already built into your subscription, or available within an upgrade.

Here are five current elements of Microsoft 365 Security’s functionality that you might have missed

1. Greater Log Data is Available, But Must Be Switched On

In light of increased large-scale cyber threats, earlier this year Microsoft released plans to expand their cloud logging accessibility to grant greater visibility to more customers than ever before, coming into play in September 2023.

Those utilising Microsoft Purview Audit (Standard) in Microsoft 365 will soon have access to richer, deeper security data, including more than 30 types of log data previously only available to those with a Microsoft Purview Audit (Premium) licence subscription. Along with increased data availability, Standard customers will also see their default retention period increase to 180 days from the previous 90.

However, it should be noted that not all of the associated audit logs are turned on by default, and manual intervention is required to ensure all events are being appropriately catalogued. For example, users’ searches within Exchange Online and SharePoint Online are not automatically tracked, but the functionality is available, and should be taken advantage of to maximise user insight. Should you wish to track this, there are simple steps which must be taken to ensure complete audit coverage, as outlined by Microsoft here.

2. Microsoft Defender for Endpoint Can Be Utilised Alongside Non-MSFT EPPs

If you have a preferred non-Microsoft endpoint protection platform in place, those with an E5 licence can still harness Microsoft Defender for Endpoint’s capabilities in tandem with your chosen tool for more comprehensive security coverage across both solutions.

Should you enable Passive Mode within Microsoft Defender for Endpoint alongside your non-Microsoft solution, telemetry and vulnerability management data will still be collected in the background and accessible within your Microsoft client, allowing greater insight into potential threats and user activity.

Similarly, by enabling Block Mode within Microsoft’s Endpoint Detection and Response, you may be guarded against threats your primary endpoint protection platform misses. While Block Mode doesn’t offer the full protection associated with Microsoft’s EDR tools, Block Mode does provide an extra layer of defence and a richer audit trail both pre- and post-incident.

Way to work. Man texting on phone, standing with bike

3. Phish-Resistant MFA Can Be Achieved Without Security Keys

Passwordless access and phish-resistant multi-factor authentication are hot topics within identity access management, and many organisations are striving towards this level of defence to guard against adversary-in-the-middle phishing attacks and common breaches associated with passwords’ inherent vulnerabilities.

Security keys (such as YubiKeys) are an increasingly common, reliable, and robust method of phish-resistant MFA, requiring users to present or insert a physical hardware key to their device for authentication. However, there are alternatives which you may already have access to.

Windows Hello for Business offers a FIDO2 certified MFA solution enabling users to sign into their devices using either biometrics (a facial or fingerprint scan) or a PIN, without the need for passwords. The certificate-based authentication available via Azure AD can also be utilised for phish-resistant MFA and is recommended by Microsoft as a modern approach to secure access.

If security keys aren’t a tenable solution within your organisation at present, it’s worth considering whether Windows Hello for Business or Azure AD certificate authentication might meet your IAM requirements.

4. App Governance is Now Included with Both E5 Licences and Defender for Cloud Apps

Another example of evolving availability within the Microsoft 365 licence suite that you may have missed: app governance is now included in both E5 licences and Defender for Cloud Apps. While this functionality was previously an add-on, many existing users will now have access.

Offering security and policy management of OAuth apps, app governance delivers—

“—visibility, remediation, and governance into how these apps and their users’ access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions.”

The insight provided by app governance empowers you to make informed choices about the use (or restrictions) of apps that may pose a risk to your corporate security environment.

Man in shirt using mobile phone on laptop

5. Azure AD Application Proxy’s Vast Capabilities

An essential feature for organisations facilitating remote or hybrid working patterns by granting users secure access to internal resources and applications. Application Proxy is a simple, cost-effective feature included within Azure AD which allows businesses to publish on-premises web applications or Remote Desktop Services to the internet without the need for a DMZ, while still benefitting from the security provided by Azure AD.

In practice, this can mean the provision of conditional access, sign-in logs, protection against DDoS, among others, with no traffic passing through until a successful authentication has been made.

If you’re an existing Microsoft 365 E5 licence holder, or considering upgrading from your current licence subscription to an E5 licence but unsure of the features included, our summary guide is a useful starting point to create a complete picture of what the E5 licence includes, its business benefits, and the capabilities that set it apart from a Microsoft 365 E3 licence. View our Microsoft 365 E5 Licence Explained guide.

Whatever your Microsoft strategy, Threatscape’s award-winning Microsoft experts are available to support your journey with a wealth of expertise and vital know-how. Explore our Microsoft Security Practice for more information on how we can assist in your utilisation of your Microsoft subscription and help you to realise your investment and maintain your cyber defences. 

You may also be interested in these articles:



Contact Us