A Perfect Storm of Ignored M365 Security Options

Most of you are probably going to be shocked by what was discovered as part of this data breach in Australia, but I’m going to caution you not to be:

For example, none of the audited agencies had implemented DLP controls broadly across all Microsoft 365 applications including OneDrive, SharePoint, Power Platform, Exchange and Teams.

All seven entities also allowed external data storage on unmanaged third-party services including Dropbox, Facebook and Google Drive, with no technical controls to prevent staff synchronising work data to personal accounts.

For authentication, the report said the entities relied on SMS text messages, voice and email one-time passwords.

…….

Entities also allowed personal devices to register for MFA without enrolling them in device management systems.

Staff were not restricted from installing unapproved Microsoft Teams applications, and could use external code for Power BI.

It sounds bad, I know. And you might be wondering how that could happen, but here’s what I think happened: they are Microsoft customers with a very intricate and powerful environment to work in, and no resources to understand how to administer it. It may not surprise you to learn that Microsoft will sell enterprise licenses and set up an M365 for anyone who shows up with cash. I know, I paid for one myself. It’s just me. I’m the entire Admin, Security, Compliance, and Privacy team all rolled into one.

Now, in my case, that’s OK because I created it specifically as a place to learn and test, and I’m not keeping any confidential information in it. (I don’t have employees, and any customer information I have for consulting or newsletter subscriptions is elsewhere.)

How many organizations have a tenant and have simply left a lot of the default settings from when they bought their first licenses? What would that look like now?

I suspect it would look a lot like what you just read. Microsoft has gotten better at enabling security features by default that would help prevent some of this, but in the end, it’s not their responsibility to monitor employees uploading private data to cloud services or to put in controls to prevent unwanted Teams apps. That’s on the tenant admin, who has to know the best practices and implement them.

If you’re responsible for a tenant that is at risk, and they all are at some level of risk, please take the time to understand what you have and get help to put up some basic defenses. These audit results should be humbling for all of us.
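Two of the audit findings above (SMS, voice and email one-time passwords still enabled, and staff free to install any Teams app) map to tenant settings you can read out in a few minutes. The script below is an added example, not from the original post or from Microsoft; it uses the Microsoft.Graph and MicrosoftTeams PowerShell modules, assumes both are installed, that you can consent to the Policy.Read.All scope, and that the tenant still uses the classic Teams app permission policy rather than the newer app-centric management.

```powershell
# Added example (not from the original post): a read-only check of the MFA
# method policy and the global Teams app permission policy.
# Assumes Microsoft.Graph and MicrosoftTeams modules are installed.
Connect-MgGraph -Scopes "Policy.Read.All"
Connect-MicrosoftTeams

$findings = @()

# 1. Which authentication methods are enabled tenant-wide?
#    Sms, Voice and Email are the phishable one-time-password methods named
#    in the audit; Fido2 and MicrosoftAuthenticator are the ones to prefer.
$policy = Get-MgPolicyAuthenticationMethodPolicy
$weakMethods = @('Sms', 'Voice', 'Email')
foreach ($m in $policy.AuthenticationMethodConfigurations) {
    Write-Host ("{0,-25} {1}" -f $m.Id, $m.State)
    if ($weakMethods -contains $m.Id -and $m.State -eq 'enabled') {
        $findings += "Weak MFA method still enabled: $($m.Id)"
    }
}

# 2. Does the global Teams app permission policy let staff install any app?
#    'BlockedAppList' with an empty block list means "allow everything".
$teamsPolicy = Get-CsTeamsAppPermissionPolicy -Identity Global
foreach ($catalog in 'DefaultCatalogAppsType', 'GlobalCatalogAppsType', 'PrivateCatalogAppsType') {
    $mode = $teamsPolicy.$catalog                      # AllowedAppList / BlockedAppList
    $list = $teamsPolicy.($catalog -replace 'Type$', '') # matching app list
    if ($mode -eq 'BlockedAppList' -and -not $list) {
        $findings += "Teams ${catalog}: all apps allowed (empty block list)"
    }
}

if ($findings) {
    Write-Warning ("Findings:`n - " + ($findings -join "`n - "))
} else {
    Write-Host "No findings for the checks above."
}

Disconnect-MgGraph | Out-Null
Disconnect-MicrosoftTeams
```

The script only reads settings; turning off a weak method or switching a catalog to an allow list is a separate, deliberate change that should be planned with the affected users in mind.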
