CISA shares security guidance & detailed best practices for cloud based O365 services, esp. with large WFH based access verses more robust protection users might enjoy in office.  This April 29th bulletin updates prior guidance

As organizations adapt or change their enterprise collaboration capabilities to meet “telework” requirements, many organizations are migrating to Microsoft Office 365 (O365) and other cloud collaboration services. Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms.

This Alert is an update to the Cybersecurity and Infrastructure Security Agency’s May 2019 Analysis Report, AR19-133A: Microsoft Office 365 Security Observations, and reiterates the recommendations related to O365 for organizations to review and ensure their newly adopted environment is configured to protect, detect, and respond against would be attackers of O365.

CISA encourages organizations to implement an organizational cloud strategy to protect their infrastructure assets by defending against attacks related to their O365 transition and better securing O365 services. Specifically, CISA recommends that administrators implement the following mitigations and best practices:

    • Use multi-factor authentication. This is the best mitigation technique to protect against credential theft for O365 administrators and users.
    • Protect Global Admins from compromise and use the principle of “Least Privilege.”
    • Enable unified audit logging in the Security and Compliance Center.
    • Enable Alerting capabilities.
    • Integrate with organizational SIEM solutions.
    • Disable legacy email protocols, if not required, or limit their use to specific users.