Testing Microsoft 365 Configuration Security
Summary
Whether Microsoft 365 or Google Workspace, your office platform is key to identity, email and documents. Your business doesn’t run without it. We routinely test both platforms to varying levels of detail.
Client need
One ongoing customer is a growing university spin-off, who have some IT and cyber security support but had never had any third-party testing or assurance. The logical place to start with assurance is Microsoft 365, as it contains all emails and documents for the whole company, and is central to all their online applications.
It is also crucial for identity, as Microsoft 365 accounts are used for device sign-in, and Single Sign-On for other applications.
Our approach
We completed a review of their Microsoft 365 configuration using our custom approach, which draws from industry-standard security guidance and our own experience in applying and testing security policies for lots of customers.
It covers key areas such as accounts and authentication, administrator roles and external access, applications, email security configuration, SharePoint and Teams.
Client benefit
As well as getting the usual report that they can use as evidence of testing, as a smaller organisation they were also keen to get help applying the recommended fixes. We worked through the results with them, helping them to understand where controls need tightening, or where they need to accept the risk because of a genuine business requirement.
The result is a locked-down Microsoft 365 tenant, which supports their needs but doesn’t introduce any unknown risks to their business.