In my role as an Exchange PFE I have worked with a number of customers at various stages in their journey to Office 365 and Exchange Online. Some organizations jump right into their Exchange migrations by performing a quick pilot and then start migrating mailboxes, only to find that they would like to enable a feature that is not enabled by default. They then have to decide whether the change to the environment warrants stopping the migration and performing additional analysis/testing, or whether their online mailbox users can adapt to some amount of potential change. In order to head off these future changes and decisions, I put together a list of items to consider before a good number of mailbox migrations are performed.
Office 365 and Exchange Online Must-Dos
- Enforce MFA for Office 365 Global Admin Accounts – Global Admin accounts are tempting, high-value targets for attackers and need to be protected accordingly. Organizations should enforce MFA for all Office 365 Global Admin accounts. While Azure MFA requires licensing (Azure AD Premium or a corresponding bundle), Microsoft offers MFA for free on all admin accounts. Couple this with the Exchange Online PowerShell module that supports MFA for added protection (note: MFA-enabled accounts cannot be set up to run scheduled scripts, which is logical considering no one is typically present to provide the second authentication factor). See articles "What is Azure Multi-Factor Authentication?" (link) and "How To Get Azure Multi-Factor Authentication" (link) for additional information.
- Enable Exchange Online and Skype for Business Online Modern Authentication – Modern authentication is disabled for these workloads by default, and organizations are encouraged to enable it for both Exchange Online and Skype for Business Online (enabling both prevents extra logon prompts). Keep in mind that this will not disable basic authentication; it enables modern authentication capabilities, including MFA, for supported clients. When modern authentication is enabled for Exchange Online, Outlook 2016 and Outlook 2013 (version 15.0.4753 or later, with a required registry setting) will use modern authentication instead of basic authentication to log in to Office 365 mailboxes. This also enables other authentication features such as multi-factor authentication (MFA) using smart cards, certificate-based authentication (CBA) and third-party SAML identity providers. If your organization uses a third-party federation service, check with the vendor to ensure modern authentication is supported.
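The following script is an added example and not code from the original post. It signs in with the MFA-capable Exchange Online module, enables modern authentication for both workloads, and reads the setting back so the change can be verified. It assumes the Exchange Online PowerShell module (Connect-ExchangeOnline) and the Skype for Business Online connector (New-CsOnlineSession) are installed; the admin account is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the Exchange Online
# PowerShell module (Connect-ExchangeOnline) and the Skype for Business Online
# connector (New-CsOnlineSession) are installed. The admin UPN is a placeholder.
$adminUpn = 'admin@contoso.example'   # placeholder: an MFA-enforced Global Admin

# Interactive sign-in; the second factor is prompted for when MFA is enforced,
# which is why this cannot be run unattended from a scheduled task.
Connect-ExchangeOnline -UserPrincipalName $adminUpn

# Exchange Online: OAuth2ClientProfileEnabled is the modern authentication switch.
$exoBefore = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
if (-not $exoBefore) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}
$exoAfter = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
Write-Host "Exchange Online modern auth: before=$exoBefore after=$exoAfter"

# Skype for Business Online: same idea, different cmdlet and property.
$sfbSession = New-CsOnlineSession -UserName $adminUpn
Import-PSSession $sfbSession -AllowClobber | Out-Null

$sfbBefore = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
if ($sfbBefore -ne 'Allowed') {
    Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed
}
$sfbAfter = (Get-CsOAuthConfiguration).ClientAdalAuthOverride
Write-Host "Skype for Business Online modern auth: before=$sfbBefore after=$sfbAfter"

Remove-PSSession $sfbSession
Disconnect-ExchangeOnline -Confirm:$false
```

Both switches only add the modern authentication capability for supported clients; basic authentication stays available until it is blocked separately, so the before/after output is a check that the feature is on, not evidence that legacy logons have stopped.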
- Enable Mailbox-level Auditing for All Exchange Online Mailboxes – Sometimes administrators require audit logs for investigative purposes. This is sometimes necessary as a result of a breach but also sometimes to try and determine the actions that led up to a certain outcome (such as a delegate deleting an item out of a delegator's mailbox). Mailbox-level audit actions are only recorded when mailbox auditing is enabled and it is disabled by default. In order to be able to comply with the organization's auditing needs, enable it for all mailboxes and if needed, adjust the auditing config (such as login and all deletes for owner actions). Unfortunately, setting AuditEnabled to True via Set-MailboxPlan is not supported. Therefore, develop a simple maintenance script to enable auditing for all mailboxes.
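The maintenance script the item calls for, as an added example rather than the post's own code. It turns auditing on for every user and shared mailbox that still has it off, adds the logon and delete owner actions mentioned above where they are missing, and re-reads the mailboxes afterwards to report anything still unaudited. It assumes an existing Exchange Online PowerShell session; the set of owner actions is a choice made for this example.

```powershell
# Added example, not the post's own script. Assumes an Exchange Online
# PowerShell session. The owner actions below are a choice for this example.
$ownerActions = @('MailboxLogin', 'SoftDelete', 'HardDelete', 'MoveToDeletedItems')

$mailboxes    = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox
$enabledCount = 0
$ownerCount   = 0

foreach ($mbx in $mailboxes) {
    # 1. Turn auditing on where it is still off (the tenant default).
    if (-not $mbx.AuditEnabled) {
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
        $enabledCount++
    }

    # 2. Add owner actions that are missing. @{Add=...} appends to the
    #    multi-valued property instead of replacing the existing set.
    $missing = @($ownerActions | Where-Object { $mbx.AuditOwner -notcontains $_ })
    if ($missing.Count -gt 0) {
        Set-Mailbox -Identity $mbx.Identity -AuditOwner @{Add = $missing}
        $ownerCount++
    }
}

Write-Host "Auditing enabled on $enabledCount mailbox(es); owner actions extended on $ownerCount."

# 3. Re-read and report anything still unaudited so the run can be verified.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, AuditEnabled, AuditLogAgeLimit
```

Because Set-MailboxPlan cannot set AuditEnabled, the script has to be rerun on a schedule (from a non-MFA service account with an appropriately scoped role, since MFA-enabled accounts cannot run unattended) so mailboxes created since the last run are picked up.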
- Disable Client-Based Auto-Forwarding - Remote domain settings override settings that users might configure in Outlook or OWA. By default, users are allowed to set up automatic forwarding to any remote domain, but auto-forwarding can be easily disabled by updating the default remote domain named Default. Use Exchange Online RPS "Set-RemoteDomain Default -AutoForwardEnabled:$False". This is a global setting and applies to every email sent from within the tenant. For a little more granular control (i.e., to allow overrides) an Exchange Transport Rule can be employed instead (text from securescore.office.com):
  - If The Sender is located 'Inside the organization'
  - If The Recipient is located 'Outside the organization'
  - If The message type is 'Auto-Forward'
  - Reject the message with the explanation 'External Mail Forwarding via Client Rules is Not Permitted'
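Both controls from this item in PowerShell, as an added example that is not part of the original post: the global remote-domain switch, the transport rule built from the four conditions above with an exception group, and an inventory of mailboxes that already forward today so the impact can be judged before enforcing. It assumes an Exchange Online PowerShell session; the exception group address is a placeholder.

```powershell
# Added example, not code from the original post. Assumes an Exchange Online
# PowerShell session; the exception group is a placeholder.
$exceptionGroup = 'forwarding-exceptions@contoso.example'  # placeholder: approved forwarders

# Option 1: global block via the Default remote domain (no per-user override).
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
Get-RemoteDomain | Select-Object Name, DomainName, AutoForwardEnabled

# Option 2: transport rule matching the Secure Score conditions above, with an
# exception group. Start in Audit mode so the rule records matches without
# rejecting anything; switch -Mode to Enforce once the matches look right.
New-TransportRule -Name 'Block client auto-forward to external recipients' `
    -FromScope InOrganization `
    -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -ExceptIfFromMemberOf $exceptionGroup `
    -RejectMessageReasonText 'External Mail Forwarding via Client Rules is Not Permitted' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Audit

# Inventory: who already forwards today, both server-side and via inbox rules.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.PrimarySmtpAddress } }, Name, Enabled, ForwardTo, RedirectTo
}
```

The transport rule only catches messages Exchange classifies as Auto-Forward; mailbox-level forwarding set by an administrator (ForwardingSmtpAddress) is reported by the inventory loop but is not client-based forwarding, so it has to be reviewed separately.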
- Update the Default MRM Policy (or Create a New One) – The Default MRM policy in Exchange Online includes a move to archive default policy tag as well as a number of personal tags. Update the policy early if needed or create additional policies if desired. As an aside, I am a proponent of using a couple of additional tags, including "Junk Email" and "Deleted Items" (and sometimes "Sent Items"). Also note that if you create a new retention policy, it will have to be assigned to all current and future mailboxes (see Mailbox Plans below for more information on automating). Use Exchange Online RPS "Set-Mailbox <Mailbox> -RetentionPolicy:<PolicyName>".
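An added example, not the post's own code, that builds the policy described above: it creates the Junk Email, Deleted Items and Sent Items tags, links them together with the tags already in the Default MRM Policy into a new policy, assigns that policy to every existing mailbox, and sets it as the default in every mailbox plan for future mailboxes. It assumes an Exchange Online PowerShell session; the tag names, retention ages and policy name are choices for this example.

```powershell
# Added example, not the post's own code. Assumes an Exchange Online PowerShell
# session. Tag names, ages and the policy name are choices for this example.
$policyName = 'Contoso MRM Policy'   # placeholder

# 1. Folder-scoped tags for the three folders the post suggests.
$newTags = @(
    New-RetentionPolicyTag -Name 'Junk Email - 30 days'    -Type JunkEmail    -AgeLimitForRetention 30  -RetentionAction DeleteAndAllowRecovery
    New-RetentionPolicyTag -Name 'Deleted Items - 30 days' -Type DeletedItems -AgeLimitForRetention 30  -RetentionAction DeleteAndAllowRecovery
    New-RetentionPolicyTag -Name 'Sent Items - 1 year'     -Type SentItems    -AgeLimitForRetention 365 -RetentionAction MoveToArchive
)

# 2. Keep the tags already linked to the Default MRM Policy (the move-to-archive
#    default tag and the personal tags) and add the new ones.
$defaultLinks = (Get-RetentionPolicy -Identity 'Default MRM Policy').RetentionPolicyTagLinks
$allLinks = @($defaultLinks | ForEach-Object { $_.ToString() }) + @($newTags | ForEach-Object { $_.Name })
New-RetentionPolicy -Name $policyName -RetentionPolicyTagLinks $allLinks

# 3. Existing mailboxes: assign the policy wherever it is not already applied.
$targets = @(Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox |
    Where-Object { "$($_.RetentionPolicy)" -ne $policyName })
foreach ($mbx in $targets) {
    Set-Mailbox -Identity $mbx.Identity -RetentionPolicy $policyName
}
Write-Host "Policy '$policyName' assigned to $($targets.Count) mailbox(es)."

# 4. Future mailboxes: make the policy the default in every mailbox plan.
Get-MailboxPlan | ForEach-Object {
    Set-MailboxPlan -Identity $_.Identity -RetentionPolicy $policyName
}

# 5. Verify the distribution of policies across the tenant.
Get-Mailbox -ResultSize Unlimited | Group-Object RetentionPolicy | Select-Object Name, Count
```

Step 4 is what covers the "all current and future mailboxes" requirement; without it, mailboxes created after the run still land on the Default MRM Policy and step 3 has to be repeated.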
- Disable Remote PowerShell for Non-Admin Users - By default, all accounts in Exchange Online are allowed to use Exchange Online PowerShell. Administrators can enable or disable a user’s ability to connect to Exchange Online PowerShell. While a user's capabilities in Exchange Online PowerShell are defined by role based access control (RBAC) and the roles that are assigned to them, this access is generally unnecessary for non-admin users and opens up another connectivity method when accounts are compromised. Use Exchange Online RPS "Set-User <Account> -RemotePowerShellEnabled:$False".
- Disable POP3 and IMAP4 (and Other Protocols) on Mailboxes - POP and IMAP are client access protocols not used very often these days, except in the case of application mailboxes. As is the case with many of the client access protocols, they could be utilized to remotely try and guess user credentials. If an organization already requires the use of the Outlook mobile app, the ActiveSync protocol can be disabled since the Outlook mobile app uses its own API in combination with REST. Control options include changing settings on a per-mailbox level (example: Exchange Online RPS: "Set-CASMailbox <Mailbox> -PopEnabled:$False -ImapEnabled:$False"), Exchange Online Mailbox Plans (see below) and Exchange CARs (see below).
- Standardize Future Mailbox Configurations via Mailbox Plans - Some configurations can be deployed via mailbox plans such as quotas, retention policies, RoleAssignmentPolicy, enablement of certain protocols. See articles "Set-MailboxPlan" (link) and "Set-CASMailboxPlan" (link) for additional information.
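One script serving the three preceding items, as an added example that is not the post's own code: it disables POP3/IMAP4 on existing mailboxes except for a named list of application mailboxes, disables Remote PowerShell for every user outside a named admin list, and changes the CAS mailbox plans so future mailboxes are created with the protocols already off. It assumes an Exchange Online PowerShell session; both exception lists are placeholders.

```powershell
# Added example, not the post's own code. Assumes an Exchange Online PowerShell
# session. The exception lists are placeholders for your application mailboxes
# and admin accounts.
$popImapExceptions = @('scanner@contoso.example')   # placeholder: app mailboxes that need POP/IMAP
$adminUpns         = @('admin@contoso.example')     # placeholder: accounts that keep Remote PowerShell

# 1. Existing mailboxes: turn POP3 and IMAP4 off except where explicitly allowed.
$casTargets = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { ($_.PopEnabled -or $_.ImapEnabled) -and
                   ($popImapExceptions -notcontains $_.PrimarySmtpAddress.ToString()) })
foreach ($cas in $casTargets) {
    Set-CASMailbox -Identity $cas.Identity -PopEnabled $false -ImapEnabled $false
}
Write-Host "POP/IMAP disabled on $($casTargets.Count) mailbox(es)."

# 2. Existing users: Remote PowerShell off for everyone but the admin list.
#    Run this from an account that is in $adminUpns, or the run removes its own access.
$rpsTargets = @(Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and ($adminUpns -notcontains $_.UserPrincipalName) })
foreach ($u in $rpsTargets) {
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $false
}
Write-Host "Remote PowerShell disabled for $($rpsTargets.Count) user(s)."

# 3. Future mailboxes: change the defaults in every CAS mailbox plan so new
#    mailboxes are created with the protocols already off.
Get-CASMailboxPlan | ForEach-Object {
    Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
}

# 4. Verify: anything still exposing POP/IMAP should be on the exception list.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled
```

Step 3 only affects mailboxes created after the plan is changed, which is why step 1 is still needed for the existing population; rerunning steps 1 and 2 periodically catches mailboxes whose settings were changed back by hand.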
- Consider Deploying Exchange Client Access Rules (CARs) to Disable Unwanted Mailbox Access Methods - CARs help control access to the organization's email based on client properties or client access requests. CARs are like transport rules for client connections to the Exchange Online organization. While above I mentioned disabling certain features or protocols on a per-mailbox basis (such as PowerShell, POP and IMAP) CARs can be used to disable things more broadly but also allow exceptions. See article "Client Access Rules in Exchange Online" (link) for additional information.
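An added example of the CAR approach, not code from the original post or from the "Client Access Rules in Exchange Online" article. It creates a high-priority allow rule so administrators keep PowerShell access from their own network, a deny rule for POP3, IMAP4 and Remote PowerShell with service accounts exempted by username pattern, and then uses Test-ClientAccessRule to dry-run several client scenarios against the rule set. It assumes an Exchange Online PowerShell session; the IP range, username pattern and test identities are placeholders.

```powershell
# Added example, not the post's own code. Assumes an Exchange Online PowerShell
# session. The network range, username pattern and test identities are placeholders.
$adminEgress  = '203.0.113.0/24'          # placeholder (TEST-NET-3): admin egress range
$serviceAccts = 'svc-*@contoso.example'   # placeholder: application mailboxes that need POP/IMAP

# Rule 1 (evaluated first): keep admin PowerShell reachable from the admin network
# so the deny rule below cannot lock administrators out of the tenant.
New-ClientAccessRule -Name 'Allow admin PowerShell from admin network' `
    -Priority 1 -Action AllowAccess `
    -AnyOfProtocols RemotePowerShell `
    -AnyOfClientIPAddressesOrRanges $adminEgress

# Rule 2: deny legacy protocols and PowerShell for everyone else, with the service
# accounts exempted by username pattern instead of per-mailbox settings.
New-ClientAccessRule -Name 'Deny POP IMAP and PowerShell' `
    -Priority 2 -Action DenyAccess `
    -AnyOfProtocols POP3, IMAP4, RemotePowerShell `
    -ExceptUsernameMatchesAnyOfPatterns $serviceAccts

# Dry-run the rule set before relying on it: the Action returned is what a real
# connection with these properties would receive. Identities are constructed.
$cases = @(
    @{ User = 'alice@contoso.example';    Protocol = 'IMAP4';            Address = '198.51.100.20'; Port = 993 }
    @{ User = 'svc-scan@contoso.example'; Protocol = 'IMAP4';            Address = '198.51.100.20'; Port = 993 }
    @{ User = 'admin@contoso.example';    Protocol = 'RemotePowerShell'; Address = '203.0.113.10';  Port = 443 }
    @{ User = 'admin@contoso.example';    Protocol = 'RemotePowerShell'; Address = '198.51.100.20'; Port = 443 }
)
foreach ($c in $cases) {
    $result = Test-ClientAccessRule -AuthenticationType BasicAuthentication `
        -Protocol $c.Protocol -RemoteAddress $c.Address -RemotePort $c.Port -User $c.User
    '{0,-28} {1,-17} {2,-15} {3}' -f $c.User, $c.Protocol, $c.Address, $result.Action
}

# Final state, in evaluation order.
Get-ClientAccessRule | Sort-Object Priority | Select-Object Priority, Name, Action, Enabled, AnyOfProtocols
```

The first rule is the one to get right: CARs are evaluated in priority order and a deny rule covering RemotePowerShell with no preceding allow rule for administrators removes the very session used to fix it. The last test case (admin from outside the admin network) is expected to be denied, which is the intended behaviour rather than a misconfiguration.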
- Enable New OME (Office Message Encryption) - OME makes it easier to share protected emails with anybody—inside or outside of the organization. If your tenant was created after February 2018, OME should already be enabled by default. However, if it was created before this date then it is likely not enabled. Note that OME requires E3 licenses or higher. Enabling OME takes a bit more than just toggling the feature on, but the procedure is documented. See articles "Office 365 Message Encryption FAQ" (link) and "Set Up New Office 365 Message Encryption Capabilities Built On Top of Azure Information Protection" (link) for additional information.
- Deploy Report Message Outlook Add-in For All Users - This is not the legacy Outlook COM add-in that was deployed via MSI but rather, a new Report Message add-in for Outlook that enables users to easily report misclassified email, whether safe or malicious, to Microsoft for analysis. Microsoft uses these submissions to improve the effectiveness of email protection technologies. You can easily enable the add-in for your entire organization for both OWA and Outlook click-to-run. In order to see what users are doing, organizations can also create a transport rule to copy the messages off to another mailbox for later review. See article "Enable the Report Message Add-In" (link) for additional information.
- Deploy Office 365 ProPlus Monthly (Used To Be Called Current) Channel to Everyone - Many organizations take a conservative approach to deploying Office to users and often choose to deploy the Semi-Annual (used to be called Deferred) channel to most users. However, when doing so, organizations run the risk of having to deal with/live with potential issues until the next build release, which could be up to 6 months away (now with releases in January and July), since only security updates are addressed between releases. If an issue is impactful enough, the only workaround organizations have is to move users up to Semi-Annual (Targeted) or to Monthly. This could be on a temporary basis (moved back when the issue is fixed), but this can be time consuming and disruptive for the user who is already dealing with an issue. If the frequency of updates and potential changes is manageable for your users, consider deploying Monthly to the majority of the organization and Semi-Annual as an exception. See article "Overview of Update Channels for Office 365 ProPlus" (link) for additional information.