Checklist for securing your SharePoint Online

A colleague of mine asked me yesterday whether there was any security checklist for SharePoint Online, because he had recently run into a major incident in an IaaS cloud in which several production virtual machines were deleted. The incident triggered an audit plan across his entire organization, covering not only the IaaS cloud but also SaaS clouds.

SharePoint Online is part of Office 365, which has been proven to meet the requirements of a number of industry compliance certifications, but you still have to prepare your own SharePoint Online environment for secure collaboration. The more you open up for collaboration, the more risk you take on. Most security incidents in a collaborative environment are caused by people, and are neither well planned for nor foreseen. In this article, I'm going to share a list of what you need to do to make your SharePoint Online more secure. At the end of the day, feeling safe is the goal.

#1 – Role-based access control

Rule number one must be implementing role-based access control in the Office 365 admin portal. If you have many people delivering solutions for customers in your Office 365 tenant, draw up a sheet of admin roles and the users or groups each one is properly assigned to. There are three administrator roles in Office 365 that you can grant to your engineers or developers. These apply across a set of Office 365 services; for SharePoint Online specifically, the relevant roles are Global administrator, Billing administrator, Password administrator, Service administrator, SharePoint administrator and User Management administrator, plus Power BI service administrator in case you use Power BI with SharePoint to visualize your data.

Each role carries its own permissions, which may affect your security policy. A common mistake is to assign Global administrator to many people to make access and privileges across all areas of Office 365 easier. That would turn into a huge problem if one of them intentionally sabotaged your company. Go check the list of Office 365 administrator roles and their respective permissions.
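The "sheet of admin roles" this section recommends can be generated rather than maintained by hand. The script below is an added example, not code from the original post; it uses the MSOnline PowerShell module (Connect-MsolService, Get-MsolRole, Get-MsolRoleMember) to export every directory role assignment to a CSV and then flags how many people hold Global administrator, which MSOnline names "Company Administrator". The output path is an assumption.

```powershell
# Added example (not from the original post): inventory of Office 365 admin role
# membership, exported as the "sheet" the section recommends keeping.
# Assumes the MSOnline module is installed (Install-Module MSOnline) and that the
# account running it can read directory roles. The output path is an assumption.
Import-Module MSOnline
Connect-MsolService   # prompts for credentials

$outFile = ".\O365-AdminRoles.csv"   # assumed output path

# Every directory role, with each member's sign-in name and member type
# (User, Group or ServicePrincipal)
$assignments = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role        = $role.Name
            Member      = $member.EmailAddress
            DisplayName = $member.DisplayName
            MemberType  = $member.RoleMemberType
        }
    }
}

$assignments | Sort-Object Role, Member | Export-Csv -Path $outFile -NoTypeInformation

# Flag the over-assignment the section warns about: Global administrator is
# named "Company Administrator" in MSOnline. Everyone listed here should be
# justified on the sheet; anyone who only needs SharePoint should hold
# "SharePoint Service Administrator" instead.
$globalAdmins = @($assignments | Where-Object Role -eq 'Company Administrator')
"{0} Global administrator(s):" -f $globalAdmins.Count
$globalAdmins | Format-Table Member, DisplayName, MemberType -AutoSize
```

Re-run the export periodically and diff it against the previous copy; a new row in the Company Administrator group that nobody on the sheet can explain is exactly the kind of change an audit should catch.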

#2 – Password Complexity

This rule is well known, yet not many organizations pay attention to it. If your password is simple, it is guessable. If you use Azure AD to manage your Office 365 accounts, enabling password complexity is a recommended best practice for SharePoint Online security. Read Password policies and restrictions in Azure Active Directory to learn more about the complexity requirements for user accounts stored in Azure AD. If you wish to enable the password complexity feature, simply set the StrongPasswordRequired property to true on your users. See the sample below.

Make sure to notify your end users after you execute the command, because they will have to change to a complex password at their next login.

#3 – Password Expiration

Setting password expiration is a common practice in information security. In large organizations this rule is part of corporate compliance. With password expiration, you are forced to change to another password, one you may never have thought of before. That is good because even you, the password owner, can hardly memorize it, so brute-forcing is not easy. Office 365 allows you to enable a password expiration policy.
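Sections #2 and #3 both come down to MSOnline settings, so one script serves both. It is an added example, not the post's own sample: it lists the users whose StrongPasswordRequired flag is still off, turns it on (so the owners can be notified as #2 advises), then sets the domain's expiration policy with Set-MsolPasswordPolicy and reports the accounts flagged PasswordNeverExpires, which would otherwise silently bypass #3. The domain name, the 90-day validity and the 14-day notification window are assumed placeholders.

```powershell
# Added example (not from the original post): enforce strong passwords (#2) and
# a password expiration policy (#3) with the MSOnline module.
# Assumptions: MSOnline is installed; the domain name, 90-day validity and
# 14-day notification period are placeholders for your own policy.
Import-Module MSOnline
Connect-MsolService

$domain       = "contoso.onmicrosoft.com"   # assumed tenant domain
$validityDays = 90                          # assumed expiry period
$notifyDays   = 14                          # assumed warning period

# --- #2 Password complexity ---------------------------------------------------
# Users without StrongPasswordRequired can keep passwords that fail Azure AD's
# complexity rules. List them first so their owners can be warned (they must
# pick a complex password at next sign-in), then enforce the flag.
$weak = @(Get-MsolUser -All | Where-Object { -not $_.StrongPasswordRequired })
"{0} user(s) without strong password enforcement" -f $weak.Count

foreach ($u in $weak) {
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongPasswordRequired $true
    "Strong password now required for {0}" -f $u.UserPrincipalName
}

# --- #3 Password expiration ---------------------------------------------------
# The expiry policy is set per domain. Accounts flagged PasswordNeverExpires
# ignore it, so report them instead of leaving the exception unnoticed.
Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod $validityDays -NotificationDays $notifyDays
Get-MsolPasswordPolicy -DomainName $domain

$exempt = @(Get-MsolUser -All | Where-Object { $_.PasswordNeverExpires })
if ($exempt.Count -gt 0) {
    "Accounts exempt from expiration (review each one):"
    $exempt | Select-Object UserPrincipalName, LastPasswordChangeTimestamp | Format-Table -AutoSize
}
```

Run the first half with the Set-MsolUser line commented out once, to see how many users are affected, before enforcing it tenant-wide; the notification step in the post is much easier when you know the list in advance.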

#4 – Self-Service Password Reset

People feel that self-service password reset is not relevant to information security. However, I would say it is relevant in terms of user experience. In large organizations with thousands of users, empowering them to reset their own passwords is a good way to save administrative time.

In addition to the password reset policy, you can restrict password reset to a specific group. Make sure you have Azure AD Premium, Azure AD Basic, or a paid O365 license to enable this feature. Here is step-by-step guidance on how to enable password reset.

#5 – Policy & Location-based Access Rule

In the past I was asked many times whether limiting access to Office 365 was possible. Back then the only solution was to dig deep into the network configuration and create firewall rules to restrict access. Fortunately, as of this writing, deploying a policy and location-based access rule in Office 365 should not be a challenge. Location means the IP address or origin from which your client or device makes the request. For example, if I am an employee whose traffic comes from Singapore's fixed IP address range, I should not be able to access the SharePoint Online sites in the USA that primarily executives work on. With Active Directory Federation Services (AD FS), you can create a template to block extranet access.

#6 – Control Sharing

One of the interesting features of SharePoint Online is the ability to share documents or grant access to somebody outside your organization without having to set up a complex federation solution. That said, people tend to use the sharing feature with their suppliers or partners, which opens a security hole if it is not controlled. In SharePoint Online, make sure you know how to control sharing and the types of guests you allow.

You can also turn external sharing on or off for individual site collections. If you like scripting, the sample below may help.
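As an added example (not the post's own sample), the script below uses the SharePoint Online Management Shell (Connect-SPOService, Get-SPOSite, Set-SPOSite) to list every site collection that currently allows external sharing, disable it everywhere except on an explicit allow list, and strip anonymous "anyone" links from the allowed sites. The admin URL and the partner-extranet site in the allow list are assumptions.

```powershell
# Added example (not from the original post): review and restrict external
# sharing per site collection with the SharePoint Online Management Shell.
# Assumptions: the module is installed, the admin URL is a placeholder, and the
# allow list of sites that may share externally is yours to fill in.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # assumed admin URL

# Site collections permitted to share with people outside the tenant,
# e.g. a dedicated partner extranet. Everything else gets locked down.
$allowedToShare = @(
    "https://contoso.sharepoint.com/sites/partner-extranet"   # assumed
)

# SharingCapability values: Disabled, ExistingExternalUserSharingOnly,
# ExternalUserSharingOnly, ExternalUserAndGuestSharing. The last one permits
# anonymous "anyone" links and is the riskiest.
$sites = Get-SPOSite -Limit All | Select-Object Url, SharingCapability

"Site collections with external sharing enabled:"
$sites | Where-Object SharingCapability -ne 'Disabled' | Format-Table -AutoSize

foreach ($site in $sites) {
    if ($site.SharingCapability -eq 'Disabled') { continue }

    if ($allowedToShare -contains $site.Url) {
        # Allowed sites may share with authenticated guests, but not anonymously
        if ($site.SharingCapability -eq 'ExternalUserAndGuestSharing') {
            Set-SPOSite -Identity $site.Url -SharingCapability ExternalUserSharingOnly
            "Anonymous links removed on {0}" -f $site.Url
        }
        continue
    }

    Set-SPOSite -Identity $site.Url -SharingCapability Disabled
    "External sharing disabled on {0}" -f $site.Url
}
```

A site collection can never be more permissive than the tenant, so set the ceiling first with Set-SPOTenant -SharingCapability; the per-site loop above then only ever tightens within that ceiling.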

#7 – Audit logging in Office 365

When you need to investigate something, for example who attempted to access a sensitive document, audit logging is your friend. Audit logging is also part of industry information security compliance, ensuring CIA (Confidentiality – Integrity – Availability). The report, which is powered by the Office 365 Security & Compliance Center, gives you full details including Date, Activity, IP address, Item and Detail.

Kudos to Microsoft for understanding its customers so well; the filtering on the left-hand side impressed me.

For SharePoint Online specifically, go to the site collection settings to enable the auditing feature, which I believe you have been familiar with for a while.
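The same investigation the section describes ("who attempted to access a sensitive document") can be run from PowerShell instead of the portal. This is an added example, not from the original post: it queries the unified audit log with Search-UnifiedAuditLog (an Exchange Online cmdlet, so an Exchange Online PowerShell session is assumed to be connected; Connect-ExchangeOnline from the ExchangeOnlineManagement module is used here), filters on one document URL, and unpacks the JSON AuditData into the Date, Activity, IP address, Item and user columns the report shows. The document URL and the seven-day window are assumptions; tenant audit logging must already be turned on.

```powershell
# Added example (not from the original post): pull SharePoint file events for
# one sensitive document out of the Office 365 unified audit log.
# Assumptions: the ExchangeOnlineManagement module is installed, audit logging
# is already enabled for the tenant, and the document URL and 7-day window
# are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # Search-UnifiedAuditLog lives in Exchange Online PowerShell

$docUrl = "https://contoso.sharepoint.com/sites/finance/Shared%20Documents/Q4-forecast.xlsx"  # assumed
$start  = (Get-Date).AddDays(-7)
$end    = Get-Date

# File operations that answer "who touched this file"
$ops = 'FileAccessed', 'FileDownloaded', 'FileModified', 'FileDeleted'

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointFileOperation -Operations $ops `
    -ObjectIds $docUrl -ResultSize 5000

# AuditData is a JSON string; expand it into the columns the portal report shows
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        Activity  = $d.Operation
        User      = $d.UserId
        ClientIP  = $d.ClientIP
        Item      = $d.SourceFileName
        UserAgent = $d.UserAgent
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Quick triage: a client IP outside the ranges you expect (see #5) stands out
"Distinct client IPs: " + (($rows.ClientIP | Sort-Object -Unique) -join ', ')
```

ResultSize caps at 5000 per call; for a busy document over a longer period, narrow the window or page through with the SessionId and SessionCommand parameters of the same cmdlet.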

#8 – Multi-factor Authentication

There is no need to develop a complicated solution: Office 365 already provides a multi-factor authentication feature which you can set up with just a few clicks. From the user experience perspective multi-factor authentication is quite annoying, but for security it is valuable. It ensures that if your password is compromised, the attacker still cannot get in without the SMS message containing the one-time password or auto-generated code sent to your mobile phone.
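The "few clicks" are per user, which does not scale well for a tenant with a long admin sheet. As an added example (not from the original post), the script below uses the MSOnline module to find every user holding one of the administrator roles from #1 and set per-user MFA to Enforced through the StrongAuthenticationRequirements property. The set of roles to protect is an assumption you adjust to your own sheet.

```powershell
# Added example (not from the original post): require multi-factor authentication
# for every member of the listed Office 365 administrator roles, using the
# per-user MFA setting exposed by the MSOnline module.
# Assumptions: MSOnline is installed; the role list is yours to adjust.
Import-Module MSOnline
Connect-MsolService

$protectedRoles = @(
    'Company Administrator',              # Global administrator
    'SharePoint Service Administrator',
    'User Account Administrator',         # User Management administrator
    'Helpdesk Administrator'              # Password administrator
)

# Per-user MFA state is kept in StrongAuthenticationRequirements:
# empty = Disabled, State "Enabled" = user must register, "Enforced" = always required.
function Get-MfaState($user) {
    $req = $user.StrongAuthenticationRequirements
    if ($req -and $req.Count -gt 0) { $req[0].State } else { 'Disabled' }
}

# Resolve role members (users only; groups and service principals are skipped)
$members = foreach ($roleName in $protectedRoles) {
    $role = Get-MsolRole -RoleName $roleName
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Where-Object RoleMemberType -eq 'User' |
        ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId }
}
$members = $members | Sort-Object ObjectId -Unique

foreach ($u in $members) {
    $state = Get-MfaState $u
    if ($state -eq 'Enforced') { continue }

    # A user who has not registered a method yet is asked to register at next sign-in
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State        = 'Enforced'
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($req)
    "MFA {0} -> Enforced for {1}" -f $state, $u.UserPrincipalName
}
```

Passing an empty array to -StrongAuthenticationRequirements turns per-user MFA back off, so keep this script in source control and review changes to the role list the same way you review the admin sheet itself.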

#9 – Information Rights Management

Information Rights Management (IRM) in information security ensures your information is protected and *hard* for an unauthorized user to compromise. SharePoint Online has a feature named Information Rights Management, but before using it you need to activate the Rights Management Service, which is now powered by Azure Information Protection.

Before setting up IRM in SharePoint Online, be sure to have a plan for what is to be protected.

#10 – Data Loss Prevention

Information leakage is a big deal today because of the rapid growth of information and the trend of digital transformation. To meet that demand, Microsoft recently rolled out Data Loss Prevention (DLP) in Office 365, offering you a number of different ways to control leakage. For example, if a document contains a credit card number, your site administrator will be notified via email. Combining the eDiscovery Center in SharePoint Online with DLP in Office 365, you now have a more secure environment.

#11 – Coding Security Practice

The practices you apply may vary depending on the library you use for customization and add-in development. The OWASP Secure Coding Practices guide is always the first thing I recommend to my development team. If budget is not a problem, or security is at the top of your mind, then you may consider purchasing an enterprise code analysis tool such as Coverity or HP Fortify.

#12 – Identity Protection

[Updated on April 01, 2018]

By default SharePoint Online uses Azure Active Directory for identity and access management. If you do not implement a hybrid deployment that authenticates against your on-premises Active Directory, you need to protect your identities in Azure Active Directory. By default, Azure Active Directory only gives you logging capabilities to monitor activity and sign-in logs, which is basically enough. However, if you would like advanced identity protection (e.g. conditional access, advanced alerts, risk-based rules and so forth), you should enable Azure Active Directory Premium.

Moreover, Microsoft recently announced Attack Simulator for Office 365, which may benefit your identity penetration testing. Attack Simulator lets you simulate some common attacks targeting end users, such as email phishing, brute-force password and password spray attacks.

This list is surely not exhaustive. It still depends on your deployment scenario, which may differ from my case. For example, the Secure Store service is recommended for securing connection strings, if any are used. No matter what your deployment looks like, a plan to make your collaborative environment more secure is a must. Not because you are afraid of security threats, but because today, in the digital transformation, your information is 100% valuable to anyone.

© 2018 The Soldier of Fortune.