Tweaks and best practices for Office 365

A list of tweaks and best practices for configuring Office 365 most of these were shamelessly stolen from the sysadmin today podcast, some were also taken from Microsoft Office 365 deployment guidance. As Microsoft continues to develop their platform much of this will change but I think at the moment this is a great starting point.

1. Establish main tenant administrator with strong password and MFA and create a break glass global admin account using yourtenet.onmicrosoft.com so if a mistake is made you can still login to Office 365 as a global admin. 

2. Enable/Verify that modern authentication is enabled and or enable security defaults in azure AD, if you are deploying hybrid configure conditional access rules so your Exchange service account is never prompted for 2fa from your exchange servers IP.

3. Setup tenant profile with organization information: https://admin.microsoft.com/AdminPortal/Home#/companyprofile

4. Configure Account Recovery Options: https://aka.ms/ssprsetup

5. Grant Delegated Admin to CSP (if MS Partner)

6. Disable self service Purchases across the board:

Install-Module -Name MSCommerce #once you install you should remove this line
Import-Module -Name MSCommerce 
Connect-MSCommerce #sign-in with your global or billing administrator account when prompted
Get-MSCommerceProductPolicies -PolicyId AllowSelfServicePurchase | forEach { 
Update-MSCommerceProductPolicy -PolicyId AllowSelfServicePurchase -ProductId $_.ProductID -Enabled $false  }

7. Consider limiting group creation so that only users of the group “Group Admins” security group are allowed to create office 365 groups: https://docs.microsoft.com/en-us/office365/admin/create-groups/manage-creation-of-groups?view=o365-worldwide

8. Configure Tenant alerts email addresses as a distribution group and set it in powershell.

Set-AzureADTenantDetail -SecurityComplianceNotificationMails "[email protected]" - TechnicalNotificationMails "[email protected]" -MarketingNotificationEmails "[email protected]"

9. Enable Unified Audit Logging

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $True

10. Enable Mailbox Audit Logging

$AuditSettings = @{
AuditEnabled = $True AuditLogAgeLimit = 365 AuditOwner =
"Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update,UpdateCale ndarDelegation,UpdateFolderPermissions,UpdateInboxRules"
AuditDelegate = "Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelet e,Update,UpdateFolderPermissions"
AuditAdmin = "Copy,Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,Soft Delete,Update,UpdateCalendarDelegation,UpdateFolderPermissions,UpdateInboxRules"
}

Get-Mailbox | Set-Mailbox @AuditSettings

11. Set Language and Time Zone for All Users this will save them a step when they first sign in

Get-Mailbox | Get-MailboxRegionalConfiguration | ? {$_.TimeZone -eq $null} | Set-MailboxRegionalConfiguration -Language 1033 -TimeZone "Central Standard Time"

12. Increase Deleted Item Retention from 14 to 30 Days

Get-Mailbox -ResultSize unlimited | Set-Mailbox -RetainDeletedItemsFor 30

13. Show mailtip for External Recipients

Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $True

14. Show mailtip for large number of recipients (Shows tip Beyond threshold)

Set-OrganizationConfig -MailTipsLargeAudienceThreshold 10

15. Set Outbound Spam Notifications

Set-HostedOutboundSpamFilterPolicy Default -NotifyOutboundSpam $true - NotifyOutboundSpamRecipients “[email protected]”

16. Prevent Inbox Rules Forwarding Messages Externally, strongly recommend. 

Set-RemoteDomain Default -AutoForwardEnabled $false

17. Prepend Disclaimer on External Messages

$TransportSettings = @{
Name = 'External Sender Warning'
FromScope = 'NotInOrganization'
SentToScope = 'InOrganization'
ApplyHtmlDisclaimerLocation = 'Prepend' ApplyHtmlDisclaimerText = "<p><div style='border:solid #9C6500
1.0pt;padding:2.0pt 2.0pt 2.0pt 2.0pt'><p class=MsoNormal style='line- height:12.0pt;background:#FFEB9C'><b><span style='font- size:10.0pt;color:#9C6500'></span></b><span style='font- size:10.0pt;color:black'>[EXTERNAL]<o:p></o:p></span></p>"
ApplyHtmlDisclaimerFallbackAction = 'Wrap' }

New-TransportRule @TransportSettings

18. Increase OneDrive Deleted User Retention (up to 3650 days) no typo 10 years is correct and can be configured.

Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 180

19. Disable IMAP / POP Protocols For Current Users, also strongly recommend.

Get-CASMailbox -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | Select-Object @{n = "Identity"; e = {$_.primarysmtpaddress}} | Set-CASMailbox -ImapEnabled $false -PopEnabled $false

and for Future Users

Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

20. If migrating a large environment call Microsoft and ask them to disable throttling for your tenet.

Misc.

• Have an Office 365 Backup Policy in place.
• Enable DKIM and DMARC
• Setup Anti-SPAM and Anti-Phishing policies
• Use email encryption
• Setup Alert Polices. (Creation of forwarding/redirect rule, permissions changes, Unusual volume of external file sharing etc)
• Use MDM for all mobile devices that store company data.
• Use Rights Management.
• Setup compliance reviewers for eDiscovery and Supervision.
• DLP Policies: * Setup External Sharing Polices * Define what data is important (SSN, CC, Health Records, Salaries, Accounts, PST MSG etc) * Create notifications when users share external data based on your defined criteria. * Take it to the next level in your policy and prevent data from being sent that matches the criteria.
• Secure SharePoint with multiple doc libraries.
• Always use group level permissions. Use custom permission levels. (i.e. edit but not delete)
• Disable anonymous guest link sharing

Azure AD Notes (Some features may require advanced licensing like Azure AD Premium P1)

• Enable Group-Based Licensing to automatically assign O365 Licenses based on AD group (TIP: you can create groups with dynamic membership based off user principle name, this is a great way to give every new user a base set of apps while excluding your break glass and other admin accounts automatically)
• Branding: Customize logos and colors to provide a branded and recognizable logon
• experience. Train users to not enter their password if they don’t see the branding
• MFA: Enable MFA for all users
• Trusted IPs: Configure trusted IPs to bypass MFA for the office; This will ease resistance to the MFA burden for end users
• Review Secure Score and work to increase it: https://securescore.office.com/
• Use Conditional Access to prevent all access from outside your country (be sure to exclude
• an account as a safety measure against accidentally locking yourself out of the whole tenant)

Reporting Audits

• LicenseReconciliationNeeded (Mailboxes at risk of being deleted due to lack of license)
• Tenants with more licenses than consumed (wasting money)
• Users without MFA Enabled/Enforce

Useful Group Policy WMI Filters

One of group policy’s best yet seldom used features is WMI filtering which allows an admin to apply policies to windows computers conditionally instead of statically based on what OU a computer or user object is in. Here are a few of my favorites, all of them are in root\CIMv2 unless otherwise specified.

Filter by OS Install Date Incredibly useful if you are looking to push new software automatically to only new computer or computers that have been freshly imaged with MDT. The example below will only apply to computers that have an install date greater than 2016-04-09

SELECT * FROM win32_operatingsystem WHERE Installdate>="20160409111400.0+0"

Filter by Memory Type This allows you to filter by desktops and laptops if you have desktops that do not have sodimm memory. If you do have desktops with sodimm memory you might combine this with another WMI filter that queries if systems have a battery present

Note that If you have systems which are small form factor and have UPS’s attached this may not work for you.

Desktops (devices not using SODIMMs)

Select * from Win32_PhysicalMemory WHERE (FormFactor != 12)

Laptops (devices using SODIMMs)

Select * from Win32_PhysicalMemory WHERE (FormFactor = 12)

Filter by Windows Desktop Operating Systems Filtering by Windows Desktop Operating Systems is useful if you have changed the default Computers Container to an OU with policies applied, doing this ensures that when Servers are joined to the domain and appear in an OU instead of a container they do not pickup group policies designed for desktops.

select * from Win32_OperatingSystem WHERE ProductType = "1"

Filter for Windows 10

select * from Win32_OperatingSystem where Version like "10.%" and ProductType="1"

Filter for a specific build of windows 10 In this case windows 10 1909 useful if you want to control windows update with group policy.

select * from Win32_OperatingSystem where Version like "10.0.18363" and ProductType="1"

Filter for 64 Bit Windows Servers

select * from Win32_OperatingSystem where (ProductType = "2") OR (ProductType = "3") AND  OSArchitecture = "64-bit"

From these you should find that you can filter just about all the various parts of your windows 10 infrastructure.