Microsoft Office 365 Security Guidance: Administrator good practice

Created:  24 Nov 2015
Updated:  08 Aug 2016
CESG Archive

Archive content originally produced by CESG that has not yet been absorbed into the new NCSC web pages.

 The secure configuration of a cloud-hosted service aligns with government’s guidance on implementing the Cloud Security Principles. Please send any feedback you may have to


1. Office 365 Admin Centre

The OAC allows an administrator of O365 to configure users’ settings and privileges (including restricting user access to O365 features) using the O365 Portal. There are additional Admin Centres for certain individual services; such as the Exchange Admin Centre (EAC) and the SharePoint Admin Centre (SAC), which are available under OAC | Admin.

The OAC provides some security options that need to be addressed:

  • The password expiry policy should automatically be the same as the on-premise policy if the enterprise is implementing federated identity with O365. Otherwise, the expiry policy can be set or changed for O365 under OAC | Service Settings | Passwords.

  • The decision to enable two-step verification should be assessed as part of enterprise’s authentication practice, as an option to enhance the security of user access. CESG strongly recommend it for at least administrative users. It can be implemented with a phone call, a mobile app, or an SMS message. Enabling two-step verification will disable PowerShell access for that account. If it is required, CESG recommend having a separate administrator account for PowerShell access, which should be disabled until it is needed.

2. Users

There are some security considerations relating to users:

  • Not all features will be needed by all users. CESG recommend that an administrator takes the time to familiarise themselves with the features available to users and consider their relevancy to the enterprise. There should also be continued careful observation of the services features available to users as Microsoft develops its product range. Restricting a user’s access to features can be done on initial deployment by not assigning a license for that feature. If configured after initial deployment, licenses can be added or removed from groups of users.

  • Under no circumstances should a user’s login credentials be known to anyone other than the user. The credentials are only needed for the normal login process, and are not needed for any diagnostic process.

When removing a user from O365 two options are available, the choice of which should be defined by an enterprise’s data retention policy:

  1. Remove their account from O365. This will delete all user data and remove all licenses. There is a 30-day grace period in which a user account may be restored. The user’s data may be exported by an administrator during this period (for example, to OneDrive) and will be deleted at the end of this period. A mailbox can be retained by converting it to a shared mailbox before removal of the account; other users are added and the original user removed, giving control to the new users and freeing up the license. No passwords are required to access a shared mailbox. Microsoft provide guidance on converting a mailbox. If an enterprise synchronises user accounts to O365 from a local Active Directory (AD) environment, ensure that the user accounts are deleted and restored in the AD service.

  2. Disable their account. This will retain all information about the user until an administrator removes it and will block the user from accessing their account. The sign-in status should be set to “Blocked” under Users | User Page | Settings.

3. Administrative controls

Users can be granted administrative privileges by assigning administrator roles to them. These roles determine what information they can access and which management tasks they can perform.

  • Microsoft offer pre-built administrator roles which allow common business functions to be fulfilled, such as a Billing Admin.

  • It cannot be assumed that an administrator role directly translates across all services – different services have individual permission structures, such as SharePoint.

  • The pre-built Global Admin role grants the user access to all features in the OAC. They can manage all aspects of the enterprise’s account. Careful assignment of this role to a small number of users should be ensured; its elevated access permissions are not required for many administrative tasks.

The principle of ‘least privilege’ should be adopted when:

  • assessing each user’s administration requirements

  • fulfilling good practice for administrative users by assigning them separate, non-privileged accounts to be used when they carry out non-privileged work

It is possible to delegate an external administrator; this administrator must be a Microsoft authorised partner. They will be able to create or edit users, reset user passwords, manage user licenses, manage domains and assign administrator permissions to other users in an enterprise. If this option is pursued, CESG recommend that careful thought is given to the amount of control that should be given to the partner enterprise.

4. Sharing Controls

O365 is a collaborative toolset and working environment; rather than using the traditional model of only sharing information through email, there are many ways in which enterprise information can be shared using O365. For example, SharePoint Online allows users to share documents and information through the creation and editing of sites and site collections, onto which sharing permissions can be applied. O365 also allows users to share some information externally by default; for instance they can use a public URL to share their calendars.

The security of the collaborative features of O365 should be assessed, with some features outlined here:

  • The external sharing of user’s Calendars, Sites and Lync accounts can be turned off under External Sharing in the OAC

  • External sharing for Integrated Apps can be turned off under External Sharing | Sharing Overview | Integrated Apps. If turned on, enterprise users can allow third party apps to access their O365 information. In addition, turning off Integrated Apps does not remove installed apps or revoke permissions. Even after turning Integrated Apps off, administrators can still register apps to make them available to their users and allow those apps access to their users’ information.

  • OneDrive for Business is primarily a personal data store. On initial deployment the existing folder on OneDrive has permissions of “shared with everyone”. By default, all user-created folders can only be read and edited by the creator. The sharing permissions of a folder can be changed when viewing the folder under OAC |OneDrive.

  • Files can be shared with others in the enterprise by saving into a shared folder. Files automatically inherit the permissions of their folder but individual permissions can be changed.

5. SharePoint Online

The first defined Global Admin (GA) automatically becomes the first SharePoint administrator. However, SharePoint has its own security model – the GA is the only role which transfers directly to SharePoint. To share a specific document or site, Microsoft has detailed several ways in which a document can be shared.

SharePoint has the option to allow users to include custom scripting in their sites. An administrator should consider whether they want to allow their users to do this.

Sites in SharePoint are organised into site collections.

  • Site collections are hierarchical - all sites in a collection are organised under one root site. Any settings applied to the root site will apply by default to all sites in the collection, although settings can be personalised for individual sites.

  • Site collection administrators can manage SharePoint Online at the site collection level, and their permissions extend to all sub-sites and content in that site collection.

Configuration of SharePoint Online can enable a number of different sharing models and the default permissions depend on where content is created and stored:

  • The options for sharing sites and documents include sharing with invited authenticated users who must sign in with a Microsoft or work or school account. Alternatively, guest users who do not require credentials can sign in via a guest link. CESG recommend that by default, most users should only be able to share documents within their enterprise. When they are to be shared externally, CESG strongly recommend that this is done using the invite mechanism which requires the guest to authenticate. For sites where external sharing is enabled, an administrator should consider enabling Azure RMS to protect the data.

  • External sharing is turned on by default for the entire SharePoint Online environment

  • External sharing can be turned on or off for the whole of SharePoint or for individual site collections, in line with the enterprise’s sharing policy.

  • Administrators should be aware that in order for external sharing to be enabled for some sites, it must be first turned on for the whole O365 instance. It can then be turned off for individual sites.

Default sharing permissions also depends on the type of SharePoint site. These include:

  • Team Sites: all users of the enterprise have read and write access to documents by default. These permissions can be altered to only allow some users, groups or devices to access or write to files. If the functionality is enabled, individual files or the entire site can be shared with named individuals outside of the enterprise.

  • Public Sites: can publish documents directly to the Internet. All content on this site will be readable without authentication. Publishing rights can be restricted to a subset of authenticated users by assigning permissions on creation of the site. Microsoft removed the ability to create public sites on SharePoint in January 2015 - any purchase of O365 and SharePoint after this date will not have the option to implement them. Existing users will get two years of public site usage before it is fully removed.

As with other online services, sharing controls only restrict access to items while they are stored inside O365. The ability to share documents outside of an enterprises’ O365 instance is not usually desired for enterprises which handle sensitive information. Azure Rights Management Services (RMS) can be enabled to maintain access controls when documents are sent between users outside of O365, and to keep them encrypted when in transit. Note that these controls are designed to prevent accidental data loss, rather than to protect against a malicious user.

Templates for classifications can be created to apply different settings and permissions to a certain classification. For example, RMS could be used to identify and protect OFFICIAL SENSITIVE documents in the SharePoint file store.

6. Data privacy

The European Parliament has issued a directive (95/46/EC), which describes the protection of individuals with regard to the processing and free movement of personal data. Microsoft’s standard contractual terms for Office 365 include EU model contract clauses to accord with this directive.

Was this guidance helpful?

We need your feedback to improve this content.

Yes No