Microsoft 365 Best Practice Security

It is becoming more and more common for hackers and scammers to try to get access to people's Microsoft 365 accounts. Once access is gained a lot of damage can be done, including using your accounts for spamming or other illegal activities. There are some best practices that can be followed to keep you as safe as possible, and we'll outline them below.

MFA (Multi Factor Authentication)

This is the single most important thing you can do to protect your Microsoft 365 account. Even if your username and password are compromised, your account cannot be accessed without passing an MFA check first.

MFA means that if someone tries to log into your account from a new machine (or an existing machine that hasn't been used in some time) they'll be prompted not only to put in your password but also to verify with a code sent to a mobile number or app.

MFA can be enabled by ITP on your Microsoft tenant and then can be set up by each user using one of the following guides:

Set up MFA via a Mobile Number

Set up MFA via the Authenticator App
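Once MFA has been enabled on the tenant, an administrator will want to check who has actually completed one of the guides above. The following script is an added example, not part of the original article, and uses the Microsoft Graph PowerShell SDK to list every user who has no MFA method registered yet. It assumes the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules are installed and that the signed-in admin can consent to the two scopes requested.

```powershell
# Added example, not part of the original article: report which users in the
# tenant have not registered an MFA method, using the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph.Authentication and Microsoft.Graph.Reports modules
# are installed and the signed-in admin can consent to the scopes below.
Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

# One row per user: IsMfaRegistered says whether any MFA method is set up,
# MethodsRegistered lists which ones (for example mobilePhone or microsoftAuthenticatorPush).
$details = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

$report = $details | Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered,
    @{ Name = 'Methods'; Expression = { $_.MethodsRegistered -join ', ' } }

# Users with no MFA at all are the priority; list admins without MFA first.
$missing = $report |
    Where-Object { -not $_.IsMfaRegistered } |
    Sort-Object @{ Expression = 'IsAdmin'; Descending = $true }, UserPrincipalName

"{0} of {1} users have no MFA method registered" -f $missing.Count, $report.Count
$missing | Format-Table -AutoSize

# Keep a CSV so progress can be tracked as users work through the set-up guides.
$report | Export-Csv -Path .\mfa-registration.csv -NoTypeInformation
```

Run the script again after a week or two and compare the CSV files; any account that is still missing from the registered list, and especially any admin account, is the one to chase first.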

Secure Passwords

Every user on your Microsoft 365 tenant should have a secure password. This means a minimum of 8 characters with a combination of uppercase and lowercase letters, numbers and symbols. You should also avoid having any full words in there. It should also be a password that you only use for Microsoft 365 and never use on any other sites. To give an example, below I have set out a table with variations on a password and then given the estimated time to crack it via brute force:

You can quickly see how building up a longer, more jumbled password can secure you. You can try it out yourself by using the site below to test your own passwords:
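The estimate behind tables like the one above is simple arithmetic: the number of possible passwords is the size of the character set raised to the power of the length, and the worst-case cracking time is that number divided by how many guesses per second an attacker can make. The function below is an added example (not the author's table or the site mentioned above) that carries that calculation through in PowerShell for a few constructed password variations. The guess rate of 10 billion per second is an assumed figure for offline cracking of a weak hash; real rates depend on the hash algorithm and the hardware, so treat the output as relative, not absolute.

```powershell
# Added example, not part of the original article: estimate the worst-case time
# for a brute-force search of the whole keyspace of a password. The guess rate
# (10 billion per second) is a constructed assumption, not a measured figure.

function Format-Duration {
    param([double]$Seconds)
    if ($Seconds -lt 60)       { return ('{0:N0} seconds' -f $Seconds) }
    if ($Seconds -lt 3600)     { return ('{0:N1} minutes' -f ($Seconds / 60)) }
    if ($Seconds -lt 86400)    { return ('{0:N1} hours'   -f ($Seconds / 3600)) }
    if ($Seconds -lt 31557600) { return ('{0:N1} days'    -f ($Seconds / 86400)) }
    $years = $Seconds / 31557600
    if ($years -lt 1e9)        { return ('{0:N0} years'   -f $years) }
    return ('{0:E2} years' -f $years)
}

function Get-BruteForceEstimate {
    param(
        [Parameter(Mandatory)][string]$Password,
        [double]$GuessesPerSecond = 1e10
    )

    # Only the character classes the password actually uses count: an attacker
    # who knows the policy only needs to search that alphabet.
    $alphabet = 0
    if ($Password -cmatch '[a-z]')        { $alphabet += 26 }
    if ($Password -cmatch '[A-Z]')        { $alphabet += 26 }
    if ($Password -match  '[0-9]')        { $alphabet += 10 }
    if ($Password -match  '[^a-zA-Z0-9]') { $alphabet += 33 }   # printable ASCII symbols

    # Keyspace = alphabet size ^ length. BigInteger so long passwords do not overflow.
    $keyspace = [System.Numerics.BigInteger]::Pow($alphabet, $Password.Length)
    $seconds  = [double]$keyspace / $GuessesPerSecond

    # Note: a password built from a dictionary word (e.g. "P@ssw0rd!") falls far
    # faster than this figure, because wordlist and rule-based attacks do not
    # need to search the whole keyspace. This is why the article says to avoid full words.
    [PSCustomObject]@{
        Password     = $Password
        Length       = $Password.Length
        AlphabetSize = $alphabet
        Keyspace     = $keyspace
        WorstCase    = Format-Duration -Seconds $seconds
    }
}

# Constructed sample passwords showing the effect of length and character mix.
'password', 'Password1', 'P@ssw0rd!', 'Tr7$kLm2#qVz' |
    ForEach-Object { Get-BruteForceEstimate -Password $_ } |
    Format-Table Password, Length, AlphabetSize, WorstCase -AutoSize
```

With the assumed guess rate, the 8-character lowercase word is exhausted in seconds, the 9-character mixed password with symbols takes days, and the 12-character random one takes on the order of a million years. Each extra character multiplies the work by the alphabet size, which is why length matters more than any single symbol.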

Old Passwords

For security it's best practice to change your password from time to time. How often you do this is up to you, but Microsoft recommends every 90 days. If an account has ever been compromised in the past without you knowing, changing passwords is a good way to block this out. It's also a good thing to do if you have fallen into the habit of using the same password for multiple sites: by changing your Microsoft 365 one often it will push you into thinking up something new and unique.
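An administrator can find out which accounts have gone past that 90-day mark from the tenant side. The script below is an added example, not part of the original article, and uses the Microsoft Graph PowerShell SDK to list enabled users whose password is older than the threshold. It assumes the Microsoft.Graph.Users module is installed and that the admin can consent to User.Read.All.

```powershell
# Added example, not part of the original article: list enabled accounts whose
# password has not been changed for more than $maxAgeDays days, using the
# Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph.Users module.
Connect-MgGraph -Scopes "User.Read.All"

$maxAgeDays = 90
$cutoff     = (Get-Date).AddDays(-$maxAgeDays)

# LastPasswordChangeDateTime is not returned by default, so ask for it explicitly.
$stale = Get-MgUser -All -Property UserPrincipalName, AccountEnabled, LastPasswordChangeDateTime |
    Where-Object {
        $_.AccountEnabled -and
        $_.LastPasswordChangeDateTime -and
        $_.LastPasswordChangeDateTime -lt $cutoff
    } |
    Select-Object UserPrincipalName, LastPasswordChangeDateTime,
        @{ Name = 'AgeDays'; Expression = { [int]((Get-Date) - $_.LastPasswordChangeDateTime).TotalDays } } |
    Sort-Object AgeDays -Descending

"{0} enabled accounts have a password older than {1} days" -f $stale.Count, $maxAgeDays
$stale | Format-Table -AutoSize
```

Accounts with a null LastPasswordChangeDateTime are skipped here; those are usually cloud accounts that have never had a password set, which is worth checking separately rather than counting as stale.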

Inactive mailboxes

If you have any old inactive mailboxes on your Microsoft 365 tenant it’s best to either remove them or turn them into Shared Mailboxes (as you can then remove the licence and stop someone being able to log into it).
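The conversion described above can be scripted. The following is an added example, not part of the original article, that finds user mailboxes with no logon in the last 180 days, converts them to shared mailboxes, blocks sign-in on the account and then removes any directly assigned licences. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed; the 180-day threshold is a chosen value, and the script only reports until $DryRun is set to $false.

```powershell
# Added example, not part of the original article: find inactive user mailboxes,
# convert them to shared mailboxes, block sign-in and release their licences.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules are installed;
# 180 days is a chosen threshold. With $DryRun = $true nothing is changed.
$DryRun       = $true
$inactiveDays = 180
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "User.ReadWrite.All"

$candidates = Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited -Properties UserPrincipalName |
    ForEach-Object {
        # LastLogonTime is also touched by some background processes, so treat
        # this as a first pass and confirm with the business before converting.
        $stats = Get-EXOMailboxStatistics -Identity $_.Identity -Properties LastLogonTime
        if (-not $stats.LastLogonTime -or $stats.LastLogonTime -lt $cutoff) {
            [PSCustomObject]@{
                UserPrincipalName = $_.UserPrincipalName
                LastLogon         = $stats.LastLogonTime
            }
        }
    }

"{0} mailboxes with no logon in the last {1} days:" -f $candidates.Count, $inactiveDays
$candidates | Format-Table -AutoSize
if ($DryRun) { return }

foreach ($c in $candidates) {
    $upn = $c.UserPrincipalName

    # 1. Convert to shared first. A shared mailbox under 50 GB needs no licence,
    #    and converting before the licence is removed avoids the mailbox being
    #    soft-deleted when the licence lapses.
    Set-Mailbox -Identity $upn -Type Shared

    # 2. Converting does not disable the account, so block sign-in explicitly;
    #    this is what actually stops someone logging into it.
    Update-MgUser -UserId $upn -AccountEnabled:$false

    # 3. Release every licence assigned directly to the user. Licences inherited
    #    from a group must be handled by removing the user from that group.
    $skus = (Get-MgUserLicenseDetail -UserId $upn).SkuId
    if ($skus) {
        Set-MgUserLicense -UserId $upn -AddLicenses @() -RemoveLicenses $skus | Out-Null
    }
}
```

Run it once in dry-run mode, check the list against what the business knows about those people, and only then flip $DryRun to $false. The order of the three steps matters: convert, block sign-in, then remove the licence.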

These are some of the best practice security tips that should be applied to every Microsoft 365 account. If you'd like more information or would like some deeper investigation into your Microsoft 365 security, then get in touch, as we can run a Security Audit on your tenant and discuss the results with you.