Security Concerns of Hidden Permissions in SharePoint

Security Concerns of Hidden Permissions in SharePoint

SharePoint is a stalwart of collaboration and file sharing in Microsoft 365 which started its life as SharePoint server back in 2001. Most organizations use SharePoint online as hosted by Microsoft and it’s become a “plumbing” technology – something that’s fundamental, sits in the background and most people don’t take any notice of it, until it stops working properly.

This is even more evident in how SharePoint is used in Microsoft 365, you probably have SharePoint sites for various teams, departments, or countries, but SharePoint sites are also used as the backend file storage for everyone’s OneDrive for Business file storage. And when you share files and folders in Teams – guess what, that storage is also backed by SharePoint. So, not only do you need to govern the data stored in SharePoint sites, but also in these other locations, and as we’ll show you – governing data access in SharePoint is hard to do.

The heritage has a downside, starting life as on-premises piece of software and now running as a hosted service brings with it some serious security baggage. In this article we’ll show you the lack of permission visibility that can lead to security risks, and how hidden groups and hidden users make this situation even worse. Furthermore, custom permission levels can have disastrous consequences when it comes to assigning rights, and the manual management of user access is a recipe for security mistakes. Finally – custom document libraries can be an attackers’ hidden haven.

In other words – your SharePoint environment might already be infiltrated by an attacker, and you wouldn’t know it. At the very least, your permissions are likely not aligned with “least privilege”, one of the tenets of Zero Trust.

Most CISOs and security professionals are focused on the “loud” threats such as ransomware, but it’s important to be aware that there are many other avenues attackers take, and an attacker who’s been able to compromise a single user account might quietly watch the vendor invoice document folder in SharePoint for example. Gathering these documents, they may be able to change payment details in a classic Business Email Compromise attack (in this case without the email vector).

The Visibility Gap

We’ll focus most of this article on the Documents folder in your SharePoint sites – this is what most sites are used for – file sharing.

A fundamental difference, compared to traditional file shares, is that there’s no folder tree hierarchy that you can see. You can create subfolders in subfolders and so forth, and put files into any of the folders, but there’s no easy way to visualize the hierarchy, and you must click into each folder to see what’s stored in there.

To actually see which user accounts, groups or external guest users have been granted permissions to each folder (and each file, as they can have different permissions) means you must click on the object – then go to Manage Access to see who has access.

Manage Access Permissions for each individual folder and file

Manage Access Permissions for each individual folder and file

The second challenge is that while you can see the names of the groups that have been granted permissions on a particular folder, you can’t see the user accounts that are members of those groups in the Manage Access dialog. Clicking on a group name doesn’t bring up the members, in fact it does nothing.

List of groups that have been granted permissions

List of groups that have been granted permissions

To determine the user accounts in a group requires a visit to either the Microsoft 365 admin center ( or the Entra ID portal ( Administrators will have access to these portals but if you’re a department manager, who is the owner of a SharePoint Team site, trying to ascertain who’s got access to what document folders in a SharePoint team site means you can’t complete this task without contacting the IT department.

Even more troubling (thanks to the SharePoint server heritage mentioned above) is that there is a group type in SharePoint itself, that is not visible in the Microsoft 365 admin center or the Entra ID portal, only in the SharePoint admin center (again, which ordinary users don’t have access to). If there are nested groups inside one of these groups you might have to track down those groups in one of the three mentioned admin centers. Finally, if you grant permissions to a group which has one user and one group inside of it, it’ll tell you that you’re granting permissions to two people, when in fact there could be hundreds of user accounts inside the nested group.

Hornetsecurity’s 365 Permission Manager thoroughly fixes these visibility problems, showing you all the users that have permissions to a site, folder, or file, as well as if those permissions are inherited from the site, or are unique to that object. It also surfaces external sharing, either where it has been shared with specific people outside your organization, or where an anonymous link has been created.

Another innovative feature is the ability to see SharePoint / OneDrive for Business sites “through the eyes” of a selected user – exactly which sites / folders / documents does this user account have access to? This is useful during a forensic investigation (what data did the attacker who compromised this account have access to?), insider risk cases (what’s the blast radius of this malicious employee?), and data governance (do our permissions match our data access policies?).

Permission Levels

SharePoint Online provides four levels of access permissions to folders and files: Owner, Can edit, Can View and Can’t Download (=view but not save files locally). However, SharePoint Server had and still has a more comprehensive model – with multiple built-in permissions levels, as well as the ability to create custom permission levels.

The first issue that this leads to is that when you check permissions granted on an object, the UI will “round off” to the closest permission level granted, Design for example is a legacy level that grants more permissions than Edit, but this is shown as Edit in the UI.

Much scarier, however, is the ability to create custom permission levels with the same name as a built in one – such as “read”. This level could be granted every available permission (definitely not just read). Not only does that lead to the situation where a casual check of permissions granted would lead you to assume that a group or user only has read access but if you do decide to investigate why there are two permission levels called read / Read, it turns out that the UI will show you the built-in permission level, not your custom one. If a custom permissions level has the same name as a built in one, the URL in SharePoint isn’t case sensitive, and thus will show you the built in one.

365 Permission Manager will surface these custom permission levels, bringing visibility and governance to your entire SharePoint Online estate, it also allows you to use built-in or create customized policies that you can apply across different types of sites. This then shows you where sites are deviating from your policy intent and allows you to remediate permissions with a single click.

Site vs Document Library Permissions

Another risk is that you can set custom permissions on the Document library, that are different to the overall Site permissions.

Once granted, when an audit is done, these permissions are visible, but can’t be changed in the UI.

Example user whose permissions can't be changed

Example user whose permissions can’t be changed

Again, 365 Permission Manager will find these discrepancies, surface them as deviations from your policies, and prioritize their remediation in the handy To Do list.

Hidden Document Libraries

Normally a SharePoint site has a single Documents folder, but you can create other ones. Furthermore, you can hide it from the site’s navigation (so no one else knows it is there), and you can remove everyone else’s permissions from it, only granting yourself access. This will in effect create an exfiltration channel, where the attacker can copy sensitive documents from the site into their custom Document library, perhaps even returning on a regular basis to capture the latest versions of files, and then downloading them to their machine.

Hidden Document library - only visible to the attacker

Hidden Document library – only visible to the attacker

This is a huge risk in a compromised SharePoint site and of course 365 Permission Manager will surface custom, hidden, Document libraries, and their permissions for you to remediate.

There’s another very useful feature – the ability to revoke all access to SharePoint / OneDrive for Business data for an account. If you know that an account is compromised, manually revoking access across every location is extremely time consuming – 365 Permission Manager gives you a single button to do it.

To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.


As with many Microsoft technologies, the focus on backwards compatibility has proven to be a strength when it comes to enterprises for decades. Imagine an organization with a large investment in SharePoint Server on-premises, with thousands of busy sites and Terabytes of data, migrating this to SharePoint online – this compatibility is a requirement.

However, it also has scary security implications – the reality today is that many businesses might be compromised, with bad actors exfiltrating data at will from your most precious intellectual property, with very little chance of discovery.

This is why any CISO who wants to apply comprehensive data governance to their SharePoint estate needs 365 Permission Manager.


I’ve been hacked! WHAT SHOULD I DO?

With Hornetsecurity’s 365 Permission Manager you can regain control of your SharePoint environment and protect your business immediately.


  • Remove User Access Feature: With a single click, the Offboarding feature in 365 Permission Manager allows you to revoke access and stop a hacker immediately. This immediate action can prevent further unauthorized access and potential data breaches.
  • The View as feature: Gain insight into what files a compromised user could access with the View as feature in 365 Permission Manager. This feature allows you to see SharePoint through a user’s eyes, helping you identify potential areas of unauthorized access and take corrective action.
  • Generate Reports for Forensics: Understanding the extent of a security breach is crucial for effective remediation and compliance. With 365 Permission Manager, you can generate detailed reports for forensics, showing exactly what files a user had access to and the full permissions inside all SharePoint sites and OneDrive for Business locations. This information is invaluable for identifying the scope of the breach, assessing the damage, and implementing necessary security measures to prevent future incidents.


What are the primary security concerns associated with hidden permissions in SharePoint?

Hidden permissions in SharePoint pose significant security risks because they can allow unauthorized access without the knowledge of administrators or users. Key issues include:

  • Lack of Visibility: SharePoint’s permission settings can be complex and opaque, making it difficult to see who has access to what. This includes hidden groups and users whose permissions are not easily visible.
  • Custom Permission Levels: Custom permissions can be misleading. For example, a permission level named “read” might actually have full access rights, leading to potential security breaches if not properly managed.
  • Hidden Document Libraries: Attackers can create hidden document libraries with exclusive access, enabling them to exfiltrate data without detection. These hidden libraries are not easily visible in the SharePoint navigation, making them a significant risk.

How can 365 Permission Manager help mitigate the security risks in SharePoint?

365 Permission Manager provides several features to enhance security and governance in SharePoint:

  • Visibility Enhancement: It displays all users, groups, and permissions for sites, folders, and files, including inherited and unique permissions. This comprehensive visibility helps in identifying and addressing hidden access issues.
  • Permission Management: It surfaces custom permission levels and discrepancies, allowing administrators to standardize permissions according to policy. This reduces the risk of misconfigured access rights.
  • Access Control: The tool offers the ability to revoke all access for a compromised account with a single click, ensuring quick response to security incidents and preventing further unauthorized access.

How can Hornetsecurity help secure my SharePoint environment?

Hornetsecurity’s 365 Permission Manager enhances security by providing comprehensive visibility into all user permissions, managing and standardizing custom permission levels, and allowing for immediate revocation of access for compromised accounts. This ensures robust data governance and quick response to security incidents.

Enhancing Security with Microsoft 365 Ransomware Protection

Enhancing Security with Microsoft 365 Ransomware Protection

Boosting Your Defenses: The Multilayered Ransomware Protection Method of Microsoft 365

The two main reasons why businesses have embraced Microsoft 365 so rapidly are hybrid working and reduced capital costs.

However, due to its sizable user base and quick subscriber growth over the previous two years, the subscription-based suite, which includes Exchange Online and other Office 365 productivity programs, OneDrive for Business, SharePoint, and Teams, is an alluring target for hackers.

You should be monitoring more than just the number of users and collaboration minutes if your company uses Microsoft 365 (M365). There has been an increase in ransomware attacks over the last few years, and your M365 sensitive data will be targeted more frequently.

Malicious actors are already trying to encrypt your data and infect it with malware, then demand a payment to unlock it.

Beyond that, hackers will be hoping that your sensitive data in M365 is not fully protected so they can steal (called exfiltrate) it and then use it to demand ransom in order to keep it from being released to the public.

The adoption of the tactic in “double-extortion” ransomware operations is growing rapidly. Operators using ransomware may severely impact your company’s finances and reputation, regardless of their strategy, so your best bet is to continue to plan ahead as it is not a matter of ‘if’, it is a matter of ‘when’.

Microsoft’s advice for fending off ransomware that targets your M365 data is straightforward: Make frequent data and content backups, and use third-party apps and services to store it. This is good advice, but it’s likely not enough.

Comprehending the Concept of Shared Responsibility

Operating on a shared responsibility paradigm, Microsoft is a hyperscale cloud and application provider. In real terms, that means Microsoft pledges strong infrastructure security, high infrastructure dependability, and restricted data protection, which includes certain data retention guidelines and versioning, which we’ll talk about next.

It never promises that your material will always be accessible. That’s a general assessment of its portion of the responsibility.

Maintaining the trust of your customers and the reputation of your brand depends equally on you. Your business data is yours. It is therefore your duty to safeguard your cloud data both now and in the future to ensure compliance with legal and business standards.

If your data is compromised, it is also your organization’s responsibility to promptly restore it. The main justification for abiding to best practices and adding third-party apps and services that shield your data from ransomware assaults in addition to basic M365 protection is your internal share of responsibility for M365, a mission-critical environment.

Microsoft does include certain built-in features for storing data after it has been deleted or modified, but these aren’t reliable, unchangeable backups, more on that later.

Ransomware Around The Corner

Before launching a full-scale attack, malware or attackers might penetrate a system and hide for a few weeks or months in order for it to spread to other systems.

Furthermore, as you’ll see, versioning isn’t appropriate for ransomware recovery since, in order to guarantee that your restored data is free of ransomware infection, restores must occur from a specified point in time on the full data set rather than on individual files.

The threat of Ransomware-as-a-Service (RaaS) affiliate models facilitates threat actors’ ability to expand their operations and target businesses of any size or industry.

Can Ransomware Infect Files Stored in OneDrive?

Yes, files kept on OneDrive can become infected with ransomware. This is due to the fact that cloud data accessed through the OneDrive sync application that is installed on your machine is directly accessible from the endpoint, which facilitates the propagation of ransomware and its ability to corrupt all of your OneDrive files.

It’s crucial to remember that if you haven’t taken any precautions to secure your system or are using an out-of-date version of the program, your risk increases. To defend against online attacks, it is crucial to utilize additional tools like Microsoft Defender or a third party Endpoint Detection and Response (EDR) tool.

OneDrive offers built-in capabilities to restore from a previous version of your cloud data, even if you have been attacked with ransomware. This enables you to recover from a state that existed before the ransomware assault. Additionally, there are solutions for backing up your Microsoft 365 data to an independent cloud backup repository, giving you a backup copy in the event that OneDrive’s restore points become unavailable.

Backups VS Versioning

If you require additional proof that native M365 data protection isn’t reliable enough for your data, think about the way it stores data. M365, in contrast to actual backup systems, employs a method more akin to version control, which is the management of several revisions of the same data or files, Microsoft calls this in place retention.

Stated differently, versioning occurs at the file level, with each file having a unique file version history. This method has the drawback that ransomware attacks targets all files at once and occur at a specific time.

Backup shouldn’t be considered the primary method of retention in use. Rather than being your “officially retained record,” backup has always served as the “copy of last resort that always exists.”

Since this was the sole copy of the content available for the retention period, backed-up content search and retrieval sadly had to be integrated into the backup or archival system as this was the only copy of the content available for the retention period.

When versioning is enabled, you may track, store, and restore files in a library and items in a list as they change.

You have control over the material that is posted on your website when you use versioning in conjunction with other settings like checkout. Versioning can also be used to view or restore previous iterations of a library or list.

You can use versioning to:

  1. Track History of a version: You can see when and by whom an item or file was modified when versioning is enabled. Additionally, you may view the dates of changes to the file’s properties. For instance, the version history contains information on changes made to a list item’s due date. Additionally, comments made by users upon checking files into libraries are visible.
  2. Go back to an earlier version: You can replace the current version with a prior one if you made a mistake in the current version, if the current version is corrupt, or if you just prefer the earlier version. The version that has been restored is now the latest one.
  3. Examine an earlier version: Viewing an earlier version won’t cause your current version to be overwritten. You can compare the two versions to see the differences if you are viewing version history in a Microsoft Office document, such as a Word or Excel file.

Microsoft 365 Ransomware Protection

Microsoft offers a range of capabilities and services through the Office 365 platform to assist your company in defending against ransomware threats.

Start with ensuring that all accounts use Multi Factor Authentication, as identities is the main target for modern criminals – they don’t hack in, they sign in. Defender for Office 365 assists in thwarting the spread of ransomware through email.

Microsoft Defender for Endpoint, on the other hand, is a cutting-edge antivirus and EDR program made to identify and neutralize threats directly on Windows (and MacOS, Linux, iOS and Android) devices. Combining these capabilities with other Microsoft 365 solutions offers a comprehensive approach to strengthen your company’s cybersecurity posture and stop malware threats all around.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.


Although the possibility of a ransomware attack on Microsoft 365 is increasing, you are taking precautions to make sure your data is safe by adhering to best practices for data security and learning how ransomware attacks arise and may be avoided.

It is important to put more sophisticated techniques like network segmentation and fundamental procedures like multi-factor authentication into practice.

Your best line of defense against a ransomware assault on your Microsoft 365 data is knowledge.

You can greatly lessen your vulnerability to these kinds of attacks by being aware of the dangers, training your users regularly, typical attack vectors, and countermeasures. Furthermore, being aware of what to do right away in the event that you become a victim can significantly reduce harm and possibly even help you retrieve any lost data.


Does Office 365 have ransomware protection?

Yes, Microsoft 365 has built-in safeguards against ransomware. It uses cutting-edge threat prevention techniques to identify and eliminate ransomware attacks in all of its apps.

Should I set up OneDrive for ransomware protection?

In addition to providing basic backup and recovery features, OneDrive has the capability to protect your files from ransomware attacks by using file versioning and sophisticated threat detection.

Does Microsoft Defender protect against ransomware?

Microsoft Defender provides ransomware protection. It uses cutting-edge threat prevention techniques to identify, stop, and handle ransomware threats.

The Importance of Backup in Microsoft 365

The Importance of Backup in Microsoft 365

In this article we look at the need for data protection in Microsoft 365 – what Microsoft is responsible for – and what your organization is responsible for.

Native Data Resiliency

As any capable cloud service, Microsoft takes the availability of customers data in M365 very seriously. As previously mentioned, Exchange mailboxes have four copies, three up to date ones and a fourth, lagged copy (up 24 hours behind).

This last copy is used in case of a systemic corruption of the other three copies. These four copies are distributed across at least two datacenters. All of this is handled automatically by the system and not something end users will notice.

SharePoint and OneDrive for Business storage similarly relies on data being stored in two separate Azure regions – a write will only be considered completed if it’s successfully written to both regions. And the underlying storage uses AppendOnly, ensuring that earlier data can’t be corrupted or encrypted by an attacker.

This versioning also allows the restore of previous versions of files.

Sounds good right? Microsoft clearly takes steps to protect my data, so I don’t have to worry about it? Not so fast – everything described above is about data resiliency, and high availability of your data. What it doesn’t provide, outside of some limited options, is backup of your data.

Backup are copies of your production data, in a separate system, that’s regularly (every hour, every day) copied from production data to the backup location. This provides the following features:

  • The ability to “go back in time” and restore emails / documents / mailboxes / sites to a previous point in time – either to a production location, or a separate export location.
  • The ability to access your production data in case of a catastrophic failure or outage of services in Microsoft 365.

In other words, data resiliency / high availability is not the same as backup. They’re related but serve different purposes. Depending on your business needs or which compliance regulations you must comply with, you may need both.

Let’s cover your native options for restoring earlier versions of data. With Exchange items (emails, contacts, calendar appointments), when they’re deleted you can recover them from the Outlook Deleted Items folder.

They’re kept there indefinitely unless you change the policy in your tenant. If they’re deleted from the Deleted Items folder, you can recover them for up to 14 days from the Recoverable Items hidden folder.

You’ll need to train your users how to do this themselves, or make sure your helpdesk team is prepared to assist on a regular basis as the user interface isn’t exactly intuitive.

In SharePoint / OneDrive for Business deleted documents are kept by default for 93 days, first in a user accessible recycle bin, and if they’re purged from there, in an administrator accessible recycle bin.

Again, the restore process for a document deleted by mistake isn’t straightforward so some training will be required.

To alter the defaults, you can use Retention Policies to keep items for longer (they’re available for restore, even if users delete them out of their Deleted Items folder), these can be applied to both Exchange and SharePoint data.

For Exchange you also use In-Place and Litigation Holds for select mailboxes to manage retention.

365 Total Backup

If you’re looking to alleviate the challenges with using the built in data protection features as a recovery solution, Hornetsecurity provides a comprehensive M365 backup and recovery solution 365 Total Backup or as part of 365 Total Protection Compliance & Awareness.

This protects mailboxes, Teams Chat, OneDrive for Business storage, SharePoint sites, plus Windows endpoints. It’s simple to set up and provides comprehensive protection across your entire tenant.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.


In summary, while Microsoft 365 ensures data resiliency, other backup substitutes exist. Backup solutions offer crucial benefits like restoring data to previous states and accessing data during outages. Consider options like Hornetsecurity’s 365 Total Backup for comprehensive protection.


Does Microsoft 365 have a backup?

Microsoft 365 provides basic data retention features but doesn’t offer a comprehensive backup solution (although one is in preview from Microsoft at this time). While it retains deleted items for a limited time, a dedicated backup strategy is recommended for robust data protection.

How do I set up a Microsoft 365 backup?

To set up a Microsoft 365 backup:

  • Consider third-party backup solutions like Hornetsecurity.
  • Select a solution that aligns with your backup needs.
  • Follow the provider’s instructions to configure and schedule backups.

How do I backup my OneDrive in Microsoft 365?

To backup your OneDrive in Microsoft 365:

  • Choose a backup solution compatible with OneDrive.
  • Install and configure the selected backup tool.
  • Set up backup policies, including frequency and retention.
  • Monitor and verify backups to ensure data integrity.
Advanced Threat Protection in Microsoft 365

Advanced Threat Protection in Microsoft 365

There are many security tools built into the O365 platform, but when you move to M365 E3 or E5, you unlock a whole new set of advanced features for securing your business.

In this article, we’re going to look at these tools, except for Endpoint Manager, which we have covered here, and Windows 11, which we covered in this article.

Microsoft 365 Defender

Nearly all of Microsoft’s M365 focused security products have the Defender brand, and the central console to work with them is security.

Here you’ll find a comprehensive Extended Detection and Response (XDR) service that collects data from email, identity, endpoints, cloud services and alerts you to intruders across your M365 digital estate.

Here’s a rundown of the different Defender services:

Microsoft also offers Microsoft Sentinel – a cloud based SIEM; Microsoft Defender for Cloud (for Azure, AWS and GCP IaaS and PaaS workloads) and Entra for identity management and protection.

Microsoft Defender for Endpoint (MDE)

Microsoft Defender for Endpoint (MDE) is a full-fledged Endpoint Detection and Response (EDR) security solution using Machine Learning (ML) behavior analytics for Windows, MacOS, Linux servers, iOS, and Android devices.

It inventories installed applications (Windows and MacOS) and through Threat and Vulnerability Management (TVM) prioritizes which applications bring the most severe risks to your organization based on how widely deployed each application is and the severity of the disclosed vulnerability.

MDE also provides Attack surface reduction rules and Next generation protection, along with many other security features. MDE is available with, M365 E5 / E5 Security or as a standalone license.

Microsoft Defender for Identity (MDI)

With M365 E5 you can step up to Defender for Identity (MDI) which monitors your Active Directory Domain Controllers, and your Active Directory Federation Servers with only lightweight agents, the rest is taken care of by the cloud service.

Any attacker that establishes a foothold on a device in your network must touch AD to move laterally and escalate privileges and MDI will catch them when they do.

Microsoft Defender for Cloud Apps

Once upon a time when your users stayed in the corporate office all you needed to protect them was a good firewall but in today’s world of “work anywhere, on any device” you need a new type of tool to protect them, a cloud access security broker.

Microsoft Defender for Cloud Apps (MDA) is part of M365 E5 and protects your users in real time when they access cloud services. The catalogue of over 31,000 different cloud services gives IT a way to discover and manage Shadow IT (cloud services that users have provisioned without the IT department knowing) across your user base.

Secure Score

How do you know what’s most important to attend to? And where in all the different portals (or PowerShell) do you go to configure each setting? The answers to these questions are in Secure Score, now part of the Security portal.

Here you see an overall score for your tenant (for Identity / Data / Device / Apps and Infrastructure controls) and can compare it to the global average across M365, the average for your industry and for businesses of the same size.

As you implement more controls you score increases (it can take 24-48 hours), and you track your progress on the History tab. Secure Score is the BEST place to start improving your tenant’s security posture.

I’d like to highlight another control (apart from MFA) that’ll gain you a quick win to improve overall security – blocking legacy authentication. This is because even if you have enabled MFA, attackers can still access your user’s accounts with just a username and password through older protocols that don’t support MFA.

To investigate if there are any legitimate connections using these older protocols (which will need to be upgraded or exempt from your block legacy authentication policy) go to the Azure AD portal, click on Sign-ins under monitoring, click Add filters, pick Client app, then click “None selected” and add all 13 legacy connection options.

Once you’re certain there are no legitimate needs for legacy authentication, use CA policies to block it.

The concept of Secure score has spread to other parts of M365, in Compliance Manager there’s Compliance Score to indicate how compliant your business is with regulatory frameworks you have to comply with.

Microsoft has recently added hundreds of additional regulations from all over the world to help you track your compliance, assign tasks users to achieve and maintain compliance.

To manage compliance for your SharePoint and OneDrive sites and their security posture / sharing settings using the built in tools is an exercise in frustration as they’re spread across several portals.

In contrast, Hornetsecurity’s 365 Permission Manager provides a single pane to see the settings for every site in your tenant, apply policies, remediate compliance violations, see all access that a particular user has, produce reports and much more.

Security Is Everyone’s Responsibility

The sad truth is that most small to medium businesses don’t implement nearly enough of the features they have already paid for and even large enterprises struggle to get these protections in place for all their users.

This is partly due to the inherent complexity of many of Microsoft’s native security features – remember the saying, “Complexity is the enemy of security”.

That’s why many organizations are turning to third-party security solutions like Hornetsecurity to help them make key security features more accessible and reduce complexity.

On the other hand, security neglect is also due to a certain carelessness, which stems from the fact that in many businesses a mindset from the on-premise era still prevails, in which it was thought that (almost) everything was already done with a firewall – and IT shops will take care of it.

The world is a different place today: We must understand that the responsibility for security is in all of our hands and that our cyber defense chain can only be as strong as its weakest link.

Consider security awareness training for employees since it is essential to reduce the risk of cyberattacks, prevent data breaches, and ensure compliance with regulations. It empowers employees to recognize and respond to security threats, fostering a strong cybersecurity culture and protecting both company assets and reputation.

Ultimately, investing in awareness training leads to cost savings and a safer digital environment.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

Conclusion – Keeping Microsoft Honest

If the thought of paying for the underlying platform from Microsoft, and then paying again for the additional security features on top doesn’t sit right with you, consider a third-party solution for your M365 security and compliance needs.

Hornetsecurity offers several different plans with powerful Advanced Threat Protection for your email, data loss prevention (DLP), security awareness service (end user phishing simulation and training), email encryption, email archiving and more.

Hornetsecurity also offers an entire free eBook focused on securing a Microsoft 365 tenant, The Microsoft 365 Security Checklist. It covers all the security settings and configurations you need to know for each M365 license to properly secure your environment and goes into more detail of the actual settings than outlined here.


What is Microsoft Defender for Office 365?

Microsoft 365 Defender for Office 365 (MDO) is a cloud-based security service that helps safeguard against advanced cyber threats in emails and Teams communications. It provides protection against malicious links, attachments, and phishing emails, enhancing the overall security posture of Microsoft 365 environments.

What is Microsoft Defender XDR?

Microsoft Defender XDR combines Defender for Endpoint (Windows, MacOS, Linux, iOS and Android), Defender for Office 365, Defender for Identity and Defender for Cloud Apps into a single console, and single comprehensive protection platform.

What does Defender for Office 365 provide?

Defender for Office 365, offers several key functions:

  • Safe Attachments: Scans email attachments for malicious content before delivery.
  • Safe Links: Checks and rewrites URLs in emails to protect against phishing and malicious websites.
  • Anti-Phishing Policies: Detects and mitigates phishing attempts through machine learning and user-reported signals.
  • Real-time Threat Intelligence: Utilizes cloud-based intelligence to identify and respond to emerging threats.
The Importance of Security in Office 365

The Importance of Security in Office 365

In the early days of cloud computing there was a lot of concern around the security of data moved to “someone else’s datacenter”. I think it’s clear to most CISOs today that the big providers do a much better job of it security than most businesses can do (or have the budget to do).

Their incentive is also strong, if a large breach happened it could affect many thousands of businesses and so they spend a lot of money on making sure their clouds are as secure as they can be.

That doesn’t mean however that you can leave it all to Microsoft, there’s something called the Shared Responsibility Model and all cloud providers have some version of this.

There are some areas that are still your responsibility such as the endpoints that your users use to access cloud services, any on-premises infrastructure that’s operating in a hybrid mode with O365 and user provisioning and de-provisioning.

There are also many security controls in O365 that you need to customize to suit your business, where you and Microsoft share the security responsibility. In this article we’ll look at these controls and where and how you configure them.

A New Approach to Cloud Security

The foundation for “how you think about security” should be Zero Trust, instead of trusting a connection based on where it’s coming from (“if it’s on the internal LAN it’s safe, from the outside it’s dangerous”), every access is checked against your Conditional Access rules which gives you a much better security posture.

And base your security on identity which is the new firewall and keep up with new features in the security space.

When thinking about how to defend your systems, don’t forget to take into account attackers moving from on-premises to the cloud, as we saw in the SolarWinds breach.

If you have M365 E5 licensing, you can use attack simulation training to test your users with fake phishing emails and provide bite sized training automatically to them based on their propensity to fall for them. If you’d like more control and optimization, try out Hornetsecurity’s Security Awareness Service which delivers fully automated benchmarking, spear-phishing-simulation and e-training to sensitize and protect employees against cyber threats.

Remember Entra ID Premium P1 & P2 which you can purchase as add-ons to O365 (included in M365), we covered their security features in this article.

There’s a strong argument to be made that relying on Microsoft both to provide the platform (Office 365) and also paying extra for advanced security features from the same company is a conflict of interest.

After all, Microsoft could include more security features in the base platform (Office 365 E3 and Microsoft 365 E3 for example), rather than charging extra for them.

As such, many enterprises choose to opt for a third-party service for advanced security services on top of the base platform, such as Hornetsecurity’s 365 Total Protection.

365 Total Protection

365 Total Protection is a cloud-based security solution that covers all aspects of an organization’s Microsoft 365 security management and data protection: email security, backup and recovery, compliance, permission management and security awareness.

The solution is specifically developed for Microsoft 365 and requires no hardware, software, or maintenance, while providing much-needed layers of additional security and data protection against spam, malware, and advanced threats.

365 Total Protection from Hornetsecurity comes in four different plans:

  1. 365 Total Protection Business gives you state of the art email security, spam and malware protection, signatures, and encrypted email.
  2. 365 Total Protection Enterprise adds email archiving, 10-year retention, eDiscovery, Advanced Threat Protection (ATP) sandboxing of suspect emails, URL scanning, QR code analyzer.
  3. 365 Total Protection Enterprise Backup adds automated backup of mailboxes, Teams, OneDrive and SharePoint and easy recovery, Windows endpoint backup and recovery.
  4. 365 Total Protection Compliance & Awareness adds Permission Manager, Security Awareness Service and AI Recipient Validation to the offering.

This wide range of Microsoft 365 security and compliance features is available in one package and in one license.

365 Permission Manager

One of the three pillars of Zero Trust, using least-privilege access, is remarkably hard to achieve at scale. This is particularly evident in SharePoint and OneDrive where you not only have a complex set of overlapping permission options, but also sharing of files and sites with external users, either through SharePoint, OneDrive, and now also commonly through Teams.

To inventory all these permissions that have been granted and reporting on them requires browsing multiple screens or running PowerShell scripts.

There’s also no easy way to “right-size” permissions when they’re too broad, nor a quick way to revoke permissions quickly across all sites when a user account is discovered to have been compromised for example.

A unique product from Hornetsecurity, 365 Permission Manager alleviates all these issues, and more. A centralized dashboard shows you all your sites, and how compliant they are with your sharing policies.

To right-size permissions use the simple Fix button, or in the case of genuine business requirements for an exception to policy, Approve a special case.

Built-in or custom policies that control external sharing, internal sharing and associated settings can be applied to individual SharePoint sites or OneDrive locations, improving governance and risk management considerably.

You can also see permissions across SharePoint, OneDrive, and Teams for a selected user, very useful when you suspect an account compromise, or perhaps in the case of an insider risk investigation.

Another very useful feature is Quick Actions, which lets you perform bulk actions to manage permissions and maintain a compliant SharePoint, Teams and OneDrive infrastructure.

Microsoft Purview Information Protection

All the governance, Data Loss Prevention (DLP) and Information Protection features in M365 come under the Purview umbrella, with the portal located at

Using labels to classify data, either manually or automatically through crawling documents or emails lets you start to govern your business information. Once a document has been labeled you can use MIP or OME to protect it (see below), or control access on Windows endpoints through policy as well as manage access in Office for Mac, Windows, iOS and Android.

Microsoft Information Protection

One of the most powerful and least deployed features is the ability to protect documents, no matter where they live. Traditional file / SharePoint document sharing tightly controlled access at the server level but as soon as a document is emailed to someone, or stored on a USB drive, that control is lost.

With Microsoft Information Protection (MIP) you can set up labels and rules that encrypt documents and that carry their user access with them so no matter how they’re shared, only the right people have access.

If you’re getting started with MIP, you’ll be using the built-in client in the Office apps on Windows, Mac, iOS and Android. It’s important to configure super user accounts so that you can access documents when a user leaves the company.

The list of sensitive information types (SITs) grows ever longer and it’s now possible to customize the confidence levels of rules, copy the built-in ones and customize them and create larger keyword dictionaries (catch every mention of a staff ID tag, or patient record number).

It’s possible to co-author protected documents in real time (with AutoSave support!) and in larger deployments you can use variables in MIP rules to facilitate per-app content marking.

You can apply labels (and optionally document encryption) to documents, SharePoint online sites, and on-premises SharePoint and file shares. You can also scan images using Optical Character Recognition (OCR) to catch sensitive information in screenshots and the like.

Sensitivity labels are now also available for SharePoint sites, M365 groups and Teams. This doesn’t apply to content stored in those locations but rather manages privacy of the container, external user access and can also integrate with Conditional Access policies to block access from unmanaged devices for example.

You can however configure a default sensitivity label for a SharePoint site.

Office 365 Message Encryption

In a similar way to how MIP allows you to share protected documents with anyone, you can use O365 Message Encryption to send emails to anyone and know that only that person can access that email.

Like MIP you can also set up rules so that emails with specific information in them (credit card numbers, social security numbers) are automatically encrypted.

Data Loss Prevention (DLP)

The aim of Data Loss Prevention (DLP) is to help users do the right thing by alerting them when they’re about to share sensitive data through email, SharePoint Online, OD4B or Teams.

It can also be integrated with MIP as Microsoft continues the journey of unifying labeling and protection across M365. DLP protection has been extended to Windows 10 and 11 with Endpoint DLP, which can block upload of documents with sensitive content to cloud storage, copying sensitive information to the clip board, USB storage, network shares or printing.

There’s also an extension for Google Chrome that extends DLP protection to browser tasks. DLP has also been extended to on-premises using the MIP Scanner to find sensitive documents and alert management for DLP violations is also vastly improved.

Exchange Online Protection (EOP)

Exchange Online Protection (EOP) is the mail hygiene solution for Office 365 and can also protect your on-premises Exchange mailboxes if you’re in a hybrid deployment (Exchange Online article).

There are a few settings you can control for EOP as well as some additional configuration you should consider for complete spam protection such as Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC) and Domain Keys Identified Mail (DKIM).

If you find that EOP isn’t catching enough malicious emails consider third party services, Hornetsecurity offers a free tool called Threat Monitor (requiring no changes to your MX records) that’ll identify advertising emails (spam), threats and advanced threats emails and also lets you delete them from user’s mailboxes.

Threat Monitor provides valuable email statistical data for your tenant as to what EOP is missing, making the case for upgrading email hygiene services easier.

Defender for Office 365

Defender for O365 protections (available in O365 E5 or as standalone add-ons) builds on top of EOP and gives you Safe Attachments where attachments in incoming emails that may be malicious are opened inside a VM and checked before they’re delivered to end users.

Safe Links checks that links in emails and Office files aren’t malicious at the time when users click on those links. Anti-phishing detects attempts to impersonate users, these protections also extend to SharePoint, OD4B and Teams.

If you find Defender for Office 365 too pricey (It’s included in M365 E5, E5 Security or as a separate add-on) have a look at Hornetsecurity’s 365 Total Protection which comes in a Business and an Enterprise flavor.

Business gives you granular control over email categories and content so that you can block unwanted emails.

You can set email signatures with company disclaimers and use either PGP or S/MIME for email encryption, with certificate handling built in.

The Enterprise flavor adds email archiving / journaling with up to 10 years retention, eDiscovery and sandbox analysis of attachments, URL rewriting and scanning (both in emails and in attachments) and Contingency Covering through an email failover environment when Microsoft 365 is down.


One of the great features of the unified platform of O365 is the ability to audit user and administrator actions across the entire platform.

At a minimum you want to configure alerting on Entra ID actions, go to the Compliance portal – Search – Audit log search and see all the different activities you can audit and report on, as well as create Alert policies for.

By default, Office 365 audit logs are kept for 180 days (Entra ID logs for 30 days), which may not be sufficient for your business or regulations you must comply with.

You have two options, use a third-party service to continuously export the logs and archive them for the time period you require, or assign M365 E5 (or M365 E5 Compliance / Discovery & Audit) licenses to the users who’s logs you want to keep for longer. This unlocks the ability to keep the logs for 1 or 10 years.

Say Goodbye to Passwords?

Ultimately the best way to manage passwords is to not have any stored in your directory and not have your users use any – this is called passwordless.

There are many steps on the journey towards this end goal, today you can use the Authenticator app to sign in on an Azure AD account (not as a second factor but as the only factor), or Windows Hello for Business or a FIDO 2 hardware USB/NFC key.

In the meantime, enable Password protection to ban commonly used passwords (2000 in a list maintained by Microsoft plus up to 1000 custom words common in your organization/city/sports teams).

This works seamlessly for cloud only accounts and can easily be extended to on-premises AD. When you require your users to register for MFA, they also register for Self-Service Password Reset at the same time.

Block User Access

If you suspect or confirm that a user account has been compromised the first step should be to disable sign-in for the account in the Admin center.

You should be aware however that the user (or the attacker) isn’t immediately logged out from services they’re accessing, and it can take up to an hour until the block takes effect, due to the lifetime of refresh tokens.

The solution to this issue is Continuous access evaluation which today only applies to Exchange, Teams and SharePoint online connectivity and will block access in near real time (occasionally up to 15 minutes latency due to event propagation).

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.


In conclusion, safeguarding your Office 365 environment is paramount in today’s digital landscape.

By leveraging advanced security features such as Defender for Office 365 and comprehensive solutions like Hornetsecurity’s 365 Total Protection, coupled with meticulous auditing practices, you can fortify your defenses and protect your organization from evolving cyber threats.


Does Office 365 have security?

Yes, Office 365 incorporates robust security features to protect user data and ensure confidentiality, integrity, and availability of services. It includes features like threat protection, data loss prevention, multi-factor authentication, and more.

How do I enable security in Office 365?

Enable security features in Office 365 through the Security Center. Implement multi-factor authentication, configure threat protection policies, and use features like Purview Information Governance to enhance data security.

What is the best way to secure Office 365?

The best way to secure Office 365 involves a multi-layered approach:

  • Implement multi-factor authentication.
  • Configure Conditional Access policies in Entra ID.
  • Regularly update and patch software.
  • Educate users on security best practices.
  • Use advanced threat protection services.

How secure is the data in Microsoft 365?

Data in Microsoft 365 is highly secure. Microsoft employs encryption in transit and at rest, complies with industry standards, and offers features like Purview Information Protection and Data Loss Prevention to enhance data security. However, users should also implement best practices to ensure the security of their specific environment.

Mastering Endpoint Security with Microsoft Intune

Mastering Endpoint Security with Microsoft Intune

M365 E3 and E5 brings you Microsoft Intune, Microsoft’s mobile device management (MDM) cloud service. In this article we’ll look at how it can help you manage devices and PCs, mobile apps, protect company data, and enforce security policies.

There used to be an on-premises product called System Center Configuration Manager (SCCM), now called Microsoft Configuration Manager, which you can integrate tightly with Intune.

There used to be a requirement that Intune administrators were licensed for Intune but this is no longer the case. Endpoint analytics is an interesting part of Intune, using signals from your devices to pinpoint problematic or slow PCs, it’s part of the overall Adoption score.

If you have Windows 10/11 devices that serve specific functions (on a factory floor, at a nurses station in a hospital for example), you can use Cloud Configuration to easily manage them entirely using Intune, with scripted, baseline configuration settings.

Mobile Device Management

There are a couple of ways you can use Intune, if you have devices (smartphones, tablets, laptops) that are company owned you can enroll them in Intune.

This gives you a great deal of control over the device, including the ability to manage settings, apps and the option to wipe the device should it be lost or stolen.

You can also use Intune to manage OS updates for Windows devices, push out applications to devices, configure Wi-Fi profiles and deploy certificates as well as block iOS jailbroken and rooted Android devices.

If the device is a personal device, owned by the employee, they may not be comfortable with enrolling the device so you can use Mobile Application Management (MAM) for those devices.

Mobile Application Management

This less intrusive approach lets you create app protection policies (APP) across specific applications, with email being the classic example.

Users want to access business email on their personal smartphone so you put policies around it where they can only use Outlook (free mobile app for Android and iOS), not the built-in mail apps and you can further protect corporate data so that a user can’t copy business data to a non-business app (personal email app etc.).

If the device is lost or stolen, you can wipe the corporate data off it while leaving personal photos etc. untouched.

Picking between MDM and MAM is going to depend on many factors such as your userbase, your employment contracts, business and security needs and more; make sure you spend some time in the planning phase to get it right.

Another part of managing mobile applications might be to connect them back to on-premises resources securely, Microsoft now offers their own VPN for iOS and Android called Tunnel – and it’s integrated into the Microsoft Defender for Endpoint.

Microsoft Configuration Manager

If you have deployed MCM on-premises to manage your servers and traditional client PCs you can integrate Intune into your management flow through Co-management to leverage the best of both worlds and prepare your environment for a gradual migration to cloud management.

Don’t confuse this with Hybrid MDM which is the older, deprecated approach to marrying SCCM and Intune.

Intune Suite

In true Microsoft fashion there are add-ons for Intune that you may want to consider for your business, if they solve a particular business problem for you.

There are stand-alone add-ons, an Intune P2 plan and the full Intune Suite, which includes the following: Advanced endpoint analytics to track and optimize end user experiences, Endpoint Privilege Management which lets end users perform certain administrative tasks on their Windows device without being a local administrator and Microsoft Tunnel for MAM which extends the per-app VPN feature for Android and iOS apps to MAM.

There’s also Remote Help, which is a secure way to allow helpdesk to access the screen of staff to assist them and Managing specialty devices such as AR/VR headset and large smart screen devices.

To properly protect your Microsoft 365 environment, use Hornetsecurity one-of-a-kind services:

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.


We believe that now you can unlock enhanced security and efficiency with Microsoft Intune as one of your comprehensive solutions for device management and data protection.


What is Microsoft Intune used for?

Microsoft Intune is a cloud-based service that provides mobile device management (MDM) and mobile application management (MAM) capabilities. It allows organizations to manage and secure mobile devices, ensuring compliance with security policies and facilitating remote management.

What does Microsoft Intune give access to?

Microsoft Intune provides access to features such as:

  • Mobile Device Management (MDM)
  • Mobile Application Management (MAM)
  • Conditional Access Policies (through Entra ID)
  • Endpoint Security
  • Device Compliance Monitoring
  • Application Deployment and Management

What’s the benefit of Intune for your business?

Intune is used to the security and management of both computers and smartphones / tablet devices within an organization. It helps enforce security policies, manage device configurations, and protect corporate data on both company-owned and employee-owned devices, contributing to a more secure and controlled IT environment.