Enhancing Security with Microsoft 365 Ransomware Protection

Boosting Your Defenses: The Multilayered Ransomware Protection Method of Microsoft 365

The two main reasons why businesses have embraced Microsoft 365 so rapidly are hybrid working and reduced capital costs.

However, its sizable user base and rapid subscriber growth over the past two years have made the subscription-based suite (Exchange Online and the other Office 365 productivity apps, OneDrive for Business, SharePoint and Teams) an alluring target for attackers.

If your company uses Microsoft 365 (M365), you should be monitoring more than just user counts and collaboration minutes. Ransomware attacks have increased over the last few years, and the sensitive data you hold in M365 will be targeted more and more often.

Malicious actors are already trying to get malware into your environment, encrypt your data, and then demand a payment to unlock it.

Beyond that, attackers are hoping that your sensitive data in M365 is not fully protected so they can steal (exfiltrate) it and then demand a ransom to keep it from being released to the public.

This “double-extortion” tactic, in which data is both encrypted and exfiltrated, is spreading rapidly among ransomware operators. Whatever their strategy, they can severely damage your company’s finances and reputation, so your best bet is to keep planning ahead: it is not a matter of ‘if’, it is a matter of ‘when’.

Microsoft’s advice for fending off ransomware that targets your M365 data is straightforward: Make frequent data and content backups, and use third-party apps and services to store it. This is good advice, but it’s likely not enough.

Comprehending the Concept of Shared Responsibility

Microsoft is a hyperscale cloud and application provider operating on a shared responsibility model. In real terms, that means Microsoft pledges strong infrastructure security, high infrastructure reliability, and limited data protection, which includes certain data retention settings and versioning, which we’ll talk about next.

It never promises that your material will always be accessible. That’s a general assessment of its portion of the responsibility.

Maintaining the trust of your customers and the reputation of your brand depends equally on you. Your business data is yours. It is therefore your duty to safeguard your cloud data both now and in the future to ensure compliance with legal and business standards.

If your data is compromised, it is also your organization’s responsibility to restore it promptly. Your internal share of responsibility for M365, a mission-critical environment, is the main justification for following best practices and adding third-party apps and services that shield your data from ransomware attacks on top of the basic M365 protection.

Microsoft does include certain built-in features for storing data after it has been deleted or modified, but these aren’t reliable, unchangeable backups, more on that later.

Ransomware Around The Corner

Before launching a full-scale attack, attackers or their malware often penetrate a system and lie low for weeks or months, spreading to other systems in the meantime.

Furthermore, as you’ll see, versioning isn’t appropriate for ransomware recovery since, in order to guarantee that your restored data is free of ransomware infection, restores must occur from a specified point in time on the full data set rather than on individual files.

Ransomware-as-a-Service (RaaS) affiliate models make it easy for threat actors to scale their operations and target businesses of any size or industry.

Can Ransomware Infect Files Stored in OneDrive?

Yes, files kept in OneDrive can be encrypted by ransomware. The OneDrive sync client installed on your machine makes the cloud data directly accessible from the endpoint: ransomware running on that endpoint encrypts the files in the local sync folder, and the sync client then faithfully uploads the encrypted versions, overwriting the copies in the cloud and potentially corrupting all of your OneDrive files.

It’s crucial to remember that if you haven’t taken any precautions to secure your system or are using an out-of-date version of the program, your risk increases. To defend against online attacks, it is crucial to utilize additional tools like Microsoft Defender or a third party Endpoint Detection and Response (EDR) tool.

OneDrive offers built-in capabilities to restore your cloud data to a previous state, even after a ransomware attack: per-file version history, and Files Restore, which rolls an entire OneDrive back to a point in time within the last 30 days. This lets you recover to a state that existed before the ransomware ran. Additionally, there are solutions for backing up your Microsoft 365 data to an independent cloud backup repository, giving you a copy in the event that OneDrive’s restore points are unavailable or the attack happened longer ago than the restore window.

Backups VS Versioning

If you need more proof that native M365 data protection isn’t reliable enough for your data, consider the way it stores data. In contrast to true backup systems, M365 employs a method more akin to version control: it manages several revisions of the same data or files in place. Microsoft calls this in-place retention.

Stated differently, versioning occurs at the file level, with each file having its own version history. The drawback of this method is that a ransomware attack targets all files at once, at a specific point in time, so recovering means rolling every file back individually to the version that predates the attack.

Backup shouldn’t be considered the primary method of retention in use. Rather than being your “officially retained record,” backup has always served as the “copy of last resort that always exists.”

Because the backup was the sole copy of the content available for the retention period, search and retrieval of backed-up content unfortunately had to be built into the backup or archival system itself.

When versioning is enabled, you may track, store, and restore files in a library and items in a list as they change.

Used together with other settings such as checkout, versioning gives you control over the content that is published on your site. Versioning can also be used to view or restore previous iterations of a library or list.

You can use versioning to:

  1. Track History of a version: You can see when and by whom an item or file was modified when versioning is enabled. Additionally, you may view the dates of changes to the file’s properties. For instance, the version history contains information on changes made to a list item’s due date. Additionally, comments made by users upon checking files into libraries are visible.
  2. Go back to an earlier version: You can replace the current version with a prior one if you made a mistake in the current version, if the current version is corrupt, or if you just prefer the earlier version. The version that has been restored is now the latest one.
  3. Examine an earlier version: Viewing an earlier version won’t cause your current version to be overwritten. You can compare the two versions to see the differences if you are viewing version history in a Microsoft Office document, such as a Word or Excel file.

Microsoft 365 Ransomware Protection

Microsoft offers a range of capabilities and services through the Office 365 platform to assist your company in defending against ransomware threats.

Start by ensuring that all accounts use Multi-Factor Authentication, as identity is the main target for modern criminals: they don’t hack in, they sign in. Defender for Office 365 then helps stop ransomware spreading through email.

Microsoft Defender for Endpoint, on the other hand, is a next-generation antivirus and EDR product designed to identify and neutralize threats directly on Windows (and macOS, Linux, iOS and Android) devices. Combining these capabilities with other Microsoft 365 solutions gives you a layered approach to strengthening your company’s cybersecurity posture against malware threats.

To properly protect your Microsoft 365 environment, consider Hornetsecurity’s services, and visit the Hornetsecurity blog to keep up with the latest Microsoft 365 articles and practices.

Conclusion

Although the likelihood of a ransomware attack on Microsoft 365 is increasing, you can take precautions to keep your data safe by adhering to best practices for data security and learning how ransomware attacks arise and how they can be avoided.

It is important to put more sophisticated techniques like network segmentation and fundamental procedures like multi-factor authentication into practice.

Your best line of defense against a ransomware assault on your Microsoft 365 data is knowledge.

You can greatly lessen your exposure to these kinds of attacks by being aware of the dangers, the typical attack vectors and the countermeasures, and by training your users regularly. Furthermore, knowing what to do right away in the event that you become a victim can significantly reduce harm and possibly even help you retrieve lost data.

FAQ

Does Office 365 have ransomware protection?

Yes, Microsoft 365 has built-in safeguards against ransomware: Defender for Office 365 filters malicious email attachments and links, OneDrive offers ransomware detection and Files Restore, and SharePoint and OneDrive keep file version history. These reduce the risk of infection and help with recovery, but they are not a substitute for an independent backup.

Should I set up OneDrive for ransomware protection?

OneDrive provides basic recovery features rather than a true backup: file versioning lets you roll individual files back, ransomware detection warns you when many files are suddenly changed, and Files Restore rolls the whole OneDrive back to a point in time within the last 30 days. Set it up, but pair it with a separate backup for anything older or larger than that window.

Does Microsoft Defender protect against ransomware?

Microsoft Defender provides ransomware protection. It uses cutting-edge threat prevention techniques to identify, stop, and handle ransomware threats.

The Importance of Backup in Microsoft 365

In this article we look at the need for data protection in Microsoft 365 – what Microsoft is responsible for – and what your organization is responsible for.

Native Data Resiliency

Like any capable cloud service, Microsoft takes the availability of customer data in M365 very seriously. Exchange mailboxes are kept in four copies: three up-to-date ones and a fourth, lagged copy (up to 24 hours behind).

This last copy is used in case of a systemic corruption of the other three copies. These four copies are distributed across at least two datacenters. All of this is handled automatically by the system and not something end users will notice.

SharePoint and OneDrive for Business storage similarly relies on data being stored in two separate Azure regions; a write is only considered complete once it has been successfully written to both regions. The underlying storage is append-only, so earlier data can’t be overwritten, corrupted or encrypted by an attacker, only superseded by a newer version.

This versioning also allows the restore of previous versions of files.

Sounds good right? Microsoft clearly takes steps to protect my data, so I don’t have to worry about it? Not so fast – everything described above is about data resiliency, and high availability of your data. What it doesn’t provide, outside of some limited options, is backup of your data.

Backups are copies of your production data, held in a separate system, that are regularly (every hour, every day) copied from production to the backup location. This provides the following features:

  • The ability to “go back in time” and restore emails / documents / mailboxes / sites to a previous point in time – either to a production location, or a separate export location.
  • The ability to access your production data in case of a catastrophic failure or outage of services in Microsoft 365.

In other words, data resiliency / high availability is not the same as backup. They’re related but serve different purposes. Depending on your business needs or which compliance regulations you must comply with, you may need both.

Let’s cover your native options for restoring earlier versions of data. With Exchange items (emails, contacts, calendar appointments), when they’re deleted you can recover them from the Outlook Deleted Items folder.

They’re kept there indefinitely unless you change the policy in your tenant. If they’re deleted from the Deleted Items folder, you can recover them for up to 14 days from the Recoverable Items hidden folder.

You’ll need to train your users how to do this themselves, or make sure your helpdesk team is prepared to assist on a regular basis as the user interface isn’t exactly intuitive.

In SharePoint / OneDrive for Business deleted documents are kept by default for 93 days, first in a user accessible recycle bin, and if they’re purged from there, in an administrator accessible recycle bin.

Again, the restore process for a document deleted by mistake isn’t straightforward so some training will be required.

To alter the defaults, you can use Retention Policies to keep items for longer (they’re available for restore, even if users delete them out of their Deleted Items folder), these can be applied to both Exchange and SharePoint data.

For Exchange you can also use Litigation Hold (and, in older tenants, In-Place Hold) on selected mailboxes to manage retention.
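The native Exchange retention settings above are easy to leave at their defaults without noticing. The following script is an added example, not from the original article, that audits them across every user mailbox and raises the Recoverable Items window to the maximum Exchange Online allows. It assumes the ExchangeOnlineManagement module is installed and that the account used (admin@contoso.com is a placeholder) holds an Exchange administrator role.

```powershell
# Added example (not from the original article): audit and tighten the native
# Exchange Online retention settings described above. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account
# (placeholder UPN below) holds an Exchange admin role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com   # placeholder UPN

# 1. Report: how long purged items survive in Recoverable Items and whether a
#    Litigation Hold is in place, for every user mailbox.
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
$report = $mailboxes | Select-Object DisplayName, UserPrincipalName,
    RetainDeletedItemsFor, LitigationHoldEnabled, LitigationHoldDuration

# Mailboxes still on the 14-day default have the smallest recovery window
# after a user empties Deleted Items.
$onDefault = $report | Where-Object { $_.RetainDeletedItemsFor -le [TimeSpan]::FromDays(14) }
$onDefault | Format-Table -AutoSize

# 2. Extend the Recoverable Items window to 30 days, the maximum this setting
#    supports in Exchange Online. Anything longer needs a retention policy or
#    a Litigation Hold, not this setting.
foreach ($mbx in $onDefault) {
    Set-Mailbox -Identity $mbx.UserPrincipalName -RetainDeletedItemsFor 30.00:00:00
}

# 3. Mailboxes that must be preserved regardless of what the user deletes
#    (executives, finance) get a Litigation Hold; the duration is in days.
#    Uncomment and adjust the identity before running.
# Set-Mailbox -Identity ceo@contoso.com -LitigationHoldEnabled $true -LitigationHoldDuration 2555

Disconnect-ExchangeOnline -Confirm:$false
```

Run the report step first and keep the output: it is the evidence you will want when a user reports a missing item and you need to know whether it can still be recovered natively or has to come from backup.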

365 Total Backup

If you’re looking to avoid the challenges of using the built-in data protection features as a recovery solution, Hornetsecurity provides a comprehensive M365 backup and recovery solution, 365 Total Backup, available standalone or as part of 365 Total Protection Compliance & Awareness.

This protects mailboxes, Teams Chat, OneDrive for Business storage, SharePoint sites, plus Windows endpoints. It’s simple to set up and provides comprehensive protection across your entire tenant.


Conclusion

In summary, while Microsoft 365 ensures data resiliency, resiliency is not the same as backup. Backup solutions offer crucial capabilities such as restoring data to a previous point in time and accessing your data during an outage. Consider options like Hornetsecurity’s 365 Total Backup for comprehensive protection.

FAQ

Does Microsoft 365 have a backup?

Microsoft 365 provides basic data retention features but doesn’t offer a comprehensive backup solution (although one is in preview from Microsoft at this time). While it retains deleted items for a limited time, a dedicated backup strategy is recommended for robust data protection.

How do I set up a Microsoft 365 backup?

To set up a Microsoft 365 backup:

  • Consider third-party backup solutions like Hornetsecurity.
  • Select a solution that aligns with your backup needs.
  • Follow the provider’s instructions to configure and schedule backups.

How do I backup my OneDrive in Microsoft 365?

To backup your OneDrive in Microsoft 365:

  • Choose a backup solution compatible with OneDrive.
  • Install and configure the selected backup tool.
  • Set up backup policies, including frequency and retention.
  • Monitor and verify backups to ensure data integrity.
Advanced Threat Protection in Microsoft 365

There are many security tools built into the O365 platform, but when you move to M365 E3 or E5, you unlock a whole new set of advanced features for securing your business.

In this article, we’re going to look at these tools, except for Endpoint Manager, which we have covered here, and Windows 11, which we covered in this article.

Microsoft 365 Defender

Nearly all of Microsoft’s M365-focused security products carry the Defender brand, and the central console for working with them is security.microsoft.com.

Here you’ll find a comprehensive Extended Detection and Response (XDR) service that collects data from email, identity, endpoints, cloud services and alerts you to intruders across your M365 digital estate.

Here’s a rundown of the different Defender services. Beyond these, Microsoft also offers Microsoft Sentinel, a cloud-based SIEM; Microsoft Defender for Cloud, for Azure, AWS and GCP IaaS and PaaS workloads; and Entra for identity management and protection.

Microsoft Defender for Endpoint (MDE)

Microsoft Defender for Endpoint (MDE) is a full-fledged Endpoint Detection and Response (EDR) security solution using Machine Learning (ML) behavior analytics for Windows, MacOS, Linux servers, iOS, and Android devices.

It inventories installed applications (Windows and MacOS) and through Threat and Vulnerability Management (TVM) prioritizes which applications bring the most severe risks to your organization based on how widely deployed each application is and the severity of the disclosed vulnerability.

MDE also provides attack surface reduction rules and next-generation protection, along with many other security features. MDE is available with M365 E5 / E5 Security or as a standalone license.

Microsoft Defender for Identity (MDI)

With M365 E5 you can step up to Defender for Identity (MDI) which monitors your Active Directory Domain Controllers, and your Active Directory Federation Servers with only lightweight agents, the rest is taken care of by the cloud service.

An attacker who establishes a foothold on a device in your network will almost always have to touch AD to move laterally and escalate privileges, and MDI is designed to catch them when they do.

Microsoft Defender for Cloud Apps

Once upon a time when your users stayed in the corporate office all you needed to protect them was a good firewall but in today’s world of “work anywhere, on any device” you need a new type of tool to protect them, a cloud access security broker.

Microsoft Defender for Cloud Apps (MDA) is part of M365 E5 and protects your users in real time when they access cloud services. The catalogue of over 31,000 different cloud services gives IT a way to discover and manage Shadow IT (cloud services that users have provisioned without the IT department knowing) across your user base.

Secure Score

How do you know what’s most important to attend to? And where in all the different portals (or PowerShell) do you go to configure each setting? The answers to these questions are in Secure Score, now part of the Security portal.

Here you see an overall score for your tenant (for Identity / Data / Device / Apps and Infrastructure controls) and can compare it to the global average across M365, the average for your industry and for businesses of the same size.

As you implement more controls your score increases (it can take 24-48 hours to update), and you can track your progress on the History tab. Secure Score is the BEST place to start improving your tenant’s security posture.

I’d like to highlight another control (apart from MFA) that’ll gain you a quick win to improve overall security – blocking legacy authentication. This is because even if you have enabled MFA, attackers can still access your user’s accounts with just a username and password through older protocols that don’t support MFA.

To investigate if there are any legitimate connections using these older protocols (which will need to be upgraded or exempt from your block legacy authentication policy) go to the Azure AD portal, click on Sign-ins under monitoring, click Add filters, pick Client app, then click “None selected” and add all 13 legacy connection options.

Once you’re certain there are no legitimate needs for legacy authentication, use CA policies to block it.
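The two steps just described, reviewing sign-in logs for legacy protocols and then blocking them with a Conditional Access policy, can be scripted. The following is an added example, not from the original article, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the signed-in account can consent to the listed scopes; the policy is created in report-only mode so that nothing is blocked until you have reviewed the report.

```powershell
# Added example (not from the original article): (a) list sign-ins from the
# last 30 days that used legacy authentication, and (b) create a Conditional
# Access policy that blocks legacy authentication in report-only mode.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# consent to the scopes below.
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All',
    'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess'

# Client app names that Entra ID reports for legacy (non-modern) protocols;
# these are the 13 options offered by the Client app filter in the portal.
$legacyClientApps = @(
    'Authenticated SMTP', 'AutoDiscover', 'Exchange ActiveSync',
    'Exchange Online PowerShell', 'Exchange Web Services', 'IMAP4',
    'MAPI Over HTTP', 'Offline Address Book', 'Other clients',
    'Outlook Anywhere (RPC over HTTP)', 'POP3', 'Reporting Web Services', 'SMTP'
)

$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

# Filter client-side so the list above is the single source of truth.
$legacy = $signIns | Where-Object { $legacyClientApps -contains $_.ClientAppUsed }

# Who is still using which protocol, and whether it worked (ErrorCode 0 =
# success). Successful legacy sign-ins are the ones that need a migration
# plan or an exception group before enforcement.
$legacy |
    Group-Object UserPrincipalName, ClientAppUsed |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Group[0].UserPrincipalName
            ClientApp  = $_.Group[0].ClientAppUsed
            Attempts   = $_.Count
            Successful = ($_.Group | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
            LastSeen   = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
        }
    } | Sort-Object Successful -Descending | Format-Table -AutoSize

# Report-only policy: the client app types "exchangeActiveSync" and "other"
# together cover every legacy protocol. Change state to 'enabled' once the
# report above is clean or the remaining users are excluded.
$policy = @{
    displayName = 'Block legacy authentication (report-only)'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('exchangeActiveSync', 'other')
        applications   = @{ includeApplications = @('All') }
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @()   # add your break-glass / exception group ID here
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Report-only mode logs what the policy would have done in the sign-in log’s Conditional Access tab; give it a week or two of normal business before switching the state to enabled, and always exclude a break-glass account.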

The concept of Secure Score has spread to other parts of M365: in Compliance Manager there’s Compliance Score, which indicates how compliant your business is with the regulatory frameworks you have to meet.

Microsoft has recently added hundreds of additional regulations from all over the world to help you track your compliance and assign tasks to users to achieve and maintain it.

To manage compliance for your SharePoint and OneDrive sites and their security posture / sharing settings using the built in tools is an exercise in frustration as they’re spread across several portals.

In contrast, Hornetsecurity’s 365 Permission Manager provides a single pane to see the settings for every site in your tenant, apply policies, remediate compliance violations, see all access that a particular user has, produce reports and much more.

Security Is Everyone’s Responsibility

The sad truth is that most small to medium businesses don’t implement nearly enough of the features they have already paid for and even large enterprises struggle to get these protections in place for all their users.

This is partly due to the inherent complexity of many of Microsoft’s native security features – remember the saying, “Complexity is the enemy of security”.

That’s why many organizations are turning to third-party security solutions like Hornetsecurity to help them make key security features more accessible and reduce complexity.

On the other hand, security neglect also stems from a certain carelessness: in many businesses a mindset from the on-premises era still prevails, in which (almost) everything was thought to be taken care of by a firewall, and the IT department would handle the rest.

The world is a different place today: We must understand that the responsibility for security is in all of our hands and that our cyber defense chain can only be as strong as its weakest link.

Consider security awareness training for employees since it is essential to reduce the risk of cyberattacks, prevent data breaches, and ensure compliance with regulations. It empowers employees to recognize and respond to security threats, fostering a strong cybersecurity culture and protecting both company assets and reputation.

Ultimately, investing in awareness training leads to cost savings and a safer digital environment.


Conclusion – Keeping Microsoft Honest

If the thought of paying for the underlying platform from Microsoft, and then paying again for the additional security features on top doesn’t sit right with you, consider a third-party solution for your M365 security and compliance needs.

Hornetsecurity offers several different plans with powerful Advanced Threat Protection for your email, data loss prevention (DLP), security awareness service (end user phishing simulation and training), email encryption, email archiving and more.

Hornetsecurity also offers an entire free eBook focused on securing a Microsoft 365 tenant, The Microsoft 365 Security Checklist. It covers all the security settings and configurations you need to know for each M365 license to properly secure your environment and goes into more detail of the actual settings than outlined here.

FAQ

What is Microsoft Defender for Office 365?

Microsoft Defender for Office 365 (MDO) is a cloud-based security service that helps safeguard against advanced cyber threats in email and Teams communications. It provides protection against malicious links, attachments and phishing emails, enhancing the overall security posture of Microsoft 365 environments.

What is Microsoft Defender XDR?

Microsoft Defender XDR combines Defender for Endpoint (Windows, MacOS, Linux, iOS and Android), Defender for Office 365, Defender for Identity and Defender for Cloud Apps into a single console, and single comprehensive protection platform.

What does Defender for Office 365 provide?

Defender for Office 365, offers several key functions:

  • Safe Attachments: Scans email attachments for malicious content before delivery.
  • Safe Links: Checks and rewrites URLs in emails to protect against phishing and malicious websites.
  • Anti-Phishing Policies: Detects and mitigates phishing attempts through machine learning and user-reported signals.
  • Real-time Threat Intelligence: Utilizes cloud-based intelligence to identify and respond to emerging threats.
The Importance of Security in Office 365

In the early days of cloud computing there was a lot of concern around the security of data moved to “someone else’s datacenter”. I think it’s clear to most CISOs today that the big providers do a much better job of IT security than most businesses can do (or have the budget to do).

Their incentive is also strong, if a large breach happened it could affect many thousands of businesses and so they spend a lot of money on making sure their clouds are as secure as they can be.

That doesn’t mean however that you can leave it all to Microsoft, there’s something called the Shared Responsibility Model and all cloud providers have some version of this.

There are some areas that are still your responsibility such as the endpoints that your users use to access cloud services, any on-premises infrastructure that’s operating in a hybrid mode with O365 and user provisioning and de-provisioning.

There are also many security controls in O365 that you need to customize to suit your business, where you and Microsoft share the security responsibility. In this article we’ll look at these controls and where and how you configure them.

A New Approach to Cloud Security

The foundation for “how you think about security” should be Zero Trust, instead of trusting a connection based on where it’s coming from (“if it’s on the internal LAN it’s safe, from the outside it’s dangerous”), every access is checked against your Conditional Access rules which gives you a much better security posture.

Base your security on identity, which is the new perimeter, and keep up with new features in the security space.

When thinking about how to defend your systems, don’t forget to take into account attackers moving from on-premises to the cloud, as we saw in the SolarWinds breach.

If you have M365 E5 licensing, you can use attack simulation training to test your users with fake phishing emails and provide bite sized training automatically to them based on their propensity to fall for them. If you’d like more control and optimization, try out Hornetsecurity’s Security Awareness Service which delivers fully automated benchmarking, spear-phishing-simulation and e-training to sensitize and protect employees against cyber threats.

Remember Entra ID Premium P1 & P2, which you can purchase as add-ons to O365 (P1 is included in M365 E3 and P2 in M365 E5); we covered their security features in this article.

There’s a strong argument to be made that relying on Microsoft both to provide the platform (Office 365) and also paying extra for advanced security features from the same company is a conflict of interest.

After all, Microsoft could include more security features in the base platform (Office 365 E3 and Microsoft 365 E3 for example), rather than charging extra for them.

As such, many enterprises choose to opt for a third-party service for advanced security services on top of the base platform, such as Hornetsecurity’s 365 Total Protection.

365 Total Protection

365 Total Protection is a cloud-based security solution that covers all aspects of an organization’s Microsoft 365 security management and data protection: email security, backup and recovery, compliance, permission management and security awareness.

The solution is specifically developed for Microsoft 365 and requires no hardware, software, or maintenance, while providing much-needed layers of additional security and data protection against spam, malware, and advanced threats.

365 Total Protection from Hornetsecurity comes in four different plans:

  1. 365 Total Protection Business gives you state of the art email security, spam and malware protection, signatures, and encrypted email.
  2. 365 Total Protection Enterprise adds email archiving, 10-year retention, eDiscovery, Advanced Threat Protection (ATP) sandboxing of suspect emails, URL scanning, QR code analyzer.
  3. 365 Total Protection Enterprise Backup adds automated backup of mailboxes, Teams, OneDrive and SharePoint and easy recovery, Windows endpoint backup and recovery.
  4. 365 Total Protection Compliance & Awareness adds Permission Manager, Security Awareness Service and AI Recipient Validation to the offering.

This wide range of Microsoft 365 security and compliance features is available in one package and in one license.

365 Permission Manager

One of the three pillars of Zero Trust, using least-privilege access, is remarkably hard to achieve at scale. This is particularly evident in SharePoint and OneDrive where you not only have a complex set of overlapping permission options, but also sharing of files and sites with external users, either through SharePoint, OneDrive, and now also commonly through Teams.

Inventorying all the permissions that have been granted, and reporting on them, requires browsing multiple screens or running PowerShell scripts.

There’s also no easy way to “right-size” permissions when they’re too broad, nor a quick way to revoke permissions across all sites when, for example, a user account is discovered to have been compromised.

A unique product from Hornetsecurity, 365 Permission Manager alleviates all these issues, and more. A centralized dashboard shows you all your sites, and how compliant they are with your sharing policies.

To right-size permissions use the simple Fix button, or in the case of genuine business requirements for an exception to policy, Approve a special case.

Built-in or custom policies that control external sharing, internal sharing and associated settings can be applied to individual SharePoint sites or OneDrive locations, improving governance and risk management considerably.

You can also see permissions across SharePoint, OneDrive, and Teams for a selected user, very useful when you suspect an account compromise, or perhaps in the case of an insider risk investigation.

Another very useful feature is Quick Actions, which lets you perform bulk actions to manage permissions and maintain a compliant SharePoint, Teams and OneDrive infrastructure.

Microsoft Purview Information Protection

All the governance, Data Loss Prevention (DLP) and Information Protection features in M365 come under the Purview umbrella, with the portal located at compliance.microsoft.com.

Using labels to classify data, either manually or automatically through crawling documents or emails lets you start to govern your business information. Once a document has been labeled you can use MIP or OME to protect it (see below), or control access on Windows endpoints through policy as well as manage access in Office for Mac, Windows, iOS and Android.

Microsoft Information Protection

One of the most powerful and least deployed features is the ability to protect documents, no matter where they live. Traditional file / SharePoint document sharing tightly controlled access at the server level but as soon as a document is emailed to someone, or stored on a USB drive, that control is lost.

With Microsoft Information Protection (MIP) you can set up labels and rules that encrypt documents and that carry their user access with them so no matter how they’re shared, only the right people have access.

If you’re getting started with MIP, you’ll be using the built-in client in the Office apps on Windows, Mac, iOS and Android. It’s important to configure super user accounts so that you can access documents when a user leaves the company.

The list of sensitive information types (SITs) grows ever longer and it’s now possible to customize the confidence levels of rules, copy the built-in ones and customize them and create larger keyword dictionaries (catch every mention of a staff ID tag, or patient record number).

It’s possible to co-author protected documents in real time (with AutoSave support!) and in larger deployments you can use variables in MIP rules to facilitate per-app content marking.

You can apply labels (and optionally document encryption) to documents, SharePoint online sites, and on-premises SharePoint and file shares. You can also scan images using Optical Character Recognition (OCR) to catch sensitive information in screenshots and the like.

Sensitivity labels are now also available for SharePoint sites, M365 groups and Teams. These container labels don’t apply to the content stored in those locations; instead they manage the privacy of the container and external user access, and can integrate with Conditional Access policies, for example to block access from unmanaged devices.

You can however configure a default sensitivity label for a SharePoint site.

Office 365 Message Encryption

Just as MIP lets you share protected documents with anyone, O365 Message Encryption lets you send emails to anyone and know that only the intended recipient can read them.

As with MIP, you can set up rules so that emails containing specific information (credit card numbers, social security numbers) are encrypted automatically.
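To make the rule mechanics behind the two paragraphs above concrete, here is an added Python example (not code from the article, and not Microsoft’s or Hornetsecurity’s implementation) of how a SIT-style rule combines a pattern, a checksum and nearby keywords into a confidence level that an auto-encrypt policy can act on. The card-number rule uses the Luhn check that card-number SITs apply; the patient-record and staff-ID formats, the keyword lists and the sample text are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample content (not from the original article).
SAMPLE_TEXT = (
    "Customer record: card number 4111 1111 1111 1111, expires 12/27.\n"
    "Unrelated reference 4111 1111 1111 1112 from the parts catalogue.\n"
    "Ledger entry 5500 0000 0000 0004 posted without description.\n"
    "Patient Record Number PRN-00421 was admitted yesterday.\n"
    "The staff ID tag for the new hire is EMP-10934.\n"
)


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the validation step card-number SITs apply to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class SensitiveInfoType:
    name: str
    pattern: re.Pattern
    keywords: tuple = ()                                 # supporting evidence (keyword dictionary)
    window: int = 40                                     # characters of context searched
    checksum: Optional[Callable[[str], bool]] = None     # optional validator of the match


@dataclass
class Finding:
    sit: str
    value: str
    confidence: str     # "high" when supporting keywords are nearby, otherwise "medium"


# Hypothetical SIT definitions; the PRN-/EMP- formats are invented for this demo.
SITS = [
    SensitiveInfoType(
        name="Credit Card Number",
        pattern=re.compile(r"\b(?:\d[ -]?){15}\d\b"),
        keywords=("card number", "credit card", "visa", "mastercard"),
        checksum=luhn_valid,
    ),
    SensitiveInfoType(
        name="Patient Record Number",
        pattern=re.compile(r"\bPRN-\d{5}\b"),
        keywords=("patient record", "patient"),
    ),
    SensitiveInfoType(
        name="Staff ID Tag",
        pattern=re.compile(r"\bEMP-\d{5}\b"),
        keywords=("staff id", "employee id", "badge"),
    ),
]


def classify(text: str, sits: List[SensitiveInfoType] = SITS) -> List[Finding]:
    """Run every SIT over the text, dropping matches that fail their checksum."""
    findings = []
    for sit in sits:
        for m in sit.pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if sit.checksum and not sit.checksum(digits):
                continue
            lo, hi = max(0, m.start() - sit.window), m.end() + sit.window
            nearby = any(k in text[lo:hi].lower() for k in sit.keywords)
            findings.append(Finding(sit.name, m.group(0), "high" if nearby else "medium"))
    return findings


def should_encrypt(text: str, min_confidence: str = "high") -> bool:
    """Policy decision: encrypt automatically once a finding meets the configured confidence."""
    rank = {"medium": 1, "high": 2}
    return any(rank[f.confidence] >= rank[min_confidence] for f in classify(text))


if __name__ == "__main__":
    for f in classify(SAMPLE_TEXT):
        print(f"{f.sit:22} {f.value:22} confidence={f.confidence}")
    print("auto-encrypt:", should_encrypt(SAMPLE_TEXT))
```

Running it on the sample shows the three behaviours the article describes: the second card number is dropped by the checksum, the ledger entry is only a medium-confidence hit because no supporting keyword sits near it, and lowering `min_confidence` to "medium" is the equivalent of loosening the rule’s confidence level in the policy.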

Data Loss Prevention (DLP)

The aim of Data Loss Prevention (DLP) is to help users do the right thing by alerting them when they’re about to share sensitive data through email, SharePoint Online, OD4B or Teams.

It can also be integrated with MIP as Microsoft continues to unify labeling and protection across M365. DLP has been extended to Windows 10 and 11 with Endpoint DLP, which can block uploading documents with sensitive content to cloud storage, copying sensitive information to the clipboard, USB storage or network shares, and printing it.

There’s also an extension for Google Chrome that extends DLP protection to browser tasks. DLP also reaches on-premises data through the MIP Scanner, which finds sensitive documents, and alert management for DLP violations is vastly improved.

Exchange Online Protection (EOP)

Exchange Online Protection (EOP) is the mail hygiene solution for Office 365 and can also protect your on-premises Exchange mailboxes if you’re in a hybrid deployment (Exchange Online article).

There are a few settings you can control in EOP, as well as some additional configuration you should consider for complete spam protection: Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting, and Conformance (DMARC) and DomainKeys Identified Mail (DKIM).
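Checking those three records is something you should do for every sending domain in the tenant. As an added example (not from the article and not a Hornetsecurity tool), here is a Python checker that evaluates SPF, DMARC and DKIM records against a constructed in-memory DNS table and reports the weak settings a reviewer looks for: a missing record, a softfail or `+all` SPF, a DMARC policy of `none`, a missing reporting address and a revoked DKIM key. The domain names and records are invented; `spf.protection.outlook.com` is the standard Microsoft 365 SPF include. Nested SPF includes are not expanded, so the lookup count is a lower bound.

```python
import re
from typing import Dict, List

# Constructed TXT records standing in for a tenant's DNS zone (not from the article).
# "spf.protection.outlook.com" is the standard Microsoft 365 SPF include; all else is invented.
FAKE_DNS: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:spf.protection.outlook.com include:_spf.mailer.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "selector1._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBg(constructed key)"],
    "hardened.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test; adkim=s; aspf=s"],
    "selector1._domainkey.hardened.test": ["v=DKIM1; k=rsa; p=MIIBIjANBg(constructed key)"],
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10   # RFC 7208 caps DNS-querying terms at 10 per evaluation


def lookup_txt(name: str, dns: Dict[str, List[str]] = FAKE_DNS) -> List[str]:
    """Stand-in for a DNS TXT query; swap in a real resolver for live checks."""
    return dns.get(name.lower(), [])


def parse_tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _mechanism(term: str) -> str:
    """Mechanism name of an SPF term without its qualifier or argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]


def evaluate_spf(domain: str, dns=FAKE_DNS) -> List[str]:
    records = [r for r in lookup_txt(domain, dns) if r.lower().startswith("v=spf1")]
    if not records:
        return ["missing SPF record"]
    if len(records) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    issues = []
    terms = records[0].split()[1:]
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        issues.append("'+all' authorizes every sender on the internet")
    elif all_term == "~all":
        issues.append("softfail '~all': move to '-all' once every sender is listed")
    elif all_term == "?all":
        issues.append("neutral '?all' gives receivers no guidance")
    lookups = sum(1 for t in terms if _mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > SPF_LOOKUP_LIMIT:      # nested includes are not expanded here
        issues.append(f"{lookups} DNS-querying terms exceed the limit of {SPF_LOOKUP_LIMIT}")
    return issues


def evaluate_dmarc(domain: str, dns=FAKE_DNS) -> List[str]:
    records = [r for r in lookup_txt(f"_dmarc.{domain}", dns) if r.lower().startswith("v=dmarc1")]
    if not records:
        return ["missing DMARC record"]
    tags = parse_tags(records[0])
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: move to p=reject once reports are clean")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports to review")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of mail")
    return issues


def evaluate_dkim(domain: str, selectors: List[str], dns=FAKE_DNS) -> List[str]:
    issues = []
    for selector in selectors:
        records = lookup_txt(f"{selector}._domainkey.{domain}", dns)
        if not records:
            issues.append(f"selector {selector}: no DKIM record")
            continue
        if not parse_tags(records[0]).get("p"):
            issues.append(f"selector {selector}: empty p= tag, key is revoked")
    return issues


def assess(domain: str, selectors: List[str], dns=FAKE_DNS) -> Dict[str, List[str]]:
    """Collect findings for all three mechanisms; an empty list means no issue found."""
    return {
        "spf": evaluate_spf(domain, dns),
        "dmarc": evaluate_dmarc(domain, dns),
        "dkim": evaluate_dkim(domain, selectors, dns),
    }


if __name__ == "__main__":
    for d in ("example.test", "hardened.test"):
        print(d, assess(d, ["selector1"]))
```

For a live check, replace `lookup_txt` with a real resolver and pass the DKIM selectors your mail services publish; the `hardened.test` records show the target state (`-all`, `p=reject`, strict alignment) that the `example.test` domain has not yet reached.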

If you find that EOP isn’t catching enough malicious emails, consider third-party services. Hornetsecurity offers a free tool called Threat Monitor (requiring no changes to your MX records) that identifies advertising emails (spam), threats and advanced threats, and lets you delete them from users’ mailboxes.

Threat Monitor provides valuable email statistical data for your tenant as to what EOP is missing, making the case for upgrading email hygiene services easier.

Defender for Office 365

Defender for O365 protections (available in O365 E5 or as standalone add-ons) builds on top of EOP and gives you Safe Attachments where attachments in incoming emails that may be malicious are opened inside a VM and checked before they’re delivered to end users.

Safe Links checks that links in emails and Office files aren’t malicious at the time users click on them. Anti-phishing detects attempts to impersonate users. These protections also extend to SharePoint, OD4B and Teams.

If you find Defender for Office 365 too pricey (it’s included in M365 E5 and E5 Security, or available as a separate add-on), have a look at Hornetsecurity’s 365 Total Protection, which comes in a Business and an Enterprise flavor.

Business gives you granular control over email categories and content so that you can block unwanted emails.

You can set email signatures with company disclaimers and use either PGP or S/MIME for email encryption, with certificate handling built in.

The Enterprise flavor adds email archiving / journaling with up to 10 years retention, eDiscovery, sandbox analysis of attachments, URL rewriting and scanning (both in emails and in attachments), and Contingency Covering, an email failover environment used when Microsoft 365 is down.

Auditing

One of the great features of the unified platform of O365 is the ability to audit user and administrator actions across the entire platform.

At a minimum you want to configure alerting on Entra ID actions. Go to the Compliance portal – Search – Audit log search to see all the different activities you can audit and report on, and create Alert policies for.

By default, Office 365 audit logs are kept for 180 days (Entra ID logs for 30 days), which may not be sufficient for your business or regulations you must comply with.

You have two options: use a third-party service to continuously export the logs and archive them for the period you require, or assign M365 E5 (or M365 E5 Compliance / Discovery & Audit) licenses to the users whose logs you want to keep for longer. This unlocks the ability to keep the logs for 1 or 10 years.

Say Goodbye to Passwords?

Ultimately the best way to manage passwords is to have none stored in your directory and none used by your users; this is called passwordless.

There are many steps on the journey towards this goal. Today you can use the Authenticator app to sign in to an Azure AD account (not as a second factor but as the only factor), Windows Hello for Business, or a FIDO2 hardware USB/NFC key.

In the meantime, enable Password protection to ban commonly used passwords (2000 in a list maintained by Microsoft plus up to 1000 custom words common in your organization/city/sports teams).

This works seamlessly for cloud only accounts and can easily be extended to on-premises AD. When you require your users to register for MFA, they also register for Self-Service Password Reset at the same time.

Block User Access

If you suspect or confirm that a user account has been compromised the first step should be to disable sign-in for the account in the Admin center.

Be aware, however, that the user (or the attacker) isn’t immediately signed out of the services they’re accessing; it can take up to an hour until the block takes effect, due to the lifetime of refresh tokens.

The solution to this issue is Continuous access evaluation, which today only applies to Exchange Online, Teams and SharePoint Online connectivity and blocks access in near real time (occasionally with up to 15 minutes latency due to event propagation).

To properly protect your Microsoft 365 environment, use Hornetsecurity’s one-of-a-kind services.

To keep up with the latest Microsoft 365 articles and practices, visit our Hornetsecurity blog now.

Conclusion

In conclusion, safeguarding your Office 365 environment is paramount in today’s digital landscape.

By leveraging advanced security features such as Defender for Office 365 and comprehensive solutions like Hornetsecurity’s 365 Total Protection, coupled with meticulous auditing practices, you can fortify your defenses and protect your organization from evolving cyber threats.

FAQ

Does Office 365 have security?

Yes, Office 365 incorporates robust security features to protect user data and ensure confidentiality, integrity, and availability of services. It includes features like threat protection, data loss prevention, multi-factor authentication, and more.

How do I enable security in Office 365?

Enable security features in Office 365 through the Security Center. Implement multi-factor authentication, configure threat protection policies, and use features like Purview Information Governance to enhance data security.

What is the best way to secure Office 365?

The best way to secure Office 365 involves a multi-layered approach:

  • Implement multi-factor authentication.
  • Configure Conditional Access policies in Entra ID.
  • Regularly update and patch software.
  • Educate users on security best practices.
  • Use advanced threat protection services.

How secure is the data in Microsoft 365?

Data in Microsoft 365 is highly secure. Microsoft employs encryption in transit and at rest, complies with industry standards, and offers features like Purview Information Protection and Data Loss Prevention to enhance data security. However, users should also implement best practices to ensure the security of their specific environment.

Mastering Endpoint Security with Microsoft Intune

M365 E3 and E5 bring you Microsoft Intune, Microsoft’s mobile device management (MDM) cloud service. In this article we’ll look at how it can help you manage devices and PCs and mobile apps, protect company data, and enforce security policies.

The on-premises product formerly called System Center Configuration Manager (SCCM), now Microsoft Configuration Manager, can be integrated tightly with Intune.

Intune administrators used to require an Intune license, but this is no longer the case. Endpoint analytics is an interesting part of Intune: it uses signals from your devices to pinpoint problematic or slow PCs, and it feeds into the overall Adoption score.

If you have Windows 10/11 devices that serve specific functions (on a factory floor or at a nurses’ station in a hospital, for example), you can use Cloud Configuration to manage them entirely with Intune, using scripted, baseline configuration settings.

Mobile Device Management

There are a couple of ways you can use Intune. If you have company-owned devices (smartphones, tablets, laptops), you can enroll them in Intune.

This gives you a great deal of control over the device, including the ability to manage settings, apps and the option to wipe the device should it be lost or stolen.

You can also use Intune to manage OS updates for Windows devices, push out applications, configure Wi-Fi profiles and deploy certificates, as well as block jailbroken iOS and rooted Android devices.

If the device is a personal device owned by the employee, they may not be comfortable enrolling it, so you can use Mobile Application Management (MAM) for those devices instead.

Mobile Application Management

This less intrusive approach lets you create app protection policies (APP) across specific applications, with email being the classic example.

Users want to access business email on their personal smartphones, so you put policies around it: they can only use Outlook (a free mobile app for Android and iOS), not the built-in mail apps, and you can further protect corporate data so that a user can’t copy business data to a non-business app (a personal email app, for example).

If the device is lost or stolen, you can wipe the corporate data off it while leaving personal photos etc. untouched.

Picking between MDM and MAM is going to depend on many factors such as your userbase, your employment contracts, business and security needs and more; make sure you spend some time in the planning phase to get it right.

Another part of managing mobile applications might be connecting them back to on-premises resources securely. Microsoft now offers its own VPN for iOS and Android called Tunnel, and it’s integrated into Microsoft Defender for Endpoint.

Microsoft Configuration Manager

If you have deployed MCM on-premises to manage your servers and traditional client PCs, you can integrate Intune into your management flow through co-management to get the best of both worlds and prepare your environment for a gradual migration to cloud management.

Don’t confuse this with Hybrid MDM which is the older, deprecated approach to marrying SCCM and Intune.

Intune Suite

In true Microsoft fashion there are add-ons for Intune that you may want to consider for your business, if they solve a particular business problem for you.

There are stand-alone add-ons, an Intune P2 plan and the full Intune Suite, which includes the following:

  • Advanced endpoint analytics to track and optimize end user experiences.
  • Endpoint Privilege Management, which lets end users perform certain administrative tasks on their Windows device without being a local administrator.
  • Microsoft Tunnel for MAM, which extends the per-app VPN feature for Android and iOS apps to MAM.
  • Remote Help, a secure way to allow the helpdesk to access staff screens to assist them.
  • Management of specialty devices such as AR/VR headsets and large smart screen devices.


Conclusion

We believe Microsoft Intune can now be one of your comprehensive solutions for device management and data protection, unlocking enhanced security and efficiency.

FAQ

What is Microsoft Intune used for?

Microsoft Intune is a cloud-based service that provides mobile device management (MDM) and mobile application management (MAM) capabilities. It allows organizations to manage and secure mobile devices, ensuring compliance with security policies and facilitating remote management.

What does Microsoft Intune give access to?

Microsoft Intune provides access to features such as:

  • Mobile Device Management (MDM)
  • Mobile Application Management (MAM)
  • Conditional Access Policies (through Entra ID)
  • Endpoint Security
  • Device Compliance Monitoring
  • Application Deployment and Management

What’s the benefit of Intune for your business?

Intune is used for the security and management of both computers and smartphones / tablet devices within an organization. It helps enforce security policies, manage device configurations, and protect corporate data on both company-owned and employee-owned devices, contributing to a more secure and controlled IT environment.

Microsoft 365 Permissions and Copilot – a ticking time bomb for Security and Compliance

File sharing in business is one of those technologies that mostly happens “under the radar”. New SharePoint sites are spun up for projects or groups, or new Teams are created with lots of files shared.

This sharing can be both with internal users and external users. And mostly, no one thinks twice about it, until sensitive documents and data end up in the wrong hands.

In this article, we’ll look at the challenge of data governance, document sharing in Microsoft 365 and how it applies to compliance regulations and getting your business ready for Copilot for Microsoft 365 – all with the help of Hornetsecurity’s 365 Permission Manager.

The Dangers of Unmanaged File Permissions

As CISOs and IT admins know, file sharing, both with internal groups and with external collaborators, is designed to be as easy and frictionless as possible to cater for the reality of the modern, mobile, collaborative digital workplace.

From a compliance point of view, however, this approach can be a ticking time bomb, and there’s a new player on the scene that might accelerate the timer on that bomb: Copilot. Microsoft is keen to push the value of Copilot for Microsoft 365 (at $360 USD per user, per year; you can’t pay per month), and here’s the rub: Copilot has access to the same documents the user has.

Remember Delve? That was Microsoft’s earlier tech for suggesting documents to you, created by people you collaborated with, that you might find valuable. Except sometimes businesses got a shock when they realized which documents were shared with different groups of people.

The Copilot situation is worse, because you won’t necessarily know which documents it has accessed to answer your prompt or create a new draft of a document for you.

Easy Sharing

Teams file sharing is possibly one of the most easily misunderstood avenues. When you share a file in a Teams channel, it’s actually stored in the team’s site in SharePoint, whereas if you upload a file to a one-on-one or group chat, it’s stored in the Microsoft Teams Chat Files folder in your OneDrive for Business (which is actually a SharePoint site under the hood).

If you have a private channel, it gets its own, separate SharePoint site with a document library that only the members of the private channel have access to. So, the documents are all stored in various SharePoint sites, rather than in Teams itself.

And if you share a file with an external collaborator, depending on the settings your IT department has set in SharePoint online, this might send them an email with an invitation to create a guest account in your tenant.

If you’re a CISO, you’re probably concerned at this point. Business data is easily shared internally, possibly with staff that shouldn’t have access to it, and you have limited control over this sharing.

It’s also (likely) shared with external collaborators, and you don’t have a lot of insight into this sharing either. But you must tread carefully: a knee-jerk reaction of locking down file sharing completely, with no external sharing and tight default permissions for internal sharing, will just lead to users looking for an alternative way to get their job done.

Sensitive documents might then be shared via third party cloud storage, where you have even less visibility into the risks.

On the other hand, if you’re an IT admin, tasked with managing file sharing (on top of all your other duties) this can seem like an overwhelming challenge.

Where do you even begin? Even if you can produce reports on permissions granted, and files shared externally, you don’t know what’s oversharing and what’s legitimate business. You’ll have to work with various business departments to identify this, on a site-by-site basis.

Finally, if you’re an end user, understanding what control you have over sharing documents internally and externally (which depends on the tenant’s configuration), and inventorying your own role in oversharing, is near impossible with the built-in tools.

Data Governance

Getting a handle on your current file sharing situation using the built-in tools is challenging (in most businesses this has been part of the landscape for so long that no one has the full overview to see just how bad it is).

Auditing hundreds of sites manually is impossible, and even scripting PowerShell reports to gather the data is difficult.

Certainly, take a look at your current settings and the options you have in the SharePoint admin center, which we covered in this article. But even if you tighten those settings today (they’re tenant wide), they only apply to new sharing, not to existing shared sites and files.

Remember that one of the tenets of Zero Trust (one that has been around long before Zero Trust itself) is least privilege access. In other words, only give users access to the data they need to do their job, no more. And keep this up to date as they change roles in the organization or are promoted.

This rarely happens; instead people keep their existing access and simply accumulate more permissions. And inventorying exactly who has access to which documents is hard to do with the built-in tools.
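Once you do have an inventory (however you gathered it), the access review itself is mechanical. The following added Python example (not from the article, and not how 365 Permission Manager is implemented) works over a constructed permission inventory with invented sites, users and dates and shows the two views the paragraphs above ask for: what a given user can reach, and which grants violate least privilege on confidential sites, which is a broad internal group, a guest with write access, an anonymous link, or access nobody has used for the review period.

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed permission inventory (invented sites, users and dates; not from the article
# or any real tenant). One row per principal with access to a site.
INVENTORY: List[Dict] = [
    {"site": "HR-Payroll", "sensitivity": "Confidential", "principal": "alice@contoso.example",
     "type": "User", "level": "Full Control", "last_access": "2024-02-10"},
    {"site": "HR-Payroll", "sensitivity": "Confidential", "principal": "Everyone except external users",
     "type": "Group", "level": "Read", "last_access": None},
    {"site": "HR-Payroll", "sensitivity": "Confidential", "principal": "vendor@partner.example#EXT#",
     "type": "Guest", "level": "Edit", "last_access": "2023-06-01"},
    {"site": "Marketing", "sensitivity": "General", "principal": "Everyone except external users",
     "type": "Group", "level": "Read", "last_access": None},
    {"site": "Marketing", "sensitivity": "General", "principal": "bob@contoso.example",
     "type": "User", "level": "Edit", "last_access": "2024-02-28"},
    {"site": "Project-Falcon", "sensitivity": "Confidential", "principal": "alice@contoso.example",
     "type": "User", "level": "Edit", "last_access": "2023-01-15"},
    {"site": "Project-Falcon", "sensitivity": "Confidential", "principal": "Anonymous link",
     "type": "Link", "level": "Read", "last_access": None},
]

BROAD_GROUPS = {"Everyone", "Everyone except external users"}
WRITE_LEVELS = {"Edit", "Contribute", "Full Control"}


def access_for(principal: str, inventory: List[Dict] = INVENTORY) -> List[Tuple[str, str]]:
    """The 'what can this user reach' view an auditor asks for."""
    return [(row["site"], row["level"]) for row in inventory if row["principal"] == principal]


def review(inventory: List[Dict] = INVENTORY, as_of: date = date(2024, 3, 1),
           stale_days: int = 180) -> Dict[str, List[Dict]]:
    """Group least-privilege violations by category; each entry is the offending row."""
    findings = defaultdict(list)
    cutoff = as_of - timedelta(days=stale_days)
    for row in inventory:
        confidential = row["sensitivity"] == "Confidential"
        if confidential and row["principal"] in BROAD_GROUPS:
            findings["broad_group_on_confidential"].append(row)
        if confidential and row["type"] == "Guest" and row["level"] in WRITE_LEVELS:
            findings["guest_write_on_confidential"].append(row)
        if confidential and row["type"] == "Link":
            findings["anonymous_link_on_confidential"].append(row)
        if row["last_access"] and date.fromisoformat(row["last_access"]) < cutoff:
            findings["stale_access"].append(row)      # removal candidate at access review
    return dict(findings)


def summary(findings: Dict[str, List[Dict]]) -> Dict[str, int]:
    """Counts per category: the evidence table you hand to an auditor."""
    return {category: len(rows) for category, rows in findings.items()}


if __name__ == "__main__":
    print("alice can reach:", access_for("alice@contoso.example"))
    findings = review()
    print(summary(findings))
    for row in findings.get("stale_access", []):
        print("review:", row["principal"], "on", row["site"], "last used", row["last_access"])
```

The broad group on Marketing is deliberately not flagged: the rules key off the site’s sensitivity, which is why labeling containers (covered earlier in this series) and reviewing permissions belong together.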

Different regulations you might have to comply with take varying approaches to controls around file sharing. In ISO 27001:2022, “Information security, cybersecurity and privacy protection”, there’s A.8.12 Prevent the sharing of sensitive information within business communication platforms, and under A.8.3 there’s Block access to files for specific users and Create and manage access reviews.

In HIPAA, the Health Insurance Portability and Accountability Act in the US, under § 164.308(a)(4) Standard: Access control, you have Review user groups and applications with access to ePHI, for example.

In the US, organizations doing business with the Department of Defense need to comply with CMMC, the Cybersecurity Maturity Model Certification, with a new version v2.0 in the works. Here, for example, SC.L2-3.13.16 has controls for Data at rest, and AU.L2-3.3.1 covers System auditing.

As a last example, the CCPA, California Consumer Privacy Act, control 1798.150(a)(1) Data Security Breaches involves audit logging and Data Loss Prevention policies.

These are just a few examples; depending on where your business is located, what vertical you’re in and the type of data you store and process, different regulations will apply.

What’s common across many of them is that you must not only control access to data with least privilege and audit that access, often with regular access reviews, but also be able to demonstrate to an auditor that you’re doing so. It’s not enough to say you are; you must collect and present evidence of how you’re doing it.

365 Permission Manager

What’s needed is a scalable tool that can span large tenants with thousands of SharePoint sites, is easy to use, and gives you a centralized management interface to apply policies, find deviations from them and remediate over-permissioned access in bulk.

We looked at the basics of how 365 Permission Manager works here, and this video animation shows it visually. Instead of having to visit several different portals in Microsoft’s native tools, an IT administrator has a single console, and a single most important page: the To Do list.

This lists all the violations of the policies applied to every SharePoint Online site and lets you remediate in bulk, as well as grant exceptions where there’s a business justification.

To do list - the IT administrators best friend

There are a number of built in compliance policies that you can apply to SharePoint sites, and you can also create your own customized ones.

This is a fundamental difference between the native approach and 365 Permission Manager: instead of a single tenant-wide default for all sites that you must then customize for each site, you apply a policy to each site from a library you have adapted to your business.

The concerned CISO we mentioned above is going to love the three reports that show Full Site Permissions, User & Group Access and External Access.

And end users are also involved, receiving regular emails if their sites are violating policy, with links to 365 Permission Manager to remedy issues.

End user email notification

365 Permission Manager was initially built at Hornetsecurity to manage our own SharePoint file sharing challenges, and our CISO, Olaf Petry, loves having such a powerful tool, saying:

It is critical for a CISO to effectively oversee the company’s strategy and programs to ensure adequate protection of information assets and technologies, and yet this process can be very complicated. My peers often discuss what a great pain point it is for them. Hornetsecurity’s new 365 Permission Manager will set CISOs’ minds at rest by enabling security and compliance managers and administrators to efficiently and easily control Microsoft 365 permissions, and help prevent critical data from getting into the wrong hands.

The ability to enter a username and see exactly what sites and documents a user has access to also really helps with preparing for an audit.

To effortlessly manage Microsoft 365 permissions, enforce compliance policies, and monitor violations with ease, utilize Hornetsecurity’s 365 Permission Manager. Protect your Microsoft 365 environment and make admin tasks a breeze.

Conclusion

Whether you’re working towards compliance with a regulation, preparing your business for users with Copilot for Microsoft 365 or just want to make sure sensitive data isn’t shared too widely, the answer is simple – 365 Permission Manager.

FAQ

What are the risks associated with unmanaged file permissions in Microsoft 365?

Unmanaged file permissions pose a significant risk to data security and compliance. While file sharing is designed to facilitate collaboration, it can lead to sensitive documents ending up in the wrong hands. With the introduction of Copilot for Microsoft 365, the risks are further exacerbated, as it has access to the same documents as users, potentially compromising data privacy.

How does Teams file sharing contribute to data governance challenges?

Teams file sharing, although convenient, adds complexity to data governance efforts. Files shared in Teams channels are stored in SharePoint sites, while those uploaded to chats are stored in OneDrive for Business. Managing permissions for these shared files, especially when collaborating with external users, can be daunting for IT administrators, leading to oversight and potential data breaches.

How can businesses address data governance and compliance issues related to file sharing?

To address data governance and compliance challenges, businesses need effective tools like Hornetsecurity’s 365 Permission Manager. This tool offers centralized management of SharePoint permissions, allowing administrators to apply policies, identify violations, and remediate over-permissioned access. It provides customizable compliance policies, comprehensive reports, and end-user notifications to ensure data security and regulatory compliance.