How Hard Is It to Implement Microsoft 365 Security?

February 8, 2023
5 min read

How Hard Is It to Implement Microsoft 365 Security?

Over the past few years, there has been increased adoption of cloud services, such as Microsoft 365. Most of it is due to the need to provide applications and services to home workers. The standard approach of working in an office the whole time became a split between the office and home, or sometimes all remote from home. As such, the most effective option for delivering excellent capabilities at home is to migrate to the cloud. It is quicker deployment, does not require complicated hardware or software setup, and is cost-effective.

However, please wait to get too excited about the migration, as one area that needs to get the attention it deserves is security. Too often, the urgency to move to the cloud to provide fantastic end-user services overshadows the need to define and configure security controls and protections.

Why does this happen?

There are a few reasons for this:

  1. Microsoft could have done a better job explaining the security controls to use, where they were and how organizations need to use them.
  2. Organizations assume that controls exist and protect everything as part of the service.
  3. Security is sometimes complicated, hard to understand and implement, and requires an effort many organizations wish to refrain from performing.

A different issue is that security is not a single thing; it covers multiple layers, from access control to dissemination of content to device protections and more. Often organizations that implement controls tend to focus on a single area and miss others or stagger the deployment of critical controls that should be there immediately.

If organizations remember to look at Microsoft’s shared responsibility for the cloud table, they can see the areas they need to manage.

A table by Microsoft showing the components of cloud computing for which they and/or the customer are responsible.
Shared responsibility in the cloud. Image: Microsoft

Looking at the table (the top three rows in particular), organizations can easily see that from an identity perspective, they also need to manage and protect, followed by complete ownership of devices, information and data.

How do you fix this?

Ultimately the implementation of security controls is down to the organizations, specifically those responsible for securing computer systems. Within larger organizations, this becomes a problem as there could be multiple IT and security teams managing different parts of the network. Smaller organizations may need to gain the required skills first. 

The key to ensuring security controls become essential is having the conversation. It starts with ensuring that everyone involved in the migration and day-to-day management understands why they need security controls, what is available, and the implications of using them. Once everyone understands this, then the design of the controls begins. The most straightforward approach is to review each security category's needs, focus independently, and layer over each other.

For example:   

1. Start with standard access control with a focus on the account, password, multi-factor, and conditional access.

A sample list of access control policies for computer users and administrators.
Access control policies. Image: Microsoft

2. Layer things such as device protections. 

A sample list of device protection profiles for Windows and macOS computers.
Device protection profiles. Image: Microsoft

3. Apply content controls such as data loss prevention and sensitivity labels and policies.

A sample list of content controls for cloud computing.
Content control measures. Image: Microsoft

Microsoft provides documentation to help in prioritizing security based on the zero-trust model:

What about the cost?

A significant downside to implementing security controls within the cloud is also cost. In the past, the most common approach was to buy an application, service, or hardware outright, purchase support and then leave it to do its work. Rarely did those services or platforms need to know how many people were connecting or even license users. The cloud, however, changed the license model to per-user. I hear you ask; well, undoubtedly, that is better. I agree; however, from a security perspective, it can become much more complicated than that. 

Let me give you a real-world example. A client of mine licensed their users with a mix of Microsoft enterprise licenses from E1 and E3, plus about 25 E5 licenses. Each of those licenses includes various capabilities, with the E5 having all abilities, including all the security controls the organization might need. With the organization's 25,000 users, cost becomes a deciding factor when a new license is required. During a review of the Microsoft 365 tenant, I recommended that they license Defender for Cloud Apps for all users. The current cost for Defender for Cloud Apps is $3.50 per user. If every user without an E5 license got it, they would have spent approximately $87,000. After some discussion, the outcome was to perform a cost analysis of what the features provide, the value they would get, and examine options if they upgraded core licensing or added other licensing to get the same features.

During this process, they did not use these particular security features, limiting their ability to protect against specific security attacks. As you can see, cost often explains why security features may or may not get enabled or utilized within a Microsoft 365 tenant.

Is security hard to implement?

Security is always hard to implement because, by design, it often makes our everyday work harder due to the restrictions or limits it adds for protection. Now, is it hard to implement security within Microsoft 365? That answer is no, not really. The implementation can be straightforward if you have the licenses that provide the needed features.

To ensure implementation goes well and relatively quickly, follow these five suggestions:

  1. At the beginning of the migration project, define a security group whose responsibility is to design, implement, test and deploy security controls.
  2. Start with core controls at the account and access control level.
  3. Include other departments and groups when designing content protection controls.
  4. Follow the zero-trust model when designing security controls.
  5. A base set of security controls must already exist as soon as users access the Microsoft 365 tenant, whether for testing or after launch.

The five items listed will not guarantee a perfect deployment. They will, however, go a long way to ensure the organization remembers the need for security controls and policies. Doing this will ensure security controls and policies aren’t left until 25,000 users have accessed the tenant or shared sensitive content.

Liam Cleary

Liam Cleary

Liam began his career as a computer trainer. He quickly realized that programming, breaking and hacking were much more fun. Liam spent the next few years working within core infrastructure and security services. He is now the founder and owner of SharePlicity, a consulting company focusing on Microsoft 365 and Azure technology. His role within SharePlicity is to help organizations implement Microsoft 365 and Azure technology to enhance internal and external collaboration, document, and records management, automate business processes, and implement security controls and protection. He is a long-time Microsoft MVP and Microsoft Certified Trainer, focusing on architecture, security and crossing the boundary into software development. Over the past few years, his specialty has been security in Microsoft 365, Azure and its surrounding platforms. Liam also creates online training courses for Pluralsight, LinkedIn Learning and Cloud Academy, and he teaches multiple Microsoft certification courses for Opsgility and Microsoft. You can find him at user groups and conferences, teaching classes, offering advice, spending time in the community, teaching his kids how to code, raspberry PI programming, hacking the planet, building Lego robots, or coaching soccer. You may also find him running races in the dark, hiking, or mountain biking at breakneck speeds.