The next one is almost as simple as the first one and is enabled in just a few minutes.
Navigate to “protection.office.com” and authenticate, go to “Threat Management” and “Policy”, then click “Anti-malware”. Edit the default policy and go to settings; under “Common Attachment Types Filter” set the toggle to “On” – you're done! 🙂
3. Use a separate account for administrative tasks
A simple thing to do – if you have administrative privileges on your account, you should create a separate admin account, which is of course protected with MFA. This can also be mitigated using the paid service Azure AD Privileged Identity Management – more on that service in a later blog post.
4. Block Auto-forwarding on email accounts
By blocking auto-forwarding on email accounts you mitigate the attack vector where an account is breached and the bad guys set up forwarding of emails to gain information about the company and how people collaborate. This is the start of an advanced phishing attack.
So in the previous post I went through how to activate MFA for Administrator roles in a really simple and effective way.
In this post we will focus on activating MFA for all regular users. First of all we need to evaluate who should be activated first, or whether we should activate all users at the same time, and do an evaluation of service accounts! If we enable MFA on, for example, a service account used for scan to email on “multi functional printers”, or on a mailbox account which is used by a third-party ticketing system (POP/IMAP), we could break those services by just enabling MFA on
My recommendation is that when you are more than 30 users in your company you should select a few ambassadors who get MFA activated first and can therefore be the power users who help others with the registration if there are any hiccups (should not be many).
To activate MFA for end users I highly recommend using Conditional Access for all users and excluding an Azure AD group which contains a “Break the glass Admin” and other service accounts.
All cloud apps (no exceptions)
Grant Access – but require MFA
Easy like that! And it's a really quick solution for your company.
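The same policy can be created with the Microsoft Graph PowerShell SDK instead of the portal. This is an added example, not code from the original post; the group name `CA-Exclude-MFA` and the policy display name are placeholders, and starting in report-only state is this example's choice rather than something the post prescribes.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell module and an account
# that is allowed to manage Conditional Access policies.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Group.Read.All'

# Assumption: placeholder name for the group that holds the break-glass admin
# and the service accounts that cannot complete MFA (scan to email, POP/IMAP).
$excludeGroupName = 'CA-Exclude-MFA'

# Resolve the group and refuse to continue if the name is missing or ambiguous,
# so the policy is never created without its exclusion.
$group = @(Get-MgGroup -Filter "displayName eq '$excludeGroupName'")
if ($group.Count -ne 1) {
    throw "Expected exactly one group named '$excludeGroupName', found $($group.Count)."
}

$policy = @{
    displayName = 'Require MFA for all users'   # placeholder name
    # Report-only: sign-ins are evaluated and logged, nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')            # all users
            excludeGroups = @($group[0].Id)     # except the exclusion group
        }
        applications = @{
            includeApplications = @('All')      # all cloud apps, no exceptions
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')              # grant access, but require MFA
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the sign-in logs show no unexpected report-only failures, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Review the report-only results in the sign-in logs for service accounts that are missing from the exclusion group before switching the state to `enabled`.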
The drawback here is that you need “Azure AD Premium P1” licenses to use Conditional Access, and a second drawback is that it's not scored at the Microsoft Secure