Companies using Microsoft products and services benefit from some of the best security features and controls available in today's market. However, the complexity of customer technology stacks and the intricacy of Microsoft products can make it easy to overlook important and useful security controls.
Here are four examples of common security mistakes made in Microsoft environments:
Understanding Microsoft Security Controls
While standard security features are inherent to most Microsoft products, the available security controls can vary depending on the specific product and its subscription options.
For example, Microsoft Entra ID has two premium subscription levels, P1 and P2. P1 provides foundational controls such as Conditional Access, while P2 adds Identity Protection (user and sign-in risk policies) and Privileged Identity Management. Microsoft 365 Business Standard ships with baseline controls such as anti-phishing and anti-spam filtering, while Business Premium adds advanced threat detection and Azure Information Protection (now part of Microsoft Purview Information Protection).
Check that your subscription actually includes the features you intend to rely on before you design controls around them.
Not Enabling Crucial Security Controls
Microsoft services come with excellent security controls, but they are not necessarily enabled by default.
Multi-factor authentication (MFA) is a good example: unless security defaults are on or a Conditional Access policy requires it, Microsoft Entra will not prompt new users or guests to register for MFA when they first sign in. Anonymous ("Anyone") sharing links for files shared through Teams, SharePoint and OneDrive can be set to expire after a given number of days, but many administrators are unaware the setting exists and leave such links valid indefinitely. Other common oversights include leaving the unified audit log switched off (so there is no record of user activity), never configuring data loss prevention policies, and not enabling security defaults in Entra ID.
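The two points above (knowing which plan you are licensed for, and knowing whether the controls that plan gives you are actually switched on) can both be checked from PowerShell. The script below is an added example written for this article; it is not Performanta's or Microsoft's code. It assumes the Microsoft.Graph, ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, that the signed-in account holds Global Reader plus SharePoint Administrator, and that "contoso" is a placeholder for your tenant name. It only reads configuration and changes nothing.

```powershell
# Added example (not from the original article): read-only audit of licensing and
# commonly forgotten controls in a Microsoft 365 tenant. Assumes Microsoft.Graph,
# ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell are installed
# and the account has Global Reader + SharePoint Administrator. "contoso" is a placeholder.

Connect-MgGraph -Scopes "Organization.Read.All","Policy.Read.All","AuditLog.Read.All" -NoWelcome

# 1. Licensing: which Entra ID premium plans does the tenant actually own?
#    AAD_PREMIUM is the P1 service plan; AAD_PREMIUM_P2 is only present with P2.
$skus  = Get-MgSubscribedSku
$plans = $skus.ServicePlans | Where-Object ProvisioningStatus -eq 'Success' |
         Select-Object -ExpandProperty ServicePlanName -Unique
$hasP1 = $plans -contains 'AAD_PREMIUM'
$hasP2 = $plans -contains 'AAD_PREMIUM_P2'
"Entra ID P1 licensed: $hasP1 | P2 (Identity Protection, PIM) licensed: $hasP2"

# 2. Security defaults: the free baseline that forces everyone to register for MFA.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($sd.IsEnabled)"

# 3. Conditional Access: is any *enabled* policy actually requiring MFA?
#    Security defaults and Conditional Access are mutually exclusive, so a tenant that
#    turned security defaults off needs at least one enforced policy with the 'mfa' grant.
$ca = Get-MgIdentityConditionalAccessPolicy -All
$mfaPolicies = @($ca | Where-Object {
    $_.State -eq 'enabled' -and $_.GrantControls.BuiltInControls -contains 'mfa'
})
"Enabled Conditional Access policies requiring MFA: $($mfaPolicies.Count)"
if (-not $sd.IsEnabled -and $mfaPolicies.Count -eq 0) {
    Write-Warning "Neither security defaults nor an enforced MFA policy is in place."
}

# 4. MFA registration: users who have never registered a second factor will not be
#    challenged by a policy they have no method for.
$reg = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All)
$unregistered = @($reg | Where-Object { -not $_.IsMfaRegistered })
"Users with no MFA method registered: $($unregistered.Count) of $($reg.Count)"

# 5. Unified audit log: without ingestion there is no trail of user activity to investigate.
Connect-ExchangeOnline -ShowBanner:$false
$audit = Get-AdminAuditLogConfig
"Unified audit log ingestion enabled: $($audit.UnifiedAuditLogIngestionEnabled)"

# 6. Anonymous ("Anyone") links for files shared via Teams, SharePoint and OneDrive.
#    A value below 1 means the links never expire.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$spo    = Get-SPOTenant
$expiry = $spo.RequireAnonymousLinksExpireInDays
"Anonymous links allowed (SharingCapability): $($spo.SharingCapability)"
"Anonymous link expiry (days): $(if ($expiry -lt 1) { 'never' } else { $expiry })"
```

Each of the six checks maps to one of the gaps described above, and the warning in step 3 catches the worst case: a tenant that paid for P1 or P2, switched security defaults off to use Conditional Access, and then never published an MFA policy.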
There are dozens of optional security controls that can help reduce cyber intrusion and negligence risks. The best move is to work with security experts like Performanta, who understand the nuances of Microsoft security controls.
Insufficient User Permission Management Controls
In a Microsoft environment an application must be granted permissions before it can access an organisation's data. By default, users can consent on their own behalf to delegated permissions that do not require administrator approval.
While giving users some autonomy over permissions is convenient, it leaves room for serious security errors. Organisations frequently neglect to configure admin consent (and the admin consent request workflow) for risky apps, which can expose data to unvetted applications, especially shadow IT installations. Without user education, staff may approve malicious applications, which is exactly what consent-phishing campaigns rely on. Security teams may also fail to monitor the permissions applications already hold or to back them with Conditional Access policies.
Microsoft provides many controls that govern when and how users can grant permissions to applications. Built-in features such as restricting user consent to low-risk permissions from verified publishers, routing everything else through an admin consent workflow, and monitoring for risky consent grants can substantially reduce this exposure.
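To see where your tenant stands on the consent controls just described, the following added example (written for this article, not code from Performanta or Microsoft) reads the user consent policy, checks whether the admin consent request workflow is on, and lists delegated grants that carry broad mail, file or directory scopes. It assumes the Microsoft.Graph module and an account with Global Reader; the remediation commands at the end are commented out and would need Global Administrator. The list of "risky" scopes is a starting point chosen for this example, not a Microsoft-defined classification.

```powershell
# Added example (not from the original article): audit application consent settings and
# existing delegated permission grants. Assumes Microsoft.Graph is installed and the
# account holds Global Reader. Read-only unless the commented lines at the end are run.

Connect-MgGraph -Scopes "Policy.Read.All","Directory.Read.All" -NoWelcome

# 1. Who may consent, and to what?
#    (empty)                                          -> user consent disabled, admins consent to everything
#    ManagePermissionGrantsForSelf.microsoft-user-default-low    -> low-risk permissions, verified publishers only
#    ManagePermissionGrantsForSelf.microsoft-user-default-legacy -> users may consent to any app (riskiest)
$authz   = Get-MgPolicyAuthorizationPolicy
$consent = $authz.DefaultUserRolePermissions.PermissionGrantPoliciesAssigned
"User consent policy: $(if ($consent) { $consent -join ', ' } else { 'disabled' })"
if ($consent -match 'legacy') {
    Write-Warning "Users can grant any delegated permission to any app. Restrict this."
}

# 2. Admin consent request workflow: when users are blocked from consenting, does the
#    request reach a reviewer, or are they left to find a workaround?
$workflow = Get-MgPolicyAdminConsentRequestPolicy
"Admin consent request workflow enabled: $($workflow.IsEnabled)"

# 3. Existing delegated grants. Scopes below were chosen for this example as ones that
#    give an app broad reach into mailboxes, files or the directory; tune to your tenant.
$riskyScopes = 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
               'Files.Read.All', 'Files.ReadWrite.All', 'Directory.ReadWrite.All', 'Contacts.Read'
$grants  = Get-MgOauth2PermissionGrant -All
$spCache = @{}   # resolve each client service principal's display name only once
foreach ($g in $grants) {
    $scopes = $g.Scope -split ' ' | Where-Object { $_ }
    $hits   = @($scopes | Where-Object { $riskyScopes -contains $_ })
    if ($hits.Count -eq 0) { continue }
    if (-not $spCache.ContainsKey($g.ClientId)) {
        $spCache[$g.ClientId] = (Get-MgServicePrincipal -ServicePrincipalId $g.ClientId).DisplayName
    }
    [pscustomobject]@{
        App         = $spCache[$g.ClientId]
        ConsentType = $g.ConsentType   # 'AllPrincipals' = admin consent; 'Principal' = a single user consented
        GrantedBy   = if ($g.ConsentType -eq 'Principal') { $g.PrincipalId } else { 'admin' }
        RiskyScopes = $hits -join ' '
    }
}

# Remediation (requires Global Administrator; left commented so the audit stays read-only):
# Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
#     PermissionGrantPoliciesAssigned = @('ManagePermissionGrantsForSelf.microsoft-user-default-low')
# }
# Enabling the workflow also needs at least one reviewer:
# see Update-MgPolicyAdminConsentRequestPolicy (-IsEnabled, -Reviewers, -RequestDurationInDays).
```

Grants with ConsentType 'Principal' and a risky scope are the ones to review first: each is a single user's decision that gave an application ongoing access to that user's mail or files, which is the pattern consent-phishing abuses.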
Misinterpreting the Shared Responsibility Model
Many organisations use cloud infrastructure and services for the inherent convenience and built-in security features. Microsoft invests billions annually and employs thousands of security experts to ensure it provides the best protection. Yet all that investment does not mean customers can stop prioritising security.
Microsoft manages certain security aspects, while customers manage others. Generally speaking, in cloud terms, Microsoft looks after the security of its physical hosts, network, and data centres. Customers are always responsible for their information and data, their devices, and their accounts and identities. Responsibility for applications, network controls, operating systems and identity infrastructure is shared, and where the line falls depends on whether the service is delivered as Software (SaaS), Platform (PaaS) or Infrastructure (IaaS).
A good rule of thumb: Microsoft ensures the overall security of its cloud infrastructure and services, while customers are responsible for their data, devices, and users. If you are unsure where your responsibility sits, assume it's yours and chat with Performanta for clarification.