Considerations before moving users to Exchange Online

Out of the box, Exchange Online requires a username and a password. But once entered, there are many ways to reach and download email, many of which might not be desirable from an enterprise-security perspective.

Email Protocols

Let’s say you’ve set up your Office 365 tenant and are ready to start moving mailboxes, as part of your overall plan to migrate. You know to do the email first because that’s where it all started. Everybody does the email first. If you can make that a success, you can make anything in Office 365 a success.

There are a few things that, in 2018, you don’t generally need. Things like ActiveSync and POP3 & IMAP4. Finding the commandlets to disable the protocol for individual users is easy, but disabling it for all users can be quite the challenge.

While the commands can be run together as one, they’re more easily explained using the following two examples. First, there is the initial command to get those users who do currently have POP and IMAP enabled, then the results are piped out to a command to disable the protocol from them.

Get-CASMailboxPlan -Filter {ImapEnabled -eq "true" -or PopEnabled -eq "true" } | set-CASMailboxPlan -ImapEnabled $false -PopEnabled $false

The second example sets a protocol: ActiveSync (in this case), as disabled:

Set-CASMailboxPlan -identity ExchangeOnlineEnterprise -Activesyncenabled $false

Note that these are being done at the Set-CASMailboxPlan level rather than the Set-CASMailbox level, where the command would be, for example:

set-CASMailbox [email protected] -ImapEnabled $false -PopEnabled $false

Multi-Factor Authentication

Rather than enable MFA on a user-by-user basis, why not enable them for all users at once? This way, as users logon to Office 365 for the first time, they can enter their mobile phone and emergency email addresses as part of the setup. Better to do it right at the beginning than to get inconvenienced a week or two later.

While this can be done with PowerShell (example here) I suggest caution. These things should be done with care, using the browser interface, exporting the user list to a CSV file, and making some manipulations. See here for a guide, but first, read on.

Export users into the required CSV file, then change the column names to what they need to be, as per the linked guide. Basically, the two columns are “Username” and “MFA Status.” To export, go into Office 365 Administration, and select “Users,” then “Active Users.” On the right side of the screen is an Export button. Click it and save the CSV file to a location of your choosing. The relevant column name is going to be somewhere around AE in the spreadsheet. Delete everything else and add an “MFA Status” column. Then remove all the Global Admins, along with any other Service Accounts you know are not going to be configured to use MFA.

Please note: here, you will certainly be enabling MFA for the Global Admins (all except one or two)—but on a one-by-one basis, and when the admins are ready to configure themselves (if they haven’t done so already).

Mobile Device Mailbox Policies

The MDM policy appears in the Mobile section of the Exchange Administration Center. Edit this so that devices that connect to Exchange Online conform to some basic security requirements. If you’re using a different Mobile Device Management solution—such as Intune—you can ignore this section. But if not, read on. Tick ‘Require a password,” then select the length and duration of the password, timeouts and number of failed entries permitted.

Since this can be performed after deployment, you don’t want help desk calls coming in when you set the requirements and users aren’t sure if it’s legitimate or a trick that will end up with a ransomware-encrypted device.

Outlook Web App Policies

Last but not least are the OWA policies. There is some level of security to implement here. Go to the Exchange Administration Center: Permissions section, then click the Outlook Web App Policies tab. Edit the policy that appears there. Go to the File Access option. If the box is ticked, users will be allowed to download files to their local PCs–including personal devices and even insecure kiosks. Thus, you just lost potentially valuable data. And no, that kind of data shouldn’t be sent over email. But we all know it happens, and preventing it is the subject of our next post. If the box is unticked, users will be able to either download the file to their company OneDrive area, or view the document within the web browser.

Summary

Configuring these policies and settings will help you better secure your environment in advance, so anyone moving to Exchange Online will be hosted in a more secure environment than provided by the default Office 365 settings.

For more information on Office 365, please check out my other blog posts here, or go straight to my last post: The Best Way to Secure Your Data on Office 365 and How to Implement. And if you need some help with your Office 365 journey, Anexinet is very happy to help. We provide offerings to help you kickstart both your O365 Migration, and your Data Security & Management. Please don’t hesitate to reach out to us. We’d love to help you get started.