The Microsoft 365 Business Basic and Std SKUs are extremely popular due to their lower price tags. While they lack the serious Security features available in Microsoft 365 Business Premium and EMS E3, they do pack a few Security related features that the Customers SHOULD use.
Here is the Scope of the same:
Basic Mobility and Security
Enroll the mobile device
Wipe a Device in case its lost
Block unsupported devices from accessing Corporate Email
Setup Password Policy
View list of blocked devices
Unblock non-compliant or unsupported device for a user or group of users
Remove users so their devices are no longer managed by Basic Mobility and Security
Basic Audit
Exchange
Teams
OneDrive
SharePoint
Alert Policies
You can create various alert policies and then view alerts that match the conditions of the alert policies. These cover activities such as assigning admin access in Exchange Online, malware attacks, phishing attacks, and unusual volume of file deletions and external sharing
Identity and Access
Basic Multi Factor Authentication
SPF, DKIM, DMARC Records
Email DLP Standard
Restrict certain users to send emails only to Company users.
Auto Forward messages to a sender’s manager for approval
Block messages with executable attachments
Setup Spam Confidence levels for Incoming Emails
Organization wide message disclaimers, signatures, footers
Forward message that contains sensitive information
Forward messages that match one of the several criteria
Setting up policy tips if there is policy violation
Supervisor Mailbox. All messages can be copied to this account or just those sent internally or externally. This feature is very useful in preventing data leakage via email.
Prevent download of attachment in Browser. View only
Block browser access for email. Access only on Outlook app.
Monitor Email forwarding
Archive mailbox – Users can use the archive mailbox, also called a personal archive, to store historical messaging data by moving or copying messages from their primary mailbox to their archive mailbox.
Retention Policies–Retention policies use retention tags to apply retention settings to e-mail messages and folders. Retention tags define an age limit that specifies how long items are retained, and a retention action that specifies what happens to items that reach the retention age limit.
Sensitivity Labels. We can manually create the labels and apply to Documents which will help us to prevent Data Loss.
SharePoint DLP
Setup basic MFA
Restrict user from deleting file
Restrict user from uploading file
Restrict user from creating new files & Folder
Restrict user from downloading file.
Permission can be assigned/restricted to the users and groups to create, upload and delete files and folders in SharePoint. (If only read permission is assigned to any user, edit and download will be restricted).
Share files internally or externally with specific permissions.
Hide specific file and folder from any user.
Audit Logs.
Declare Record – (block edit and delete).
Hide sync button so that Document folders cannot be synced offline.
Restrict external Sharing.
Allow or block Domain level sharing.
Restrict access from different location besides office.
Alert Policy – modified, delete, and download. Email Notification occurs whenever any of the specified alert policy is matched.
Assign different permission (Read, Write And Full control) while sharing file to different users? If No, then how do you handle it?
OneDrive DLP
Do you have a system by which you assign different permission (Read, Write And Full control) while sharing file to different users? If no, then how do you handle it?
If you Shared sensitive Documents and folder with another person and want to prevent from downloading and editing. How do you do?
Can you have a system by which you allow or block Domain level sharing?
If there are certain document that you want, they can’t be access outside the organization. How do you do?
Sharing File With specific permission
Disable Sync Button
Restrict user from deleting file
Restrict user from uploading file
Restrict user from downloading file
Share file with Expiry date
Allow access only from specific IP locations
Block / Allow domain Sharing
Hide Specific File & Folder from any Use
Document Retention Policy Alert for Document Creation, Deletion, Shared, Site Admin Activity etc.
Teams DLP
Setup basic Multi Factor Authentication
External User Restriction: Block external users completely or only selected domains or allow only selected domains. Users in R and D may need strict control. But Sales and Marketing teams may need less controls.
Manage Meeting Policies: You can set various policies to ensure that Teams meeting comply with the Company rules and compliances.
Decide who can edit or delete Chat messages
Disallow Screen share and Private calls
Shared device sign-out: Many Firstline Workers use a single tablet or mobile device that is shared between shifts. This can pose unique security challenges to the organization when different employees who have access to different types of data use the same device over the course of a day. With shared device sign-out, Firstline Workers will be able to log out of all their Microsoft 365 and custom applications and browser sessions with one click at the end of their shift—preventing their data as well as any access to customer data from being accessible to the next user of that device.
Off-shift access controls for Teams app: IT administrators can now configure Teams to limit employee access to the app on their personal device outside of working hours. This feature helps ensure employees are not involuntarily working while not on shift and helps employers to comply with labor regulations.
Chat retention policies (data preservation and deletion): By Default, Content is retained forever. But this can be changed with policies; 1 day delete; one month delete; one year delete; 7 years delete.
Information barriers created using power shells will prevent some groups to communicate from each other.
