Recommended baseline configuration for a Microsoft Online tenant

This post covers my recommendations for the baseline settings of a Microsoft Online tenant with respect to data security, data protection and administration. The settings are chosen to be moderately restrictive and can of course be configured more or less restrictively as needed.
The settings are based on the features available with an Office 365 Enterprise E3 licence including EMS Plan E3. Accordingly, the settings available in your own tenant may differ if you use a different licence with different features.

Most settings are self-explanatory, so for the most part I only document the settings themselves. Since a lot changes regularly in the admin portals, I try to keep the settings up to date, but without any guarantee that this is always the case. Feel free to leave me a note in the comments if something is missing or has changed.

Office 365 Admin Center

https://portal.office.com/adminportal

Settings > Settings > Services > Azure Speech Services

Allow the organization-wide language model

Settings > Settings > Services > Briefing email

Let people in your organization receive Briefing email
Allow Microsoft to contact me about my feedback

Settings > Settings > Services > Bookings

Allow your organization to use Bookings

Settings > Settings > Services > Calendar

Let your users share their calendars with people outside of your organization …

Settings > Settings > Services > Cortana

Allow Cortana optional connected experiences to use your organization’s Microsoft-hosted data

Settings > Settings > Services > Dynamics 365 Sales Insights – Analytics

Allow org data to be used by Dynamics 365 Sales Insights – Analytics

Settings > Settings > Services > Dynamics 365 Sales Insights – Connection Graph

Enable Dynamics 365 Sales Insights – Connection Graph for your entire organization

Settings > Settings > Services > Integrated Apps

Let people in your organization decide whether third-party apps can access their Office 365 information

Settings > Settings > Services > Microsoft communication to users

Using Office 365

Settings > Settings > Services > Microsoft Forms

External Sharing
Send a link to the form and collect responses
Share to collaborate on the form layout and structure
Share the form as a template that can be duplicated
Share form result summary

Record names of people in your org
Record names by default

Allow YouTube and Bing
Include Bing search, YouTube videos

Phishing protection
Add internal phishing protection

Settings > Settings > Services > Microsoft Graph data connect

Turn Microsoft Graph data connect on or off for your entire organization

Settings > Settings > Services > Microsoft Planner

Allow Microsoft Planner users to publish their plans and assigned tasks to Outlook …

Settings > Settings > Services > Microsoft To Do

Allow your users to join and contribute to lists shared from outside your organization

Settings > Settings > Services > Modern Authentication

Enable Modern authentication

Settings > Settings > Services > MyAnalytics

Which Analytics elements should users have access to?
Insights dashboard
Weekly digest
Insights Outlook add-in

Let us know how we can make MyAnalytics work better for your organization
Allow Microsoft to contact me about my feedback

Settings > Settings > Services > Office 365 Groups

Let group members outside your organization access group content
Let group owners add people outside your organization to groups

Settings > Settings > Services > Office on the web

Let users open files stored in third-party storage services with Office on the web

Settings > Settings > Services > Office Scripts

Let users automate their tasks in Office on the web

Settings > Settings > Services > Office software download settings

Apps for Windows and mobile devices
Office (includes Skype for Business)
Skype for Business (Standalone)

Apps for Mac
Office
Skype for Business (X El Capitan 10.11 or higher)

Settings > Settings > Services > Reports

Display anonymous identifiers instead of user, group, or site names in all reports
Make report data available to Microsoft 365 usage analytics for Power BI

Settings > Settings > Services > SharePoint

Users can share with:
Only people in your organization – no external sharing allowed
Existing guests only – only guests already in your organization’s directory
New and existing guests – guests must sign in or provide a verification code
Anyone – users can share files and folders using links that don’t require sign-in

Settings > Settings > Services > Sway

Sharing
Let people in your organization share their sways with people outside your organization
Let people in your organization look up people and security groups

Content sources
Flickr
Pickit
Wikipedia
YouTube

Settings > Settings > Services > User consent to apps

Let users provide consent when apps request access to your organization’s data on their behalf

Settings > Settings > Services > User owned apps and services

Let users access the Office Store
Let users install trial apps and services

Settings > Settings > Services > Whiteboard

Turn on Whiteboard for everyone in your org

Diagnostic data
Level of diagnostic data to send to Microsoft
Required – The minimum amount of data necessary to keep Whiteboard secure, up-to-date, …
Optional – Additional data that helps make product improvements and provides enhanced …
Neither – No diagnostic data about Whiteboard client software running on the devices …

Optional connected experiences
Allow the use of optional connected experiences in Whiteboard

Settings > Settings > Security & privacy > Bing data collection

Allow Bing to collect organization data to improve search experiences

Settings > Settings > Security & privacy > Sharing

Let users add new guests to the organization

Settings > Settings > Organization profile > Release preferences

Standard release for everyone
Targeted release for everyone
Targeted release for selected users

Settings > Settings > Organization profile > Custom themes

Prevent users from overriding their theme
Show the user’s display name

Settings > Microsoft Search > Configurations > Allow use of Microsoft Search in Bing > Set up

Enable Microsoft Search in Bing to get full enterprise search experience

SharePoint Admin Center

https://<Tenant-Name>-admin.sharepoint.com/

Policies > Access control > Idle session sign-out

Sign out inactive users automatically
Sign out users after: 4 hours
Give users this much notice before signing them out: 15 minutes

Policies > Access control > Apps that don’t use modern authentication

Allow access
Block access

Settings > Site creation

Let users create sites from the SharePoint start page and OneDrive

Settings > Site storage limits

Automatic – Let sites use as much of your organization’s storage as they need
Manual – Set specific limits for each site

Settings > Classic settings page

Delve (powered by Office Graph)
Enable Delve and related features
Disable Delve and related features

Streaming Video Service
Enable streaming video through Azure Media Services and enable the Video Portal
Disable streaming video through Azure Media Services and disable the Video Portal

Personal Blogs
Enable Personal Blogs
Disable Personal Blogs

Site Pages
Allow users to create Site Pages
Prevent users from creating Site Pages

Site Creation
Hide the Create site command
Show the Create site command

Subsite Creation
Hide the Subsite command
Show the Subsite command only for classic sites
Show the Subsite command for all sites

Preview Features
Enable preview features
Disable preview features

Connected Services
Block SharePoint 2013 workflows

Comments on Site Pages
Enable comments on Site Pages
Disable comments on Site Pages

OneDrive Admin Center

https://admin.onedrive.com

Sync

Show the Sync button on the OneDrive Website
Allow syncing only on PCs joined to specific domains
Block syncing of specific file types

If the option Allow syncing only on PCs joined to specific domains is enabled, the GUIDs of the trusted domains must be entered. The GUIDs can be determined on a domain-joined computer with the following PowerShell command:

# Lists every domain of the forest with the ObjectGuid that OneDrive expects (requires the ActiveDirectory module)
(Get-ADForest).Domains | ForEach-Object { Get-ADDomain -Identity $_ | Select-Object Name, ObjectGuid }

Important: this function only controls the sync client on Windows devices. To disable sync on macOS devices, the option Block sync on Mac OS in the same menu must be enabled as well. Mobile devices are also not affected by the restriction; for those, access policies or Intune policies must be used to regulate them.
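The same restriction can be applied from the SharePoint Online Management Shell instead of the OneDrive admin center. The following is an added example and not code from the original post; it assumes the ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules are installed, that the caller is a SharePoint administrator, and that `<Tenant-Name>` is replaced with your own tenant name. It also switches on the macOS block mentioned above, since the domain restriction alone does not cover that client.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory and
# Microsoft.Online.SharePoint.PowerShell modules are installed, the caller is a
# SharePoint administrator, and <Tenant-Name> is a placeholder for your tenant.

Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell

Connect-SPOService -Url 'https://<Tenant-Name>-admin.sharepoint.com'

# Collect the ObjectGuid of every domain in the forest as a plain string.
$domainGuids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).ObjectGuid.ToString() }

if (-not $domainGuids) {
    throw 'No domain GUIDs found; run this on a domain-joined computer with the ActiveDirectory module.'
}

# Set-SPOTenantSyncClientRestriction expects the GUIDs as one
# semicolon-separated string. -BlockMacSync is the PowerShell equivalent of
# "Block sync on Mac OS"; mobile clients are still outside this setting's scope.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids ($domainGuids -join ';') `
    -BlockMacSync:$true

# Read the restriction back to confirm what the tenant now enforces.
Get-SPOTenantSyncClientRestriction |
    Select-Object TenantRestrictionEnabled, AllowedDomainList, BlockMacSync
```

Reading the setting back after writing it is worth keeping in any change script: the OneDrive admin center and this cmdlet write the same tenant property, so the final `Get-SPOTenantSyncClientRestriction` shows the effective state regardless of which tool last changed it.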

Teams Admin Center

https://admin.teams.microsoft.com

Org-wide settings > External access

Users can communicate with Skype for Business and Teams users
Skype for Business users can communicate with Skype users

Org-wide settings > Guest access

Allow guest access in Teams

Calling
Make private calls

Meeting
Allow IP video
Screen sharing mode: Single application
Allow Meet Now

Messaging
Edit sent messages
Delete sent messages
Chat
Use Giphys in conversations
Use Memes in conversations
Use Stickers in conversations
Allow immersive reader for viewing messages

Org-wide settings > Teams settings

Notification and feeds
Suggested feeds can appear in a user’s activity feed

Email integration
Allow users to send emails to a channel email address

Files
Citrix files
DropBox
Box
Google Drive

Organization
Show Organization tab in chats

Devices
Require a secondary form of authentication to access meeting content: No access
Set content PIN: Required for outside scheduled meeting
Resource accounts can send messages

Search by name
Scope directory search using Exchange address book policy

Security & Compliance Admin Center

https://protection.office.com

Many functions relating to data protection and data security have moved from the individual admin centers into the Security & Compliance Admin Center (for example, Exchange has almost no configuration of its own left in this regard).

tbd…

Compliance Center

https://compliance.microsoft.com

tbd…

Azure Portal

https://aad.portal.azure.com/

Conditional Access > New policy > Non-Admins: Block Azure Portal Access

By default, every authenticated Microsoft Online user can also open the Microsoft Azure portal. This should be disabled, since regular users normally have no business in the IaaS area of Microsoft Online. It is important to explicitly exclude the admins from the block so as not to lock yourself out of administration.

Assignments
Users and groups > Include > Select users and groups > Users and groups > Select: Users
Users and groups > Exclude > Select users and groups > Users and groups > Select: Admins
Cloud apps or actions > Include > Select apps > Microsoft Azure Management
Conditions > Client apps > Browser
Access controls
Grant > Block access
Session
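The same policy can be created with Microsoft Graph PowerShell, which makes the admin exclusion explicit and reviewable. The following is an added example, not code from the original post. It assumes the Microsoft.Graph module is installed, that the caller holds the Policy.ReadWrite.ConditionalAccess permission, and that `<ADMIN-GROUP-OBJECT-ID>` is replaced with the object ID of your admin group; the application ID used for Microsoft Azure Management is the well-known one and should be checked against the app shown in your own portal.

```powershell
# Added example (not from the original post). Assumptions: Microsoft.Graph
# module installed, caller has Policy.ReadWrite.ConditionalAccess, and
# <ADMIN-GROUP-OBJECT-ID> is a placeholder for your admin group's object ID.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess'

$adminGroupId = '<ADMIN-GROUP-OBJECT-ID>'   # placeholder, replace before use

$policy = @{
    displayName = 'Non-Admins: Block Azure Portal Access'
    # Report-only first: sign-in logs then show who *would* be blocked, so a
    # missing admin exclusion is caught before anyone is locked out.
    # Change to 'enabled' once the report-only results look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($adminGroupId)    # the "Exclude: Admins" assignment
        }
        applications = @{
            # Well-known app ID of "Microsoft Azure Management"; verify it matches
            # the app selected in the portal for your tenant.
            includeApplications = @('797f4846-ba00-4fd7-ba43-dac1f8f63013')
        }
        clientAppTypes = @('browser')          # the "Client apps: Browser" condition
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')           # "Grant: Block access"
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Echo the stored policy so the exclusion can be checked before enabling it.
$created | Select-Object Id, DisplayName, State
'Excluded groups: ' + ($created.Conditions.Users.ExcludeGroups -join ', ')
```

Put any emergency-access (break-glass) accounts into the excluded admin group as well; a block policy that applies to them is the most common way to lock an organisation out of its own tenant.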

Azure Active Directory > Group > General

By default, every authenticated Microsoft Online user can create their own groups in the M365 portal. Group management should be reserved for admins or handled through workflows.

Self Service Group Management
Restrict user ability to access groups features in the Access Panel. Yes
Security Groups
Users can create security groups in Azure portals. No
Microsoft 365 Groups
Users can create Microsoft 365 groups in Azure portals. No

Endpoint Management

https://endpoint.microsoft.com/

Tenant Admin > Terms and conditions

tbd

PowerShell

Some security settings of no small importance cannot be configured in the admin centers and require configuration via PowerShell.

SharePoint Online

Disallow downloading files that have been identified as virus-infected:

Set-SPOTenant -DisallowInfectedFileDownload $true

Allow modern authentication only:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false
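Tenant-wide settings like these are easy to apply and hard to notice when they drift, so it helps to read them before and after the change. The following is an added example and not code from the original post; it assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator account, and `<Tenant-Name>` replaced with your tenant name.

```powershell
# Added example (not from the original post). Assumptions:
# Microsoft.Online.SharePoint.PowerShell module installed, caller is a
# SharePoint administrator, <Tenant-Name> is a placeholder for your tenant.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://<Tenant-Name>-admin.sharepoint.com'

function Get-SpoBaselineState {
    # Returns only the two tenant properties this baseline cares about.
    Get-SPOTenant | Select-Object DisallowInfectedFileDownload, LegacyAuthProtocolsEnabled
}

function Test-SpoBaselineState {
    param([Parameter(Mandatory)] $State)
    # True when infected-file download is blocked and legacy auth is off.
    return ($State.DisallowInfectedFileDownload -eq $true) -and
           ($State.LegacyAuthProtocolsEnabled -eq $false)
}

'Before:'
$before = Get-SpoBaselineState
$before

# Block download of files that the tenant's anti-malware scan flagged as
# infected, and reject authentication protocols other than modern auth.
Set-SPOTenant -DisallowInfectedFileDownload $true
Set-SPOTenant -LegacyAuthProtocolsEnabled $false

'After:'
$after = Get-SpoBaselineState
$after

if (-not (Test-SpoBaselineState -State $after)) {
    throw 'Tenant settings do not match the baseline; check for propagation delay or insufficient rights.'
}
```

The `Test-SpoBaselineState` check can be run on its own from a scheduled task to detect later drift, for example an admin re-enabling legacy protocols to get an old client working.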

Legend
Checkbox: checked
Checkbox: unchecked
Selectbox: selected
Selectbox: unselected
Toggle: on
Toggle: off
Dropdown Box
