Recommendation for the baseline configuration of a Microsoft Online tenant
This post covers my recommendations for the baseline settings of a Microsoft Online tenant with regard to data security, data protection and administration. The settings are chosen to be moderately restrictive and can of course be configured more or less restrictively as needed.
The settings are based on the features available with an Office 365 Enterprise E3 license including EMS Plan E3. The settings available in your own tenant may therefore differ if you use a different licensing model with other features.
Most settings are self-explanatory, so for the most part I only document the settings themselves. Since a lot changes regularly in the admin portals, I try to keep the settings up to date, but without any guarantee that this is always the case. Feel free to leave a note in the comments if something is missing or has changed.
Office 365 Admin Center
https://portal.office.com/adminportal
Settings > Settings > Services > Azure Speech Services
Allow the organization-wide language model
Settings > Settings > Services > Briefing email
Let people in your organization receive Briefing email
Allow Microsoft to contact me about my feedback
Settings > Settings > Services > Bookings
Allow your organization to use Bookings
Settings > Settings > Services > Calendar
Let your users share their calendars with people outside of your organization …
Settings > Settings > Services > Cortana
Allow Cortana optional connected experiences to use your organization’s Microsoft-hosted data
Settings > Settings > Services > Dynamics 365 Sales Insights – Analytics
Allow org data to be used by Dynamics 365 Sales Insights – Analytics
Settings > Settings > Services > Dynamics 365 Sales Insights – Connection Graph
Enable Dynamics 365 Sales Insights – Connection Graph for your entire organization
Settings > Settings > Services > Integrated Apps
Let people in your organization decide whether third-party apps can access their Office 365 information
Settings > Settings > Services > Microsoft communication to users
Using Office 365
Settings > Settings > Services > Microsoft Forms
External Sharing
Send a link to the form and collect responses
Share to collaborate on the form layout and structure
Share the form as a template that can be duplicated
Share form result summary
Record names of people in your org
Record names by default
Allow YouTube and Bing
Include Bing search, YouTube videos
Phishing protection
Add internal phishing protection
Settings > Settings > Services > Microsoft Graph data connect
Turn Microsoft Graph data connect on or off for your entire organization
Settings > Settings > Services > Microsoft Planner
Allow Microsoft Planner users to publish their plans and assigned tasks to Outlook …
Settings > Settings > Services > Microsoft To Do
Allow your users to join and contribute to lists shared from outside your organization
Settings > Settings > Services > Modern Authentication
Enable Modern authentication
Settings > Settings > Services > My Analytics
Which Analytics elements should users have access to?
Insights dashboard
Weekly digest
Insights Outlook add-in
Let us know how we can make MyAnalytics work better for your organization
Allow Microsoft to contact me about my feedback
Settings > Settings > Services > Office 365 Groups
Let group members outside your organization access group content
Let group owners add people outside your organization to groups
Settings > Settings > Services > Office on the web
Let users open files stored in third-party storage services with Office on the web
Settings > Settings > Services > Office Scripts
Let users automate their tasks in Office on the web
Settings > Settings > Services > Office software download settings
Apps for Windows and mobile devices
Office (includes Skype for Business)
Skype for Business (Standalone)
Apps for Mac
Office
Skype for Business (OS X El Capitan 10.11 or higher)
Settings > Settings > Services > Reports
Display anonymous identifiers instead of user, group, or site names in all reports
Make report data available to Microsoft 365 usage analytics for Power BI
Settings > Settings > Services > SharePoint
Users can share with:
Only people in your organization – no external sharing allowed
Existing guests only – only guests already in your organization’s directory
New and existing guests – guests must sign in or provide a verification code
Anyone – users can share files and folders using links that don’t require sign-in
Settings > Settings > Services > Sway
Sharing
Let people in your organization share their sways with people outside your organization
Let people in your organization look up people and security groups
Content sources
Flickr
Pickit
Wikipedia
YouTube
Settings > Settings > Services > User consent to apps
Let users provide consent when apps request access to your organization’s data on their behalf
Settings > Settings > Services > User owned apps and services
Let users access the Office Store
Let users install trial apps and services
Settings > Settings > Services > Whiteboard
Turn on Whiteboard for everyone in your org
Diagnostic data
Level of diagnostic data to send to Microsoft
Required – The minimum amount of data necessary to keep Whiteboard secure, up-to-date, …
Optional – Additional data that helps make product improvements and provides enhanced …
Neither – No diagnostic data about Whiteboard client software running on the devices …
Optional connected experiences
Allow the use of optional connected experiences in Whiteboard
Settings > Settings > Security & privacy > Bing data collection
Allow Bing to collect organization data to improve search experiences
Settings > Settings > Security & privacy > Sharing
Let users add new guests to the organization
Settings > Settings > Organization profile > Release preferences
Standard release for everyone
Targeted release for everyone
Targeted release for selected users
Settings > Settings > Organization profile > Custom themes
Prevent users from overriding their theme
Show the user’s display name
Settings > Microsoft Search > Configurations > Allow use of Microsoft Search in Bing > Set up
Enable Microsoft Search in Bing to get full enterprise search experience
SharePoint Admin Center
https://<Tenant-Name>-admin.sharepoint.com/
Policies > Access control > Idle session sign-out
Sign out inactive users automatically
Sign out users after: 4 hours
Give users this much notice before signing them out: 15 minutes
Policies > Access control > Apps that don’t use modern authentication
Allow access
Block access
Settings > Site creation
Let users create sites from the SharePoint start page and OneDrive
Settings > Site storage limits
Automatic – Let sites use as much of your organization’s storage as they need
Manual – Set specific limits for each site
Settings > Classic settings page
Delve (powered by Office Graph)
Enable Delve and related features
Disable Delve and related features
Streaming Video Service
Enable streaming video through Azure Media Services and enable the Video Portal
Disable streaming video through Azure Media Services and disable the Video Portal
Personal Blogs
Enable Personal Blogs
Disable Personal Blogs
Site Pages
Allow users to create Site Pages
Prevent users from creating Site Pages
Site Creation
Hide the Create site command
Show the Create site command
Subsite Creation
Hide the Subsite command
Show the Subsite command only for classic sites
Show the Subsite command for all sites
Preview Features
Enable preview features
Disable preview features
Connected Services
Block SharePoint 2013 workflows
Comments on Site Pages
Enable comments on Site Pages
Disable comments on Site Pages
OneDrive Admin Center
https://admin.onedrive.com
Sync
Show the Sync button on the OneDrive Website
Allow syncing only on PCs joined to specific domains
Block syncing of specific file types
If the option Allow syncing only on PCs joined to specific domains is enabled, the GUIDs of the trusted domains must be entered. The GUIDs can be determined on a domain-joined computer with the following PowerShell command:
# Lists every domain in the forest together with its ObjectGuid (requires the ActiveDirectory module)
(Get-ADForest).Domains | ForEach-Object { Get-ADDomain -Identity $_ | Select-Object Name, ObjectGuid }
Important: this function only controls the sync client on Windows devices. To disable sync on Mac OS devices, the option Block sync on Mac OS in the same menu must be enabled as well. Mobile devices are also not affected by this restriction; for such devices, Access Policies or Intune Policies must be used to regulate them.
Teams Admin Center
https://admin.teams.microsoft.com
Org-wide settings > External access
Users can communicate with Skype for Business and Teams users
Skype for Business users can communicate with Skype users
Org-wide settings > Guest access
Allow guest access in Teams
Calling
Make private calls
Meeting
Allow IP video
Screen Sharing mode: Single application
Allow Meet Now
Messaging
Edit sent messages
Delete sent messages
Chat
Use Giphys in conversations
Use Memes in conversations
Use Stickers in conversations
Allow immersive reader for viewing messages
Org-wide settings > Teams settings
Notification and feeds
Suggested feeds can appear in a user’s activity feed
Email integration
Allow users to send emails to a channel email address
Files
Citrix files
DropBox
Box
Google Drive
Organization
Show Organization tab in chats
Devices
Require a secondary form of authentication to access meeting content: No access
Set content PIN: Required for outside scheduled meeting
Resource accounts can send messages
Search by name
Scope directory search using Exchange address book policy
Security & Compliance Admin Center
https://protection.office.com
Many functions relating to data protection and data security have moved from the individual admin centers into the Security & Compliance Admin Center (e.g. Exchange has almost no configuration of its own in this regard anymore).
tbd…
Compliance Center
https://compliance.microsoft.com
tbd…
Azure Portal
https://aad.portal.azure.com/
Conditional Access > New policy > Non-Admins: Block Azure Portal Access
By default, every authenticated Microsoft Online user can also open the Microsoft Azure portal. This should be disabled, since regular users normally have no business in the IaaS area of Microsoft Online. It is important to explicitly exclude the admins from the block so that you do not lock yourself out of administration.
Assignments
Users and groups > Include > Select users and groups > Users and groups > Select Users
Users and groups > Exclude > Select users and groups > Users and groups > Select Admins
Cloud apps or actions > Include > Select apps > Microsoft Azure Management
Conditions > Client apps > Browser
Access controls
Grant > Block access
Session
Azure Active Directory > Groups > General
By default, every authenticated Microsoft Online user can create their own groups in the M365 portals. Group management should be reserved for admins or implemented through workflows.
Self Service Group Management
Restrict user ability to access groups features in the Access Panel: Yes
Security Groups
Users can create security groups in Azure portals: No
Microsoft 365 Groups
Users can create Microsoft 365 groups in Azure portals: No
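The same Conditional Access policy can be created with the Microsoft Graph PowerShell SDK, which makes the admin exclusion reviewable in code. This is an added example, not from the original post; it assumes the Microsoft.Graph module is installed, and the two group object ids are placeholders that must be replaced.

```powershell
# Added example (not from the original post): create the "Non-Admins: Block Azure Portal Access"
# policy with the Microsoft Graph PowerShell SDK instead of clicking through the portal.
# Assumptions: Microsoft.Graph module installed; both group ids below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

$userGroupId  = "<OBJECT-ID-OF-GROUP-WITH-REGULAR-USERS>"   # placeholder: the users selected under Include
$adminGroupId = "<OBJECT-ID-OF-ADMIN-GROUP>"                 # placeholder: the admins selected under Exclude

# Lockout guard: refuse to create the policy unless the admin exclusion group really exists.
$adminGroup = Get-MgGroup -GroupId $adminGroupId -ErrorAction Stop
Write-Host "Excluding admin group '$($adminGroup.DisplayName)' from the block policy"

# 797f4846-ba00-4fd7-ba43-dac1f8f63013 is the well-known application id behind the
# "Microsoft Azure Management" entry in the Conditional Access app picker.
$policy = @{
    displayName = "Non-Admins: Block Azure Portal Access"
    # Report-only first: review the sign-in logs for unexpected matches, then switch to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($userGroupId)
            excludeGroups = @($adminGroupId)
        }
        applications = @{
            includeApplications = @("797f4846-ba00-4fd7-ba43-dac1f8f63013")
        }
        clientAppTypes = @("browser")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Once the report-only sign-in logs show only the intended users being matched, change `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`.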
Endpoint Management
https://endpoint.microsoft.com/
Tenant Admin > Terms and conditions
tbd
PowerShell
Some security settings of no small importance cannot be configured in the admin centers but require configuration via PowerShell.
SharePoint Online
Prohibit downloading files that have been identified as virus-infected:
Set-SPOTenant -DisallowInfectedFileDownload $true
Allow only Modern Authentication:
Set-SPOTenant -LegacyAuthProtocolsEnabled $false
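Because these two settings are not visible in any admin center, they are easy to lose track of. The following added example (not from the original post) audits the tenant against both values and can remediate drift; it assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint admin account, and the tenant name placeholder replaced.

```powershell
# Added example (not from the original post): audit the SharePoint Online tenant against the two
# PowerShell-only settings above and optionally remediate drift.
# Assumptions: Microsoft.Online.SharePoint.PowerShell installed, SharePoint admin role,
# and <Tenant-Name> replaced by the real tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<Tenant-Name>-admin.sharepoint.com"

function Test-SpoBaseline {
    param([switch]$Remediate)

    # Baseline values from this post; extend the table with further Get-SPOTenant properties as needed.
    $baseline = @{
        DisallowInfectedFileDownload = $true
        LegacyAuthProtocolsEnabled   = $false
    }

    $tenant = Get-SPOTenant
    foreach ($name in $baseline.Keys) {
        $expected  = $baseline[$name]
        $actual    = $tenant.$name
        $compliant = ($actual -eq $expected)

        if (-not $compliant -and $Remediate) {
            # Splatting a one-key hashtable calls e.g. Set-SPOTenant -LegacyAuthProtocolsEnabled $false
            $change = @{ $name = $expected }
            Set-SPOTenant @change
            $actual    = (Get-SPOTenant).$name
            $compliant = ($actual -eq $expected)
        }

        [pscustomobject]@{
            Setting   = $name
            Expected  = $expected
            Actual    = $actual
            Compliant = $compliant
        }
    }
}

# Report only; add -Remediate to enforce the baseline.
Test-SpoBaseline | Format-Table -AutoSize
```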
—
Legend
Checkbox: checked
Checkbox: unchecked
Selectbox: selected
Selectbox: unselected
Toggle: on
Toggle: off
Dropdown Box