# Security Policies Reference

Comprehensive security configuration guide for Microsoft 365 tenants covering Conditional Access, MFA, DLP, and security baselines.

---

## Table of Contents

- [Conditional Access Policies](#conditional-access-policies)
- [Multi-Factor Authentication](#multi-factor-authentication)
- [Data Loss Prevention](#data-loss-prevention)
- [Security Baselines](#security-baselines)
- [Admin Role Security](#admin-role-security)
- [Guest Access Controls](#guest-access-controls)

---

## Conditional Access Policies

### Policy Architecture

| Policy Type | Target Users | Applications | Grant Control |
|-------------|-------------|--------------|---------------|
| Admin MFA | Admin roles | All apps | Require MFA |
| User MFA | All users | All apps | Require MFA |
| Device Compliance | All users | Office 365 | Compliant device |
| Location-Based | All users | All apps | Block non-trusted |
| Legacy Auth Block | All users | All apps | Block |

### Recommended Policies

#### 1. Require MFA for Administrators

**Scope:** Global Admin, Security Admin, Exchange Admin, SharePoint Admin, User Admin

**Settings:**
- Include: Directory roles (admin roles)
- Exclude: Emergency access accounts
- Grant: Require MFA
- Session: Sign-in frequency 4 hours

#### 2. Require MFA for All Users

**Scope:** All users

**Settings:**
- Include: All users
- Exclude: Emergency access accounts, service accounts
- Conditions: All cloud apps
- Grant: Require MFA
- Session: Persistent browser session disabled

#### 3. Block Legacy Authentication

**Scope:** All users

**Settings:**
- Include: All users
- Conditions: Exchange ActiveSync, Other clients
- Grant: Block access

**Why:** Legacy protocols (POP, IMAP, SMTP AUTH) cannot enforce MFA.

#### 4. Require Compliant Devices

**Scope:** All users accessing sensitive data

**Settings:**
- Include: All users
- Applications: Office 365, SharePoint, Exchange
- Grant: Require device compliance OR Hybrid Azure AD joined
- Platforms: Windows, macOS, iOS, Android

#### 5. Block Access from Untrusted Locations

**Scope:** High-risk operations

**Settings:**
- Include: All users
- Applications: Azure Management, Microsoft Graph
- Conditions: Exclude named locations (corporate IPs)
- Grant: Block access

### Named Locations Configuration

| Location Name | Type | IP Ranges |
|--------------|------|-----------|
| Corporate HQ | IP ranges | 203.0.113.0/24 |
| VPN Exit Points | IP ranges | 198.51.100.0/24 |
| Trusted Countries | Countries | US, CA, GB |
| Blocked Countries | Countries | (high-risk regions) |

### Policy Deployment Strategy

1. **Report-Only Mode (Week 1-2)**
   - Enable policies in report-only
   - Monitor sign-in logs for impact
   - Identify false positives

2. **Pilot Group (Week 3-4)**
   - Enable for IT staff first
   - Address issues before broad rollout
   - Document exceptions needed

3. **Gradual Rollout (Week 5-8)**
   - Enable by department
   - Provide user communication
   - Monitor help desk tickets

4. **Full Enforcement**
   - Enable for all users
   - Maintain exception process
   - Quarterly policy review

---

## Multi-Factor Authentication

### MFA Methods (Strength Ranking)

| Method | Security Level | User Experience |
|--------|---------------|-----------------|
| FIDO2 Security Keys | Highest | Excellent |
| Windows Hello | Highest | Excellent |
| Microsoft Authenticator (Passwordless) | High | Good |
| Microsoft Authenticator (Push) | High | Good |
| OATH Hardware Token | High | Fair |
| SMS/Voice | Medium | Good |
| Email OTP | Low | Fair |

### Recommended Configuration

**For Administrators:**
- Require phishing-resistant MFA (FIDO2, Windows Hello)
- Disable SMS/Voice as backup
- Enforce re-authentication every 4 hours

**For Standard Users:**
- Require Microsoft Authenticator
- Allow SMS as backup (temporary)
- Session lifetime: 90 days with risk-based re-auth

**For External/Guest Users:**
- Require MFA from home tenant
- Fall back to email OTP if needed

### MFA Registration Campaign

```
Phase 1: Communication (Week 1)
- Announce MFA requirement
- Provide registration instructions
- Set deadline for registration

Phase 2: Registration (Week 2-3)
- Open registration portal
- IT support available
- Track registration progress

Phase 3: Enforcement (Week 4)
- Enable MFA requirement
- Grace period for stragglers
- Block unregistered after deadline
```

---

## Data Loss Prevention

### Sensitive Information Types

| Category | Examples | Action |
|----------|----------|--------|
| Financial | Credit card, Bank account | Block external sharing |
| PII | SSN, Passport, Driver's license | Require justification |
| Health | Medical records, Insurance | Block and notify |
| Credentials | Passwords, API keys | Block all sharing |

### DLP Policy Templates

#### Financial Data Protection

**Scope:** Exchange, SharePoint, OneDrive, Teams

**Rules:**
1. Credit card numbers (Luhn validated)
2. Bank account numbers
3. SWIFT codes

**Actions:**
- Block external sharing
- Encrypt email to external recipients
- Notify compliance team

#### PII Protection

**Scope:** All Microsoft 365 locations

**Rules:**
1. Social Security Numbers
2. Passport numbers
3. Driver's license numbers

**Actions:**
- Warn user before sharing
- Require business justification
- Log all incidents

#### Healthcare (HIPAA)

**Scope:** Exchange, SharePoint, Teams

**Rules:**
1. Medical record numbers
2. Health insurance IDs
3. Drug names with patient info

**Actions:**
- Block external sharing
- Apply encryption
- Retain for 7 years

### DLP Deployment

1. **Audit Mode First**
   - Enable policies in test mode
   - Review matched content
   - Tune false positives

2. **User Tips**
   - Enable policy tips in apps
   - Educate before enforcing
   - Provide override option with justification

3. **Enforcement**
   - Block high-risk content
   - Warn for medium-risk
   - Log everything

---

## Security Baselines

### Microsoft Secure Score Targets

| Category | Target Score | Key Actions |
|----------|-------------|-------------|
| Identity | 80%+ | MFA, Conditional Access, PIM |
| Data | 70%+ | DLP, Sensitivity labels, Encryption |
| Device | 75%+ | Compliance policies, Defender |
| Apps | 70%+ | OAuth app review, Admin consent |

### Priority Security Settings

#### Identity (Do First)

- [ ] Enable Security Defaults OR Conditional Access
- [ ] Require MFA for all admins
- [ ] Block legacy authentication
- [ ] Enable self-service password reset
- [ ] Configure password protection (banned passwords)

#### Data Protection

- [ ] Enable sensitivity labels
- [ ] Configure DLP policies
- [ ] Enable audit logging
- [ ] Set retention policies
- [ ] Configure information barriers (if needed)

#### Device Security

- [ ] Require device compliance
- [ ] Enable Microsoft Defender for Endpoint
- [ ] Configure BitLocker requirements
- [ ] Set application protection policies
- [ ] Enable Windows Autopilot

#### Application Security

- [ ] Review OAuth app permissions
- [ ] Configure admin consent workflow
- [ ] Block risky OAuth apps
- [ ] Enable app governance
- [ ] Configure MCAS policies

---

## Admin Role Security

### Privileged Identity Management (PIM)

**Configuration:**
- Require approval for Global Admin activation
- Maximum activation: 8 hours
- Require MFA at activation
- Require justification
- Send notification to security team

### Role Assignment Best Practices

| Role | Assignment Type | Approval Required |
|------|-----------------|-------------------|
| Global Admin | Eligible only | Yes |
| Security Admin | Eligible only | Yes |
| User Admin | Eligible | No |
| Help Desk Admin | Permanent (limited) | No |

### Emergency Access Accounts

**Configuration:**
- 2 cloud-only accounts
- Excluded from ALL Conditional Access
- No MFA (break-glass scenario)
- Monitored via alerts
- Passwords in secure vault
- Test quarterly

**Naming:** `emergency-access-01@tenant.onmicrosoft.com`

---

## Guest Access Controls

### Guest Invitation Settings

| Setting | Recommended Value |
|---------|------------------|
| Guest invite restrictions | Admins and users in guest inviter role |
| Enable guest self-service sign-up | No |
| Enable email one-time passcode | Yes |
| Collaboration restrictions | Allow invitations only to specified domains |

### Guest Access Review

**Frequency:** Quarterly

**Scope:**
- All guest users
- Group memberships
- Application access

**Actions:**
- Remove inactive guests (90+ days)
- Revoke unnecessary permissions
- Require re-certification

### B2B Collaboration Settings

**Allowed Domains:**
- Partners: `partner1.com`, `partner2.com`
- Block all others for sensitive resources

**Guest Permissions:**
- Limited directory browsing
- Cannot enumerate users
- Cannot invite other guests