1) Multi-Factor AuthenticationMulti-factor authentication requires more than just a username and password. After users logged in with a username and password, they’ll receive a phone call or text message (depending on the configuration). Then they either answer the call or enter the access code received via text into the browser.

This can be set up on a user-by-user basis. For example, if you only want to set MFA on a particular group such as higher officials or company leads and not on the entire organization, it can be done with few clicks.IP addresses can be whitelisted, meaning that, when users are at the office, they don’t need to use multi-factor authentication. This will only be required if they’re somewhere else.

4) Role-Based Access ControlRole-Based Access Control (RBAC role) is a feature designed to control the administrative access over different services across Office 365. It requires the ability to control these services by separate administrators.

The best example to have such role-based access on the services is the following: let’s say you hired a SharePoint Developer, who will be designing and customizing your SharePoint sites, for a short time period. In that case, he will need admin level access to the SharePoint admin center.

7) Azure AD Connect and Single Sign OnAzure Active Directory provides access control and identity management capabilities for Office 365 cloud services. Azure AD Connect allows you to synchronize on-premises active directory objects with Microsoft Office 365 cloud services. This allows you to provide a common identity for your users for Office 365, Azure, and SaaS applications integrated with Azure AD.

Azure AD Connect is made up of three main components, namely Sync Services, AD FS and Health Monitoring. The Sync services component is the old DirSync and is responsible for replicating on-premises Active Directory users and groups to the Office 365 cloud. AD FS is an optional component and can be used to set up a Hybrid environment with Office 365. Features like SSO, sign-on policy, smart cards, etc. are available after Hybrid setup.

8) Mobile Device Management via IntuneIntune is Microsoft’s mobile device and mobile application management solution. It’s typically available as part of Microsoft’s Enterprise Mobility + Security licensing bundle. Intune allows you to manage employee mobile devices and apps from a single dashboard. Manage across Android, iOS and Window devices. It also allows you to centrally manage the deployment of updates and applications to keep your workers at peak productivity. Key features of Intune are:

• Protect your company information by helping to control the way your workforce accesses and shares it.
• Manage the mobile devices your workforce uses to access company data.
• Manage the mobile apps your workforce uses.
• Ensure devices and apps are compliant with company security requirements.
• Apply conditional access policies so users can follow organization-based access policies even when they are not on the office premises.

9) Microsoft Advanced threat AnalyticsAdvanced Threat Analytics is meant to help businesses block targeted attacks by automatically analyzing, learning and identifying all normal and abnormal behavior.

Microsoft ATA can identify advanced persistent threats, as well as other malicious activity, better than traditional defenses because it is continuously learning about how users, devices, and network resources interact. It is also able to detect when these patterns change.

10) Password PolicyEvery user account that needs to sign in to Office 365 must have a unique user principal name (UPN) or LOGIN ID attribute value associated with their account. Password restrictions are mentioned below:

• 8 characters minimum and 16 characters maximum
• Strong passwords only: Requires 3 out of 4 of the following:
• Lowercase characters
• Uppercase characters
• Numbers (0-9)
• Symbols (see password restrictions above)

You can set password expiration as per your company policy. This configuration can be done via PowerShell or from the Office 365 Admin Center Security settings.

After 10 unsuccessful sign-in attempts (wrong password), the user will be locked out for one minute. Further incorrect sign-in attempts will lock out the user for longer.