Best security practices for Office 365 sign on policies

To ensure that your Office 365 app has maximum security, consider the following best practices:

Disable legacy protocols

Legacy email protocols such as IMAP and POP can't process client access policies or multifactor authentication (MFA). This can present a significant security risk, as potential attackers who acquire user credentials won't be challenged for MFA if they use a legacy protocol. To avoid this, Okta recommends that you disable these legacy protocols in your Office 365 tenant. See the Microsoft Documentation: Enable or disable POP3, IMAP, MAPI, Outlook Web App or Exchange ActiveSync in Office 365.
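The following script is an added example, not code from the Okta or Microsoft documentation. It assumes the ExchangeOnlineManagement PowerShell module is installed and the signed-in account holds Exchange administrator rights; it audits which mailboxes still accept POP3 or IMAP, disables both, and turns the protocols off in the mailbox plans so new mailboxes inherit the secure default.

```powershell
# Added example (not from the Okta or Microsoft docs): find mailboxes that still
# accept the legacy POP3/IMAP protocols, disable them, and fix the defaults.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin rights.
param(
    [switch]$ReportOnly   # hypothetical switch: list affected mailboxes only, change nothing
)

Connect-ExchangeOnline -ShowBanner:$false

# Audit: every mailbox where POP3 or IMAP is still enabled.
$legacy = @(Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Select-Object Identity, PopEnabled, ImapEnabled)

Write-Host ("{0} mailbox(es) still accept POP3 and/or IMAP" -f $legacy.Count)
$legacy | Format-Table -AutoSize

if (-not $ReportOnly) {
    foreach ($m in $legacy) {
        # Disable both legacy protocols on the mailbox. Clients that use modern
        # authentication (Outlook with modern auth, Outlook on the web) are unaffected.
        Set-CASMailbox -Identity $m.Identity -PopEnabled $false -ImapEnabled $false
    }

    # Also disable the protocols in every mailbox plan so that newly created
    # mailboxes do not come up with POP3/IMAP enabled again.
    Get-CASMailboxPlan | ForEach-Object {
        Set-CASMailboxPlan -Identity $_.Identity -PopEnabled $false -ImapEnabled $false
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run it first with -ReportOnly to review the affected mailboxes, then without the switch to apply the change.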

Secure against spoofed User-Agents

Okta sign on policies evaluate information included in the User-Agent request header sent from the user's client. However, a malicious actor can spoof the User-Agent so that a request appears to come from a different client or protocol than it actually does. To reduce this risk, Okta recommends the following practices:

Allow only MFA-supported protocols

Okta recommends that you configure Office 365 sign on policies to only allow protocols that support MFA. Because MFA is enforced regardless of what the User-Agent header claims, a client that spoofs its User-Agent still has to complete MFA before it gains access.

Keep apps updated

Ensure that your end-users are using the most up-to-date app versions, especially for thick clients such as Microsoft Outlook.

Next step

Office 365 default sign on rules