Best security practices for Office 365 sign on policies
To ensure that your Office 365 app has maximum security, consider the following best practices:
Disable legacy protocols
Legacy email protocols such as IMAP and POP can't process client access policies or multifactor authentication (MFA). This can present a significant security risk, as potential attackers who acquire user credentials won't be challenged for MFA if they use a legacy protocol. To avoid this, Okta recommends that you disable these legacy protocols in your Office 365 tenant. See the Microsoft Documentation: Enable or disable POP3, IMAP, MAPI, Outlook Web App or Exchange ActiveSync in Office 365.
Secure against spoofed User-Agents
Okta sign on policies evaluate information included in the User-Agent request header sent from the user’s browser. However, User-Agent can be spoofed by a malicious actor. To avoid this, Okta recommends the following practices:
- Allow only trusted clients when creating the sign on policies.
- Create one or more rules that specify the client type(s), device platform(s), and trust combinations that are allowed to access the app.
- Require Device Trust or MFA to access the app.
See Devices and Multifactor Authentication.
Allow only MFA-supported protocols
Okta recommends that you configure Office 365 sign on policies to only allow protocols that support MFA. Enforcing MFA ensures a robust security framework.
Keep apps updated
Ensure that your end-users are using the most up-to-date app versions, especially for thick clients such as Microsoft Outlook.