Best security practices for Office 365 sign on policies

To ensure that your Office 365 app has maximum security, consider the following best practices:

Disable legacy protocols

Legacy email protocols such as IMAP and POP can't process client access policies or multifactor authentication (MFA). This can present a significant security risk, as potential attackers who acquire user credentials won't be challenged for MFA if they use a legacy protocol. To avoid this, Okta recommends that you disable these legacy protocols in your Office 365 tenant. See the Microsoft Documentation.

Secure against spoofed User-Agents

Okta sign on policies evaluate information included in the User-Agent request header sent from the user’s browser. However, User-Agent can be spoofed by a malicious actor. To avoid this, Okta recommends the following practices:

  • Allow only trusted clients when creating the sign on policies.
  • Create one or more rules that specify the client type(s), device platform(s), and trust combinations that are allowed to access the app.
  • Require Device Trust or MFA to access the app. See Devices and Multifactor authentication.

Allow only MFA-supported protocols

Okta recommends that you configure Office 365 sign on policies to only allow protocols that support MFA. Enforcing MFA ensures a robust security framework.

Keep apps updated

Ensure that your end-users are using the most up-to-date app versions, especially for thick clients such as Microsoft Outlook.

Next step

Office 365 default sign-on rules