Microsoft 365 Migration Security - 10 Things to Consider

A lot of companies are migrating to Microsoft 365. Doing so has a number of advantages, but the migration process itself can be fraught with problems. One worry companies might have is keeping everything secure through the process. Here are some migration security measures to consider to ensure a smooth and secure switch to Microsoft 365.

Set up Multi-Factor Authentication

Multi-factor authentication is available in 365, but it is not a default for administrators. You should, thus, enable it for Global Administrators before starting to migrate data. This protects those accounts from bad actors, particularly internal ones such as disgruntled employees.

Keep global administrators to the minimum required for the migration. Instead, use lesser administrator roles within Azure AD to ensure role-based access control. All users should have multi-factor authentication enabled and you should encourage employees to use it, across all departments and regardless of the level of access they have. It should absolutely be mandatory for anyone with an admin role.

Turn on Logs and Alerts

The Unified Audit Log (UAL) defaults to off and must be enabled by an administrator. You can find it in the Security and Compliance Center. The UAL logs events from the various applications and allows you to run queries. This can help you spot compromises or violations of company protocol.

This is still something IT has to check, so you should also turn on suspicious activity alerts, which will proactively inform administrators if there is a potential issue. As a minimum, these alerts should be enabled for suspicious location logins and high levels of outgoing emails (which could indicate that somebody has been hacked and their account is being used to send spam).

Logs can be integrated into Azure Sentinel, Microsoft’s Security Information and Event Management tool, or, if you prefer, into a SIEM tool your organization is already using.
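
The two minimum alerts named above (logins from unexpected locations and unusually high outbound mail volume) can be sketched as detection logic over exported audit records. This is an added example, not code from the original article or from Microsoft; the records are constructed, the `Country` field is an assumed GeoIP enrichment rather than a native audit log field, and the per-user baseline, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, simplified from the shape of an audit log export.
# "Country" is an assumed GeoIP enrichment, not a native audit log field.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-03-01T09:00:00", "UserId": "alice@example.com", "Operation": "UserLoggedIn", "Country": "US"},
    {"CreationTime": "2024-03-01T09:30:00", "UserId": "alice@example.com", "Operation": "UserLoggedIn", "Country": "RO"},
] + [
    {"CreationTime": f"2024-03-01T09:10:{s:02d}", "UserId": "bob@example.com", "Operation": "Send"}
    for s in (0, 10, 20, 30, 40)
]

# Assumed values: per-user country baseline, send threshold and sliding window.
EXPECTED_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US", "CA"}}
SEND_LIMIT = 3
SEND_WINDOW = timedelta(minutes=5)


def detect(records, expected=EXPECTED_COUNTRIES, limit=SEND_LIMIT, window=SEND_WINDOW):
    """Return (alert_type, user, timestamp) tuples in event order."""
    alerts = []
    recent_sends = defaultdict(deque)  # user -> send times inside the window
    bursting = set()                   # users already alerted for the current burst
    for rec in sorted(records, key=lambda r: r["CreationTime"]):
        ts = datetime.fromisoformat(rec["CreationTime"])
        user = rec["UserId"].lower()
        if rec["Operation"] == "UserLoggedIn":
            # Users with no baseline have an empty set, so every login is flagged.
            if rec.get("Country") not in expected.get(user, set()):
                alerts.append(("unexpected_location", user, rec["CreationTime"]))
        elif rec["Operation"] == "Send":
            q = recent_sends[user]
            q.append(ts)
            while ts - q[0] > window:  # drop sends that fell out of the window
                q.popleft()
            if len(q) > limit:
                if user not in bursting:  # one alert per burst, not per message
                    alerts.append(("send_burst", user, rec["CreationTime"]))
                    bursting.add(user)
            else:
                bursting.discard(user)
    return alerts
```
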

Use the Right Migration Security Method

Microsoft 365 provides several methods for migration. You should investigate these methods and establish which one is right for you from both a security and a user perspective. For email, Microsoft generally recommends a hybrid deployment, which allows you to use your existing on-premises Exchange organization on the cloud, with no changes to your experience or administrative controls. Also check which options apply to your situation; for example, make sure you use Multi-Geo if you have employees in different countries.

Use Encryption

Microsoft 365 encrypts data-at-rest at the application layer. Service encryption using Customer Key lets you control your own encryption keys. Encrypting a mailbox for the first time requires that the mailbox be moved, a process that can take several days.

Thus, it is much easier to deploy service encryption with Customer Key at the time of migration so that you don’t have to mess around with it later. The system encrypts all files in SharePoint Online, OneDrive for Business and Teams, as well as your Exchange Online mailbox and any text conversations with Skype for Business. If you have specific compliance issues, using Customer Key rather than Microsoft’s own encryption keys can help support them much better.

Additionally, use virtual machines encrypted with Azure Disk Encryption and, if you are using Platform as a Service, activate the Always Encrypted wizard in SQL Server Management Studio. With modern encryption, there is literally no reason to leave any files unencrypted; the performance impact is minimal to non-existent.

Follow Azure Security Center Recommendations

Administrators should start by familiarizing themselves with Azure Security Center, which provides unified security management across all of your services.

The Security Center provides its own recommendations based on your policy and regulatory requirements and performs continuous security assessments. Although this shouldn’t be considered a tool to guarantee compliance, following those recommendations does help you move in the right direction and provides a quick audit.

Enable Just-in-Time Access

Hackers love open ports. With just-in-time (JIT) access, the key port 3389 opens only when needed with the proper clearances. The access expires after a certain amount of time.

This helps prevent exploits that might come in through the open port and also helps secure role-based access. By enabling this prior to migration you can ensure that your VM is properly protected and those bad actors that probe for open ports can’t find a way in.

Enable Adaptive Application Controls

Shadow IT is a huge problem for some companies. Users, and even administrators, may install unapproved applications that create security holes or cause other problems, such as performance loss. Azure allows you to use dynamic allow lists to block attempts to run unwanted applications. You could also set up an alert system. It’s helpful to know what applications users may be trying to install so proper solutions can be provided. This can also block certain kinds of malware.

Enable File Integrity Monitoring

One common reason why VMs fail is unintentional or malicious changes to system files. While role-based access reduces the changes made to system files, file integrity monitoring notifies you if changes are made to system files and registry settings, allowing you to then investigate whether a change was intentional/necessary or not.

Install Antimalware

Not everyone realizes that virtual machines are vulnerable to malware. If you are migrating an older virtual machine, in particular, it might not be well protected.

Microsoft provides its own antimalware solution for Azure Cloud Services at no extra cost, with automatic updates, and Azure Security Center will detect VMs that don’t already have endpoint protection. Alternatively, you can look into your own antimalware solutions. Make sure that existing solutions will continue to work on Azure, and if not, upgrade or replace them.

Secure Your Web Apps

Remember that on-premises networks often have strong firewall protection whilst the cloud, by definition, is more open to the internet. Ensure that any web apps you are migrating are properly protected. This might include using Azure Application Gateway’s own firewall or using Azure Key Vault to extract and protect sensitive information.

Learn More About Maintaining Migration Security

Migrating to Office 365 can be a great decision for your company, but it can also be a complicated one that can create security issues (or highlight ones that you were previously unaware of). The Cloud Adoption Framework can help with migration security to Microsoft 365 or another cloud provider. To find out more, contact Agile IT and find out how we can help you manage your migration to Office 365.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
