In an ever-increasing effort to protect your accounts and underlying data, Microsoft is continuing to add security features and improvements to your subscriptions over time. Below are a few changes to expect in the upcoming months into 2023.

Security Defaults
A couple of years ago, “Security Defaults” were added to all MS365 accounts. “Security Defaults” is a single setting that applies a set of best-practice settings across the myriad of available security and compliance options. It is suitable for most small and medium businesses, sparing them from tweaking every aspect of their individual environments while still maintaining a reasonable balance between user impact and security.

For most accounts, “Security Defaults” was enabled automatically on all new accounts, but not on existing accounts. KeyStone has been gradually moving our customers into “Security Defaults”, but a number of customers have not yet adopted this setting due to preferences, most notably a distaste for adopting MFA (Multi-factor Authentication).

Other Settings enforced by “Security Defaults” that may have prevented/slowed adoption for your environment could be:

  • Removing some legacy authentication – This might impact some OLD software that still sends emails using your primary domain.
  • Requiring modern authentication on mobile devices – This may preclude some VERY old phones from accessing MS365 data.

By October of 2023, Security Defaults will be ENFORCED on ALL MS365 accounts unless enterprise licensing has been applied (over 300 users).

*IMPORTANT* Microsoft reserves the right to roll this setting out to accounts without warning, and has already begun doing so for some. In most cases, the impact has been minor, but we want to give our users as much notice as possible, as KeyStone has neither access to nor advance notification of this change.

What does this mean for me? This means that MFA will be required for all users in your account to access Email, SharePoint, Teams, or ANY MS365 data.

While we understand that this might be an additional step for some, it should be something relatively common for most of us in 2023. Additionally, the mobile app process has become very seamless and simple. If you have concerns, your KeyStone account manager can demo this for you at any time and help your users ease into this transition.

External Sharing Defaults
Many of our customers use OneDrive and SharePoint to securely share documents and content outside of their organization. There are 2 upcoming changes related to external sharing:

  • Anonymous Sharing Links (“Everyone” Links) – External sharing will require that links be sent to specific email addresses. Anonymous Links will no longer be supported. The recipient will have to log in with a Microsoft account to retrieve the shared data, which prevents anyone from accessing the data simply with an anonymous link. If you have already created Anonymous Links, they will stop working unless you contact your KeyStone Account Manager to discuss your specific situation and override the setting. This can be overridden per customer, but MUST be discussed ahead of time to prevent existing links from failing.
  • If you choose to continue to use anonymous links, the new default setting will be for “View” access only. Again, this setting can be overridden by request by reaching out to your KeyStone Account Manager.

Automatic Forwards
Users will be blocked from creating AUTOMATIC rules that forward email to another email address outside the organization. This helps to improve security on 2 different fronts:

  • If an attacker gains access to your mailbox, a common tactic is to set up external forwarding of your email to an outside mailbox in order to monitor activity and gain insight into day-to-day actions/people/events. This is always used in an attempt to trick you or others into doing something fraudulent.
  • This prevents an employee from creating rules to circumvent using the company’s email system and potentially creating a liability by allowing sensitive data to leave your data network.

Block Insecure Legacy Email Protocols
This setting is the one that can potentially cause the most interruption to your workflows by impacting your non-computer email-related items (copiers, scanners, legacy software).

Once this has been enabled, older email systems will not be able to send email through the MS365 system unless they can be updated to adhere to the newer authentication methods. In these instances, KeyStone will most commonly be required to re-configure the impacted systems to either:

  • Use the newer authentication protocols.
  • Leverage a different system for email delivery outside of the MS365 system.

Unfortunately, we will not be able to anticipate when this setting will be enforced, but we have already begun to identify the customers we know would be most significantly impacted to proactively reconfigure these systems ahead of this change.

External Email Warning Tag in Outlook
Some of you may have already noticed an “EXTERNAL” tag next to the sender in your Outlook software. This has been added as an easier way for you to visually identify when an email has originated outside of your organization. It has no bearing on your ability to sort or search.

We know that these changes to your daily workflows can be difficult to learn and manage. If you have any questions about these or any other security changes, please contact your Account Manager today for assistance or a technical demo.

Thanks for your continuing trust and business!