okta

Most businesses that we work with utilize Office 365 to varying degrees. No matter which mix of the O365 services a business uses, you can pretty much guarantee that email is the centerpiece of every environment. After performing a few O365 and Okta integrations, I have seen two key benefits of tying O365 into Okta that aren't immediately apparent.

First off, Office 365's logging features: they exist, but they are somewhat limited. You can view user metrics such as number of emails sent, last login, app usage, etc., but where do you look for failed or unusual logins? Does a run-of-the-mill IT admin have any indication when their accounts are being brute-forced? If you enable audit logging you then have access to logs of admin access, but these reports are designed to show when an admin accesses a user's account, so that you can maintain a paper trail and have a record of possible internal leaks. They are not meant to track the actions of external bad actors.

Immediately after doing an O365 integration with one of our customers, we noticed that a fair number of their users were locked out overnight. Okta's reporting features showed us that these users had hundreds of attempted logins to portal.office.com from a province somewhere in China. It appeared that someone was attempting to brute-force the accounts, but with no user lockout feature or logging of that capacity, the admins we were working with had NO IDEA that their user accounts were being hammered like that! We also retrieved a nice list of suspect IPs that they were able to cross-reference on their firewall and SIEM to investigate further.

The second way Okta helped was through dynamic IP blacklisting/whitelisting. By default, in O365, an admin can maintain an IP address block list within the Exchange Online admin center, under the 'Connection Filter' section. Unfortunately, the IP addresses you configure here are not dynamic: you are required to maintain the list of IPs yourself. That is workable if you already update a hosts file by hand, but it cannot effectively block logins from specific locations like countries or states.

The customer we worked with here was able to apply company-wide GeoIP settings from Okta to O365. A service which previously had spotty access control was now completely barring users that attempted to log in from anywhere outside the US. Instead, they were redirected to Okta and subjected to the sign-on policies configured there.
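To make the two benefits above concrete (spotting the overnight brute-force lockouts and the suspect IPs, then checking which attempts a US-only GeoIP policy would have turned away), here is an added illustration that is not part of the original post and not Okta's or Microsoft's code. It triages a handful of constructed sign-in events. The field layout (`eventType`, `outcome.result`, `actor.alternateId`, `client.ipAddress`, `client.geographicalContext.country`) is only an approximation of the Okta System Log shape; the events, addresses and thresholds are all made up for the example.

```python
"""Triage Okta-style sign-in events: brute-force detection and a geo allowlist.

Added illustration. The events are constructed; the field names approximate the
Okta System Log layout and should be checked against the real API before use.
"""
import json
from collections import Counter

# Constructed sample (JSON lines, one event per line). IPs come from the
# RFC 5737 documentation ranges; users and countries are invented.
SAMPLE_LOG = """
{"eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "China"}}}
{"eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "China"}}}
{"eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "China"}}}
{"eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "198.51.100.7", "geographicalContext": {"country": "China"}}}
{"eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "bob@example.com"}, "client": {"ipAddress": "192.0.2.44", "geographicalContext": {"country": "China"}}}
{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "alice@example.com"}, "client": {"ipAddress": "203.0.113.5", "geographicalContext": {"country": "United States"}}}
{"eventType": "user.session.start", "outcome": {"result": "SUCCESS"}, "actor": {"alternateId": "carol@example.com"}, "client": {"ipAddress": "203.0.113.9", "geographicalContext": {"country": "Germany"}}}
{"eventType": "user.session.start", "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"}, "actor": {"alternateId": "dave@example.com"}, "client": {"ipAddress": "203.0.113.22", "geographicalContext": {"country": "United States"}}}
"""


def parse_events(raw: str) -> list:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def _field(event: dict, *path, default=None):
    """Walk nested keys safely; return `default` if any key is missing."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def failed_logins(events: list) -> list:
    """Only the sign-in attempts that ended in FAILURE."""
    return [e for e in events
            if _field(e, "eventType") == "user.session.start"
            and _field(e, "outcome", "result") == "FAILURE"]


def failures_by_user(events: list) -> Counter:
    """Failed sign-in count per account (the lockout signal from the post)."""
    return Counter(_field(e, "actor", "alternateId", default="<unknown>")
                   for e in failed_logins(events))


def flag_bruteforce(events: list, threshold: int = 3) -> dict:
    """Accounts with at least `threshold` failures; a single typo (dave) is not flagged."""
    return {user: n for user, n in failures_by_user(events).items() if n >= threshold}


def suspect_ips(events: list, min_failures: int = 2) -> list:
    """Source IPs behind at least `min_failures` failed sign-ins, busiest first.
    This is the list you would hand to the firewall/SIEM team to cross-reference."""
    per_ip = Counter(_field(e, "client", "ipAddress", default="<unknown>")
                     for e in failed_logins(events))
    return [ip for ip, n in per_ip.most_common() if n >= min_failures]


def evaluate_geo_policy(events: list, allowed_countries: set) -> list:
    """Label every attempt ALLOW/DENY under a country allowlist.
    Unknown or missing geolocation is denied, matching a deny-by-default posture."""
    decisions = []
    for e in events:
        country = _field(e, "client", "geographicalContext", "country", default="<unknown>")
        decisions.append({
            "user": _field(e, "actor", "alternateId", default="<unknown>"),
            "ip": _field(e, "client", "ipAddress", default="<unknown>"),
            "country": country,
            "decision": "ALLOW" if country in allowed_countries else "DENY",
        })
    return decisions


def count_decisions(events: list, allowed_countries: set) -> Counter:
    """How many attempts the allowlist would admit versus turn away."""
    return Counter(d["decision"] for d in evaluate_geo_policy(events, allowed_countries))


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("failed sign-ins per user:", dict(failures_by_user(events)))
    print("likely brute-forced accounts:", flag_bruteforce(events))
    print("suspect IPs for firewall/SIEM:", suspect_ips(events))
    print("US-only policy outcome:", dict(count_decisions(events, {"United States"})))
```

Run against the sample, the script flags `alice@example.com` (three failures), isolates `198.51.100.7` as the address behind most of the noise, and shows that a US-only allowlist would have denied six of the eight attempts, including all of the failing ones from China, before they ever reached O365. In practice you would feed it a System Log export and tune the thresholds to your own baseline.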

These two features bring improvement and insight to any O365 environment that hasn't already invested heavily in configuring Microsoft's security tools, and they provide a uniform access policy across ALL of a company's cloud apps.