
Updated Microsoft 365 security and compliance guidance for the UK public sector

For almost 20 years, Microsoft and the (now) National Cyber Security Centre (NCSC) have been working together. This work started with securing user devices but has evolved to cover not only user devices but the broader secure use of Microsoft 365.

People say that the last part in a trilogy is the perfect way to close out a movie series. But what happens when the last movie was actually the prequel?

Microsoft has remastered its existing guidance, in line with the “Entra ID vision”, as a series of documents under the banner “Microsoft 365 guidance for UK Government”. Following the release of the Information Protection guidance and the update to the External Collaboration guidance, we have also remastered the one that kicked it all off: the Secure Configuration Blueprint.

Microsoft 365 Guidance for UK Government:

  • Information Protection
  • External Collaboration
  • Secure Configuration Blueprint

The three-piece collection provides a common baseline which UK Government departments, and their partners, can use to enable secure use of Microsoft 365.

The goal of the Secure Configuration Blueprint is to create a secure foundation for a Microsoft 365 tenancy. It provides guidance using the “Good, Better, Best” approach, based on feature availability by licence, offering policies and settings that protect your Microsoft 365 tenancy from the most common attacks. It includes:

  • Securing identities that access services, including privileged users.
  • Protecting devices that your users use to access services.
  • Configuration of services to require use of the above when accessing data.

The updated Secure Configuration Blueprint guidance is the base upon which the other pieces of guidance are built. But how have we got to where we are today?

Securing user devices

It all started as a result of understanding that device trust was key to protecting the data stored locally and in datacentres.

In 2004, on the back of the high-profile worms SQL Slammer (January 2003) and Blaster (August 2003), Microsoft worked closely with the Communications-Electronics Security Group (CESG), now a part of the NCSC. This joint effort developed a set of security controls to take advantage of the security improvements in Windows XP SP2, including Windows Firewall on by default, Software Restriction Policies, and Automatic Updates enabled by default.

The outcome of this work was known as the “Government Assurance Pack” or GAP for short. GAP was revised and updated for Vista and Windows 7 and added BitLocker device encryption and AppLocker when those features were released.

Moving forward to 2014, CESG adopted a model that evaluated all end-user devices, PC and mobile, against a common set of principles: the End User Device Security Principles. Windows 8 (8.1), Windows 10 and Windows 11 have all had End User Device (EUD) security guidance developed, initially with CESG and then with the NCSC when it was formed in October 2016.

By following the latest guidance provided by NCSC, organisations (including Government departments) can be confident that the devices used by their users to access and handle data are secure against common attacks.

Figure 1. Timeline leading to the updated Secure Configuration Blueprint guidance.

Securing cloud services

The UK Government introduced a “Cloud First” policy in 2013 for all technology decisions, with the NCSC publishing the 14 Cloud Security Principles (originally in December 2013) to support Government as it started to adopt cloud services.

Historically, the focus of the guidance was on securing devices but, with the UK Government adopting a Cloud First policy, data was no longer being stored in on-premises datacentres and networks. Instead, it would increasingly be stored in Public Cloud services like Microsoft 365.

To address this, Microsoft worked with the NCSC to produce guidance for Microsoft Azure in October 2017, and in July 2019 we released the initial version of Office 365 Blueprint and a supporting document detailing how Office 365 met the NCSC 14 Cloud Security Principles.

In parallel with releasing the Office 365 guidance, we also worked with the NCSC to produce the first MDM (Mobile Device Management) End User Device (EUD) guidance for cloud-managed Windows 10 EUDs using Microsoft Intune. This guidance formed the base for Microsoft’s first cloud-based Privileged Access Workstation (PAW), allowing organisations to manage the risk of Microsoft 365 administration. Microsoft recommends using a PAW for administrative access and managed EUDs for standard user access, both using Entra ID to secure access to cloud services – please refer to Protect Microsoft 365 and Securing Privileged Access.

Once the foundational guidance was released, and on the back of the challenges that the COVID-19 pandemic brought to UK Government departments, we worked with NCSC and Government Security Group and released the first iteration of our BYOD guidance in June 2020.

The rest is history, as they say. Working with Central Digital & Data Office (CDDO) and NCSC, the Cross-Government Collaboration guidance was released in 2021 and updated in 2023, along with the release of the Purview Information Protection guidance.

With that, UK Government departments have at their disposal guidance for how to securely configure their Entra ID and Microsoft 365 tenant, classify and protect their data, and use it to securely collaborate with not only other government departments but also industry partners.

But remember, if you don’t pay attention to the first film, the sequels might be confusing. So, ensure that you implement the guidance in the Secure Configuration Blueprint before looking to adopt the Information Protection or External Collaboration guidance.

Find out more

Read the Secure Configuration Blueprint

Guidance on protecting government data using Microsoft Purview

About the author

James Noyce, Senior Technical Specialist, Microsoft UK

James has spent his entire IT career of 27 years specialising in the security arena, the last 22 of which have been for Microsoft. Based in the UK, he works in the key areas of security and identity in the public sector as a Security Technical Specialist. He is a regular contributor to Microsoft docs for Securing Privileged Access and was the lead architect for the Microsoft 365, External Collaboration, Information Protection, and BYOD guidance produced for the Cabinet Office and NCSC.