Best practices in M365 prior to an incident

Juan Antonio Calles


In cybersecurity, preparation is everything. Especially when we talk about environments like Microsoft 365, where proper prior configuration can make the difference between an effective investigation and a completely opaque situation. It is not enough to react once an incident has occurred; the real forensic work begins much earlier, in the way we prepare the environment to record, retain, and facilitate evidence analysis.

The Unified Audit Log (UAL) is the central element of any investigation in M365. Recently created tenants have it enabled by default, but this is not always the case in older tenants, and an administrator can turn it off at any time. Confirming its status (in Microsoft Purview under Audit, or with Get-AdminAuditLogConfig in Exchange Online PowerShell) should be one of the first checks. The original post links to the following page for more information:

https://learn.microsoft.com/es-es/windows-server/administration/user-access-logging/get-started-with-user-access-logging

Note that this page describes Windows Server User Access Logging, a different feature that happens to share the UAL abbreviation. The relevant documentation for Microsoft 365 is the Microsoft Purview article "Turn auditing on or off" (https://learn.microsoft.com/en-us/purview/audit-log-enable-disable).

As a clarification, what was previously known as the “Microsoft 365 Compliance Center” (and later the “Microsoft Purview compliance portal”) has been renamed by Microsoft as Microsoft Purview, consolidating compliance and data governance functionality in a single portal.

An environment without UAL is a blind environment: access, modifications, and suspicious behavior go unrecorded, and nothing that happened before ingestion was enabled can be recovered afterwards. To activate UAL, run the following from an Exchange Online PowerShell session (Connect-ExchangeOnline with an account that holds the Audit Logs role; the change can take up to 60 minutes to take effect):


Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
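The check described above, as an added example that is not part of the original post. It confirms the ingestion flag, enables it only when needed, and then runs a small search as a sanity check that records are actually arriving. It assumes the ExchangeOnlineManagement module is installed and a hypothetical admin account forensics-admin@contoso.com that holds the Audit Logs role:

```powershell
# Added example (not from the original post): confirm UAL ingestion and enable it if needed.
# Assumes the ExchangeOnlineManagement module and a hypothetical account with the Audit Logs role.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'forensics-admin@contoso.com'   # hypothetical account

function Enable-UalIngestionIfNeeded {
    $cfg = Get-AdminAuditLogConfig
    if ($cfg.UnifiedAuditLogIngestionEnabled) {
        Write-Host 'UAL ingestion is already enabled.'
        return $true
    }
    Write-Warning 'UAL ingestion is OFF. Enabling it now; it can take up to 60 minutes to take effect.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Re-read the setting so the caller sees what the tenant now reports.
    return (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
}

function Test-UalHasRecentRecords {
    param([int]$Hours = 24)
    # A tenant with ingestion enabled for a long time but no records in the last day
    # is suspicious (disabled and re-enabled, or a search permission problem).
    $end   = (Get-Date).ToUniversalTime()
    $start = $end.AddHours(-$Hours)
    $sample = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 10
    $n = @($sample).Count
    Write-Host "$n audit record(s) found in the last $Hours hour(s)"
    return ($n -gt 0)
}

Enable-UalIngestionIfNeeded
Test-UalHasRecentRecords
```

If the flag was already on but the search returns nothing on an active tenant, check that the account has the Audit Logs role (View-Only Audit Logs is enough for searching) before assuming the log is empty.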


Log retention: time and licenses

The duration for which records are retained is another essential aspect. With Audit (Standard), the Unified Audit Log is kept for 180 days (Microsoft raised the previous 90-day default in 2023). Microsoft 365 E5 or equivalent licenses include Audit (Premium), which extends retention to one year and historically was required for advanced events such as MailItemsAccessed, which records when a message was read or synchronized, that is, whether an attacker actually accessed a specific email (Microsoft has since started making MailItemsAccessed and Send available to Audit (Standard) tenants as well). For more stringent compliance cases, audit retention policies can extend retention up to 10 years, which requires the 10-Year Audit Log Retention add-on license on top of E5.

In the absence of E5 licenses, there are viable alternatives:

  • The 90-day Microsoft Purview solutions trial, which includes Audit (Premium).

  • Automatic export of logs to external storage via the Office 365 Management Activity API, PowerShell (Search-UnifiedAuditLog), or automated flows with Azure Logic Apps, with Azure Blob Storage being a common destination.

This type of measures is especially useful for regulated organizations or those operating in critical sectors such as healthcare or finance, where traceability is a legal requirement.
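The PowerShell export route mentioned above, as an added example that is not part of the original post: it pages through the Unified Audit Log in one-hour windows, writes each record's AuditData JSON as one line per record (NDJSON), and uploads each file to Blob Storage. It assumes the ExchangeOnlineManagement and Az.Storage modules, a hypothetical admin account forensics-admin@contoso.com, and a hypothetical storage account contosoforensics with a container named ual-export that the signed-in identity can write to:

```powershell
# Added example (not from the original post): incremental UAL export to Azure Blob Storage.
# Assumes ExchangeOnlineManagement + Az.Storage modules; account, storage account and container are hypothetical.
Import-Module ExchangeOnlineManagement, Az.Storage
Connect-ExchangeOnline -UserPrincipalName 'forensics-admin@contoso.com'   # hypothetical account
Connect-AzAccount | Out-Null

function Export-UalWindow {
    param([datetime]$Start, [datetime]$End, [string]$OutFile)
    # One SessionId per window; ReturnLargeSet pages through up to 50,000 records
    # for that session, so keep calling until a page comes back empty.
    $sessionId = 'ual-export-' + [guid]::NewGuid().ToString()
    $total = 0
    $writer = [System.IO.StreamWriter]::new($OutFile, $false, [System.Text.UTF8Encoding]::new($false))
    try {
        do {
            $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
            foreach ($rec in $page) {
                # AuditData is already a JSON document per record; one record per line.
                $writer.WriteLine($rec.AuditData)
                $total++
            }
        } while (@($page).Count -gt 0)
    } finally {
        $writer.Dispose()
    }
    return $total
}

# Export yesterday (UTC) in 1-hour windows to stay well under the per-session
# ceiling on busy tenants, then upload every non-empty file.
$ctx = New-AzStorageContext -StorageAccountName 'contosoforensics' -UseConnectedAccount
$day = (Get-Date).ToUniversalTime().Date.AddDays(-1)
for ($h = 0; $h -lt 24; $h++) {
    $from = $day.AddHours($h)
    $to   = $from.AddHours(1)
    $file = Join-Path $env:TEMP ('ual_{0:yyyyMMdd_HH}.ndjson' -f $from)
    $count = Export-UalWindow -Start $from -End $to -OutFile $file
    if ($count -gt 0) {
        $blobName = '{0:yyyy/MM/dd}/{1}' -f $from, (Split-Path $file -Leaf)
        Set-AzStorageBlobContent -File $file -Container 'ual-export' -Blob $blobName -Context $ctx -Force | Out-Null
    }
    '{0:u} -> {1:u}: {2} records' -f $from, $to, $count
}
```

Run it on a schedule (an Azure Automation runbook or a scheduled task on a hardened host) with a window that overlaps the previous run by an hour or two, since records can arrive in the UAL with some delay; the NDJSON format ingests directly into Sentinel, Log Analytics, or any SIEM that reads JSON lines. Enabling an immutability policy on the container turns the export into tamper-evident storage.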


Mailbox auditing: not all events are the same

Since 2019, Exchange Online has had mailbox auditing enabled by default for user, shared, and Microsoft 365 Group mailboxes, so the classic per-mailbox switch is only needed where default auditing has been disabled at the organization level (AuditDisabled), turned off for a specific mailbox, or for mailbox types that default auditing does not cover, such as room and equipment resource mailboxes. What default auditing does not guarantee is the depth of the record: knowing who has read an email (the MailItemsAccessed event) depends on the Audit (Premium) or newer Audit (Standard) entitlement, and the set of owner, delegate, and admin actions that are logged can be extended per mailbox. The explicit form for a shared mailbox is:


Set-Mailbox -Identity "buzoncompartido@zerolynx.com" -AuditEnabled $true

This type of auditing is essential in internal investigations, especially when there are suspicions of unauthorized access to confidential information. In high-sensitivity environments, it is advisable to also audit service and resource mailboxes, which are not covered by default auditing and often fall outside the usual controls.
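A tenant-wide check of the conditions just described, followed by the explicit hardening of one shared mailbox, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session under a hypothetical account forensics-admin@contoso.com and a hypothetical shared mailbox shared-finance@contoso.com:

```powershell
# Added example (not from the original post): verify mailbox auditing is in force and harden a shared mailbox.
# Assumes an Exchange Online PowerShell session; the admin account and the shared mailbox are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'forensics-admin@contoso.com'   # hypothetical account

# 1. Organization-wide default. If AuditDisabled is $true, per-mailbox AuditEnabled values are ignored.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning 'Mailbox auditing is disabled at the organization level; re-enabling it.'
    Set-OrganizationConfig -AuditDisabled $false
}

# 2. Mailboxes where auditing was explicitly turned off, plus accounts exempted through bypass associations
#    (a bypass on an admin or service account hides everything that account does in other mailboxes).
$mailboxes  = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox, RoomMailbox, EquipmentMailbox
$notAudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
$notAudited | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails | Format-Table -AutoSize

$bypassed = Get-MailboxAuditBypassAssociation -ResultSize Unlimited | Where-Object { $_.AuditBypassEnabled }
$bypassed | Select-Object Name | Format-Table -AutoSize

# 3. Harden one shared mailbox: auditing on, a one-year mailbox audit age limit instead of the 90-day default,
#    and reads and rule/permission changes logged for delegates and admins. MailItemsAccessed is only
#    recorded when the tenant's audit entitlement includes it. Note that adding actions to AuditDelegate
#    or AuditAdmin takes that logon type out of Microsoft's default audit set (DefaultAuditSet), so actions
#    Microsoft adds later will not be picked up automatically for this mailbox.
$shared = 'shared-finance@contoso.com'   # hypothetical
Set-Mailbox -Identity $shared -AuditEnabled $true -AuditLogAgeLimit '365.00:00:00'
Set-Mailbox -Identity $shared -AuditDelegate @{Add = 'MailItemsAccessed', 'SendAs', 'SendOnBehalf', 'UpdateInboxRules', 'UpdateFolderPermissions'}
Set-Mailbox -Identity $shared -AuditAdmin    @{Add = 'MailItemsAccessed', 'UpdateInboxRules', 'UpdateFolderPermissions'}

# 4. Confirm the effective configuration.
Get-Mailbox -Identity $shared |
    Select-Object DisplayName, AuditEnabled, AuditLogAgeLimit, DefaultAuditSet, AuditOwner, AuditDelegate, AuditAdmin |
    Format-List
```

Step 2 is the part most often skipped: a single AuditBypassEnabled association on a service account is enough to make that account's access to every shared mailbox invisible, which is exactly the kind of gap an attacker who lands on such an account benefits from.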


Deliberate preservation: retention and Litigation Hold

A powerful preventive strategy is the use of Litigation Hold on key users. Even if there is no ongoing litigation, this feature ensures that no email can be permanently deleted, not even by the user themselves: items the user deletes or purges are kept in the Recoverable Items folder for as long as the hold lasts. It requires an Exchange Online Plan 2 license (or Plan 1 with the Exchange Online Archiving add-on), and held mailboxes grow over time, so the Recoverable Items quota should be monitored.

For example, many organizations apply a permanent hold on mailboxes of executives or heads of critical areas. This not only protects against attacks but also against human errors or internal sabotage.

Additionally, defining generalized retention policies for mail and documents — for example, one year — allows recovering any deleted content within the configured period. The important thing is to find the balance between legal needs, privacy, and forensic readiness.
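Both measures from this section in one script, as an added example that is not part of the original post: an indefinite Litigation Hold on the members of an executives group, a report of everything on hold, and a one-year organization-wide Purview retention policy for mail and documents. It assumes an Exchange Online session and a Security & Compliance (Connect-IPPSSession) session under a hypothetical account forensics-admin@contoso.com, and a hypothetical distribution group named Executives:

```powershell
# Added example (not from the original post): Litigation Hold for key users plus a one-year retention policy.
# Assumes Exchange Online and Security & Compliance PowerShell sessions; account and group name are hypothetical.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'forensics-admin@contoso.com'   # hypothetical account

function Set-KeyUserLitigationHold {
    param([string]$GroupIdentity)
    $placed = 0
    # Litigation Hold needs Exchange Online Plan 2, or Plan 1 + Exchange Online Archiving.
    foreach ($member in Get-DistributionGroupMember -Identity $GroupIdentity -ResultSize Unlimited) {
        $mb = Get-Mailbox -Identity $member.PrimarySmtpAddress -ErrorAction SilentlyContinue
        if (-not $mb) { continue }                       # contacts or mail users without a mailbox
        if ($mb.LitigationHoldEnabled) { continue }
        # No LitigationHoldDuration means an indefinite hold; -LitigationHoldDuration 365 would
        # instead release each item a year after its creation.
        Set-Mailbox -Identity $mb.Identity -LitigationHoldEnabled $true
        $placed++
    }
    return $placed
}

$newHolds = Set-KeyUserLitigationHold -GroupIdentity 'Executives'   # hypothetical group
"$newHolds mailbox(es) newly placed on hold"

# Report of every mailbox currently on hold, with who set it and when (useful evidence in itself).
Get-Mailbox -ResultSize Unlimited -Filter 'LitigationHoldEnabled -eq $true' |
    Select-Object DisplayName, PrimarySmtpAddress, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration |
    Format-Table -AutoSize

# One-year retention for mail and documents through a Purview retention policy.
# Action Keep retains content for the period and then does nothing (no automatic deletion).
Connect-IPPSSession -UserPrincipalName 'forensics-admin@contoso.com'
$policy = New-RetentionCompliancePolicy -Name 'Forensic readiness - keep 1 year' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name 'Keep 1 year' -Policy $policy.Name `
    -RetentionDuration 365 -RetentionComplianceAction Keep
```

Retention policies take hours to propagate and apply to content going forward, which is one more reason to configure them before an incident rather than during one.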


Separate accounts for analysis

Another fundamental principle is the use of separate accounts for investigation operations. The forensic or compliance team should not operate with standard administrative accounts. It is recommended to have specific accounts with the minimum necessary permissions (such as access to eDiscovery, auditing, or Purview), protected with dedicated multi-factor authentication.

This approach offers several advantages:

  • Strengthens traceability: every action is clearly associated with an analysis account.

  • Minimizes the risk of lateral movement and escalation: if a day-to-day administrative account is compromised, it does not grant immediate access to forensic tools or to the evidence they hold.

  • Allows applying stricter controls, such as using dedicated devices, IP restrictions, or geolocation.


Knowing the technical limitations of the environment

Proper preparation also involves knowing the platform's limits:

  • Entra ID retains sign-in and audit logs for only 30 days with Entra ID P1/P2 (7 days on the free tier); keeping them longer requires exporting them through diagnostic settings to a Log Analytics workspace, a storage account, or an event hub.

  • Content searches in eDiscovery are subject to size and time limits.

  • Exporting from Purview may be limited to 2 TB per case.

Anticipating these restrictions helps avoid critical blockages during an investigation. Therefore, integrating a SIEM like Microsoft Sentinel or third-party solutions to store logs long-term is an increasingly common practice.

It is also advisable to divide investigations by custodians or departments to split data volumes and avoid bottlenecks.


Evidence handling and preservation

Once the evidence has been collected—whether PST files, CSV logs, or screenshots—the most delicate phase begins: preservation. Some good practices include:

  • Hash calculation (SHA-256) at collection time, recorded alongside the evidence so integrity can be verified later.

  • Storage in secure repositories with access control (for example, a private SharePoint site or Azure Blob Storage with an immutability policy; Azure Key Vault is suited to the keys and secrets that protect the evidence rather than the evidence files themselves).

  • Detailed recording of the extraction and preservation process in a forensic logbook.

Although Microsoft facilitates the initial collection, the chain of custody depends entirely on internal processes. Having a dedicated digital space for investigations, accessible only to authorized personnel, greatly facilitates the management and integrity control of the evidence.
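The hashing and logbook practices above as a runnable pair of functions, added here as an example that is not part of the original post: one builds a SHA-256 manifest for every file under an evidence directory, the other re-verifies the directory against that manifest and reports missing or modified files. The case directory, case identifier, and analyst name are hypothetical:

```powershell
# Added example (not from the original post): SHA-256 evidence manifest and later verification.
# Paths, case ID and analyst name are hypothetical.
function New-EvidenceManifest {
    param([string]$EvidenceDir, [string]$ManifestPath, [string]$CaseId, [string]$Analyst)
    $base = (Resolve-Path -Path $EvidenceDir).Path.TrimEnd('\', '/')
    $entries = Get-ChildItem -Path $base -File -Recurse | ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            CaseId       = $CaseId
            RelativePath = $_.FullName.Substring($base.Length + 1)
            SizeBytes    = $_.Length
            SHA256       = $hash.Hash
            HashedAtUtc  = (Get-Date).ToUniversalTime().ToString('o')
            Analyst      = $Analyst
        }
    }
    $entries | Export-Csv -Path $ManifestPath -NoTypeInformation -Encoding UTF8
    # The hash of the manifest itself is what goes into the logbook / ticket; anyone holding it
    # can later prove the manifest (and therefore every listed file) is unchanged.
    return (Get-FileHash -Path $ManifestPath -Algorithm SHA256).Hash
}

function Test-EvidenceManifest {
    param([string]$EvidenceDir, [string]$ManifestPath)
    $base = (Resolve-Path -Path $EvidenceDir).Path.TrimEnd('\', '/')
    $problems = @()
    foreach ($entry in Import-Csv -Path $ManifestPath) {
        $file = Join-Path $base $entry.RelativePath
        if (-not (Test-Path -Path $file -PathType Leaf)) {
            $problems += "$($entry.RelativePath): MISSING"
            continue
        }
        $current = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($current -ne $entry.SHA256) {
            $problems += "$($entry.RelativePath): MODIFIED (expected $($entry.SHA256), got $current)"
        }
    }
    if ($problems.Count -eq 0) {
        Write-Host 'Manifest verified: every listed file is present and unchanged.'
        return $true
    }
    $problems | ForEach-Object { Write-Warning $_ }
    return $false
}

# Usage with hypothetical paths: run the first line right after collection, the second before any analysis.
$caseDir = 'D:\Cases\INC-2025-042'
$manifestHash = New-EvidenceManifest -EvidenceDir "$caseDir\evidence" -ManifestPath "$caseDir\manifest.csv" `
    -CaseId 'INC-2025-042' -Analyst 'j.perez'
"Manifest SHA-256 (record this in the logbook): $manifestHash"
Test-EvidenceManifest -EvidenceDir "$caseDir\evidence" -ManifestPath "$caseDir\manifest.csv"
```

Verification only detects files that are missing or changed; files added to the directory after the manifest was written are not flagged, so treat the manifest as the authoritative inventory and keep it outside the evidence folder.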


Forensic drills: practice before chaos

Just as disaster recovery tests are conducted, it is essential to carry out forensic investigation drills. These exercises should consider realistic scenarios: unauthorized mailbox access, mass file downloads from SharePoint, permission manipulation, etc.

Practicing with the eDiscovery team, verifying that licenses are properly assigned, confirming that permissions work as intended, and measuring response times are actions that can make a difference when a real incident occurs.


Conclusion: the answers are there, if you have known how to keep them

When something fails, questions will inevitably arise: What happened? Who did it? From where? What information was accessed or exfiltrated? And all those answers could already be contained in the Microsoft 365 logs.

The key is that this data exists, has not been tampered with, and can be correctly interpreted. That is the true function of effective preparation: not only to protect the environment but to ensure that, if the worst happens, the truth can be accurately reconstructed.

