We have a few paid staff pastors that are in “less than friendly” countries, and we have been asked to set them up with email in our O365 tenant. We are trying to do some due diligence regarding security for our systems, and also for the security of the pastors in those regions. The plan is to limit their license to Exchange only at this point, and MFA will be enabled. Does anyone have a similar situation and experience you’d like to share, things to think about so we don’t miss stuff to consider?
I have about 15 years doing IT in “less than friendly” countries. Conditional access, Intune (especially for MAM), and AIP are pretty much mandatory in those regions. You can deploy EMS or you can go full-blown M365 to get those features. Very common that security bureaus will steal devices, break-in and drop spyware on devices, spear-phish, and/or force open biometric locks during detainment/interrogations, so you want to be ready to mitigate all of that to at least some degree.
Quick tip: if you have people in “less than friendly” countries, especially the East/Southeast Asian ones where state sponsored cyber-crime/cyber-espionage is well funded, you absolutely need to block legacy authentication so they don’t slip past MFA checks by brute-forcing POP/IMAP protocols.
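As an added illustration of the two points above (conditional access for users in these regions, and blocking legacy authentication so POP/IMAP logins can't bypass MFA), here is a short script that is not from any poster in this thread. It walks Entra ID / Azure AD sign-in records in the shape the Microsoft Graph `signIn` resource returns, reports which users are still authenticating with legacy protocols, and builds the Graph `conditionalAccessPolicy` body that blocks those clients. The sign-in records are constructed sample data; the user names, IPs, country code and the break-glass group ID are placeholders; the set of `clientAppUsed` values treated as legacy is my reading of Microsoft's sign-in log categories and should be checked against your tenant's reports.

```python
"""Find legacy-auth sign-ins in Entra ID / Azure AD sign-in log exports and
build a Conditional Access policy body that blocks legacy clients.
Added example, not code from the thread; sample records are constructed."""
import json
from collections import defaultdict

# clientAppUsed values that Microsoft's sign-in reports classify as legacy
# authentication (assumption: verify against your tenant's sign-in workbook).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Other clients",
}

# Constructed sample records mirroring the Graph signIn resource fields.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2023-03-01T06:10:00Z", "userPrincipalName": "pastor1@example.org",
     "clientAppUsed": "IMAP4", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "XX"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-01T06:12:00Z", "userPrincipalName": "pastor1@example.org",
     "clientAppUsed": "Browser", "ipAddress": "203.0.113.10",
     "location": {"countryOrRegion": "XX"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2023-03-01T07:00:00Z", "userPrincipalName": "pastor2@example.org",
     "clientAppUsed": "POP3", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "XX"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-01T07:00:05Z", "userPrincipalName": "pastor2@example.org",
     "clientAppUsed": "POP3", "ipAddress": "198.51.100.7",
     "location": {"countryOrRegion": "XX"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-03-01T08:30:00Z", "userPrincipalName": "admin@example.org",
     "clientAppUsed": "Mobile Apps and Desktop clients", "ipAddress": "192.0.2.4",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]


def is_legacy_auth(record):
    """True when the sign-in used a protocol that cannot satisfy an MFA prompt."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def find_legacy_auth_signins(records):
    """Return one flattened hit per legacy-auth sign-in, successful or not.
    errorCode 0 means the sign-in succeeded; anything else is a failed attempt,
    which for POP/IMAP is what password spraying looks like in the log."""
    hits = []
    for r in records:
        if not is_legacy_auth(r):
            continue
        hits.append({
            "when": r.get("createdDateTime"),
            "user": r.get("userPrincipalName"),
            "app": r.get("clientAppUsed"),
            "ip": r.get("ipAddress"),
            "country": r.get("location", {}).get("countryOrRegion"),
            "succeeded": r.get("status", {}).get("errorCode") == 0,
        })
    return hits


def summarize_by_user(hits):
    """Per-user counts of successful and failed legacy sign-ins plus the apps used,
    i.e. the list of people to move to modern auth before the block policy is enforced."""
    summary = defaultdict(lambda: {"succeeded": 0, "failed": 0, "apps": set()})
    for h in hits:
        bucket = summary[h["user"]]
        bucket["succeeded" if h["succeeded"] else "failed"] += 1
        bucket["apps"].add(h["app"])
    return {u: {"succeeded": v["succeeded"], "failed": v["failed"],
                "apps": sorted(v["apps"])} for u, v in summary.items()}


def build_block_legacy_auth_policy(exclude_group_ids=(),
                                   state="enabledForReportingButNotEnforced"):
    """Body for POST /identity/conditionalAccess/policies that blocks the
    'exchangeActiveSync' and 'other' client app types (the legacy ones).
    Starts in report-only mode so the sign-in log shows impact before enforcement."""
    return {
        "displayName": "Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeGroups": list(exclude_group_ids)},  # break-glass accounts
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    legacy_hits = find_legacy_auth_signins(SAMPLE_SIGNINS)
    print(json.dumps(summarize_by_user(legacy_hits), indent=2))
    # Placeholder group ID; replace with your emergency-access group's object ID.
    print(json.dumps(build_block_legacy_auth_policy(
        exclude_group_ids=["00000000-0000-0000-0000-000000000000"]), indent=2))
```

Run the summary against a real export first (for example the sign-in log downloaded as JSON from the portal or pulled via Graph), fix the users who still show legacy successes, then flip the policy's `state` from report-only to `enabled`. Failed legacy attempts against accounts that never use those protocols are worth an alert on their own, since they are exactly the MFA-bypass attempts the post above describes.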
I recommend going back to Exchange. Some countries that are unfriendly to your mission require Microsoft, Google, and others to give them access. To what extent that might happen on an email system hosted by Microsoft and Google, we can’t say. But it seems that doing your due diligence on this to protect your pastors overseas is worth the low cost associated with hosting and securing your own Exchange server.
Microsoft servers for US-based companies are hosted in the United States, and Microsoft has strongly fought any overseas legal access to United States accounts, and I believe has even won court challenges in this area. Their datacenters are likely better protected than any non-Microsoft systems, so I would feel comfortable using their risky sign-in detection, Intune, MFA, and other security services turned up to high (which are all difficult or impossible to implement well on your own without their full AzureAD system behind them) in an E3 or E5 account (or E3 with the E5 Security add-on license), with as many of the security options turned on and configured/monitored as possible. It seems like you have a good handle on this to start!
To my knowledge, the only compromised O365 that should be of concern is the one managed by 21Vianet for China-based organizations. Everybody should avoid that, but USA datacenters are safe, and I’d argue that other regions, particularly tax shelters where multinationals actually have their intellectual property ownership like Singapore or Ireland, are going to be fiercely defended from overseas data access requests.