Enhancing security in Microsoft Bookings: Best practices for admins

Microsoft Bookings is a powerful scheduling tool that enables organizations to streamline appointment management and enhance customer engagement. As organizations increasingly rely on Bookings to manage external and internal appointments, ensuring the security and integrity of these bookings is paramount.

At Microsoft, security and compliance are at the core of our products. Bookings is designed with security features that empower admins to control access, mitigate risks, and prevent misuse. Below are best practices and key security measures that admins can leverage to reduce risks & maintain a secure and trusted scheduling environment.

1. Accessing Shared Bookings Settings

Admins can configure granular controls for Shared Bookings in Microsoft 365 by:

• Navigating to the Microsoft 365 admin centre.
• Going to Settings > Org settings > Bookings.

Note: Changes to tenant settings may take up to four hours to apply.

2. Control Access to Booking Pages

If the organization wants to restrict the use of Bookings for internal scenarios, and not allow bookings from outside the organization, then admins can:

• Block shared bookings from outside the organization: Restrict bookings to only authenticated users within the organization, i.e. people outside the organization will not be able to access & book appointments via the shared bookings pages.

• Block social sharing options: Control how booking pages are shared on social networks.

These settings are available in M365 admin centre (Settings -> Org settings -> Bookings)

3. Enforce Naming policy for shared booking pages within the organization

Organizations can set naming policy for all the shared booking pages in the organization, thus ensuring consistent naming conventions.  This can help to differentiate shared booking pages (shared mailboxes) from other mailboxes in the organization.

• Prefix/ Suffix: This setting allows administrators to define a Prefix and Suffix for all new pages/ underlying accounts. (Enforcement won't impact existing shared booking pages unless their business information is modified. SMTP addresses of existing calendars won't be affected.)
• Block words: Specifies whether to enforce a blocklist of words not allowed in the organization.

4. Restrict Who Can Create and Manage Booking Pages

Organizations can ensure that only designated individuals have the ability to create and configure booking pages. Admins can:

• Turn Shared Bookings ON/OFF for individual users: Admins can use the Microsoft 365 admin centre to restrict/disable individual users from creating shared booking pages
• Go to the Microsoft 365 admin center, then select Users > Active users.
• Select the desired user, then select Licenses and Apps.
• Expand Apps and clear the checkbox for Microsoft Bookings.

• Allow only selected users to create shared booking pages

By using policy restrictions, admins can restrict licensed users from being able to create shared booking pages. All users in the organization will have shared bookings licenses, but only those included in the policy can create shared booking pages and have full control over who can access the shared booking pages they create.

5. Secure Staff & Customer Data and Prevent Impersonation

To safeguard user and customer data from impersonation threats:

• Block sharing staff details with customers: Prevent staff contact information from being sent to customers via email or other communication methods via granular admin controls. (Manage granular controls for Shared Bookings | Microsoft Learn)

• Use custom domains and verified senders: Configure email notifications to come from verified organization domains to prevent spoofing. (Custom domain support in Shared Bookings | Microsoft Learn)

• Restrict collection of sensitive customer data: Ensure users are not able to collect sensitive customer data via the booking pages.

6. Prevent booking pages to be searchable by search engines

Admins can prevent public booking pages from appearing in search engine results to reduce exposure to unwanted traffic.

Security and Compliance at Microsoft Bookings

We are continuously working to enhance our security measures to ensure a safe and reliable scheduling experience for organizations worldwide.

By following these best practices, admins can prevent misuse & thus strengthen the security of their Microsoft Bookings deployment. For more detailed guidance, refer to our official best practices documentation.

Ensuring security is an ongoing effort, and Microsoft remains committed to providing the tools and guidance necessary to keep your scheduling experience safe and productive.