The Microsoft Security Fundamentals exam is an opportunity to familiarize yourself with the core security, compliance, and identity (SCI) concepts across Microsoft cloud-based services.
Use this exam cram guide to familiarize yourself with Microsoft’s holistic approach and end-to-end solution. Each testing domain is listed along with the key review points you will need to know in order to be successful.
Section 1: Describe security methodologies
1.1 – Describe the Zero-Trust methodology
Attackers’ ability to bypass conventional access controls is ending any illusion that traditional security strategies are sufficient. By no longer trusting the integrity of the corporate network, security is strengthened.
In practice, this means that we no longer assume that a password is sufficient to validate a user but add multi-factor authentication to provide additional checks. Instead of granting access to all devices on the corporate network, users are allowed access only to the specific applications or data that they need.
The Zero Trust model has three principles which guide and underpin how security is implemented. These are: verify explicitly, least privilege access, and assume breach.
- Verify explicitly. Always authenticate and authorize based on the available data points, including user identity, location, device, service or workload, data classification, and anomalies.
- Least privileged access. Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
- Assume breach. Segment access by network, user, devices, and application. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.
1.2 – Describe the shared responsibility model
In organizations running only on-premises hardware and software, the organization is 100 percent responsible for implementing security and compliance. With cloud-based services, that responsibility is shared between the customer and the cloud provider.
The responsibilities vary depending on where the workload is hosted:
- Software as a Service (SaaS)
- Platform as a Service (PaaS)
- Infrastructure as a Service (IaaS)
- On-premises datacenter (On-prem)
The shared responsibility model makes responsibilities clear. When organizations move data to the cloud, some responsibilities transfer to the cloud provider and some to the customer organization.
The following diagram illustrates the areas of responsibility between the customer and the cloud provider, according to where data is held.
1.3 – Define defense in depth
Example layers of security might include:
- Physical security such as limiting access to a datacenter to only authorized personnel.
- Identity and access security controls, such as multi-factor authentication or condition-based access, to control access to infrastructure and change control.
- Perimeter security including distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
- Network security, such as network segmentation and network access controls, to limit communication between resources.
- Compute layer security such as securing access to virtual machines either on-premises or in the cloud by closing certain ports.
- Application layer security to ensure applications are secure and free of security vulnerabilities.
- Data layer security including controls to manage access to business and customer data and encryption to protect data.
Section 2: Describe security concepts
2.1 – Describe common threats
Data breach: A data breach is when data is stolen, and this includes personal data. Personal data means any information related to an individual that can be used to identify them directly or indirectly.
Common security threats that can result in a breach of personal data include phishing, spear phishing, tech support scams, SQL injection, and malware designed to steal passwords or bank details.
Dictionary attack: A dictionary attack is a type of identity attack where a hacker attempts to steal an identity by trying a large number of known passwords. Each password is automatically tested against a known username. Dictionary attacks are also known as brute force attacks.
Ransomware: Malware is the term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can give attackers unauthorized access, which allows them to use system resources, lock you out of your computer, and ask for ransom.
Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims, usually in the form of cryptocurrencies, in exchange for the decryption key.
Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.
Disruptive attacks: A Distributed Denial of Service (DDoS) attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
Other common threats include coin miners, rootkits, trojans, worms, and exploits and exploit kits. Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that the device reports about itself.
Trojans are a common type of malware which can’t spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them. Trojans often use the same file names as real and legitimate apps so it’s easy to accidentally download a trojan thinking that it is legitimate.
A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.
Exploits take advantage of vulnerabilities in software. A vulnerability is a weakness in your software that malware uses to get onto your device. Malware exploits these vulnerabilities to bypass your computer’s security safeguards and infect your device.
These examples are just a few of the threats commonly seen. This is a continually evolving area and new threats emerge all the time.
2.2 – Describe encryption
Section 3: Describe Microsoft Security and compliance principles
3.1 – Describe Microsoft’s privacy principles
The six privacy principles are:
- Control: Putting you, the customer, in control of your privacy with easy-to-use tools and clear choices.
- Transparency: Being transparent about data collection and use so that everyone can make informed decisions.
- Security: Protecting the data that’s entrusted to Microsoft by using strong security and encryption.
- Strong legal protections: Respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right.
- No content-based targeting: Not using email, chat, files, or other personal content to target advertising.
- Benefits to you: When Microsoft does collect data, it’s used to benefit you, the customer, and to make your experiences better.
3.2 – Describe the service trust portal
From the main menu, you access:
- Service Trust Portal – home page.
- Compliance Manager – measures your progress in completing actions that help reduce risks around data protection and regulatory standards.
- Trust Documents – links to security implementation and design information.
- Industries & Regions – contains compliance information about Microsoft Cloud services organized by industry and region.
- Trust Center – links to the Microsoft Trust Center, which provides more information about security, compliance, and privacy in the Microsoft Cloud.
- Resources – links to resources including information about the features and tools available for data governance and protection in Office 365, the Microsoft Global Datacenters, and Frequently Asked Questions.
- My Library – allows you to add documents and resources that are relevant to your organization. Everything is in one place. You can also opt to have email notifications sent when a document is updated, and set the frequency you receive notifications.
Section 4: Define identity principles/concepts
4.1 – Define identity as the primary security perimeter
Administration. Administration is about the creation and management of identities for users, devices, and services. As an administrator, you manage how and under what circumstances the characteristics of identities can change (be created, updated, deleted).
Authentication. The authentication pillar tells the story of how much assurance for a particular identity is enough. In other words, how much does an IT system need to know about an identity to have sufficient proof that they really are who they say they are? It involves the act of challenging a party for legitimate credentials.
Authorization. The authorization pillar is about processing the incoming identity data to determine the level of access an authenticated person or service has within the application or service that it wants to access.
Auditing. The auditing pillar is about tracking who does what, when, where, and how. Auditing includes having in-depth reporting, alerts, and governance of identities.
Addressing each of these four pillars is key to a comprehensive and robust identity and access control solution.
4.2 – Define modern authentication
With modern authentication, all services, including all authentication services, are supplied by a central identity provider. Information that’s used to authenticate the user with the server is stored and managed centrally by the identity provider.
With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks.
4.3 – Define authorization
4.4 – Describe identity providers
4.5 – Describe Active Directory
AD DS is a central component in organizations with on-premises IT infrastructure. AD DS gives organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user. AD DS doesn’t, however, natively support mobile devices, SaaS applications, or line of business apps that require modern authentication methods.
4.6 – Describe the concept of Federated services
A common example of federation in practice is when a user logs in to a third-party site with their social media account, such as Twitter. In this scenario, Twitter is an identity provider, and the third-party site might be using a different identity provider, such as Azure AD. There’s a trust relationship between Azure AD and Twitter.
4.7 – Define common Identity Attacks
Brute force: Brute force attacks try many passwords against one or more accounts, sometimes using dictionaries of commonly used passwords. When a user has assigned a weak password to their account, the hacker will find a match and access that account.
Phishing: A phishing attack is when a hacker sends an email that appears to come from a reputable source. The email contains a credible story, such as a security breach, instructing the user to sign in and change their password. Instead of going to a legitimate website, the user is directed to the scammer’s website where they enter their username and password. The hacker has now captured the user’s identity, and their password.
Spear phishing: A spear phishing scam is a variant on phishing. Hackers build databases of information about users, which can be used to create highly credible emails. The email may appear to come from someone in your organization who is requesting information. Although careful scrutiny might uncover the fraud, users may not read it carefully enough and send the requested information or log in to the website before they realize the fraud. This practice is called spear phishing because it’s highly targeted.
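The brute force description above is written from the attacker’s side; the defender’s counterpart is spotting the pattern in sign-in telemetry, which is also the kind of correlation a SIEM performs. The following Python is an added example, not part of the original guide, that runs over a constructed set of sign-in records and raises two alerts: an account hit by a burst of failures from one source (a brute force or dictionary attack, with severity raised if that source then succeeds) and a source that fails once against many different accounts (a password spray, the “one or more accounts” case). The record format, thresholds, user names and IP addresses are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real log data): ISO timestamp, user, source IP, result.
SAMPLE_EVENTS = (
    # six failures against one account from one source within half a minute, then a success
    [("2024-05-01T08:00:%02d" % (5 * i), "alice", "198.51.100.23", "failure") for i in range(6)]
    + [("2024-05-01T08:01:30", "alice", "198.51.100.23", "success")]
    # a legitimate user mistyping twice, then signing in normally
    + [("2024-05-01T08:05:00", "bob", "10.0.0.5", "failure"),
       ("2024-05-01T08:05:20", "bob", "10.0.0.5", "success")]
    # one failure each against twelve different accounts from a single source
    + [("2024-05-01T09:00:%02d" % i, "user%02d" % i, "203.0.113.9", "failure") for i in range(12)]
)


def parse(events):
    """Convert raw tuples to (datetime, user, ip, result), ordered by time."""
    return sorted((datetime.fromisoformat(t), u, ip, r) for t, u, ip, r in events)


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_threshold=10):
    """Return a list of alert dicts.

    brute_force   : at least `fail_threshold` failures for one (ip, user) pair inside `window`;
                    severity becomes 'high' when that pair later succeeds (likely compromise).
    password_spray: failures against at least `spray_threshold` distinct users from one ip inside `window`.
    """
    failures_by_pair = defaultdict(list)   # (ip, user) -> [times]
    failures_by_ip = defaultdict(list)     # ip -> [(time, user)], time-ordered
    successes = defaultdict(list)          # (ip, user) -> [times]
    for t, user, ip, result in parse(events):
        if result == "failure":
            failures_by_pair[(ip, user)].append(t)
            failures_by_ip[ip].append((t, user))
        elif result == "success":
            successes[(ip, user)].append(t)

    alerts = []
    for (ip, user), times in failures_by_pair.items():
        for i in range(len(times) - fail_threshold + 1):
            burst_end = times[i + fail_threshold - 1]
            if burst_end - times[i] <= window:
                compromised = any(s > burst_end for s in successes[(ip, user)])
                alerts.append({"kind": "brute_force", "ip": ip, "user": user,
                               "severity": "high" if compromised else "medium"})
                break  # one alert per (ip, user) pair is enough

    for ip, fails in failures_by_ip.items():
        in_window = Counter()   # user -> failures currently inside the sliding window
        start = 0
        for t, user in fails:
            in_window[user] += 1
            while t - fails[start][0] > window:   # drop events that fell out of the window
                old_user = fails[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= spray_threshold:
                alerts.append({"kind": "password_spray", "ip": ip, "accounts": len(in_window)})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Bob’s two mistyped passwords stay below the threshold and produce nothing, which is the point of thresholds and windows: the same failure events mean different things depending on how many distinct accounts and how short a time span they cover.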
Section 5: Describe the basic identity services and identity types of Azure AD
5.1 – Describe Azure Active Directory
- Internal resources, such as apps on your corporate network and intranet, and cloud apps developed by your own organization.
- External services, such as Microsoft Office 365, the Azure portal, and any SaaS applications used by your organization.
Azure AD simplifies the way organizations manage authorization and access by providing a single identity system for their cloud and on-premises applications. Azure AD can be synchronized with your existing on-premises Active Directory, synchronized with other directory services, or used as a standalone service.
Azure AD also allows organizations to securely enable the use of personal devices, such as mobiles and tablets, and enable collaboration with business partners and customers.
5.2 – Describe Azure AD identities (users, devices, groups, service principals/applications)
A user identity is a representation of something that’s managed by Azure AD. Employees and guests are represented as users in Azure AD. If you have several users with the same access needs, you can create a group. You use groups to give access permissions to all members of the group, instead of having to assign access rights individually.
Azure AD business-to-business (B2B) collaboration, a feature within External Identities, includes the capability to add guest users. With B2B collaboration, an organization can securely share applications and services with guest users from another organization.
A service principal is a security identity used by applications or services to access specific Azure resources. You can think of it as an identity for an application.
For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD. The process of registering creates a globally unique app object that’s stored in your home tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal defines what the app does in the tenant, such as who accesses the app, and what resources the app can access.
A managed identity is automatically managed in Azure AD. Managed identities are typically used to manage the credentials for authenticating a cloud application with an Azure service.
There are two types of managed identities: system-assigned and user-assigned.
System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD that’s tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
User-assigned. You may also create a managed identity as a standalone Azure resource and assign it to one or more instances of an Azure service. With user-assigned managed identities, the identity is managed separately from the resources that use it.
Device identities can be set up in different ways in Azure AD, to determine properties such as who owns the device. Managing devices in Azure AD allows an organization to protect its assets by using tools such as Microsoft Intune to ensure standards for security and compliance. Azure AD also enables single sign-on to devices, apps, and services from anywhere through these devices.
5.3 – Describe hybrid identity
With the hybrid model, users accessing both on-premises and cloud apps are hybrid users managed in the on-premises Active Directory. When you make an update in your on-premises AD DS, all updates to user accounts, groups, and contacts are synchronized to your Azure AD. The synchronization is managed with Azure AD Connect.
5.4 – Describe the different external identity types (Guest Users)
This ability for external users is enabled through Azure AD support of external identity providers like other Azure AD tenants, Facebook, Google, or enterprise identity providers. Admins can set up federation with identity providers so your external users can sign in with their existing social or enterprise accounts instead of creating a new account just for your application.
There are two different Azure AD External Identities: B2B and B2C.
- B2B collaboration allows you to share your apps and resources with external users.
- B2C is an identity management solution for consumer and customer facing apps.
Section 6: Describe the authentication capabilities of Azure AD
6.1 – Describe the different authentication methods
Multifactor authentication dramatically improves the security of an identity, while still being simple for users. The extra authentication factor must be something that’s difficult for an attacker to obtain or duplicate.
6.2 – Describe self-service password reset
If a user’s account is locked or they forget the password, they can follow a prompt to reset it and get back to work.
When a user resets their password using self-service password reset, it can also be written back to an on-premises Active Directory. Password write-back allows users to use their updated credentials with on-premises devices and applications without a delay.
To keep users informed about account activity, admins can configure email notifications to be sent when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides an extra layer of awareness when a privileged administrator account password is reset using SSPR. All global admins would be notified when SSPR is used on an admin account.
6.3 – Describe password protection and management capabilities
With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these lists are checked to enforce the use of strong passwords.
You should use extra features like Azure Active Directory multifactor authentication, not just rely on strong passwords enforced by Azure AD Password Protection.
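To make the banned-list check concrete, here is an added Python example (not Microsoft’s code) modelled on the evaluation steps Microsoft documents for Azure AD Password Protection: the candidate password is normalized (lower-cased, common character substitutions undone), searched for global and custom banned entries as substrings, and then scored with one point per banned match plus one point per remaining character, five points being needed to pass. The banned entries, the substitution table and the user-facing messages are a constructed simplification; the fuzzy (edit-distance) matching and the check against the user’s own name and tenant name that the service also documents are left out.

```python
# Undo common character substitutions before matching; a constructed subset of the documented list.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

# Constructed sample lists. The real global list is maintained by Microsoft; the custom list is tenant-defined.
GLOBAL_BANNED = frozenset({"password", "qwerty", "letmein", "welcome"})
CUSTOM_BANNED = frozenset({"contoso", "blank", "fabrikam"})

MIN_SCORE = 5  # candidates scoring below this are rejected


def normalize(password):
    """Lower-case the password and undo leetspeak-style substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def find_banned(normalized, banned):
    """Return (matches, leftover): `matches` lists every banned entry found as a substring
    (longest entries first, and matched text is masked so overlapping entries are not
    counted twice); `leftover` is the text that no banned entry accounts for."""
    matches, remaining = [], normalized
    for entry in sorted(banned, key=len, reverse=True):
        count = remaining.count(entry)
        if count:
            matches.extend([entry] * count)
            remaining = remaining.replace(entry, "\x00" * len(entry))
    return matches, remaining.replace("\x00", "")


def score(password, custom_banned=CUSTOM_BANNED):
    """One point per banned match plus one point per leftover character."""
    matches, leftover = find_banned(normalize(password), GLOBAL_BANNED | custom_banned)
    return len(matches) + len(leftover), matches


def is_acceptable(password, custom_banned=CUSTOM_BANNED):
    return score(password, custom_banned)[0] >= MIN_SCORE


if __name__ == "__main__":
    for candidate in ["P@ssw0rd", "C0ntos0Blank12", "C0ntos0Blank12!x", "Tr0ub4dor&3"]:
        points, matches = score(candidate)
        verdict = "accepted" if is_acceptable(candidate) else "rejected"
        print(f"{candidate:18} -> {points} points, banned matches {matches}, {verdict}")
```

The scoring is why a password built from the company name plus a couple of digits fails even though it passes a length rule: almost all of its characters are explained by banned entries, so little of it counts as original.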
6.4 – Describe Multi-factor Authentication
Multifactor authentication verification prompts are configured to be part of the Azure AD sign-in event. Azure AD automatically requests and processes multifactor authentication, without you making any changes to your applications or services. When a user signs in, they receive a multifactor authentication prompt, and can choose from one of the additional verification forms that they’ve registered.
6.5 – Describe Windows Hello for Business
Windows Hello lets users authenticate to:
- A Microsoft account.
- An Active Directory account.
- An Azure Active Directory (Azure AD) account.
- Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication.
After initial verification of the user during enrolment, Windows Hello is set up on their device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate them.
Windows stores PIN and biometric data securely on the local device; it’s never sent to external devices or servers. That means there’s no single collection point that an attacker might compromise.
Section 7: Describe access management capabilities of Azure AD
7.1 – Describe conditional access
A Conditional Access policy might state that if a user belongs to a certain group, then they’re required to provide multifactor authentication to sign in to an application.
7.2 – Describe the benefits of Azure AD roles
A few of the most common built-in roles are:
- Global administrator: users with this role have access to all administrative features in Azure Active Directory. The person who signs up for the Azure Active Directory tenant automatically becomes a global administrator.
- User administrator: users with this role can create and manage all aspects of users and groups. This role also includes the ability to manage support tickets and monitor service health.
- Billing administrator: users with this role make purchases, manage subscriptions and support tickets, and monitor service health.
There are many built-in roles for different areas of responsibility. All built-in roles are preconfigured bundles of permissions designed for specific tasks.
Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition, consisting of a collection of permissions that you add from a preset list. These permissions are the same ones used in the built-in roles. When you’ve created your role definition, you can assign it to a user by creating a role assignment.
A role assignment grants the user the permissions in a role definition, at a specified scope. A custom role can be assigned at organization-wide scope, meaning the role member has the role permissions over all resources. A custom role can also be assigned at an object scope. An example of an object scope would be a single application.
Unlike built-in roles, which are assigned at a tenant level and are preconfigured bundles of permissions designed for specific tasks, custom roles can be assigned at the resource level (such as a single application) and allow permissions to be added to a custom role definition.
Custom roles require an Azure AD Premium P1 or P2 license.
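The two-step process above (build a role definition from preset permissions, then assign it at a scope) is small enough to model, and modelling it shows why the scope of an assignment matters as much as the permissions in it. The following Python is an added example, not Azure AD’s implementation: the preset catalogue is a constructed subset written in the style of Azure AD’s microsoft.directory/... permission names, the application object IDs are placeholders, and the scope semantics (organization-wide “/” versus a single object) follow the description above.

```python
from dataclasses import dataclass

# Constructed preset catalogue; a real tenant exposes many more permissions than these.
PRESET_PERMISSIONS = frozenset({
    "microsoft.directory/applications/basic/update",
    "microsoft.directory/applications/credentials/update",
    "microsoft.directory/applications/owners/update",
    "microsoft.directory/applications/delete",
})
ORG_SCOPE = "/"  # organization-wide scope; an object scope is "/<objectId>"


@dataclass(frozen=True)
class RoleDefinition:
    """Step 1: a named collection of permissions, each taken from the preset list."""
    name: str
    permissions: frozenset

    def __post_init__(self):
        unknown = self.permissions - PRESET_PERMISSIONS
        if unknown:
            raise ValueError(f"permissions not in the preset list: {sorted(unknown)}")


@dataclass(frozen=True)
class RoleAssignment:
    """Step 2: grants a principal the role's permissions at exactly one scope."""
    principal: str
    role: RoleDefinition
    scope: str = ORG_SCOPE


class Tenant:
    def __init__(self):
        self.assignments = []

    def assign(self, principal, role, scope=ORG_SCOPE):
        if scope != ORG_SCOPE and not scope.startswith("/"):
            raise ValueError("object scope must be written as '/<objectId>'")
        self.assignments.append(RoleAssignment(principal, role, scope))

    def is_allowed(self, principal, permission, object_id):
        """True when some assignment for the principal carries the permission at a scope that
        covers object_id: either the organization-wide scope or that object's own scope."""
        object_scope = f"/{object_id}"
        return any(
            a.principal == principal
            and permission in a.role.permissions
            and a.scope in (ORG_SCOPE, object_scope)
            for a in self.assignments
        )


def demo():
    """Build one custom role and assign it at two different scopes (object IDs are placeholders)."""
    tenant = Tenant()
    cred_manager = RoleDefinition(
        "App Credential Manager",
        frozenset({"microsoft.directory/applications/credentials/update"}),
    )
    tenant.assign("alice", cred_manager, "/app-0001")   # object scope: one application only
    tenant.assign("bob", cred_manager)                   # organization-wide scope
    return tenant, cred_manager


if __name__ == "__main__":
    tenant, _ = demo()
    perm = "microsoft.directory/applications/credentials/update"
    print("alice on app-0001:", tenant.is_allowed("alice", perm, "app-0001"))
    print("alice on app-0002:", tenant.is_allowed("alice", perm, "app-0002"))
    print("bob on app-0002:  ", tenant.is_allowed("bob", perm, "app-0002"))
```

Alice holds the same role as Bob but can only rotate credentials on the one application she was scoped to; Bob can do so on every application. That difference is the least-privilege benefit of object-scoped custom roles over tenant-wide built-in roles.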
Section 8: Describe the identity protection & governance capabilities of Azure AD
8.1 – Describe Identity Governance
- Govern the identity lifecycle.
- Govern access lifecycle.
- Secure privileged access for administration.
These actions can be completed for employees, business partners and vendors, and across services and applications, both on-premises and in the cloud.
It’s intended to help organizations address these four key questions:
- Which users should have access to which resources?
- What are those users doing with that access?
- Are there effective organizational controls for managing access?
- Can auditors verify that the controls are working?
8.2 – Describe entitlement management and access reviews
Azure Active Directory (AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment. Regular access reviews ensure that only the right people have access to resources. Excessive access rights are a known security risk. However, when people move between teams, or take on or relinquish responsibilities, access rights can be difficult to control.
8.3 – Describe the capabilities of PIM
PIM reduces the chance of a malicious actor getting access by minimizing the number of people who have access to secure information or resources. By time-limiting authorized users, it reduces the risk of an authorized user inadvertently affecting sensitive resources. PIM also provides oversight for what users are doing with their administrator privileges.
8.4 – Describe Azure AD Identity Protection
The signals generated by these services are fed to Identity Protection. These signals can then be used by tools such as Conditional Access, which uses them to make access decisions. Signals are also fed to security information and event management (SIEM) tools, such as Sentinel, for further investigation.
Identity Protection categorizes risk into three tiers: low, medium, and high. It can also calculate the sign-in risk, and user identity risk.
Section 9: Describe basic security capabilities in Azure
9.1 – Describe Network Security Groups
NSG security rules are evaluated in priority order using five information points: source, source port, destination, destination port, and protocol, to either allow or deny the traffic.
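To show how priority-ordered evaluation of the five information points works, here is an added Python model (example code, not Azure’s NSG engine). Each rule carries the five points above plus a direction, a priority and an Allow/Deny action; rules are tried in ascending priority order and the first rule whose direction and all five fields match the flow decides it, so nothing after the first match is consulted. The rule set and addresses are constructed, and a DenyAllInBound rule at priority 65500 stands in for the platform default; the VirtualNetwork and AzureLoadBalancer service tags of the real default rules are not modelled.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # lower numbers are evaluated first
    direction: str        # "Inbound" or "Outbound"
    access: str           # "Allow" or "Deny"
    protocol: str         # "Tcp", "Udp", "Icmp" or "*"
    source: str           # CIDR, single address or "*"
    source_port: str      # port, "low-high" range or "*"
    destination: str
    destination_port: str


def _match_address(pattern, address):
    return pattern == "*" or ip_address(address) in ip_network(pattern, strict=False)


def _match_port(pattern, port):
    if pattern == "*":
        return True
    low, _, high = pattern.partition("-")
    return int(low) <= port <= int(high or low)


def _match_protocol(pattern, protocol):
    return pattern == "*" or pattern.lower() == protocol.lower()


def evaluate(rules, direction, protocol, src, sport, dst, dport):
    """Return (access, rule_name) for the first rule, in ascending priority order,
    whose direction and all five information points match the flow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.direction != direction:
            continue
        if (_match_protocol(rule.protocol, protocol)
                and _match_address(rule.source, src) and _match_port(rule.source_port, sport)
                and _match_address(rule.destination, dst) and _match_port(rule.destination_port, dport)):
            return rule.access, rule.name
    return "Deny", "<no matching rule>"   # not reached while a DenyAll rule is present


# Constructed rule set: three custom rules plus the DenyAllInBound default.
RULES = [
    Rule("Allow-HTTPS-In", 100, "Inbound", "Allow", "Tcp", "*", "*", "*", "443"),
    Rule("Allow-RDP-Admin", 150, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "3389"),
    Rule("Deny-RDP-Internet", 200, "Inbound", "Deny", "Tcp", "*", "*", "*", "3389"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]


def swap_priorities(rules, a, b):
    """Return a copy of the rule set with the priorities of rules a and b exchanged,
    to show that priority, not the order rules are listed in, decides the outcome."""
    by_name = {r.name: r for r in rules}
    pa, pb = by_name[a].priority, by_name[b].priority
    return [replace(r, priority=pb if r.name == a else pa if r.name == b else r.priority)
            for r in rules]


if __name__ == "__main__":
    flow = ("Inbound", "Tcp", "203.0.113.20", 51000, "10.0.0.4", 3389)
    print("as configured:", evaluate(RULES, *flow))
    print("priorities swapped:", evaluate(swap_priorities(RULES, "Allow-RDP-Admin", "Deny-RDP-Internet"), *flow))
```

With the rules as configured, RDP from the admin range is allowed at priority 150 before the broad deny at 200 is reached; swapping the two priorities makes the deny win for everyone, a misordering that is easy to miss when only the rule names are reviewed.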
9.2 – Describe Azure DDoS Protection
In the diagram above, Azure DDoS Protection identifies an attacker’s attempt to overwhelm the network. It blocks traffic from the attacker, ensuring that it doesn’t reach Azure resources. Legitimate traffic from customers still flows into Azure without any interruption of service.
Azure DDoS Protection uses the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. During a DDoS attack, Azure can scale your computing needs to meet demand. DDoS Protection manages cloud consumption by ensuring that your network load only reflects actual customer usage.
9.3 – Describe Azure Firewall
With Azure Firewall, you can scale up the usage to accommodate changing network traffic flows, so you don’t need to budget for peak traffic. Network traffic is subjected to the configured firewall rules when you route it to the firewall as the subnet default gateway.
9.4 – Describe Azure Bastion
Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. When you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.
9.5 – Describe Web Application Firewall
WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) services from Microsoft.
9.6 – Describe ways Azure encrypts data
Azure Storage Service Encryption helps to protect data at rest by automatically encrypting data before persisting it to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage, and decrypting it before retrieval.
Azure Disk Encryption helps you encrypt Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks.
Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Section 10: Describe security management capabilities of Azure
10.1 – Describe the Azure Security Center
You can improve your security posture using Azure Security Center to identify and perform hardening tasks across your machines, data services, and applications. With Azure Security Center, you can manage and enforce security policies to ensure compliance across your virtual machines, non-Azure servers, and Azure PaaS services.
Security Center brings continuous assessment of your entire estate, discovering and reporting whether new and existing resources and assets are configured according to security compliance requirements. You’ll get an ordered list of recommendations of what needs to be fixed to maintain maximum protection. Security Center groups the recommendations into security controls and adds a secure score value to each control. This process is crucial in enabling you to prioritize security work.
10.2 – Describe Azure Secure score
Every control in the recommendations list shows the potential secure score increase if you address the underlying problem. To get every possible security control point, all your resources must follow each security recommendation within the security control.
To improve your secure score, remediate security recommendations from your recommendations list. You can manually remediate each recommendation for every resource or, by using the Quick Fix! option when available, apply remediation for a recommendation to a group of resources.
10.3 – Describe the benefit and use cases of Azure Defender
Azure Defender comes with several different plans that can be enabled separately and will run simultaneously to provide a comprehensive defense for compute, data, and service layers in your environment. The Azure Defender plans you can select from are:
- Azure Defender for servers adds threat detection and advanced defenses for your Windows and Linux machines.
- Azure Defender for App Service uses the cloud scale to identify attacks targeting applications running over App Service.
- Azure Defender for Storage detects potentially harmful activity on your Azure Storage accounts. Data can be protected, whether stored as blob containers, file shares, or data lakes.
- Azure Defender for SQL extends Azure Security Center’s data security package to secure your databases and their data wherever they’re located.
- Azure Defender for Kubernetes provides the best cloud-native Kubernetes security environment hardening, workload protection, and run-time protection.
- Azure Defender for container registries protects all the Azure Resource Manager based registries in your subscription. Azure Defender scans all images pushed to the registry, or imported into the registry, or any images pulled within the last 30 days.
- Azure Defender for Key Vault is Azure-native, advanced threat protection for Azure Key Vault, providing an extra layer of security intelligence.
10.4 – Describe security baselines for Azure
CIS benchmarks have been used with Azure security services and tools to make security and compliance easier for customer applications running on Azure services. Every service comes with a baseline that’s already designed to help provide security for most common-use cases. These baselines also provide a consistent experience when securing your environment.
Section 11: Describe security capabilities of Azure Sentinel
11.1 – Define the concepts of SIEM, SOAR, XDR
Security Information and Event Management (SIEM) is a tool that an organization uses to collect data from across the whole estate, including infrastructure, software, and resources. It does analysis, looks for correlations or anomalies, and generates alerts and incidents.
Security Orchestration Automated Response (SOAR) takes alerts from many sources, such as a SIEM system. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.
Extended Detection and Response (XDR) is designed to deliver intelligent, automated, and integrated security across an organization’s domain. It helps prevent, detect, and respond to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.
To provide a comprehensive security perimeter, an organization needs to use a solution that embraces or combines all of the above systems.
11.2 – Describe the role and value of Azure Sentinel to provide integrated threat protection
Section 12: Describe threat protection with Microsoft 365 Defender (formerly Microsoft Threat Protection)
12.1 – Describe Microsoft 365 Defender services
Microsoft 365 Defender allows admins to assess threat signals from applications, email, and identity to determine an attack’s scope and impact. It gives greater insight into how the threat occurred, and what systems have been affected. Microsoft 365 Defender can then take automated action to prevent or stop the attack.
12.2 – Describe Microsoft Defender for Identity (formerly Azure ATP)
Monitor and profile user behavior and activities: Defender for Identity monitors and analyzes user activities and information across your network, including permissions and group membership, creating a behavioral baseline for each user. Defender for Identity then identifies anomalies with adaptive built-in intelligence. It gives insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organization.
Protect user identities and reduce the attack surface: Defender for Identity gives invaluable insights on identity configurations and suggested security best practices. Through security reports and user profile analytics, Defender for Identity helps reduce your organizational attack surface, making it harder to compromise user credentials and advance an attack.
Defender for Identity security reports help identify users and devices that authenticate using clear-text passwords. They also provide extra insights into how to improve security posture and policies.
Identify suspicious activities and advanced attacks across the cyberattack kill-chain: Typically, attacks are launched against any accessible entity, such as a low-privileged user. Attacks then quickly move laterally until the attacker accesses valuable assets. These assets might include sensitive accounts, domain administrators, and highly sensitive data. Defender for Identity identifies these advanced threats at the source throughout the entire cyberattack kill chain:
12.3 – Describe Microsoft Defender for Office 365 (formerly Office 365 ATP)
Microsoft Defender for Office 365 covers these key areas:
Threat protection policies: Define threat protection policies to set the appropriate level of protection for your organization.
Reports: View real-time reports to monitor Microsoft Defender for Office 365 performance in your organization.
Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.
Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.
12.4 – Describe Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)
This technology includes endpoint behavioural sensors that collect and process signals from the operating system; cloud security analytics that turn those signals into insights, detections, and recommendations; and threat intelligence that identifies attacker tools and techniques and generates alerts.
12.5 – Describe Microsoft Cloud App Security
Microsoft Cloud App Security is a cloud access security broker (CASB). A CASB acts as a gatekeeper to broker real-time access between your enterprise users and the cloud resources they use, wherever they’re located, and whatever device they’re using.
CASBs address security gaps in an organization’s use of cloud services. Protection is provided by many capabilities across these areas: visibility to detect all cloud services, data security, threat protection, and compliance.
Section 13: Describe security management capabilities of Microsoft 365
13.1 – Describe the Microsoft 365 Defender Portal
Here you can view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 Defender portal helps security admins and security operations teams manage and protect their organization.
The Microsoft 365 Defender portal home page shows many of the common cards that security teams need. The composition of cards and data depends on the user role. Because the Microsoft 365 Defender portal uses role-based access control, different roles will see cards that are more meaningful to their day-to-day jobs.
The Microsoft 365 Defender portal allows admins to tailor the navigation pane to meet daily operational needs. Admins can customize the navigation pane to show or hide functions and services based on their specific preferences. Customization is specific to the individual admin, so other admins won’t see these changes.
13.2 – Describe how to use Microsoft Secure Score
Some improvement actions only give points when fully completed. Others give partial points if they’re completed for some devices or users. If you can’t, or don’t want to, enact one of the improvement actions, you can choose to accept the risk or remaining risk.
If you have a license for one of the supported Microsoft products, you’ll see related recommendations. Secure Score will show all possible improvements for the product, whatever the license edition, subscription, or plan. You’ll then see all the security best practices and improvements that can be made to your score.
Your absolute security posture, represented by Secure Score, stays the same whatever licenses your organization owns for a specific product. Keep in mind that security should be balanced with usability, and not every recommendation can work for your environment.
Currently Microsoft Secure Score supports recommendations for Microsoft 365 (including Exchange Online), Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Cloud App Security. New recommendations are being added to Secure Score all the time.
The image below shows an organization’s Secure Score, a breakdown of the score by points, and the improvement actions that can boost the organization’s score. Finally, it provides an indication of how well the organization’s Secure Score compares to other similar organizations.
There’s a Secure Score for both Microsoft 365 Defender and Azure Defender, but they’re subtly different. Secure Score in the Azure Security Center is a measure of the security posture of your Azure subscriptions. Secure Score in the Microsoft 365 Defender portal is a measure of the security posture of the organization across your apps, devices, and identities.
Both the Azure and Microsoft Secure Score provide a list of steps you can take to improve your score. In Microsoft 365 Secure Score, these steps are called improvement actions. In the Azure Secure Score, scores are assessed for each subscription. The steps you can take to improve your score are called security recommendations and they’re grouped into security controls.
Use Microsoft Secure Score to understand and rapidly improve your organization’s security posture.
13.3 – Describe security reports and dashboards
The general security report enables admins to view information about security trends and track the protection status of your identities, data, devices, apps, and infrastructure.
The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time.
The device health and compliance report enables admins to monitor the health state, antivirus status, operating system platforms, and Windows 10 versions for devices in your organization.
The email and collaboration reports enable admins to review Microsoft recommended actions to help improve email and collaboration security.
13.4 – Describe incidents and incident management capabilities
Security personnel can use an incident to determine where an attack started, what methods were used, and to what extent the attack has progressed within the network. They can also determine the scope of the attack, and how many users, devices, and mailboxes were affected. The severity of the attack can also be determined.
Managing incidents is critical in ensuring that threats are contained and addressed. In Microsoft 365 Defender, you can manage incidents on devices, user accounts, and mailboxes.
Section 14: Describe endpoint security with Microsoft Intune
14.1 – Describe Intune
Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization data stays protected, and can isolate it from personal data.
14.2 – Describe endpoint security with Intune
From this view, you can select devices to drill in for more information, such as which policies a device isn’t compliant with. You can also act from this view to remediate issues on a device, including restarting it, starting a scan for malware, or rotating BitLocker keys on a Windows 10 device.
Intune includes security baselines for Windows devices and a growing list of applications, including Microsoft Edge, Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection), and more. Security baselines are preconfigured groups of Windows settings that help admins apply recommended security.
As an example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, and automatically disables basic authentication. Admins can also customize the baselines to enforce only those settings and values that are required.
Use device compliance policy to establish the conditions by which devices and users are allowed to access the corporate network and company resources. With compliance policies, admins can set the rules that devices and users must meet to be considered compliant. Rules can include OS versions, password requirements, device threat levels, and more.
Intune can be integrated with Azure AD conditional access policies to enforce compliance policies. Intune passes the results of your device compliance policies to Azure AD, which then uses conditional access policies to enforce which devices and apps can access your corporate resources.
Intune can integrate with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) for a Mobile Threat Defense solution. Integration can help prevent security breaches and limit the impact of breaches within an organization.
Role-based access control (RBAC) helps manage who has access to the organization’s resources and what they do with them. By assigning roles to Intune users, admins limit what they’ll see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.
Section 15: Describe the compliance management capabilities in Microsoft
15.1 – Describe the compliance center
When an admin signs in to the Microsoft 365 compliance center portal, they’ll get a bird’s-eye view of how the organization is meeting its compliance requirements, along with which solutions can be used to help with compliance, information about any active alerts, and more.
15.2 – Describe compliance manager
The Compliance Manager dashboard shows the current compliance score, helps admins to see what needs attention, and guides them to key improvement actions.
15.3 – Describe use and benefits of compliance score
Admins can get a breakdown of the compliance score in the Compliance Manager overview pane:
Compliance Manager is an end-to-end solution in Microsoft 365 compliance center to enable admins to manage and track compliance activities. Compliance score is a calculation of the overall compliance posture across the organization. The compliance score is available through Compliance Manager.
Compliance Manager gives admins the capabilities to understand and increase their compliance score, so they can ultimately improve the organization’s compliance posture and help it to stay in line with compliance requirements.
Section 16: Describe information protection and governance capabilities of Microsoft 365
16.1 – Describe data classification capabilities
Microsoft 365 includes many built-in sensitive information types based on patterns that are defined by a regular expression (regex) or a function.
- Credit card numbers
- Passport or identification numbers
- Bank account numbers
- Health service numbers
Refer to Sensitive information type entity definitions for a listing of available built-in sensitive information types.
Data classification in Microsoft 365 also supports the ability to create custom sensitive information types to address organization-specific requirements. For example, an organization may need to create sensitive information types to represent employee IDs or project numbers.
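The following Python is an added illustration, not Microsoft's implementation, of how a sensitive information type pairs a regex pattern with a validation function: a credit card type whose regex matches are confirmed with the Luhn checksum, beside a hypothetical custom employee ID type (the EMP-nnnnnn format and the sample documents are constructed for this example).

```python
"""Toy classifier modelled on Microsoft 365 sensitive information types.

Added example, not Microsoft code. Each type is a regex pattern plus an
optional validation function, mirroring the page's point that built-in
types are defined by a regex or a function. The regex alone would also
fire on any 16-digit run, so the validator is what keeps false positives
down; the custom employee ID format is a hypothetical organisational type.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class SensitiveInfoType:
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects random digit runs."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


CREDIT_CARD = SensitiveInfoType(
    name="Credit Card Number",
    pattern=re.compile(r"\b(?:\d[ -]?){15}\d\b"),   # 16 digits, optional separators
    validator=luhn_valid,
)

# Hypothetical custom type (assumption): employee IDs of the form EMP-123456.
EMPLOYEE_ID = SensitiveInfoType(
    name="Employee ID (custom)",
    pattern=re.compile(r"\bEMP-\d{6}\b"),
)


def classify(text: str, types) -> dict:
    """Return {type name: [matched strings]} for every type that fires on text."""
    found = {}
    for t in types:
        hits = [m.group(0) for m in t.pattern.finditer(text)
                if t.validator is None or t.validator(m.group(0))]
        if hits:
            found[t.name] = hits
    return found


def scan_documents(docs: dict, types) -> dict:
    """Classify each document; documents with no hits are omitted from the report."""
    report = {}
    for name, text in docs.items():
        hits = classify(text, types)
        if hits:
            report[name] = hits
    return report


# Constructed sample documents (not real data).
SAMPLE_DOCS = {
    "expense.txt": "Card used: 4111 1111 1111 1111, approved by EMP-004521.",
    "notes.txt": "Ticket ref 1234 5678 9012 3456 is not a card number.",  # fails Luhn
    "readme.txt": "Nothing sensitive here.",
}

if __name__ == "__main__":
    for doc, hits in scan_documents(SAMPLE_DOCS, [CREDIT_CARD, EMPLOYEE_ID]).items():
        print(doc, hits)
```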
16.2 – Describe the value of content and activity explorer
With content explorer, administrators get a current snapshot of individual items that have been classified across the organization. It enables administrators to further drill down into items by allowing them to access and review the scanned source content that’s stored in different kinds of locations, such as Exchange, SharePoint, and OneDrive.
Activity explorer provides visibility into what content has been discovered and labelled, and where that content is. It makes it possible to monitor what’s being done with labelled content across the organization. Admins gain visibility into document-level activities like label changes and label downgrades (such as when someone changes a label from confidential to public).
Admins use the filters to see all the details for a specific label, including file types, users, and activities. Activity explorer helps you understand what’s being done with labelled content over time. Admins use activity explorer to evaluate if controls already in place are effective.
The value of understanding what actions are being taken with sensitive content is that admins can see if the controls that they’ve already put in place, such as data loss prevention policies, are effective or not. For example, if it’s discovered that a large number of items labeled Highly Confidential have suddenly been downgraded to Public, admins can update policies and act to restrict undesired behavior as a response.
16.3 – Describe sensitivity labels
Once a sensitivity label is applied to an email or document, any configured protection settings for that label are enforced on the content.
16.4 – Describe Retention Policies and Retention Labels
Retention labels and policies help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted.
Applying retention labels and assigning retention policies helps organizations:
- Comply proactively with industry regulations and internal policies that require content to be kept for a minimum time.
- Reduce risk when there’s litigation or a security breach by permanently deleting old content that the organization is no longer required to keep.
- Ensure users work only with content that’s current and relevant to them.
When content has retention settings assigned to it, that content remains in its original location.
16.5 – Describe Records Management
Microsoft 365’s records management capabilities are flexible. There are different ways in which records management can be used across an organization, including:
- Enabling administrators and users to manually apply retention and deletion actions for documents and emails.
- Automatically applying retention and deletion actions to documents and emails.
- Enabling site admins to set default retain and delete actions for all content in a SharePoint library, folder, or document set.
- Enabling users to automatically apply retain and delete actions to emails by using Outlook rules.
Section 17: Describe insider risk capabilities in Microsoft 365
17.1 – Describe Insider risk management solution
Managing and minimizing risk in an organization starts with understanding the types of risks found in the modern workplace. Some risks are driven by external events and factors, and are outside an organization’s direct control. Other risks are driven by internal events and employee activities that can be eliminated and avoided. Some examples are risks from illegal, inappropriate, unauthorized, or unethical behavior and actions by employees and managers. These behaviours can lead to a broad range of internal risks from employees.
Insider risk management helps organizations to identify, investigate, and address internal risks. With focused policy templates, comprehensive activity signaling across Microsoft 365, and a flexible workflow, organizations can take advantage of actionable insights to help identify and resolve risky behavior quickly.
17.2 – Describe communication compliance
Communication compliance enables reviewers to investigate scanned emails, and messages across Microsoft Teams, Exchange Online, Yammer, or third-party communications in an organization, taking appropriate remediation actions to make sure they’re compliant with the organization’s message standards.
17.3 – Describe information barriers
Information barriers are policies that admins can configure to prevent individuals or groups from communicating with each other. When information barrier policies are in place, people who shouldn’t communicate with other specific users can’t find, select, chat, or call those users. With information barriers, checks are in place to prevent unauthorized communication.
It’s important to note that information barriers only support two-way restrictions. One-way restrictions, such as allowing marketing to communicate with day traders while day traders can’t communicate with marketing, are not supported.
17.4 – Describe privileged access management
Enabling privileged access management in Microsoft 365 allows organizations to operate with zero standing access. This means that any user who needs privileged access must request permissions for access, and will receive only the level of access they need just when they need it, and with just-enough access to do the job at hand. Zero standing access provides a layer of protection against standing administrative access vulnerabilities.
17.5 – Describe customer lockbox
Customer Lockbox ensures that Microsoft can’t access the content to perform a service operation without explicit approval. Customer Lockbox brings the organization into the approval workflow for requests to access their content.
Customer Lockbox supports requests to access data in Exchange Online, OneDrive for Business, and SharePoint Online. Here’s what the process looks like:
Section 18: Describe the eDiscovery capabilities of Microsoft 365
18.1 – Describe the purpose of eDiscovery
Electronic discovery, or eDiscovery, tools can be used to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, Skype for Business conversations, and Yammer teams. You can search across mailboxes and sites in a single eDiscovery search by using the Content Search tool. And you can use Core eDiscovery cases to identify, hold, and export content found in mailboxes and sites.
If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyse content by using the Advanced eDiscovery solution in Microsoft 365.
18.2 – Describe the capabilities of the content search tool
To have access to the content search page to run searches and preview and export results, an administrator, compliance officer, or eDiscovery manager must be a member of the eDiscovery Manager role group in the Security and Compliance Center.
To start using the Content Search tool, you must choose content locations to search and configure a keyword query to find specific items. Or the user can just leave the query blank and return all items in the target locations.
After you run a search and refine it as necessary, the next step is to do something with the results returned by the search. You can export and download the results to your local computer or, if there is an email-based attack, you can delete the results of a search from user mailboxes.
18.3 – Describe the core eDiscovery workflow
To access Core eDiscovery or be added as a member of a Core eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Office 365 Security and Compliance Center.
You start by creating an eDiscovery case, which starts from within Microsoft 365 compliance center. When you create a case, you must specify a name for it and optionally define a case number. You can assign members to the case. From that point, the case will be displayed in the eDiscovery page and the user can step through the workflow.
The workflow consists of creating holds, searching for content, and exporting and downloading search results.
You can use an eDiscovery case to create a hold to preserve content that might be relevant to the case. You can place a hold on the Exchange mailboxes and OneDrive for Business accounts of people you’re investigating in the case. You can also place a hold on the mailboxes and sites that are associated with Microsoft Teams, Office 365 Groups, and Yammer Groups. When you place content locations on hold, it’s preserved until you remove the hold from the content location, or until you delete the hold.
When you’ve placed a hold, you can create and run searches for content that relates to the case. You start the search from within the home page for that specific case. Searches associated with a case can only be accessed by members assigned to it.
You can specify keywords, message properties such as sent and received dates, or document properties such as file names, or the date a document was last changed. You can use Boolean operators such as AND, OR, NOT, or NEAR. You can also search for sensitive information (for example, social security numbers) in documents, or search for documents that have been shared externally. If you don’t specify keywords, all content located in the specified content locations will be included in the search results.
You can export search results. Mailbox items are downloaded in a PST file or as individual messages. Content from SharePoint, OneDrive for Business sites, copies of native Office documents, and other documents are exported. A Results.csv file that contains information about every item that’s exported and a manifest file (in XML format) that contains information about every search result is also exported.
18.4 – Describe the advanced eDiscovery workflow
The built-in workflow of Advanced eDiscovery described below aligns with the Electronic Discovery Reference Model (EDRM), a framework that outlines standards for recovery and discovery of digital data.
Section 19: Describe the audit capabilities in Microsoft 365
19.1 – Describe the core audit capabilities of M365
When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for the organization. The length of time that an audit record is kept (and searchable in the audit log) depends on the Office 365 or Microsoft 365 Enterprise subscription, and specifically the type of the license that’s assigned to specific users. For core audit capability, the audit record is kept and searchable for 90 days.
19.2 – Describe purpose and value of Advanced Auditing
These capabilities differentiate Advanced Audit from the core audit functionality.
Advanced Audit keeps all Exchange, SharePoint, and Azure Active Directory audit records for one year. Keeping audit records for longer periods can help with ongoing forensic or compliance investigations. Microsoft now has the capability to keep audit logs for 10 years. The 10-year retention of audit logs helps support long-running investigations and respond to regulatory, legal, and internal obligations.
Advanced Auditing helps organizations to conduct forensic and compliance investigations by providing access to crucial events, such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online. These crucial events can help admins and users investigate possible breaches and determine the scope of compromise.
Section 20: Describe resource governance capabilities in Azure
20.1 – Describe the use of Azure Resource locks
For example, there may be times when an administrator needs to lock a subscription, a resource group, or a resource. In these situations, a lock would be applied to prevent users from accidentally deleting or modifying a critical resource.
A lock level can be set to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.
A resource can have more than one lock. For example, a resource may have a ReadOnly lock and a CanNotDelete lock. When you apply a lock at a parent scope, all resources within that scope inherit that lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.
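The lock rules just described (two lock levels, inheritance from parent scopes, several locks on one scope, most restrictive wins) worked through in an added Python example that is not Azure code; the subscription ID is a placeholder and the lock assignments are constructed.

```python
"""Effective-lock resolution for Azure resource lock inheritance.

Added example, not Azure code. It models the rules the guide states: a lock
is CanNotDelete or ReadOnly, locks at a parent scope are inherited by every
child (including resources added later), a scope may carry several locks,
and the most restrictive lock in the chain takes precedence. The scope
chain is simplified to subscription -> resource group -> resource.
"""
from enum import IntEnum


class LockLevel(IntEnum):
    """Ordered so that max() yields the most restrictive lock."""
    NONE = 0
    CAN_NOT_DELETE = 1   # portal name: "Delete"
    READ_ONLY = 2        # portal name: "Read-only"


# Constructed lock assignments keyed by scope; SUB-PLACEHOLDER stands in for a subscription ID.
SUB = "/subscriptions/SUB-PLACEHOLDER"
LOCKS = {
    SUB: [],
    SUB + "/resourceGroups/rg-prod": [LockLevel.CAN_NOT_DELETE],
    SUB + "/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod":
        [LockLevel.READ_ONLY, LockLevel.CAN_NOT_DELETE],   # two locks on one resource
}


def scope_chain(resource_id: str):
    """Yield the subscription, resource group (if any) and resource scopes of an ID.
    Azure IDs nest as /subscriptions/{id}/resourceGroups/{rg}/providers/..."""
    parts = resource_id.strip("/").split("/")
    yield "/" + "/".join(parts[:2])                       # subscription scope
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        yield "/" + "/".join(parts[:4])                   # resource group scope
    if len(parts) > 4:
        yield resource_id                                  # the resource itself


def effective_lock(resource_id: str, locks=LOCKS) -> LockLevel:
    """Most restrictive lock across the resource and all of its parent scopes."""
    level = LockLevel.NONE
    for scope in scope_chain(resource_id):
        for lock in locks.get(scope, []):
            level = max(level, lock)
    return level


def is_allowed(operation: str, resource_id: str, locks=LOCKS) -> bool:
    """Decide whether 'read', 'modify' or 'delete' is permitted under the effective lock."""
    level = effective_lock(resource_id, locks)
    if operation == "read":
        return True                                   # neither lock blocks reads
    if operation == "modify":
        return level < LockLevel.READ_ONLY            # only ReadOnly blocks changes
    if operation == "delete":
        return level < LockLevel.CAN_NOT_DELETE       # both lock levels block deletes
    raise ValueError(f"unknown operation: {operation}")


if __name__ == "__main__":
    # A storage account created later in rg-prod inherits the group's CanNotDelete lock.
    new_res = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stnew"
    print(effective_lock(new_res).name, is_allowed("delete", new_res), is_allowed("modify", new_res))
```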
20.2 – Describe Azure Blueprints
Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:
- Role Assignments
- Policy Assignments
- Azure Resource Manager templates (ARM templates)
- Resource Groups
Blueprint objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, whatever region Azure Blueprints deploys your resources to.
With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments.
20.3 – Define Azure Policy and describe its use cases
Azure Policy evaluates all resources in Azure and Arc-enabled resources (specific resource types hosted outside of Azure).
Azure Policy evaluates whether the properties of resources match with business rules. These business rules are described using JSON format, and referred to as policy definitions. For simplified management, you can group together multiple business rules to form a single policy initiative. After business rules have been formed, you can assign the policy definition, or policy initiative, to any scope of resources that are supported, such as management groups, subscriptions, resource groups, or individual resources.
It’s important not to confuse Azure Policy and Azure RBAC. You use Azure Policy to ensure that the resource state is compliant to your organization’s business rules, no matter who made the change or who has permission to make changes. Azure Policy will evaluate the state of a resource, and act to ensure the resource stays compliant.
Azure RBAC focuses instead on managing user actions at different scopes. Azure RBAC manages who has access to Azure resources, what they can do with those resources, and what areas they can access. If actions need to be controlled, then you would use Azure RBAC. If an individual has access to complete an action, but the result is a non-compliant resource, Azure Policy still blocks the action.
Azure RBAC and Azure Policy should be used together to achieve full scope control in Azure.
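To make the definition-versus-evaluation relationship concrete, here is an added Python example (not Azure code) that evaluates a policy definition written in Azure Policy's JSON shape against constructed resource records, regardless of who created them. It implements only a small subset of the policy language (field, equals, notEquals, allOf, anyOf, not) and uses the real alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly; the resource records are sample data.

```python
"""Mini evaluator for the shape of Azure Policy definitions.

Added example, not Azure code. A policy definition carries the business rule
as JSON; evaluation matches the rule's 'if' block against resource properties
and, on a match, yields the 'then' effect. Only field/equals/notEquals/allOf/
anyOf/not are supported here. Alias resolution is simplified: the resource
record carries an 'aliases' dict instead of the live property path.
"""
import json

POLICY_JSON = """
{
  "properties": {
    "displayName": "Storage accounts must require secure transfer",
    "policyType": "Custom",
    "mode": "Indexed",
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
          { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
            "notEquals": "true" }
        ]
      },
      "then": { "effect": "deny" }
    }
  }
}
"""


def field_value(resource: dict, field: str):
    """Resolve a policy 'field': top-level fields such as 'type' map directly,
    provider aliases are looked up in the record's 'aliases' dict (simplification)."""
    if field in resource:
        return resource[field]
    return resource.get("aliases", {}).get(field)


def _norm(value):
    """Azure Policy compares strings case-insensitively; mirror that here."""
    return None if value is None else str(value).lower()


def evaluate_condition(cond: dict, resource: dict) -> bool:
    """Recursively evaluate one condition block of a policy rule."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = field_value(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy: dict, resource: dict) -> str:
    """Return the effect that applies ('deny', 'audit', ...) or 'compliant'."""
    rule = policy["properties"]["policyRule"]
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"]
    return "compliant"


# Constructed sample resource records (not from a real subscription).
RESOURCES = [
    {"name": "stsecure01", "type": "Microsoft.Storage/storageAccounts",
     "aliases": {"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": True}},
    {"name": "stlegacy02", "type": "Microsoft.Storage/storageAccounts",
     "aliases": {"Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": False}},
    {"name": "vm01", "type": "Microsoft.Compute/virtualMachines", "aliases": {}},
]


def evaluate_all(policy_json: str = POLICY_JSON, resources=RESOURCES) -> dict:
    """Evaluate every resource in scope and report the effect per resource name."""
    policy = json.loads(policy_json)
    return {r["name"]: evaluate(policy, r) for r in resources}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name}: {result}")
```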
20.4 – Describe cloud adoption framework
Each of the following steps is part of the cloud adoption lifecycle.
- Strategy: define business justification and expected outcomes of adoption.
- Plan: align actionable adoption plans to business outcomes.
- Ready: prepare the cloud environment for the planned changes.
- Adopt: migrate and modernize existing workloads, and develop new cloud-native or hybrid solutions.
- Govern: govern the environment and workloads.
- Manage: operations management for cloud and hybrid solutions.
When your enterprise’s digital transformation involves the cloud, understanding these fundamental concepts will help you during each step of the process.