Getting Started with Azure & Microsoft365 Security (Part 1)

Getting Started with Azure & Microsoft365 Security (Part 1)


Microsoft Azure is a cloud computing platform and service offered by Microsoft. It provides a wide range of cloud services, including virtual machines, storage, and networking.

Office 365 is a cloud-based subscription service that provides access to Microsoft Office applications, such as Word, Excel, PowerPoint, and others. It also includes email services, calendaring, and online storage.

Microsoft 365 is a subscription service that includes Office 365, Windows 10, and Enterprise Mobility + Security.

Microsoft Entra is a fairly new product family that includes Azure Active Directory, Cloud Infrastructure Entitlement Management (CIEM), and decentralized identity. Per Microsoft, “The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.” (Microsoft Entra helps secure your identity - Microsoft Security Blog) (Microsoft Entra documentation | Microsoft Learn)

*Tip - If you’re going crazy trying to figure out what licenses cover what check out this really simple but amazingly helpful free tool: Feature Matrix | M365 Maps

Scenario 1

A malicious actor targeting Danilovgrad Capital Management ( conducts a phishing attack by impersonating their CEO Nelly Johnson and originating from [email protected]. One employee falls for the phish and enters their credentials into a HTTP reverse proxy phishing portal (GitHub - drk1wi/Modlishka: Modlishka. Reverse Proxy.) set up by the malicious actor, including the MFA code supplied by their authenticator application. Once inside, the malicious actor establishes persistence by connecting to a malicious third party oAuth application, and establishing another form of MFA. Then the malicious actor searches the available documents and applications for sensitive banking information.


Possible Solution


Scenario 2

A malicious actor conducts a password spraying attack against () which hits on an employee using the password “Winter2023!”. The user has MFA but one of the options is a push notification. The malicious actor sends push after push after push until the frustrated user finally hits accept, granting access. Once inside, sensitive information is identified and downloaded en masse.


SIM Swapping Attack Explanation


Possible Solution


Security Features/Solutions Explained

Password Protection Best Practices

1) The default setting under Authentication Methods would look a lot like this:

With this configuration, a malicious actor could generate a list of valid user accounts and systematically 'spray' those accounts with custom password attempts at a rate as slow as 35 attempts per 10-minute period (on different user accounts) without triggering an alert. Over the course of a continuous week, that scenario would amount to over 35 thousand login attempts. Given enough time, this has a high probability of leading to a first-factor account compromise.


2) Custom banned password lists can be defined up to 1,000 entries which can include terms unique to the business, or popular (yet terrible) passwords like Winter2023!. Consider using a simple tool like Mentalist to help generate a list

Use a Stronger Form of MFA

The use of authentication apps like Microsoft Authenticator can significantly improve the security of the environment compared to traditional call, push notification, or SMS based MFA. (Download and install the Microsoft Authenticator app - Microsoft Support).

SMS and phone call based two-factor authentication can be problematic as a malicious actor could defeat this MFA method through a SIM swapping attack or through call fatigue.

With Microsoft Authenticator enabled, a company would benefit from advanced security features such as additional context. This can be configured to include the application and location of the MFA attempt on the user’s Authenticator app. This is preferable to the traditional call-based MFA as it becomes far more apparent to end users in the event of a fraudulent login.


Block Legacy Authentication

Legacy authentication is a term that refers to authentication requests made by older Office clients that do not use modern authentication or any client that uses legacy mail protocols such as IMAP, SMTP or POP3. Legacy authentication methods introduce unnecessary risks to the environment as many legacy protocols do not support MFA.

Risky User Detection

Microsoft 365 Lighthouse can be used to manage risks detected by Azure AD Identity Protection by providing a single view of risky user activity across the tenant. This includes all the Azure AD identity protection risks including:

  • Leaked Credentials
  • Anonymous IP Use
  • Atypical Travel
  • Signing in from infected devices
  • Signing in from an IP address with suspicious activity
  • Signing in from unfamiliar locations

Using Conditional Access Policies to Block Impossible Travel

Conditional Access policies enable assignment and access control measures to be implemented through the use of tailored if-then statements. Impossible travel is one of the most basic anomaly detections to indicate a compromised user. This feature is included with Azure AD Identity Protection.

Don’t Allow User’s The Ability to Grant Access to Untrusted Applications

A popular method of maintaining persistence to cloud-based environments by malicious actors is to leverage a compromised account to grant access to a malicious third-party application. This can also introduce a social engineering attack vector as users could be misled into granting permissions to untrusted applications.

Domain and User Impersonation Controls

These controls can be set up with Microsoft 365 Defender and can play a huge role in mitigating very common (and very effective) phishing and spearphishing campaigns by malicious actors. When a protected domain or user becomes flagged by this control it will not arrive in the end users inbox.

Safe Links / Safe Attachments

This is a feature within Defender for Office365 (plan 1 and plan 2) which provides dynamic URL and attachment scanning of inbound messages. This occurs in addition to (not in place of) typical anti-spam or anti-malware scanning.

First Contact Safety Tips

These refer to the banners that pop up on emails that say things like “You don’t often get email from <sender>. This is a very simple way to give end users another extra indicator that an email may be phishing and can be included in internal security awareness training.


Data Classification & Data Loss Prevention Controls

Data classification controls refer to automated policies which sort and label data by predefined classification sets and assign different requirements to associated labels. This ensures that sensitive data such as PII or financial data are stored in appropriate ways. Data loss prevention (DLP) controls to safeguard against unauthorized exfiltration of potentially sensitive data.

Suggested Learning Path & Resources

If your goal is to increase your skills surrounding Microsoft’s cloud solutions with a specific emphasis on security, consider a training path similar to this one. This starts with the fundamentals and getting a good understanding on licensing, core products, and how they integrate. This is essential baseline understanding to build regardless of if you use M365 regularly or not. If you jump straight to one of the upper security courses, like AZ-500, you may pass the exam but you’d lack a lot of important context around those solutions without really strong fundamentals.


Fantastic (Free) Learning Content

  1. is the official course material for all of their certifications. The training is free and includes several labs you can go through on your own.
  2. Create a free Azure account. You can actually set up a free account with a $200 credit included to learn about and explore various services.
  3. John Savill's Technical Training - This has been my absolute favorite resources for learning Azure and Microsoft 365 content, from the very basics to advanced topics. It’s all free on YouTube and John does an incredible job with the quality of the videos.
  4. The Cloud Edition of HackTricks has a lot of content surrounding pentesting Azure.