Getting Started with Azure & Microsoft365 Security (Part 2)

Getting Started with Azure & Microsoft365 Security (Part 2)

Part 1 of this series can be found here:

Microsoft 365 Defender

This is the defensive suite of solutions that supports monitoring, detection, incident response, and prevention capabilities. It is referred to as an Extended Detection and Response (XDR) solution. When used holistically with other defender solutions, Microsoft 365 Defender adds protection for endpoints, assets, users, identities, and applications. Thanks to multi-source interactions, it can provide cross-product insights that offer more context to potential incidents or malicious attacks than a single defender product can alone.

Microsoft Defender can also be integrated with Sentinel as a SIEM/SOAR solution, which contributes to the Zero Trust Principle.

  • Verify Explicitly (by covering users, identities, devices, applications, and emails)
  • Use Least Privileged Access (can be integrated with Azure AD Identity Protection (P2 license) to block users based on the level of risk and identity constraints)
  • Assume Breach (by continuously monitoring the environment)
Note - This diagram is from Microsoft’s official documentation, referenced below
Note - This diagram is from Microsoft’s official documentation, referenced below

Microsoft Defender for Endpoint

Available in two plans, plan 1 and plan 2 with Defender for Vulnerability Management available as an add on only with plan 2. It is at it’s core an EDR (endpoint detection & response) platform which provides antivirus, antimalware, and heuristic based analysis. Defender for endpoint uses configured censors embedded on devices to collect and process behavior and operating system data. This data is combined with threat intelligence information and is used to detect various malicious activity such as

  • Discovery techniques
  • Attempts to escalate privilege
  • Keyloggers
  • Brute force attempts

One consideration to be aware of, is that Defender for endpoint is really for Windows devices. While it can support some other options, there are limitations. For example, native compute workloads running in AWS or GCP are not supported.

Microsoft Defender for Vulnerability Management

Designed to discover and remediate vulnerabilities in one place while understanding the full exposure of the organization and specific devices. The prioritization of risk and calculation of exposure is not perfect by any means, but does consider breach likelihood, the business context, and device assessments. One of the best features is the continuous asset discovery and monitoring which enables you to do authenticated windows scans remotely, create customizable baseline profiles against CIS, MITRE ATT&CK, or other frameworks, and get insight into browser extensions & their associated permissions.


Microsoft Defender for Office 365

This comes in two versions, plan 1 (included with Microsoft 365 Business Premium) and plan 2. This enables you to enable great features like:

  • Safe links
  • Safe Attachments
  • Impersonation Controls
  • Anti-spam & Anti-phishing controls

There are several preset policies which can be used to easily set polices to varying levels of ‘strictness’; these can be applied to groups or to all users. But, you can’t adjust individual settings on the presets — for more nuanced policies you’ll have to create them manually.


You can also specify trusted email address or domains to not flag when setting up things like impersonation controls.

Learn How to Configure Defender for Office 365 for Maximum Security

In this video, you will learn how to configure Defender for Office 365. Defender for Office 365 is Microsoft's own email security product. There are two ways to configure, an easy one and a harder one :-) I'll walk you through the preset policies which can be enabled very easily and provide your business with some protection. I will also show you how to create your own: ► Anti-spam policy ► Anti-phishing policy ► Anti-malware policy ► Safe attachments policy ► Safe links policy I hope you enjoy the video. ------------------------------------------------------------------------------------------------------------------------------------------------ Are you using Microsoft 365 to its fullest potential? Are you getting the most from your investment? It's time to supercharge your Microsoft 365 and your business. Our FREE Guide - Discover 5 things in Microsoft 365 that will save your business time and money….. and one feature that increases your Cyber Security by 99.9% ► Download our guide here today: -------- So who am I and what do I do?ll I am an IT expert with over 20 years of industry experience across a multitude of different areas. I am the Founder & Managing Director of Integral IT. Our mission is to deliver IT services that bring real value to each and every one of our customers, no matter how big or small. If you need IT support, we can help. We can help you wherever you are in the world; you just need an internet connection. Contact Us Today ► [email protected] -- Make Sure To Follow Me On My Socials Below -- ► INSTAGRAM: ► FACEBOOK: ► TWITTER: If you have any video ideas, or if you'd like me to make a video on anything specific make sure to let me know in the comments below! 00:00 Introduction 01:08 Exchange Online Protection 04:16 Preset Security Policies 10:24 Quarantine Policy 13:34 Anti-Phishing Policy 18:19 Anti-Spam Policy 21:58 Anti-Malware Policy 23:43 Safe Attachments Policy 26:30 Safe Links Policy 28:13 Tenant Allow/Block Lists 28:46 Configuration Analyzer

Learn How to Configure Defender for Office 365 for Maximum Security

Microsoft Defender for Cloud Apps

Previously known as Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) which can deploy nodes via API connectors to ingest and analyze log data from all of Microsoft’s and most third-party cloud applications. CASB’s can be beneficial in identifying Shadow IT, monitoring user activity across applications, controlling access to resources, and classifying information.

Note - This diagram is from Microsoft’s official documentation, referenced below
Note - This diagram is from Microsoft’s official documentation, referenced below

Azure Active Directory Identity Protection

AAD IP exists for three main purposes:

  • To automate the detection and remediation of identity-based risks {think, anonymous IP use, impossible travel, malicious IP addresses, password spraying, etc)
  • To investigate those risks
  • To export that risk data to other tools

The risk signals can trigger remediation actions, for example if there was a password spaying attack detected against the organization, AAD IP may require any users who do not already have MFA to set it up before logging in again. The information of this event can then be sent along to whatever SIEM solution is in place (such as Sentinel).

Microsoft Azure AD Identity Protection Deep Dive

A deep dive look at the Azure AD Premium P2 Identity Protection feature. What it is and how best to use it. 🔎 Looking for content on a particular topic? Search the channel. If I have something it will be there! ▬▬▬▬▬▬ C H A P T E R S ⏰ ▬▬▬▬▬▬ 0:00 - Introduction 1:17 - The pillars of risk 3:22 - Where is risk? 7:19 - Risk pyramid 10:15 - Risk signal types 14:29 - Processing risk 18:21 - Enforcement on risk with Conditional Access 25:45 - Locking down security registration 28:48 - Risky sign-in experience 30:40 - Remediation 31:30 - Manual remediation and reports 37:35 - AAD Identity Protection policy and MFA registration 42:47 - Reporting and detail based on licensing 46:10 - Notifications 47:45 - Identity score 48:54 - Protection for external accounts 53:50 - Summary ▬▬▬▬▬▬ K E Y L I N K S 🔗 ▬▬▬▬▬▬ ► Whiteboard: 🔗 ► Azure AD Portal: 🔗 ► Risk types: 🔗 ► Combined Security registration: 🔗 ► License requirements: 🔗 ► Risk Analysis Workbook: 🔗 ▬▬▬▬▬▬ Want to learn more? 🚀 ▬▬▬▬▬▬ 📖 Recommended Learning Path for Azure 🔗 🥇 Certification Content Repository 🔗 📅 Weekly Azure Update 🔗 ☁ Azure Master Class 🔗 ⚙ DevOps Master Class 🔗 💻 PowerShell Master Class 🔗 🎓 Certification Cram Videos 🔗 🧠 Mentoring Content 🔗 ❔ Question about my setup? 🔗 👕 Cure Childhood Cancer Charity T-Shirt Channel Store 🔗 SUBSCRIBE ✅ #microsoft #azure #johnsavillstechnicaltraining #doyouevenazure #onboardtoazure #cloud

Microsoft Azure AD Identity Protection Deep Dive

Microsoft Sentinel

Sentinel is Microsoft’s Azure-native security incident event management (SIEM) & security orchestration, automation, and response (SOAR) solution. Sentinel can not only collect log information from across the Microsoft365 and on prem servers/workstations, but also other cloud products via connectors. With these connectors in place and the proper logs ingested, Sentinel then provides security analytics and threat intelligence insights across the enterprise.

You can also create custom workbooks which can provide handy high-level views of the data which can aid analysts.

Note - This diagram is from Microsoft’s official documentation referenced below
Note - This diagram is from Microsoft’s official documentation referenced below

Azure Firewall

Azure’s cloud native firewall comes in a few flavors depending on what the needs and size of your organization are.

Standard - Provides filtering of Layer 3 to Layer 7and receives threat intelligence feeds from Microsoft. This intelligence can be used to filter, alert, or deny traffic to or from known malicious IPs and domains.

Basic - This SKU is designed for small businesses and is similar to Standard with limitations on the data throughput and scalability.

Premium - Also includes signature-based intrusion detection and prevention system (IDPS)

Azure firewalls (or other firewalls) can leverage Azure Firewall Manager which allows engineers to conduct security management of either an Azure Virtual WAN or VNET. This would include things like VNET to internet (V2I) traffic filtering and establishing user defended routes (UDR).

You can deploy the firewall on any VNET, but typically it is recommended to deploy it on a central VNET and peer all other VNETs to it in a hub & spoke model.

Network Security Groups (NSGs)

NSGs provide the ability to have specific control of allowed traffic and security rules between virtual networks. Note, these VNETS do need to be within the same region and subscription. Configuring the rules for NSGs is very much like doing so for a typical firewall, define the action that is taken (allow / deny) for the IP, port, protocol, etc. This may sound just like the Azure Firewall, and indeed they are similar, but they are designed to be utilized together (not one or the other).

Microsoft Security Copilot

Announced in late March of 2023 Security Copilot is a chatbot powered by OpenAI’s GPT-4 generative AI and trained on Microsoft’s security model. It’s designed to aid a security analyst in understanding their risk posture, and making informed decisions related to security configurations, best practices, remediations or next-steps. Some of the potential use cases researchers have been experimenting with include:

  • Automatically making PowerPoint slides describing recent incidents & attacks
  • Reverse engineering a malicious script
  • Creating a network diagram including security zones
  • Analyze individual incidents