PLAN

Step 1: Deploy your identity infrastructure and access protection for Microsoft
365
Decide which identity model is best for your environment
Select an authentication method
Implement and manage external identities
Protecting Privileged and User Accounts
Step 2: Manage Endpoints with Intune and Microsoft 365
Configure and manage Microsoft Defender Application Guard
Add Applications
Implement application protection policies
Set up compliance policies
Configure device configuration policies
Enrol devices
Step 3: Deploy Microsoft 365 Defender
Secure identity by using Microsoft Defender for Identity
Secure collaboration by using Microsoft Defender for Office 365
Secure endpoints by using Microsoft Defender for Endpoint
Microsoft Defender for Cloud Apps
Detect and respond to threats in Microsoft 365 by using Microsoft Sentinel
Step 4: Protect and govern sensitive data
Deploy a Microsoft Information Protection Solution
Manage Data Privacy and Data Protection
Step 1: Deploy your identity infrastructure and access protection for
Microsoft 365

I. Decide which identity model is best for your environment

II. Select an authentication method (Hybrid)


To choose an authentication method, you need to consider the time, existing infrastructure,
complexity, and cost of implementing your choice. These factors are different for every
organization and might change over time.
1. Cloud authentication
Once you've decided on a hybrid identity model, you need to choose the appropriate
managed authentication method based on your business needs:

• Password Hash Synchronization (PHS): Azure AD Connect synchronizes a salted, re-hashed
form of each user's on-premises AD password hash to Azure AD. Neither the cleartext
password nor the raw on-premises hash leaves the network, and Azure AD validates sign-ins
itself against the synchronized value.
• Pass-Through Authentication (PTA): Users sign in with the same password on-premises and
in the cloud, but the password is validated by an authentication agent running on-premises
against the organization's Active Directory. The agent uses an outbound-only connection and
returns only the result to Azure AD; no password material is stored in Azure AD.
Here is a comparison between Password Hash Synchronization (PHS) and Pass-through
Authentication (PTA):

• Security
  PHS: Stores a salted, re-hashed form of each password hash in Azure AD. A compromise of
  the tenant's stored hashes would give an attacker material for offline cracking, although
  Azure AD never holds the cleartext password. PHS is also what enables the leaked-credential
  detection in Azure AD Identity Protection.
  PTA: Stores no password material in Azure AD. Validation takes place on-premises and
  only the result is returned to Azure AD, so the on-premises agents and domain controllers
  become the component to protect and monitor.
• Infrastructure
  PHS: Requires only the Azure AD Connect synchronization server (a member server, not a
  domain controller, is the recommended placement).
  PTA: Requires Azure AD Connect plus one or more Pass-through Authentication agents on
  on-premises servers; Microsoft recommends at least three agents for high availability.
• Latency
  PHS: Authentication completes entirely in Azure AD; there is no round-trip to on-premises.
  PTA: Every sign-in requires a round-trip from Azure AD to an on-premises agent and then
  to a domain controller.
• High availability
  PHS: If the on-premises Active Directory or the network link to it becomes unavailable,
  users can still authenticate against Azure AD with the synchronized hash.
  PTA: Requires reachable on-premises agents and domain controllers; if they are down,
  cloud sign-in fails unless PHS is also enabled as a fallback.
• Deployment complexity
  PHS: Simplest option; it is enabled as part of the synchronization setup.
  PTA: Additional agents to install, register, patch and monitor, plus outbound firewall
  rules for the agents.

Overall, both are supported managed-authentication options and the choice depends on the
specific needs and requirements of your organization. PTA keeps password validation
on-premises and stores no password material in Azure AD, at the cost of additional
infrastructure and a hard dependency on on-premises availability. PHS is the simplest and
most resilient option and is Microsoft's recommended default; it is also required for
leaked-credential detection. A common compromise is PTA with PHS enabled alongside it as a
fallback.
2. Federated authentication
When you choose this authentication method, Azure AD hands off the authentication
process to a separate trusted authentication system, such as on-premises Active Directory
Federation Services (AD FS), to validate the user's password. The federation servers are
then internet-facing and become a high-value target in their own right, so they need the
same hardening and monitoring as domain controllers. Microsoft recommends enabling PHS
alongside federation as a fallback and to get leaked-credential detection.

III. Implement and manage external identities

Azure AD B2B Collaboration enables you to securely share your organization's applications
and services with external users, while maintaining control over your own corporate data.
Collaborate securely with external partners from small to large enterprises, even if they don't
use Azure AD or don't have an IT department.
IV. Protecting Privileged and User Accounts

▪ Design Administrator Roles for Privileged Accounts


▪ Privileged Identity Management (PIM)
▪ Emergency Access Accounts
▪ MFA for Privileged and User Accounts
▪ Enable Self-service password reset (SSPR)
▪ Implement Azure AD Smart Lockout
▪ Azure AD Identity Governance
▪ Windows Hello for Business for User Accounts, FIDO2 security key, Microsoft
Authenticator app
▪ AAD Password Protection
▪ Tenant Security Defaults
▪ Implement Conditional Access policy
▪ Manage Azure AD Identity Protection
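The Conditional Access and emergency-access items above fit together: every blocking policy must exclude the break-glass accounts, and a new policy should run in report-only mode before it is enforced. The following is an added example, not part of the original plan, showing that with the Microsoft Graph PowerShell SDK; the break-glass UPNs and the policy name are placeholders.

```powershell
# Added example, not part of the original plan. Assumes the Microsoft.Graph PowerShell SDK
# is installed and that the two break-glass account UPNs below exist (placeholder names).
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Emergency access (break-glass) accounts must be excluded from every blocking policy;
# otherwise an MFA outage or a bad policy can lock every administrator out of the tenant.
$breakGlassUpns = @("breakglass1@contoso.com", "breakglass2@contoso.com")   # placeholders
$breakGlassIds  = $breakGlassUpns | ForEach-Object { (Get-MgUser -UserId $_).Id }

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Report-only: sign-ins are evaluated and logged, but nothing is enforced yet.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = $breakGlassIds
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '{0}' in state {1}" -f $created.DisplayName, $created.State

# After reviewing the Report-only results in the Azure AD sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Before switching the state to `enabled`, confirm in the sign-in logs that the break-glass accounts are reported as excluded, and test one of them interactively from a device that has never registered for MFA.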
Step 2: Manage Endpoints with Intune and Microsoft 365
By enrolling the device with Intune, you gain greater management control over your
endpoints, allowing for more sophisticated security controls.
With device management enabled through Intune, administrators can enforce policies such
as password requirements, encryption, and device wipe capabilities. Additionally, Intune
provides the ability to push software and security patches, monitor device health and
performance, and enable remote assistance (new feature) to end users.

Manage Endpoints with Intune and Microsoft 365

I. Configure and manage Microsoft Defender Application Guard

Microsoft Defender Application Guard (Application Guard) opens untrusted web sites (in
Microsoft Edge) and untrusted Office documents in a separate, hardware-backed Hyper-V
container, so an exploit delivered through a browser or document runs in a disposable
environment with no access to the host's credentials, data or network. The aim is to make
existing drive-by and malicious-document techniques ineffective rather than to detect each
one. Note that Microsoft has since announced the deprecation of Application Guard for Edge
and for Office; check the current product documentation before building it into a new
deployment.
▪ Install Application Guard
▪ Configure Microsoft Defender Application Guard policy settings

II. Add Applications


Before you can configure, assign, protect, or monitor apps, you must add them to Microsoft
Intune.
III. Implement application protection policies
App protection policies (APP) are rules that ensure an organization's data remains safe or
contained in a managed app. A policy can be a rule that is enforced when the user attempts
to access or move "corporate" data, or a set of actions that are prohibited or monitored when
the user is inside the app. A managed app is an app that has app protection policies applied
to it, and can be managed by Intune.

You can use App protection policies to prevent company data from saving to the local
storage of the device (see the image below). You can also restrict data movement to other
apps that aren't protected by App protection policies. App protection policy settings include:

• Data relocation policies like Save copies of org data, and Restrict cut, copy, and
paste.
• Access policy settings like Require simple PIN for access and block managed apps
from running on jailbroken or rooted devices.

IV. Set up compliance policies

Device compliance policies are a key feature when using Intune to protect your
organization's resources. In Intune, you can create rules and settings that devices must meet
to be considered compliant, such as a minimum OS version. If the device isn't compliant, you
can then block access to data and resources using Conditional Access. You can also take
actions for non-compliance, such as sending a notification email to the user.
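A compliance policy only has effect when Conditional Access requires a compliant device, so the policy should encode the controls you actually intend to gate on. The following is an added example, not part of the original plan, creating a Windows compliance policy through the Microsoft Graph PowerShell SDK; the display name and the OS version floor are placeholders.

```powershell
# Added example, not part of the original plan. Assumes the Microsoft.Graph PowerShell SDK
# and an Intune licence; the display name and osMinimumVersion are placeholders.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type"          = "#microsoft.graph.windows10CompliancePolicy"
    displayName            = "Windows - Baseline compliance"
    description            = "Encrypted, patched and Defender-protected devices only"
    passwordRequired       = $true
    passwordMinimumLength  = 8
    bitLockerEnabled       = $true          # disk encryption
    secureBootEnabled      = $true          # boot-chain integrity
    codeIntegrityEnabled   = $true
    osMinimumVersion       = "10.0.19045"   # placeholder: oldest build you still support
    activeFirewallRequired = $true
    defenderEnabled        = $true
    rtpEnabled             = $true          # Defender real-time protection
    # Intune requires at least one scheduled action. With gracePeriodHours = 0 the device is
    # marked non-compliant immediately, so a Conditional Access policy can block it at once.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"
            scheduledActionConfigurations = @(
                @{ actionType = "block"; gracePeriodHours = 0; notificationTemplateId = "" }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
"Created compliance policy '{0}' (id {1})" -f $created.DisplayName, $created.Id
```

The policy still has to be assigned to a device group, and the matching Conditional Access policy uses the `compliantDevice` built-in grant control. A non-zero grace period is the usual choice for settings such as OS version, so a device that falls behind on patching gets a warning window before it is blocked.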
V. Configure device configuration policies

Microsoft Intune includes settings and features you can enable or disable on different
devices within your organization. These settings and features are added to "configuration
profiles". You can create profiles for different devices and different platforms, including
iOS/iPadOS, Android device administrator, Android Enterprise, and Windows. Then, use
Intune to apply or "assign" the profile to the devices.

Some profile examples include:

• Allow or prevent access to bluetooth on the device.


• Create a WiFi or VPN profile that gives different devices access to your corporate
network.
• Manage software updates, including when they're installed.
• Run an Android device as dedicated kiosk device that can run one app, or run many
apps.
• On iOS/iPadOS and macOS devices, allow users to use AirPrint printers in your
organization.

VI. Enrol devices

Microsoft Intune, in conjunction with Azure Active Directory (Azure AD), facilitates a secure,
streamlined process for registering and enrolling devices that want access to your internal
resources. Once users and devices are registered within your Azure AD (also called a tenant),
then you can utilize Intune for its endpoint management capabilities.
Step 3: Deploy Microsoft 365 Defender
Deploying Microsoft 365 Defender represents the next level of Zero Trust security, providing
enhanced protection against threats. This extended detection and response (XDR) solution
automatically gathers, correlates, and analyzes signal, threat, and alert data from various
sources within your Microsoft 365 environment, including endpoints, email, applications, and
identities.

I. Secure identity by using Microsoft Defender for Identity


Microsoft Defender for Identity, also known as MDI, is a cloud-based solution from Microsoft
designed to protect an organization’s Active Directory environment.
MDI leverages on-premises Active Directory signals to identify, detect, and investigate
advanced threats, compromised identities, and malicious insider actions directed at an
organization.

Microsoft Defender for Identity prerequisites:


• Licensing: Acquire a license for Enterprise Mobility + Security E5 (EMS E5/A5), Microsoft 365
E5 (M365 E5/A5/G5) or Microsoft 365 E5/A5/G5 Security directly via the Microsoft 365 portal
or use the Cloud Solution Partner (CSP) licensing model.
• Accounts: At least one Directory Service account with read access to all objects in the
monitored domains. A group Managed Service Account (gMSA) is recommended over a standard
user account: its password is rotated automatically and it cannot be used for interactive logon.
• Permissions: You need to be a global administrator or security administrator on the tenant to
access the Identity section on the Microsoft 365 Defender portal and be able to create the
workspace.

1. Download the Microsoft Defender for Identity sensor

2. Install the Microsoft Defender for Identity sensor

3. Manage Actions Accounts


Defender for Identity allows you to take remediation actions targeting on-premises Active
Directory accounts in the event that an identity is compromised. To take these actions,
Microsoft Defender for Identity needs to have the required permissions to do so.
Microsoft Defender for Identity Alerts Detection :
II. Secure collaboration by using Microsoft Defender for Office 365
Microsoft Defender for Office 365 is a cloud-based email filtering service that helps protect
your organization against unknown malware and viruses by providing robust zero-day
protection. It includes features to safeguard your organization from harmful links in real time.
Microsoft Defender for Office 365 has rich reporting and URL trace capabilities that give
administrators insight into the kind of attacks happening in your organization.
1. Configure Strategies

1.1 Anti-Phishing Policies : Protect users from phishing attacks and set up safety tips on
suspicious messages.
▪ Add users, groups, and domains to include or exclude in this policy
▪ Threshold value and anti-phishing protection
▪ Define what actions this policy should take on messages
1.2 Anti-Spam Policies : Protect your organization's messages from spam, including
actions to take if spam is detected
▪ Inbound anti-spam policy
▪ Anti-spam outbound policy
1.3 Anti-malware Policies : Protect your organization's messages from malware (actions
to take and who to notify if detected)
1.4 Safe Attachments : Protect your organization against malicious content in
attachments and files in SharePoint, OneDrive and Teams
1.5 Safe Links : Prevent users from opening and sharing malicious links in messages and
Office apps
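Strategies 1.1, 1.4 and 1.5 above are each a policy plus a rule that scopes it to recipients. The following is an added example, not part of the original plan, creating a strict set of those policies with the Exchange Online PowerShell module; the policy names, the protected executive and the contoso.com domain are placeholders.

```powershell
# Added example, not part of the original plan. Assumes the ExchangeOnlineManagement module,
# a Defender for Office 365 licence, and placeholder names/addresses under contoso.com.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1.1 Anti-phishing: impersonation protection for named executives and the org's own domains.
$antiPhish = @{
    Name                                = "Strict Anti-Phish"
    Enabled                             = $true
    PhishThresholdLevel                 = 3            # 1 (standard) .. 4 (most aggressive)
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = "Quarantine"
    EnableTargetedUserProtection        = $true
    TargetedUsersToProtect              = @("Jane Doe;jane.doe@contoso.com")   # "DisplayName;Email"
    TargetedUserProtectionAction        = "Quarantine"
    EnableOrganizationDomainsProtection = $true
    TargetedDomainProtectionAction      = "Quarantine"
    EnableFirstContactSafetyTips        = $true
    EnableSimilarUsersSafetyTips        = $true
}
New-AntiPhishPolicy @antiPhish
New-AntiPhishRule -Name "Strict Anti-Phish rule" -AntiPhishPolicy "Strict Anti-Phish" -RecipientDomainIs "contoso.com"

# 1.4 Safe Attachments: detonate attachments before delivery and block malicious ones.
New-SafeAttachmentPolicy -Name "Block malicious attachments" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "Safe Attachments rule" -SafeAttachmentPolicy "Block malicious attachments" -RecipientDomainIs "contoso.com"
# Extend the same scanning to files already stored in SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# 1.5 Safe Links: rewrite URLs and re-check them at click time in mail, Teams and Office apps.
$safeLinks = @{
    Name                     = "Scan all URLs"
    EnableSafeLinksForEmail  = $true
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true
    DeliverMessageAfterScan  = $true     # hold the message until the URL scan completes
    EnableForInternalSenders = $true     # a compromised internal mailbox is a common phishing source
    TrackClicks              = $true     # required for URL trace / Threat Explorer click data
    AllowClickThrough        = $false    # users cannot bypass the warning page
}
New-SafeLinksPolicy @safeLinks
New-SafeLinksRule -Name "Safe Links rule" -SafeLinksPolicy "Scan all URLs" -RecipientDomainIs "contoso.com"

# Verify what is now in force for the tenant.
Get-AntiPhishPolicy | Select-Object Name, PhishThresholdLevel, TargetedUserProtectionAction
Get-SafeLinksPolicy | Select-Object Name, TrackClicks, AllowClickThrough
```

Custom policies take precedence over the default ones for the recipients their rules match, so after running this, check the Configuration Analyzer (section 3 below) to confirm nothing in the new policies falls below the Standard or Strict preset.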

2. Configure Rules

2.1 Tenant Allow/Block Lists : Allow or block external email addresses, domains, URLs and
files tenant-wide, so that communication with your users (sending or receiving email) is
permitted or prevented regardless of per-policy settings
2.2 Quarantine policies

3. Configuration Analyzer
Help you identify issues in your current configuration and improve your policies to
strengthen your security (Recommendations).

4. Investigations
Automated investigation and response features let you run automated investigation
processes in response to well-known threats.

5. Threat tracking
Informative widgets and views that provide you with intelligence on different cybersecurity
issues that might impact your company.

6. Attack simulation
Allows you to run simulations of mild cyberattacks on your organization to test your security
strategies and practices.

7. Threat Explorer
Can help you investigate and respond to various threats that might exist coming in via email.
III. Secure endpoints by using Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent,
detect, investigate, and respond to advanced threats on their endpoints.

1. Create a Microsoft Defender for Endpoint environment


Data storage location - Determine where your tenant's data will be primarily hosted (for
example US, EU or UK). This cannot be changed after onboarding, so align it with your
data-residency requirements up front.
Data retention - The default is six months.
Configure rules and advanced features (for example automated investigation, live response,
EDR in block mode).
Network configuration - Allow outbound access from endpoints and proxies to the Defender
for Endpoint service URLs.

2. Onboard Devices

3. Configure Permissions
Create and manage roles for role-based access control
Configure device groups
4. Configure capabilities

4.1 Threat and Vulnerability Management


• Dashboard: Provides information about vulnerabilities, exposure, and
recommendations.
You can see recent remediation activities, exposed devices, and ways to improve your
company's overall security. Each card in the dashboard includes a link to more
detailed information or to a page where you can take a recommended action.

• Recommendations: Lists current security recommendations and related threat


information to review and consider. When you select an item in the list, a flyout panel
opens with more details about threats and actions you can take.
• Remediation: Lists any remediation actions and their status. Remediation activities
can include sending a file to quarantine, stopping a process from running, and
blocking a detected threat from running. Remediation activities can also include
updating a device, running an antivirus scan, and more.

• Inventories: Lists software and apps currently in use in your organization. You'll see
browsers, operating systems, and other software on devices, along with identified
weaknesses and threats.
• Weaknesses: Lists vulnerabilities along with the number of exposed devices in your
organization.
If you see "0" in the Exposed devices column, you do not have to take any immediate
action. However, you can learn more about each vulnerability listed on this page.
Select an item to learn more about it and what you can do to mitigate the potential
threat to your company.

• Event timeline: Lists vulnerabilities that affect your organization in a timeline view.
4.2 Endpoint Detection and Response (EDR)
Microsoft Defender for Endpoint's endpoint detection and response capabilities provide
advanced attack detections that are near real-time and actionable. Security analysts can
prioritise alerts effectively, gain visibility into the full scope of a breach, and take
response actions to remediate threats.

4.3 Attack Surface Reduction (ASR)


Attack surface reduction policies: Attack surface reduction rules target behaviours that
malware and malicious applications typically use to infect computers, including:
executable files and scripts used in Office applications or webmail that attempt to
download or run files; obfuscated or otherwise suspicious scripts; and behaviours that
applications do not usually perform during normal day-to-day work. Each rule can run in
audit mode first (events are logged but nothing is blocked) and be switched to block mode
once the audit data shows no legitimate business impact.
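The audit-then-block rollout described above, as an added example that is not part of the original plan: it enables four ASR rules locally with Set-MpPreference on a pilot device, first in audit mode, then shows how to read the audit events and switch to block. The rule GUIDs are Microsoft's published ASR rule identifiers and the exclusion path is a placeholder.

```powershell
# Added example, not part of the original plan. Run in an elevated PowerShell on a pilot
# device; in production the same rules are normally pushed from Intune (Endpoint security >
# Attack surface reduction), which overrides local settings. The GUIDs are Microsoft's
# published ASR rule identifiers; verify them against the current ASR rules reference.
$asrRules = [ordered]@{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC" = "Block execution of potentially obfuscated scripts"
}

# ASR action values: 0 = disabled, 1 = block, 2 = audit, 6 = warn
function Set-AsrRules {
    param(
        [Parameter(Mandatory)][System.Collections.IDictionary]$Rules,
        [Parameter(Mandatory)][ValidateSet(0, 1, 2, 6)][int]$Action
    )
    foreach ($id in $Rules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
        "{0,-6} {1}" -f $Action, $Rules[$id]
    }
}

# Phase 1: audit. Nothing is blocked; each would-be block is logged as event 1122.
Set-AsrRules -Rules $asrRules -Action 2

# Review audit hits over a pilot period. Event 1122 = audited, 1121 = blocked (once enforcing).
Get-WinEvent -FilterHashtable @{ LogName = "Microsoft-Windows-Windows Defender/Operational"; Id = 1122 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# A legitimate line-of-business tool that trips a rule gets a narrow exclusion, not a disabled rule:
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\LobApp\updater.exe"   # placeholder path

# Phase 2: enforce once the audit log is clean.
# Set-AsrRules -Rules $asrRules -Action 1

# Verify the current state; the two arrays line up by index.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0}  action={1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

When the devices are onboarded to Defender for Endpoint, the same 1121/1122 events surface in the portal's attack surface reduction report, which is the easier place to review audit results across a whole pilot group.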
4.4 Next-Gen Protection
Microsoft Defender for Endpoint includes next-generation protection (Microsoft Defender
Antivirus with cloud-delivered protection and behaviour monitoring) to reinforce the
security perimeter of your network. It is designed to catch emerging threats, including
file-less and previously unseen malware, rather than relying on signatures alone.
4.5 Automated Investigation
AIR capabilities are designed to examine alerts and take immediate action to resolve
breaches. AIR capabilities significantly reduce alert volume, allowing security operations to
focus on more sophisticated threats and other high-value initiatives.
IV. Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that operates on
multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics
to identify and combat cyberthreats across all your cloud services.

1. Deploy Microsoft Defender for Cloud Apps


MDCA needs to have data on what apps your users are browsing on the internet. You can
continuously upload logs from your on-premises firewalls and proxy servers, you can
integrate directly with a set of cloud services that have API connections and you can use
Microsoft Defender for Endpoint as an agent for MDCA. The number of cloud services that
can be integrated into MDCA are increasing, at the time of writing they are:
Atlassian (Preview), AWS, Azure, Dropbox, GCP, GitHub Enterprise Cloud, Google Workspace,
Office 365….

2. Shadow IT Discovery
Once you have data flowing into Defender for Cloud Apps, you’ll start getting Cloud Discovery
reports. This will tell you what service categories are most used, which apps are most used
by your users and if there’s the usage of high/medium and low-risk apps.

Defender for Cloud Apps Cloud Discovery dashboard

Based on this data you can start digging into the riskiest apps with high usage and identify
why they’re being used and what the risks are. Each app/cloud service in the catalog has an
overall score from 1-10, based on four categories, General, Security, Compliance and Legal.
Defender for Cloud Apps catalog listing

The point of the catalog is to give you instant visibility into the security stance (perhaps of a
service you’ve just found out is used by the entire finance department) and regulatory
compliance of an app, without having to spend hours digging through their website or
requesting more information from them.

3. Using Defender for Cloud Apps


There are several types of policies you can use to detect risky behavior, and suspicious
activity and in some cases, automatically remediate the issue. Activity policies use the APIs of
integrated applications and let you build custom alerts for multiple failed sign-ins, large
amounts of file downloads or logins from unusual countries or regions.

Anomaly detection uses User and Entity Behavioral Analytics (UEBA) and Machine Learning
and for most detections, it takes seven days to establish a baseline so it can identify what’s
unusual. Signals used in these policies include risky IP addresses, inactive accounts, location,
device, user agent etc. Malware detection across Box, Dropbox, Google Workspace and
Office 365 (when used with Defender for Office 365) are one of these policies.
OAuth app policies keep an eye on apps that are granted permissions in Azure AD, either by
end-users (if you allow this) or by administrators.
File policies bring a built-in DLP engine to inspect content across 100+ file types and allow
you to take automated action when the content matches your criteria. You can create
policies for publicly shared files, files shared with a specific domain or with a specific set of
unauthorized users, and even for specific high-risk file extensions.
Defender for Cloud Apps cloud discovery anomaly detection policy

Finally, App discovery policies alert you to new cloud services that are being used (to
continue the fight against Shadow IT) and cloud discovery anomaly detection policies alert
you to unusual activity in cloud apps.

Alerts from these policies can be sent as emails, or text messages or you can use a Power
Automate playbook to notify the right people. You can also automatically disable a user
account, require the user to sign in again or confirm them as compromised to automatically
contain a potential attack.
V. Detect and respond to threats in Microsoft 365 by using Microsoft
Sentinel

Microsoft Sentinel is a scalable, cloud-native solution that provides:

• Security information and event management (SIEM)


• Security orchestration, automation, and response (SOAR)

Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the
enterprise. With Microsoft Sentinel, you get a single solution for attack detection, threat
visibility, proactive hunting, and threat response.

Microsoft Sentinel is your bird's-eye view across the enterprise alleviating the stress of
increasingly sophisticated attacks, increasing volumes of alerts, and long resolution time
frames

1. Collect security data

Microsoft Sentinel has built-in connectors that collect data from sources across the
organization.

Data connectors are used to configure connections with different Microsoft services, partner
solutions, and other resources.
At the time this plan was written, Microsoft Sentinel (then still named Azure Sentinel)
supported the following Microsoft services; several have since been renamed (Cloud App
Security is now Defender for Cloud Apps, Azure ATP is Defender for Identity, Azure Security
Center is Defender for Cloud, and Microsoft Defender ATP is Defender for Endpoint):
• Azure AD, Office 365, Cloud App Security, Azure Activity Log, Azure AD Identity Protection,
Azure Information Protection, Azure ATP, Azure Security Center, DNS (Windows DNS Server),
Microsoft Defender ATP, Microsoft Web Application Firewall, Windows Firewall, Windows
Security Events
The following external connectors were available:
▪ Amazon Web Services (AWS), Barracuda, Check Point, Palo Alto Networks, Fortinet, F5,
Symantec ICDX
2. Use overview dashboard and workbooks to get visibility across
enterprise
By connecting data sources to Microsoft Sentinel, we can immediately visualize and analyze
data from all connected sources. This keeps us informed about what is happening and lets
us customize interactive dashboards (workbooks) as needed.

3. Leverage analytics to detect threats


Once we connect data sources to Microsoft Sentinel, we can use its built-in analytics rule
templates to identify suspicious activities and threats. These templates were created by
Microsoft's security experts and analysts, using their knowledge of common attack patterns
and suspicious activity escalation chains. By enabling these templates, we are notified of
detected threats as incidents.
4. Hunt for threats
Security analysts must actively search for potential threats that may not have been detected
by automated rules. Microsoft Sentinel offers built-in hunting queries (written in KQL) to
help analysts ask the right questions and identify previously unknown threats; a hunting
query that proves reliable can be promoted to a scheduled analytics rule.
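The hunting workflow above, as an added example that is not part of the original plan: a KQL password-spray hunt over the Azure AD SigninLogs table, run from PowerShell with the Az.OperationalInsights module so it can be scripted alongside the rest of the deployment. The workspace ID is a placeholder, and the thresholds are starting points to tune against your own sign-in volume.

```powershell
# Added example, not part of the original plan. Assumes the Az.Accounts and
# Az.OperationalInsights modules, a Sentinel workspace with the Azure AD connector
# (SigninLogs table) enabled, and a placeholder workspace ID.
Import-Module Az.Accounts
Import-Module Az.OperationalInsights
Connect-AzAccount

$workspaceId = "00000000-0000-0000-0000-000000000000"   # placeholder: workspace (customer) ID

# Password-spray hunt: one source IP trying many distinct accounts and mostly failing.
# ResultType "0" is success; anything else is an error code (e.g. 50126 = wrong password).
$kql = @"
SigninLogs
| where TimeGenerated > ago(1d)
| summarize Failures      = countif(ResultType != "0"),
            Successes     = countif(ResultType == "0"),
            DistinctUsers = dcount(UserPrincipalName),
            SampleUsers   = make_set(UserPrincipalName, 10),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
  by IPAddress
| where DistinctUsers >= 10 and Failures >= 20
| project IPAddress, DistinctUsers, Failures, Successes, FirstSeen, LastSeen, SampleUsers
| order by Successes desc, Failures desc
"@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)

# A row with Successes > 0 is a spray that found a valid password: treat that account as
# compromised (reset, revoke sessions, confirm compromise in Identity Protection).
$result.Results | Format-Table IPAddress, DistinctUsers, Failures, Successes, LastSeen -AutoSize
$hits = $result.Results | Where-Object { [int]$_.Successes -gt 0 }
"{0} spraying IP(s), {1} with at least one successful sign-in" -f @($result.Results).Count, @($hits).Count
```

Known-good sources (VPN egress, a shared proxy) will show up with many distinct users and should be excluded by IP or by joining against an allow-list rather than by raising the thresholds, which would also hide a real spray.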

5. Investigate incidents
With Microsoft Sentinel we can investigate each detected threat in the context of the whole
incident, quickly view the status of every incident, and manage its full lifecycle.
6. Automate and orchestrate security operations
Microsoft Sentinel has built-in automation and orchestration, including pre-defined or
custom playbooks (Logic Apps), to automate repetitive tasks and respond to threats quickly.
Step 4: Protect and govern sensitive data
I. Deploy a Microsoft Information Protection Solution

1. Know your data

A sensitive information type is defined by a pattern that can be identified by a regular


expression or a function. In addition, corroborative evidence such as keywords and
checksums can be used to identify a sensitive information type.

2. Protect your data

Sensitivity labels from Microsoft Purview Information Protection let you classify and protect
your organization's data, while making sure that user productivity and their ability to
collaborate isn't hindered.
You can use sensitivity labels to:

• Provide protection settings that include encryption and content markings. For
example, apply a "Confidential" label to a document or email, and that label encrypts
the content and applies a "Confidential" watermark. Content markings include
headers and footers as well as watermarks, and encryption can also restrict what
actions authorized people can take on the content.
• Protect content in Office apps across different platforms and devices. Supported by
Word, Excel, PowerPoint, and Outlook on the Office desktop apps and Office on the
web. Supported on Windows, macOS, iOS, and Android.
• Protect meetings and chat by labeling (and optionally, encrypting) meeting invites
and any responses, and enforce Teams-specific options for the meeting and chat.

In all these cases, sensitivity labels from Microsoft Purview can help you take the right
actions on the right content. With sensitivity labels, you can identify the sensitivity of data
across your organization, and the label can enforce protection settings that are appropriate
for the sensitivity of that data. That protection then stays with the content.

3. Avoid data loss

3.1 Create and manage DLP policies for Microsoft 365 workloads

In Microsoft Purview, you implement data loss prevention by defining and applying DLP
policies. With a DLP policy, you can identify, monitor, and automatically protect sensitive
items across:

• Microsoft 365 services such as Teams, Exchange, SharePoint, and OneDrive


• Office applications such as Word, Excel, and PowerPoint
• Windows 10, Windows 11 and macOS (three latest released versions)
endpoints
• non-Microsoft cloud apps
• on-premises file shares and on-premises SharePoint.
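A DLP policy is a scope (the workloads listed above) plus one or more rules that pair a sensitive information type with an action. The following is an added example, not part of the original plan, that creates such a policy in test mode with the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module; the policy and rule names, the policy-tip text and the admin address are placeholders.

```powershell
# Added example, not part of the original plan. Assumes the ExchangeOnlineManagement module
# and a Microsoft Purview DLP licence; names, text and addresses are placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName admin@contoso.com   # Security & Compliance endpoint, not Exchange

# The policy defines scope. Start in test mode so users get policy tips but nothing is blocked.
$policy = @{
    Name               = "PCI - Payment card data"
    Comment            = "Detect and block external sharing of payment card numbers"
    ExchangeLocation   = "All"
    SharePointLocation = "All"
    OneDriveLocation   = "All"
    TeamsLocation      = "All"
    Mode               = "TestWithNotifications"   # switch to Enable after tuning
}
New-DlpCompliancePolicy @policy

# The rule defines condition and action. "Credit Card Number" is a built-in sensitive
# information type (pattern + Luhn checksum + keyword evidence); minConfidence drops weak hits.
$rule = @{
    Name                                = "Block external sharing of card numbers"
    Policy                              = "PCI - Payment card data"
    ContentContainsSensitiveInformation = @{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" }
    AccessScope                         = "NotInOrganization"   # only when shared outside the org
    BlockAccess                         = $true
    BlockAccessScope                    = "All"
    NotifyUser                          = @("LastModifier", "Owner")
    NotifyPolicyTipCustomText           = "This item contains payment card data and cannot be shared externally."
    NotifyAllowOverride                 = @("FalsePositive", "WithJustification")   # feeds the overrides report
    GenerateIncidentReport              = @("SiteAdmin")
    IncidentReportContent               = @("Title", "DocumentAuthor", "Detections", "Severity")
    ReportSeverityLevel                 = "High"
}
New-DlpComplianceRule @rule

# Review test-mode matches in the DLP reports, add exclusions for known false positives, then enforce:
# Set-DlpCompliancePolicy -Identity "PCI - Payment card data" -Mode Enable
Get-DlpCompliancePolicy -Identity "PCI - Payment card data" | Select-Object Name, Mode, Workload
```

Leaving `NotifyAllowOverride` on during the test phase is deliberate: the false-positive and override reports in section 3.3 are only useful if users can actually report one.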
3.2 Implement and manage Endpoint DLP
Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection
capabilities of DLP to sensitive items on Windows 10, Windows 11, and macOS. Activities
(like copying to USB devices or printing) performed on sensitive items are visible to users who
have access to the activity explorer once the devices have been onboarded in the Microsoft
Purview compliance portal.

3.3 Monitor DLP Reports

After you create your Microsoft Purview data loss prevention (DLP) policies, you'll want to
verify that they're working as you intended and helping you to stay compliant. With the DLP
reports in the Microsoft Purview compliance portal, you can quickly view:
DLP policy matches This report shows the count of DLP policy matches over time.
DLP false positives and overrides If your DLP policy allows users to override it or report a
false positive, this report shows a count of such instances over time.

3.4 Respond to DLP alerts and notifications

When a DLP policy alert notifies you of a DLP policy violation, it could mean several
things. Not all alerts mean that data loss is imminent or has been prevented.
DLP policies don't make decisions about why you're trying to share protected data, but they
notify you if a violation is observed.
Responding to policy violations can include escalating issues to your security team and
working closely with other business stakeholders. You should know the process for
contacting other teams and security before they are needed.
Configure DLP rule exclusions: This helps reduce the number of false positives from your
policy

II. Manage Data Privacy and Data Protection

By using Microsoft Purview and Microsoft Priva, you can take your Zero Trust security to the
next level and implement advanced data protection measures.
With Microsoft Purview Information Protection, you can easily discover, classify, and protect
sensitive information and govern sensitive data
The steps for this solution are as follows:

Manage data Privacy and Data Protection

1. Assess your organization's data and risk : Start your journey by understanding your
data and possible risks.
2. Protect and govern your data : Identify, categorize and manage the data you need to
protect.
3. Follow privacy regulations : Monitor your progress in running assessments and stay
up to date as regulations change.
4. Respond to data privacy incidents and subject requests : Set up alerts so you can
respond to privacy risks and automate your handling of data subject request
