Describe Microsoft 365 security and compliance capabilities Flashcards
Describe Microsoft Entra ID
Microsoft Entra ID, formerly Azure Active Directory, is Microsoft’s cloud-based identity and access management service. Organizations use Microsoft Entra ID to enable their employees, guests, and others to sign in and access the resources they need, including:
Internal resources, such as apps on your corporate network and intranet, and cloud apps developed by your own organization.
External services, such as Microsoft Office 365, the Azure portal, and any SaaS applications used by your organization.
Microsoft Entra ID simplifies the way organizations manage authorization and access by providing a single identity system for their cloud and on-premises applications. Microsoft Entra ID can be synchronized with your existing on-premises Active Directory, synchronized with other directory services, or used as a standalone service.
Microsoft Entra ID also allows organizations to securely enable the use of personal devices, such as mobiles and tablets, and enable collaboration with business partners and customers.
Identity Secure Score
Microsoft Entra ID includes an identity secure score, which is a percentage that functions as an indicator for how aligned you are with Microsoft’s best practice recommendations for security. Each improvement action in identity secure score is tailored to your specific configuration.
Identity secure score, which is available in all editions of Microsoft Entra ID, helps you to objectively measure your identity security posture, plan identity security improvements, and review the success of your improvements.
Microsoft Entra ID Basic terminology
When talking about Microsoft Entra ID, there’s some basic terminology that is important to understand.
Tenant - A Microsoft Entra tenant is an instance of Microsoft Entra ID in which information about a single organization resides including organizational objects such as users, groups, devices, and application registrations. A tenant also contains access and compliance policies for resources, such as applications registered in the directory. Each Microsoft Entra tenant has a unique ID (tenant ID) and a domain name (for example, contoso.onmicrosoft.com) and serves as a security and administrative boundary, allowing the organization to manage and control access to resources, applications, devices, and services.
Directory - The terms Microsoft Entra directory and Microsoft Entra tenant are often used interchangeably. The directory is a logical container within a Microsoft Entra tenant that holds and organizes the various resources and objects related to identity and access management including users, groups, applications, devices, and other directory objects. Basically, the directory is like a database or catalog of identities and resources associated with an organization’s tenant. A Microsoft Entra tenant consists of only one directory.
Multi-tenant - A multi-tenant organization is an organization that has more than one instance of Microsoft Entra ID. Reasons why an organization might have multiple tenants include organizations with multiple subsidiaries or business units that operate independently, organizations that merge or acquire companies, multiple geographical boundaries with various residency regulations, and more.
Who uses Microsoft Entra ID?
Microsoft Entra ID is used by IT admins to control access to corporate apps and resources, based on business requirements. For example, Microsoft Entra ID can be set up to require multi-factor authentication when accessing important organizational resources. It provides powerful tools to automatically help protect user identities and credentials and to meet an organization’s access governance requirements.
Developers use Microsoft Entra ID as a standards-based approach for adding single sign-on (SSO) to their apps, so that users can sign in with their pre-existing credentials. Microsoft Entra ID also provides application programming interfaces (APIs) that allow developers to build personalized app experiences using existing organizational data.
Subscribers to Azure services, Microsoft 365, or Dynamics 365 automatically have access to Microsoft Entra ID. Users of these services can take advantage of included services and can also enhance their Microsoft Entra implementation by upgrading to premium licenses.
Describe types of identities in Microsoft Entra ID
When you ask the question “to what can I assign an identity in Microsoft Entra ID?”, there are three categories.
You can assign identities to people (humans). Examples of identities assigned to people are employees of an organization that are typically configured as internal users, and external users that include customers, consultants, vendors, and partners. For our purposes, we’ll refer to these as user identities.
You can assign identities to physical devices, such as mobile phones, desktop computers, and IoT devices.
Lastly, you can assign identities to software-based objects, such as applications, virtual machines, services, and containers. These identities are referred to as workload identities.
User identities
Internal member: These users are typically considered employees of your organization. The user authenticates internally via their organization’s Microsoft Entra ID, and the user object created in the resource Microsoft Entra directory has a UserType of Member.
External guest: External users or guests, including consultants, vendors, and partners, typically fall into this category. The user authenticates using an external Microsoft Entra account or an external identity provider (such as a social identity). The user object created in the resource Microsoft Entra directory has a UserType of Guest, giving them limited, guest-level permissions.
External member: This scenario is common in organizations consisting of multiple tenants. Consider the scenario where the Contoso Microsoft Entra tenant and the Fabrikam Microsoft Entra tenant are tenants within one large organization. Users from the Contoso tenant need member level access to resources in Fabrikam. In this scenario, Contoso users are configured in the Fabrikam Microsoft Entra directory such that they authenticate with their Contoso account, which is external to Fabrikam, but have a UserType of Member to enable member-level access to Fabrikam’s organizational resources.
Internal guest: This scenario exists when organizations who collaborate with distributors, suppliers, and vendors set up internal Microsoft Entra accounts for these users but designate them as guests by setting the user object UserType to Guest. As a guest, they have reduced permissions in the directory. This is considered a legacy scenario as it is now more common to use B2B collaboration. With B2B collaboration users can use their own credentials, allowing their external identity provider to manage authentication and their account lifecycle.
Workload identities
A workload identity is an identity you assign to a software workload. This enables the software workload to authenticate to and access other services and resources. This helps secure your workload.
Securing your workload identities is important because unlike a human user, a software workload may deal with multiple credentials to access different resources and those credentials need to be stored securely. It’s also hard to track when a workload identity is created or when it should be revoked. Enterprises risk their applications or services being exploited or breached because of difficulties in securing workload identities.
Microsoft Entra Workload ID helps resolve these issues when securing workload identities.
In Microsoft Entra, workload identities are applications, service principals, and managed identities.
Applications and service principals
A service principal is, essentially, an identity for an application. For an application to delegate its identity and access functions to Microsoft Entra ID, the application must first be registered with Microsoft Entra ID to enable its integration. Once an application is registered, a service principal is created in each Microsoft Entra tenant where the application is used. The service principal enables core features such as authentication and authorization of the application to resources that are secured by the Microsoft Entra tenant.
For the service principals to be able to access resources secured by the Microsoft Entra tenant, application developers must manage and protect the credentials. If not done correctly, this can introduce security vulnerabilities. Managed identities help off-load that responsibility from the developer.
System-assigned and user-assigned managed identities
There are two types of managed identities: system-assigned and user-assigned.
System-assigned. Some Azure resources, such as virtual machines, allow you to enable a managed identity directly on the resource. When you enable a system-assigned managed identity, an identity is created in Microsoft Entra that’s tied to the lifecycle of that Azure resource. Because the identity is tied to the lifecycle of that Azure resource, when the resource is deleted, Azure automatically deletes the identity for you. An example where you may find a system-assigned identity is when a workload is contained within a single Azure resource, such as an application that runs on a single virtual machine.
User-assigned. You may also create a managed identity as a standalone Azure resource. Once you create a user-assigned managed identity, you can assign it to one or more instances of an Azure service. For example, a user-assigned managed identity can be assigned to multiple VMs. With user-assigned managed identities, the identity is managed separately from the resources that use it. Deleting the resources that use the user-assigned managed identity doesn’t delete the identity. The user-assigned managed identity must be explicitly deleted. This is useful in a scenario where you may have multiple VMs that all have the same set of permissions but may get recycled frequently. Deleting any of the VMs doesn’t impact the user-assigned managed identity. Similarly, you can create a new VM and assign it the existing user-assigned managed identity.
Device
A device is a piece of hardware, such as mobile devices, laptops, servers, or printers. A device identity gives administrators information they can use when making access or configuration decisions. Device identities can be set up in different ways in Microsoft Entra ID.
Microsoft Entra registered devices. The goal of Microsoft Entra registered devices is to provide users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s resources using a personal device. Microsoft Entra registered devices register to Microsoft Entra ID without requiring an organizational account to sign in to the device.
Microsoft Entra joined. A Microsoft Entra joined device is a device joined to Microsoft Entra ID through an organizational account, which is then used to sign in to the device. Microsoft Entra joined devices are generally owned by the organization.
Microsoft Entra hybrid joined devices. Organizations with existing on-premises Active Directory implementations can benefit from the functionality provided by Microsoft Entra ID by implementing Microsoft Entra hybrid joined devices. These devices are joined to both your on-premises Active Directory and Microsoft Entra ID, requiring an organizational account to sign in to the device.
Registering and joining devices to Microsoft Entra ID gives users Single Sign-on (SSO) to cloud-based resources. Additionally, devices that are Microsoft Entra joined benefit from the SSO experience to resources and applications that rely on on-premises Active Directory.
IT admins can use tools like Microsoft Intune, a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM), to control how an organization’s devices are used. For more information, see Microsoft Intune.
Groups
In Microsoft Entra ID, if you have several identities with the same access needs, you can create a group. You use groups to give access permissions to all members of the group, instead of having to assign access rights individually. Limiting access to Microsoft Entra resources to only those identities who need access is one of the core security principles of Zero Trust.
There are two group types:
Security: A security group is the most common type of group and it’s used to manage user and device access to shared resources. For example, you may create a security group for a specific security policy such as Self-service password reset or for use with a conditional access policy to require MFA. Members of a security group can include users (including external users), devices, other groups, and service principals. Creating security groups requires a Microsoft Entra administrator role.
Microsoft 365: A Microsoft 365 group, which is also often referred to as a distribution group, is used for grouping users according to collaboration needs. For example, you can give members of the group access to a shared mailbox, calendar, files, SharePoint sites, and more. Members of a Microsoft 365 group can only include users, including users outside of your organization. Because Microsoft 365 groups are intended for collaboration, the default is to allow users to create Microsoft 365 groups, so you don’t need an administrator role.
Groups can be configured to allow members to be assigned, that is, manually selected, or they can be configured for dynamic membership. Dynamic membership uses rules to automatically add and remove identities.
Describe hybrid identity
Microsoft’s identity solutions span on-premises and cloud-based capabilities. These solutions create a common identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity.
Hybrid identity is accomplished through provisioning and synchronization.
Inter-directory provisioning is provisioning an identity between two different directory services systems. For a hybrid environment, the most common scenario for inter-directory provisioning is when a user already in Active Directory is provisioned into Microsoft Entra ID.
Synchronization is responsible for making sure identity information for your on-premises users and groups matches the cloud.
One of the available methods for accomplishing inter-directory provisioning and synchronization is through Microsoft Entra Cloud Sync. Microsoft Entra Cloud Sync is designed to meet and accomplish your hybrid identity goals for the provisioning and synchronization of users, groups, and contacts to Microsoft Entra ID. It accomplishes this by using the Microsoft Entra cloud provisioning agent. The agent provides a lightweight inter-directory provisioning experience that acts as a bridge between Microsoft Entra ID and Active Directory. An organization only needs to deploy the agent in their on-premises or IaaS-hosted environment. The provisioning configuration is stored in Microsoft Entra ID and managed as part of the service.
The Microsoft Entra Cloud Sync provisioning agent uses the System for Cross-domain Identity Management (SCIM) specification with Microsoft Entra ID to provision and deprovision users and groups. The SCIM specification is a standard that is used to automate the exchanging of user or group identity information between identity domains such as Microsoft Entra ID and is becoming the de facto standard for provisioning.
Describe external identities
Today’s world is about collaboration, working with people both inside and outside of your organization. That means you’ll sometimes need to provide access to your organization’s applications or data to external users.
Microsoft Entra External ID combines powerful solutions for working with people outside of your organization. With External ID capabilities, you can allow external identities to securely access your apps and resources. Whether you’re working with external partners, consumers, or business customers, users can bring their own identities. These identities can range from corporate or government-issued accounts to social identity providers like Google or Facebook.
Microsoft Entra External ID addresses the scenarios that are encountered when it comes to working with external users.
Collaborate with business guests
Secure your apps for consumers and business customers
Also, each of these scenarios suggests a different approach for how an organization configures their Microsoft Entra ID tenant.
There are two ways to configure a tenant, depending on how the organization intends to use the tenant and the resources they want to manage:
A workforce tenant configuration is for your employees, internal business apps, and other organizational resources. You can invite external business partners and guests to your workforce tenant.
An external tenant configuration is used exclusively for External ID scenarios where you want to publish apps to consumers or business customers.
Describe Conditional Access
Conditional Access is a feature of Microsoft Entra ID that provides an extra layer of security before allowing authenticated users to access data or other assets. Conditional Access is implemented through policies that are created and managed in Microsoft Entra ID. A Conditional Access policy analyses signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data).
Conditional Access policies at their simplest are if-then statements. For example, a Conditional Access policy might state that if a user belongs to a certain group, then they’re required to provide multifactor authentication to sign in to an application.
Assignments
When creating a conditional access policy, admins can determine which signals to use through assignments. The assignments portion of the policy controls the who, what, where, and when of the Conditional Access policy. All assignments are logically ANDed. If you have more than one assignment configured, all assignments must be satisfied to trigger a policy. Some of the assignments include:
Users assign who the policy will include or exclude. This assignment can include all users in the directory, specific users and groups, directory roles, external guests, and workload identities.
Target resources include applications or services, user actions, Global Secure Access (preview), or authentication context.
Cloud apps - Administrators can choose from the list of applications or services that include built-in Microsoft applications, including Microsoft Cloud applications, Office 365, the Windows Azure Service Management API, Microsoft Admin portals, and any Microsoft Entra registered applications.
User actions - Administrators can choose to define policy not based on a cloud application but on a user action like Register security information or Register or join devices, allowing Conditional Access to enforce controls around those actions.
Global Secure Access (preview) - Administrators can use Conditional Access policies to secure the traffic that passes through the Global Secure Access service. This is done by defining traffic profiles in Global Secure Access. Conditional Access policies can then be assigned to the Global Secure Access traffic profile.
Authentication context - Authentication context can be used to further secure data and actions in applications. For example, users that have access to specific content in a SharePoint site may be required to access that content via a managed device or agree to specific terms of use.
Network allows you to control user access based on the user’s network or physical location. You can include any network or location, locations marked as trusted networks or trusted IP address ranges, or named locations. You can also identify compliant networks that are made up of users and devices that comply with your organization’s security policies.
Conditions define where and when the policy will apply. Multiple conditions can be combined to create fine-grained and specific Conditional Access policies. Some of the conditions include:
Sign-in risk and user risk. Integration with Microsoft Entra ID Protection allows Conditional Access policies to identify suspicious actions related to user accounts in the directory and trigger a policy. Sign-in risk is the probability that a given sign-in, or authentication request, isn’t authorized by the identity owner. User risk is the probability that a given identity or account is compromised.
Insider risk. Administrators with access to Microsoft Purview adaptive protection can incorporate risk signals from Microsoft Purview into Conditional Access policy decisions. Insider risk takes into account your data governance, data security, and risk and compliance configurations from Microsoft Purview.
Device platform. Device platform, which is characterized by the operating system that runs on a device, can be used when enforcing Conditional Access policies.
Client apps. Client apps, the software the user is employing to access the cloud app, including browsers, mobile apps, and desktop clients, can also be used in access policy decisions.
Filters for devices. Organizations can enforce policies based on device properties, by using the filters for devices option. As an example, this option may be used to target policies to specific devices like privileged access workstations.
In essence, the assignments portion controls the who, what, and where of the Conditional Access policy.
Access controls
When the Conditional Access policy has been applied, an informed decision is reached on whether to block access, grant access, grant access with extra verification, or apply a session control to enable a limited experience. The decision is referred to as the access controls portion of the Conditional Access policy and defines how a policy is enforced. Common decisions are:
Block access
Grant access. Administrators can grant access without any additional control, or they can choose to enforce one or more controls when granting access. Examples of controls used to grant access include requiring users to perform multifactor authentication, requiring specific authentication methods to access a resource, requiring devices to meet specific compliance policy requirements, require a password change, and more. For a complete list, refer to Grant controls in Conditional Access policy.
Session. Within a Conditional Access policy, an administrator can make use of session controls to enable limited experiences within specific cloud applications. As an example, Conditional Access App Control uses signals from Microsoft Defender for Cloud Apps to block the download, cut, copy, and print capabilities for sensitive documents, or to require labeling of sensitive files. Other session controls include sign-in frequency and application enforced restrictions that, for selected applications, use the device information to provide users with a limited or full experience, depending on the device state. For a complete list, refer to Session controls in Conditional Access policy.
In summary, the assignments portion controls the who, what, and where of the Conditional Access policy while the access controls portion controls how a policy is enforced.
Describe Global Secure Access in Microsoft Entra
Microsoft Entra now provides a new set of products under the heading of Microsoft Global Secure Access. Global Secure Access is the unifying term used for both Microsoft Entra Internet Access and Microsoft Entra Private Access.
Microsoft Entra Internet Access secures access to Software as a Service (SaaS) applications, including Microsoft Services, and public internet apps while protecting users, devices, and data against internet threats.
Microsoft Entra Private Access provides your users, whether in an office or working remotely, secure access to your private, corporate resources.
Microsoft Entra Internet Access and Microsoft Entra Private Access come together as a solution that converges Zero Trust network, identity, and endpoint access controls so that you can secure access to any app or resource, from any location, device, or identity. This type of solution represents a new network security category called Security Service Edge (SSE).
SSE helps address security challenges such as:
The need to reduce the risk of lateral movement through a compromised VPN tunnel.
The need to put a perimeter around internet-based assets.
The need to improve service in remote office locations, such as branch offices.
Microsoft’s Security Service Edge solution, Global Secure Access, provides advanced protections for your internet-based resources and resources running in your private cloud or on-premises infrastructure, to help address security challenges.
The solution employs a Global Secure Access client that gives organizations control over network traffic at the end-user computing device. Organizations gain the ability to route specific traffic profiles through Microsoft Entra Internet Access and Microsoft Entra Private Access. Routing traffic in this way allows for more controls, enabled by deep integration with Conditional Access policies and risks assessed in real time across identity, device, location, and applications, to protect any app or resource.
Microsoft Entra Private Access
VPN solutions are often used as a primary method to control corporate network access. Once private network connectivity is established, the front door to your network is unlocked and on top of that, it’s common for users and devices to be over-permissioned. This significantly increases your organization’s attack surface.
Microsoft Entra Private Access can be deployed to block lateral attack movement, reduce excessive access, and replace legacy VPNs. The service provides your users - whether in an office or working remotely - secured access to your private, corporate resources.
Conceptually, the way Private Access works is that for a given set of private resources you want to secure, you set up a new enterprise application that serves as a container for those private resources. The new application has a network connector that serves as a broker between the Private Access service and the resource a user wants to access. Now clearly, enterprises have different requirements for accessing different private resources, so Microsoft Entra Private Access provides two ways in which you can set up the private resources you want to have accessed through the service.
Quick Access - As previously described, Private Access works by creating a new enterprise application that serves as a container for the private resources you want to secure. With Quick Access, you determine which private resources to add to the “container” or enterprise application, which we’ll call the Quick Access application. The private resources you add to the Quick Access application are defined by the FQDN, IP address or IP address range, and ports used to access the resource. This information is referred to as a Quick Access application segment. You can add many application segments to the Quick Access application. You can then link Conditional Access policies to the Quick Access application.
Global Secure Access app - Global Secure Access app, also referred to as Per-app Access, provides a more granular approach. With Global Secure Access app, you can create multiple “containers” or enterprise applications. For each of these new enterprise apps, you define the properties of the private resource, assign users and groups, and assign specific Conditional Access policies. For example, you may have a group of private resources you need to secure, but for which you want to set different access policies based on how users are accessing the resource or for a specific time frame.
Microsoft Entra Internet Access
A Secure Web Gateway (SWG) is a cybersecurity solution that protects users from web-based threats by filtering internet traffic and enforcing security policies.
Microsoft Entra Internet Access provides an identity-centric Secure Web Gateway (SWG) solution for Software as a Service (SaaS) applications, including Microsoft Services, and other Internet traffic. It protects users, devices, and data from the Internet’s wide threat landscape with best-in-class security controls and visibility through Traffic Logs.
Some of the key features include:
Protection against user identity or token theft by using Conditional Access policies to perform a compliant network check for access to resources.
Compliant network enforcement happens at the authentication plane and at the data plane. Authentication plane enforcement is performed by Microsoft Entra ID at the time of user authentication. Data plane enforcement works with services that support Continuous Access Evaluation (CAE).
Continuous Access Evaluation (CAE) is a security feature where apps and Microsoft Entra constantly communicate to ensure user access is up-to-date and secure. If something changes, like a user’s location or a security concern arises, the system can quickly adjust or block access in near real-time, ensuring policies are always enforced.
Tenant restrictions to prevent data exfiltration to other tenants or personal accounts including anonymous access.
Internet Access traffic forwarding profile policies to control which internet sites can be accessed to ensure remote workers connect to the internet in a controlled and secure way.
Web content filtering to regulate access to websites based on their content categories and domain names.
Global Secure Access Dashboard
Global Secure Access includes a dashboard that provides you with visualizations of the network traffic acquired by the Microsoft Entra Private and Microsoft Entra Internet Access services. The dashboard compiles the data from your network configurations, including devices, users, and tenants into several widgets. Those widgets, in turn, provide you with information you can use to monitor and improve your network configurations. Some of the available widgets include:
Global Secure Access snapshot
Alerts and notifications (preview)
Usage profiling (preview)
Cross-tenant access
Web category filtering
Device status
Global Secure Access snapshot
The Global Secure Access snapshot widget provides a summary of how many users and devices are using the service and how many applications were secured through the service. The widget defaults to showing all types of traffic, but you can change the filter to show Internet Access, Private Access, or Microsoft traffic.
Describe Microsoft Entra roles and role-based access control (RBAC)
Microsoft Entra roles control permissions to manage Microsoft Entra resources. For example, allowing user accounts to be created, or billing information to be viewed. Microsoft Entra ID supports built-in and custom roles.
Managing access using roles is known as role-based access control (RBAC). Microsoft Entra built-in and custom roles are a form of RBAC in that Microsoft Entra roles control access to Microsoft Entra resources. This is referred to as Microsoft Entra RBAC.
Built-in roles
Microsoft Entra ID includes many built-in roles, which are roles with a fixed set of permissions. A few of the most common built-in roles are:
Global administrator: users with this role have access to all administrative features in Microsoft Entra. The person who signs up for the Microsoft Entra tenant automatically becomes a global administrator.
User administrator: users with this role can create and manage all aspects of users and groups. This role also includes the ability to manage support tickets and monitor service health.
Billing administrator: users with this role make purchases, manage subscriptions and support tickets, and monitor service health.
All built-in roles are preconfigured bundles of permissions designed for specific tasks. The fixed set of permissions included in the built-in roles can’t be modified.
Custom roles
Although there are many built-in admin roles in Microsoft Entra, custom roles give flexibility when granting access. A custom role definition is a collection of permissions that you choose from a preset list. The list of permissions to choose from is the same set of permissions used by the built-in roles. The difference is that you get to choose which permissions you want to include in a custom role.
Granting permission using custom Microsoft Entra roles is a two-step process. The first step involves creating a custom role definition, consisting of a collection of permissions that you add from a preset list. Once you’ve created your custom role definition, the second step is to assign that role to users or groups by creating a role assignment.
A role assignment grants the user the permissions in a role definition, at a specified scope. A scope defines the set of Microsoft Entra resources the role member has access to. A custom role can be assigned at organization-wide scope, meaning the role member has the role permissions over all resources. A custom role can also be assigned at an object scope. An example of an object scope would be a single application. The same role can be assigned to one user over all applications in the organization and then to another user with a scope of only the Contoso Expense Reports app.
Custom roles require a Microsoft Entra ID P1 or P2 license.
Categories of Microsoft Entra roles
Microsoft Entra ID is an available service if you subscribe to any Microsoft Online business offer, such as Microsoft 365 and Azure.
Available Microsoft 365 services include Microsoft Entra ID, Exchange, SharePoint, Microsoft Defender, Teams, Intune, and many more.
Over time, some Microsoft 365 services, such as Exchange and Intune, have developed their own role-based access control (RBAC) systems, just as the Microsoft Entra service has Microsoft Entra roles to control access to Microsoft Entra resources. Other services, such as Teams and SharePoint, don’t have separate role-based access control systems; they use Microsoft Entra roles for their administrative access.
To make it convenient to manage identity across Microsoft 365 services, Microsoft Entra ID has added some service-specific, built-in roles, each of which grants administrative access to a Microsoft 365 service. This means that Microsoft Entra built-in roles differ in where they can be used. There are three broad categories.
Microsoft Entra specific roles: These roles grant permissions to manage resources within Microsoft Entra ID only. For example, User Administrator, Application Administrator, and Groups Administrator all grant permissions to manage resources that live in Microsoft Entra ID.
Service-specific roles: For major Microsoft 365 services, Microsoft Entra ID includes built-in, service-specific roles that grant permissions to manage features within the service. For example, Microsoft Entra ID includes the built-in Exchange Administrator, Intune Administrator, SharePoint Administrator, and Teams Administrator roles, which can manage features within their respective services.
Cross-service roles: There are some roles within Microsoft Entra ID that span services. For example, Microsoft Entra ID has security-related roles, like Security Administrator, that grant access across multiple security services within Microsoft 365. Similarly, the Compliance Administrator role grants access to manage Compliance-related settings in Microsoft 365 Compliance Center, Exchange, and so on.
Difference between Microsoft Entra RBAC and Azure RBAC
As described above, Microsoft Entra built-in and custom roles are a form of RBAC in that they control access to Microsoft Entra resources. This is referred to as Microsoft Entra RBAC. In the same way that Microsoft Entra roles can control access to Microsoft Entra resources, so too can Azure roles control access to Azure resources. This is referred to as Azure RBAC. Although the concept of RBAC applies to both Microsoft Entra RBAC and Azure RBAC, what they control are different.
Microsoft Entra RBAC - Microsoft Entra roles control access to Microsoft Entra resources such as users, groups, and applications.
Azure RBAC - Azure roles control access to Azure resources such as virtual machines or storage using Azure Resource Management.
There are different data stores where role definitions and role assignments are stored. Similarly, there are different policy decision points where access checks happen.
Describe Microsoft Defender XDR services
Microsoft Defender XDR is an enterprise defense suite of solutions that protects against sophisticated cyberattacks. Microsoft Defender XDR allows admins to assess threat signals from endpoints, applications, email, and identities to determine an attack’s scope and impact. It gives greater insight into how the threat occurred, and what systems have been affected. Microsoft Defender XDR can then take automated action to prevent or stop the attack.
The Microsoft Defender XDR suite includes:
Microsoft Defender for Endpoint - Microsoft Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
Defender Vulnerability Management - Microsoft Defender Vulnerability Management delivers continuous asset visibility, intelligent risk-based assessments, and built-in remediation tools to help your security and IT teams prioritize and address critical vulnerabilities and misconfigurations across your organization.
Microsoft Defender for Office 365 - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
Microsoft Defender for Identity - Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
Microsoft Defender for Cloud Apps - Microsoft Defender for Cloud Apps delivers full protection for software as a service (SaaS) applications. Defender for Cloud Apps is a cloud access security broker that brings deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
Microsoft Defender XDR now also integrates with Microsoft Security Copilot. Integration with Security Copilot can be experienced through the standalone and embedded experiences.
The information and insights surfaced by the Microsoft Defender XDR suite of solutions are centralized in the Microsoft Defender portal, which delivers a unified security operations platform. As a unified security operations platform, the Microsoft Defender portal now includes information and insights from other Microsoft security products, including Microsoft Sentinel and Microsoft Defender for Cloud.
Users also access the Microsoft Threat Intelligence solution from the Microsoft Defender XDR portal. Microsoft Defender TI aggregates and enriches critical threat information to support security analysts’ triage, incident response, threat hunting, and vulnerability management workflows.
Describe Microsoft Defender for Office 365
Microsoft Defender for Office 365 is a seamless integration into your Office 365 subscription that provides protection against threats, like phishing and malware, that arrive in email links (URLs), attachments, or collaboration tools like SharePoint, Teams, and Outlook. Defender for Office 365 provides real-time views of threats. It also provides investigation, hunting, and remediation capabilities to help security teams identify, prioritize, investigate, and respond to threats.
Microsoft Defender for Office 365, which is available in two plans, Microsoft Defender for Office 365 Plan 1 and Plan 2, safeguards organizations against malicious threats by providing admins and security operations (SecOps) teams a wide range of capabilities.
These capabilities can be categorized into the following security emphases:
Preventing and detecting threats
Investigating threats
Responding to threats
Prevent and detect
Some of the features of Microsoft Defender for Office 365 that help organizations prevent and detect email and collaboration-based threats include:
Anti-malware protection that protects against major categories of malware, including viruses, spyware, and ransomware.
Anti-spam protection that uses content filtering technologies to identify and separate junk email from legitimate email.
Anti-phishing (spoofing) protection to protect against phishing (spoofed) email attacks that try to steal sensitive information in messages that appear to be from legitimate or trusted senders.
Outbound spam filtering
Connection filtering to help identify good or bad source email servers by IP addresses.
Quarantine policies to define the user experience for quarantined messages
The Submissions page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis.
Safe attachments that provide an additional layer of protection against malware. After files are scanned by the common virus detection engine in Microsoft 365, Safe Attachments opens files in a virtual environment to see what happens (a process known as detonation).
Safe Links scanning that protects your organization from malicious links that are used in phishing and other attacks.
Email and collaboration alerts
Attack simulation training, which allows admins to run realistic attack scenarios in your organization. These simulated attacks help identify and train vulnerable users before a real attack impacts your bottom line.
Security information and event management (SIEM) integration for alerts.
Investigate
Some of the features of Microsoft Defender for Office 365 that help organizations investigate email and collaboration-based threats include:
Audit log search, which lets users with appropriate permissions, such as admins, insider risk teams, and compliance and legal investigators, gain visibility into the activities of the organization.
Message trace capabilities. Message trace follows email messages as they travel through your Microsoft 365 organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
Reports to help you see how email security features are protecting your organization.
Explorer (also known as Threat Explorer) or Real-time detections, which are near real-time tools that help Security Operations (SecOps) teams investigate and respond to threats. Explorer allows admins to see malware detected by Microsoft 365 security features, start an automated investigation and response process, investigate malicious email, and more.
Security information and event management (SIEM) integration for detections.
URL trace that allows admins to investigate a domain to see if the devices and servers in your enterprise network have been communicating with a known malicious domain.
Threat trackers that are queries that you create and save to automatically or manually discover cybersecurity threats in your organization.
The campaigns feature that identifies and categorizes coordinated phishing and malware email attacks. The campaigns feature lets you see the overall picture of an email attack faster and more completely than any human.
Respond
Some of the features of Microsoft Defender for Office 365 that help organizations respond to email and collaboration-based threats include:
Zero-hour auto purge (ZAP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes.
Automated investigation and response (AIR) capabilities that include automated investigation processes in response to well-known threats that exist today.
Security information and event management (SIEM) integration for automated responses.
For a complete listing of the features in each plan, see the Microsoft Defender for Office 365 security product overview document that is linked in the summary and resources unit of this module.
Describe Microsoft Defender for Endpoint
Microsoft Defender for Endpoint is a platform designed to help enterprise networks protect endpoints including laptops, phones, tablets, PCs, access points, routers, and firewalls. It does so by preventing, detecting, investigating, and responding to advanced threats. Microsoft Defender for Endpoint embeds technology built into Windows 10 and beyond, and Microsoft cloud services. This technology includes:
Endpoint behavioral sensors that are embedded in Windows 10 and beyond that collect and process signals from the operating system.
Cloud security analytics that translate behavioral signals into insights, detections, and recommended responses to advanced threats.
Threat intelligence that enables Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when they’re observed in collected sensor data.
Microsoft Defender for Endpoint includes:
Core Defender Vulnerability Management: Built-in core vulnerability management capabilities use a risk-based approach to the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations.
Attack surface reduction: The attack surface reduction set of capabilities provides the first layer of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, the capabilities resist attacks and exploitation. This set of capabilities also includes network protection and web protection, which regulate access to malicious IP addresses, domains, and URLs.
Next generation protection: Next-generation protection was designed to catch all types of emerging threats. In addition to Microsoft Defender Antivirus, your next-generation protection services include the following capabilities:
Behavior-based, heuristic, and real-time antivirus protection.
Cloud-delivered protection, which includes near-instant detection and blocking of new and emerging threats.
Dedicated protection and product updates, which include updates related to keeping Microsoft Defender Antivirus up to date.
Endpoint detection and response: Provides advanced attack detections that are near real time and actionable. Security analysts can prioritize alerts, see the full scope of a breach, and take response actions to remediate threats.
Automated investigation and remediation (AIR): The technology in automated investigation uses various inspection algorithms and is based on processes that are used by security analysts. AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives.
Microsoft Secure Score for Devices: Microsoft Secure Score for Devices helps you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization.
Microsoft Threat Experts: Microsoft Threat Experts is a managed threat hunting service that provides proactive hunting, prioritization, and additional context and insights that further empower security operations centers (SOCs) to identify and respond to threats quickly and accurately.
Management and APIs: Defender for Endpoint offers an API model designed to expose entities and capabilities through a standard Microsoft Entra ID-based authentication and authorization model.
Microsoft Defender for Endpoint also integrates with various components in the Microsoft Defender suite, and with other Microsoft solutions including Intune and Microsoft Defender for Cloud.
Microsoft Defender for Endpoint is available in two plans, Defender for Endpoint Plan 1 and Plan 2. Information on what’s included in each plan is detailed in the Compare Microsoft Defender for Endpoint plans document linked in the summary and resources unit.
Describe Microsoft Defender for Cloud Apps
Software as a service (SaaS) apps are ubiquitous across hybrid work environments. Protecting SaaS apps and the important data they store is a significant challenge for organizations. The rise in app usage, combined with employees accessing company resources outside of the corporate perimeter, has also introduced new attack vectors. To combat these attacks effectively, security teams need an approach that protects their data within cloud apps beyond the traditional scope of cloud access security brokers (CASBs).
Microsoft Defender for Cloud Apps delivers full protection for SaaS applications, helping you monitor and protect your cloud app data across the following feature areas:
Fundamental cloud access security broker (CASB) functionality. A CASB acts as a gatekeeper to broker real-time access between your enterprise users and the cloud resources they use. CASBs help organizations protect their environment by providing a wide range of capabilities across key functional areas including: discovery into cloud app usage and shadow IT, protection against app-based threats from anywhere in the cloud, information protection, and compliance.
SaaS Security Posture Management (SSPM) features, enabling security teams to improve the organization’s security posture
Advanced threat protection, as part of Microsoft’s extended detection and response (XDR) solution, enabling powerful correlation of signal and visibility across the full kill chain of advanced attacks
App-to-app protection, extending the core threat scenarios to OAuth-enabled apps that have permissions and privileges to critical data and resources.
Discover SaaS applications
Defender for Cloud Apps shows the full picture of risks to your environment from SaaS app usage and resources, and gives you control of what’s being used and when.
Identify: Defender for Cloud Apps uses data based on an assessment of network traffic and an extensive app catalog to identify apps accessed by users across your organization.
Assess: Evaluate discovered apps for more than 90 risk indicators, allowing you to sort through the discovered apps and assess your org’s security and compliance posture.
Manage: Set policies that monitor apps around the clock. For example, if anomalous behavior happens, like unusual spikes in usage, you’re automatically alerted and guided to action.
Information protection
Defender for Cloud Apps connects to SaaS apps to scan for files containing sensitive data, uncovering which data is stored where and who is accessing it. To protect this data, organizations can implement controls such as:
Apply a sensitivity label
Block downloads to an unmanaged device
Remove external collaborators on confidential files
The Defender for Cloud Apps integration with Microsoft Purview also enables security teams to leverage out-of-the-box data classification types in their information protection policies and control sensitive information with data loss prevention (DLP) features.
SaaS Security Posture Management (SSPM)
Optimizing an organization’s security posture is important, but security teams are challenged by needing to research best practices for each app individually. Defender for Cloud Apps helps by surfacing misconfigurations and recommending specific actions to strengthen the security posture for each connected app. Recommendations are based on industry standards like the Center for Internet Security and follow best practices set by the specific app provider.
Defender for Cloud Apps automatically provides SSPM data in Microsoft Secure Score, for any supported and connected app.
Advanced threat protection
Cloud apps continue to be a target for adversaries trying to exfiltrate corporate data. Sophisticated attacks often cross modalities. Attacks often start from email as the most common entry point then move laterally to compromise endpoints and identities, before ultimately gaining access to in-app data.
Defender for Cloud Apps offers built-in adaptive access control (AAC), provides user and entity behavior analysis (UEBA), and helps you mitigate these types of attacks.
Defender for Cloud Apps is also integrated directly into Microsoft Defender XDR, correlating extended detection and response (XDR) signals from the Microsoft Defender suite and providing incident-level detection, investigation, and powerful response capabilities. Integrating SaaS security into Microsoft’s XDR experience gives SOC teams full kill chain visibility and improves operational efficiency and effectiveness.
App to app protection with app governance
OAuth, an open standard for token-based authentication and authorization, enables a user’s account information to be used by third-party services, without exposing the user’s password. Apps that use OAuth often have extensive permissions to access data in other apps on behalf of a user, making OAuth apps susceptible to a compromise.
Defender for Cloud Apps closes the gap on OAuth app security, helping you protect inter-app data exchange with application governance. With Defender for Cloud Apps, you can watch for unused apps and monitor both current and expired credentials to govern the apps used in your organization and maintain app hygiene.
Describe Microsoft Defender for Identity
Microsoft Defender for Identity is a cloud-based security solution that uses signals from your on-premises identity infrastructure servers to detect threats, like privilege escalation or high-risk lateral movement, and reports on easily exploited identity issues.
At a high level, the way Microsoft Defender for Identity works is as follows:
Microsoft Defender for Identity uses software-based sensors installed on your on-premises identity infrastructure servers (domain controllers and servers running Active Directory Federation Services and Active Directory Certificate Services).
The Defender for Identity sensor accesses the event logs it requires directly from the servers. After the logs and network traffic are parsed by the sensor, Defender for Identity sends only the parsed information to the Defender for Identity cloud service. The Defender for Identity cloud service uses the data and signals obtained to deliver an identity threat detection and response (ITDR) solution. Microsoft Defender for Identity provides security professionals managing a hybrid environment with the functionality to:
Prevent breaches, by proactively assessing your identity posture.
Detect threats, using real-time analytics and data intelligence.
Investigate suspicious activities, using clear, actionable incident information.
Respond to attacks, using automatic response to compromised identities.
The configuration of the service and the signals and insights generated by the Microsoft Defender for Identity service are exposed through the Microsoft Defender portal that provides security teams a unified experience for investigating and responding to attacks.
Proactively assess your identity posture
Defender for Identity provides you with a clear view of your identity security posture, helping you to identify and resolve security issues before they can be exploited by attackers. For example, Microsoft Defender for Identity continuously monitors your environment to identify sensitive accounts with the riskiest lateral movement paths that expose a security risk, and reports on these accounts to assist you in managing your environment. Defender for Identity security assessments, available from Microsoft Secure Score, provide extra insights to improve your organizational security posture and policies.
Detect threats, using real-time analytics and data intelligence
Defender for Identity monitors and analyzes user activities and information across your network, including permissions and group membership, creating a behavioral baseline for each user. Defender for Identity then identifies anomalies with adaptive built-in intelligence. It gives insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organization. Defender for Identity identifies these advanced threats at the source throughout the entire cyberattack kill-chain:
Reconnaissance - Identify rogue users and attackers’ attempts to gain information.
Compromised credentials - Identify attempts to compromise user credentials using brute force attacks, failed authentications, user group membership changes, and other methods.
Lateral movements - Detect attempts to move laterally inside the network to gain further control of sensitive users.
Domain dominance - View attacker behavior if threat actors gain control over Active Directory, referred to as domain dominance, through remote code execution on the domain controller or other methods.
Investigate alerts and user activities
Defender for Identity is designed to reduce general alert noise, providing only relevant, important security alerts in a simple, real-time organizational attack timeline.
Use the Defender for Identity attack timeline view and the intelligence of smart analytics to stay focused on what matters. Also, you can use Defender for Identity to quickly investigate threats, and gain insights across the organization for users, devices, and network resources.
Microsoft Defender for Identity protects your organization from compromised identities, advanced threats, and malicious insider actions.
Remediation actions
Microsoft Defender for Identity supports remediation actions to be performed directly on your on-premises identities. Examples include:
Disable user in Active Directory - This will temporarily prevent a user from signing in to the on-premises network. This can help prevent compromised users from moving laterally and attempting to exfiltrate data or further compromise the network.
Reset user password - This will prompt the user to change their password on the next sign-in, ensuring that this account can’t be used for further impersonation attempts.
Depending on your Microsoft Entra ID roles, you may see additional Microsoft Entra ID actions, such as requiring users to sign in again and confirming a user as compromised.
Describe Microsoft Defender Vulnerability Management
Defender Vulnerability Management delivers asset visibility, intelligent assessments, and built-in remediation tools for Windows, macOS, Linux, Android, iOS, and network devices.
Using Microsoft threat intelligence, breach likelihood predictions, business contexts, and device assessments, Defender Vulnerability Management rapidly and continuously prioritizes the biggest vulnerabilities on your most critical assets and provides security recommendations to mitigate risk.
Continuous asset discovery and monitoring
Defender Vulnerability Management’s built-in and agentless scanners continuously monitor and detect risk in your organization, even when devices aren’t connected to the corporate network.
Consolidated inventories provide a real-time view of your organization’s software applications, digital certificates, hardware and firmware, and browser extensions to help you monitor and assess all your organization’s assets. Examples include:
Visibility into software and vulnerabilities - Get a view of the organization’s software inventory, and software changes like installations, uninstalls, and patches.
Network share assessment - Assess vulnerable internal network share configurations with actionable security recommendations.
Browser extensions assessment - View a list of the browser extensions installed across different browsers in your organization. View information on an extension’s permissions and associated risk levels.
Digital certificates assessment - View a list of certificates installed across your organization in a single central certificate inventory page. Identify certificates before they expire and detect potential vulnerabilities due to weak signature algorithms.
And more…
Risk-based intelligent prioritization
Defender Vulnerability Management uses Microsoft’s threat intelligence, breach likelihood predictions, business contexts, and device assessments to quickly prioritize the biggest vulnerabilities in your organization.
Risk-based intelligent prioritization focuses on emerging threats, aligning the prioritization of security recommendations with vulnerabilities currently being exploited in the wild and with the emerging threats that pose the highest risk. Risk-based intelligent prioritization also pinpoints active breaches and protects high-value assets.
A single view of prioritized recommendations from multiple security feeds, along with critical details including related Common Vulnerabilities and Exposures (CVEs) and exposed devices, helps you quickly remediate the biggest vulnerabilities on your most critical assets.
Remediation and tracking
Remediation and tracking enable security administrators and IT administrators to collaborate and seamlessly remediate issues with built-in workflows.
Remediation requests sent to IT - Create a remediation task in Microsoft Intune from a specific security recommendation.
Block vulnerable applications - Mitigate risk with the ability to block vulnerable applications for specific device groups.
Alternate mitigations - Gain insights on other mitigations, such as configuration changes that can reduce risk associated with software vulnerabilities.
Real-time remediation status - Real-time monitoring of the status and progress of remediation activities across the organization.
Describe Microsoft Defender Threat Intelligence
Threat intelligence analysts struggle with balancing a breadth of threat intelligence ingestion with the analysis of which threat intelligence poses the biggest threats to their organization and/or industry. Similarly, vulnerability intelligence analysts battle correlating their asset inventory with Common Vulnerabilities and Exposures (CVE) information to prioritize the investigation and remediation of the most critical vulnerabilities associated with their organization.
Microsoft Defender Threat Intelligence addresses these challenges by aggregating and enriching critical data sources and displaying them in an innovative, easy-to-use interface. Analysts can then correlate indicators of compromise (IOCs) with related articles, actor profiles, and vulnerabilities. Defender TI also lets analysts collaborate with fellow Defender TI-licensed users within their tenant on investigations.
Microsoft Defender Threat Intelligence functionality includes:
Threat analytics
Intel Profiles
Intel Explorer
Projects
Threat analytics
Threat analytics helps you, as an analyst, understand how emerging threats impact your organization’s environment.
Threat analytics reports provide an analysis of a tracked threat and extensive guidance on how to defend against that threat. Each report also incorporates data from your network, indicating whether the threat is active and whether you have applicable protections in place. You can filter and search on reports, but Defender TI also provides a dashboard.
The threat analytics dashboard highlights the reports that are most relevant to your organization. It summarizes the threats into three categories:
Latest threats - Lists the most recently published or updated threat reports, along with the number of active and resolved alerts.
High-impact threats - Lists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first.
Highest exposure - Lists threats to which your org has the highest exposure. Your exposure level to a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities.
Each report provides an overview, an analyst report, related incidents, impacted assets, endpoints exposure, and recommended actions.
Intel profiles
Intel profiles are a definitive source of Microsoft’s shareable knowledge on tracked threat actors, malicious tools, and vulnerabilities. This content is curated and continuously updated by Microsoft’s Threat Intelligence experts to provide relevant and actionable threat context.
Intel explorer
The intel explorer is where analysts can quickly scan new featured articles and perform a keyword, indicator, or CVE ID search to begin their intelligence gathering, triage, incident response, and hunting efforts.
Microsoft Defender Threat Intelligence articles are narratives that provide insight into threat actors, tooling, attacks, and vulnerabilities. The articles summarize different threats and also link to actionable content and key IOCs to help users take action.
Defender TI offers CVE-ID searches to help users identify critical information about the CVE. CVE-ID searches result in Vulnerability Articles.
Intel Projects
Microsoft Defender Threat Intelligence (Defender TI) lets you create projects to organize indicators of interest and indicators of compromise (IOCs) from an investigation. Projects contain a listing of all associated artifacts and a detailed history that retains the names, descriptions, collaborators, and monitoring profiles.
Describe the Microsoft Defender portal
A unified security operations platform is a fully integrated toolset for security teams to prevent, detect, investigate, and respond to threats across their entire environment. For Microsoft, this means delivering the best of SIEM, XDR, posture management, and threat intelligence with advanced generative AI as a single platform.
Through the Microsoft Defender portal, Microsoft delivers on the promise of a unified security operations platform so you can view the security health of your organization. The Microsoft Defender portal combines protection, detection, investigation, and response to threats across your entire organization and all its components, in a central place.
To access the Microsoft Defender portal, you must be assigned an appropriate role in Microsoft Entra ID, such as Global Reader or Administrator, Security Reader or Administrator, or Security Operator.
The Defender portal emphasizes quick access to information, simpler layouts, and bringing related information together for easier use.
The Microsoft Defender portal home page shows many of the common cards that security teams need. The composition of cards and data depends on the user role. Because the Microsoft Defender portal uses role-based access control, different roles see cards that are more meaningful to their day-to-day jobs.
The Microsoft Defender portal allows you to tailor the navigation pane to meet daily operational needs. You can customize the navigation pane to show or hide functions and services based on your specific preferences. Customization is specific to you, so other admins won’t see these changes.
The left navigation pane provides easy access to the suite of Microsoft Defender XDR services. You also get access to Microsoft Sentinel and many other capabilities. The sections that follow provide a brief description of the capabilities accessible from the left navigation bar in the Microsoft Defender portal.
Exposure management
Microsoft Security Exposure Management is a security solution that provides a unified view of security posture across company assets and workloads. Security Exposure Management enriches asset information with security context that helps you to proactively manage attack surfaces, protect critical assets, and explore and mitigate exposure risk.
With Security Exposure Management you can discover and monitor assets, get rich security insights, investigate specific risk areas with security initiatives, and track metrics across the organization to improve security posture.
Attack surface
Security Exposure Management automatically generates attack paths based on the data collected across assets and workloads. It simulates attack scenarios, and identifies vulnerabilities and weaknesses that an attacker could exploit.
Security insights
Exposure insights in Microsoft Security Exposure Management continuously aggregate security posture data and insights across workloads and resources, into a single pipeline.
Initiatives provide a simple way to assess security readiness for a specific security area or workload, and to constantly track and measure exposure risk for that area or workload over time.
Metrics in Microsoft Security Exposure Management measure security exposure for a specific scope of assets or resources within a security initiative.
Recommendations help you to understand the compliance state for a specific security initiative.
Events help you to monitor initiative changes.
Secure score
Microsoft Secure Score, one of the tools in the Microsoft Defender portal, is a representation of a company’s security posture. The higher the score, the better your protection. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices.
Secure Score provides a breakdown of the score, the improvement actions that can boost the organization’s score, and how well the organization’s Secure Score compares to other similar organizations.
Data connectors
Using data connectors you can connect data sources for a richer, more centralized exposure management experience.
Investigation & response
The investigation and response tab includes access to incidents and alerts, hunting, actions & submissions, and a partner catalog.
Incidents and alerts
An incident in the Microsoft Defender portal is a collection of related alerts, assets, investigations, and evidence to give you a comprehensive look into the entire breadth of an attack. It serves as a case file that your SOC can use to investigate that attack and manage, implement, and document the response to it. Because the Microsoft Defender portal is built upon a unified security operations platform, you get a view of all incidents including incidents generated from the suite of Microsoft Defender XDR solutions, Microsoft Sentinel, and other solutions.
Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan. The information provided for an incident includes:
The full story of the attack, including all the alerts, assets, and remediation actions taken.
All the alerts related to the incident.
All the assets (devices, users, mailboxes, and apps) that have been identified to be part of or related to the incident.
All the automated investigations triggered by the alerts in the incident.
All the supported evidence and response.
Hunting
Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data, from Microsoft Defender XDR and Microsoft Sentinel. You can proactively inspect events in your network to locate threat indicators and entities, through hunting queries. Hunting queries can be created via the query editor, if you’re familiar with Kusto Query Language (KQL), using a query builder, or through Security Copilot. For users onboarded to Microsoft Security Copilot, you can make a request or ask a question in natural language and Security Copilot generates a KQL query that corresponds to the request.
You can use the same threat hunting queries to build custom detection rules. These rules run automatically to check for and then respond to suspected breach activity, misconfigured machines, and other findings.
Actions and submissions
The unified Action center brings together remediation actions across Microsoft Defender for Endpoint and Microsoft Defender for Office 365. It lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.
In Microsoft 365 organizations with Exchange Online mailboxes, admins can use the Submissions page in the Microsoft Defender portal to submit messages, URLs, and attachments to Microsoft for analysis.
Partner catalog
The partner catalog lists supported technology partners and professional services that can help your organization enhance the detection, investigation, and threat intelligence capabilities of the platform.
Threat intelligence
From the Threat Intelligence tab, users access Microsoft Defender Threat Intelligence. For more information, see the unit “Describe Microsoft Defender Threat Intelligence.”
Assets
The Assets tab allows you to view and manage your organization’s inventory of protected and discovered assets (devices and identities).
The Device inventory shows a list of the devices in your network where alerts were generated. By default, the queue displays devices seen in the last 30 days. At a glance, you see information such as domain, risk level, OS platform, and other details for easy identification of devices most at risk.
The identity inventory provides a comprehensive view of all corporate identities, both cloud and on-premises.
Microsoft Sentinel
Some Microsoft Sentinel capabilities, like the unified incident queue, are accessed through the incidents and alerts page of the Defender portal, along with incidents from other Microsoft Defender services. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.
Identities
The Identities node on the left navigation panel of the Microsoft Defender portal maps to functionality associated with Microsoft Defender for Identity. For more information, see the unit “Describe Microsoft Defender for Identity.”
Endpoints
The Endpoints node on the left navigation panel of the Microsoft Defender portal maps to functionality associated with Microsoft Defender for Endpoints. For more information, see the unit “Describe Microsoft Defender for Endpoints.”
Email and collaboration
The email and collaboration node on the left navigational panel is where you find Microsoft Defender for Office 365 functionality that allows you to track and investigate threats to your users’ email, track campaigns, and more. For more information, see the unit “Describe Microsoft Defender for Office 365.”
Cloud apps
The Cloud apps node on the left navigational panel is where you find Microsoft Defender for Cloud Apps functionality. For more information, see the unit “Describe Microsoft Defender for Cloud Apps.”
SOC Optimization
Security operations center (SOC) teams actively look for opportunities to optimize both processes and outcomes.
SOC optimization surfaces ways you can optimize your security controls, gaining more value from Microsoft security services as time goes on.
Reports
Reports are unified in the Microsoft Defender portal. Admins can start with a general security report, and branch into specific reports about endpoints, email & collaboration, cloud apps, infrastructure, and identities. The links here are dynamically generated based upon workload configuration.
Learning hub
The learning hub links you to Microsoft Learn, where you can get access to training courses, tutorials, documentation, and other relevant material.
System
The system option in the Defender portal includes selections to configure permissions, view service health, and general settings.
Describe Copilot integration with Microsoft Defender XDR
Microsoft Defender XDR integrates with Microsoft Security Copilot. Integration with Security Copilot can be experienced through the standalone and embedded experiences.
The standalone experience
For businesses that are onboarded to Microsoft Security Copilot, the integration is enabled through plugins accessed through the Copilot portal (the standalone experience). There are two separate plugins that support integration with Microsoft Defender XDR:
Microsoft Defender XDR
Natural language to KQL for Microsoft Defender XDR
Microsoft Defender XDR plugin
The Microsoft Defender XDR plugin includes capabilities that enable users to:
Analyze files
Generate an incident report
Generate a guided response
List incidents and related alerts
Summarize the security state of the device
more…
Microsoft Defender XDR capabilities in Copilot are built-in prompts that you can use, but you can also enter your own prompts based on the capabilities supported.
Copilot also includes a built-in promptbook for Microsoft Defender XDR incident investigation that you can use to get a report about a specific incident, with related alerts, reputation scores, users, and devices.
Natural language to KQL for Microsoft Defender plugin
The Natural language to KQL for Microsoft Defender plugin enables query assistant functionality that converts any natural-language question in the context of threat hunting, into a ready-to-run Kusto Query Language (KQL) query. The query assistant saves security teams time by generating a KQL query that can then be automatically run or further tweaked according to the analyst’s needs.
The embedded experience
With the plugin enabled, Copilot integration with Defender XDR can also be experienced through the embedded experience, which is referred to as Copilot in Microsoft Defender XDR.
Copilot in Microsoft Defender XDR enables security teams to quickly and efficiently investigate and respond to incidents, through the Microsoft Defender XDR portal. Copilot in Microsoft Defender XDR supports the following features.
Summarize incidents
Guided responses
Script analysis
Natural language to KQL queries
Incident reports
Analyze files
Device and identity summaries
Users can also seamlessly pivot from the embedded experience to the standalone experience.
Summarize incidents
To immediately understand an incident, you can use Copilot in Microsoft Defender XDR to summarize an incident for you. Copilot creates an overview of the attack containing essential information for you to understand what transpired in the attack, what assets are involved, the timeline of the attack, and more. Copilot automatically creates a summary when you navigate to an incident’s page. Incidents containing up to 100 alerts can be summarized into one incident summary.
Guided responses
Copilot in Microsoft Defender XDR uses AI and machine learning capabilities to contextualize an incident and learn from previous investigations to generate appropriate response actions, which are shown as guided responses. The guided response capability of Copilot allows incident response teams at all levels to confidently and quickly apply response actions to resolve incidents with ease.
Guided responses recommend actions in the following categories:
Triage - includes a recommendation to classify incidents as informational, true positive, or false positive
Containment - includes recommended actions to contain an incident
Investigation - includes recommended actions for further investigation
Remediation - includes recommended response actions to apply to specific entities involved in an incident
Each card contains information about the recommended action, including why the action is recommended, similar incidents, and more. For example, the View similar incidents action becomes available when there are other incidents within the organization that are similar to the current incident. Incident response teams can also view user information for remediation actions such as resetting passwords.
Analyze scripts and codes
The script analysis capability of Copilot in Microsoft Defender XDR provides security teams added capacity to inspect scripts and code without using external tools. This capability also reduces complexity of analysis, minimizing challenges and allowing security teams to quickly assess and identify a script as malicious or benign.
There are several ways you can access the script analysis capability. The image that follows shows the process tree for an alert that includes execution of a PowerShell script. Selecting the analyze button generates the Copilot script analysis.
Generate KQL queries
Copilot in Microsoft Defender XDR comes with a query assistant capability in advanced hunting.
To access the natural language to KQL query assistant, users with access to Copilot select advanced hunting from the left navigation pane of the Defender XDR portal.
Copilot provides prompts you can use to start hunting for threats with Copilot, or you can write your own natural language question in the prompt bar to generate a KQL query. For example, “Give me all the devices that signed in within the last 10 minutes.” Copilot then generates a KQL query that corresponds to the request using the advanced hunting data schema.
The user can then choose to run the query by selecting Add and run. The generated query then appears as the last query in the query editor. To make further tweaks, select Add to editor.
Create incident reports
A comprehensive and clear incident report is an essential reference for security teams and security operations management. However, writing a comprehensive report with the important details present can be a time-consuming task for security operations teams as it involves collecting, organizing, and summarizing incident information from multiple sources. Security teams can now instantly create an extensive incident report within the portal.
While an incident summary provides an overview of an incident and how it happened, an incident report consolidates incident information from various data sources available in Microsoft Sentinel and Microsoft Defender XDR. The incident report also includes all analyst-driven steps and automated actions, the analysts involved in the response, the comments from the analysts, and more.
To create an incident report, the user selects Generate incident report on the top right corner of the incident page or the icon in the Copilot pane. Once the incident report is generated, selecting the ellipses on the incident report presents the user with the option to copy the report to the clipboard, post to an activity log, regenerate the report, or opt to open in the Copilot standalone experience.
Analyze files
Sophisticated attacks often use files that mimic legitimate or system files to avoid detection. Copilot in Microsoft Defender XDR enables security teams to quickly identify malicious and suspicious files through AI-powered file analysis capabilities.
There are many ways to access the detailed profile page of a specific file. In this example, you navigate to files through the incident graph of an incident with impacted files. The incident graph shows the full scope of the attack, how the attack spread through your network over time, where it started, and how far the attacker went.
From the incident graph, selecting files displays the option to view files. Selecting view files opens a panel on the right side of the screen listing impacted files. Selecting any file displays an overview of the file details and the option to analyze the file. Selecting Analyze opens the Copilot file analysis.
Summarize devices and identities
The device summary capability of Copilot in Defender enables security teams to get a device’s security posture, vulnerable software information, and any unusual behaviors. Security analysts can use a device’s summary to speed up their investigation of incidents and alerts.
There are many ways to access a device summary. In this example, you navigate to the device summary through the incident assets page. Selecting the assets tab for an incident displays all the assets. From the left navigation panel, select Devices then select a specific device name. From the overview page that opens on the right is the option to select Copilot.
Similarly, Copilot in Microsoft Defender XDR can summarize identities.
Move to the Standalone experience
As an analyst using Microsoft Defender XDR, you’re likely to spend a good amount of time in Defender XDR, so the embedded experience is a great place to start a security investigation. Depending on what you learn, you may determine that a deeper investigation is needed. In this scenario, you can easily transition to the standalone experience to pursue a more detailed, cross-product investigation that brings to bear all the Copilot capabilities enabled for your role.
For content generated through the embedded experience you can easily transition to the standalone experience. To move to the standalone experience, select the ellipses within the generated content window then choose Open in Security Copilot.
Get acquainted with Microsoft Security Copilot
The top security challenges organizations face include:
An increase in the number and sophistication of attacks.
A talent shortage that is driving the need for automation, integration, and consolidation of security tools.
Visibility into security, privacy, compliance, and governance.
Organizations need to act quickly to address all the security challenges they face, but working at human speed, even if there weren’t a talent shortage, isn’t enough. Organizations need to work at machine speed.
Microsoft Security Copilot is an AI-powered, cloud-based security analysis tool that enables analysts to respond to threats quickly, process signals at machine speed, and assess risk exposure more quickly than may otherwise be possible.
Use cases
Security Copilot focuses on making the following highlighted use cases easy to use.
Investigate and remediate security threats - gain context for incidents to quickly triage complex security alerts into actionable summaries and remediate quicker with step-by-step response guidance
Build KQL queries or analyze suspicious scripts - eliminate the need to manually write query-language scripts or reverse engineer malware scripts with natural language translation to enable every team member to execute technical tasks
Understand risks and manage security posture of the organization - get a broad picture of your environment with prioritized risks to uncover opportunities to improve posture more easily
Troubleshoot IT issues faster - synthesize relevant information rapidly and receive actionable insights to identify and resolve IT issues quickly
Define and manage security policies - define a new policy, cross-reference it with others for conflicts, and summarize existing policies to manage complex organizational context quickly and easily
Configure secure lifecycle workflows - build groups and set access parameters with step-by-step guidance to ensure a seamless configuration to prevent security vulnerabilities
Develop reports for stakeholders - get a clear and concise report that summarizes the context and environment, open issues, and protective measures prepared for the tone and language of the report’s audience
These use cases represent just a few of the capabilities that Copilot delivers, which help make analysts more productive and also help up-level them.
Standalone and embedded experience
You can experience Copilot through the dedicated site, also referred to as the standalone experience. Users interact with Copilot through the prompt bar. In the prompt bar, users make requests in natural language and receive response outputs as text, images, or documents.
Additionally, some Microsoft security products embed Copilot capabilities directly within the products’ user interface. This experience is referred to as the embedded experience. Microsoft Defender XDR, for example, enables Copilot capabilities including summarizing incidents, analyzing scripts, generating KQL queries, and more.
Natural language processing (NLP)
Copilot is built using Azure OpenAI Services and is designed to integrate with existing security tools and processes, making it easier for organizations to improve their overall security posture. Azure OpenAI Services provides REST API access to OpenAI’s powerful large language models (LLMs) for natural language processing (NLP), while providing security capabilities of Microsoft Azure.
With access to the powerful LLMs for NLP, Copilot is able to read, decipher, and make sense of human languages, enabling users to securely interact with it using natural language. Although the LLMs are trained on a vast amount of information that endows Copilot with broad general knowledge and problem solving abilities, it’s not enough. Security analysts expect their copilot to be trained on security and that is where the integration with existing security tools and processes comes into play.
Integration with Security-specific sources
Copilot combines powerful LLMs with security-specific sources from Microsoft. These security-specific sources are informed by Microsoft’s unique global threat intelligence, more than 65 trillion daily signals, and incorporate information from a growing set of security solutions using plug-ins and connections to knowledge bases. Through plug-ins, Copilot integrates with Microsoft’s own security products, non-Microsoft products, and open-source intelligence feeds. Connections to an organization’s knowledge bases give Copilot more context, resulting in responses that are more relevant, specific, and customized to the user. Through the powerful combination of advanced general models and security-specific sources, Copilot is able to learn at machine speed to help analysts identify and respond to emerging threats.
The information you give Copilot will only be accessible to your organization. Your data is your data, and it’s protected by comprehensive enterprise compliance and security controls. Your data isn’t used to train the foundation AI models.
Describe Microsoft Security Copilot terminology
Terminology
The following terms are important for understanding the way Microsoft Security Copilot works:
Session – A particular conversation within Copilot. Copilot maintains context within a session.
Prompt – A specific statement or question within a session. A user enters a prompt in the prompt bar.
Capability – A function Copilot uses to solve part of a problem. A capability may sometimes be referred to as a skill.
Plugin – A collection of capabilities by a particular resource.
Workspace - Copilot workspaces are separate Copilot work environments within the tenant in which your Copilot instance is operating.
Orchestrator – Copilot’s system for composing capabilities together to answer a user’s prompt.
Describe how Microsoft Security Copilot processes prompt requests
Submit a prompt: The process starts when a user submits a prompt in the prompt bar.
Orchestrator: Security Copilot sends the information to the Copilot backend referred to as the orchestrator. The orchestrator is Copilot’s system for composing capabilities together to answer a user’s prompt. It determines the initial context and builds a plan using all the available capabilities (skills).
Build context: Once a plan is defined and built, Copilot executes that plan to get the required data context to answer the prompt.
Plugins: In the course of executing the plan, Copilot analyzes all data and patterns to provide intelligent insights. This includes reasoning over all the plugins and sources of data, enabled and available to Copilot.
Responding: Copilot combines all the data and context and uses the power of its advanced LLM to compose a response using language that makes sense to a human being.
Response: Before the response can be sent back to the user, Copilot formats and reviews the response as part of Microsoft’s commitment to responsible AI.
Receives response: The process culminates with the user receiving the response from Copilot.
Describe Communication Compliance
Microsoft Purview Communication Compliance is an insider risk solution that helps you detect, capture, and act on inappropriate messages that can lead to potential data security or compliance incidents within your organization. Communication compliance evaluates text and image-based messages in Microsoft and third-party apps (Teams, Viva Engage, Outlook, WhatsApp, etc.) for potential business policy violations, including inappropriate sharing of sensitive information, threatening or harassing language, and potential regulatory violations.
Communication Compliance has predefined and custom policies that allow you to check internal and external communications for policy matches so that designated reviewers can examine them. Reviewers can investigate email, Microsoft Teams, Microsoft Copilot for Microsoft 365, Viva Engage, or third-party communications in your organization and take appropriate actions to make sure they’re compliant with your organization’s message standards.
With role-based access controls, Communication compliance supports the separation of duties between your IT admins and your compliance management team. For example, the IT group for your organization might be responsible for setting up communication compliance role permissions, groups, and policies, while investigators and reviewers might be responsible for message triage, review, and mitigation actions.
Configure – in this step, admins identify compliance requirements and configure applicable communication compliance policies.
Investigate – admins look deeper into the issues detected when matching your communication compliance policies. Tools and steps that help include alerts, issue management to help remediation, document reviews, reviewing user history, and filters.
Remediate – remediate communications compliance issues. Options include: resolving an alert, tagging a message, notifying the user, escalating to another reviewer, marking an alert as a false positive, removing a message in Teams, and escalating for investigation.
Monitor – Keeping track and managing compliance issues identified by communication compliance policies spans the entire workflow process. Communication compliance dashboard widgets, export logs, and events recorded in the unified audit logs can be used to continually evaluate and improve your compliance posture.
Some important compliance areas where communication compliance policies can assist with reviewing messages include:
Corporate policies - Users have to follow corporate policies like usage and ethical standards in their day-to-day business communications. With communication compliance, admins can scan user communications across the organization for potential concerns of offensive language or harassment.
Risk management - Communication compliance can help admins scan for unauthorized communication about projects that are considered to be confidential, such as acquisitions, earnings disclosures, and more.
Regulatory compliance - Most organizations are expected to follow some regulatory compliance standards during their day-to-day operations. For example, a regulation might require organizations to review communications of its brokers to safeguard against potential insider trading, money laundering, or bribery. Communication compliance enables the organization to scan and report on these types of communications in a way that meets their requirements.
Communication compliance is a powerful tool that can help maintain and safeguard your staff, your data, and your organization.
Describe Data Lifecycle Management
Microsoft Purview Data Lifecycle Management provides you with tools and capabilities to retain the content that you need to keep, and delete the content that you don’t. Retaining and deleting emails, documents, and messages are often needed for compliance and regulatory requirements. However, deleting content that no longer has business value also reduces your attack surface.
Retention policies and retention labels
Retention policies and retention labels are important tools for data lifecycle management. They help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted. Applying retention labels and assigning retention policies helps organizations:
Comply proactively with industry regulations and internal policies that require content to be kept for a minimum time.
Reduce risk when there’s litigation or a security breach by permanently deleting old content that the organization is no longer required to keep.
Ensure users work only with content that’s current and relevant to them. Content that is no longer relevant should be deleted.
Managing content commonly requires two actions: retaining content and deleting content.
Retaining content prevents permanent deletion and ensures content remains available for eDiscovery.
Deleting content permanently deletes content from your organization.
With these two retention actions, you can configure retention settings for the following outcomes:
Retain-only: Retain content forever or for a specified period of time.
Delete-only: Permanently delete content after a specified period of time.
Retain and then delete: Retain content for a specified period of time and then permanently delete it.
When content has retention settings assigned to it, that content remains in its original location. People can continue to work with their documents or mail as if nothing changed. But if they edit or delete content included in the retention policy, a copy of the content is automatically kept in a secure location. The secure locations and the content aren’t visible to most people. In most cases, people don’t even need to know that their content is subject to retention settings.
Retention settings work with the following different workloads:
SharePoint
OneDrive
Microsoft Teams
Viva Engage
Exchange
To assign your retention settings to content, use retention policies and retention labels with label policies. You can use just one of these methods, or combine them.
When using retention policies and retention labels to assign retention settings to content, there are some points to understand about each. Listed below are just a few of the key points. For more information, see the article, “Learn about retention policies and retention labels” linked in the Summary and resources unit of this module.
Retention policies
Retention policies are used to assign the same retention settings to content at a site level or mailbox level.
A single policy can be applied to multiple locations, or to specific locations or users.
Items inherit the retention settings from their container specified in the retention policy. If a policy is configured to keep content, and an item is then moved outside that container, a copy of the item is kept in the workload’s secured location. However, the retention settings don’t travel with the content in its new location.
Retention labels
Retention labels are used to assign retention settings at an item level, such as a folder, document, or email.
An email or document can have only a single retention label assigned to it at a time.
Retention settings from retention labels travel with the content if it’s moved to a different location within your Microsoft 365 tenant, but don’t persist if the content is moved outside of your Microsoft 365 tenant.
Admins can enable users in the organization to apply a retention label manually.
A retention label can be applied automatically if it matches defined conditions.
A default label can be applied for SharePoint documents.
Retention labels support disposition review to review the content before it’s permanently deleted.
Consider the following scenarios. If all documents in a SharePoint site should be kept for five years, it’s more efficient to do so with a retention policy than apply the same retention label to all documents in that site.
However, if some documents in that site should be kept for five years and others for 10 years, you’d need to apply a policy to the SharePoint site with a retention period of five years. You’d then apply a retention label to the individual items with a retention setting of 10 years.
Retention labels and policies that apply them
When you publish retention labels, they’re included in a retention label policy that makes them available for admins and users to apply to content.
Describe Records Management
Organizations of all types require a management solution to manage regulatory, legal, and business-critical records across their corporate data. Microsoft Purview Records Management helps an organization look after their legal obligations. It also helps to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be kept, no longer of value, or no longer required for business purposes. Microsoft Purview Records Management includes many features, including:
Labeling content as a record.
Establishing retention and deletion policies within the record label.
Triggering event-based retention.
Reviewing and validating disposition.
Proof of records deletion.
Exporting information about disposed items.
When content is labeled as a record, by using a retention label, the following happens:
Restrictions are put in place to block certain activities.
Activities are logged.
Proof of disposition is kept at the end of the retention period.
To enable items to be marked as records, an administrator sets up retention labels.
An admin can choose for items to be marked as records when configuring a policy.
Items such as documents and emails can then be marked as records based on those retention labels. Items can be marked as records, or they can be marked as regulatory records. Regulatory records provide other controls and restrictions such as:
A regulatory label can’t be removed when an item has been marked as a regulatory record.
The retention periods can’t be made shorter after the label has been applied.
For more information on comparing restrictions between records and regulatory records, see the section “Compare restrictions for what actions are allowed or blocked” in the article “Learn about records management,” linked in the summary and resources unit of this module.
The most important difference is that if content has been marked as a regulatory record, nobody, not even a global administrator, can remove the label. Marking an item as a regulatory record can have irreversible consequences, and should only be used when necessary. As a result, this option isn’t available by default, and has to be enabled by the administrator using PowerShell.
Common use cases for Microsoft Purview Records Management
There are different ways in which Microsoft Purview Records Management can be used across an organization, including:
Enabling administrators and users to manually apply retention and deletion actions for documents and emails.
Automatically applying retention and deletion actions to documents and emails.
Enabling site admins to set default retain and delete actions for all content in a SharePoint library, folder, or document set.
Enabling users to automatically apply retain and delete actions to emails by using Outlook rules.
To ensure Microsoft Purview Records Management is used correctly across the organization, administrators can work with content creators to put together training materials. Documentation should explain how to apply labels to drive usage, and ensure a consistent understanding.
Describe the offerings of the Service Trust portal
The Microsoft Service Trust Portal provides a variety of content, tools, and other resources about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.
The Service Trust Portal (STP) is Microsoft’s public site for publishing audit reports and other compliance-related information associated with Microsoft’s cloud services. STP users can download audit reports produced by external auditors and gain insight from Microsoft-authored whitepapers that provide details on how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization.
Accessing the Service Trust Portal
To access some of the resources on the Service Trust Portal, you must log in as an authenticated user with your Microsoft cloud services account (Microsoft Entra organization account) and review and accept the Microsoft non-disclosure agreement for Compliance Materials.
Service Trust Portal Content Categories
The Service Trust Portal landing page includes content that is organized into the following categories:
Certifications, Regulations, and Standards
Reports, Whitepapers, and Artifacts
Industry and Regional Resources
Resources for your Organization
Screenshot of the Service Trust Portal home page.
As users navigate to content in the different categories, selecting the Service Trust Portal link at the top of the page provides a quick way to get back to the home page.
Screenshot of the Service Trust Portal link at the top of the home page.
Certifications, Regulations and Standards
The certifications, regulations, and standards section of the STP provides a wealth of security implementation and design information with the goal of making it easier for you to meet regulatory compliance objectives by understanding how Microsoft cloud services keep your data secure.
Screenshot of the tiles available in the certifications, regulations, and standards section of the Service Trust Portal home page.
Selecting a tile will provide a list of available documents, including a description and when it was last updated. The screenshot that follows shows some of the documents available by selecting the ISO/IEC tile.
Screenshot of the list of documents available by selecting the ISO/IEC tile.
Reports, Whitepapers, and Artifacts
This section includes general documents relating to the following categories:
BCP and DR - Business Continuity and Disaster Recovery
Pen Test and Security Assessments - Attestation of penetration tests and security assessments conducted by third parties
Privacy and Data Protection - Privacy and Data Protection Resources
FAQ and Whitepapers - Whitepapers and answers to frequently asked questions
Screenshot that shows the tiles available in the reports, whitepapers, and artifacts section of the Service Trust Portal home page.
Industry and Regional Resources
This section includes documents that apply to the following industries and regions:
Financial Services - Resources elaborating regulatory compliance guidance for FSI (by country/region)
Healthcare and Life Sciences - Capabilities offered by Microsoft for Healthcare Industry
Media and Entertainment - Media and Entertainment Industry Resources
United States Government - Resources exclusively for US Government customers
Regional Resources - Documents describing compliance of Microsoft’s online services with various regional policies and regulations
Screenshot of the tiles available in the industry and regional resources section of the Service Trust Portal home page.
Resources for your Organization
This section lists documents applying to your organization (restricted by tenant) based on your organization’s subscription and permissions.
Screenshot showing tiles available in the resources for your organization section of the Service Trust Portal home page.
My Library
Use the My Library feature to add documents and resources on the Service Trust Portal to your My Library page. This lets you access documents that are relevant to you in a single place. To add a document to your My Library, select the ellipsis (…) menu to the right of a document and then select Save to library.
Additionally, the notifications feature lets you configure your My Library so that an email message is sent to you whenever Microsoft updates a document that you’ve added to your My Library. To set up notifications, go to your My Library and select Notification Settings. You can choose the frequency of notifications and specify an email address in your organization to send notifications to. Email notifications include links to the documents that have been updated and a brief description of the update.
If a document is part of a series, you’ll be subscribed to the series, and will receive notifications when there’s an update to that series.
Describe Microsoft’s privacy principles
Microsoft’s products and services run on trust. At Microsoft, we value, protect, and defend privacy. We believe in transparency, so that people and organizations can control their data and have meaningful choices in how it’s used. We empower and defend the privacy choices of every person who uses our products and services.
Microsoft’s approach to privacy is built on the following six principles:
Control: Putting you, the customer, in control of your data and your privacy with easy-to-use tools and clear choices. Your data is your business, and you can access, modify, or delete it at any time. Microsoft will not use your data without your agreement, and when we have your agreement, we use your data to provide only the services you have chosen. Your control over your data is reinforced by Microsoft compliance with broadly applicable privacy laws and privacy standards.
Transparency: Being transparent about data collection and use so that everyone can make informed decisions. We only process your data based on your agreement and in accordance with the strict policies and procedures that we’ve contractually agreed to. When we deploy subcontractors or subprocessors to perform work that requires access to your data, they can perform only the functions that Microsoft has hired them to provide, and they’re bound by the same contractual privacy commitments that Microsoft makes to you. The Microsoft Online Services Subprocessor List identifies authorized subprocessors, which have been audited in advance against a stringent set of security and privacy requirements. This document is available as one of the data protection resources in the Service Trust Portal.
Security: Protecting the data that’s entrusted to Microsoft by using strong security and encryption. With state-of-the-art encryption, Microsoft protects your data both at rest and in transit. Our encryption protocols erect barriers against unauthorized access to the data, including two or more independent encryption layers to protect against compromises of any one layer. All Microsoft-managed encryption keys are properly secured, and Microsoft offers the use of technologies such as Azure Key Vault to help you control access to passwords, encryption keys, and other secrets.
Strong legal protections: Respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right. Microsoft defends your data through clearly defined and well-established response policies and processes, strong contractual commitments, and if necessary, the courts. We believe all government requests for your data should be directed to you. We don’t give any government direct or unfettered access to customer data. We will not disclose data to a government or law enforcement agency, except as you direct or where required by law. Microsoft scrutinizes all government demands to ensure they’re legally valid and appropriate. If Microsoft receives a request for your data, we’ll promptly notify you and provide a copy of the request unless legally prohibited from doing so. Moreover, we’ll direct the requesting party to seek the data directly from you. Our contractual commitments to our enterprise and public sector customers include defending your data, which builds on our existing protections. We’ll challenge every government request for commercial and public sector customer data where we can lawfully do so.
No content-based targeting: Not using email, chat, files, or other personal content to target advertising. We do not share your data with advertiser-supported services, nor do we mine it for any purposes like marketing research or advertising.
Benefits to you: When Microsoft does collect data, it’s used to benefit you, the customer, and to make your experiences better. For example:
Troubleshooting: Troubleshooting for preventing, detecting, and repairing problems affecting operations of services.
Feature improvement: Ongoing improvement of features including increasing reliability and protection of services and data.
Personalized customer experience: Data is used to provide personalized improvements and better customer experiences.
These principles form Microsoft’s privacy foundation, and they shape the way that products and services are designed.
Describe Microsoft Priva
Privacy is top of mind for organizations and consumers today, and concerns about how private data is handled are steadily increasing. Regulations and laws impact people around the world, setting rules for how organizations store personal data and giving people rights to manage personal data collected by an organization.
To meet regulatory requirements and build customer trust, organizations need to take a “privacy by default” stance. Rather than manual processes and a patchwork of tools, organizations need a comprehensive solution.
Microsoft Priva is a comprehensive set of privacy solutions that support privacy operations across your organization’s entire digital estate and enable your organization to consolidate privacy protection across your data landscape, streamline compliance with regulations, and mitigate privacy risk.
The Priva suite of solutions has expanded to include the following solutions:
Subject Rights Requests
Privacy Risk Management
Consent Management (preview)
Privacy Assessments (preview)
Tracker Scanning (preview)
These solutions can be found in the new Microsoft Priva portal (preview).
A diagram showing the Priva solutions, which include Privacy Assessments, Privacy Risk Management, Tracker Scanning, Consent Management, and Subject Rights Requests.
Priva Privacy Risk Management
Microsoft Priva Privacy Risk Management gives you the capability to set up policies that identify privacy risks in your Microsoft 365 environment and enable easy remediation. Policy options in Privacy Risk Management can help you find issues in the following areas of privacy concern and guide your users through recommended steps for remediation.
Limit data overexposure. Data overexposure policies, which can be set up to cover both Microsoft 365 and multicloud (preview) locations, can help you detect and handle situations in which data that your organization has stored is insufficiently secure. For example, Privacy Risk Management can alert you if access to an internal site is open to too many people or your permissions settings haven’t been maintained. Privacy Risk Management also offers remediation options that help your users resolve any issues that are found. For data overexposure, these include making content items private, notifying content owners, or tagging items for further review.
Find and mitigate data transfers. Data transfer policies allow you to monitor for transfers between different world regions or between departments in your organization, and transfers outside of your organization. When a policy match is detected, you can send users email notifications that allow them to take corrective action right in the email, such as making content items private, notifying content owners, or tagging items for further review.
Minimize stored data. Data minimization policies allow you to look for data that your organization has been storing for at least a certain length of time. This can help you manage your ongoing storage practices. When policy matches are found, remediation options include marking items for deletion, notifying content owners, or tagging items for further review.
The summary and resources unit of this module includes a link to learn more about Privacy Risk Management policies, which provides more details on policy settings, including the data sources supported and the data types to monitor.
Priva Subject Rights Requests
In accordance with certain privacy regulations around the world, individuals (or data subjects) may make requests to review or manage the personal data about themselves that companies have collected. These requests are sometimes also referred to as data subject requests (DSRs), data subject access requests (DSARs), or consumer rights requests. For companies that store large amounts of information, finding the relevant data can be a formidable task.
Microsoft Priva can help you handle these inquiries through the Subject Rights Requests solution, which can address subject rights requests for data within your organization’s Microsoft 365 environment or, currently in preview, for data beyond Microsoft 365. The solution provides automation, insights, and workflows to help organizations fulfill requests more confidently and efficiently.
Consent Management (preview)
Nearly all interactions with companies, service providers, websites, programs, and apps are conducted digitally, which has resulted in an explosion of data belonging to individuals. It’s never been more important for organizations to meet the requirements of data privacy regulations to provide the right type of consent and notice around the collection and use of personal data.
Consent models refer to the approaches used by organizations to obtain, manage, and record user consent for the collection, processing, and sharing of personal data. These models are crucial for ensuring that organizations comply with privacy regulations.
Priva Consent Management is a regulatory-independent solution for streamlining the management of consented personal data. Consent management empowers organizations to effectively track consumer consent across their entire data estate.
Consent management provides customizable consent models that allow you to add branding and style elements specific to your organization. Consent models also support adding, importing, or machine-generating language translations to support visitors in multiple regions who have different language requirements. The consent models you create don’t need to be created for specific websites, meaning you can use the same model across your public domains.
When you’re ready to publish your consent models, a centralized process allows you to publish consent models at scale to multiple regions.
Privacy Assessments (preview)
Organizations today face significant challenges in maintaining current justified documentation of data usage across their data estates. The assessment of personal data use often involves manual and time-consuming tasks like generating and updating custom questionnaires as well as monitoring data use across the business. As a result, privacy impact assessments are performed after the fact or quickly become stale, failing to accurately reflect the current state of data use within the organization.
Priva Privacy Assessments automates the discovery, documentation, and evaluation of personal data use across your entire data estate. Using this regulatory-independent solution, you can automate privacy assessments and build a complete compliance record for the responsible use of personal data.
Tracker Scanning (preview)
Web tracker compliance refers to the adherence of websites to legal and regulatory requirements regarding the use of web tracking technologies. These technologies, such as cookies and other tracking mechanisms, are used to monitor and collect data about users’ activities on a website.
Many organizations find it challenging to effectively manage and monitor web tracker compliance. Navigating the intricate realm of tracker compliance is a complex and often burdensome task due to the swift evolution of technology, the proliferation of websites, and the evolving landscape of privacy regulations.
Priva Tracker Scanning empowers organizations to automate the identification of tracking technologies across multiple web properties, driving the efficient management of website privacy compliance. With Tracker Scanning you can automate scans for trackers, evaluate and manage web trackers, and streamline compliance reporting.
Priva portal (preview)
The new Priva portal (preview) has a unified experience that streamlines navigation for all Priva solutions and provides a single-entry point for settings, search, and roles and permissions management.
The classic Microsoft Purview compliance portal doesn’t support the newest solutions currently in preview: Consent Management, Privacy Assessments, Tracker Scanning, and Subject Rights Requests for data beyond Microsoft 365.