Part 3 - Security solutions Flashcards

1
Q

Describe Azure Network Security groups

A

Network security groups (NSGs) let you allow or deny network traffic to and from Azure resources that exist in your Azure virtual network; for example, a virtual machine. When you create an NSG, it can be associated with multiple subnets or network interfaces in your VNet. An NSG consists of rules that define how the traffic is filtered.

NSG security rules are evaluated by priority using five information points: source, source port, destination, destination port, and protocol to either allow or deny the traffic. As a guideline, you shouldn’t create two security rules with the same priority and direction.

By default, Azure creates a series of rules, three inbound and three outbound, to provide a baseline level of security. You can’t remove the default rules, but you can override them by creating new rules with a higher priority, which in NSG terms means a lower priority number: the default rules sit at priorities 65000 and above, so any rule you create in the 100-4096 range is evaluated before them.

2
Q

Describe the seven inbound and outbound security rules properties

A

Each rule specifies one or more of the following properties:

  1. Name: Every NSG rule needs a name that is unique within the NSG and describes its purpose. For example, AdminAccessOnlyFilter.
  2. Priority: A number between 100 and 4096. Rules are processed in priority order, with lower numbers processed before higher numbers. When traffic matches a rule, processing stops. This means that any other rules with a lower priority (higher numbers) won’t be processed.
  3. Source or destination: Specify either individual IP address or an IP address range, service tag (a group of IP address prefixes from a given Azure service), or application security group. Specifying a range, a service tag, or application security group, enables you to create fewer security rules.
  4. Protocol: What network protocol will the rule check? The protocol can be any of: TCP, UDP, ICMP or Any.
  5. Direction: Whether the rule should be applied to inbound or outbound traffic.
  6. Port range: You can specify an individual or range of ports. For example, you could specify 80 or 10000-10005. Specifying ranges enables you to create fewer security rules. You can’t specify multiple ports or port ranges in the same security rule in NSGs created through the classic deployment model.
  7. Action: Allow or Deny. This is what happens to traffic that matches the rule.

There are limits to the number of security rules you can create in an NSG. Use Azure NSGs to automatically allow or deny traffic to your cloud-based resources and assets.
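The evaluation order described in the two cards above (lowest priority number first, first match wins, six default rules at 65000 and above that a lower-numbered rule can override) is easy to get wrong when reading a rule table. The following Python is an added example written for this page, not Microsoft code or an Azure SDK call: it models an NSG as a list of rules and evaluates a five-tuple against it the way the cards describe. The service tag prefixes, the rule names AllowSshFromAdmins and DenyVnetRdp, and the addresses are constructed placeholders; real service tags are maintained by Microsoft.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service tags modelled as prefix lists. These are illustrative placeholders
# (assumption), not the real contents of the Azure service tags.
SERVICE_TAGS = {
    "VirtualNetwork": ["10.0.0.0/16"],
    "Internet": ["0.0.0.0/0"],
    "AzureLoadBalancer": ["168.63.129.16/32"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # 100-4096 for user rules; default rules use 65000+
    direction: str         # "Inbound" or "Outbound"
    access: str            # "Allow" or "Deny"
    protocol: str          # "Tcp", "Udp", "Icmp" or "*"
    source: str            # CIDR, service tag or "*"
    source_port: str       # "*", "22" or "10000-10005"
    destination: str
    destination_port: str


# The six default rules Azure adds to every NSG, with their documented priorities.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "*", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*", "*"),
]

# Constructed user rules: admins may SSH in; RDP from inside the VNet is denied,
# which overrides the default AllowVnetInBound because 200 < 65000.
SAMPLE_RULES = [
    Rule("AllowSshFromAdmins", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "*", "*", "22"),
    Rule("DenyVnetRdp", 200, "Inbound", "Deny", "Tcp", "VirtualNetwork", "*", "*", "3389"),
]


def _addr_matches(spec, addr):
    if spec == "*":
        return True
    prefixes = SERVICE_TAGS.get(spec, [spec])   # a service tag or a literal CIDR
    return any(ip_address(addr) in ip_network(p) for p in prefixes)


def _port_matches(spec, port):
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")            # "22" or "10000-10005"
    return int(lo) <= port <= int(hi or lo)


def validate(rules):
    """Reject out-of-range priorities and two rules sharing a priority and direction."""
    seen = set()
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
        key = (r.direction, r.priority)
        if key in seen:
            raise ValueError(f"{r.name}: duplicate priority {r.priority} for {r.direction}")
        seen.add(key)


def evaluate(user_rules, direction, protocol, src, src_port, dst, dst_port):
    """Return (access, rule_name) for the first matching rule in priority order."""
    validate(user_rules)
    ordered = sorted(list(user_rules) + DEFAULT_RULES, key=lambda r: r.priority)
    for r in ordered:
        if r.direction != direction:
            continue
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_addr_matches(r.source, src) and _port_matches(r.source_port, src_port)
                and _addr_matches(r.destination, dst) and _port_matches(r.destination_port, dst_port)):
            return r.access, r.name                # processing stops at the first match
    raise RuntimeError("no rule matched")          # unreachable: a DenyAll default always matches


if __name__ == "__main__":
    for flow in [("Inbound", "Tcp", "203.0.113.7", 50000, "10.0.1.4", 22),
                 ("Inbound", "Tcp", "10.0.2.5", 50000, "10.0.1.4", 3389),
                 ("Outbound", "Udp", "10.0.1.4", 5353, "8.8.8.8", 53)]:
        print(flow, "->", evaluate(SAMPLE_RULES, *flow))
```

The DenyVnetRdp case is the one to study: without it, RDP from a peer subnet is allowed by AllowVnetInBound, and the only way to change that is a rule with a smaller number, not a larger one.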

3
Q

Describe Azure DDoS protection

A

The Azure DDoS Protection service is designed to help protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack. Azure DDoS Protection uses the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. During a DDoS attack, Azure can scale your computing needs to meet demand. DDoS Protection manages cloud consumption by ensuring that your network load only reflects actual customer usage.

Azure DDoS Protection comes in two tiers:

  1. Basic: The Basic service tier is automatically enabled for every property in Azure, at no extra cost, as part of the Azure platform. Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses that Microsoft’s online services use. Azure’s global network is used to distribute and mitigate attack traffic across regions.
  2. Standard: The Standard service tier provides extra mitigation capabilities that are tuned specifically to Microsoft Azure Virtual Network resources. DDoS Protection Standard is simple to enable and requires no application changes. Protection policies are tuned through dedicated traffic monitoring and machine learning algorithms. Policies are applied to public IP addresses, which are associated with resources deployed in virtual networks, such as Azure Load Balancer and Application Gateway.
4
Q

Describe Azure DDoS protection pricing

A

The DDoS Protection Standard service has a fixed monthly charge that includes protection for 100 resources. Protection for additional resources is charged on a monthly per-resource basis.

5
Q

Describe what Azure Firewall is

A

Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers. You can deploy Azure Firewall on any virtual network but the best approach is to use it on a centralized virtual network. All your other virtual and on-premises networks will then route through it. The advantage of this model is the ability to centrally exert control of network traffic for all your VNets across different subscriptions.

Azure Firewall comes with many features, including but not limited to:

  1. Built-in high availability and availability zones: High availability is built in so there’s nothing to configure. Also, Azure Firewall can be configured to span multiple availability zones for increased availability.
  2. Network and application level filtering: Network rules filter by source and destination IP address, port, and protocol; application rules filter outbound HTTP(S) traffic by fully qualified domain name (FQDN).
  3. Outbound SNAT and inbound DNAT to communicate with internet resources: Translates the private IP address of network resources to an Azure public IP address (source network address translation) to identify and allow traffic originating from the virtual network to internet destinations. Similarly, inbound internet traffic to the firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses of resources on the virtual network.
  4. Multiple public IP addresses: These addresses can be associated with Azure Firewall.
  5. Threat intelligence: Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains.
  6. Integration with Azure Monitor: Integrated with Azure Monitor to enable collecting, analyzing, and acting on telemetry from Azure Firewall logs.

Use Azure Firewall to help protect the Azure resources you’ve connected to Azure Virtual Networks.

6
Q

Describe what Azure Bastion is

A

Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal using Transport Layer Security (TLS). When you connect via Azure Bastion, your virtual machines don’t need a public IP address, agent, or special client software.

Bastion provides secure RDP and SSH connectivity to all VMs in the virtual network in which it’s provisioned. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing secure access using RDP/SSH.

Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. When you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.

7
Q

Describe the key features of Azure Bastion

A

The following features are available:

  1. RDP and SSH directly in Azure portal: You get to the RDP and SSH session directly in the Azure portal, using a single-click experience.
  2. Remote session over TLS and firewall traversal for RDP/SSH: Use an HTML5-based web client that’s automatically streamed to your local device. The RDP and SSH sessions are carried inside a TLS connection on port 443, so they traverse corporate firewalls that only permit HTTPS.
  3. No Public IP required on the Azure VM: Azure Bastion opens the RDP/SSH connection to your Azure virtual machine using private IP on your VM. You don’t need a public IP.
  4. No hassle of managing NSGs: A fully managed platform PaaS service from Azure that’s hardened internally to provide secure RDP/SSH connectivity. You don’t need to apply any NSGs on an Azure Bastion subnet.
  5. Protection against port scanning: Because you don’t need to expose your virtual machines to the internet, your VMs are protected against port scanning by rogue and malicious users located outside your virtual network.
  6. Protect against zero-day exploits: A fully platform-managed PaaS service. Because it sits at the perimeter of your virtual network, you don’t need to worry about hardening each virtual machine in the virtual network. The Azure platform protects against zero-day exploits by keeping the Azure Bastion hardened and always up to date for you.

Use Azure Bastion to establish secure RDP and SSH connectivity to your virtual machines in Azure.

8
Q

Describe what a Web Application Firewall is

A

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. A centralized WAF helps make security management simpler, improves the response time to a security threat, and allows patching a known vulnerability in one place, instead of securing each web application. A WAF also gives application administrators better assurance of protection against threats and intrusions.

9
Q

Describe ways Azure encrypts data

A

Microsoft Azure provides many different ways to secure your data, each depending on the service or usage required.

  1. Azure Storage Service Encryption helps to protect data at rest by automatically encrypting data before persisting it to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage, and decrypting it on retrieval.
  2. Azure Disk Encryption helps you encrypt Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks.
  3. Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
10
Q

What is Azure Key Vault?

A

Azure Key Vault is a centralized cloud service for storing your application secrets. Key Vault helps you control your applications’ secrets by keeping them in a single, central location and by providing secure access, permissions control, and access logging capabilities. It’s useful for different kinds of scenarios:

  1. Secrets management. You can use Key Vault to store securely and tightly control access to tokens, passwords, certificates, Application Programming Interface (API) keys, and other secrets.
  2. Key management. You can use Key Vault as a key management solution. Key Vault makes it easier to create and control the encryption keys used to encrypt your data.
  3. Certificate management. Key Vault lets you provision, manage, and deploy your public and private Secure Sockets Layer/ Transport Layer Security (SSL/ TLS) certificates for Azure, and internally connected, resources more easily.
  4. Store secrets backed by hardware security modules (HSMs). The secrets and keys can be protected either by software or by FIPS 140-2 Level 2 validated HSMs.

Use the various ways in which Azure can encrypt your data to help you secure it whatever the location or state.

11
Q

Describe Cloud security posture management

A

Cloud security posture management (CSPM) is a relatively new class of tools designed to improve your cloud security management. It assesses your systems and automatically alerts security staff in your IT department when a vulnerability is found. CSPM uses tools and services in your cloud environment to monitor and prioritize security enhancements and features.

CSPM uses a combination of tools and services:

  1. Zero Trust-based access control: Considers the active threat level during access control decisions.
  2. Real-time risk scoring: To provide visibility into top risks.
  3. Threat and vulnerability management (TVM): Establishes a holistic view of the organization’s attack surface and risk and integrates it into operations and engineering decision-making.
  4. Discover sharing risks: To understand the data exposure of enterprise intellectual property, on sanctioned and unsanctioned cloud services.
  5. Technical policy: Apply guardrails to audit and enforce the organization’s standards and policies to technical systems.
  6. Threat modeling systems and architectures: Used alongside other specific applications.

The main goal for a cloud security team working on posture management is to continuously report on and improve the organization’s security posture by focusing on disrupting a potential attacker’s return on investment (ROI).

12
Q

Describe the Azure Security Center

A

Azure Security Center provides the tools you need to harden your network, secure services, and ensure you’re on top of your security posture.

  1. Continuous assessment. Discovers and reports on whether new and existing resources and assets are configured according to security compliance requirements. You’ll get an ordered list of recommendations of what needs to be fixed to maintain maximum protection. Security Center groups the recommendations into security controls and adds a secure score value to each control.
  2. Network map. Continuous monitoring of the security status of your network. Use the map to look at the topology of your workloads, so you can see if each node is properly configured. You’ll see how your nodes are connected, which helps you block unwanted connections that could make it easier for an attacker to move laterally through your network.
13
Q

Describe Azure Secure score

A

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so you can quickly see your current security situation: the higher the score, the lower the identified risk level.

The secure score is shown in the Azure portal pages as a percentage value. To increase your security and raise your score, review Security Center’s recommendations page for the outstanding actions necessary. Each recommendation includes instructions to help you remediate the specific issue.

14
Q

Describe Azure Defender

A

Azure Defender is a built-in tool that provides threat protection for workloads running in Azure, on-premises, and other clouds. Azure Defender is the leading Microsoft extended detection and response (XDR) solution for threat protection.

Azure Defender comes with several different plans that can be enabled separately and will run simultaneously to provide a comprehensive defense for compute, data, and service layers in your environment. The Azure Defender plans you can select from are:

  1. Azure Defender for servers adds threat detection and advanced defenses for your Windows and Linux machines.
  2. Azure Defender for App Service uses the cloud scale to identify attacks targeting applications running over App Service.
  3. Azure Defender for Storage detects potentially harmful activity on your Azure Storage accounts. Data can be protected, whether stored as blob containers, file shares, or data lakes.
  4. Azure Defender for SQL extends Azure Security Center’s data security package to secure your databases and their data wherever they’re located.
  5. Azure Defender for Kubernetes provides the best cloud-native Kubernetes security environment hardening, workload protection, and run-time protection.
  6. Azure Defender for container registries protects all the Azure Resource Manager based registries in your subscription. Azure Defender scans all images pushed to the registry, or imported into the registry, or any images pulled within the last 30 days.
  7. Azure Defender for Key Vault is Azure-native, advanced threat protection for Azure Key Vault, providing an extra layer of security intelligence.
15
Q

Describe the Azure Security Benchmark

A

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The ASB focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the CIS. Each recommendation includes the following information:

  1. Azure ID: The Azure Security Benchmark ID that corresponds to the recommendation.
  2. Recommendation: The recommendation provides a high-level description of the control.
  3. Guidance: The rationale for the recommendation and links to guidance on how to implement it.
  4. Responsibility: Who is responsible for implementing the control? Possible scenarios are customer responsibility, Microsoft responsibility, or shared responsibility.
  5. Azure Security Center monitoring: Does Azure Security Center monitor the control?

All recommendations, including the ones that don’t apply to this specific service, appear in the baseline to provide a complete picture of how the Azure Security Benchmark relates to each service.

Security baselines are included for many Azure services, including Azure security baseline for Security Center.

16
Q

Describe security center pricing

A

Security Center is offered in two modes:

  1. Azure Defender off
    Security Center without Azure Defender is enabled free of charge on all your Azure subscriptions when you visit the Azure Security Center dashboard in the Azure portal for the first time, or if enabled programmatically via API.
  2. Azure Defender on
    Enabling Azure Defender extends the free mode capabilities to workloads running in private and other public clouds, providing unified security management and threat protection across your hybrid cloud workloads.
17
Q

What is security information and event management (SIEM)?

A

A SIEM system is a tool that an organization uses to collect data from across the whole estate, including infrastructure, software, and resources. It does analysis, looks for correlations or anomalies, and generates alerts and incidents.

18
Q

What is security orchestration, automation, and response (SOAR)?

A

A SOAR system takes alerts from many sources, such as a SIEM system. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.

19
Q

What is extended detection and response (XDR)?

A

An XDR system is designed to deliver intelligent, automated, and integrated security across an organization’s domain. It helps prevent, detect, and respond to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.

To provide a comprehensive security perimeter, an organization needs to use a solution that embraces or combines all of the above systems.

20
Q

Describe what Microsoft Azure Sentinel is

A

Microsoft Azure Sentinel is a scalable, cloud-native SIEM/SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

  1. Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
  2. Detect previously undetected threats and minimize false positives using analytics and unparalleled threat intelligence.
  3. Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft.
  4. Respond to incidents rapidly with built-in orchestration and automation of common security tasks.
21
Q

What are Azure Monitor Workbooks?

A

After you connect data sources to Azure Sentinel, you can monitor the data using the Azure Sentinel integration with Azure Monitor Workbooks. You’ll see a canvas for data analysis and the creation of rich visual reports within the Azure portal. Through this integration, Azure Sentinel allows you to create custom workbooks across your data. It also comes with built-in workbook templates that allow quick insights across your data as soon as you connect a data source.

22
Q

What is a security playbook?

A

A security playbook is a collection of procedures that can help automate and orchestrate your response. It can be run manually or set to run automatically when specific alerts are triggered. Security playbooks in Azure Sentinel are based on Azure Logic Apps. You get all the power, customizability, and built-in templates of Logic Apps. Each playbook is created for the specific subscription you choose.
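Cards 17, 18, 20 and 22 describe the pipeline in words: a SIEM collects events and correlates them into alerts and incidents, and a SOAR playbook then runs automated actions when an alert fires. The Python below is an added example written for this page, not Azure Sentinel code, a KQL analytics rule, or a Logic App: it runs a brute-force correlation rule over a handful of constructed sign-in events, groups the alerts into an incident, and maps the incident severity to a playbook. The event format, the rule names, the thresholds and the action names (block_ip_on_firewall, revoke_user_sessions, notify_soc) are all assumptions made for the example; the playbook returns a plan rather than calling anything.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events (not real telemetry): a brute force from
# 198.51.100.23 that finally succeeds against "alice", plus unrelated noise.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:05Z", "user": "alice", "ip": "198.51.100.23", "result": "Failure"},
    {"time": "2024-05-01T08:00:40Z", "user": "alice", "ip": "198.51.100.23", "result": "Failure"},
    {"time": "2024-05-01T08:01:12Z", "user": "alice", "ip": "198.51.100.23", "result": "Failure"},
    {"time": "2024-05-01T08:01:50Z", "user": "alice", "ip": "198.51.100.23", "result": "Success"},
    {"time": "2024-05-01T08:03:00Z", "user": "bob",   "ip": "203.0.113.9",   "result": "Failure"},
    {"time": "2024-05-01T08:30:00Z", "user": "carol", "ip": "203.0.113.9",   "result": "Success"},
]

FAILURE_THRESHOLD = 3            # assumption: tune to the environment
WINDOW = timedelta(minutes=5)

# Hypothetical playbooks keyed by incident severity (assumption).
PLAYBOOKS = {
    "High": ["block_ip_on_firewall", "revoke_user_sessions", "notify_soc"],
    "Medium": ["block_ip_on_firewall"],
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events):
    """SIEM analytics rule: per source IP, keep failures inside a sliding window;
    raise a Medium alert at the threshold and a High alert if a success follows."""
    alerts = []
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        recent = []
        for e in evs:
            t = _ts(e["time"])
            recent = [f for f in recent if t - _ts(f["time"]) <= WINDOW]
            if e["result"] == "Failure":
                recent.append(e)
                if len(recent) == FAILURE_THRESHOLD:
                    alerts.append({"rule": "BruteForceAttempt", "severity": "Medium", "ip": ip,
                                   "users": sorted({f["user"] for f in recent}), "time": e["time"]})
            elif e["result"] == "Success" and len(recent) >= FAILURE_THRESHOLD:
                alerts.append({"rule": "BruteForceThenSuccess", "severity": "High", "ip": ip,
                               "users": [e["user"]], "time": e["time"]})
                recent = []                                 # the sequence has been reported
    return alerts


def build_incidents(alerts):
    """Group alerts by source IP into incidents; severity is the highest alert severity."""
    rank = {"Low": 0, "Medium": 1, "High": 2}
    incidents = {}
    for a in alerts:
        inc = incidents.setdefault(a["ip"], {"ip": a["ip"], "severity": "Low", "alerts": [], "users": set()})
        inc["alerts"].append(a["rule"])
        inc["users"].update(a["users"])
        if rank[a["severity"]] > rank[inc["severity"]]:
            inc["severity"] = a["severity"]
    return list(incidents.values())


def run_playbook(incident):
    """SOAR step: expand the severity's playbook into concrete, ordered actions."""
    plan = []
    for action in PLAYBOOKS.get(incident["severity"], []):
        if action == "block_ip_on_firewall":
            plan.append(f"{action}:{incident['ip']}")
        elif action == "revoke_user_sessions":
            plan.extend(f"{action}:{u}" for u in sorted(incident["users"]))
        else:
            plan.append(action)
    return plan


def respond(events):
    """End-to-end: events -> alerts -> incidents -> playbook plans."""
    return [(inc, run_playbook(inc)) for inc in build_incidents(correlate(events))]


if __name__ == "__main__":
    for inc, plan in respond(SAMPLE_EVENTS):
        print(inc["severity"], inc["ip"], inc["alerts"], "->", plan)
```

Note that the single failure from 203.0.113.9 never reaches the threshold, and carol's later success from that address is outside the window, so only one incident is produced. In Sentinel the correlation would be a scheduled analytics rule and the playbook a Logic App; the shape of the decision is the same.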

23
Q

Describe Azure Sentinel pricing

A

Azure Sentinel provides intelligent security analytics across your enterprise. The data for this analysis is stored in an Azure Monitor Log Analytics workspace. Billing is based on the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace. There are two ways to pay for the Azure Sentinel service: Capacity Reservations and Pay-As-You-Go.

Capacity Reservations: With Capacity Reservations, you’re billed a fixed fee based on the selected tier, enabling a predictable total cost for Azure Sentinel.
Pay-As-You-Go: With Pay-As-You-Go pricing, you’re billed per gigabyte (GB) for the volume of data ingested for analysis in Azure Sentinel and stored in the Azure Monitor Log Analytics workspace.

24
Q

Describe the four components of the Microsoft 365 Defender suite

A

Microsoft 365 Defender suite protects:

  1. Endpoints with Microsoft Defender for Endpoint - Microsoft Defender for Endpoint is a unified endpoint platform for preventative protection, post-breach detection, automated investigation, and response.
  2. Email and collaboration with Microsoft Defender for Office 365 - Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools.
  3. Identities with Microsoft Defender for Identity and Azure AD Identity Protection - Microsoft Defender for Identity uses Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.
  4. Applications with Microsoft Cloud App Security - Microsoft Cloud App Security is a comprehensive cross-SaaS solution that brings deep visibility, strong data controls, and enhanced threat protection to your cloud apps.
25
Q

What is the difference between the Microsoft Defender for Office 365 Plan 1 and Plan 2 options?

A

Microsoft Defender for Office 365 Plan 1
This plan offers configuration, protection, and detection tools for your Office 365 suite:

  • Safe Attachments: Checks email attachments for malicious content.
  • Safe Links: Links are scanned for each click. A safe link remains accessible, but malicious links are blocked.
  • Protection for SharePoint, OneDrive, and Microsoft Teams: Protects your organization when users collaborate and share files by identifying and blocking malicious files in team sites and document libraries.
  • Anti-phishing protection: Detects attempts to impersonate your users and internal or custom domains.
  • Real-time detections: A real-time report that allows you to identify and analyze recent threats.

Microsoft Defender for Office 365 Plan 2
This plan includes all the core features of Plan 1, and provides automation, investigation, remediation, and simulation tools to help protect your Office 365 suite:

  • Threat Trackers: Provide the latest intelligence on prevailing cybersecurity issues, and allow an organization to take countermeasures before there’s an actual threat.
  • Threat Explorer: The Plan 2 counterpart of the Plan 1 real-time detections report, with additional filtering and investigation capabilities for identifying and analyzing recent threats.
  • Automated investigation and response (AIR): Includes a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually. A security playbook can start an automated investigation, provide detailed results, and recommend actions that the security team can approve or reject.
  • Attack Simulator: Allows you to run realistic attack scenarios in your organization to identify vulnerabilities.

Microsoft Defender for Office 365 is included in certain subscriptions, such as Microsoft 365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium. If your subscription doesn’t include Defender for Office 365, you can purchase it as an add-on.

26
Q

What is Microsoft Cloud App Security (MCAS)?

A

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB). It’s a comprehensive cross-SaaS solution that operates as an intermediary between a cloud user and the cloud provider. Microsoft Cloud App Security provides rich visibility to your cloud services, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services. Use this service to gain visibility into Shadow IT by discovering the cloud apps being used. You can control and protect data in the apps after you sanction them to the service.

27
Q

Describe the Microsoft Cloud App Security framework

A

MCAS is built on a framework that provides the following capabilities:

  1. Discover and control the use of Shadow IT: Identify the cloud apps, and IaaS and PaaS services used by your organization. Investigate usage patterns, assess the risk levels and business readiness of more than 16,000 SaaS apps against more than 80 risks.
  2. Protect your sensitive information anywhere in the cloud: Understand, classify, and protect the exposure of sensitive information at rest. Use out-of-the-box policies and automated processes to apply controls in real time across all your cloud apps.
  3. Protect against cyberthreats and anomalies: Detect unusual behavior across cloud apps to identify ransomware, compromised users, or rogue applications, analyze high-risk usage, and remediate automatically to limit risks.
  4. Assess your cloud apps’ compliance: Assess if your cloud apps meet relevant compliance requirements, including regulatory compliance and industry standards. Prevent data leaks to non-compliant apps and limit access to regulated data.

Azure Active Directory Premium P1 includes Azure Active Directory Cloud App Discovery at no extra cost.

28
Q

Describe the Microsoft 365 security center

A

The Microsoft 365 security center is the new home for monitoring and managing security across your Microsoft identities, data, devices, and apps. Here you can view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 security center helps security admins and security operations teams manage and protect their organization.

  1. Home - security health
  2. Incidents
  3. Alerts
  4. Action Center
  5. Reports
  6. Secure Score
  7. Advanced hunting
  8. Classification
  9. Policies
  10. Permissions
29
Q

Differences between the Azure and Microsoft Secure Score

A

There’s a Secure Score for both Microsoft 365 Defender and Azure Defender, but they’re subtly different. Secure Score in the Azure Security Center is a measure of the security posture of your Azure subscriptions. Secure Score in the Microsoft 365 security center is a measure of the security posture of the organization across your apps, devices, and identities.

Both the Azure and Microsoft Secure Score provide a list of steps you can take to improve your score. In Microsoft 365 Secure Score, these steps are called improvement actions. In the Azure Secure Score, scores are assessed for each subscription. The steps you can take to improve your score are called security recommendations and they’re grouped into security controls.

Use Microsoft Secure Score to understand and rapidly improve your organization’s security posture.

30
Q

Describe Microsoft security center security reports and dashboards

A

The Microsoft security center includes a Reports section that shows various cards covering different areas. Security analysts and administrators can track the cards as part of their day-to-day operations. On drill-down, cards provide detailed reports and, in some cases, management options.

By default, cards are grouped by the following categories:

  1. Identities - user accounts and credentials.
  2. Data - email and document contents.
  3. Devices - computers, mobile phones, and other devices.
  4. Apps - programs and attached online services.

You can group cards by topic, which will rearrange the cards and group them into the following areas:

  1. Risk - cards that highlight entities, such as accounts and devices, that might be at risk. These cards also highlight possible sources of risk, such as new threat campaigns and privileged cloud apps.
  2. Detection trends - cards that highlight new threat detections, anomalies, and policy violations.
  3. Configuration and health - cards that cover the configuration and deployment of security controls, including device onboarding states to management services.
  4. Other - all cards not categorized under other topics.
31
Q

Describe what Intune is

A

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices, including mobile phones, tablets, and laptops, are used. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization.

32
Q

Describe Mobile device management (MDM)

A

For devices that are owned by the business, organizations can maintain full control. This includes settings, features, and security. When these devices are enrolled with Intune, they’ll receive rules and settings defined by Intune policies. For example, you can define password requirements.

When devices are enrolled and managed in Intune, administrators can:

  • See the devices enrolled, and get an inventory of the ones accessing organization resources.
  • Configure devices so they meet your security and health standards. For example, you probably want to block jailbroken devices.
  • Push certificates to devices so users can easily access your Wi-Fi network, or use a VPN to connect to it.
  • See reports on users and devices to determine if they’re compliant.
  • Remove organization data if a device is lost, stolen, or not used anymore.

33
Q

Describe Mobile application management (MAM)

A

Users with personal devices might not want their phone to be under full corporate control. Mobile application management (MAM) gives admins the ability to protect corporate data at the application level. Where users just want to access apps like email or Microsoft Teams, admins can use application protection policies, without requiring the device to be enrolled in Intune, supporting bring-your-own device (BYOD) scenarios.

MAM can be used with custom applications and store apps.

When apps are managed in Intune, administrators can:

  • Add and assign mobile apps to user groups and devices, including users and devices in specific groups, and more.
  • Configure apps to start or run with specific settings enabled and update existing apps already on the device.
  • See reports on which apps are used and track their usage.
  • Do a selective wipe by removing only organization data from apps.

34
Q

Describe endpoint security with Intune

A

When admins want to configure and manage security tasks for at-risk devices, they can go to the Endpoint security node in Intune.

  1. Manage security baselines
  2. Use policies to manage device security
  3. Use device compliance policy
  4. Configure conditional access
  5. Integration with Microsoft Defender for Endpoint (mobile threat defender)
  6. Role-based access control with Microsoft Intune
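Items 3 and 4 above (device compliance policy and conditional access), together with the MDM card's example of blocking jailbroken devices, form one chain: the compliance policy produces a compliant/non-compliant verdict per device, and conditional access uses that verdict to grant or block access to an app. The Python below is an added example written for this page, not Intune or Azure AD code: it evaluates a hypothetical compliance policy (minimum OS version, password, encryption, jailbreak check, enrollment) and feeds the result into an access decision. The policy values, the Device fields and the app name are assumptions chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    os: str             # "iOS", "Android" or "Windows"
    os_version: str     # dotted version string as reported by the device
    jailbroken: bool
    password_set: bool
    encrypted: bool
    enrolled: bool = True


# Hypothetical compliance policy (assumption), modelled on the kinds of checks
# an Intune device compliance policy exposes.
POLICY = {
    "min_os_version": {"iOS": (16, 0), "Android": (13, 0), "Windows": (10, 0, 19045)},
    "require_password": True,
    "require_encryption": True,
    "block_jailbroken": True,
}


def _version(s):
    """Turn "17.4" into (17, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def evaluate_compliance(device, policy=POLICY):
    """Return (compliant, reasons). A device that is not enrolled cannot report
    its state, so it is treated as non-compliant rather than unknown."""
    if not device.enrolled:
        return False, ["device not enrolled"]
    reasons = []
    if policy["block_jailbroken"] and device.jailbroken:
        reasons.append("jailbroken/rooted")
    if policy["require_password"] and not device.password_set:
        reasons.append("no device password")
    if policy["require_encryption"] and not device.encrypted:
        reasons.append("storage not encrypted")
    minimum = policy["min_os_version"].get(device.os)
    if minimum is None:
        reasons.append(f"unsupported OS {device.os}")
    elif _version(device.os_version) < minimum:
        reasons.append(f"OS {device.os_version} below minimum {'.'.join(map(str, minimum))}")
    return not reasons, reasons


def conditional_access(device, app, policy=POLICY):
    """Grant access to a corporate app only from a compliant device; otherwise
    block and return the reasons so the user (and the helpdesk) can fix them."""
    ok, reasons = evaluate_compliance(device, policy)
    return {"app": app, "device": device.name, "decision": "grant" if ok else "block", "reasons": reasons}


if __name__ == "__main__":
    fleet = [
        Device("iphone-alice", "iOS", "17.4", False, True, True),
        Device("pixel-bob", "Android", "12.1", True, False, True),
        Device("laptop-carol", "Windows", "10.0.19044", False, True, True, enrolled=False),
    ]
    for d in fleet:
        print(conditional_access(d, "Exchange Online"))
```

The two design points worth keeping from this: compare versions as tuples of integers, never as strings ("9.0" sorts after "17.4" lexically), and report every failed check rather than the first one, so a single remediation round fixes the device.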