Microsoft 365 Security and Compliance for Administrators: A definitive guide to planning, implementing, and maintaining Microsoft 365 security posture

Microsoft 365 Security and Compliance for Administrators

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Pavan Ramchandani

Publishing Product Manager: Prachi Sawant

Book Project Manager: Ashwin Dinesh Kharwa

Senior Editor: Sujata Tripathi

Technical Editor: Irfa Ansari

Copy Editor: Safis Editing

Indexer: Hemangini Bari

Production Designer: Ponraj Dhandapani

DevRel Marketing Coordinator: Marylou De Mello

First published: March 2024

Production reference: 1140324

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-83763-837-6

www.packtpub.com

To my loving family. None of this would be possible and nothing would make sense without your love and support. Love you all.

– Sasha Kranjac

To my beloved wife and cherished daughter, my deepest gratitude for your support on this incredible journey. Thank you for all your support and long live Rockabilly. HZ87 forever!

– Omar Kudović

Contributors

About the authors

Sasha Kranjac is the CEO of Kloudatech and the CEO of Kranjac Consulting and Training. As a Microsoft Partner, an AWS Partner, and a CompTIA Authorized Delivery Partner, his companies specialize in IT training and consulting, cloud security architecture and engineering, civil engineering, and CAD design.

Sasha is a Microsoft Regional Director, Microsoft MVP in two categories (Security and Azure), a Microsoft Certified Trainer, MCT Regional Lead, Certified EC-Council Instructor, CompTIA Instructor, a frequent speaker at various international conferences, user groups, and events, and book author.

I want to thank my loving family for riding the roller-coaster of life together. You are the ones who give the ride meaning; it is because of you that the ride makes sense, and it is because of you the ride is fun.

Omar Kudović is a senior system engineer at SYS Company d.o.o., Sarajevo. With over 15 years immersed in the dynamic field of IT, his expertise has been focused on cloud solutions (Microsoft 365 and Azure) and security and compliance. Over the past decade, he has dedicated efforts to seamlessly integrating cloud services and application solutions within the complex landscape of business enterprises, specifically emphasizing security and compliance, endpoint protection, audio, video, voice, and messaging. During the last 12 years, Omar has been awarded the Microsoft MVP award for the Office365 Apps and Services category. He is also a regular speaker at international IT conferences, user groups, and events. On a more personal note, he finds enjoyment in the world of Hi-Fi audiophiles, rockabilly music and culture, and fine wine.

About the reviewers

Rahul Singh is a seasoned IT professional and Chief Teaching Officer at SV9 Academy, which is a Microsoft Learning Partner. Rahul has 18 years of experience in the IT field, as of 2024, and holds numerous certifications in the Microsoft technological stack. In addition, Rahul has also been an MCT since 2020. He is deeply passionate about technology and demystifying complex technical architectures using various pedagogies and a systems-based learning mechanism, making learning an enjoyable and enriching experience.

With the ever-changing technical world, testing and reviewing technical content can be a very daunting task, requiring perseverance and patience. I would like to take this opportunity to thank my lovely parents, who I have been blessed with by the Divine, as, without their support, I would not have been able to be a part of this amazing project from Packt.

Mustafa Toroman is a technology professional and the Chief Technology Officer at run.events, a company that provides a platform for organizing and managing events. He has over 20 years of experience in the IT industry and has held various technical and leadership positions in companies around the world. He has a deep understanding of software development, cloud computing, and IT infrastructure management. Mustafa is a Microsoft MVP, a frequent speaker at technology conferences and events, and also a community leader organizing meetups and events. He is also a published author and has written several books on Microsoft technologies and cloud computing.

Steve Miles, aka SMiles, is CTO at Westcoast Cloud, part of a multi-billion turnover IT distributor based in the UK and Ireland. Steve holds 25+ Microsoft certifications, one of which is Microsoft 365 Certified: Administrator Expert, he is also a Microsoft MVP (Most Valuable Professional), MCT (Microsoft Certified Trainer), as well as an Alibaba Cloud MVP. With 25+ years of technology experience, and a previous military career in engineering, signals and communications. Amongst other books, Steve is the author of Windows 11 for Enterprise Administrators.

He is also a petrolhead and can also be found tinkering on cars when he is not writing.

This is my contribution to the worldwide technical learning community, and I would like to thank all of you who are investing your valuable time in committing to reading this book and learning these skills.

Rio Hindle is a Cloud Security Microsoft MVP with 5 years of experience in this field and 8 years of experience in information technology. He also has certifications for Microsoft services in Microsoft 365, Azure, and Cybersecurity. He has delivered training on various solution areas to many organizations, from beginner to advanced-level courses. He has worked in different areas of the industry, including end user, reseller channels, and vendor spaces, with global networks, data and app security vendors, and hardware distribution. He has held roles such as cloud practice lead, service desk manager, and head of technical services. He now works for a top muti-cloud distributor in the UK and Ireland in a cloud and hybrid technology leadership role.

Thanks to Steve Miles for your valuable guidance and support. Also, a big thanks to my current employer for giving me this opportunity.

Table of Contents

Preface

Part 1:Introduction to Microsoft 365

1

Getting Started with Microsoft 365 Security and Compliance

Technical requirements

Introduction to Microsoft 365 offers, plans, and licenses

Microsoft 365 plans and components

Microsoft 365 licensing

Introduction to Microsoft 365 security

Introduction to Microsoft 365 compliance

Summary

2

The Role of Microsoft Entra ID in Microsoft 365 Security

Technical requirements

Microsoft Entra ID plans and features

Microsoft Entra ID roles and groups

Azure roles, or Azure RBAC roles

Microsoft Entra ID roles

Classic roles

Microsoft 365 roles in Microsoft Entra ID

Best practices for roles

Microsoft 365 groups

Microsoft Entra ID Protection

Summary

Part 2: Microsoft 365 Security

3

Microsoft Defender for Office 365

Technical requirements

Getting started with Microsoft Defender for Office 365

Protecting assets with Microsoft Defender for Office 365

Quarantine policy

Anti-phishing

Anti-spam

Anti-malware

Safe Attachment

Safe Links

Rules

Attack simulation training

Responding to alerts and mitigating threats

Summary

4

Microsoft Defender for Endpoint

Introducing Microsoft Defender for Endpoint

Technical and license requirements

Configuring Microsoft Defender for Endpoint

Microsoft Defender Vulnerability Management dashboard

Microsoft Defender for Endpoint Device inventory

Windows devices

Configuring advanced features in Microsoft Defender for Endpoint

Security recommendations

The Microsoft Defender for Endpoint configuration management dashboard

Microsoft Defender for Endpoint Tutorials & simulations

Microsoft Defender for Endpoint Co-management Authority

Configuring a compliance policy for Windows devices

Configuring a configuration profile for Windows devices

Windows 365

Enrollment device platform restrictions

Enrollment device limit restrictions

Configuring quality updates for Windows 10 and later in Intune

How to create a profile for update policies for iOS/iPadOS in Intune

How to create a profile for update policies for macOS in the Intune portal

How to create app protection policies in the Microsoft Intune admin portal

How to create app configuration policies

How to create policies for Office apps in the Intune admin portal

Endpoint Security

Creating a profile for a security baseline for Windows 10 and later

Creating a Microsoft Defender for Endpoint baseline

Creating a Microsoft Edge baseline

Creating a Windows 365 security baseline

Managing and creating different policies under Endpoint Security

Configuring an antivirus policy in the Intune portal

Configuring disk encryption

Configuring a firewall policy

Setting up endpoint detection and response

Configuring attack surface reduction

Configuring account protection

Configuring device compliance

Configuring Conditional Access policies

Summary

5

Getting Started with Microsoft Purview

About Microsoft Purview

How it works…

Benefits

Technical and license requirements

Configuring Microsoft Purview

Compliance Score

Classifiers in Microsoft 365 Purview

Configuring sensitive info types

Configuring content explorer

Content search

Streamlining data discovery

Enhancing data governance and compliance

Independence and objectivity

Regulatory oversight and accountability

Risk mitigation and control

A comprehensive compliance oversight

Collaboration and cross-functional alignment

Data loss prevention

Endpoint DLP settings

Summary

6

Microsoft Defender for Cloud Apps

Introducing Microsoft Defender for Cloud Apps

Discovering shadow IT with Microsoft Defender for Cloud Apps

Discovering and managing shadow IT in Microsoft Defender for Cloud Apps

Technical and license requirements

Configuring Microsoft Defender for Cloud Apps

Managing OAuth applications with Microsoft Defender for Cloud Apps

Managing files in Microsoft Defender for Cloud Apps

Managing the activity log in Microsoft Defender for Cloud Apps

Governance log

Microsoft Defender for Cloud Apps policies

Summary

7

Microsoft Defender Vulnerability Management

Getting started with Microsoft Defender Vulnerability Management

Microsoft Defender Vulnerability Management licensing and technical requirements

Key features and capabilities

Benefits of using the Vulnerability Management dashboard

Permissions

Recommendations and remediation

Security recommendations

Remediation tasks in Microsoft Intune

Remediation

Inventories and weaknesses

Inventories

Weaknesses

Summary

8

Microsoft Defender for Identity

Introducing Microsoft Defender for Identity

Technical and license requirements

Configuring Microsoft Defender for Identity

Configuring sensors for Microsoft Defender for Identity

Entity tags

Working with detection rules

Configuring Microsoft Defender for Identity and Microsoft Sentinel

Summary

Part 3: Microsoft 365 Governance and Compliance

9

Microsoft Purview Insider Risk Management

Technical requirements

Insider Risk Management

Initial setup

Resolving insider risk cases

Information barriers and access management

Microsoft Purview IB requirements

Communication Compliance

Summary

Further readings

10

Microsoft Purview Information Protection

About Microsoft Purview Information Protection

Data classification

Configuring Information Protection

Information Protection

Publishing label policies

Information Protection scanner

Installing the Microsoft Purview Information Protection scanner

Summary

11

Understanding the Lifecycle of Auditing and Records

Getting started with the lifecycle of auditing and records

The lifecycle of audits and records in Microsoft 365

Microsoft Purview Records Management

Microsoft data lifecycle management

Creating retention policies

Creating and publishing labels

Records management

eDiscovery and data holds

Configuring eDiscovery Standard and Premium

Creating and configuring eDiscovery premium cases

Auditing and alerts

Summary

Index

Other Books You May Enjoy

Preface

Microsoft 365 is a complex, comprehensive, ever-evolving, and expanding suite, or collection of products, covering broad aspects of cloud computing, work, communication, and collaboration. In summary, it is huge, and it is always changing. You know what they say about cloud and cloud-related products – the only constant thing is change! Microsoft 365 and its related products and features are not an exception to this rule or saying. We wanted to include in the book everything that has anything to do with security and compliance in Microsoft 365, and we were very enthusiastic, motivated, and thrilled. However, it was easier to say and wish than to make it happen. There was – and still is – simply too much to include, too many features, products, capabilities, and so many things to mention, introduce and explain.

We tried to focus our time and energy on addressing all changes, ultimately deciding to bring you the most valuable and useful security and governance knowledge from our day-to-day, real-life, hands-on working experience with Microsoft 365. Compromises were made in what to include and what to leave out of the book, and we hope it will help you to sharpen your skills and become a better Microsoft 365 security and governance administrator, specialist, or user.

Who this book is for

This book is for security engineers, technical engineers, consultants, solution and cloud architects, systems administrators, security professionals, security analysts, IT professionals, system architects and SecOps teams working with Microsoft 365 security solutions, and Microsoft 365 security and compliance professionals, all looking to improve their security and compliance posture in Microsoft 365. Individuals, businesses, enterprises, and organizations of various sizes and industries face increasingly hostile cyber-threat environments and complex compliance landscapes.

What this book covers

Chapter 1

, Getting Started with Microsoft 365 Security and Compliance, introduces what Microsoft 365 is, what it can do, and what it offers. You will also learn about plans, licensing, and how Microsoft 365 helps you comply with various regulations and standards.

Chapter 2

, The Role of Microsoft Entra ID in Microsoft 365 Security, covers Microsoft Entra ID’s plans and features, roles and groups, and Entra ID protection.

Chapter 3

, Microsoft Defender for Office 365, discusses Microsoft Defender for Office 365 and how it protects email and collaboration content.

Chapter 4

, Microsoft Defender for Endpoint, presents vast endpoint protection capabilities, essential features, and configuration steps.

Chapter 5

, Getting Started with Microsoft Purview, familiarizes you with Microsoft Purview configuration, data classification, data search, and Data Loss Prevention features.

Chapter 6

, Microsoft Defender for Cloud Apps, presents cloud apps protection capabilities with Microsoft 365, configuration, Oauth apps and files management, governance, and policies in Defender for Cloud Apps.

Chapter 7

, Microsoft Defender Vulnerability Management, explains vulnerability management features in Microsoft and what to do when an inventory has weaknesses, analyzes recommendations, and looks at how to remediate vulnerabilities.

Chapter 8

, Microsoft Defender for Identity, introduces on-premises identity protection capabilities, and the configuration and management of Defender for Identity.

Chapter 9

, Microsoft Purview Insider Risk Management, discusses insider risk management, information barriers, and communication compliance.

Chapter 10

, Microsoft Purview Information Protection, explores information protection, labeling, classification capabilities, as well as configuration steps.

Chapter 11

, Understanding the Lifecycle of Auditing and Records, explains auditing and records life cycle management in Microsoft 365, including data retention, archiving, e-discovery, and data holds.

To get the most out of this book

To get started with the book, you should have access to a Microsoft 365 subscription and the products mentioned in the book. Any subscription will work, as long as you have access to the licensed products or features – a trial subscription or a commercial subscription.

You should have some basic, fundamental knowledge of Microsoft 365 generally, and fundamental knowledge of security and compliance principles. Additionally, some fundamental knowledge of relevant Microsoft 365 security and compliance services and products is desirable and beneficial, but not required.

Microsoft published a full comparison (PDF) document of Microsoft 365 plans and features on this page: https://www.microsoft.com/en/microsoft-365/enterprise/e5

. Consult the information available online and in the full comparison document to find out more about products and licenses. More information about products and licenses is available in Chapter 1

, Getting Started with Microsoft 365 Security and Compliance.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example:

IdentityLogonEvents

| where TimeGenerated >= ago (7d)

| where UserPrincipalName == user name@domain

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: In the Microsoft 365 Defender portal, select Permissions, then Settings, followed by Microsoft 365 Defender. Select Permissions and roles to view the available options.

Tips or important notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected]

and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata

and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected]

with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com

.

Share Your Thoughts

Once you’ve read Microsoft 365 Security and Compliance for Administrators, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback

.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere?

Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there, you can get exclusive access to discounts, newsletters, and great free content in your inbox daily

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781837638376

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly

Part 1:Introduction to Microsoft 365

In this part, we introduce you to Microsoft 365, explaining what it can do, and what it offers. You will learn about currently available plans in Microsoft 365, licensing, and how Microsoft 365 helps you comply with various regulations and standards. Furthermore, we will cover Microsoft Entra ID plans and features, its roles and groups, as well as Entra ID protection.

This part includes the following chapters:

Chapter 1

, Getting Started with Microsoft 365 Security and Compliance

Chapter 2

, The Role of Microsoft Entra ID in Microsoft 365 Security

1

Getting Started with Microsoft 365 Security and Compliance

Microsoft 365 is a subscription-based service from Microsoft that provides users with a suite of applications and services for productivity, collaboration, and communication, helping businesses and individuals work more efficiently. It includes popular software such as Microsoft Word, Excel, PowerPoint, and Outlook, as well as cloud-based services such as OneDrive and SharePoint.

In this chapter, we are going to cover the following main topics:

Introduction to Microsoft 365 offers, plans, and licenses

Introduction to Microsoft 365 security

Introduction to Microsoft 365 compliance

In this chapter, readers will learn what Microsoft 365 is and its capabilities and products, plans, and offers. Additionally, you will learn about Microsoft 365 security, Microsoft 365 Defender, and related security products. Finally, we will conclude this chapter by introducing Microsoft 365’s comprehensive compliance features.

Technical requirements

Microsoft 365 is a subscription-based service and, to try and experience the functionality of each product and service, a user must have an appropriate license. It does not matter whether a user has a trial license, or they have a regular or paid license – as long as they have a license assigned, they can enjoy the proper product.

Introduction to Microsoft 365 offers, plans, and licenses

More than a decade ago, Microsoft introduced Office 365, a software as a service (SaaS) offering, as a natural evolution from the very popular business productivity suite. The suite, or the bundle, consisted of core productivity desktop-based applications such as Outlook, Word, Excel, PowerPoint, OneNote, and Access, including server-based services such as SharePoint, Exchange, and Skype for Business.

It became obvious that productivity encompasses and needs more than just productivity tools. That led to a logical move by Microsoft to include more essential products and services and bring together Windows and Enterprise Mobility + Security (EM+S) to form Microsoft 365.

Microsoft 365 is a name for Microsoft’s cloud-based service, that is, a collection of cloud-based services with common denominators including enhanced user productivity, efficient collaboration, and communication, while keeping data and devices secure wherever they are, whether that be in the office, at home, or on the go.

One of the main benefits of Microsoft 365 is that it allows users to access their files and applications from anywhere on any device. This is made possible through the integration of cloud-based services such as OneDrive, which allows users to store and share files online. This means that users can access their files from a desktop computer, laptop, tablet, or smartphone, as long as they have an internet connection.

Another benefit of Microsoft 365 is the ability to collaborate and communicate with others in real-time. Applications such as SharePoint and Teams allow users to share and co-author documents, as well as participate in virtual meetings and chat with their colleagues. This makes it easy for teams to work together, regardless of their physical location.

In addition to the productivity and collaboration features, Microsoft 365 also includes security and compliance tools to help protect users’ data and ensure compliance with regulatory requirements. For example, it uses machine learning and behavioral analysis to detect and block malicious emails, links, and files, and can also help to identify and respond to security threats in near real-time. Among many features that Microsoft 365 offers is Data Loss Prevention (DLP), which helps to prevent sensitive data from being shared or leaked. DLP is just one of the numerous Microsoft 365 security features; we will take a closer look and learn more about them later in the book.

In terms of compliance, Microsoft 365 includes several features to help organizations meet regulatory requirements. For example, it includes eDiscovery, which allows administrators to search for and export data from email, SharePoint, and Teams to comply with legal and regulatory requests. Additionally, it also includes retention and archiving capabilities, which allow organizations to retain and archive data for compliance purposes.

In general, Microsoft 365 is a comprehensive solution for businesses and individuals looking to increase their productivity, collaboration, and communication while also ensuring the security of their data. With its range of applications and services, it provides users with everything they need to work effectively, whether they are in the office or working remotely.

As a subscription-based service, Microsoft 365 offers subscription plans and bundles tailored for personal use, small businesses, enterprises, schools, educational and governmental users, and more.

While classic Office applications such as Word, Excel, Outlook, and PowerPoint are available as a one-time purchase via Office Home & Business 2021 or Office Home & Student 2021, these do not include some popular capabilities and products such as cloud storage or Microsoft Teams.

Microsoft 365 plans and components

There are four fundamental Microsoft 365 plans groups, each containing two or more Microsoft 365 plans:

Microsoft 365 For Home plans: These include the following plans:

Microsoft 365 Family

Microsoft 365 Personal

Office Home & Business 2021

Office Home & Home 2021

Microsoft 365 For Small and Medium Businesses plans: These include the following plans:

Microsoft 365 Business Basic

Microsoft 365 Business Standard

Microsoft 365 Business Premium

Microsoft 365 Apps for Business

Microsoft 365 For Enterprise plans: These include the following plans:

Microsoft 365 E3

Microsoft 365 E5

Microsoft 365 Apps for Enterprise

Microsoft 365 For Frontline Workers plans: These include the following plans:

Microsoft 365 F1

Microsoft 365 F3

Microsoft 365 F5

Other Microsoft 365 and Office 365 offers include plans specifically suited for governments, education (academic institutions), nonprofit organizations, the US government, and 21Vianet-operated areas (China).

Microsoft 365 is comprised of three components, and each component has its own tier, such as E3, F3, or A3, with different capabilities included:

Office 365: This includes a cloud-based suite of productivity applications and services, information protection capabilities such as message encryption, rights management, and data loss prevention for files and email messages; compliance capabilities such as mailbox litigation hold and eDiscovery; and data analytics with powerful visualization

Windows Enterprise: This includes advanced features aimed and designed specifically for larger organizations and enterprises, such as operating system deployment and update control, device and application management capabilities, universal print, Microsoft Defender for Endpoint, and advanced protection against security threats

EM+S: This is a mobility management and security platform that includes advanced identity and access management, endpoint management, information protection capabilities, and advanced identity-related security enhancements

Microsoft 365 comprises many products and features, such as the web, mobile, and desktop versions of Word, Excel, PowerPoint, and Outlook, advanced security, tools to create personalized documents, cyber threat protection, and access and data control features. Depending on organizational size, Microsoft has gathered and included a variety of products in different product packages, or plans, and we will introduce the most important and most prevalent ones.

Products and features

While products included in Microsoft 365 plans have many features, we have put an emphasis on security and compliance capabilities. That means we deliberately have not included tables and descriptions of all features, with the intention of preserving readability, decluttering the book content, and focusing on security and compliance-related products.

Microsoft 365 for small and medium-sized businesses

Microsoft 365 Business plans are specifically adapted to the needs of small and medium businesses, for up to 300 users. If your organization has a need to license more than 300 users, you need to consider using Microsoft 365 Enterprise licenses.

The following table shows you the security and compliance capabilities and features of Microsoft 365 user subscription suites for small and medium-sized businesses: