Index

A

AADRM (AIPService PowerShell module), 106

access control

conditional access policies

configuring, 17-18

planning, 13-14

RBAC (role-based access control)

auditing, 20

configuring, 19-20

planning, 18-19

access reviews, 6-8

action items in Compliance Manager, 188-189

AD FS (federation), 2

administrator roles in collaboration workloads, 101

Advanced Hunting dashboard in Microsoft Defender ATP, 47

Advanced Threat Protection. See Azure ATP; Office 365 ATP

AIP (Azure Information Protection)

configuring

policies, 108-109

Sensitivity Labels, 106-108

deploying

AIP clients, 110

RMS connector, 109

integrating with Office 365, 110-111

managing tenant keys, 109

planning, 105-106

AIPService PowerShell module, 106

alerts

audit alerts, 151-152

in Azure AD Identity Protection, 24

in Azure ATP, 40-41

CAS (Cloud App Security), monitoring, 124

in Microsoft Defender ATP, 46

Alerts section (Security and Compliance Center), 139

creating alerts, 142-143

dashboard, 139-140

emails and, 143

managing advanced alerts, 143

viewing alerts, 140-141

anti-phishing policies

actions against impersonation, 74-75

configuring, 70-72

defining users and domains, 72-73

anti-spam policies, configuring, 75-78

application data security

MAM (mobile application management) with Microsoft Intune, 63-64

non-Windows devices, 68-69

planning, 62-63

WIP (Windows Information Protection), 64-68

apps in CAS (Cloud App Security), managing, 119

archive data

configuring, 171-172

importing, 169-171

assessments in Compliance Manager, 148, 188-189

assigned groups in Azure AD, 5-6

assigning roles, 145

ATP (Advanced Threat Protection). See Azure ATP; Office 365 ATP

Attack Simulator in Office 365 ATP, 87

brute-force password attacks, 90

password spray attacks, 91

spear phishing, 88-89

audit logs, 144

configuring

audit alerts, 151-152

auditing and reporting, 146

delay in, 145

mailbox auditing, 145-147

planning auditing and reporting, 144-146

searching, 147

types of events included, 147

viewing, 145-146

auditing RBAC (role-based access control), 20

authentication

device authentication with Windows Hello for Business, 10-12

planning, 2

sign-in security

configuring options, 12-13

with MFA (multifactor authentication), 10

planning, 9

Automated Investigations dashboard in Microsoft Defender ATP, 46-47

Azure AD (Active Directory)

authentication, planning, 2

B2B sharing for external users, configuring, 103-104

conditional access policies, planning, 13-14

groups

configuring identity governance, 6-8

creating, 5-6

Identity Protection

alerts, 24

risk event reports, 24

sign-in risk policies, 23-24

user risk policies, 22-23

password management, 6

PIM (Privileged Identity Management)

configuring roles, 21-22

managing roles, 22

planning, 21

sign-in security

configuring options, 12-13

with MFA (multifactor authentication), 10

planning, 9

synchronization, planning, 2-3

Azure AD Connect

customizing settings, 3

Express settings, 2-3

monitoring and troubleshooting events, 3-4

Azure AD Connect Health, 3-4

Azure AD Connect Sync, 2

Azure AD Connect Sync Service, 2

Azure ATP (Advanced Threat Protection)

generating reports, 38-39

installing and configuring, 36-37

integrating with Microsoft Defender ATP, 39-40

managing Workspace Health, 37-38

monitoring suspicious activities, 40-41

planning, 34

capacity planning, 34-35

prerequisites, 35-36

Azure ATP Sizing tool, 34

Azure ATP Standalone

advantages and disadvantages, 35

capacity planning, 34

prerequisites, 35

Azure Information Protection (AIP)

configuring

policies, 108-109

Sensitivity Labels, 106-108

deploying

AIP clients, 110

RMS connector, 109

integrating with Office 365, 110-111

managing tenant keys, 109

planning, 105-106

Azure RMS (Rights Management Service), deploying connectors, 109

Azure Sentinel, 92

planning and implementation, 92-94

Playbooks

configuring, 94

managing and monitoring, 94-95

running, 95

B

B2B (business-to-business) sharing, configuring, 103-104

Baseline Protection tier, 101

blocked URLs, configuring in Safe Links, 81

brute-force password attacks, 90

BYOD (Bring Your Own Device) strategy, 63

C

capabilities in Azure ATP (Advanced Threat Protection), 36

capacity planning in Azure ATP (Advanced Threat Protection), 34-35

CAS (Cloud App Security)

configuring, 117-118

connectors and OAuth apps, 120-121

policies and templates, 121-124

managing

advanced alerts, 143

apps, 119

cloud app catalog, 119

cloud app discovery, 118

policies, 120

monitoring

alerts, 124

logs, 125-126

reports, 125

planning, 117

cases (eDiscovery), managing, 182-183

classification

applying labels to personal data, 156

creating labels, 157-158

monitoring leaks of personal data, 157

planning, 153, 160

publishing labels, 158-159

purpose of, 152

searching for personal data, 153-156

clients (AIP), deploying, 110

cloud app catalog, managing, 119

cloud app discovery, managing, 118

Cloud App Security. See CAS (Cloud App Security)

collaboration workloads (Office 365), configuring data access, 101-103

compliance, data privacy and, 184

assessments and action items in Compliance Manager, 188-189

DSRs (data subject requests), 186-187

GDPR dashboard, 185-186

planning, 184

reviewing Compliance Manager reports, 187-188

Compliance Manager, 148-150, 184

assessments and action items, 188-189

reviewing reports, 187-188

compliance policies

configuring, 15-16

planning, 13-14

conditional access policies

configuring, 17-18

planning, 13-14

Security Defaults versus, 9

configuring

AIP (Azure Information Protection) policies, 108-109

anti-phishing policies, 70-72

anti-spam policies, 75-78

archive data, 171-172

audit alerts, 151-152

audit logs, 145

auditing and reporting, 146

Azure AD groups for identity governance, 6-8

Azure ATP (Advanced Threat Protection), 36-37

B2B sharing for external users, 103-104

blocked URLs in Safe Links, 81

CAS (Cloud App Security), 117-124

compliance policies, 15-16

conditional access policies, 17-18

data access for collaboration workloads (Office 365), 101-103

Identity Protection alerts, 24

impersonation, actions against, 74-75

information holds in eDiscovery, 168-169

Microsoft Office Telemetry, 133

OAuth apps, 120-121

passwordless authentication, 12-13

PIM (Privileged Identity Management) roles, 21-22

Playbooks (in Azure Sentinel), 94

RBAC (role-based access control), 19-20

Safe Attachments policies, 78-79

Safe Links policies, 79-81

Sensitivity Labels, 106-108

sign-in risk policies, 23-24

sign-in security options, 12-13

Threat Intelligence, 81-82

user risk policies, 22-23

Windows Telemetry, 132-133

WIP (Windows Information Protection) policies, 65-68

connectors (CAS), configuring, 120-121

content search, 176

exporting results, 180-181

performing, 177-180

planning, 176-177

roles for, 177

continuous reports (cloud app discovery), creating, 119

core isolation, 56

credentials harvesting, 88-89

custom apps, adding to cloud app catalog, 119

Customer Lockbox, 100-101

customizing Azure AD Connect settings, 3

D

dashboards

Alerts section (Security and Compliance Center), 139-140

for data governance, reviewing, 161-162

data privacy compliance, 185-186

in Microsoft Defender ATP, 44

data access in Office 365

B2B sharing for external users, 103-104

configuring in collaboration workloads, 101-103

with Customer Lockbox, 100-101

data governance. See governance

Data Loss Prevention (DLP)

creating and managing

policies, 112-114

sensitive information types, 114-115

managing notifications, 116

monitoring reports, 115-116

planning, 112

policies in SharePoint, 102

data privacy compliance, 184

assessments and action items in Compliance Manager, 188-189

DSRs (data subject requests), 186-187

GDPR dashboard, 185-186

planning, 184

reviewing Compliance Manager reports, 187-188

data protection. See information protection

data subject requests (DSRs), 186-187

default alerts, 142

deleting

alerts (Azure ATP), 41

inactive mailboxes, 176

device authentication with Windows Hello for Business, 10-12

device compliance. See compliance policies

Device Health, 132

Device Security dashboard, 55-58

device threat protection

Microsoft Defender ATP

managing, 43-54

monitoring, 55

planning and implementing, 42-43

planning, 55-58

Secure Boot, 61

Windows 10 device encryption, 62

Windows Defender Application Control (WDAC), 59-60

Windows Defender Application Guard (WDAG), 58-59

Windows Defender Exploit Guard (WDEG), 60-61

dictionary attacks, 90

DLP (Data Loss Prevention)

creating and managing

policies, 112-114

sensitive information types, 114-115

managing notifications, 116

monitoring reports, 115-116

planning, 112

policies in SharePoint, 102

domain controllers, memory allocation for, 34

domains, defining in anti-phishing policies, 72-73

drive shipping, network uploads versus, 170

DSRs (data subject requests), 186-187

dynamic groups in Azure AD, 5-6

E

eDiscovery

cases, managing, 182-183

inactive mailboxes and, 173

information holds, configuring, 168-169

planning, 176-177

roles for, 177

eDiscovery Export Tool, 180-181

emails, alerts and, 143

encryption for Windows 10 devices, 62

endpoints. See also device threat protection

for Azure ATP (Advanced Threat Protection), 36

defined, 41

enterprise hybrid threat protection, 33

Azure ATP

generating reports, 38-39

installing and configuring, 36-37

integrating with Microsoft Defender ATP, 39-40

managing Workspace Health, 37-38

monitoring suspicious activities, 40-41

planning, 34-36

Office 365 ATP, 69

anti-phishing policies, 70-75

anti-spam policies, 75-78

Attack Simulator, 87-91

creating and reviewing incidents, 85-86

reports, 87

reviewing quarantined items, 86

Safe Attachments policies, 78-79

Safe Links policies, 79-81

Threat Explorer and Threat Tracker, 84-85

Threat Intelligence, 81-83

Threat Management, 83

EOP (Exchange Online Protection), 77

events

in Azure AD Connect, monitoring and troubleshooting, 3-4

logging, 145

event types, defining for retention policies, 164-165

Event Viewer, monitoring and troubleshooting Azure AD Connect events, 4

exporting content search results, 180-181

Express settings in Azure AD Connect, 2-3

external B2B sharing, configuring, 103-104

F

federation (AD FS), 2

filtering alerts (Azure ATP), 41

G

GDPR (General Data Privacy Regulation), 154

dashboard, 185-186

DSRs (data subject requests) and, 186-187

governance

archive data

configuring, 171-172

importing, 169-171

classification and labeling

applying labels to personal data, 156

creating labels, 157-158

monitoring leaks of personal data, 157

planning, 153, 160

publishing labels, 158-159

purpose of, 152

searching for personal data, 153-156

identity governance, configuring, 6-8

inactive mailboxes, managing, 172-176

information holds, configuring, 168-169

retention policies

creating, 162-163

defining event types, 164-165

planning, 160-161

publishing, 163-164

purpose of, 159

reviewing reports and dashboards, 161-162

supervision policies, defining, 165-168

groups in Azure AD

configuring identity governance, 6-8

creating, 5-6

H

Highly Confidential Protection tier, 101

HIPAA, DLP policies and, 114

I

identities

Azure AD groups

configuring identity governance, 6-8

creating, 5-6

Azure AD Identity Protection

alerts, 24

risk event reports, 24

sign-in risk policies, 23-24

user risk policies, 22-23

Azure AD password management, 6

Azure AD PIM

configuring roles, 21-22

managing roles, 22

planning, 21

Identity Protection

alerts, configuring, 24

risk event reports, reviewing, 24

sign-in risk policies, configuring, 23-24

user risk policies, configuring, 22-23

impersonation, configuring actions against, 74-75

impersonation settings in anti-phishing policies, 71

importing PST data, 169-171

inactive mailboxes, managing, 172-176

incidents

in Microsoft Defender ATP, 44-45

in Office 365 ATP, 85-86

Information Governance dashboard, 161-162

information holds, configuring, 168-169

information protection

AIP (Azure Information Protection)

configuring policies, 108-109

configuring Sensitivity Labels, 106-108

deploying AIP clients, 110

deploying RMS connector, 109

integrating with Office 365, 110-111

managing tenant keys, 109

planning, 105-106

CAS (Cloud App Security)

configuring, 117-118

configuring connectors and OAuth apps, 120-121

configuring policies and templates, 121-124

managing apps, 119

managing cloud app catalog, 119

managing cloud app discovery, 118

managing policies, 120

monitoring alerts, 124

monitoring logs, 125-126

monitoring reports, 125

planning, 117

DLP (Data Loss Prevention)

creating and managing policies, 112-114

creating and managing sensitive information types, 114-115

managing notifications, 116

monitoring reports, 115-116

planning, 112

Office 365 data access

B2B sharing for external users, 103-104

configuring in collaboration workloads, 101-103

with Customer Lockbox, 100-101

installing Azure ATP (Advanced Threat Protection), 36-37

integrating AIP and Office 365, 110-111

Intelligent Security Graph, 135-136

Intune

conditional access policies, planning, 13-14

mobile application management (MAM), 63-64

for non-Windows devices, 68-69

J–K–L

JMF (Junkmail Folder), quarantining versus, 77

labeling. See also retention policies

applying to personal data, 156

creating labels, 157-158

monitoring leaks of personal data, 157

planning, 153, 160

publishing labels, 158-159

purpose of, 152

searching for personal data, 153-156

licensing Microsoft Defender ATP, 42

litigation holds

changing duration, 175

creating, 173-174

logs (CAS), monitoring, 125-126. See also audit logs

M

Machine Configuration Management dashboard in Microsoft Defender ATP, 52-53

Machines list in Microsoft Defender ATP, 45

mailbox auditing, 145-147

mailboxes

archive, configuring, 171-172

inactive, managing, 172-176

MAM (mobile application management), 63-64

memory allocation for virtualized domain controllers, 34

MFA (multifactor authentication), 10

for Attack Simulator, 88

Secure Score and, 138

Microsoft 365 hybrid environments

Azure AD authentication, planning, 2

Azure AD Connect events, monitoring and troubleshooting, 3-4

Azure AD synchronization, planning, 2-3

Microsoft Cloud App Security. See CAS (Cloud App Security)

Microsoft Compliance Score, 184

Microsoft Defender ATP

integrating

Azure ATP, 39-40

Office 365 Threat Intelligence, 82-83

management console, 43-44

Advanced Hunting dashboard, 47

alerts, 46

Automated Investigations dashboard, 46-47

dashboards, 44

incidents, 44-45

Machine Configuration Management dashboard, 52-53

Machines list, 45

Partners & APIs section, 49-50

Reports dashboard, 48-49

Service Health dashboard, 52

Settings section, 53-54

Simulations & Tutorials section, 51

Threat & Vulnerability Management Dashboard (TVM), 50-51

monitoring, 55

planning and implementing, 42-43

Microsoft Endpoint Manager

compliance policies, configuring, 15-16

conditional access policies, configuring, 17-18

Microsoft Intune

conditional access policies, planning, 13-14

mobile application management (MAM), 63-64

for non-Windows devices, 68-69

Microsoft Office Telemetry, configuring options, 133

mobile application management (MAM), 63-64

monitoring

Azure AD Connect events, 3-4

in Microsoft Defender ATP, 55

multifactor authentication (MFA), 10

for Attack Simulator, 88

Secure Score and, 138

N

network uploads, drive shipping versus, 170

New-AzRoleAssignment cmdlet, 20

non-Windows devices, application data security, 68-69

notifications (DLP), managing, 116

O

OAuth apps, configuring, 120-121

Office 365

connecting to CAS (Cloud App Security), 121

data access security

B2B sharing for external users, 103-104

configuring in collaboration workloads, 101-103

with Customer Lockbox, 100-101

integrating AIP with, 110-111

Office 365 ATP (Advanced Threat Protection), 69

anti-phishing policies

actions against impersonation, 74-75

configuring, 70-72

defining users and domains, 72-73

anti-spam policies, configuring, 75-78

Attack Simulator, 87

brute-force password attacks, 90

password spray attacks, 91

spear phishing, 88-89

incidents, creating and reviewing, 85-86

quarantined items, reviewing, 86

reports, 87

Safe Attachments policies

configuring, 78-79

enabling, 78

Safe Links policies, configuring, 79-81

Threat Explorer and Threat Tracker, reviewing threats and malware trends, 84-85

Threat Intelligence

configuring, 81-82

integrating with Microsoft Defender ATP, 82-83

Threat Management, reviewing threats and malware trends, 83

Office 365 CAS (Cloud App Security), 117

Office 365 Secure Score. See Secure Score

Office 365 Security and Compliance Center. See Security and Compliance Center

Office Telemetry, configuring options, 133

operating systems supported by Microsoft Defender ATP, 42

P

Partners & APIs section in Microsoft Defender ATP, 49-50

pass-through authentication (PTA), 2

password hash synchronization (PHS), 2

password spray attacks, 91

passwordless authentication, configuring options, 12-13

passwords in Azure AD, managing, 6

permissions. See roles

personal data

labeling, 156

monitoring

with GDPR dashboard, 185-186

leaks of, 157

searching for, 153-156

PHS (password hash synchronization), 2

PIM (Privileged Identity Management)

configuring roles, 21-22

managing roles, 22

planning, 21

planning

AIP (Azure Information Protection), 105-106

application data security, 62-63

auditing and reporting, 144-146

Azure AD authentication, 2

Azure AD synchronization, 2-3

Azure ATP (Advanced Threat Protection), 34

capacity planning, 34-35

prerequisites, 35-36

Azure Sentinel implementation, 92-94

CAS (Cloud App Security), 117

classification and labeling, 153, 160

compliance policies, 13-14

conditional access policies, 13-14

content search and eDiscovery, 176-177

data privacy compliance, 184

device authentication, 10-12

device threat protection, 55-58

DLP (Data Loss Prevention), 112

Microsoft Defender ATP implementation, 42-43

PIM (Privileged Identity Management), 21

RBAC (role-based access control), 18-19

retention policies, 160-161

sign-in security, 9

Playbooks (in Azure Sentinel)

configuring, 94

running, 95

policies (AIP), configuring, 108-109

policies (CAS)

configuring, 121-124

managing, 120

policies (DLP), creating and managing, 112-114

policies (WIP), configuring, 65-68

policy tips (DLP), 116

Power Apps, DLP (Data Loss Prevention) and, 112

PowerShell, configuring roles with, 20

prerequisites

Azure ATP (Advanced Threat Protection), 35-36

Azure Sentinel, 92

pricing, Azure Sentinel, 94-95

privacy. See data privacy compliance

Privileged Identity Management (PIM)

configuring roles, 21-22

managing roles, 22

planning, 21

PST data, importing, 169-171

PTA (pass-through authentication), 2

publishing

labels, 158-159

retention policies, 163-164

Q

quarantined items in Office 365 ATP, reviewing, 86

quarantining, Junkmail Folder (JMF) versus, 77

R

RBAC (role-based access control)

auditing, 20

configuring, 19-20

planning, 18-19

recovering

inactive mailboxes, 175

restoring versus, 176

regulatory compliance. See compliance

Remove-AzRoleAssignment cmdlet, 20

removing. See deleting

reports

Azure ATP, generating, 38-39

CAS (Cloud App Security), monitoring, 125

cloud app discovery, creating, 118

Compliance Manager, 148-150, 187-188

configuring auditing and reporting, 146

for data governance, reviewing, 161-162

data privacy compliance, 185-186

DLP (Data Loss Prevention), monitoring, 115-116

in Office 365 ATP, 87

planning auditing and reporting, 144-146

security reports

Intelligent Security Graph, 135-136

Office Telemetry, configuring options, 133

Secure Score, 136-139

Security and Compliance Center, Alerts section, 139-143

Security Dashboard, 133-135

Windows Analytics, interpreting data from, 132

Windows Telemetry, configuring options, 132-133

Reports dashboard in Microsoft Defender ATP, 48-49

restoring

inactive mailboxes, 175-176

recovering versus, 176

restricting VPN connectivity, 17

retention labels in SharePoint, 102

retention policies

creating, 162-163

defining event types, 164-165

inactive mailboxes and, 173

planning, 160-161

publishing, 163-164

purpose of, 159

reviewing reports and dashboards, 161-162

risk event reports, reviewing, 24

RMS connectors, deploying, 109

role-based access control (RBAC)

auditing, 20

configuring, 19-20

planning, 18-19

roles

accessing Secure Score, 137

assigning, 145

in Azure ATP (Advanced Threat Protection), 36

in Compliance Manager, 148

configuring and searching audit logs, 145

for content search and eDiscovery, 177

in Microsoft Defender ATP, 44

S

Safe Attachments policies

configuring, 78-79

enabling, 78

Safe Links policies, configuring, 79-81

searching

audit logs, 147

for content, 176

exporting results, 180-181

performing search, 177-180

planning, 176-177

roles for, 177

for personal data, 153-156

Secure Boot, 58, 61

Secure Score, 136-139

Security and Compliance Center

Alerts section, 139

creating alerts, 142-143

dashboard, 139-140

emails and, 143

managing advanced alerts, 143

viewing alerts, 140-141

auditing and reporting

configuring, 146

configuring audit alerts, 151-152

searching audit logs, 147

importing PST data, 169-171

Information Governance dashboard, 161-162

Security Dashboard, 133-135

Security Defaults, 9

Security Processor, 56

security reporting

Intelligent Security Graph, 135-136

Office Telemetry, configuring options, 133

Secure Score, 136-139

Security and Compliance Center, Alerts section, 139-143

Security Dashboard, 133-135

Windows Analytics, interpreting data from, 132

Windows Telemetry, configuring options, 132-133

self-service password reset (SSPR), 6

sensitive information types

creating and managing, 114-115

list of, 154

Sensitive Protection tier, 101

Sensitivity Labels, 152, 156

configuring, 106-108

creating, 157-158

publishing, 158-159

purpose of, 105

service endpoints for Azure ATP (Advanced Threat Protection), 36

Service Health dashboard in Microsoft Defender ATP, 52

Settings section in Microsoft Defender ATP, 53-54

SharePoint, data access protection, 102-103

shipping drives, uploading data versus, 170

sign-in risk policies, configuring, 23-24

sign-in security

configuring options, 12-13

with MFA (multifactor authentication), 10

planning, 9

Simulations & Tutorials section in Microsoft Defender ATP, 51

snapshot reports (cloud app discovery), creating, 118

spam filtering, 75-78

spear phishing, 88-89

spoofing settings in anti-phishing policies, 72

SSPR (self-service password reset), 6

supervision policies, defining, 165-168

suspicious activities, monitoring, 40-41

sync errors in Azure AD Connect Health, 4

synchronization, planning, 2-3

T

Teams, data access protection, 103

templates (CAS), configuring, 121-124

tenant keys, managing, 109

Threat Explorer, 84-85

Threat Intelligence (TI)

configuring, 81-82

integrating with Microsoft Defender ATP, 82-83

Threat Management dashboard, 83

Threat Tracker, 84-85

Threat & Vulnerability Management Dashboard (TVM) in Microsoft Defender ATP, 50-51

TPM (Trusted Platform Module), 56

troubleshooting Azure AD Connect events, 3-4

U

Upgrade Readiness, 132

uploading data, shipping drives versus, 170

user risk policies, configuring, 22-23

users, defining in anti-phishing policies, 72-73

V

viewing

alerts, 140-141

audit logs, 145-146

View-Only Audit Logs role, 145-146

virtualized domain controllers, memory allocation for, 34

VPN connectivity, restricting, 17

W

Windows 10

device encryption, 62

Device Security dashboard, 55-58

Windows Analytics, interpreting data from, 132

Windows Defender Antivirus, Microsoft Defender ATP onboarding and, 43

Windows Defender Application Control (WDAC), 59-60

Windows Defender Application Guard (WDAG), 58-59

Windows Defender ATP. See Microsoft Defender ATP

Windows Defender Exploit Guard (WDEG), 60-61

Windows Hello for Business, 10-12

Windows Telemetry, configuring options, 132-133

WIP (Windows Information Protection), 64-68

Workspace Health (Azure ATP), managing, 37-38

X–Y–Z

Yammer

data access protection, 103

DLP (Data Loss Prevention) and, 112
