The Microsoft Security Fundamentals exam is an opportunity to familiarize yourself with the core security, compliance, and identity (SCI) concepts across Microsoft cloud-based services.

Use this exam cram guide to familiarise yourself with Microsoft’s holistic approach and end-to-end solution. Each testing domain is listed along with the key review points that you will need to be familiar with in order to be successful.

Video Content

Cloud Security Fundamentals

Identity and Authentication

Security and Compliance

Azure Network Security

Section 1: Describe security methodologies

1.1 – Describe the Zero-Trust methodology

Zero Trust assumes everything is on an open and untrusted network, even resources behind the firewalls of the corporate network. The Zero Trust model operates on the principle of “trust no one, verify everything.”

Attackers’ ability to bypass conventional access controls is ending any illusion that traditional security strategies are sufficient. By no longer trusting the integrity of the corporate network, security is strengthened.

In practice, this means that we no longer assume that a password is sufficient to validate a user but add multi-factor authentication to provide additional checks. Instead of granting access to all devices on the corporate network, users are allowed access only to the specific applications or data that they need.

The Zero Trust model has three principles which guide and underpin how security is implemented. These are: verify explicitly, least privilege access, and assume breach.

  • Verify explicitly. Always authenticate and authorize based on the available data points, including user identity, location, device, service or workload, data classification, and anomalies.
  • Least privileged access. Limit user access with just-in-time and just-enough access (JIT/JEA), risk-based adaptive policies, and data protection to protect both data and productivity.
  • Assume breach. Segment access by network, user, devices, and application. Use encryption to protect data, and use analytics to get visibility, detect threats, and improve your security.

1.2 – Describe the shared responsibility model

The shared responsibility model identifies which security tasks are handled by the cloud provider, and which security tasks are handled by you, the customer.

In organizations running only on-premises hardware and software, the organization is 100 percent responsible for implementing security and compliance. With cloud-based services, that responsibility is shared between the customer and the cloud provider.

The responsibilities vary depending on where the workload is hosted:

  • Software as a Service (SaaS)
  • Platform as a Service (PaaS)
  • Infrastructure as a Service (IaaS)
  • On-premises datacenter (On-prem)

The shared responsibility model makes responsibilities clear. When organizations move data to the cloud, some responsibilities transfer to the cloud provider and some to the customer organization.

The following diagram illustrates the areas of responsibility between the customer and the cloud provider, according to where data is held.

1.3 – Define defense in depth

Defense in depth uses a layered approach to security, rather than relying on a single perimeter. A defense in-depth strategy uses a series of mechanisms to slow the advance of an attack. Each layer provides protection so that, if one layer is breached, a subsequent layer will prevent an attacker getting unauthorized access to data.

Example layers of security might include:

  • Physical security such as limiting access to a datacenter to only authorized personnel.
  • Identity and access security controls, such as multi-factor authentication or condition-based access, to control access to infrastructure and change control.
  • Perimeter security including distributed denial of service (DDoS) protection to filter large-scale attacks before they can cause a denial of service for users.
  • Network security, such as network segmentation and network access controls, to limit communication between resources.
  • Compute layer security such as securing access to virtual machines either on-premises or in the cloud by closing certain ports.
  • Application layer security to ensure applications are secure and free of security vulnerabilities.
  • Data layer security including controls to manage access to business and customer data and encryption to protect data.

Section 2: Describe security concepts

2.1 – Describe common threats

There are different types of security threats. Some aim to steal data, some aim to extort money, and others to disrupt normal operations, such as a denial of service attack.

Data breach: A data breach is when data is stolen, and this includes personal data. Personal data means any information related to an individual that can be used to identify them directly or indirectly.

Common security threats that can result in a breach of personal data include phishing, spear phishing, tech support scams, SQL injection, and malware designed to steal passwords or bank details.

Dictionary attack: A dictionary attack is a type of identity attack where a hacker attempts to steal an identity by trying a large number of known passwords. Each password is automatically tested against a known username. Dictionary attacks are also known as brute force attacks.

Ransomware: Malware is the term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can give attackers unauthorized access, which allows them to use system resources, lock you out of your computer, and ask for ransom.

Ransomware is a type of malware that encrypts files and folders, preventing access to important files. Ransomware attempts to extort money from victims, usually in the form of cryptocurrencies, in exchange for the decryption key.

Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims.

Disruptive attacks:A Distributed Denial of Service (DDoS) attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.

Other common threats include coin miners, rootkits, trojans, worms, and exploits and exploit kits. Rootkits intercept and change standard operating system processes. After a rootkit infects a device, you can’t trust any information that the device reports about itself.

Trojans are a common type of malware which can’t spread on their own. This means they either have to be downloaded manually or another malware needs to download and install them. Trojans often use the same file names as real and legitimate apps so it’s easy to accidentally download a trojan thinking that it is legitimate.

A worm is a type of malware that can copy itself and often spreads through a network by exploiting security vulnerabilities. It can spread through email attachments, text messages, file-sharing programs, social networking sites, network shares, removable drives, and software vulnerabilities.

Exploits take advantage of vulnerabilities in software. A vulnerability is a weakness in your software that malware uses to get onto your device. Malware exploits these vulnerabilities to bypass your computer’s security safeguards and infect your device.

These examples are just a few of the threats commonly seen. This is a continually evolving area and new threats emerge all the time.

2.2 – Describe encryption

There are two top-level types of encryption: symmetric and asymmetric. Symmetric encryption uses the same key to encrypt and decrypt the data. Asymmetric encryption uses a public key and private key pair. Either key can encrypt data, but a single key can’t be used to decrypt encrypted data. To decrypt, you need a paired key.

Section 3: Describe Microsoft Security and compliance principles

3.1 – Describe Microsoft’s privacy principles

Microsoft’s products and services run on trust. Microsoft focuses on six key privacy principles when making decisions about data.

The six privacy principles are:

  • Control: Putting you, the customer, in control of your privacy with easy-to-use tools and clear choices.
  • Transparency: Being transparent about data collection and use so that everyone can make informed decisions.
  • Security: Protecting the data that’s entrusted to Microsoft by using strong security and encryption.
  • Strong legal protections: Respecting local privacy laws and fighting for legal protection of privacy as a fundamental human right.
  • No content-based targeting: Not using email, chat, files, or other personal content to target advertising.
  • Benefits to you: When Microsoft does collect data, it’s used to benefit you, the customer, and to make your experiences better.

3.2 – Describe the service trust portal

The Service Trust Portal provides information, tools, and other resources about Microsoft security, privacy, and compliance practices.

From the main menu, you access:

  • Service Trust Portal – home page.
  • Compliance Manager – measures your progress in completing actions that help reduce risks around data protection and regulatory standards.
  • Trust Documents – links to a security implementation and design information.
  • Industries & Regions – contains compliance information about Microsoft Cloud services organized by industry and region.
  • Trust Center – links to the Microsoft Trust Center, which provides more information about security, compliance, and privacy in the Microsoft Cloud.
  • Resources – links to resources including information about the features and tools available for data governance and protection in Office 365, the Microsoft Global Datacenters, and Frequently Asked Questions.
  • My Library – allows you to add documents and resources that are relevant to your organization. Everything is in one place. You can also opt to have email notifications sent when a document is updated, and set the frequency you receive notifications.

Section 4: Define identity principles/concepts

4.1 – Define identity as the primary security perimeter

Identity is a concept that spans an entire environment, so organizations need to think about it broadly. There are four fundamental pillars of identity that organizations should consider when creating an identity infrastructure.

Administration. Administration is about the creation and management of identities for users, devices, and services. As an administrator, you manage how and under what circumstances the characteristics of identities can change (be created, updated, deleted).

Authentication. The authentication pillar tells the story of how much assurance for a particular identity is enough. In other words, how much does an IT system need to know about an identity to have sufficient proof that they really are who they say they are? It involves the act of challenging a party for legitimate credentials.

Authorization. The authorization pillar is about processing the incoming identity data to determine the level of access an authenticated person or service has within the application or service that it wants to access.

Auditing. The auditing pillar is about tracking who does what, when, where, and how. Auditing includes having in-depth reporting, alerts, and governance of identities.

Addressing each of these four pillars is key to a comprehensive and robust identity and access control solution.

4.2 – Define modern authentication

Modern authentication is an umbrella term for authentication and authorization methods between a client, such as your laptop or phone, and a server, like a website or application. At the center of modern authentication is the role of the identity provider. An identity provider creates, maintains, and manages identity information while offering authentication, authorization, and auditing services.

With modern authentication, all services, including all authentication services, are supplied by a central identity provider. Information that’s used to authenticate the user with the server is stored and managed centrally by the identity provider.

With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks.

4.3 – Define authorization

Authorization is the act of granting an authenticated party permission to do something. It specifies what data you’re allowed to access and what you can do with that data. Authorization is sometimes shortened to AuthZ

4.4 – Describe identity providers

Modern authentication is an umbrella term for authentication and authorization methods between a client, such as your laptop or phone, and a server, like a website or application. At the center of modern authentication is the role of the identity provider. An identity provider creates, maintains, and manages identity information while offering authentication, authorization, and auditing services.

With modern authentication, all services, including all authentication services, are supplied by a central identity provider. Information that’s used to authenticate the user with the server is stored and managed centrally by the identity provider.

With a central identity provider, organizations can establish authentication and authorization policies, monitor user behavior, identify suspicious activities, and reduce malicious attacks.

4.5 – Describe Active Directory

Active Directory (AD) is a set of directory services developed by Microsoft as part of Windows 2000 for on-premises domain-based networks. The best-known service of this kind is Active Directory Domain Services (AD DS). It stores information about members of the domain, including devices and users, verifies their credentials, and defines their access rights. A server running AD DS is a domain controller (DC).

AD DS is a central component in organizations with on-premises IT infrastructure. AD DS gives organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user. AD DS doesn’t, however, natively support mobile devices, SaaS applications, or line of business apps that require modern authentication methods.

4.6 – Describe the concept of Federated services

Federation enables the access of services across organizational or domain boundaries by establishing trust relationships between the respective domain’s identity provider. With federation, there’s no need for a user to maintain a different username and password when accessing resources in other domains.

A common example of federation in practice is when a user logs in to a third-party site with their social media account, such as Twitter. In this scenario, Twitter is an identity provider, and the third-party site might be using a different identity provider, such as Azure AD. There’s a trust relationship between Azure AD and Twitter.

4.7 – Define common Identity Attacks

Password-based attacks : Password-based attacks include password spray attacks and brute force attacks. A password spray attack attempts to match a username against a list of weak passwords.

Brute force attacks try many passwords against one or more accounts, sometimes using dictionaries of commonly used passwords. When a user has assigned a weak password to their account, the hacker will find a match, and access that account.

Phishing: A phishing attack is when a hacker sends an email that appears to come from a reputable source. The email contains a credible story, such as a security breach, instructing the user to sign in and change their password. Instead of going to a legitimate website, the user is directed to the scammer’s website where they enter their username and password. The hacker has now captured the user’s identity, and their password.

Spear phishing: A spear phishing scam is a variant on phishing. Hackers build databases of information about users, which can be used to create highly credible emails. The email may appear to come from someone in your organization who is requesting information. Although careful scrutiny might uncover the fraud, users may not read it carefully enough and send the requested information or login to the website before they realize the fraud. This practice is called spear phishing because it’s highly targeted.

Section 5: Describe the basic identity services and identity types of Azure AD

5.1 – Describe Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service. Organizations use Azure AD to enable their employees, guests, and others to sign in and access the resources they need, including:

  • Internal resources, such as apps on your corporate network and intranet, and cloud apps developed by your own organization.
  • External services, such as Microsoft Office 365, the Azure portal, and any SaaS applications used by your organization.

Azure AD simplifies the way organizations manage authorization and access by providing a single identity system for their cloud and on-premises applications. Azure AD can be synchronized with your existing on-premises Active Directory, synchronized with other directory services, or used as a standalone service.

Azure AD also allows organizations to securely enable the use of personal devices, such as mobiles and tablets, and enable collaboration with business partners and customers.

5.2 – Describe Azure AD identities (users, devices, groups, service principals/applications)

Azure AD manages different types of identities: users, service principals, managed identities, and devices.

A user identity is a representation of something that’s managed by Azure AD. Employees and guests are represented as users in Azure AD. If you have several users with the same access needs, you can create a group. You use groups to give access permissions to all members of the group, instead of having to assign access rights individually.

Azure AD business-to-business (B2B) collaboration, a feature within External Identities, includes the capability to add guest users. With B2B collaboration, an organization can securely share applications and services with guest users from another organization.

A service principal is a security identity used by applications or services to access specific Azure resources. You can think of it as an identity for an application.

For an application to delegate its identity and access functions to Azure AD, the application must first be registered with Azure AD. The process of registering creates a globally unique app object that’s stored in your home tenant or directory. A service principal is created in each tenant where the application is used and references the globally unique app object. The service principal defines what the app does in the tenant, such as who accesses the app, and what resources the app can access.

A managed identity is automatically managed in Azure AD. Managed identities are typically used to manage the credentials for authenticating a cloud application with an Azure service.

There are two types of managed identities: system-assigned and user-assigned.

System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD that’s tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.

User-assigned. You may also create a managed identity as a standalone Azure resource. A user-assigned managed identity is assigned to one or more instances of an Azure service. You can create a user-assigned managed identity and assign it to one or more instances of an Azure service. With user-assigned managed identities, the identity is managed separately from the resources that use it.

Device identities can be set up in different ways in Azure AD, to determine properties such as who owns the device. Managing devices in Azure AD allows an organization to protect its assets by using tools such as Microsoft Intune to ensure standards for security and compliance. Azure AD also enables single sign-on to devices, apps, and services from anywhere through these devices.

5.3 – Describe hybrid identity

Organizations may use the hybrid identity model, or the cloud-only identity model. In the hybrid model, identities are created in Windows Active Directory or another identity provider, and then synchronized to Azure AD. In the cloud-only model, identities are created and wholly managed in Azure AD. Whether identities are created on-premises or in the cloud, users can access both cloud and on-premises resources.

With the hybrid model, users accessing both on-premises and cloud apps are hybrid users managed in the on-premises Active Directory. When you make an update in your on-premises AD DS, all updates to user accounts, groups, and contacts are synchronized to your Azure AD. The synchronization is managed with Azure AD Connect.

5.4 – Describe the different external identity types (Guest Users)

Azure AD External Identities is a set of capabilities that enable organizations to allow access to external users, such as customers or partners. Your customers, partners, and other guest users can “bring their own identities” to sign in.

This ability for external users is enabled through Azure AD support of external identity providers like other Azure AD tenants, Facebook, Google, or enterprise identity providers. Admins can set up federation with identity providers so your external users can sign in with their existing social or enterprise accounts instead of creating a new account just for your application.

There are two different Azure AD External Identities: B2B and B2C.

  • B2B collaboration allows you to share your apps and resources with external users.
  • B2C is an identity management solution for consumer and customer facing apps.

Section 6: Describe the authentication capabilities of Azure AD

6.1 – Describe the different authentication methods

Legacy applications have relied on a single form of authentication, most often a password. However, passwords are problematic for users, and easily compromised. Multifactor authentication requires more than one form of verification, such as a trusted device or a fingerprint scan, to prove that an identity is legitimate. It means that, even when an identity’s password has been compromised, a hacker can’t access a resource.

Multifactor authentication dramatically improves the security of an identity, while still being simple for users. The extra authentication factor must be something that’s difficult for an attacker to obtain or duplicate.

6.2 – Describe self-service password reset

Self-service password reset (SSPR) is a feature of Azure AD that allows users to change or reset their password, without administrator or help desk involvement.

If a user’s account is locked or they forget the password, they can follow a prompt to reset it and get back to work.

When a user resets their password using self-service password reset, it can also be written back to an on-premises Active Directory. Password write-back allows users to use their updated credentials with on-premises devices and applications without a delay.

To keep users informed about account activity, admins can configure email notifications to be sent when an SSPR event happens. These notifications can cover both regular user accounts and admin accounts. For admin accounts, this notification provides an extra layer of awareness when a privileged administrator account password is reset using SSPR. All global admins would be notified when SSPR is used on an admin account.

6.3 – Describe password protection and management capabilities

Password Protection is a feature of Azure AD that reduces the risk of users setting weak passwords. Azure AD Password Protection detects and blocks known weak passwords and their variants, and can also block other weak terms that are specific to your organization.

With Azure AD Password Protection, default global banned password lists are automatically applied to all users in an Azure AD tenant. To support your own business and security needs, you can define entries in a custom banned password list. When users change or reset their passwords, these lists are checked to enforce the use of strong passwords.

You should use extra features like Azure Active Directory multifactor authentication, not just rely on strong passwords enforced by Azure AD Password Protection.

6.4 – Describe Multi-factor Authentication

Azure Active Directory multifactor authentication works by requiring: Something you know – typically a password or PIN and Something you have – such as a trusted device that’s not easily duplicated, like a phone or hardware key or Something you are – biometrics like a fingerprint or face scan.

Multifactor authentication verification prompts are configured to be part of the Azure AD sign-in event. Azure AD automatically requests and processes multifactor authentication, without you making any changes to your applications or services. When a user signs in, they receive a multifactor authentication prompt, and can choose from one of the additional verification forms that they’ve registered.

6.5 – Describe Windows Hello for Business

Windows Hello, an authentication feature built into Windows 10, replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that’s tied to a device and uses a biometric or PIN.

Windows Hello lets users authenticate to:

  • A Microsoft account.
  • An Active Directory account.
  • An Azure Active Directory (Azure AD) account.
  • Identity Provider Services or Relying Party Services that support Fast ID Online (FIDO) v2.0 authentication

After initial verification of the user during enrolment, Windows Hello is set up on their device and Windows asks the user to set a gesture, which can be a biometric, such as a fingerprint, or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello to authenticate them.

Windows stores PIN and biometric data securely on the local device; it’s never sent to external devices or servers. That means there’s no single collection point that an attacker might compromise.

Section 7: Describe access management capabilities of Azure AD

7.1 – Describe conditional access

Conditional Access is a feature of Azure AD that provides an extra layer of security before allowing authenticated users to access data or other assets. Conditional Access is implemented through policies that are created and managed in Azure AD. A Conditional Access policy analyses signals including user, location, device, application, and risk to automate decisions for authorizing access to resources (apps and data).

A Conditional Access policy might state that if a user belongs to a certain group, then they’re required to provide multifactor authentication to sign in to an application.

7.2 – Describe the benefits of Azure AD roles

Azure AD roles control permissions to manage Azure AD resources. For example, allowing user accounts to be created, or billing information to be viewed. Azure AD supports built-in and custom roles.

A few of the most common built-in roles are:

  • Global administrator: users with this role have access to all administrative features in Azure Active Directory. The person who signs up for the Azure Active Directory tenant automatically becomes a global administrator.
  • User administrator: users with this role can create and manage all aspects of users and groups. This role also includes the ability to manage support tickets and monitor service health.
  • Billing administrator: users with this role make purchases, manage subscriptions and support tickets, and monitor service health.

There are many built-in roles for different areas of responsibility. All built-in roles are preconfigured bundles of permissions designed for specific tasks.

Granting permission using custom Azure AD roles is a two-step process that involves creating a custom role definition, consisting of a collection of permissions that you add from a preset list. These permissions are the same ones used in the built-in roles. When you’ve created your role definition, you can assign it to a user by creating a role assignment.

A role assignment grants the user the permissions in a role definition, at a specified scope. A custom role can be assigned at organization-wide scope, meaning the role member has the role permissions over all resources. A custom role can also be assigned at an object scope. An example of an object scope would be a single application.

Unlike built-in roles, which are assigned at a tenant level and are preconfigured bundles of permissions designed for specific tasks, custom roles can be assigned at the resource level (such as a single application) and allow permissions to be added to a custom role definition.

Custom roles require an Azure AD Premium P1 or P2 license.

Section 8: Describe the identity protection & governance capabilities of Azure AD

8.1 – Describe Identity Governance

Azure AD identity governance gives organizations the ability to do the following tasks:

  • Govern the identity lifecycle.
  • Govern access lifecycle.
  • Secure privileged access for administration.

These actions can be completed for employees, business partners and vendors, and across services and applications, both on-premises and in the cloud.

It’s intended to help organizations address these four key questions:

  • Which users should have access to which resources?
  • What are those users doing with that access?
  • Are there effective organizational controls for managing access?
  • Can auditors verify that the controls are working?

8.2 – Describe entitlement management and access reviews

Entitlement management is an identity governance feature that enables organizations to manage identity and access lifecycle at scale. Entitlement management automates access request workflows, access assignments, reviews, and expiration.

Azure Active Directory (AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignment. Regular access reviews ensure that only the right people have access to resources. Excessive access rights are a known security risk. However, when people move between teams, or take on or relinquish responsibilities, access rights can be difficult to control.

8.3 – Describe the capabilities of PIM

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. These include resources in Azure AD, Azure, and other Microsoft online services such as Microsoft 365 or Microsoft Intune. PIM mitigates the risks of excessive, unnecessary, or misused access permissions. It requires justification to understand why users want permissions, and enforces multifactor authentication to activate any role.

PIM reduces the chance of a malicious actor getting access by minimizing the number of people who have access to secure information or resources. By time-limiting authorized users, it reduces the risk of an authorized user inadvertently affecting sensitive resources. PIM also provides oversight for what users are doing with their administrator privileges.

8.4 – Describe Azure AD Identity Protection

Microsoft analyses 6.5 trillion signals per day to identify potential threats. These signals come from learnings Microsoft has acquired from their position in organizations with Azure AD, the consumer space with Microsoft Accounts, and in gaming with Xbox.

The signals generated by these services are fed to Identity Protection. These signals can then be used by tools such as Conditional Access, which uses them to make access decisions. Signals are also fed to security information and event management (SIEM) tools, such as Sentinel, for further investigation.

Identity Protection categorizes risk into three tiers: low, medium, and high. It can also calculate the sign-in risk, and user identity risk.

Section 9: Describe basic security capabilities in Azure

9.1 – Describe Network Security Groups

Network security groups (NSGs) let you allow or deny network traffic to and from Azure resources that exist in your Azure virtual network; for example, a virtual machine. When you create an NSG, it can be associated with multiple subnets or network interfaces in your VNet. An NSG consists of rules that define how the traffic is filtered.

NSG security rules are evaluated by priority using five information points: source, source port, destination, destination port, and protocol to either allow or deny the traffic.

9.2 – Describe Azure DDoS Protection

The Azure DDoS Protection service is designed to help protect your applications and servers by analyzing network traffic and discarding anything that looks like a DDoS attack.

In the diagram above, Azure DDoS Protection identifies an attacker’s attempt to overwhelm the network. It blocks traffic from the attacker, ensuring that it doesn’t reach Azure resources. Legitimate traffic from customers still flows into Azure without any interruption of service.

Azure DDoS Protection uses the scale and elasticity of Microsoft’s global network to bring DDoS mitigation capacity to every Azure region. During a DDoS attack, Azure can scale your computing needs to meet demand. DDoS Protection manages cloud consumption by ensuring that your network load only reflects actual customer usage.

9.3 – Describe Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network (VNet) resources from attackers. You can deploy Azure Firewall on any virtual network but the best approach is to use it on a centralized virtual network. All your other virtual and on-premises networks will then route through it. The advantage of this model is the ability to centrally exert control of network traffic for all your VNets across different subscriptions.

With Azure Firewall, you can scale up the usage to accommodate changing network traffic flows, so you don’t need to budget for peak traffic. Network traffic is subjected to the configured firewall rules when you route it to the firewall as the subnet default gateway.

9.4 – Describe Azure Bastion

Azure Bastion provides secure and seamless RDP/SSH connectivity to your virtual machines directly from the Azure portal using Transport Layer Security (TLS). When you connect via Azure Bastion, your virtual machines don’t need a public IP address, agent, or special client software.

Azure Bastion deployment is per virtual network, not per subscription/account or virtual machine. When you provision an Azure Bastion service in your virtual network, the RDP/SSH experience is available to all your VMs in the same virtual network.

9.5 – Describe Web Application Firewall

Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities. A centralized WAF helps make security management simpler, improves the response time to a security threat, and allows patching a known vulnerability in one place, instead of securing each web application. A WAF also gives application administrators better assurance of protection against threats and intrusions.

WAF can be deployed with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) services from Microsoft.

9.6 – Describe ways Azure encrypts data

Microsoft Azure provides many different ways to secure your data, each depending on the service or usage required.

Azure Storage Service Encryption helps to protect data at rest by automatically encrypting before persisting it to Azure-managed disks, Azure Blob Storage, Azure Files, or Azure Queue Storage, and decrypts the data before retrieval.

Azure Disk Encryption helps you encrypt Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and data disks.

Transparent data encryption (TDE) helps protect Azure SQL Database and Azure Data Warehouse against the threat of malicious activity. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.

Section 10: Describe security management capabilities of Azure

10.1 – Describe the Azure Security center

Network security is an ever-changing and shifting battleground where a moment’s hesitation can allow cybercriminals to compromise your security perimeter, and steal valuable assets and resources. Using Azure Security Center gives you infrastructure level security management to protect your data. It also provides advanced threat protection for on-premises, cloud, and hybrid workloads in the cloud, whether they’re in Azure or not, as well as on-premises.

You can improve your security posture using Azure Security Center to identify and perform hardening tasks across your machines, data services, and applications. With Azure Security Center, you can manage and enforce security policies to ensure compliance across your virtual machines, non-Azure servers, and Azure PaaS services.

Security Center brings continuous assessment of your entire estate, discovering and reporting whether new and existing resources and assets are configured according to security compliance requirements. You’ll get an ordered list of recommendations of what needs to be fixed to maintain maximum protection. Security Center groups the recommendations into security controls and adds a secure score value to each control. This process is crucial in enabling you to prioritize security work.

10.2 – Describe Azure Secure score

Security Center continually assesses your resources, subscriptions, and organization for security issues. It then aggregates all the findings into a single score so you can quickly see your current security situation: the higher the score, the lower the identified risk level.

Every control in the recommendations list shows the potential secure score increase if you address the underlying problem. To get every possible security control point, all your resources must follow each security recommendation within the security control.

To improve your secure score, remediate security recommendations from your recommendations list. You can manually remediate each recommendation for every resource or, by using the Quick Fix! option when available, apply remediation for a recommendation to a group of resources.

10.3 – Describe the benefit and use cases of Azure Defender

Azure Defender is a built-in tool that provides threat protection for workloads running in Azure, on-premises, and other clouds. Azure Defender is the leading Microsoft extended detection and response (XDR) solution for threat protection. Integrated with Azure Security Center, Azure Defender protects your hybrid data, cloud-native services and servers, and integrates with your existing security workflows.

Azure Defender comes with several different plans that can be enabled separately and will run simultaneously to provide a comprehensive defense for compute, data, and service layers in your environment. The Azure Defender plans you can select from are:

  • Azure Defender for servers adds threat detection and advanced defenses for your Windows and Linux machines.
  • Azure Defender for App Service uses the cloud scale to identify attacks targeting applications running over App Service.
  • Azure Defender for Storage detects potentially harmful activity on your Azure Storage accounts. Data can be protected, whether stored as blob containers, file shares, or data lakes.
  • Azure Defender for SQL extends Azure Security Center’s data security package to secure your databases and their data wherever they’re located.
  • Azure Defender for Kubernetes provides the best cloud-native Kubernetes security environment hardening, workload protection, and run-time protection.
  • Azure Defender for container registries protects all the Azure Resource Manager based registries in your subscription. Azure Defender scans all images pushed to the registry, or imported into the registry, or any images pulled within the last 30 days.
  • Azure Defender for Key Vault is Azure-native, advanced threat protection for Azure Key Vault, providing an extra layer of security intelligence.

10.4 – Describe security baselines for Azure

Microsoft’s cybersecurity group and the Center for Internet Security (CIS), have developed best practices to help establish security baselines for the Azure platform. A baseline is the implementation of the benchmark on the individual Azure service.

CIS benchmarks have been used with Azure security services and tools to make security and compliance easier for customer applications running on Azure services. Every service comes with a baseline that’s already designed to help provide security for most common-use cases. These baselines also provide a consistent experience when securing your environment.

Section 11: Describe security capabilities of Azure Sentinel

11.1 – Define the concepts of SIEM, SOAR, XDR

Security Incident and Event Management (SIEM)
is a tool that an organization uses to collect data from across the whole estate, including infrastructure, software, and resources. It does analysis, looks for correlations or anomalies, and generates alerts and incidents.

Security Orchestration Automated Response (SOAR)takes alerts from many sources, such as a SIEM system. The SOAR system then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.

Extended Detection and Response (XDR)is designed to deliver intelligent, automated, and integrated security across an organization’s domain. It helps prevent, detect, and respond to threats across identities, endpoints, applications, email, IoT, infrastructure, and cloud platforms.

To provide a comprehensive security perimeter, an organization needs to use a solution that embraces or combines all of the above systems.

11.2 – Describe the role and value of Azure Sentinel to provide integrated threat protection

Effective management of an organization’s network security perimeter requires the right combination of tools and systems. Microsoft Azure Sentinel is a scalable, cloud-native SIEM/SOAR solution that delivers intelligent security analytics and threat intelligence across the enterprise. It provides a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Section 12: Describe threat protection with Microsoft 365 Defender (formerly Microsoft Threat Protection)

12.1 – Describe Microsoft 365 Defender services

Microsoft 365 Defender is an enterprise defense suite that protects against sophisticated cyberattacks.

Microsoft 365 Defender allows admins to assess threat signals from applications, email, and identity to determine an attack’s scope and impact. It gives greater insight into how the threat occurred, and what systems have been affected. Microsoft 365 Defender can then take automated action to prevent or stop the attack.

12.2 – Describe Microsoft Defender for Identity (formerly Azure ATP)

Microsoft Defender for Identity, formerly Azure Advanced Threat Protection (Azure ATP), is a cloud-based security solution. It uses your on-premises Active Directory data (called signals) to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization. Microsoft Defender for Identity covers these key areas:

Monitor and profile user behavior and activities:Defender for Identity monitors and analyzes user activities and information across your network, including permissions and group membership, creating a behavioral baseline for each user. Defender for Identity then identifies anomalies with adaptive built-in intelligence. It gives insights into suspicious activities and events, revealing the advanced threats, compromised users, and insider threats facing your organization.

Protect user identities and reduce the attack surface:Defender for Identity gives invaluable insights on identity configurations and suggested security best practices. Through security reports and user profile analytics, Defender for Identity helps reduce your organizational attack surface, making it harder to compromise user credentials and advance an attack.

Defender for Identity security reports, help identify users and devices that authenticate using clear-text passwords. It also provides extra insights into how to improve security posture and policies.

Identify suspicious activities and advanced attacks across the cyberattack kill-chain:Typically, attacks are launched against any accessible entity, such as a low-privileged user. Attacks then quickly move laterally until the attacker accesses valuable assets. These assets might include sensitive accounts, domain administrators, and highly sensitive data. Defender for Identity identifies these advanced threats at the source throughout the entire cyberattack kill chain:

12.3 – Describe Microsoft Defender for Office 365 (formerly Office 365 ATP)

Microsoft Defender for Office 365, formerly Office 365 Advanced Threat Protection, safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools, including Microsoft Teams, SharePoint Online, OneDrive for Business, and other Office clients.

Microsoft Defender for Office 365 covers these key areas:

Threat protection policies: Define threat protection policies to set the appropriate level of protection for your organization.

Reports: View real-time reports to monitor Microsoft Defender for Office 365 performance in your organization.

Threat investigation and response capabilities: Use leading-edge tools to investigate, understand, simulate, and prevent threats.

Automated investigation and response capabilities: Save time and effort investigating and mitigating threats.

12.4 – Describe Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)

Microsoft Defender for Endpoint, formerly Microsoft Defender Advanced Threat Protection, is a platform designed to help enterprise networks protect endpoints. It does so by preventing, detecting, investigating, and responding to advanced threats. Microsoft Defender for Endpoint embeds technology built into Windows 10 and MSFT cloud services.

This technology includes endpoint behavioural sensors that collect and process signals from the operating system, cloud security analytics that turn signals into insights, detections and recommendations, and threat intelligence to identify attacker tools, techniques, generate alerts.

12.5 – Describe Microsoft Cloud App Security

Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB). It’s a comprehensive cross-SaaS solution that operates as an intermediary between a cloud user and the cloud provider. Microsoft Cloud App Security provides rich visibility to your cloud services, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services. Use this service to gain visibility into Shadow IT by discovering the cloud apps being used. You can control and protect data in the apps after you sanction them to the service.

A CASB acts as a gatekeeper to broker real-time access between your enterprise users and the cloud resources they use, wherever they’re located, and whatever device they’re using.

CASBs address security gaps in an organization’s use of cloud services. Protection is provided by many capabilities across these areas: visibility to detect all cloud services, data security, threat protection, and compliance.

Section 13: Describe security management capabilities of Microsoft 365

13.1 – Describe the Microsoft 365 Defender Portal

The Microsoft 365 Defender portal (previously Microsoft 365 security center) combines protection, detection, investigation, and response to email, collaboration, identity, and device threats, in a central portal.

Here you can view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 Defender portal helps security admins and security operations teams manage and protect their organization.

The Microsoft 365 Defender portal home page shows many of the common cards that security teams need. The composition of cards and data depends on the user role. Because the Microsoft 365 Defender portal uses role-based access control, different roles will see cards that are more meaningful to their day-to-day jobs.

The Microsoft 365 Defender portal allows admins to tailor the navigation pane to meet daily operational needs. Admins can customize the navigation pane to show or hide functions and services based on their specific preferences. Customization is specific to the individual admin, so other admins won’t see these changes.

13.2 – Describe how to use Microsoft Secure Score

Microsoft Secure Score, one of the tools in the Microsoft 365 Defender portal, is a representation of a company’s security posture. The higher the score, the better your protection.

Some improvement actions only give points when fully completed. Others give partial points if they’re completed for some devices or users. If you can’t, or don’t want to, enact one of the improvement actions, you can choose to accept the risk or remaining risk.

If you have a license for one of the supported Microsoft products, you’ll see related recommendations. Secure Score will show all possible improvements for the product, whatever the license edition, subscription, or plan. You’ll then see all the security best practices and improvements that can be made to your score.

Your absolute security posture, represented by Secure Score, stays the same whatever licenses your organization owns for a specific product. Keep in mind that security should be balanced with usability, and not every recommendation can work for your environment.

Currently Microsoft Secure Score supports recommendations for Microsoft 365 (including Exchange Online), Azure Active Directory, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Cloud App Security. New recommendations are being added to Secure Score all the time.

The image below shows an organization’s Secure Score, a breakdown of the score by points, and the improvement actions that can boost the organization’s score. Finally, it provides an indication of how well the organization’s Secure Score compares to other similar organizations.

There’s a Secure Score for both Microsoft 365 Defender and Azure Defender, but they’re subtly different. Secure Score in the Azure Security Center is a measure of the security posture of your Azure subscriptions. Secure Score in the Microsoft 365 Defender portal is a measure of the security posture of the organization across your apps, devices, and identities.

Both the Azure and Microsoft Secure Score provide a list of steps you can take to improve your score. In Microsoft 365 Secure Score, these steps are called improvement actions. In the Azure Secure Score, scores are assessed for each subscription. The steps you can take to improve your score are called security recommendations and they’re grouped into security controls.

Use Microsoft Secure Score to understand and rapidly improve your organization’s security posture.

13.3 – Describe security reports and dashboards

The Microsoft 365 Defender portal includes a Reports section that includes a general security report, reports related to endpoints, and reports related to email and collaboration.

The general security report enables admins to view information about security trends and track the protection status of your identities, data, devices, apps, and infrastructure.

The threat protection report provides high-level information about alerts generated in your organization. The report includes trending information showing the detection sources, categories, severities, statuses, classifications, and determinations of alerts across time.

The device health and compliance report enables admins to monitor the health state, antivirus status, operating system platforms, and Windows 10 versions for devices in your organization.

The email and collaboration reports enable admins to review Microsoft recommended actions to help improve email and collaboration security.

13.4 – Describe incidents and incident management capabilities

Incidents are a collection of correlated alerts created when a suspicious event is found. Alerts are generated from a different device, user, and mailbox entities, and can come from many different domains. These alerts are automatically aggregated by Microsoft 365 Defender. It’s the grouping of these related alerts that form an incident. The incident provides a comprehensive view and context of an attack.

Security personnel can use an incident to determine where an attack started, what methods were used, and to what extent the attack has progressed within the network. They can also determine the scope of the attack, and how many users, devices, and mailboxes were affected. The severity of the attack can also be determined.

Managing incidents is critical in ensuring that threats are contained and addressed. In Microsoft 365 Defender, you can manage incidents on devices, users accounts, and mailboxes.

Section 14: Describe endpoint security with Microsoft Intune

14.1 – Describe Intune

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). You control how your organization’s devices, including mobile phones, tablets, and laptops, are used. You can also configure specific policies to control applications. For example, you can prevent emails from being sent to people outside your organization.

Intune also allows people in your organization to use their personal devices for school or work. On personal devices, Intune helps make sure your organization data stays protected, and can isolate it from personal data.

14.2 – Describe endpoint security with Intune

The Endpoint security node includes the All devices view, where you’ll see a list of all devices from your Azure AD that are available in Microsoft Endpoint Manager.

From this view, you can select devices to drill in for more information, such as which policies a device isn’t compliant with. You can also use access from this view to remediate issues for a device, including restarting, start a scan for malware, or rotate BitLocker keys on a Windows 10 device.

Intune includes security baselines for Windows devices and a growing list of applications, including Microsoft Edge, Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection), and more. Security baselines are preconfigured groups of Windows settings that help admins apply recommended security.

As an example, the MDM Security Baseline automatically enables BitLocker for removable drives, automatically requires a password to unlock a device, and automatically disables basic authentication. Admins can also customize the baselines to enforce only those settings and values that are required.

Use device compliance policy to establish the conditions by which devices and users are allowed to access the corporate network and company resources. With compliance policies, admins can set the rules that devices and users must meet to be considered compliant. Rules can include OS versions, password requirements, device threat levels, and more.

Intune can be integrated with Azure AD conditional access policies to enforce compliance policies. Intune passes the results of your device compliance policies to Azure AD, which then uses conditional access policies to enforce which devices and apps can access your corporate resources.

Intune can integrate with Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) for a Mobile Threat Defense solution. Integration can help prevent security breaches and limit the impact of breaches within an organization.

Role-based access control (RBAC) helps manage who has access to the organization’s resources and what they do with them. By assigning roles to Intune users, admins limit what they’ll see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

Section 15: Describe the compliance management capabilities in Microsoft

15.1 – Describe the compliance center

The Microsoft 365 compliance center brings together all of the tools and data that are needed to help understand and manage an organization’s compliance needs.

When an admin signs in to the Microsoft 365 compliance center portal, they’ll get a bird’s-eye view of how the organization is meeting its compliance requirements, along with which solutions can be used to help with compliance, information about any active alerts, and more.

15.2 – Describe compliance manager

Microsoft Compliance Manager is a feature in the Microsoft 365 compliance center that helps admins to manage an organization’s compliance requirements with greater ease and convenience. Compliance Manager can help organizations throughout their compliance journey, from taking inventory of data protection risks, to managing the complexities of implementing controls, staying current with regulations and certifications, and reporting to auditors.

The Compliance Manager dashboard shows the current compliance score, helps admins to see what needs attention, and guides them to key improvement actions.

15.3 – Describe use and benefits of compliance score

Compliance score measures progress in completing recommended improvement actions within controls. The score can help an organization to understand its current compliance posture. It also helps organizations to prioritize actions based on their potential to reduce risk.

Admins can get a breakdown of the compliance score in the Compliance Manager overview pane:

Compliance Manager is an end-to-end solution in Microsoft 365 compliance center to enable admins to manage and track compliance activities. Compliance score is a calculation of the overall compliance posture across the organization. The compliance score is available through Compliance Manager.

Compliance Manager gives admins the capabilities to understand and increase their compliance score, so they can ultimately improve the organization’s compliance posture and help it to stay in line with compliance requirements.

Section 16: Describe information protection and governance capabilities of Microsoft 365

16.1 – Describe data classification capabilities

With Microsoft 365 compliance center, admins can identify and protect sensitive information types. Sensitive information types have set patterns that can be used to identify them. For example, an identification number in a region/country may be based on a specific pattern, like this:


Microsoft 365 includes many built-in sensitive information types based on patterns that are defined by a regular expression (regex) or a function.

Examples include:

  • Credit card numbers
  • Passport or identification numbers
  • Bank account numbers
  • Health service numbers

Refer to Sensitive information type entity definitions for a listing of available built-in sensitive information types.

Data classification in Microsoft 365 also supports the ability to create custom sensitive information types to address organization-specific requirements. For example, an organization may need to create sensitive information types to represent employee IDs or project numbers.

16.2 – Describe the value of content and activity explorer

The content explorer is available as a tab in the data classification pane of compliance center. It enables administrators to gain visibility into the content that has been summarized in the overview pane. Access to content explorer is highly restricted because it makes it possible to read the contents of scanned files.

With content explorer, administrators get a current snapshot of individual items that have been classified across the organization. It enables administrators to further drill down into items by allowing them to access and review the scanned source content that’s stored in different kinds of locations, such as Exchange, SharePoint, and OneDrive.

Activity explorer provides visibility into what content has been discovered and labelled, and where that content is. It makes it possible to monitor what’s being done with labelled content across the organization. Admins gain visibility into document-level activities like label changes and label downgrades (such as when someone changes a label from confidential to public).

Admins use the filters to see all the details for a specific label, including file types, users, and activities. Activity explorer helps you understand what’s being done with labelled content over time. Admins use activity explorer to evaluate if controls already in place are effective.

The value of understanding what actions are being taken with sensitive content is that admins can see if the controls that they’ve already put in place, such as data loss prevention policies, are effective or not. For example, if it’s discovered that a large number of items labeled Highly Confidential have suddenly been downgraded to Public, admins can update policies and act to restrict undesired behavior as a response.

16.3 – Describe sensitivity labels

Sensitivity labels, available as part of information protection in the Microsoft 365 compliance center, enable the labeling and protection of content, without affecting productivity and collaboration. With sensitivity labels, organizations can decide on labels to apply to content such as emails and documents, much like different stamps are applied to physical documents.

16.4 – Describe Retention Polices and Retention Labels

After sensitivity labels are created, they need to be published to make them available to people and services in the organization. Sensitivity labels are published to users or groups through label policies. Sensitivity labels will then appear in Office apps for those users and groups. The sensitivity labels can be applied to documents and emails.

Once a sensitivity label is applied to an email or document, any configured protection settings for that label are enforced on the content.

Retention labels and policies help organizations to manage and govern information by ensuring content is kept only for a required time, and then permanently deleted.

Applying retention labels and assigning retention policies helps organizations:

  • Comply proactively with industry regulations and internal policies that require content to be kept for a minimum time.
  • Reduce risk when there’s litigation or a security breach by permanently deleting old content that the organization is no longer required to keep.
  • Ensure users work only with content that’s current and relevant to them. When content has retention settings assigned to it, that content remains in its original location.

16.5 – Describe Records Management

Records management in Microsoft 365 helps an organization look after their legal obligations. It also helps to demonstrate compliance with regulations, and increases efficiency with regular disposition of items that are no longer required to be kept, no longer of value, or no longer required for business purposes.

Microsoft 365’s records management capabilities are flexible. There are different ways in which records management can be used across an organization, including:

  • Enabling administrators and users to manually apply retention and deletion actions for documents and emails.
  • Automatically applying retention and deletion actions to documents and emails.
  • Enabling site admins to set default retain and delete actions for all content in a SharePoint library, folder, or document set.
  • Enabling users to automatically apply retain and delete actions to emails by using Outlook rules.

Section 17: Describe insider risk capabilities in Microsoft 365

17.1 – Describe Insider risk management solution

Insider risk management is a solution in Microsoft 365 that helps minimize internal risks by enabling an organization to detect, investigate, and act on risky and malicious activities. Insider risk management is available in Microsoft 365 compliance center.

Managing and minimizing risk in an organization starts with understanding the types of risks found in the modern workplace. Some risks are driven by external events and factors, and are outside an organization’s direct control. Other risks are driven by internal events and employee activities that can be eliminated and avoided. Some examples are risks from illegal, inappropriate, unauthorized, or unethical behavior and actions by employees and managers. These behaviours can lead to a broad range of internal risks from employees.

Insider risk management helps organizations to identify, investigate, and address internal risks. With focused policy templates, comprehensive activity signaling across Microsoft 365, and a flexible workflow, organizations can take advantage of actionable insights to help identify and resolve risky behavior quickly.

17.2 – Describe communication compliance

Communication compliance in Microsoft 365 compliance center helps minimize communication risks by enabling organizations to detect, capture, and take remediation actions for inappropriate messages. Predefined and custom policies in communication compliance make it possible to scan internal and external communications for policy matches so they can be examined by chosen reviewers.

Communication compliance enables reviewers to investigate scanned emails, and messages across Microsoft Teams, Exchange Online, Yammer, or third-party communications in an organization, taking appropriate remediation actions to make sure they’re compliant with the organization’s message standards.

17.3 – Describe information barriers

Microsoft 365 provides organizations with powerful communication and collaboration capabilities. However, an organization might want to restrict communications between some groups to avoid a conflict of interest from occurring in the organization, or to restrict communications between certain people to safeguard internal information. With information barriers, the organization can restrict communications among specific groups of users.

It’s important to note that information barriers only support two-way restrictions. One-way restrictions, such as marketing, can communicate with day traders but day traders who can’t communicate with marketing are not supported.

Information barriers are policies that admins can configure to prevent individuals or groups from communicating with each other. When information barrier policies are in place, people who shouldn’t communicate with other specific users can’t find, select, chat, or call those users. With information barriers, checks are in place to prevent unauthorized communication.

17.4 – Describe privileged access management

Privileged access management allows granular access control over privileged admin tasks in Microsoft 365. It can help protect organizations from breaches that use existing privileged admin accounts with standing access to sensitive data, or access to critical configuration settings.

Enabling privileged access management in Microsoft 365 allows organizations to operate with zero standing access. This means that any user who needs privileged access must request permissions for access, and will receive only the level of access they need just when they need it, and with just-enough access to do the job at hand. Zero standing access provides a layer of protection against standing administrative access vulnerabilities.

17.5 – Describe customer lockbox

Occasionally, an organization might need Microsoft engineers help to help troubleshoot and fix reported issues. Usually, issues are fixed through extensive telemetry and debugging tools Microsoft has in place for its services. However, some cases require a Microsoft engineer to access the organization’s content to determine the root cause and fix the issue.

Customer Lockbox ensures that Microsoft can’t access the content to perform a service operation without explicit approval. Customer Lockbox brings the organization into the approval workflow for requests to access their content.

Customer Lockbox supports requests to access data in Exchange Online, OneDrive for Business, and SharePoint Online. Here’s what the process looks like:

Section 18: Describe the eDiscovery capabilities of Microsoft 365

18.1 – Describe the purpose of eDiscovery

Sometimes a company may become involved in litigation and need to find electronic information to be used as evidence.

Electronic discovery or eDiscovery tools, can be used to search for content in Exchange Online mailboxes, Microsoft 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, Skype for Business conversations, and Yammer teams. You can search across mailboxes and sites in a single eDiscovery search by using the Content Search tool. And you can use Core eDiscovery cases to identify, hold, and export content found in mailboxes and sites.

If your organization has an Office 365 E5 or Microsoft 365 E5 subscription (or related E5 add-on subscriptions), you can further manage custodians and analyse content by using the Advanced eDiscovery solution in Microsoft 365.

18.2 – Describe the capabilities of the content search tool

The Content Search eDiscovery tool, accessible from the compliance center in Office 365 or Microsoft 365, enables search for in-place items such as email, documents, and instant messaging conversations in your organization.

To have access to the content search page to run searches and preview and export results, an administrator, compliance officer, or eDiscovery manager must be a member of the eDiscovery Manager role group in the Security and Compliance Center.

To start using the Content Search tool, you must choose content locations to search and configure a keyword query to find specific items. Or the user can just leave the query blank and return all items in the target locations.

After you run a search and refine it as necessary, the next step is to do something with the results returned by the search. You can export and download the results to your local computer or, if there is an email-based attack, you can delete the results of a search from user mailboxes.

18.3 – Describe the core eDiscovery workflow

Core eDiscovery in Microsoft 365 provides a basic tool that organizations can use to search and export content in Microsoft 365.

To access Core eDiscovery or be added as a member of a Core eDiscovery case, a user must be assigned the appropriate permissions. Specifically, a user must be added as a member of the eDiscovery Manager role group in the Office 365 Security and Compliance Center.

You start by creating an eDiscovery case, which starts from within Microsoft 365 compliance center. When you create a case, you must specify a name for it and optionally define a case number. You can assign members to the case. From that point, the case will be displayed in the eDiscovery page and the user can step through the workflow.

The workflow consists of creating holds, searching for content, and exporting and downloading search results.

You can use an eDiscovery case to create a hold to preserve content that might be relevant to the case. You can place a hold on the Exchange mailboxes and OneDrive for Business accounts of people you’re investigating in the case. You can also place a hold on the mailboxes and sites that are associated with Microsoft Teams, Office 365 Groups, and Yammer Groups. When you place content locations on hold, it’s preserved until you remove the hold from the content location, or until you delete the hold.

When you’ve placed a hold, you can create and run searches for content that relates to the case. You start the search from within the home page for that specific case. Searches associated with a case can only be accessed by members assigned to it.

You can specify keywords, message properties such as sent and received dates, or document properties such as file names, or the date a document was last changed. You can use Boolean operators such as AND, OR, NOT, or NEAR. You can also search for sensitive information (for example, social security numbers) in documents, or search for documents that have been shared externally. If you don’t specify keywords, all content located in the specified content locations will be included in the search results.

You can export search results. Mailbox items are downloaded in a PST file or as individual messages. Content from SharePoint, OneDrive for Business sites, copies of native Office documents, and other documents are exported. A Results.csv file that contains information about every item that’s exported and a manifest file (in XML format) that contains information about every search result is also exported.

18.4 – Describe the advanced eDisovery workflow

The Advanced eDiscovery solution in Microsoft 365 builds on the existing core eDiscovery. This new solution provides an end-to-end workflow to preserve, collect, review, analyze, and export content that’s relevant to your organization’s internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.

The built-in workflow of Advanced eDiscovery described below aligns with the Electronic Discovery Reference Model (EDRM), a framework that outlines standards for recovery and discovery of digital data.

Section 19: Describe the audit capabilities in Microsoft 365

19.1 – Describe the core audit capabilities of M365

The audit functionality in the Microsoft 365 compliance center allows organizations to view user and administrator activity through a unified audit log. For example, did an administrator reset a password? Did a user change a setting for a team in Microsoft Teams? A unified audit log supports the search of many users and/or admin activities across Microsoft 365 services, Dynamics 365, Microsoft Power Apps, Microsoft Power Automate, Power BI, Azure Active Directory, and more.

When an audited activity is performed by a user or admin, an audit record is generated and stored in the audit log for the organization. The length of time that an audit record is kept (and searchable in the audit log) depends on the Office 365 or Microsoft 365 Enterprise subscription, and specifically the type of the license that’s assigned to specific users. For core audit capability, the audit record is kept and searchable for 90 days.

19.2 – Describe purpose and value of Advanced Auditing

Advanced Audit helps organizations to conduct forensic and compliance investigations by increasing audit log retention that’s required to conduct an investigation. Audit log retention provides access to crucial events that help determine the scope of compromise, and faster access to Office 365 Management Activity API.

These capabilities differentiate Advanced Audit from the core audit functionality.

Advanced Audit keeps all Exchange, SharePoint, and Azure Active Directory audit records for one year. Keeping audit records for longer periods can help with ongoing forensic or compliance investigations. Microsoft now has the capability to keep audit logs for 10 years. The 10-year retention of audit logs helps support long-running investigations and respond to regulatory, legal, and internal obligations.

Advanced Auditing helps organizations to conduct forensic and compliance investigations by providing access to crucial events, such as when mail items were accessed, when mail items were replied to and forwarded, and when and what a user searched for in Exchange Online and SharePoint Online. These crucial events can help admins and users investigate possible breaches and determine the scope of compromise.

Section 20: Describe resource governance capabilities in Azure

20.1 – Describe the use of Azure Resource locks

Resource locks are used to prevent resources from being accidentally deleted or changed. Even with role-based access control policies in place, there’s still a risk that people with the correct level of access could delete a critical resource. Azure resource locks prevent users from accidentally deleting or modifying a critical resource, and can be applied to a subscription, a resource group, or a resource.

For example, there may be times when an administrator needs to lock a subscription, a resources group, or a resource. In these situations, a lock would be applied to prevent users from accidentally deleting or modifying a critical resource.

A lock level can be set to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

A resource can have more than one lock. For example, a resource may have a ReadOnly lock and a CanNotDelete lock. When you apply a lock at a parent scope, all resources within that scope inherit that lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

20.2 – Describe Azure Blueprints

Azure Blueprints provide a way to define a repeatable set of Azure resources. Azure Blueprints enable development teams to rapidly provision and run new environments, with the knowledge that they’re in line with the organization’s compliance requirements. Teams can also provision Azure resources across several subscriptions simultaneously, meaning they can achieve shorter development times and quicker delivery.

Azure Blueprints are a declarative way to orchestrate the deployment of various resource templates and other artifacts such as:

  • Role Assignments
  • Policy Assignments
  • Azure Resource Manager templates (ARM templates)
  • Resource Groups

Blueprint objects are replicated to multiple Azure regions. This replication provides low latency, high availability, and consistent access to your blueprint objects, whatever region Azure Blueprints deploys your resources to.

With Azure Blueprints, the relationship between the blueprint definition (what should be deployed) and the blueprint assignment (what was deployed) is preserved. This connection supports improved tracking and auditing of deployments.

20.3 – Define Azure Policy and describe its use cases

Azure Policy is designed to help enforce standards and assess compliance across your organization. Through its compliance dashboard, you can access an aggregated view to help evaluate the overall state of the environment. You can drill down to a per-resource, or per-policy level granularity. You can also use capabilities like bulk remediation for existing resources and automatic remediation for new resources, to resolve issues rapidly and effectively. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management.

Azure Policy evaluates all resources in Azure and Arc enabled resources (specific resource types hosted outside of Azure).

Azure Policy evaluates whether the properties of resources match with business rules. These business rules are described using JSON format, and referred to as policy definitions. For simplified management, you can group together multiple business rules to form a single policy initiative. After business rules have been formed, you can assign the policy definition, or policy initiative, to any scope of resources that are supported, such as management groups, subscriptions, resource groups, or individual resources.

It’s important not to confuse Azure Policy and Azure RBAC. You use Azure Policy to ensure that the resource state is compliant to your organization’s business rules, no matter who made the change or who has permission to make changes. Azure Policy will evaluate the state of a resource, and act to ensure the resource stays compliant.

Azure RBAC focuses instead on managing user actions at different scopes. Azure RBAC manages who has access to Azure resources, what they can do with those resources, and what areas they can access. If actions need to be controlled, then you would use Azure RBAC. If an individual has access to complete an action, but the result is a non-compliant resource, Azure Policy still blocks the action.

Azure RBAC and Azure Policy should be used together to achieve full scope control in Azure.

20.4 – Describe cloud adoption framework

Microsoft Cloud Adoption Framework for Azure consists of documentation, implementation guidance, best practices, and tools designed to help businesses to implement strategies necessary to succeed in the cloud. The Cloud Adoption Framework has been carefully designed based on cloud adoption best practices from Microsoft employees, customers, and partners. It provides a proven and consistent methodology for implementing cloud technologies.

Each of the following steps is part of the cloud adoption lifecycle.

  • Strategy: define business justification and expected outcomes of adoption.
  • Plan: align actionable adoption plans to business outcomes.
  • Ready: Prepare the cloud environment for the planned changes.
  • Adopt A)Migrate and modernize existing workloads. B) Develop new cloud-native or hybrid solutions.
  • Govern: Govern the environment and workloads.
  • Manage: Operations management for cloud and hybrid solutions.

When your enterprise’s digital transformation involves the cloud, understanding these fundamental concepts will help you during each step of the process.