Pillar — Endpoints. What tool and what does it do?
Microsoft Intune — enforces compliance policies (encryption, antivirus, OS version); blocks noncompliant devices; Endpoint Analytics for device health visibility.
Pillar — Applications. What tools?
Defender for Cloud Apps — discovers shadow IT, blocks risky apps, session controls.
Entra App Proxy — secure remote access to on-prem apps without exposing them to the internet.
Pillar — Data. What tools?
Microsoft Purview Information Protection — classify, label, and encrypt data.
DLP (Data Loss Prevention) — prevents unauthorized sharing across Exchange, SharePoint, OneDrive, Teams.
Pillar — Infrastructure. What tools?
Defender for Cloud — assesses security posture across Azure, AWS, GCP.
Azure Policy — enforces rules (encryption, VM sizes, tags), blocks noncompliant deployments.
Pillar — Network. What tools?
Azure Firewall (restricts outbound traffic), VPN Gateway (secure remote access), Defender for Identity (monitors for lateral movement and credential theft)
What is Phase 1 of Zero Trust implementation?
Assess current security posture — use Microsoft Secure Score (finds gaps like missing MFA) and Purview Compliance Manager (maps config to HIPAA, ISO 27001)
What is Phase 2?
Enable identity protection — configure Conditional Access, risk-based authentication, identity governance (access reviews, entitlement management)
What is Phase 3?
Enforce endpoint compliance — Intune compliance policies (BitLocker, patches), app protection policies (BYOD: PIN, encryption, no copy-paste), Endpoint Analytics
What is Phase 4?
Classify and protect data — sensitivity labels, DLP policies, policy tuning
What is Phase 5?
Monitor and respond to threats — Defender for Endpoint (behavioral analytics, auto-isolation), Sentinel (SIEM/SOAR, correlates multi-source alerts, runs automated playbooks), Defender for Identity (detects lateral movement)
What is Phase 6?
Educate users — attack simulation training (phishing simulations in Defender for Office 365), security awareness campaigns (Viva Learning, Teams), role-specific training
What is Microsoft Defender XDR?
A unified threat protection suite that coordinates detection, prevention, investigation, and response across email, endpoints, identities, and cloud apps.
What does Defender for Office 365 protect against?
Phishing, business email compromise (BEC), malware, and other email/collaboration threats
What does Defender for Endpoint do?
Advanced endpoint detection & response (EDR); detects suspicious behavior; can auto-isolate a compromised device from the network to stop spread.
What does Defender for Identity do?
Monitors on-premises Active Directory traffic; detects Pass-the-Hash, Golden Ticket attacks, lateral movement, domain enumeration
What does Defender for Cloud Apps do?
Discovers shadow IT, blocks risky/unsanctioned apps, prevents data exfiltration (e.g., blocks upload to personal Dropbox), applies session controls
What is Safe Links?
A Defender for Office 365 feature that rewrites URLs in emails and scans them at click time — blocks access if the link has become malicious since delivery.
What is Zero-hour Auto Purge (ZAP)?
Retroactively removes malicious emails from user mailboxes after a threat is identified, even if the message was already delivered.
What are transport rules (mail flow rules)?
Custom logic applied to email flow — e.g., block emails with 'wire transfer' in subject, encrypt messages with sensitive content, quarantine specific attachments.
What is MSTIC?
Microsoft Threat Intelligence Center — monitors 65+ trillion signals daily, tracks nation-state actors, monitors dark web, feeds intelligence into all M365 Defender products.
What is Threat Explorer?
Real-time email threat investigation tool in Defender for Office 365 Plan 2. Lets you pivot by sender, subject, URL, or file hash; see delivery status; delete malicious emails from inboxes.
What is Threat Analytics?
Curated threat intelligence reports from Microsoft security researchers. Includes MITRE ATT&CK mappings and remediation recommendations. Found in the Defender XDR portal.
What framework do Threat Analytics reports map to?
MITRE ATT&CK
What is SSPR?
Self-Service Password Reset — lets users reset their own passwords without IT help. Requires 1-2 verification methods (email, phone, authenticator app, security questions).
What is Entra Identity Protection?
Automates detection and remediation of identity-based risks. Generates sign-in risk and user risk signals that can trigger Conditional Access.
What is the difference between sign-in risk and user risk?
Sign-in risk = this specific login looks suspicious. User risk = the account itself appears compromised (e.g., leaked credentials on dark web).
What is SSO and how does Entra ID enable it?
Single Sign-On — one login grants access to multiple apps. Entra ID uses federation protocols (SAML, OIDC, OAuth 2.0) and acts as the identity provider.
What is TOTP and what apps use it?
Time-based One-Time Password — generates a 6-digit code every 30 seconds. Used by Microsoft Authenticator, Google Authenticator.
What is RBAC?
Role-Based Access Control — assigns permissions based on job role, not individual. Uses built-in roles (Global Admin, Security Reader) or custom roles. Principle of least privilege.
What is PIM (Privileged Identity Management)?
Allows just-in-time (JIT) elevation of privileged roles — user requests a role, provides justification, gets time-limited access. Requires MFA and approval workflows.
What does 'privileged role activation' mean in PIM?
A user assigned an eligible role must actively request/activate it before using it — prevents standing admin access.
What are the 5 groups of Zero Trust pillars?
Identity
Endpoints
Applications
Data
Infrastructure/Network
What does a Microsoft Secure Score measure?
Organization's security posture — higher score = better security. Provides actionable recommendations.
What is a Dynamic Group?
A group in Entra ID where membership is automatically assigned based on user attributes (department, location, job title) — no manual management needed.
What are Access Packages?
Bundles of permissions across multiple resources, assigned through approval workflows. Useful for onboarding employees or external collaborators for a limited time.
What is the Identity Secure Score?
A dashboard metric in Entra ID that measures identity security posture, provides prioritized recommendations, tracks improvement actions, and benchmarks against similar orgs.
What are the 4 action status options in Identity Secure Score?
Completed / Planned / Resolved via Third Party / Risk Accepted
What signals does Conditional Access evaluate?
User and sign-in risk level, device state (Intune compliance), application sensitivity, location/IP address, session context/behavior
What is the 'What If' tool in Conditional Access?
Simulates which Conditional Access policies would apply for a given user/device/app combo — lets admins test policies without a real sign-in to avoid accidental lockouts.
What are PIM's 5 core capabilities?
1) Time-bound role activation (auto-revokes)
2) MFA + justification required
3) Approval workflow
4) Access reviews + expiration policies
5) Audit logging + alerting
What is Entra Permissions Management?
Provides visibility into over-permissioned accounts across Azure, AWS, and GCP. Helps enforce least privilege in multicloud environments.
User is blocked due to MFA issues — what are your steps?
1) Check sign-in logs for failure reason
2) Verify user's MFA methods match policy
3) Delete old credentials and re-enroll in Authenticator or FIDO2
4) Check device clock sync (TOTP issue)
User is blocked by Conditional Access — what do you check?
1) Use What If tool to simulate sign-in
2) Check Intune for device compliance status
3) Check Defender for Endpoint for security alerts on the device
What is 'impossible travel' and what does it trigger?
When a user signs in from two geographically distant locations in an impossibly short time. Flagged by Entra Identity Protection as a risky sign-in — may trigger MFA or block.
Why is legacy authentication (POP3, IMAP, SMTP) blocked?
Legacy auth uses basic username/password with no MFA support, making it easy to attack with password spray and brute force. Modern auth (OAuth 2.0) is token-based and far more secure.
Where are audit logs accessed and what permissions do you need?
Microsoft Purview portal and PowerShell (Search-UnifiedAuditLog). Requires Audit Logs role or View-Only Audit Logs role.
What audit log events detect SharePoint data exfiltration?
FileDownloaded and FileAccessed events in the audit logs
Difference between an App Registration and an Enterprise App in Entra?
App Registration = the identity/config metadata defining how an app connects and what it can access. Enterprise App = the actual service principal in the tenant that users interact with.
Q1 (Assessment): What is the main purpose of Conditional Access policies in Microsoft 365?
To enforce granular access controls based on context
Q2 (Assessment): Which Microsoft 365 tool provides just-in-time privileged access to sensitive roles?
Privileged Identity Management (PIM)
Q3 (Assessment): What does the least privilege access principle mean?
Giving users only the access needed for their tasks
Q4 (Assessment): What is the role of Microsoft Defender for Endpoint?
Detecting and responding to endpoint threats
Q5 (Assessment): Which authentication method is considered phishing-resistant in Microsoft 365?
FIDO2 security keys
Q6 (Assessment): What does Data Loss Prevention (DLP) do in Microsoft 365?
Prevents unauthorized sharing of sensitive information
Q7 (Assessment): Which Microsoft 365 feature enables single sign-on (SSO) for users?
Microsoft Entra ID
Q8 (Assessment): What is the purpose of sensitivity labels in Microsoft Purview Information Protection?
To classify and encrypt sensitive data
Q9 (Assessment): What does Microsoft Intune primarily manage?
Endpoint compliance and device health
Q10 (Assessment): What is the benefit of using Dynamic Groups in Microsoft 365?
Automatic group membership based on user attributes
What are the 5 layers of M365 architecture?
Identity (Entra ID) > Service (Exchange/Teams/SharePoint/OneDrive/Copilot) > Data (Microsoft Graph) > Intelligence (Copilot & AI agents) > Security & Compliance (Purview/Defender)
What is Microsoft Graph?
RESTful API (Data Layer) connecting data across M365 - enables insights, automation, and Copilot responses. Respects RBAC, sensitivity labels, Conditional Access
What is Exchange Online and its 3 mailbox types?
Cloud email/calendaring. User Mailboxes (individual), Shared Mailboxes (team email - no license unless mobile), Resource Mailboxes (rooms/equipment)
What are Transport Rules in Exchange?
Mail flow rules that inspect email content/headers to enforce policies - can block, encrypt, redirect or append disclaimers
What are the 2 main SharePoint Online site types?
Team Sites (collaborative, tied to M365 Groups) and Communication Sites (broadcast info to wide audience)
What is Known Folder Move (KFM) in OneDrive?
Redirects Windows folders (Desktop, Documents, Pictures) to OneDrive for automatic cloud backup and sync
What 3 channel types does Microsoft Teams support?
Standard (all members), Private (selected members), Shared (across multiple teams)
What is the M365 admin center URL and what does it provide?
admin.microsoft.com - Role-aware portal for managing users, licenses, services, and health across M365 tenant
What are the 4 specialized M365 admin centers?
Exchange Admin Center (EAC), Teams Admin Center, SharePoint Admin Center (includes OneDrive), Entra Admin Center
What does the Service Health Dashboard do?
Real-time visibility into M365 service status - incidents, advisories, planned maintenance. Supports email alert subscriptions
What PowerShell modules manage M365 services?
Exchange Online PowerShell, Teams PowerShell Module, SharePoint Online Management Shell, Microsoft Graph PowerShell SDK
What 3 tools are primary for M365 security/compliance baselines?
Microsoft Entra (identity/Conditional Access),
Microsoft Purview (DLP/sensitivity labels),
Microsoft Intune (device compliance)
What are Device Compliance Policies in Intune?
Define minimum security standards (encryption, antivirus, firewall, OS version, password). Compliant status used by Conditional Access
What are App Protection Policies (MAM)?
App-level policies for BYOD - no full enrollment needed. Prevent copy/paste to personal apps, block jailbroken/rooted devices
What is the difference between rooted vs jailbroken devices?
Rooted = Android bypassing manufacturer restrictions. Jailbroken = iOS removing manufacturer restrictions. Both disable built-in security
What are Sensitivity Labels in Microsoft Purview?
Classify/protect data - apply encryption, restrict access, add watermarks/headers/footers. Applied manually or automatically via content inspection
What are DLP policies in M365?
Data Loss Prevention - monitors/controls sensitive info sharing. Detects credit cards/SSNs/health records and blocks, notifies, or alerts admins
What is a Retention Policy in M365?
Manages data lifecycle - preserves or deletes content based on requirements. Can retain for set period then auto-delete or hold indefinitely
What is RBAC and its core principle?
Role-Based Access Control restricts access by org role. Built on Least Privilege - only minimum needed access granted. Prevents privilege creep
Predefined vs custom admin roles in M365?
Predefined = built-in roles (Exchange Admin, Teams Admin, SharePoint Admin, Global Admin).
Custom = specific permissions scoped to groups/resources
What are 3 RBAC best practices for secure delegation?
1) Use groups for role assignment
2) Regularly review role assignments
3) Document role definitions and rationale
What 3 tools monitor/audit admin roles in M365?
Microsoft Purview portal (audit logs), Entra Admin Center (role assignments), Automated alerts for critical changes (Global Admin/Compliance Admin)
What is Litigation Hold in Exchange Online?
Preserves ALL mailbox content including deleted items for legal discovery. Prevents permanent deletion during investigations
What does Copilot do in M365's Intelligence Layer?
AI orchestrator using Microsoft Graph - contextual intelligence, cross-service automation, personalized recommendations, conversational interaction
What is Microsoft Entra ID?
Identity/access management platform (formerly Azure AD) - authentication, Conditional Access, identity protection for all M365 services
What is SharePoint's Permission Inheritance model?
Objects inherit permissions from parent container by default. Admins can break inheritance to apply unique permissions at any level
What is the Message Center in M365?
Provides updates on new features, deprecations, and configuration recommendations from Microsoft. Complements Service Health Dashboard
What are the 3 SharePoint user permission levels?
Visitor (read-only), Member (edit access), Owner (full control over the site)