Skip to content

Get Security Done (GSD) - Microsoft Security & M365 Defender

Quick wins to improve Security using existing M365 E5 entitlements

Disclaimer (you know the drill :-) )

  • Essentially this is "Notes from the Field" - not necessarily Best Practices
  • Please use this information wisely, at your own risk
  • Ideally this page will be highlighting how to get the best out of both your M365 E5 security and compliance entitlements. What is the best way to step lightly thru this and gain maximum benefit for the least effort?
  • While most of the focus here is more on the M365 SaaS Security platform elements, not necessarily on Sentinel or Azure, there will be plenty of crossover.

Core reference material

A new end-to-end Total Economic Impact study by Forrester across Microsoft's threat protection security portfolio has been released.

👉 “The best example of doing more with less is our #SOC. We have a 24/7 operation with only four people and a $250,000 managed services contract. Without Microsoft’s #XDR solution and everything working in #Sentinel, I would need 12 to 16 people working in the SOC.”

✅ #ROI 231% ✅ #Payback in < 6 months ✅ #Reduced likelihood of a #breach 72% ✅ #Reduced security license #costs 25%

👉 Get the report:

Latest CISO Workshop Training

The Chief Information Security Officer (CISO) Workshop Training

Incident Response

M365 Defender Console

Defender Admin Guides - Step by Step

Purview Admin Guides - Step by Step

1. MDI (Microsoft Defender for Identity)

Ways of working

First decision point - do you have ANY Domain Controllers within your environment? If so then you should install MDI NOW and make it the very top of your Security ToDo list.

Examples of WHY you do this first:

  • Small Customer in 2018, back when this was called "Azure ATP", installed only as a PoC and in under 48 hours it had identified a mis-configured Server that was exposed to the internet and was being brute-forced via RDP from Eastern Europe.
  • Larger environment 2020, client not sure but was wanting to lock down Legacy Auth, suggested that as they had E5 strong recommendation to deploy MDI ASAP across DC's. After getting CAB Approval to deploy, and with less than 10% coverage of DC's in just over a week it popped up with "NTDIS Exfil via SMB"
  • Security Value = Priceless

Enable Telemetry

Start here - 1. Capacity planning - 2. Download the Sizing tool - 3. Download the Sensor - 4. Install the Sensor on DC's - 5. Basic Settings that you should review NOW -

This will do for now, especially if you are in a crisis mode, check the console for the DC's being online - now move on to validation below. Please follow up with all other Configuration steps as soon as practible, especially if you also have ADFS in play. For ADFS please also check -

Defender for Identity (MDI) Architecture

Validate and Test

Be conscious that if you are testing that MDI is working correctly that this may trigger high impact Alerts to your Blue Team or existing SecOps IF it's already installed and being monitored - or for that matter if another tooling is in place to monitor the same behaviour - so if doing some major testing it's worthwhile letting them know before hand? And on that, make sure you schedule some time to review afterwards about what testing/alerting was created & what was visible from a SecOps perspective?

This would be valuable lessons on effectiveness - even more so if there is missing alerts?? :(

Enable Reporting

Once enabled you should now have a lot more visibility into the Security Posture of the onPrem environment - including the following:

  • Domain controllers with Print Spooler service available
  • Dormant entities in sensitive groups
  • Entities exposing credentials in clear text
  • Microsoft LAPS usage
  • Legacy protocols usage
  • Riskiest lateral movement paths (LMP)
  • Unmonitored domain controllers
  • Unsecure account attributes
  • Unsecure domain configurations
  • Unsecure Kerberos delegation
  • Unsecure SID History attributes
  • Weak cipher usage

More details can be found here & example below -

Review and Improve as needed


2. Conditional Access

Ways of working

First decision point - how are we going to do this? Questions to help you determine this are:

  1. Is it small or a large Tenancy?
  2. Do we want to avoid CAB approval process for a PoC?
  3. Need it done right now to address a strategic problem?
  4. Do we want to go fast, or take our time?
  5. If you are a Partner or MSSP please choose the "As-Code" method


  • Fast and quick - start with telemetry below and do it on the fly using Policies in Reporting Mode, iterate from there...
  • Larger implmentations - please take the time to review the process below to enable via "CA-as-Code" as the ROI is well worth it - especially if doing it for more than one customer or tenant 😉

Enable Telemetry

NOTE: please be aware there is no inherent "BLOCK" by default

You need to make sure you are BLOCKING by default unless explicitly allowing access - walk thru the 14 default Policies to better understand this. To make sure that you are fully covered please use this PowerBI based tool Confirm your maturity based on this Tool ^^

The Microsoft content

Automation of "CA-as-Code"


He also points out the others that have done great work in this space:

  • Fortigi/ConditionalAccess: (
  • AlexFilipin/ConditionalAccess: (
  • DanielChronlund/DCToolbox: Tools for Microsoft cloud fans (


One other important point -- don't get caught up trying to manage GUID's:

Validate and Test

Enable Reporting

Review and Improve as needed

Rerun check with AzureAD Assessment Tool


Check for common misconfigurations -

3. Microsoft Defender for Cloud Apps (MDCA), was MCAS)

Ways of working

First decision point - Simple or Complex, i.e. do you need to be concerned about RBAC for instance becuase of the scale of the installation or the number of different parties that may need access to part or some parts of the console?

Enable Telemetry

The best practices discussed in the link above include:

  • Discover and assess cloud apps
  • Apply cloud governance policies
  • Limit exposure of shared data and enforce collaboration policies
  • Discover, classify, label, and protect regulated and sensitive data stored in the cloud
  • Enforce DLP and compliance policies for data stored in the cloud
  • Block and protect download of sensitive data to unmanaged or risky devices
  • Secure collaboration with external users by enforcing real-time session controls
  • Detect cloud threats, compromised accounts, malicious insiders, and ransomware
  • Use the audit trail of activities for forensic investigations
  • Secure IaaS services and custom apps


  • For best protection, we recommend selecting all Office 365 components.
  • The Office 365 files component, requires the Office 365 activities component and Defender for Cloud Apps file monitoring (Settings > Files > Enable file monitoring).
  • Make sure the last checkbox (Office 365 Files) in the image below is "checked" link to more details

Validate and Test


  • It takes up to two hours after you enable the integration for the data to show up in Defender for Cloud Apps.
  • List of supported Firewalls and Proxies
  • Follow link above for Integration steps with ZScaler, iboss, Menlo, etc...

Enable Reporting

Review and Improve as needed

There is a lot more to be covered, but this will do for now, if you have questions please let us know?


4. MDE (Microsoft Defender for Endpoint)

Ways of working

Defender for Endpoint is for Endpoints, Servers actually belong in "Defender for Cloud":

Enable Telemetry

Validate and Test


Enable Reporting

Consider consolidating All reporting below into Workbooks in Sentinel, this can typically be provided by a Partner, part of an MSSP process, or you can roll your own?

Review and Improve as needed



Released late Dec 2022

MDE using ASR stand-alone (E3)

Handy tips and shortcuts for those that might still be trying to improve based on M365 E3 Licensing - apologies but this is not my focus, but when I do come across useful tips and links I'll add here:

MDE (from MVP's)

### Migration

5. MDO (Microsoft Defender for Office)

Recent BEC activity (Business Email Compromise)

Ways of working

Enable Telemetry

Validate and Test

Enable Reporting

Review and Improve as needed


6. MDC (Microsoft Defender for Cloud)

MDC (Microsoft Defender for Cloud)

Ways of working

Enable Telemetry

Validate and Test

Enable Reporting

Review and Improve as needed


7. Sentinel Tips from the Field

Sentinel Tips from the Field

Microsoft Sentinel

You want SOAR?

  • Most folks skip Defender in preference for Sentinel...
  • Start from the desired outcome and work your way back from there
  • What is it that SecOps need? - more automation, less manual work ;-)
  • What does that look like? Showcase an example from Contoso Hotels
  • Enable Automated Investigation & Remediation (AIR) at MDI, MDO, MDE and M365 Defender console levels - don't skip this! - as this enables SOAR "at source"
  • Now that we have the first level triage in place, let's now move on to Sentinel...

Ways of working

  • Raw logs by their very nature have a significant cost related to "data gravity" - the more Customers move/copy the logs the more complex the environment as well as more expensive the solution becomes - the design principle that should be recommend is to adhere to the MS Best Practices as much as possible.
  • Should there be any business justification or requirement for "raw logs" please consider a much more efficient method is the ability to stream "advanced hunting" events
  • Please make sure that any request from SecOps for anything more than Alerts/Incidents (like request for raw data) is balanced against cost via Business Case Justification
  • Why ingest or duplicate massive data sets across multiple systems based on a "just in case" scenario
  • A much more efficient system would be to define the "advanced hunting" event that is being searched for and as and when matches are discovered the event is forwarded
  • This process will respect data gravity and reduce costs significantly
  • More information can be found here: Advanced hunting event collection

Reducing TTR

Enable Telemetry

Validate and Test

Enable Reporting

Review and Improve as needed

Filtering Logs

Can be used to reduce data noise, reduce ingestion and retention/storage costs with the goal being to focus on the logs and events that are relevant - This is typically performed by one of the methods for the following scenarios:

Cost Optimization

Sentinel Free Data ingestion: always remember "data collection" is NOT detection!!

This recent addition below looks adventerous - but you might at least want to review the logic and have an alert sent to the team when you should be prompted to review or change the pricing tier? Don't forget to make sure the LAW is changed as well at the same time :)

The following table shows how Microsoft Sentinel and Log Analytics costs appear in the Service name and Meter columns of your Azure bill for free data services. For more information, see View Data Allocation Benefits.

Sentinel - Recommendation to enable M365 Defender Connector


Azure Log Management

8. Microsoft Information Protection (MIP/AIP)

This page will also cover Data Loss Prevention (DLP), but we'll probably build out a whole new section on Purview as this site matures, thank you for your patience - please feel free to provide feedback via raising an issue in Github.

First up - to a certain degree, you will find a lot of what you need here in the OSS page for "Purview Customer Experience Engineering" page - please start here: Microsoft Purview One-Stop-Shop (OSS) <-- Start Here

This site is very comprehensive, and should have most answers, and will add more later - but for now it saves reinventing the wheel

9. ASD Essential 8 (now ACSC)

ASD Essential 8 (now ACSC)

Local Australian E8 Guides - Microsoft Service Trust Portal has the local Essential 8 guides here you will find the PDF's covering the following specifics - the guides below can be accessed easy enough, but you will need to sign in using your own Tenant ID to access the IRAP docs ;)

  • Microsoft General - Essential Eight - Config Macros
  • Microsoft General - Essential Eight - User Application Hardening
  • Microsoft General - Essential Eight - Restricting Admin Priv
  • Microsoft General - Essential Eight - Patch OS
  • Microsoft General - Essential Eight - Backup
  • Microsoft General - Essential Eight - Patch Applications
  • Microsoft General - Essential Eight - MFA

Hardening Guidance from ACSC

Hardening Azure AD

AD onPrem

A list of resources from DART perspective on Active Directory - courtesy of Matt Zorich (Twitter @reprise99)


Exchange Permissions check

These two are subtly different, the first is on mailboxes, the second is more focused on the Outlook Folders

10. Windows Defender Application Control (WDAC)

Work in Progress, please review all content before starting, and be cautious in deployment

  • From Eric Mannon:
  • Read the above article first
  • 1st- Install WDACme on all W10 workstations
  • 2nd- Enable "Smart Application Control" in Evaluation mode on W11 endpoints that support it
  • 3rd- Lock down Tier 0 (DC's, ADFS & AD Connect servers) with WDAC Microsoft-only mode in block mode. (No 3rd party software should ever be installed on the Tier 0 server type)
  • 4th- Deploy a supplemental policy to block the Microsoft recommended block list
  • 🔑Golden rule: "Audit is better than nothing"
  • 🎯Desired state: "Zero Trust for unapproved code"


Additional Resources

Defender for Business

Updated Guides:  - Exchange Online to Business Premium - Business Standard to Business Premium - Business Basic to Business Premium

Updated Microsoft 365 Business Premium Customer Pitch Decks: - Business Decision Maker Pitch Deck - IT Decision Maker Pitch Deck  - Updated Webinar: Having a customer conversation on security for Business Premium upsell 

Ninja Security Training

Interactive Guides

(Still working on Tables)

Product Trials


Microsoft Private Security Communities (NDA)

If you want to keep up to date with the latest + connect with your peers from Microsoft, Partners and Customers this is an invaluable resource

Both of the Team Channels above are covered by your NDA with Microsoft from either a Partner or Customer perspective.

+--------------------------------------------+--------------------------------+ | Microsoft Cloud Security Private | Microsoft 365 Defender | | Community | Customer Connection Program | +============================================+================================+ | | | | | g) | | | | |   |   | | | | | | | | | | | | | | |   | +-------------------------------------+--------------------------------+

---This form is currently only used for Compliance & Privacy Community requests--- - To join the Windows CCP visit - To join the M365 Defender CCP visit - To join the MEM CCP visit - To join the Compliance & Privacy CCP visit


All content listed will require Microsoft Partner login: i.e. use your work creds & password this is already federated for you

Build Intent Workshops

  • Workshops Available: Partners can nominate Customers and receive USD $5K funding upon successful PoE submission
  • Make sure you review the content below, it's typically very recent (within 6 months), and laid out very well in a structured manner with plenty of content in slide decks along with example SoW's & estimate effort
  • Full list of workshops below with direct links below the table
Sales Usage
Defend Against Threats with SIEM Plus XDR Defend Against Threats with SIEM Plus XDR
Executive Order 14028 (Zero Trust) Secure Identities and Access
Mitigate Compliance and Privacy Risks Mitigate Compliance and Privacy Risks
Protect and Govern Sensitive Data Protect and Govern Sensitive Data
Secure Multi-Cloud Environments Secure Multi-Cloud Environments



Partner Incentives Overview: