
MS-900: Microsoft 365 Fundamentals
Module 03: Security, compliance, privacy, and trust in Microsoft 365
Module agenda
• Organizational security fundamentals
• Security features in Microsoft 365
• Identity and Access Management
• Device and data protection in Microsoft 365
• Compliance in Microsoft 365
Lesson 1: Organizational security fundamentals
Lesson introduction
• Describe the key pillars of security.
• Identify the most common security threats.
Pillars of computer security
The key pillars of any computer security system are:
• Identity and access management
  – Local, domain, Azure Active Directory (Azure AD) and Microsoft accounts, as well as other account types
• Information protection
  – Data at rest
  – Data in transit
• Threat protection
  – Firewall settings
  – Antivirus/antimalware protection
  – Software fixes and updates
  – Lax security settings
  – Poor physical security
• Security management
Identity and access management concepts
Your users might have a number of user accounts within your organization, such as:
• Local accounts
• Domain accounts
• Azure AD accounts
• Microsoft accounts
• Other accounts
Information protection concepts
When considering how best to secure your organizational data, it’s important to consider two situations:
• Data at rest
• Data in transit
Threat protection concepts
Threats to your organization’s data and infrastructure can originate from both devices and the network.

Device security
• Firewall settings
• Antivirus/antimalware protection
• Software fixes and updates
• Lax security settings
• Poor physical security

Network security
Common security threats
• Network security threats
  – An eavesdropping attack
  – A denial of service (DoS) attack
  – Port scanning attacks
  – Man-in-the-middle attacks (MITMs)
• Data security threats
  – Unauthorized users accessing information on a server
  – Unauthorized users accessing data from a lost or stolen removable drive
  – Data leakage arising from a lost or stolen laptop
  – Data leakage arising from user emails with sensitive content inadvertently being sent to unintended recipient(s)
Security management concepts
Security management brings the first three concepts together; you must be
able to manage your security settings to address the key pillars of security.
Security management can be proactive and reactive.
Lesson 2: Security features in Microsoft 365
Lesson introduction
• Describe how Microsoft 365 helps protect identity and access.
• Describe how Microsoft 365 helps you against threats and protects your information.
• Describe how Microsoft 365 classifies information to protect it from data loss.
• Describe the Microsoft 365 Security Center.
Identity and access in Microsoft 365
Threat protection in Microsoft 365
Information protection in Microsoft 365
Discover and classify sensitive information
Microsoft 365 Security Center
Microsoft Secure Score
Lesson 3: Identity and Access Management
Lesson introduction
• Describe the basic features of Azure AD.
• Explain Azure AD identity protection.
Overview of Azure AD
In its Premium tier (P1 or P2), Azure AD provides the following technologies for identity protection:
• Self-service group management
• Advanced security reports and alerts
• MFA
• Microsoft Identity Manager (MIM) licensing
• Password reset with writeback
• Conditional Access based on device, group, or location
• Azure AD Connect Health
• Azure AD Identity Protection (P2 license only)
• Azure AD Privileged Identity Management (P2 license only)
Identity protection basics
• Each computer user today typically has at least five identities (or accounts) for accessing different local or internet-based resources.
• Synchronized identities
• A typical employee usually has one or more business accounts that they use on information systems in the organization where they work.

Identity protection is a set of technologies that you implement to help proactively monitor user behavior, especially during authentication, and to take action if risk or vulnerability is detected.
Azure AD Identity Protection
Azure AD Identity Protection provides you with the ability to:
• Proactively recognize potential security risks and identify vulnerabilities in your organization.
• Automatically apply responses and actions when suspicious activity on one or more identities is detected.
• Properly investigate incidents and take actions to resolve them.
Lesson 4: Device and information protection
Lesson introduction
• Explain the need for device management.
• Describe how Intune provides device protection.
• Identify Microsoft 365 services that protect data in your organization.
• Describe Information Rights Management (IRM).
Why business environments need to protect devices and data
How Microsoft 365 device management provides device protection
• Microsoft 365 device management uses Intune to provide device and data protection
• Intune is a cloud service that helps to manage computers, laptops, tablets, and other mobile devices, including iOS, Android, and Mac OS X devices
• Intune offers both MDM and MAM
• With Intune you can manage all phases of the device lifecycle:
  – Enroll
  – Configure
  – Protect
  – Retire
How Microsoft 365 helps protect data in an organization
• Compliance is an important part of a data protection strategy
• You can use Intune to create, manage and enforce compliance policies
• You can control access to email, documents, and other cloud apps by using Conditional Access policies
• For devices protected by Intune, you can also manage:
  – Device restrictions
  – Endpoint protection
  – Identity protection
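Both the Azure AD Identity Protection signals described in Lesson 3 and the Intune device-compliance state described above are consumed by the same control: Conditional Access policies. The following block is an added example, not part of the MS-900 course materials, showing how the two policies the slides talk about would be created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in administrator can consent to the Policy.ReadWrite.ConditionalAccess scope; the policy names and the emergency-access account ID are constructed placeholders, and the "Office365" application group ID is the built-in group for the Office 365 suite.

```powershell
# Added example (not from the MS-900 course): two Conditional Access policies
# created with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; the admin can consent to
# Policy.ReadWrite.ConditionalAccess; the break-glass account ID is a placeholder.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of an emergency-access account that every policy excludes,
# so a misconfigured policy cannot lock all administrators out of the tenant.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# Policy 1 - Identity Protection signal: when Azure AD rates the sign-in risk as
# medium or high, require MFA instead of silently allowing the session.
$riskPolicy = @{
    displayName = "CA01 - Require MFA for medium or high sign-in risk"
    # Report-only first: the policy is evaluated and written to the sign-in logs
    # but not enforced, so its impact can be reviewed before state = "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
        clientAppTypes   = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2 - Intune signal: only devices that Intune marks compliant may reach
# the Office 365 suite (Exchange Online, SharePoint Online, Teams, ...).
$compliancePolicy = @{
    displayName = "CA02 - Require compliant device for Office 365"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        # "Office365" is the built-in application group for the Office 365 suite.
        applications   = @{ includeApplications = @("Office365") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice")
    }
}

foreach ($body in @($riskPolicy, $compliancePolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
    "{0}  ->  id {1}, state {2}" -f $created.DisplayName, $created.Id, $created.State
}
```

Both policies are created in report-only mode on purpose: the sign-in logs then show which users and devices would have been blocked or challenged, and the policy is switched to "enabled" only after that review. Excluding a dedicated emergency-access account from every Conditional Access policy is the standard safeguard against locking the whole tenant out.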
What is Windows Information Protection?
Windows Information Protection (WIP) helps you to overcome several common challenges by providing:
• Separation between personal and corporate data.
• Additional protection for LOB apps.
• Ability to perform a selective wipe.
• Audit reporting.
• Management system integration.
What is Azure Information Protection?
• Azure Information Protection is a set of cloud-based technologies that provide classification, labeling, and data protection
• You can use Azure Information Protection to classify, label, and protect data such as email and documents
• Azure Information Protection uses the Microsoft Azure Rights Management service
• To use Azure Information Protection to its full capacity, you should configure rules and policies for classification, labeling, and protection
Lesson 5: Compliance in Microsoft 365
Lesson introduction
• Describe the three pillars of compliance.
• Explain the benefits of the Compliance Manager tool.
• Describe the Microsoft Compliance Center.
Common compliance needs in today’s business environments
• To help protect individuals, governments and the agencies they appoint have introduced regulations about data storage and use
• These regulations include:
  – Granting people the right to access, and possibly correct, data stored about them
  – Defining a data retention period
  – Granting governments and their appointed regulatory bodies the rights to access stored records for investigative purposes
  – Defining exactly how stored data can and cannot be used. In other words, defining the purpose for the collated data
  – Defining privacy controls so that private data can remain private
• Most common government regulations include: HIPAA, FISMA, EU Model Clauses, Safe Harbor Framework and others
Service Trust Portal and Compliance Manager
• Service Trust Portal provides a variety of content, tools, and other resources about Microsoft security, privacy, and compliance practices
• The portal consists of several components:
  – Service Trust Portal
  – Compliance Manager
  – Trust documents
  – Regional Compliance
  – Privacy
  – Resources
  – Admin
Service Trust Portal and Compliance Manager (cont.)
• The Compliance Manager portal helps you stay compliant with both internal requirements and well-known security standards, such as:
  – GDPR
  – ISO 27001
  – ISO 27018
  – NIST 800-53
  – HIPAA
• Compliance Manager performs the following key activities:
  – Real-time risk assessment
  – Actionable insights
  – Simplified compliance
Data governance in Microsoft 365
Retention labels allow you to:
• Enable people in your organization to apply a retention label manually.
• Apply retention labels to content automatically.
• Apply a default retention label to a document library.
• Implement records management across Office 365.
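The first, second and fourth items above (manual labeling, auto-apply, records management) are all driven by one retention label plus the policies that publish or auto-apply it. The following block is an added example, not part of the MS-900 course materials, using Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module. It assumes that module is installed and that the signed-in account holds a compliance administrator role; the label name, policy names and keyword query are constructed for the example and should be checked against your tenant's requirements. The default label for a document library (the third item) is set in that library's settings and is not shown here.

```powershell
# Added example (not from the MS-900 course): one retention label, published for
# manual use and also auto-applied, via Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; compliance admin role;
# all names and the keyword query below are constructed for this example.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # connects to the Security & Compliance PowerShell endpoint

$labelName = "Finance records - keep 7 years"

# 1. Create the retention label: keep items for 7 years (2555 days) counted from
#    their last modification, then delete them. Declaring it a record label means
#    users cannot remove the label or shorten the retention once it is applied.
New-ComplianceTag -Name $labelName `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType ModificationAgeInDays `
    -IsRecordLabel $true `
    -Comment "Constructed example label for finance documents and mail"

# 2. Publish the label so people can apply it manually in Exchange, SharePoint
#    and OneDrive. A label policy is a retention compliance policy plus a rule
#    naming the label to publish.
New-RetentionCompliancePolicy -Name "Publish finance label" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Policy "Publish finance label" -PublishComplianceTag $labelName

# 3. Auto-apply the same label to content matching a keyword query, so retention
#    does not depend on every user remembering to label their files and mail.
New-RetentionCompliancePolicy -Name "Auto-apply finance label" `
    -ExchangeLocation All -SharePointLocation All -Enabled $true
New-RetentionComplianceRule -Policy "Auto-apply finance label" `
    -ApplyComplianceTag $labelName `
    -ContentMatchQuery 'invoice OR "general ledger" OR "purchase order"'

# 4. Verify what was created before leaving the session.
Get-ComplianceTag -Identity $labelName |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel
Get-RetentionCompliancePolicy | Where-Object Name -like "*finance label*" |
    Select-Object Name, Enabled, Mode
```

Publishing and auto-applying are kept as two separate policies because they behave differently: a published label only appears as a choice for users, while an auto-apply rule changes content without user action, so the keyword query should be tested on a small location before the policy is widened to all of Exchange and SharePoint.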
Encryption in Microsoft 365
Microsoft 365 uses some of the strongest encryption protocols available:
• Data is encrypted by default, at rest and in transit.
• For data at rest, data is encrypted at the physical disk with BitLocker and in applications with service encryption.
• Data in transit is encrypted with TLS (Transport Layer Security) as it moves across the network.
Zero standing access
Customer Lockbox for Office 365
Respond to data discovery requests
Microsoft Compliance Center
Module Review
• Complete the module review in the course handbook.
Lab: Implement security and compliance in Microsoft 365
© Copyright Microsoft Corporation. All rights reserved.
