Microsoft Threat Protection

In this course, we take an introductory look at the security tools within Microsoft 365.

Learning Objectives

  • Explain what a Zero Trust Policy is and what value it can have.
  • Explain identity and access management concepts.
  • Explain threat and information protection in Microsoft 365.
  • Understand the different tools and portals available to you in Microsoft 365 security offerings.

Intended Audience

  • Users who are new to Microsoft 365.
  • Users looking to learn about the security offerings Microsoft 365 has to offer.


An understanding of general technical concepts.


As technology advances, so do the security threats to organizations. IT must be able to deal with all kinds of external risks and threats. These threats can range from something as simple as a phishing attempt to an all-out attack on infrastructure with advanced DoS attacks. Being able to respond properly to each of these threats is imperative to ensuring that your organization's data is secure. Microsoft continually improves its threat protection capabilities and provides a multitude of tools tailor-made to deal with each type of potential security threat. Microsoft 365 provides these tools through something called Microsoft Defender.

It's important to note that Microsoft Defender used to be known as Microsoft Threat Protection and is different from Windows Defender. Microsoft Defender is essentially a suite of tools meant to help organizations protect against attacks across four specific areas of vulnerability. The areas protected by Microsoft Defender are:

  • Identities, with Microsoft Defender for Identity or MSDI.
  • Endpoints, with Microsoft Defender for Endpoint or MSDE.
  • Email and collaboration, with Microsoft Defender for Office or MSDO.
  • Applications, with Microsoft Cloud App Security or MCAS.

Each of these provides different protections for your organization. Let's start off with Microsoft Defender for Identity.

First off, this used to be known as Azure Advanced Threat Protection or Azure ATP. So, if you hear this verbiage, just know it's referring to Microsoft Defender for Identity. MSDI monitors and analyzes user activity and standard behaviors through your Active Directory. The strength of MSDI is that it establishes a baseline for each user's usual behavior and activities. Once it has a baseline for each user, it can detect suspicious behaviors, alert IT, and provide insight into those activities. Suspicious behaviors can be something like multiple failed authentication attempts, or even a user opening multiple documents that aren't frequently accessed.

MSDI is meant to reduce overall security noise, ensuring that you only see what is relevant and needed rather than redundant information. Next would be Microsoft Defender for Endpoint. Again, like MSDI, Microsoft Defender for Endpoint used to be known as Microsoft Defender Advanced Threat Protection or Microsoft Defender ATP. So take note: if you hear this verbiage, it is referring to Microsoft Defender for Endpoint. Now, MSDE was created to protect endpoints in your org and has seven pillars:

  • Threat and vulnerability management, which provides real-time information on vulnerabilities.
  • Attack surface reduction, which minimizes the area of risk by only allowing certain applications.
  • Next-generation protection, which includes Windows Defender Antivirus to protect devices.
  • Endpoint detection and response, which detects and alerts on potential breaches.
  • Automated investigation and protection, which allows you to examine potential alerts and take immediate action to resolve breaches.
  • Microsoft Threat Experts, which is Microsoft threat support with monitoring and consultation.
  • Management and APIs, which is MSDE providing centralized configuration and APIs to integrate with other solutions.

Each of these pillars provides another protection platform to keep your organization's endpoints secure. Next up, we have Microsoft Defender for Office or MSDO. Much like the rest of these, MSDO used to be known as Office 365 Advanced Threat Protection.

So, if you hear that verbiage, just know it is referring to Microsoft Defender for Office. MSDO specifically focuses on protecting the Office suite from security risks. It protects against malicious emails and links, and extends that protection throughout Microsoft Teams, SharePoint, OneDrive, and more. You get real-time monitoring and reporting on the threats to your organization's Office environment, and MSDO provides automated responses you can then use to mitigate those threats. And finally we have Microsoft Defender for Cloud Apps. However, I'm going to break it off into its own lecture, as it has the most information and we need to spend a little bit more time on it. For now, let's just talk about Microsoft Secure Score.

Through Microsoft 365 Defender, you are provided something called a Microsoft Secure Score, which is effectively a numerical rating of your organization's overall security posture. It breaks things down into different categories: identity, data, devices, apps, and infrastructure. Each of those contributes points that affect the score. By providing a centralized dashboard where you can view any and all security information for your organization, it enables IT to address potential risks before they become a problem. The Microsoft Secure Score also suggests actions to improve your overall security posture. You can then address those suggested actions and classify them based on how you respond.

For example, one of the suggestions may be to enable self-service password resets. However, you might not want to enable that for your workforce, instead opting for a manual reset by IT. You can then enable or disable it and classify it in Microsoft 365 Defender so that it is no longer listed under suggestions, but rather labeled in such a way that your IT team is aware of the policy. Everything you do to improve your organization's security posture is tracked and kept within the Microsoft 365 Defender portal. It keeps a history of all activities and tracks metrics to keep your organization on track to meet its security goals. But with that out of the way, it's time now to talk about Microsoft Defender for Cloud Apps (formerly Cloud App Security). So, let's go ahead and jump into that.
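As an added example that is not part of the original course and not Microsoft's code, here is a small Python model of how a score like this can be rolled up from individual improvement actions, and how the classification described above (for instance, deciding not to enable self-service password reset) changes what is still shown as a suggestion. The action names, categories, point values and the status semantics (completed and third-party-resolved actions earn their points; risk-accepted actions earn nothing but drop out of the suggestion list; open and planned actions remain suggestions) are assumptions for this model, not Microsoft's actual Secure Score data or rules.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ImprovementAction:
    name: str
    category: str      # one of: identity, data, devices, apps, infrastructure
    max_points: int
    status: str        # open | planned | completed | third_party | risk_accepted


# Assumed status semantics for this model (not Microsoft's actual rules):
# completed and third_party earn the action's points; risk_accepted earns
# nothing but is no longer shown as a suggestion; open and planned remain
# suggestions to act on.
EARNS_POINTS = {"completed", "third_party"}
SUPPRESSED = {"risk_accepted"}

# Constructed sample actions; names, categories and point values are made up.
SAMPLE_ACTIONS = [
    ImprovementAction("Require MFA for administrative roles", "identity", 10, "completed"),
    ImprovementAction("Enable self-service password reset", "identity", 1, "risk_accepted"),
    ImprovementAction("Turn on Safe Links for email", "apps", 6, "open"),
    ImprovementAction("Create a DLP policy for financial data", "data", 5, "planned"),
    ImprovementAction("Onboard devices to Defender for Endpoint", "devices", 8, "third_party"),
]


def score_by_category(actions):
    """Return {category: (earned, possible)} plus the overall roll-up under 'total'."""
    earned, possible = defaultdict(int), defaultdict(int)
    for a in actions:
        possible[a.category] += a.max_points
        if a.status in EARNS_POINTS:
            earned[a.category] += a.max_points
    result = {c: (earned[c], possible[c]) for c in possible}
    result["total"] = (sum(earned.values()), sum(possible.values()))
    return result


def percent(earned, possible):
    """Score as a percentage of achievable points, one decimal place."""
    return round(100.0 * earned / possible, 1) if possible else 0.0


def open_suggestions(actions):
    """Actions still surfaced as suggestions, highest-value first."""
    todo = [a for a in actions if a.status not in EARNS_POINTS | SUPPRESSED]
    return sorted(todo, key=lambda a: a.max_points, reverse=True)


if __name__ == "__main__":
    scores = score_by_category(SAMPLE_ACTIONS)
    for category, (got, total) in scores.items():
        print(f"{category:15} {got:3}/{total:<3} ({percent(got, total)}%)")
    print("Suggested next actions:")
    for a in open_suggestions(SAMPLE_ACTIONS):
        print(f"  +{a.max_points:2} [{a.status}] {a.name}")
```

The point of the status split is the one the lecture makes: a risk-accepted action such as the password-reset suggestion disappears from the to-do list so that IT is not nagged about a deliberate policy decision, while the points it would have earned still count against the possible total, so the score honestly reflects the accepted gap.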

Microsoft Defender for Cloud Apps, previously known as Microsoft Cloud App Security, is a cloud access security broker that provides information on potential threats across the organization's cloud services. One of the most unique challenges for organizations can be balancing the availability of data and IT for employees while restricting access for security purposes. This is where cloud access security brokers, and Microsoft Defender for Cloud Apps in particular, come into play.

Think of Microsoft Defender for Cloud Apps like a box that has four sides. Each of these sides protects a specific area of your cloud apps, and together they make up the frame of the box, which can be thought of as the framework for Microsoft Cloud App Security. The four sides are: discover and control Shadow IT, information protection in the cloud, cyber threat and anomalous threat protection, and cloud compliance. It's important to understand each of these, so let's go over them one by one. Starting off, we have Shadow IT. Shadow IT is the term used for technology that is used within an organization but is not managed or approved by IT. These can be things like other productivity apps, cloud drives, and more that are not managed by your organization.

For example, if you are with a company using Microsoft 365, an example of Shadow IT would be using Google Drive instead of OneDrive, or Slack instead of Teams. While they're similar, they are not managed by the organization, which can pose potential security risks. Microsoft Defender for Cloud Apps allows you to record the types of Shadow IT being used by your workforce, identify the risk level of each, evaluate those applications' compliance, analyze the usage of those apps, and manage them by either allowing or blocking them from your networks. It allows for continuous monitoring to make sure that you are alerted to risky behavior within those cloud apps used by your workforce.
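The discover, assess and allow/block workflow just described, as an added example in Python that is neither the course's nor Microsoft's code: it parses constructed proxy log lines, aggregates usage per cloud app (distinct users and bytes sent), looks each app up in a constructed catalog of hypothetical apps with made-up risk scores and compliance attributes, and produces an allow, block or review decision under an assumed policy (block unsanctioned apps that score below a risk floor or lack a required compliance attribute; review everything else that is unsanctioned or unknown). The log format, host names, catalog entries and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed cloud-app catalog: hypothetical apps with made-up risk scores
# (0-10, higher is safer) and compliance attributes. Not real product data.
APP_CATALOG = {
    "drive.examplecorp.test": {"app": "Corp Drive", "risk": 9, "sanctioned": True,  "soc2": True,  "gdpr": True},
    "files.sharedrop.test":   {"app": "ShareDrop",  "risk": 3, "sanctioned": False, "soc2": False, "gdpr": False},
    "chat.quickping.test":    {"app": "QuickPing",  "risk": 6, "sanctioned": False, "soc2": True,  "gdpr": True},
}

# Assumed policy: unsanctioned apps are blocked when their risk score is below
# this floor or they lack a compliance attribute the organization requires;
# other unsanctioned or unknown apps are queued for review.
MIN_RISK_SCORE = 5
REQUIRED_COMPLIANCE = ("gdpr",)

# Constructed proxy log lines in a simple "timestamp user=.. host=.. bytes=.." format.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:02:11Z user=alice host=drive.examplecorp.test bytes=120000
2024-05-01T09:05:43Z user=bob host=files.sharedrop.test bytes=48000000
2024-05-01T09:06:02Z user=carol host=files.sharedrop.test bytes=2500000
2024-05-01T09:10:20Z user=bob host=chat.quickping.test bytes=15000
2024-05-01T09:11:05Z user=dave host=unknown-saas.test bytes=900
"""

LOG_LINE = re.compile(r"^(\S+) user=(\S+) host=(\S+) bytes=(\d+)$")


def discover_apps(log_text):
    """Aggregate per-host usage (distinct users, bytes sent) from proxy log lines."""
    usage = defaultdict(lambda: {"users": set(), "bytes": 0})
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, user, host, nbytes = m.groups()
        usage[host]["users"].add(user)
        usage[host]["bytes"] += int(nbytes)
    return usage


def assess(host, stats):
    """Classify one discovered app as allow, block or review, with a reason."""
    entry = APP_CATALOG.get(host)
    record = {"host": host, "users": len(stats["users"]), "bytes": stats["bytes"]}
    if entry is None:
        return {**record, "app": "unknown", "decision": "review", "reason": "not in catalog"}
    record["app"] = entry["app"]
    if entry["sanctioned"]:
        return {**record, "decision": "allow", "reason": "sanctioned"}
    missing = [c for c in REQUIRED_COMPLIANCE if not entry[c]]
    low_risk_score = entry["risk"] < MIN_RISK_SCORE
    if low_risk_score or missing:
        reason = f"risk score {entry['risk']} below {MIN_RISK_SCORE}" if low_risk_score else ""
        if missing:
            reason = (reason + "; " if reason else "") + "missing " + ", ".join(missing)
        return {**record, "decision": "block", "reason": reason}
    return {**record, "decision": "review", "reason": "unsanctioned but meets policy"}


def shadow_it_report(log_text):
    """Full pipeline: discover, assess, and return one row per app, sorted by host."""
    usage = discover_apps(log_text)
    return sorted((assess(h, s) for h, s in usage.items()), key=lambda r: r["host"])


if __name__ == "__main__":
    for row in shadow_it_report(SAMPLE_PROXY_LOG):
        print(f"{row['decision']:6} {row['app']:10} {row['host']:25} "
              f"users={row['users']} bytes={row['bytes']} ({row['reason']})")
```

In the sample data the unsanctioned file-sharing app is blocked because it both scores poorly and lacks the required compliance attribute, while the unsanctioned chat app and the host missing from the catalog are sent for review rather than silently blocked; the user and byte counts are what an analyst would use to judge how much data has already left through each app.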

Depending upon the organization, different cloud applications can be necessary, which is where Shadow IT discovery really comes into play in order to ensure security across your different and varied cloud applications. Next up is information protection in the cloud. This is the part of Microsoft Defender for Cloud Apps that protects your information and allows you to roll out settings and control access to all cloud apps. An example of this would be data classification and data loss prevention policies. We'll cover these a bit later in the information protection lecture. The next side of the box is cyber threat and anomalous threat protection. This section essentially detects unusual behavior across cloud applications and automatically addresses the vulnerability. Similar to MSDI, it creates a baseline of standard user behavior within cloud apps.

It then uses that baseline to compare against current activities in order to protect against malware and external threats. And finally, we have cloud compliance. Microsoft Defender for Cloud Apps analyzes and assesses whether your cloud apps are compliant with both regulatory and industry compliance requirements. It provides information on potential data leaks and non-compliant applications, and allows you to limit access to data within the organization to ensure that it falls within the required compliance regulations. Each of these sides is a different protection that Microsoft Defender for Cloud Apps provides for an organization's data within cloud applications. But now that we have a good understanding of Microsoft threat protection, let's take a deeper look into information protection to see how organizations and users can help keep data secure regardless of its location.
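Both MSDI's behavioral baselining described earlier in this lecture (multiple failed authentication attempts, a user opening documents they do not normally access) and the anomalous-behavior detection in Microsoft Defender for Cloud Apps described above rest on the same idea: learn what is normal for each user, then compare new activity against that baseline. The following added Python example, which is not the course's or Microsoft's code, shows that idea over constructed activity events. It learns each user's daily authentication-failure statistics and frequently accessed documents from a seven-day window, then flags a user on a later day for an unusual burst of failed logins or for opening several documents they have never worked with. The event format, sample users and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Detection thresholds: assumptions for this example, not MSDI's real logic.
AUTH_FAIL_SIGMA = 3.0       # alert when failures exceed baseline mean + 3 standard deviations...
AUTH_FAIL_FLOOR = 3         # ...but never on fewer than this many failures in a day
UNFAMILIAR_DOC_FLOOR = 3    # alert on at least this many never-before-seen documents in a day...
UNFAMILIAR_DOC_MARGIN = 2   # ...and more than the user's usual daily document count plus this


# Events are (day, user, kind, obj); kind is "auth_failure" (obj None) or "file_open" (obj = document).
def build_sample_events():
    """Constructed seven-day training window: alice fails one login a day and works
    on two documents; bob only ever opens the HR policy."""
    events = []
    for day in range(1, 8):
        events.append((day, "alice", "auth_failure", None))
        events += [(day, "alice", "file_open", d) for d in ("budget.xlsx", "roadmap.docx")]
        events.append((day, "bob", "file_open", "hr-policy.pdf"))
    return events


# Constructed day-8 activity: alice behaves normally; bob has six failed logins and
# then opens five payroll files he has never touched before.
DAY8_EVENTS = (
    [(8, "alice", "auth_failure", None), (8, "alice", "file_open", "budget.xlsx")]
    + [(8, "bob", "auth_failure", None)] * 6
    + [(8, "bob", "file_open", f"payroll-{i}.xlsx") for i in range(5)]
)


def build_baseline(events):
    """Learn each user's normal daily behaviour from a training window."""
    days = sorted({e[0] for e in events})
    fails = defaultdict(lambda: defaultdict(int))       # user -> day -> failure count
    doc_days = defaultdict(lambda: defaultdict(set))    # user -> document -> days opened
    for day, user, kind, obj in events:
        if kind == "auth_failure":
            fails[user][day] += 1
        elif kind == "file_open":
            doc_days[user][obj].add(day)
    baseline = {}
    for user in set(fails) | set(doc_days):
        daily_fails = [fails[user][d] for d in days]   # zero-filled so quiet days count
        daily_docs = [sum(1 for seen in doc_days[user].values() if d in seen) for d in days]
        baseline[user] = {
            "fail_mean": mean(daily_fails),
            "fail_std": pstdev(daily_fails),
            "frequent_docs": {doc for doc, seen in doc_days[user].items() if len(seen) >= 2},
            "docs_mean": mean(daily_docs),
        }
    return baseline


def detect(day_events, baseline):
    """Compare one day's activity against the baseline; return a sorted list of alerts."""
    fails, docs = defaultdict(int), defaultdict(set)
    for _, user, kind, obj in day_events:
        if kind == "auth_failure":
            fails[user] += 1
        elif kind == "file_open":
            docs[user].add(obj)
    unknown = {"fail_mean": 0.0, "fail_std": 0.0, "frequent_docs": set(), "docs_mean": 0.0}
    alerts = []
    for user in set(fails) | set(docs):
        b = baseline.get(user, unknown)   # users with no history get the floors only
        fail_threshold = max(AUTH_FAIL_FLOOR, b["fail_mean"] + AUTH_FAIL_SIGMA * b["fail_std"])
        if fails[user] >= fail_threshold:
            alerts.append({"user": user, "rule": "auth_failures",
                           "observed": fails[user], "threshold": fail_threshold})
        unfamiliar = docs[user] - b["frequent_docs"]
        doc_threshold = max(UNFAMILIAR_DOC_FLOOR, b["docs_mean"] + UNFAMILIAR_DOC_MARGIN)
        if len(unfamiliar) >= doc_threshold:
            alerts.append({"user": user, "rule": "unfamiliar_documents",
                           "observed": len(unfamiliar), "threshold": doc_threshold})
    return sorted(alerts, key=lambda a: (a["user"], a["rule"]))


if __name__ == "__main__":
    for alert in detect(DAY8_EVENTS, build_baseline(build_sample_events())):
        print(alert)
```

Two design points carry over to any baseline-driven detector: days with no events are counted as zeros when computing the baseline (otherwise a user who normally never fails a login would have no baseline at all), and the absolute floors stop the standard-deviation rule from firing on a single failure for such quiet users, which is exactly the kind of noise the lecture says MSDI is meant to suppress.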


About the Author

Lee has spent most of his professional career learning as much as he could about PC hardware and software while working as a PC technician with Microsoft. Once COVID hit, he moved into a customer training role with the goal of getting as many people as possible prepared for remote work using Microsoft 365. Being both Microsoft 365 certified and a self-proclaimed Microsoft Teams expert, Lee continues to expand his knowledge by working through the wide range of Microsoft certifications.