Microsoft 365 Security Architecture

“I configured M365 security but I can’t explain why I chose those settings.” You deployed Conditional Access policies, enabled MFA, turned on Defender features. If the auditor asks why you chose those specific settings over the alternatives, you don’t have a documented answer. This course builds the ADR for every decision — context, options, trade-offs, and rationale.

“My CISO asked for our security architecture and I don’t have one.” You have portal configurations. You don’t have an architecture document that explains how identity, endpoint, data protection, and detection work together as a system. This course produces the 30+ ADRs, decision matrices, risk register, and executive summary that constitute an actual architecture.

“We’re going through an ISO 27001 audit and I need documented decisions.” The auditor wants evidence that each control was selected deliberately, that alternatives were considered, and that the trade-offs were accepted with awareness. An ADR is that evidence. This course builds the ADR library mapped to ISO 27001, NIST CSF, and CIS controls.

“The previous architect left and nobody knows why anything is configured this way.” Undocumented architecture is untransferable architecture. When the person who built it leaves, the knowledge leaves. This course teaches you to document every decision so your successor understands the rationale without asking you.

“I want to move into security architecture from engineering.” The difference between engineering and architecture is documentation and justification. Engineers configure controls. Architects design systems, document decisions, and defend them to stakeholders. The portfolio you build in this course — ADRs, risk register, executive summary — is what you bring to architecture interviews.

“We’re on E3 and I need to justify the E5 upgrade to the CFO.” Every module includes the E3 vs E5 trade-off analysis — what you get, what you lose, and where the licensing boundary creates security gaps. The executive summary at the end makes the business case for the security investment in terms the CFO can evaluate.

Architecture thinking methodology, Entra ID design, authentication strategy, Conditional Access policy framework with persona model, privileged access with PIM and break-glass governance.

Purview data protection architecture, Intune endpoint security baselines, Defender for Office 365 email defense, collaboration security. E3 vs E5 trade-off analysis in every module.

Sentinel workspace architecture, log connector strategy, detection rule framework, incident response integration, Defender XDR operations design. Every detection validated with attack simulation.

Identity governance and lifecycle, compliance mapping (ISO 27001, NIST CSF, CIS), and the capstone: assemble the complete architecture package with executive summary, risk register, and 30+ ADRs.

Architecture Decision Record — From Module 3: Conditional Access Design

ADR-007: Session timeout for unmanaged devices

Status: Accepted

Context: Users access M365 from personal devices (BYOD). Compliant device CA policies cannot apply. Stolen session tokens from unmanaged devices have no device-binding protection. Average AiTM token replay window is 4–6 hours.

Options considered: (A) 1-hour timeout — strong security, high user friction. (B) 4-hour timeout — closes the AiTM replay window, moderate friction. (C) 8-hour timeout — low friction, leaves a 2–4 hour replay window. (D) No timeout — maximum usability, maximum risk.

Decision: Option B — 4-hour sign-in frequency for unmanaged devices accessing Exchange Online, SharePoint, and Teams.

Trade-offs: Users on personal devices re-authenticate twice per workday. Acceptable given the token replay risk. VIP exception group uses 8-hour timeout with compensating monitoring control (ADR-008).

Review trigger: Revisit if token protection becomes GA for unmanaged devices, or if user complaints exceed 10/week sustained over 30 days.