Course Introduction

2-3 hours · Module 0 · Free

0.1 What Microsoft 365 security operations is

Security operations in an M365 environment is not portal administration with alerts turned on. It is the discipline of detecting threats, investigating incidents, and improving your security posture across a stack of interconnected products — Defender XDR, Defender for Endpoint, Defender for Office 365, Defender for Cloud Apps, Purview, and Sentinel — that share telemetry, correlate signals, and enforce controls at every layer of the environment.

The five attack types that dominate M365 environments in 2026 define what the course teaches you to investigate and detect. AiTM credential phishing captures session tokens after MFA completes — the attack that renders push-notification MFA ineffective. BEC financial fraud redirects wire transfers through compromised executive mailboxes. Token replay hijacks authenticated sessions from compromised devices. Consent phishing grants persistent access through OAuth application permissions. Insider threat exfiltrates data through channels that legitimate users access every day. Each of these attacks traverses multiple Defender products, generates telemetry across multiple log sources, and requires investigation methodology that connects signals across the full stack.

This course takes you from responding to alerts someone else configured to owning the investigation and detection program. Seventeen modules across four phases. You build 29 analytics rules, five investigation playbooks, and five operational checklists — all deployed into your own M365 tenant. The deliverables are yours to keep. The SC-200 exam objectives are fully covered, but the certification is the side effect of operational competence, not the goal.

This module establishes the operational philosophy, maps the course to SC-200 exam domains, walks the lab environment setup, and gets your M365 developer tenant ready for the hands-on work that starts in Module 1.

0.2 What you will learn

Six sections covering course orientation, exam strategy, and lab environment setup.

Section 0.1 — Mission, Course Structure, and Who This Is For. The operational philosophy that defines how every module teaches — investigation methodology over portal screenshots, deployable artifacts over study notes, the BYOT model that makes every configuration yours. Course structure across four phases. Who the course serves and how different backgrounds navigate the material.

Section 0.2 — SC-200 Exam Overview and Study Strategy. The January 2026 SC-200 exam update mapped to course modules. Which exam domains each module covers. How to use the course for certification alongside operational competence. What the exam tests versus what production operations requires.

Section 0.3 — How to Learn from This Course. The text-based format as a feature — why security operators read documentation rather than watch videos, and how the course matches the operational reality of the job. Study cadence recommendations. How to navigate the course non-linearly once Phase 1 is complete.

Section 0.4 — Lab Setup: M365 E5 Developer Tenant. Step-by-step setup of the free M365 developer tenant — 25 E5 licenses, full Entra ID, Exchange Online, SharePoint, Teams, Defender XDR, and Purview audit. The BYOT model: everything you build deploys into your tenant and stays after the course.

Section 0.5 — Lab Setup: Azure Subscription and Sentinel Workspace. Linking an Azure free-tier subscription to your developer tenant. Deploying a Sentinel workspace with the free data connectors — Entra ID sign-ins, Office 365 audit, Defender XDR incidents. The 5 GB/day free ingestion tier.

Section 0.6 — Lab Setup: Sample Data and Validation. Loading the Microsoft sample data packs to populate sign-in logs, mailbox activity, and device events. Validation queries that confirm your data is ready for Module 1.

0.3 Why the Microsoft stack is ideal for security operations training

The Microsoft security stack is the only platform where a single query workspace — Advanced Hunting or Sentinel — gives you correlated visibility across email, endpoint, identity, and cloud application telemetry in the same schema. An AiTM phishing campaign that starts with an email, compromises a credential, and triggers suspicious mailbox activity appears as connected events in the same query interface. No other vendor provides this level of cross-product correlation in a single hunting workspace.

Defender XDR's correlation engine connects alerts across products into unified incidents automatically. You investigate one incident, not four separate alerts in four separate consoles. The SOC workflow you build in this course operates against that unified view — the same view you operate against in production.

KQL provides the analytical layer. Every detection rule, investigation query, and verification command in this course is a KQL query you run in your own workspace. The queries are copy-pasteable, immediately executable, and produce real results from your tenant's telemetry. When Microsoft changes a portal layout, the KQL still works.

The M365 E5 developer tenant is free and provides the complete security stack — every Defender product, Sentinel, Purview, Entra ID with Identity Protection, Conditional Access, and PIM. You build your detection rules, investigation playbooks, and hardening baselines in a tenant you control. No shared lab environments, no scheduled lab windows, no artificial time limits.

0.4 How to get the best from this module

Work through the sections in order. Sections 0.1 through 0.3 cover course orientation and learning methodology — read these before touching the portal. Sections 0.4 through 0.6 walk the lab environment setup step by step. Complete the lab setup before starting Module 1 — every hands-on exercise from M1 onward requires your tenant to be active.

If you already have an M365 E5 tenant and a Sentinel workspace, skim Sections 0.4 and 0.5 and focus on Section 0.6 (sample data validation) to confirm your environment is ready.

Section 0.2 (SC-200 mapping) is valuable even if you are not pursuing the certification — the exam domain structure maps cleanly to the operational skills the course teaches, and knowing which modules cover which domains helps you prioritize if you are working non-linearly.

Estimated total time: 2 to 3 hours. Lab setup in Sections 0.4 through 0.6 takes 30 to 45 minutes if you follow the steps without detours.

0.5 Module structure

  • Section 0.1 — Mission, Course Structure, and Who This Is For
  • Section 0.2 — SC-200 Exam Overview and Study Strategy
  • Section 0.3 — How to Learn from This Course
  • Section 0.4 — Lab Setup: M365 E5 Developer Tenant
  • Section 0.5 — Lab Setup: Azure Subscription and Sentinel Workspace
  • Section 0.6 — Lab Setup: Sample Data and Validation

No prerequisites. This is the first module of the course. Basic familiarity with M365 administration is helpful but not required — every concept is explained at first use.

Go to Section 0.1 — Mission, Course Structure, and Who This Is For to begin.