AD0 — The M365 Security Landscape
What this course is
This is a free, practical security course for IT administrators who manage Microsoft 365 tenants and have been given security responsibility. Eight modules take you from understanding the M365 security landscape through identity protection, email security, device management, data protection, monitoring, incident response, and security governance — all within the environment you already administer.
Someone decided you're responsible for security. Maybe it was your manager, maybe it was the CEO after reading a news article about a breach, maybe it was nobody — the responsibility just drifted to you because you're the person who manages the M365 tenant. Either way, you're now expected to secure an environment you've been administering, and the gap between "managing M365" and "securing M365" is wider than anyone who made that decision understands.
This course closes that gap. Not by teaching you generic cybersecurity theory — there are hundreds of courses that spend weeks on firewalls, network segmentation, and the OSI model before you touch anything relevant to your M365 tenant. This course starts where you already are: the M365 Admin Center, Exchange Online, Entra ID, Intune. It teaches you to use the security tools already included in your license — most of which are sitting unused with default configurations — and moves you toward the Defender portal, Conditional Access, email protection, incident response, and security reporting.
The entire course is free. No account required. No paywall. No "free trial for 7 days." This is the on-ramp. If you complete it and want to go deeper into any specific area — detection engineering, threat hunting, incident response, endpoint security — the paid courses on this platform are the next step.
What this course teaches
Eight modules across three phases. All free — no account required.
Phase 1 — Foundations (AD0, AD1). You are here now. AD0 maps the M365 security landscape — what attackers target (identity, email, data), what security tools are in your license and which are configured by default, the difference between Security Defaults and Conditional Access, how to navigate the five admin portals for security work, how to read security alerts without panicking, and the improvement sequence that closes gaps without breaking production. AD1 covers securing identities in Entra ID — the #1 attack surface in every M365 tenant: MFA enforcement, Conditional Access policy design, sign-in risk, legacy authentication blocking, and the identity hardening that stops 99% of credential attacks.
Phase 2 — Protection (AD2–AD4). Three modules covering the core protection stack. Protecting email with Defender for Office 365 — anti-phishing policies, Safe Links, Safe Attachments, DMARC/DKIM/SPF configuration, and understanding what email security actually blocks vs. what it misses (AD2). Managing devices and endpoints — Intune compliance policies, Defender for Endpoint basics, device encryption enforcement, and the minimum viable endpoint protection configuration (AD3). Data protection fundamentals — sensitivity labels, DLP policies for email and SharePoint, and the basic data classification that prevents accidental exposure (AD4).
Phase 3 — Operations (AD5–AD7). Three modules building the operational capability. Security monitoring and alert triage — navigating the Defender incident queue, understanding alert severity, basic triage methodology, and the daily monitoring routine that catches problems early (AD5). Basic incident response — what to do when something goes wrong: the first 60 minutes, evidence preservation, containment actions you can take as an admin, and when to escalate to external help (AD6). Security governance and program documentation — Secure Score action plans, security policies your organization needs, compliance evidence, and the quarterly report that demonstrates progress to leadership (AD7).
Study the course linearly. Each module builds on the previous — identity (AD1) before email (AD2) because email protection depends on identity configuration; protection (AD2–AD4) before operations (AD5–AD7) because you need to understand the controls before you can monitor and respond to them.
Who this course is for
IT administrators and helpdesk professionals who manage M365 tenants. This course is specifically designed for people who already know M365 administration but are new to the security side.
IT administrator who inherited security. You manage Exchange Online, Entra ID, Intune, and SharePoint. You've been told security is now your responsibility too. You know how to create users and assign licenses — you don't know how to investigate a compromised account or configure Conditional Access beyond Security Defaults. This course bridges that gap.
Helpdesk professional moving into administration. You handle password resets, account creation, and basic troubleshooting. You want to understand the security implications of the administrative work you're already doing — and prepare for the security responsibilities that come with admin-level access.
Small business IT generalist. You're the entire IT department. There is no SOC, no security team, no CISO. You need the security configurations that provide maximum protection with minimum complexity — the 20% of settings that address 80% of the risk.
Anyone preparing for a security-focused role. You want to transition into security operations, detection engineering, or incident response. This course provides the M365 security foundation that the paid courses on this platform assume as baseline knowledge.
Prerequisites
One prerequisite. This course is designed as an entry point — the lowest barrier of any course on the platform.
M365 administration experience. You should be able to navigate the M365 Admin Center, create user accounts, assign licenses, and manage Exchange Online mailboxes. You do not need security experience, KQL knowledge, or PowerShell skills. If you've administered an M365 tenant for three months, you have the context you need.
Nothing else is required. No security certifications, no programming, no prior security training.
Lab setup
Your own M365 tenant — production or developer. The configurations taught in this course are designed for production deployment.
Production tenant (preferred). If you have admin access to your organization's M365 tenant, the course teaches you to configure security settings that improve your actual environment. Every configuration includes blast radius assessment and rollback instructions — you won't break production if you follow the guidance.
M365 Developer Tenant (alternative). If you don't have admin access to a production tenant, sign up for a free developer tenant at developer.microsoft.com/microsoft-365/dev-program. It includes 25 E5 user licenses and full portal access, and it is renewable. Setup takes 30 minutes.
What you can skip: you don't need to configure anything before starting AD0. The first module teaches you to assess what you already have. Portal configurations start in AD1.
How the course is structured
Every module follows the same pattern, designed for administrators who learn by doing.
Objective header. The security problem the subsection solves, the configuration it produces, and the time estimate.
Diagram. Every subsection has an SVG diagram — the security architecture, the attack flow, the configuration decision tree, or the before/after comparison.
Step-by-step configuration. Portal walkthroughs with screenshots, click paths, and verification commands. Every configuration includes a "confirm it worked" step so you know the setting is active.
Decision Point. Configuration trade-offs you'll face — Security Defaults vs. Conditional Access, block vs. warn, enforce immediately vs. deploy in phases.
Try-it. Configure the setting yourself. Four components: Setup, Task, Expected Result, and Debugging Branch.
Compliance Myth. Security misconceptions common among IT administrators — "MFA is optional for admins," "Microsoft handles email security by default," "Secure Score of 80% means we're secure."
Artifact footer. The operational artifact — a configuration checklist, a policy template, a monitoring query.
Module completion pattern. Each module has content subsections (eight to thirteen), an interactive lab, a module summary, and a Check My Knowledge subsection.
Time per phase
The course is self-paced. No cohorts, no deadlines, no streaks.
Phase 1 (AD0, AD1): Two to three evenings. AD0 is the security landscape and assessment (4–5 hours). AD1 is identity security — the most critical module in the course (4–5 hours).
Phase 2 (AD2–AD4): Two to three weeks at four to six hours per week. Three modules covering email, device, and data protection.
Phase 3 (AD5–AD7): Two weeks at the same pace. Three modules covering monitoring, incident response, and governance.
Full course at four to six hours per week: six to eight weeks. This is designed to fit alongside a full-time admin role. Apply each module's configurations to your own tenant as you learn them — the security improvements are immediate, not theoretical.
Start here
Go to AD0.1 — You're the Security Team Now next. It names the reality: you've been given security responsibility without security training, and the gap between what you know and what the job requires is specific and closeable. This module maps that gap and builds the assessment that tells you exactly where your tenant stands.
After AD0.1, the remaining AD0 subsections cover what attackers target in M365 (AD0.2), the security stack already in your license (AD0.3), Security Defaults vs. Conditional Access (AD0.4), the admin centers that matter for security (AD0.5), reading security alerts for the first time (AD0.6), Secure Score reality (AD0.7), the Northgate Engineering starting point (AD0.8), the improvement sequence (AD0.9), course scope (AD0.10), an interactive posture assessment lab (AD0.11), a module summary (AD0.12), and a knowledge check (AD0.13).
Work through AD0 in order. The improvement sequence in AD0.9 — identity first, email second, devices third, monitoring fourth — is the roadmap every subsequent module follows.