Security Foundations for M365 Administrators

“My manager told me to handle security and I don’t know where to start.” You manage users, licenses, and Exchange Online. Now you’re also responsible for MFA, phishing protection, and incident response — with no security training and no dedicated security team. This course starts from the admin tools you already know and adds the security layer on top.

“We have MFA turned on but I’m not sure it’s configured correctly.” Security Defaults is on. Maybe. Or Conditional Access is half-deployed with a break-glass account you’ve never tested. This course walks through the exact policies to create, the exceptions to handle (the CEO, shared mailboxes, service accounts), and how to verify they work.

“A user clicked a phishing link and I had no idea what to do next.” You revoked their sessions. Maybe reset the password. But did you check for inbox forwarding rules? OAuth app consent? Lateral movement? This course gives you the step-by-step response procedure so you stop guessing when incidents happen.

“I manage multiple M365 tenants and need a repeatable security baseline.” You’re an MSP technician configuring five or ten customer tenants. You need the same Conditional Access policies, the same email authentication records, the same device compliance rules deployed consistently. This course builds that repeatable baseline.

“I want to move from helpdesk into security but I don’t have certifications.” You reset passwords, manage devices, handle escalations. You already work inside M365 every day. Security operations is the natural next step — and M365 security is the most direct path from helpdesk to SOC for anyone in a Microsoft environment.

“I need to report our security posture to leadership and I don’t know how.” Secure Score is a number. Your finance director needs context: what risks exist, what controls are in place, what improvements cost, and what happens if you don’t act. This course builds the quarterly report that gets budget approved.

The M365 security landscape, navigating the five admin portals, Secure Score, and the 10-week improvement sequence. Then identity security: MFA, Conditional Access, sign-in log investigation, and the compromised account procedure.

Email protection with Defender for Office 365 and SPF/DKIM/DMARC. Device management with Intune compliance policies. Data protection with sensitivity labels, DLP, and SharePoint sharing controls.

Security monitoring and alert triage, the 15-minute Monday security review, basic incident response procedures, and security governance: policies, quarterly reporting, and making the case for budget.

Incident Response Procedure — From Module 6: Compromised Account Response

Step 1 — Revoke: Revoke-MgUserSignInSession. All active tokens invalidated. User loses access to all M365 services immediately.

Step 2 — Reset: Reset password. Force change on next sign-in. If SSPR is enabled, disable it temporarily for this account to prevent the attacker resetting first.

Step 3 — Review inbox rules: Get-InboxRule. Look for ForwardTo, RedirectTo, DeleteMessage. Attackers create forwarding rules within minutes of compromise. Delete any rule you didn’t create.

Step 4 — Review OAuth consents: Entra Admin Center → Enterprise applications → filter by user. Revoke any application the user didn’t explicitly request. “DocuSign Verify” with Mail.ReadWrite is not DocuSign.

Step 5 — Check MFA: Were new authentication methods registered after the compromise timestamp? Attacker registers their own phone or authenticator app. Remove any method added in the attack window.

Step 6 — Document: Timestamp every action. Record what you found and what you removed. This is your evidence if legal or HR asks what happened. The module provides the template.