Microsoft 365 Security Operations
Master Microsoft 365 Security Operations
Configure, operate, and optimise the full Microsoft Security stack to run a modern, effective Security Operations Center (SOC). Detect, investigate, respond to, and recover from threats across Microsoft 365, Entra ID, Defender XDR, Sentinel, Intune, and Purview, turning alerts into outcomes and reactive monitoring into proactive defence.
What you'll be able to do
Course overview
The Microsoft 365 Security Operations course is the core training track for Security Engineers, Administrators, and Architects responsible for configuring and operating the Microsoft Security stack. You'll gain hands-on expertise to:
By the end, you'll have the practical skills and operational mindset to run a high-performing Microsoft 365 SOC, reducing mean time to detect and respond while confidently operating the entire Microsoft security ecosystem.
Who this course is for
You're a Security Engineer, Administrator, or Architect responsible for configuring and operating the Microsoft Security stack as part of your organisation's Security Operations Center (SOC). This course is built for you if you want to:
In short: if you're ready to own and run effective Microsoft 365 security operations that deliver real security outcomes, this course is for you.
What you'll learn
By the end of this Microsoft 365 Security Operations course you will be able to:
Key course takeaways
Things you need to know
What are the prerequisites for this course?
There are no prerequisites. The course teaches Microsoft 365 security operations from first principles. Familiarity with the Microsoft 365 admin center will help you move faster through the early modules, but is not required. Every concept is explained at first use.
What are the device requirements?
A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) for hands-on Defender XDR, Sentinel, and Entra ID configuration. The course walks you through tenant setup in Module 0.
How will the course benefit your career?
Security operations is the backbone of every organisation's defence. Employers need people who can operate the Microsoft security stack as an integrated platform, not just manage individual products. This course gives you the skills to run a SOC, investigate real attack types end-to-end, and measure operational effectiveness. SC-200 exam objectives are fully covered, the certification is a side effect of operational competence.
Usage rights and disclaimer
Course materials: Licensed for individual professional development. You may deploy scripts, queries, detection rules, and playbooks in your production environment. You may not redistribute course content or share account credentials.
Security configurations: All KQL queries, detection rules, Sentinel playbooks, and Defender policies are provided as-is. Test every configuration in a non-production environment before deployment. Ridgeline Cyber Defence is not responsible for operational impact from deployed configurations.
Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.
Version and changelog
Current version: 1.0 | Last updated: June 2026
June 2026, v1.0: Course page restructured. 19 modules across 4 phases. SC-200 aligned. Investigation scenarios: AiTM phishing, BEC, token replay, consent phishing, insider threat.
This course is actively maintained.
End of Course Exam
Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.
Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.