Microsoft 365 Security Operations

Master Microsoft 365 Security Operations

Configure, operate, and optimise the full Microsoft Security stack to run a modern, effective Security Operations Center (SOC). Detect, investigate, respond to, and recover from threats across Microsoft 365, Entra ID, Defender XDR, Sentinel, Intune, and Purview, turning alerts into outcomes and reactive monitoring into proactive defence.

View Pricing Take End of Course Exam → 40 CPE Credits

What you'll be able to do

Configure and tune the full Microsoft Security stack (Defender XDR, Sentinel, Entra ID Protection, Defender for Cloud Apps, and Purview) for optimal detection and response
Build and operationalise efficient SOC workflows for alert triage, investigation, automation, and remediation
Create and maintain detection rules, analytics rules, and automated playbooks in Microsoft Sentinel
Investigate and respond to cross-domain incidents across identities, endpoints, email, and cloud workloads
Integrate Microsoft 365 security tools into a unified operations platform with clear visibility and reporting
Measure, optimise, and continuously mature your security operations with meaningful metrics and reporting
SEC301 | Premium tier | 19 modules across 4 phases | 36–40 hours at your own pace | 40 CPE credits | 5 free preview lessons, no account needed | SC-200 aligned | Updated June 2026
Course Agenda View all 18 modules

Resources

M3
References

Course overview

The Microsoft 365 Security Operations course is the core training track for Security Engineers, Administrators, and Architects responsible for configuring and operating the Microsoft Security stack. You'll gain hands-on expertise to:

Configure and tune Microsoft Defender XDR, Microsoft Sentinel, Entra ID Protection, and Defender for Cloud Apps for effective detection
Build and run efficient security operations workflows including incident triage, investigation, automation, and response
Integrate Microsoft 365 security tools into a unified SOC platform that delivers clear visibility and fast remediation
Measure, optimise, and mature your security operations with actionable metrics and playbooks

By the end, you'll have the practical skills and operational mindset to run a high-performing Microsoft 365 SOC, reducing mean time to detect and respond while confidently operating the entire Microsoft security ecosystem.

Who this course is for

You're a Security Engineer, Administrator, or Architect responsible for configuring and operating the Microsoft Security stack as part of your organisation's Security Operations Center (SOC). This course is built for you if you want to:

Move from fragmented tool management to operating a unified, high-performing Microsoft 365 SOC
Master the configuration and daily operations of Defender XDR, Sentinel, Entra ID, and related security services
Develop practical skills in threat detection, incident response, automation, and SOC optimisation
Reduce alert fatigue while dramatically improving detection and response times

In short: if you're ready to own and run effective Microsoft 365 security operations that deliver real security outcomes, this course is for you.

What you'll learn

By the end of this Microsoft 365 Security Operations course you will be able to:

Deploy, configure, and optimise Microsoft Defender XDR and Microsoft Sentinel for enterprise-scale operations
Build and tune high-fidelity detections, analytics rules, and automated response playbooks
Perform effective incident triage, investigation, and cross-domain threat hunting across the Microsoft security ecosystem
Operationalise Identity Protection, Defender for Cloud Apps, Intune, and Purview within daily SOC workflows
Integrate Microsoft security tools into cohesive processes that reduce mean time to detect (MTTD) and respond (MTTR)
Measure, report on, and continuously improve your security operations maturity and effectiveness

Key course takeaways

Run a production-grade Microsoft 365 SOC using the full Microsoft Security stack with confidence
Master configuration and operational best practices for Defender XDR, Sentinel, Entra ID Protection, and related tools
Build automated detection, investigation, and response capabilities that scale with your organisation
Significantly reduce alert noise while improving threat visibility and response speed
Create reusable playbooks, workflows, and metrics that mature your security operations program
Become the Microsoft 365 Security Operations expert who turns tools into real, measurable defence

Things you need to know

What are the prerequisites for this course?

There are no prerequisites. The course teaches Microsoft 365 security operations from first principles. Familiarity with the Microsoft 365 admin center will help you move faster through the early modules, but is not required. Every concept is explained at first use.

What are the device requirements?

A device with a modern browser. Access to a Microsoft 365 E5 developer tenant (free from Microsoft) for hands-on Defender XDR, Sentinel, and Entra ID configuration. The course walks you through tenant setup in Module 0.

How will the course benefit your career?

Security operations is the backbone of every organisation's defence. Employers need people who can operate the Microsoft security stack as an integrated platform, not just manage individual products. This course gives you the skills to run a SOC, investigate real attack types end-to-end, and measure operational effectiveness. SC-200 exam objectives are fully covered, the certification is a side effect of operational competence.

Usage rights and disclaimer

Course materials: Licensed for individual professional development. You may deploy scripts, queries, detection rules, and playbooks in your production environment. You may not redistribute course content or share account credentials.

Security configurations: All KQL queries, detection rules, Sentinel playbooks, and Defender policies are provided as-is. Test every configuration in a non-production environment before deployment. Ridgeline Cyber Defence is not responsible for operational impact from deployed configurations.

Fictional environment: All scenarios use Northgate Engineering. Any resemblance to real organizations is coincidental.

Version and changelog

Current version: 1.0  |  Last updated: June 2026

June 2026, v1.0: Course page restructured. 19 modules across 4 phases. SC-200 aligned. Investigation scenarios: AiTM phishing, BEC, token replay, consent phishing, insider threat.

This course is actively maintained.

COURSE ASSESSMENT

End of Course Exam

Complete the course, then prove your skills under time pressure. Pass mark: 70. Earn your certificate with CPE credits.

40minutes
3phases
100points
3scenarios
Take End of Course Exam

Requires 80% course completion. One random scenario per attempt. Certificate issued on pass.