Just passed with 800.
- Writeback requires a P1 or P2 license
- Two authentication methods required for AAD admin role
- Does not need to register at least one mobile device (more than one way is available instead of mobile)
- Has to be turned on before it can be enforced
MD ATP > CAS = MD ATP PORTAL
WD ATP > ATP = Azure Portal
Roles that can view and manage assignments for Azure resource roles in PIM
- Subscriber Reviewer
- Resource Administrator
By default, Security Admin / Reader and PIM cannot view assignments to Azure resource roles
Four actions you perform in sequence to enable customer lockbox.
- Sign into Admin.portal.com
- Select Security and Protection
- Select Customer Lockbox
- Ensure Approval is set to On
Three actions to enable Microsoft Defender ATP settings in SCC Dash
- Open Microsoft Defender Security Center
- Select Settings, General, Advanced Features
- Turn on Office 365 Threat Intelligence Connection
- Threat Intelligence Connection
Four actions for providing personal data and a copy to the user.
- Assign eDiscovery permissions to potential case members
- Create DSR case
- Run the search query
- Export the data
Four actions to protect SPO with Cloud App Security (CAS) Conditional Access App Control (CAAC).
- In Azure Portal, Create Conditional Access Policy
- Set a policy to enforce Conditional Access App Control requirements
- In CAS Portal (CASP), create session
- Set Policy to block document print from non-corporate locations
- AP,CAP : Azure Portal, Conditional Access Policy
- CAAC: Conditional Access App Control
- CA(S)(P): CAS Portal (Session) (Policy)
Five actions to create schedule in Office 365 SCC to receive malware reports
- Sign into protection.office.com
- Go to Reports & Dashboard
- Select Malware detected in email report icon
- Create schedule
- Create schedule and then Finish
P,RD,M, Create , Create , Finish
- P, protection.office.com
- RD, Report & Dashboard
- M, Malware
- Create Schedule
- Create Schedule
Four actions to temporarily unblock an MFA request.
- Sign into work account at https://portal.azure.com
- Browse to Azure Active Directory and Security
- Go to MFA and select Block/Unblock
- Add, populate the replication group, user, and reason field, and click Ok.
- PA, portal.azure.com
- AS, active directory > security
- MB, MFA > Block/Unblock
- AR, Add user + Reason
Application Logs: view Azure AD Connect events.
Creating a Data Subject Request (DSR)
1. Create a Data Subject Request (DSR) case.
2. View the results.
3. Export the results.
4. Download the results. (Export and download are not the same. Export uploads search results to Azure Storage in preparation for downloading)
- “Records are disposed of after their stated retention period is past.”
- Mark the content as a record as part of the label settings, and always have proof of disposition when content is deleted at the end of its retention period. Source: https://docs.microsoft.com/en-us/microsoft-365/compliance/retention?view=o365-worldwide
SCC contains permission roles such as: eDiscovery Manager
Principles of retention:
- Retention wins over deletion
- Longest retention period wins
- Explicit inclusion wins over implicit inclusion
- Shortest deletion period wins
From Microsoft Azure Active Directory (Azure AD), you create a security group named Group1. You add 10 users to Group1.
You need to apply app enforced restrictions to the members of Group1 when they connect to Microsoft Exchange Online from non-compliant devices, regardless of their location.
- From the Azure portal, create a conditional access policy and configure:
- Users and groups, Cloud apps, and Session settings.
- From an Exchange Online Remote PowerShell session, run:
- New-OwaMailboxPolicy and Set-OwaMailboxPolicy
- How long after the Azure ATP cloud service is updated will Sensor1 be updated? 72Hrs
Setup Azure Advanced Threat Protection (ATP) and VPN
Configure an Accounting Provider : 1813
To configure RADIUS Accounting on the VPN system, perform the following steps on your RRAS server.
- Open the Routing and Remote Access console.
- Right-click the server name and click Properties.
- In the Security tab, under Accounting provider, select RADIUS Accounting and click Configure.
To enable VPN integration, make sure you set the following parameters:
- Open port UDP 1813 on your Azure ATP sensors and/or Azure ATP standalone sensors.
Microsoft Office 365 Attack simulator
- Your organization has Office 365 Threat Intelligence, with Attack simulator visible in the Security & Compliance Center (go to Threat management > Attack simulator)
- Your organization’s email is hosted in Exchange Online. (Attack simulator is not available for on-premises email servers.)
- You are a GA
- Your organization is using Multi-factor authentication for Office 365 users
Sign-in activity reports in the Azure Active Directory portal
Where to view which users have used an authenticator app to access SharePoint Online
- AAD-> Monitoring -> Sign-ins
- WHO: GA, Security Admins, Security Reader, Global Reader, Report Reader, SELF
- Enterprise applications blade of the Azure Active Directory admin center, view the sign-ins
Microsoft Defender for Office 365 (Office 365, ATP)
- Who gets access to ATP reports (in the Security & Compliance Center, go to Reports > Dashboard)?
- Organization Management
- Security Administrator
- Security Operator
- Security Reader
Azure Active Directory (Azure AD) Privileged Identity Management (PIM)
- If no specific/selected approvers are selected, PIM admin or GA will become the default approvers.
- Privileged Role Administrator (default) can approve ALL activations
- GAs are not PIM admins (except for the first one, who enabled PIM), and you have to exclusively assign permissions.
- Only the Privileged Role Admins and the Global Admin who created it (who automatically becomes a PRA) are able to accept requests from eligible users.
0 – Security : No Data
1 – Basic : App installation / Updates
2 – Enhanced: Logs
3 – Full: Verbose Logs
S – Spam/Malware : 30 Days
F – Mail Flow :
Azure AD Identity Protection (AIP) – MFA
MFA Registration (Azure AD P2 feature)
MFA is disabled. If User1 is part of an enforced group and an exclusion group, exclusion wins.
MFA is disabled. If User2 is part of an enforced group, User2 will be prompted for MFA.
User1: can access without MFA. User is in Group2, which is excluded from the policy; exclusion wins.
User2: will be prompted for MFA. Identity Protection or Conditional Access MFA settings override per-user MFA settings.
UNC, Local, and SharePoint
Cloud Access Security Portal > AIP Integration