The Microsoft 365 security stack has many beneficial security features, which we have reviewed over the course of the last five articles. Whether it is protecting your identity during authentication, securing managed devices, containerizing corporate data on personal devices or providing persistent protection to organization data, the Microsoft 365 security stack has you covered. Individual security features provide a lot, but the true power of the Microsoft 365 security stack is its integration with itself.
Powering M365 Integration within Microsoft Cloud App Security:
MCAS provides discovery of Shadow IT, activity policies for investigation, file policies for taking action on sensitive information including data at rest, management of OAuth app permissions, advanced reporting over telemetry from Microsoft 365 and connected third-party apps, and much more. By integrating Microsoft Cloud App Security with the following features you extend its overall capabilities into additional Microsoft 365 security stack areas.
Integration with Azure Advanced Threat Protection
When installing the Azure ATP sensor on your domain controllers, you gain visibility into on-premises activity around domain controller authentications for all users in your organization. Integration between Azure ATP and MCAS provides advanced insights that power alerting on suspicious activities across both cloud and on-premises environments. Signals from Azure ATP are forwarded to MCAS, making Active Directory a selectable app, which will bring attention to threats like:
Powering M365 Integration within Microsoft Defender ATP:
MDATP provides an endpoint detection and response security center in which Windows, Windows Server, macOS, Linux (public preview) and Android (public preview for the app) devices can be centrally protected. Integrating Microsoft Defender ATP with the following features extends its functionality to new levels through increased consumption of Microsoft 365 signals.
Integration with Azure Active Directory
When enabled, MDATP will have the ability to see user details from Azure AD including the user's picture, name, title and department.
Integration with Azure Advanced Threat Protection
When enabled, MDATP will have the ability to use signals from Azure ATP in its automated investigations, providing insight into suspected compromised accounts and other related resources. This allows for enrichment of the overall machine-based investigation capabilities.
Visibility into the highest priority sensitivity label used on content of the device
Visibility into machine risk ratings
Integration with Microsoft Secure Score
When enabled, Microsoft Secure Score is able to receive signals from Microsoft Defender ATP to provide additional visibility into the devices' security posture. This extends the security risk assessment in Microsoft Secure Score to cover devices alongside the Microsoft 365 services it already includes.
Integration with Endpoint Manager
When enabled, you can automatically onboard devices managed by Endpoint Manager into Microsoft Defender ATP. Additional security advantages when integration is enabled include:
Powering M365 Integration with Microsoft Threat Protection:
Microsoft Threat Protection unifies threat protection services across your endpoints, user identities, affected mailboxes, and cloud apps. MTP provides a cross-product single pane of glass with a combined incident queue, automated response to threats, cross-product threat hunting and self-healing across all of the services mentioned above. By enabling Microsoft Threat Protection you gain an interface for coordinating detection, prevention, investigation and response to threats, which provides the following advantages.
Cross-product single pane of glass
Centralized view containing all alerts from detections, impacted assets, automated actions taken and related evidence gathered through automated investigations.
Combined incidents queue
Scope of entire attack, list of impacted assets and automated remediation actions are grouped together and surfaced in a timely manner.
Automated response to threats
Threat information is shared in real time between multiple threat services to stop the progression of an attack. For example, if a malicious file is detected by Microsoft Defender ATP on an endpoint, it will send a signal to Office 365 ATP to scan for and remove the file from all email messages.
Self-healing for compromised devices, user identities and mailboxes
AI-powered automation actions and security playbooks are used to remediate impacted assets back to a secure state.
Cross-product threat hunting
Create your own custom threat hunting queries over the raw data collected by the various M365 protection services. Microsoft Threat Protection provides query-based access to 30 days of historic raw signals and alert data across endpoint and Office 365 ATP data.
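A worked cross-product hunting query, added here as an example that is not from the original article: it follows the same endpoint-to-email pivot as the automated response example above, taking file hashes first created in user-writable folders on endpoints and looking them up in Office 365 ATP email attachment data within the 30-day window. Table and column names (DeviceFileEvents, EmailAttachmentInfo, EmailEvents) are assumed to match the advanced hunting schema in your tenant; verify them before relying on the query.

```kql
// Added example, not from the original article. Assumes the advanced
// hunting schema names below exist as-is in your tenant.
let lookback = 30d;                        // MTP retains 30 days of raw signals
// Step 1: files written to folders that commonly receive downloaded content,
// collapsed to one row per hash so the email join does not fan out per device.
let endpointFiles =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where FileName endswith ".exe" or FileName endswith ".js" or FileName endswith ".vbs"
    | where FolderPath has_any (@"\Downloads\", @"\Temp\", @"\INetCache\")
    | where isnotempty(SHA256)
    | summarize EndpointCount = dcount(DeviceId),
                FirstSeenOnDevice = min(Timestamp),
                Devices = make_set(DeviceName, 5)
              by SHA256, EndpointFileName = FileName;
// Step 2: the same hashes as email attachments, enriched with delivery outcome
// so an analyst can see which copies were delivered versus blocked.
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| join kind=inner endpointFiles on SHA256
| join kind=leftouter (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction
  ) on NetworkMessageId, RecipientEmailAddress
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction,
          AttachmentName = FileName, SHA256, EndpointCount, Devices, FirstSeenOnDevice
| order by EndpointCount desc, Timestamp asc
```

Rows where DeliveryAction shows the message was delivered and EndpointCount is greater than one are the ones to triage first, since the attachment both reached inboxes and was executed-adjacent on several devices.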
As we look back on what we have discussed about M365 integration, I hope you begin to look at each Microsoft 365 security stack capability as more than a single point of protection. Instead, dive deeper into security solutions that integrate multiple Microsoft 365 security features into a cross-service solution. When you allow threat signals throughout Microsoft 365 to integrate with one another, you bring individual pieces of threat intelligence together to form a picture that may not be obvious to the human eye.
Thank you so much for joining me during this journey while we discussed holistic cloud protection with the Microsoft 365 security stack. While our journey comes to an end, your journey in the security space will continue: as cloud services continue to evolve, so will security threats. When evaluating your cloud security posture, always take a step back and look at security from a holistic cloud protection perspective.