For our final stop in the journey to holistic cloud protection with the Microsoft 365 security stack we will be discussing M365 Integration.  For anyone new joining us on this journey please ensure you check out Part I: Overview,  Part II: Identity Security, Part III: Device Security, Part IV: App Security, and Part V: Data Security to get caught up prior to reading Part VI: M365 Integration which will be discussed during this article.

The Microsoft 365 security stack has many beneficial security features which we have reviewed over the course of the last five articles.  Whether it is protecting your identity during authentication, securing managed devices, containerizing corporate data on personal devices or providing persistent protection to organization data; the Microsoft 365 security stack has you covered.  Security features can provide a lot, but the true power around the Microsoft 365 security stack is its integration with itself.

Powering M365 Integration within Microsoft Cloud App Security:

MCAS provides discovery of Shadow IT, activity policies for investigating, file policy for actions against sensitive information including data at rest,  managing OAuth app permissions, advanced reporting from Microsoft 365 plus third party connected apps telemetry and much more.  By integrating Microsoft Cloud App Security with the following features you extend its overall capabilities into additional Microsoft 365 security stack areas.

• Integration with Azure Advanced Threat Protection
  • When installing the Azure ATP sensor on your domain controllers, you will gain the ability to see on-premises activities around your domain controller authentications for all users in your organization.  Integration between Azure ATP and MCAS provides advanced insights powering alerting capabilities around suspicious activities cross both cloud and on-premises environments.  Signals from Azure ATP are forwarded to MCAS, making Activity Directory a selectable app, which will bring attention to threats like:
    • Pass-the-Ticket or Pass-the-Hash
    • Brute force
    • Lateral Movement
    • Reconnaissance using DNS
    • Honeytoken activity
    • Suspicious communication over DNS

• Integration with Azure Information Protection
  • Azure Information Protection provides a method to apply persistent protection, using AES 256-bit encryption, to content and ensure only those with the correct rights have access.  Integration between Azure Information Protection and MCAS provides the ability to:
    • Apply sensitivity label to data at rest not only in Microsoft 365’s cloud storage (SharePoint/OneDrive), but also third parties like Box or G-Suite.
    • View sensitive documents across both Microsoft 365 and selected third party connected cloud apps with masking of the sensitive information.
    • Apply/change/remove a sensitivity label when specific conditions happen

• Integration with Azure AD Identity Protection
  • Azure AD Identity Protection provides user behavior analysis around risky sign-ins, risky users, unusual anomalous in behavior and additional risk detections to provide alerts.  Integration between Azure AD Identity Protection and MCAS provides the ability to create policies around:
    • Leaked credentials
    • Risky sign-in

Powering M365 Integration within Microsoft Defender ATP:

MDATP provides endpoint detection and response security center where visibility around Windows OS, Windows Server, MacOS, Linux (public preview) and Android (public preview for the app) can be centrally protected.  Integrating Microsoft Defender ATP with the following features can extend the functionality to new levels with increased Microsoft 365 signal consumption.

• Integration with Azure Active Directory
  • When enabled  MDATP will have the ability to see the user details from Azure AD including: user’s picture, name, title and department.

• Integration with Azure Advanced Threat Protection
  • When enabled MDATP will have the ability to use signals from Azure ATP in its automated investigations providing insight into suspected compromised accounts and other related resources.  This allow for enrichment of the overall machine-based investigation capabilities.

• Integration with Office 365 Threat Intelligence
  • When enabled MDATP will be able to forward signals from Office 365 Advanced Threat Protection to the Microsoft Defender Security Center.  These signals will allow for comprehensive investigations across Office 365 mailboxes along with Windows machines.  This will provide visibility around:
    • Windows devices that are used by the recipients of a detected malicious email
    • Alerts from Office 365 ATP pertaining to specific machines

• Integration with Azure Information Protection
  • When enabled MDATP is able to have signals related to the sensitivity of content found on the device and overall machine risk.
    • Visibility into the highest priority sensitivity label used on content of the device
    • Visibility into machine risk ratings

• Integration with Microsoft Secure Score
  • When enabled, Microsoft Secure Score is able to receive signals from Microsoft Defender ATP to provide additional visibility into the devices’ security posture.  This enhances the security risk assessment capabilities within the Microsoft Secure Score to add devices into the already included Microsoft 365 services.

• Integration with Endpoint Manager
  • When enabled you can automatically onboard your devices managed by Endpoint Manager into Microsoft Defender ATP.  Additional security advantages when integration is enabled include:
    • Device risk-based conditional access
    • Device health for compliance policies

Powering M365 Integration with Microsoft Threat Protection:

Microsoft Threat Protection unifies threat protection services across your endpoints, user identities, affected mailboxes, and cloud apps.  MTP provides a cross-product single pane of glass for combined incident queue, automated response to threat, cross-product threat hunting and self-healing all services mentioned above.  By enabling Microsoft Threat Protection you can provide an interface for coordinating detection, prevention, investigation and response to threats that will provide the following advantages.

• Cross-product single pane of glass
  • Centralized view containing all alerts from detections, impacted assets, automated actions taken and related evidence gathered through automated investigations.

• Combined incidents queue
  • Scope of entire attack, list of impacted assets and automated remediation actions are grouped together and surfaced in a timely manner.
• Automated response to threats
  • Threat information is shared in real time between multiple threat services to stop the progression of an attack.  For example, if a malicious file is detected by Microsoft Defender ATP on an endpoint it will send a signal to Office 365 ATP to scan and remove the file from all email messages.
• Self-healing for compromised devices, user identities and mailboxes
  • AI-powered automation actions and security playbooks are used to remediate impacted assets back to a secure state.
• Cross-product threat hunting
  • Create your own custom threat hunting queries over the raw data collected by various M365 protection services.  Microsoft Threat Protection provides query-based access to 30 days of historic raw signals and alert data across endpoint and Office 365 ATP data.

As we look back on what we have discussed about M365 integration, I hope you begin to not just look at each Microsoft 365 security stack capability as a single point of protection.  Instead dive deeper into potential security solutions that integrate multiple Microsoft 365 security features into a cross service security solution.  When you allow for threat signals throughout Microsoft 365 to integrate with one another you are able to bring individual pieces of threat intelligence together to for a picture that may not be obvious to the human eye.

Thank you so much for joining me during this journey while we discussed holistic cloud protection with the Microsoft 365 security stack.  While our journey comes to an end, your journey in the security space will continue as cloud services continues to evolve so will security threats.   When evaluating your cloud security posture always take a step back and look at security from a holistic cloud protection solution perspective.