A Journey to Holistic Cloud Protection with the Microsoft 365 Security Stack Pt 6 - M365 Integration

Published May 11 2020 08:19 AM

For our final stop in the journey to holistic cloud protection with the Microsoft 365 security stack we will be discussing M365 Integration. For anyone newly joining us on this journey, please ensure you check out Part I: Overview, Part II: Identity Security, Part III: Device Security, Part IV: App Security, and Part V: Data Security to get caught up prior to reading Part VI: M365 Integration, which is the subject of this article.


The Microsoft 365 security stack has many beneficial security features which we have reviewed over the course of the last five articles. Whether it is protecting your identity during authentication, securing managed devices, containerizing corporate data on personal devices or providing persistent protection to organization data, the Microsoft 365 security stack has you covered. Each feature provides a lot on its own, but the true power of the Microsoft 365 security stack is the integration of its components with one another.


Powering M365 Integration within Microsoft Cloud App Security:

MCAS provides discovery of Shadow IT, activity policies for investigation, file policies that act on sensitive information including data at rest, management of OAuth app permissions, advanced reporting from Microsoft 365 plus telemetry from third-party connected apps, and much more. By integrating Microsoft Cloud App Security with the following features you extend its overall capabilities into additional Microsoft 365 security stack areas.


  • Integration with Azure AD Identity Protection
    • Azure AD Identity Protection provides user behavior analysis around risky sign-ins, risky users, anomalous behavior and additional risk detections in order to raise alerts. Integration between Azure AD Identity Protection and MCAS provides the ability to create policies around:
      • Leaked credentials
      • Risky sign-in


Powering M365 Integration within Microsoft Defender ATP:

MDATP provides an endpoint detection and response security center from which Windows OS, Windows Server, MacOS, Linux (public preview) and Android (public preview for the app) devices can be centrally protected and given visibility. Integrating Microsoft Defender ATP with the following features extends its functionality by consuming additional Microsoft 365 signals.


  • Integration with Azure Active Directory
    • When enabled, MDATP will have the ability to see the user details from Azure AD including: user’s picture, name, title and department.
  • Integration with Azure Advanced Threat Protection
    • When enabled, MDATP will have the ability to use signals from Azure ATP in its automated investigations, providing insight into suspected compromised accounts and other related resources. This allows for enrichment of the overall machine-based investigation capabilities.
  • Integration with Microsoft Secure Score
    • When enabled, Microsoft Secure Score is able to receive signals from Microsoft Defender ATP to provide additional visibility into the devices’ security posture. This enhances the security risk assessment capabilities within Microsoft Secure Score by adding devices alongside the already included Microsoft 365 services.


Powering M365 Integration with Microsoft Threat Protection:

Microsoft Threat Protection unifies threat protection services across your endpoints, user identities, affected mailboxes, and cloud apps. MTP provides a cross-product single pane of glass with a combined incident queue, automated response to threats, cross-product threat hunting and self-healing across all the services mentioned above. By enabling Microsoft Threat Protection you provide an interface for coordinating detection, prevention, investigation and response to threats, which brings the following advantages.


  • Cross-product single pane of glass
    • Centralized view containing all alerts from detections, impacted assets, automated actions taken and related evidence gathered through automated investigations.
  • Combined incidents queue
    • Scope of entire attack, list of impacted assets and automated remediation actions are grouped together and surfaced in a timely manner.
  • Automated response to threats
    • Threat information is shared in real time between multiple threat services to stop the progression of an attack.  For example, if a malicious file is detected by Microsoft Defender ATP on an endpoint it will send a signal to Office 365 ATP to scan and remove the file from all email messages.
  • Self-healing for compromised devices, user identities and mailboxes
    • AI-powered automation actions and security playbooks are used to remediate impacted assets back to a secure state.
  • Cross-product threat hunting
    • Create your own custom threat hunting queries over the raw data collected by various M365 protection services.  Microsoft Threat Protection provides query-based access to 30 days of historic raw signals and alert data across endpoint and Office 365 ATP data.
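To make the last two bullets concrete, here is an added advanced hunting query (written for this article's explanation, not code from the original post or from Microsoft) that does by hand what the automated cross-product response above does in real time: it takes every file written on an endpoint in the last 30 days and joins it, by SHA256, against the attachments Office 365 ATP saw in email, so an attachment that later landed on disk shows up with both the sender and the device. It assumes the MTP advanced hunting tables DeviceFileEvents and EmailAttachmentInfo are populated in the tenant; the 30-day lookback and the "Malware" threat-type filter are choices made for the example.

```kql
// Added example, not from the original article.
// Correlate endpoint file creations (Microsoft Defender ATP) with email
// attachments (Office 365 ATP) by file hash over the 30-day hunting window.
let lookback = 30d;                           // MTP keeps 30 days of raw signal
let MaliciousAttachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | where ThreatTypes has "Malware"         // attachments O365 ATP flagged
    | project EmailTime = Timestamp,
              NetworkMessageId,
              SenderFromAddress,
              RecipientEmailAddress,
              AttachmentName = FileName,
              SHA256;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"           // file hit the disk on a device
| where isnotempty(SHA256)
| join kind=inner MaliciousAttachments on SHA256   // same content, both products
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
          EmailTime, SenderFromAddress, RecipientEmailAddress,
          AttachmentName, NetworkMessageId
| order by Timestamp desc
```

Each row is a device plus the mailbox and message that delivered the same file, which is exactly the cross-product picture the combined incident queue surfaces automatically; turning the query into a custom detection rule lets it keep running on new data rather than only over the historic window.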


As we look back on what we have discussed about M365 integration, I hope you begin to see each Microsoft 365 security stack capability as more than a single point of protection. Instead, dive deeper into security solutions that integrate multiple Microsoft 365 security features into a cross-service solution. When you allow threat signals throughout Microsoft 365 to integrate with one another you are able to bring individual pieces of threat intelligence together to form a picture that may not be obvious to the human eye.


Thank you so much for joining me during this journey while we discussed holistic cloud protection with the Microsoft 365 security stack. While our journey comes to an end, your journey in the security space will continue: as cloud services evolve, so will security threats. When evaluating your cloud security posture, always take a step back and look at security from a holistic cloud protection perspective.

