How to secure the modern workplace with Microsoft 365 Advanced Threat Protection

I thought it was well written and well intentioned. In fact, I wish I wrote it! Very well done.

There are dozens of things I could compliment you on, but for the purpose of cutting right to some suggestions for improvement (since you asked for feedback), I would suggest these:

1. The statement that "Azure ATP is a threat protection for identities." I suggest adding "on-premises" in front of "identities" because the small businesses that buy M365 E5 and have no on-premises AD are not good candidates for Azure ATP, in fact, they can't use it at all, because Azure ATP is 100% dependent up on on-premises domain controllers and can only detect attacks in on-premises AD.  These users should instead of Cloud App Security, which can be used to detect compromised identities in nearly the same way that Azure ATP does for on-premises identities. Therefore, I recommend emphasizing the "on-premises" exclusive focus of Azure ATP when you describe this solution. And be sure that when you describe Cloud App Security, that you do not limit it to just the Application layer security or discovering Shadow IT, be sure to mention that it also has nearly the same (or sometimes better!) identity detection features as Azure ATP.

2. I recommend mentioning that Spoof Intelligence is limited to a maximum of 60 users, as the way it is written now makes it seem as if it protects all users, whereas it was only designed to protect the top officers in "CEO Fraud" or more commonly described today as "Business Email Fraud."

3. When you discuss the benefits and pros of Office ATP, I think it is important to discuss some of the things it cannot do, so that prospective customers go in with eyes wide open. For example, it is unable to scan hyperlinks in PDF documents, and it also cannot scan encrypted or password protected zip files - those get passed through unblocked unless you create an Exchange transport rule to block those.

4. I recommend placing greater emphasis on MFA in general, because attacks usually start with compromised identities. And so if organizations had MFA to begin with, then the spoofed emails containing hyperlinks would be as big of a concern, because if that email gets the user to provide their username and password, the attacker still can't logon. In other words, a failure in ATP can be overcome by an identity protected with MFA.

5. You mentioned the Azure Identity Protection service in passing, but I think it deserves greater justice, because it detects and blocks, TOR web browsers, Impossible Travel, Leaked Credentials, and botnet infected devices. Many of these features (and more) are uniquely why I recommend Azure AD P2 (EMS E5) or M365 E5.

Otherwise a fantastic article and contribution to the community. I could have listed 100 things I loved about the article, but I hope you instead found value in these small 5 items.

Kindest Regards,

Joe