Guide to Training Resources for Microsoft 365 Security/Compliance (+Azure Sentinel and Azure Security Center)

I sound like a broken record all the time when I say “technical readiness is the most important thing you’ll do in your IT career”. If you focus on Microsoft technology, specifically the security and compliance suite of products, there are many resources available to help you learn and grow enabling you to advance in your career.

The purpose of this blog post is to share resources that I use frequently to maintain my technical readiness with Microsoft security and compliance and use as a reference. Now, this is not an exhaustive list – I am sure there’s more out there that I am not aware of, but use this post to get started. Please subscribe and bookmark this page as I will update it frequently.

Note: You are more than welcome to stay up to date on Microsoft Security & Compliance by following my YouTube channel http://aka.ms/SosemanTV, following me on Twitter @SosemanMatt and following me on LinkedIn. I try to post as much as I can to help you!

Is there something I missed in this blog? Leave a comment and I’ll add it!

***START HERE -> Technical Documentation

The technical documentation for all Microsoft IT products and services can be found at docs.microsoft.com and is available at no charge to the public. The website is built on GitHub, which allows the content to be updated frequently and lets you post comments, see who updated an article, download it as a PDF and more! This is not your father’s TechNet!

Whenever I get asked a question I don’t know, or I want to learn about a new feature that was just released, the first place I go is the product’s technical documentation. I promise you, there is a high probability you will find your answer if you check the documentation first 🙂

If you want to get started with a product that you know nothing about, reading the documentation will bring you up to speed pretty fast. The downside is you need to invest your time in reading it!

Before I share links to the documentation, consider taking advantage of these three features of the website:

Subscribe for updates to the product so you know when things change

Most of the products’ technical documentation will have a “What’s New” section that will show you all the latest changes/updates to the product. They will usually contain an RSS feed too. I use Microsoft Power Automate to subscribe to the RSS feed and receive email notifications whenever there are changes to specific products I want to follow.

Example of a What’s New section and its RSS feed on docs.microsoft.com
Download as PDF

Most of the products’ technical documentation will have a “Download PDF” option in the lower left corner of the pages. Clicking this will download ALL documentation for that product to a PDF! This makes it super easy to search, share with a customer, etc. I use this frequently and like to save the PDFs to my tablet and read on the couch, or wherever I find a comfy nook!

Save as Bookmark

A feature I use frequently is saving specific articles from docs.microsoft.com for a product to my bookmarks – not my browser bookmarks but bookmarks in the website itself. This way I can access it later for reference. If you see an article you want to save, click “Bookmark” in the upper right corner (requires you to sign in). You can access your bookmarks by clicking on your profile in the upper right corner.

Example of where to find the bookmark feature

Okay, let’s get to some links!

Direct links to Technical Documentation

(I’m not going to post ALL links, but here are the major products. If there’s something not on this list, performing an internet search for the product name and appending “documentation” to the end of the search string will often return the documentation website for that product.)

Identity & Access Management

Azure Active Directory

Zero Trust

Threat Protection

Microsoft 365 Defender (formerly Microsoft Threat Protection)

Microsoft Defender for Office 365 (formerly Office 365 ATP)

Microsoft Defender for Identity (formerly Azure ATP)

Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)

Exchange Online Protection

Information Protection

Microsoft Information Protection (formerly Azure Information Protection)

Office 365 DLP

Endpoint DLP

Cloud Security

Azure Security Center

Azure Sentinel

Microsoft Cloud App Security

Unified Endpoint Management

Microsoft Endpoint Manager

Microsoft Intune

Microsoft Endpoint Configuration Manager

Windows Autopilot

Compliance

Microsoft Compliance Manager

Insider Risk Management

Communications Compliance

Information governance

Records Management

Data Subject Requests

eDiscovery

Data Classification

Information Barriers

Privileged Access Management

Microsoft Trust Center

Azure governance

Security Programs

Microsoft Security Response Center

Cyber Defense Operations Center

Digital Crimes Unit

Microsoft Detection and Response Team

Government Security Program

Governance

Modernize security strategy

Governance videos and slides

Governance article

Governance capabilities

Azure

API Management

Azure App Service

Azure Resource Manager

Azure Backup

Azure Event Hubs

Azure ExpressRoute

Azure Load Balancer

Azure Service Bus Messaging

Azure Service Bus Relay

Azure Service Fabric

Azure Spring Cloud

Azure SQL Database

Azure Virtual Machine Scale Sets

Linux Virtual Machines

Windows Virtual Machines

Azure VPN Gateway

Getting Started in Microsoft Security

Chief Information Security Officer (CISO) Workshop Training: The Chief Information Security Officer (CISO) workshop contains a collection of security learnings, principles, and recommendations for modernizing security in your organization. This training workshop combines experiences from Microsoft security teams and learnings from customers.

Microsoft Security Best Practices: a collection of best practices that provide clear, actionable guidance for security-related decisions. This is designed to help you increase your security posture and reduce risk whether your environment is cloud-only, or a hybrid enterprise spanning cloud(s) and on-premises data centers. This guidance was formerly referred to as Azure Security Compass and is now increasing in scope to encompass all Microsoft security guidance and capabilities, including Microsoft 365.

Azure security benchmark introduction: Microsoft has found that using security benchmarks can help you quickly secure cloud deployments. Benchmark recommendations from your cloud service provider give you a starting point for selecting specific security configuration settings in your environment and allow you to quickly reduce risk to your organization.

Microsoft security engineering documentation: This collection of resources is designed to help you find security-related documentation and information from across Microsoft.

Microsoft Digital Defense Report: Insights about the threat intelligence landscape and guidance from experts, practitioners, and defenders at Microsoft.

Networking up (to the cloud) — One architect’s viewpoint: In this article, Ed Fisher, Security & Compliance Architect at Microsoft, describes how to optimize your network for cloud connectivity by avoiding the most common pitfalls.

Blogs

These blogs are great training resources; they often cover new features and even include videos/webinars to watch to learn more. I highly recommend following them.

Microsoft Security Blog

Microsoft Security Intelligence Blog

Microsoft 365 Blog

Microsoft Security and Compliance Blog

Microsoft Defender for Endpoint Blog

Windows IT Pro Blog

Microsoft 365 Defender

Azure Sentinel

Microsoft Endpoint Manager Blog

CISO Series

Mark’s List

Microsoft Ignite

I can’t say this enough: these videos are AMAZING and extremely valuable (and available at no cost). Often the speakers are developers and program managers on the engineering teams at Microsoft. Take advantage of these! https://myignite.microsoft.com/home Looking for recommendations? Check out my other blog on my favorite Ignite sessions to watch!

Microsoft Learn

This is one of my favorites! Whether you’re just starting or an experienced professional, our hands-on approach helps you arrive at your goals faster, with more confidence and at your own pace. https://docs.microsoft.com/en-us/learn/

Virtual Hub: Security, Compliance, Identity

Collection of online courses, documentation, webinars and videos!

Security https://adoption.microsoft.com/virtual-hub/security-compliance-and-identity/security/

Compliance https://adoption.microsoft.com/virtual-hub/security-compliance-and-identity/compliance/

Identity https://adoption.microsoft.com/virtual-hub/security-compliance-and-identity/identity/

YouTube Channels

Matt Soseman http://aka.ms/SosemanTV

Security Community short videos

Microsoft Security

Microsoft Mechanics

Webinars

Security Community Webinars (covering Azure Security, Sentinel, and Microsoft 365 security) These are updated frequently!

Lessons Learned from the Microsoft Security Operations Center

A good series of blogs on the importance of modernizing your Security Operations Center, and lessons Microsoft learned in doing so.

CISO Series: Lessons learned from the Microsoft SOC—Part 1: Organization

CISO Series: Lessons learned from the Microsoft SOC—Part 2a: Organizing people

CISO Series: Lessons learned from the Microsoft SOC Part 2b: Career paths and readiness

CISO series: Lessons learned from the Microsoft SOC—Part 3a: Choosing SOC tools

CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life

CISO Series: Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2

Tech Community Video Hub

The Tech Community Video Hub contains hundreds of great training videos!

Advanced L400 Ninja Training

I *love* the ninja trainings! These include dozens (and dozens) of videos to watch on a given product and are super deep!

Microsoft Defender for Endpoint

Azure Sentinel

Azure Security Center

Partners: Virtual End-to-End Microsoft Security Bootcamp

Virtual End-to-End Microsoft Security Bootcamp: We recently conducted an interactive bootcamp with our Engineering Security experts to help you learn more about Microsoft Security solutions. The live event consisted of three half-day sessions focused on providing practice leads, security architects, and consultants a deeper understanding of the capabilities within the Microsoft Security stack. We discussed opportunities across the Microsoft Security pillars and provided guided hands-on lab experiences. Even though the live event is over, you can still access recordings and content. We recommend that you watch all sessions to fully understand Microsoft’s end-to-end Security solutions.

Partners: Building a Security Practice: Partner Series

Building a Security Practice: Partner Series: This course covers a training series delivered over five weeks with the Microsoft Cybersecurity Solutions group and security experts. This is a great series to leverage to learn from Microsoft security experts how to build and expand your Microsoft Security practice.

Partners: Microsoft 365 & Security Partner Presales Bootcamp

Microsoft 365 & Security Partner Presales Bootcamp: Managing that first touch point with a client is a crucial step in establishing an ongoing partnership. We’re excited to invite you to our first Microsoft 365 & Security Partner Presales Bootcamp to learn more about conversation best practices, objection handling, and sales programs. Consisting of seven unique 150-minute live sessions, from September 29 to October 13, this comprehensive training series offers you a deep dive into various conversation starters across Microsoft 365. Interact directly with our sales specialists and get follow-up experience to directly apply your learnings in your day-to-day job.

Whitelist apps with Content Filtering in Microsoft Defender ATP (using Custom IOCs)

I recently published a video discussing how Microsoft Defender ATP can perform dynamic web content filtering for Windows 10 clients.

One question that came up was: how can I block a category of content (e.g. video streaming services) but whitelist a specific video streaming website like YouTube?

The answer: Custom Domain/URL indicators in Microsoft Defender ATP. This blog will describe how.

Business Problem

I have web content filtering set up within Microsoft Defender ATP, with a global policy applied to all device groups, to block web traffic to streaming media & downloads websites:

Screenshot showing streaming media sites are blocked

But I have a business requirement to allow YouTube (example scenario: the marketing department needs to publish advertising videos). How can I allow access to YouTube but still block other streaming sites?

Currently when browsing to YouTube with web content filtering enabled, I receive the following notification:

Website blocked w/ web content filtering in Microsoft Defender ATP

The Solution

Easy. With a custom indicator! Within Microsoft Defender ATP navigate to Settings -> Indicators -> URLs/Domains.

Indicators page in Microsoft Defender ATP

Click on +Add Indicator and in the URL/Domain field type http://www.youtube.com, then click Next.

Add URL/Domain Indicator

Click Allow as the Response Action, in the Title field type Allow YouTube and in the Description field type Allow YouTube (or some other description), and click Next.

Action page for URL/Domain indicator

For Scope, accept the default All devices in my scope and click Next, then click Save.

IMPORTANT: If I wanted to whitelist YouTube but only for certain devices in the marketing department, then I would need to create a device group called “Marketing Devices” and add all the devices in the marketing department to that group – then scope this indicator policy to that group.

The indicator will be added to the list. Allow time for the change to propagate before testing.

YouTube allow indicator added
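As an added example (not code from the post), the same Allow indicator created from a script rather than the portal. It assumes the Defender for Endpoint Indicators REST API (the endpoint and request field names below are assumptions the post does not cover) and an access token obtained separately; the `device_groups` argument reflects the device-group scoping caveat above.

```python
# Added example: create an 'Allow' URL/Domain indicator in Microsoft Defender
# for Endpoint (formerly Defender ATP) through the Indicators REST API.
# Assumed (not from the post): the endpoint below, its request fields and an
# OAuth2 bearer token obtained beforehand.
import json
import urllib.request

INDICATORS_URL = "https://api.securitycenter.microsoft.com/api/indicators"


def build_allow_indicator(value, title, description, device_groups=None):
    """Return the request body for an 'Allowed' indicator.

    value: a URL such as http://www.youtube.com, or a bare domain name.
    device_groups: device-group names to scope the indicator to, e.g.
    ["Marketing Devices"]; None keeps the walkthrough's default scope,
    'All devices in my scope'."""
    # A value with a scheme is a Url indicator; a bare host is DomainName.
    indicator_type = "Url" if "://" in value else "DomainName"
    body = {
        "indicatorValue": value,
        "indicatorType": indicator_type,
        "action": "Allowed",  # allow overrides the category block
        "title": title,
        "description": description,
        "severity": "Informational",
    }
    if device_groups:
        # Limit the allow rule to named device groups; all other devices
        # keep the global web content filtering policy.
        body["rbacGroupNames"] = list(device_groups)
    return body


def submit_indicator(body, token):
    """POST the indicator and return the created indicator as parsed JSON."""
    req = urllib.request.Request(
        INDICATORS_URL,
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_allow_indicator("http://www.youtube.com", "Allow YouTube",
                                 "Allow YouTube", ["Marketing Devices"])
    print(json.dumps(body, indent=2))
    # submit_indicator(body, "<ACCESS-TOKEN>")  # needs a real token
```

As in the portal, allow time for the indicator to propagate to devices before testing.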

Conclusion

It’s that easy! I recommend taking careful consideration however as you don’t want to be in the business of whitelisting applications. For situations that dictate it though, this is an easy solution to the problem.

If you want to learn more about custom indicators of compromise in Microsoft Defender ATP see the following video: