Month: May 2025

How Windows VBS Helps Prevent Token Theft

dragon

VBS creates an isolated virtual environment to host critical security processes, making them inaccessible to malware running in the normal operating system. The key feature of VBS relevant to token theft is Credential Guard.

  1. Credential Guard:

    • It uses VBS to isolate and protect the Local Security Authority Subsystem Service (LSASS) process.

    • LSASS stores sensitive credential information like NTLM password hashes and Kerberos Ticket Granting Tickets (TGTs).

    • Attackers often try to dump LSASS memory (e.g., using Mimikatz) to extract these credentials, which can then be used in pass-the-hash or pass-the-ticket attacks to impersonate users and gain access to resources, including M365 services (especially in hybrid environments).

    • With Credential Guard enabled, LSASS runs in the VBS isolated environment. The normal OS LSASS process only communicates with it via a secure Remote Procedure Call (RPC) interface. Even if an attacker gains kernel-level privileges in the normal OS, they cannot directly access the credential material stored within the VBS-protected LSASS.

    • This makes it much harder to steal the credentials that would be used to obtain M365 tokens in the first place or to abuse on-premises credentials that might be synchronized to Azure AD.

  2. Hypervisor-Protected Code Integrity (HVCI) / Memory Integrity:

    • While not directly preventing token theft, HVCI is another VBS feature that enhances overall system security. It ensures that only signed and verified code can run in the Windows kernel.

    • This makes it harder for malware to compromise the kernel, which could then be used to bypass other security measures, including potentially VBS itself or to inject code into processes holding tokens.

Important Considerations for M365 Tokens: M365 primarily uses OAuth 2.0 tokens (access tokens, refresh tokens) which are typically stored by applications (Outlook, Teams, browser) rather than directly in LSASS in the same way as NTLM hashes or Kerberos TGTs.

  • Credential Guard primarily protects against theft of Windows logon credentials (NTLM/Kerberos) that could be used to authenticate and then obtain M365 tokens.
  • It does not directly protect M365 access/refresh tokens stored in browser caches or application data if the user’s session is already compromised at the user-mode level (e.g., malware running as the user).

Appropriate Configuration for Windows Devices (using M365 Business Premium tools):

M365 Business Premium includes Microsoft Intune for device management, which is the recommended way to configure these settings.

  1. Hardware & Firmware Requirements:

    • 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V) and SLAT.

    • TPM 2.0 (Trusted Platform Module).

    • UEFI firmware with Secure Boot enabled.

    • BIOS/UEFI virtualization support enabled.

  2. Enable VBS, Credential Guard, and HVCI via Intune:

    • Using Endpoint Security Profiles (Recommended):

      1. Go to the Microsoft Intune admin center.

      2. Navigate to Endpoint security > Account protection.

      3. Click Create Policy.

      4. Platform: Windows 10 and later. Profile: Account protection. Click Create.

      5. Name the policy (e.g., “Enable Credential Guard”).

      6. Under Configuration settings:

        • Block Windows Hello for Business: Typically Not configured or Disabled unless you have specific reasons to block it.

        • Enable Credential Guard: Set to Enable with UEFI lock. This prevents it from being disabled remotely without physical presence for UEFI changes. (Choose “Enable without UEFI lock” if you need more flexibility during initial rollout/testing, but “with UEFI lock” is more secure).

        • Turn on Security Guard: (This likely refers to Microsoft Defender Security Guard, which is related to Secure Boot and VBS launch). Set to Enabled.

      7. Assign the policy to your target device groups.

      8. To enable HVCI (Memory Integrity):

        • Navigate to Endpoint security > Attack surface reduction.

        • Click Create Policy.

        • Platform: Windows 10 and later. Profile: Attack Surface Reduction Rules (or look for specific HVCI profiles if available, sometimes it’s under Device Configuration > Endpoint Protection).

        • Alternatively, and often more straightforward for HVCI:

          • Go to Devices > Configuration profiles.

          • Click Create profile.

          • Platform: Windows 10 and later. Profile type: Settings catalog.

          • Search for “Hypervisor Enforced Code Integrity” or “Memory Integrity”.

          • Add the setting (e.g., VirtualizationBasedSecurity > HypervisorEnforcedCodeIntegrity) and set it to Enabled.

    • Secure Boot: This is typically enabled in the device UEFI/BIOS. Intune can report on Secure Boot status but doesn’t directly enable it from a cold start. Devices must be provisioned with it enabled.

  3. Verify Deployment:

    • On a client device, you can check msinfo32.exe. Look for “Virtualization-based security” status and “Credential Guard” / “Memory Integrity” listed as running.

    • In Task Manager > Performance > CPU, you should see “Virtualization: Enabled”.

Complementary M365 Business Premium Security Measures:

VBS is one layer. For comprehensive token theft protection with M365:

  • Multi-Factor Authentication (MFA): Enforce MFA for all users via Conditional Access. This is the single most effective measure against credential/token compromise.

  • Conditional Access Policies:
    • Require compliant devices (managed by Intune, with VBS enabled).

    • Block legacy authentication.

    • Restrict access from untrusted locations or risky sign-ins.

    • Implement session controls (e.g., sign-in frequency).
  • Microsoft Defender for Business (included in M365 BP): Provides endpoint detection and response (EDR) capabilities to detect and block malicious activities, including attempts to steal tokens or abuse legitimate processes.

  • Identity Protection (Azure AD P1 features are included in M365 BP): Detects risky sign-ins and compromised user accounts, allowing for automated remediation.

  • Application Guard: Use Microsoft Defender Application Guard for Edge/Office to isolate untrusted websites and documents, preventing malware from accessing user session tokens in the browser or system.

  • Principle of Least Privilege: Ensure users do not have local admin rights unless absolutely necessary.

  • User Education: Train users to recognize phishing attempts and social engineering.

Conclusion:

Yes, VBS, particularly Credential Guard, is a valuable tool provided by Windows that, when configured (ideally via Intune with M365 Business Premium), significantly hardens devices against the theft of Windows credentials that could be used to obtain M365 tokens. However, it’s most effective as part of a broader defense-in-depth strategy that includes MFA, Conditional Access, Defender for Business, and other security best practices to protect M365 application-level tokens and user sessio

CIA Brief 20250510

image

How Microsoft is taking down AI hackers who create harmful images of celebrities and others –

https://news.microsoft.com/source/features/ai/how-microsoft-is-taking-down-ai-hackers-who-create-harmful-images-of-celebrities-and-others/

Transitioning to Microsoft Planner and retiring Microsoft Project for the web –

https://techcommunity.microsoft.com/blog/plannerblog/transitioning-to-microsoft-planner-and-retiring-microsoft-project-for-the-web/4410149

Streamline your business documents and agreements with intelligent insights –

https://techcommunity.microsoft.com/blog/spblog/streamline-your-business-documents-and-agreements-with-intelligent-insights/4411649

Copilot Chat helps keep your day moving –

https://www.youtube.com/watch?v=gdO-C4uci5o

Empowering multi-agent apps with the open Agent2Agent (A2A) protocol –

https://www.microsoft.com/en-us/microsoft-cloud/blog/2025/05/07/empowering-multi-agent-apps-with-the-open-agent2agent-a2a-protocol/

Highlighting the importance of securing your business during National Small Business –

https://techcommunity.microsoft.com/blog/microsoft_365blog/highlighting-the-importance-of-securing-your-business-during-national-small-busi/4410430

Microsoft adopts Google’s standard for linking up AI agents –

https://techcrunch.com/2025/05/07/microsoft-adopts-googles-standard-for-linking-up-ai-agents/

Reimagine your business processes with agents in Microsoft 365 Copilot Chat –

https://www.youtube.com/watch?v=3hYXeQVxLVU

OneDrive: Personalized Intelligence. Seamless Collaboration. Always On –

https://techcommunity.microsoft.com/blog/onedriveblog/onedrive-personalized-intelligence-seamless-collaboration-always-on/4411621

Highlighting the importance of securing your business during National Small Business Week –

https://techcommunity.microsoft.com/blog/microsoft_365blog/highlighting-the-importance-of-securing-your-business-during-national-small-busi/4410430

Simple, Smart, and Secure: The next step in sharing files in Microsoft 365 –

https://techcommunity.microsoft.com/blog/onedriveblog/simple-smart-and-secure-the-next-step-in-sharing-files-in-microsoft-365/4411655

Introducing a new generation of Windows experiences –

https://blogs.windows.com/windowsexperience/2025/05/06/introducing-a-new-generation-of-windows-experiences/

Expanding the Surface for Business Copilot+ PC portfolio –

https://blogs.windows.com/devices/2025/05/06/expanding-the-surface-for-business-copilot-pc-portfolio/

Microsoft 365 Business Premium –

https://www.youtube.com/watch?v=njXOcmncBcg

Introducing all-new Surface Copilot+ PCs: The Surface Pro, 12-inch and Surface Laptop, 13-inch –

https://blogs.windows.com/devices/2025/05/06/introducing-all-new-surface-copilot-pcs-the-surface-pro-12-inch-and-surface-laptop-13-inch/

Enhance your customer retention strategy with Microsoft 365 Copilot –

https://www.youtube.com/watch?v=7PtVRLIfGa4

Empowering everyone with agents in Copilot Chat –

https://www.microsoft.com/en-us/education/blog/2025/04/empowering-everyone-with-agents-in-copilot-chat/

After hours

F1 Drivers RACE Life-Size LEGO Cars! – https://www.youtube.com/watch?v=gXY40oiNhEA

Editorial

If you found this valuable, the I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week

How Microsoft Defender for Cloud Apps fortifies Microsoft 365

What is Microsoft Defender for Cloud Apps?

At its core, MDCA is a Cloud Access Security Broker (CASB). It sits between your users and cloud applications (like Microsoft 365) to provide:

  1. Visibility: Discover and identify cloud services and apps being used, including Shadow IT. For M365, it gives deep insights into activities within Exchange Online, SharePoint Online, OneDrive, Teams, etc.

  2. Data Security: Identify and control sensitive information (DLP capabilities) within M365, preventing data leakage.

  3. Threat Protection: Detect anomalous behavior, malware, and other threats targeting your M365 data and users.

  4. Compliance: Assess if your cloud app usage, including M365 configurations, aligns with compliance requirements.

How MDCA Improves Microsoft 365 Security:

  1. Enhanced Visibility & Activity Monitoring:

    • MDCA logs detailed activities within M365 (file shares, downloads, logins, admin changes, mail rule creations, etc.). This is far more granular than standard M365 audit logs alone and is presented in a way that’s easier to query and investigate.

    • You can see who is accessing what, from where, and what they’re doing with the data.

  2. Advanced Threat Detection & Anomaly Detection:

    • MDCA uses User and Entity Behavior Analytics (UEBA) to learn normal user patterns. It can then flag suspicious activities like:

      • Impossible travel: Logins from geographically distant locations in a short time.

      • Mass downloads/deletions: A user suddenly downloading or deleting an unusual number of files.

      • Suspicious inbox rules: Creation of forwarding rules that might exfiltrate email.

      • Ransomware activity: Rapid encryption of files.

      • Compromised account activity: Unusual administrative actions.

  3. Data Loss Prevention (DLP) and Information Protection:

    • Integration with Microsoft Purview Information Protection: MDCA can read sensitivity labels applied by Purview.

    • Content Inspection: It can scan files in SharePoint Online and OneDrive for sensitive data (credit card numbers, PII, custom keywords, etc.) even if they aren’t labeled.

    • Policies: You can create policies to automatically:

      • Apply sensitivity labels.

      • Restrict sharing (e.g., remove external sharing links for files containing PII).

      • Quarantine files.

      • Notify admins or users.

  4. OAuth App Governance (Third-Party App Control):

    • Many users grant third-party apps access to their M365 data (e.g., “Login with Microsoft,” calendar sync apps). Some of these apps can be risky.

    • MDCA discovers these OAuth apps, assesses their permission levels and community trust, and allows you to:

      • Approve/Ban apps: Sanction safe apps and ban risky ones organization-wide.

      • Revoke app access: For specific users or for an entire app.

      • Get alerted on new, risky apps being authorized.

  5. Conditional Access App Control (Session Control):

    • This is a powerful feature used in conjunction with Microsoft Entra Conditional Access.

    • When a user session to M365 apps (like SharePoint, Exchange Online) is routed through MDCA (as a reverse proxy), you can apply real-time controls:

      • Block downloads/uploads: Prevent users on unmanaged devices from downloading sensitive files.

      • Monitor sessions: Log all activities without blocking.

      • Block copy/paste: Prevent data exfiltration.

      • Apply labels on download: Ensure files downloaded to unmanaged devices are labeled and protected.

      • Block specific activities: e.g., prevent printing from an unmanaged device.

  6. Security Configuration Assessment:

    • While more directly handled by Microsoft Defender for Cloud (for Azure resources) or Microsoft Secure Score, MDCA contributes by identifying misconfigurations or risky behaviors within the M365 app context that could indicate broader security posture weaknesses.

Configuration Examples to Provide Protection:

Here’s how you might configure MDCA (steps are generalized as the UI can evolve, but concepts remain):

Prerequisite: Connect Microsoft 365 to Defender for Cloud Apps.

  • Go to the Microsoft Defender XDR portal (security.microsoft.com) -> Settings -> Cloud Apps -> Connected apps.

  • Click “+Connect an app” and select Microsoft 365. Follow the wizard to authorize the connection.

Example 1: Alert on Suspicious Inbox Forwarding Rules

  • Goal: Detect potential email exfiltration by compromised accounts.

  • Configuration:
    1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.

    2. Click Create policy and select Activity policy.

    3. Name: “Suspicious Inbox Forwarding Rule Creation”

    4. Severity: High

    5. Category: Threat Detection

    6. Triggers (Activities matching all of the following):
      • Activity type: Create inbox rule (or similar, depending on the exact activity name for Exchange Online).

      • App: Microsoft Exchange Online
      • Rule details/parameters: (You might need to use advanced filters here) Look for rule actions like Forward to, Redirect to where the recipient domain is Not in your organization’s approved domains.
    7. Actions:
      • Send alert: Email security admins, create an incident in Microsoft Sentinel.

      • (Optional Governance Action): Suspend user in Microsoft Entra ID (use with extreme caution and after thorough testing).
    8. Save the policy.

Example 2: Block Download of “Highly Confidential” Files to Unmanaged Devices

  • Goal: Prevent sensitive data from being downloaded to personal or untrusted devices.

  • Prerequisites:
    • Microsoft Entra ID P1/P2 for Conditional Access.

    • Sensitivity labels (“Highly Confidential”) configured in Microsoft Purview Information Protection.

    • Unmanaged devices identified (e.g., via Intune compliance or Hybrid Azure AD Join status).
  • Configuration:
    • Step A: Create a Conditional Access Policy in Entra ID:
      1. Go to portal.azure.com -> Microsoft Entra ID -> Security -> Conditional Access.

      2. Create a new policy.

      3. Name: “MDCA Session Control for SharePoint Unmanaged Devices”

      4. Users: All users (or a pilot group).

      5. Target resources (Cloud apps or actions): Select SharePoint Online.

      6. Conditions:
        • Device platforms: Any device.

        • Locations: Any location.

        • Client apps: Browser, Mobile apps and desktop clients.

        • Filter for devices: Exclude devices Marked as compliant (or Hybrid Azure AD Joined).
      7. Access controls -> Session: Select Use Conditional Access App Control and choose Block downloads (Preview) or Use custom policy... if you want more granular MDCA control.

      8. Enable policy.
    • Step B: (If “Use custom policy…” was chosen above) Create a Session Policy in MDCA:
      1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.

      2. Click Create policy and select Session policy.

      3. Name: “Block Highly Confidential Downloads to Unmanaged”

      4. Session control type: Control file download (with DLP).

      5. Triggers (Activities matching all of the following):
        • App: Microsoft SharePoint Online
        • Device Tag: Does not equal Intune Compliant (or your identifier for managed devices).

        • Sensitivity label (from Microsoft Purview Information Protection): Equals Highly Confidential.

        • Activity type: File download.
      6. Actions:
        • Select Block.

        • Customize block message for the user.

        • Send alert.
      7. Save the policy.

Example 3: Detect and Alert on Mass Downloads from OneDrive

  • Goal: Identify potential data theft or compromised accounts.

  • Configuration:
    1. In the Microsoft Defender XDR portal, go to Cloud Apps -> Policies -> Policy management.

    2. Many anomaly detection policies are built-in. Look for “Mass Download” or similar. If it exists, review its settings and enable it.

    3. If creating new, select Create policy -> Anomaly detection policy.

    4. Name: “Mass Download from OneDrive”

    5. Scope: You can scope it to specific users/groups, or all users.

    6. Conditions: MDCA’s UEBA engine will handle most of this. You’ll primarily enable the detection type for “Mass Download” and ensure it’s active for Microsoft OneDrive for Business.

    7. Risk factors/thresholds: Adjust sensitivity if needed (e.g., number of downloads, timeframe).

    8. Actions:
      • Send alert: Email security admins.

      • Create an alert in Microsoft Defender XDR.
    9. Save the policy.

Example 4: Govern Risky OAuth Apps

  • Goal: Prevent risky third-party apps from accessing M365 data.

  • Configuration:
    1. In the Microsoft Defender XDR portal, go to Cloud Apps -> OAuth apps.

    2. Review the list of apps. Filter by permissions (e.g., Mail.ReadWrite.All, Files.ReadWrite.All), community trust level, or last used.

    3. For a suspicious or overly permissive app:

      • Click on the app.

      • You can choose to Ban app. This prevents new users from authorizing it and revokes existing authorizations.
    4. Create a Policy for new OAuth apps:
      • Go to Cloud Apps -> Policies -> Policy management.

      • Click Create policy and select OAuth app policy.

      • Name: “Alert on New High-Permission OAuth Apps”

      • Severity: Medium/High

      • Triggers:
        • Permission level: High
        • Community use: Rare or Uncommon
        • (Optional) Specific permissions: e.g., Mail.Read.All
      • Actions:
        • Send alert.
        • (Optional Governance Action): Revoke app.
      • Save the policy.

Key Considerations:

  • Licensing: MDCA is typically part of Microsoft 365 E5, EMS E5, or available as a standalone license.

  • Alert Fatigue: Start with a few high-priority policies and tune them. Don’t enable everything at once.

  • User Impact: Be mindful of policies that might block legitimate user activity. Communicate changes and have a process for exceptions if needed.

  • Integration: MDCA works best when integrated with other Microsoft Defender XDR components and Microsoft Sentinel for a holistic security view and response capability.

By leveraging these capabilities and configurations, Defender for Cloud Apps significantly strengthens the security posture of your Microsoft 365 environment, providing deep visibility, data protection, and threat detection beyond the native capabilities of M365 itself.

Security Requirements for Microsoft Partners and Their Customers

bp1

1. Introduction: The Microsoft AI Cloud Partner Program serves as a framework to empower organizations through various benefits and incentives.1 Within this program, security stands as a fundamental pillar, critical for safeguarding the integrity of both the partner’s operational environment and the environments of their customers.1 This report aims to provide a comprehensive analysis of the specific security requirements that Microsoft partners must adhere to, drawing upon recent updates and guidelines. Furthermore, it will address the user’s inquiry regarding the necessity of achieving a Secure Score of 70 for both the partner and their customers.

The increasing sophistication of cyber threats necessitates a strong emphasis on security within the partner ecosystem. Microsoft’s partner network plays a vital role in delivering cloud services, making the security posture of each partner a crucial factor in maintaining the trust and security of the broader ecosystem. A vulnerability in a partner’s infrastructure could potentially expose numerous customers to risks. Therefore, Microsoft is proactively establishing security standards to mitigate these potential threats and ensure a secure environment for all stakeholders. The introduction of new benefits packages alongside these security requirements indicates a strategic alignment by Microsoft, where partners who demonstrate robust security practices are more likely to access enhanced resources and opportunities within the program. This interconnected approach incentivizes partners to prioritize security as a core aspect of their participation in the Microsoft AI Cloud Partner Program.

2. Mandatory Security Requirements for Microsoft Partners: Microsoft mandates several fundamental security obligations for partners participating in its programs. These requirements are designed to protect both the partners themselves and their customers from a range of cyber threats.

A primary mandatory security requirement is the enforcement of Multi-Factor Authentication (MFA) for all user accounts associated with a partner’s tenant.3 This obligation extends to partners involved in the Cloud Solution Provider (CSP) program, as well as Advisors and Control Panel Vendors.3 Partners must ensure that MFA is active whenever users sign in to Microsoft commercial cloud services, conduct transactions within the CSP program through Partner Center, or interact with relevant APIs.4 Microsoft provides its own MFA solution through Microsoft Entra security defaults, which is available at no additional cost.3 It is important to note that non-Microsoft MFA solutions are not taken into account when calculating the Partner Center security score.5 Failure to comply with these MFA requirements can result in the partner losing access to their customer tenants.4 The strong emphasis on MFA as a non-negotiable requirement underscores its critical role in preventing unauthorized access to sensitive environments. Passwords alone are often insufficient in today’s threat landscape, and MFA adds a crucial layer of defense by requiring users to provide multiple forms of verification, thereby significantly reducing the likelihood of account compromise. Microsoft’s firm stance on MFA reflects the widespread prevalence of credential theft in cyberattacks.

Another key mandatory requirement is the adoption of the Secure Application Model for partners who integrate with Partner Center APIs.3 This framework is essential for all app and user authentication models used in such integrations.3 By mandating this model, Microsoft aims to enhance the security of partner infrastructure and safeguard customer data from potential security risks.4 This shift towards the Secure Application Model for API integrations signifies a move towards more secure and less privileged access methods, ultimately reducing the potential attack surface. Traditional API access methods might involve storing credentials, which can introduce vulnerabilities. The Secure Application Model likely leverages modern authentication protocols like OAuth 2.0 and the principle of least privilege, ensuring that applications only possess the necessary permissions to perform their intended functions.

Beyond these core requirements, Microsoft also advises partners to embrace the principles of Zero Trust security.4 Furthermore, the removal of inactive Delegated Admin Privileges (DAP) is strongly recommended, as DAP is in the process of being deprecated and replaced by the more secure Granular Delegated Admin Privileges (GDAP).4 The recommendation to transition to GDAP and eliminate inactive DAP highlights Microsoft’s commitment to bolstering security through finer-grained access controls. DAP provides broad administrative rights to partner tenants over customer tenants, meaning that if a partner account with DAP is compromised, an attacker could potentially gain extensive control over the customer’s Microsoft 365 environment. GDAP, on the other hand, allows for the assignment of more specific roles with limited permissions, thereby mitigating this significant risk.

3. Understanding the Partner Center Security Score: To help partners assess and improve their security posture, Microsoft provides the Partner Center security score.5 This metric is designed to give partners a clear understanding of their tenant’s security level.5 It is accessible to direct-bill partners and indirect providers participating in the CSP, Value Added Reseller, or Advisor programs.5 The Partner Center security score ranges from 0 to 100 and reflects the tenant’s security based on adherence to specific security requirements established by Microsoft.5

The calculation of the Partner Center security score is based on the security scores assigned to individual security requirements.5 Each security requirement has a maximum possible score, ranging from 0 to 20 points, determined by its relative importance.5 Currently, a security requirement is considered either fully met, in which case it earns the maximum possible score, or not met, resulting in a score of 0 for that specific requirement.5 The overall Partner Center security score is calculated using the following formula: (Sum of individual security requirement scores) / (sum of individual security requirement max scores) * 100.5 This formula provides a weighted average of the partner’s compliance with the mandatory security measures.

There are several specific security requirements that contribute to the Partner Center security score, each with a defined maximum score 5:

  • Enable MFA: This requirement focuses on ensuring that multifactor authentication is enabled for all administrative roles within the partner’s tenant. Achieving this earns a maximum of 20 points. To be considered complete, every administrative user must be covered by MFA through security defaults, Conditional Access, or per-user MFA, and each admin user needs to have set up additional verification factors.5
  • Response to alerts is 24 hours or less on average: This requirement encourages partners to promptly address security alerts. Partners must triage and respond to alerts within 24 hours of their appearance in Partner Center, with an ideal goal of responding within one hour. Meeting this requirement contributes 10 points to the overall score. The average response time is calculated based on the activity of the last 30 days.5
  • Provide a security contact: This requirement emphasizes the importance of having a designated point of contact for security-related issues. Partners need to provide an email address, phone number, and the name of an individual or group responsible for responding to security incidents. Compliance with this requirement results in 20 points.5
  • All Azure subscriptions have a spending budget: This requirement applies specifically to partners operating under the new commerce experience. By setting up a spending budget for all their customers’ Azure subscriptions, partners can earn 10 points. Partners who are still on the traditional experience do not receive any points for this particular requirement.5
  • Users with administrative roles in the customer tenants must use MFA: This requirement extends the MFA mandate to the administrative roles within the partner’s customer tenants. Ensuring that MFA is enabled for these roles earns 20 points.5

It is important to reiterate that non-Microsoft MFA solutions are not supported for the “Enable MFA” requirement within the Partner Center security score framework and are therefore not factored into the score calculation.5 Partners can monitor and manage their security settings and view their current Partner Center security score through the Security requirements dashboard available in Partner Center.5 Furthermore, the partner security score API can be utilized to programmatically retrieve the score and gain insights into the security posture of their customers.6 The Partner Center security score is specifically tailored to the Microsoft ecosystem and the partner’s role within it. The requirements are designed to address common vulnerabilities and ensure partners are adhering to Microsoft’s security best practices for managing their own and their customers’ cloud environments. The weighting of different security requirements, such as the high scores assigned to MFA for both partner and customer administrators, clearly indicates Microsoft’s priorities in securing the partner channel by preventing unauthorized access with elevated privileges. The inclusion of the Azure spending budget requirement for new commerce partners suggests a connection between security and financial management, potentially aimed at preventing resource abuse or unauthorized consumption through proactive oversight.

To provide a clear overview of the Partner Center security score components, the following table summarizes the specific requirements and their corresponding maximum scores:

Security Requirement Maximum Score Description
Enable MFA 20 points Requires multifactor authentication (MFA) to be enabled for administrative roles within the partner’s tenant.
Response to alerts is 24 hours or less on average 10 points Requires partners to triage and respond to security alerts appearing in Partner Center within 24 hours, with a goal of responding within one hour.
Provide a security contact 20 points Requires partners to provide an email address, phone number, and name of an individual or group responsible for responding to security incidents.
All Azure subscriptions have a spending budget 10 points Applies to partners on the new commerce experience and requires them to set up a spending budget for all their customers’ Azure subscriptions. Partners on the traditional experience do not receive points for this requirement.
Users with administrative roles in the customer tenants must use MFA 20 points Requires MFA to be enabled for all users holding administrative roles within the partner’s customer tenants.

4. The Solutions Partner for Security Designation and Partner Capability Score: The Microsoft AI Cloud Partner Program offers various designations to recognize partners with specific expertise. One such designation is the Solutions Partner for Security, which distinguishes partners who possess the necessary skills to protect customers from increasingly sophisticated cyberattacks across diverse environments, including remote, hybrid, and cloud infrastructures.2 To achieve this designation, partners are required to meet certain qualification criteria based on their partner capability score for security.8

The partner capability score is a composite score derived from a partner’s performance, skilling, and customer success, using data already recorded within Partner Center.8 To attain the Solutions Partner for Security designation, a partner must achieve a minimum score of 70 points, with at least one point in each of the following four key metrics 8:

  • Performance – Net customer adds
  • Skilling – Intermediate certifications
  • Customer success – Usage growth
  • Customer success – Deployments

Microsoft offers two distinct pathways for partners to pursue this designation: the Enterprise path and the Small and Medium Business (SMB) path, each with its own specific criteria.8 Microsoft evaluates partners on both paths and ultimately selects the highest score achieved from either path at the solution area level to determine qualification.8 This flexibility allows partners to leverage their strengths and focus on the path that best aligns with their business strategy and customer base.

The partner capability score for security is comprised of four metrics organized into three categories 8:

  • Performance (Maximum 20 points): This category assesses a partner’s ability to expand their customer base by leveraging Microsoft Security products and services. The primary metric is Net customer adds for both Microsoft 365 and Azure Security workloads. The calculation methods and eligibility criteria for net customer adds differ between the Enterprise and SMB tracks, taking into account factors like Azure Consumed Revenue (ACR) and the number of paid licenses for specific Microsoft 365 workloads.8
  • Skilling (Maximum points vary based on track): This category measures the security-related skills acquired by a partner organization through the number of certified individuals. The key metric is Intermediate certifications. Both the Enterprise and SMB tracks have mandatory prerequisites, requiring individuals to complete the Azure Security Engineer Associate and Microsoft Security Operations Analyst certifications. Additional points are awarded for completing advanced certifications such as Microsoft Cybersecurity Architect expert, Microsoft Identity and Access Administrator, or Microsoft Information Protection Administrator. The specific requirements and point allocations for these certifications vary between the Enterprise and SMB tracks.8
  • Customer Success: This category evaluates a partner’s effectiveness in driving the adoption and growth of Microsoft security solutions among their customers. It consists of two metrics:
  • Deployments (Maximum 20 points): This metric awards points based on the growth in the number of customer deployments of eligible Azure and Microsoft 365 security workloads. Similar to the Performance category, the calculation methods and eligible workloads differ between the Enterprise and SMB tracks.8
  • Usage growth (Maximum 20 points): This metric focuses on the growth in the usage of security workloads by a partner’s customers, measured by Security Azure consumed revenue (ACR) and the growth in the number of Microsoft 365 protected users. Again, the thresholds and calculation methods vary between the Enterprise and SMB tracks.8

The partner capability score for security is one of six solution areas within the broader Microsoft AI Cloud Partner Program.9 Achieving the Solutions Partner for Security designation comes with various benefits, including access to go-to-market services, technical advisory hours, technical support incidents, and exclusive product benefits tailored for security.2 The requirement of a minimum partner capability score of 70 points is specifically for attaining the Solutions Partner for Security designation and is not a general mandatory security requirement for all partners. The multi-faceted nature of the partner capability score, encompassing performance, skilling, and customer success, underscores Microsoft’s emphasis on a holistic approach to security expertise. To achieve this designation, partners must demonstrate not only that their staff possess the necessary security skills but also that they are actively acquiring new security customers and driving the adoption and usage of Microsoft security solutions among their existing customers. The existence of separate Enterprise and SMB tracks acknowledges the diverse business models within the partner ecosystem and provides achievable paths for different types of partners to demonstrate their security capabilities.

To further clarify the metrics for achieving the Solutions Partner for Security designation, the following table provides a summary of the requirements for both the Enterprise and SMB tracks:

Category Metric Enterprise Track Details SMB Track Details
Performance Net customer adds Each net new customer contributes two points, up to a maximum of 20 points from ten customers. Each net new customer contributes four points, up to a maximum of 20 points from five customers.
Skilling Intermediate certifications
Step 1 (Required): At least two people must complete the Azure Security Engineer Associate certification (0 points).
Step 2 (Required): At least two people must complete the Microsoft Security Operations Analyst certification (0 points).
Step 3: Each certified individual completing one of the advanced certifications adds 6.67 points.
Step 1 (Required): At least one person must complete the Azure Security Engineer Associate certification (4 points).
Step 2 (Required): At least one person must complete the Microsoft Security Operations Analyst certification (4 points).
Step 3: Each certified individual completing one of the advanced certifications adds 8 points.
Customer Success Deployments Each net new customer contributes 3.3 points, up to a maximum of 20 points from six deployments. Each net new customer contributes 3.3 points, up to a maximum of 20 points from six deployments.
Customer Success Usage growth Every Security Azure consumed revenue (ACR) growth of USD 1,250 earns one point (maximum 20 points). Every Microsoft 365 protected users growth of 125 earns one point (maximum 20 points). Every Security Azure consumed revenue (ACR) growth of USD 750 earns one point (maximum 20 points). Every Microsoft 365 protected users growth of 50 earns one point (maximum 20 points).

5. Security Considerations for Customer Tenants: Ensuring the security of customer tenants is a critical aspect of the Microsoft partner program. While partners are primarily responsible for their own security, they also play a crucial role in safeguarding the environments of their customers.

One specific requirement that directly links partner security to customer security is the mandate for MFA for administrative roles within customer tenants.5 This requirement carries a significant weight of 20 points in the Partner Center security score calculation for the partner.5 This high weighting underscores the importance Microsoft places on securing privileged access within customer environments. Furthermore, the Partner Center provides partners with insights into customer MFA adoption statistics, allowing them to monitor and encourage the enablement of MFA across their customer base.5 This visibility empowers partners to identify potential security gaps and proactively engage with their customers to promote this essential security measure.

Microsoft emphasizes that partners have a vital role in protecting customer trust by implementing all necessary security measures.4 The partner security score API also enables partners to gain insights into their customers’ overall security posture.7 While the provided information highlights the importance of customer MFA and offers tools for partners to monitor it, there is no explicit mention of a specific security score requirement for customer tenants that partners must meet.6 However, the strong emphasis on MFA for customer administrators and the availability of customer security insights within the Partner Center framework indicate that Microsoft expects partners to have a clear understanding of their customers’ security practices and to take proactive steps to improve them. Although partners are not directly penalized based on a customer’s overall Microsoft Secure Score, their own Partner Center security score is directly affected by the enablement of MFA for administrative roles within their customer tenants. This creates a strong incentive for partners to actively promote and facilitate the adoption of MFA among their customers’ administrators, reflecting a shared responsibility for security within the Microsoft ecosystem.

6. Microsoft Secure Score vs. Partner Center Security Score: It is important to distinguish between the Microsoft Secure Score, which is a broad measure of an organization’s overall security posture, and the Partner Center security score, which is specifically designed for Microsoft partners.

The Microsoft Secure Score is a measurement of an organization’s security health across Microsoft 365, Microsoft Entra ID, and other Microsoft services.11 A higher score indicates that more of the recommended security actions have been implemented.11 This score helps organizations to understand their current security state, identify areas for improvement, and compare their posture against industry benchmarks.11 Points are awarded for configuring recommended security features, performing security-related tasks, or mitigating risks through non-Microsoft solutions.11 Security defaults within Microsoft Entra ID contribute to the Microsoft Secure Score.11 While a target of 80% or higher is generally considered a good Microsoft Secure Score, this can vary depending on the organization’s size and industry.12 The Microsoft Secure Score can be accessed through the Microsoft Defender portal.11

Conversely, the Partner Center security score is specific to Microsoft partners participating in the CSP, Value Added Reseller, or Advisor programs.5 Its primary focus is on the security posture of the partner’s tenant and, to a certain extent, their customers’ tenants, particularly concerning MFA for administrative roles, within the context of the partner program.5 This score is calculated based on specific mandatory security requirements established by Microsoft for its partners.5 The Partner Center security score ranges from 0 to 100 5 and can be monitored and managed through the Security requirements dashboard in Partner Center.5 The partner security score API provides a quantifiable measure of a partner’s security performance and also offers insights into the security posture of their customers.6 The Microsoft Secure Score serves as a comprehensive security assessment tool for any organization using Microsoft products, whereas the Partner Center security score is a specific set of requirements and a scoring mechanism tailored by Microsoft for its partners within the partner program framework. While achieving a high Microsoft Secure Score is generally indicative of strong security practices, maintaining a high Partner Center security score is crucial for partners to ensure compliance with program requirements and potentially access certain benefits or maintain their partner status.

7. Addressing the Secure Score of 70 Requirement: The user specifically asked whether a Secure Score of 70 would be required for both the partner and their customers based on the provided blog post. The analysis of the research snippets reveals important distinctions regarding the use of the number 70 in relation to security within the Microsoft partner program.

The research indicates that a score of 70 is relevant in the context of the Solutions Partner for Security designation. To attain this specific designation, a partner needs to achieve a minimum partner capability score of 70 for the security solution area.8 It is crucial to understand that this partner capability score is based on a combination of performance metrics (net customer adds), skilling (intermediate certifications), and customer success metrics (usage growth and deployments), and it is distinct from the Partner Center security score.8

The provided snippets do not explicitly state a requirement for partners to maintain a Partner Center security score of exactly 70. The Partner Center security score is designed to measure a partner’s adherence to specific mandatory security requirements set by Microsoft. The general principle is to aim for the highest possible score by ensuring that all these mandatory requirements are fully met.5 There is no indication that a score of 70 is a specific threshold that partners must reach for this particular metric.

Similarly, the research snippets do not specify a mandatory Microsoft Secure Score of 70 for customer tenants that partners are obligated to ensure. While Microsoft encourages partners to promote security best practices among their customers, such as the implementation of MFA for administrative roles, there is no mention of a specific Microsoft Secure Score target for customers within the defined partner program requirements.6 The user’s query might stem from a general understanding that a security score around 70-80 is often considered a reasonable benchmark for overall security posture. However, it is essential to differentiate between the various scoring mechanisms within the Microsoft ecosystem and the specific context in which they are used. The Partner Center security score is about meeting specific mandated requirements for partners, while the partner capability score of 70 is related to achieving a particular Solutions Partner designation. Therefore, partners should primarily focus on meeting all the mandatory security requirements that contribute to the Partner Center security score to ensure compliance with the partner program, rather than focusing on an arbitrary score of 70 for this metric or for their customers’ overall Microsoft Secure Score.

8. Recommendations for Microsoft Partners: To effectively navigate the security requirements of the Microsoft AI Cloud Partner Program and enhance the security posture of both their own organizations and their customers, partners should consider the following recommendations:

  • Prioritize Enabling Multi-Factor Authentication (MFA): Ensure that MFA is enforced for all user accounts, both administrative and standard, within the partner tenant. This can be achieved using Microsoft Entra security defaults or other compatible MFA methods. Additionally, actively encourage and assist customers in enabling MFA for all their users, with a particular focus on administrative roles. Leverage the customer MFA statistics available in Partner Center to identify any gaps in adoption.3
  • Adopt the Secure Application Model: If your organization integrates with Partner Center APIs, it is crucial to ensure that all applications adhere to the Secure Application Model framework for authentication and authorization. This will help protect both your infrastructure and your customers’ data.3
  • Maintain Responsiveness to Security Alerts: Establish clear and efficient processes for monitoring and responding to security alerts that appear within Partner Center. Aim for a response time within 24 hours, with an ideal target of one hour, to maximize your Partner Center security score and mitigate potential risks.5
  • Provide and Maintain a Security Contact: Ensure that the designated security contact information (including name, email address, and phone number) within Partner Center is accurate and kept up-to-date. This ensures that Microsoft can effectively communicate with your organization in the event of any security-related issues.5
  • Set Azure Spending Budgets for Customers (New Commerce): For partners who are operating under the new commerce experience, it is important to configure spending budgets for all customer Azure subscriptions. This action contributes to your Partner Center security score and can also help in managing and monitoring resource consumption.5
  • Aim for the Solutions Partner for Security Designation: If your organization has security as a core area of expertise, consider working towards achieving the Solutions Partner for Security designation. This involves focusing on improving your performance metrics (net customer adds), skilling levels (relevant certifications), and customer success in deploying and driving the usage of security-related workloads.8
  • Regularly Review the Security Requirements Dashboard: Make it a practice to regularly utilize the Security requirements dashboard within Partner Center to monitor your current security score and identify any areas where improvements can be made to meet the mandatory requirements.5
  • Leverage the Partner Security Score API: Explore the potential of using the partner security score API to gain deeper insights into both your organization’s and your customers’ security posture. This proactive approach can help in identifying and addressing potential risks before they escalate.6
  • Transition to Granular Delegated Admin Privileges (GDAP): If your organization is still using Delegated Admin Privileges (DAP), plan and execute a migration to Granular Delegated Admin Privileges (GDAP). GDAP offers enhanced security by providing more granular and least-privileged access to customer tenants, reducing the potential impact of compromised partner accounts.4

These recommendations highlight the importance of a multi-layered approach to security, encompassing technical implementations like MFA and secure application models, operational procedures for alert management, and strategic goals such as achieving the Solutions Partner designation. Microsoft provides partners with both the requirements and the necessary tools, such as the Partner Center dashboard and API, to effectively manage and continuously improve their security posture, demonstrating a strong commitment to security within the partner program.

9. Conclusion: In summary, Microsoft partners are required to adhere to several mandatory security measures to ensure the safety and integrity of their own operations and the environments of their customers. These include the critical step of enforcing Multi-Factor Authentication (MFA) on their partner tenants and adopting the Secure Application Model when integrating with Partner Center APIs. The Partner Center security score serves as a key indicator of a partner’s compliance with these specific security requirements.

Achieving a partner capability score of at least 70 is a specific requirement for attaining the Solutions Partner for Security designation, which recognizes expertise in this critical area. This score is based on a holistic evaluation of a partner’s performance, skilling, and success in delivering security solutions. While promoting the adoption of MFA for administrative roles within customer tenants is a crucial responsibility for partners and directly impacts their Partner Center security score, the research does not indicate an explicit requirement for a specific Microsoft Secure Score target for customers.

Therefore, based on the analysis of the provided research snippets, a Partner Center security score of 70 is not explicitly mandated as a general requirement. Furthermore, a Microsoft Secure Score of 70 is not a defined requirement for customers within the context of the partner program requirements discussed. Instead, partners should prioritize meeting all the mandatory security requirements outlined by Microsoft to achieve the highest possible Partner Center security score. Simultaneously, they should actively work to improve the security posture of their customer tenants by promoting and facilitating the adoption of security best practices, particularly the implementation of Multi-Factor Authentication.

Works cited
  1. New benefits packages for the Microsoft AI Cloud Partner Program, accessed on May 9, 2025, https://www.microsoft.com/en-us/americas-partner-one/News/new-benefits-packages-for-the-microsoft-ai-cloud-partner-program
  2. Counter cyber threats as a Solutions Partner for Security, accessed on May 9, 2025, https://partner.microsoft.com/de-de/blog/article/counter-cyber-threats-as-a-solutions-partner-for-security
  3. Partner security requirements FAQ – Partner Center | Microsoft Learn, accessed on May 9, 2025, https://learn.microsoft.com/en-us/partner-center/security/partner-security-requirements-faq
  4. Partner security requirements – Partner Center | Microsoft Learn, accessed on May 9, 2025, https://learn.microsoft.com/en-us/partner-center/security/partner-security-requirements
  5. Security requirements dashboard for Partner Center – Learn Microsoft, accessed on May 9, 2025, https://learn.microsoft.com/en-us/partner-center/security/security-requirements
  6. What is the Security workspace? – Partner Center | Microsoft Learn, accessed on May 9, 2025, https://learn.microsoft.com/en-us/partner-center/security/overview
  7. Use the partner security score API in Microsoft Graph (preview), accessed on May 9, 2025, https://learn.microsoft.com/en-us/graph/api/resources/partner-security-score-api-overview?view=graph-rest-beta
  8. Solutions Partner for Security – Partner Center | Microsoft Learn, accessed on May 9, 2025, https://learn.microsoft.com/en-us/partner-center/membership/solutions-partner-security
  9. Solutions Partner program Partner Capability Score – Partner Center | Microsoft Learn, accessed on May 9, 2025, https://learn.microsoft.com/en-us/partner-center/membership/partner-capability-score
  10. Specialization – Microsoft Partner Network, accessed on May 9, 2025, https://partner.microsoft.com/en-us/partnership/specialization
  11. Microsoft Secure Score – Microsoft Defender XDR, accessed on May 9, 2025, https://learn.microsoft.com/en-us/defender-xdr/microsoft-secure-score
  12. Microsoft Secure Score – A Complete Overview – AdminDroid Blog, accessed on May 9, 2025, https://blog.admindroid.com/boost-up-your-security-posture-with-microsoft-secure-score/

How to enrol a device in Intune that has previously been joined to Entra id

Screenshot 2025-05-09 091912

When a device is Entra ID joined *before* the user has an Intune license or before automatic MDM enrollment is configured for that user/group, it won’t automatically enroll in Intune.

Here’s how to get it enrolled without needing to unjoin and rejoin Entra ID (which is the more disruptive option):

Method 1: Trigger Enrollment via Settings (Easiest & Preferred)

This is often the simplest way if automatic enrollment is now correctly configured for the user.

  1. Ensure Prerequisites:

    • Intune License: Confirm the user logging into the Windows device has an active Intune license assigned (e.g., part of Microsoft 365 E3/E5/F3, EMS E3/E5, or a standalone Intune license).

    • MDM User Scope: In the Microsoft Entra admin center (entra.microsoft.com):

      • Navigate to Devices > Enrollment > Windows enrollment.

      • Click on Automatic Enrollment.

      • Ensure the MDM user scope is set to All or a group that the licensed user is a member of. (The MAM user scope is for a different purpose, usually BYOD).
    • CNAME Records: While Entra ID join worked, it’s good to ensure your DNS CNAME records for EnterpriseRegistration and EnterpriseEnrollment are correctly pointing to Microsoft’s services. This is usually fine if Entra join worked, but it’s a foundational piece for MDM enrollment.

  2. On the Windows Device:

    • Log in as the user who has the Intune license.

    • Go to Settings > Accounts > Access work or school.

    • You should see “Connected to ‘s Microsoft Entra ID”.

    • Click on this connection, then click the Info button.

    • Look for a Sync button. Click it.

      • This action forces the device to re-evaluate its MDM enrollment status with Entra ID. If the user is now in scope and licensed, it should trigger the Intune enrollment process.
    • Wait: Enrollment can take a few minutes. You might see a notification, or you can check the Intune portal (Microsoft Intune admin center) under Devices > Windows to see if the device appears and its compliance status.

    • Reboot: Sometimes a reboot helps kickstart the process after clicking “Sync.”

Method 2: Enroll via Company Portal App

  1. Ensure Prerequisites: Same as Method 1 (License and MDM User Scope).

  2. On the Windows Device:
    • Install the Company Portal app from the Microsoft Store.

    • Open the Company Portal app.

    • Sign in with the Entra ID credentials of the licensed user.

    • The Company Portal app will typically detect that the device isn’t yet managed by Intune and will guide the user through the enrollment process. Follow the on-screen prompts.

Method 3: Enroll Only in Device Management (Less Common for this scenario but an option)

This method is typically for devices that are not Entra ID joined but you want to enroll them into Intune. However, it can sometimes nudge an already Entra ID joined device.

  1. Ensure Prerequisites: Same as Method 1.

  2. On the Windows Device:
    • Go to Settings > Accounts > Access work or school.

    • Click Connect.

    • Crucially, on the “Set up a work or school account” screen, look for a link that says something like “Enroll only in device management” or similar phrasing. Do not just type the email address in the main box, as that will try to Entra ID join it (which it already is).

    • Enter the user’s Entra ID email address and follow the prompts.

Troubleshooting & Verification:

  • Check Intune Portal: After attempting enrollment, go to the Microsoft Intune admin center (intune.microsoft.com) > Devices > Windows. Search for the device. It might take 5-30 minutes (sometimes longer) to appear or update its status.

  • Event Viewer on the Device:
    • Open Event Viewer.

    • Navigate to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

    • Look for events related to MDM enrollment (Event ID 75 or 76 often indicate successful enrollment). Errors here can give clues.
  • Check MDM URLs in Registry (Advanced):
    • Open Registry Editor (regedit).

    • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments.

    • Look for a subkey with a GUID. Inside, you should find values like DiscoveryServiceFullUrl, EnrollmentServiceFullUrl, PolicyServiceFullUrl pointing to Intune services (e.g., https://enrollment.manage.microsoft.com/...). If these are present, enrollment likely succeeded or is in progress.
  • Patience: Sometimes it just takes a little while for all the syncs to happen.

Last Resort (If the above fails and you’re sure licensing/scoping is correct):

  1. Disconnect from Entra ID and Rejoin:
    • Backup important local data if any.
    • Go to Settings > Accounts > Access work or school.

    • Click the “Connected to ‘s Microsoft Entra ID” account and click Disconnect. Confirm the disconnection.

    • Reboot the device.

    • After rebooting, go back to Settings > Accounts > Access work or school.

    • Click Connect.

    • Choose to Join this device to Microsoft Entra ID and sign in with the licensed user’s credentials.

    • This fresh join process should trigger the Intune enrollment immediately, assuming automatic enrollment is configured.

Start with Method 1 (Sync button) as it’s the least invasive. Method 2 (Company Portal) is also very reliable.

Benefits of using KQL to improve the security

Screenshot 2025-05-08 091712

What is KQL?

KQL is a powerful, read-only query language designed to explore data and discover patterns. It’s used across various Microsoft services, most notably for our discussion:

  1. Microsoft Sentinel: A cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution.

  2. Microsoft 365 Defender: An XDR (Extended Detection and Response) platform that provides integrated threat protection, detection, and response across endpoints, identities, email, and cloud apps. Its “Advanced Hunting” feature uses KQL.

Essentially, KQL allows you to “talk” to the vast amounts of security log data generated by your M365 services.

Benefits of Using KQL to Improve M365 Tenant Security:

  1. Proactive Threat Hunting:

    • Beyond Built-in Detections: While Microsoft provides many out-of-the-box detections, KQL allows you to hunt for specific, emerging threats, anomalous behaviors, or indicators of compromise (IOCs) that might not trigger a standard alert.

    • Hypothesis-Driven Investigation: You can form a hypothesis (e.g., “Are there any unusual external email forwarding rules set up?”) and use KQL to validate it against your logs.

  2. Deep Incident Investigation & Root Cause Analysis:

    • Contextual Understanding: When an alert fires, KQL lets you dive deep into the raw logs (Azure AD sign-ins, Exchange mail flow, SharePoint activity, Defender alerts, etc.) to understand the full scope, timeline, and impact of an incident.

    • Connecting the Dots: You can join data from different sources (e.g., correlate a suspicious sign-in with subsequent file access or email activity) to build a complete picture.

  3. Custom Detection Rule Creation:

    • Tailored Alerts: If you identify a pattern of malicious activity specific to your environment or a new threat vector, you can write KQL queries and turn them into custom analytic rules in Microsoft Sentinel or custom detection rules in M365 Defender. This automates the detection of future occurrences.

    • Reduced False Positives: By crafting precise KQL queries, you can fine-tune detection logic to minimize false positives and focus on genuine threats.

  4. Enhanced Visibility & Reporting:

    • Custom Dashboards & Workbooks: KQL queries can power custom dashboards and workbooks in Sentinel, providing tailored views of your security posture, trends, and key metrics (e.g., risky sign-ins by location, malware detections over time).

    • Compliance & Auditing: Extract specific data needed for compliance reporting or internal audits, such as administrator activity logs or access to sensitive data.

  5. Understanding Your Environment:

    • Baseline Activity: Use KQL to understand normal patterns of behavior in your tenant. This makes it easier to spot deviations that could indicate a security issue.

    • Configuration Audits: Query configurations (e.g., MFA status, conditional access policies, sharing settings) to ensure they align with security best practices.

  6. Speed and Scalability:

    • KQL is optimized for querying massive datasets very quickly, which is essential when dealing with the volume of telemetry generated by M365 services.

How to Get Started Using KQL for M365 Security:

  1. Access the Right Portals:

    • Microsoft 365 Defender Portal (security.microsoft.com):
      • Navigate to Hunting > Advanced Hunting. This is where you’ll query data from Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Azure AD Identity Protection.
    • Microsoft Sentinel (via Azure Portal portal.azure.com):
      • Navigate to your Log Analytics Workspace connected to Sentinel, then select Logs. This is where you’ll query data ingested into Sentinel, which can include M365 logs, Azure activity, third-party logs, etc.

  2. Ensure Data Ingestion (Prerequisite):

    • For Microsoft 365 Defender Advanced Hunting: Most data from the Defender suite is automatically available.

    • For Microsoft Sentinel: You need to set up Data Connectors for the M365 services you want to query (e.g., Azure Active Directory, Office 365, Microsoft Defender for Cloud Apps).

  3. Learn Basic KQL Syntax:

    • KQL queries are a sequence of data transformation steps piped (|) together.

    • TableName: Start by specifying the table you want to query (e.g., SigninLogs, EmailEvents, DeviceEvents).

      • In Advanced Hunting, the schema is usually pre-loaded on the left.

      • In Sentinel (Logs), you can see available tables in the schema pane.
    • | where Condition: Filters rows based on a condition (e.g., | where ResultType == "50126" for failed logins due to MFA).

    • | project Column1, Column2: Selects specific columns.

    • | summarize Aggregation by GroupingColumn: Aggregates data (e.g., | summarize count() by UserPrincipalName).

    • | top N by Column [desc/asc]: Shows the top N results.

    • | extend NewColumn = Calculation: Creates a new column.

    • | join kind=inner (OtherTable) on CommonColumn: Combines rows from two tables.

    • Time Range: Use the time picker in the UI or specify in the query (e.g., | where TimeGenerated > ago(1d)).

  4. Explore Schemas and Tables:

    • In both Advanced Hunting and Sentinel Logs, there’s a schema explorer. Familiarize yourself with the available tables and their columns. Common tables include:

      • M365 Defender: IdentityLogonEvents, EmailEvents, UrlClickEvents, DeviceProcessEvents, CloudAppEvents.

      • Sentinel (often from Azure AD): SigninLogs, AuditLogs, OfficeActivity, SecurityAlert.

  5. Start with Simple Queries and Build Up:

    • Example: See the last 10 sign-ins. 
      SigninLogs // Or IdentityLogonEvents in M365 Defender
| top 10 by TimeGenerated desc
    • Example: Count failed sign-ins by user in the last day. 
      SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != 0 and ResultType != 50140 // Filter for various failure codes, 0 and 50140 are common success/interrupts
| summarize FailureCount = count() by UserPrincipalName
| top 10 by FailureCount desc

  6. Use IntelliSense and Built-in Help:

    • The query editors in both portals have IntelliSense to help you with table names, column names, and operators.

    • Look for example queries or templates provided by Microsoft.

  7. Leverage Microsoft’s Learning Resources:

    • Microsoft Learn KQL Path: Search for “KQL” on Microsoft Learn. There are excellent modules.

    • Microsoft Sentinel Documentation: Full of KQL examples for security scenarios.

    • Microsoft 365 Defender Advanced Hunting Documentation: Similar to Sentinel docs but focused on Defender data.

    • GitHub Repositories: Microsoft and the community share many KQL queries for Sentinel and M365 Defender on GitHub.

  8. Practice, Practice, Practice:

    • Take an existing alert and try to find the related raw logs.

    • Think of a security question (e.g., “Has anyone downloaded an unusual number of files from SharePoint recently?”) and try to answer it with KQL.

Example KQL Queries for M365 Security:

  • Suspicious Sign-in Locations (Sentinel – SigninLogs):

    SigninLogs
| where TimeGenerated > ago(7d)
| where Location != "YourExpectedCountry" // Be more specific with IPs or city if possible
| summarize count() by UserPrincipalName, Location, IPAddress
| sort by count_ desc

  • New Email Inbox Forwarding Rule (M365 Defender – CloudAppEvents):

    CloudAppEvents
| where TimeGenerated > ago(1d)
| where Application == "Microsoft Exchange Online"
| where ActionType == "New-InboxRule"
| where RawEventData has "ForwardTo" or RawEventData has "RedirectTo"
| project Timestamp, AccountObjectId, UserAgent, RawEventData

  • Potentially Malicious File Downloads by a User (M365 Defender – CloudAppEvents for SharePoint/OneDrive):

    CloudAppEvents
| where TimeGenerated > ago(1d)
| where ActionType == "FileDownloaded"
| where Application in ("Microsoft SharePoint Online", "Microsoft OneDrive for Business")
// Optional: add filters for specific file types if known (e.g., | where FileName endswith ".exe" or FileName endswith ".ps1")
| summarize FilesDownloaded = dcount(FileName), TotalSize = sum(tolong(RawEventData.FileSize)) by Actor = UserPrincipalName, bin(TimeGenerated, 1h)
| where FilesDownloaded > 10 // Example threshold

Key Takeaway:

KQL is an indispensable skill for modern security operations in the Microsoft ecosystem. It empowers you to move from reactive alert chasing to proactive threat hunting and deep investigation, significantly improving your M365 tenant’s security posture. Start simple, leverage the available resources, and gradually build your expertise.

How effective is enabling Windows Attack Surface Reduction in preventing a Windows device from Malware?

image

Enabling Windows Attack Surface Reduction (ASR) rules is **highly effective** in preventing a Windows device from many common types of malware and attack techniques. It’s a crucial component of a defense-in-depth strategy.

However, it’s not a silver bullet and its effectiveness depends on several factors.

Here’s a breakdown of its effectiveness:

How ASR Works and Why It’s Effective:

  1. Targets Common Attack Vectors: ASR rules are specifically designed to block behaviors commonly used by malware to infect machines and execute malicious code. This includes:

    • Office Application Abuse: Blocking Office apps from creating executable content, injecting into other processes, creating child processes, or running macros deemed malicious.

    • Script-Based Attacks: Blocking obfuscated scripts (JavaScript, VBScript, PowerShell), or scripts that download/run payloads.

    • Email-Based Threats: Blocking executable content from email clients and webmail.

    • Exploitation Techniques: Preventing credential stealing (e.g., from LSASS), process hollowing, or unsigned/untrusted executables from running from USB drives.

    • Ransomware Behaviors: Some rules can help mitigate common ransomware tactics.

  2. Pre-Execution and Early-Execution Prevention: Many ASR rules intervene before malware fully executes or early in its execution chain, stopping the attack before significant damage occurs. This is more proactive than relying solely on detection of already-running malware.

  3. Reduces Reliance on Signatures: While traditional AV relies heavily on signatures for known malware, ASR focuses on behaviors. This makes it more effective against new or polymorphic malware that might not have a signature yet.

  4. Complements Antivirus: ASR works alongside Microsoft Defender Antivirus (or other AV solutions) and Endpoint Detection and Response (EDR) solutions like Microsoft Defender for Endpoint. It adds an extra layer of proactive defense.

Factors Influencing Effectiveness:

  1. Which Rules Are Enabled: There are many ASR rules. Not all may be suitable for every environment. Enabling more relevant rules increases protection. Some key high-impact rules include:

    • Block Office applications from creating child processes.

    • Block Adobe Reader from creating child processes.

    • Block execution of potentially obfuscated scripts.

    • Block credential stealing from the Windows local security authority subsystem (lsass.exe).

    • Block executable content from email client and webmail.

  2. Mode of Operation (Audit vs. Block):

    • Audit Mode: Logs what would have been blocked. Essential for testing and identifying potential legitimate application conflicts (false positives) before enabling block mode. Provides visibility but no active prevention.

    • Block Mode: Actively prevents the flagged behaviors. This is where the true preventative power lies.

  3. Exclusions: Properly configured exclusions are necessary for legitimate applications that might otherwise trigger ASR rules. Overly broad exclusions can reduce effectiveness.

  4. Configuration and Management: Consistent deployment and management (e.g., via Group Policy, Intune, MEMCM) ensure all devices are protected.

  5. Attacker Sophistication: While ASR stops many common TTPs (Tactics, Techniques, and Procedures), highly sophisticated attackers might find novel ways to bypass specific rules or use techniques not covered by ASR.

  6. Keeping Systems Updated: Microsoft continually updates ASR rules and the underlying Defender platform to address new threats and improve detection logic.

Limitations:

  • False Positives: The primary challenge. Some legitimate applications, especially older or custom-developed ones, might exhibit behaviors that trigger ASR rules. Thorough testing in audit mode is crucial.

  • Not a Complete Solution: ASR doesn’t cover every conceivable attack vector. It won’t stop zero-day exploits against unpatched vulnerabilities if the exploit doesn’t trigger a specific ASR rule behavior.

  • User Experience: If not carefully tuned, blocking legitimate actions can frustrate users.

Conclusion:

Enabling Windows Attack Surface Reduction rules is a very effective proactive measure to significantly reduce the likelihood of malware infection from common attack vectors. It raises the bar for attackers, forcing them to use less common or more sophisticated techniques.

For maximum effectiveness:

  • Start in Audit Mode: Understand the impact on your environment.

  • Gradually Enable Rules in Block Mode: Prioritize rules that block high-risk behaviors with low potential for false positives first.

  • Monitor and Tune: Continuously review ASR logs and adjust exclusions as needed.

  • Use in Conjunction with Other Security Layers: ASR should be part of a comprehensive security strategy that includes antivirus, EDR, firewalls, patching, and user education.

When implemented thoughtfully, ASR is a powerful, built-in tool that provides a substantial boost to Windows endpoint security.

Getting started with the Microsoft Power Platform

image

The goal is to empower you (and your colleagues) to build solutions *without* necessarily needing deep coding expertise, focusing on productivity boosts and automating those repetitive tasks.

What is the Power Platform?

Think of it as a suite of low-code/no-code tools that work seamlessly with Microsoft 365 (and many other services) to:

  1. Power Apps: Build custom applications (mobile or web) for specific tasks or processes.

  2. Power Automate: Automate workflows and repetitive tasks between different apps and services.

  3. Power BI: Analyze data and create interactive dashboards and reports (often used alongside the others, but slightly different focus).

  4. Power Virtual Agents: Build intelligent chatbots without code.

  5. (Underlying) Dataverse: A secure, scalable data platform to store and manage data used by your Power Platform solutions (think of it as a sophisticated database optimized for business apps).

For quick and easy productivity gains and automation, we’ll primarily focus on Power Apps and Power Automate.

Prerequisites & Access

  1. Microsoft 365 License: Most standard Microsoft 365 Business or Enterprise licenses (like E3, E5, Business Standard, Business Premium) include foundational Power Platform capabilities. This typically covers:

    • Running apps.

    • Creating flows with Standard connectors (like SharePoint, Outlook, Teams, OneDrive, Forms, Excel Online).

    • Limited Dataverse usage.

    • Important Note: Using Premium connectors (like SQL Server, Salesforce, custom APIs), AI Builder features, RPA (Robotic Process Automation), or extensive Dataverse capacity often requires additional standalone Power Apps or Power Automate licenses. Start with what’s included first!
  2. Accessing the Tools:
    • Go to Office.com and sign in with your work account.

    • Click the App Launcher (the “waffle” icon, 9 dots) in the top-left corner.

    • You should see icons for Power Apps and Power Automate. If not, click “All apps”.

    • Alternatively, go directly to:

Getting Started: The Strategy

The key is to start small and focus on a specific pain point. Don’t try to boil the ocean.

  1. Identify a Bottleneck or Repetitive Task: What’s something you or your team does regularly that is manual, time-consuming, or prone to errors?

    • Examples: Manually copying data from an email into a spreadsheet, chasing people for approvals, collecting information via long email chains, tracking simple requests on paper or a shared doc.
  2. Choose the Right Tool (Initially):
    • Need to automate a process that runs in the background? (e.g., save email attachments, notify a team when a file is updated, request approval) -> Power Automate is likely your best bet.

    • Need a user interface to interact with data or kick off a process? (e.g., a simple form to submit requests, a way to view and update items in a list, a checklist app) -> Power Apps is probably the way to go. Often, Power Apps and Power Automate work together.
  3. Leverage Templates: This is the ABSOLUTE EASIEST way to start. Both Power Apps and Power Automate have extensive template galleries based on common scenarios.

  4. Connect Your M365 Services: The real power comes from connecting the tools you already use (Outlook, Teams, SharePoint, OneDrive, Forms, Planner, etc.).

  5. Build, Test, Iterate: Your first attempt won’t be perfect. Build something simple, test it, get feedback, and refine it.

Detailed Steps with Examples:

Scenario 1: Automating Email Attachments to OneDrive (Using Power Automate)

  • Pain Point: You receive regular reports via email from a specific sender and have to manually save the attachments to a designated OneDrive folder.

  • Tool: Power Automate

  • Steps:

    1. Go to make.powerautomate.com.

    2. On the left menu, click Templates.

    3. Search for “Save email attachments to OneDrive”. You’ll find several variations. Select one like “Save Office 365 email attachments to a specified OneDrive for Business folder”.

    4. Review the flow description and the connections it needs (Office 365 Outlook, OneDrive for Business).

    5. Click Continue. Power Automate will check if you’re already signed into these services or prompt you to sign in.

    6. Configure the Trigger: The template likely starts with the “When a new email arrives (V3)” trigger. You need to customize it:

      • Folder: Usually Inbox.

      • From: Enter the specific email address of the sender.

      • Include Attachments: Set to Yes.

      • Subject Filter: (Optional but recommended) Enter keywords from the subject line to be more specific (e.g., “Weekly Report”).
    7. Configure the Action(s): The template will have actions like “Apply to each” (to handle multiple attachments) and “Create file” (for OneDrive).

      • In the “Create file” action:

        • Folder Path: Click the folder icon and navigate to the exact OneDrive folder where you want to save the files.

        • File Name: The template usually pre-fills this with Attachments Name (dynamic content from the trigger). This is good.

        • File Content: The template usually pre-fills this with Attachments Content. This is also good.
    8. Save the flow.

    9. Test the flow. You can use the “Test” button in the top-right. Choose “Manually” and then trigger the flow by having an email sent that matches your criteria (or use a recent email if available via automatic testing).

    10. Turn it On: Once saved, the flow is active and will run automatically whenever a new email matching your criteria arrives.

  • Productivity Gain: Saves you minutes every time that email arrives, reduces the chance of forgetting, and keeps files organized automatically.

Scenario 2: Creating a Simple Request Form/Tracker (Using Power Apps & SharePoint)

  • Pain Point: Your team uses email or chat to request small IT support items, making them hard to track and manage.

  • Tools: SharePoint (for data storage), Power Apps (for the user interface)

  • Steps:

    1. Create a SharePoint List:
      • Go to your team’s SharePoint site (or create a new one).

      • Click + New > List.

      • Choose Blank list. Name it something like “IT Support Requests”.

      • Add columns relevant to the request:

        • Title (Rename to “Short Description” – required by default)

        • Requester (Person or Group column, default to current user)

        • RequestDetails (Multiple lines of text)

        • Urgency (Choice column: High, Medium, Low)

        • Status (Choice column: New, In Progress, Completed, Cancelled – default to ‘New’)

        • AssignedTo (Person or Group column – optional initially)

        • CompletionDate (Date and Time column – optional)
    2. Create the Power App:
      • Go to make.powerapps.com.

      • Click Create > SharePoint.

      • It will ask you to select or enter a SharePoint site URL. Find your site.

      • Select the “IT Support Requests” list you just created.

      • Click Create.
    3. Automatic App Generation: Power Apps will automatically generate a basic 3-screen app (Browse, View Details, Edit/Create New) based on your SharePoint list columns!

    4. Customize (Optional but Recommended):
      • Browse Screen: Select the gallery (the list of items). In the right-hand pane (or top formula bar), you can change which fields are displayed. Maybe show Title, Requester, and Status.

      • Edit/New Screen: Select the form. In the right-hand pane, click “Edit fields”. You can reorder fields, change control types (e.g., make RequestDetails bigger), or remove fields you don’t want users filling in (like AssignedTo if only IT assigns). Set the default value for Status to “New”.

      • Theme/Colors: Use the “Theme” option on the Home tab to quickly change the look and feel.
    5. Save the app (give it a meaningful name like “IT Request App”).

    6. Publish the app.

    7. Share the app:

      • Click Share (top right or from the app list).

      • Enter the names or email addresses of the colleagues who need to submit requests.

      • Crucially: Make sure they also have permission to access the underlying SharePoint list! Grant them “Contribute” access to the list itself in SharePoint.

      • Decide if you want to send an email invitation.
    8. Accessing the App: Users can access the app via the Power Apps mobile client, directly from the web link you share, or you can even embed it within a SharePoint page or Microsoft Teams tab for easier access.

  • Productivity Gain: Centralized request tracking, standardized information collection, clear status visibility, replaces messy email/chat trails.

Further Steps & Learning:

  1. Explore More Templates: Both Power Apps and Power Automate have hundreds. Browse them for inspiration.

  2. Learn about Connectors: Understand the difference between Standard (included with M365) and Premium (require extra licenses). Explore the vast list of available connectors.

  3. Combine Power Apps and Power Automate:
    • Trigger a Power Automate flow from a Power App button (e.g., when a new IT request is submitted in the app, trigger a flow to post a notification in a Teams channel).

    • Use Power Automate to update data that your Power App displays.
  4. Microsoft Learn: This is your BEST resource for structured learning. Search for Power Apps and Power Automate paths and modules – many are beginner-focused. (learn.microsoft.com)

  5. Power Platform Community: Ask questions, see what others are building. (powerusers.microsoft.com)

  6. Experiment: The best way to learn is by doing. Pick another small task and try to build a solution! Don’t be afraid to try things out in the editor.

Key Mindset:

  • Low-Code, Not No-Effort: While you don’t need traditional coding, you do need to think logically about process steps (for Automate) and user interface design (for Apps).

  • Iterative Improvement: Your first version is just the start. Use it, get feedback, and make it better over time.

  • Focus on Value: Prioritize automating tasks or building apps that provide the most significant time savings or process improvements first.

By starting small, using templates, and focusing on your existing M365 tools, you can quickly begin leveraging the Power Platform to make a real difference in your daily productivity and reduce manual work. Good luck!