Here are 10 ready-to-use prompts you can ask your ASD-aligned security agent to tackle the most common SMB security issues in Microsoft 365 Business Premium tenants.
Each prompt is engineered to:
- Align with the ASD Secure Cloud Blueprint / Essential Eight and ACSC guidance
- Use only features available in M365 Business Premium
- Produce clear, step-by-step outcomes you can apply immediately
- Avoid E5-only capabilities (e.g., Entra ID P2, Defender for Cloud Apps, Insider Risk, Auto-labelling P2, PIM)
Tip for your agent: For each prompt, request outputs in this structure: (a) Current state → (b) Gaps vs ASD control → (c) Recommended configuration (Business Premium–only) → (d) Click-path + PowerShell → (e) Validation tests & KPIs → (f) Exceptions & rollback.
1) Identity & MFA Baseline (ASD: MFA, Restrict Privilege)
Prompt:
“Assess our tenant’s MFA and sign-in posture against ASD/ACSC guidance using only Microsoft 365 Business Premium features.
Return: (1) Conditional Access policies to enforce MFA for all users, admins, and high-risk scenarios (without Entra ID P2); (2) exact assignments, conditions, grant/ session controls; (3) block legacy authentication; (4) break-glass account pattern; (5) click-paths in Entra admin portal and Exchange admin centre; (6) PowerShell for disabling per-user MFA legacy and enabling CA-based MFA; (7) how to validate via Sign-in logs and audit; (8) exceptions for service accounts and safe rollback.”
2) Email Authentication & Anti-Phishing (ASD: Email/Spearphishing)
Prompt:
“Evaluate and harden our email domain against phishing using Business Premium capabilities.
Cover: (1) SPF/DKIM/DMARC status with alignment recommendations; (2) Defender for Office 365 (Plan 1) policies—anti-phishing, Safe Links, Safe Attachments, user and domain impersonation; (3) external sender tagging and first-contact safety tips; (4) recommended policies per ASD/ACSC; (5) step-by-step config in Security portal & Exchange admin centre; (6) test plans (simulated phish, header eval, URL detonation); (7) KPIs (phish delivered, click rate, auto-remediation success).”
3) Device Compliance & Encryption (ASD: Patch OS, Restrict Admin, Hardening)
Prompt:
“Create Intune compliance and configuration baselines for Windows/macOS/iOS/Android aligned to ASD/ACSC using Business Premium.
Include: (1) Windows BitLocker and macOS FileVault enforcement; (2) OS version minimums, secure boot, tamper protection, firewall, Defender AV; (3) jailbreak/root detection; (4) role-based scope (admins stricter); (5) conditional access ‘require compliant device’ for admins; (6) click-paths and JSON/OMA-URI where needed; (7) validation using device compliance reports and Security baselines; (8) exceptions for servers/VDI and rollback.”
4) BYOD Data Protection (App Protection / MAM-WE)
Prompt:
“Design BYOD app protection for iOS/Android using Intune App Protection Policies (without enrollment), aligned to ASD data protection guidance.
Deliver: (1) policy sets for Outlook/Teams/OneDrive/Office mobile; (2) cut/copy/save restrictions, PIN/biometrics, encryption-at-rest, wipe on sign-out; (3) Conditional Access ‘require approved client app’ and ‘require app protection policy’; (4) blocking downloads to unmanaged locations; (5) step-by-step in Intune & Entra; (6) user experience notes; (7) validation and KPIs (unenrolled device access, selective wipe success).”
5) Endpoint Security with Defender for Business (EDR/NGAV/ASR)
Prompt:
“Harden endpoints using Microsoft Defender for Business (included in Business Premium) to meet ASD controls.
Return: (1) Onboarding method (Intune) and coverage; (2) Next-Gen AV, cloud-delivered protection, network protection; (3) Attack Surface Reduction rules profile (Business Premium-supported), Controlled Folder Access; (4) EDR enablement and Automated Investigation & Response scope; (5) threat & vulnerability management (TVM) priorities; (6) validation via MDE portal; (7) KPIs (exposure score, ASR rule hits, mean time to remediate).”
6) Patch & Update Strategy (ASD: Patch Apps/OS)
Prompt:
“Produce a Windows Update for Business and Microsoft 365 Apps update strategy aligned to ASD Essential Eight for SMB.
Include: (1) Intune update rings and deadlines; (2) quality vs feature update cadence, deferrals, safeguards; (3) Microsoft 365 Apps channel selection (e.g., Monthly Enterprise); (4) TVM-aligned prioritisation for CVEs; (5) rollout waves and piloting; (6) click-paths, policies, and sample assignments; (7) validation dashboards and KPIs (patch latency, update compliance, CVE closure time).”
7) External Sharing, DLP & Sensitivity Labels (ASD: Data Protection)
Prompt:
“Lock down external sharing and implement Data Loss Prevention using Business Premium (no auto-labelling P2), aligned to ASD guidance.
Deliver: (1) SharePoint/OneDrive external sharing defaults, link types, expiration; (2) guest access policies for Teams; (3) Purview DLP for Exchange/SharePoint/OneDrive—PII templates, alerting thresholds; (4) user-driven sensitivity labels (manual) for email/files with recommended taxonomy; (5) transport rules for sensitive emails to external recipients; (6) step-by-step portals; (7) validation & KPIs (external sharing volume, DLP matches, label adoption).”
8) Least Privilege Admin & Tenant Hygiene (ASD: Restrict Admin)
Prompt:
“Review and remediate admin privileges and app consent using Business Premium-only controls.
Provide: (1) role-by-role least privilege mapping (Global Admin, Exchange Admin, Helpdesk, etc.); (2) emergency access (‘break-glass’) accounts with exclusions and monitoring; (3) enforcement of user consent settings and admin consent workflow; (4) risky legacy protocols and SMTP AUTH usage review; (5) audit logging and alert policies; (6) step-by-step remediation; (7) validation and KPIs (admin count, app consents, unused privileged roles).”
9) Secure Score → ASD Gap Analysis & Roadmap
Prompt:
“Map Microsoft Secure Score controls to ASD Essential Eight and generate a 90‑day remediation plan for Business Premium.
Return: (1) Top risk-reducing actions feasible with Business Premium; (2) control-to-ASD mapping; (3) effort vs impact matrix; (4) owner, dependency, and rollout sequence; (5) expected Secure Score lift; (6) weekly KPIs and reporting pack (including recommended dashboards). Avoid recommending E5-only features—offer Business Premium alternatives.”
10) Detection & Response Playbooks (SMB-ready)
Prompt:
“Create incident response playbooks using Defender for Business and Defender for Office 365 for common SMB threats (phishing, BEC, ransomware).
Include: (1) alert sources and severities; (2) triage steps, evidence to collect, where to click; (3) auto-investigation actions available in Business Premium; (4) rapid containment (isolate device, revoke sessions, reset tokens, mailbox rules sweep); (5) user comms templates and legal/escalation paths; (6) post-incident hardening steps; (7) validation drills and success criteria.”
Optional meta‑prompt you can prepend to any of the above
“You are my ASD Secure Cloud Blueprint agent. Only recommend configurations available in Microsoft 365 Business Premium. If a control typically needs E5/P2, propose a Business Premium‑compatible alternative and flag the limitation. Return exact portal click-paths, policy names, JSON samples/PowerShell, validation steps, and KPIs suitable for SMBs.”
CIAOPS 