SC-900 2022

The document provides an overview of Microsoft security, compliance, and identity fundamentals. It describes key concepts related to security, compliance, and identity such as zero-trust methodology, encryption, hashing, authentication, and authorization. It also outlines some of the basic capabilities that exist in Azure and Microsoft 365 related to security, compliance, and identity.

SC-900 Microsoft Security, Compliance, and Identity Fundamentals
Scott Duffy, Instructor

© 2022-2023 Scott Duffy, getcloudskills.com… get the course for these slides at:
http://sjd.ca/sc900
Exam Released May 2021
Latest Update November 2022
SCI - Security, Compliance, Identity
Microsoft Azure SCI Fundamentals

“familiar with Microsoft Azure and Microsoft 365 and want to understand how
Microsoft security, compliance, and identity solutions can span across these
solution areas to provide a holistic and end-to-end solution”
Microsoft Azure SCI Fundamentals

● Business stakeholders

● New or existing IT professionals

● Students who have an interest in security, compliance and identity solutions
Microsoft Azure SCI Fundamentals

● Describe the concepts of security, compliance, and identity

● Describe the capabilities of Microsoft identity and access management solutions

● Describe the capabilities of Microsoft security solutions

● Describe the capabilities of Microsoft compliance solutions


You’ll be prepared to take and pass the SC-900 exam
But you don’t have to, if you just want to learn security, compliance, and identity concepts
Security is a fundamental design requirement
Exam covers both Azure and Microsoft 365
What Basic Azure Security Capabilities Exist?
Network Security Group

Azure DDoS Protection

Azure Firewall

Azure Bastion

Web Application Firewall (WAF)


What Azure Security Management Services Exist?
Microsoft Defender for Cloud
(was Azure Defender & Azure Security Center)

Secure score in Microsoft Defender for Cloud

Enhanced security in Microsoft Defender for Cloud

Microsoft Sentinel (was Azure Sentinel)


What M365 Defender Capabilities Exist?
Microsoft 365 Defender

Microsoft Defender for Identity (formerly Azure ATP)

Microsoft Defender for Office 365 (formerly Office 365 ATP)

Microsoft Defender for Endpoint (formerly Microsoft Defender ATP)

Microsoft Defender for Cloud Apps (formerly Cloud App Security)
What M365 Security Management Capabilities Exist?
Microsoft 365 Defender Portal

Microsoft Secure Score

Intune
What Basic Azure Compliance Capabilities Exist?
Azure Policy

Azure Blueprints

Resource Locks

Cloud adoption framework


What M365 Compliance Capabilities Exist?
Retention Policies and Retention Labels

Records Management

Data Loss Prevention

eDiscovery

Advanced Auditing
What Basic Azure Identity Capabilities Exist?
Active Directory

Azure Active Directory, part of Microsoft Entra

Windows Hello for Business

Azure AD Identity Protection

Privileged Identity Management (PIM)


Describe the Concepts of
Security, Compliance, and Identity
(10-15%)
Security Methodologies
Zero-Trust Methodology
Don’t assume everything behind the firewall is safe
Zero Trust Principles
● Verify explicitly

● Use least privileged access

● Assume breach
Use every available method to validate identity and authorization
Just-in-time (JIT), Just-enough-access (JEA)
Security even inside the network: encryption, segmentation, threat detection
Identity: verify and secure each identity
Devices: ensure compliance and health status
Applications: appropriate in-app permissions, monitor user actions
Data: data-driven protection, encrypt and restrict access
Infrastructure: robust monitoring to detect attacks, block and flag risky behavior
Network: encrypt all communications
Security Concepts
Common Threats
● Data breach
● Dictionary attack
● Ransomware
● Denial of Service (Disruptive) attacks
Entry Points for Data Breach
Phishing attack

Spear phishing

Tech support scams

SQL injection

Malware, trojans, viruses


Dictionary Attack
Attempting to brute-force entry into an account by guessing passwords
from a large list of known popular passwords.
Ransomware
Locking a company out of its computer and data resources, and demanding
payment in exchange for the key.
Encryption and hashing
Encryption (n): the process of converting information or data into a code, especially to prevent unauthorized access.
“Hello.”

f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0
Types of Encryption
Symmetric and Asymmetric:

Symmetric - the same key is used for encryption and decryption

Asymmetric - the concept of a key pair - a public key and a private key; the public key is used to encrypt and the private key to decrypt

Hashing - a one-way function used in creating digital signatures; it is not technically encryption
A Brief Word on Hashing
A one-way function

Can take a long message, of any length, and make it a short code

32 or 64 characters

Hashes are not unique - hash collision

Rainbow tables

Should be used with a salt for passwords
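An added Python example (not from the slides) showing the properties listed above: a digest has a fixed length whatever the input, an unsalted hash of a popular password is a plain lookup in a precomputed ("rainbow") table, and a per-user random salt with an iterated hash (PBKDF2 from the standard library) defeats that lookup. The password list and table are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def digest_hex(message: bytes, algorithm: str = "sha1") -> str:
    """One-way, fixed-length digest: 40 hex characters for SHA-1, 64 for SHA-256,
    whatever the input length. The same input always yields the same digest.
    SHA-1 of b"Hello" is f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0 (the digest on the slide)."""
    return hashlib.new(algorithm, message).hexdigest()


# Constructed "rainbow table": digests precomputed once for a list of popular passwords.
COMMON_PASSWORDS = ["123456", "password", "Passw0rd", "qwerty"]


def rainbow_table(algorithm: str = "sha256") -> Dict[str, str]:
    """Map digest -> plaintext for each common password; built once, reusable forever
    because an unsalted digest of a given password never changes."""
    return {digest_hex(pw.encode(), algorithm): pw for pw in COMMON_PASSWORDS}


def recover_unsalted(stored_hex: str, table: Dict[str, str]) -> Optional[str]:
    """An unsalted digest of a common password is a direct table lookup."""
    return table.get(stored_hex)


# Salted, iterated password hashing (PBKDF2-HMAC-SHA256).
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key). A fresh random 16-byte salt per user means two users
    with the same password store different values, so a table precomputed for unsalted
    digests does not apply, and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, derived


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt; compare in constant time to avoid timing leaks."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def salted_store_in_table(password: str, table: Dict[str, str]) -> bool:
    """Show that the salted, stored form of a common password is absent from the table."""
    _, derived = hash_password(password)
    return derived.hex() in table
```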


Examples of Symmetric Encryption Algorithms
● AES (Advanced Encryption Standard)
○ The most commonly used symmetric encryption algo
● DES (Data Encryption Standard)
○ Considered too weak for modern powerful computers
● IDEA (International Data Encryption Algorithm)
● Blowfish (Drop-in replacement for DES or IDEA)
● RC4 (Rivest Cipher 4)
● RC5 (Rivest Cipher 5)
● RC6 (Rivest Cipher 6)
Examples of Asymmetric Encryption Algorithms
● RSA
○ Encryption used by HTTPS/SSL
● Diffie-Hellman
● ECC
○ Encryption used by Bitcoin
● ElGamal
○ Used in recent versions of PGP
● DSA
○ US Government FIPS standard for signing messages
Identity as the
Primary Security Perimeter
Security Perimeters
The person is who they say they are

Company owned network

Company owned device

Services are provided only inside company data center


Security Perimeters
The person is who they say they are - Verified identity

Company owned network - Work from home

Company owned device - Using your own computers/mobile

Services are provided only inside company data center - Cloud computing
Identity is now the primary security perimeter
Identity is not just a “person”
Employees

Partners and customers

Cloud apps

On-prem apps

Devices
Zero trust model
Advances in security focus on ensuring identity is trustable
Ways to verify identity
Beyond the simple user id/password

Single sign-on (using AD everywhere)

Multi-factor authentication

Just-in-time access requests


More granular security + logging
Intelligent monitoring that detects strange behavior

More granular security on data and documents

Restrict unrequired and unwanted lateral movement of traffic

Least privilege / default deny


Define Authentication (AuthN)
How much proof do you need for me to prove my identity to you?
“Modern Authentication”: the server should use an identity provider to validate identity
The Old Way (diagram)
Client → Server: username, password

The New Way (diagram)
Client → Identity Provider: username, password
Identity Provider → Client: token
Client → Server: token, claims

Single Sign On (diagram)
Client → Identity Provider: username, password
Identity Provider → Client: token
Client → Server (the same token is presented to each of several servers): token
Define Authorization (AuthZ)
The level of access an authenticated person has
“Permissions”
Principle of least privilege
A user is granted a set of permissions to perform some tasks
A user role is granted a set of permissions to perform some tasks
What role do you have?
Users can have multiple roles
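An added example (not from the slides) of the "new way" and of role-based authorization in one script: a constructed identity provider checks the password and issues a signed token with claims, and the application server validates the token (AuthN) and then checks the user's roles against the permissions each role carries (AuthZ). The signing key, user directory and permission table are constructed; a real identity provider such as Azure AD signs with an asymmetric key pair rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional

# --- Identity provider side (constructed demo).
IDP_SIGNING_KEY = b"constructed-demo-signing-key"
TOKEN_LIFETIME_SECONDS = 3600

# Constructed directory: username -> (SHA-256 of password, assigned roles).
# Demo only; a production directory stores salted, iterated password hashes.
_DIRECTORY: Dict[str, tuple] = {
    "alice": (hashlib.sha256(b"alice-pw").hexdigest(), ["reader", "billing-admin"]),
    "bob": (hashlib.sha256(b"bob-pw").hexdigest(), ["reader"]),
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(username: str, password: str, now: Optional[float] = None) -> Optional[str]:
    """The client proves its identity to the identity provider (AuthN). On success the
    provider returns a signed token carrying claims; the password never reaches the app."""
    entry = _DIRECTORY.get(username)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if entry is None or not hmac.compare_digest(entry[0], presented):
        return None
    issued = int(now if now is not None else time.time())
    claims = {"sub": username, "roles": entry[1], "iat": issued,
              "exp": issued + TOKEN_LIFETIME_SECONDS}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


# --- Application server side.
# Role -> permissions (AuthZ). Each role carries only what its tasks need (least privilege).
ROLE_PERMISSIONS: Dict[str, set] = {
    "reader": {"read:invoice"},
    "billing-admin": {"read:invoice", "pay:invoice"},
}


def server_validate_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Check the provider's signature and the expiry; return claims only if both hold."""
    try:
        body, sig = token.split(".")
        expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims


def permissions_for(claims: dict) -> set:
    """A user with multiple roles gets the union of their permissions."""
    perms: set = set()
    for role in claims.get("roles", []):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def server_handle(token: str, permission: str, now: Optional[float] = None) -> int:
    """HTTP-style outcome: 401 when AuthN fails, 403 when AuthZ fails, 200 otherwise."""
    claims = server_validate_token(token, now)
    if claims is None:
        return 401
    if permission not in permissions_for(claims):
        return 403
    return 200


def altered_roles_for_test(token: str, roles: List[str]) -> str:
    """Change the claims but keep the old signature, to show the server rejects the token."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["roles"] = roles
    return f"{_b64(json.dumps(claims, sort_keys=True).encode())}.{sig}"
```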
Identity Providers
The New Way (diagram)
Client → Identity Provider: username, password
Identity Provider → Client: token
Client → Server: token, claims
An identity provider creates, maintains and manages identity information...
Plus offers authentication, authorization and auditing services
Examples: Azure Active Directory (Azure AD), Active Directory, Google, Facebook, Twitter, LinkedIn, GitHub
Active Directory
A set of directory services developed by Microsoft as part of Windows 2000
Managed on-prem identity
“Domain controller”
Uses protocols that do not work over the Internet
Federation
The use of multiple identity providers
The identity providers have a trust relationship between each other
Company A AD trusts Company B AD
User from Company B can log in to Company A app
Trust isn’t always bi-directional
Azure AD B2C can be configured to use social media sites for identity
Azure Active Directory, part of Microsoft Entra
Identity as a Service in Azure
Azure AD (diagram)
User / Web Browser → Azure AD: username, password
Azure AD → User / Web Browser: token
User / Web Browser → Your Application: token, claims
A Tenant = An Organization
A tenant can have a subscription to enable compute resources to be created
Applications can register with Azure AD
Demo of Azure AD
Azure AD Password Protection
Global Banned Password List
Custom Banned Password List
Bad password attempts and lockout duration
Can also protect Windows Server Active Directory
Something you are
Something you have
Something you know
Authenticator app
OATH Hardware token
SMS
Voice call
Enabled by
administrators
Signed up by users
Conditional access
Session lifetime
Passwordless
Gestures to sign in
Sign in using a PIN or biometric recognition (facial, iris, or fingerprint) with Windows devices.
Your phone: “Are you attempting to sign in to this app?”
Conditional Access
Using signals to make decisions and enforce policies
Signals: user and location, device, application, risk
Decisions: allow access, require MFA, deny access
Example policies:
Require MFA for all admin users
Require MFA signup from trusted locations
Some minimum standard for device, location, or risk
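An added example (not from the slides) that models the three example policies above as code: each policy looks at the sign-in signals and may return no opinion, "Require MFA" or "Deny access"; as in Azure AD, every applicable policy must be satisfied, so a deny from any policy wins over MFA, and MFA wins over plain allow. The signal fields, policy names and the "Finance" app are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

ALLOW, REQUIRE_MFA, DENY = "Allow access", "Require MFA", "Deny access"


@dataclass(frozen=True)
class Signals:
    """What the policy engine knows at sign-in time (constructed shape)."""
    user: str
    roles: FrozenSet[str]
    app: str
    action: str            # "sign-in" or "register-security-info" (MFA method signup)
    trusted_location: bool
    device_compliant: bool
    risk: str              # "none", "low", "medium" or "high"


# A policy returns None when it has nothing to say about this sign-in.
Policy = Tuple[str, Callable[[Signals], Optional[str]]]


def admin_requires_mfa(s: Signals) -> Optional[str]:
    return REQUIRE_MFA if "admin" in s.roles else None


def mfa_signup_only_from_trusted_locations(s: Signals) -> Optional[str]:
    # Registering MFA methods is allowed only from a trusted network location,
    # so a stolen password alone cannot be used to enrol a new second factor.
    if s.action == "register-security-info" and not s.trusted_location:
        return DENY
    return None


def sign_in_risk(s: Signals) -> Optional[str]:
    # Minimum standard on the risk signal: block high risk, step up at medium.
    return {"high": DENY, "medium": REQUIRE_MFA}.get(s.risk)


def finance_app_needs_compliant_device(s: Signals) -> Optional[str]:
    # Minimum standard on the device signal for one sensitive application.
    return DENY if s.app == "Finance" and not s.device_compliant else None


POLICIES: List[Policy] = [
    ("Require MFA for all admin users", admin_requires_mfa),
    ("Require MFA signup from trusted locations", mfa_signup_only_from_trusted_locations),
    ("Block high risk, MFA at medium risk", sign_in_risk),
    ("Finance app requires compliant device", finance_app_needs_compliant_device),
]


def evaluate(s: Signals, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return the decision and the names of the policies that produced it.
    Every applicable policy must be satisfied: Deny beats Require MFA beats Allow."""
    fired = []
    for name, rule in policies:
        decision = rule(s)
        if decision is not None:
            fired.append((name, decision))
    if any(d == DENY for _, d in fired):
        return DENY, [n for n, d in fired if d == DENY]
    if fired:
        return REQUIRE_MFA, [n for n, _ in fired]
    return ALLOW, []
```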
Identity Governance
Balance the need for security... and employee productivity
Identity Lifecycle
From the time you start your first day with the company, to the time you retire

Integration with the HR system

Your role is managed by HR

And access is granted or revoked based on that HR system


Access Lifecycle
How to request access to things you need to get access to?

Understanding the data handling policies for different regions of the world

Dynamic groups

Azure AD Access Reviews

Azure AD Entitlement Management

Conditional Access can enforce terms of use acceptance


Privileged Access Lifecycle
Azure AD Privileged Identity Management (PIM)

Just-in-time access

Access reviews
Network Security Group
Simple, rules-based control that allows or denies traffic travelling over a network
boundary

Inbound and outbound can have separate rules

Two network boundaries - the subnet and a network interface card (NIC)

Deny by default
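An added example (not from the slides) that evaluates NSG-style rules the way the slide describes: separate inbound and outbound rules, first match in priority order wins, anything unmatched is denied, and a flow must be allowed by both the subnet NSG and the NIC NSG. The rule sets and flows are constructed; the model simplifies Azure, whose explicit default rules (DenyAllInBound/DenyAllOutBound at priority 65500) produce the same implicit-deny result.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first (Azure allows 100-4096)
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # CIDR prefix or "*"
    dest_port: str     # single port, "low-high" range, or "*"


@dataclass(frozen=True)
class Flow:
    direction: str
    protocol: str
    source_ip: str
    dest_port: int


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high
    return int(spec) == port


def _source_match(spec: str, ip: str) -> bool:
    return spec == "*" or ip_address(ip) in ip_network(spec, strict=False)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule in priority order decides; no match means Deny by default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == flow.direction
                and rule.protocol in ("*", flow.protocol)
                and _source_match(rule.source, flow.source_ip)
                and _port_match(rule.dest_port, flow.dest_port)):
            return rule.access, rule.name
    return "Deny", "DefaultDeny"


def evaluate_path(subnet_rules: List[Rule], nic_rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Inbound traffic crosses the subnet NSG then the NIC NSG; outbound crosses the NIC
    NSG then the subnet NSG. Both boundaries must allow the flow."""
    order = [("subnet", subnet_rules), ("nic", nic_rules)]
    if flow.direction == "Outbound":
        order.reverse()
    for boundary, rules in order:
        access, name = evaluate(rules, flow)
        if access == "Deny":
            return "Deny", f"{boundary}:{name}"
    return "Allow", "both"


# Constructed example: web tier reachable from anywhere on 443, SSH only from the corporate
# range at the subnet, and a NIC-level rule that closes SSH on this particular VM.
SUBNET_RULES = [
    Rule("allow-https", 100, "Inbound", "Allow", "Tcp", "*", "443"),
    Rule("allow-ssh-corp", 110, "Inbound", "Allow", "Tcp", "10.0.0.0/8", "22"),
    Rule("allow-all-out", 100, "Outbound", "Allow", "*", "*", "*"),
]
NIC_RULES = [
    Rule("nic-deny-ssh", 100, "Inbound", "Deny", "Tcp", "*", "22"),
    Rule("nic-allow-web", 200, "Inbound", "Allow", "Tcp", "*", "80-443"),
    Rule("allow-all-out", 100, "Outbound", "Allow", "*", "*", "*"),
]
```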
WAF Features
● SQL-injection attacks
● Cross-site scripting attacks
● Other common attacks, such as command injection, HTTP request smuggling, HTTP response splitting, and remote file inclusion
● HTTP protocol violations
● HTTP protocol anomalies, such as missing Host, User-Agent and Accept headers
● Bots, crawlers, and scanners
● Common application misconfigurations (for example, Apache and IIS)
OWASP Rule Sets
Core Rule Sets 3.1, 3.0, and 2.2.9

Custom Rules

Geomatch Rules
Data Encryption
Data at rest

Data in transit

Key management
Data At Rest
Server-Side Service-Managed Key - all Azure Database, Storage, AI, etc. data encrypted

Server-Side Customer-Managed Key - using Azure Key Vault

Client-Side Client-Managed Key - SQL Server, SQL Database

Double Encrypted Option - VM managed disks


Data In Transit
SSL / HTTPS / TLS

Data encrypted internally between Azure datacenters (MACsec)

Option to enable for all data leaving Azure going to customers

You can force “HTTPS only” when accessing storage accounts

Can force “HTTPS only” for shared access signatures (SAS)


Azure Key Vault
Designed to securely store secrets, certificates and keys

Requires authenticated and authorized access to get a key

Removes keys from common storage, code, source control

Can expire keys, generate new keys, etc.


Azure Security Center
Infrastructure Security Management
Security Center
Cloud Security Posture Management - assessments and recommendations

Cloud Workload Protection - protection

Supports PaaS Workloads like App Service Plans, Storage and SQL Servers
Free and paid versions
Protects Azure and non-Azure resources
SIEM
SOAR
Collecting Data
United suite of enterprise defense services
Detection, Prevention, Investigation, Response
Not just network protection... apps and services that run on the network, the identities, devices, M365, etc.
Microsoft 365 Defender services
Formerly Advanced Threat Protection (ATP)
Azure AD Signals
Microsoft 365 Defender for Identity
Monitor user behavior and activities

Protect users’ identities and reduce attack surface

Identify suspicious activities and attacks across the kill-chain

Alerts

License plans:

● EMS E5 or stand alone


Understanding what is normal behavior for each user
Identify behavior anomalies
Security reports and user profile analytics
Kill-chain: attacks start with low-hanging fruit, then try to move over (lateral) or move up
Defender for Identity is designed to reduce general alert noise, providing only relevant, important security alerts in a simple, real-time organizational attack timeline.
Identity Risks
Anonymous IP Address

Atypical travel

Malware linked IP address

Leaked credentials

Password spray

Inbox forwarding
Formerly Office 365 Advanced Threat Protection (ATP)
Microsoft 365 Defender for O365
E-mails

Links (URLs)

Collaboration tools (Teams, SharePoint Online, OneDrive for Business, etc.)

Licenses:

● O365 Plan 1, O365 Plan 2


● M365 E5, O365 E5/A5, and M365 Business Premium
Plan 1
● Safe Attachments
● Safe Links
● Protection for SharePoint, OneDrive, and Microsoft Teams
● Anti-phishing protection
● Real-time detections
Plan 2
All features of Plan 1 plus…

● Threat Trackers
● Threat Explorer
● Automated investigation and response (AIR)
● Attack Simulator
Formerly Microsoft Defender Advanced Threat Protection (ATP)
Microsoft 365 Defender for Endpoint
Endpoints are “devices”

Think of your laptop, phone, tablet - regardless of operating system


M365 Defender for Endpoint
● Threat and vulnerability management
● Attack surface reduction
● Next generation protection
● Endpoint detection and response
● Automated investigation and remediation
● Microsoft Threat Experts
● Management and APIs
Microsoft Secure Score for Devices
Microsoft Defender for Cloud Apps (CASB)
CAS Security Framework

O365 CAS

Enhanced Cloud App Discovery in AAD

CAS architecture
Discover Shadow IT
Microsoft 365 Defender Portal
Manage security across identities, data, devices, apps, and infrastructure
Microsoft 365 Defender Portal
● Protection
● Detection
● Investigation
● Response
● Email
● Collaboration
● Identity
● Device
● Cloud App
● Defender for Office 365
● Defender for Endpoint
● Defender for Identity
● Defender for Cloud Apps
A Set of Unified Experiences For…
● Incidents & alerts
● Hunting
● Actions & submissions
● Threat analytics
● Secure score
● Learning hub
● Trials
Intune
Microsoft Intune - device management

How phones, tablets, laptops connect to your environment

● MDM (company-owned)
● MAM (personal devices)
Endpoint Security with Intune
Manage devices

Security baselines - predefined settings for applications

Policies - device security

Device compliance - when a device is allowed (or not allowed)

Conditional access - risk factors

Integration with Microsoft Defender for Endpoint - Android, iOS, Windows 10+

RBAC
Endpoint Security with admin center
Security tasks for at-risk devices
Service Trust Portal
https://servicetrust.microsoft.com/

https://aka.ms/STP
Privacy Principles
Microsoft’s Six Privacy Principles
● Control
● Transparency
● Security
● Strong legal protections
● No content-based targeting
● Benefits to you
Control: you’re in control of your privacy with easy tools and clear choices.
Transparency: transparent about the data they collect
Security: strong security and the use of encryption
Strong legal protections: respecting local privacy laws and fighting for privacy
No content-based targeting: they won’t use the content of documents and emails to target ads
Benefits to you: they only collect data to make your experience better
Microsoft Purview
“a unified data governance service that helps you manage your on-premises, multi-cloud, and software-as-a-service (SaaS) data.”
Purview Features:
● Up-to-date map of your data landscape
○ Data discovery
○ Sensitive data classification
○ End-to-end data lineage

● Enable data curators to manage and secure data


● Empower data consumers to find valuable, trustworthy data
Compliance Portal
Help understand and manage an organization’s compliance needs
Compliance center
Compliance score

Solution catalog

Active alerts
https://compliance.microsoft.com/
Compliance manager
Helps to manage an organization’s compliance requirements
Prebuilt assessments

Workflow capabilities

Step-by-step improvement actions

Compliance score
Compliance score
Helps an organization:

Understand its current compliance posture

Prioritize actions based on their potential to reduce risk
Data Classification
Data classification
Sensitive
information types
Trainable classifiers
Content explorer
Activity explorer
Content Explorer
A current snapshot of individual items that have been classified across the
organization
Activity Explorer
Provides visibility into what content has been discovered, labeled, and where that
content is
Activity Explorer
Some activity types that can be analyzed:

File copied to removable media

File copied to network share

Label applied

Label changed
Sensitivity labels
Sensitivity labels
Customizable

Clear text

Persistent
Sensitivity label usage
Encrypt email or both email and documents

Mark content

Apply a label automatically

Protect content in containers (sites and groups)

Extend sensitivity labels (third-party apps and services)

Classify content without protection settings


Labels need to be published to make them available to people and services
Sensitivity label policies
Choose the users and groups that can see labels

Apply a default label to all new emails and documents

Require justifications for label changes

Require users to apply a label (mandatory labeling)

Link users to custom help pages


Retention policies and labels
Ensuring content is kept only for a required time, and then permanently deleted

Works with:

SharePoint, OneDrive, Teams, Yammer and Exchange

Comply proactively with industry regulations and internal policies
Reduce risk when there's litigation or a security breach
Ensure users work only with content that's current and relevant to them
Retention labels
Applied at item level (file, doc, email)

Only 1 label supported

Labels travel with content if moved to a different location within your M365 tenant

Applied manually/automatically

Support disposition review: review content before permanent deletion


Retention policies
Applied at site or mailbox level

Applied to multiple locations, specific locations or users

Items inherit the retention settings from their container

If an item is moved, the retention setting doesn’t travel to new location


Records Management
Used to look after your company’s legal obligations and helps to demonstrate
compliance with regulations

Disposition of items that are:

No longer required to be kept, have no value or no business purpose


Three Types of Retention:
● Retention Label

● Record (locked / unlocked)

● Regulatory Record
Retention labels enable admins to mark items as records
Data Loss Prevention: protect sensitive information and prevent its inadvertent disclosure
Data Loss Prevention (DLP)
Identify, monitor, and automatically protect sensitive information across M365:

OneDrive for Business, SharePoint Online, Microsoft Teams, Exchange Online

Help users learn how compliance works

View DLP reports


Data Loss Prevention (DLP)
DLP policies protect information by identifying and automatically protecting
sensitive data, eg.:

Credit card number

Personal Information
Endpoint Data Loss Prevention
To audit and manage activities that users complete on sensitive content on
Windows 10 devices, eg.:

Creating an item

Renaming an item

Copying items to removable media


Insider Risk Management is used to minimize internal risks:
Leaks of sensitive data and data spillage
Confidentiality violations
Intellectual property (IP) theft
Four Insider Risk solutions in M365:
● Communication compliance

● Insider risk management

● Information barriers

● Privileged access management


Communication Compliance
Minimize communication risks by detecting, capturing, and taking remediation
actions for inappropriate messages

● Microsoft Teams
● Exchange Online
● Yammer
● Third-party communications
Monitoring email and chat for compliance risks
Inappropriate Communications
Profanity

Threats

Harassment

Sharing sensitive information inside and outside your organization


Information barriers restrict communications among specific groups of users
E.g. a user in the day trader group should not communicate or share files with the marketing team
Information barriers
Only support two-way restrictions

Can prevent the following in Teams:

Searching for a user

Adding a member to a team

Starting a chat session with someone

And more..
Prevent resources from being accidentally deleted or changed
Azure Resource Locks
Apply a lock at a parent scope, all resources within that scope inherit that lock

Apply only to operations that happen in the management plane

Changes to the actual resource are restricted, but resource operations aren't
restricted
CanNotDelete
ReadOnly
A way to define a repeatable set of Azure resources
Azure Blueprints
Always in line with the organization’s compliance requirements

Provision Azure resources across several subscriptions simultaneously

Blueprint objects are replicated to multiple Azure regions


Azure Blueprints
Declarative way to orchestrate the deployment of various resource templates and
artifacts, including:

● Role Assignments
● Policy Assignments
● ARM templates
● Resource Groups
Azure Policy is designed to help enforce standards and assess compliance
Azure Policy evaluates all resources in Azure and Arc enabled resources
Azure Policy use cases
Implementing governance for resource consistency

Regulatory compliance

Security, cost, and management


Azure Policy responses
Deny a change to a resource

Log changes to a resource

Alter a resource before or after a change

Deploy related compliant resources
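An added example (not from the slides) that shows two of the responses above, "deny a change" and "log changes" (the audit effect), by evaluating a policy definition written in Azure Policy's JSON shape against constructed resources. The definition enforces the "HTTPS only" storage setting mentioned earlier; the alias Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly is a real Azure Policy alias, but the evaluator, its simplified alias resolution and the sample resources are constructed for this demo and are not the Azure service.

```python
from typing import Any, Dict, Optional, Tuple

# Constructed policy definition (Azure Policy JSON shape): storage accounts that do not
# require secure transfer are non-compliant; the effect is a parameter so one definition
# can be assigned as Deny in production and Audit (log only) while piloting.
HTTPS_ONLY_POLICY: Dict[str, Any] = {
    "mode": "Indexed",
    "parameters": {
        "effect": {"type": "String", "defaultValue": "Deny",
                   "allowedValues": ["Audit", "Deny", "Disabled"]}
    },
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}


def _field_value(resource: Dict[str, Any], field: str) -> Any:
    """Resolve 'type'/'name'/'location' directly; treat any other alias as
    <resource type>/<property path> under resource['properties'] (simplified model)."""
    if field in ("type", "name", "location"):
        return resource.get(field)
    prefix = resource.get("type", "") + "/"
    if not field.startswith(prefix):
        return None  # alias belongs to another resource type: not applicable
    value: Any = resource.get("properties", {})
    for key in field[len(prefix):].split("/"):
        if not isinstance(value, dict):
            return None
        value = value.get(key)
    return value


def _norm(value: Any) -> Any:
    """Azure compares strings case-insensitively and booleans as 'true'/'false'."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value


def condition_matches(cond: Dict[str, Any], resource: Dict[str, Any]) -> bool:
    """Evaluate the allOf / anyOf / not / field-condition grammar of a policy rule."""
    if "allOf" in cond:
        return all(condition_matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_matches(cond["not"], resource)
    actual = _norm(_field_value(resource, cond["field"]))
    if "equals" in cond:
        return actual == _norm(cond["equals"])
    if "notEquals" in cond:
        return actual != _norm(cond["notEquals"])
    if "in" in cond:
        return actual in [_norm(v) for v in cond["in"]]
    if "exists" in cond:
        return (actual is not None) == (_norm(cond["exists"]) == "true")
    raise ValueError(f"unsupported condition: {cond}")


def _resolve_effect(policy: Dict[str, Any], assignment_params: Dict[str, str]) -> str:
    effect = policy["policyRule"]["then"]["effect"]
    if effect.startswith("[parameters('"):
        name = effect[len("[parameters('"):-len("')]")]
        return assignment_params.get(name, policy["parameters"][name]["defaultValue"])
    return effect


def evaluate(policy: Dict[str, Any], resource: Dict[str, Any],
             assignment_params: Optional[Dict[str, str]] = None) -> Tuple[str, str]:
    """Return (request outcome, compliance state) for a create/update request.
    Deny rejects the change; Audit lets it through but logs it as non-compliant;
    Disabled skips evaluation; a rule that does not match leaves the resource compliant."""
    effect = _resolve_effect(policy, assignment_params or {})
    if effect == "Disabled":
        return "Allowed", "NotEvaluated"
    if not condition_matches(policy["policyRule"]["if"], resource):
        return "Allowed", "Compliant"
    if effect == "Deny":
        return "Denied", "NonCompliant"
    return "Allowed", "NonCompliant"  # Audit


# Constructed resources as they would appear in a deployment request.
STORAGE_HTTP = {"type": "Microsoft.Storage/storageAccounts", "name": "stlegacy",
                "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": False}}
STORAGE_HTTPS = {"type": "Microsoft.Storage/storageAccounts", "name": "stsecure",
                 "location": "westeurope", "properties": {"supportsHttpsTrafficOnly": True}}
VM = {"type": "Microsoft.Compute/virtualMachines", "name": "vm1",
      "location": "westeurope", "properties": {}}
```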


Thank you!
