SC-900 Study Guide
Advanced Auditing
1-year retention for Exchange, SharePoint and Azure AD audit records by default. Supports export to CSV file. Provides access to audit records for high-value, crucial events, used in forensic and compliance investigations.
Default Audit retention period for M365 E3 subscription
90 days, via Basic Audit as the default.
Microsoft Intune
A cloud-based management solution that allows you to manage devices using Mobile Device Management (MDM) and Mobile Application Management (MAM).
Azure Application Gateway
A web traffic load balancer that enables you to manage traffic to your web applications.
Azure Graph API
Azure AD roles control access to Azure AD resources such as users, groups, and applications using this API.
Security Administrator, Exchange Administrator, Global Administrator, SharePoint Administrator
Azure AD roles that give you read and write access to Microsoft Secure Score.
Access Review
Azure Identity Governance feature that makes recommendations as to the need for continued access.
Security incident and event management (SIEM)
Consolidates data from an org's IT environment, conducts real-time monitoring, establishes correlation between events, and generates security alerts and notifications.
Microsoft Privacy Principles on customer data
Control, Transparency, Security, Strong legal protections, No content-based targeting, Benefits to the customer.
Extended Detection and Response (XDR)
Designed to deliver enhanced security detection and response capabilities across an org's domain.
Hybrid Azure AD joined devices
Devices in a hybrid environment with synced Active Directory Domain Services (AD DS) and Azure AD identities. Limited to devices owned by the org and running Win 7 or later.
Privileged Access Management
Enables granular access control over privileged admin tasks in O365. Helps replace constant admin access privileges with just-in-time elevated access permissions.
Azure AD Password Protection
Helps prevent the use of weak and easily guessed passwords. Enables custom banned passwords.
Privileged Access Management (PAM)
Helps restrict privileged access in an on-premises AD environment.
Identity
How someone or something can be authenticated to prove that they are who they say they are. This is considered the primary security perimeter in a modern hybrid network environment.
Report categories of M365 Security Center
Identities, Data, Devices, Apps.
Defense in Depth
Layered approach to providing security, including: Physical security, Identity and access, Perimeter controls, Network segmentation and controls, Application security, Data security.
Azure Firewall
Managed service that protects resources deployed in your Azure VNet. Integration with Microsoft Threat Intelligence (MTI) enables filtering to alert on and deny traffic originating from or destined to known malicious IP addresses and web domains.
Azure Blueprints
Orchestrate deployment of various resources and preserve a relationship between what should be deployed & what is deployed, supporting tracking and auditing of deployments.
Azure Bastion
PaaS service that provides secure RDP/SSH connectivity through the Azure Portal, without exposing RDP/SSH ports to the internet. Secured over the internet using Transport Layer Security (TLS).
Microsoft Cloud App Security (MCAS)
Process of identifying cloud apps, IaaS and PaaS services not authorized by the organization's IT department (Shadow IT).
eDiscovery
Process of identifying, holding, and exporting electronic content to support your organization's internal or external investigations. Part of M365.
Microsoft Defender for Identity
Protects on-premises AD users as well as AD users synced to Azure AD. Able to detect advanced threats and protect user identities and credentials. Can detect on-premises attacks on AD Federation Services.
Data Loss Prevention (DLP)
Protects sensitive data and minimizes the risk of inappropriate sharing with others. Part of M365, implemented through DLP policies.
Federated Services
Provide access across org or domain boundaries. The identity provider provides authentication services and passes authentication credentials to other organizations or domains. Requires a one-way trust. Can use 3rd-party sites as identity providers.
Privileged Identity Management (PIM)
Provides time-based privileged access to resources in Azure AD, Microsoft Intune, M365, and other Microsoft cloud services.
Azure Security Center (ASC)
Provides unified security management and advanced threat protection across hybrid cloud and on-premises workloads.
Security orchestration automated response (SOAR)
Receives input from an org's security monitoring systems to define and drive specific response activities.
Azure Sentinel
SOAR system that takes alerts from many SIEM sources, then triggers action-driven automated workflows and processes to run security tasks that mitigate the issue.
Microsoft Defender for Office 365 tools that require Office 365 Plan 2
Threat Trackers, Attack Simulator, Threat Explorer, Automated investigation & response (AIR)
Records Management
Tracks the usage of certain documents and emails and ensures that these documents and emails are not deleted until they are no longer required.
Information Barriers
Used to define and apply information barrier policies to prevent unauthorized communication & collaboration between certain user groups via Teams, SharePoint Online, and OneDrive to avoid conflict of interest.
Insider Risk Management
Used to minimize internal risk through detection, investigation, and mitigation of intentional and unintentional breaches of your org's insider policies. Helps minimize or avoid the risks of sensitive data leaks, intellectual property theft, insider trading, and fraud.
Azure AD joined devices
Win 10 devices and virtual machines running Windows Server 2019 that users can sign in to with Azure AD or synced AD work or school accounts only.
DLP Policies
Allow you to identify, monitor, and protect sensitive data across your cloud and on-premises solutions.
eDiscovery Export Tool
Allows you to download the search results of an eDiscovery content search. Limited to 100,000 mailboxes per download.
Protocol DDoS Attack
Attack designed to overwhelm a target server and make it inaccessible by flooding it with SYN packets.
Volumetric DDoS Attack
Attack that floods the network with high levels of seemingly legitimate traffic, such as UDP packets, targeting random ports.
Resource (application) layer DDoS Attack
Attack that uses HTTP protocol violations to target web application packets and disrupt data transmission between hosts.
Basic Auditing
Audit records retained for 90 days. Supports export to CSV file.
Azure Arc
Deployed to extend Azure Defender capabilities to a hybrid environment, including 3rd-party cloud environments like AWS. Arc-enabled servers become Azure resources and can therefore be monitored and protected by the Azure Defender service.
Privileged access management (PAM)
Designed to provide just-in-time and just-enough access, defined and scoped at the task level.
eDiscovery hold
Feature of Core eDiscovery that places M365 resources/containers on hold indefinitely, until the hold is removed or deleted.
Azure Policies
Help enforce standards and assess compliance of Azure resources across your organization.
Password Hash Synchronization (PHS)
Hybrid identity sign-in method that syncs a hash of the end user's password to Azure AD. Enables user authentication directly in Azure AD without the involvement of on-premises components.
System assigned managed identity
Identity that acts as a service principal, is linked to an Azure resource, and is automatically deleted when the resource is deleted.
Microsoft Secure Score
In the M365 security center, a centralized dashboard that gives you a view of your company's security posture.
Azure AD registered devices
Include Win 10 and mobile devices, typically personal devices, that use a personal Microsoft account or another account to sign in. Enables a company to use tools like Microsoft Intune to enforce standards for security and compliance on the devices.
Attack Simulator
Lets you identify vulnerabilities by running realistic attack scenarios.
Sensitivity Labels
Part of the Microsoft Information Protection (MIP) solution that lets you classify and protect your data. Each item can have only one sensitivity label; labels are configured in a label policy, and a single label policy can include multiple labels.
Microsoft Endpoint Manager admin center
Portal to define and deploy policies for Android, iOS, and Windows devices.
Zero Trust Methodology
Principles of verify explicitly, least-privilege access, and assume breach.
Threat Trackers
Provide the most recent information on cybersecurity issues.
Network Map
Provided with Azure Security Center as a way to continuously monitor your network security status, including network topology, node connections, and node configuration.
Microsoft 365 Defender
Provides XDR capabilities for identities, endpoints, cloud apps, email, and documents. Includes self-healing technology that automates remediation activities more than 70% of the time.
Hybrid Identity
Provides a common user identity for authentication and authorization to all resources, irrespective of their location (on-premises or cloud-based).
ExpressRoute
Provides a way to create and maintain secure connections between Microsoft datacenters and your on-premises infrastructure. Connections do not go over the public internet.
Activity Explorer
Provides a detailed historical view of what is being done with sensitivity label activities, retention label activities, Azure Information Protection activities, and Data Loss Prevention policy match events.
Azure AD Connect
Provides identity synchronization between on-premises AD and Azure AD in a hybrid network environment.
Azure Security Benchmark (ASB)
Provides best-practice recommendations developed by Microsoft's cybersecurity group and the Center for Internet Security (CIS) to help improve the security of data, services, and workloads.
Multifactor Authentication (MFA)
Requires more than one form of verification, improving the security of an identity.
eDiscovery Content Search
Search for or delete content in an unlimited number of Exchange mailboxes and SharePoint sites.
Azure Monitor
Security tool designed to collect, analyze, and act on telemetry from your cloud and on-premises environments. The information collected is used to help you determine how well your apps are performing and to proactively identify potential issues.
Azure Defender
Security tool that supports security alerts and advanced threat protection for cloud-based and on-premises networks, data, servers, and other resources.
Pass-through Authentication (PTA)
Sign-in method that enables hybrid identity. Requires installation of a lightweight on-premises agent that reacts to sign-in requests in the cloud and validates the username/password against on-premises AD.
Authorization
The process of granting an identity the permission to do something.
Authentication
The process through which you prove you are who you say you are.
Encryption
The secure encoding of data, used to protect data confidentiality.
Microsoft Defender for Endpoint & Microsoft Defender for Office 365
Two services whose information is consolidated in the Microsoft 365 security center.
Windows Hello for Business
Uses a PIN or biometric data tied to a device to authenticate users; does not transmit the data to an external server.
Azure Network Security Group (NSG)
Used to filter traffic to or from Azure resources in your VNet.
Customer Lockbox
Used to provide access to customer data when Microsoft engineers are needed to help troubleshoot and fix reported issues. Prevents access to user data without explicit approval.
Azure Disk Encryption for Windows VMs
Uses the Windows BitLocker feature for volume encryption of Azure VMs. Requires Azure Key Vault for key storage.
Conditional Access
Uses signals from the user and their device to control access to your org's resources.