Playbook

Implement a security model that assumes breach and requires verification for every request.

→Adopt the Zero Trust security model.

Why: Operates on three core principles: Verify explicitly, use least privilege access, and assume breach. It is a strategic approach, not a single product.

Reference↗

Define security ownership boundaries for cloud services.

→Apply the Shared Responsibility Model. Customer is always responsible for: Information & data, Devices (endpoints), Accounts & identities.

Why: Cloud provider responsibility increases from IaaS to PaaS to SaaS, but the customer always retains responsibility for their data and access management.

Protect against the failure of a single security layer.

→Implement a multi-layered security strategy (Defense in Depth) across physical, identity, perimeter, network, compute, app, and data layers.

Why: A breach in one layer is slowed or contained by subsequent layers, reducing the overall risk and impact of an attack.

Differentiate between verifying a user's identity and granting them permissions.

→Use Authentication (AuthN) to verify identity (prove you are who you say you are). Use Authorization (AuthZ) to determine an authenticated identity's access rights (what you are allowed to do).

Why: Authentication must always happen before authorization. A user can be authenticated but not authorized to access a specific resource.

Protect data confidentiality when it is stored and when it is being transmitted.

→Use Encryption at Rest for stored data (e.g., on disks, in databases). Use Encryption in Transit for data moving over a network (e.g., TLS/SSL).

Why: Protects against different threat vectors. Encryption at rest mitigates physical theft of storage media, while encryption in transit prevents eavesdropping.

Manage user identities and access for cloud and on-premises resources from a single control plane.

→Use Microsoft Entra ID as the centralized identity provider.

Why: Provides a single source of truth for identity, enabling Single Sign-On (SSO), multi-factor authentication (MFA), and consistent access policies across the hybrid environment.

Enforce dynamic, risk-based access controls for applications and data.

→Configure Microsoft Entra Conditional Access policies.

Why: This is the Zero Trust policy engine. It evaluates signals (user, location, device health, risk) to enforce decisions like requiring MFA, limiting session access, or blocking access.

Reference↗

Minimize security risks associated with standing administrative privileges.

→Implement Microsoft Entra Privileged Identity Management (PIM) for Azure and Microsoft 365 roles.

Why: Provides Just-In-Time (JIT) access, requiring users to activate roles when needed. Activation can require MFA, justification, and/or approval, drastically reducing the attack surface. Requires Entra ID P2.

Eliminate password-based attack vectors like phishing and password spray.

→Implement passwordless authentication methods such as Windows Hello for Business, FIDO2 security keys, or the Microsoft Authenticator app.

Why: Offers a more secure and user-friendly alternative to passwords by relying on biometrics or cryptographic keys tied to a physical device.

Provide users with a single identity for both on-premises and cloud resources.

→Synchronize on-premises Active Directory with Microsoft Entra ID using Microsoft Entra Connect.

Why: Creates a common user identity, enabling seamless Single Sign-On (SSO) and consistent access management across the hybrid environment.

Allow external partners to access company resources without creating and managing accounts for them.

→Use Microsoft Entra B2B (Business-to-Business) collaboration.

Why: Invites external users as guests who use their own corporate or social identities to authenticate, reducing administrative overhead and security risks.

Proactively detect and automatically respond to identity-based threats.

→Enable Microsoft Entra ID Protection.

Why: Uses machine learning to detect identity risks (e.g., leaked credentials, sign-ins from anonymous IPs). Risk signals can be used in Conditional Access to trigger automated responses like forcing a password reset or MFA.

Enable Azure-hosted applications to access other Azure resources without managing credentials in code.

→Assign a Managed Identity to the Azure resource (e.g., VM, App Service).

Why: Eliminates the need for developers to handle secrets, connection strings, or certificates. Azure automatically manages the lifecycle of the identity.

Reduce helpdesk workload and empower users to resolve their own account lockouts or forgotten passwords.

→Configure Self-Service Password Reset (SSPR) in Microsoft Entra ID.

Why: Allows users to securely reset their passwords after verifying their identity using pre-registered methods (e.g., phone, authenticator app, security questions).

Periodically validate that user access to applications and privileged roles is still necessary.

→Schedule recurring Microsoft Entra Access Reviews.

Why: Automates the access review process, ensuring that the principle of least privilege is maintained over time by removing unnecessary access rights.

Aggregate security data from across the enterprise for threat detection and automate incident response.

→Deploy Microsoft Sentinel.

Why: Acts as a cloud-native Security Information and Event Management (SIEM) for data collection and analysis, and a Security Orchestration, Automation, and Response (SOAR) platform using Playbooks for automated actions.

Reference↗

Continuously assess and harden the security configuration of cloud resources.

→Use Microsoft Defender for Cloud for its Cloud Security Posture Management (CSPM) capabilities.

Why: Provides a Secure Score, actionable security recommendations, and tracks compliance against regulatory standards to improve the overall security posture.

Protect cloud and hybrid workloads like VMs, containers, and databases from advanced threats.

→Enable the specific Defender plans (Cloud Workload Protection - CWP) within Microsoft Defender for Cloud.

Why: Provides advanced, workload-specific threat detection and protection capabilities, such as endpoint detection for servers and vulnerability scanning for container registries.

Investigate and respond to complex attacks that span endpoints, email, identities, and cloud apps.

→Use Microsoft 365 Defender.

Why: Provides an Extended Detection and Response (XDR) solution that correlates alerts from multiple Microsoft Defender products into a single incident, offering a unified investigation and response experience.

Protect user devices (endpoints) from malware, ransomware, and other sophisticated attacks.

→Deploy Microsoft Defender for Endpoint.

Why: Provides preventative protection, post-breach detection (EDR), automated investigation, and response capabilities to secure endpoints.

Protect against phishing, business email compromise, and malicious attachments in email and collaboration tools.

→Implement Microsoft Defender for Office 365.

Why: Offers advanced threat protection features like Safe Attachments (detonation chamber) and Safe Links (URL rewriting and scanning) for Microsoft 365 services.

Detect attacks targeting on-premises Active Directory infrastructure.

→Deploy Microsoft Defender for Identity.

Why: Monitors on-premises AD signals to detect advanced threats, compromised identities, and malicious insider actions that are often precursors to major breaches.

Discover unauthorized cloud applications ("shadow IT") used by employees and control data flow to sanctioned apps.

→Use Microsoft Defender for Cloud Apps.

Why: Functions as a Cloud Access Security Broker (CASB) to provide visibility into cloud app usage, assess risk, enforce policies, and protect against threats in the cloud.

Control network traffic between Azure resources within a virtual network.

→Apply Network Security Groups (NSGs) to subnets and/or network interfaces.

Why: Acts as a basic, stateful packet-filtering firewall to allow or deny traffic based on IP address, port, and protocol. It is a fundamental network security control.

Centrally protect all virtual network resources with an intelligent, managed firewall service.

→Deploy Azure Firewall in a hub VNet.

Why: A fully managed, cloud-native firewall as a service that provides threat intelligence-based filtering, high availability, and unrestricted scalability.

Protect public-facing applications in Azure from being overwhelmed by Distributed Denial of Service attacks.

→Enable Azure DDoS Protection Standard on the virtual network.

Why: Provides enhanced mitigation capabilities, including adaptive tuning, attack analytics, and cost protection, beyond the default infrastructure-level protection.

Provide secure RDP and SSH access to Azure VMs without exposing management ports to the public internet.

→Deploy Azure Bastion in the virtual network.

Why: Provides a secure, browser-based connection to VMs via the Azure portal over TLS, eliminating the need for public IP addresses on the VMs and reducing the attack surface.

Classify and protect sensitive documents and emails based on their content, regardless of where they are stored or sent.

→Use Microsoft Purview Information Protection with Sensitivity Labels.

Why: The labels apply persistent protection (encryption, content marking, access restrictions) that travels with the data, ensuring it remains protected throughout its lifecycle.

Reference↗

Prevent users from accidentally or intentionally sharing sensitive information (e.g., credit card numbers, PII) outside the organization.

→Configure Microsoft Purview Data Loss Prevention (DLP) policies.

Why: DLP policies identify, monitor, and automatically apply protective actions to sensitive content across Microsoft 365 services, endpoints, and cloud apps.

Assess, manage, and track compliance with industry regulations and standards like GDPR, HIPAA, and ISO 27001.

→Use Microsoft Purview Compliance Manager.

Why: Provides a centralized dashboard with a compliance score, pre-built assessment templates, and recommended improvement actions to simplify compliance management.

Automatically retain content for a required period and delete it when it's no longer needed for business or regulatory reasons.

→Implement Microsoft Purview Data Lifecycle Management using retention policies and retention labels.

Why: Enforces data governance policies across Microsoft 365 to manage the content lifecycle, reduce risk, and comply with regulations.

A legal matter requires identifying, preserving, and collecting electronic data from Microsoft 365.

→Use Microsoft Purview eDiscovery (Standard or Premium).

Why: Provides the tools to search for relevant content, place it on legal hold to prevent modification or deletion, and export it for legal review.

Detect and investigate potential data theft or security policy violations by employees.

→Configure Microsoft Purview Insider Risk Management.

Why: Correlates various signals from Microsoft 365 to identify potentially risky insider activities and provides workflows to investigate and act upon them.

A regulated company needs to prevent communication between specific departments (e.g., traders and analysts) to avoid conflicts of interest.

→Implement Microsoft Purview Information Barriers.

Why: Enforces policies that restrict communication and collaboration between defined user groups in Microsoft Teams, SharePoint, and OneDrive.

Create a comprehensive, up-to-date map of all data assets across on-premises, multicloud, and SaaS environments.

→Use the Microsoft Purview Data Map and Data Catalog.

Why: Automates data discovery, sensitive data classification, and lineage tracking to provide a holistic view of the data estate for effective governance.

Detect, capture, and act on inappropriate messages (e.g., harassment, sharing of secrets) in company communications.

→Deploy Microsoft Purview Communication Compliance.

Why: Helps minimize communication risks by using machine learning to detect policy violations in email, Teams, and other channels for review.

Ensure that Microsoft support engineers cannot access your organization's data without your explicit, auditable approval.

→Enable Customer Lockbox for Microsoft 365 or Azure.

Why: Provides an interface for customers to approve or reject data access requests from Microsoft engineers, giving you final control in rare support scenarios.

Investigate a security incident or compliance issue by reviewing user and administrator activities across Microsoft 365.

→Search the Microsoft Purview Audit (Standard or Premium) log.

Why: Provides a unified audit trail of activities across services like Exchange Online, SharePoint Online, OneDrive, and Entra ID for forensic investigation.