NJIT Public KB

Cheatsheet Overview

Mon, 01 Jan 0001 00:00:00 +0000

1. M365 Core Services & Architecture

1.1. Exchange Online: Mail flow troubleshooting, shared mailboxes, hybrid concepts.
1.2. SharePoint Online & OneDrive: External sharing configurations, site architecture, sync client troubleshooting.
1.3. Microsoft Teams: Meeting policies, app governance, and standardizing team creation.
1.4. Service-Wide: Troubleshooting issues and data consistency across the ecosystem.

2. Identity & Access (Entra ID)

2.1. Identity Lifecycle: Understanding the flow from HR systems to Active Directory to Entra ID (JML - Joiners, Movers, Leavers).
2.2. Conditional Access (CA): Best practices for CA policies, troubleshooting sign-in logs, and managing exclusions securely.
2.3. Authentication: MFA enforcement, Self-Service Password Reset (SSPR), and modern authentication protocols.

3. Governance & Compliance (Purview)

Intro to ITIL

Mon, 01 Jan 0001 00:00:00 +0000

ITIL 4 is a globally recognized framework for IT Service Management (ITSM) that focuses on co-creating value with the business through a Service Value System, guiding principles, and continual improvement. It is the most widely adopted guidance for IT Service Management (ITSM) worldwide. In its current iteration, ITIL 4, the framework provides a practical and flexible approach to support organizations in their digital transformation journeys. It shifts the focus from managing isolated IT processes to adopting a holistic, systems-thinking approach that emphasizes the co-creation of value between IT service providers, customers, and other stakeholders.

Intro to PRINCE2

Mon, 01 Jan 0001 00:00:00 +0000

PRINCE2 is a widely used project management method that provides a structured approach to managing projects by dividing it into seven processes. It emphasizes the importance of clear objectives, defined roles and responsibilities, and a focus on progress monitoring and control throughout the project lifecycle.

PRINCE2, an acronym for PRojects IN Controlled Environments, is a globally recognized, structured project management methodology. It provides a process-based approach designed to enhance organization and control within projects, focusing on the effective management of resources and risks. Central to PRINCE2 is its emphasis on product-based planning, meaning the methodology centres on the definition, delivery, and quality of specific project outputs or ‘products’. These products must meet clearly defined quality criteria and contribute to achieving a justified business case, ensuring the project delivers tangible value.

Intro to Scrum

Mon, 01 Jan 0001 00:00:00 +0000

From the official Scrum guide the definition of Scrum is:

…a lightweight framework that helps people, teams and organizations generate value through adaptive solutions for complex problems.

A guide to Scrum

Mon, 01 Jan 0001 00:00:00 +0000

If you would like to, you can read the official Scrum guide here:

Scrum is a lightweight framework to help teams develop a Product of value via a lean and adaptable approach. The theory behind it is based on the following fundamentals of Scrum:

Intro to ISO 19011

Mon, 01 Jan 0001 00:00:00 +0000

ISO 19011 is an international standard that offers guidelines for auditing management systems. We use these guidelines to audit clients’ information security management systems (like ISO 27001 and other similar frameworks).

Additionally, ISO 19011 can be applied to a variety of other systems, such as quality management systems (ISO 9001) and environmental management systems (ISO 14001). These guidelines are designed to ensure that audits are conducted consistently and effectively, and include:

Intro to ISO 27001

Mon, 01 Jan 0001 00:00:00 +0000

ISO 27001 is an international standard that provides guidelines for establishing, implementing, maintaining, and continually improving an information security management system (ISMS)

ISO 27001 is designed to help organisations manage the security of assets such as financial information, intellectual property, employee details, and information entrusted by third parties. The requirements for aligning to this standard are seperated into two components:

Clauses: The ideas/framework for an organisation to follow when managing risks.
Controls: Specific measures an organisation can implement to manage and reduce risks.

When assessing an organisation on their alignment with this standard, the ISO 19011 methodology of Management Systems auditing should be followed.

The 7 Guiding Principles

Mon, 01 Jan 0001 00:00:00 +0000

The 7 Guiding Principles are recommendations that can guide an organization in all circumstances, regardless of changes in its goals, strategies, type of work, or management structure. They are the core messages of ITIL and of service management in general.

1. Focus on value

Explanation: Everything the organization does should link back, directly or indirectly, to value for itself, its customers, and other stakeholders. Value is not just financial; it includes customer experience and user experience.
Application: Understand who the consumers of the service are and what they consider valuable. Map value streams and ruthlessly eliminate activities that do not contribute to value creation. Continuously evaluate whether an action or process is actively delivering or supporting value.

2. Start where you are

Explanation: Do not start from scratch and build something new without considering what is already available to be leveraged. There is often a great deal of value in existing services, processes, programs, projects, and people.
Application: Objectively assess the current state using direct observation and measurement. Identify what works well and can be reused or improved, rather than discarding everything to build from the ground up.

3. Progress iteratively with feedback

Explanation: Resist the temptation to do everything at once. Organize work into smaller, manageable sections that can be executed and completed in a timely manner, making it easier to maintain a sharp focus on each effort.
Application: Use agile methodologies to deliver work in iterations. Continuously gather and respond to feedback from stakeholders before, during, and after each iteration to ensure the work remains focused, relevant, and adaptable to changing circumstances.

4. Collaborate and promote visibility

Explanation: When initiatives involve the right people in the right roles, efforts benefit from better buy-in, more relevance, and increased likelihood of long-term success. Hidden work leads to duplication of effort, risks going unmanaged, and creates a lack of trust.
Application: Break down silos. Ensure that work, progress, and even failures are shared transparently across the organization. Communicate clearly and involve stakeholders at all levels to build trust, share understanding, and make better decisions.

5. Think and work holistically

Explanation: No service, practice, process, department, or supplier stands alone. The outcomes achieved by the service provider and service consumer will suffer unless the organization works on the whole rather than just its individual parts.
Application: Recognize the complexity of the systems involved. Ensure that all Four Dimensions of Service Management are considered in any initiative. Understand how different parts of the organization and external partners interact to co-create value along the entire service value chain.

6. Keep it simple and practical

Explanation: Always use the minimum number of steps needed to accomplish an objective. Outcome-based thinking should be used to produce practical solutions that deliver results without unnecessary bureaucracy.
Application: Eliminate processes, services, actions, or metrics that fail to provide value or produce a useful outcome. If a process, service, action, or metric provides no value, eliminate it. Focus on doing the essentials very well rather than overcomplicating procedures.

7. Optimize and automate

Explanation: Organizations must maximize the value of the work carried out by their human and technical resources. Technology can help organizations scale up and take on frequent, repetitive tasks, freeing human resources for more complex work.
Application: Streamline and optimize processes to make them as efficient as possible before applying automation. Attempting to automate a flawed process will only result in flawed outcomes happening faster. Use human intervention only where it truly adds value, such as in complex decision-making, strategic thinking, or empathetic customer interactions.

In closing

These principles are universally applicable and intended to guide decisions and actions at all levels of the organization. They do not prescribe specific tasks, but rather provide a mindset and culture to support successful service management, agile operations, and the continuous realization of value. When faced with a challenge or decision, practitioners should refer back to these principles to ensure they remain aligned with the core philosophy of ITIL 4.

The 7 Principles

Mon, 01 Jan 0001 00:00:00 +0000

The 7 Principle’s are:

1. Continued Business Justification

Explanation: This principle mandates that a valid, justifiable reason must exist for initiating a project, and this justification must remain valid throughout the project’s entire lifecycle. The core of this justification lies in the project being desirable (benefits outweigh costs and risks), viable (capable of being delivered), and achievable. This rationale is formally documented and maintained in the Business Case.

1.1) Exchange Online

Mon, 01 Jan 0001 00:00:00 +0000

1. Mail Flow & Routing Troubleshooting

Message Trace: The primary diagnostic tool for mail delivery issues. Use the Exchange Admin Center (EAC) for messages within the last 10 days; use Historical Search for up to 90 days.
Mail Flow Rules (Transport Rules):
- Always verify rule execution order (Priority).
- Ensure “Stop processing more rules” is used deliberately to prevent conflicting actions.
- Test new rules in “Test with Policy Tips” or “Test without Policy Tips” mode before enforcement.
Connectors:
- Validate inbound/outbound connectors for third-party filtering services (e.g., Mimecast, Proofpoint) or on-premises environments.
- Check TLS certificate requirements and IP whitelisting.
Accepted Domains: Verify authoritative vs. internal relay configurations to prevent routing loops.

2. Recipient Management & Governance

Shared Mailboxes:
- Governance: Do not apply licenses to shared mailboxes unless they exceed 50GB or require a continuous In-Place Archive.
- Permissions: Distinguish between FullAccess (read/manage) and SendAs / SendOnBehalf rights. Note that FullAccess does not automatically grant sending rights.
- Automapping: Managed via PowerShell (Add-MailboxPermission -AutoMapping $false if users complain about Outlook client performance issues due to too many shared mailboxes).
Group Types:
- Distribution Lists (DLs): Legacy broadcast communication. Ensure message approval or sender restrictions are applied to large DLs.
- Microsoft 365 Groups: Modern collaboration (tied to SharePoint/Teams). Enforce naming policies and expiration policies via Entra ID.
Resource (Room/Equipment) Mailboxes:
- Manage automated booking via Set-CalendarProcessing.
- Configure capacity, booking windows, and delegate approval for restricted rooms.

3. Security, Protection & Authentication

Email Authentication Standards:
- SPF (Sender Policy Framework): Validates outbound sending IPs. Keep DNS lookups under the 10-limit threshold.
- DKIM (DomainKeys Identified Mail): Cryptographic signing of outbound emails. Ensure CNAME records are published and DKIM is actively enabled in Microsoft 365 Defender.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Policy enforcement (p=none, quarantine, reject). Review DMARC aggregate reports before moving to strict enforcement.
Access Control:
- Verify Basic Authentication is permanently disabled across the tenant.
- Control client access (e.g., restricting POP/IMAP) via Client Access Rules or CAS Mailbox settings.
Protection Policies (EOP & Defender for Office 365):
- Review Anti-Spam, Anti-Phishing, and Anti-Malware policies.
- Manage Safe Links and Safe Attachments policies (ensure they do not conflict with third-party security gateways).

4. Hybrid Environment Considerations (Enterprise)

Attribute Authority: In an AD-synced environment, Exchange attributes (e.g., proxyAddresses, targetAddress, mailNickname) must be managed on-premises via ADUC or an on-premises Exchange Management Server.
Routing in Hybrid: Understand the role of the targetAddress (typically alias@tenant.mail.onmicrosoft.com) for routing mail from on-premises to cloud mailboxes.
Cross-Premises Permissions: SendAs and ReceiveAs permissions do not reliably span across on-premises and Exchange Online boundaries; migrations of delegates and shared mailboxes must be batched together.

5. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module)

Connection: Connect-ExchangeOnline
Diagnostics:
- Get-MessageTrace -SenderAddress user@domain.com -StartDate (Get-Date).AddDays(-2)
Permissions:
- Get-MailboxPermission -Identity "Shared Mailbox"
- Add-RecipientPermission -Identity "Mailbox" -Trustee "User" -AccessRights SendAs
Mailbox Configuration:
- Set-Mailbox -Identity user@domain.com -HiddenFromAddressListsEnabled $true
- Set-CASMailbox -Identity user@domain.com -ImapEnabled $false -PopEnabled $false

1.2) SharePoint Online and OneDrive

Mon, 01 Jan 0001 00:00:00 +0000

1. Architecture & Site Governance

Flat Architecture: Modern SharePoint relies on a “flat” structure using Hub Sites rather than legacy subsites.
- Hub Sites: Used to logically connect related sites (e.g., all “HR” sites) for shared navigation, branding, and search scope. Sites can only belong to one Hub at a time.
Site Types:
- Team Sites: Backed by an M365 Group (includes shared inbox, calendar, Planner, Teams integration). Best for internal team collaboration.
- Communication Sites: No M365 Group. Best for broad broadcasting (e.g., Intranet homepage, company-wide news).
Storage Management: Manage tenant-level storage limits. Configure site-level storage quotas to prevent single sites from consuming the entire tenant allocation.

Tenant vs. Site Limits: The tenant-level sharing setting acts as a ceiling. A site-level setting cannot be more permissive than the tenant-level setting.
- Hierarchy: Anyone (Anonymous) > New and Existing Guests > Existing Guests > Only People in Your Organization.
Entra External ID (B2B collaboration) Integration: Ensure SharePoint and OneDrive integration with Entra External ID (B2B collaboration) is enabled so guests get a seamless authentication experience via Entra ID rather than legacy SharePoint guest accounts.
Access Expiration: Configure guest access expiration policies at the tenant level (e.g., guests must be renewed every 90 days).

3. Permissions & Access Control

M365 Group Permissions vs. SharePoint Permissions:
- Team sites rely on the underlying M365 Group (Owners/Members) for primary access.
- Avoid using legacy SharePoint Groups (Visitors/Members/Owners) on group-connected Team Sites unless specifically required for granular, non-group access.
Item-Level Permissions (Broken Inheritance):
- Discourage breaking inheritance at the folder/file level at scale, as it creates massive administrative overhead and impacts performance.
- If a sub-folder requires different permissions, it usually warrants a separate Document Library or a separate Site.
Access Requests: Ensure the “Access Request” email is routed to active site owners, not an orphaned user account.

4. OneDrive for Business (Enterprise Management)

Known Folder Move (KFM): Deployed via Intune/Group Policy to silently redirect Desktop, Documents, and Pictures to OneDrive. Essential for device backup and seamless hardware replacements.
Sync Client Troubleshooting:
- Common issues involve file path limits (256/400 characters), invalid characters, or conflicting file locks.
- Use the OneDrive admin center (now merged into the SharePoint admin center) to track sync health across the organization.
User Offboarding:
- When an Entra ID account is deleted, the OneDrive retention period begins (default is 30 days, often increased to 93 or 3650 days via retention policies).
- Manager access: By default, the user’s manager (defined in Entra ID) is granted a link to the OneDrive data to salvage files before deletion.

5. Essential PowerShell Cmdlets (PnP PowerShell)

PnP PowerShell is the industry standard for SharePoint Online management, preferred over the native SharePoint Online Management Shell.

1.3) Microsoft Teams

Mon, 01 Jan 0001 00:00:00 +0000

1. Governance & Lifecycle Management

Provisioning Strategy: In an enterprise, self-service Team creation is often disabled to prevent sprawl. If disabled, ensure the provisioning workflow (usually via Power Automate, ServiceNow, or a custom app) is documented and functional.
Naming Conventions: Enforced via Entra ID (e.g., [Department] - [Project Name]). Ensure blocked word lists are configured to prevent users from creating a team called “HR” or “Payroll”.
Lifecycle & Expiration: Backed by M365 Groups. Set expiration policies (e.g., 365 days) that trigger renewal emails to Team owners. Orphaned Teams (owners have left the company) must have an escalation path for reassignment or archiving.
Archiving: Archiving a Team makes the SharePoint site read-only and freezes the chat. This is preferred over deletion for compliance purposes unless governed by a strict retention policy.

2. External Collaboration & Access Types

External Access (Federation): * Allows users to find, call, and chat with people in other Microsoft 365 domains.
- Does not grant access to Teams channels, files, or SharePoint.
- Configure allowed/blocked domains via the Teams Admin Center to prevent data leakage via chat.
Guest Access:
- Grants external users access to specific Teams, channels, and files via Entra External ID (B2B collaboration).
- Must be enabled at the Tenant level (Teams Admin Center), Group level (M365 Groups), and Site level (SharePoint).
Shared Channels (B2B Direct Connect):
- Allows sharing a single channel with external organizations without adding them as guests to the tenant.
- Requires configuring cross-tenant access settings in Entra ID (both inbound and outbound) for specific partner organizations.

3. Meeting, Calling, & Device Policies

Meeting Policies:
- Lobby Management: Crucial for security. Ensure external users and guests bypass the lobby only if explicitly desired; the safest default is “People in my organization.”
- Recording & Transcription: Determine who can record (e.g., organizers and presenters only). Recordings now save to OneDrive (for 1:1/group chats) or SharePoint (for channel meetings). Configure auto-expiration for recordings to save storage.
Telephony / Voice (Enterprise):
- Understand their PSTN connectivity model: Calling Plans (Microsoft provides numbers), Operator Connect (managed third-party carrier), or Direct Routing (on-premises/cloud SBCs).
- Voice Routing: For Direct Routing, trace the path from the user’s Dial Plan -> Voice Routing Policy -> PSTN Usage -> Voice Route.
Resource Accounts: Used for Auto Attendants and Call Queues. They require a “Microsoft Teams Shared Devices” license or a free “Microsoft Teams Phone Resource Account” license to function.

4. App Governance & Management

Permission Policies: Controls who can install specific apps. The enterprise standard is usually to block all third-party apps by default and require a security/compliance review before adding them to an Allow list.
Setup Policies: Controls the “Left Rail” (app bar) in the Teams client. Use this to pin critical company apps (e.g., Viva Connections, ServiceNow) and define the default layout for different departments.
Custom Apps: Manage the catalog of line-of-business (LOB) apps uploaded by developers.

5. Troubleshooting & Diagnostics

Call Quality Dashboard (CQD): The primary tool for investigating dropped calls, jitter, and poor audio. Link building subnets to the CQD to isolate network issues to specific office locations.
The “New Teams” Client (v2):
- Architecture is now WebView2 (no longer Electron).
- Cache Clearing: The path has changed. Delete contents in %localappdata%\Packages\MSTeams_8wekyb3d8bbwe\LocalCache\Microsoft\MSTeams.
Presence Issues: Usually caused by calendar sync delays with Exchange Online or stale cache. Verify the user’s status isn’t manually locked (e.g., set to “Duration”).
Teams Web App: Always use the web app https://teams.microsoft.com/v2/ as the first troubleshooting step to isolate client-side vs. tenant-side issues.

6. Essential PowerShell Cmdlets (MicrosoftTeams Module)

Connection: Connect-MicrosoftTeams
Team Management:
- Get-Team -User user@domain.com (Find all Teams a user belongs to).
- Set-Team -GroupId <ObjectID> -Visibility Private
Policy Assignment:
- Grant-CsTeamsMeetingPolicy -Identity user@domain.com -PolicyName "Restricted Meetings"
Voice Configuration (Direct Routing):
- Get-CsOnlineUser -Identity user@domain.com | Format-List LineURI, EnterpriseVoiceEnabled, VoiceRoutingPolicy

1.4) Service-wide

Mon, 01 Jan 0001 00:00:00 +0000

1. The M365 Group (The Connective Tissue)

The Blast Radius: M365 Groups are the underlying identity and access framework for modern collaboration. Creating a Group automatically provisions an Exchange Mailbox/Calendar, a SharePoint Team Site, a OneNote notebook, and a Planner plan. Adding Teams is an optional overlay.
Deletion & Recovery: Deleting a Team or a Group-connected SharePoint site deletes the entire M365 Group and all associated data across every workload.
- Soft-deleted groups can be restored within 30 days via the Entra ID portal or Exchange Admin Center.
Naming & Expiration Policies: Administered centrally in Entra ID, these policies cascade down. If an M365 Group expires and is not renewed by the owner, all connected services (Teams, SharePoint, Exchange) are deleted.

2. Data Sync & Propagation Delays (The “Wait 24 Hours” Rule)

Identity Sync (Entra ID to M365): Changes to user attributes (UPN, Name, Title) or Group memberships in Entra ID often take time to reflect across the ecosystem.
- Exchange Online and SharePoint usually update within 15–60 minutes.
- The Microsoft Teams client relies heavily on local caching and can take up to 24–48 hours to fully reflect profile changes or new group access.
Search Indexing: Newly uploaded files in SharePoint/OneDrive or newly created Teams channels are not instantly searchable. Microsoft Search relies on continuous background crawling. If an entire site is missing from search, you can request a re-index via SharePoint Site Settings, but execution time is governed by Microsoft’s backend load.
Offline Address Book (OAB): For users running Outlook in Cached Exchange Mode, new hires or deleted users will not show up in the Global Address List immediately. Force an OAB download via the Outlook Send/Receive tab to isolate sync issues.

3. Microsoft Search & Information Architecture

Security Trimming: Microsoft Search (across Bing for Business, SharePoint, and Teams) is strictly security-trimmed. Users will only see results for files and sites they have explicit permission to access. If a user complains they can’t find a document, it is almost always a permissions issue, not a search engine failure.
Oversharing Risks: Because Search aggregates data across the tenant, poorly permissioned SharePoint sites or over-permissioned Teams channels (e.g., using “Everyone except external users”) will surface sensitive documents in routine employee searches.
Bookmarks & Q&A: Managed via the M365 Admin Center (Search & Intelligence). Use these to promote official company resources (e.g., HR portals, IT Helpdesk) to the top of search results.

4. Licensing & Service Plans

License Composition: Enterprise licenses (E3/E5) are not monolithic; they are bundles of individual “Service Plans” (e.g., Exchange Online Plan 2, SharePoint Plan 2, Sway, Planner, Viva Insights).
Granular Troubleshooting: If a user has an E3 license but cannot access Planner or Stream, check their specific license assignment in Entra ID or the M365 Admin Center. Individual service plans can be toggled off by administrators or group-based licensing policies.
Group-Based Licensing: In an enterprise environment, licenses should never be assigned manually. They must be managed via Entra ID Security Groups. Troubleshooting missing licenses requires checking the user’s group membership and the licensing group’s assignment logs.

5. Essential PowerShell Cmdlets (Microsoft Graph)

The MSOnline and AzureAD modules are deprecated. Microsoft Graph PowerShell is the required standard for cross-platform and identity management.

Key concepts of ISO 19011:2018 video

Mon, 01 Jan 0001 00:00:00 +0000

If you prefer a visual breakdown over reading through documentation, this 10-minute video is the fastest way to get up to speed. It covers the core pillars of ISO 19011:2018, including audit principles and program management, in a concise, easy-to-digest format.

Overview of the ISO 27001 Clauses

Mon, 01 Jan 0001 00:00:00 +0000

The requirements for an organization’s Information Security Management System (ISMS) in ISO 27001 are outlined in Clauses 4 to 10. These clauses are:

Context of the organization
Leadership
Planning
Support
Operation
Performance evaluation
Improvement

The following is a brief description of each of these clauses.

Clause 4: Context of the organization

An organization’s ISMS needs to document its purpose. It states requirements like:

4.1) The organization needs to identify internal and exteral issues relevant to it and it’s ability to have a successful ISMS.
4.2 a) The organization needs to identify stakeholders.
4.2 b) The organization needs to identify each stakeholder’s needs.
4.3) The scope of the ISMS needs to be defined based on the above and made available as documented information.

Clause 5: Leadership

For an ISMS to be effective it needs support and commitment from top management. It states requirements like:

Scrum Table of Terms

Mon, 01 Jan 0001 00:00:00 +0000

Term	Definition
Product	The output of the project, it is something of value that has clearly defined stakeholders, users and boundaries
Product Goal	The future state of the Product, illustrating what the long-term goal of the Product is
Product Backlog	An evolving and prioritised list of work items that need to be done on to fulfill the Product Goal
Definition of Done	The set of standards that the work on a Product Backlog item must meet to be considered complete
Scrum Team	A small team of people working together on building the Product, working towards the Product Goal
Product Owner	The person accountable for the Product Backlog and ensuring the Product Goal is worked towards
Scrum Master	The person who acting as the coach for the team helps makes sure everyone is working effectively under Scrum
Developers	The people in the Scrum Team completing the work in the Product Backlog
Sprints	Fixed-length blocks of work done on the Product to complete items from the Product Backlog
Sprint Goal	A statement on why the current Sprint is valuable to stakeholders
Sprint Backlog	The selected Product Backlog items for a given Sprint along with the Sprint Goal and the plan for getting the work done within the Sprint
Increment	One or more “Done” work items that are a usable step towards the Product Goal
Scrum Events	Formal Scrum events that happen during every Sprint
Sprint Planning	The first Scrum Event where the Scrum Team establishes the Sprint Goal and Sprint Backlog for the current Sprint
Daily Scrum	A daily Scrum Event where the developers meet to review progress on the Sprint Goal and adapt the Sprint Backlog if required
Sprint Review	The second last Scrum Event where the Scrum Team and the Product stakeholders meet to review Sprint outcomes and the progress towards Product Goal
Sprint Retrospective	The last Scrum Event where the Scrum Team meet and review how the Sprint went

The 4 Dimensions of Service Management

Mon, 01 Jan 0001 00:00:00 +0000

The objective of an organization is to create value for its stakeholders, and this is achieved through the provisioning and consumption of services. To ensure that the Service Value System (SVS) functions properly and efficiently, organizations must consider all aspects of their behavior. In ITIL 4, these are represented by the Four Dimensions of Service Management.

Failing to address all four dimensions adequately can result in services becoming undeliverable, or failing to meet expectations of quality or efficiency.

The 7 Practices

Mon, 01 Jan 0001 00:00:00 +0000

The seven practices provide detailed guidance on how the PRINCE2 principles should be put into practice. In earlier versions they were referred to as ‘Themes’ but have been renamed to ‘Practices’ to better reflect the need for their consistent application rather than being viewed as static topics. Like other elements of PRINCE2, the application of these practices should be tailored to the specific context and complexity of the project.

These practices collectively form the control framework of PRINCE2. They are not merely areas of interest but active management disciplines through which the project manager and the Project Board ensure the project remains aligned with its objectives (Business Case, Quality, Plans), effectively manages uncertainty (Risk, Change), monitors performance against baselines (Progress), and maintains the necessary structure for governance (Organisation). They are the mechanisms that operationalize the principles and enable the structured control central to the PRINCE2 philosophy.

2.1) Identity Lifecycle

Mon, 01 Jan 0001 00:00:00 +0000

1. Source of Authority (SoA) & Synchronization

The Golden Rule of Hybrid: In a directory-synchronized environment Active Directory (On-Premises) is the Source of Authority.
- You cannot edit synced attributes (Name, Manager, Department, ProxyAddresses) directly in Entra ID or the M365 Admin Center. You must modify them on-premises and wait for the sync (or force it).
Sync Engines:
- Entra Connect Sync (formerly AAD Connect): The legacy/standard engine. Syncs every 30 minutes. Requires an on-premises server.
- Entra Cloud Sync: The modern, lightweight agent. Syncs every 2 minutes. Used for disconnected forests or simpler topologies.
Hard vs. Soft Match: When resolving duplicate accounts, understand how Entra ID matches on-premises AD users to cloud users.
- Soft Match: Matches based on UserPrincipalName or Primary SMTP Address.
- Hard Match: Matches based on SourceAnchor (usually the on-premises ObjectGUID converted to a Base64 string called ImmutableID in Entra).

2. The JML Process (Joiners, Movers, Leavers)

Joiners (Onboarding):
- Flow: HR System -> Active Directory -> Entra ID -> Licensing Group -> Mailbox/OneDrive Provisioned.
- Licensing: Never assign licenses directly to the user. Add the user to an Entra ID Security Group configured for Group-Based Licensing.
- Pre-Provisioning: M365 services (like Exchange and OneDrive) do not fully provision until the user is licensed and the backend service registers the license. Do not panic if a mailbox isn’t instantly available after sync.
Movers (Transitions):
- Access Accumulation: The biggest security risk. When users change departments, they often retain their old access.
- Mitigation: Rely on Dynamic Security Groups based on the Department or Title attribute so access is automatically revoked when HR updates the title.
Leavers (Offboarding):
- Standard Enterprise Workflow:
  1. Reset password / scramble on-premises.
  2. Block Sign-in (Entra ID).
  3. Revoke active refresh tokens (Force Sign-out).
  4. Wipe corporate data from personal devices (Intune App Protection) or wipe corporate devices.
  5. Convert to Shared Mailbox and remove M365 license (to free up the license pool while retaining data).
  6. Move user to a disabled OU on-premises (which either syncs as disabled or drops them from sync, depending on scoping rules).

3. Identity Governance & Entitlement Management (Requires Entra ID P2)

Access Packages: Used to bundle resources (SharePoint sites, Teams, Entra Groups, Enterprise Apps) into a single requestable package.
Access Reviews: Automated campaigns asking managers or resource owners to attest to whether users still need access to a specific group or application. Crucial for auditing privileged access.
Privileged Identity Management (PIM):
- Standard users should have zero standing access to admin roles (e.g., Global Admin, Exchange Admin).
- PIM requires admins to “elevate” their access just-in-time (JIT) for a set duration (e.g., 4 hours), requiring MFA and a ticket number for auditing.

4. Dynamic Groups & Attributes

Rule Syntax: Used heavily for automated licensing and app deployment.
- Example: (user.department -eq "Sales") -and (user.accountEnabled -eq true)
Processing Delay: Dynamic group membership is not instant. In a large tenant, it can take anywhere from a few minutes to several hours to recalculate after an attribute change.

5. Essential PowerShell Cmdlets (Microsoft Graph)

Connection: Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
Troubleshooting Sync/Attributes:
- Get-MgUser -UserId user@domain.com -Property OnPremisesSyncEnabled, OnPremisesImmutableId, UserPrincipalName
Offboarding Actions:
- Update-MgUser -UserId user@domain.com -AccountEnabled:$false (Block Sign-in)
- Revoke-MgUserSignInSession -UserId user@domain.com (Kills active sessions across all devices/apps)
Group Management:
- Get-MgGroup -Filter "groupTypes/any(c:c eq 'DynamicMembership')" (Lists all dynamic groups)

2.2) Conditional Access

Mon, 01 Jan 0001 00:00:00 +0000

1. Architecture & Core Concepts

The CA Engine: Conditional Access is the zero-trust policy engine of Entra ID. It evaluates Signals (Who, What, Where, Risk), makes a Decision (Block, Grant, Require MFA/Compliance), and applies Enforcement.
Evaluation Logic:
- Policies are evaluated simultaneously, not hierarchically.
- Block trumps all. If Policy A grants access and Policy B blocks access, the user is blocked.
Licensing: Requires Entra ID P1 (minimum) or P2 (for risk-based policies like Identity Protection).

2. Enterprise Baseline Policies (The “Must-Haves”)

Block Legacy Authentication: Blocks protocols that cannot prompt for MFA (e.g., POP, IMAP, older Office clients). This is the single most critical security policy.
Require MFA for All Users: Targets “All Users” and “All Cloud Apps.” (Always utilize exclusions for break-glass accounts).
Require MFA for Azure Management: Specifically targets the “Microsoft Azure Management” app to protect the Azure Portal and PowerShell interfaces.
Device Compliance / Hybrid Joined: For accessing sensitive apps (or all of M365), require the device to be marked as compliant in Intune OR be Hybrid Entra ID Joined.
Risk-Based Policies (If Entra ID P2 is active): Require MFA or password change when User Risk or Sign-in Risk is detected as Medium/High.

3. Governance, Exclusions & Safety Nets

Emergency Access (“Break-Glass”) Accounts:
- Create at least two cloud-only, highly privileged accounts (e.g., bg-admin1@tenant.onmicrosoft.com).
- Exclude these accounts from all Conditional Access policies to prevent tenant-wide lockouts if MFA or federation fails.
- Monitor these accounts aggressively via Log Analytics / Sentinel alerts.
Service Accounts & Exclusions:
- Never use “All Users” without a dedicated exclusion group (e.g., CA-Exclusions-MFA).
- Service accounts that cannot perform MFA must be excluded but should be locked down via other signals (e.g., Named Locations / Trusted IPs).
Report-Only Mode:
- Always deploy new CA policies in Report-Only mode first.
- Let it run for 7-14 days to monitor the Sign-in logs and ensure it doesn’t break legitimate business processes before flipping to “On.”

4. Session Controls & Granular Security

Sign-in Frequency: Forces a user to re-authenticate after a specified period (e.g., 90 days for standard users, 1 hour for risky sign-ins or specific portal access).
Persistent Browser Session: Controls whether users can remain signed in after closing and reopening their browser. Often set to “Never persistent” for shared devices.
App Enforced Restrictions: Integrates with SharePoint Online and Exchange Online to provide limited, web-only access (blocking downloads) when users log in from unmanaged (BYOD) devices.

5. Troubleshooting & Diagnostics

The “What If” Tool: Your primary testing sandbox. Input a specific user, app, IP address, and device state to see exactly which policies would apply and why.
Entra ID Sign-in Logs:
- Navigate to the specific failed sign-in event, click the Conditional Access tab.
- Look for the policy marked Failure.
- Drill down into the “Show Details” pane to see exactly which signal (e.g., missing MFA, non-compliant device, blocked location) triggered the failure.
Continuous Access Evaluation (CAE): Understand that CAE allows Entra ID to revoke access tokens in near real-time (e.g., within minutes of a password reset or location change) rather than waiting for the standard 1-hour token expiration.

6. Essential PowerShell Cmdlets (Microsoft Graph)

Connection: Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
Policy Management:
- Get-MgIdentityConditionalAccessPolicy (Lists all CA policies and their states)
- Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <ObjectID> (View specific policy configurations, useful for backing up policy JSONs)

2.3) Authentication

Mon, 01 Jan 0001 00:00:00 +0000

1. Hybrid Authentication Topologies

Password Hash Synchronization (PHS) + Seamless SSO: The Microsoft-recommended standard for 90% of enterprises. Syncs a hash of the on-premises AD password hash to Entra ID. Provides cloud-auth resilience even if on-premises domain controllers go down.
Pass-Through Authentication (PTA): Validates passwords directly against on-premises Active Directory via lightweight agents. Used when strict security policies prohibit any form of password hash leaving the on-premises network.
Federation (e.g., AD FS, Ping, Okta): Entra ID redirects the authentication request to a third-party Identity Provider (IdP).
- Consultant Note: Many large organizations are actively migrating away from AD FS to PHS/Seamless SSO to reduce infrastructure overhead and mitigate on-premises vulnerabilities.

2. MFA & Modern Authentication Methods

The Authentication Methods Policy: Microsoft has deprecated the legacy per-user MFA portal and legacy SSPR policies. All authentication methods must be managed centrally via the Entra ID > Security > Authentication methods blade.
Method Hierarchy (Weakest to Strongest):
1. SMS / Voice Call: Highly susceptible to SIM swapping. Strongly advocate for deprecation.
2. Microsoft Authenticator (Push): Number Matching is now mandatory globally to prevent MFA fatigue attacks.
3. Phishing-Resistant MFA: FIDO2 Security Keys (YubiKey) and Windows Hello for Business (WHfB). The gold standard for privileged administrative accounts.
System-Preferred Multifactor Authentication: Enable this tenant-wide. If a user has both SMS and the Authenticator app registered, Entra ID will automatically prompt them with the most secure method available.

3. Self-Service Password Reset (SSPR) & Registration

Combined Registration: Users register for both MFA and SSPR in a single workflow (aka.ms/mfasetup).
SSPR Configuration:
- Targeting: Target a specific Entra ID Security Group before rolling out to “All Users.”
- Methods Required: The enterprise standard is requiring 2 methods to reset a password (e.g., Authenticator App + Mobile App Code).
Password Writeback: If the organization is hybrid (using Entra Connect), Password Writeback must be enabled in the sync engine so cloud resets are written back to on-premises Active Directory.

4. Legacy Authentication (A Prime Attack Vector)

What it is: Older protocols (POP3, IMAP4, SMTP Auth, older Office 2013 clients) that cannot interpret Modern Authentication (OAuth 2.0) and therefore bypass MFA.
Remediation:
- Exchange Online has disabled Basic Auth at the tenant level, but it can still be a risk in other areas.
- Explicitly block legacy auth via Conditional Access.
- Exception: SMTP Auth is often still required for on-premises multi-function printers or legacy application relay. Restrict SMTP Auth to specific service accounts and lock those accounts down by IP address in Conditional Access.

5. Troubleshooting & Diagnostics

Sign-in Logs (The Source of Truth):
- Interactive vs. Non-Interactive: Interactive means the user physically typed a password or clicked an MFA prompt. Non-interactive means a client app used a refresh token to get a new access token seamlessly.
Common Error Codes to Memorize:
- 50126: Invalid username or password (Check if the password recently changed on-premises and hasn’t synced, or if PTA agents are down).
- 500121: User didn’t complete the MFA prompt (This error can appear if the user hasn’t completed setting up MFA).
- 50074: Strong authentication is required and the user did not pass the MFA challenge (A Conditional Access policy may have blocked the seamless token and forced an interactive MFA prompt).
- For more: https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes.
Entra ID Protection (Risk-Based Auth): If the tenant has Entra ID P2, users flagged with “High User Risk” (e.g., leaked credentials found on the dark web) can be forced to securely reset their password via SSPR before logging in.

6. Essential PowerShell Cmdlets (Microsoft Graph)

Connection: Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All", "AuditLog.Read.All"
Manage User Authentication Methods:
- Get-MgUserAuthenticationMethod -UserId user@domain.com (Lists registered methods)
- New-MgUserAuthenticationPhoneMethod -UserId user@domain.com -phoneType "mobile" -phoneNumber "+1 5555555555" (Pre-populate phone numbers for users, though Authenticator app is preferred).
Troubleshooting Password Sync:
- Get-MgUser -UserId user@domain.com -Property LastPasswordChangeDateTime (Check when Entra ID thinks the password was last changed).

Overview of the ISO 27001 Controls

Mon, 01 Jan 0001 00:00:00 +0000

The Controls, listed in Annex A of ISO 27001 fall into the four groups which are derived from and aligned with Clauses 5 to 8. They are:

Organisational controls
People controls
Physical controls
Technological controls

The following is a brief overview of controls in these groups.

5) Organisational controls

This group consists of 37 controls designed to enable effective management of information security risks. It includes controls related to risk management, incident response planning, information security policies, and the clear definition and assignment of roles and responsibilities.

Scrum in relation to Agile

Mon, 01 Jan 0001 00:00:00 +0000

It is important to know that Scrum is an implementation of Agile principles. While Scrum is indeed a framework (a structured approach with defined roles, artifacts, and processes) Agile however is not. Agile is more of an ideology to adopt and as such, it’s not something that you “do”, but instead Agile shapes the way that you “do”.

Here’s a link to the official Agile Manifesto. There is not much to it, just 4 values and 12 principles.

The 7 Processes

Mon, 01 Jan 0001 00:00:00 +0000

Each process is designed to achieve a specific objective, taking defined inputs (information or products) and transforming them through a series of activities into defined outputs. These processes provide the framework within which the PRINCE2 principles are upheld and the themes are actively applied. There are seven distinct processes in the PRINCE2 model.

The flow between these processes follows a logical progression, often visualized in process model diagrams. A typical project starts pre-project, moves into Starting Up a Project (SU), which triggers Directing a Project (DP) by the Project Board. DP authorizes Initiating a Project (IP). Once initiated, the project moves into delivery stages, cycling between Controlling a Stage (CS) and Managing Product Delivery (MP), with Managing a Stage Boundary (SB) occurring between stages. Finally, Closing a Project (CP) concludes the lifecycle. Detailed diagrams sometimes use color-coding to indicate frequency: blue for processes run once per project (like SU, IP, CP), green for once per stage (like SB), and orange/red for processes run multiple times within a stage (like CS, MP, DP activities).

The Service Value System (SVS)

Mon, 01 Jan 0001 00:00:00 +0000

The ITIL Service Value System (SVS) represents how the various components and activities of the organization work together to facilitate value creation through IT-enabled services. It maps how demand and opportunity are transformed into tangible value for stakeholders.

The SVS ensures that the organization continually co-creates value with all stakeholders through the use and management of products and services. The key inputs to the SVS are opportunity and demand, and the output of the SVS is value.

The seven principles of auditing

Mon, 01 Jan 0001 00:00:00 +0000

The seven principles of auditing are:

Integrity: the foundation of professionalism.

Auditors and those managing audit programmes should perform their work ethically, honestly and responsibly. They should only undertake activities if competent to do so. They should work in an impartial manner and be on the look out for influences that may affect their judgement.

Fair presentation: the obligation to report truthfully and accurately.

The findings of an audit should truthfully and accurately represent what was witnessed during the audit. When a bad example was witnessed, was that in contrast to 10 good examples or 100? Significant obstacles and diverging opinions between the audit team and the entity being audited should be reported.

3.1) Data Loss Prevention

Mon, 01 Jan 0001 00:00:00 +0000

1. Deployment Strategy (The “Crawl, Walk, Run” Approach)

Never Start in Enforcement: Implementing a block policy on day one will halt business operations and generate immediate escalations. Always follow the phased rollout:
1. Test it out (Audit Only): Silently gathers data to show you the baseline of what users are sharing.
2. Test it out with Policy Tips: Audits the data but displays a warning to the user (e.g., “This email contains sensitive data”), educating them without blocking the action.
3. Turn it on right away (Enforcement): Actively blocks or encrypts the data.
Scoping: Policies should ideally be scoped to specific locations (Exchange, SharePoint, OneDrive, Teams, Endpoints). Avoid massive “All Locations” policies with complex rules, as they are notoriously difficult to troubleshoot.

2. Classifying the Data (What are we protecting?)

Sensitive Information Types (SITs): Microsoft provides hundreds of out-of-the-box SITs.
- Local Contexts: For example, if you are Australian, familiarize yourself with Australia Tax File Number (TFN), Australia Medicare Number, and Australia Passport Number.
- Custom SITs: Built using Regular Expressions (Regex) + Keywords + Proximity (e.g., finding a 9-digit number within 50 characters of the word “Account”).
Exact Data Match (EDM): Used to prevent false positives. Instead of looking for any credit card, EDM hashes an export of your actual customer database and only triggers a block if it sees a credit card belonging to a known customer.
Trainable Classifiers: Machine learning models trained on hundreds of sample documents to recognize a type of document (e.g., Source Code, Resumes, Legal Agreements) regardless of specific keywords.

3. Policy Rules & The User Experience

Conditions & Exceptions: The most common enterprise condition is: Content contains [SIT] AND Content is shared [Outside my organization].
Confidence Levels & Instance Counts:
- High Confidence: Requires the data pattern, a keyword, and validation (like a checksum).
- Instance Count: Set thresholds. (e.g., 1-4 credit cards = send a warning. 5+ credit cards = hard block and alert the security team).
User Overrides & Business Justifications: When moving to enforcement, configuring “Allow user to override” is critical. It shifts the liability to the user. They must type a reason (e.g., “Approved by client”) which is logged for the compliance team, preventing the IT Helpdesk from becoming a bottleneck.

4. Endpoint DLP (Securing the Local Device)

Onboarding: Devices must be onboarded to Microsoft Purview (usually done silently via Intune configuration profiles) to read endpoint signals.
Capabilities: Endpoint DLP extends protection beyond the browser. It allows you to block users from:
- Copying sensitive files to USB drives.
- Printing sensitive documents.
- Copying sensitive text to the clipboard.
- Uploading files to unsanctioned cloud storage (e.g., blocking upload to personal Google Drive via Edge/Chrome).

5. Alerts, Triage & Permissions

Role-Based Access Control (RBAC): Being a Global Admin or SharePoint Admin does not grant you access to read the contents of a DLP violation. You must be explicitly assigned the Compliance Data Administrator or Information Protection Investigator role to view the source item in the Content Explorer.
Alert Fatigue: Bundle alerts to prevent overwhelming the SOC. Configure rules to send an alert only when a specific volume is reached (e.g., “Send an alert when 5 activities occur within 60 minutes”).

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement / Security & Compliance)

Note: You must connect to the Security & Compliance center specifically, which is nested within the Exchange module.
Connection: Connect-IPPSSession
Policy Management:
- Get-DlpCompliancePolicy (Lists the high-level policies)
- Get-DlpComplianceRule (Lists the granular rules nested inside the policies)
- Get-DlpSensitiveInformationType -Identity "Australia Tax File Number (TFN)" (View the configuration of a specific SIT)

3.2) Information Protection

Mon, 01 Jan 0001 00:00:00 +0000

1. Taxonomy & Deployment Strategy

The Taxonomy: An enterprise should have a simple, universally understood taxonomy. The industry standard is usually four to five tiers: Public, General/Internal, Confidential, and Highly Confidential (often with sub-labels for specific departments or projects).
Publishing vs. Creating: Creating a label defines what it does (encrypts, watermarks). Publishing a label via a Label Policy determines who can see it and use it.
Default Labels: Applying a default label (e.g., General/Internal) to all new emails and documents is the most effective way to baseline tenant security. Ensure this is deployed via policy to a pilot group before tenant-wide enforcement.
Mandatory Labeling: Forcing users to choose a label before saving a document or sending an email. Often paired with a default label, but requires users to actively downgrade or upgrade the classification.

2. Item-Level vs. Container-Level Labels

This is the most common point of confusion for stakeholders. You must clearly differentiate these.

3.3) Data Lifecycle

Mon, 01 Jan 0001 00:00:00 +0000

1. The Core Mechanisms: Policies vs. Labels

This is another critical distinction to explain to stakeholders, similar to Information Protection.

Retention Policies:
- Applied at the container level (e.g., an entire Exchange mailbox, a SharePoint site, all Teams chats).
- Broad and invisible to the end user.
- Example: “Retain all employee OneDrive data for 7 years after they leave, then silently delete it.”
Retention Labels:
- Applied at the item level (a specific Word document or email).
- Visible to the user (can be selected from a dropdown in Office apps).
- Records Management: Labels can declare a document as a “Record.” Once marked as a Record, the document is locked and cannot be edited or deleted by anyone (including Global Admins) until the retention period expires.

2. The Principles of Retention (The Conflict Engine)

In an enterprise, a single document might be subject to multiple conflicting policies (e.g., a 7-year HR retain policy, but a 3-year IT auto-delete policy). Microsoft uses a strict hierarchy to resolve this:

Documented information requirements for ISO 27001

Mon, 01 Jan 0001 00:00:00 +0000

The term "Documented information" is used within ISO 27001:2022 27 times. There is no one correct way to manage your documented information but the following are some key documents you would be expected to maintain.

Document Description Notes

ISMS Manual

A document for defining the scope of the ISMS, who relevant stakeholders are, their needs, and who is responsible for what within the ISMS.

Document	Description	Notes
ISMS Manual	A document for defining the scope of the ISMS, who relevant stakeholders are, their needs, and who is responsible for what within the ISMS.	This is ideal for holding documented information pertaining to: Project Roles and Responsibilities Mon, 01 Jan 0001 00:00:00 +0000 In PRINCE2 a single individual might hold multiple roles (especially in smaller projects), or a single role might be shared by several people, provided accountability is clear and conflicts of interest are avoided. The primary goal is absolute clarity on who is responsible for what, ensuring effective decision-making and communication within a structured framework. Project Management Team Structure PRINCE2 typically defines four levels within and around the project management structure: The 34 Management Practices Mon, 01 Jan 0001 00:00:00 +0000 In previous versions of ITIL, the framework heavily emphasized “processes.” ITIL 4 shifted this focus to Management Practices. A practice is defined as a set of organizational resources designed for performing work or accomplishing an objective. This change reflects the fact that delivering services requires more than just a process flow; it requires considering all Four Dimensions of Service Management (People, Information/Technology, Partners, and Value Streams/Processes). The 34 ITIL management practices are grouped into three distinct categories: The audit process for ISO 19011 Mon, 01 Jan 0001 00:00:00 +0000 Stage 1: Initiate the audit Before doing anything else a team leader needs to be appointed to own and run the audit process. With the team leader chosen the audit team needs to reach out to the client to understand the context of the auditee. At a minimum the following needs to be established: The objective: Why is the audit being done? The scope: What are the boundaries of the audit? (e.g. are only specific locations or specific activities being audited?) The criteria: What requirements are the team auditing against? Before starting the audit get confirmation in writing that the above has been approved by upper management. 4.1) Defender for Office 365 Mon, 01 Jan 0001 00:00:00 +0000 1. Safe Links & Safe Attachments (The Core Shields) Safe Links: Provides time-of-click verification of URLs in emails, Teams messages, and Office apps. URL Rewriting: URLs are wrapped in a Microsoft prefix. If a site is later identified as malicious, the user is blocked from visiting even if they click the link hours or days after receipt. Advanced Settings: Ensure “Wait for URL scanning to complete before delivering the message” is enabled for high-security environments. Safe Attachments: Uses a virtual sandbox environment (detonation chamber) to open attachments and check for malicious behavior before delivery. Dynamic Delivery: The recommended setting for user experience. It delivers the body of the email immediately with a placeholder attachment while scanning occurs, replacing the placeholder once the file is cleared. Block vs. Replace: Avoid “Monitor” in production; use “Block” to prevent delivery entirely or “Replace” to deliver the message without the malicious file. 2. Anti-Phishing & Impersonation Protection Impersonation Detection: Specifically protects high-profile users (C-Suite) and internal domains. User Impersonation: Protects against look-alike names (e.g., “John Doe” using a personal Gmail account). Domain Impersonation: Protects against look-alike domains (e.g., `cont0so.com` vs `contoso.com`). Mailbox Intelligence: Uses AI to learn a user’s frequent contacts. It triggers alerts if an email arrives from a sender who looks like a frequent contact but is not. Safety Tips: Enable visual cues in Outlook (e.g., “This sender is new to you” or impersonation warnings) to provide real-time user education. 3. Automated Investigation and Response (AIR) The Playbook: When a high-confidence phish or malware is detected, Defender can trigger an automated investigation. Investigation Steps: The system automatically analyzes the message, identifies other recipients of the same “campaign,” and checks if the user clicked the link or downloaded the file. Remediation Actions: Pending Approval: AIR will suggest actions (e.g., “Soft delete 15 messages,” “Block the sender,” “Reset user’s password”). 4. Threat Explorer & Campaign Discovery Threat Explorer: The primary hunting tool. Use it to search for all emails from a specific sender IP, sender domain, or containing a specific URL/File Hash. Campaign Views: Aggregates individual phishing attempts into “Campaigns.” This allows you to see the scope of an attack and determine if it was targeted (spear-phishing) or a broad broadcast. Message Header Analysis: Accessible directly within the portal. Check the `X-MS-Exchange-Organization-PCL` (Probability Level) and `SCL` (Spam Confidence Level) to determine why a message was or wasn’t blocked. 5. Attack Simulation Training Purpose: Proactively test user vulnerability to phishing. Templates: Use real-world harvested payloads (e.g., “Password Reset,” “HR Policy Update”) to simulate attacks. Outcome-Based Learning: Automatically assign mandatory training modules (e.g., “How to spot a phish”) to users who fail the simulation by clicking or providing credentials. 6. Essential PowerShell Cmdlets (Security & Compliance) Connection: `Connect-IPPSSession` Safe Links Management: `Get-SafeLinksPolicy` (Lists policies) `Get-SafeLinksRule` (Lists the scoping/priorities of the rules) Safe Attachment Management: `Get-SafeAttachmentPolicy` `Get-SafeAttachmentRule` Investigative Cmdlets: `Get-MalwareFilterPolicy` (Review the anti-malware settings) `Get-PhishFilterPolicy` (Review impersonation and anti-phish settings) 4.2) Defender for Endpoint (MDE) Mon, 01 Jan 0001 00:00:00 +0000 1. Onboarding & Sensor Health Onboarding Methods: In an enterprise environment, use Intune (Configuration Profiles) or Group Policy for automated deployment. Local scripts are available for testing but should be avoided for production scale. Sensor Health Monitoring: Regularly check the “Device Inventory” for devices in an “Inactive” or “No sensor data” state. This usually indicates connectivity blocks to MDE backend URLs or the `SENSE` service being disabled. Offboarding Governance: When a device is decommissioned, it must be offboarded to prevent it from negatively impacting the organization’s exposure score. Note that offboarding scripts have a 30-day expiration period for security reasons. 2. Attack Surface Reduction (ASR) ASR Rules: Implement rules to close common entry points for malware (e.g., “Block credential stealing from the Windows local security authority subsystem”). Phased Rollout: Always deploy ASR rules in Audit Mode first. Use the “Attack Surface Reduction” report in the Defender portal to identify potential business-critical software that would be blocked before switching to Enforcement Mode. Exclusions: Manage ASR exclusions at the policy level rather than globally to maintain a tight security posture. 3. Vulnerability Management (TVM) Exposure Score: Monitor this real-time metric to understand the organization’s current risk level relative to the threat landscape. Security Recommendations: Focus on “Top Security Recommendations” which are prioritized based on active exploits in the wild and the business impact on the tenant. Software Inventory: Use the inventory to track end-of-life (EOL) software and missing patches across Windows, macOS, and Linux endpoints. 4. Detection & Response (EDR) Alert Triage: MDE correlates related alerts into a single Incident, providing a full story of the attack chain. Prioritize incidents over individual alerts. Live Response: A command-line console used to remotely collect forensic data, run scripts, or remediate threats on a compromised endpoint in real-time. Automation Levels: Configure “Device Groups” with specific automation levels (e.g., “Full - remediate threats automatically”) to allow AIR (Automated Investigation and Response) to resolve known threats without manual intervention. 5. Next-Generation Protection (Antivirus) Cloud-Delivered Protection: Must be enabled to provide near-instant protection against new and emerging malware that hasn’t been seen by local signatures yet. Tamper Protection: A critical tenant-wide setting that prevents malicious apps (or local admins) from disabling Microsoft Defender antivirus or EDR sensors. 6. Essential PowerShell Cmdlets (Windows Defender Module) Client Status: `Get-MpComputerStatus` (Verify if real-time protection and MDE sensor are active) Configuration Review: `Get-MpPreference` (View current exclusions and scan schedules) Diagnostic Logging: `Get-MpThreatDetection` (Review a history of threats detected on the local machine) Connectivity Troubleshooting: `Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-ValidateEdgeConnectivity"` (Validates that the device can reach MDE cloud service endpoints) 4.3) Defender for Cloud Apps (CASB) Mon, 01 Jan 0001 00:00:00 +0000 1. Cloud Discovery & Shadow IT Discovery Logs: Ingest traffic logs from network firewalls, proxies, or Defender for Endpoint to identify which cloud apps are being used across the organization. Risk Score: Each discovered app is assigned a score (1–10) based on over 90 risk factors (e.g., regulatory compliance like GDPR/HIPAA, data encryption at rest, and legal terms). Sanctioning vs. Unsanctioning: Sanctioned: Apps approved for corporate use; often integrated via API for deeper visibility. Unsanctioned: Apps explicitly blocked. Integration with Defender for Endpoint allows for automatic blocking of these URLs on managed devices. 2. Conditional Access App Control (Session Controls) The Reverse Proxy: Redirects user traffic through Defender for Cloud Apps in real-time when accessing web applications. This is triggered via a Conditional Access policy with the “Use Conditional Access App Control” session setting. Real-Time Actions: Block Download: Allow users to view sensitive data in the browser but prevent them from downloading it to an unmanaged device. Protect on Download: Automatically apply a Purview sensitivity label (encryption) to a file as it is downloaded from a cloud app. Monitor Activity: Log every action taken within a third-party app (e.g., Salesforce, AWS, or Slack) for audit purposes. 3. App Governance & OAuth Permissions OAuth App Inventory: Tracks which third-party applications have been granted permissions to access M365 data (e.g., “Read your mail” or “Access your files”). Permission Triage: Identify “high-privilege” apps that have not been used in 90 days or apps from unverified publishers. App Governance Add-on: Provides advanced machine learning to detect anomalous app behavior, such as an app suddenly downloading a massive volume of data or sending thousands of emails. 4. Information Protection & DLP Integration API Connectors: Connect Defender for Cloud Apps directly to third-party clouds (Google Workspace, Box, Dropbox) to scan for sensitive data at rest. File Policies: Create policies to automatically apply sensitivity labels or remove public sharing links if a file containing PII is detected in a non-Microsoft cloud environment. Unified Labels: Defender for Cloud Apps natively reads Microsoft Purview sensitivity labels, ensuring a consistent data protection policy regardless of where the file is stored. 5. Threat Detection & Anomaly Policies Impossible Travel: Detects when a user signs in from two geographically distant locations in a timeframe that is physically impossible. Ransomware Detection: Identifies patterns of high-volume file deletions or encryptions within cloud storage. Activity Policies: Custom alerts for specific administrative actions, such as “Multiple failed login attempts to a sanctioned app” or “Creation of a new global admin in a third-party cloud.” 6. Essential PowerShell Cmdlets (Microsoft Graph & API) Note: Most CASB management is performed via the portal or the Cloud App Security API. Management via the Microsoft Graph PowerShell SDK is the modern standard for automation. 4.4) Defender for Identity & XDR Mon, 01 Jan 0001 00:00:00 +0000 1. Defender for Identity (MDI) & On-Premises Security The Sensor: Installed directly on Domain Controllers and AD FS servers. It parses network traffic (RPC, LDAP, Kerberos) and Windows Events to detect threats that bypass traditional logs. Detection Categories: Reconnaissance: Enumeration of users/groups, DNS reconnaissance, and SMB session enumeration. Lateral Movement: Pass-the-Ticket, Pass-the-Hash, and malicious service creation. Domain Dominance: Skeleton Key, Golden Ticket, and Malicious Data Protection API (DPAPI) requests. Identity Security Posture (ISPM): Integrated into Microsoft Secure Score to identify legacy protocols (NTLMv1), unsecure account attributes, and clear-text password exposures. 2. Microsoft Defender XDR (Unified Correlation) The Incident View: Automatically correlates isolated alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into a single Incident. This reduces alert fatigue by grouping the “story” of an attack (e.g., Phish -> Compromised User -> Lateral Movement -> Data Exfiltration). Signal Sharing: Enabling “Microsoft Defender XDR integration” allows different workloads to share signals. For example, if a device is marked as “High Risk” by MDE, Entra ID can automatically block that user’s sign-in via Conditional Access. The Unified Portal: Centralizes all security operations (security.microsoft.com), replacing the legacy per-product admin centers. 3. Automated Investigation and Response (AIR) Cross-Product Playbooks: When an incident triggers, AIR executes playbooks that span workloads. It can simultaneously quarantine an email (O365), isolate a device (Endpoint), and disable a compromised user (Identity). Evidence & Entity Center: Provides a unified list of all files, processes, URLs, and accounts involved in an investigation, allowing for a “one-click” remediation across the entire environment. Action Center: The single pane of glass for approving or auditing all automated remediation actions. 4. Advanced Hunting (KQL) The Schema: Use Kusto Query Language (KQL) to query raw data across all Defender workloads. `IdentityLogonEvents`: Tracks all authentication attempts across on-prem and cloud. `IdentityDirectoryEvents`: Tracks changes to AD objects (e.g., group membership changes, password resets). Proactive Hunting: Go beyond alerts by searching for “Indicators of Attack” (IoA) that haven’t triggered a formal alert yet, such as suspicious PowerShell execution patterns or unusual cross-domain traffic. 5. Microsoft Sentinel Integration The SIEM/SOAR Connection: While Defender XDR handles the Microsoft stack, Sentinel provides the broader view (firewalls, third-party clouds, multi-vendor logs). Defender XDR Connector: Use the bi-directional sync connector to ensure that closing an incident in Sentinel also closes it in the Defender portal, and vice versa. 6. Essential PowerShell & Diagnostic Tools MDI Sensor Management: `Test-MdiSensorApiConnection.ps1`: (Bundled with the sensor) Validates that the Domain Controller can reach the MDI cloud service. KQL Query Example (Advanced Hunting Portal): `// Find users who had a failed logon followed by a successful one from a different IP IdentityLogonEvents \| where ActionType == "LogonFailed" \| join kind=inner (IdentityLogonEvents \| where ActionType == "LogonSuccess") on AccountObjectId \| where IPAddress != IPAddress1` Microsoft Defender for Identity Health: Monitor the “Health Issues” tab in the portal specifically for “Packet fragmentation” or “Dropped events” which indicate the DC is overloaded or the sensor is misconfigured. Continual Improvement Mon, 01 Jan 0001 00:00:00 +0000 Just as project management frameworks require tailoring to fit the environment, ITIL 4 recognizes that IT service management cannot be static. Organizations must continually adopt and adapt the framework, their services, and their operating models to meet evolving business demands, technological advancements, and external pressures. This adaptability is driven by the concept of Continual Improvement. Continual Improvement happens at all levels of the organization, from strategic executive decisions down to the operational activities of individual teams. It applies to all Four Dimensions of Service Management and all activities within the Service Value Chain. Tailoring PRINCE2 Mon, 01 Jan 0001 00:00:00 +0000 Why Tailor? The primary reason for tailoring is to ensure that the project management method applied is appropriate for the project’s specific circumstances. Applying the full PRINCE2 methodology rigidly, without adaptation (‘robotically’), can lead to unnecessary bureaucracy, especially for smaller or simpler projects. Conversely, insufficient application on complex or high-risk projects can lead to a loss of control. Tailoring aims to strike the right balance, providing adequate governance and control without overburdening the project team, thus making the application of PRINCE2 efficient and relevant. 5.1) Microsoft Intune (Endpoint Management) Mon, 01 Jan 0001 00:00:00 +0000 1. Compliance vs. Configuration Policies Compliance Policies: Define the “security floor” for a device (e.g., “Must have BitLocker enabled,” “Must be at a specific OS version”). The Signal: Compliance status is the primary signal sent to Entra ID. Conditional Access Integration: If a device fails a compliance check, Conditional Access can instantly block access to M365 data until the user remediates the issue. Configuration Profiles: The primary tool for managing settings (the “GPO of the cloud”). Settings Catalog: The modern, preferred interface for finding and configuring thousands of Windows, macOS, and iOS settings. Administrative Templates: Familiar ADMX-backed settings for Windows and Office. Conflict Resolution: If two profiles configure the same setting with different values, the setting enters a “Conflict” state and is not applied. Compliance policies, however, do not “conflict”—if any policy marks a device non-compliant, it is non-compliant. 2. Device Enrollment & Windows Autopilot The Enrollment Spectrum: BYOD (Registered): Users add a “Work or School account.” Best for Mobile Application Management (MAM). Corporate (Joined): Device is fully managed by the organization. Windows Autopilot: A collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. Hardware Hash: The unique identifier required to register a device for Autopilot. Deployment Profiles: Control the Out-of-Box Experience (OOBE), such as skipping privacy settings or forcing a “Standard” vs. “Administrator” user account. Enrollment Status Page (ESP): Displays the installation progress of critical apps and profiles before the user reaches the desktop. 3. Mobile Application Management (MAM) vs. MDM MAM-WE (Without Enrollment): Allows IT to protect corporate data inside specific apps (Outlook, Teams, OneDrive) without managing the entire personal device. App Protection Policies (APP): The core of MAM. Use these to: Prevent “Save As” to personal storage (local phone or personal Dropbox). Restrict “Copy/Paste” between corporate and personal apps. Require a separate PIN or biometric to open corporate apps. App Configuration Policies: Pre-configure app settings (e.g., the corporate mail server URL) so the user doesn’t have to enter them manually. 4. Endpoint Security Integration The Security Baseline: Pre-configured groups of Windows settings recommended by Microsoft security teams. Use these as a starting point rather than building from scratch. Defender for Endpoint Plug-in: Intune is the primary deployment engine for the MDE sensor. Use the “Endpoint Security” blade to manage Antivirus, Firewall, and EDR settings centrally. Remote Actions: Essential for incident response. Use the Intune portal to: Retire: Removes corporate data and management (best for BYOD offboarding). Wipe: Factory resets the device (best for lost/stolen corporate hardware). Sync: Forces the device to check in immediately for new policies. 5. Troubleshooting & Lifecycle The “Company Portal” App: The user-facing side of Intune. Users go here to install optional apps and check their device’s compliance status. Intune Management Extension (IME): A background service on Windows that handles the execution of PowerShell scripts and the installation of Win32 apps. Log Analysis: Local Logs: Check `C:\ProgramData\Microsoft\IntuneManagementExtension\Logs` for Win32 app and script failures. Portal Logs: Use “Troubleshooting + support” to see a per-user view of every policy and app deployment status. 6. Essential PowerShell Cmdlets (Microsoft.Graph.Intune) Connection: `Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"` Inventory & Discovery: Get all devices for a user: `Get-MgUserManagedDevice -UserId user@domain.com` Find devices by OS: `Get-MgDeviceManagementManagedDevice -Filter "contains(osVersion, '10.0.19041')"` Management Actions: Trigger a Sync: `Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId <ID>` Retire a Device: `Invoke-MgDeviceManagementManagedDeviceRetire -ManagedDeviceId <ID>` Autopilot Management: `Get-MgDeviceManagementWindowsAutopilotDeviceIdentity` (Lists registered Autopilot devices) 5.2) Microsoft Copilot Mon, 01 Jan 0001 00:00:00 +0000 1. Architecture & The “Oversharing” Risk (The #1 Priority) The Golden Rule of Copilot: Copilot never bypasses existing permissions. It utilizes the Microsoft Graph and Semantic Index to surface data, meaning it can only read what the user executing the prompt explicitly has access to. The Oversharing Crisis: If a tenant has historically relied on “security by obscurity” (e.g., HR files stored on a public SharePoint site but the link was never shared), Copilot will find them and use them to answer user prompts. Remediation Strategy: Before deploying Copilot, you must execute a “Data Readiness” assessment. Use SharePoint Advanced Management (SAM) or Purview Data Access reports to identify and lock down sites with excessive “Everyone except external users” permissions or broad sharing links. 2. Licensing & Versions Microsoft Copilot (formerly Bing Chat Enterprise): Free with E3/E5 licenses. Provides AI chat grounded in the public web, but with Commercial Data Protection (prompts are not saved, data is not used to train the model, Microsoft cannot see the data). Microsoft 365 Copilot: The paid enterprise add-on. This version is grounded in the tenant’s Microsoft Graph data (emails, chats, SharePoint files) and integrates directly into the M365 desktop apps (Word, Excel, PowerPoint, Teams). Prerequisites: Users must be on the “Current Channel” or “Monthly Enterprise Channel” for M365 Apps. Copilot relies heavily on OneDrive; if a user does not have OneDrive provisioned or enabled, their Copilot experience in desktop apps will break. 3. Administration & Governance Controls Web Grounding Toggle: In the M365 Admin Center, you can control whether Microsoft 365 Copilot is allowed to query the public web (Bing) to supplement its answers, or if it must only use internal Graph data. (Highly regulated industries often disable web grounding). Plugin & Extension Management: Copilot’s capabilities can be extended via Microsoft Teams apps and custom plugins. The enterprise standard is to block all third-party plugins by default via the Integrated Apps portal, requiring a security review before enabling them for Copilot. Semantic Index: A backend capability that maps relationships between users and data. It is enabled at the tenant level. Without it, Copilot’s ability to find relevant internal documents drops significantly. 4. Security & Purview Integration Sensitivity Labels (Information Protection): Copilot natively respects Purview Sensitivity Labels. If a user prompts Copilot to summarize a Word document labeled “Highly Confidential,” the generated response in the chat will also be marked as “Highly Confidential.” If a document’s label restricts the “Extract” usage right, Copilot will refuse to summarize or read that document. Data Loss Prevention (DLP): Copilot interactions are audited. You can configure Endpoint DLP policies to prevent users from copying/pasting sensitive Copilot responses into unsanctioned applications. 5. Adoption & Stakeholder Management Managing Expectations: Stakeholders often treat Copilot like a search engine. A Consultant must educate them that it is a reasoning engine. It hallucinates, and its outputs require human verification. Prompt Engineering Framework (The 4 Pillars): Teach users how to structure requests. A good prompt requires: Goal: What do you want? (e.g., “Draft an email”) Context: Why do you need it? (e.g., “To update the marketing team on the Q3 delays”) Expectation: How should it look? (e.g., “Make it a bulleted list and keep the tone professional”) Source: What data should it use? (e.g., “Based on the attached /ProjectStatus.docx”) High-Value Quick Wins: Point delivery teams to the highest ROI features first: Teams Meeting Recap (summarizing action items from a transcript), drafting Word documents based on PowerPoint presentations, and summarizing unread email threads in Outlook. 5.3) Power Platform Mon, 01 Jan 0001 00:00:00 +0000 1. Environment Strategy The Default Environment: Every tenant has one. It cannot be deleted or disabled. Every user with a license is an Environment Maker. Best Practice: Rename it (e.g., “[Company Name] - Personal Productivity”) and set the expectation that this is for personal non-critical apps. Shared Environment, Private Items: Everyone has “entry” to the environment and the permission to create their own resources, however, for other standard users to see an item, you must explicitly share it with them. Dedicated Environments (Prod/Dev/Test): Create dedicated environments for departmental or enterprise-grade solutions. Managed Environments: Provides extra governance features (e.g., sharing limits, usage insights, data policies) but requires every user accessing an app in that environment to have a Premium license. Dataverse: The underlying database. Environments can be created with or without a Dataverse database. Enterprise apps usually require Dataverse for relational data storage and granular security roles. 2. Power Platform Data Loss Prevention (DLP) Connector Categorization: Connectors are grouped into three buckets within a DLP policy: Business: Data can be shared between these connectors (e.g., SharePoint, Outlook, Dataverse). Non-Business (General): Data can be shared between these, but not with connectors in the Business bucket. Blocked: Connectors that are entirely disabled for use (e.g., Twitter, Facebook, personal Dropbox). Policy Scoping: Policies can be applied to “All Environments,” “Multiple Environments,” or “Exclude Specific Environments.” Strategy: Apply a highly restrictive “Tenant-Wide” policy and create less restrictive policies for specific, sanctioned “Project” environments. 3. Licensing & Capacity Standard vs. Premium: Standard: Included with M365 E3/E5. Covers basic connectors (SharePoint, OneDrive, Excel, Outlook). Premium: Required for “Premium” connectors (SQL, HTTP, Azure DevOps), On-premises Gateways, and Dataverse. License Types: Per User: User can run unlimited apps. Per App: User can run one specific app in one environment (assigned to the environment’s capacity). Capacity: Power Platform storage is shared across the tenant and split into Database (Dataverse tables), File (attachments/images), and Log (audit trails). 4. The Center of Excellence (CoE) Starter Kit Purpose: A Microsoft-provided collection of components (Power Apps, Flows, and Power BI) designed to help admins move beyond reactive management. Inventory: Automatically crawls the tenant to identify every App and Flow, who created them, and how often they are used. Compliance Flow: Can automatically email makers of “orphaned” apps (where the owner has left the company) or apps that violate naming conventions, asking them to provide a business justification or the app will be deleted. 5. On-Premises Data Gateways Function: Allows Power Apps and Power Automate to securely access data residing on-premises (e.g., SQL Server, File Shares, SAP). Management: Gateways are installed on an on-premises server. Admins must manage the “Gateway Cluster” to ensure high availability. Security: Users must have their own credentials to the data source; the gateway does not bypass the underlying data source’s permissions. 6. Essential PowerShell Cmdlets (Microsoft.PowerApps.Administration.PowerShell) Connection: `Add-PowerAppsAccount` Environment Discovery: `Get-AdminPowerAppEnvironment` (Lists all environments) `Get-AdminPowerApp -EnvironmentName <ID>` (Lists all apps in a specific environment) DLP Management: `Get-AdminDlpPolicy` Ownership Reassignment: `Set-AdminPowerAppOwner -AppId <AppID> -EnvironmentName <EnvID> -NewOwner <UserUPN>` (Critical for offboarding/orphaned apps) 6.1) ITIL Fundamentals Mon, 01 Jan 0001 00:00:00 +0000 1. Incident vs. Problem Management (The Break-Fix Boundary) Do not treat every recurring outage as a standalone emergency. As a Consultant, you are expected to elevate the operation from reactive firefighting to proactive root-cause resolution. Incident Management: The goal is to restore normal service operations as quickly as possible. Workarounds are entirely acceptable here. (e.g., “The user’s Teams desktop app is crashing; clear the cache and have them use Teams on the Web so they can join their current meeting.”) Problem Management: The goal is to identify the root cause of one or more Incidents to prevent them from happening again. (e.g., “Why are 50 users experiencing Teams desktop crashes after the latest Intune deployment? We need to analyze the deployment logs and correct the packaging.”) The Consultant Pivot: When you see Helpdesk logging the same Incident multiple times, step in, declare a “Problem,” and lead the root cause analysis. 2. Navigating Change Management (The CAB) Never walk into a Change Advisory Board (CAB) meeting with a “we’ll figure it out” attitude. You are dealing with business-critical M365 infrastructure. You must accurately classify your changes and prepare the necessary documentation. 6.2) Issue Ownership Mon, 01 Jan 0001 00:00:00 +0000 1. The Definition of “Ownership” In a senior role, “owning” an issue does not mean you have to personally execute every fix. It means you own the resolution lifecycle. You are the primary shield protecting the role owner from operational noise. The Consultant Mindset: You are the investigator, the communicator, and the triage engineer. You only pass the baton when a definitive architectural or financial boundary is hit. The “Black Hole” Avoidance: Stakeholders escalate when they feel ignored. Ownership means proactively communicating the status (“I have reproduced the issue and am analyzing the Entra logs”) even if you don’t have the fix yet. 2. The Triage Boundary (Own vs. Escalate) Establish clear rules of engagement for what you resolve independently versus what requires the role owner. 6.3) The Escalation Framework Mon, 01 Jan 0001 00:00:00 +0000 1. The Trigger Conditions Do not escalate simply because a problem is difficult; escalate because a boundary has been crossed. The four definitive triggers for escalating to the role owner are: Architecture/Security Boundary: The solution requires bypassing a baseline Conditional Access policy, changing a tenant-wide sharing setting, or modifying global identity sync rules. Financial Boundary: The solution requires purchasing net-new licenses (e.g., Entra ID P2, Teams Premium, Power Apps Premium) or Azure consumption resources. Systemic Outage: A core service degradation affecting a significant portion of the environment (after verifying the Microsoft Service Health Dashboard). Political Deadlock: A highly-ranked stakeholder refuses the compliant alternative after you have clearly documented the technical and compliance risks. 2. The Standardized Escalation Template Never forward a messy, 15-reply email chain to the role owner with a note saying “Thoughts?” Package the escalation into a concise, easily digestible format that forces a decision. 6.4) Managing Ambiguity Mon, 01 Jan 0001 00:00:00 +0000 1. The Consultant’s Mindset In an enterprise, “lack of documentation” can be the default state, not an exception. You are being paid for your ability to operate in the gray. The Rule of Assumption: Assume every bizarre, seemingly illogical configuration was put there for a specific, urgent business reason at the time. Do not tear down a fence until you know why it was built, see Chesterton’s Fence. Investigation over Escalation: Never escalate a ticket to the role owner stating, “I don’t know what this does.” Escalate by stating, “I have traced this undocumented configuration to X, and it appears to impact Y. Should we decommission it?” 2. Forensic Discovery (Your “Hidden” Documentation) When SharePoint wikis and IT portals are empty, the Microsoft 365 backend logs become your source of truth. 7.1) The Consultant Muscle Mon, 01 Jan 0001 00:00:00 +0000 1. The Intake Framework (Uncovering the “Why”) The Golden Rule: Users ask for solutions (e.g., “I need a custom Power Automate flow to break inheritance on 500 folders”). A good Consultant must uncover the requirement (e.g., “We need to securely share specific documents with different external vendors”). The Triage Questions: Before reviewing any technical solution, establish: Data Classification: What is the sensitivity of the data being handled? (Dictates the required Purview labels and sharing restrictions). Audience & Lifecycle: Who is the audience (Internal vs. B2B Guests), and when does this project end? (Dictates identity lifecycle and M365 Group expiration). Supportability: Who owns this when the project is over? If it requires custom code (e.g., SPFx, complex Power Apps), is there an internal developer team to maintain it? 2. Evaluating Requests Against Existing Governance The Strategy Alignment Check: You are there to enforce the existing strategy, not invent a new one. Filter requests through these baseline questions: Is this out-of-the-box (OOTB)? Always default to native M365 capabilities before approving third-party apps or custom development. Does it bypass security controls? (e.g., Requests for service accounts that bypass MFA, or requests to disable DLP for a specific executive). Does it scale? (e.g., Manually managing item-level permissions works for 10 files, but fails for 10,000. Pivot the user to a metadata-driven approach or separate Document Libraries). 3. Constructive Pushback (The Art of the Compliant “No”) The Framework (Acknowledge -> State Risk -> Provide Alternative): Never issue a flat “No.” Example Request: “We need a shared mailbox for 50 people.” Acknowledge: “I understand the team needs a central place to receive and manage these generic inquiries.” State Risk: “However, adding 50 people to a single shared mailbox will cause severe Outlook performance issues, sync delays, and lacks an audit trail of who replied to what.” Provide Alternative: “To align with our M365 standards, we should set this up as a Microsoft Teams shared channel or a Group-connected Team site, which is designed for large-scale collaboration.” Depersonalize the Decision: Reference the policy, not your personal opinion. Use phrases like, “To align with the organization’s Zero Trust framework…” or “Based on the enterprise M365 architectural guardrails…” 4. Practical Translation for Delivery Teams Avoid “Policy Parroting”: Do not just send delivery teams a link to a 50-page governance PDF. Provide the “How-To”: Translate the governance into actionable, step-by-step configurations. Bad: “Ensure your new SharePoint site complies with the external sharing policy.” Good: “When provisioning this site, you must run `Set-PnPTenantSite -SharingCapability ExistingExternalUserSharingOnly` and assign the ‘Confidential’ sensitivity label to the connected M365 Group.” Standardized Templates: If you notice delivery teams repeatedly asking the same questions, create a 1-page standard operating procedure (SOP) or a PowerShell snippet they can reuse. 7.2) Constructive Pushback Mon, 01 Jan 0001 00:00:00 +0000 1. The Core Framework (ARA) When pushing back against a misaligned request, never use a flat “No” or cite personal preference. Rely on the Acknowledge -> Risk -> Alternative (ARA) framework to remain collaborative while strictly enforcing governance. Acknowledge: Validate the underlying business requirement. Users don’t want to break the rules; they just want to solve a workflow problem. Risk (Objective): Cite the specific enterprise constraint (Security, Governance, Scale, or Cost) that blocks their proposed solution. Depersonalize it (“The framework requires…” not “I won’t let you…”). Alternative (Compliant): Pivot immediately to the native Microsoft 365 solution that solves their business problem within the guardrails. 2. Common M365 Scenarios & Phrasing Templates Scenario A: The “VIP Exemption” Request 7.3) Advising Mon, 01 Jan 0001 00:00:00 +0000 1. The Translation Framework (Policy vs. Practice) Delivery teams (Project Managers, Business Analysts, Developers) often view governance as a roadblock because it is written in abstract compliance terms. Your role is to serve as the translator. The Anti-Pattern: “Your proposed solution violates the Data Handling Standard v2.4. Please revise.” The Consultant Pattern: “Because this project handles PII, the Data Handling Standard requires us to use a dedicated SharePoint site with the external sharing slider set to ‘New and Existing Guests,’ combined with a 90-day access review policy. Here is how we configure that.” The Goal: Never make the delivery team guess what the compliant solution looks like. 2. Building the “Pre-Approved Menu” (Architectural Patterns) To avoid designing bespoke solutions for every request, mentally categorize M365 collaboration needs into standardized, pre-approved patterns. When advising, you are simply helping them select the right pattern from the menu. 7.4) RAID/RAAIDD Logs Mon, 01 Jan 0001 00:00:00 +0000 1. The Definitions RAID (Project Baseline): Risk: Potential future events that could negatively impact the project (e.g., “The upcoming Microsoft API deprecation might break the custom script”). Action: Immediate tasks or activities required to maintain momentum. Issue: Current, active blockers that are preventing progress (e.g., “The production sync is currently failing”). Decision: Formal choices made by stakeholders (e.g., “The Steering Committee approved the use of PHS over PTA”). RAAIDD (The Enterprise Expansion): Assumption: Facts or conditions taken as true without immediate proof (e.g., “Assuming all user devices are already Hybrid-Joined”). Dependency: External factors the project requires to succeed (e.g., “The Intune rollout depends on the network team opening firewall port 443”). 2. RAID Logs as a Consultant’s “Shield” Decision Tracking: Every time a stakeholder chooses a non-standard or “Option B” path (see 6.3), it must be logged. This creates an audit trail that prevents the Consultant from being held liable for security or performance issues resulting from that choice. Managing Assumptions: As a contractor, you often operate with limited initial data. Explicitly logging Assumptions (e.g., “Assuming the client has E5 licenses for this Purview feature”) allows you to immediately flag a Risk or Issue if that assumption is later proven false. Impact of Dependencies: In the M365 ecosystem, dependencies are often external (e.g., the Microsoft roadmap or third-party IdPs). Highlighting these early ensures the project timeline reflects reality, not just the delivery team’s optimism. 3. M365 Specific RAID Examples Risk: “Users might experience Outlook sync delays during the first 48 hours of the shared mailbox migration.” Issue: “Conditional Access Policy ‘CA001’ is blocking legitimate logins from the New York office.” Assumption: “Assuming the on-premises Active Directory schema is at the minimum required version for Entra Connect.” Dependency: “Completion of the Exchange Hybrid setup is dependent on the firewall team publishing the on-premises EWS endpoint.” 4. Best Practices for Maintenance Centralization: Never keep the log in a private document. Use a Microsoft List within the project’s Team site to ensure real-time visibility and collaborative ownership. Weekly Rhythm: Review the log during every status meeting. Focus on converting Risks into Actions (mitigation) and closing Issues to prevent them from becoming Decisions (accepting the status quo). The Handover Value: A comprehensive RAID log is the single most important artifact for a clean offboarding. It ensures the role owner understands not just what is configured, but the historical context of the risks that were identified and the decisions that were made. 5. Essential Tools for RAID Management Microsoft Lists: The industry standard for RAID logs. Use the “Issue Tracker” template as a baseline and customize it with “Decision” and “Risk” columns. Microsoft Planner: Ideal for the Action and Issue portions of the log to assign specific tasks to delivery team members with due dates. Power BI: For large-scale enterprise projects, use Power BI to visualize the “Risk Heatmap” and “Issue Aging” to report to executive stakeholders.

This is ideal for holding documented information pertaining to:

Project Roles and Responsibilities

Mon, 01 Jan 0001 00:00:00 +0000

In PRINCE2 a single individual might hold multiple roles (especially in smaller projects), or a single role might be shared by several people, provided accountability is clear and conflicts of interest are avoided. The primary goal is absolute clarity on who is responsible for what, ensuring effective decision-making and communication within a structured framework.

Project Management Team Structure

PRINCE2 typically defines four levels within and around the project management structure:

The 34 Management Practices

Mon, 01 Jan 0001 00:00:00 +0000

In previous versions of ITIL, the framework heavily emphasized “processes.” ITIL 4 shifted this focus to Management Practices. A practice is defined as a set of organizational resources designed for performing work or accomplishing an objective. This change reflects the fact that delivering services requires more than just a process flow; it requires considering all Four Dimensions of Service Management (People, Information/Technology, Partners, and Value Streams/Processes).

The 34 ITIL management practices are grouped into three distinct categories:

The audit process for ISO 19011

Mon, 01 Jan 0001 00:00:00 +0000

Stage 1: Initiate the audit

Before doing anything else a team leader needs to be appointed to own and run the audit process. With the team leader chosen the audit team needs to reach out to the client to understand the context of the auditee. At a minimum the following needs to be established:

The objective: Why is the audit being done?
The scope: What are the boundaries of the audit? (e.g. are only specific locations or specific activities being audited?)
The criteria: What requirements are the team auditing against?

Before starting the audit get confirmation in writing that the above has been approved by upper management.

4.1) Defender for Office 365

Mon, 01 Jan 0001 00:00:00 +0000

1. Safe Links & Safe Attachments (The Core Shields)

Safe Links: Provides time-of-click verification of URLs in emails, Teams messages, and Office apps.
- URL Rewriting: URLs are wrapped in a Microsoft prefix. If a site is later identified as malicious, the user is blocked from visiting even if they click the link hours or days after receipt.
- Advanced Settings: Ensure “Wait for URL scanning to complete before delivering the message” is enabled for high-security environments.
Safe Attachments: Uses a virtual sandbox environment (detonation chamber) to open attachments and check for malicious behavior before delivery.
- Dynamic Delivery: The recommended setting for user experience. It delivers the body of the email immediately with a placeholder attachment while scanning occurs, replacing the placeholder once the file is cleared.
- Block vs. Replace: Avoid “Monitor” in production; use “Block” to prevent delivery entirely or “Replace” to deliver the message without the malicious file.

2. Anti-Phishing & Impersonation Protection

Impersonation Detection: Specifically protects high-profile users (C-Suite) and internal domains.
- User Impersonation: Protects against look-alike names (e.g., “John Doe” using a personal Gmail account).
- Domain Impersonation: Protects against look-alike domains (e.g., cont0so.com vs contoso.com).
Mailbox Intelligence: Uses AI to learn a user’s frequent contacts. It triggers alerts if an email arrives from a sender who looks like a frequent contact but is not.
Safety Tips: Enable visual cues in Outlook (e.g., “This sender is new to you” or impersonation warnings) to provide real-time user education.

3. Automated Investigation and Response (AIR)

The Playbook: When a high-confidence phish or malware is detected, Defender can trigger an automated investigation.
Investigation Steps: The system automatically analyzes the message, identifies other recipients of the same “campaign,” and checks if the user clicked the link or downloaded the file.
Remediation Actions:
- Pending Approval: AIR will suggest actions (e.g., “Soft delete 15 messages,” “Block the sender,” “Reset user’s password”).

4. Threat Explorer & Campaign Discovery

Threat Explorer: The primary hunting tool. Use it to search for all emails from a specific sender IP, sender domain, or containing a specific URL/File Hash.
Campaign Views: Aggregates individual phishing attempts into “Campaigns.” This allows you to see the scope of an attack and determine if it was targeted (spear-phishing) or a broad broadcast.
Message Header Analysis: Accessible directly within the portal. Check the X-MS-Exchange-Organization-PCL (Probability Level) and SCL (Spam Confidence Level) to determine why a message was or wasn’t blocked.

5. Attack Simulation Training

Purpose: Proactively test user vulnerability to phishing.
Templates: Use real-world harvested payloads (e.g., “Password Reset,” “HR Policy Update”) to simulate attacks.
Outcome-Based Learning: Automatically assign mandatory training modules (e.g., “How to spot a phish”) to users who fail the simulation by clicking or providing credentials.

6. Essential PowerShell Cmdlets (Security & Compliance)

Connection: Connect-IPPSSession
Safe Links Management:
- Get-SafeLinksPolicy (Lists policies)
- Get-SafeLinksRule (Lists the scoping/priorities of the rules)
Safe Attachment Management:
- Get-SafeAttachmentPolicy
- Get-SafeAttachmentRule
Investigative Cmdlets:
- Get-MalwareFilterPolicy (Review the anti-malware settings)
- Get-PhishFilterPolicy (Review impersonation and anti-phish settings)

4.2) Defender for Endpoint (MDE)

Mon, 01 Jan 0001 00:00:00 +0000

1. Onboarding & Sensor Health

Onboarding Methods: In an enterprise environment, use Intune (Configuration Profiles) or Group Policy for automated deployment. Local scripts are available for testing but should be avoided for production scale.
Sensor Health Monitoring: Regularly check the “Device Inventory” for devices in an “Inactive” or “No sensor data” state. This usually indicates connectivity blocks to MDE backend URLs or the SENSE service being disabled.
Offboarding Governance: When a device is decommissioned, it must be offboarded to prevent it from negatively impacting the organization’s exposure score. Note that offboarding scripts have a 30-day expiration period for security reasons.

2. Attack Surface Reduction (ASR)

ASR Rules: Implement rules to close common entry points for malware (e.g., “Block credential stealing from the Windows local security authority subsystem”).
Phased Rollout: Always deploy ASR rules in Audit Mode first. Use the “Attack Surface Reduction” report in the Defender portal to identify potential business-critical software that would be blocked before switching to Enforcement Mode.
Exclusions: Manage ASR exclusions at the policy level rather than globally to maintain a tight security posture.

3. Vulnerability Management (TVM)

Exposure Score: Monitor this real-time metric to understand the organization’s current risk level relative to the threat landscape.
Security Recommendations: Focus on “Top Security Recommendations” which are prioritized based on active exploits in the wild and the business impact on the tenant.
Software Inventory: Use the inventory to track end-of-life (EOL) software and missing patches across Windows, macOS, and Linux endpoints.

4. Detection & Response (EDR)

Alert Triage: MDE correlates related alerts into a single Incident, providing a full story of the attack chain. Prioritize incidents over individual alerts.
Live Response: A command-line console used to remotely collect forensic data, run scripts, or remediate threats on a compromised endpoint in real-time.
Automation Levels: Configure “Device Groups” with specific automation levels (e.g., “Full - remediate threats automatically”) to allow AIR (Automated Investigation and Response) to resolve known threats without manual intervention.

5. Next-Generation Protection (Antivirus)

Cloud-Delivered Protection: Must be enabled to provide near-instant protection against new and emerging malware that hasn’t been seen by local signatures yet.
Tamper Protection: A critical tenant-wide setting that prevents malicious apps (or local admins) from disabling Microsoft Defender antivirus or EDR sensors.

6. Essential PowerShell Cmdlets (Windows Defender Module)

Client Status:
- Get-MpComputerStatus (Verify if real-time protection and MDE sensor are active)
Configuration Review:
- Get-MpPreference (View current exclusions and scan schedules)
Diagnostic Logging:
- Get-MpThreatDetection (Review a history of threats detected on the local machine)
Connectivity Troubleshooting:
- Start-Process "C:\Program Files\Windows Defender\MpCmdRun.exe" -ArgumentList "-ValidateEdgeConnectivity" (Validates that the device can reach MDE cloud service endpoints)

4.3) Defender for Cloud Apps (CASB)

Mon, 01 Jan 0001 00:00:00 +0000

1. Cloud Discovery & Shadow IT

Discovery Logs: Ingest traffic logs from network firewalls, proxies, or Defender for Endpoint to identify which cloud apps are being used across the organization.
Risk Score: Each discovered app is assigned a score (1–10) based on over 90 risk factors (e.g., regulatory compliance like GDPR/HIPAA, data encryption at rest, and legal terms).
Sanctioning vs. Unsanctioning:
- Sanctioned: Apps approved for corporate use; often integrated via API for deeper visibility.
- Unsanctioned: Apps explicitly blocked. Integration with Defender for Endpoint allows for automatic blocking of these URLs on managed devices.

2. Conditional Access App Control (Session Controls)

The Reverse Proxy: Redirects user traffic through Defender for Cloud Apps in real-time when accessing web applications. This is triggered via a Conditional Access policy with the “Use Conditional Access App Control” session setting.
Real-Time Actions:
- Block Download: Allow users to view sensitive data in the browser but prevent them from downloading it to an unmanaged device.
- Protect on Download: Automatically apply a Purview sensitivity label (encryption) to a file as it is downloaded from a cloud app.
- Monitor Activity: Log every action taken within a third-party app (e.g., Salesforce, AWS, or Slack) for audit purposes.

3. App Governance & OAuth Permissions

OAuth App Inventory: Tracks which third-party applications have been granted permissions to access M365 data (e.g., “Read your mail” or “Access your files”).
Permission Triage: Identify “high-privilege” apps that have not been used in 90 days or apps from unverified publishers.
App Governance Add-on: Provides advanced machine learning to detect anomalous app behavior, such as an app suddenly downloading a massive volume of data or sending thousands of emails.

4. Information Protection & DLP Integration

API Connectors: Connect Defender for Cloud Apps directly to third-party clouds (Google Workspace, Box, Dropbox) to scan for sensitive data at rest.
File Policies: Create policies to automatically apply sensitivity labels or remove public sharing links if a file containing PII is detected in a non-Microsoft cloud environment.
Unified Labels: Defender for Cloud Apps natively reads Microsoft Purview sensitivity labels, ensuring a consistent data protection policy regardless of where the file is stored.

5. Threat Detection & Anomaly Policies

Impossible Travel: Detects when a user signs in from two geographically distant locations in a timeframe that is physically impossible.
Ransomware Detection: Identifies patterns of high-volume file deletions or encryptions within cloud storage.
Activity Policies: Custom alerts for specific administrative actions, such as “Multiple failed login attempts to a sanctioned app” or “Creation of a new global admin in a third-party cloud.”

6. Essential PowerShell Cmdlets (Microsoft Graph & API)

Note: Most CASB management is performed via the portal or the Cloud App Security API. Management via the Microsoft Graph PowerShell SDK is the modern standard for automation.

4.4) Defender for Identity & XDR

Mon, 01 Jan 0001 00:00:00 +0000

1. Defender for Identity (MDI) & On-Premises Security

The Sensor: Installed directly on Domain Controllers and AD FS servers. It parses network traffic (RPC, LDAP, Kerberos) and Windows Events to detect threats that bypass traditional logs.
Detection Categories:
- Reconnaissance: Enumeration of users/groups, DNS reconnaissance, and SMB session enumeration.
- Lateral Movement: Pass-the-Ticket, Pass-the-Hash, and malicious service creation.
- Domain Dominance: Skeleton Key, Golden Ticket, and Malicious Data Protection API (DPAPI) requests.
Identity Security Posture (ISPM): Integrated into Microsoft Secure Score to identify legacy protocols (NTLMv1), unsecure account attributes, and clear-text password exposures.

2. Microsoft Defender XDR (Unified Correlation)

The Incident View: Automatically correlates isolated alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into a single Incident. This reduces alert fatigue by grouping the “story” of an attack (e.g., Phish -> Compromised User -> Lateral Movement -> Data Exfiltration).
Signal Sharing: Enabling “Microsoft Defender XDR integration” allows different workloads to share signals. For example, if a device is marked as “High Risk” by MDE, Entra ID can automatically block that user’s sign-in via Conditional Access.
The Unified Portal: Centralizes all security operations (security.microsoft.com), replacing the legacy per-product admin centers.

3. Automated Investigation and Response (AIR)

Cross-Product Playbooks: When an incident triggers, AIR executes playbooks that span workloads. It can simultaneously quarantine an email (O365), isolate a device (Endpoint), and disable a compromised user (Identity).
Evidence & Entity Center: Provides a unified list of all files, processes, URLs, and accounts involved in an investigation, allowing for a “one-click” remediation across the entire environment.
Action Center: The single pane of glass for approving or auditing all automated remediation actions.

4. Advanced Hunting (KQL)

The Schema: Use Kusto Query Language (KQL) to query raw data across all Defender workloads.
- IdentityLogonEvents: Tracks all authentication attempts across on-prem and cloud.
- IdentityDirectoryEvents: Tracks changes to AD objects (e.g., group membership changes, password resets).
Proactive Hunting: Go beyond alerts by searching for “Indicators of Attack” (IoA) that haven’t triggered a formal alert yet, such as suspicious PowerShell execution patterns or unusual cross-domain traffic.

5. Microsoft Sentinel Integration

The SIEM/SOAR Connection: While Defender XDR handles the Microsoft stack, Sentinel provides the broader view (firewalls, third-party clouds, multi-vendor logs).
Defender XDR Connector: Use the bi-directional sync connector to ensure that closing an incident in Sentinel also closes it in the Defender portal, and vice versa.

6. Essential PowerShell & Diagnostic Tools

MDI Sensor Management:
- Test-MdiSensorApiConnection.ps1: (Bundled with the sensor) Validates that the Domain Controller can reach the MDI cloud service.

KQL Query Example (Advanced Hunting Portal):

// Find users who had a failed logon followed by a successful one from a different IP
IdentityLogonEvents
| where ActionType == "LogonFailed"
| join kind=inner (IdentityLogonEvents | where ActionType == "LogonSuccess") on AccountObjectId
| where IPAddress != IPAddress1

Microsoft Defender for Identity Health: Monitor the “Health Issues” tab in the portal specifically for “Packet fragmentation” or “Dropped events” which indicate the DC is overloaded or the sensor is misconfigured.

Continual Improvement

Mon, 01 Jan 0001 00:00:00 +0000

Just as project management frameworks require tailoring to fit the environment, ITIL 4 recognizes that IT service management cannot be static. Organizations must continually adopt and adapt the framework, their services, and their operating models to meet evolving business demands, technological advancements, and external pressures. This adaptability is driven by the concept of Continual Improvement.

Continual Improvement happens at all levels of the organization, from strategic executive decisions down to the operational activities of individual teams. It applies to all Four Dimensions of Service Management and all activities within the Service Value Chain.

Tailoring PRINCE2

Mon, 01 Jan 0001 00:00:00 +0000

Why Tailor?

The primary reason for tailoring is to ensure that the project management method applied is appropriate for the project’s specific circumstances. Applying the full PRINCE2 methodology rigidly, without adaptation (‘robotically’), can lead to unnecessary bureaucracy, especially for smaller or simpler projects. Conversely, insufficient application on complex or high-risk projects can lead to a loss of control. Tailoring aims to strike the right balance, providing adequate governance and control without overburdening the project team, thus making the application of PRINCE2 efficient and relevant.

5.1) Microsoft Intune (Endpoint Management)

Mon, 01 Jan 0001 00:00:00 +0000

1. Compliance vs. Configuration Policies

Compliance Policies: Define the “security floor” for a device (e.g., “Must have BitLocker enabled,” “Must be at a specific OS version”).
- The Signal: Compliance status is the primary signal sent to Entra ID.
- Conditional Access Integration: If a device fails a compliance check, Conditional Access can instantly block access to M365 data until the user remediates the issue.
Configuration Profiles: The primary tool for managing settings (the “GPO of the cloud”).
- Settings Catalog: The modern, preferred interface for finding and configuring thousands of Windows, macOS, and iOS settings.
- Administrative Templates: Familiar ADMX-backed settings for Windows and Office.
- Conflict Resolution: If two profiles configure the same setting with different values, the setting enters a “Conflict” state and is not applied. Compliance policies, however, do not “conflict”—if any policy marks a device non-compliant, it is non-compliant.

2. Device Enrollment & Windows Autopilot

The Enrollment Spectrum:
- BYOD (Registered): Users add a “Work or School account.” Best for Mobile Application Management (MAM).
- Corporate (Joined): Device is fully managed by the organization.
Windows Autopilot: A collection of technologies used to set up and pre-configure new devices, getting them ready for productive use.
- Hardware Hash: The unique identifier required to register a device for Autopilot.
- Deployment Profiles: Control the Out-of-Box Experience (OOBE), such as skipping privacy settings or forcing a “Standard” vs. “Administrator” user account.
- Enrollment Status Page (ESP): Displays the installation progress of critical apps and profiles before the user reaches the desktop.

3. Mobile Application Management (MAM) vs. MDM

MAM-WE (Without Enrollment): Allows IT to protect corporate data inside specific apps (Outlook, Teams, OneDrive) without managing the entire personal device.
App Protection Policies (APP): The core of MAM. Use these to:
- Prevent “Save As” to personal storage (local phone or personal Dropbox).
- Restrict “Copy/Paste” between corporate and personal apps.
- Require a separate PIN or biometric to open corporate apps.
App Configuration Policies: Pre-configure app settings (e.g., the corporate mail server URL) so the user doesn’t have to enter them manually.

4. Endpoint Security Integration

The Security Baseline: Pre-configured groups of Windows settings recommended by Microsoft security teams. Use these as a starting point rather than building from scratch.
Defender for Endpoint Plug-in: Intune is the primary deployment engine for the MDE sensor. Use the “Endpoint Security” blade to manage Antivirus, Firewall, and EDR settings centrally.
Remote Actions: Essential for incident response. Use the Intune portal to:
- Retire: Removes corporate data and management (best for BYOD offboarding).
- Wipe: Factory resets the device (best for lost/stolen corporate hardware).
- Sync: Forces the device to check in immediately for new policies.

5. Troubleshooting & Lifecycle

The “Company Portal” App: The user-facing side of Intune. Users go here to install optional apps and check their device’s compliance status.
Intune Management Extension (IME): A background service on Windows that handles the execution of PowerShell scripts and the installation of Win32 apps.
Log Analysis:
- Local Logs: Check C:\ProgramData\Microsoft\IntuneManagementExtension\Logs for Win32 app and script failures.
- Portal Logs: Use “Troubleshooting + support” to see a per-user view of every policy and app deployment status.

6. Essential PowerShell Cmdlets (Microsoft.Graph.Intune)

Connection: Connect-MgGraph -Scopes "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementConfiguration.ReadWrite.All"
Inventory & Discovery:
- Get all devices for a user: Get-MgUserManagedDevice -UserId user@domain.com
- Find devices by OS: Get-MgDeviceManagementManagedDevice -Filter "contains(osVersion, '10.0.19041')"
Management Actions:
- Trigger a Sync: Invoke-MgDeviceManagementManagedDeviceSyncDevice -ManagedDeviceId <ID>
- Retire a Device: Invoke-MgDeviceManagementManagedDeviceRetire -ManagedDeviceId <ID>
Autopilot Management:
- Get-MgDeviceManagementWindowsAutopilotDeviceIdentity (Lists registered Autopilot devices)

5.2) Microsoft Copilot

Mon, 01 Jan 0001 00:00:00 +0000

1. Architecture & The “Oversharing” Risk (The #1 Priority)

The Golden Rule of Copilot: Copilot never bypasses existing permissions. It utilizes the Microsoft Graph and Semantic Index to surface data, meaning it can only read what the user executing the prompt explicitly has access to.
The Oversharing Crisis: If a tenant has historically relied on “security by obscurity” (e.g., HR files stored on a public SharePoint site but the link was never shared), Copilot will find them and use them to answer user prompts.
Remediation Strategy: Before deploying Copilot, you must execute a “Data Readiness” assessment. Use SharePoint Advanced Management (SAM) or Purview Data Access reports to identify and lock down sites with excessive “Everyone except external users” permissions or broad sharing links.

2. Licensing & Versions

Microsoft Copilot (formerly Bing Chat Enterprise): Free with E3/E5 licenses. Provides AI chat grounded in the public web, but with Commercial Data Protection (prompts are not saved, data is not used to train the model, Microsoft cannot see the data).
Microsoft 365 Copilot: The paid enterprise add-on. This version is grounded in the tenant’s Microsoft Graph data (emails, chats, SharePoint files) and integrates directly into the M365 desktop apps (Word, Excel, PowerPoint, Teams).
Prerequisites: Users must be on the “Current Channel” or “Monthly Enterprise Channel” for M365 Apps. Copilot relies heavily on OneDrive; if a user does not have OneDrive provisioned or enabled, their Copilot experience in desktop apps will break.

3. Administration & Governance Controls

Web Grounding Toggle: In the M365 Admin Center, you can control whether Microsoft 365 Copilot is allowed to query the public web (Bing) to supplement its answers, or if it must only use internal Graph data. (Highly regulated industries often disable web grounding).
Plugin & Extension Management: Copilot’s capabilities can be extended via Microsoft Teams apps and custom plugins. The enterprise standard is to block all third-party plugins by default via the Integrated Apps portal, requiring a security review before enabling them for Copilot.
Semantic Index: A backend capability that maps relationships between users and data. It is enabled at the tenant level. Without it, Copilot’s ability to find relevant internal documents drops significantly.

4. Security & Purview Integration

Sensitivity Labels (Information Protection): Copilot natively respects Purview Sensitivity Labels.
- If a user prompts Copilot to summarize a Word document labeled “Highly Confidential,” the generated response in the chat will also be marked as “Highly Confidential.”
- If a document’s label restricts the “Extract” usage right, Copilot will refuse to summarize or read that document.
Data Loss Prevention (DLP): Copilot interactions are audited. You can configure Endpoint DLP policies to prevent users from copying/pasting sensitive Copilot responses into unsanctioned applications.

5. Adoption & Stakeholder Management

Managing Expectations: Stakeholders often treat Copilot like a search engine. A Consultant must educate them that it is a reasoning engine. It hallucinates, and its outputs require human verification.
Prompt Engineering Framework (The 4 Pillars): Teach users how to structure requests. A good prompt requires:
1. Goal: What do you want? (e.g., “Draft an email”)
2. Context: Why do you need it? (e.g., “To update the marketing team on the Q3 delays”)
3. Expectation: How should it look? (e.g., “Make it a bulleted list and keep the tone professional”)
4. Source: What data should it use? (e.g., “Based on the attached /ProjectStatus.docx”)
High-Value Quick Wins: Point delivery teams to the highest ROI features first: Teams Meeting Recap (summarizing action items from a transcript), drafting Word documents based on PowerPoint presentations, and summarizing unread email threads in Outlook.

5.3) Power Platform

Mon, 01 Jan 0001 00:00:00 +0000

1. Environment Strategy

The Default Environment: Every tenant has one. It cannot be deleted or disabled. Every user with a license is an Environment Maker.
- Best Practice: Rename it (e.g., “[Company Name] - Personal Productivity”) and set the expectation that this is for personal non-critical apps.
- Shared Environment, Private Items: Everyone has “entry” to the environment and the permission to create their own resources, however, for other standard users to see an item, you must explicitly share it with them.
Dedicated Environments (Prod/Dev/Test): Create dedicated environments for departmental or enterprise-grade solutions.
- Managed Environments: Provides extra governance features (e.g., sharing limits, usage insights, data policies) but requires every user accessing an app in that environment to have a Premium license.
Dataverse: The underlying database. Environments can be created with or without a Dataverse database. Enterprise apps usually require Dataverse for relational data storage and granular security roles.

2. Power Platform Data Loss Prevention (DLP)

Connector Categorization: Connectors are grouped into three buckets within a DLP policy:
1. Business: Data can be shared between these connectors (e.g., SharePoint, Outlook, Dataverse).
2. Non-Business (General): Data can be shared between these, but not with connectors in the Business bucket.
3. Blocked: Connectors that are entirely disabled for use (e.g., Twitter, Facebook, personal Dropbox).
Policy Scoping: Policies can be applied to “All Environments,” “Multiple Environments,” or “Exclude Specific Environments.”
- Strategy: Apply a highly restrictive “Tenant-Wide” policy and create less restrictive policies for specific, sanctioned “Project” environments.

3. Licensing & Capacity

Standard vs. Premium:
- Standard: Included with M365 E3/E5. Covers basic connectors (SharePoint, OneDrive, Excel, Outlook).
- Premium: Required for “Premium” connectors (SQL, HTTP, Azure DevOps), On-premises Gateways, and Dataverse.
License Types:
- Per User: User can run unlimited apps.
- Per App: User can run one specific app in one environment (assigned to the environment’s capacity).
Capacity: Power Platform storage is shared across the tenant and split into Database (Dataverse tables), File (attachments/images), and Log (audit trails).

4. The Center of Excellence (CoE) Starter Kit

Purpose: A Microsoft-provided collection of components (Power Apps, Flows, and Power BI) designed to help admins move beyond reactive management.
Inventory: Automatically crawls the tenant to identify every App and Flow, who created them, and how often they are used.
Compliance Flow: Can automatically email makers of “orphaned” apps (where the owner has left the company) or apps that violate naming conventions, asking them to provide a business justification or the app will be deleted.

5. On-Premises Data Gateways

Function: Allows Power Apps and Power Automate to securely access data residing on-premises (e.g., SQL Server, File Shares, SAP).
Management: Gateways are installed on an on-premises server. Admins must manage the “Gateway Cluster” to ensure high availability.
Security: Users must have their own credentials to the data source; the gateway does not bypass the underlying data source’s permissions.

6. Essential PowerShell Cmdlets (Microsoft.PowerApps.Administration.PowerShell)

Connection: Add-PowerAppsAccount
Environment Discovery:
- Get-AdminPowerAppEnvironment (Lists all environments)
- Get-AdminPowerApp -EnvironmentName <ID> (Lists all apps in a specific environment)
DLP Management:
- Get-AdminDlpPolicy
Ownership Reassignment:
- Set-AdminPowerAppOwner -AppId <AppID> -EnvironmentName <EnvID> -NewOwner <UserUPN> (Critical for offboarding/orphaned apps)

6.1) ITIL Fundamentals

Mon, 01 Jan 0001 00:00:00 +0000

1. Incident vs. Problem Management (The Break-Fix Boundary)

Do not treat every recurring outage as a standalone emergency. As a Consultant, you are expected to elevate the operation from reactive firefighting to proactive root-cause resolution.

Incident Management: The goal is to restore normal service operations as quickly as possible. Workarounds are entirely acceptable here. (e.g., “The user’s Teams desktop app is crashing; clear the cache and have them use Teams on the Web so they can join their current meeting.”)
Problem Management: The goal is to identify the root cause of one or more Incidents to prevent them from happening again. (e.g., “Why are 50 users experiencing Teams desktop crashes after the latest Intune deployment? We need to analyze the deployment logs and correct the packaging.”)
The Consultant Pivot: When you see Helpdesk logging the same Incident multiple times, step in, declare a “Problem,” and lead the root cause analysis.

2. Navigating Change Management (The CAB)

Never walk into a Change Advisory Board (CAB) meeting with a “we’ll figure it out” attitude. You are dealing with business-critical M365 infrastructure. You must accurately classify your changes and prepare the necessary documentation.

6.2) Issue Ownership

Mon, 01 Jan 0001 00:00:00 +0000

1. The Definition of “Ownership”

In a senior role, “owning” an issue does not mean you have to personally execute every fix. It means you own the resolution lifecycle. You are the primary shield protecting the role owner from operational noise.

The Consultant Mindset: You are the investigator, the communicator, and the triage engineer. You only pass the baton when a definitive architectural or financial boundary is hit.
The “Black Hole” Avoidance: Stakeholders escalate when they feel ignored. Ownership means proactively communicating the status (“I have reproduced the issue and am analyzing the Entra logs”) even if you don’t have the fix yet.

2. The Triage Boundary (Own vs. Escalate)

Establish clear rules of engagement for what you resolve independently versus what requires the role owner.

6.3) The Escalation Framework

Mon, 01 Jan 0001 00:00:00 +0000

1. The Trigger Conditions

Do not escalate simply because a problem is difficult; escalate because a boundary has been crossed. The four definitive triggers for escalating to the role owner are:

Architecture/Security Boundary: The solution requires bypassing a baseline Conditional Access policy, changing a tenant-wide sharing setting, or modifying global identity sync rules.
Financial Boundary: The solution requires purchasing net-new licenses (e.g., Entra ID P2, Teams Premium, Power Apps Premium) or Azure consumption resources.
Systemic Outage: A core service degradation affecting a significant portion of the environment (after verifying the Microsoft Service Health Dashboard).
Political Deadlock: A highly-ranked stakeholder refuses the compliant alternative after you have clearly documented the technical and compliance risks.

2. The Standardized Escalation Template

Never forward a messy, 15-reply email chain to the role owner with a note saying “Thoughts?” Package the escalation into a concise, easily digestible format that forces a decision.

6.4) Managing Ambiguity

Mon, 01 Jan 0001 00:00:00 +0000

1. The Consultant’s Mindset

In an enterprise, “lack of documentation” can be the default state, not an exception. You are being paid for your ability to operate in the gray.

The Rule of Assumption: Assume every bizarre, seemingly illogical configuration was put there for a specific, urgent business reason at the time. Do not tear down a fence until you know why it was built, see Chesterton’s Fence.
Investigation over Escalation: Never escalate a ticket to the role owner stating, “I don’t know what this does.” Escalate by stating, “I have traced this undocumented configuration to X, and it appears to impact Y. Should we decommission it?”

2. Forensic Discovery (Your “Hidden” Documentation)

When SharePoint wikis and IT portals are empty, the Microsoft 365 backend logs become your source of truth.

7.1) The Consultant Muscle

Mon, 01 Jan 0001 00:00:00 +0000

1. The Intake Framework (Uncovering the “Why”)

The Golden Rule: Users ask for solutions (e.g., “I need a custom Power Automate flow to break inheritance on 500 folders”). A good Consultant must uncover the requirement (e.g., “We need to securely share specific documents with different external vendors”).
The Triage Questions: Before reviewing any technical solution, establish:
1. Data Classification: What is the sensitivity of the data being handled? (Dictates the required Purview labels and sharing restrictions).
2. Audience & Lifecycle: Who is the audience (Internal vs. B2B Guests), and when does this project end? (Dictates identity lifecycle and M365 Group expiration).
3. Supportability: Who owns this when the project is over? If it requires custom code (e.g., SPFx, complex Power Apps), is there an internal developer team to maintain it?

2. Evaluating Requests Against Existing Governance

The Strategy Alignment Check: You are there to enforce the existing strategy, not invent a new one. Filter requests through these baseline questions:
- Is this out-of-the-box (OOTB)? Always default to native M365 capabilities before approving third-party apps or custom development.
- Does it bypass security controls? (e.g., Requests for service accounts that bypass MFA, or requests to disable DLP for a specific executive).
- Does it scale? (e.g., Manually managing item-level permissions works for 10 files, but fails for 10,000. Pivot the user to a metadata-driven approach or separate Document Libraries).

3. Constructive Pushback (The Art of the Compliant “No”)

The Framework (Acknowledge -> State Risk -> Provide Alternative): Never issue a flat “No.”
- Example Request: “We need a shared mailbox for 50 people.”
- Acknowledge: “I understand the team needs a central place to receive and manage these generic inquiries.”
- State Risk: “However, adding 50 people to a single shared mailbox will cause severe Outlook performance issues, sync delays, and lacks an audit trail of who replied to what.”
- Provide Alternative: “To align with our M365 standards, we should set this up as a Microsoft Teams shared channel or a Group-connected Team site, which is designed for large-scale collaboration.”
Depersonalize the Decision: Reference the policy, not your personal opinion. Use phrases like, “To align with the organization’s Zero Trust framework…” or “Based on the enterprise M365 architectural guardrails…”

4. Practical Translation for Delivery Teams

Avoid “Policy Parroting”: Do not just send delivery teams a link to a 50-page governance PDF.
Provide the “How-To”: Translate the governance into actionable, step-by-step configurations.
- Bad: “Ensure your new SharePoint site complies with the external sharing policy.”
- Good: “When provisioning this site, you must run Set-PnPTenantSite -SharingCapability ExistingExternalUserSharingOnly and assign the ‘Confidential’ sensitivity label to the connected M365 Group.”
Standardized Templates: If you notice delivery teams repeatedly asking the same questions, create a 1-page standard operating procedure (SOP) or a PowerShell snippet they can reuse.

7.2) Constructive Pushback

Mon, 01 Jan 0001 00:00:00 +0000

1. The Core Framework (ARA)

When pushing back against a misaligned request, never use a flat “No” or cite personal preference. Rely on the Acknowledge -> Risk -> Alternative (ARA) framework to remain collaborative while strictly enforcing governance.

Acknowledge: Validate the underlying business requirement. Users don’t want to break the rules; they just want to solve a workflow problem.
Risk (Objective): Cite the specific enterprise constraint (Security, Governance, Scale, or Cost) that blocks their proposed solution. Depersonalize it (“The framework requires…” not “I won’t let you…”).
Alternative (Compliant): Pivot immediately to the native Microsoft 365 solution that solves their business problem within the guardrails.

2. Common M365 Scenarios & Phrasing Templates

Scenario A: The “VIP Exemption” Request

7.3) Advising

Mon, 01 Jan 0001 00:00:00 +0000

1. The Translation Framework (Policy vs. Practice)

Delivery teams (Project Managers, Business Analysts, Developers) often view governance as a roadblock because it is written in abstract compliance terms. Your role is to serve as the translator.

The Anti-Pattern: “Your proposed solution violates the Data Handling Standard v2.4. Please revise.”
The Consultant Pattern: “Because this project handles PII, the Data Handling Standard requires us to use a dedicated SharePoint site with the external sharing slider set to ‘New and Existing Guests,’ combined with a 90-day access review policy. Here is how we configure that.”
The Goal: Never make the delivery team guess what the compliant solution looks like.

To avoid designing bespoke solutions for every request, mentally categorize M365 collaboration needs into standardized, pre-approved patterns. When advising, you are simply helping them select the right pattern from the menu.

7.4) RAID/RAAIDD Logs

Mon, 01 Jan 0001 00:00:00 +0000

1. The Definitions

RAID (Project Baseline):
- Risk: Potential future events that could negatively impact the project (e.g., “The upcoming Microsoft API deprecation might break the custom script”).
- Action: Immediate tasks or activities required to maintain momentum.
- Issue: Current, active blockers that are preventing progress (e.g., “The production sync is currently failing”).
- Decision: Formal choices made by stakeholders (e.g., “The Steering Committee approved the use of PHS over PTA”).
RAAIDD (The Enterprise Expansion):
- Assumption: Facts or conditions taken as true without immediate proof (e.g., “Assuming all user devices are already Hybrid-Joined”).
- Dependency: External factors the project requires to succeed (e.g., “The Intune rollout depends on the network team opening firewall port 443”).

2. RAID Logs as a Consultant’s “Shield”

Decision Tracking: Every time a stakeholder chooses a non-standard or “Option B” path (see 6.3), it must be logged. This creates an audit trail that prevents the Consultant from being held liable for security or performance issues resulting from that choice.
Managing Assumptions: As a contractor, you often operate with limited initial data. Explicitly logging Assumptions (e.g., “Assuming the client has E5 licenses for this Purview feature”) allows you to immediately flag a Risk or Issue if that assumption is later proven false.
Impact of Dependencies: In the M365 ecosystem, dependencies are often external (e.g., the Microsoft roadmap or third-party IdPs). Highlighting these early ensures the project timeline reflects reality, not just the delivery team’s optimism.

3. M365 Specific RAID Examples

Risk: “Users might experience Outlook sync delays during the first 48 hours of the shared mailbox migration.”
Issue: “Conditional Access Policy ‘CA001’ is blocking legitimate logins from the New York office.”
Assumption: “Assuming the on-premises Active Directory schema is at the minimum required version for Entra Connect.”
Dependency: “Completion of the Exchange Hybrid setup is dependent on the firewall team publishing the on-premises EWS endpoint.”

4. Best Practices for Maintenance

Centralization: Never keep the log in a private document. Use a Microsoft List within the project’s Team site to ensure real-time visibility and collaborative ownership.
Weekly Rhythm: Review the log during every status meeting. Focus on converting Risks into Actions (mitigation) and closing Issues to prevent them from becoming Decisions (accepting the status quo).
The Handover Value: A comprehensive RAID log is the single most important artifact for a clean offboarding. It ensures the role owner understands not just what is configured, but the historical context of the risks that were identified and the decisions that were made.

5. Essential Tools for RAID Management

Microsoft Lists: The industry standard for RAID logs. Use the “Issue Tracker” template as a baseline and customize it with “Decision” and “Risk” columns.
Microsoft Planner: Ideal for the Action and Issue portions of the log to assign specific tasks to delivery team members with due dates.
Power BI: For large-scale enterprise projects, use Power BI to visualize the “Risk Heatmap” and “Issue Aging” to report to executive stakeholders.

NJIT Public KB

Cheatsheet Overview

Intro to ITIL

Intro to PRINCE2

Intro to Scrum

A guide to Scrum

Intro to ISO 19011

Intro to ISO 27001

The 7 Guiding Principles

1. Focus on value link

2. Start where you are link

3. Progress iteratively with feedback link

4. Collaborate and promote visibility link

5. Think and work holistically link

6. Keep it simple and practical link

7. Optimize and automate link

In closing link

The 7 Principles

1. Continued Business Justification link

1.1) Exchange Online

1. Mail Flow & Routing Troubleshooting link

2. Recipient Management & Governance link

3. Security, Protection & Authentication link

4. Hybrid Environment Considerations (Enterprise) link

5. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module) link

1.2) SharePoint Online and OneDrive

1. Architecture & Site Governance link

2. External Sharing & Collaboration link

3. Permissions & Access Control link

4. OneDrive for Business (Enterprise Management) link

5. Essential PowerShell Cmdlets (PnP PowerShell) link

1.3) Microsoft Teams

1. Governance & Lifecycle Management link

2. External Collaboration & Access Types link

3. Meeting, Calling, & Device Policies link

4. App Governance & Management link

5. Troubleshooting & Diagnostics link

6. Essential PowerShell Cmdlets (MicrosoftTeams Module) link

1.4) Service-wide

1. The M365 Group (The Connective Tissue) link

2. Data Sync & Propagation Delays (The “Wait 24 Hours” Rule) link

3. Microsoft Search & Information Architecture link

4. Licensing & Service Plans link

5. Essential PowerShell Cmdlets (Microsoft Graph) link

Key concepts of ISO 19011:2018 video

Overview of the ISO 27001 Clauses

Clause 4: Context of the organization link

Clause 5: Leadership link

Scrum Table of Terms

The 4 Dimensions of Service Management

The 7 Practices

2.1) Identity Lifecycle

1. Source of Authority (SoA) & Synchronization link

2. The JML Process (Joiners, Movers, Leavers) link

3. Identity Governance & Entitlement Management (Requires Entra ID P2) link

4. Dynamic Groups & Attributes link

5. Essential PowerShell Cmdlets (Microsoft Graph) link

2.2) Conditional Access

1. Architecture & Core Concepts link

2. Enterprise Baseline Policies (The “Must-Haves”) link

3. Governance, Exclusions & Safety Nets link

4. Session Controls & Granular Security link

5. Troubleshooting & Diagnostics link

6. Essential PowerShell Cmdlets (Microsoft Graph) link

2.3) Authentication

1. Hybrid Authentication Topologies link

2. MFA & Modern Authentication Methods link

3. Self-Service Password Reset (SSPR) & Registration link

4. Legacy Authentication (A Prime Attack Vector) link

5. Troubleshooting & Diagnostics link

6. Essential PowerShell Cmdlets (Microsoft Graph) link

Overview of the ISO 27001 Controls

5) Organisational controls link

Scrum in relation to Agile

The 7 Processes

The Service Value System (SVS)

The seven principles of auditing

3.1) Data Loss Prevention

1. Deployment Strategy (The “Crawl, Walk, Run” Approach) link

2. Classifying the Data (What are we protecting?) link

1. Focus on value

2. Start where you are

3. Progress iteratively with feedback

4. Collaborate and promote visibility

5. Think and work holistically

6. Keep it simple and practical

7. Optimize and automate

In closing

1. Continued Business Justification

1. Mail Flow & Routing Troubleshooting

2. Recipient Management & Governance

3. Security, Protection & Authentication

4. Hybrid Environment Considerations (Enterprise)

5. Essential PowerShell Cmdlets (ExchangeOnlineManagement Module)

1. Architecture & Site Governance

2. External Sharing & Collaboration

3. Permissions & Access Control

4. OneDrive for Business (Enterprise Management)

5. Essential PowerShell Cmdlets (PnP PowerShell)

1. Governance & Lifecycle Management

2. External Collaboration & Access Types

3. Meeting, Calling, & Device Policies

4. App Governance & Management

5. Troubleshooting & Diagnostics

6. Essential PowerShell Cmdlets (MicrosoftTeams Module)

1. The M365 Group (The Connective Tissue)

2. Data Sync & Propagation Delays (The “Wait 24 Hours” Rule)

3. Microsoft Search & Information Architecture

4. Licensing & Service Plans

5. Essential PowerShell Cmdlets (Microsoft Graph)

Clause 4: Context of the organization

Clause 5: Leadership

1. Source of Authority (SoA) & Synchronization

2. The JML Process (Joiners, Movers, Leavers)

3. Identity Governance & Entitlement Management (Requires Entra ID P2)

4. Dynamic Groups & Attributes

5. Essential PowerShell Cmdlets (Microsoft Graph)

1. Architecture & Core Concepts

2. Enterprise Baseline Policies (The “Must-Haves”)

3. Governance, Exclusions & Safety Nets

4. Session Controls & Granular Security

5. Troubleshooting & Diagnostics

6. Essential PowerShell Cmdlets (Microsoft Graph)

1. Hybrid Authentication Topologies

2. MFA & Modern Authentication Methods

3. Self-Service Password Reset (SSPR) & Registration

4. Legacy Authentication (A Prime Attack Vector)

5. Troubleshooting & Diagnostics

6. Essential PowerShell Cmdlets (Microsoft Graph)

5) Organisational controls

1. Deployment Strategy (The “Crawl, Walk, Run” Approach)

2. Classifying the Data (What are we protecting?)

3. Policy Rules & The User Experience

4. Endpoint DLP (Securing the Local Device)

5. Alerts, Triage & Permissions

6. Essential PowerShell Cmdlets (ExchangeOnlineManagement / Security & Compliance)

1. Taxonomy & Deployment Strategy

2. Item-Level vs. Container-Level Labels

1. The Core Mechanisms: Policies vs. Labels

2. The Principles of Retention (The Conflict Engine)

Project Management Team Structure

Stage 1: Initiate the audit

1. Safe Links & Safe Attachments (The Core Shields)

2. Anti-Phishing & Impersonation Protection

3. Automated Investigation and Response (AIR)

4. Threat Explorer & Campaign Discovery

5. Attack Simulation Training

6. Essential PowerShell Cmdlets (Security & Compliance)

1. Onboarding & Sensor Health

2. Attack Surface Reduction (ASR)

3. Vulnerability Management (TVM)

4. Detection & Response (EDR)

5. Next-Generation Protection (Antivirus)

6. Essential PowerShell Cmdlets (Windows Defender Module)

1. Cloud Discovery & Shadow IT

2. Conditional Access App Control (Session Controls)

3. App Governance & OAuth Permissions

4. Information Protection & DLP Integration

5. Threat Detection & Anomaly Policies

6. Essential PowerShell Cmdlets (Microsoft Graph & API)