Inside the Microsoft 365 Security Operations Course: 17 Modules, 474,000 Words, Zero Video
What this course is
Microsoft 365 Security Operations is the largest course on the Ridgeline platform — 17 modules, 474,871 words, and over 500 pages of operational security content mapped to the SC-200 exam objectives (January 2026 update). It teaches security analysts to operate the full Microsoft security stack: Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, Microsoft Sentinel, Entra ID, and the unified Defender XDR portal.
The course is not a certification prep course. It is a production operations manual that happens to cover every SC-200 exam domain. The difference matters: a certification course teaches you to answer questions about Sentinel. This course teaches you to deploy analytics rules to your Sentinel workspace, build investigation workbooks, configure automated playbooks, and troubleshoot the data connectors that feed them — in your own tenant, not a sandbox that disappears when the lab timer expires.
Who it’s for
SOC analysts working in M365 environments. You have Defender for Endpoint alerts firing in the portal. You have Sentinel analytics rules that someone else configured. You need to understand the full stack — what each component does, how they share signals, and how to investigate when something goes wrong. This course takes you from “I can see alerts” to “I can build the detection rules that generate them.”
IT administrators who inherited security responsibilities. Your organization deployed M365 E5 but nobody configured the security stack. Safe Links is on defaults. Sentinel has the free connector and nothing else. You know the admin center. This course teaches you to turn the licensing investment into operational security capability.
Security engineers preparing for SC-200. The course maps to every SC-200 exam domain. But instead of flashcards and practice questions, you get production-depth coverage of each technology with the operational context that makes the exam questions obvious. Analysts who complete this course consistently report that the exam felt straightforward — because they had deployed and operated everything the exam asks about.
What makes it different
Every module produces something you deploy. Module 6 does not just explain data connectors — it walks through connecting each log source to Sentinel, verifying ingestion, troubleshooting the common failures (the Azure AD connector that looks connected but is not forwarding sign-in logs), and building the data health monitoring workbook that alerts you when ingestion drops. When you finish Module 6, your Sentinel workspace has verified data connectors and a monitoring workbook — not a certificate that says you understand data connectors.
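The ingestion-drop check described above can be written as a single KQL query over the Log Analytics Usage table. The query below is an added example, not a query from the course: it compares each table's volume over the last 24 hours with its average daily volume over the preceding 13 days and lists the tables that have fallen off. The 10 MB minimum baseline and the 50 percent drop threshold are assumptions to tune for your workspace; a connector that shows as connected but has stopped forwarding (for example SigninLogs) surfaces here with RecentMB near zero.

```kql
// Added example (not from the course): flag tables whose ingestion has dropped.
// Baseline: average daily billable volume per table over days 2..14 in the past.
let Baseline = Usage
| where TimeGenerated between (ago(14d) .. ago(1d))
| where IsBillable == true
| summarize BaselineDailyMB = sum(Quantity) / 13.0 by DataType;
// Recent: billable volume per table over the last 24 hours.
let Recent = Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize RecentMB = sum(Quantity) by DataType;
Baseline
// leftouter keeps tables that sent nothing in the last day (RecentMB is null).
| join kind=leftouter Recent on DataType
| extend RecentMB = coalesce(RecentMB, 0.0)
| extend DropPct = round(100.0 * (BaselineDailyMB - RecentMB) / BaselineDailyMB, 1)
// Assumed thresholds: ignore tiny tables, report drops of more than half the baseline.
| where BaselineDailyMB > 10 and DropPct > 50
| project DataType,
          BaselineDailyMB = round(BaselineDailyMB, 1),
          RecentMB = round(RecentMB, 1),
          DropPct
| order by DropPct desc
```

Run it as a scheduled analytics rule or pin it to a workbook tile; a row for a table that should be continuous (SigninLogs, DeviceEvents, OfficeActivity) is the signal that a connector needs attention before investigations start missing data.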
The course includes over 200 annotated KQL queries. Every query is explained line by line — not just what it does but why each operator was chosen, what the alternative approaches are, and what to do with the results. The queries are production-ready: copy them, modify the entity names for your environment, and deploy. The Mastering KQL companion course teaches the query language fundamentals; this course applies KQL to operational security.
The 17 modules
The course follows a progression from understanding to operating to investigating to hunting.
Phase 1 (Modules 1-4, FREE) establishes the foundation. Module 1 maps the entire M365 security ecosystem — all nine components and how they share signals. Module 2 teaches KQL fundamentals specifically for security analysts (not data engineers — the queries focus on security tables and investigation patterns). Module 3 navigates the Defender XDR portal and the unified incident queue. Module 4 analyzes Entra ID sign-in logs — the first real investigation skill, because every M365 security incident starts with an identity.
Phase 2 (Modules 5-12) configures and operates each security component. Sentinel workspace design and data connector deployment. Defender for Endpoint configuration and device management. Defender for Office 365 anti-phishing policies. Defender for Cloud Apps policies for shadow IT detection. Analytics rule building in Sentinel. Cloud workload protection. Exposure and vulnerability management.
Phase 3 (Modules 13-22) is the investigation phase — 10 complete worked investigation scenarios. The flagship is Module 13: AiTM Credential Phishing Investigation, based on a real five-wave phishing campaign investigated in a production SOC. The other scenarios cover BEC, consent phishing, token replay, ransomware pre-encryption, insider threat, and cross-domain investigation in the unified portal.
Phase 4 (Modules 23-28) covers advanced operations: threat hunting with KQL, MITRE ATT&CK integration in Sentinel, automation with playbooks and automation rules, workbook building, Security Copilot, and hunt management with bookmarks and archived logs.
How to start
The first four modules are free — no account required, no email gate. Read Module 1 to understand the ecosystem. Work through Module 2 to learn the KQL patterns you will use throughout the course. If the depth and approach work for you, the paid modules are available through a monthly or annual subscription.